Summary of Security Items from August 4 through August 17, 2004
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends and viruses identified between August 4 and August 17, 2004.
Bugs, Holes, & Patches
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Updates to items appearing in previous bulletins are listed in bold. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
Windows Operating Systems Only
- Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow Vulnerability
- ACME Labs thttpd Input Validation Error Discloses Files to Remote Users
- Clearswift MAILsweeper Fails to Detect and Analyze Some Attachment Formats
- Clearswift MIMEsweeper for Web Directory Traversal Vulnerability
- IceWarp Web Mail Multiple Unspecified Vulnerabilities
- Keene Digital Media (KDM) Server Multiple Vulnerabilities
- Microsoft Windows Task Scheduler Vulnerability
- Microsoft POSIX Vulnerability Could Allow Code Execution
- Microsoft Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks
- Microsoft Internet Explorer Address Bar Spoofing Vulnerability
- NGSEC StackDefender 1.10 Invalid Pointer Dereference Vulnerability
- Serv-U Local Privilege Escalation Vulnerability
- SapparoWorks BlackJumboDog Has Buffer Overflow in the FTP Service
- Sun JRE Win32 Native Assertion Error Lets Malicious Applets Deny Service
- Sygate Secure Enterprise Multiple Vulnerabilities
- Symantec Clientless VPN Gateway 4400 Series Multiple Vulnerabilities
- VentaFax Command Execution Lets Local Users Gain Elevated Privileges
- WIDCOMM Bluetooth Connectivity Software Buffer Overflow Vulnerabilities
UNIX / Linux Operating Systems Only
- Adobe Acrobat Reader Shell Command Injection and Buffer Overflow Vulnerability
- Apache Can Be Crashed By PHP Code
- Benchmark Designs' WHM Autopilot Backdoor Allows Plaintext Credential Leakage
- CVSTrac "filediff" Arbitrary Command Execution Vulnerability
- Ethereal: Multiple Security Problems
- Gaim Buffer Overflows in Processing MSN Protocol
- Geeklog Default Installation Lets Remote Users Access the Installation Script
- Gentoo Tomcat Privilege Escalation Vulnerability
- gv Local Buffer Overflow
- HP-UX Process Resource Manager Bug Lets Local Users Corrupt Files
- HP VirtualVault / Webproxy Multiple Vulnerabilities in Apache
- KDE Insecure Temporary File Creation Vulnerability
- Konqueror Frame Injection Vulnerability
- Linux Kernel sys_chown() Bug May Let Remote NFS Users Modify Group Permissions on Files
- Linux Kernel 64-bit to 32-bit File Offset Conversion Errors Disclose Kernel Memory to Local Users
- Paul L Daniels ripMIME Base64 Decoding May Terminate Prematurely When Decoding Virus Attachments
- Peter F. Brown Simple Form Open Mail Relay Vulnerability
- phpMyWebhosting SQL Injection Vulnerabilities
- Redhat GNOME VFS Updates Address extfs Vulnerability
- Rsync Input Validation Error in sanitize_path() May Let Remote Users Read or Write Arbitrary Files
- Shorewall Insecure Temporary File Creation Vulnerability
- SGI IRIX CDE Multiple Vulnerabilities
- Sourceforge.net Pavuk Digest Authentication Buffer Overflow Vulnerabilities
- SoX ".WAV" File Processing Buffer Overflow Vulnerabilities
- SpamAssassin Lets Remote Users Deny Service By Sending Malformed Messages
- Team OpenFTPD Format String Flaw Lets Remote Authenticated Users Execute Arbitrary Code
- xine Buffer Overflow in Processing 'vcd' Identifiers Lets Remote Users Execute Arbitrary Code
Multiple Operating Systems - Windows / UNIX / Linux / Other
- AOL Instant Messenger aim:goaway URI Handler Buffer Overflow Vulnerability
- Apache ap_escape_html Remote Denial of Service
- Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
- CuteNews "archive" Parameter Cross-Site Scripting Vulnerability
- CVS Undocumented Flag Information Disclosure Vulnerability
- eNdonesia 'mod.php' Input Validation Vulnerability in Search 'query' Parameter Permits Cross-Site Scripting Attacks
- GoScript Input Validation Hole Lets Remote Users Execute Arbitrary Commands
- IBM Tivoli Access Manager HTTP Response Splitting Vulnerability
- Juniper Networks NetScreen ScreenOS Can Be Crashed By Remote Users Due to an SSHv1 Implementation Bug
- Mark Burgess Cfengine RSA Authentication Heap Corruption
- Matt Johnston Dropbear SSH Server DSS Verification Vulnerability
- Moodle Input Validation Flaw in 'post.php' in reply Variable Permits Cross-Site Scripting Attacks
- Mozilla Multiple Vulnerabilities
- Nokia IPSO Denial of Service Vulnerability
- Opera Browser Spoofing Vulnerability
- JetBoxOne CMS Arbitrary File Upload Vulnerability / JetBoxOne Leaves Account Database Unencrypted
- PHP-Nuke Search Box Cross-Site Scripting Vulnerabilities
- PluggedOut Blog Input Validation Hole in 'blogid'
- PHP Development Group Multiple Vulnerabilities in libpng
- QuiXplorer Input Validation Hole in 'item' Parameter Discloses Files to Remote Users
- Simon Tatham PuTTY System Compromise Vulnerability
- Sun Solaris XDMCP Parsing Vulnerability
- The Webmaster Guide Board Power Forum Contains Cross-Site Scripting Vulnerability
- Thompson SpeedTouch Home ADSL Modem Predictable TCP ISN Generation
- Volker Rattel phpBB Fetch All SQL Injection Vulnerability
- vRating Discloses Sensitive Information and Grants Administrative Access to Remote Users
- WackoWiki textsearch Cross-Site Scripting Vulnerability
- Xavier Cirac Shuttle FTP Suite Directory Traversal Vulnerability
Risk is defined as follows:

- High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
- Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
- Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
Recent Exploit Scripts/Techniques
The table below contains a sample of exploit scripts and "how to" guides identified during this period. Items listed in boldface/red (if any) are attack scripts/techniques for which vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have not published workarounds or patches, or which represent scripts that malicious users are utilizing.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.
