I S S   X - F o r c e
                                      
                         The Most Wanted Alert List
                                      
       [1]News | [2]Serious Fun | [3]Mail Lists | [4]Security Library
          [5]Protoworx | [6]Alerts | [7]Submissions | [8]Feedback
                             [9]Advanced Search
                                      
   _ Alert Summaries_


ISS Security Alert Summary
October 22, 1997
Volume 1 Number 5

- - ---
Index

7 Reported New Vulnerabilities                  [10]Back to Alert List
[11] - IBM-xdat
[12] - www-count
[13] - IE-spy
[14] - smurf-dos
[15] - NT-reg
[16] - NEC-nosuid
[17] - imapd-core

Risk Factor Key


- - ---

Date Reported:          10/21/97
Vulnerability:          IBM-xdat
Affected Platforms:     AIX (4.1, 4.2)
Risk Factor:            High

The xdat command starts Set Date and Time, Schedule a Job, or Remove or
View Scheduled Jobs on AIX 4.x platforms.  It does not check the length of
the "TZ" environment variable which can result in a buffer overflow.
Local users can exploit this vulnerability and gain root privileges.

Reference:
[18]http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:004.1
.txt


[19]Top of Page || [20]Back to Alert List

- - ---

Date Reported:          10/16/97
Vulnerability:          www-count
Affected Platforms:     All platforms running count.cgi 2.3
Risk Factor:            High

Count.cgi is a popular web cgi program that displays the number of raw
hits on web pages as an in-line image.  People use it to keep track of how
many hits their web pages have received, etc.  It contains a buffer
overflow that can allow remote http users to execute commands on the
system running count.cgi.  The author has released a patch and the problem
has been corrected in the upcoming release of count.cgi 2.4.

Patch:
[21]http://www.fccc.edu/users/muquit/Count.html


Reference:
[22]http://www.iss.net/xforce/advisories/wwwcount.asc


[23]Top of Page || [24]Back to Alert List

- - ---

Date Reported:          10/16/97
Vulnerability:          IE-spy
Affected Platforms:     Windows NT, 95
Risk Factor:            High

A security flaw exists that allows unauthorized users to "spy" on the
contents of files on the system running Microsoft Internet Explorer 4.0.
Malicious web pages can contain an IFRAME, which can copy HTML or text
files from the system to any other system for later viewing.  A patch is
available to correct the vulnerable Internet Explorer version.

Patch:
[25]http://www.microsoft.com/ie/security/?/ie/security/freiburg.htm


Reference:
[26]http://www.jabadoo.de/press/ie4_old.html
[27]http://www.iss.net/xforce/advisories/ie4-spy.asc (English Translation)

[28]Top of Page || [29]Back to Alert List

- - ---

Date Reported:          10/13/97
Vulnerability:          smurf-dos
Affected Platforms:     Any platform on the Internet
Risk Factor:            Medium

The smurf denial of service attack is being widely used because of the
exploit program being available on the Internet.  The attack consists of
sending out hundreds of ICMP echo packets to broadcast addresses, from a
spoofed source (the victim).  All of these hosts then reply to the victim
with ICMP echo replies.

Reference:
[30]http://www.quadrunner.com/~chuegen/smurf.txt

[31]Top of Page || [32]Back to Alert List

- - ---

Date Reported:          10/10/97
Vulnerability:          NT-reg
Affected Platforms:     Windows NT (workstation and server
                                    3.5, 3.5.1, 4.0)
Risk Factor:            High

A security vulnerability has been found on Windows NT that allows
malicious users to install a trojan horse in the registry.  The
permissions give access to "Everyone", thus users can create a program and
have the system execute it on start-up.  This can result in users
obtaining unauthorized administrator rights on the system or performing
other unauthorized tasks.

