 
 - RU.NETHACK -------------------------------------------------------------------
 From : Anton Alabushev                      2:465/162.34   14 May 2000  11:56:00
 To : All
 Subject : forw
 -------------------------------------------------------------------------------- 
 
           Hello All!
 
 ----------------------------------------------------------------------------
 Area:     RU.SECURITY (RU.SECURITY: established 26/07/1998) 
 From:     Alexey Lukatsky               2:5020/224.2 10 May 00  14:15:00
 To:       All                           
 Subject:  10 most popular vulnerabilities and attacks
 ----------------------------------------------------------------------------
 * Crossposted in RU.SECURITY
 * Crossposted in RU.INTERNET.SECURITY
 
                     Ni hao ma, All
 
 
 TOP 10 VULNERABILITIES
 
 The top 10 vulnerabilities represent the most commonly found and exploited
 high-risk vulnerabilities on the Internet. This list is derived from
 various trusted sources including ISS X-Force analysis, customer input,
 ISS Professional Services, and security partners. The top 10 list is
 maintained by ISS X-Force and distributed quarterly with the ISS Alert
 Summary.
 
 Security Advantage
 Securing computers and networks from these vulnerabilities across the
 enterprise assures protection from the most commonly exploited
 vulnerabilities on the Internet. This list should be incorporated into
 security policies to establish a reasonable level of protection.
 
 TOP 10
 1. Denial of service exploits
  - TFN
  - TFN2k
  - Trin00
  - Stacheldraht
  - FunTime Apocalypse
 
 2. Weak accounts
  - Default accounts (routers, firewalls)
  - Null passwords for admin/root accounts
  - SNMP with public/private strings set
 
 3. IIS (Microsoft Internet Information Server)
  - RDS
  - HTR
  - Malformed header
  - PWS File Access
  - CGI Lasso
  - PHP3 metacharacters
  - PHP mlog.html read files
 
 4. Open databases
  - Oracle default account passwords
  - Oracle setuid root oratclsh
  - SQL Server Xp_sprintf buffer overflow
  - SQL Server Xp_cmdshell extended
 
 5. E-Business web applications
  - NetscapeGetBo
  - HttpIndexserverPath
  - Frontpage Extensions
  - FrontpagePwdAdministrators
 
 6. Open Email
  - Sendmail pipe attack
  - SendmailMIMEbo
 
 7. FileSharing
  - NetBIOS
  - NFS
 
 8. RPC
  - rpc.cmsd
  - rpc-statd
  - Sadmin
  - Amd
  - Mountd
 
 9. BIND
  - BIND nxt
  a. Server to server response
  b. Buffer handling overflows
  c. More advanced
  - BIND qinv
  a. Compile flag on by default
  b. Activated buffer overflow
  c. Client request to server
  d. Script kiddie
  - Exposers outside firewall
  - In.Named binary
 
 10. Linux buffer overflows
  - IMAP BO
  - Qpopper BO
  - Overwrite stack
  - Common script kiddie exploits
  - Poor coding standards
  - WU-FTP BO
 
 RECOMMENDED CORRECTIVE ACTION
 At a business level, implement and manage security components across the
 organization. Stay vigilant as an ongoing process: apply new risk-reduction
 steps and monitor for threats.
 
 ISS recommends establishing the following levels of security:
  - Security Policy
  - Secure management level (such as intranet)
  - Security Software (Host based assessment and intrusion detection)
  - Secure critical network components OS/net/db/web
 
 VULNERABILITY DETAILS
 
 1. Denial of service exploits
 _____
 
 Vulnerability:  TFN
 Platforms Affected: Linux, Solaris, Unix
 Risk Level:  High
 Attack Type:  Network Based, Host Based
 
 Tribe Flood Network, TFN, is a distributed denial of service tool that
 allows an attacker to use several hosts at once to flood a target. It has
 four different kinds of floods -- ICMP Echo flood, UDP Flood, SYN Flood,
 and Smurf attack. The TFN client and server use ICMP echo reply packets to
 communicate with each other.
 
 Reference:
 CERT Advisory CA-99-17: "Distributed Denial-of-Service Tools" at:
 http://www.cert.org/incident_notes/IN-99-07.html
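 Added example (not part of the ISS advisory): a small detector for the TFN control channel described above. TFN clients and daemons talk to each other with ICMP echo replies, so an echo reply that answers no echo request seen on the wire is a useful indicator. The packet records are constructed sample data; a real deployment would feed them from a capture or flow source.

```python
# Added example, not from the ISS advisory: flag ICMP echo replies that were
# never requested. TFN agents and handlers use echo *replies* to talk, so a
# host receiving or emitting many unsolicited replies deserves a look.
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "ts src dst icmp_type icmp_id icmp_seq")
ECHO_REPLY, ECHO_REQUEST = 0, 8


def find_unsolicited_replies(packets, window=30.0):
    """Return echo replies with no matching request (same id/seq, reversed
    addresses) within the preceding `window` seconds."""
    pending = {}      # (requester, target, id, seq) -> time the request was seen
    unsolicited = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.icmp_type == ECHO_REQUEST:
            pending[(p.src, p.dst, p.icmp_id, p.icmp_seq)] = p.ts
        elif p.icmp_type == ECHO_REPLY:
            sent_at = pending.pop((p.dst, p.src, p.icmp_id, p.icmp_seq), None)
            if sent_at is None or p.ts - sent_at > window:
                unsolicited.append(p)
    return unsolicited


def talkers(replies):
    """Count unsolicited replies per (src, dst); repeated pairs point at C2 peers."""
    return Counter((p.src, p.dst) for p in replies)


# Constructed sample traffic: one normal ping exchange, two unsolicited replies
# from an outside host, and one reply that arrives far too late to be genuine.
SAMPLE_PACKETS = [
    Packet(1.0, "10.0.0.9", "10.0.0.5", ECHO_REQUEST, 100, 1),   # normal ping
    Packet(1.1, "10.0.0.5", "10.0.0.9", ECHO_REPLY, 100, 1),     # its answer
    Packet(5.0, "203.0.113.7", "10.0.0.5", ECHO_REPLY, 456, 0),  # never requested
    Packet(5.2, "203.0.113.7", "10.0.0.5", ECHO_REPLY, 456, 0),  # never requested
    Packet(50.0, "10.0.0.9", "10.0.0.5", ECHO_REQUEST, 101, 2),
    Packet(90.0, "10.0.0.5", "10.0.0.9", ECHO_REPLY, 101, 2),    # answer 40 s late
]

if __name__ == "__main__":
    hits = find_unsolicited_replies(SAMPLE_PACKETS)
    for (src, dst), n in talkers(hits).most_common():
        print("%s -> %s: %d unsolicited echo replies" % (src, dst, n))
```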
 Vulnerability:  TFN2k
 Platforms Affected: Linux, Solaris, Unix
 Risk Level:  High
 Attack Type:  Network Based, Host Based
 
 Tribe Flood Network 2000 (TFN2k) is a distributed denial of service tool
 that can perform a number of different types of floods against a host. It
 consists of a client and a daemon. The client controls one or more
 daemons, which flood a targeted host. The client can use UDP, TCP, or ICMP
 to communicate with the daemon and can spoof (fake) the source IP address
 of outgoing packets. Communication between the client and daemon is
 encrypted.
 
 Reference:
 CERT Advisory CA-99-17: "Denial-of-Service Tools" at:
 http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
 Vulnerability:  Trin00
 Platforms Affected: Linux, Solaris, Unix
 Risk Level:  High
 Attack Type:  Network Based, Host Based
 
 Trin00 is a distributed denial of service attack tool. It allows an
 attacker to control several hosts to make them send a UDP flood to another
 host. The Trin00 master can make several requests to the Trin00 daemon:
 - Start flooding a host with UDP packets
 - Stop flooding a host with UDP packets
 - Change the UDP flood configuration of the daemon
 
 Reference:
 CERT Advisory CA-99-17: "Denial-of-Service Tools" at:
 http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
 Vulnerability:  Stacheldraht
 Platforms Affected: Any
 Risk Level:  High
 Attack Type:  Network Based
 
 Stacheldraht is a distributed denial of service tool based on the source
 code of the Tribe Flood Network (TFN) and Trin00 tools. In addition to
 providing the features of these tools, Stacheldraht encrypts communication
 between clients, master servers (sometimes known as handlers), and agents.
 It can also remotely upgrade agents with an account and server name using
 the rcp command.
 
 Stacheldraht was designed to be built and installed on compromised Linux
 and Solaris systems, but it potentially could be installed on any system
 by modifying the source code.
 
 Reference:
 CERT Advisory CA-2000-01: "Denial of Service Developments" at:
 http://www.cert.org/advisories/CA-2000-01.html
 
 Vulnerability:  FunTime Apocalypse
 Platforms Affected: Windows 9x, NT, 2K
 Risk Level:  High
 Attack Type:  Network Based
 
 Funtime Apocalypse is a distributed denial of service (DDoS) tool for
 Windows 9x and Windows NT.  Attackers can launch a "timer fused" flood
 against a target computer. Funtime Apocalypse consists of several
 different files:
 - a flooding program (bmb2.exe)
 - a host file (funtime.txt)
 - some batch files (funtime.bat, timer98.bat, and timerNT.bat)
 - two Windows HTML applications (funtime98.hta and funtimeNT.hta)
 Funtime requires an attacker to make major modifications to the batch
 files and Windows HTML application files, or it will not work.
 
 2. Weak accounts
 _____
 
 Vulnerability:  Default Accounts (Firewalls/Routers)
 Platforms Affected: Any
 Risk Level:  High
 
 Default accounts are usually unsafe and should always be changed.
 
 Vulnerability:  Null passwords for admin/root accounts
 Platforms Affected: Any
 Risk Level:  High
 
 Null passwords for admin and root accounts allow anyone access with admin
 or root privileges. A password should be added to protect the  computer or
 network.
 
 Vulnerability:  SNMP with public/private strings set
 Platforms Affected: Any
 Risk Level:  High
 
 An attacker can use SNMP strings to gain valuable information about a
 computer. This information could be used at a later time to launch an
 attack.
 
 Reference:
 Microsoft Knowledge Base Article Q99880: "SNMP Agent Responds to Any
 Community Name" at:
 http://support.microsoft.com/support/kb/articles/q99/8/80.asp
 3. IIS (Microsoft Internet Information Server)
 _____
 Vulnerability:  IIS RDS
 Platforms Affected: Microsoft IIS Servers
 Risk Level:  High
 
 Implicit remoting is enabled via the Microsoft Internet Information Server
 (IIS) web server. RDS allows an unauthorized user access to ODBC databases
 via IIS.
 
 Reference:
 Microsoft Security Bulletin: "Re-Release: Unauthorized Access to IIS
 Servers through ODBC Data Access with RDS" at:
 http://www.microsoft.com/security/bulletins/ms99-025.asp
 Vulnerability:  IIS HTR
 Platforms Affected: Microsoft IIS Servers
 Risk Level:  Medium
 
 An attacker could gain access to the IIS server and run any program.
 
 Reference:
 Microsoft Security Bulletin: "Workaround Available for 'Malformed HTR
 Request' Vulnerability" at:
 http://www.microsoft.com/security/bulletins/ms99-019.asp
 Vulnerability:  IIS Malformed Header
 Platforms Affected: Microsoft IIS Servers
 Risk Level:  Medium
 
 A vulnerability in Microsoft Internet Information Server 4.0 (IIS) and
 SiteServer 3.0 could cause the web server to consume all the memory on the
 system, if a remote attacker sends a flood of specifically malformed HTTP
 request headers. The service would have to be stopped and restarted in
 order to resume normal operation.
 
 Reference:
 Microsoft Security Bulletin MS99-029: "Patch Available for 'Malformed HTTP
 Request Header' Vulnerability" at:
 http://www.microsoft.com/security/bulletins/ms99-029.asp
 Vulnerability:  PWS File Access
 Platforms Affected: Microsoft Personal Web Server 4.0
 Risk Level:  Medium
 
 A vulnerability in the file access protocols of the Microsoft Personal Web
 Server (PWS) and FrontPage PWS could allow arbitrary files to be remotely
 read. The attacker is required to have prior knowledge of file names to
 exploit this vulnerability, which does not yield any other privileges than
 read access.
 
 Reference:
 Microsoft Security Bulletin MS99-010: "Patch Available for File Access
 Vulnerability in Personal Web Server" at:
 http://www.microsoft.com/security/bulletins/ms99-010.asp
 Vulnerability:  IIS CGI Lasso
 Platforms Affected: CGI
 Risk Level:  Medium
 
 The Lasso CGI program installed on many web servers, especially WebSTAR
 servers, contains a vulnerability that could allow remote attackers to
 read arbitrary files from the system. While the problem does not lead to
 direct access to the system, it could potentially compromise sensitive
 files.
 
 Reference:
 BugTraq Mailing List: "Lasso CGI security hole (fwd)" at:
 http://www.netspace.org/cgi-bin/wa?A2=ind9708D&L=bugtraq&P=R1093
 Vulnerability:  PHP3 Metacharacters
 Platforms Affected: PHP3
 Risk Level:  High
 
 PHP3 is a scripting language used in web hosting setups. If safe_mode is
 enabled in the hosting setup, a remote attacker can pass shell
 metacharacters into commands that are executed with popen. This could allow
 the attacker to execute commands on the server.
 
 Reference:
 Microsoft Security Bulletin MS99-010: "Patch Available for File Access
 Vulnerability in Personal Web Server" at:
 http://www.microsoft.com/security/bulletins/ms99-010.asp
 Vulnerability:  PHP mlog.html Read Files
 Platforms Affected: PHP, CGI
 Risk Level:  Medium
 
 The 'mlog.html' sample script shipped with the PHP/FI package allows
 remote attackers to view any file on the system. Attackers are limited to
 viewing files accessible to the user the httpd server is running under,
 generally "nobody." This vulnerability also exists in the 'mylog.html'
 script shipped with PHP/FI. Exploit information for this hole has been
 widely published.
 
 Reference:
 BugTraq Mailing List: "Vulnerability in PHP Example Logging Scripts" at:
 http://www.securityfocus.com/templates/archive.pike?list=1&msg=3.0.3.32.19971019203840.0075b7b0@mail.underworld.net
 
 4. Open databases
 _____
 
 Vulnerability:  Oracle default account passwords
 Platforms Affected: Unix
 Risk Level:  High
 
 Oracle databases have several well-known default username/password
 combinations. These combinations include the following: SCOTT/TIGER,
 DBSNMP/DBSNMP, SYSTEM/MANAGER, SYS/CHANGE_ON_INSTALL, TRACESVR/TRACE,
 CTXSYS/CTXSYS, MDSYS/MDSYS, DEMO/DEMO, CTXDEMO/CTXDEMO, APPLSYS/FND,
 PO8/PO8, NAMES/NAMES, SYSADM/SYSADM, ORDPLUGINS/ORDPLUGINS, OUTLN/OUTLN,
 ADAMS/WOOD, BLAKE/PAPER, JONES/STEEL, CLARK/CLOTH,
 AURORA$ORB$UNAUTHENTICATED/INVALID, and APPS/APPS. These default
 combinations could give an attacker unauthorized access to the server.
 
 Vulnerability:  Oracle setuid root oratclsh
 Platforms Affected: Unix
 Risk Level:  High
 
 The Oracle 8.x Intelligent Agent for Unix installs a program called
 'oratclsh' that is suid root. This program allows full access to the Tcl
 interpreter and can be used by any local user to run any program.
 
 Reference:
 BugTraq Mailing List: "Huge security hole in Oracle 8.0.5 with Intelligent
 agent installed" at:
 http://www.netspace.org/cgi-bin/wa?A2=ind9904E&L=bugtraq&P=R1249
 Vulnerability:  SQL Server Xp_sprintf buffer overflow
 Platforms Affected: Any
 Risk Level:  High
 
 In versions of SQL Server earlier than Release 6.5 Service Pack 5, the
 extended stored procedure xp_sprintf can be exploited using buffer
 overflows. An attacker can use xp_sprintf to crash the server or to
 possibly gain admin privileges on the system running SQL Server.
 Vulnerability:  SQL Server Xp_cmdshell extended
 Platforms Affected: Windows
 Risk Level:  Medium
 
 Microsoft SQL Server extended stored procedure, xp_cmdshell, can be used
 to gain Windows NT administrator rights.
 5. E-Business web applications
 _____
 
 Vulnerability:  Netscape Get Buffer Overflow
 Platforms Affected: Netscape FastTrack, Netscape Enterprise Server
 Risk Level:  High
 
 A vulnerability in the Netscape Enterprise Server and Netscape FastTrack
 Server allows an attacker to send the web server an overly long HTTP GET
 request, overflowing a buffer in the Netscape httpd service and
 overwriting the process's stack. This allows a sophisticated attacker to
 force the machine to execute any program code that they send. It is
 possible to use this vulnerability to execute arbitrary code as SYSTEM on
 the server, giving an attacker full control of the machine.
 
 Reference:
 Microsoft Knowledge Base Article: "Buffer Overflow in Netscape Enterprise
 and FastTrack Web Servers" at:
 http://xforce.iss.net/alerts/advise37.php3
 Vulnerability:  Netscape HTTP Index Server Reveals Path
 Platforms Affected: IIS4, Microsoft Index Server
 Risk Level:  Medium
 
 Microsoft Index Server reveals sensitive path information in certain error
 messages. Microsoft Index Server is a web search engine included in the
 Windows NT 4.0 Option Pack. When a user requests a non-existent Internet
 Data Query (IDQ) file, the program returns an error message that provides
 the physical path to the web directory that was contained in the request.
 An attacker could use this to gain information about the file structure of
 the web server that would be helpful in an attack.
 
 Reference:
 Microsoft Security Bulletin MS00-006: "Patch Available for "Malformed
 Hit-Highlighting Argument" Vulnerability" at:
 http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
 Vulnerability:  Frontpage Extensions
 Platforms Affected: Microsoft Frontpage
 Risk Level:  High
 
 Microsoft FrontPage extensions under Unix systems sporadically create
 'service.pwd' files with world readable (or sometimes, world writable)
 permissions. This file contains encrypted user passwords that can be later
 cracked offline.
 
 Reference:
 BugTraq Mailing List: "Some Past Frontpage Exploits" at:
 http://www.netspace.org/cgi-bin/wa?A2=ind9804D&L=bugtraq&P=R2547
 Vulnerability:  Frontpage Pwd Administrators
 Platforms Affected: Microsoft Frontpage
 Risk Level:  High
 
 Microsoft FrontPage Extensions creates an administrators.pwd file inside
 the _vti_pvt directory in the HTTP server's document root. This file
 contains encrypted passwords which could be remotely retrieved by an
 attacker and cracked offline. If the passwords in this file are weak
 enough, or enough time is spent cracking them, the attacker could
 potentially obtain the cleartext password and use it to access resources
 on the server.
 
 Reference:
 BugTraq Mailing List: "Some Past Frontpage Exploits" at:
 http://www.netspace.org/cgi-bin/wa?A2=ind9804D&L=bugtraq&P=R2547
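 Added example (not part of the ISS advisory) covering both FrontPage entries above: an audit that walks a web document root, finds the service.pwd and administrators.pwd files the advisory describes, and reports whether their Unix permissions let any local user read or write them. Any such file under the document root is also flagged as fetchable over HTTP. The demo document root is constructed in a temporary directory; the file contents are placeholders.

```python
# Added example, not from the ISS advisory: audit a docroot for FrontPage
# password files and loose permissions. Demo data is constructed below.
import os
import stat
import tempfile

PWD_FILES = {"service.pwd", "administrators.pwd"}   # names taken from the advisory


def scan_frontpage_pwd_files(docroot):
    """Return {relative_path: [problems]} for every FrontPage .pwd file found."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower() not in PWD_FILES:
                continue
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            # Anything under the docroot can be requested over HTTP unless the
            # server is configured to refuse it, so its presence alone is a finding.
            problems = ["reachable under the document root"]
            if mode & stat.S_IROTH:
                problems.append("world-readable")
            if mode & stat.S_IWOTH:
                problems.append("world-writable")
            findings[os.path.relpath(path, docroot)] = problems
    return findings


def build_demo_docroot():
    """Construct a throwaway docroot resembling a FrontPage-extended site."""
    root = tempfile.mkdtemp(prefix="fp-demo-")
    pvt = os.path.join(root, "_vti_pvt")
    os.makedirs(pvt)
    samples = {
        os.path.join(root, "index.html"): (0o644, "<html></html>\n"),
        # service.pwd left world-readable: the sporadic bug the advisory notes
        os.path.join(pvt, "service.pwd"): (0o644, "# -FrontPage-\nadmin:PLACEHOLDER_HASH\n"),
        # administrators.pwd with sane mode bits, still fetchable over HTTP
        os.path.join(pvt, "administrators.pwd"): (0o600, "# -FrontPage-\nadmin:PLACEHOLDER_HASH\n"),
    }
    for path, (mode, text) in samples.items():
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return root


def demo_findings():
    """Build the demo docroot and scan it (used by the self-check below)."""
    return scan_frontpage_pwd_files(build_demo_docroot())


if __name__ == "__main__":
    for rel, problems in sorted(demo_findings().items()):
        print(rel + ": " + ", ".join(problems))
```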
 
 6. Open Email
 _____
 
 Vulnerability:  Sendmail pipe attack
 Platforms Affected: Sendmail
 Risk Level:  High
 
 By inserting a pipe character into certain fields in an e-mail, Sendmail
 may be forced to execute a command on the remote machine. This behavior
 may result in a remote attacker being able to execute commands as root.
 
 Reference:
 Sendmail Consortium: "Sendmail FAQ" at:
 http://www.sendmail.org/faq
 Vulnerability:  Sendmail MIME Buffer Overflow
 Platforms Affected: Sendmail versions 8.8.3 and 8.8.4
 Risk Level:  High
 
 A vulnerability exists in Sendmail 8.8.3 and 8.8.4 in the MIME handling
 code. A buffer overflow in this code could allow a remote attacker to send
 the server a message with specially crafted headers that would cause
 Sendmail to execute arbitrary commands with root privileges.
 
 Reference:
 CERT Advisory CA-97.05: "MIME Conversion Buffer Overflow in Sendmail
 Versions 8.8.3 and 8.8.4" at:
 http://www.cert.org/advisories/CA-97.05.sendmail.html
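 Added example (not part of the ISS advisory) serving both Sendmail entries above: a mail-header check that flags a pipe character in address-bearing header fields (the pipe attack) and reports oversized headers of the kind that triggered the MIME-conversion overflow. The length threshold, the field list and the sample message are assumptions constructed for the demo.

```python
# Added example, not from the ISS advisory: scan message headers (and the
# envelope sender, if supplied) for a pipe character in address fields and
# for headers far longer than legitimate mail produces.
import email

# Assumed set of address-bearing fields worth checking; not from the advisory.
ADDRESS_FIELDS = ("From", "Sender", "Reply-To", "Return-Path", "Errors-To", "To", "Cc")
MAX_HEADER_LEN = 1024  # assumed operational threshold, not from the advisory


def scan_headers(raw_message, envelope_sender=None):
    """Return [(field, problem)] for suspicious headers in an RFC 822 message."""
    msg = email.message_from_string(raw_message)  # default compat32 keeps raw values
    findings = []
    candidates = list(msg.items())
    if envelope_sender is not None:
        candidates.insert(0, ("MAIL FROM", envelope_sender))
    for name, value in candidates:
        if (name in ADDRESS_FIELDS or name == "MAIL FROM") and "|" in value:
            findings.append((name, "pipe character in address field"))
        if len(value) > MAX_HEADER_LEN:
            findings.append((name, "oversized header (%d bytes)" % len(value)))
    return findings


# Constructed sample: a quoted local-part carrying a pipe, plus a 2000-byte header.
SAMPLE = (
    'From: "|mailer"@example.net\r\n'
    "To: postmaster@example.com\r\n"
    "Subject: delivery test\r\n"
    "X-Filler: " + "A" * 2000 + "\r\n"
    "\r\n"
    "hello\r\n"
)

if __name__ == "__main__":
    for field, problem in scan_headers(SAMPLE, envelope_sender="<bounce@example.net>"):
        print("%s: %s" % (field, problem))
```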
 7. FileSharing
 _____
 
 Vulnerability:  NetBIOS
 Platforms Affected: NetBIOS
 Risk Level:  High
 
 NetBIOS file sharing could allow an attacker to access to files on the
 system and perform brute force password cracking.
 Vulnerability:  NFS
 Platforms Affected: NFS
 Risk Level:  High
 
 NFS systems could allow an attacker to access files on systems across the
 network.
 8. RPC
 _____
 
 Vulnerability:  rpc.cmsd
 Platforms Affected:  Solaris: 2.3, 2.4, 2.5, 2.5.1, and 2.6, Common
    Desktop Environment (CDE)
 Risk Level:  High
 
 Sun has found a vulnerability in the database manager rpc.cmsd, which is
 used as an appointment and resource-scheduler with clients such as
 Calendar Manager in Openwindows, and Calendar in CDE. The vulnerability,
 if exploited, would allow an attacker to overwrite arbitrary files and
 gain root level access.
 
 Reference:
 Sun Microsystems, Inc. Security Bulletin #00166: "rpc.cmsd" at:
 http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/166
 Vulnerability:  Sun RPC Statd
 Platforms Affected: Solaris: 2.3, 2.4, 2.5, 2.5.1, and 2.6
 Risk Level:  High
 
 The RPC service statd works with lockd to provide crash and recovery
 functions for file locking over NFS. Under Solaris and SunOS, a remote
 attacker can use statd's ability to indirectly call other RPC services to
 bypass the access controls of those RPC services. This hole could
 potentially be used to exploit other security weaknesses in Sun servers.
 
 Reference:
 Sun Microsystems, Inc. Security Bulletin #00186: "rpc.statd" at:
 http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/186
 Vulnerability:  Sadmin
 Platforms Affected: Solaris: 2.3, 2.4, 2.5, 2.5.1, 2.6, and 7
 Risk Level:  High
 
 The sadmind daemon is part of the Solstice AdminSuite distributed system
 administration package distributed with Sun's Solaris operating system.
 The program contains a remotely exploitable buffer overflow in calls made
 to NETMGT_PROC_SERVICE, which could allow an attacker to execute arbitrary
 code with root privileges.
 
 Reference:
 Sun Microsystems, Inc. Security Bulletin #00191: "Sadmin" at:
 http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/191
 Vulnerability:  Amd
 Platforms Affected: Linux
 Risk Level:  High
 
 The Automounter daemon (amd) has a buffer overflow in the mount code that
 affects Linux and some BSD platforms. Amd automatically mounts file
 systems in response to attempts to access files that reside on those file
 systems. Passing a long string to the AMQPROC_MOUNT procedure can cause a
 remote attacker to obtain root credentials.
 
 Reference:
 CERT Advisory CA-99-12: "Buffer Overflow in amd" at:
 http://www.cert.org/advisories/CA-99-12-amd.html
 Vulnerability:  Mountd
 Platforms Affected: Linux
 Risk Level:  High
 
 There is a vulnerability in some implementations of the software that NFS
 servers use to log requests to use file systems. Attackers who exploit the
 vulnerability are able to gain administrative access to the vulnerable NFS
 file server. That is, they can do anything the system administrator can
 do. This vulnerability can be exploited remotely and does not require an
 account on the target machine.
 
 Reference:
 CERT Advisory CA-98.12: "Remotely Exploitable Buffer Overflow
 Vulnerability in mountd" at:
 http://www.cert.org/advisories/CA-98.12.mountd.html
 9. BIND
 _____
 
 Vulnerability:  BIND nxt
 Platforms Affected:  Bind: 8.2, 8.2 P1, and 8.2.1
 Risk Level:  High
 
 A vulnerability has been discovered in the processing of NXT records in
 the 8.2 and 8.2.1 versions of BIND. BIND is a freely available DNS server
 produced by the Internet Software Consortium. This buffer overflow could
 allow a remote attacker to execute arbitrary code on vulnerable servers
 with root privileges.
 
 Reference:
 CERT Advisory CA-99-14: "Multiple Vulnerabilities in BIND" at:
 http://www.cert.org/advisories/CA-99-14-bind.html
 Vulnerability:  BIND Qinv
 Platforms Affected: Bind
 Risk Level:  High
 
 A buffer overflow exists in BIND versions prior to 4.9.7, and BIND
 versions prior to 8.1.2. A malicious remote user can send a specially
 formatted inverse-query TCP stream that would crash the BIND server and
 allow the attacker to gain root access.
 
 Reference:
 CERT Advisory CA-98.05: "Multiple Vulnerabilities in BIND" at:
 http://www.cert.org/ftp/cert_advisories/CA-98.05.bind_problems
 10. Linux buffer overflows
 _____
 
 Vulnerability:  IMAP Buffer Overflow
 Platforms Affected: IMAP
 Risk Level:  High
 
 IMAP4rev1 servers up to and including 10.234 contain a buffer overflow
 that allows a remote attacker to execute arbitrary commands on the victim
 site as the user running imapd, generally root. This is not the same
 vulnerability described in CERT CA-97.09, which was a buffer overflow in
 the IMAP LOGIN command whereas this vulnerability affects the IMAP
 AUTHENTICATE command. It is important to note that fixed versions of IMAP
 were distributed under the 10.234 version number as well, so version
 numbers alone are not indicative of a safe or vulnerable server.
 
 Reference:
 CERT Advisory CA-98.09: "Buffer Overflow in Some Implementations of IMAP
 Servers" at: http://www.cert.org/advisories/CA-98.09.imapd.html
 Vulnerability:   QPopper Buffer Overflow
 Platforms Affected: Qpopper, SCO Open Server, SCO Internet FastStart
 Risk Level:  High
 
 Qualcomm qpopper server versions earlier than 2.5 contain a buffer
 overflow. A remote attacker can issue a PASS command of excessive length
 to the server and cause an internal buffer to be overflowed. This could
 allow an attacker to execute arbitrary code on the server with root
 privileges.
 
 Reference:
 CERT Advisory CA-98.08: "Buffer overflows in some POP servers" at:
 http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
 
 Vulnerability:   Overwrite Stack
 Platforms Affected: wu-ftpd
 Risk Level:  High
 
 Wu-ftpd macro variables in the message file allow local or remote
 attackers to overwrite the stack in the FTP daemon and execute code as
 root. This is caused by improper bounds checking during the expansion of
 macro variables in the message file.
 
 Reference:
 CERT Advisory CA-99-13: "Multiple Vulnerabilities in WU-FTPD" at:
 http://www.cert.org/advisories/CA-99-13-wuftpd.html
 Vulnerability:   WU-FTP Directory Buffer Overflow
 Platforms Affected: wu-ftpd: 2.5, BeroFTPD,
 Risk Level:  High
 
 A vulnerability in Washington University's FTP server (wu-ftpd) and
 servers derived from its source could allow a local or remote attacker to
 execute code as root. A buffer overflow condition exists in bounds
 checking of directory names supplied by users when the server is compiled
 to use the MAPPING_CHDIR feature. Any attacker with the ability to create
 directories can overwrite static memory space and execute arbitrary code
 with root privileges.
 
 Reference:
 CERT Advisory CA-99-13: "Multiple Vulnerabilities in WU-FTPD" at:
 http://www.cert.org/advisories/CA-99-13-wuftpd.html
        Regards, Anton.
                                
                              [Team ДГУЭТ] [Team LINUX]
 ---
  * Origin: novell - not a creature, but a means of communication! (2:465/162.34)
 
 
