Predictable Name Pipes Could Enable Privilege Elevation via Telnet

Security 10941 Published by Philipp Esselbach 0

Issue:
======
This bulletin discusses a total of seven vulnerabilities affecting the Windows 2000 Telnet service. The vulnerabilities fall into three broad categories: privilege elevation, denial of service and information disclosure.

Two of the vulnerabilities could allow privilege elevation, and have their roots in flaws related to the way Telnet sessions are created. When a new Telnet session is established, the service creates a named pipe, and runs any code associated with it as part of the initialization process. However, the pipe´s name is predictable, and if Telnet finds an existing pipe with that name, it simply uses it. An attacker who had the ability to load and run code on the server could create the pipe and associate a program with it, and the Telnet service would run the code in Local System context when it stablished the next Telnet session.

Four of the vulnerabilities could allow denial of service attacks. None of these vulnerabilities have anything in common with each other.

- One occurs because it is possible to prevent Telnet from terminating idle sessions; by creating a sufficient number of such sessions, an attacker could deny sessions to any other user.

- One occurs because of a handle leak when a Telnet session is terminated in a certain way. By repeatedly starting sessions and then terminating them, an attacker could deplete the supply of handles on the server to point where it could no longer perform useful work.

- One occurs because a logon command containing a particular malformation causes an access violation in the Telnet service.

- One occurs because a system call can be made using only normal user privileges, which has the effect of terminating a Telnet session.

The final vulnerability is an information disclosure vulnerability that could make it easier for an attacker to find Guest accounts exposed via the Telnet server. It has exactly the same cause, scope and effect as a vulnerability affecting FTP and discussed in Microsoft Security Bulletin MS01-026.

Download

Incorrect Attachment Handling in Exchange 2000 OWA Can Execute Script

Security 10941 Published by Philipp Esselbach 0

Issue:
======
OWA is a service of Exchange 2000 Server that allows users to use a web browser to access their Exchange mailbox. However, a flaw exists in the interaction between OWA and IE for message attachments. If an attachment contains HTML code including script, the script will be executed when the attachment is opened, regardless of the attachment type. Because OWA requires that scripting be enabled in the zone where the OWA server is located, this script could take action against the user´s Exchange mailbox.

An attacker could use this flaw to construct an attachment containing malicious script code. The attacker could then send the attachment in a message to the user. If the user opened the attachment in OWA, the script would execute and could take action against the user´s mailbox as if it were the user, including, under certain circumstances, manipulation of messages or folders.

Download

HyperTerminal Buffer Overflow Vulnerability

Security 10941 Published by Philipp Esselbach 0

The HyperTerminal application is a communications utility that installs by default on all versions of Windows 98, 98SE, Windows ME, Windows NT 4.0, and Windows 2000. The product contains two unchecked buffers through which an attacker could potentially cause code of her choice to run on another user´s machine:

- One resides in a section of the code that processes Telnet URLs. If a user opened an HTML mail that contained a particular type of malformed Telnet URL, and HyperTerminal were configured as the default Telnet client, it would trigger the buffer overrun. HyperTerminal is the default Telnet client on Windows 98, 98SE and ME. It is not the default Telnet client on Windows 2000.

- The other resides in a section of the code that processes session files - files that enable HyperTerminal users to specify session parameters such as the connection method and the destination host. If a user opened a session file that contained a particular type of malformed information, it would trigger the buffer overrun.

Download

Windows Media Player .ASX Processor Contains Unchecked Buffer

Security 10941 Published by Philipp Esselbach 0

This bulletin discusses two security vulnerabilities that are related
to each other only by the fact that they affect Windows Media Player.
We packaged them in a single patch for customers using Windows Media
Player 6.4 to make it more convenient for customers to apply. For
customers using Windows Media Player 7, both security vulnerabilities
are addressed by upgrading to Windows Media Player 7.1.

Read more

RTF document linked to template can run macros without warning

Security 10941 Published by Philipp Esselbach 0

Word, like other members of the Office product family, provides a security mechanism that requires user´s approval to run macros. By design, anytime a document is opened the user would be notified if
the document contains macros. In addition, this mechanism checks
secondary documents that the original document links to, such as templates, and warn if any of those contain macros. This feature works by scanning the document or template for the presence of macros, alerting the user of their presence, and then asking the user if he wants to allow the macros to run.

By embedding a macro in a template, and providing another user with
an RTF document that links to it, an attacker could cause a macro to run automatically when the RTF document was opened. The macro would be
able to take any action that the user herself could take. This could
include disabling the user´s Word security settings so that subsequently-opened Word documents would no longer be checked for macros.

Read more

Politically motivated virus hits Europe

Security 10941 Published by Philipp Esselbach 0

Users are being warned about a new fast spreading virus that seems to be politically motivated. The Mawanella virus arrives in an email with the subject line ´Mawanella´. It carries an attachment ´mawanella.vbs´ and in the body has an ASCII art picture of a burning house.

Read more

Flaws in Web Server Certificate Validation Could Enable Spoofing

Security 10941 Published by Philipp Esselbach 0

A patch is available to eliminate two newly discovered vulnerabilities affecting Internet Explorer, both of which could enable an attacker to spoof trusted web sites. The first vulnerability involves how digital certificates from web servers are validated. When CRL checking for such certificates is enabled, it could be possible for any or all of the following checks to no longer be performed:
- Verification that the certificate has not expired
- Verification that the server name matches the name on the certificate
- Verification that the issuer of the certificate is trusted

Read more

Fake virus warning carries worm

Security 10941 Published by Philipp Esselbach 0

Symantec has confirmed the existence of the worm, known as VBS.Hard.A@mm, VBS/Hard-A, or VBS/Hard@mm, and created software to detect it. So far, the virus has a low geographical distribution and has infected a small number of sites, according to a Symantec report published earlier this week.

The worm distributes itself--like several in the past, including Love Letter Homepage--as an attachment to an e-mail message. The message is called "FW: Symantec Anti-Virus Warning," and claims to contain a description of a non-existent worm in an attached file.

Read more

Previous Page

Next Page

Windows

Linux

macOS

Community

  • Lexonight
    Hey everyone,Wanted to share a project I've been b ...
  • SeveG
    need some help here... situationPC= Packard BellOS= win1 ...
  • dhamu
    Hello Phil, I have a Linux Tutorial website that curre ...