The SANS NT Digest
A Resource for Computer and Network Security Professionals
Volume 2, Number 11
December 1, 1999
Dr. Jesper M. Johansson (Boston University)
Editorial Board:
Dr. Matt Bishop (Univ. California, Davis)
Jeff Brown (Merrill Lynch)
Phil Cox (SystemExperts Corp.)
Mark T. Edmead (IBM Global Security Services)
Chris Lalka (Exxon)
Eric Maiwald (Fortrex)
Rob Marchand (Array Systems),
Dr. Gene Schultz (Global Integrity Corporation, an SAIC Company)
Copyright 1999. The SANS Institute. All rights reserved.
You may forward this issue to your co-workers and encourage them to
subscribe. To do so, send a note with the subject "NT Digest" to
.
**********************************************************************
The big news this month is undoubtedly not technical, but legal. On
November 5, Judge Thomas Penfield Jackson issued his findings of fact
in the case of the United States of America vs. Microsoft Corporation.
In that finding the judge declared that Microsoft was indeed a monopolist,
and that it had used its power to cause consumer harm. However, it is
not certain yet whether those actions are in violation of US anti-trust
laws. For more complete information on the legal troubles involving
Microsoft, see the article
http://www.infoworld.com/cgi-bin/displayStory.pl?/features/980518msdoj.htm
at InfoWorld.
JMJ
**********************************************************************
Table of Contents
1 Microsoft Security Bulletins
1.1 Re-release of Microsoft Security Bulletin MS99-042 - Re-release of
patch for "IFRAME ExecCommand" patch
1.2 Re-release of Microsoft Security Bulletin MS99-043 - Patch Available
for "Javascript Redirect" Vulnerability
1.3 MS99-047 - Patch Available for "Malformed Spooler Request" Vulnerability
1.4 MS99-048 - Patch Available for "Active Setup Control" Vulnerability
1.5 MS99-049 - Patch Available for "File Access URL" Vulnerability
1.6 MS99-051 - Patch Available for "IE Task Scheduler" Vulnerability
1.7 MS99-052 - Patch Available for "Legacy Credential Caching" Vulnerability
2 MS Hotfixes
2.1 TCP Initial Sequence Number Patch recalled
3 Virus warnings
3.1 FunLove
3.2 BubbleBoy
4 Other NT Issues
4.1 Windows NT Service Pack 6a available soon
4.2 Windows 2000 scheduled for release to manufacturing before end of year
4.3 Problems with using RegEdit.exe to edit registry
4.4 Enabling case sensitivity fix under Service Pack 5 and 6x
4.5 BSOD on Compaq Servers after SP6 (with Compaq NC31xx)
4.6 Remote DOS in services.exe. Various workarounds available
4.7 IIS 4 fails to log passive FTP connections correctly
4.8 Buffer Overflow in WordPad
5 IE Issues
5.1 Internet Explorer 5.01 available
5.2 HTTP Redirection vulnerability in IE 5.0 and 4.x
5.3 IE 5.0 and Windows Media Player ActiveX object allow checking the
existence of local files and directories
5.4 IE 5.0 XML HTTP redirect problems
6 Third-party software issues
6.1 SQL Server linked logins recoverable passwords issue
6.2 Veritas BackupExec 7.3 potential restore issue
6.3 Netscape Messenger Server 3.6 DOS vulnerability
6.4 Buffer overflows discovered this month
This month we will try a new format to report the dozens of buffer
overflows reported each month. To avoid redundancy we will simply list
them with no further comment. They will not appear in the remainder of
the digest. In addition, we have tried to give you a little more
information in a concise format. To that end, certain items are marked
with a # or @ sign. A # sign means that an exploit for this issue is
publicly available. An @ sign means that a fix is available currently.
We have also, in some cases, included a URL after the item. That URL
points to either a fix, if one is available, or to the vendor's web-site,
if we know it.
* Alibaba Web Server
* # APC PowerChute Plus 5.1 (will be fixed in version 5.2)
* Artisoft XtraMail 1.1 (http://www.artisoft.com/Files.nsf/All+Files?OpenView)
* # Avirt Mail Server 3.3a and 3.5
* BFTelnet Server v1.1
* # BisonWare FTP Server V3.5
(http://ourworld.compuserve.com/homepages/nick_barnes/)
* CMail SMTP service 2.4 (http://www.computalynx.com/)
* ExpressFS 2.x FTP Server
* Gene6's G6 FTP Server
* # Interscan VirusWall NT 3.23/3.3 (patch available at
http://www.antivirus.com/vinfo/default.asp)
* Intersoft NetFtpd distributed with NetTerm 4.2.a/4.2.2/4.2.1
(http://www.dragonmount.net/security/vra/InterSoft/NetFtpd_response.htm)
* #@ Ipswitch's IMAIL POP3 server 5.05-5.07
(ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail508.exe)
* #@ MDaemon Server v2.8.5.0 (http://www.mdaemon.com)
* # MDaemon WorldClient Server v2.0.0.0 (http://www.mdaemon.com)
* # NetCPlus SmartServer3 POP 3.51.1
* QPC QVT/Term Plus 4.2d FTP server
* # RealNetworks RealServer G2 (http://service.real.com/help/faq/servg260.html)
* # TransSoft's Broker Ftp Server v3.5 (http://www.transsoft.com)
* Vermillion FTP Daemon (VFTPD) v1.23 (http://www.arcanesoft.com/)
* #@ WFTPD v2.34 and 2.40 (fixed in 2.41)
* Ximtami Web Server
* ZetaMail 2.1 Mail POP3/SMTP Server
6.5 Web server directory traversal vulnerabilities
6.5.1 Eserv 2.50 (http://www.eserv.ru)
6.5.2 FTGate Version 2.1 (http://www.floosietek.com)
6.5.3 Symantec Mail-Gear 1.0 (Fixed in v. 1.1 at
http://www.symantec.com/urlabs/public/download/download.html)
7 Tip of the month: Change the Office 2000 Installation media
=======================================================================
1 Microsoft Security Bulletins
1.1 Re-release of Microsoft Security Bulletin MS99-042 - Re-release of
patch for "IFRAME ExecCommand" patch
Microsoft has re-released the IFRAME ExecCommand patch for IE 5.0. The
original patch contained a regression error that re-introduced the
cross-frame navigation vulnerability. The re-released patch is only for
users of IE 5.0; users of IE 4.01 SP2 are not affected by the regression.
Within the IE 4 line, the patch is only for IE 4.01 SP2, so users of
earlier versions of IE 4 are recommended to install IE 4.01 SP2 and then
apply the patch.
For more information see:
* Microsoft Security Bulletin MS99-042
http://www.microsoft.com/security/bulletins/MS99-042.asp
* Microsoft Security Bulletin MS99-042: Frequently Asked Questions
http://www.microsoft.com/security/bulletins/MS99-042faq.asp
* Microsoft Knowledge Base (KB) article Q243638, Update Available for
"IFRAME ExecCommand" Vulnerability in Internet Explorer 5
http://support.microsoft.com/support/kb/articles/q243/6/38.asp
1.2 Re-release of Microsoft Security Bulletin MS99-043 - Patch Available
for "Javascript Redirect" Vulnerability
This bulletin announces that a patch is now available for the JavaScript
re-direct vulnerability discussed in last month's digest.
The patch is for users of IE 5.0 and IE 4.01 SP2. Users of earlier
versions of IE 4.x must upgrade to IE 4.01 SP2 or IE 5.0 before applying
the patch. IE 4.01 SP2 is available at
http://www.microsoft.com/Windows/ie/download/windows.htm.
The patch is available on Windows Update (http://windowsupdate.com) and
MSDownload (http://www.microsoft.com/downloads).
For more information see:
* Microsoft Security Bulletin MS99-043
http://www.microsoft.com/security/bulletins/MS99-043.asp
* Microsoft Security Bulletin MS99-043: Frequently Asked Questions
http://www.microsoft.com/security/bulletins/MS99-043faq.asp
* Microsoft Knowledge Base (KB) article Q244356 "Update for "Javascript
Redirect" Vulnerability in Internet Explorer 4.01"
http://support.microsoft.com/support/kb/articles/q244/3/56.asp
* Microsoft Knowledge Base (KB) article Q244357 "Update for "Javascript
Redirect" Vulnerability in Internet Explorer 5"
http://support.microsoft.com/support/kb/articles/q244/3/57.asp
1.3 MS99-047 - Patch Available for "Malformed Spooler Request"
Vulnerability (Exploit available)
The eEye Digital Security Team (http://www.eEye.com) discovered a buffer
overflow in the spooler service. The vulnerability could be used to run
arbitrary code on a Windows NT machine, or as a privilege elevation
attack. One version of this attack is remotely exploitable by normal
users. Several more are remotely exploitable by Power Users. None can
be exploited by anonymous users.
The vulnerability affects all versions of Windows NT 4.0.
Microsoft has published fixes for NT 4.0 Workstation, Server, and Server
Enterprise Edition at:
* X86:
http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/NT4/EN-US/Q243649.exe
* Alpha:
http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/ALPHA/EN-US/Q243649.exe
For more information see:
* Microsoft Security Bulletin MS99-047
http://www.microsoft.com/security/bulletins/MS99-047.asp
* Microsoft Security Bulletin MS99-047: Frequently Asked Questions
http://www.microsoft.com/security/bulletins/MS99-047faq.asp
* Microsoft Knowledge Base (KB) article Q243649 "Unchecked Print Spooler
Buffer may Expose System Vulnerability"
http://support.microsoft.com/support/kb/articles/q243/6/49.asp
1.4 MS99-048 - Patch Available for "Active Setup Control" Vulnerability
Juan Carlos Garcia Cuartango discovered a new vulnerability for Outlook
98 and 2000 as well as Outlook Express 4.x and 5.x this month. This
vulnerability can be exploited by a combination of ActiveX and Active
Scripting to cause an arbitrary attachment to be executed from the mail
reader, if Active Scripting is enabled.
A CAB file can be disguised as an innocuous GIF, TXT, etc. file and
attached to an e-mail. When a user tries to open the attachment the open
request will fail. However, a copy of the attachment is saved in the
TEMP folder. This copy can now be opened using the Active Setup ActiveX
control from a script in the e-mail message.
A workaround, which we recommend be implemented regardless of the patch,
is to set Outlook and Outlook Express to use the "Restricted Sites"
security zone, and then permanently disable Active Scripting in that
zone. We recommend that you do so even if you install that patch because
this is the latest in a long line of Active Scripting problems. We
believe that it is not the last. Besides, do you really need to execute
JavaScript in e-mail and newsgroup messages?
Since the control in question ships with IE 4 and 5, the vulnerability
is considered to affect IE. In keeping with current Microsoft strategy,
there is no fix available for IE 4.01 SP1 and earlier, even though those
versions are affected as well.
The patch works by restricting the Active Setup control to launch only
digitally signed CAB files. It is available at:
* http://windowsupdate.microsoft.com
* http://www.microsoft.com/msdownload
* http://www.microsoft.com/msdownload/iebuild/ascontrol/en/ascontrol.htm
For more information see:
* Microsoft Security Bulletin MS99-048
http://www.microsoft.com/security/bulletins/MS99-048.asp
* Microsoft Security Bulletin MS99-048: Frequently Asked Questions
http://www.microsoft.com/security/bulletins/MS99-048faq.asp
* Microsoft Knowledge Base (KB) article Q244540 "Update Available for
"Active Setup Control" Vulnerability"
http://support.microsoft.com/support/kb/articles/q244/5/40.asp
1.5 MS99-049 - Patch Available for "File Access URL" Vulnerability
This bulletin addresses a buffer overrun vulnerability specific to
Windows 9x. For more information see:
* Microsoft Security Bulletin MS99-049
http://www.microsoft.com/security/bulletins/MS99-049.asp
* Microsoft Security Bulletin MS99-049: Frequently Asked Questions
http://www.microsoft.com/security/bulletins/MS99-049faq.asp
* Microsoft Knowledge Base (KB) article Q245729 "Windows 95 and
98 File Access URL Update"
http://support.microsoft.com/support/kb/articles/q245/7/29.asp
1.6 MS99-051 - Patch Available for "IE Task Scheduler" Vulnerability
Arne Vidstrom and Svante Senmark have discovered a vulnerability in the
Task Scheduler component of IE. The vulnerability can be used in a
privilege elevation attack. If an attacker has write access to a file
owned by the Administrators group, the contents of that file can be
replaced with a schedule job definition. The file can then be moved into
the %systemroot%\tasks\ directory and renamed with a job extension. The
Task Scheduler will think it is a scheduled task and run it. In this
manner, an unprivileged user can schedule tasks on a system.
The vulnerability is eliminated in IE 5.01, which is available at:
http://www.microsoft.com/msdownload/iebuild/ie501_win32/en/ie501_win32.htm
For more information on this issue, see the following:
* Microsoft Security Bulletin MS99-051
http://www.microsoft.com/security/bulletins/MS99-051.asp
* Microsoft Security Bulletin MS99-051: Frequently Asked Questions
http://www.microsoft.com/security/bulletins/MS99-051faq.asp
* Microsoft Knowledge Base (KB) article Q246972 "IE 5 Task Scheduler
Allows Privilege Elevation on Windows NT Systems"
http://support.microsoft.com/support/kb/articles/q246/9/72.asp
* An explanation of the issue by Arne Vidstrom
http://ntsecurity.nu/advisories/a11.shtml
1.7 MS99-052 - Patch Available for "Legacy Credential Caching" Vulnerability
This is a patch for an old password caching issue in Windows 9x. Windows
9x prior to Windows 98 SE caches passwords in RAM, where they are easily
retrievable. For more information, see the bulletin at
http://www.microsoft.com/security/bulletins/MS99-052.asp
2 MS Hotfixes
2.1 TCP Initial Sequence Number Patch recalled
Microsoft recalled the TCP Initial Sequence Number patch on November
17. That patch contained a regression error in Winsock.dll causing only
administrators to be capable of making Winsock connections. The same
error was included in Service Pack 6, causing a new version of Service
Pack 6 to be released. For more on that story, see section 4.1. A new
version of the TCP ISN patch is expected shortly.
3 Virus warnings
A couple of viruses affecting NT were discovered this month.
3.1 FunLove
This virus affects executables with exe, scr (screen savers) and ocx
(ActiveX controls) extensions. It is unique in that if an Administrative
user launches an infected executable, the virus will patch the
ntoskrnl.exe - the NT kernel. The modification disables all security
checking. The virus will also patch the NTLDR bootstrap loader so that
it does not cause an error when the modified kernel is loaded.
This is only the second virus (Remote Explorer was the first) to run as
a service under NT. For more information on the virus, see:
* The Symantec Anti-virus Research Center description
http://www.symantec.com/avcenter/venc/data/fun.love.html
* The NAI Labs write-up at http://vil.nai.com/vil/vpe10419.asp
* The Data Fellows Virus Information page at
http://www.datafellows.com/v-descs/funlove.htm
* Or the corresponding page from your favorite AV vendor.
3.2 BubbleBoy
Even though this virus does not spread on Windows NT, it is worth
mentioning. NT suffers from the same vulnerabilities exploited by this
virus. Therefore, a similar virus could affect NT in the future. BubbleBoy
spreads via e-mail messages in Outlook and Outlook Express. Once a system
is infected, the virus will, among other things, send a copy of the
infected e-mail message to every recipient in the Outlook Address book.
Unlike previous worms, like Melissa, it does not rely on the user opening
an attachment for the virus to spread. Rather, it uses the Active
Scripting vulnerabilities described in Microsoft Security Bulletin
MS99-032 to spread.
Since those vulnerabilities also affect Windows NT, it is probably
possible to write a similar virus that works on NT. As further protection
against that, install the fixes described in MS99-032 and disable Active
Scripting in Outlook and Outlook Express.
4 Other NT Issues
4.1 Windows NT Service Pack 6a available soon
As you are probably aware, Microsoft released Service Pack 6 for Windows
NT last month. This month, an updated service pack, named SP6a was
announced. The original version "fixed" the winsock.dll file in such a
way that only users with administrative privileges are capable of making
winsock connections. This caused problems with a wide range of software,
most notably Lotus Notes.
The updated service pack was not available at the time of this writing.
However, all indications are that it will be available by early December
at:
http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/allSP6.asp
Microsoft has also made available a fix for existing Service Pack 6
installations. Therefore, if you have already deployed Service Pack 6,
you only need this fix:
http://support.microsoft.com/support/kb/articles/Q245/6/78.asp
This leads to two different deployment options for SP6:
1. SP6 + the original TCP-ISN fix + the AFD Hotfix - Use this option if
you have already deployed SP6 or you absolutely have to have the
additional randomness of the TCP Initial Sequence Number patch right
away
2. SP6a - Use this option if you can wait until the TCP Initial Sequence
Number patch is re-released and you have not yet deployed SP6.
4.2 Windows 2000 scheduled for release to manufacturing before end of year
Microsoft announced this month that Windows 2000 will be released to
manufacturing before the end of the year. Beta testers received the
third release candidate this month, along with a statement asking them
to rush testing so that bug fixes could be included in the final release.
More importantly for most sites, Microsoft also announced pricing for
the new operating system. The pricing is in line with current pricing on
Windows NT 4.0. However, the licensing model has changed. Under NT 4.0
a separate client access license was needed for users using the file
and print services of a Windows NT Server. However, Microsoft has decided
to charge organizations for the web services of the new operating system.
Therefore, a separate client access license will be required under
Windows 2000 for each user accessing the server over an intranet or the
Internet. This, of course, leads to the problem of determining how many
licenses to buy. To solve that problem Microsoft will offer an Internet
licensing package, which for $2,000 will provide you with unlimited
client licenses for accesses to a web server running on Windows 2000.
While that is inexpensive for most organizations, it is high enough to
cause educational sites to look into switching operating systems. A
large number of educational sites have been using Windows NT Server 4.0
because the web services were free to them. So far, no educational
pricing has been announced for Windows 2000.
Pricing for Windows 2000 Data Center edition does not seem to be available
yet. However, for more information on pricing for the other versions,
see the InfoWorld article at
http://www.infoworld.com/cgi-bin/displayStory.pl?99112.piwinprice.htm.
4.3 Problems with using RegEdit.exe to edit registry
A post on NTBugTraq (http://www.ntbugtraq.com) claimed that the choice
of registry editors is important. Windows NT comes with two registry
editors, the Windows 95 registry editor, regedit.exe, and the NT registry
editor regedt32.exe. regedit.exe does not support all data types.
Therefore, if you use regedit.exe to edit an existing REG_MULTI_SZ value,
the editor will consider the value to be a REG_SZ value, and save it as
such. This causes problems if you use it to remove the POSIX and OS/2
subsystems. For example, if you clear the following value:
Hive: HKEY_Local_Machine
Key: \SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems
Value: Optional
using regedit.exe, the system will crash. The reason is that regedit
changes the type of the value to REG_SZ, causing a type mismatch.
This is a known issue, and is described in KBase article Q155267
(http://support.microsoft.com/support/kb/articles/Q155/2/67.asp).
Microsoft states that regedit.exe is included with NT only for its nice
search feature.
4.4 Enabling case sensitivity fix under Service Pack 5 and 6x
Microsoft received numerous reports that the Case Sensitivity
vulnerability (see KBase article Q222159 at
http://support.microsoft.com/support/kb/articles/Q222/1/59.ASP) was not
fixed in SP5. Apparently, that is not completely the case. It turns out
that the vulnerability will only be fixed if you enable protection of
base system objects. That is done by setting a registry value as follows:
Hive: HKEY_Local_Machine
Key: \SYSTEM\CurrentControlSet\Control\Session Manager
Value: ProtectionMode
Type: REG_DWORD
Data: 1 to enable base system object protection, 0 (default) to disable it.
For more information on protection of base system objects, see KBase
article Q218473 at
http://support.microsoft.com/support/kb/articles/Q218/4/73.ASP
Base system object protection is not enabled by default because it
apparently causes problems with some applications.
4.5 BSOD on Compaq Servers after SP6 (with Compaq NC31xx)
Apparently, there is an incompatibility between the Compaq NC31xx series
of network interface cards and Service Pack 6 for NT. Those cards ship
with several Compaq servers. Before you install SP6 on a Compaq server,
be sure to check a document describing the problem, available at
ftp://ftp.compaq.com/pub/softpaq/sp11501-12000/sp11718.txt.
4.6 Remote DOS in services.exe. Various workarounds available
Rain Forest Puppy published an exploit against services.exe this month. The
bug is apparently not in services.exe, but in srvsvc.dll. A function in
that dll fails to check the validity of a pointer returned to it, and
can thus be tricked into trying to access invalid memory.
An exploit for this attack has been released. However, it is coded so
as to cause the attacker's machine to crash/reboot each time it is run
(thanks RFP, but a "rm * -s" might have been more appropriate).
The following workarounds are currently possible, roughly in order of severity:
1. Block port 139 on your firewall. However, that will still leave you
open to internal attacks.
2. Enable RestrictAnonymous, as per Q143474
3. Unbind NetBIOS from TCP/IP. However, this will disable Windows
networking unless you have NetBeui or IPX/SPX installed. Of course,
NetBeui is not routable.
4. Stop the Server service. This will not only disable all SMB file
sharing but also disable many kinds of remote management. However, it
is the recommended solution for a web server.
4.7 IIS 4 fails to log passive FTP connections correctly
IIS 4 appears to have a bug which keeps it from correctly logging passive
FTP connections. When the port number is passed from the server to the
client, it is broken into two eight-bit integers. Those same eight-bit
integers are passed to the logging function of IIS. However, that function
puts them together in the wrong order, causing incorrect entries to be
written to the log. For more information, the discoverer has put up a
web-page with a description at http://develop.queso.com/iisftplogbug.html.
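The mechanics behind this bug are worth seeing in code. In a PASV reply the
server sends the data port as two eight-bit values, p1 and p2, and the real
port is p1*256 + p2. The following is an added example written for this
digest, not code from IIS or from the discoverer's page: it parses a 227
reply, computes the correct port, models a log entry in which the two bytes
were combined in reverse order (this is an assumption about what "wrong
order" means; the digest does not spell out the exact ordering), and shows
how an administrator could map such a logged value back to the port that was
actually used. The reply string and log entries are constructed.

```python
"""PASV port encoding and the byte-order logging bug described for IIS 4.

Added illustration, not code from the digest or from IIS. Assumes the
digest's "wrong order" means the high and low bytes were swapped when
combined (an assumption, not something the digest states).
"""
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(reply: str) -> tuple:
    """Return (host, p1, p2) from a 227 reply; p1 is the high byte, p2 the low byte."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError("PASV field out of byte range")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1, p2


def port_from_bytes(high: int, low: int) -> int:
    """Correct combination: port = high * 256 + low."""
    return (high << 8) | low


def swapped_port(high: int, low: int) -> int:
    """Models the described bug: the two bytes combined in reverse order."""
    return (low << 8) | high


def unswap_logged_port(logged: int) -> int:
    """Recover the real port from a byte-swapped log value (the swap is its own inverse)."""
    if not 0 <= logged <= 0xFFFF:
        raise ValueError("port out of range")
    return ((logged & 0xFF) << 8) | (logged >> 8)


def reconcile_log_entries(entries):
    """Map constructed (client_ip, logged_port) pairs to (client_ip, logged_port, actual_port)."""
    return [(ip, lp, unswap_logged_port(lp)) for ip, lp in entries]


if __name__ == "__main__":
    # Constructed reply: data port 19*256 + 137 = 5001
    host, p1, p2 = parse_pasv_reply("227 Entering Passive Mode (192,168,1,10,19,137)")
    real = port_from_bytes(p1, p2)
    logged = swapped_port(p1, p2)
    print(host, real, logged, unswap_logged_port(logged))
```

Because the byte swap is an involution, the same function corrects a logged
value and predicts what a given port would look like in the log, which is
handy when correlating IIS FTP logs against firewall logs from the same
period.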
4.8 Buffer Overflow in WordPad
A buffer overflow in WordPad was found this month. After considerable
debate, the experts analyzing the issue seem to have concluded that
although the problem may be exploitable if the attacker is lucky,
exploiting it is extremely difficult. Therefore, this bug seems to be mostly
just a bug to cause WordPad to crash at this point. For more information,
see the BugTraq archives at http://www.securityfocus.com.
5 IE Issues
5.1 Internet Explorer 5.01 available
Microsoft has made available an update to IE 5.0. The update, numbered
5.01, includes some new features, such as the ability to re-use IE 5.01
browser windows when launching shortcuts, rather than opening new windows.
The update also fixes numerous bugs in IE 5.0, including the very annoying
text field bug that we reported in the June 1999 NT Digest. For more
information on the new release, look at KBase article Q244655 available
at http://support.microsoft.com/support/kb/articles/Q244/6/55.ASP. The
update is available at
http://www.microsoft.com/windows/ie/download/default.asp.
5.2 HTTP Redirection vulnerability in IE 5.0 and 4.x
Georgi Guninski and Shane Hird have discovered another Active Scripting
vulnerability in IE 5.x and 4.x. This issue uses an http redirection
request in a script to read local files on the victim's computer. The
attacker must know the name of the file to read, but that is not much
of a limitation.
At this point, we are unaware of a fix for this issue. A temporary
workaround is, you guessed it, to disable Active Scripting.
5.3 IE 5.0 and Windows Media Player ActiveX object allow checking the
existence of local files and directories
This is another Georgi Guninski discovery. The Windows Media Player
ActiveX object returns a specific error code when a web-page tells it
to open a file that does not exist. That error code can be used to map
out which files exist on a victim's machine. That information can then
be used by other exploits.
The vulnerability is present at least in IE 5.0 on Windows 95, NT, and
2000. At this point, we are unaware of an official response from Microsoft
to this issue. The workaround is the same as usual: disable Active
Scripting, and you may also want to disable scripting of ActiveX objects
marked safe for scripting.
5.4 IE 5.0 XML HTTP redirect problems
The third Georgi Guninski discovery of the month is also an HTTP redirect
issue. However, this one affects documents containing XML. When an XML
document is embedded in an HTML document, the browser does not handle
HTTP redirects properly. This, at least, would let an attacker:
* Read any XML file and other well-formed documents
* Read parts of documents, including non-XML documents
* Check for the existence of files on the victim's computer
As you probably expected, we have not yet seen an official Microsoft
response to this issue. At this point, you are probably familiar with
the work-around: if you want to protect yourself, disable Active Scripting,
and/or disable scripting of ActiveX objects marked safe for scripting.
6 Third-party software issues
6.1 SQL Server linked logins recoverable passwords issue
SQL Server 7.0 includes a new feature whereby two database servers can
be linked. However, if the linked server is running different database
software than SQL Server 7.0, such as SQL Server 6.5, the username and
password used to set up the link are stored in the SQL Server 7.0
database. The passwords are stored in encrypted form, but the key used
to encrypt them is fixed and the cipher is a byte-wise stream cipher.
That makes the encryption easy to break, and an exploit that does just
that is publicly available.
Note that the potential vulnerability is probably small, since the table
where the passwords are stored is normally only available to
administrators. However, using an easily crackable password format is
bad in general and should be avoided.
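Why a fixed key plus a byte-wise stream cipher is so weak can be shown with a
toy. The following is an added example, not SQL Server's actual algorithm,
key or the published exploit: the cipher is a constructed XOR keystream, and
the only property that matters is structural. When every stored record is
encrypted under one and the same keystream, anyone who knows a single
plaintext (for example the password of a link they set up themselves)
recovers the keystream and with it every other record. The hardened variant
beside it uses a per-installation key and a per-record random nonce, so the
same trick yields nothing.

```python
"""Why a fixed-key, byte-wise stream cipher leaks stored passwords (toy demo).

Added illustration, not SQL Server's scheme, key or exploit. The keystream
generator and all passwords below are constructed for the demonstration.
"""
import hashlib
import hmac
import os

FIXED_KEY = b"constructed-demo-key"  # stands in for a key baked into a product
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def weak_encrypt(plaintext: bytes) -> bytes:
    """Fixed key and no per-record nonce: every record shares one keystream."""
    return xor_bytes(plaintext, keystream(FIXED_KEY, b"", len(plaintext)))


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """One known plaintext/ciphertext pair yields the keystream prefix."""
    return xor_bytes(known_plaintext, ciphertext)


def decrypt_with_keystream(ks: bytes, ciphertext: bytes) -> bytes:
    """Apply a recovered keystream to another record (valid up to len(ks))."""
    return xor_bytes(ciphertext, ks)


def strong_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Per-record random nonce: keystreams never repeat between records."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def strong_decrypt(key: bytes, blob: bytes) -> bytes:
    """Split off the nonce and regenerate that record's keystream."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor_bytes(ct, keystream(key, nonce, len(ct)))


def demo_weak_leak() -> bytes:
    """Knowing your own stored password decrypts someone else's under the weak scheme."""
    mine = b"my-own-link-password"   # constructed: the plaintext the attacker knows
    theirs = b"other-server-pw"      # constructed: another record in the same table
    ks = recover_keystream(mine, weak_encrypt(mine))
    return decrypt_with_keystream(ks, weak_encrypt(theirs))  # equals `theirs`


def demo_strong_resists() -> bool:
    """The same attempt against the nonce-based scheme with a per-install key fails."""
    install_key = os.urandom(32)     # not fixed in the product, generated per installation
    mine = b"my-own-link-password"
    theirs = b"other-server-pw"
    c_mine = strong_encrypt(install_key, mine)
    c_theirs = strong_encrypt(install_key, theirs)
    ks = recover_keystream(mine, c_mine[NONCE_LEN:])
    guess = decrypt_with_keystream(ks, c_theirs[NONCE_LEN:])
    return guess != theirs and strong_decrypt(install_key, c_theirs) == theirs
```

Two design points follow from the toy. First, a stream cipher is only as
good as the guarantee that a keystream is never reused, which a fixed key
with no nonce violates by construction. Second, the hardened variant still
offers no integrity protection; a production design would use authenticated
encryption and keep the key outside the database it protects.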
6.2 Veritas BackupExec 7.3 potential restore issue
Veritas has discovered a potential problem in Backup Exec 7.3 builds
2570 and 2575. The bug could prevent a restore or verify operation from
completing successfully in the following situation:
1. The backup must span media.
2. The backup set that spans must be the second (or higher) backup set.
3. The backup set must contain a single object (such as a Microsoft
Exchange Directory, Microsoft Exchange Information Store, or the first
Microsoft SQL database selected in a backup)
If all of those conditions are true, the restore/verification will
apparently fail.
For users running BackupExec 7.3 build 2575, a patch is available at:
http://seer.support.veritas.com/ftp/descriptions/spanfix.exe.htm
With either version, you can download a new build that contains the fix.
That build is available at:
http://support.veritas.com/ftp/filelist_ddproduct_bewnt_area_11.htm
As usual, you can also request a new set of CDs from
http://www.veritas.com/cdrequest.
6.3 Netscape Messenger Server 3.6 DOS vulnerability
Nobuo Miwa discovered a DOS attack for Netscape Messenger Server 3.6
with Service Pack 2. The vulnerability will cause Netscape Messenger
Server to use up all available processor cycles and memory.
An exploit is publicly available for this issue. Netscape has responded
that it will release a new version of Messenger Server in December that
will resolve the problem. That version will be numbered 4.15.
6.4 Buffer overflows discovered this month
See table of contents for this item.
6.5 Web server directory traversal vulnerabilities
Three web server directory traversal vulnerabilities were discovered
this month. The following web servers allow the user to escape the web
root by simply entering a ../ sequence in the requested path:
* Eserv 2.50 (http://www.eserv.ru)
* FTGate Version 2.1 (http://www.floosietek.com)
* Symantec Mail-Gear 1.0 (Fixed in v. 1.1 at
http://www.symantec.com/urlabs/public/download/download.html)
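The fix on the server side is a containment check that refuses any request
whose normalized path would leave the web root, and on the operations side a
way to spot such requests in logs. The following is an added example written
for this digest, not code from Eserv, FTGate or Mail-Gear: the web root, the
sample requests and the log lines are constructed, and the policy choices
(decode percent-encoding once, treat a backslash as a separator as Windows
file APIs do, reject NUL bytes) are assumptions about what a Windows-hosted
server should do rather than behaviour the digest describes.

```python
"""Keeping requests inside the web root: a containment check plus a log detector.

Added illustration, not code from any server named in the digest. Web root,
requests and log lines are constructed.
"""
import posixpath
import re
from urllib.parse import unquote


def resolve_under_root(web_root: str, request_path: str):
    """Map a URL path to a file under web_root; return None if it would escape.

    Rather than normalizing and hoping, walk the segments: a '..' with nothing
    left to pop is an attempt to climb above the root and is rejected outright.
    """
    decoded = unquote(request_path)           # assumption: decode exactly once
    if "\x00" in decoded:
        return None                           # NUL truncation tricks
    decoded = decoded.replace("\\", "/")      # assumption: Windows accepts both separators
    stack = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None                   # would leave the web root
            stack.pop()
            continue
        stack.append(seg)
    root = posixpath.normpath(web_root)
    target = posixpath.normpath(posixpath.join(root, *stack)) if stack else root
    # Belt and braces: the resolved path must still sit under the root.
    if target != root and not target.startswith(root + "/"):
        return None
    return target


# Raw or percent-encoded '..' followed by a raw or percent-encoded separator.
TRAVERSAL_RE = re.compile(r"(?:\.\.|%2e%2e)(?:[/\\]|%2f|%5c)", re.IGNORECASE)


def is_traversal_attempt(request_path: str) -> bool:
    """Detection: does the request path contain a traversal sequence?"""
    return bool(TRAVERSAL_RE.search(request_path))


def scan_log(lines):
    """Return request paths that look like traversal from constructed log lines.

    Constructed line format: "<client_ip> <method> <path> <status>".
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and is_traversal_attempt(parts[2]):
            hits.append(parts[2])
    return hits


if __name__ == "__main__":
    print(resolve_under_root("/var/www", "/images/../index.html"))   # /var/www/index.html
    print(resolve_under_root("/var/www", "/../../secret.txt"))       # None
    print(scan_log([
        "10.0.0.5 GET /index.html 200",
        "10.0.0.9 GET /../../secret.txt 200",
        "10.0.0.7 GET /..%2f..%2fsecret.txt 404",
    ]))
```

The containment check is the real control; the detector is a cheap way to
find out whether anyone has been probing a server before the vendor fix is
applied, and it deliberately catches the mixed raw/encoded forms that a
single-pattern grep for "../" misses.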
7 Tip of the month: Change the Office 2000 installation media
You have probably seen the spiffy new Microsoft Installer (MSI) interface
used for Office 2000 and other newer applications. This interface is
designed to alleviate problems with software installations. It also has
features such as the "run-from CD" and "nag me every time I use the help
feature because I removed the incredibly annoying Office Assistant." If
you have used Office 2000 you have probably seen the dialog box that
says "The feature you are trying to use is on a CD-ROM or other removable
disk that is not available. Please insert the Microsoft Office 2000
Premium disk." However, if you originally installed Office 2000 with
the MSDN distribution disks, but subsequently acquired the retail medium,
or are using a CD-R copy, inserting the disk will not find the
installation package. This is because the registry settings for MSI
hard-code the title of the CD that contains the installation packages.
If you permanently change from a CD with one title to another, you can
make a permanent change by editing the following registry value:
Hive: HKEY_CLASSES_ROOT
Key: \Installer\Products\904000001E872D116BF00006799C897E\SourceList\Media
Value: 1
Type: REG_SZ
Data: A string with the title of the CD that contains the installation package, concatenated with ";1"
If the change is temporary, you can work around the problem by hitting
the browse button and opening the DATA1.MSI file in the root of the
installation CD you are currently using.
The SANS Institute. Adapted for Intranet Design with the permission of the
authors. Further distribution is prohibited without permission of The SANS
Institute.