Security 10941 Published by Philipp Esselbach 0

The patches provided in the bulletin address two security vulnerabilities that are unrelated to each other except in the sense that both affect Index Server 2.0. The first vulnerability is a buffer overrun vulnerability. Index Server 2.0 has an unchecked buffer in a function that processes search requests. If an overly long value were provided for a particular search parameter, it would overrun the buffer. If the buffer were overrun with random data, it would cause Index Server to fail. If it were overrun with carefully selected data, code of the attacker's choice could be made to run on the server, in the Local System security context.

The second vulnerability affects both Index Server 2.0 and Indexing Service in Windows 2000, and is a new variant of the "Malformed Hit-Highlighting" vulnerability discussed in Microsoft Security Bulletin MS00-006 (http://www.microsoft.com/technet/security/bulletin/MS00-006.asp). The new variant has almost the same scope as the original vulnerability, but potentially exposes a new file type: if an attacker provided an invalid search request, she could read "include" files residing on the web server. The new patch eliminates all known variants of the vulnerability.

When SQL Server 7.0 Service Packs 1, 2, or 3 are installed on a machine that is configured to perform authentication using Mixed Mode, the password for the SQL Server standard security System Administrator (sa) account is recorded in plaintext in the files %TEMP%\sqlsp.log and %WINNT%\setup.iss. The default permissions on the files would allow any user who could log onto the server interactively to read them.

The password is only recorded if Mixed Mode is used, and even then, only if the administrator chose to use SQL Server Authentication when installing the service pack. Microsoft has long recommended that SQL servers be configured to use the more secure Windows NT Authentication Mode, and customers who have followed this recommendation would not be affected. Even on affected machines, the password could not be compromised if, per normal security recommendations, normal users are prevented from logging onto the machine interactively.

A core service running on all Windows 2000 domain controllers (but not on any other machines) contains a memory leak, which can be triggered when it attempts to process a certain type of invalid service request. By repeatedly sending such a request, an attacker could deplete the available memory on the server. If memory were sufficiently depleted, the domain controller could become unresponsive, which would prevent it from processing logon requests or issuing new Kerberos tickets. An affected machine could be put back into service by rebooting.

A patch is available to fix this vulnerability. Please read the Security Bulletin http://www.microsoft.com/technet/security/bulletin/ms01-024.asp for information on obtaining this patch.

Thanks to clutch for forwarding me the following newsletter from IIS Answers:

------------------------------------------------
Urgent Action required for IIS 5 Administrators
------------------------------------------------

I do not normally send out security bulletins so pardon the interruption. However, a new and serious IIS 5 vulnerability has been announced by Microsoft that requires your attention.

First of all, let me say, that this problem is just another in a continuing series of attacks on anything and everything that IIS can do.

If you will do the following, you will eliminate the need for emergency response to this and other issues as they continue to be exploited.

Rule: Disable all application mapping that you aren't using!

This new exploit involves a buffer overflow for the .printer isapi extension. Most of you probably weren't even aware that IIS 5 can print to a printer over HTTP so you can send a document to a printer using IIS 5. IIS 5, by default, recognizes .printer as an extension just like .asp or .htm. Not exactly a mind blowing capability, but certainly an exploitable one.

Here's what I do on a lot of servers to keep me from worrying about this and other as of yet undiscovered problems of this nature.

Go to your Master website properties.
Click Home Directory
Click Configuration - the application mappings will be displayed.
You will see here the subject of many a security problem, .htr files, .idc, and now .printer.
Ideally, remove all mapping except for those you use.
Since I don't know what my clients will want in the future, I preserve the entry, but disable the functionality by adding to all extensions an "x_1" (or something equally odd) except for .asp. So ".idq" becomes ".idqx_1", ".printer" becomes ".printerx_1". This will invalidate script kiddie tool efforts to exploit these extensions. Now you could exploit the problem if you could somehow figure out the correct extensions, but no one is going to try that hard most likely and script kiddies won't have a clue how to proceed. This is not a "solution" but will buy you time when exploits are discovered. The solution is to remove the mapping and the associated dll if possible.

This vulnerability will be included in automated hacking tools immediately, so get on this. There is a hotfix as well should you prefer to keep this ability.

---------------------------------
Brett Hill - IISAnswers.com
brett@iisanswers.com (303) 543-7502
MCSE MCT A+ Net+ CIW-TT
Specializing in IIS training

Windows 2000 introduced native support for the Internet Printing Protocol (IPP), an industry-standard protocol for submitting and controlling print jobs over HTTP. The protocol is implemented in Windows 2000 via an ISAPI extension that is installed by default on all Windows 2000 servers but which can only be accessed via IIS 5.0.

A security vulnerability results because the ISAPI extension contains an unchecked buffer in a section of code that handles input parameters. This could enable a remote attacker to conduct a buffer overrun attack and cause code of her choice to run on the server. Such code would run in the Local System security context. This would give the attacker complete control of the server, and would enable her to take virtually any action she chose.

The attacker could exploit the vulnerability against any server with which she could conduct a web session. No other services would need to be available, and only port 80 (HTTP) or 443 (HTTPS) would need to be open. Clearly, this is a very serious vulnerability, and Microsoft strongly recommends that all IIS 5.0 administrators install the patch immediately. Alternatively, customers who cannot install the patch can protect their systems by removing the mapping for the Internet Printing ISAPI extension.
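The newsletter's procedure above and the workaround in this IPP bulletin come down to the same thing: audit the IIS script-map list and either rename or drop every extension that is not in use. The following is an added example written for this digest, not code from IIS Answers or Microsoft. It models metabase ScriptMaps entries as constructed "ext,dll,flags,verbs" strings (on a real server the list lives in the metabase and is read with adsutil.vbs or ADSI, which this example does not touch), flags the mappings the newsletter names, applies both of its options, and then checks which DLL a request for a .printer URL would reach before and after hardening. The DLL paths are modelled on Windows 2000 defaults but are sample data here.

```python
import posixpath

# Extensions the newsletter singles out as recurring sources of trouble.
RISKY_EXTENSIONS = {".htr", ".idc", ".idq", ".printer"}
# The "odd" suffix the newsletter appends to neutralise a mapping it wants to keep on file.
DISABLE_SUFFIX = "x_1"
# The only mapping the newsletter keeps live.
ALLOWED = {".asp"}

# Constructed sample in the metabase ScriptMaps layout ("ext,dll,flags,verbs"),
# modelled on Windows 2000 defaults; not read from a real server.
SAMPLE_SCRIPTMAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST",
    r".idc,C:\WINNT\System32\inetsrv\httpodbc.dll,1,GET,POST",
    r".idq,C:\WINNT\System32\idq.dll,1",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
]


def parse_scriptmap(entry):
    """Split one ScriptMaps string into its fields; the verb list may be absent."""
    ext, dll, flags, *rest = entry.split(",", 3)
    return {"ext": ext, "dll": dll, "flags": int(flags), "verbs": rest[0] if rest else ""}


def format_scriptmap(m):
    """Inverse of parse_scriptmap."""
    parts = [m["ext"], m["dll"], str(m["flags"])]
    if m["verbs"]:
        parts.append(m["verbs"])
    return ",".join(parts)


def audit(entries, allowed=ALLOWED):
    """Report every mapping not on the allow-list; known problem extensions are called out."""
    findings = []
    for entry in entries:
        ext = parse_scriptmap(entry)["ext"].lower()
        if ext in allowed:
            continue
        reason = "known problem extension" if ext in RISKY_EXTENSIONS else "unused mapping"
        findings.append((ext, reason))
    return findings


def harden(entries, allowed=ALLOWED, mode="disable"):
    """Apply the newsletter's two options: 'disable' renames the extension so a
    request no longer reaches the DLL but the entry survives; 'remove' drops it."""
    hardened = []
    for entry in entries:
        m = parse_scriptmap(entry)
        if m["ext"].lower() in allowed:
            hardened.append(entry)
        elif mode == "disable":
            m["ext"] += DISABLE_SUFFIX
            hardened.append(format_scriptmap(m))
        elif mode != "remove":
            raise ValueError(f"unknown mode {mode!r}")
    return hardened


def lookup(url_path, entries):
    """Which DLL would serve a request for url_path? IIS matches extensions
    case-insensitively. Returns None when no mapping matches (static file handling)."""
    ext = posixpath.splitext(url_path)[1].lower()
    for entry in entries:
        m = parse_scriptmap(entry)
        if m["ext"].lower() == ext:
            return m["dll"]
    return None


if __name__ == "__main__":
    for ext, reason in audit(SAMPLE_SCRIPTMAPS):
        print(f"{ext:12} {reason}")
    hardened = harden(SAMPLE_SCRIPTMAPS)
    print("/printers/lp.printer ->", lookup("/printers/lp.printer", hardened))
```

lookup() is a deliberate model of the extension match, not a call into IIS. After harden() a request for /printers/lp.printer returns None, but lookup("/printers/lp.printerx_1", hardened) still returns msw3prt.dll, which is the newsletter's own caveat: renaming only obscures the mapping, and the fix is mode="remove" together with deleting the DLL.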

The first known virus that spreads by MSN's Messenger Service application has been discovered.

W32/Hello, an Internet worm that affects Windows machines, arrives via MSN Messenger as a file called Hello.exe.

The IE security architecture provides a caching mechanism that is used to store content that needs to be downloaded and processed on the user's local machine. The purpose of the cache is to obfuscate the physical location of the cached content, in order to ensure that the web page or HTML e-mail will work through the IE security architecture to access the information. This ensures that the uses of the information can be properly restricted.

A vulnerability exists because it is possible for a web page or HTML e-mail to learn the physical location of cached content. Armed with this information, an attacker could cause the cached content to be opened in the Local Computer Zone. This would enable him to launch compiled HTML help (.CHM) files that contain shortcuts to executables, thereby enabling him to run the executables.

An application called SMBRelay, written by cDc's Sir Dystic, exploits a design flaw in the SMB (Server Message Block) protocol on Win NT/2K boxes, easily enabling an attacker to interpose himself between the client and the server.

The Microsoft Data Access Component Internet Publishing Provider provides access to WebDAV resources over the Internet. By design, it should differentiate between requests made by a user and those made by a script running in the user's browser. However, because of an implementation flaw, it handles all requests in the security context of the user. As a result, if a user browsed to a web page or opened an HTML e-mail that contained script, that script could access web-based resources as the user.

The specific actions an attacker could take via this vulnerability would depend on the Web-based resources available to the user, and the user's privileges on them. However, it is likely that at a minimum, the attacker could browse the user's intranet, and potentially access web-based e-mail as well.