| Date of Script | Script Name | Script Description |
|---|---|---|
August 17, 2004 | SpecificMAIL.theft.txt | A freeware spam filter for Outlook and Outlook Express that is extremely intrusive and acts more as spyware than a useful utility to users. |
August 16, 2004 | proc_kmem_dump.c | Script that exploits the Linux Kernel Proc_kmem_dump vulnerability. |
August 14, 2004 | aimAway.c | Proof of concept exploit for AOL Instant Messenger aim:goaway URI Handler Buffer Overflow Vulnerability. |
August 13, 2004 | ethereal-0.10.6.tar.gz | A GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. |
August 13, 2004 | gv-exploit.c | Script that exploits the gv Local Buffer Overflow vulnerability. |
August 13, 2004 | netgearDG834G.txt | The Netgear DG834G has a hardcoded root password of zebra and a debug mode that allows for an immediately available rootshell. |
August 13, 2004 | priv8afp.pl | Remote root exploit for Mac OS X Apple Filing Protocol Buffer Overflow vulnerability. |
August 12, 2004 | aircrack-1.1.tgz | An 802.11 WEP cracking program that can recover a 40-bit or 104-bit WEP key once enough encrypted packets have been gathered. It implements the standard FMS attack along with some optimizations, thus making the attack much faster compared to other WEP cracking tools. |
August 12, 2004 | freedom.c | Remote CVS exploit for the Double free() Heap Overflow vulnerability. |
August 12, 2004 | mercantec_softcart.pm | Exploit for the Mercantec Softcart CGI Buffer Overflow vulnerability. |
August 12, 2004 | pngslap.c | Script that exploits the Libpng Buffer Offset Calculation Overflow vulnerability. |
August 12, 2004 | rkhunter-1.1.5.tar.gz | Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. |
August 11, 2004 | 0x4553_Exorcist.tar.gz | A tool that can be considered an anti-anti-ptrace utility that unlocks the ptrace_traceme guard of a binary. |
August 11, 2004 | 0x4553_Scorpion.tar.gz | Tool for infecting statically linked ELF binaries. |
August 11, 2004 | 0x4553-Static_Infecting.html | White paper that discusses a method of infecting statically linked ELF |
August 11, 2004 | c030224-001.txt | Detailed exploit details for the ServerMask Header Identification vulnerability. |
August 11, 2004 | framework-2.2.tar.gz | The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. This release includes 18 exploits and 27 payloads. |
August 11, 2004 | OllyExp.c | Script that exploits the OllyDbg Debugger Messages Format String vulnerability. |
August 10, 2004 | linuxKernelFileOffsetPointerHandlingExploit.c | Exploit for the Linux Kernel File 64-Bit Offset Pointer Handling Kernel Memory Disclosure vulnerability. |
August 9, 2004 | Xines_Mine.c | Script that exploits the Xine Buffer Overflow vulnerability. |
August 9, 2004 | yapig_script_injection.php | Exploit for the YaPiG Remote Server-Side Script Execution vulnerability. |
August 8, 2004 | servulocal.c | Script that exploits the RhinoSoft Serv-U FTP Server Default Administration Account vulnerability. |
August 7, 2004 | pavuk.c | Script that exploits the Pavuk Digest Authentication Buffer Overflow Vulnerabilities. |
August 7, 2004 | pavukWebSpider.c | Script that exploits the Pavuk Digest Authentication Buffer Overflow Vulnerabilities. |
August 6, 2004 | apache-dos.pl | Perl script that exploits the Apache ap_escape_html Remote Denial of Service vulnerability. |
August 6, 2004 | apacheEscapeHeaderD0SExploit.c | Script that exploits the Apache ap_escape_html Remote Denial of Service vulnerability. |
August 5, 2004 | aircrack-1.0.tgz | An 802.11 WEP cracking program that can recover a 40-bit or 104-bit WEP key once enough encrypted packets have been gathered. |
August 5, 2004 | bjd361exp.cpp | Proof of Concept exploit for the BlackJumboDog FTP Buffer Overflow vulnerability. |