References:
[33]http://support.microsoft.com/support/kb/articles/q126/7/13.asp
[34]http://www.infoworld.com/cgi-bin/displayStory.pl?971014.wntsecurity.htm

[35]Top of Page || [36]Back to Alert List

- - ---

Date Reported:          10/10/97
Vulnerability:          NEC-nosuid
Affected Platforms:     EWS-UX/V Rel4.2 (R7.x, R8.x, R9.x, R10.x)
                        EWS-UX/V Rel4.2MP (R10.x)
                        UP-UX/V Rel4.2MP (R5.x, R6.x, R7.x)
                        UX/4800 (R11.x, R12.1)
Risk Factor:            High

NEC Corporation has found and released patches for a vulnerability that
exists in the "nosuid" mount(1) option.  On file systems that are mounted
with "nosuid", it still allows setuid and setgid program execution.  This
vulnerability can allow local users to execute commands as other users or
even obtain root privileges.

Patches:
[37]ftp://ftp.meshnet.or.jp/pub/48pub/security

Reference:
[38]http://ciac.llnl.gov/ciac/bulletins/i-004.shtml

[39]Top of Page || [40]Back to Alert List

- - ---

Date Reported:          10/8/97
Vulnerability:          imapd-core
Affected Platforms:     Any running imap 4.1b
Risk Factor:            High

A vulnerability in the University of Washington's imap daemon allows
remote users to obtain a copy of the password file.  A publicly
available exploit causes the imapd server to leave a core file containing
the password file and shadowed password file.

Reference:
[41]http://www.l0pht.com/advisories/imapd.txt

[42]Top of Page || [43]Back to Alert List

---
Risk Factor Key:

        High    any vulnerability that provides an attacker with immediate
                access into a machine, gains superuser access, or bypasses
                a firewall.  Example:  A vulnerable Sendmail 8.6.5 version
                that allows an intruder to execute commands on mail
                server.
        Medium  any vulnerability that provides information that has a
                high potential of giving access to an intruder.  Example:
                A misconfigured TFTP or vulnerable NIS server that allows
                an intruder to get the password file that possibly can
                contain an account with a guessable password.
        Low     any vulnerability that provides information that
                potentially could lead to a compromise.  Example:  A
                finger that allows an intruder to find out who is online
                and potential accounts to attempt to crack passwords
                via bruteforce.

Developed and maintained by renown security experts, the X-Force Computer
Vulnerability and Threat Database is the world's most comprehensive
on-line source for information on network security risks. It details
hundreds of network security vulnerabilities and threats, including
information on the relative severity of each risk, and recommended
corrective actions to tighten security holes.  Visit it at
[44]http://www.iss.net/xforce

Internet Security Systems, Inc., (ISS) is the pioneer and world's leading
supplier of network security assessment and monitoring tools,  providing
comprehensive software that enables organizations to proactively manage
and minimize their network security risks.  For more information, contact
the company at (800) 776-2362 or (770) 395-0150 or visit the ISS Web site
at [45]http://www.iss.net

[46]Top of Page || [47]Back to Alert List

--------
Copyright (c) 1997 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary
electronically.  It is not to be edited in any way without express consent
of X-Force.  If you wish to reprint the whole or any part of this
Alert Summary in any other medium excluding electronic medium, please
e-mail [48]xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this information is
at the user's own risk.

Please send suggestions, updates, and comments to:
X Force [49]xforce@iss.net of Internet Security Systems, Inc.

[50]Top of Page || [51]Back to Alert List

     [52]News | [53]Serious Fun | [54]Mail Lists | [55]Security Library
        [56]Protoworx | [57]Alerts | [58]Submissions | [59]Feedback
                            [60]Advanced Search
                                      
                        [61]About the Knowledge Base
                                      
            Copyright ©1994-1998 Internet Security Systems, Inc.
          All Rights Reserved. Sales Inquiries: [62]sales@iss.net
         6600 Peachtree-Dunwoody Rd · Bldg 300 · Atlanta, GA 30328
                 Phone (678) 443-6000 · Fax (678) 443-6477
                                      
                      Read our [63]privacy guidelines.

