Re: PROBLEMS WITH WINDOWS SHORTCUTS
Verified on Windows XP Pro SP1. Crashes Explorer every time.

/Alex Kiwerski

At 05:19 AM 3/15/2003 -0800, S G Masood wrote:

> PROBLEMS WITH WINDOWS SHORTCUTS
> ==
> Topic: Problems with Windows Shortcuts
> Tested With: Windows 98, Windows 2000 Server
> Author: S.G.Masood ([EMAIL PROTECTED])
> ==
>
> DESCRIPTION:
>
> There is a problem with the way Windows (tested with Win98 and Win2k Server) handles shortcut (.lnk) files. A specially crafted shortcut will crash explorer.exe/shell32.dll.
>
> A shortcut, say, A.lnk is created and it is made to point to another shortcut B.lnk. Then, B.lnk is made to point to A.lnk. Now when the folder containing these two files is viewed or accessed in any way, explorer crashes.
AOL's Billion SPAM March on Cyberspace
Aloha, Lonnie.

Your article "ISPs Seek Bigger Mallet To Eliminate Spammers" caught my attention.

http://www.theledger.com/apps/pbcs.dll/section?Category=COLUMNISTS0203

I'm an information security and computer forensics expert with detailed technical knowledge of SPAM and the technology employed by spammers. Recently I authored a report on SPAM delivery via AOL -- where a spammer gains access to the Internet for the purpose of delivering SPAM to other people elsewhere on the Internet. Considering the topic of your recent article for The Ledger, I thought you'd be interested in reading this report.

AOL is being ridiculous when they suggest that their billion SPAM march on cyberspace does any good whatsoever. In fact, AOL is being downright deceptive in their assertion that blocking inbound SPAM on behalf of their subscribers who use @aol.com e-mail addresses is a virtue: AOL blocks SPAM sent to their subscribers without AOL's permission (paid 'advertisements' are sent to AOL subscribers with AOL's full support), but AOL does NOT block SPAM that AOL users send to people who use OTHER ISPs' e-mail services. AOL may as well capture those billion SPAM messages and relay them to non-AOL subscribers, because this is exactly the end result of AOL's alleged attempts to curtail SPAM. AOL has positioned themselves to be a facilitator of SPAM transmission to non-AOL subscribers while simultaneously trumpeting their technical triumph over SPAM that originates elsewhere on the Internet and is destined for an AOL subscriber's mailbox.

Your readers would be interested to know that anyone with an AOL account can send SPAM to any other AOL account and AOL will NOT block it. On the other hand, some ISPs are now blocking ALL e-mail that originates from AOL because of these very issues.

Sincerely,

Jason Coombs
[EMAIL PROTECTED]

--

A Report on SPAM Blackholes, Blocking/Filtering, and AOL

For the last month I have purposefully used AOL for SMTP server mail relay in order to analyze the real-world impact of blackhole lists. AOL not only does not block outbound SMTP from dialup customers, they operate a transparent proxy farm that intercepts all outbound SMTP traffic and intentionally relays this traffic on to its intended recipient (but not its intended SMTP relay point -- you can configure ANY remote IP address as your SMTP server and AOL's proxy farm will still do your delivery for you based on the MX records present in the destination domain; you need not find an open mail relay to exploit nor set up authorized/authenticated SMTP service with any third-party service provider in order to relay SPAM through dial-up AOL Internet service).

The results have been quite interesting. To summarize, only a few of my outbound e-mails have been blocked by blackhole sites in the last month. All e-mail sent to mailing lists such as bugtraq has gone through successfully. Every rejected message has been returned to me with an explanation (thank you, blackhole-enabled servers; your deterministic failure mode made this experiment possible because I didn't have to worry about whether my e-mail simply disappeared silently, and I could take corrective action to see that my recipient received my message through other channels).

The most interesting failure I encountered was to my own domains. For e-mail service we use a third-party service provider, the same provider who does our Web hosting on Linux-based servers running Ensim (www.ensim.com). By default our service provider refuses all inbound mail delivery based on a blocking filter rule (not a blackhole service). This blocking filter considers ALL e-mail from AOL to be SPAM and refuses it. This isn't just e-mail relayed from a dial-up address block, this is ALL AOL e-mail. No user of AOL was able to send e-mail to our domains until we requested that inbound filtering be disabled.

It's also interesting to note that my Reporting-MTA FQDN "mail.jasoncoombs.com" does NOT have an A record or a PTR or any other DNS records associated with it. This doesn't bother AOL's SMTP proxy farm, and it likewise did not bother a single SMTP server that relayed or received my e-mail during this test.

My conclusion is that blackhole servers and filtering are a terrible way to deal with the problem of SPAM. Few people actually benefit from these techniques. They introduce unnecessary deterministic failure rather than unnecessary nondeterministic failure, and therefore they offer their own helpful work-around instructions. By informing the sender that their e-mail did not go through, they automatically ("oracle"-like) produce a comprehensive list of target domains that are protected by blackhole services -- a list that any spammer would use to relay SPAM from a different point of presence. Blackhole-enabled services should switch to a non-deterministic failure mode that silently kills e-mail delivery. This would have a far greater effect, and it would prevent spammers from easily discovering the extent
CERT Advisory CA-2003-09 Buffer Overflow in Microsoft IIS 5.0 (fwd)
David Mirza Ahmad
Symantec

"sabbe dhamma anatta"

0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12

--- Begin Message ---

-BEGIN PGP SIGNED MESSAGE-

CERT Advisory CA-2003-09 Buffer Overflow in Microsoft IIS 5.0

Original issue date: March 17, 2003
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Systems running Microsoft Windows 2000 with IIS 5.0 enabled

Overview

A buffer overflow vulnerability exists in Microsoft IIS 5.0 running on Microsoft Windows 2000. IIS 5.0 is installed and running by default on Microsoft Windows 2000 systems. This vulnerability may allow a remote attacker to run arbitrary code on the victim machine. An exploit is publicly available for this vulnerability, which increases the urgency that system administrators apply a patch.

I. Description

IIS 5.0 includes support for WebDAV, which allows users to manipulate files stored on a web server (RFC2518). A buffer overflow vulnerability exists in ntdll.dll (a portion of code utilized by the IIS WebDAV component). By sending a specially crafted request to an IIS 5.0 server, an attacker may be able to execute arbitrary code in the Local System security context, essentially giving the attacker complete control of the system.

Microsoft has issued the following bulletin regarding this vulnerability:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-007.asp

This vulnerability has been assigned the identifier CAN-2003-0109 by the Common Vulnerabilities and Exposures (CVE) group:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0109

II. Impact

Any attacker who can reach a vulnerable web server can gain complete control of the system and execute arbitrary code in the Local System security context. Note that this may be significantly more serious than a simple "web defacement."

III. Solution

Apply a patch from your vendor

A patch is available from Microsoft at

http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en

Disable vulnerable service

Until a patch can be applied, you may wish to disable IIS. To determine if IIS is running, Microsoft recommends the following: Go to Start | Settings | Control Panel | Administrative Tools | Services. If the World Wide Web Publishing service is listed then IIS is installed.

To disable IIS, run the IIS lockdown tool. This tool is available here:

http://www.microsoft.com/downloads/release.asp?ReleaseID=43955

If you cannot disable IIS, consider using the IIS lockdown tool to disable WebDAV (removing WebDAV can be specified when running the IIS lockdown tool). Alternatively, you can disable WebDAV by following the instructions located in Microsoft's Knowledge Base Article 241520, "How to Disable WebDAV for IIS 5.0":

http://support.microsoft.com/default.aspx?scid=kb;en-us;241520

Restrict buffer size

If you cannot use either the IIS lockdown tool or URLScan, consider restricting the size of the buffer IIS utilizes to process requests by using Microsoft's URL Buffer Size Registry Tool. This tool can be run against a local or remote Windows 2000 system running Windows 2000 Service Pack 2 or Service Pack 3. The tool, instructions on how to use it, and instructions on how to manually make changes to the registry are available here:

URL Buffer Size Registry Tool - http://go.microsoft.com/fwlink/?LinkId=14875
Microsoft Knowledge Base Article 816930 - http://support.microsoft.com/default.aspx?scid=kb;en-us;816930
Microsoft Knowledge Base Article 260694 - http://support.microsoft.com/default.aspx?scid=kb;en-us;260694

You may also wish to use URLScan, which will block web requests that attempt to exploit this vulnerability. Information about URLScan is available at:

http://support.microsoft.com/default.aspx?scid=kb;[LN];326444

Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.

Microsoft Corporation

Please see Microsoft Security Bulletin MS03-007.

Author: Ian A. Finlay

This document is available from: http://www.cert.org/advisories/CA-2003-09.html

CERT/CC Contact Information

Email: [EMAIL PROTECTED]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
[Sorcerer-spells] SAMBA-SORCERER2003-03-17
--
Michael Walton
Asst-Manager Tech Support
[EMAIL PROTECTED]
(915)677-7900

Sorcerer Update Advisory
Tap Into the Source

Source Name: samba-2.2.8
Advisory ID: SORCERER2003-03-17
Date: March 17th, 2003

Problem Description:

A flaw has been detected in the Samba main smbd code that could allow an external attacker to remotely and anonymously gain super user access on the server running the Samba server. Present in Samba 2.0.x to 2.2.7a.

Update:

Sources have been updated to the latest version.

Updated Sources: samba-2.2.8

Recommendation:

augur synch && augur update

Contacts:

Email: [EMAIL PROTECTED]
Mail List: https://lists.berlios.de/mailman/listinfo/sorcerer-spells
Web: http://sorcerer.wox.org
Irc: irc://irc.freenode.net #sorcerer
PHP-Nuke 5.5 and 6.0: Path Disclosure
+ Product -> PHP-Nuke
+ Version -> 5.5, 6.0 (other versions not tested yet)
+ Website -> http://www.phpnuke.org
+ Problems -> Path Disclosure

+ Explanation:

The fault occurs in the file print.php, which is included by the 'News' and 'AvantGo' modules. The script checks that the variable $sid exists, but its content is not validated: if it is NULL or does not correspond to an article in the database, an error is generated.

+ Exploit:

This vulnerability may be exploited by accessing one of the following vulnerable scripts:

http://www.target.x/modules.php?name=AvantGo&file=print&sid=
http://www.target.x/modules.php?name=News&file=print&sid=
http://www.target.x/modules.php?name=AvantGo&file=print&sid=[Any_Text]
http://www.target.x/modules.php?name=News&file=print&sid=[Any_Text]
[..]

Another bug has also been found in the "Forums" (Splatt Forums 3.2) module:

http://www.target.x/modules.php?op=modload&name=Forums&file=attachment&AtchOp=show
[..]

+ Patch (AvantGo & News only):

http://www.rynhozeros.com.ar/files/site/own/fixes/PHPNuke6.0_5.5_etc.zip

--
XyBØrG
Webmaster of: www.RZWEB.com.ar
Powered By Dattatec.Com
Re: qpopper timing analysis on to determine if a username exists on a system
Hi,

I have tested this on my qpopper 4.0.5 - and I get this response no matter from which host I test (even localhost):

sun waldo # ./poptest mail.XXX.net gert
Validating username gert , please stand by..
Disconnected after 119.993 seconds.
User "gert" is probably a valid user

But that user is not a valid user. I have APOP authentication on and required, thus the pop server responded with

You must use TLS/SSL or stronger authentication such as APOP to connect to this server

Maybe this is a temporary solution? Or maybe the issue was fixed in 4.0.5?

Regards,
- Waldo

On Saturday 15 March 2003 21:13, Dennis Lubert wrote:
> Hello,
>
> during development of a pop3 tool I found an issue that makes it possible
> for any user to check the validity of a user on a target system. If a user
> is valid and an invalid password has been supplied, then the system waits
> ~10 seconds until it sends a disconnect message and disconnects. If the
> username was not correct, then it disconnects immediately after the wrong
> password.
>
> This makes it possible to scan a server for valid users, to generate spam
> sending lists, or to check a username for another kind of attack.
>
> Tested against qpopper 3.1 and 4.0.4, others might be affected as well.
>
> Attached is the source code for a program that will do a simple check on a
> pop3 server. Additionally qpopper will also return an answer if the
> username supplied has a UID < 100 (< 10 for 3.1), which will also be
> checked.
>
> The fix should be simple, there must be a usleep() call or similar that
> should either be deleted, or added also to the part where the username was
> not correct.
>
> greets
>
> Dennis
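The behaviour Dennis describes and the two mitigations raised in the thread, modelled as an added example (this is not code from either poster or from qpopper): a server that delays only when the username exists leaks account existence through timing; applying the same delay and the same error text on both failure paths (Dennis's suggested fix) removes that oracle, and an APOP/TLS-only server that refuses USER/PASS before any lookup (Waldo's setup) never reaches the account-dependent path at all. The account table, the 10 s figure and the response strings are constructed for illustration; the server does not actually sleep, it reports the delay it would apply so the invariant can be checked directly.

```python
"""Model of the POP3 timing oracle discussed in the thread and two mitigations.

Added example, not qpopper's code.  The account table, the 10 s figure and
the response strings are constructed; only the shape of the behaviour
(delay applied on one failure path but not the other) follows the posts.
"""
import hmac
from dataclasses import dataclass

# Constructed sample account table (username -> password).
USERS = {"alice": "correct horse", "bob": "battery staple"}

# Delay applied before disconnecting on a failed login (thread reports ~10 s).
AUTH_FAIL_DELAY = 10.0

# One generic failure text for every failure path, so the wording itself
# reveals nothing about the account.
ERR_AUTH = "-ERR [AUTH] Authentication failed"
ERR_STRONG_AUTH_REQUIRED = ("-ERR You must use TLS/SSL or stronger authentication "
                            "such as APOP to connect to this server")


@dataclass(frozen=True)
class AuthResult:
    response: str        # line the server would send
    delay: float         # seconds the server would wait before closing
    authenticated: bool


def authenticate(user: str, password: str, hardened: bool,
                 require_strong_auth: bool = False) -> AuthResult:
    """Return what the server would answer to USER/PASS and how long it waits.

    hardened=False reproduces the leak: an unknown user fails immediately,
    a known user with a wrong password fails after AUTH_FAIL_DELAY.
    hardened=True waits AUTH_FAIL_DELAY on every failure (Dennis's fix:
    add the sleep to the unknown-user path as well).
    require_strong_auth=True refuses plaintext USER/PASS before any lookup
    (Waldo's APOP-required setup), so the reply never depends on the account.
    """
    if require_strong_auth:
        return AuthResult(ERR_STRONG_AUTH_REQUIRED, 0.0, False)

    stored = USERS.get(user)
    if stored is None:
        # Compare against a fixed dummy so the work done does not depend on
        # whether the account exists.
        hmac.compare_digest(b"dummy-password-for-unknown-user", password.encode())
        ok = False
    else:
        ok = hmac.compare_digest(stored.encode(), password.encode())

    if ok:
        return AuthResult("+OK Mailbox open", 0.0, True)
    if hardened or stored is not None:
        return AuthResult(ERR_AUTH, AUTH_FAIL_DELAY, False)
    # Leaky path: unknown user, no delay.
    return AuthResult(ERR_AUTH, 0.0, False)


def oracle_distinguishes(hardened: bool, require_strong_auth: bool = False) -> bool:
    """True if a remote observer can tell a real account from a bogus one by
    comparing the server's reaction to a wrong password on each."""
    known = authenticate("alice", "wrong", hardened, require_strong_auth)
    unknown = authenticate("nobody", "wrong", hardened, require_strong_auth)
    return (known.delay, known.response) != (unknown.delay, unknown.response)
```

The property worth testing on a real daemon is the one `oracle_distinguishes` checks: response text and time-to-disconnect must be identical for a nonexistent account and for an existing account with a wrong password. The same invariant applies to the separate UID < 100 answer Dennis mentions; any reply that differs by account is a second channel for the same enumeration.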
MDKSA-2003:032 - Updated samba packages fix remote root vulnerability
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mandrake Linux Security Update Advisory

Package name: samba
Advisory ID: MDKSA-2003:032
Date: March 15th, 2003
Affected versions: 8.0, 8.1, 8.2, 9.0, Corporate Server 2.1, Multi Network Firewall 8.2

Problem Description:

The SuSE security team, during an audit of the Samba source code, found a flaw in the main smbd code which could allow an external attacker to remotely and anonymously gain root privilege on a system running the Samba server. This flaw exists in all versions of Samba 2.x up to and including 2.2.7a. The Samba team announced 2.2.8 today, however these updated packages include a patch that corrects this problem. MandrakeSoft urges all users to upgrade immediately.

If you are unable to apply the updated packages (perhaps due to unavailability on your preferred mirror), the following steps can be taken to protect an unpatched system:

The "hosts allow" and "hosts deny" options in the smb.conf file can be used to allow access to your Samba server by only selected hosts; for example:

  hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
  hosts deny = 0.0.0.0/0

This will disallow all connections from machines that are not the localhost or in the 192.168.2 and 192.168.3 private networks.

Alternatively, you can tell Samba to listen to only specific network interfaces by using the "interfaces" and "bind interfaces only" options:

  interfaces = eth1 lo
  bind interfaces only = yes

Obviously, use the internal interface for your network and not an external interface connected to the internet.

You may also choose to firewall off some UDP and TCP ports in addition to the previously mentioned suggestions by blocking external access to ports 137 and 138 (UDP) and ports 139 and 445 (TCP).

These steps should only be used as a temporary preventative measure and all users should upgrade as quickly as possible.

Thanks to Sebastian Krahmer and the SuSE security team for performing the audit, Jeremy Allison for providing the fix, and Andrew Tridgell for providing advice on how to protect an unpatched Samba system.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0086
http://www.samba.org/samba/whatsnew/samba-2.2.8.html

Updated Packages:

Corporate Server 2.1:
810bfc81419eda40ab94406b80e2fa78 corporate/2.1/RPMS/nss_wins-2.2.7a-8.1mdk.i586.rpm
6ddcdba4b4ddc8de889a68408cf63e6e corporate/2.1/RPMS/samba-client-2.2.7a-8.1mdk.i586.rpm
dbbf8399e5d5b475e76b4ee4c8aa78ee corporate/2.1/RPMS/samba-common-2.2.7a-8.1mdk.i586.rpm
94ef44b5ce3a5aededddeb60485c90cd corporate/2.1/RPMS/samba-doc-2.2.7a-8.1mdk.i586.rpm
ca867675236e7df77aa4901f6f91f21e corporate/2.1/RPMS/samba-server-2.2.7a-8.1mdk.i586.rpm
3c9dbd347014301c6cc249979170bf19 corporate/2.1/RPMS/samba-swat-2.2.7a-8.1mdk.i586.rpm
15b1406c67b55ecefb228cd40736d8fe corporate/2.1/RPMS/samba-winbind-2.2.7a-8.1mdk.i586.rpm
536160396aa14907f6195f42c480c0e3 corporate/2.1/SRPMS/samba-2.2.7a-8.1mdk.src.rpm

Mandrake Linux 8.0:
f705527a1ad9f511a8e61da4e2581bbf 8.0/RPMS/samba-client-2.2.7a-8.1mdk.i586.rpm
2bb5172eb1e79908df14b6829ddfc8eb 8.0/RPMS/samba-common-2.2.7a-8.1mdk.i586.rpm
3db651903659ecf5ca94be587a78057b 8.0/RPMS/samba-doc-2.2.7a-8.1mdk.i586.rpm
aac48811be4dbb7663b31f75f10d56fa 8.0/RPMS/samba-server-2.2.7a-8.1mdk.i586.rpm
8eca4b870ad649dd50635142ef3220e3 8.0/RPMS/samba-swat-2.2.7a-8.1mdk.i586.rpm
536160396aa14907f6195f42c480c0e3 8.0/SRPMS/samba-2.2.7a-8.1mdk.src.rpm

Mandrake Linux 8.0/PPC:
c0619454ddd254a2864f41d1a15b3d31 ppc/8.0/RPMS/samba-client-2.2.7a-8.1mdk.ppc.rpm
a98846ba4a83fa3953c1d910fe9ba650 ppc/8.0/RPMS/samba-common-2.2.7a-8.1mdk.ppc.rpm
2f47b120f0947fa8458e250f214e3689 ppc/8.0/RPMS/samba-doc-2.2.7a-8.1mdk.ppc.rpm
2a48acf9fc1db869a9c7dfac85953b1f ppc/8.0/RPMS/samba-server-2.2.7a-8.1mdk.ppc.rpm
35491c934f9bdd08b689b5c1b68e57fe ppc/8.0/RPMS/samba-swat-2.2.7a-8.1mdk.ppc.rpm
536160396aa14907f6195f42c480c0e3 ppc/8.0/SRPMS/samba-2.2.7a-8.1mdk.src.rpm

Mandrake Linux 8.1:
b8c035ddd18cd9da2682f3143e234b5a 8.1/RPMS/samba-client-2.2.7a-8.1mdk.i586.rpm
f28d560e6c86e9315898351f7c528275 8.1/RPMS/samba-common-2.2.7a-8.1mdk.i586.rpm
391bfea011d0bd10a91335754f135f6a 8.1/RPMS/samba-doc-2.2.7a-8.1mdk.i586.rpm
1adccf598ff2488a65e3ac776056d6b8 8.1/RPMS/samba-server-2.2.7a-8.1mdk.i586.rpm
8db945ae3a6f9f880ee9b2c76b4dd084 8.1/RPMS/samba-swat-2.2.7a-8.1mdk.i586.rpm
536160396aa14907f6195f42c480c0
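A small audit script for the interim measures in this advisory (the same Samba 2.2.8 fix is carried by the Sorcerer advisory above), added here as an example and not part of either advisory: it parses the [global] section of an smb.conf and reports which of the recommended settings ("hosts allow"/"hosts deny" restriction, "bind interfaces only" with an "interfaces" list) are missing. The option names are Samba's own, as quoted in the advisory; the two configuration texts are constructed samples, one matching the advisory's suggestion and one default-looking.

```python
"""Audit the [global] section of an smb.conf for the interim protections the
Mandrake (and Sorcerer) Samba advisories recommend while 2.2.8 is rolled out.

Added example, not part of either advisory.  Option names are Samba's own
('hosts allow', 'hosts deny', 'interfaces', 'bind interfaces only'); the two
configuration texts below are constructed samples.
"""
import re
from typing import Dict, List

# Constructed: a server configured as the advisory suggests.
RESTRICTED_SMB_CONF = """
; constructed sample, not a real host's configuration
[global]
   workgroup = WORKGROUP
   server string = Samba Server
   Hosts Allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
   hosts deny = 0.0.0.0/0
   interfaces = eth1 lo
   bind interfaces only = yes

[homes]
   browseable = no
"""

# Constructed: a default-looking server with none of the protections.
UNRESTRICTED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
"""


def parse_global(text: str) -> Dict[str, str]:
    """Key/value pairs of [global]; keys are lower-cased with internal
    whitespace collapsed, since Samba treats 'Hosts Allow' and 'hosts allow'
    alike.  Other sections (shares) are skipped."""
    section = None
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        options[" ".join(key.lower().split())] = value.strip()
    return options


def audit(options: Dict[str, str]) -> List[str]:
    """List the advisory's interim measures that are NOT in place."""
    findings = []
    allow = options.get("hosts allow", "").split()
    deny = options.get("hosts deny", "").split()
    if not allow:
        findings.append("no 'hosts allow' list: every host may connect")
    if not any(d.upper() in ("0.0.0.0/0", "ALL") for d in deny):
        findings.append("'hosts deny' does not default-deny (advisory uses 0.0.0.0/0)")
    bind_only = options.get("bind interfaces only", "no").lower()
    if bind_only not in ("yes", "true", "1"):
        findings.append("'bind interfaces only' is not set: smbd listens on every interface")
    elif not options.get("interfaces"):
        findings.append("'bind interfaces only = yes' without an 'interfaces' list")
    return findings


def audit_file(path: str) -> List[str]:
    """Convenience wrapper for a real smb.conf on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit(parse_global(fh.read()))
```

An empty findings list means the configuration matches what the advisory describes; it says nothing about whether smbd itself has been upgraded, which remains the only real fix. The port-filtering suggestion (UDP 137/138, TCP 139/445) lives in the host firewall rather than smb.conf and is not checked here.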
[SCSA-010] Path Disclosure & Cross Site Scripting Vulnerability in MyABraCaDaWeb
Security Corporation Security Advisory [SCSA-010]

PROGRAM: MyABraCaDaWeb
HOMEPAGE: http://www.webmaster-mag.net/
VULNERABLE VERSIONS: v1.0.2 and prior

DESCRIPTION

MyABraCaDaWeb is another content management system like PHP-Nuke. More information at: http://www.webmaster-mag.net/?module=pages@@myabracadaweb_pr (in French)

DETAILS & EXPLOITS

¤ Path Disclosure:

Some vulnerabilities have been found in MyABraCaDaWeb which allow attackers to determine the physical path of the application. This vulnerability would allow a remote user to determine the full path to the web root directory and other potentially sensitive information. This vulnerability can be triggered by a remote user submitting a specially crafted HTTP request, such as a request for an invalid Admin ID.

Exploits:

http://[target]/index.php?IDAdmin=test
http://[target]/index.php?base=test
http://[target]/index.php?tampon=test
http://[target]/index.php?SqlQuery=test
etc...

---

¤ Cross Site Scripting:

A Cross-Site Scripting vulnerability has been found in MyABraCaDaWeb which allows attackers to inject script code into the search script and use it in clients' browsers as if it were provided by the site. This Cross-Site Scripting vulnerability is found in the keyword search page. An attacker can input specially crafted links and/or other malicious scripts.

Exploit:

http://[target]/index.php?module=pertinance&ma_ou=[modules]&ma_kw=[hostile_code]

The module could be: "annuaire2liens"
The hostile code could be: [script]alert("Cookie="+document.cookie)[/script] (opens a window with the cookie of the visitor.)
(replace [] by <>)

Vulnerable code "header.php":

    //--- Create the report
    $vtp_p = new VTemplate;
    $tpl_p = $vtp_p->Open("modules/pertinance/tpl/rapport.tpl");
    $vtp_p->addSession($tpl_p,"rapport");
    $vtp_p->setVar($tpl_p,"rapport.ma_kw",$ma_kw);
    $vtp_p->setVar($tpl_p,"rapport.NbMotCle",$NbMotCle);
    $vtp_p->setVar($tpl_p,"rapport.T3",$T3);
    $vtp_p->setVar($tpl_p,"rapport.NbLiens",$NbLiens);
    if(quel_groupe() == 4){
        $sql = htmlentities($sql);
        $sql = addslashes($sql);
        $vtp_p->addSession($tpl_p,"sql");
        $vtp_p->setVar($tpl_p,"sql.sql",$sql);
        $vtp_p->closeSession($tpl_p,"sql");
    }
    $vtp_p->closeSession($tpl_p,"rapport");
    $Raport = $vtp_p->Display($tpl_p,0);

SOLUTIONS

¤ Path Disclosure:

No solution for the moment.

¤ Cross Site Scripting:

You can find a patch at the following link:

http://www.security-corporation.com/download/patch/MyABraCaDaWebv1.0.2XSSpatch.zip

For example use this code in "header.php":

    //--- Create the report
    # BugFix by Gregory LEBRAS www.security-corporation.com
    $ma_kw = eregi_replace("content-disposition:","!content-disposition:!",$ma_kw);
    $ma_kw = eregi_replace("include","!include!",$ma_kw);
    $ma_kw = eregi_replace("\<\?","<.?",$ma_kw);
    $ma_kw = eregi_replace("\?\p\h\p",".?php",$ma_kw);
    $ma_kw = eregi_replace("\?\>","?.>",$ma_kw);
    $ma_kw = eregi_replace("","<./script>",$ma_kw);
    $ma_kw = eregi_replace("javascript","!javascript!",$ma_kw);
    $ma_kw = eregi_replace("embed","!embed!",$ma_kw);
    $ma_kw = eregi_replace("iframe","!iframe!",$ma_kw);
    $ma_kw = eregi_replace("refresh","!refresh!",$ma_kw);
    $ma_kw = eregi_replace("onload","!onload!",$ma_kw);
    $ma_kw = eregi_replace("onstart","!onstart!",$ma_kw);
    $ma_kw = eregi_replace("onerror","!onerror!",$ma_kw);
    $ma_kw = eregi_replace("onabort","!onabort!",$ma_kw);
    $ma_kw = eregi_replace("onblur","!onblur!",$ma_kw);
    $ma_kw = eregi_replace("onchange","!onchange!",$ma_kw);
    $ma_kw = eregi_replace("onclick","!onclick!",$ma_kw);
    $ma_kw = eregi_replace("ondblclick","!ondblclick!",$ma_kw);
    $ma_kw = eregi_replace("onfocus","!onfocus!",$ma_kw);
    $ma_kw = eregi_replace("onkeydown","!onkeydown!",$ma_kw);
    $ma_kw = eregi_replace("onkeypress","!onkeypress!",$ma_kw);
    $ma_kw = eregi_replace("onkeyup","!onkeyup!",$ma_kw);
    $ma_kw = eregi_replace("onmousedown","!onmousedown!",$ma_kw);
    $ma_kw = eregi_replace("onmousemove","!onmousemove!",$ma_kw);
    $ma_kw = eregi_replace("onmouseover","!onmouseover!",$ma_kw);
    $ma_kw = eregi_replace("onmouseout","!onmouseout!",$ma_kw);
    $ma_kw = eregi_replace("onmouseup","!onmouseup!",$ma_kw);
    $ma_kw = eregi_replace("onreset","!onreset!",$ma_kw);
    $ma_kw = eregi_replace("onselect","!onselect!",
S21SEC-011 - Multiple vulnerabilities in BEA WebLogic Server
###
ID: S21SEC-011-en
Title: Multiple vulnerabilities in BEA WebLogic Server
Date: 7/01/2003
Status: Patch published
Scope: Remote command execution
Platforms: Linux, Windows 2000, probably others
Author: llmora
Location: http://www.s21sec.com/en/avisos/s21sec-011-en.txt
Release: Public
###

S 2 1 S E C
http://www.s21sec.com

Multiple vulnerabilities in BEA WebLogic Server

About BEA WebLogic Server
-

WebLogic Server is a widely deployed BEA J2EE application server (http://www.bea.com).

Vulnerabilities description
---

WebLogic offers a web management console through which you can manage the web server contents, load servlets, etc. One of the functionalities it offers is that you can upload files to the remote server for their publication.

The process in charge of managing the file upload validates the user credentials and then calls an internal WebLogic servlet to upload the file, which does not require any authentication. This internal servlet can be publicly accessed and therefore it is possible to upload files to the server without any kind of authentication.

Files can be uploaded to any location in the remote server, not limited to the tree of WebLogic directories (in Windows 2000 it is possible to upload files to any disk drive). If you know the directory where the WebLogic server applications have been installed (such as in a default installation) there is the possibility to upload a malicious application that will allow an attacker to execute commands with the permissions of the user executing the WebLogic server.

Additionally, the internal servlet offers different operations that allow, without any authentication:

* Download arbitrary files from the remote server
* Obtain the users, groups and passwords (salted and hashed) of WebLogic

Affected Versions and platforms
---

These vulnerabilities have been verified to work in the WebLogic version for Windows and Linux, although we think that they are not specific to the platform.

The current vulnerabilities vary in the different versions; the following table shows which vulnerabilities are present in each version:

                  UPLOAD   DOWNLOAD   PASSWORD
  WebLogic 6.0    X X
  WebLogic 6.1    X X X
  WebLogic 7.0    X

The WebLogic Server 5.1 version does not present any of the previously mentioned vulnerabilities.

Solution
-

The vendor was notified and published a patch to solve these vulnerabilities. More information on how to get and install the patch can be found in BEA's security advisory BEA03-28.00 (http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-28.jsp).

If upgrading is not an option, there is a temporary workaround for the problem which consists in the installation of a ConnectionFilter class to filter out requests to the administration server, avoiding exploitation of the vulnerability from the outside world. In order to apply this workaround the administration and application servers must be running on separate ports. Once they are separated the ConnectionFilter will filter connections based on the request source address.

S21SEC developed a ConnectionFilter class that allows filtering based on the source address and destination port. This filter along with detailed instructions on how to install and configure the filter can be downloaded for free from the downloads section in S21SEC website, at:

http://www.s21sec.com/download/s21sec-weblogic-connectionfilter-1.0.tar.gz

Alternatively, connections to the administrative server can be filtered by using an IP filtering device.

Additional information
--

These vulnerabilities have been found and researched by:

Lluis Mora [EMAIL PROTECTED]

You can find the latest version of this advisory at:
http://www.s21sec.com/en/avisos/s21sec-011-en.txt

And other S21SEC advisories at http://www.s21sec.com/en/avisos/
[RHSA-2003:054-00] Updated rxvt packages fix various vulnerabilities
- Red Hat Security Advisory

Synopsis: Updated rxvt packages fix various vulnerabilities
Advisory ID: RHSA-2003:054-00
Issue date: 2003-03-17
Updated on: 2003-03-17
Product: Red Hat Linux
Keywords: trojan escape reporting
Cross references:
Obsoletes:
CVE Names: CAN-2003-0022 CAN-2003-0023 CAN-2003-0066
-

1. Topic:

Updated rxvt packages are available which fix a number of vulnerabilities in the handling of escape sequences.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386
Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386

3. Problem description:

Rxvt is a color VT102 terminal emulator for the X Window System. A number of issues have been found in the escape sequence handling of Rxvt. These could be potentially exploited if an attacker can cause carefully crafted escape sequences to be displayed on an rxvt terminal being used by their victim.

One of the features which most terminal emulators support is the ability for the shell to set the title of the window using an escape sequence. Certain xterm variants, including rxvt, also provide an escape sequence for reporting the current window title. This essentially takes the current title and places it directly on the command line. Since it is not possible to embed a carriage return into the window title itself, the attacker would have to convince the victim to hit enter for it to process the title as a command, although the attacker can perform a number of actions to increase the likelihood of this happening.

The "screen dump" feature in rxvt 2.7.8 allows attackers to overwrite arbitrary files via a certain character escape sequence when it is echoed to a user's terminal, e.g. when the user views a file containing the malicious sequence.

The menuBar feature in rxvt 2.7.8 allows attackers to modify menu options and execute arbitrary commands via a certain character escape sequence that inserts the commands into the menu.

Users of Rxvt are advised to upgrade to these errata packages which contain a patch to disable the title reporting functionality and patches to correct the other issues.

Red Hat would like to thank H D Moore for bringing these issues to our attention.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/rxvt-2.7.8-3.6.2.1.src.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/rxvt-2.7.8-3.6.2.1.i386.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/rxvt-2.7.8-3.7.0.1.src.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/rxvt-2.7.8-3.7.0.1.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/rxvt-2.7.8-3.7.1.1.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/rxvt-2.7.8-3.7.1.1.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/rxvt-2.7.8-4.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/rxvt-2.7.8-4.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/rxvt-2.7.8-4.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/rxvt-2.7.8-4.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/rxvt-2.7.8-4.i386.rpm

6. Verification:

MD5 sum                          Package Name
--
356e4148537e1e522cdcbedfb735ef80 6.2/en/os/SRPMS/rxvt-2.7.8-3.6.2.1.src.rpm
8ce644f8e66b473ef91ea5baa70066ea 6.2/en/os/i386/rxvt-2.7.8-3.6.2.1.i386.rpm
08bc3ef32e1bc77836dc266af8ef2fa1 7.0/en/os/SRPMS/rxvt-2.7.8-3.7.0.1.src.rpm
b93bc19a8403c72943b33779b44b28fe 7.0/en/os/i386/rxvt-2.7.8-3.7.0.1.i386.rpm
cf99378c595e06eed1ff0c2a493d0472 7.1/en/os/SRPMS/rxvt-2.7.8-3.7.1.1.src.rpm
f973a30d1f45f561a1e15d4c58615526 7.1/en/os/i386/rxvt-2.7.8-3.7.1.1.i386.rpm
f5b4712eeb3c941b9b5f2cf3ab6d6dc4 7.2/en/os/SRPMS/rxvt-2.7.8-4.src.rpm
94a3cbbf0dbd8739e9b1b2cc716a326e 7.2/en/os/i386/rxvt-2.7.8-4.i386.rpm
781b84624dda1114d74d09814438c54a 7.2
GLSA: qpopper (200303-12)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - GENTOO LINUX SECURITY ANNOUNCEMENT 200303-12 - - -

PACKAGE           : qpopper
SUMMARY           : buffer overflow
DATE              : 2003-03-17 09:50 UTC
EXPLOIT           : remote
VERSIONS AFFECTED : <4.0.5
FIXED VERSION     : >=4.0.5
CVE               : CAN-2003-0143

- - - -

From advisory:

"Under certain conditions it is possible to execute arbitrary code using a buffer overflow in the recent qpopper. You need a valid username/password-combination and code is (depending on the setup) usually executed with the user's uid and gid mail."

Read the full advisory at:
http://marc.theaimsgroup.com/?l=bugtraq&m=104739841223916&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running net-mail/qpopper upgrade to qpopper-4.0.5 as follows:

emerge sync
emerge qpopper
emerge clean

- - -
[EMAIL PROTECTED] - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - -

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+dZp5fT7nyhUpoZMRAq9XAJsFyPbrwFb1CcvL59jEKtAoymZzTwCeIw4Z
p8IXHapfnjyZM1j7pcN+nW8=
=OPDK
-END PGP SIGNATURE-
[RHSA-2003:072-08] Updated Gnome-lokkit packages fix vulnerability
Red Hat Security Advisory

Synopsis: Updated Gnome-lokkit packages fix vulnerability
Advisory ID: RHSA-2003:072-00
Issue date: 2003-03-17
Updated on: 2003-03-17
Product: Red Hat Linux
Keywords: iptables forward lokkit
Cross references:
Obsoletes:
CVE Names: CAN-2003-0080

1. Topic:

Updated Gnome-lokkit packages fix missing FORWARD ruleset in Red Hat Linux 8.0

2. Relevant releases/architectures:

Red Hat Linux 8.0 - i386

3. Problem description:

Gnome-lokkit is a utility that provides firewalling for the average Linux end user based on responses to a small number of simple questions. Red Hat made modifications to Gnome-lokkit to support firewalls based on iptables instead of ipchains.

In Red Hat Linux 8.0, the iptables ruleset created by Gnome-lokkit did not place any rules on the FORWARD chain. This is a security vulnerability if an administrator enables packet forwarding and uses an unmodified ruleset created by the Gnome-lokkit tool.

Users are advised to upgrade to these erratum packages which contain a patch to Gnome-lokkit to also apply the INPUT chain ruleset to the FORWARD chain.

Red Hat would like to thank Deneb Meketa for bringing this issue to our attention.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

84975 - does not include FORWARD chain

6. RPMs required:

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/gnome-lokkit-0.50-21.8.0.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/gnome-lokkit-0.50-21.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/lokkit-0.50-21.8.0.i386.rpm

7. Verification:

MD5 sum Package Name
5e5edd316950132ec84f9c727dac63f6 8.0/en/os/SRPMS/gnome-lokkit-0.50-21.8.0.src.rpm
01f42937db89e8afb3f30a704e52ca7f 8.0/en/os/i386/gnome-lokkit-0.50-21.8.0.i386.rpm
0f80d90d4766f04eef08928b33b6a25e 8.0/en/os/i386/lokkit-0.50-21.8.0.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key is available at http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:

md5sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0080

9. Contact:

The Red Hat security contact is <[EMAIL PROTECTED]>. More contact details at http://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.
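The gap the advisory describes (an INPUT ruleset that is never applied to FORWARD while the kernel is routing) can be caught by inspecting an iptables-save dump. This is an added check, not part of the Red Hat advisory or the lokkit package; the two dumps and the ip_forward values are constructed, and the chain name RH-Lokkit-0-50-INPUT is only assumed to resemble what lokkit generates.

```python
"""Flag an iptables filter table whose FORWARD chain is unprotected while
IP forwarding is on (the RHSA-2003:072 lokkit gap), from iptables-save text.

Added example; not Red Hat's or lokkit's code.  Inputs are constructed.
On a live host, feed it `iptables-save` output and the contents of
/proc/sys/net/ipv4/ip_forward.
"""
import re

# Constructed dump in the shape of a lokkit ruleset with no FORWARD rules.
LOKKIT_STYLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT
"""

# Constructed dump in the shape of the fix: the same chain also hangs off FORWARD.
FIXED_STYLE_DUMP = LOKKIT_STYLE_DUMP.replace(
    "-A INPUT -j RH-Lokkit-0-50-INPUT\n",
    "-A INPUT -j RH-Lokkit-0-50-INPUT\n-A FORWARD -j RH-Lokkit-0-50-INPUT\n",
)


def parse_filter_table(dump):
    """Return (policies, rules) for the *filter table of an iptables-save dump.

    policies: chain name -> default policy ('ACCEPT', 'DROP', or '-' for user chains)
    rules:    chain name -> list of rule bodies appended to that chain with -A
    """
    policies, rules = {}, {}
    in_filter = False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *filter / *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or line == "COMMIT" or line.startswith("#"):
            continue
        m = re.match(r"^:(\S+)\s+(\S+)\s+\[", line)   # ":CHAIN POLICY [pkts:bytes]"
        if m:
            policies[m.group(1)] = m.group(2)
            rules.setdefault(m.group(1), [])
            continue
        m = re.match(r"^-A\s+(\S+)\s+(.*)$", line)    # "-A CHAIN <rule body>"
        if m:
            rules.setdefault(m.group(1), []).append(m.group(2))
    return policies, rules


def forward_chain_findings(dump, ip_forward):
    """Return a list of findings; an empty list means no FORWARD-chain gap."""
    policies, rules = parse_filter_table(dump)
    findings = []
    if not ip_forward:
        return findings          # kernel is not routing, FORWARD is never consulted
    forward_rules = rules.get("FORWARD", [])
    if not forward_rules and policies.get("FORWARD", "ACCEPT") == "ACCEPT":
        findings.append("ip_forward=1 but FORWARD has no rules and policy ACCEPT: "
                        "traffic routed between interfaces is unfiltered")
    # Any user chain the INPUT ruleset jumps to should be reachable from FORWARD too.
    input_targets = {r.split("-j ")[-1].strip() for r in rules.get("INPUT", []) if "-j " in r}
    forward_targets = {r.split("-j ")[-1].strip() for r in forward_rules if "-j " in r}
    for target in sorted(input_targets - forward_targets):
        if target in rules:      # a user-defined chain, as lokkit creates
            findings.append("user chain %s is applied to INPUT but not to FORWARD" % target)
    return findings


if __name__ == "__main__":
    for name, dump in (("lokkit-style", LOKKIT_STYLE_DUMP), ("fixed-style", FIXED_STYLE_DUMP)):
        print(name, forward_chain_findings(dump, ip_forward=1) or ["ok"])
```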
Security Bugfix for Samba - Samba 2.2.8 Released
(See http://www.samba.org/samba/whatsnew/samba-2.2.8.html for a copy of this information)

The Samba Team announces Samba 2.2.8

* IMPORTANT: Security bugfix for Samba *

This release provides an important security fix outlined in the release notes that follow. This is the latest stable release of Samba and the version that all production Samba servers should be running for all current bug-fixes.

The source code can be downloaded from:

http://download.samba.org/samba/ftp/

in the file samba-2.2.8.tar.gz or samba-2.2.8.tar.bz2. Both archives have been signed using the Samba Distribution Key.

Binary packages will be released shortly for major platforms and can be found at

http://download.samba.org/samba/ftp/Binary_Packages/

As always, all bugs are our responsibility.

--Sincerely

The Samba Team

Summary
-------

The SuSE security audit team, in particular Sebastian Krahmer, has found a flaw in the Samba main smbd code which could allow an external attacker to remotely and anonymously gain Super User (root) privileges on a server running a Samba server. This flaw exists in previous versions of Samba from 2.0.x to 2.2.7a inclusive. This is a serious problem and all sites should either upgrade to Samba 2.2.8 immediately or prohibit access to TCP ports 139 and 445. Advice created by Andrew Tridgell, the leader of the Samba Team, on how to protect an unpatched Samba server is given at the end of this section.

The SMB/CIFS protocol implemented by Samba is vulnerable to many attacks, even without specific security holes. The TCP ports 139 and the new port 445 (used by Win2k and the Samba 3.0 alpha code in particular) should never be exposed to untrusted networks.

Description
-----------

A buffer overrun condition exists in the SMB/CIFS packet fragment re-assembly code in smbd which would allow an attacker to cause smbd to overwrite arbitrary areas of memory in its own process address space. This could allow a skilled attacker to inject binary specific exploit code into smbd.

This version of Samba adds explicit overrun and overflow checks on fragment re-assembly of SMB/CIFS packets to ensure that only valid re-assembly is performed by smbd. In addition, the same checks have been added to the re-assembly functions in the client code, making it safe for use in other services.

Credit
------

This security flaw was discovered and reported to the Samba Team by Sebastian Krahmer of the SuSE Security Audit Team. The fix was prepared by Jeremy Allison and reviewed by engineers from the Samba Team, SuSE, HP, SGI, Apple, and the Linux vendor engineers on the Linux Vendor security mailing list. The Samba Team would like to thank SuSE and Sebastian Krahmer for their excellent auditing work and for drawing attention to this flaw.

Patch Availability
------------------

As this is a security issue, patches for this flaw specific to earlier versions of Samba will be posted on the [EMAIL PROTECTED] mailing list as requested.

Protecting an unpatched Samba server
Samba Team, March 2003

This is a note on how to provide your Samba server some protection against the recently discovered remote security hole if you are unable to upgrade to the fixed version immediately. Even if you do upgrade you might like to think about the suggestions in this note to provide you with additional levels of protection.

Using host based protection
---------------------------

In many installations of Samba the greatest threat comes from outside your immediate network. By default Samba will accept connections from any host, which means that if you run an insecure version of Samba on a host that is directly connected to the Internet you can be especially vulnerable.

One of the simplest fixes in this case is to use the 'hosts allow' and 'hosts deny' options in the Samba smb.conf configuration file to only allow access to your server from a specific range of hosts. An example might be:

hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
hosts deny = 0.0.0.0/0

The above will only allow SMB connections from 'localhost' (your own computer) and from the two private networks 192.168.2 and 192.168.3. All other connections will be refused as soon as the client sends its first packet. The refusal will be marked as a 'not listening on called name' error.

Using interface protection
--------------------------

By default Samba will accept connections on any network interface that it finds on your system. That means if you have an ISDN line or a PPP connection to the Internet then Samba will accept connections on those links. This may not be what you want.

You can change this behavior using options li
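The host-based protection above only works as intended if both lists are set, because the evaluation order smb.conf documents is allow list first, then deny list, then admit. This added example (not Samba's code) models that order against the note's own lists with constructed client addresses, including the partial-network form '192.168.2.' that smb.conf also accepts; it assumes nothing beyond the documented precedence.

```python
"""Evaluate Samba 'hosts allow' / 'hosts deny' lists for a client address.

Added example, not Samba's own implementation.  Modelled order (smb.conf(5)):
  1. client matches 'hosts allow'  -> admitted
  2. client matches 'hosts deny'   -> refused
  3. matches neither               -> admitted
Lists below are the ones from the note above; client addresses are constructed.
"""
import ipaddress

HOSTS_ALLOW = "127.0.0.1 192.168.2.0/24 192.168.3.0/24"
HOSTS_DENY = "0.0.0.0/0"


def parse_hosts_list(value):
    """Turn a space-separated smb.conf host list into ip_network objects.

    Accepts plain addresses, CIDR prefixes and the trailing-dot partial
    network form ('192.168.2.' means 192.168.2.0/24).
    """
    nets = []
    for item in value.split():
        if item.endswith("."):
            octets = item.rstrip(".").split(".")
            prefix = 8 * len(octets)                  # one /8 per octet given
            octets += ["0"] * (4 - len(octets))        # pad to a full address
            nets.append(ipaddress.ip_network("%s/%d" % (".".join(octets), prefix)))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def client_allowed(client_ip, hosts_allow, hosts_deny):
    """Apply the allow-then-deny-then-admit order to one client address."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in parse_hosts_list(hosts_allow)):
        return True
    if any(ip in net for net in parse_hosts_list(hosts_deny)):
        return False
    return True          # matched neither list: Samba admits the client


if __name__ == "__main__":
    for client in ("127.0.0.1", "192.168.2.15", "192.168.4.1", "203.0.113.9"):
        print(client, "allowed" if client_allowed(client, HOSTS_ALLOW, HOSTS_DENY) else "refused")
    # Without the deny-all line, an outside client is admitted: step 3 applies.
    print("203.0.113.9 with no hosts deny:", client_allowed("203.0.113.9", HOSTS_ALLOW, ""))
```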
[ADVISORY] Timing Attack on OpenSSL
I expect a release to follow shortly.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff

OpenSSL v0.9.7a and 0.9.6i vulnerability

Researchers have discovered a timing attack on RSA keys, to which OpenSSL is generally vulnerable, unless RSA blinding has been turned on. Typically, it will not have been, because it is not easily possible to do so when using OpenSSL to provide SSL or TLS.

The enclosed patch switches blinding on by default. Applications that wish to can remove the blinding with RSA_blinding_off(), but this is not generally advised. It is also possible to disable it completely by defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time. The performance impact of blinding appears to be small (a few percent).

This problem affects many applications using OpenSSL, in particular, almost all SSL-enabled Apaches. You should rebuild and reinstall OpenSSL, and all affected applications.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0147 to this issue.

We strongly advise upgrading OpenSSL in all cases, as a precaution.

Index: crypto/rsa/rsa_eay.c === RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v retrieving revision 1.28.2.3 diff -u -r1.28.2.3 rsa_eay.c --- crypto/rsa/rsa_eay.c30 Jan 2003 17:37:46 - 1.28.2.3 +++ crypto/rsa/rsa_eay.c16 Mar 2003 10:34:13 - 
@@ -195,6 +195,25 @@ return(r); } +static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) + { + int ret = 1; + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + /* Check again inside the lock - the macro's check is racey */ + if(rsa->blinding == NULL) + ret = RSA_blinding_on(rsa, ctx); + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + return ret; + } + +#define BLINDING_HELPER(rsa, ctx, err_instr) \ + do { \ + if(((rsa)->flags & RSA_FLAG_BLINDING) && \ + ((rsa)->blinding == NULL) && \ + !rsa_eay_blinding(rsa, ctx)) \ + err_instr \ + } while(0) + /* signing */ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -239,8 +258,8 @@ goto err; } - if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa->flags & RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; @@ -318,8 +337,8 @@ goto err; } - if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa->flags & RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; Index: crypto/rsa/rsa_lib.c === RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v retrieving revision 1.30.2.2 diff -u -r1.30.2.2 rsa_lib.c --- crypto/rsa/rsa_lib.c30 Jan 2003 17:37:46 - 1.30.2.2 +++ crypto/rsa/rsa_lib.c16 Mar 2003 10:34:13 - @@ -72,7 +72,13 @@ RSA *RSA_new(void) { - return(RSA_new_method(NULL)); + RSA *r=RSA_new_method(NULL); + +#ifndef OPENSSL_NO_FORCE_RSA_BLINDING + r->flags|=RSA_FLAG_BLINDING; +#endif + + return r; } void RSA_set_default_method(const RSA_METHOD *meth)
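Review bot: in the rsa_eay.c hunk at @@ -195,6 +195,25 @@, the CRYPTO_LOCK_RSA lock in rsa_eay_blinding only serialises the creation of rsa->blinding; the BN_BLINDING_convert(&f,rsa->blinding,ctx) calls that follow in both callers still touch the shared blinding object with no lock held, so two threads using the same RSA key concurrently update one blinding state at the same time. Either hold the lock across convert and the matching invert, or give each thread its own blinding state. A second, smaller point: the err_instr argument of BLINDING_HELPER is expanded bare before `} while(0)`, so callers must pass a complete statement including its semicolon (the call sites pass `goto err;`); that contract deserves a comment on the macro.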
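Review bot: in the two rsa_eay.c hunks at @@ -239,8 +258,8 @@ and @@ -318,8 +337,8 @@ (RSA_eay_private_encrypt and RSA_eay_private_decrypt), the lines kept after the macro read `if (rsa->flags & RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;`, two nested unbraced ifs; brace the outer one so a later else cannot bind to the wrong branch. Worth recording in the change description that the removed `RSA_blinding_on(rsa,ctx);` discarded its return value and would have continued into BN_BLINDING_convert with rsa->blinding still NULL after an allocation failure; passing `goto err;` to BLINDING_HELPER is what closes that.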
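Review bot: in the rsa_lib.c hunk at @@ -72,7 +72,13 @@, RSA_new dereferences r without a NULL check: RSA_new_method(NULL) returns NULL on allocation failure, and `r->flags|=RSA_FLAG_BLINDING;` would then crash the caller instead of returning NULL as before. Guard the assignment with `if (r != NULL)` (or return early on NULL). Note also that only RSA_new sets the flag; an RSA object created through RSA_new_method(meth) directly still runs unblinded unless the caller sets RSA_FLAG_BLINDING itself, which the advisory text should say.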
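What the patch switches on by default is the blinding step itself. The added example below (not OpenSSL code, and not from the advisory) carries that step through on a constructed toy key: the private operation is run on c * r^e for a fresh random r and r is divided back out, so the exponentiation never operates on the attacker-supplied value directly; the function returns the blinded input as well, to show it changes on every call.

```python
"""RSA blinding as a countermeasure to timing attacks on the private operation.

Added example, not OpenSSL's implementation.  Mirrors what BN_BLINDING_convert
and BN_BLINDING_invert do around the modular exponentiation:
    (c * r^e)^d = c^d * r^(e*d) = c^d * r   (mod n),   since e*d = 1 (mod phi)
so multiplying the blinded result by r^-1 (mod n) recovers c^d.
The key pair is a constructed toy (20-bit modulus); real keys are far larger.
"""
import math
import secrets


def toy_rsa_keypair():
    """Constructed toy key: p and q are small known primes, e is 65537."""
    p, q = 1009, 1013
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return n, e, d


def private_op_unblinded(c, n, d):
    """Plain private operation: the work performed depends directly on c."""
    return pow(c, d, n)


def private_op_blinded(c, n, e, d, randbelow=secrets.randbelow):
    """Blinded private operation.

    Returns (result, blinded_input).  The second value is what the modular
    exponentiation actually processed; it differs on every call for the same c,
    which is what removes the attacker's control over the timing-relevant input.
    """
    while True:
        r = randbelow(n)
        if r > 1 and math.gcd(r, n) == 1:     # r must be invertible mod n
            break
    r_inv = pow(r, -1, n)
    blinded_input = (c * pow(r, e, n)) % n    # BN_BLINDING_convert
    blinded_output = pow(blinded_input, d, n)  # the protected exponentiation
    return (blinded_output * r_inv) % n, blinded_input   # BN_BLINDING_invert


def check_blinding(n, e, d, messages):
    """True if the blinded and unblinded operations agree for every input."""
    return all(private_op_blinded(c, n, e, d)[0] == private_op_unblinded(c, n, d)
               for c in messages)


if __name__ == "__main__":
    n, e, d = toy_rsa_keypair()
    c = pow(123456, e, n)                         # encrypt a constructed message
    seen = {private_op_blinded(c, n, e, d)[1] for _ in range(5)}
    print("blinded == unblinded:", check_blinding(n, e, d, [c, 2, 999999]))
    print("distinct blinded inputs over 5 calls:", len(seen))
    print("recovered message:", private_op_blinded(c, n, e, d)[0])
```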
GLSA: samba (200303-11)
GENTOO LINUX SECURITY ANNOUNCEMENT 200303-11

PACKAGE : samba
SUMMARY : buffer overrun
DATE : 2003-03-17 09:22 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <2.2.8
FIXED VERSION : >=2.2.8
CVE : CAN-2003-0085 CAN-2003-0086

From advisory:

"The SuSE security audit team, in particular Sebastian Krahmer, has found a flaw in the Samba main smbd code which could allow an external attacker to remotely and anonymously gain Super User (root) privileges on a server running a Samba server."

"A buffer overrun condition exists in the SMB/CIFS packet fragment re-assembly code in smbd which would allow an attacker to cause smbd to overwrite arbitrary areas of memory in its own process address space. This could allow a skilled attacker to inject binary specific exploit code into smbd."

Read the full advisory at:
http://lists.samba.org/pipermail/samba-announce/2003-March/63.html

SOLUTION

It is recommended that all Gentoo Linux users who are running net-fs/samba upgrade to samba-2.2.8 as follows:

emerge sync
emerge samba
emerge clean

[EMAIL PROTECTED] - GnuPG key is available at http://cvs.gentoo.org/~aliz
[INetCop Security Advisory #2002-0x82-013] Kebi Academy 2001 Web Solution Directory Traversing Vulnerability.
INetCop Security Advisory #2002-0x82-013

* Title: Kebi Academy 2001 Web Solution Directory Traversing Vulnerability.

0x01. Description

Kebi Academy 2001 is a web solution that is supplied as a C binary CGI on the web. A fatal vulnerability exists in this web solution that allows interior files of the system to be read or written remotely, and uploaded malicious code to be executed. The vulnerability happens because "../" is not filtered from the homepage file administration contents of the web solution. If exploitation of the vulnerability succeeds, it is possible to read and write files with the privileges of the web server. Also, as a result, the attacker can execute a shell remotely if malicious code is uploaded to a directory where cgi or php files can be executed.

0x02. Vulnerable Packages

Vendor site: http://solution.nara.co.kr/

Kebi Academy 2001 Solution
+Linux
+Unix

* We have already liaised with the vendor.

0x03. Exploit

A certain file can be read as follows with the privileges of the web server.

http://target.com/k/home?dir=/&file=../../../../../../../../etc/passwd&lang=kor

If so, other users' databases and so on can be obtained, as far as the privileges of the web server allow. Also, a certain file can be uploaded to a directory where the web server has write permission. In case the attacker uploads malicious code, a very fatal attack can be carried out.

0x04. Patch

These problems can be solved with the chroot() function. We desire to compose a safer web solution.

P.S: Sorry for my poor English.

By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.
MSN & E-mail: szoahc(at)hotmail(dot)com, xploit(at)hackermail(dot)com
INetCop Security Home: http://www.inetcop.org (Korean hacking game)
My World: http://x82.i21c.net & http://x82.inetcop.org
GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
SPI ADVISORY: Remote Administration of BEA WebLogic Server and Express
Remote Administration of BEA WebLogic Server and Express

Release Date: March 18, 2003
Severity: High

Systems Affected:
WebLogic Server and Express 6.0
WebLogic Server and Express 6.1
WebLogic Server and Express 7.0

Description:

SPI Labs and S21sec have identified a serious vulnerability that could allow an attacker to gain unauthorized access to the applications and systems present on an affected Weblogic server. Several undocumented applications were found which are deployed in default configurations of Weblogic. Some of these applications are used by Weblogic for server-to-server communication during internal maintenance and administration tasks, such as source code distribution and modification. Further analysis revealed that many of these applications were not adequately protected from unauthorized use. In some cases, no authentication was required to perform administrative functions.

The threat posed by the existence of these unprotected applications is severe. If an attacker can directly access a Weblogic server, it is reasonable to assume that the presence of this vulnerability can ultimately result in a compromise of the applications residing on the server. Because these applications are not intended to be user-configurable or user identifiable, no configuration workaround exists. BEA has issued a patch that corrects this issue. SPI Labs recommends that it be applied to all Weblogic installations immediately.

Remediation:

SPI Labs recommends the following actions:

For WebLogic Server and Express 6.0
o Upgrade to Service Pack 2 Rolling Patch 3 and follow the instructions to apply the included patch:

For Weblogic Server and Express 6.1
o Upgrade to Service Pack 4 and follow the instructions to apply the included patch:
o When Service Pack 5 becomes available, you may use that Service Pack instead of Service Pack 4 and the patch

For WebLogic Server and Express 7.0 released or 7.0.0.1
o Upgrade to Service Pack 2 and follow the instructions to apply the included patch:
o When Service Pack 3 becomes available, you may use that Service Pack instead of Service Pack 2 and the patch

Vendor Information:

BEA has been notified of this issue and has released the patch information described above at the following link:
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-28.jsp
[RHSA-2003:098-00] Updated 2.4 kernel fixes vulnerability
Red Hat Security Advisory

Synopsis: Updated 2.4 kernel fixes vulnerability
Advisory ID: RHSA-2003:098-00
Issue date: 2003-03-17
Updated on: 2003-03-17
Product: Red Hat Linux
Keywords: ptrace
Cross references:
Obsoletes: RHSA-2003:025-20 RHBA-2003:069-12
CVE Names: CAN-2003-0127

1. Topic:

Updated kernel packages for Red Hat Linux 7.1, 7.2, 7.3, and 8.0 are now available. These packages fix a ptrace-related vulnerability that can lead to elevated (root) privileges.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - athlon, i386, i586, i686
Red Hat Linux 7.2 - athlon, i386, i586, i686
Red Hat Linux 7.3 - athlon, i386, i586, i686
Red Hat Linux 8.0 - athlon, i386, i586, i686

3. Problem description:

The Linux kernel handles the basic functions of the operating system. A vulnerability has been found in version 2.4.18 of the kernel. This vulnerability makes it possible for local users to gain elevated (root) privileges without authorization.

This advisory deals with updates to Red Hat Linux 7.1, 7.2, 7.3, and 8.0. All users of Red Hat Linux 7.1, 7.2, 7.3, and 8.0 should upgrade to these errata packages, which contain patches to fix the vulnerability.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied, especially the additional packages from RHSA-2002:205 and RHSA-2002:206.

The procedure for upgrading the kernel manually is documented at:

http://www.redhat.com/support/docs/howto/kernel-upgrade/

Please read the directions for your architecture carefully before proceeding with the kernel upgrade.

Please note that this update is also available via Red Hat Network. Many people find this to be an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. Note that you need to select the kernel explicitly on default configurations of up2date.

5. RPMs required:

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/kernel-2.4.18-27.7.x.src.rpm

athlon:
ftp://updates.redhat.com/7.1/en/os/athlon/kernel-2.4.18-27.7.x.athlon.rpm
ftp://updates.redhat.com/7.1/en/os/athlon/kernel-smp-2.4.18-27.7.x.athlon.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/kernel-2.4.18-27.7.x.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/kernel-source-2.4.18-27.7.x.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/kernel-doc-2.4.18-27.7.x.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/kernel-BOOT-2.4.18-27.7.x.i386.rpm

i586:
ftp://updates.redhat.com/7.1/en/os/i586/kernel-2.4.18-27.7.x.i586.rpm
ftp://updates.redhat.com/7.1/en/os/i586/kernel-smp-2.4.18-27.7.x.i586.rpm

i686:
ftp://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm
ftp://updates.redhat.com/7.1/en/os/i686/kernel-smp-2.4.18-27.7.x.i686.rpm
ftp://updates.redhat.com/7.1/en/os/i686/kernel-bigmem-2.4.18-27.7.x.i686.rpm
ftp://updates.redhat.com/7.1/en/os/i686/kernel-debug-2.4.18-27.7.x.i686.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/kernel-2.4.18-27.7.x.src.rpm

athlon:
ftp://updates.redhat.com/7.2/en/os/athlon/kernel-2.4.18-27.7.x.athlon.rpm
ftp://updates.redhat.com/7.2/en/os/athlon/kernel-smp-2.4.18-27.7.x.athlon.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/kernel-2.4.18-27.7.x.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kernel-source-2.4.18-27.7.x.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kernel-doc-2.4.18-27.7.x.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kernel-BOOT-2.4.18-27.7.x.i386.rpm

i586:
ftp://updates.redhat.com/7.2/en/os/i586/kernel-2.4.18-27.7.x.i586.rpm
ftp://updates.redhat.com/7.2/en/os/i586/kernel-smp-2.4.18-27.7.x.i586.rpm

i686:
ftp://updates.redhat.com/7.2/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm
ftp://updates.redhat.com/7.2/en/os/i686/kernel-smp-2.4.18-27.7.x.i686.rpm
ftp://updates.redhat.com/7.2/en/os/i686/kernel-bigmem-2.4.18-27.7.x.i686.rpm
ftp://updates.redhat.com/7.2/en/os/i686/kernel-debug-2.4.18-27.7.x.i686.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/kernel-2.4.18-27.7.x.src.rpm

athlon:
ftp://updates.redhat.com/7.3/en/os/athlon/kernel-2.4.18-27.7.x.athlon.rpm
ftp://updates.redhat.com/7.3/en/os/athlon/kernel-smp-2.4.18-27.7.x.athlon.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/kernel-2.4.18-27.7.x.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/kernel-source-2.4.18-27.7.x.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/kernel-doc-2.4.18-27.7.x.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/kernel-BOOT-2.4.18-27.7.x.i386.rpm

i586:
ftp://updates.redhat.com/7.3/en/os/i586/kernel-2.4.18-27.7.x.i586.rpm
ftp://updates.redhat.com/7.3/en/os/i586/kernel-smp-2.
[SECURITY] [DSA 263-1] New tcpdump packages fix denial of service vulnerability
Debian Security Advisory DSA 263-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
March 17th, 2003 http://www.debian.org/security/faq

Package: netpbm-free
Vulnerability : math overflow errors
Problem-Type : remote
Debian-specific: no
CVE Id : CAN-2003-0146
CERT advisory : VU#378049 VU#630433

Al Viro and Alan Cox discovered several maths overflow errors in NetPBM, a set of graphics conversion tools. These programs are not installed setuid root but are often installed to prepare data for processing. These vulnerabilities may allow remote attackers to cause a denial of service or execute arbitrary code.

For the stable distribution (woody) this problem has been fixed in version 9.20-8.2.

The old stable distribution (potato) does not seem to be affected by this problem.

For the unstable distribution (sid) this problem has been fixed in version 9.20-9.

We recommend that you upgrade your netpbm package.

Upgrade Instructions
--------------------

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
MITKRB5-SA-2003-004: Cryptographic weaknesses in Kerberos v4 protocol
MIT krb5 Security Advisory 2003-004
2003-03-17

Topic: Cryptographic weaknesses in Kerberos v4 protocol
Severity: CRITICAL

SUMMARY
=======

A cryptographic weakness in version 4 of the Kerberos protocol allows an attacker to use a chosen-plaintext attack to impersonate any principal in a realm. Additional cryptographic weaknesses in the krb4 implementation included in the MIT krb5 distribution permit the use of cut-and-paste attacks to fabricate krb4 tickets for unauthorized client principals if triple-DES keys are used to key krb4 services. These attacks can subvert a site's entire Kerberos authentication infrastructure.

Kerberos version 5 does not contain this cryptographic vulnerability. Sites are not vulnerable if they have Kerberos v4 completely disabled, including the disabling of any krb5 to krb4 translation services.

IMPACT
======

* An attacker controlling a krb4 shared cross-realm key can impersonate any principal in the remote realm to any service in the remote realm. This can lead to root-level compromise of a KDC, along with compromise of any hosts that rely on authentication provided by that KDC.

* This attack may be performed against cross-realm principals, thus allowing an attacker to hop realms and compromise any realm that transitively shares a cross-realm key with the attacker's local realm.

* Related, but more difficult attacks may be possible without requiring the control of a shared cross-realm key. At the very least, an attacker capable of creating arbitrary principal names in the target realm may be able to perform the attack.

* An attacker may impersonate any principal to a service keyed with triple-DES krb4 keys, given the ability to capture network traffic containing tickets for the target client principal.

* A leak has occurred of an unpublished paper containing enough details about the vulnerability that an attacker familiar with the krb4 protocol can easily construct an exploit. No exploit is known to be circulating at this time, though.

AFFECTED SOFTWARE
=================

* These are protocol vulnerabilities; ALL implementations of vulnerable functionality are vulnerable.

* All implementations of the Kerberos version 4 Key Distribution Center that allow cross-realm authentication are vulnerable.

* All implementations of the Kerberos version 5 Key Distribution Center that also implement a KDC for the Kerberos version 4 protocol and use the same keys for version 4 and version 5 are vulnerable.

* MIT implementations of krb5 that include support for triple-DES keys in krb4 are vulnerable.

FIX
===

* These are PROTOCOL vulnerabilities; fixes inherently involve restricting the functionality of the protocol.

* If you are using the implementation of krb4 contained in the MIT krb5, apply the patch kit, which is available at

  http://web.mit.edu/kerberos/www/advisories/2003-004-krb4_patchkit.tar.gz

  The detached PGP signature of the patch kit is available at

  http://web.mit.edu/kerberos/www/advisories/2003-004-krb4_patchkit.sig

* Release 1.3 of MIT krb5 will include a fix. The fix has also been committed to our development source tree.

* If you are running MIT release krb5-1.2.6 or later, and you are unable to patch your production code, setting the DISALLOW_ALL_TIX or the DISALLOW_SVR attributes on all cross-realm principals should disable cross-realm authentication without losing key information. This will, of course, cause loss of krb5 cross-realm functionality. Note that the functionality of these principal attributes has not been extensively tested.

* If using the Kerberos v4 implementation contained in MIT krb5, and you are unable to patch your production systems, cease use of triple-DES keys for Kerberos v4 services.

* If using a different implementation of krb4, disable all krb4 cross-realm functionality, both in KDC implementations and in any krb524d implementations.

* A possible workaround is to randomize all cross-realm keys. This should be considered to be a last resort, as re-establishing cross-realm keys can be time-consuming, and krb5 cross-realm functionality will be lost.

* The following text describes the patch kit for the MIT krb5 implementation.

PATCH KIT DESCRIPTION
=====================

** FLAG DAY REQUIRED **

One of the things we decided to do (and must do for security reasons) was drop support for the 3DES krb4 TGTs. Unfortunately the current code will only accept 3DES TGTs if it issues 3DES TGTs. Since the new code issues only DES TGTs, the old code will not understand its v4 TGTs if the site has a 3DES key available for the krbtgt principal. The new code will understand and accept both DES and 3DES v4 TGTs.

So, the easiest upgrade option is to deploy the code on all KDCs at once, being sure to deploy it on the master KDC last. Under this scenario, a brief window exists where slaves may be able to
McAfee ePolicy Orchestrator Format String Vulnerability (a031703-1)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: ePolicy Orchestrator Format String Vulnerability
Release Date: 03/17/2003
Application: McAfee ePolicy Orchestrator 2.5.1
Platform: Windows 2000 Server SP1
          Windows 2000 Pro SP1
Severity: There is a format string vulnerability that leads to the
          remote execution of code as SYSTEM.
Authors: Ollie Whitehouse [EMAIL PROTECTED]
         Andreas Junestam [EMAIL PROTECTED]
Vendor Status: Vendor has patch available
CVE Candidate: CAN-2002-0690
Reference: www.atstake.com/research/advisories/2003/a031703-1.txt

Overview:

McAfee Security ePolicy Orchestrator
(http://www.mcafeeb2b.com/products/epolicy/default-desktop-protection.asp)
is an enterprise antivirus management tool. ePolicy Orchestrator is a
policy-driven deployment and reporting tool for enterprise administrators
to effectively manage their desktop and server antivirus products.

There is a vulnerability in the processing of network requests that
allows an attacker to anonymously execute arbitrary code. To attack a
machine running ePO, an attacker would typically need to be located
within the corporate firewall with access to TCP port 8081 on the host
they wish to compromise. Once the vulnerability is successfully
exploited the attacker gains SYSTEM level privileges on the host.

This is a good example of why you should perform a risk analysis of
all new solutions being introduced into your environment, even when the
product is designed to enhance your overall security.

Details:

The ePolicy Orchestrator Agent is a service that allows the retrieval
of log data. It should be noted that the Agent does not require
password authentication to gain access and allows the retrieval of
sensitive information (e.g. the source AV server, local paths, etc.).
By default the agent runs as SYSTEM on the host and thus can be used to
either elevate local privileges or remotely compromise the host.

The ePO agent uses the HTTP protocol to communicate on port 8081.
Sending a GET request with a request string containing a few format
string characters will cause the service to terminate. An event will be
written to the event log detailing the crash. A properly constructed
malicious string containing format string characters will allow the
execution of arbitrary code.

Vendor Response:

Initial contact: May, 2002

The vendor has made a patch available. It is not directly downloadable.
Call to request the patch. It is delivered via email.

Contact information:
http://www.nai.com/naicommon/aboutnai/contact/intro.asp#software-support

@stake Recommendation:

If you have a support contract and are eligible for the patch you
should request it and install it.

If you cannot patch, you should consider host based filtering so that
only the network management systems that need to communicate with the
hosts running ePO can connect on TCP port 8081. This requires a host
based firewall.

When deploying new security products within the enterprise,
organizations should understand the risks that new security solutions
may introduce. Does the service need to be running as the SYSTEM user?
Does the service need to be accessed anonymously from any machine?

In addition to the remote execution of arbitrary code issue there is an
information disclosure issue that can be mitigated by host based
network filtering.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

CAN-2002-0690 McAfee ePolicy Orchestrator Format String

@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong application
development skills and be able to perform application security design
reviews, code reviews, and application penetration testing. Please send
resumes to [EMAIL PROTECTED]

Copyright 2003 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0 - not licensed for commercial use: www.pgp.com

iQA/AwUBPnXZuEe9kNIfAm4yEQIStwCfT5YS5dckLOLmowF0eH6dxnFdQlYAoLsL
03RASV2cRXv/Pmf7bILYWSa6
=q0ko
-----END PGP SIGNATURE-----
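The defect class the advisory above describes, shown as an added example that is not @stake's or McAfee's code and does not model the ePO agent's internals: a request logger that lets the attacker-controlled request text reach a printf-family call as the format argument, beside the hardened form that uses a fixed format, plus a defender-side check that counts printf conversion specifiers in untrusted request text (a usable condition for a host-based filter or IDS rule, since legitimate agent requests carry none). The function names, the two-step logging pattern and the sample request strings are all constructed for illustration.

```c
/* Added example (not @stake's or McAfee's code). The logging pattern and
 * request strings below are constructed; nothing here models ePO itself. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define LOG_BUF 256

/* Defective pattern: step 1 is safe, but step 2 passes a buffer that now
 * contains attacker bytes as the *format*. Any '%' conversion in the request
 * is interpreted rather than copied: the call reads varargs that were never
 * supplied (crash, as in the event-log entry the advisory mentions) and %n
 * writes to memory. Kept for contrast only; never feed it untrusted input. */
static int log_request_unsafe(char *out, size_t outlen, const char *request)
{
    char fmt[LOG_BUF];
    snprintf(fmt, sizeof fmt, "GET %s", request);  /* fine */
    return snprintf(out, outlen, fmt);              /* defect: fmt is user data */
}

/* Hardened form: the format string is a literal and the request is a plain
 * data argument, so a '%' in it is just a byte to copy. */
static int log_request_safe(char *out, size_t outlen, const char *request)
{
    return snprintf(out, outlen, "GET %s", request);
}

/* Counts printf conversion specifiers ("%d", "%x", "%08x", "%n", ...) in s.
 * A literal "%%" and a bare '%' followed by something that is not a
 * conversion (e.g. the URL-encoded "%25") are not counted. */
static int count_conversion_specs(const char *s)
{
    int n = 0;
    const char *p = s;
    while (*p) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }                 /* "%%" is literal */
        while (*p && strchr("-+ #0", *p)) p++;            /* flags */
        while (isdigit((unsigned char)*p)) p++;           /* width */
        if (*p == '.') { p++; while (isdigit((unsigned char)*p)) p++; } /* precision */
        while (*p && strchr("hlLqjzt", *p)) p++;          /* length modifiers */
        if (*p && strchr("diouxXeEfFgGaAcspn", *p)) { n++; p++; }
        /* otherwise leave p on the unexpected byte so the loop re-examines it */
    }
    return n;
}

/* Filter / detection decision: any conversion specifier in a request string
 * is a reason to drop the request and raise an alert. */
static int request_is_suspicious(const char *request)
{
    return count_conversion_specs(request) > 0;
}

int main(void)
{
    char buf[LOG_BUF];
    const char *benign = "/Agent/log?id=7";          /* constructed sample */
    const char *crafted = "/Agent/log?id=%08x%n";     /* constructed sample */

    log_request_safe(buf, sizeof buf, benign);
    printf("%s\n", buf);                              /* GET /Agent/log?id=7 */

    /* The safe logger copies the crafted request verbatim; the unsafe one
     * would interpret it (undefined behaviour), so it is not called here. */
    log_request_safe(buf, sizeof buf, crafted);
    printf("%s\n", buf);                              /* GET /Agent/log?id=%08x%n */

    printf("suspicious: benign=%d crafted=%d\n",
           request_is_suspicious(benign), request_is_suspicious(crafted));
    return 0;
}
```

The detector deliberately skips "%%" and URL-encoded sequences such as "%25" so that ordinary HTTP traffic does not trip it; the real fix is the fixed-format call, and the check is a compensating control of the kind the advisory's host-based filtering recommendation points at.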