August 5, 2004 | C-MD5.tar.bz2 | MD5 Brute Force Tool that tests the security of MD5 passwords by attempting to brute force them. |
August 5, 2004 | evil_song.py | Exploit for the SoX ".WAV" File Processing Buffer Overflow Vulnerability. |
August 5, 2004 | hoagie_openftpd.c | Remote root exploit for OpenFTPD Format String vulnerability. |
August 5, 2004 | HOD-ms04022-task-expl.c | Exploit for the Microsoft Windows Task Scheduler Remote Buffer Overflow vulnerability. |
August 5, 2004 | hydra-4.2-src.tar.gz | A high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. |
August 5, 2004 | isec-0016-procleaks.txt | Exploit for the Linux Kernel 64-bit to 32-bit File |
August 5, 2004 | mailEnable.txt | Exploit for the MailEnable Content-Length Denial Of Service vulnerability. |
August 5, 2004 | openf.c | Remote root exploit for OpenFTPD Format String vulnerability. |
August 5, 2004 | pocExploitEtherealiSNSProtocolVuln.c | Proof of Concept exploit for the Ethereal iSNS Protocol Denial of Service vulnerability. |
August 4, 2004 | drop-root.c | Script that exploits the Dropbear SSH Server DSS Verification Vulnerability. |
August 4, 2004 | FreeWebChat[Mir]DoS-po.cc | Script that exploits the Free Web Chat Denial Of Service Vulnerabilities. |
August 4, 2004 | FreeWebChat_ir_RC_poc.java | Exploit for the Free Web Chat Denial Of Service Vulnerabilities. |
August 4, 2004 | libpn.gc | Script that exploits the LibPNG Graphics Library Denial of Service vulnerability. |
August 4, 2004 | linuxKernelFileOffsetPointerHandlingExploit.c | Script that exploits the Linux Kernel File 64-Bit Offset Pointer Handling Kernel Memory Disclosure Vulnerability. |
August 4, 2004 | soxWAVfilebufferoverflowexploi.tc | Exploit for the SoX ".WAV" File Processing Buffer Overflow Vulnerability. |
Trends
- Seven months since the W32/Bagle mass-mailing virus first appeared on the Internet, US-CERT continues to see new variants appearing and many variants (new and old) continuing to spread. Many variants of W32/Beagle are known to open a backdoor on an infected system which can lead to further exploitation by remote malicious users.
Viruses/Trojans
Top Ten Virus Threats
A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported during the latest three months), and approximate date first found.
| Rank | Common Name | Type of Code | Trends | Date |
|---|---|---|---|---|
1 | W32/Netsky-P | Win32 Worm | Stable | March 2004 |
2 | W32/Zafi-B | Win32 Worm | Stable | June 2004 |
3 | W32/Netsky-Q | Win32 Worm | Increase | March 2004 |
4 | W32/Netsky-D | Win32 Worm | Slight Increase | March 2004 |
5 | W32/Netsky-B | Win32 Worm | Slight Increase | February 2004 |
6 | W32/Netsky-Z | Win32 Worm | Decrease | April 2004 |
7 | W32/Bagle-AA | Win32 Worm | Decrease | April 2004 |
8 | W32/MyDoom-M | Win32 Worm | New to Table | July 2004 |
9 | W32/MyDoom-O | Win32 Worm | New to Table | July 2004 |
9 | I-Worm.Bagle.z | Win32 Worm | New to Table | April 2004 |
9 | I-Worm.Bagle.AI | Win32 Worm | New to Table | July 2004 |
10 | Worm_Sasser.B | Win32 Worm | Decrease | April 2004 |
10 | W32/Netsky-C | Win32 Worm | Return to Table | March 2004 |
10 | W32/Mydoom.s@MM | Win32 Worm | New to Table | August 2004 |
10 | W32/Mydoom.q | Win32 Worm | New to Table | August 2004 |
New Viruses / Trojans
Viruses or Trojans Considered to be a High Level of Threat
- Brador/Bardoor: These are the first known backdoor Trojans for Pocket PC hand-held devices. They send the IP address of the infected handheld to the malicious user and open various TCP ports. Brador only affects Windows Mobile 2003 (Pocket PC 2003 and Windows CE 4.2) and ARM-based devices.
The following table provides, in alphabetical order, a list of new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer Associates, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects.

NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.