KPMG-2002035: IBM Websphere Large Header DoS
Title: IBM Websphere Large Header DoS
BUG-ID: 2002035
Released: 19th Sep 2002

Problem:
A malicious user can issue a malformed HTTP request and cause the web server to crash.

Vulnerable:
- IBM Websphere 4.0.3 on Windows 2000 Server

Details:
The application does not perform a proper bounds check on large HTTP headers, and as a result it can be crashed by a remote user. It could not be established whether this could lead to code execution.

If a request is made for a .jsp resource (the .jsp file does not need to exist) and the HTTP "Host" header contains 796 characters or more, the web service will crash. Other HTTP header fields are also vulnerable if the size is increased to 4K. The web service sometimes recovers on its own.

Vendor URL:
You can visit the vendor webpage here: http://www.ibm.com

Vendor response:
The vendor was notified on the 4th of June, 2002. On the 12th of July the vendor sent us a patch for the problem. On the 19th of September we confirmed that the patch was officially released.

Corrective action:
Install PQ62144 (supersedes PQ62249):
http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=PQ62144&uid=swg24001610

Author: Peter Gründl ([EMAIL PROTECTED])

KPMG is not responsible for the misuse of the information we provide through our security advisories. These advisories are a service to the professional security community. In no event shall KPMG be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information.
KPMG-2002034: Jigsaw Webserver DOS device DoS
Title: Jigsaw Webserver DOS device DoS
BUG-ID: 2002034
Released: 17th Jul 2002

Problem:
A malicious user can tie up the working threads on the web server. When the web server runs out of working threads, it will no longer service web requests.

Vulnerable:
- Jigsaw V2.2.1 Distribution on Windows 2000 Server

Not Vulnerable:
- Jigsaw V2.2.1 Dev/2.2/20020711 on Windows 2000 Server

Product Description:
Quoted from the vendor webpage:
"Jigsaw is W3C's leading-edge Web server platform, providing a sample HTTP 1.1 implementation and a variety of other features on top of an advanced architecture implemented in Java. The W3C Jigsaw Activity statement explains the motivation and future plans in more detail. Jigsaw is a W3C Open Source Project, started May 1996."

Details:
Requests for /servlet/con (CON is a reserved DOS device name) never time out, and approximately 30 of these requests are enough to tie up all working threads on the server. The service needs to be restarted to recover.

Vendor URL:
You can visit the vendor webpage here: http://www.w3.org

Vendor response:
The vendor was notified on the 27th of May, 2002. On the 12th of July we verified that the problem was corrected in the latest build (20020711).

Corrective action:
Upgrade to a newer build. The fixed build (Dev/2.2/20020711) is available here: http://jigsaw.w3.org/Devel/classes-2.2/20020711/

Author: Peter Gründl ([EMAIL PROTECTED])
KPMG-2002033: Resin DOS device path disclosure
Title: Resin DOS device path disclosure
BUG-ID: 2002033
Released: 17th Jul 2002

Problem:
It is possible to disclose the physical path to the web root. This information could be useful to a malicious user wishing to gain illegal access to resources on the server.

Vulnerable:
- Resin 2.1.1 on Windows 2000 Server
- Resin 2.1.2 on Windows 2000 Server

Not Vulnerable:
- Resin 2.1.s020711 on Windows 2000 Server

Details:
Requesting certain DOS devices, such as lpt9.xtp, results in an error message that contains the physical path to the web root:

    500 Servlet Exception
    java.io.FileNotFoundException: C:\Documents and Settings\Administrator\Desktop\resin-2.1.1\resin-2.1.1\doc\aux.xtp (Access is denied)

Vendor URL:
You can visit the vendor webpage here: http://www.caucho.com

Vendor response:
The vendor was notified on the 22nd of May, 2002. On the 12th of July we verified that the problem was corrected in the latest build (s020711).

Corrective action:
Upgrade to a newer version. This issue was first resolved in build s020711, available here: http://www.caucho.com/download/index.xtp

Author: Peter Gründl ([EMAIL PROTECTED])
KPMG-2002032: Macromedia Sitespring Cross Site Scripting
Title: Macromedia Sitespring Cross Site Scripting
BUG-ID: 2002032
Released: 17th Jul 2002

Problem:
A malicious user could use a default error page as the basis for a cross site scripting attack.

Vulnerable:
- Macromedia Sitespring V1.2.0(277.1) on Windows 2000 Server

Details:
The default HTTP 500 error script does not check the contents of the error ticket (et) parameter before outputting it. That makes it possible to inject e.g. JavaScript via the URL:

    http://server/error/500error.jsp?et=1alert('KPMG')

Vendor URL:
You can visit the vendor webpage here: http://www.macromedia.com

Vendor response:
The vendor was notified on the 16th of April, 2002. The vendor has since removed the trial software from the webpage. To our knowledge there is no scheduled release date for a patch.

Additional notes:
Quoted from the vendor's webpage:
"We will continue to provide technical support for Sitespring through May 2004. Please continue to visit the Sitespring support center for TechNotes, white papers, and other product information. If you've purchased a technical support plan for Sitespring, we will continue to provide support pursuant to the terms of your support agreement. Even though we will not be selling annual Sitespring support packages, you can purchase incident-based support from a technical support engineer."

Corrective action:
Replace the error script with a custom error page. If you do not know how to create a .jsp file, simply create a standard 500 error page in HTML and rename it to .jsp.

Author: Peter Gründl ([EMAIL PROTECTED])
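The check the advisory says the default error script lacks, as an added example in C (not Sitespring's own error page or any Macromedia code): the error ticket copied from the request is validated against what a ticket may look like, and anything echoed back into the page is HTML-escaped first, so that a ticket value carrying markup is displayed rather than executed. The ticket format (1 to 10 decimal digits), the buffer sizes and the sample values are assumptions made for this example.

```c
/* Added example, not Sitespring's error page: validate the "et" parameter
 * against an allow-list, and HTML-escape anything that is echoed at all.
 * Ticket format and sample values are assumptions of the example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allow-list: a ticket is a short decimal number, nothing else. */
int ticket_is_wellformed(const char *et)
{
    size_t n = strlen(et);
    if (n == 0 || n > 10) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)et[i])) return 0;
    return 1;
}

/* Output encoding for HTML text and attribute values. Returns the number of
 * bytes the escaped form needs (excluding the terminator). When outsz is too
 * small the output stops at the last entity that fits and is still
 * NUL-terminated, so a truncated result can never contain a half entity. */
size_t html_escape(const char *in, char *out, size_t outsz)
{
    size_t need = 0, written = 0;
    int stop = 0;
    for (; *in; in++) {
        const char *rep;
        char lit[2] = { *in, '\0' };
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = lit;      break;
        }
        size_t rl = strlen(rep);
        if (!stop && written + rl < outsz) {
            memcpy(out + written, rep, rl);
            written += rl;
        } else {
            stop = 1;
        }
        need += rl;
    }
    if (outsz) out[written] = '\0';
    return need;
}

/* What the error page writes for the ticket. Escaping is applied even when
 * the caller has already checked ticket_is_wellformed(), so a later change
 * to the allowed format cannot silently reopen the injection. Returns a
 * static buffer, which is fine for a page built by one thread. */
const char *ticket_for_display(const char *et)
{
    static char buf[256];
    html_escape(et, buf, sizeof buf);
    return buf;
}

int main(void)
{
    const char *et = "1<script>alert('KPMG')</script>";   /* constructed sample */
    printf("wellformed=%d display=%s\n", ticket_is_wellformed(et), ticket_for_display(et));
    return 0;
}
```

The two layers do different jobs: the allow-list lets the page refuse a malformed ticket outright (the ColdFusion and Resin advisories below show why a generic error should not echo request data at all), while the escaper protects the one place the value is written into HTML if it is written.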
KPMG-2002031: Jigsaw Webserver Path Disclosure
Title: Jigsaw Webserver Path Disclosure
BUG-ID: 2002031
Released: 17th Jul 2002

Problem:
It is possible to disclose the physical path to the web root. This information could be useful to a malicious user wishing to gain illegal access to resources on the server.

Vulnerable:
- Jigsaw V2.2.1 Distribution on Windows 2000 Server

Not Vulnerable:
- Jigsaw V2.2.1 Dev/2.2/20020711 on Windows 2000 Server

Product Description:
Quoted from the vendor webpage:
"Jigsaw is W3C's leading-edge Web server platform, providing a sample HTTP 1.1 implementation and a variety of other features on top of an advanced architecture implemented in Java. The W3C Jigsaw Activity statement explains the motivation and future plans in more detail. Jigsaw is a W3C Open Source Project, started May 1996."

Details:
Requesting /aux two times results, after the second request, in an error message containing the physical path to the web root.

Vendor URL:
You can visit the vendor webpage here: http://www.w3.org

Vendor response:
The vendor was notified on the 27th of May, 2002. On the 11th of July, 2002 we verified that the issue was corrected in the latest build (20020708).

Corrective action:
Upgrade your Jigsaw.jar to the latest build, available from: http://jigsaw.w3.org/Devel/classes-2.2/20020711/

Author: Peter Gründl ([EMAIL PROTECTED])
KPMG-2002030: Watchguard Firebox Dynamic VPN Configuration Protocol DoS
Title: Watchguard Firebox Dynamic VPN Configuration Protocol DoS
BUG-ID: 2002030
Released: 9th Jul 2002

Problem:
A malicious user can crash the Dynamic VPN Configuration Protocol (DVCP) service by sending a malformed packet to the listener service on TCP port 4110.

Vulnerable:
- Watchguard Firebox firmware v5.x.x

Not Vulnerable:
- Watchguard Firebox firmware v6.0.b1140

Product Description:
Quoted from the vendor webpage:
"The WatchGuard® Firebox System is a powerful security solution that gives small and medium sized businesses, central offices, and VPN hubs integrated firewall protection and VPN support."

"About DVCP
DVCP is a WatchGuard client server protocol that securely transmits IPSec VPN configuration information to WatchGuard Fireboxes. Network administrators use WatchGuard software to define each configuration aspect of the VPN, such as encryption algorithms and how often keys will be negotiated, then the settings are stored on a centrally located DVCP Server. When a Firebox is installed and initialized with software and instructions, a software client on the Firebox contacts the central DVCP server to obtain IPSec policy information using a secure protocol."

Details:
The DVCP service can be crashed using anywhere between 1 and 400 packets of tab characters, each followed by a CRLF. The firewall needs to be rebooted for the DVCP service to function again.

Vendor URL:
You can visit the vendor webpage here: http://www.watchguard.com

Vendor response:
The vendor was notified on the 8th of May, 2002. On the 23rd of May, 2002 the vendor notified us that the issue would be resolved in the next version (6.x). On the 9th of July we verified that the problem was resolved in the new firmware version.

Corrective action:
Upgrade to firmware version 6.x, available at the LiveSecurity website. If you are not a subscriber to the LiveSecurity service, please contact Watchguard support for further assistance.

Authors: Andreas Sandor ([EMAIL PROTECTED]), Peter Gründl ([EMAIL PROTECTED])
KPMG-2002029: Bea Weblogic Performance Pack Denial of Service
Title: Bea Weblogic Performance Pack Denial of Service
BUG-ID: 2002029
Released: 8th Jul 2002

Problem:
If the performance pack is enabled, the Bea Weblogic Server can be crashed by a malicious user. The performance pack is enabled in a default installation.

Vulnerable:
- Bea Weblogic 7.0 on Windows 2000 Server

The vendor has reproduced the issue on: BEA WebLogic Server and Express 5.1.x, 6.0.x, 6.1.x and 7.0 on Microsoft NT or Windows 2000.

Product Description:
Quoted from the vendor webpage:
"Designed for enterprise applications that demand the flexibility and security of server-side components in Java, BEA WebLogic Server™ brings scalability, performance, and fault tolerance to mission-critical Web-based solutions. BEA WebLogic Server is an award-winning Java application server for developing, deploying, and managing Web applications. BEA WebLogic Server also offers the most complete implementation of the Java 2 Enterprise Edition standard - including Enterprise JavaBeans."

Details:
The Bea Weblogic Server is vulnerable to data/connection flooding that results in the web service crashing with an error reported in NTDLL.DLL.

Vendor URL:
You can visit the vendor webpage here: http://www.bea.com

Vendor response:
The vendor was notified on the 1st of May, 2002. On the 2nd of May, 2002 the vendor had reproduced the issue and assigned case number 324070 and change request CR076409 to it. On the 17th of May, 2002 the vendor supplied us with a workaround for the issue. On the 3rd of July the vendor issued an official patch for the issue.

Corrective action:
As a temporary workaround, you can disable the performance pack:

1. Start the WebLogic Server Console.
2. Open the Servers folder in the navigation tree.
3. Select your server in the Servers folder.
4. Select the Configuration tab.
5. Select the Tuning tab.
6. If the "Native IO Enabled" check box is selected, uncheck it.
7. Click Apply.
8. Restart your server.

The vendor bulletin, containing links to the official patches, can be accessed through this URL:
http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components/dev2dev/resourcelibrary/advisoriesnotifications/advisory_BEA02-19.htm

Author: Peter Gründl ([EMAIL PROTECTED])
KPMG-2002028: Sitespring Server Denial of Service
Title: Sitespring Server Denial of Service
BUG-ID: 2002028
Released: 01st Jul 2002

Problem:
A malicious user with access to the Sitespring database engine port can crash both the runtime database engine and the Sitespring web service.

Vulnerable:
- Sitespring 1.2.0(277.1) using Sybase runtime engine v7.0.2.1480

Details:
If the Sybase database engine receives 1077 bytes of chr(2) followed by \r\n\r\n, it crashes. The web service will crash shortly after the database engine stops.

Vendor URL:
You can visit the vendor webpage here: http://www.macromedia.com

Vendor response:
This was reported to the vendor on the 16th of April, 2002. There is currently no scheduled patch for this vulnerability. Vendor support for Sitespring is planned to end in May, 2004.

Corrective action:
Apply IP filtering to the Sitespring server so that only the local host is allowed to connect to TCP port 2500 (the database engine port). On Windows 2000 or Windows XP this can be done using the built-in IP filter functionality.

Author: Peter Gründl ([EMAIL PROTECTED])
KPMG-2002026: Jrun sourcecode Disclosure
Title: Jrun sourcecode Disclosure
BUG-ID: 2002026
Released: 01st Jul 2002

Problem:
It is possible for a malicious user to trick the Jrun web server into disclosing source code.

Vulnerable:
- Jrun 4.0 on Windows 2000 Server
- Other versions were not tested!

Details:
There are several strings that can be appended to a legitimate request to fool the web server into serving up the unparsed .jsp file. The problem is with the handling of null characters in the request string, and one way to trigger it is to append a Unicode-encoded null to the valid request string.

Vendor URL:
You can visit the vendor webpage here: http://www.macromedia.com

Vendor response:
This was reported to the vendor on the 17th of May, 2002. On the 27th of June, 2002 the vendor released a cumulative patch for Jrun that includes the patch for this issue.

Corrective action:
Read the vendor's advisory to determine which patch you need: http://www.macromedia.com/v1/handlers/index.cfm?ID=23164

Author: Peter Gründl ([EMAIL PROTECTED])
KPMG-2002025: Apache Tomcat Denial of Service
Title: Apache Tomcat Denial of Service
BUG-ID: 2002025
Released: 20th Jun 2002

Problem:
A malicious user could tie up all 75 working threads and cause a Denial of Service situation.

Vulnerable:
- Apache Tomcat 4.0.3 on Windows 2000 Server

Not Vulnerable:
- Apache Tomcat 4.1.3 beta on Windows 2000 Server

Details:
By sending a large amount of null characters to the web service it is possible to cause a working thread to hang. The default installation has 75 working threads, which means this malformed request has to be sent to the server 75 times.

Vendor URL:
You can visit the vendor webpage here: http://jakarta.apache.org

Vendor response:
This was reported to the vendor on the 23rd of May, 2002. We never heard back from the vendor. On the 10th of June, 2002 the issue was confirmed fixed in the latest build.

Corrective action:
Upgrade to V4.1.3 beta, which is available here: http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.3-beta/

Author: Peter Gründl ([EMAIL PROTECTED])
KPMG-2002019: BlackICE Agent not Firewalling After Standby
Title: BlackICE Agent not Firewalling After Standby
BUG-ID: 2002019
Released: 06th Jun 2002

Problem:
In a default installation, the BlackICE Agent might not reactivate when the host returns from standby. This could allow a malicious user to bypass the firewall completely.

Vulnerable:
- BlackICE Agent 3.1 eal on Windows 2000 laptop

Not Vulnerable:
- BlackICE Agent 3.1 ebh on Windows 2000 laptop

Details:
The BlackICE Agent setup contains the parameter "restart.whenSuspend", which should be enabled by default. This, however, is not always the case, and as a result the firewall might not reactivate after a system standby. The BlackICE Agent would still give every appearance of being active, but the filter function would not be in effect, and network communication would be possible to the same extent as if the software wasn't installed.

Vendor URL:
You can visit the vendor webpage here: http://www.iss.net

Vendor response:
The vendor was notified on the 15th of March, 2002. The issue was assigned case number 526997. On the 18th of March we received a workaround that seemingly solved the issue. On the 6th of June, 2002 the vendor informed us that the issue had been corrected in the latest build.

Corrective action:
Upgrade to BlackICE Agent V3.1 EBH, available through: https://bvlive01.iss.net/issEn/DLC/login.jhtml

Author: Andreas Sandor ([EMAIL PROTECTED])
KPMG-2002017: Snapgear Lite+ Firewall Denial of Service
Title: Snapgear Lite+ Firewall Denial of Service
BUG-ID: 2002017
Released: 02nd May 2002

Problem:
Several issues with the Snapgear Lite+ Firewall could allow a malicious user to cause a Denial of Service situation, where part of or all of the firewall would cease to function.

Vulnerable:
- Snapgear Lite+ V1.5.3 (all issues)
- Snapgear Lite+ V1.5.4 (some issues)

Not Vulnerable:
- Snapgear Lite+ V1.6.0

Product Description:
Quoted from the vendor's webpage:
"The SnapGear LITE+ is an ethernet/broadband VPN router, with one 10/100BaseT WAN port, one 4-port 10/100BaseT switch on the LAN, and one serial port that can have a modem attached for narrowband fallback to dial-out."

Details:
There are four general areas in which we found problems with the way the Snapgear firewall handled malicious traffic:

HTTP) If external web management had been enabled, creating 50 connections to the web port and cycling through them would result in the firewall crashing. In V1.5.4 this would only result in web management crashing.

PPTP) If PPTP had been enabled, creating 50 connections to the PPTP port and cycling through them would result in the firewall crashing.

IPSEC) Sending a 0-length UDP packet to UDP port 500 would result in IPSEC exiting, so IPSEC would no longer work. This issue was resolved in V1.5.4.

IP-OPTIONS) Sending a stream of approx. 7000 packets with malformed IP options through the firewall would result in the firewall crashing. This stream could be sent from the internal network or externally.

Vendor URL:
You can visit the vendor's webpage here: http://www.snapgear.com

Vendor response:
The vendor was contacted about the first issue on the 14th of February, 2002 and subsequently on the 7th of March, 2002 about the remaining issues. On the 10th of April, 2002 we received a beta version of V1.6.0, which corrected the issues. On the 2nd of May, 2002 we received notification that V1.6.0 had been released.

Corrective action:
Install firmware version 1.6.0, which is available here: http://www.snapgear.com/downloads.html

Authors: Andreas Sandor ([EMAIL PROTECTED]) & Peter Gründl ([EMAIL PROTECTED])
KPMG-2002016: Bea Weblogic incorrect URL parsing issues
Title: Bea Weblogic incorrect URL parsing issues
BUG-ID: 2002016
Released: 30th Apr 2002

Problem:
The Bea Weblogic server incorrectly parses certain types of URL requests. This can result in the physical path being revealed, a Denial of Service situation, and disclosure of .jsp source code.

Vulnerable:
- Bea Weblogic V6.1 Service Pack 2 on Windows 2000 Server
- Other versions were not tested.

Details:
A problem with the URL parser in Bea Weblogic could allow a malicious user to reveal the physical path to the web root, cause a Denial of Service, and reveal the source code of .jsp files.

Physical webroot) By appending %00.jsp to a normal .html request, a compiler error would in some cases be generated that prints out the path to the physical web root. A similar result can be achieved by prefixing the request with %5c (a backslash).

Denial of Service) This issue is very similar to the one reported in KPMG-2002003, in which we published that requesting a DOS device and appending .jsp to the request would exhaust the working threads and cause the web service to stop parsing HTTP and HTTPS requests. If a malicious user also added %00 to the request, it would still work. The server can handle about 10-11 working threads, so when this number of active threads has been reached, the server will no longer service any requests. Since both HTTP and HTTPS are handled by the same module, both are crippled if one is attacked.

Sourcecode revealed) There are a number of ways to manipulate the URL so that a malicious user can read the contents of a .jsp file. One way is to append "%00x" to the request; another is to add "+." to the request (without the quotation marks).

Vendor URL:
You can visit the vendor's webpage here: http://www.bea.com

Vendor response:
The vendor was contacted about the first issue on the 6th of November, 2001 and subsequently on the 12th of March, 2002 and finally on the 22nd of March, 2002 about the remaining issues. On the 25th of March, 2002 we received a private hotfix, which corrected the issues. On the 22nd of April, 2002 the vendor released a public bulletin, which can be seen here:
http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components/dev2dev/resourcelibrary/advisoriesnotifications/securityadvisoriesbea020303.htm

Be sure you read the vendor bulletin, as it suggests other security settings that might prevent similar issues in the future.

Corrective action:
The following has been copied from the vendor bulletin:

"BEA WebLogic Server and Express version 6.1 standalone or as part of BEA WebLogic Enterprise 6.1 on all OS platforms
Action: Apply Service Pack 2 and then apply this patch:
ftp://ftpna.bea.com/pub/releases/security/CR069809_610sp2_v2.jar
When Service Pack 3 becomes available, you can use that jar instead of Service Pack 2 and this patch.

BEA WebLogic Server and Express version 6.0 standalone or as part of BEA WebLogic Enterprise 6.0 on all OS platforms
Action: Apply Service Pack 2 with Rolling Patch 3 and then apply this patch:
ftp://ftpna.bea.com/pub/releases/security/CR069809_60sp2rp3.jar

BEA WebLogic Server and Express version 5.1 standalone or as part of BEA WebLogic Enterprise 5.1.x on all OS platforms
Action: Apply Service Pack 11 and then apply this patch:
ftp://ftpna.bea.com/pub/releases/security/CR069809_510sp11_v2.jar
When Service Pack 12 becomes available, you can use that jar instead of Service Pack 11 and this patch.

BEA WebLogic Server and Express 4.5.2 on all OS platforms
Action: Apply Service Pack 2 and then apply this patch:
ftp://ftpna.bea.com/pub/releases/security/CR045420_wls452sp2.zip

BEA WebLogic Server and Express 4.5.1 on all OS platforms
Action: Apply Service Pack 15."

Author: Peter Gründl ([EMAIL PROTECTED])
KPMG-2002015: Microsoft Distributed Transaction Coordinator DoS
Title: Microsoft Distributed Transaction Coordinator DoS
BUG-ID: 2002015
Released: 19th Apr 2002

Problem:
A flaw in the way MSDTC handles malformed packets could allow an attacker to hang the service and exhaust resources on the server.

Vulnerable:
- Windows 2000 Server without the MS02-018 patch

Details:
If an attacker sends 20200 null characters to the MSDTC service, which listens on TCP port 3372, server resources are allocated poorly. This attack can result in MSDTC.EXE spiking at 100% CPU usage, MSDTC refusing connections, and kernel resources being exhausted.

This was already corrected in MS02-018, and has been brought up on Bugtraq (after it was reported to the vendor): http://online.securityfocus.com/archive/1/253360
The security bulletin from Microsoft, however, does not mention this vulnerability.

Vendor URL:
You can visit the vendor's webpage here: http://www.microsoft.com

Vendor response:
The vendor was contacted on the 24th of October, 2001. On the 15th of March, 2002 we received a private hotfix, which corrected the issue. On the 10th of April, 2002 the vendor released a public bulletin. On the 19th of April, 2002 the vendor notified us that the patch also included the patched binary for the MSDTC issue.

Corrective action:
The vendor has released a patched binary, which is included in the security rollup package MS02-018, available here: http://www.microsoft.com/technet/security/bulletin/ms02-018.asp

Author: Peter Gründl ([EMAIL PROTECTED])
KPMG-2002014: Foundstone Fscan Format String Bug
Title: Foundstone Fscan Format String Bug
BUG-ID: 2002014
Released: 19th Apr 2002

Problem:
A flaw in Foundstone Fscan could result in a malicious service banner overwriting the stack and the EIP on the PC performing the scanning.

Vulnerable:
- Foundstone Fscan 1.12 for Windows

Details:
If banner grabbing is turned on, Fscan will print the banner string directly, as the format string, instead of passing it as an argument to a format specifier (%s). This causes any %'s in the banner to be interpreted as format specifiers. The issue is probably best clarified using a worst case scenario:

- Attacker has taken over a host on a network.
- Attacker has set up a service on "his" host that returns a malformed banner.
- Admin uses Fscan to sweep his network on a regular basis.
- Admin scans Attacker's PC with banner grabbing on to check for abnormal services.
- When Admin scans the malicious service, his Fscan is "attacked".
- Attacker has now overwritten the stack and the EIP on Admin's own PC, in the security context Admin was using when he was scanning.

More Information:
Guardent has published a small whitepaper on Format String Attacks: http://www.guardent.com/docs/FormatString.PDF

Vendor URL:
You can visit the vendor's webpage here: http://www.foundstone.com

Vendor response:
The vendor was contacted on the 14th of April, 2002. The vendor identified the problem as a format string bug. On the 17th of April, 2002 I received a new version of Fscan that solved the issue. On the 18th of April, 2002 the vendor put that version online for download.

Corrective action:
The vendor has corrected the issue and put version 1.14 online: http://www.foundstone.com/knowledge/proddesc/fscan.html

Author: Peter Gründl ([EMAIL PROTECTED])
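The printf-family mistake the advisory describes, next to the fix and a check a banner-grabbing tool can run before printing, as an added C example written for this page (it is not Fscan's source and says nothing about how Fscan is built). The banner strings are constructed for the example; in a real scan the banner arrives from the remote host and is attacker-controlled.

```c
/* Added example, not Fscan's code: banner used as the format string (the
 * bug), banner passed to "%s" (the fix), and a count of live directives a
 * scanner can check before printing. Sample banners are constructed. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char g_out[256];   /* output buffer shared by the two render functions */

/* Buggy shape: the banner *is* the format string, so every '%' in it is
 * interpreted. vsnprintf() stands in for printf()/sprintf() so the result
 * lands in a buffer instead of on stdout. With "%s", "%x" or "%n" in the
 * banner the call reads, or with "%n" writes, through whatever happens to
 * be on the stack; the demonstration below only uses "%%" so that the
 * behaviour stays defined. */
static int banner_as_format(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

const char *render_banner_unsafe(const char *banner)
{
    banner_as_format(g_out, sizeof g_out, banner);   /* attacker data as fmt */
    return g_out;
}

/* Fixed shape: a constant format, the banner passed as the %s argument. */
const char *render_banner_safe(const char *banner)
{
    snprintf(g_out, sizeof g_out, "%s", banner);
    return g_out;
}

/* Defensive check: count '%' directives a format function would act on.
 * "%%" is the literal percent sign and is not counted. A tool that must
 * print banners can refuse, or flag, any banner where this is non-zero. */
int count_format_directives(const char *banner)
{
    int n = 0;
    for (const char *p = banner; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    const char *banner = "220 mail %% 100%% ready";   /* constructed sample */
    printf("unsafe: %s\n", render_banner_unsafe(banner));
    printf("safe:   %s\n", render_banner_safe(banner));
    printf("directives in \"%%x%%n\": %d\n", count_format_directives("%x%n"));
    return 0;
}
```

The harmless "%%" banner already shows the two code paths disagree about what was received; a banner built from "%x" and "%n" is where the advisory's stack overwrite comes from, and only the "%s" form is immune to it.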
KPMG-2002012: (Re-submitted) Sambar Webserver Serverside Fileparse Bypass
-=>Sambar Webserver Serverside Fileparse Bypass<=-
courtesy of KPMG Denmark

BUG-ID: 2002012
Released: 17th Apr 2002
Re-submitted: 18th Apr 2002

Cause for re-submission:
It would appear that I am in need of glasses. The patch URL in the original advisory was misspelled, and this advisory is re-submitted to make sure people that are interested in the patch can obtain it.

Problem:
A flaw in the server-side URL parsing could allow a malicious user to bypass server-side file parsing and display the source code of scripts. The same flaw could allow a malicious user to crash the web service.

Vulnerable:
- Sambar Webserver V5.1p on Windows 2000
- Other versions were not tested.

Details:
It is possible to bypass the server-side parsing of scripts, such as .pl, .jsp, .asp and .stm, and download the source code. The bypass also opens up requests for certain DOS devices, which the server would then attempt to access. The resources used in such requests are not freed properly, and as a result the web server will eventually run out of memory and the operating system will kill the web service.

To bypass the server-side parsing, an attacker would have to access the resource with a suffix of . There are a lot of ways to achieve this in e.g. Internet Explorer, and an example of source code exposure could be:

    http://server/cgi-bin/environ.pl+%00

which would return the following (Perl source code):

read(STDIN, $CONTENT, $ENV{'CONTENT_LENGTH'});
print <<END;
GATEWAY_INTERFACE: $ENV{'GATEWAY_INTERFACE'}
PATH_INFO: $ENV{'PATH_INFO'}
PATH_TRANSLATED: $ENV{'PATH_TRANSLATED'}
QUERY_STRING: $ENV{'QUERY_STRING'}
REMOTE_ADDR: $ENV{'REMOTE_ADDR'}
REMOTE_HOST: $ENV{'REMOTE_HOST'}
REMOTE_USER: $ENV{'REMOTE_USER'}
REQUEST_METHOD: $ENV{'REQUEST_METHOD'}
DOCUMENT_NAME: $ENV{'DOCUMENT_NAME'}
DOCUMENT_URI: $ENV{'DOCUMENT_URI'}
SCRIPT_NAME: $ENV{'SCRIPT_NAME'}
SCRIPT_FILENAME: $ENV{'SCRIPT_FILENAME'}
SERVER_NAME: $ENV{'SERVER_NAME'}
SERVER_PORT: $ENV{'SERVER_PORT'}
SERVER_PROTOCOL: $ENV{'SERVER_PROTOCOL'}
SERVER_SOFTWARE: $ENV{'SERVER_SOFTWARE'}
CONTENT_LENGTH: $ENV{'CONTENT_LENGTH'}
CONTENT: $CONTENT
END

Vendor URL:
You can visit the vendor's webpage here: http://www.sambar.com

Vendor response:
The vendor was contacted on the 3rd of April, 2002. The vendor confirmed the bug on the same day, and notified us that a patch was being developed. On the 17th of April the vendor released a new version that corrects the issues.

Corrective action:
The vendor has released Version 5.2b, which is available here: http://sambar.dnsalias.org/win32-preview.tar.gz

Author: Peter Gründl ([EMAIL PROTECTED])
KPMG-2002013: Coldfusion Path Disclosure
Title: Coldfusion Path Disclosure
BUG-ID: 2002013
Released: 18th Apr 2002

Problem:
Requests for certain DOS devices are parsed by the ISAPI filter that handles .cfm and .dbm, and result in error messages containing the physical path to the web root.

Vulnerable:
===
- Coldfusion 5.0 on Windows 2000 w. IIS5
- Other versions were not tested.

Details:
Requests for non-existent .cfm and .dbm files return a Coldfusion "Object Not Found" error message similar to this:

"Error Occurred While Processing Request
Error Diagnostic Information
An error has occurred.
HTTP/1.0 404 Object Not Found"

Requesting a DOS device, such as nul.dbm or nul.cfm, returns:

"Error Occurred While Processing Request
Error Diagnostic Information
Cannot open CFML file
The requested file "C:\data\nul.dbm" cannot be found.
The specific sequence of files included or processed is:
C:\data\nul.dbm
Date/Time: 04/18/02 11:32:16
Browser: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)
Remote Address: xxx.xxx.xxx.xxx"

A similar result can be achieved with this request:

/nul..dbm

which returns:

"Error Occurred While Processing Request
Error Diagnostic Information
The template specification, 'C:\data\nul..dbm', is illegal. Template specifications cannot include '..' nor begin with a backslash ('\\')."

Vendor URL:
===
You can visit the vendor's webpage here:
http://www.coldfusion.com

Vendor response:
The vendor was contacted on the 26th of November, 2001. The vendor suggested a workaround for the problem on the 8th of January, 2002. This advisory was delayed due to a lapse of communication.

Corrective action:
==
The vendor suggests turning on "Check that file exists":

Windows 2000:
1. Open the Management console
2. Click on "Internet Information Services"
3. Right-click on the website and select "Properties"
4. Select "Home Directory"
5. Click on "Configuration"
6. Select ".cfm"
7. Click on "Edit"
8. Make sure "Check that file exists" is checked
9. Do the same for ".dbm"

Author: Peter Gründl ([EMAIL PROTECTED])
KPMG-2002012: Sambar Webserver Serverside Fileparse Bypass
-=>Sambar Webserver Serverside Fileparse Bypass<=-
courtesy of KPMG Denmark

BUG-ID: 2002012
Released: 17th Apr 2002

Problem:
A flaw in the serverside URL parsing could allow a malicious user to bypass serverside file parsing and display the source code of scripts. The same flaw could allow a malicious user to crash the web service.

Vulnerable:
===
- Sambar Webserver V5.1p on Windows 2000
- Other versions were not tested.

Details:
It is possible to bypass the serverside parsing of scripts, such as .pl, .jsp, .asp and .stm, and download the source code. The bypass also opens up requests for certain DOS devices, which the server would then attempt to access. The resources used in such requests are not freed properly, and as a result the web server will eventually run out of memory and the operating system will kill the web service.

To bypass the serverside parsing, an attacker would have to access the resource with a suffix of . There are a lot of ways to achieve this in e.g. Internet Explorer, and an example of source code exposure could be:

http://server/cgi-bin/environ.pl+%00

which would return the following (Perl source code):

read(STDIN, $CONTENT, $ENV{'CONTENT_LENGTH'});
print <<END;
GATEWAY_INTERFACE: $ENV{'GATEWAY_INTERFACE'}
PATH_INFO: $ENV{'PATH_INFO'}
PATH_TRANSLATED: $ENV{'PATH_TRANSLATED'}
QUERY_STRING: $ENV{'QUERY_STRING'}
REMOTE_ADDR: $ENV{'REMOTE_ADDR'}
REMOTE_HOST: $ENV{'REMOTE_HOST'}
REMOTE_USER: $ENV{'REMOTE_USER'}
REQUEST_METHOD: $ENV{'REQUEST_METHOD'}
DOCUMENT_NAME: $ENV{'DOCUMENT_NAME'}
DOCUMENT_URI: $ENV{'DOCUMENT_URI'}
SCRIPT_NAME: $ENV{'SCRIPT_NAME'}
SCRIPT_FILENAME: $ENV{'SCRIPT_FILENAME'}
SERVER_NAME: $ENV{'SERVER_NAME'}
SERVER_PORT: $ENV{'SERVER_PORT'}
SERVER_PROTOCOL: $ENV{'SERVER_PROTOCOL'}
SERVER_SOFTWARE: $ENV{'SERVER_SOFTWARE'}
CONTENT_LENGTH: $ENV{'CONTENT_LENGTH'}
CONTENT: $CONTENT
END

Vendor URL:
===
You can visit the vendor's webpage here:
http://www.sambar.com

Vendor response:
The vendor was contacted on the 3rd of April, 2002. The vendor confirmed the bug on the same day, and notified us that a patch was being developed. On the 17th of April, the vendor released a new version that corrects the issues.

Corrective action:
==
The vendor has released Version 5.2b, which is available here:
http://sambar.dnsaloas.org/win32-preview.tar.gz

Author: Peter Gründl ([EMAIL PROTECTED])
KPMG-2002011: Windows 2000 microsoft-ds Denial of Service
-=>Windows 2000 microsoft-ds Denial of Service<=-
courtesy of KPMG Denmark

BUG-ID: 2002011
Released: 17th Apr 2002

Problem:
The default LANMAN registry settings on Windows 2000 could allow a malicious user, with access to TCP port 445 on your Windows 2000 host, to cause a Denial of Service.

Vulnerable:
===
- Windows 2000 Server (SP0, SP1, SP2)
- Windows 2000 Advanced Server (SP0, SP1, SP2)
- Windows 2000 Professional (SP0, SP1, SP2)

Details:
Sending malformed packets to the microsoft-ds port (TCP 445) can result in kernel resources being allocated by the LANMAN service. The consequences of such an attack could vary from the Windows 2000 host completely ignoring the attack to a blue screen. An attack could be something as simple as sending a continuous stream of 10k null chars to TCP port 445.

The most common symptoms would be that the LANMAN service would allocate a lot of kernel memory, until a point where very few applications would be able to run. The routine that draws windows would commence to draw incomplete windows, the warning "beep" would be replaced by an error stating that the sound driver could not be loaded, Internet Information Server would no longer be able to service .asp pages, attempts to reboot the server (as administrator) would result in the error "You do not have permissions to shutdown or restart this computer.", and so on.

It would frequently be possible to cause the system service to enter a state where it constantly used 100% CPU. A PC was left in this state over the weekend, to see if it would recover on its own. It did not recover.

Vendor URL:
===
You can visit the vendor's webpage here:
http://www.microsoft.com

Vendor response:
The vendor was contacted mid-October, 2001. The vendor released a Q-article describing the problem and possible solutions on the 11th of April, 2002. KPMG was notified of the publication on the 17th of April, 2002.

Corrective action:
==
The vendor has suggested two possible solutions, available here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320751

Author: Peter Gründl ([EMAIL PROTECTED])
KPMG-2002010: Microsoft IIS .htr ISAPI buffer overrun
-=>Microsoft IIS .htr ISAPI buffer overrun<=-
courtesy of KPMG Denmark

BUG-ID: 2002010
CVE: CAN-2002-0071
Released: 11th Apr 2002

Problem:
There is a buffer overrun condition in the ISAPI extension that handles the .htr extension that could allow an attacker to crash the service and possibly execute arbitrary code on the server.

Vulnerable:
===
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Server 5.0

Details:
This vulnerability was discovered by Dave Aitel from @stake and by Peter Gründl from KPMG. It was done independently, and both reported the same two vulnerabilities to the same vendor at around the same time. Dave Aitel released an advisory on this issue:
http://archives.neohapsis.com/archives/bugtraq/2002-04/0114.html

Ism.dll handles files with the extension .htr, and a flaw in the module could allow an attacker to disable parts of or all of the functionality of a website. It is theoretically possible to execute code with this overflow, although attempted exploitation would most likely result in a Denial of Service situation.

The problem is with the module's parameter handling, as declared variables are subject to a buffer overrun ("/foo.htr?=x"). The number of overflows needed and the result depend on the internal state of the IIS memory allocations. A determined attacker could proceed to crash the service and repeatedly send the malicious payload, as the injection vector would now be relatively fixed when the server was rebooted.

Vendor URL:
===
You can visit the vendor's webpage here:
http://www.microsoft.com

Vendor response:
The vendor was contacted on the 31st of January, 2002. On the 18th of March we received a private hotfix, which corrected the issue. On the 10th of April, the vendor released a public bulletin.

Corrective action:
==
The vendor has released a patched ism.dll, which is included in the security rollup package MS02-018, available here:
http://www.microsoft.com/technet/security/bulletin/ms02-018.asp

Author: Peter Gründl ([EMAIL PROTECTED])
KPMG-2002009: Microsoft IIS W3SVC Denial of Service
-=>Microsoft IIS W3SVC Denial of Service<=-
courtesy of KPMG Denmark

BUG-ID: 2002009
CVE: CAN-2002-0072
Released: 11th Apr 2002

Problem:
A flaw in internal object interaction could allow a malicious user to bring down Internet Information Server 4.0, 5.0 and 5.1.

Vulnerable:
===
- Microsoft Internet Information Server 4.0 with FP2002
- Microsoft Internet Information Server 5.0 with FP2002
- Microsoft Internet Information Server 5.1 with FP2002

Details:
This vulnerability was discovered by Dave Aitel from @stake and by Peter Gründl from KPMG. It was done independently, and both reported the same two vulnerabilities to the same vendor at around the same time.

Frontpage contains URL parsers for dynamic components (shtml.exe/dll). If a malicious user issues a request for /_vti_bin/shtml.exe where the URL for the dynamic contents is replaced with a long URL, the submodule will filter out the URL, and return a null value to the web service URL parser. An example string would be 35K of ascii 300. This will cause an access violation, and Inetinfo.exe will be shut down. Due to the nature of the crash, we do not feel that it is exploitable beyond the point of a Denial of Service.

Although servers are supposed to restart the service with "iisreset", this only works a few times (if any), and the service stays crashed until an admin manually restarts the service or reboots the server.

Vendor URL:
===
You can visit the vendor's webpage here:
http://www.microsoft.com

Vendor response:
The vendor was contacted on the 4th of February, 2002. On the 9th of April we received a private hotfix, which corrected the issue. On the 10th of April, the vendor released a public bulletin.

Corrective action:
==
The vendor has released a patched w3svc.dll, which is included in the security rollup package MS02-018, available here:
http://www.microsoft.com/technet/security/bulletin/ms02-018.asp

Author: Peter Gründl ([EMAIL PROTECTED])
KPMG-2002008: Watchguard SOHO IP Restrictions Flaw
-=>Watchguard SOHO IP Restrictions Flaw<=-
courtesy of KPMG Denmark

BUG-ID: 2002008
Released: 10th Apr 2002

Problem:
A flaw in the Watchguard SOHO firmware could allow malicious users to access services set up with IP restrictions in your SOHO firewall.

Vulnerable:
===
- Watchguard SOHO Firewall, firmware 5.0.35

Details:
This vulnerability is a bit atypical, since it does not require any actions from an attacker, but rather actions from the firewall admin. However, we felt that the nature of this bug warranted the release of an advisory.

V5.0.35 introduced a flaw that could, under certain circumstances, turn off IP restrictions on customised services. If a user had set up IP restrictions prior to upgrading to 5.0.35 (which corrected issues with TCP/IP handling on port-forwarding), the IP restrictions could vanish from time to time, without any local indication that the function had failed. To find out that IP restrictions malfunctioned, the admin would have to access an external IP, and try to access the IP restricted service.

If the IP restrictions fail, going into the custom service setup and submitting the rule again (without altering it) will restore functionality again, temporarily. Using other features of the firewall admin console, such as logging, would result in the IP restrictions malfunctioning again.

Vendor URL:
===
You can visit the vendor's webpage here:
http://www.watchguard.com

Vendor response:
The vendor was contacted on the 6th of April, 2002. The vendor then proceeded to pull the firmware from the website, and on the 10th of April the vendor confirmed the issue and announced the availability of a new firmware version, which corrects the issue.

Corrective action:
==
Upgrade to firmware version 5.0.35a, available through Watchguard LiveSecurity.

Author: Peter Gründl ([EMAIL PROTECTED])
KPMG-2002006: Lotus Domino Physical Path Revealed
-=>Lotus Domino Physical Path Revealed<=-
courtesy of KPMG Denmark

BUG-ID: 2002006
Released: 02nd Apr 2002

Problem:
Due to problems handling Windows DOS devices, the Domino Server can be brought to show the physical location of the web root.

Vulnerable:
===
- Lotus Domino 5.0.9 on Windows 2000 Server
- Lotus Domino 5.0.9a on Windows 2000 Server
- Older versions were not tested, but are likely to be vulnerable

Details:
First of all, this issue was partially released on Bugtraq by Nicolas Gregoire from Exaprobe ([EMAIL PROTECTED]). Nicolas apparently found and released this at the same time as we were emailing the vendor about the issue. The test that Nicolas released does not work on v5.0.9a, which is part of why this was released. Another element is the possible effect the basics of this bug can have on other Windows applications that use similar DOS device verification techniques.

In V5.0.9a Lotus added additional measures to weed out references to DOS devices, but problems with the low-level C library function access() caused some of the devices to be improperly filtered. Lotus (on Windows) uses the function QueryDosDevice to check if a referenced file is a DOS device, and then proceeds to determine whether the file exists using the before-mentioned access() function. If you feed e.g. com5 into the access() function, it will return 0, although the device is not enabled on the system. The function should have returned -1.

With this in mind, we can build an HTTP reference that will result in an attempt to parse the file serverside, and generate error messages containing the physical web root. The CGI parser, htcgibin.exe, has two builtin extension parsers that will yield the desired result (.java and .pl):

http://server/cgi-bin/com5.pl
http://server/cgi-bin/com5.java

Another interesting detail is that the .pl error message will also be shown to the user if the user requests:

http://server/cgi-bin/com5<218x.>box

where <218x.> means that you enter 218 periods (..). This line will be too long for the access() function, and it will check if another extension is possible. Since pl is one char shorter, it is accepted.

Vendor URL:
===
You can visit the vendor's webpage here:
http://www.lotus.com

Vendor response:
The vendor was contacted on the 7th of February, 2002. On the 8th of February the vendor replied that the "htcgibin.exe" module would be redesigned in the next release of Domino (5.0.10). In late March, 2002 the vendor released the new version, which corrected the issue.

Corrective action:
==
Upgrade to Lotus Domino V5.0.10, which can be downloaded here:
http://www.notes.net/qmrdown.nsf

Author: Peter Gründl ([EMAIL PROTECTED])
def-2001-26: IIS WebDav Lock Method Memory Leak DoS
==
Defcom Labs Advisory def-2001-26
IIS WebDav Lock Method Memory Leak DoS

Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-05-17
==

=[Brief Description]=-
The WebDav extensions for Internet Information Server 5.0 contain a flaw that could allow a malicious user to consume all available memory on the server.

=[Affected Systems]=--
- httpext.dll versions prior to 0.9.3940.21 (Windows 2000 SP2)

--=[Detailed Description]=
The LOCK method contains a memory leak that will trigger if you send it continuous requests for non-existing files. E.g.

LOCK /aa.htw HTTP/1.0

Eventually the server will run out of memory and run really slowly. You might argue that the server will then crash, reboot and return to normal again, but there are a few things that can be done to determine when you get close to filling up the server's memory, and then it is just a matter of stopping, and the server won't free the memory. One way is to combine the attack with ASP executions, e.g.

GET /iisstart.asp?uc=a HTTP/1.0

which of course requires the presence of iisstart.asp (but this is just an example). The script will return execution errors when it runs out of temporary space on the server to execute the .asp script, and that's when the server is almost out of memory.

---=[Workaround]=-
The problem has been corrected in httpext.dll v.0.9.3940.21, which is packaged with Windows 2000 Service Pack 2 and, according to Microsoft: "it will ship with each IIS5 hotfix that we release going forward (and will be available for SP0, SP1, and SP2+.)"

You can find Service Pack 2 on Microsoft's webpage at:
www.microsoft.com/windows2000/downloads/servicepacks/sp2/default.asp

-=[Vendor Response]=--
This issue was brought to the vendor's attention on the 3rd of March, 2001, and the vendor released a patch on the 16th of May.

==
This release was brought to you by Defcom Labs
[EMAIL PROTECTED] www.defcom.com
==
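Detection logic a defender could run over IIS W3C extended logs for the three IIS issues above (the .htr parameter overrun in KPMG-2002010, the oversized /_vti_bin/shtml.exe request in KPMG-2002009 and the LOCK memory leak in def-2001-26), as an added example that is not part of any of the advisories. The field order, the sample log lines and the two thresholds are assumptions made for the example.

```python
"""Flag, in IIS W3C extended log lines, the request patterns described in
def-2001-26 (WebDAV LOCK requests for non-existent files), KPMG-2002010
(.htr requests carrying a nameless '=x' parameter) and KPMG-2002009
(oversized requests to /_vti_bin/shtml.exe).  Added example, not part of any
advisory; the field order, sample lines and thresholds are constructed."""
from collections import Counter

# Field order assumed for the constructed lines below; real IIS logs declare
# theirs in a '#Fields:' directive, which this parser skips like any comment.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]
LOCK_404_THRESHOLD = 20    # assumption: repeated LOCKs on missing files per client
LONG_URI_THRESHOLD = 4096  # assumption: far longer than any real shtml.exe URL

# Constructed sample log (not real traffic): one client hammering LOCK on
# missing .htw files, one .htr probe, one oversized shtml.exe request, and
# ordinary traffic that must not be flagged.
SAMPLE_LOG = (
    "#Software: constructed sample\n"
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2001-05-17 10:00:01 10.0.0.5 GET /default.htm - 200\n"
    + "".join(f"2001-05-17 10:00:{2 + i:02d} 10.0.0.9 LOCK /aa{i}.htw - 404\n" for i in range(25))
    + "2001-05-17 10:01:00 10.0.0.7 GET /foo.htr =x 500\n"
    + "2001-05-17 10:01:05 10.0.0.8 GET /_vti_bin/shtml.exe " + "A" * 5000 + " 500\n"
    + "2001-05-17 10:01:09 10.0.0.5 PROPFIND /docs/ - 207\n"
    + "2001-05-17 10:01:12 10.0.0.6 LOCK /docs/a.doc - 200\n"
)


def parse_w3c(text):
    """Yield one dict per data line; '#' directives and malformed lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(FIELDS):
            continue  # never let a malformed line take the detector down
        yield dict(zip(FIELDS, parts))


def detect(text):
    """Return a list of (rule, client_ip, detail) findings for a log text."""
    findings = []
    lock_404 = Counter()
    for rec in parse_w3c(text):
        ip, stem, query = rec["c-ip"], rec["cs-uri-stem"], rec["cs-uri-query"]
        # def-2001-26: every LOCK on a file that does not exist leaks memory.
        if rec["cs-method"] == "LOCK" and rec["sc-status"] == "404":
            lock_404[ip] += 1
        # KPMG-2002010: '/foo.htr?=x', a parameter with an empty name.
        if stem.lower().endswith(".htr") and any(p.startswith("=") for p in query.split("&")):
            findings.append(("htr-nameless-param", ip, f"{stem}?{query}"))
        # KPMG-2002009: shtml.exe handed a very long URL.
        if "/_vti_bin/shtml.exe" in stem.lower() and len(stem) + len(query) > LONG_URI_THRESHOLD:
            findings.append(("shtml-long-uri", ip, f"{len(stem) + len(query)} bytes"))
    for ip, n in lock_404.items():
        if n >= LOCK_404_THRESHOLD:
            findings.append(("webdav-lock-404-flood", ip, f"{n} LOCK requests for missing files"))
    return findings


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print(f"{rule:24} {ip:12} {detail}")
```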
def-2001-25: Carello E-Commerce Arbitrary Command Execution
==
Defcom Labs Advisory def-2001-25
Carello E-Commerce Arbitrary Command Execution

Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-05-14
==

=[Brief Description]=-
A malicious user can execute arbitrary commands on the E-Commerce server with the privileges of the web server.

=[Affected Systems]=--
- Carello E-Commerce V1.2.1 for Windows NT

--=[Detailed Description]=
Carello.dll utilizes full physical paths to execute Carello scripts instead of paths relative to the webroot. Some input validation has been inserted in the program, but not to a sufficient degree, as can be seen from the following example (the URL has been wrapped for readability):

http://foo.org/scripts/Carello/Carello.dll?CARELLOCODE=SITE2&
VBEXE=C:\..\winnt\system32\cmd.exe%20/c%20echo%20test>c:\defcom.txt

The example will result in INETINFO.EXE spiking at 100% CPU, and the web server will no longer answer HTTP requests. The web service cannot be stopped/restarted, and the server will need to be rebooted to regain functionality. The command will be executed with the privileges of the web server, which, when dealing with IIS, usually means LocalSystem access. The test was performed on a Windows NT 4.0 Server with SP 6a.

---=[Workaround]=-
Pacific Software Publishing, Inc. has released version 1.3 to correct the problem and introduce support for Windows 2000. You can download it at http://www.carelloweb.com

-=[Vendor Response]=--
This issue was brought to the vendor's attention on the 3rd of April, 2001, and the vendor released a patch on the 12th of May. The vendor also responded with:

"We are planning to release a newer version of Carello in the near future. Please subscribe to the newsletter from http://www.carelloweb.com/subscription.htm, and we will be informing you of update information."
def-2001-24: Windows 2000 Kerberos DoS
==
Defcom Labs Advisory def-2001-24
Windows 2000 Kerberos DoS

Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-05-09
==

=[Brief Description]=-
The Kerberos service and Kerberos password service contain a flaw that could allow a malicious attacker to cause a Denial of Service on the Kerberos service, thus making all domain authentication impossible.

=[Affected Systems]=--
- Windows 2000 Server
- Windows 2000 Advanced Server
- Windows 2000 Datacenter Server

--=[Detailed Description]=
By creating a connection to the Kerberos service and then disconnecting again, without reading from the socket, the LSA subsystem will leak memory. After about 4000 connections the Kerberos service will stop accepting connections to TCP ports 88 (kerberos) and 464 (kpasswd), and all domain authentication will effectively have died (if the target was a domain controller). It requires a reboot to recover from the attack.

---=[Workaround]=-
Disallow access to TCP ports 88 and 464 from untrusted networks and/or apply the patch located at the following URL:
http://www.microsoft.com/technet/security/bulletin/MS01-024.asp

-=[Vendor Response]=--
This issue was brought to the vendor's attention on the 26th of January, 2001, and the vendor released a patch on the 8th of May.
def-2001-21: Ghost Multiple DoS
==
Defcom Labs Advisory def-2001-21
Ghost Multiple DoS

Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-04-11
==

=[Brief Description]=-
Ghost contains flaws that allow an attacker to crash the application.

=[Affected Systems]=--
- Symantec Ghost 6.5 for Windows NT/2000
- Sybase Adaptive Server Anywhere Database Engine V6.0.3.2747

--=[Detailed Description]=
The first flaw involves the database engine, which isn't a Symantec product, but it is shipped with Symantec Ghost 6.5 (and possibly older versions as well). The database engine is the run-time engine by Sybase. Connecting to the database engine on TCP port 2638 and sending a string of approx. 45Kb will cause a buffer overflow that results in registers being overwritten. The database engine needs to be restarted in order to regain functionality.

"State Dump for Thread Id 0x5c8
eax=0063f0e4 ebx=0063f204 ecx=41414141 edx=41414141 esi=00630020 edi=0063
eip=65719224 esp=08fbfbf0 ebp= iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010206"

The Ghost Configuration Server is running on TCP port 1347. It is periodically vulnerable to a crash triggered the same way as the database engine overflow. This is not a buffer overflow, and can only be used as a DoS attack.

"The following information has been placed on the clipboard. If you would like to visit the Symantec Technical support site at http://www.symantec.com/techsupp/ it may help our technicians diagnose the problem and improve our product.
Symantec Ghost Configuration Server
An exception has occurred of type c005
D:\Program Files\Symantec\Ghost\ngserver.exe 6.5.1.144
[ Limited backtrace only ]
memmove+0x33
StreamInterchange::doDispatch+0x1b2
StreamInterchange::readEvent+0x13e
SocketEvent::dispatch+0x33
SocketEvent::wait+0x203"

---=[Workaround]=-
Restricting access to the Ghost Configuration Server might not be applicable, since you would need that access in order to use the network capabilities of the program. The database engine can be restricted to listening on the loopback interface like so:

1. Shut down the configuration server
2. Launch the Sybase engine manually:
   cd "\Program Files\Symantec\Ghost\bin"
   rteng6 -x tcpip(MyIP=127.0.0.1) ..\db\SYMANTECGHOST.DB
   (or the equivalent before restarting the Symantec Ghost Configuration Server service)

Vendor response regarding upgrade:
"1 - Ghost 7.0 ships out to customers on the 2nd of April
2 - It is a "free" upgrade for those who purchased Upgrade Insurance as part of their license
3 - Standard upgrade procedures are available for those affected by the problem
Direct all inquiries to www.symantec.com/ghost and/or www.binaryresearch.net"

-=[Vendor Response]=--
The issues were brought to the vendor's attention on the 21st of December, 2000. The issues were resolved in Ghost 7.0, released 2nd of April, 2001. In response to the DoS on the Configuration Server port (1347) the vendor replied:

"Just an FYI on the defect; it's not a buffer overflow as such (we're pretty religious about avoiding fixed-size buffers here), but rather a simple fencepost bug which is triggered by an error-handling path where the code at one layer that consumed some input fell over because a lower-layer error function had already cleaned out the buffer."
def-2001-20: Lotus Domino Multiple DoS
==
Defcom Labs Advisory def-2001-20
Lotus Domino Multiple DoS

Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-04-11
==

=[Brief Description]=-
The Lotus Domino Web Server contains multiple flaws that could allow an attacker to cause a Denial of Service situation.

=[Affected Systems]=--
- All releases of Lotus Domino R5 prior to 5.0.7, for all platforms

--=[Detailed Description]=

HTTP Header DoS:
Affected headers are "Accept", "Accept-Charset", "Accept-Encoding", "Accept-Language" and "Content-Type". Unique values sent with these headers are not freed properly. This means that repeatedly requesting e.g. the document root (/) with varying accept fields (accept: a, accept: aa, accept: aaa, and so on) will eventually result in the server running out of physical memory, and the server will display a message similar to this one:

"HTTP Server: Could allocate 8036 bytes of memory
Out of memory in HTMemPoolAlloc (file htmpool.c, line 506).
Program aborted."

and one of two things will happen then:

1) The Lotus Server will continue to run (although it no longer answers on TCP port 80), and no function that needs a working thread will work (this includes task manager, as the parser process is preventing other processes from requesting a thread). The occupied memory will not be released.

2) The Lotus Server process will crash, and will need a restart in order to regain functionality. The rest of the services on the host, unrelated to the Lotus Server, will continue to function.

Unicode DoS:
Sending certain combinations of unicode chars (16 bit) to the server in a GET request triggers a server exception that will crash the Domino server. E.g.

GET /190xchr(430) HTTP/1.0

If qnc.exe is removed from the system, the crash will only affect the web server.

DOS-device DoS:
!!!This Denial of Service only affects Windows and OS/2 platforms!!!
You can access DOS devices through the web server, and if this is done through the cgi-bin directory, an ncgihttp.exe process will be opened to handle the execution of e.g. con. This processing will not finish, and when approx. 400 of these requests have been made, the server will no longer answer requests to TCP port 80.

CORBA DoS:
A continuous stream of connects with a payload of 10K of data followed by a return to TCP port 63148 (DIIOP - CORBA) results in the CPU on the target host jumping to 100%, the memory slowly filling up, and the hard disk being written to constantly during the attack. The CPU usage will remain at 100% long after the attack is over.

URL parsing:
Big HTTP requests (8k) of /'s to TCP port 80 result in a lot of CPU consumption (99-100%), as opposed to e.g. 8k of a's, which result in approx. 1% CPU usage.

---=[Workaround]=-
Download and upgrade to Notes/Domino 5.0.7:
http://www.notes.net/qmrdown.nsf/QMRWelcome

-=[Vendor Response]=--
The need for improved parsing and the CORBA issue were brought to the vendor's attention on the 9th of November, 2000. The header DoS was brought to the vendor's attention on the 1st of December, 2000. The Unicode DoS and the DOS-device issues were brought to the vendor's attention on the 9th of January, 2001. The URL parsing algorithm was improved in Lotus Domino 5.0.6, and the remaining three issues were fixed with the release of QMR 5.0.7. The DOS-device issue was also discovered by Lotus internal testing!
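A defensive request-path check covering the DOS-device and NUL-suffix issues described in the Sambar (KPMG-2002012), Coldfusion (KPMG-2002013) and Lotus Domino (KPMG-2002006, and the DOS-device DoS in def-2001-20 above) advisories, as an added example that is not code from any of them. It goes slightly beyond the advisories by decoding percent-encoding and accepting backslash separators before checking; the sample requests are constructed.

```python
"""Request-path check for two bug classes in the advisories above: an embedded
NUL that truncates the file name seen by the extension mapper (Sambar,
KPMG-2002012), and path components that Windows resolves to a reserved DOS
device whatever extension or trailing dots follow (Coldfusion KPMG-2002013,
Lotus Domino KPMG-2002006, Domino DOS-device DoS in def-2001-20).
Added example, not code from any advisory; sample requests are constructed."""
import re
from urllib.parse import unquote_to_bytes

# Base names Win32 reserves in every directory, with or without an extension.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}


def is_reserved_component(component: str) -> bool:
    """True if Win32 would resolve this path component to a device.

    Win32 ignores trailing spaces and dots and takes the base name before the
    first '.', so 'nul.dbm', 'nul..dbm', 'com5.pl' and 'com5' followed by 218
    periods and 'box' all name a device although no such file exists.  The
    check is deliberately conservative: any base name that is a device name is
    rejected, whether or not the device is enabled on the host (the Domino
    advisory shows access() reporting a disabled com5 as present).
    """
    base = component.rstrip(" .").split(".", 1)[0].rstrip(" ")
    return base.upper() in RESERVED


def check_request_path(raw_path: str):
    """Return (allowed, reason) for a URL path as received on the wire,
    still percent-encoded, e.g. '/cgi-bin/environ.pl+%00'."""
    decoded = unquote_to_bytes(raw_path)
    if b"\x00" in decoded:
        # '%00' decodes to NUL.  A plausible reading of the Sambar advisory:
        # extension matching on the full name finds no '.pl' suffix and skips
        # the script parser, while the C-string file open stops at the NUL and
        # serves the script source as a plain file.  Reject outright.
        return False, "embedded NUL byte"
    try:
        path = decoded.decode("utf-8")
    except UnicodeDecodeError:
        return False, "undecodable path bytes"
    # Split on both separators: Windows-hosted servers accept backslashes too.
    for component in re.split(r"[/\\]+", path):
        if component and is_reserved_component(component):
            return False, f"reserved device name: {component}"
    return True, ""


# Constructed sample requests following the patterns in the advisories above.
SAMPLES = [
    "/cgi-bin/environ.pl",                # ordinary script request
    "/cgi-bin/environ.pl+%00",            # Sambar: NUL suffix bypasses parsing
    "/nul.dbm",                           # Coldfusion: device name plus extension
    "/nul..dbm",                          # Coldfusion: doubled-dot variant
    "/%6Eul.cfm",                         # same device name, percent-encoded
    "/cgi-bin/com5.pl",                   # Domino: COM5 passes access()
    "/cgi-bin/com5" + "." * 218 + "box",  # Domino: long name falls back to .pl
    "/cgi-bin/con",                       # Domino/Sambar: bare device name
    "/docs/console.html",                 # 'console' is not a device name
    "/com10.txt",                         # only COM1-COM9 are reserved
]


def audit(paths):
    """Map each path to its (allowed, reason) verdict."""
    return {p: check_request_path(p) for p in paths}


if __name__ == "__main__":
    for p, (ok, why) in audit(SAMPLES).items():
        print("ALLOW" if ok else "DENY ", p[:40], why)
```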
def-2001-18: Watchguard Firebox II Kernel DoS
==
Defcom Labs Advisory def-2001-18
Watchguard Firebox II Kernel DoS

Authors: Andreas Sandor <[EMAIL PROTECTED]>
         Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-04-05
==

=[Brief Description]=-
This vulnerability makes it possible to force the Firebox into a condition where it stops responding to packets of a certain protocol after it has been sent large bursts of packets for that protocol.

=[Affected Systems]=--
Watchguard FireboxII Versions
* All versions prior to 4.6

--=[Detailed Description]=
The Linux-based kernel in the Watchguard Firebox has problems handling certain types of malformed packets. If the firewall is subjected to a burst of around 10,000 of these packets, it will cause a kernel fault and either crash or reboot. Both TCP and ICMP are affected by this, and the burst rate needed to achieve a kernel fault was about one megabit in our test lab, which isn't that uncommon these days. If the firewall manages to log the attack, the log file might look something like this:

kernel: Unable to handle kernel paging request at virtual address c400
kernel: current->tss.cr3 = 03557000, %cr3 = 03557000
kernel: *pde =
kernel: Oops:
kernel: CPU:0
kernel: EIP:0010:[<00186379>]
kernel: EFLAGS: 00010206
kernel: eax: 8c807bd9 ebx: 636f7270 ecx: 07f65441 edx:
kernel: esi: 0400 edi: 02ca8818 ebp: 02ca882c esp: 03be7f08
kernel: ds: 0018 es: 0018 fs: 002b gs: 002b ss: 0018
kernel: Process ifconfig (pid: 153, process nr: 6, stackpage=03be7000)
kernel: Stack: 0013 03049b98 00153ad4 02ca8840 09002d0a 02ca8818
kernel: 002e 03be7f80 0013 02ca8848 0013f845 0002 0013f9b9 03be7f88
kernel: 001a3e54 02ca8848 0019ca48 0019ca48 002af018
kernel: Call Trace: [<00153ad4>] [<0013f845>] [<0013f9b9>] [<001389d0>] [<001181f3>] [<0010a62f>]
kernel: Code: 8b 1e 11 d8 8b 5e 04 11 d8 8b 5e 08 11 d8 8b 5e 0c 11 d8 8b
kernel: Aiee, killing interrupt handler

But most of the time the firewall just crashes without any indication of foul play in the log file. Even if the firewall crashes, some network related tasks will still function.

---=[Workaround]=-
Obtaining version 4.6 requires membership of LiveSecurity:
http://www.watchguard.com/support
Information about LiveSecurity can be obtained from the vendor:
http://www.watchguard.com

-=[Vendor Response]=--
The vendor was contacted February 23rd, 2001 and an update was released on March 24th, 2001.
def-2001-17: Navision Financials Server DoS
======================================================================
Defcom Labs Advisory def-2001-17

Navision Financials Server DoS

Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-04-03
======================================================================

-=[Brief Description]=-

The Navision Financials Server contains a flaw that allows an attacker to crash the service.

-=[Affected Systems]=-

- Navision Financials Server V2.50 for Windows NT/2000
- Navision Financials Server V2.60 for Windows NT/2000

-=[Detailed Description]=-

Sending a null character followed by approx. 30k of A's to TCP port 2407 causes a buffer overflow and terminates the process (SERVER.EXE). The overflow does not appear to be exploitable. A smaller amount can also be used, and will silently kill the process. This requires approx. 10 connections starting with a null character, followed by 100+ characters.

-=[Workaround]=-

Disallow access to TCP port 2407 from untrusted systems, and contact Navision-Damgaard Support to obtain the patch for this problem:
http://www.navision.com/com/view.asp?documentID=258

-=[Vendor Response]=-

The issue was brought to the vendor's attention on the 21st of December, 2000. A patch was created by the vendor on the 5th of March, 2001.

======================================================================
This release was brought to you by Defcom Labs
[EMAIL PROTECTED]   www.defcom.com
======================================================================
def-2001-16: Internet & Acceleration Server Event DoS
======================================================================
Defcom Labs Advisory def-2001-16

Internet & Acceleration Server Event DoS

Authors: Peter Gründl <[EMAIL PROTECTED]>
         Andreas Sandor <[EMAIL PROTECTED]>
Release Date: 2001-04-02
======================================================================

-=[Brief Description]=-

If an alert action has been chosen in the ISA server console, a malicious attacker can cause a Denial of Service situation on the ISA server.

-=[Affected Systems]=-

- Internet & Acceleration Server for Windows 2000 Server

-=[Detailed Description]=-

By default the log settings on the Windows 2000 server are not set to overwrite the log files as needed, and since the installation of the ISA server does not change these settings, this is also the case with the ISA server.

If you enable the "Event Log Failure" option in the ISA console, an attacker can send in any kind of spoofed packets that will trigger event logs and cause the ISA server to start spawning a CMD.EXE for each event log failure. This will result in the server running very slowly and consuming all available memory. This will go on even after the ISA server is rebooted, until the event log is cleaned.

We used ISIC to create a flood of spoofed, random packets:
http://www.packetfactory.net/Projects/ISIC/

Whether you chalk this one up as a security vulnerability or not, it is still a potential problem that should be given attention if you set up an "Internet Security and Acceleration" Server.

-=[Workaround]=-

Make sure your log file is either overwritten as needed or that you have the "event log failure" option disabled in the ISA firewall.

The issue is now described in Q284800 by MSRC:
http://support.microsoft.com/support/kb/articles/q284/8/00.ASP

-=[Vendor Response]=-

This issue was brought to the vendor's attention on the 20th of February, 2001. The vendor replied:

"There are two issues here: the particular alert action (i.e., opening the command prompt in response to the log becoming full), and the fact that the alert action recurs each time you boot.

* Alert action. By default, there is no alert action selected -- you have to have enabled alerts. Once they're enabled, the default alert mechanism is to run a program. This is usually used to run a program to, for instance, send a mail to the administrator. If you want to, you can select a different alert mechanism.

* Recurrence. By default, ISA will continue to take the alert action each time the machine is booted, until the "log full" condition no longer applies. Again, the idea here is that ISA will give the administrator a signal that he needs to tend to his logs. You can reset the recurrence so that the alert action is only taken at predefined intervals, or only after a manual reset of the event log."

Also:

"Thanks for letting me review the draft. I don't see anything in it that's factually incorrect. However, classifying this as a denial of service vulnerability seems excessive, don't you think? There isn't a product flaw here -- the only issue is that if the user deliberately turns on a feature, but doesn't configure it correctly, he can hurt the performance of his machine. That is, there isn't any way for a bad guy to force the admin to turn on the Event Log Failure option, nor is there any way for him to prevent the admin from properly configuring it. It seems much more appropriate to discuss this as an issue of proper use of the product, rather than as a security vulnerability."

And finally:

"I agree that the right way to use the alert mechanism isn't intuitive, and that we need to get the word out so folks will use it appropriately."

======================================================================
This release was brought to you by Defcom Labs
[EMAIL PROTECTED]   www.defcom.com
======================================================================
def-2001-15: Website Pro Remote Manager DoS
======================================================================
Defcom Labs Advisory def-2001-15

Website Pro Remote Manager DoS

Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-03-28
======================================================================

-=[Brief Description]=-

The remote manager service contains a flaw that allows an attacker to cause the service to crash.

-=[Affected Systems]=-

- Website Pro/3.0.37

-=[Detailed Description]=-

The remote manager service (default on port ) will leak memory if non-authenticated requests are repeatedly made to the /dyn/ directory, and will eventually get killed by the OS. For example:

    GET /dyn/x HTTP/1.0
    host: 10.0.0.1

-=[Workaround]=-

Disallow access to the remote manager service from untrusted networks. The service is on TCP port by default.

-=[Vendor Response]=-

This issue was brought to the vendor's attention on the 21st of February, 2001, and although the vendor has been contacted repeatedly, no workaround or fix has been received to this date.

======================================================================
This release was brought to you by Defcom Labs
[EMAIL PROTECTED]   www.defcom.com
======================================================================
def-2001-14: Bea Weblogic Directory Browsing (re-release)
======================================================================
Defcom Labs Advisory def-2001-14

Bea Weblogic Directory Browsing

Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-03-26
Re-release Date: 2001-03-27
======================================================================

-=[Re-Release Reason]=-

Due to a poorly chosen name for the vulnerability this advisory has been re-released (I was getting A LOT of mails from people explaining the difference between unicode and ascii to me ;). Also some more information about the bug has surfaced.

-=[Brief Description]=-

The Bea Weblogic server contains a flaw that allows directory browsing even if the directories contain default documents.

-=[Affected Systems]=-

- Bea Weblogic Server 6.0 for Windows NT/2000
- It appears that versions prior to 6.0 might also be vulnerable!

-=[Detailed Description]=-

By requesting a URL and ending it with one of the following ascii representations: %00, %2e, %2f or %5c, it is possible to bypass the listing of the default document (eg. index.html) and browse the content of the web folders.

Examples:

    http://www.foo.org/%00/
    http://www.foo.org/images/%2e/
    http://www.foo.org/passwords/%2f/
    http://www.foo.org/creditcard/%5c/

The four representations translate to "null", ".", "/" and "\".

-=[Workaround]=-

Workaround: In the WLS console set the "index directory" from "enabled" to "disabled". It should be noted that this will not fix the issue with revealing jsp sourcecode that Adam Boileau reported to Bugtraq in response to the original posting of this advisory!

Download and install Weblogic 6.0 with Service Pack 1:
http://commerce.bea.com/downloads/weblogic_server.jsp#wls

For some people installing V6.0Sp1 might not be an option. Those people are advised to contact Bea Systems Support for assistance with this issue.

-=[Vendor Response]=-

This issue was brought to the vendor's attention on the 22nd of February, 2001 and a workaround was received on the 6th of March 2001.

======================================================================
This release was brought to you by Defcom Labs
[EMAIL PROTECTED]   www.defcom.com
======================================================================
def-2001-14: Bea Weblogic Unicode Directory Browsing
======================================================================
Defcom Labs Advisory def-2001-14

Bea Weblogic Unicode Directory Browsing

Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-03-26
======================================================================

-=[Brief Description]=-

The Bea Weblogic server contains a flaw that allows directory browsing even if the directories contain default documents.

-=[Affected Systems]=-

- Bea Weblogic Server 6.0 for Windows NT/2000

-=[Detailed Description]=-

By requesting a URL and ending it with one of the following unicode representations: %00, %2e, %2f or %5c, it is possible to bypass the listing of the default document (eg. index.html) and browse the content of the web folders.

Examples:

    http://www.foo.org/%00/
    http://www.foo.org/images/%2e/
    http://www.foo.org/passwords/%2f/
    http://www.foo.org/creditcard/%5c/

The four unicode representations translate to "null", ".", "/" and "\".

-=[Workaround]=-

Download and install Weblogic 6.0 with Service Pack 1:
http://commerce.bea.com/downloads/weblogic_server.jsp#wls

-=[Vendor Response]=-

This issue was brought to the vendor's attention on the 22nd of February, 2001 and a workaround was received on the 6th of March 2001.

======================================================================
This release was brought to you by Defcom Labs
[EMAIL PROTECTED]   www.defcom.com
======================================================================
def-2001-12: Hursley Software Laboratories Consumer Transaction Framework DoS
======================================================================
Defcom Labs Advisory def-2001-12

Hursley Software Laboratories Consumer Transaction Framework DoS

Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-03-20
======================================================================

-=[Brief Description]=-

The HSLCTF HTTP object contains a flaw that could allow a malicious attacker to crash the web object and interconnected objects (eg. SMTP).

-=[Affected Systems]=-

- HSLCTF 1.0 for AIX

-=[Detailed Description]=-

A never-ending HTTP request will crash the HTTP service, and can also bring down the internal mail system. The request looks like this:

    GET / HTTP/1.0\r\nhost:www.foo.org\r\nreferrer: aaa..

This means a script that will continue to fire "a"'s into the socket, until it exhausts the server.

This vulnerability is closely coupled with def-2001-11, as the method of triggering the crash in HSLCTF is the same as the one in Websweeper:
http://www.securityfocus.com/bid/2465

-=[Workaround]=-

The following workaround example has been supplied by IBM Hursley Software Laboratories, see "Vendor Response":

    import com.ibm.CTF.Adapters.*;
    import java.io.*;

    /* Descendant of CTFTcpipHttpAdapter that refuses header lines longer
       than 1024 characters. Stream_in and BytesRead are not declared here;
       they are the input stream and byte counter of the base adapter. */
    public class LimitHttpTcpipAdapter extends CTFTcpipHttpAdapter
    {
        protected String ReadLine( ) throws Exception
        {
            int intChar;
            int i = 0;
            StringBuffer Result = new StringBuffer( 1024 );

            /* read Header from input stream */
            while ( true )                              /* repeat until "newline" */
            {
                intChar = Stream_in.read();             /* read a character */
                switch ( intChar )                      /* what character */
                {
                    case -1:                            /* ... no character */
                        i = i + 1;                      /* error count */
                        if ( i > 3 )                    /* more than threshold ? */
                            throw new EOFException();   /* ... yes, EOF */
                        else                            /* ... no */
                            Thread.sleep( 10 );         /* wait a bit */
                        break;
                    case 10:                            /* line feed */
                        BytesRead = BytesRead + Result.length(); /* data received so far */
                        return( Result.toString() );    /* all done */
                    case 13:                            /* carriage return */
                        BytesRead = BytesRead + 1;      /* data received so far */
                        break;
                    default:                            /* real data */
                        i = 0;                          /* timeout count reset */
                        Result.append( (char) intChar ); /* append to string */
                        if ( Result.length( ) > 1024 )
                            throw new IOException( "missing cr-lf delimiter" );
                } /* switch */
            } /* while */
        }
    }

-=[Vendor Response]=-

This issue was brought to the vendor's attention on the 9th of November, 2000 and a workaround was received from the vendor on the 20th of March 2001.

The Danish vendor replied (translated to English):

"Support on the CTF toolkit stopped at the end of 2000, but customers can protect themselves against http header overflow, see workaround from IBM Hursley"

Hursley Software Laboratories replied:

"The customer can put in whatever extra checks or controls they wish. In the following example I have shown how a check can be made for header records not exceeding 1024 characters in length by creating a descendent of the CTFTcpipHttpAdapter. This descendent adapter would then be used in place of the CTFTcpipHttpAdapter in the start up information for the webserver, i.e. in the web server ini file (or equivalent AddAdapter statement in the server start up code):

    [Adapter]
    TCPIPHTTP=LimitHttpTcpipAdapter

Only the customer will know what limits they want to impose and what they want to do if the limits are exceeded, since it depends on the sending application, any additional information proxies or firewalls may add etc..."

======================================================================
This release was brought to you by Defcom Labs
[EMAIL PROTECTED]   www.defcom.com
======================================================================
def-2001-13: NTMail Web Services DoS
======================================================================
Defcom Labs Advisory def-2001-13

NTMail Web Services DoS

Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-03-20
======================================================================

-=[Brief Description]=-

NTMail's web services contain a flaw that could allow a malicious attacker to crash the web services using a malformed URL.

-=[Affected Systems]=-

- NTMail V6.0.3c for Windows NT/2000

-=[Detailed Description]=-

It appears that while fixing another URL related problem, Gordano accidentally introduced a new one. The web services on TCP ports 8000 and 9000 are both vulnerable to a "LongURL attack". That means that a request larger than 255 characters will crash the service. A crash will take down the services listening on TCP ports 8000 (NTMail configuration), 8025, 8080, and 9000 (GLWebMail).

-=[Workaround]=-

Install the patch located at:
ftp://ftp.gordano.com/ntmail6/hotfixes/ntmail6C_Intel_20010317.zip

-=[Vendor Response]=-

This issue was brought to the vendor's attention on the 9th of March, 2001 and a patch was released by the vendor on the 17th of March 2001.

======================================================================
This release was brought to you by Defcom Labs
[EMAIL PROTECTED]   www.defcom.com
======================================================================
Re: def-2001-11: MDaemon 3.5.4 Dos-Device DoS
The CON/CON didn't affect NT (not natively anyway). Windows NT and 2000 run on different kernels than Win9x (if you can call those kernels?), and dos-devices (AFAIK) are implemented virtually on NT/2000. A fully patched Windows NT/2000 is still vulnerable to this attack if the host runs MDaemon < 3.5.6. Besides, it's not a request for a dos-device inside a dos-device (which is what triggered the old Win9x DoS).

Peter Gründl
Defcom Security

----- Original Message -----
From: "Nelson Brito" <[EMAIL PROTECTED]>
To: "Peter Gründl" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, March 15, 2001 6:39 PM
Subject: Re: def-2001-11: MDaemon 3.5.4 Dos-Device DoS

[snip]
>
> I don't know, but it's a CON/CON old bug, isn't it?
>
> If you patched your NT Box, the app is not vulnerable to this BUG, isn't it?
>
[snip]
def-2001-11: MDaemon 3.5.4 Dos-Device DoS
======================================================================
Defcom Labs Advisory def-2001-11

MDaemon 3.5.4 Dos-Device DoS

Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-03-15
======================================================================

-=[Brief Description]=-

Web services in the MDaemon package can be crashed by requesting a malicious URL.

-=[Affected Systems]=-

- MDaemon 3.5.4 Standard for Windows NT/2000
- MDaemon 3.5.4 Pro for Windows NT/2000

-=[Detailed Description]=-

There is a problem with the way the Worldclient (default port 3000) and the Webconfig service (default port 3001) handle requests for dos-devices. If a user requests eg. "http://www.foo.org:3000/aux", the Worldclient service will crash. The same fault affects the Webconfig service. The service needs to be restarted from the MDaemon console.

-=[Workaround]=-

Upgrade to MDaemon 3.5.6:
http://mdaemon.deerfield.com/download/getmdaemon.cfm

-=[Vendor Response]=-

This issue was brought to the vendor's attention on the 3rd of March, 2001 and the vendor released a patch on the 9th of March, 2001.

======================================================================
This release was brought to you by Defcom Labs
[EMAIL PROTECTED]   www.defcom.com
======================================================================
def-2001-10: Websweeper Infinite HTTP Request DoS
======================================================================
Defcom Labs Advisory def-2001-10

Websweeper Infinite HTTP Request DoS

Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-03-08
======================================================================

-=[Brief Description]=-

The Websweeper application from Baltimore Technologies is vulnerable to a Denial of Service attack. Malicious usage can lead to the application crashing.

-=[Affected Systems]=-

- Websweeper 4.0 for Windows NT

-=[Detailed Description]=-

By sending an infinitely long HTTP request through the Websweeper application, it is possible to cause it to consume all available memory on the server and eventually have the operating system kill the process.

The term "infinitely long HTTP request" needs some clarification, as it is not really a request, because it is never issued. The point is to use up all available buffer memory in the application, and if this buffer is not restricted, cause the application to be killed by the operating system. The concept works on a lot of HTTP applications, and the idea came from reading one of Marc Maiffret's posts to Bugtraq; this really goes far beyond just the Websweeper application.

What you do in practice is this:

    GET / HTTP/1.0
    Host: www.foo.org
    referrer: a.

And keep filling in a's. The HTTP request will then be buffered, the a's will be pushed to the application, and memory will be allocated to handle the beginning request. Some HTTP applications will restrict the size of HTTP requests, like IIS/4.0 (2MB), but that can be bypassed by opening up eg. 500 connections: 500x2 = 1000Mb.

This is all terribly generalized, as some applications handle these attacks quite well, but a lot of them do not. Eg. IIS/5.0 handles it rather well, as the maxhttprequest size here is around 148Kb.

-=[Workaround]=-

None known; the vendor suggests placing a firewall in front of the Websweeper application.

-=[Vendor Response]=-

The vendor was contacted February 27th, 2001 and replied:

"Unfortunately it is not possible to legislate for all deliberate attacks. If a client program wilfully sends a large number of malformed requests and holds the connections open, the request data will fill up the memory and eventually you will run out of virtual memory. Under normal situations this will not be an issue, except where Internal Users pose a significant security risk to your system. In these situations alternative low-level packet security software such as firewalls may need to be considered. Nonetheless the wider issues of what can be done to minimise exposure to hacking is with Engineering and they are always striving to make our products as secure and robust as possible. Thank you for your comments on this issue."

======================================================================
This release was brought to you by Defcom Labs
[EMAIL PROTECTED]   www.defcom.com
======================================================================
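The Hursley workaround in def-2001-12 and the "infinite HTTP request" described in this advisory come down to one defensive rule: never buffer a header line, or a header block, without a fixed upper bound. The Python reader below is an added example, not code from Defcom Labs or from any vendor named on this page. It mirrors the Java adapter's per-line cap and goes a little further by also capping the total header block and the number of header lines, since a client can send many short headers instead of one long one. MAX_LINE_BYTES, MAX_HEADER_BYTES, MAX_HEADER_LINES, HeaderTooLarge and the EndlessStream test double are all assumed names, and the request bytes are constructed.

```python
"""Bounded HTTP request-head reader (added example, not from the advisories)."""
import io

MAX_LINE_BYTES = 1024      # assumed per-line limit; the Hursley adapter uses the same figure
MAX_HEADER_BYTES = 8192    # assumed cap on request line plus all header lines
MAX_HEADER_LINES = 64      # assumed cap on the number of header lines


class HeaderTooLarge(Exception):
    """Raised as soon as a client exceeds one of the limits above."""


def read_header_line(stream, max_line=MAX_LINE_BYTES):
    """Read one LF- or CRLF-terminated line, one byte at a time.

    Returns the line without its terminator, or None on EOF before any data.
    Raises HeaderTooLarge once max_line bytes have arrived without a line feed,
    so an endless line costs at most max_line bytes of buffer, never more.
    """
    buf = bytearray()
    while True:
        ch = stream.read(1)
        if not ch:                                  # EOF
            return bytes(buf) if buf else None
        if ch == b"\n":
            if buf.endswith(b"\r"):
                del buf[-1]
            return bytes(buf)
        buf += ch
        if len(buf) > max_line:
            raise HeaderTooLarge("header line exceeds %d bytes" % max_line)


def read_request_head(stream, max_line=MAX_LINE_BYTES,
                      max_total=MAX_HEADER_BYTES, max_lines=MAX_HEADER_LINES):
    """Read the request line and headers up to the empty line.

    Returns (request_line, headers); headers is a list of (name, value) with
    lower-cased names. Per-line, total-byte and line-count violations all raise
    HeaderTooLarge, so memory use per connection is bounded by max_total.
    """
    request_line = read_header_line(stream, max_line)
    if request_line is None:
        raise ValueError("empty request")
    total = len(request_line)
    headers = []
    while True:
        line = read_header_line(stream, max_line)
        if line is None:
            raise ValueError("connection closed inside the header block")
        if line == b"":                             # blank line ends the head
            return request_line.decode("latin-1"), headers
        total += len(line)
        if total > max_total:
            raise HeaderTooLarge("header block exceeds %d bytes" % max_total)
        if len(headers) >= max_lines:
            raise HeaderTooLarge("more than %d header lines" % max_lines)
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))


class EndlessStream:
    """Constructed stand-in for a client whose 'Referrer:' line never ends."""

    def __init__(self, prefix, filler=b"a"):
        self.prefix, self.filler = prefix, filler
        self.pos = 0
        self.bytes_served = 0                       # how much the reader pulled

    def read(self, n=1):
        if self.pos < len(self.prefix):
            chunk = self.prefix[self.pos:self.pos + 1]
            self.pos += 1
        else:
            chunk = self.filler                     # 'a' forever
        self.bytes_served += len(chunk)
        return chunk


def rejected_by_limits(data):
    """True if the reader refuses the constructed byte string *data*."""
    try:
        read_request_head(io.BytesIO(data))
        return False
    except HeaderTooLarge:
        return True


def demo():
    """Constructed inputs: one normal request, one endless header line."""
    good = io.BytesIO(b"GET / HTTP/1.0\r\nHost: www.foo.org\r\nReferrer: x\r\n\r\n")
    request_line, headers = read_request_head(good)

    endless = EndlessStream(b"GET / HTTP/1.0\r\nHost: www.foo.org\r\nReferrer: ")
    try:
        read_request_head(endless)
        rejected = False
    except HeaderTooLarge:
        rejected = True
    # The reader stops pulling bytes as soon as the over-long line trips the limit.
    return request_line, dict(headers), rejected, endless.bytes_served


if __name__ == "__main__":
    print(demo())
```

The endless client is refused after the prefix plus one over-long line (a little over a kilobyte) has been read, instead of growing the buffer until the operating system steps in; a real server would additionally close the connection and apply an idle timeout so the slow variant (one byte every few seconds) cannot pin a worker indefinitely.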
def-2001-02: IBM HTTP Server Kernel Leak DoS (re-release)
======================================================================
Defcom Labs Advisory def-2001-02

IBM HTTP Server Kernel Leak DoS

Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-01-08
Re-release Date: 2001-03-07
======================================================================

-=[Re-Release Reason]=-

Due to a vendor released patch for this vulnerability this advisory has been re-released. Also, as it was pointed out on Bugtraq, the advisory name was poorly chosen, so the advisory has been named more appropriately. Finally, vulnerable versions of the IBM HTTP Server are now fully known, so the updated list is included in the advisory.

-=[Brief Description]=-

The Afpa cache in the IBM HTTP Server has problems handling certain types of URL requests. The result of such a URL is a kernel leak, which will eventually end up consuming all available kernel memory and rendering the host useless.

-=[Affected Systems]=-

- IBM HTTP Server 1.3.6.4 for Windows NT/2000
- IBM HTTP Server 1.3.12 for Windows NT/2000
- IBM HTTP Server 1.3.12.2 for Windows NT/2000

-=[Detailed Description]=-

Sending a continuous stream of HTTP requests resulting in "bad request" will cause a kernel leak in Windows NT. There are many ways to trigger the bad request result that triggers the leak, eg.

    GET / HTTP/1.0\r\nuser-agent: 2xnull\r\n\r\n

-=[Workaround]=-

Temporary workaround: Comment out the three lines beginning with "Afpa" in the httpd.conf file (located in the conf directory in the web server folder).

Fix: Download and install the fix from
http://www-4.ibm.com/software/webservers/httpservers/efix.html

-=[Vendor Response]=-

This issue was brought to the vendor's attention on the 8th of December, 2000. A workaround was received from the vendor on the 5th of January, 2001. A fix was released on the 5th of March, 2001.

Original Response:

"This issue is caused by a problem in the AfpaCache module of the IBM HTTP Server. The only workaround at this time is to disable the AfpaCache. IBM Development is working on fixing this issue, but it is not yet known when a fix will be available."

======================================================================
This release was brought to you by Defcom Labs
[EMAIL PROTECTED]   www.defcom.com
======================================================================
def-2001-09: Winzip32 zipandemail Buffer Overflow
======================================================================
Defcom Labs Advisory def-2001-09

Winzip32 zipandemail Buffer Overflow

Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-03-02
======================================================================

-=[Brief Description]=-

Winzip contains an exploitable buffer overflow flaw that could allow an attacker to execute arbitrary code under the user context of the user or service running winzip.

-=[Affected Systems]=-

- Winzip 8.0 for Windows NT/2000

-=[Detailed Description]=-

The /zipandemail option in winzip contains a buffer overflow flaw when handling very long filenames. The EIP is overwritten, and a carefully crafted filename could allow for execution of arbitrary code.

The probability of this happening "in the wild" is very low, as the overflow only triggers if winzip is used with this option. Theoretically, this could occur when a .jpg with a malformed filename is 'zipped and emailed'. Alternatively, if an attacker managed to place a malicious file in the log directory on an automated logging system, then the automated zipping and emailing of the log would trigger the overflow.

-=[Workaround]=-

Don't use the /zipandemail function indiscriminately before a fix has been released.

-=[Vendor Response]=-

The vendor was contacted December 18th, 2000 and replied:

"Hopefully this will be corrected in the next version, fortunately this doesn't seem to be a problem that many people will run into."

We agree with this statement, yet feel that people using winzip for eg. automated log collecting should be aware of this flaw.

======================================================================
This release was brought to you by Defcom Labs
[EMAIL PROTECTED]   www.defcom.com
======================================================================
def-2001-08: Netscape Collabra DoS
======================================================================
Defcom Labs Advisory def-2001-08

Netscape Collabra DoS

Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-02-26
======================================================================

-=[Brief Description]=-

By sending malicious packets to the Netscape Collabra Server, it can be brought to consume all available memory and CPU.

-=[Affected Systems]=-

- Netscape Collabra Server V3.54 for Windows NT

-=[Detailed Description]=-

The Collabra server listens on the following TCP ports by default: 119, 5238, 5239 and 20749.

By sending approx. 5kb of A's to TCP port 5238 and then terminating the connection, you will cause two handles to be allocated and approx. 4-5kb of kernel memory per connection. The resources are not freed again, so the attack can take place very slowly and eventually it will consume all available memory.

By sending a null character followed by seven or more characters to TCP port 5239, you will cause the process srchs.exe to spike at 100% CPU usage.

-=[Workaround]=-

Filter TCP ports 5238 and 5239 from untrusted networks, and contact Netscape Support if you need further assistance.

-=[Vendor Response]=-

The vendor was contacted January 4th, 2001 and then again four times via phone and email. There is still no indication that the vendor intends to fix this problem.

======================================================================
This release was brought to you by Defcom Labs
[EMAIL PROTECTED]   www.defcom.com
======================================================================
def-2001-07: Watchguard Firebox II PPTP DoS
======================================================================
Defcom Labs Advisory def-2001-07

Watchguard Firebox II PPTP DoS

Author: Andreas Sandor <[EMAIL PROTECTED]>
Release Date: 2001-02-14
======================================================================

-=[Brief Description]=-

By sending malformed PPTP packets to the Watchguard, it is possible to cause the PPTP daemon to terminate. A reboot is required to restore PPTP functionality to the Watchguard.

-=[Affected Systems]=-

Watchguard FireboxII versions:
* Policy manager version 4.50-B1780
* Watchguard product version 4.50-612

Previous firmware versions are likely to be vulnerable as well.

-=[Detailed Description]=-

Connecting to the PPTP port with telnet roughly 12 times and disconnecting causes the PPTP daemon to terminate. When it does so, all connected users will be disconnected and no new connections will be accepted.

If you look at the traffic monitor during the attack, it will look like this:

    pptpd[113]: Watchguard pptpd 2.2.0 started
    pptpd[113]: Using interface pptp0
    kernel: pptp0: daemon attached.
    pptpd[113]: Connect: pptp0 [0] <--> 10.2.0.7
    pptpd[113]: User "test" at 10.45.0.150 logged in
    pptpd[113]: Add Host 7 10.45.0.150 pptp_users test succeeded
    pptpd[113]: Compression enabled
    pptpd[113]: Using PPTP encryption RC4 128-bit.
    pptpd[113]: Not using any PPTP software compression.
    pptpd[113]: Using stateless mode.
    pptpd[113]: Allowing unsafe packet transfer mode for lossy links.
    pptpd[113]: local IP address 10.45.0.9
    pptpd[113]: remote IP address 10.45.0.150
    pptpd[113]: found interface eth1 for proxy arp
    tunneld[95]: process_rfds: received bad packet from 10.2.0.7
    tunneld[95]: process_rfds: received bad packet from 10.2.0.7
    tunneld[95]: process_rfds: received bad packet from 10.2.0.7
    tunneld[95]: process_rfds: received bad packet from 10.2.0.7
    tunneld[95]: process_rfds: received bad packet from 10.2.0.7
    tunneld[95]: process_rfds: received bad packet from 10.2.0.7
    tunneld[95]: process_rfds: received bad packet from 10.2.0.7
    tunneld[95]: process_rfds: received bad packet from 10.2.0.7
    tunneld[95]: process_rfds: received bad packet from 10.2.0.7
    tunneld[95]: process_rfds: received bad packet from 10.2.0.7
    tunneld[95]: process_rfds: exceeded maximum number of consecutive bad packets from 10.2.0.7
    pptpd[113]: Terminating on signal 2.
    pptpd[113]: Connection terminated.
    pptpd[113]: Persist flag not set, so we are exiting.
    kernel: pptp0: pptp_sock_close
    pptpd[113]: Drop Host 7 10.45.0.150 pptp_users test succeeded
    pptpd[113]: User "test" at 10.45.0.150 logged out
    pptpd[113]: Exit.
    tunneld[95]: TERMINATED
    init[1]: Pid 95: exit 0

The only way to get the daemon up again is by rebooting the firewall.

-=[Workaround]=-

Obtaining the patch for this issue requires membership of LiveSecurity:
http://www.watchguard.com/support

Information about LiveSecurity can be obtained from the vendor:
http://www.watchguard.com

-=[Vendor Response]=-

The vendor was contacted January 24th, 2001 and a patch was released on February 9th, 2001.

======================================================================
This release was brought to you by Defcom Labs
[EMAIL PROTECTED]   www.defcom.com
======================================================================
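For whoever watches the traffic monitor, the useful signal in the excerpt above is the run of "received bad packet" lines from a single source, followed by pptpd exiting. The Python below is an added example, not part of the advisory and not Watchguard code: it scans such lines, raises an alert once one source has produced BAD_PACKET_ALERT_THRESHOLD consecutive bad packets (an assumed value of 5, chosen so the alert fires before the firewall reaches its own limit), flags the firewall's "exceeded maximum" message, and flags the pptpd termination and exit lines that mean PPTP is down until the box is rebooted. The sample lines are the ones from the excerpt, with the two connection lines kept as context.

```python
"""Consecutive bad-packet detection for Firebox tunneld/pptpd log lines (added example)."""
import re

# Assumed alerting threshold: fire before the firewall reaches its own limit
# ("exceeded maximum number of consecutive bad packets") and drops the daemon.
BAD_PACKET_ALERT_THRESHOLD = 5

BAD_PACKET_RE = re.compile(
    r"tunneld\[\d+\]: process_rfds: received bad packet from (\S+)")
LIMIT_HIT_RE = re.compile(
    r"tunneld\[\d+\]: process_rfds: exceeded maximum number of consecutive "
    r"bad packets from (\S+)")
PPTPD_DOWN_RE = re.compile(r"pptpd\[\d+\]: (Terminating on signal \d+|Exit)\.")


def analyse_pptp_log(lines, threshold=BAD_PACKET_ALERT_THRESHOLD):
    """Scan traffic-monitor lines and return a list of (kind, detail) alerts.

    kinds: "bad_packet_streak"    - a source reached *threshold* consecutive
                                    bad packets (reported once per streak)
           "bad_packet_limit_hit" - the firewall's own limit was exceeded
           "pptpd_down"           - pptpd reported termination or exit
    Any other tunneld line is treated as a break in every source's streak,
    since good packets are not logged and this is the only signal available.
    """
    streak = {}        # source address -> consecutive bad packets seen
    alerts = []
    for line in lines:
        m = BAD_PACKET_RE.search(line)
        if m:
            src = m.group(1)
            streak[src] = streak.get(src, 0) + 1
            if streak[src] == threshold:
                alerts.append(("bad_packet_streak", src))
            continue
        m = LIMIT_HIT_RE.search(line)
        if m:
            alerts.append(("bad_packet_limit_hit", m.group(1)))
            streak.pop(m.group(1), None)
            continue
        m = PPTPD_DOWN_RE.search(line)
        if m:
            alerts.append(("pptpd_down", m.group(1)))
            continue
        if "tunneld[" in line:       # some other tunneld event: streak broken
            streak.clear()
    return alerts


# Sample lines: taken from the traffic-monitor excerpt in the advisory.
SAMPLE_LOG = (
    ['pptpd[113]: Connect: pptp0 [0] <--> 10.2.0.7',
     'pptpd[113]: User "test" at 10.45.0.150 logged in']
    + ["tunneld[95]: process_rfds: received bad packet from 10.2.0.7"] * 10
    + ["tunneld[95]: process_rfds: exceeded maximum number of consecutive "
       "bad packets from 10.2.0.7",
       "pptpd[113]: Terminating on signal 2.",
       "pptpd[113]: Connection terminated.",
       "pptpd[113]: Persist flag not set, so we are exiting.",
       "pptpd[113]: Exit.",
       "tunneld[95]: TERMINATED",
       "init[1]: Pid 95: exit 0"]
)


def demo():
    """Run the detector over the sample lines."""
    return analyse_pptp_log(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

On the sample the streak alert fires at the fifth bad packet, well before the firewall's own counter gives up, which is the point: an operator who sees the early alert can block the source at the border router before the daemon is lost and a reboot becomes necessary.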
Re: iPlanet FastTrack/Enterprise 4.1 DoS clarifications
> 3) The note about Service Pack levels for iPlanet Enterprise 4.1 in
>    Peter Gruendl's "Netscape Enterprise Server Dot-Dot DoS" was somewhat
>    confusing. The iPlanet URL he refers to correctly states that the
>    latest supported iPlanet Web servers[0] are 4.0sp6 and 4.1sp5. 4.1sp6
>    has not been released or officially announced by iPlanet.

To clarify on the note. I was told, by Netscape, that they could not reproduce the flaw that was found in their webserver, and that I would be better off installing Service Pack 6 for IWS4.1 (aka. Netscape Enterprise Server 4.1). They later admitted that their testing was solely performed on Solaris and that two different people wrote the letter to me. Obviously one of them doesn't know which patch levels their own products are at. Later again, I got another email stating that they couldn't reproduce on Windows NT 4.0, SP6a.

The reason I released it, even if the vendor has not been able to reproduce, is that we CAN reproduce this. It works on whatever Windows NT-based computer we install it on. We have tried Windows NT 4.0, SP6a, Windows 2000 Professional, Windows 2000 Server with or without SP1. They all crash in exactly the same way. The performed installation is a "next-next-finish" of the web server downloaded from the following location:
http://www.iplanet.com/downloads/download/2011.html
(that being the Windows NT version).

To spell it out: Iplanet (Sun + Netscape) has not admitted that their product is flawed in any way, and as such they have not released any fix for the problem. Thus, it is very unlikely that the issue will be fixed in SP6 (when that is released). On the other hand, older versions do not appear to suffer from the same defect, so maybe they will (unknowingly) code their way out of it again?

> [0] All Netscape-branded Web server products, including Netscape Enterprise 3.6,
> have officially passed their end-of-life dates and are no longer supported.

Where on earth did you get that? Try looking at the HTTP Server header for www.netscape.com :) Just because they label the web server Iplanet Web Server on the outside of the shiny box, doesn't mean the guts got any shinier. It's still NES and I can promise you V4.1SP5 is a supported version.

Peter Gründl
Defcom Security
def-2001-06: Easycom/Safecom 10/100 Multiple DoS
======================================================================
Defcom Labs Advisory def-2001-06

Easycom/Safecom 10/100 Multiple DoS

Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-01-23
======================================================================

-=[Brief Description]=-

The Easycom/Safecom print server from I-Data International contains multiple vulnerabilities that allow a malicious user to bring down the print server. Execution of arbitrary code is also possible.

-=[Affected Systems]=-

- Easycom/Safecom, firmware 404.590
- Most likely older firmware revisions as well

-=[Detailed Description]=-

The print server has a web service running on port 80 and on port 631. Both are vulnerable to a long URL request. The long URL results in a buffer overflow on the server. The effect can either be that the unit crashes or execution of arbitrary code on the server.

The PrintGuide service on port 5742 will cease to respond if you send two bursts (80 connects in each burst) of null characters to the port.

The FTP service on TCP port 21 is vulnerable to data flooding. The flooding results in the unit being disconnected from the network.

The web services on port 80 and port 631 are both vulnerable to long HTTP requests. An infinite HTTP request will result in the unit being disconnected from the network. This is done by eg. issuing a normal GET request and filling A's into an HTTP header field, like "host:".

The TCP/IP implementation on the Easycom/Safecom unit is vulnerable to flooding. Sending large bursts of "normal" network packets to the unit at eg. 10 mbit will result in the unit being disconnected from the network.

-=[Workaround]=-

No vendor supplied workaround known. You could put your unit behind a filtering router, and make sure the ports aren't accessible from the network (except from the managing console, of course).

-=[Vendor Response]=-

This issue was brought to the vendor's attention on the 30th of November, 2000. The vendor promises to look into it, but has not yet come up with any indication of when a fix would be available.

======================================================================
This release was brought to you by Defcom Labs
[EMAIL PROTECTED]   www.defcom.com
======================================================================
def-2001-03: GoodTech Systems FTP Connection DoS
======================================================================
Defcom Labs Advisory def-2001-03

GoodTech Systems FTP Connection DoS

Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-01-22
======================================================================

-=[Brief Description]=-

The GoodTech FTP server does not properly free resources. This can result in the FTP server either crashing or displaying its banner and immediately disconnecting the user.

-=[Affected Systems]=-

- GoodTech Systems FTP 3.0.1.2.1.0 (evaluation build)

-=[Detailed Description]=-

Connecting approx. 2060-2080 times (one at a time) to the FTP server, using sockets, can result in the server either crashing or refusing to accept more connections. This appears to depend on the rate at which the connections are received by the FTP server. A fast flood results in a crash, whereas a slow flood results in the ftp banner being displayed and an immediate disconnect.

-=[Workaround]=-

Obtain the latest build from the vendor:
http://www.goodtechsys.com

-=[Vendor Response]=-

This issue was brought to the vendor's attention on the 11th of January, 2001. A workaround was received from the vendor on the 12th of January, 2001.

======================================================================
This release was brought to you by Defcom Labs
[EMAIL PROTECTED]   www.defcom.com
======================================================================
def-2001-05: Netscape Fasttrack Server Caching DoS
== Defcom Labs Advisory def-2001-05 ==
Netscape Fasttrack Server Caching DoS
Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-01-22

=[Brief Description]=
The Fasttrack 4.1 server has problems with its caching module. The problem can result in all the server memory being consumed, causing the server to perform very sluggishly.

=[Affected Systems]=
- Netscape Fasttrack Server 4.1 for Windows NT 4.0

=[Detailed Description]=
The Fasttrack 4.1 server caches requests for non-existing URLs with valid extensions (e.g. .html). The cached resources are not freed again (at least not after half an hour), so a malicious user could cause the web server to perform very sluggishly simply by requesting a lot of non-existing HTML documents on the web server.

=[Workaround]=
None known.

=[Vendor Response]=
This issue was brought to the vendor's attention on the 7th of December, 2000. The vendor replied that the Fasttrack server is not meant for production environments and, as such, the issue will not be fixed.

== This release was brought to you by Defcom Labs [EMAIL PROTECTED] www.defcom.com ==
def-2001-04: Netscape Enterprise Server Dot-DoS
== Defcom Labs Advisory def-2001-04 ==
Netscape Enterprise Server Dot-DoS
Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-01-22

=[Brief Description]=
The Netscape Enterprise Server 4.1, SP5 has a problem dealing with dotdot-URLs. The problem can result in the service crashing.

=[Affected Systems]=
- Netscape Enterprise Server 4.1, SP5 for Windows NT 4.0

=[Detailed Description]=
If a GET request is performed which includes at least 1344 x /../, the web service will crash. This goes for both the normal HTTP service and the admin service. The crash has to be performed twice, since NES will re-establish the service the first time it crashes.

=[Workaround]=
None known. We've only come across this bug on 4.1, SP5, but would not rule out the possibility of it existing in other versions.

=[Vendor Response]=
This issue was brought to the vendor's attention on the 7th of December, 2000. The vendor replied on the 22nd of January, 2001 and has been unable to reproduce the bug:

"I've used their perl script to abuse an iWS4.1sp5 server. The server does not crash, politely returns errors to the client, and logs errors. However, given the announcement on the Iplanet Web site regarding iWS stability I would recommend they upgrade to SP6, URL given below. http://www.iplanet.com/support/iws-alert/index.html"

According to the URL supplied by Netscape, there is no SP6 for IWS4.1, so people are advised to try this out for themselves to determine if they are vulnerable. It was found on Windows NT 4.0, with SP6a.

== This release was brought to you by Defcom Labs [EMAIL PROTECTED] www.defcom.com ==
def-2001-02: IBM Websphere 3.52 Kernel Leak DoS
== Defcom Labs Advisory def-2001-02 ==
IBM Websphere 3.52 Kernel Leak DoS
Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-01-08

=[Brief Description]=
The Afpa cache in the IBM HTTP Server, which Websphere is built on, has problems handling certain types of URL requests. The result of such a URL is a kernel leak, which will eventually end up consuming all available kernel memory and rendering the host useless.

=[Affected Systems]=
- IBM WebSphere 3.52 (IBM HTTP Server 1.3.12) for Windows NT

=[Detailed Description]=
Sending a continuous stream of HTTP requests resulting in "bad request" will cause a kernel leak in Windows NT. There are many ways to trigger the bad request result that triggers the leak, e.g.

GET / HTTP/1.0\r\nuser-agent: 2xnull\r\n\r\n

=[Workaround]=
Comment out the three lines beginning with "Afpa" in the httpd.conf file (located in the conf directory in the web server folder).

=[Vendor Response]=
This issue was brought to the vendor's attention on the 8th of December, 2000. A workaround was received from the vendor on the 5th of January, 2001.

"This issue is caused by a problem in the AfpaCache module of the IBM HTTP Server. The only workaround at this time is to disable the AfpaCache. IBM Development is working on fixing this issue, but it is not yet known when a fix will be available."

== This release was brought to you by Defcom Labs [EMAIL PROTECTED] www.defcom.com ==
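The three HTTP-level issues above (the oversized header field in def-2001-06, the run of /../ sequences in def-2001-04 and the null bytes in the user-agent field in def-2001-02) share a shape that a filtering proxy or IDS in front of such a server can flag before the request reaches it. The following request-inspection check is an added example, not code from the Defcom advisories or from any of the vendors; the thresholds are assumptions chosen for illustration, and the sample requests are constructed.

```python
import re

# Assumed thresholds for illustration; tune to the servers behind the filter.
MAX_HEADER_VALUE = 1024   # def-2001-06 only needs a "long" header value
MAX_DOTDOT = 32           # def-2001-04 needed 1344 x "/../"; flag far earlier
# Lookahead so that "/../../" counts as two occurrences, not one.
DOTDOT_RE = re.compile(rb"/\.\.(?=/)")


def inspect_request(raw: bytes) -> list:
    """Return a list of findings for one raw HTTP request head (empty = clean)."""
    findings = []
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not lines[0]:
        return ["empty request line"]
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        findings.append("malformed request line")
    else:
        count = len(DOTDOT_RE.findall(parts[1]))
        if count > MAX_DOTDOT:
            findings.append(f"{count} '/../' sequences in request target")
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        field = name.decode("ascii", errors="replace").strip().lower()
        if not sep:
            findings.append(f"header line without colon: {line[:20]!r}")
            continue
        value = value.strip()   # strips ASCII whitespace only, not NUL bytes
        if len(value) > MAX_HEADER_VALUE:
            findings.append(f"header {field} value is {len(value)} bytes")
        if any(b < 0x20 and b != 0x09 for b in value):
            findings.append(f"control byte in header {field}")
    return findings


# Constructed sample requests mirroring the advisories' descriptions.
CLEAN = b"GET /index.html HTTP/1.0\r\nHost: printer.example\r\n\r\n"
LONG_HOST = b"GET /index.html HTTP/1.0\r\nHost: " + b"A" * 2000 + b"\r\n\r\n"
DOTDOT = b"GET /" + b"../" * 1344 + b" HTTP/1.0\r\nHost: x\r\n\r\n"
NULL_UA = b"GET / HTTP/1.0\r\nuser-agent: \x00\x00\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("long host", LONG_HOST),
                       ("dotdot", DOTDOT), ("null ua", NULL_UA)]:
        print(label, "->", inspect_request(req) or "ok")
```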
def-2001-01: ImageCast IC3 Control Center DoS
== Defcom Labs Advisory def-2001-01 ==
ImageCast IC3 Control Center DoS
Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-01-08

=[Brief Description]=
ImageCast, a rapid-PC-deployment tool much like Ghost, has problems handling malformed input. These problems can result in a DoS against the ImageCast Control Center.

=[Affected Systems]=
- ImageCast V4.1.0

=[Detailed Description]=
Sending a string of approx. 50Kb to the ICCC service (TCP port 12002) results in the server consuming all available CPU and no longer accepting connections to that port.

Sending multiple packets to port 8081 starting from size 14000 bytes (+carriage return & linefeed) results in a warning box being opened for each connection, and will eventually (after approx. 326 packets) result in the OS killing ICCC.exe within a very short time.

=[Workaround]=
None known. The vendor, Storagesoft Inc., can be contacted through their website at http://www.storagesoft.com/corporate/contact.asp. Please refer to the incident number ([Incident:main 001222-0002]) if you contact Storagesoft regarding this issue.

=[Vendor Response]=
This issue was brought to the vendor's attention on the 21st of December and assigned incident number [Incident:main 001222-0002]. Three emails were exchanged and here is a snippet from the correspondence:

"At 12/29/2000 02:16 PM we wrote - Peter, this is an issue that will be dealt with in a future version of Imagecast. The information you have provided has been forwarded to the product manager. It has been closed so it is no longer in the tech support database since it is an issue that can currently only be fixed through code changes in the program."

Attempts to find out which version this would be, and when it would be released, resulted in this reply:

"At 01/04/2001 03:30 PM we wrote - We currently do not have the data as to which version it will be done with. We will most likely be unable to provide that information until at the very least 1 to 2 weeks before a release. We cannot release a product without testing for specifics. At the very least we are trying to get more time to test before release dates."

== This release was brought to you by Defcom Labs [EMAIL PROTECTED] www.defcom.com ==