
iss.summary.5.2

Posted Mar 2, 2000
Site xforce.iss.net

ISS Security Alert Summary 5.2 - Summary of vulnerabilities discovered in February, 2000. Contains information on vulnerabilities in trin00-dos, netgear-multiple-dos, sambar-batfiles, win-media-dos, win-active-setup, siteserver-sitebuilder, netbsd-ptrace, netbsd-procfs, ie-image-source-redirect, sco-openserver-arc-symlink, iis-frontpage-info, and outlook-active-script-read.

tags | vulnerability
systems | netbsd
SHA-256 | 89cecfdb05cb343985151b82b3473e9791dfd89baa14bde9b015b5bf1524206d


ISS Security Alert Summary
March 1, 2000
Volume 5 Number 2

X-Force Vulnerability and Threat Database: https://xforce.iss.net/

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message
type: 'subscribe alert'.

_____

Contents

12 Reported Vulnerabilities

- trin00-dos
- netgear-multiple-dos
- sambar-batfiles
- win-media-dos
- win-active-setup
- siteserver-sitebuilder
- netbsd-ptrace
- netbsd-procfs
- ie-image-source-redirect
- sco-openserver-arc-symlink
- iis-frontpage-info
- outlook-active-script-read

Risk Factor Key

_____

Date Reported: 2/14/00
Attack: trin00-dos
Platforms Affected: Any
Risk Factor: High
Attack Type: Network Based

Trin00 is a Distributed Denial of Service system that allows a master
computer to launch a denial of service attack by enlisting the help of
several client computers that contain the Trin00 client. The Trin00 client
can be used by a Trin00 master to launch a DDoS attack.

References:
ISS Security Alert: "Denial of Service Attack using the TFN2K and
Stacheldraht programs" at: https://xforce.iss.net/alerts/advise43.php3

ISS Security Alert Update: "trin00 for Windows Distributed Denial of
Service Attack Tool" at: https://xforce.iss.net/alerts/advise44.php3

_____

Date Reported: 2/25/00
Vulnerability: netgear-multiple-dos
Platforms Affected: Netgear ISDN Router RH348 and RT328
Risk Factor: Medium
Attack Type: Network Based

Netgear ISDN Routers (RH348 and RT328) are vulnerable to multiple denial
of service attacks. If a remote attacker runs a SYN scan against the
router, it will deny connections to port 23 for about 5 minutes per
packet, effectively shutting it down. If a remote attacker telnets to the
router and remains idle, it will not allow any other management session.
Finally, if a remote attacker sends a large number of ICMP redirect
packets, it will stop routing packets for as long as the attack continues.

Reference:
BUGTRAQ Mailing List: "DoSing the Netgear ISDN RT34x router" at:
https://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-22&msg=Pine.LNX.4.20.0002251214450.23763-100000@voodoomindcontrol.jcius.com

_____

Date Reported: 2/23/00
Vulnerability: sambar-batfiles
Platforms Affected: Sambar Server for Windows 9x and NT
Risk Factor: High
Attack Type: Network Based

Sambar Server is a multi-threaded HTTP server for Windows 9x and NT
environments. Some beta versions of Sambar Server shipped with two files,
HELLO.BAT and ECHO.BAT, in the CGI directory. These two files, and .BAT
files like them, could allow remote attackers to execute arbitrary
commands on the server.

Reference:
BugTraq Mailing List: "Sambar Server alert!" at:
https://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-22&msg=38B3E60A.6A84FEC3@cybcom.net

_____

Date Reported: 2/23/00
Vulnerability: win-media-dos
Platforms Affected: Microsoft Windows Media Services (4.0, 4.1)
Risk Factor: Medium
Attack Type: Network Based

Microsoft Windows Media Services is vulnerable to a denial of service
attack against the media server. If a remote user sends client-side
handshake packets to the server out of order, the server will try to use
resources before they have been initialized, causing the Windows Unicast
Service to crash.

Reference:
Microsoft Security Bulletin (MS00-013): "Patch Available for 'Misordered
Windows Media Services Handshake' Vulnerability" at:
https://www.microsoft.com/technet/security/bulletin/ms00-013.asp

_____

Date Reported: 2/19/00
Vulnerability: win-active-setup
Platforms Affected: Microsoft Internet Explorer
                    Microsoft Outlook
Risk Factor: High
Attack Type: Network/Host Based

Microsoft-signed ActiveX setup files are normally installed without
notification to the user. An attacker could have the operating system
install a Microsoft component with known vulnerabilities and then exploit
them accordingly. This could be exploited remotely if it is executed via a
web page or an HTML email message.

Reference:
BUGTRAQ Mailing List: "Microsoft signed software can be install software
without prompting users" at:
https://www.securityfocus.com/templates/archive.pike?list=1&msg=20000221103938.T21312@securityfocus.com

_____

Date Reported: 2/18/00
Vulnerability: siteserver-sitebuilder
Platforms Affected: Microsoft SiteServer 3.0
Risk Factor: High
Attack Type: Network Based

Microsoft SiteServer 3.0 (Commerce Edition) ships with a Site Builder
wizard used to build custom sites. A security vulnerability exists in the
"product.ast" file it creates that could allow a remote attacker to
execute arbitrary SQL commands. This hole also affects the "product.asp"
file, which is part of the Volcano Coffee sample site.

Reference:
Microsoft Security Bulletin (MS00-010): "Patch Available for 'Site Wizard
Input Validation' Vulnerability" at:
https://www.microsoft.com/technet/security/bulletin/ms00-010.asp

_____

Date Reported: 2/16/00
Vulnerability: netbsd-ptrace
Platforms Affected: NetBSD/vax 1.4.1
Risk Factor: Medium
Attack Type: Host Based

A vulnerability in NetBSD's ptrace command could allow a local user to
construct a wrapper program that can modify the hardware privileges of the
ptrace program.

Reference:
BUGTRAQ Mailing List: "NetBSD Security Advisory 1999-012" at:
https://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=14505.23579.967265.266049@passion.geek.com.au

_____

Date Reported: 2/16/00
Vulnerability: netbsd-procfs
Platforms Affected: NetBSD 1.4.1
Risk Factor: High
Attack Type: Host Based

NetBSD's proc filesystem contains a vulnerability by which a local user
can trick a setuid binary into writing to /proc/<pid>. This would cause
the memory image of another setuid binary to execute a shell.

Reference:
BUGTRAQ Mailing List: "NetBSD Security Advisory 2000-001" at:
https://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=14505.23693.773699.404104@passion.geek.com.au

_____

Date Reported: 2/16/00
Vulnerability: ie-image-source-redirect
Platforms Affected: Microsoft Internet Explorer (4.0, 4.01, 5.0, 5.01)
Risk Factor: Medium
Attack Type: Network Based

Microsoft Internet Explorer has a problem that allows a malicious web site
operator to read files on an affected system that is browsing the
operator's web site.

Reference:
Microsoft Security Bulletin (MS00-009) "Patch Available for 'Image Source
Redirect' Vulnerability" at:
https://www.microsoft.com/technet/security/bulletin/ms00-009.asp

_____

Date Reported: 2/15/00
Vulnerability: sco-openserver-arc-symlink
Platforms Affected: SCO OpenServer 5.0.5
Risk Factor: High
Attack Type: Host Based

SCO OpenServer version 5.0.5 ARCserve agent /tmp files could allow a
symlink attack. The ARCserve agent startup script creates several files
in the /tmp directory with world-writable permissions (mode 777). An
attacker could replace these files with symlinks and create files anywhere
on the filesystem with root privileges.

Reference:
SCO Security Bulletin: "SSE063 - ARCserve startup script symlink
vulnerability in SCO OpenServer 5" at: https://www.sco.com/security
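
Added example, not part of the ISS summary or the SCO bulletin: a shell sketch of the weak /tmp creation pattern described in this entry next to a hardened form, plus a check a reviewer could run over a startup script's temporary files. The file name agent.tmp and all function names are hypothetical.

```shell
#!/bin/sh
# Added illustration. File names and layout are hypothetical; the summary
# above does not list the agent's actual /tmp file names.

# Report how a privileged script should treat an existing path:
#   symlink        - a root write to this name would land wherever it points
#   world-writable - any local user can alter or swap the content
#   ok             - neither condition holds
classify_tmp_entry() {
    if [ -L "$1" ]; then
        echo "symlink"
    elif [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]; then
        echo "world-writable"
    else
        echo "ok"
    fi
}

# Weak pattern from the advisory: predictable name in a shared directory,
# opened without an exclusivity check, then opened up to mode 777.
weak_create() {
    : > "$1/agent.tmp"
    chmod 777 "$1/agent.tmp"
    echo "$1/agent.tmp"
}

# Hardened pattern: mktemp picks an unpredictable name and creates it with
# O_EXCL and mode 0600, so a pre-planted link is never followed.
hardened_create() {
    ( umask 077 && mktemp "$1/agent.XXXXXX" )
}

# Demo in a private sandbox directory (stands in for /tmp).
demo() {
    sandbox=$(mktemp -d) || return 1
    weak=$(weak_create "$sandbox")
    safe=$(hardened_create "$sandbox")
    ln -s "$sandbox/elsewhere" "$sandbox/planted"
    echo "weak:     $(classify_tmp_entry "$weak")"
    echo "hardened: $(classify_tmp_entry "$safe")"
    echo "planted:  $(classify_tmp_entry "$sandbox/planted")"
    rm -rf "$sandbox"
}
demo
```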

_____

Date Reported: 2/3/00
Vulnerability: iis-frontpage-info
Platforms Affected: IIS running Frontpage
Risk Factor: Medium
Attack Type: Network Based

Microsoft Windows NT 4 running Internet Information Server with Frontpage
contains a vulnerability that would allow a remote attacker to learn the
name of the anonymous Internet account and learn physical paths on the
affected system.

Reference:
BUGTRAQ Mailing List: "Alert: IIS 4 / IS 2 IDQ Cerberus Information
Security Advisory (CISADV000202)" at:
https://www.securityfocus.com/templates/archive.pike?list=1&date=2000-01-29&msg=038201bf6dd8$249e2250$5802020a@cerberusinfosec.co.uk

_____

Date Reported: 2/1/00
Vulnerability: outlook-active-script-read
Platforms Affected: Microsoft Outlook Express 5.01
                    Internet Explorer 5.01
Risk Factor: Medium
Attack Type: Host/Network Based

Microsoft Outlook Express 5.01 and Internet Explorer 5.01 under Windows 95
(and possibly other versions) contain a vulnerability when active
scripting is enabled. A malicious email message could run active
scripting that would read any new messages that arrive after the malicious
email has been read.

Reference:
BUGTRAQ Mailing List: "Outlook Express 5 vulnerability - Active Scripting
may read email messages" at:
https://www.securityfocus.com/templates/archive.pike?list=1&msg=896E440.553BD289@nat.bg

_____

Risk Factor Key:

     High     Any vulnerability that provides an attacker with immediate
              access into a machine, gains superuser access, or bypasses
              a firewall. Example: A vulnerable Sendmail 8.6.5 version
              that allows an intruder to execute commands on mail
              server.
     Medium   Any vulnerability that provides information that has a
              high potential of giving system access to an intruder.
              Example: A misconfigured TFTP or vulnerable NIS server
              that allows an intruder to get the password file that
              could contain an account with a guessable password.
     Low      Any vulnerability that provides information that
              potentially could lead to a compromise. Example: A
              finger that allows an intruder to find out who is online
              and potential accounts to attempt to crack passwords
              via brute force methods.

Copyright (c) 1999 by Internet Security Systems, Inc. Permission is
hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert Summary in any other medium excluding electronic medium,
please e-mail xforce@iss.net for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: https://xforce.iss.net/sensitive.php3 as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.