References

   1. http://xforce.iss.net/news.php3
   2. http://xforce.iss.net/seriousfun/
   3. http://xforce.iss.net/maillists/
   4. http://xforce.iss.net/library/
   5. http://xforce.iss.net/protoworx/
   6. http://xforce.iss.net/alerts/
   7. http://xforce.iss.net/submission.php3
   8. http://xforce.iss.net/feedback.php3
   9. http://xforce.iss.net/search.php3
  10. http://xforce.iss.net/alerts/alerts.php3
  11. http://xforce.iss.net/alerts/vol-1_num-5.php3#ibm
  12. http://xforce.iss.net/alerts/vol-1_num-5.php3#count
  13. http://xforce.iss.net/alerts/vol-1_num-5.php3#spy
  14. http://xforce.iss.net/alerts/vol-1_num-5.php3#smurf
  15. http://xforce.iss.net/alerts/vol-1_num-5.php3#reg
  16. http://xforce.iss.net/alerts/vol-1_num-5.php3#nec
  17. http://xforce.iss.net/alerts/vol-1_num-5.php3#imapd
  18. http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:004.1.txt
  19. http://xforce.iss.net/alerts/vol-1_num-5.php3#list
  20. http://xforce.iss.net/alerts/alerts.php3
  21. http://www.fccc.edu/users/muquit/Count.html
  22. http://www.iss.net/xforce/advisories/wwwcount.asc
  23. http://xforce.iss.net/alerts/vol-1_num-5.php3#list
  24. http://xforce.iss.net/alerts/alerts.php3
  25. http://www.microsoft.com/ie/security/?/ie/security/freiburg.htm
  26. http://www.jabadoo.de/press/ie4_old.html
  27. http://www.iss.net/xforce/advisories/ie4-spy.asc
  28. http://xforce.iss.net/alerts/vol-1_num-5.php3#list
  29. http://xforce.iss.net/alerts/alerts.php3
  30. http://www.quadrunner.com/~chuegen/smurf.txt
  31. http://xforce.iss.net/alerts/vol-1_num-5.php3#list
  32. http://xforce.iss.net/alerts/alerts.php3
  33. http://support.microsoft.com/support/kb/articles/q126/7/13.asp
  34. http://www.infoworld.com/cgi-bin/displayStory.pl?971014.wntsecurity.htm
  35. http://xforce.iss.net/alerts/vol-1_num-5.php3#list
  36. http://xforce.iss.net/alerts/alerts.php3
  37. ftp://ftp.meshnet.or.jp/pub/48pub/security
  38. http://ciac.llnl.gov/ciac/bulletins/i-004.shtml
  39. http://xforce.iss.net/alerts/vol-1_num-5.php3#list
  40. http://xforce.iss.net/alerts/alerts.php3
  41. http://www.l0pht.com/advisories/imapd.txt
  42. http://xforce.iss.net/alerts/vol-1_num-5.php3#list
  43. http://xforce.iss.net/alerts/alerts.php3
  44. http://www.iss.net/xforce
  45. http://www.iss.net/
  46. http://xforce.iss.net/alerts/vol-1_num-5.php3#list
  47. http://xforce.iss.net/alerts/alerts.php3
  48. mailto:xforce@iss.net
  49. mailto:xforce@iss.net
  50. http://xforce.iss.net/alerts/vol-1_num-5.php3#list
  51. http://xforce.iss.net/alerts/alerts.php3
  52. http://xforce.iss.net/news.php3
  53. http://xforce.iss.net/seriousfun/
  54. http://xforce.iss.net/maillists/
  55. http://xforce.iss.net/library/
  56. http://xforce.iss.net/protoworx/
  57. http://xforce.iss.net/alerts/
  58. http://xforce.iss.net/submission.php3
  59. http://xforce.iss.net/feedback.php3
  60. http://xforce.iss.net/search.php3
  61. http://xforce.iss.net/about.php3
  62. http://xforce.iss.net/cgi-bin/getSGIInfo.pl
  63. http://xforce.iss.net/privacy.php3