SecurityFocus Newsletter #130
-----------------------------

This issue is sponsored by: MIS Training Institute (MISTI)
http://www.misti.com

InfoSec World Conference and Expo/2002, March 18-20, 2002 in Orlando, delivers proven strategies and solutions to the hottest infosecurity issues: wireless device security, PKI, encryption, thwarting hacker attacks, firewalls, IDSs, vulnerability tests, enterprisewide security, VPNs, and more. For complete details and to register, go to:
http://www.misti.com/northamerica.asp?page=4

-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. SecurityFocus is Hiring!
     2. Special Event: Information Security in the Age of Terrorism
     3. Castles Built on Sand: Why Software is Insecure
     4. Understanding IDS Active Response Mechanisms
     5. Reject the Corporate Secrecy Grab
     6. Passive Aggressive
II. BUGTRAQ SUMMARY
     1. rsync Signed Array Index Remote Code Execution Vulnerability
     2. Sony VAIO Unauthorized System Access Vulnerability
     3. PGPFire Desktop Firewall ICMP Fingerprinting Vulnerability
     4. Alteon AceDirector Half-Closed HTTP Request IP Address Reveal...
     5. Tarantella Enterprise 3 gunzip Race Condition Vulnerability
     6. Compaq Intel PRO/Wireless 2011B LAN USB Device Driver Infor...
     7. BRU SetLicense Script Insecure Temporary File Symbolic Link...
     8. Hosting Controller Information Disclosure Vulnerability
     9. SAP SAPgui Denial of Service Vulnerability
    10. SGI O2 Video Session Viewing Information Disclosure Vulnerability
    11. XInet K-AShare XKAS Program World Writable Icon Directory...
    12. Agora.CGI Debug Mode Path Disclosure Vulnerability
    13. CNet CatchUp Remote Arbitrary Code Execution Vulnerability
    14. Xoops Remote SQL Injection Vulnerability
    15. Xoops Private Message Box Cross-Site Scripting Vulnerability
    16. SAS SASTCPD Command Line Argument Buffer Overflow Vulnerability
    17. SAS SASTCPD Command Format String Vulnerability
    18. PhpSmsSend Remote Shell Command Execution Vulnerability
    19.
Xoops Private Message System Cross-Site Scripting Vulnerability
    20. Etype EServ Passive Mode Denial of Service Vulnerability
    21. Etype EServ Bounce Attack Vulnerability
    22. fwmon Oversized Packet Denial of Service Vulnerability
    23. AHG Search Engine Search.CGI Arbitrary Command Execution...
    24. Netjuke Remote Command Execution Vulnerability
    25. Microsoft Windows NTFS File Hiding Vulnerability
    26. Lotus Domino Username Enumeration Vulnerability
III. SECURITYFOCUS NEWS ARTICLES
     1. FBI Issues Water Supply Cyberterror Warning
     2. Accused Ebay Hacker put on Electronic Leash
     3. Senator Introduces New Cybercrime Bills
IV. SECURITYFOCUS TOP 6 TOOLS
     1. SILC (Secure Internet Live Conferencing)(Toolkit) v0.7.3
     2. EnderUNIX spamGuard v1.0
     3. Securepoint Firewall and VPN Server SB v2.06
     4. Win Sniffer v1.22
     5. Appcap v0.12
     6. Secure FTP Wrapper v2.0pr2
V. SECURITYJOBS LIST SUMMARY
     1. Communications Consultant/Project Manager (with Security...
     2. Advice on entering the security field (training, qualifi...
     3. Web Security Engineer (Thread)
     4. Needed: Security Consultants - DC/Virginia area (Thread)
     5. Junior-level Security Administrator/Engineer (Thread)
     6. (job offered) HIPAA Security Compliance Consultant (Thread)
     7. Would that be appropriate content for securityjobs list?...
     8. Would that be appropriate content for securityjobs list? (fwd )
     9. Security System Development Positions Available (Thread)
    10. Seeking: Information Security/Penetration Testing Position...
    11. Seeking a Security Position in Northern Virginia/DC-Metro...
    12. Intrusion Detection Management Position (Thread)
    13. Enterprise Systems Developer - Job #681 - NJ (Thread)
    14. CSIRC SHIFTWORK in Leesburg, VA (Thread)
    15. Seeking a software position (Thread)
    16. Freelance Security Consultant and Trainer (Thread)
    17. Security positions available.. (Thread)
    18. Positions open at CORE Security Technologies - NYC (Thread)
    19. Looking For Internship In Computer Security (Thread)
    20.
Resume: Senior Software Developer (Thread)
    21. Seeking Information Security position in Denver area (Thread)
    22. Any jobs in Canada (Thread)
    23. Senior Security Account Managers - Based in the UK (Thread)
    24. Resume (Thread)
    25. Network/Security Administrator Candidate, (Thread)
    26. Resume for Kurt Seifried (Thread)
    27. UK Contract Opportunity - IT Security Incident Response...
    28. Seeking an entry level position in Security (Thread)
    29. seeking a position in information security (Thread)
    30. Entry level candidate (Thread)
    31. (jobs offered) Security/IT candidates needed (Thread)
    32. Contracting Position (Thread)
VI. INCIDENTS LIST SUMMARY
     1. DDoS to microsoft sites (? avenues of attack!) (Thread)
     2. formmail - abuse contact for broadwing.net? (Thread)
     3. New Virus/Worm - Frontpage? (Thread)
     4. DDoS to microsoft sites (Thread)
     5. suspicious packets (Thread)
     6. Apache 1.3.XX (Thread)
     7. Odd scan (Thread)
     8. UDP port 500 traffic from two clients (Thread)
     9. DDoS attack. (Thread)
    10. is this enumeration? (Thread)
    11. Lots of scans by SSH-1.0-SSH_Version_Mapper (Thread)
    12. Honeypot challenge you've probably already heard about (Thread)
    13. port 22224?? What the heck (Thread)
    14. DDoS help! (Thread)
    15. Odd string in packet... (Thread)
    16. Strings of 'EEEE' in pings... (Thread)
    17. Odd connection attempts from many addresses (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
     1. CSS, CSS & let me give you some more CSS (Thread)
     2. buffer overflow on whois (redhat linux 7.0/7.1 on i686) (Thread)
     3. switch jamming (Thread)
     4. Big Security Holes in Portix-PHP Portal (Thread)
     5. Black Hat Windows Security Keynotes announced (Thread)
     6. Script to find domino's users (Thread)
     7. DoS against DHCP (Thread)
     8. SPI Labs SQL Injection Whitepaper Released (Thread)
     9. Enumerating users on a Domino webserver (Thread)
    10. Looking for old Interbase proof-of-concept exploit (Thread)
    11. PhpSmsSend remote execute commands bug (Thread)
    12. SSH brute forcer (Thread)
    13.
eNom Domain Registration Services Domain Hijacking Vulnerability
    14. [NGSEC] Whitepaper Released: Polymorphic shellcodes...
    15. [NGSEC] Whitepaper Released: Polymorphic shellcodes vs...
    16. ASP Security (Thread)
    17. Lame: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs...
    18. CGI THREAT: Malicious data injection into Perl modules...
VIII. MICROSOFT FOCUS LIST SUMMARY
     1. Windows 2000/.Net Group Policy Locker (Thread)
     2. Outlook 2002 SP-1 Plain Text Patch Problem (Thread)
     3. latest MS Advisory ms02-001 (Thread)
     4. "undelete" for NT2000 file sharing? (Thread)
     5. Early Summary: RE: UPnP on Windows 2000 Pro? (Thread)
     6. UPnP on Windows 2000 Pro? (Thread)
     7. NetBIOS Enumeration Utility 1.1 now available! (Thread)
     8. two questions that need answering (Thread)
     9. Microsoft CSP Random Key Generation (Thread)
    10. Terminal Service Question (Thread)
    11. Exchange 5.5 RPC Encryption (Thread)
    12. SecurityFocus Microsoft Newsletter #71 (Thread)
    13. Administrivia: Fun with Viruses (Thread)
    14. Persistent Shares viewable between users? (Thread)
    15. Enterprise Web application Security (Thread)
    16. Risk Analysis and Management Tool (Thread)
    17. How to get my encrypted files back - Copy to FAT32... (Thread)
IX. SUN FOCUS LIST SUMMARY
     1. /etc/default/passwd and SSH (Thread)
X. LINUX FOCUS LIST SUMMARY
     1. apache and nimbda (Thread)
     2. Mitigating SYN flooding with Netfilter or net.ipv4.tcp_syn...
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------

1. SecurityFocus is Hiring!

SecurityFocus is currently looking for a programmer/debugger for its Threat Analysis teams. This position requires skillsets which I have outlined below. These positions require the staff members to be located in Calgary, Alberta, Canada. Relocation assistance is possible from within Canada. Skills will require verification by way of an actual practical test before an in-person interview is secured.

Skills required:
- Expertise with SoftICE & IDA Pro (or similar tools).
- Expertise with x86 assembly language
- Programming ability in C & C++, targeting both the Unix and Windows platforms
- Strong report writing skills and ability to interface with customers.

Additional skills preferred:
- Working knowledge of computer viruses, worms, and trojans propagation techniques
- Working knowledge of honeypots.

Personal Skills Required:
Any applicant must be able to work in a team environment and deal with very tight deliverables. An outgoing pleasant personality is an absolute requirement. No rockstars, no prima donnas.

About SecurityFocus
SecurityFocus is the leading provider of security intelligence products and services for business. They include SIA (Security Intelligence Alert), which alerts subscribers to security vulnerabilities, and ARIS (Attack Registry & Intelligence Service), which predicts cyber assaults on customer networks, based on global attack data. SecurityFocus also licenses the world's largest and most comprehensive vulnerability information database, hosts the most popular security community mailing list on the Internet, Bugtraq, and publishes original security content on its Web site.

Please send resumes if interested to Alfred Huger
ah@securityfocus.com

2. Special Event: Information Security in the Age of Terrorism (March 25-26, 2002, Washington DC)

Join an impressive faculty to learn strategic tools to safeguard your trade secrets and assets at Financial Research Associates' conference on Information Security in the Age of Terrorism, March 25-26 in Washington DC. Learn about the burgeoning relationships between terrorist organizations and hackers, the impact of better funded and organized hackers, how to protect your organization and much more. This event focuses on practical security strategies with practitioner case studies and features an all-star faculty. To see a detailed conference brochure, go to www.frallc.com, or call for more information at 800-280-8440.

3.
Castles Built on Sand: Why Software is Insecure
by Josh Ryder

Software developers spend endless hours developing sophisticated programs that will make users' lives easier and more productive. Unfortunately, the outcome is not always what the developers had in mind. Many software programs are plagued by programming flaws that may lead to security vulnerabilities. This article will offer a brief overview of some of the factors that may contribute to insecure software.

http://www.securityfocus.com/infocus/1541

4. Understanding IDS Active Response Mechanisms
by Jason Larsen and Jed Haile

Debates still rage in the developer community over which methods of detecting attackers are best, but IDS customers as a whole are satisfied with the current IDS technology. To get an edge on the competition, many of the IDS vendors are adding active response capabilities to their products. The concept underlying this tactic is that the IDS will detect an attacker and then move to stop his attack. The problem is that any attacker with a basic knowledge of TCP/IP can easily defeat these mechanisms directly, or simply knock the network offline often enough that the Admin is forced to turn off the feature. It is important for Admins to know the limitations of active response mechanisms to avoid being blindsided by them.

http://www.securityfocus.com/infocus/1540

5. Reject the Corporate Secrecy Grab
By David Banisar

In the name of improving cyber security, corporations are pushing for exemptions to the U.S. Freedom of Information Act (FOIA) that are unnecessary and dangerous. These will result in crucial information being suppressed without improving security.

http://www.securityfocus.com/columnists/56

6. Passive Aggressive
by Jon Lasser

Black hats use 'passive fingerprinting' to identify your operating system without you knowing it. But the technique is useful for white hats too.

http://www.securityfocus.com/columnists/57

II. BUGTRAQ SUMMARY
-------------------

1.
rsync Signed Array Index Remote Code Execution Vulnerability
BugTraq ID: 3958
Remote: Yes
Date Published: Jan 25 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3958
Summary:
The rsync program is used to synchronize files and directory structures across a network. It is commonly used to maintain mirrors of ftp sites, often through anonymous access to the rsync server. It is available for Linux and other Unix operating systems. rsync is usually configured to run as the root user.

A vulnerability exists within some versions of rsync. Under some circumstances, a remotely supplied signed value is used as an array index. If a negative value is used as an array index, it is possible to access nearly arbitrary memory locations. It has been reported that this may only be used to write NULL (zero) bytes to memory.

If a remote attacker is able to exploit this vulnerability, they may write NULL bytes to arbitrary locations on the stack. This could lead to the corruption of data used to restore an instruction pointer, which in turn would modify the flow of execution of the program. If successfully exploited, this would result in the execution of arbitrary code as the root user.

It is possible that other versions of rsync share this vulnerability.

2. Sony VAIO Unauthorized System Access Vulnerability
BugTraq ID: 3959
Remote: Yes
Date Published: Jan 25 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3959
Summary:
An issue exists in Sony's VAIO pre-installed software which could allow a remote user full control of the user's system. This is achieved if a user accesses a maliciously crafted web page or receives a maliciously crafted HTML email or HTML file as an email attachment.

Further technical details are not available at this time.

It should be noted that all VAIO personal computers with "VAIO Manual CyberSupport for VAIO" pre-installed and sold in Japan from May 2001 are vulnerable.

3.
PGPFire Desktop Firewall ICMP Fingerprinting Vulnerability
BugTraq ID: 3961
Remote: Yes
Date Published: Jan 25 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3961
Summary:
PGPfire is a desktop firewall solution distributed and maintained by PGP Security. It is available for Microsoft Windows operating systems.

A problem with the software could make it possible for a remote user to fingerprint a system with the software installed. The problem is due to the alteration of the system TCP stack. When PGPfire is installed on a system, the software replaces the default Windows TCP stack with a version supplied in the PGPfire package. In doing so, it makes it easier to identify the operating system of the host. This is due to the fact that the altered TCP stack produces responses uncharacteristic of any other operating system.

This could allow a remote user to fingerprint and identify sensitive information systems, and could result in an organized attack against sensitive resources.

4. Alteon AceDirector Half-Closed HTTP Request IP Address Revealing Vulnerability
BugTraq ID: 3964
Remote: Yes
Date Published: Jan 25 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3964
Summary:
Alteon ACEdirector is a hardware load balancer distributed by Nortel Networks. ACEdirector runs the Nortel WebOS operating system.

A problem with the handling of some types of network traffic may make it possible for a remote user to gain sensitive information. The problem is in the handling of half-closed HTTP connections. It is possible to retrieve the real IP addresses of webservers that are managed by an ACEdirector.

When a client is connected to a webserver via the virtual IP address of the ACEdirector, the connection to a web server in the load balanced pool is tracked by a cookie and session id. The traffic is then altered to appear as though it is coming from the ACEdirector.
When a client has half-closed a connection to the ACEdirector, the load balancer will no longer alter the traffic to the client to appear as though it is coming from the ACEdirector's IP address. The traffic will continue to come from the webserver, but will instead come from the real IP address of the web server.

This problem makes it possible for a remote user to gather information about webservers, and could lead to an organized attack against network resources.

5. Tarantella Enterprise 3 gunzip Race Condition Vulnerability
BugTraq ID: 3966
Remote: No
Date Published: Jan 26 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3966
Summary:
Tarantella Enterprise 3 is vulnerable to a race condition during the installation process.

During installation, a root owned binary is created in /tmp (or the directory specified by the $TMPDIR environment variable) with the name gunzip#### where #### is a PID. It is later run by the installation process with root privileges. The race condition exists as there is a delay between writing the file and executing it by the installation procedure. Thus, it can be overwritten by a local user, as it is created with world writable permissions.

An attacker can only gain privileges in this manner if a privileged user is installing the software.

6. Compaq Intel PRO/Wireless 2011B LAN USB Device Driver Information Disclosure Vulnerability
BugTraq ID: 3968
Remote: No
Date Published: Jan 28 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3968
Summary:
Compaq's Intel PRO/Wireless 2011B LAN USB Device driver allows a user to connect a number of supported WLAN Ethernet devices via a USB port. It runs on Microsoft Windows platforms that support USB, such as Windows 98/ME/2000.

The Compaq Intel PRO/Wireless 2011B LAN USB Device driver may disclose sensitive information to local attackers. The 128-bit WEP (Wired Equivalent Privacy) key is stored in plaintext in the registry.
This sensitive information is stored in the appropriate registry key for the device, which by default may be accessed by unprivileged users. The WEP key may be used by the local attacker to decrypt all network traffic encapsulated in WEP.

7. BRU SetLicense Script Insecure Temporary File Symbolic Link Vulnerability
BugTraq ID: 3970
Remote: No
Date Published: Jan 26 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3970
Summary:
BRU is a commercially available backup software infrastructure available for both UNIX and Linux Operating Systems. It is distributed and maintained by the Tolis Group.

A problem with the software could make it possible for a local user to overwrite system files. This problem is in the creation of temporary files.

When BRU executes, it creates temporary files insecurely. When the setlicense script is executed, a couple of problems occur that could lead to the overwriting of system files. The first is that setlicense uses an easily predicted filename for the storage of data in the temporary directory. Upon execution, setlicense stores data in the file /tmp/brutest.$$, where $$ signifies the process id of the current shell. The second is that the setlicense script does not perform adequate checks on the temporary file prior to attempting to create and write to it. The setlicense script neglects to check for the existence of the file it is attempting to write to, and thus can be tricked into overwriting root owned files through symbolic links.

This makes it possible for a local user to overwrite arbitrary root owned files, and could potentially lead to denial of service, or local elevated privileges.

8. Hosting Controller Information Disclosure Vulnerability
BugTraq ID: 3971
Remote: Yes
Date Published: Jan 26 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3971
Summary:
Hosting Controller is an application which centralizes all hosting tasks to one interface.
Hosting Controller gives every user the control they need to manage the web site relevant to them. Hosting Controller runs on Microsoft Windows systems.

An issue has been discovered in Hosting Controller which may make it easier for remote attackers to brute-force user accounts. In particular, it is trivial for an attacker to determine if a username exists or not. When a user enters an invalid username, Hosting Controller gives the following feedback:

"The user name could not be found"

The following URLs are common paths to the login page:

http://www.thesite.com.tr/admin/
http://www.thesite.com.tr/webadmin/
http://www.thesite.com.tr/advwebadmin/
http://www.thesite.com.tr/hostingcontroller/

This issue allows the attacker to determine which usernames are valid. The attacker may then attempt a brute-force attack in an attempt to crack the passwords of valid usernames.

9. SAP SAPgui Denial of Service Vulnerability
BugTraq ID: 3972
Remote: Yes
Date Published: Jan 28 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3972
Summary:
SAP SAPgui is an application which allows users to access and complete transactions in SAP. This interface can be modified according to user preferences.

A problem with SAPgui could make it possible to deny service to legitimate users. The problem is in the handling of invalid connections. If a connection is made to a SAPgui host on the appropriate port by a tool such as nc or nmap, the SAPgui application will crash. As SAPgui has been reported to listen on a port below 1024, this condition will be caused by most port scans.

10. SGI O2 Video Session Viewing Information Disclosure Vulnerability
BugTraq ID: 3974
Remote: No
Date Published: Jan 28 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3974
Summary:
The SGI O2 workstation integrates high-quality graphics and powerful processing with built-in video. It runs the 6.5 series of the IRIX operating system.
A problem has been discovered in SGI O2 systems which may, under some circumstances, allow a local attacker to spy on the session of a user who is currently physically logged into a vulnerable machine. Sensitive information may be disclosed as a result.

The VCP (Video Control Panel) provides a graphical user interface for configuring certain types of video cards on SGI O2 systems. When the Default Input is set to "Output Video" using the VCP interface, it is possible for a user to launch videoout and then videoin to view events that are happening on the screen of the vulnerable host. The attacker may view the session of the user who is currently physically logged in to the host. Any xhosts or xauth settings on the host are effectively bypassed.

The attacker must have local access to the system for this issue to be exploited. This may lead to a disclosure of sensitive information.

It should be noted that this issue is specific to SGI O2 systems. Other SGI systems are not affected.

11. XInet K-AShare XKAS Program World Writable Icon Directory Vulnerability
BugTraq ID: 3969
Remote: No
Date Published: Jan 28 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3969
Summary:
K-AShare is a file sharing system designed to allow Apple Macintosh and Unix systems to share resources. It is maintained and distributed by Xinet.

A default installation of K-AShare installs an icon directory used by the system with insecure permissions. The /var/adm/appletalk/icons/ directory is created with world read and write permissions. One of the files in this directory, 'VOLICON', is copied to a directory being shared by an administrator through the xkas GUI utility. As a result of the icon directory permissions, a local user could remove the VOLICON file and create a symbolic link to an unreadable file such as /etc/shadow.
When the superuser executes the xkas program and shares a directory, the /etc/shadow file would be copied to the shared directory as file '.HSicon' with world-readable permissions. The attacker may then proceed to read the file, gaining possibly sensitive information (such as password hashes).

12. Agora.CGI Debug Mode Path Disclosure Vulnerability
BugTraq ID: 3976
Remote: Yes
Date Published: Jan 28 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3976
Summary:
Agora.cgi is a freely available, open source shopping cart system.

A vulnerability has been discovered in agora.cgi which may disclose potentially sensitive information to remote attackers. When debug mode is enabled, it is possible for a remote attacker to display the absolute path to the directory that the agora.cgi script is stored in. This is possible by making a web request for a non-existent .html file.

The remote attacker may potentially use the disclosed information to aid in further "intelligent" attacks against the host running the vulnerable software.

13. CNet CatchUp Remote Arbitrary Code Execution Vulnerability
BugTraq ID: 3975
Remote: Yes
Date Published: Jan 29 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3975
Summary:
CNET Catchup is a highly customizable utility for retrieving software updates for various products. It runs on Microsoft Windows 9x/ME/NT/2000/XP platforms. CNET Catchup functions by scanning the user's system and then creating a list of possible updates for software that is installed. The user then selects which updates to install. CNET Catchup also provides a feature for scanning the system for ad-ware.

A vulnerability has been discovered that may allow a remote attacker to execute arbitrary code on the host running CNET Catchup. Additionally, it may be possible for an attacker to remotely start the CNET Catchup utility.

Successful exploitation of this issue may result in a full compromise of the host running the vulnerable software.

14.
Xoops Remote SQL Injection Vulnerability
BugTraq ID: 3977
Remote: Yes
Date Published: Jan 29 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3977
Summary:
Xoops is open-source, freely available web portal software written in object-oriented PHP. It is back-ended by a MySQL database and will run on most Unix and Linux distributions.

A vulnerability exists in the script userinfo.php, included with Xoops. It includes user supplied input in a SQL statement, and fails to correctly escape special characters. As a result, it is possible to modify and subvert the original query.

Exploitation of this vulnerability may result in the disclosure of sensitive information. Additionally, error messages resulting from the SQL statement are passed to the remote user. This may leak additional, valuable information about the structure of the SQL statement.

15. Xoops Private Message Box Cross-Site Scripting Vulnerability
BugTraq ID: 3981
Remote: Yes
Date Published: Jan 29 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3981
Summary:
Xoops is open-source, freely available web portal software written in object-oriented PHP. It is back-ended by a MySQL database and will run on most Unix and Linux distributions.

Xoops includes a Private Message System for users, so that they may send messages to one another. The script pmlite.php is used to access this system. This script does not properly escape user supplied data, and is vulnerable to a cross-site scripting attack. Script tags may be submitted as part of the image parameter. When another user views this page, the malicious script code will be executed on that user in the context of the site running Xoops.

This issue may be exploited by an attacker to steal a legitimate user's cookie-based authentication credentials, among other things.

16.
SAS SASTCPD Command Line Argument Buffer Overflow Vulnerability
BugTraq ID: 3979
Remote: No
Date Published: Jan 29 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3979
Summary:
sastcpd is a "Job Spawner" included with the base installation of the SAS Software infrastructure. It is available for various platforms. This issue affects systems running the Unix, Linux, and Microsoft operating systems.

A problem with the software could make it possible for a local user to gain elevated privileges. The problem is in the handling of long command line arguments.

A problem has been discovered in the sastcpd program. sastcpd is a job spawning program included with the SAS Base product. By default, it is installed setuid root. When sastcpd is executed with a command line argument of 1200 characters, a buffer overflow occurs. This overflow can result in the overwriting of stack variables, including the return address, and the execution of arbitrary code. As the sastcpd program is installed setuid root, the code will be executed with administrative privileges.

This problem makes it possible for a local user to gain administrative access.

17. SAS SASTCPD Command Format String Vulnerability
BugTraq ID: 3980
Remote: No
Date Published: Jan 29 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3980
Summary:
sastcpd is a "Job Spawner" included with the base installation of the SAS Software infrastructure. It is available for various platforms. This issue affects systems running the Unix, Linux, and Microsoft operating systems.

A problem with the software could make it possible for a local user to gain elevated privileges. The problem is in the handling of format strings.

A problem has been discovered in the sastcpd program. sastcpd is a job spawning program included with the SAS Base product. By default, it is installed setuid root. sastcpd is vulnerable to a format string attack.
When executed with a command line argument containing format specifiers, it is possible to overwrite arbitrary addresses in memory. This can result in the execution of arbitrary code. As the sastcpd program is installed setuid root, the code will be executed with administrative privileges.

This problem makes it possible for a local user to gain administrative access.

18. PhpSmsSend Remote Shell Command Execution Vulnerability
BugTraq ID: 3982
Remote: Yes
Date Published: Jan 29 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3982
Summary:
PhpSmsSend is a front end to the SmsSend program, and allows users to send SMS messages through a web interface. SmsSend is available for Linux and Microsoft Windows.

PhpSmsSend accepts a message to send as a user supplied CGI parameter. This data is then used to build a command calling SmsSend. PhpSmsSend does not properly validate user input used in this manner. A malicious party may include shell metacharacters such as ` in the input, and execute additional, arbitrary shell commands.

Exploitation of this vulnerability could lead to arbitrary code being executed as the script user, generally 'nobody'. This could lead to local access to the vulnerable system, from which point further elevated privileges may be easier to obtain.

19. Xoops Private Message System Cross-Site Scripting Vulnerability
BugTraq ID: 3978
Remote: Yes
Date Published: Jan 29 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3978
Summary:
Xoops is open-source, freely available web portal software written in object-oriented PHP. It is back-ended by a MySQL database and will run on most Unix and Linux distributions.

Xoops includes a Private Message System for users, so that they may send messages to one another. The Title: field of the Private Message System does not sufficiently filter HTML tags. This makes it possible for an attacker to supply malicious input for the Title: field which contains arbitrary script code.
When another user receives the attacker's private message, the malicious script code will be executed on that user in the context of the site running Xoops.

This issue may be exploited by an attacker to steal a legitimate user's cookie-based authentication credentials, among other things.

20. Etype EServ Passive Mode Denial of Service Vulnerability
BugTraq ID: 3983
Remote: Yes
Date Published: Jan 29 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3983
Summary:
EType EServ is a combination Mail, News, Web, FTP and Proxy Server for Microsoft Windows 9x/NT/2000 systems.

There is an exploitable denial of service vulnerability in the EServ FTP server. It is possible to cause the server to stop accepting passive mode commands. This is accomplished by sending a large number of 'PASV' requests, consuming ports 1024 to 5000. In the event that the affected service crashes, it will have to be restarted in order to regain normal functionality.

This vulnerability does not require any user authentication to exploit.

21. Etype EServ Bounce Attack Vulnerability
BugTraq ID: 3986
Remote: Yes
Date Published: Jan 29 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3986
Summary:
EServ is a combination Mail, News, Web, FTP and Proxy Server for Microsoft Windows 9x/NT/2000 systems.

EServ is prone to FTP bounce attacks. An attacker who logs in to the FTP server may use the PORT command to connect to an arbitrary port on a remote host. The PORT command is normally intended to be used to create a connection to the client machine on a high-numbered port.

As a result of this vulnerability, the attacker may use the FTP server as a proxy.

22. fwmon Oversized Packet Denial of Service Vulnerability
BugTraq ID: 3984
Remote: Yes
Date Published: Jan 25 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3984
Summary:
fwmon is a firewall monitoring tool. It works with the Linux operating system, and either iptables or ipchains.
It is able to provide more detailed information on network traffic than the standard ipchains log. It is possible for some versions of fwmon to crash when the kernel sends an oversized packet. If an attacker were able to exploit this condition, it may be possible to create a denial of service condition. If firewall monitoring is disrupted, further attacks against the host would go undetected. This would not impact the effectiveness of the firewall, only the quality of the log data. 23. AHG Search Engine Search.CGI Arbitrary Command Execution Vulnerability BugTraq ID: 3985 Remote: Yes Date Published: Jan 29 2002 12:00A Relevant URL: http://www.securityfocus.com/bid/3985 Summary: Search.CGI is a component of the HTMLsearch Search Engine software distributed by AHG. The software is available for the Unix, Linux, and Microsoft platforms. A problem with the script could make it possible for a remote user to execute arbitrary commands. The problem is in the filtering of input. The search.cgi script included with the AHG Search Engine does not adequately filter input. Due to lack of sufficient input sanitization, it is possible for a remote user to pass semi-colon (;) and pipe (|) characters through a search request. This can result in the commands encapsulated between the symbols being executed with the privileges of the web server. This problem makes it possible for a remote user to execute arbitrary commands on a vulnerable system. On UNIX systems, this would likely be as an unprivileged user. On Microsoft systems, these commands may be executed with SYSTEM privileges. 24. Netjuke Remote Command Execution Vulnerability BugTraq ID: 3988 Remote: Yes Date Published: Jan 26 2002 12:00A Relevant URL: http://www.securityfocus.com/bid/3988 Summary: Netjuke is a web based audio streaming jukebox program which supports MP3, Ogg Vorbis, and other music file formats. 
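The PhpSmsSend (18) and search.cgi (23) entries above describe the same defect: a CGI parameter is spliced into a shell command string, so the shell, not the program, decides what the backtick, semicolon or pipe in it means. The block below is an added example, not code from either project: it shows the unsafe concatenation beside a no-shell argv builder and escapeshellarg-style quoting, and a check over constructed access-log lines for the metacharacters the advisories name. The 'smssend' binary taking <recipient> <message> as arguments and the log lines are assumptions.

```python
"""Added example (not PhpSmsSend or AHG project code): the command-string
defect from the PhpSmsSend and search.cgi entries, beside hardened forms.

Assumptions: a 'smssend' binary taking <recipient> <message> as arguments,
and constructed (not captured) access-log lines for the detection check.
"""
import re
import shlex
from typing import List, Tuple
from urllib.parse import parse_qsl

# Characters named in the advisories (` ; |) plus the other Bourne-shell
# separators and substitution/redirection markers.  Whitespace and quotes
# are deliberately excluded so ordinary message text is not flagged.
SHELL_METACHARS = set("`$;|&<>\n\r")


def unsafe_command(recipient: str, message: str) -> str:
    """The vulnerable pattern: user text is concatenated, unquoted, into a
    string that will be handed to /bin/sh.  Returned here, never executed."""
    return "smssend " + recipient + " " + message


def contains_shell_metachars(value: str) -> bool:
    """True when a value carries characters a shell would interpret."""
    return any(ch in SHELL_METACHARS for ch in value)


def is_valid_recipient(recipient: str) -> bool:
    """Allow-list check: an optional '+' followed by 6 to 15 digits."""
    return re.fullmatch(r"\+?[0-9]{6,15}", recipient) is not None


def safe_argv(recipient: str, message: str) -> List[str]:
    """Hardened form 1: no shell at all.  Pass the list to subprocess.run()
    with shell=False; each element reaches smssend as one argument, so a
    backtick or ';' inside the message is just text to the program."""
    if not is_valid_recipient(recipient):
        raise ValueError("recipient is not a phone number")
    if "\x00" in message:
        raise ValueError("NUL byte in message")  # would truncate the argument
    if message.startswith("-"):
        raise ValueError("message must not look like an option")
    return ["smssend", recipient, message]


def safe_shell_command(recipient: str, message: str) -> str:
    """Hardened form 2: when a shell string is unavoidable, quote every
    argument.  shlex.quote() plays the role of PHP's escapeshellarg()."""
    if not is_valid_recipient(recipient):
        raise ValueError("recipient is not a phone number")
    return " ".join(["smssend", shlex.quote(recipient), shlex.quote(message)])


def shell_would_see(command: str) -> List[str]:
    """Tokenise a command string the way a POSIX shell would, to show that
    the quoted form keeps the whole message as a single word."""
    return shlex.split(command)


# Constructed Common Log Format lines (not captured traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [29/Jan/2002:10:01:02 +0000] "GET /cgi-bin/search.cgi?q=packet+filter&lang=en HTTP/1.0" 200 1532
192.0.2.55 - - [29/Jan/2002:10:01:09 +0000] "GET /cgi-bin/search.cgi?q=firewall%3Bid HTTP/1.0" 200 87
192.0.2.55 - - [29/Jan/2002:10:01:11 +0000] "GET /sms.php?msg=hello%60uname%60 HTTP/1.0" 200 44
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')


def suspicious_requests(log_text: str) -> List[Tuple[str, str]]:
    """Detection: flag requests whose decoded query values carry shell
    metacharacters.  Values are decoded per parameter, so the '&' and '+'
    of the query-string syntax itself do not trigger a hit."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        _, _, query = target.partition("?")
        for _name, value in parse_qsl(query, keep_blank_values=True):
            if contains_shell_metachars(value):
                hits.append((client, target))
                break
    return hits


if __name__ == "__main__":
    for client, target in suspicious_requests(SAMPLE_LOG):
        print(f"shell metacharacters in request from {client}: {target}")
```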
An issue exists in Netjuke which could enable remote attackers to execute arbitrary commands as the web server user. Exploitation of this issue could lead to a compromise of the host.

This issue may be a result of insufficient validation of user input passed to an eval call. No further technical details are available at this time.

25. Microsoft Windows NTFS File Hiding Vulnerability
BugTraq ID: 3989
Remote: No
Date Published: Jan 29 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3989
Summary:
There exists a condition in Microsoft Windows operating systems using NTFS that may allow for files to be hidden.

Though the NTFS filesystem allows for a 32000 character path, Microsoft Windows operating systems (NT4, 2000 and XP) enforce a 256 character limit. Any attempt to create, traverse or otherwise operate on a path longer than 256 characters will fail.

By using drives mapped to directories created with 'SUBST', it is possible to create directory paths longer than 256 characters. This can be accomplished by creating directories on the 'SUBST' drive. The directories on the drive will be subdirectories in the tree to which the drive is mapped. Creating these directories may result in the total absolute path exceeding the 256 character limit.

If the absolute path of a directory created on a 'SUBST' mapped drive exceeds 256 characters, any files within will be inaccessible through traversing the full path. The files may still be accessed through the paths on the mapped drive. If the drive is deleted, the files may be completely inaccessible unless a drive is re-mapped to the same position in the directory tree.

This vulnerability poses a serious risk to programs which scan the filesystem, such as antivirus software. When attempting to traverse the long path, Norton Antivirus and Kaspersky Antivirus fail to scan files in the long directory trees due to the Windows path restrictions. Furthermore, if a virus executes, the scanners do not scan its disk image because it is inaccessible. Exploitation of this vulnerability may allow for viruses to remain undetected on filesystems.

Attackers may also be able to hide files using this vulnerability, as Explorer and any other utility cannot traverse the paths where they are stored. It is not yet known which programs may be affected and in what ways.

This report has not been confirmed by Microsoft and will be updated as more information becomes available.

26. Lotus Domino Username Enumeration Vulnerability
BugTraq ID: 3991
Remote: Yes
Date Published: Jan 30 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3991
Summary:
Lotus Domino Server is an application framework for web based collaborative software. It runs on multiple platforms including Windows and Unix.

An issue has been reported in Lotus Domino server, which could allow remote users to determine whether a username exists on a host. When a remote user submits a GET request for a possible user's account, the server response will assist the user in determining the validity of the username submitted. In a case where the tested username is valid, the server replies with an HTTP 200 OK message and the login screen. Alternatively, when the tested username does not exist on the system, the server responds with 404 File not Found. Because the server responds differently in each case, a remote user can test and enumerate possible usernames.

Properly exploited, this information could be used in further attacks on the vulnerable host.

III. SECURITYFOCUS NEWS AND COMMENTARY
------------------------------------------
1. FBI Issues Water Supply Cyberterror Warning
By Kevin Poulsen
Al-Qaida terrorists have scoured the Web for information on the computerized systems that control water distribution and treatment, NIPC warns
http://www.securityfocus.com/news/319

2. Accused Ebay Hacker put on Electronic Leash
By Kevin Poulsen
A federal judge rules that Jerome Heckenkamp can go home, but under tighter anti-computer restrictions and close electronic monitoring
http://www.securityfocus.com/news/318

3. Senator Introduces New Cybercrime Bills
By Brian Krebs, Newsbytes
Sen. John Edwards, D-N.C., on Monday introduced a pair of bills that would increase funding and training to help fight computer crime and cyberterrorism.
http://www.securityfocus.com/news/317

IV. SECURITYFOCUS TOP 6 TOOLS
-----------------------------
1. SILC (Secure Internet Live Conferencing)(Toolkit) v0.7.3
by Priikone
Relevant URL: http://silcnet.org/
Platforms: Linux, UNIX
Summary:
SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services on the Internet over insecure channels. SILC superficially resembles IRC, although they are very different internally. The purpose of SILC is to provide secure conferencing services. Strong cryptographic methods are used to secure all traffic. SILC is delivered as SILC Client for end users, SILC Server for system administrators, and SILC Toolkit for application developers.

2. EnderUNIX spamGuard v1.0
by EnderUNIX Team
Relevant URL: http://www.enderunix.org/spamguard/
Platforms: Linux, POSIX, UNIX
Summary:
spamGuard is a small application that automagically monitors spammer activity in mail server logs. For the time being, the program supports the qmail MTA and features multilog logging.

3. Securepoint Firewall and VPN Server SB v2.06
by Lutz Hausmann, lutz.hausmann@linkx.de
Relevant URL: http://www.securepoint.cc/download.htm
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
Summary:
The Securepoint Firewall Server is a high-performance, commercial-grade application designed to offer full protection for network assets. Securepoint is a complete software system with its own operating system, based on a secure Linux.
You can use the firewall on a standard PC with two or three network cards, and it is easy to install and administer.

4. Win Sniffer v1.22
by WinSniffer Inc.
Relevant URL: www.winsniffer.com
Platforms: Windows 2000, Windows 95/98, Windows NT
Summary:
Win Sniffer captures passwords on a LAN. It captures ftp, http, telnet, icq, pop3, imap and other passwords.

5. Appcap v0.12
by Paul Starzetz
Relevant URL: http://appcap.ihaquer.com/
Platforms: Linux
Summary:
Appcap is a tricky application for x86 Linux which allows a user with enough power (usually the superuser) on a machine to attach and redirect the standard input and output of any application to his/her actual tty. In this way the superuser obtains an instrument for looking into ordinary users' sessions. This may be very useful if you suspect some of your users of doing nasty things from your machine.

6. Secure FTP Wrapper v2.0pr2
by Glub Tech, Inc.
Relevant URL: http://www.glub.com/products/ftpswrap/download.shtml
Platforms: Java
Summary:
Secure FTP Wrapper is a server-based package that enables an existing FTP server to become a Secure FTP server. In this release the wrapper allows for a Secure Sockets Layer, or SSL, connection to be made to your FTP server.

V. SECURITY JOBS SUMMARY
------------------------
1. Communications Consultant/Project Manager (with Security Experience) (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=050B8C29FC907D44B2068CF14FD06722BF8115@bestcx1.best-people.co.uk&threads=1

2. Advice on entering the security field (training, qualifications etc..) (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=001801c1aa48$561d90f0$142a2a0a@local&threads=1

3. Web Security Engineer (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=20020130181310.24537.qmail@mail.securityfocus.com&threads=1

4. Needed: Security Consultants - DC/Virginia area (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=5544986F9407D611A5900008C7096406076E65@EXCHANGE&threads=1

5. Junior-level Security Administrator/Engineer (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=20020130162655.AAB12537@cas.org&threads=1

6. (job offered) HIPAA Security Compliance Consultant (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=MGENLCPOCDFIHEFHOLGOMECDCFAA.colleen.nelson@certifiedonly.com&threads=1

7. Would that be appropriate content for securityjobs list? (fwd) (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=4.3.2.7.2.20020130135613.03603ed0@pop1.sympatico.ca&threads=1

8. Would that be appropriate content for securityjobs list? (fwd ) (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=99A0CE50F3E7D4118DC50001028B30BC01F17F2E@unassigned.webex.com&threads=1

9. Security System Development Positions Available (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=20020130004519.31101.qmail@mail.securityfocus.com&threads=1

10. Seeking: Information Security/Penetration Testing Position (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=20020129181636.14369.qmail@mail.securityfocus.com&threads=1

11. Seeking a Security Position in Northern Virginia/DC-Metro (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=KNELJCGONFABHNBELAJEMEEKCCAA.chintam@erols.com&threads=1

12. Intrusion Detection Management Position (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=01af01c1a907$eec779c0$4c6ea8c0@ambiguous&threads=1

13. Enterprise Systems Developer - Job #681 - NJ (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=3C56C205.F4F959B7@erols.com&threads=1

14. CSIRC SHIFTWORK in Leesburg, VA (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=C515289F68A7D511A0E400A0C9ADE1163743F5@astor.artelinc.com&threads=1

15. Seeking a software position (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=99E837AD9DB8D311A97A00508B6F2ACC0376D118@flex1.sra.com&threads=1

16. Freelance Security Consultant and Trainer (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=79838CFE470AD511A7F10002B33055F402C5E7@ThisAddressDoesNotExist&threads=1

17. Security positions available.. (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=B926E8E70FC34E48AB984F7F7D72B36D5B1F20@exchange01&threads=1

18. Positions open at CORE Security Technologies - NYC (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=08ce01c1a819$6ffbb460$2e58a8c0@ffornicario&threads=1

19. Looking For Internship In Computer Security (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=F122VjYKtWfN3vSAMfK00002095@hotmail.com&threads=1

20. Resume: Senior Software Developer (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=163CB231.30E34EC7.00A93B4A@netscape.net&threads=1

21. Seeking Information Security position in Denver area (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=20020128194236.436.qmail@web20310.mail.yahoo.com&threads=1

22. Any jobs in Canada (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=Pine.GSO.4.05.10201281042500.20318-200000@rain.cise.ufl.edu&threads=1

23. Senior Security Account Managers - Based in the UK (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=NFBBIBNDCLFOHGFCKFFBGEBPCNAA.Julie.Holmwood@Eton-Mai.co.uk&threads=1

24. Resume (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=20020126203836.8046.qmail@mail.securityfocus.com&threads=1

25. Network/Security Administrator Candidate, (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=009c01c1a668$e0c4ad80$0c64a8c0@systemgroup.net&threads=1

26. Resume for Kurt Seifried (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=006001c1a6ac$87e063a0$6400030a@seifried.org&threads=1

27. UK Contract Opportunity - IT Security Incident Response Planner (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=20020126132713.24761.qmail@mail.securityfocus.com&threads=1

28. Seeking an entry level position in Security (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=20020126052321.3406.qmail@mail.securityfocus.com&threads=1

29. seeking a position in information security (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=F52cFPTy8hcpz5rTxM000011a7e@hotmail.com&threads=1

30. Entry level candidate (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=Pine.GSO.4.05.10201251820250.17102-200000@rain.cise.ufl.edu&threads=1

31. (jobs offered) Security/IT candidates needed (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=MGENLCPOCDFIHEFHOLGOGEMDCEAA.colleen.nelson@certifiedonly.com&threads=1

32. Contracting Position (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=85256B4C.004F13AD.00@corp4.tsi.net&threads=1

VI. INCIDENTS LIST SUMMARY
-------------------------
1. DDoS to microsoft sites (? avenues of attack!) (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=7EBD5E15B02AD511BE270003471B7B5103C9A276@wasexc101a.fdic.gov&threads=1

2. formmail - abuse contact for broadwing.net?
(Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=8HwdcDtjaCB@robinton.gmx.de&threads=1

3. New Virus/Worm - Frontpage? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=3C58B012.96414142@iinet.net.au&threads=1

4. DDoS to microsoft sites (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=005501c1aa69$a2013280$e25f753f@desktop01&threads=1

5. suspicious packets (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=F175lQKoZVlKAIpZwYm000070f2@hotmail.com&threads=1

6. Apache 1.3.XX (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=004601c1a9fe$ee563920$0200a8c0@nbs&threads=1

7. Odd scan (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=1128.207.158.135.103.1012419027.squirrel@fire-eyes&threads=1

8. UDP port 500 traffic from two clients (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=20020129174743.DF762B5@proven.weird.com&threads=1

9. DDoS attack. (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=20020128184707.GC25601@pine.nl&threads=1

10. is this enumeration? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=81070896086202499A8EC09CBCC4F5F511141E@dc2-msg1.remingtonltd.com&threads=1

11. Lots of scans by SSH-1.0-SSH_Version_Mapper (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=BAECKHLFBCDACOFIIOLBEEDHCBAA.bswopes@isecorp.com&threads=1

12. Honeypot challenge you've probably already heard about (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=005101c1a6d4$171193b0$0501a8c0@mark&threads=1

13. port 22224?? What the heck (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=5.1.0.14.2.20020126132418.00a7d148@mail.baribault.net&threads=1

14. DDoS help! (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=200201261806.g0QI6k303052@gotak.dyn.dhs.org&threads=1

15. Odd string in packet... (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=0GQI00G0MPVPCF@smtp2.clear.net.nz&threads=1

16. Strings of 'EEEE' in pings... (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=3C51C79C.722662A@cmc.cwo.net.au&threads=1

17. Odd connection attempts from many addresses (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=Pine.LNX.4.33.0201251745360.2322-100000@homer.cmp.liv.ac.uk&threads=1

VII. VULN-DEV RESEARCH LIST SUMMARY
----------------------------------
1. CSS, CSS & let me give you some more CSS (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=EMEPKDIHDAGPPCPOJIKBCEMICFAA.obscure@eyeonsecurity.net&threads=1

2. buffer overflow on whois (redhat linux 7.0/7.1 on i686) (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=Pine.BSI.4.05L.10201311838410.884-100000@maxx.mc.net&threads=1

3. switch jamming (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=B36C365832C90E47A37F4FFCDDEFC46D04F645@hkisrv08.tw.fi&threads=1

4. Big Security Holes in Portix-PHP Portal (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=F111BdyFj9ZYhtBct7900011414@hotmail.com&threads=1

5. Black Hat Windows Security Keynotes announced (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=3C59CAA4.BC549383@thievco.com&threads=1

6. Script to find domino's users (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=3C59646D.C44B49F8@ciudad.com.ar&threads=1

7. DoS against DHCP (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=3C5907F3.531D75B8@nruns.com&threads=1

8. SPI Labs SQL Injection Whitepaper Released (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=3C5887EA.19AE1525@kampbjorn.com&threads=1

9. Enumerating users on a Domino webserver (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=RQC865E0C7QL62ZVZV2ZHE75PJ3PJ.3c582551@NICOLAS&threads=1

10. Looking for old Interbase proof-of-concept exploit (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=20020130095425.V59911-100000@tasam.com&threads=1

11. PhpSmsSend remote execute commands bug (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=Pine.LNX.4.33.0201300145300.3877-100000@mataram.1rstwap.com&threads=1

12. SSH brute forcer (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=20020128195437.12736.qmail@mail.securityfocus.com&threads=1

13. eNom Domain Registration Services Domain Hijacking Vulnerability (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=003101c1a816$e22a1480$ecc283d9@ts&threads=1

14. [NGSEC] Whitepaper Released: Polymorphic shellcodes vs.ApplicationIDSs (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=3C55AFF9.22670E12@corest.com&threads=1

15. [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=20020127220734.F0.0@bobanek.nowhere.cz&threads=1

16. ASP Security (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=HMEHIOMBONNDKPCGPBGHMEGLCBAA.mark@curphey.com&threads=1

17. Lame: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDS (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=Pine.LNX.4.33.0201270012410.6211-100000@insomniac.ath.cx&threads=1

18. CGI THREAT: Malicious data injection into Perl modules. (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=3C50B769.6070202@dds.nl&threads=1

VIII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Windows 2000/.Net Group Policy Locker (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=E748F5C5A5A8D411B14100508BDCB15CD7FC47@mail.mis.sandstream.com&threads=1

2. Outlook 2002 SP-1 Plain Text Patch Problem (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=003301c1aab8$a952e110$020ba8c0@jankariwo.com&threads=1

3. latest MS Advisory ms02-001 (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=70465867425FD411A011006008926532013CFD@noc.theworks.com&threads=1

4. "undelete" for NT2000 file sharing? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=93CAA6F0D1EBD311A00C00508B2C2D668B728F@uiexch2.unind.com&threads=1

5. Early Summary: RE: UPnP on Windows 2000 Pro? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=15448.32471.540918.131799@gargle.gargle.HOWL&threads=1

6. UPnP on Windows 2000 Pro? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=MKEAIJIPCGAHEFEJGDOCEEJEDOAA.marc@eeye.com&threads=1

7. NetBIOS Enumeration Utility 1.1 now available! (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=20020130005650.22436.qmail@mail.securityfocus.com&threads=1

8. two questions that need answering (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=LMEDKDLGMAAFJHCJKOIFOEBECFAA.alancr@ntlworld.com&threads=1

9. Microsoft CSP Random Key Generation (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=LMEDKDLGMAAFJHCJKOIFAEBECFAA.alancr@ntlworld.com&threads=1

10. Terminal Service Question (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=GHEGKEPDEHBCJCAIIMKAGEJOCEAA.sypox@swip.net&threads=1

11. Exchange 5.5 RPC Encryption (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=C3E5D03891AAD411BC6000508B1214FF01F3383B@us-cwi-exc-a05.cwi.cablew.com&threads=1

12. SecurityFocus Microsoft Newsletter #71 (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=Pine.LNX.4.43.0201281235450.19908-100000@mail.securityfocus.com&threads=1

13. Administrivia: Fun with Viruses (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=Pine.LNX.4.43.0201281148510.19908-100000@mail.securityfocus.com&threads=1

14. Persistent Shares viewable between users? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=NFEFLALDPOIFPKKBBCDNKEHPCCAA.bill.mote@bigfoot.com&threads=1

15. Enterprise Web application Security (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=011d01c1a681$a8dc81e0$e00992da@kornet.net&threads=1

16. Risk Analysis and Management Tool (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=200201261646.g0QGk1901487@uekae.uekae.gov.tr&threads=1

17. How to get my encrypted files back - Copy to FAT32... (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=LMEDKDLGMAAFJHCJKOIFEEPBCEAA.alancr@ntlworld.com&threads=1

IX. SUN FOCUS LIST SUMMARY
----------------------------
1. /etc/default/passwd and SSH (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=92&mid=200201311316.OAA19837@romulus.Holland.Sun.COM&threads=1

X. LINUX FOCUS LIST SUMMARY
---------------------------
1. apache and nimbda (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=91&mid=20020130220245.L26840@jensbenecke.de&threads=1

2. Mitigating SYN flooding with Netfilter or net.ipv4.tcp_syncookies ? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=91&mid=13CFD9ED17AAD411982B00D0B76DFB8A013705A9@WHEAT&threads=1

XI. SPONSOR INFORMATION
-----------------------
This issue is sponsored by: MIS Training Institute (MISTI)
http://www.misti.com

InfoSec World Conference and Expo/2002, March 18-20, 2002 in Orlando, delivers proven strategies and solutions to the hottest infosecurity issues: wireless device security, PKI, encryption, thwarting hacker attacks, firewalls, IDSs, vulnerability tests, enterprisewide security, VPNs, and more. For complete details and to register, go to:
http://www.misti.com/northamerica.asp?page=4
-------------------------------------------------------------------------------