
SANS Network Security Digest, 08/10/97 (Includes C



- -----------------------------------------------------------------
|  S A N S                                   Vol. 1, No. 6        |
|                                            August 10, 1997      |
|             The SANS Network Security Digest                    |
|             Editor: Michele Crabb                               |
|             Contributing Editors:                               |
|   Matt Bishop, Gene Spafford, Steve Bellovin, Gene Schultz      |
|   Rob Kolstad, Marcus Ranum, Dorothy Denning, Dan Geer          |
|   Peter Neumann, Peter Galvin, David Harley, Jean Chouanard     |
- ----A Resource for Computer and Network Security Professionals---

CONTENTS:
i) Notice: Your Updated Network Security Poster
1) VULNERABILITY IN JAVASCRIPT
2) HP SECURITY PROBLEMS AND BUG FIXES
3) SUN SECURITY PROBLEMS AND BUG FIXES
4) NT/WIN95 SECURITY PROBLEMS AND BUG FIXES
5) BSD LPD SPOOLING PROGRAM VULNERABILITY
6) RACE CONDITION IN LYNX TEMPORARY FILE CREATION
7) MAC MBDF VIRUS IN THE VELLUM 3D CDROM
8) ANOTHER INN VULNERABILITY
9) BUFFER OVERFLOW IN MSQL DATABASE SERVER
10) VULNERABILITY IN 4.4BSD PROCFS PROGRAM
11) QUICK TIDBITS

***************************************************
i) Notice to subscribers: We have updated the wall poster
containing lists of security threats, management challenges,
useful web sites, vendor security contacts and many other
similar lists. We sent it to you (assuming we had your surface
mail address) and, if you live in North America or Europe, it
should be in your hands now. So if it did not arrive, please
email us with the correct surface mailing address. People in
other parts of the world, please wait three more weeks. Also
in the same package is your program and course list for the
SANS Network Security '97 Conference in New Orleans in October.
It is by far the best combination of courses and technical
sessions we've ever assembled. New courses on advanced NT
Security, Network Security War Games and more. New short courses
on Virtual Private Networks, PGP, SSH, and similar topics. If
the package has not yet arrived, you'll find the whole program
at <www.sans.org/network.html>. If you need a printed version in
order to get your attendance approved, send us an email and we'll
get you another copy.
***************************************************
- ----------------------------------------------------------------------

- ----------------------------------------------------------------------
1) VULNERABILITY IN JAVASCRIPT (7/3)

Some browsers allow JavaScript (which is different from JAVA) programs to
monitor a user's web activity - such as URLs visited, information input
into data forms and the values of "cookies" sent. CERT recommends
disabling JavaScript until the vendor provides a patch. Netscape
Navigator 2 & 3 and Communicator 4.0, and Microsoft IE 3.* and 4.* are
known to be vulnerable.

An exploit for this problem has been published on the Internet.

For more information see the CERT Advisory at:
<ftp://info.cert.org/pub/cert_advisories/CA-97.20.javascript>
- -------------------------------------------------------------------

- -------------------------------------------------------------------
2) HP SECURITY PROBLEMS AND PATCHES

The HP Electronic Support Center is located at:
<http://us-support.external.hp.com> (US and Canada)
<http://europe-support.external.hp.com> (Europe)

A) 7/9 - Vulnerability in chfn executable allows local users to gain
root access or privileges. Patches are available from HP.
----------------
B) 7/15 - Vulnerability in swinstall program allows local users to
gain root access. Patches are available from HP.
----------------
C) 7/23 - A new vulnerability in the rlogin program may allow a remote
user to gain access to the system. Patches are available from HP.
See the CIAC bulletin for more information:
<http://ciac.llnl.gov/ciac/bulletins/h-87.shtml>
----------------
D) 7/9 - Patch released to correct the ICMP echo requests bug in the
MPE/iX O/S, Release 5.0 and 5.5.
----------------
E) 7/15 - Vulnerability in Netscape Navigator 2.0, 3.0, and
Communicator 4.0. Shipped with HP/UX. Remote web masters can
download files from your hard disk. (See the Jun97 SANS Digest.)
A patch is not yet available.
----------------
F) 7/30 - HP releases three security patches (Bulletins 41,67,68)
1: fix for SUID programs to work with large UIDs/GIDs
2: fix for buffer overflow problems in X11/Motif Libraries
3: fix for Novell Netware 3.12
- -------------------------------------------------------------------

- -------------------------------------------------------------------
3) SUN SECURITY PROBLEMS AND PATCHES

Sun Security Bulletins are available at:
<http://sunsolve1.sun.com/sunsolve/secbulletins/>

Sun Security Patches are available at:
<ftp://sunsolve1.sun.com/pub/patches/patches.html>

A) 6/24 - Patch released for Buffer overflow in eeprom program
in Solaris 5.3 - 5.5.1 for SPARCs only. See also Sun Bulletin 00143.
----------------
B) 6/26 - Patch released for chkey buffer overflow problem in
(SunOS 5.5.1, 5.5, and 5.4). Patches for SunOS 5.3 should be
available in ten weeks. If you are running 5.3 you should apply
the workaround by installing the wrapper program available from
AUSCERT. See <http://ciac.llnl.gov/ciac/bulletins/h-73.shtml> for
more information. See also Sun Bulletin 00144.
----------------
C) 6/25 - Multiple vulnerabilities exist in AdminSuite releases
2.1 and 2.2.

AdminSuite is used to add user accounts and manage NIS maps.
AdminSuite creates files with incorrect permissions and adds
users to the NIS map with excessive permissions. Patches are
available from Sun. For more information see the CIAC bulletins at:
<http://ciac.llnl.gov/ciac/bulletins/h-75.shtml>
----------------
D) 7/18 - Patch released for ping vulnerability in SunOS 5.5.1 and 5.5.
Sun Bulletin 00146. Remote users can crash a system by sending a
ping packet via the multicast address through the loopback interface.

Patches for SunOS 5.3 and 5.4 will be available in
approximately 6-8 weeks. A workaround is available for those
systems. See the CIAC bulletin for more information:
<http://ciac.llnl.gov/ciac/bulletins/h-83.shtml>
----------------
E) Patches released for talkd vulnerability for SunOS 5.3-5.5 and
SunOS 4.1.4 and 4.1.3_U1. Also see Sun Bulletin 00147.
----------------
F) 7/30 - Patches released for vulnerability in NIS+ in SunOS 5.3
and 5.4. The vulnerabilities relate to buffer overflow problems
in the nss_nisplus.so.1 module. Also see Sun Bulletin 00148.
- -------------------------------------------------------------------

- -------------------------------------------------------------------
4) NT/WIN95 SECURITY PROBLEMS AND BUG FIXES

The Microsoft Security page is located at:
<http://www.microsoft.com/security/>

Additional NT Security Related web pages may be found at:
<http://ntbugtraq.rc.on.ca/index.html>
<http://www.ntsecurity.net/>

A) Denial of Service Attack in Microsoft IIS for NT 4.0 - (6/30)

By sending a request whose URL is of a certain length (typically
between 4 and 8K) a remote user can cause an access violation in the
server which requires a reboot to fix. Unsaved data may be lost.
Microsoft has provided a patch for this problem. Exploits for this
problem have been published on the Internet.

This problem affects IIS versions 2.0 and 3.0 on systems running NT 4.0.

For more information see the CIAC bulletin at:
<http://ciac.llnl.gov/ciac/bulletins/h-77.shtml>
----------------------
B) Denial of Service Attack on Windows/NT using ICMP - (7/2)

This problem is similar to the Ping of Death attacks discussed earlier
this year. By sending a corrupt ICMP packet you can cause a
Windows/NT system to freeze and require a reboot.

Patches are available at
<ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/icmp-fix>

For more information see the CIAC bulletin at:
<http://ciac.llnl.gov/ciac/bulletins/h-78.shtml>
------------------------
C) Bug fixes released for NT3.51 (7/26)

Patches fix two known security problems [Q143474 - Anonymous
login user (Red Button) and Q161372 - SMB signing to prevent
"Man in the middle" attacks.] Fixes are available at:
<ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT351/hotfixes-postSP5/sec-fix>
-------------------------
D) Kernel Routine Error in NT 4.0 Service Pack 3.0 - (7/4)

A program called getadmin.exe, which has been distributed on the
Internet, grants administrative privileges to normal users. The
program takes advantage of a bug in a low-level kernel routine.

Microsoft has published a fix for this problem:
<ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/getadmin-fix>

Later discussions on bugtraq revealed this patch did not fix the
problem entirely. Additional information on the vulnerability can be
found at: <http://www.ntsecurity.net/security/getadmin.htm>
-------------------------
E) Yet Another Netscape Communicator Bug (7/25)

The latest version of Communicator (4.0.1a) was supposed to correct
a security bug discovered in June. However, there is a flaw in the
way LiveConnect has been implemented in 4.0.1a. The end result is
similar to the situation with the previous bug: a malicious user can
monitor all of your web activity. For more information, see the
article at:
<http://www5.zdnet.com/zdnn/content/zdnn/0725/zdnn0005.html>
-------------------------
F) A New Fragmentation Attack (Win NT)

When reassembling a fragmented IP packet, the Microsoft implementation
does not require the first fragment to have an offset value of zero.
It merely checks whether the sum of the lengths of the collected
fragments equals the total length of the original unfragmented IP
packet. If enough fragments have been received so that this condition
holds, the NT stack will happily reassemble what it has accumulated so
far. This problem has been fixed with Service Pack 3. For more
information see:
<http://www.dataprotect.com/ntfrag/>
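As an added illustration (written for this page, not code from the digest or from dataprotect.com), the C program below models the two checks side by side: a length-sum check of the kind described above, and a strict one that insists on a zero-offset fragment and a gap-free, overlap-free tiling of the datagram. The fragment sets are constructed for the example, and offsets are given in bytes rather than the header's 8-byte units.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One IP fragment as the reassembly code sees it. Offsets are in bytes
 * here (the header field counts 8-byte units); mf is the More Fragments bit. */
struct frag {
    uint16_t offset;
    uint16_t len;
    int mf;
};

/* The check the digest describes for the NT stack: reassemble as soon as
 * the collected payload lengths add up to the datagram's total length,
 * regardless of where the pieces sit. */
int lax_reassembly_ok(const struct frag *f, size_t n, uint16_t total)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += f[i].len;
    return sum == total;
}

static int by_offset(const void *a, const void *b)
{
    const struct frag *x = a, *y = b;
    return (x->offset > y->offset) - (x->offset < y->offset);
}

/* A conservative check: a fragment must start at offset 0, the pieces must
 * tile [0, total) with no gap and no overlap, and MF must be set on every
 * piece except the last. */
int strict_reassembly_ok(const struct frag *f, size_t n, uint16_t total)
{
    if (n == 0)
        return 0;
    struct frag *s = malloc(n * sizeof *s);
    if (s == NULL)
        return 0;
    memcpy(s, f, n * sizeof *s);
    qsort(s, n, sizeof *s, by_offset);

    int ok = (s[0].offset == 0);
    uint32_t expect = 0;
    for (size_t i = 0; ok && i < n; i++) {
        int last = (i == n - 1);
        if (s[i].len == 0 || s[i].offset != expect)  /* gap, overlap or duplicate */
            ok = 0;
        else if (s[i].mf != !last)                   /* wrong More Fragments bit */
            ok = 0;
        expect += s[i].len;
    }
    free(s);
    return ok && expect == total;
}

/* Constructed sample: a 24-byte datagram sent as three 8-byte fragments. */
const struct frag GOOD[3] = { {0, 8, 1}, {8, 8, 1}, {16, 8, 0} };

/* Constructed hostile set: the head (offset 0) never arrives, but a repeat
 * of the middle piece makes the lengths add up to 24 anyway. */
const struct frag HEADLESS[3] = { {8, 8, 1}, {16, 8, 0}, {8, 8, 1} };

int main(void)
{
    printf("complete set : lax=%d strict=%d\n",
           lax_reassembly_ok(GOOD, 3, 24), strict_reassembly_ok(GOOD, 3, 24));
    printf("headless set : lax=%d strict=%d\n",
           lax_reassembly_ok(HEADLESS, 3, 24), strict_reassembly_ok(HEADLESS, 3, 24));
    return 0;
}
```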
- -------------------------------------------------------------------

- -------------------------------------------------------------------
5) BSD LPD SPOOLING PROGRAM VULNERABILITY (7/25)

A buffer overflow resulting from insufficient bounds checks may allow
local users to gain root access by overwriting an internal stack.
Exploits of this problem are available on the Internet. As a
workaround, AUSCERT recommends you use their wrapper program
available at:
<ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c>

Some vendors have already provided patches for this problem.

For more information see the CERT Advisory at:
<ftp://info.cert.org/pub/cert_advisories/CA-97.19.bsdlp>
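The wrapper approach recommended here and under item 3B works by taking the place of the vulnerable setuid binary and refusing to run it when any string handed to it is long enough to overflow a fixed-size buffer. The C program below is an added example of that approach written for this page, not AUSCERT's code; it checks both argument and environment strings, and REAL_PROGRAM and MAX_STRING_LEN are placeholders an administrator would set per binary.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Placeholder: where the original setuid binary was moved. The wrapper is
 * installed under the binary's old name and execs only this fixed path. */
#define REAL_PROGRAM "/usr/libexec/lpd.real"

/* Longest argument or environment string the real program will ever see.
 * Set it below the smallest fixed-size buffer in the protected binary. */
#define MAX_STRING_LEN 256

/* Returns 1 when every string in a NULL-terminated vector (argv or envp)
 * is shorter than limit, 0 as soon as one reaches it. */
int vector_within_limit(char *const *vec, size_t limit)
{
    if (vec == NULL)
        return 1;
    for (size_t i = 0; vec[i] != NULL; i++) {
        /* strnlen stops at limit, so an oversized string cannot make the
         * wrapper itself walk arbitrarily far. */
        if (strnlen(vec[i], limit) >= limit)
            return 0;
    }
    return 1;
}

/* Checks both vectors; 1 means the exec may proceed. Kept apart from the
 * exec so the policy can be tested without spawning anything. */
int exec_is_safe(char *const argv[], char *const envp[], size_t limit)
{
    return vector_within_limit(argv, limit) && vector_within_limit(envp, limit);
}

/* Hands control to the real program only after the checks pass. Returns
 * only on failure; a successful execve never returns. */
int run_wrapped(const char *real_path, char *const argv[], char *const envp[])
{
    if (!exec_is_safe(argv, envp, MAX_STRING_LEN)) {
        errno = E2BIG;               /* the error the kernel uses for oversized args */
        return -1;
    }
    execve(real_path, argv, envp);
    return -1;                       /* path missing, not executable, ... */
}

int main(int argc, char *argv[])
{
    const char *me = argc > 0 ? argv[0] : "wrapper";
    if (run_wrapped(REAL_PROGRAM, argv, environ) == -1) {
        /* Report the error without echoing the offending string: a long
         * argument copied into a log line is the same hazard one hop on. */
        fprintf(stderr, "%s: refusing to run: %s\n", me, strerror(errno));
        return 1;
    }
    return 0;                        /* not reached */
}
```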
- -------------------------------------------------------------------

- -------------------------------------------------------------------
6) RACE CONDITION IN LYNX TEMPORARY FILE CREATION (7/15)

Temporary files on Lynx systems are usually created in the /tmp
directory and the file names are predictable. A user on the same
machine could take advantage of a possible race condition and overwrite
a temporary file with one of his own. This could result in the user
gaining access to information not normally available to that user.

There is a patch available (the FOTEMODS patch) and there is a
workaround for Lynx version 2.7.1.

Questions about the bulletin only may be sent to Jim Spath at
[email protected]; questions about Lynx may be sent to
[email protected].

For more information see the CERT Advisory at:
<ftp://info.cert.org/pub/cert_advisories/cert_bulletins/VB-97.05.lynx>
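The race is between choosing a predictable name and opening it; the defence is to let the system pick the name and create the file atomically so a pre-planted file or symlink makes the open fail. The C program below is an added example written for this page (not Lynx code or the FOTEMODS patch) that shows the predictable pattern beside a hardened replacement built on mkstemp; the "lynx" name prefix is only a sample value.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the bulletin warns about: a name anyone on the machine can
 * predict from the process id. Between choosing the name and opening it,
 * another local user can plant a file (or a symlink to a file they want
 * clobbered) under that name. Shown only to make the contrast. */
void predictable_tmp_name(char *buf, size_t size, const char *prog)
{
    snprintf(buf, size, "/tmp/%s%ld", prog, (long)getpid());
}

/* Hardened replacement. mkstemp picks an unpredictable suffix and creates
 * the file atomically with O_CREAT|O_EXCL, so a pre-planted file or
 * symlink makes the open fail instead of being reused. The fstat check
 * afterwards confirms that what we hold is a fresh, private, regular file.
 * On success the caller owns fd and must unlink(path) when finished. */
int safe_open_tmp(char *path, size_t size, const char *prog)
{
    if (snprintf(path, size, "/tmp/%s.XXXXXX", prog) >= (int)size)
        return -1;                      /* template does not fit */
    int fd = mkstemp(path);             /* rewrites XXXXXX in place, mode 0600 */
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)
        || st.st_nlink != 1 || st.st_uid != geteuid()
        || (st.st_mode & 0777) != 0600) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

int main(void)
{
    char name[64], path[64];

    predictable_tmp_name(name, sizeof name, "lynx");
    printf("predictable name another user could pre-create: %s\n", name);

    int fd = safe_open_tmp(path, sizeof path, "lynx");
    if (fd < 0) {
        perror("safe_open_tmp");
        return 1;
    }
    printf("private temporary file: %s\n", path);
    if (write(fd, "scratch data\n", 13) < 0)
        perror("write");
    close(fd);
    unlink(path);
    return 0;
}
```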
- -------------------------------------------------------------------

- -------------------------------------------------------------------
7) MAC MBDF VIRUS IN THE VELLUM 3D CDROM (7/8)

Vellum 3D version 3.0 is a CAD package for the Mac distributed on CD.
Versions of this CD contained a strain of the MBDF virus. The CD is
distributed free by Ashlar. The MAC version of the program contains
the virus. The CD also contains a Windows/NT version of the demo
program which is not infected. For more information see the
CIAC bulletin:
<http://ciac.llnl.gov/ciac/bulletins/h-79.shtml>

A minor variant of MBDF B has been reported, the first 'new' Macintosh
system virus in two years. The freeware Macintosh virus scanner
Disinfectant has been upgraded to version 3.7.1 accordingly. NB
Disinfectant is only effective against Macintosh system viruses, not
macro viruses or Trojan Horses.
<ftp://ftp.nwu.edu/pub/disinfectant/>
- -------------------------------------------------------------------

- -------------------------------------------------------------------
8) ANOTHER INN VULNERABILITY (7/22)

Another vulnerability has been discovered in INN versions up to
1.5.1. The vulnerability can allow remote users to gain access to
systems and, once a single server has been penetrated, all of the
peers can be accessed as well. Post access is required to exploit
these vulnerabilities (the remote user MUST have post access rights
to the target server). The problem stems from a lack of bounds checking
when doing multiple string copies.

The version number correcting this problem is inn-1.5.1sec.

For more information see the SECNET advisory at:
<http://www.secnet.com/advisories/sni-16.inn.advisory.html>

** Speaking of INN vulnerabilities, Mark Abene, AKA Phiber Optik,
during the course of performing a security audit, discovered a system
running an older, exploitable version of INN. In the course of testing,
Phiber found himself flooded with over 100 MBs of password files. You
can find his explanation of the incident at:
<ftp://suburbia.net/pub/mailinglists/lacc/984>
- -------------------------------------------------------------------

- -------------------------------------------------------------------
9) BUFFER OVERFLOW IN MSQL DATABASE SERVER (7/27)

Many of the string manipulation routines used in the msqld or msqld2
programs do not perform bounds checking, thus making it possible
to overwrite an internal stack and run arbitrary code. There is also
a hostname spoofing problem caused by the lack of a forward
lookup on the hostname. Versions 2.0.1 and earlier are vulnerable.
For more information see the SNI security advisory at:
<ftp://ftp.secnet.com/advisories/SNI-17.MSQL.advisory>
- -------------------------------------------------------------------

- -------------------------------------------------------------------
10) VULNERABILITY IN 4.4BSD PROCFS PROGRAM

A vulnerability in the 4.4BSD process file system allows arbitrary
processes to lower the system securelevel, subverting security
measures that rely on this setting. This problem can affect the
filesystem "immutable" flag, and may allow intruders to modify the
running kernel. Experts believe that all 4.4BSD operating systems
are currently vulnerable to this problem. A patch has been posted in
bugtraq but the discussion is still ongoing.
- -------------------------------------------------------------------

- -------------------------------------------------------------------
11) QUICK TIDBITS

A) Buffer overflow with IRC servers derived from irc2.x distribution.
An explanation of the problem was sent to the bugtraq mailing list
on 7/1. No alerts are known to have been posted. The bug
is known to exist in all versions of ircd.dal through 4.4.10 and the
base ircu2.9.32 version. A patch was posted to the bugtraq list.

The bugtraq archives are available on the web at:
<http://www.netspace.org/lsv-archive/bugtraq.html>
---------------
B) Internet Draft on methods to defeat source address spoofing (7/2)
P. Ferguson and D. Senie have released their paper as an Internet draft
which discusses a method for protecting against Denial of Service
attacks by ingress (input) traffic filtering. The draft is available at:
<ftp://ds.internic.net/internet-drafts/draft-ferguson-ingress-filtering-02.txt>
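The filtering the draft describes is applied at the provider's edge: on the link from a customer, only packets whose source address lies in a prefix assigned to that customer are forwarded, and anything else is treated as spoofed. The C program below is an added example of that rule written for this page, not code from the draft; the customer prefixes and sample sources are constructed from the reserved documentation ranges.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* An IPv4 prefix, network part in host byte order. */
struct prefix {
    uint32_t net;
    unsigned bits;
};

static uint32_t mask_for(unsigned bits)
{
    return bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
}

/* Parses "a.b.c.d/n" into *out; returns 1 on success, 0 on malformed input. */
int parse_prefix(const char *cidr, struct prefix *out)
{
    char addr[INET_ADDRSTRLEN];
    const char *slash = strchr(cidr, '/');
    if (slash == NULL || (size_t)(slash - cidr) >= sizeof addr)
        return 0;
    memcpy(addr, cidr, (size_t)(slash - cidr));
    addr[slash - cidr] = '\0';
    char *end;
    long bits = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32)
        return 0;
    struct in_addr in;
    if (inet_pton(AF_INET, addr, &in) != 1)
        return 0;
    out->bits = (unsigned)bits;
    out->net = ntohl(in.s_addr) & mask_for(out->bits);
    return 1;
}

int in_prefix(uint32_t host_addr, const struct prefix *p)
{
    return (host_addr & mask_for(p->bits)) == p->net;
}

/* Ingress rule for the link from one customer: forward a packet only when
 * its source lies inside a prefix assigned to that customer; any other
 * source is treated as spoofed. Returns 1 = forward, 0 = drop,
 * -1 = unparsable address or prefix list. */
int ingress_forward(const char *src, const char *const *assigned, size_t n)
{
    struct in_addr in;
    if (inet_pton(AF_INET, src, &in) != 1)
        return -1;
    uint32_t host = ntohl(in.s_addr);
    for (size_t i = 0; i < n; i++) {
        struct prefix p;
        if (!parse_prefix(assigned[i], &p))
            return -1;
        if (in_prefix(host, &p))
            return 1;
    }
    return 0;
}

/* Constructed scenario: one customer holding two documentation prefixes. */
const char *const CUSTOMER[2] = { "192.0.2.0/24", "198.51.100.0/26" };

int main(void)
{
    const char *samples[] = { "192.0.2.17", "198.51.100.5", "198.51.100.70", "10.0.0.1" };
    for (size_t i = 0; i < 4; i++)
        printf("%-15s -> %s\n", samples[i],
               ingress_forward(samples[i], CUSTOMER, 2) == 1 ? "forward" : "drop");
    return 0;
}
```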
-----------------
C) Buffer Overflow in Linux ld.so loader program (7/22)

Local users may gain root access by exploiting this
vulnerability. Fixes for various versions of Linux are available.
See the CIAC bulletin for more information:
<http://ciac.llnl.gov/ciac/bulletins/h-86.shtml>
-----------------
D) U.S. Senate committee approves encryption bill

The U.S. Senate Commerce Committee Thursday approved the Secure
Public Networks Act, a move that software industry and privacy
rights groups called a setback for electronic privacy and electronic
commerce. This topic has been widely discussed in various places. Some
useful resources include:
<http://www.netspace.org/lsv-archive/bugtraq.html>
<http://www.epic.org/>
<http://www.vtw.org/>
-----------------
E) THEY FOUND IT!!!!! DES has been cracked !!!

LOVELAND, COLORADO (June 18, 1997). Tens of thousands of computers,
all across the U.S. and Canada, were linked together via the Internet
in an unprecedented cooperative supercomputing effort to decrypt a
message encoded with the Data Encryption Standard (DES). The size
of the DES key was 56 bits. The $10,000 DES Challenge was sponsored
by RSA Data Security, Inc. For more info, see:
<http://www.frii.com/~rcv/deschall.htm>
<http://www.rsa.com/pressbox/html/970619.html>

As a general note, the NIST is in the process of developing a new standard.
-----------------
F) Asmodeus releases a port scanner/database for NT.
It is actually quite fast, and supports burst scanning of an entire
class C address range. It does use Winsock 2, so you need to have NT 4.0
Workstation or Server, and an 800x600 display. For more information
see the web page at: <http://www.asmodeus.com/>
-----------------
G) Infilsec has released a new vulnerability database called the
Vulnerability Engine at: <http://www.infilsec.com/vulnerabilities/>
-----------------
H) Sendmail 8.8.6 is Released

Archive locations are:
<//ftp.sendmail.org/pub/sendmail/sendmail.8.8.6.tar.gz>
<//ftp.cs.berkeley.edu/ucb/src/sendmail/sendmail.8.8.6.tar.gz>
-----------------
I) PGP for Personal Privacy, Version 5.0 released

The new version of PGP is designed for individuals and has features that
"integrate seamlessly" into popular email packages and all of the standard
consumer operating systems. See the PGP website for more
details: <http://www.pgp.com/products/PGP50.cgi>
**********************
Copyright, 1997. No copying or forwarding allowed. Please email
[email protected] for subscription information.






This note includes three items:

(1) Three corrections to the August Network Security Digest
(2) The url, user name and password that will allow you to access the
August issue of the Digest with live links.
(3) Announcement of availability of the "Twelve Mistakes to Avoid in Web
Security" - a booklet that will help your managers see why and how they
should invest more heavily in computer security.

=======================================================

1. We made three errors in the August Digest. The corrected items are
below:

Item 3) SUN SECURITY PROBLEMS AND PATCHES

Sun Security Bulletins are available at:
<http://sunsolve1.sun.com/sunsolve/secbulletins/>

Sun Security Patches are available at:
<ftp://sunsolve1.sun.com/pub/patches/patches.html>

A) 6/24 - Patch released for Buffer overflow in the eeprom program
in Solaris 5.3 - 5.5.1 (for SPARCs only). See also Sun Bulletin 00143.
----------------
B) 6/26 - Patch released for chkey buffer overflow problem in
(SunOS 5.5.1, 5.5, and 5.4). Patches for SunOS 5.3 should be
available in approximately ten weeks. If you are running 5.3 you
should apply the workaround by installing the wrapper program available
from AUSCERT. See <http://ciac.llnl.gov/ciac/bulletins/h-73.shtml>
for more information. See also Sun Bulletin 00144.
----------------
- -------------------------------------------------------------------

- -------------------------------------------------------------------
Item 6) RACE CONDITION IN LYNX TEMPORARY FILE CREATION (7/15)

Temporary files on Lynx systems are usually created in the /tmp
directory and the file names are predictable. A user on the same
machine could take advantage of a possible race condition and overwrite
a temporary file with one of his own. This could result in the user
gaining access to information not normally available to that user.

There is a patch available (the FOTEMODS patch) and there is a
workaround for Lynx version 2.7.1.

Questions about the bulletin only may be sent to Jim Spath at
[email protected]; questions about Lynx may be sent to
[email protected].

For more information see the CERT Advisory at:
<ftp://info.cert.org/pub/cert_advisories/cert_bulletins/VB-97.05.lynx>
- -------------------------------------------------------------------

- -------------------------------------------------------------------
Item 7) MAC MBDF VIRUS IN THE VELLUM 3D CDROM (7/8)

Vellum 3D version 3.0 is a CAD package for the Mac distributed on CD.
Versions of this CD contained a strain of the MBDF virus. The CD is
distributed free by Ashlar. The MAC version of the program contains
the virus. The CD also contains a Windows/NT version of the demo
program which is not infected. For more information see the
CIAC bulletin:
<http://ciac.llnl.gov/ciac/bulletins/h-79.shtml>

A minor variant of MBDF B has been reported, the first 'new' Macintosh
system virus in two years. The freeware Macintosh virus scanner
Disinfectant has been upgraded to version 3.7.1 accordingly. NB
Disinfectant is only effective against Macintosh system viruses, not
macro viruses or Trojan Horses.
<ftp://ftp.nwu.edu/pub/disinfectant/>
- -------------------------------------------------------------------

2. To view the corrected August issue on the web, and to use live links,
go to http://www.sans.org/NWSdigest/nwsdiges.htm. When it asks you for
your user name and password, type nwsdigest for the user name and type the
word update for the password.

3. One of the SANS Institute's sister organizations, called The Intranet
Institute, has just published a useful short booklet called "Twelve
Mistakes To Avoid in Web Security." It's the story of the aftermath of
the US Justice Department's break-in, written by one of the most respected
CIOs in government, Dr. Mark Boster, Asst. Attorney General for
Information Resource Management. What makes it useful to sysadmins and
security professionals - in addition to some of the findings - is that it
speaks directly to management and makes a strong case for substantial
increases in funding and staffing for security.

Copies are free for those people who attended SANS 96 or SANS 97 or
Network Security 95 or 96 or have registered for Network Security 97. If
you fall in that category, just reply to this email letting us know that
you want one and to what surface mail address it should be sent. Others
who want a copy can try emailing [email protected] and asking for a copy.
Other than the copies reserved for SANS people, the booklets are primarily
for the people who attend the upcoming Intranet Implementation and
Operations Conference (IIOC) in Washington in November, which will be the
intranet equivalent of SANS. The Intranet Institute people may have some
extra copies to send out, especially if they think you are interested in
attending the conference.

============================================================

I hope you were able to get away for a vacation this summer. My wife and I
just went up to Maine to take our youngest child to college there. It was
beautiful. If you haven't been to Maine, it's worth trying.

Cheers.

 