
SANS ISC InfoSec Handlers Diary Blog



Black Tuesday Summary

Published: 2005-10-11
Last Updated: 2005-10-11 20:17:26 UTC
by Joshua Wright (Version: 2)
0 comment(s)
Thanks to Lorna for putting together a summary of today's patching fun:


Bulletin   Supersedes                                          Severity   Impact
MS05-044   N/A                                                 Moderate   Tampering
MS05-045   N/A                                                 Moderate   Denial of Service
MS05-046   N/A                                                 Important  Remote Code Execution
MS05-047   MS05-039                                            Important  Remote Code Execution and Local Elevation of Privilege
MS05-048   N/A                                                 Important  Remote Code Execution
MS05-049   MS05-016, MS05-024                                  Important  Remote Code Execution
MS05-050   MS05-030                                            Critical   Remote Code Execution
MS05-051   MS05-010, MS05-026, MS05-039, MS05-012, MS04-012    Critical   Remote Code Execution
MS05-052   MS05-037, MS05-038                                  Critical   Remote Code Execution


MS05-045: Network connection Manager DoS

Published: 2005-10-11
Last Updated: 2005-10-11 20:11:21 UTC
by Joshua Wright (Version: 2)
KB: 905414

CVE: CAN-2005-2307

The Network Connection Manager is used to manage different network connections (e.g. LAN, dial-up, ...). A specially crafted packet sent to a connection can cause the Network Connection Manager to die. However, it will restart once a new request is received.

Not much of a vulnerability. It requires an already authenticated (=connected) user, and the impact appears to be minimal. The latest versions of Windows are not vulnerable (XP SP2, Win2k3 SP1). However, older and still popular versions are (like XP SP1, Win2k3 pre-SP1, Win2k).

Firewall best practices can be used to mitigate the issue.

MS05-045

MS05-051 Vulnerabilities in MSDTC and COM+

Published: 2005-10-11
Last Updated: 2005-10-11 20:10:08 UTC
by Joshua Wright (Version: 1)
MS05-051 is actually 3 unrelated vulnerabilities wrapped into one advisory. To aid in our discussion, I split it into '05-051-A' through '05-051-C':

MS05-051-A: MSDTC Vulnerability
KB: 902400
CVE: CAN-2005-2119

MSDTC stands for "Microsoft Distributed Transaction Coordinator". This facility allows programmers to combine updates sent to several programs or systems into a "transaction". This ensures consistency across several applications.

This vulnerability is particularly serious for Windows 2000. In the case of Windows 2000, a remote user may trigger the vulnerability without having to log in. For Windows 2k3 and XP, a user would have to log in first.

Either way, an exploit for this vulnerability would provide full system access. One of the other non-system vulnerabilities could leverage the MSDTC problem to gain full system access.

As a quick workaround, you should disable the network access to DTC. See this MSDN Article for details. Even if you patch, you should still disable remote access to DTC if you don't need it.

Quick note on how to disable DTC:


sc stop MSDTC & sc config MSDTC start= disabled
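
As an added example (not code from the ISC diary or from Microsoft), the same workaround as a PowerShell function: it reports the MSDTC service state first, stops and disables the service only when asked, and then verifies the result. The function name and the -Apply switch are this example's own choices. Run it in an elevated session, and keep in mind that a host which relies on distributed transactions loses that capability, which is why the text above says to disable DTC only if you don't need it.

```powershell
# Added example, not the diary's or Microsoft's code: PowerShell equivalent of
#   sc stop MSDTC & sc config MSDTC start= disabled
# with a read-only report by default and a verification step after applying.
function Disable-MsdtcService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Without -Apply the function only reports; with it, the service is stopped and disabled.
        [switch]$Apply
    )

    $svc = Get-Service -Name 'MSDTC' -ErrorAction Stop

    if (-not $Apply) {
        Write-Output ("MSDTC is {0}, start type {1}. Re-run with -Apply to stop and disable it." -f
            $svc.Status, $svc.StartType)
        return $svc
    }

    if ($svc.Status -ne 'Stopped' -and $PSCmdlet.ShouldProcess('MSDTC', 'Stop service')) {
        Stop-Service -Name 'MSDTC' -Force
    }
    if ($PSCmdlet.ShouldProcess('MSDTC', 'Set start type to Disabled')) {
        Set-Service -Name 'MSDTC' -StartupType Disabled
    }

    # Re-read the service and fail loudly if the workaround did not take effect.
    $after = Get-Service -Name 'MSDTC'
    if ($after.Status -ne 'Stopped' -or $after.StartType -ne 'Disabled') {
        throw ("MSDTC is still {0} / {1}; workaround not applied." -f $after.Status, $after.StartType)
    }
    $after
}

Disable-MsdtcService             # report only
# Disable-MsdtcService -Apply     # stop and disable
# Disable-MsdtcService -Apply -WhatIf   # show what would change without touching the service
```

The -WhatIf form is the one to use first on a server you are not sure about: it prints the two actions the function would take and changes nothing.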


eEye discovered the vulnerability and provided a cookbook for writing an exploit as part of its advisory. It shouldn't take too long to see this exploited.

Additional information about this vulnerability has been published by iDefense, available at http://www.idefense.com/application/poi/display?id=319

--------

MS05-051-B: COM+ Vulnerability
KB: 902400
CVE: CAN-2005-1878

COM+ is used to allocate resources to applications. By keeping, for example, connection pools and allocating connections to processes as needed, programs are able to run faster as they do not have to initiate a new connection each time.

On Win2k and XP-SP1, an attacker can use this vulnerability to remotely obtain administrator privileges without having to authenticate. On XP-SP2 and Win2k3, this vulnerability can only be used to escalate privileges of a local authenticated user.

Standard firewalling procedures (UDP 135,137,138,445 and TCP 135,139,445,593) can help mitigate the vulnerability. However, if you have COM Internet services enabled, or RPC over HTTP, you will also have to firewall port 80 and 443.
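
As an added example (not code from the ISC diary or from Microsoft), here is the port list above turned into inbound block rules with the Windows Firewall cmdlets that exist on Windows 8 / Server 2012 and later. The function and rule names are this example's own choices; the -IncludeRpcOverHttp switch adds 80 and 443 for the COM Internet Services / RPC over HTTP case the text mentions. Blocking these ports host-wide also breaks file sharing and RPC-based management on a domain member, so scope the rules with -RemoteAddress to the untrusted networks you actually want to keep out.

```powershell
# Added example, not the diary's or Microsoft's code: block the DCOM/RPC/SMB
# ports listed for MS05-051-B (UDP 135,137,138,445 and TCP 135,139,445,593).
# Requires an elevated session; use -WhatIf to preview.
function Block-DcomPorts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Also block TCP 80/443, needed only when COM Internet Services or RPC over HTTP is enabled.
        [switch]$IncludeRpcOverHttp,
        # Restrict the rules to these sources, e.g. '0.0.0.0/0' minus your LAN; default is any address.
        [string[]]$RemoteAddress = 'Any'
    )

    $sets = @(
        @{ Protocol = 'UDP'; Ports = 135, 137, 138, 445 },
        @{ Protocol = 'TCP'; Ports = 135, 139, 445, 593 }
    )
    if ($IncludeRpcOverHttp) {
        $sets += @{ Protocol = 'TCP'; Ports = 80, 443 }
    }

    foreach ($s in $sets) {
        $name = "Block inbound $($s.Protocol) $($s.Ports -join ',') (MS05-051 workaround)"
        # Idempotent: a second run does not create duplicate rules.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$name' already present; skipping."
            continue
        }
        if ($PSCmdlet.ShouldProcess($name, 'New-NetFirewallRule')) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
                -Protocol $s.Protocol -LocalPort $s.Ports -RemoteAddress $RemoteAddress `
                -Profile Any | Out-Null
        }
    }

    # Report the port filters now attached to this workaround's rules.
    Get-NetFirewallRule -DisplayName '*MS05-051 workaround*' |
        Get-NetFirewallPortFilter |
        Select-Object Protocol, LocalPort
}

Block-DcomPorts -WhatIf          # preview the rules that would be created
# Block-DcomPorts                 # create them
# Block-DcomPorts -IncludeRpcOverHttp -RemoteAddress '203.0.113.0/24'   # constructed example range
```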

Patching this vulnerability is critical for Win2k users. XP-SP1 users should patch and update to SP2 if possible. You may also want to consider disabling DCOM in addition to patching. See the MSFT bulletin for details.

----------

MS05-051-C: TIP Vulnerability and Distributed TIP Vulnerability
KB: 902400
CVE: CAN-2005-1979, CAN-2005-1980

The Transaction Internet Protocol ('TIP') is used by MSDTC (see MS05-051-A) to interface with other transaction managers. The particular vulnerability discussed here is a denial of service vulnerability which will cause TIP to cease responding if a specially crafted message is received.

Additional information about this vulnerability has been published by iDefense, available at http://www.idefense.com/application/poi/display?id=320

----------

http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx


MS05-049 Windows Shell Vulnerability

Published: 2005-10-11
Last Updated: 2005-10-11 20:08:56 UTC
by Joshua Wright (Version: 1)
MS05-049: Vulnerabilities in Windows Shell Could Allow Remote Code Execution (900725)

Impact: Remote Code Execution
Rating: Important
Supersedes: MS05-016 and MS05-024

This bulletin has three parts to it.

Shell Vulnerability - CAN-2005-2122: A vulnerability exists in the way that Windows handles the .lnk file extension. A .lnk file is a shortcut which points to another file and can contain properties that are passed on to the file it points to. As such, an attacker taking advantage of this would be able to execute code on the victim's system by getting the victim to open the .lnk file.

Shell Vulnerability - CAN-2005-2118: Same information as above. The main difference appears to be that instead of opening the .lnk file, the victim only needs to view the properties of the .lnk file.

Web View Script Injection Vulnerability - CAN-2005-2117: This vulnerability deals with the Web View format used by Microsoft Explorer to view files and their information. A vulnerability exists in the way that Microsoft handles the validation of HTML characters within certain fields of the files. An attacker taking advantage of this would be able to take complete control of the victim's system if the victim views the malicious file with the Web View format turned on in Explorer.

http://www.microsoft.com/technet/security/Bulletin/MS05-049.mspx

MS05-050 Vulnerability in DirectShow

Published: 2005-10-11
Last Updated: 2005-10-11 20:07:04 UTC
by Joshua Wright (Version: 2)
KB: 904706
CVE: CAN-2005-2128

DirectShow is part of DirectX. This component is used to display audio and video streams. DirectX is able to do so very fast and efficiently by taking advantage of hardware-specific acceleration.

In order to trigger this vulnerability, a user has to open a malicious .avi video file. If opened, the file may execute arbitrary code. This vulnerability is not able to escalate privileges by itself, so whatever damage is done will be limited to files the user running DirectShow has access to.

Malicious .avi files would likely be delivered as an instant message link, a URL on a web site or they may be attached to an e-mail message.

Standard "safe computing" practices will help mitigate this vulnerability. For example, do not log in as "Administrator" for day to day work and avoid accessing untrusted web sites. However, these steps are not perfect and patching is highly recommended.

In some cases, in particular on servers, you may be able to do without DirectX. Let us know if you have a recipe on how to disable DirectX.

http://www.microsoft.com/technet/security/Bulletin/MS05-050.mspx

MS05-046 Client Service for NetWare Vulnerability

Published: 2005-10-11
Last Updated: 2005-10-11 19:50:43 UTC
by Patrick Nolan (Version: 5)
MS05-046 affects "Customers who use the Client or Gateway Service for NetWare" using Microsoft Windows 2000 Service Pack 4, Windows XP Service Pack 1, XP Service Pack 2, Windows Server 2003 and Windows Server 2003 Service Pack 1.

The update "resolves a newly-discovered, privately-reported vulnerability", MS rates it Important, and MS says update at your "earliest opportunity".

I rate it "Critical": test and deploy this update ASAP. One reason is that Microsoft notes "CSNW is commonly associated with the Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX) protocols. However, CSNW could be exploited by using any installed protocol".

In the MS list of workarounds, one reasonable workaround is "Block TCP ports 139 and 445 at the firewall" and "use a personal firewall". An unreasonable workaround is that MS says you can remove CSNW.
CVE CAN-2005-1985 is "(under review)" and "Reserved" so far.

NOT AFFECTED - Microsoft Windows XP Professional x64 Edition, Windows Server 2003 for Itanium-based Systems, Windows Server 2003 with SP1 for Itanium-based Systems, Windows Server 2003 x64 Edition, Windows 98, Windows 98 Second Edition (SE), and Windows Millennium Edition (ME).

(Thanks to Patrick Nolan for putting this summary together!)

MS05-044 Windows FTP Client File Transfer Location Tampering

Published: 2005-10-12
Last Updated: 2005-10-12 16:05:22 UTC
by Joshua Wright (Version: 2)

MS05-044 Vulnerability in the Windows FTP Client Could Allow File Transfer Location Tampering

KB: 905495
CVE: CAN-2005-2126

This bulletin and the related patch resolve a newly discovered public vulnerability.  The flaw exists in the Windows FTP Client on Windows 2000 SP4 (with IE 6 SP1), XP SP1 and Windows Server 2003 computers.  An attacker can exploit the flaw to tamper with the file transfer location on the client during an FTP file transfer session.  When a client has manually chosen to transfer a file via FTP on affected systems, the attacker can redirect the storage location to a location such as the Startup Folder.  In general, if you do not download files from un-trusted FTP (or any other) servers then you really won't have a problem.  Unfortunately, most end users are too trusting of links on the web and in email and can be exploited in a few situations.

Per Microsoft, the vulnerability is mitigated in 3 ways.

1) "The attacker would have to successfully persuade end users to visit an FTP server hosting files with specially-crafted file names" and would not have a way of forcing the files to be transferred.  This would require our end users to interact with dialog boxes and click on links without concern.
2) If a file of the same name already exists in this alternate location, then an "Overwrite File" warning message will be presented.  If end users click through the dialog box, then it will go ahead and overwrite the file.
3) If the Internet Explorer setting "Enable Folder View for FTP Sites" is changed from the default disabled state, then the attack will be successful.

http://www.microsoft.com/technet/security/Bulletin/MS05-044.mspx

MS05-047 Vulnerability in PnP Could Allow Remote Code Execution

Published: 2005-10-11
Last Updated: 2005-10-11 18:52:13 UTC
by Joshua Wright (Version: 1)
KB: 905749
CVE: CAN-2005-2120

This patch addresses a remote code execution and local elevation of privilege vulnerability which exists in Plug and Play.  This vulnerability is similar to the one addressed by MS05-039; however, it requires the attacker to have valid logon credentials to exploit the flaw.  For those that have not patched for MS05-039 under Windows 2000, this issue could be exploited remotely by anonymous users.  On Windows XP SP2 computers, the attacker must be able to log on locally in addition to having valid logon credentials for the administrator.  This patch replaces MS05-039, released in August, of Zotob worm fame.

The standard practice of blocking ports 139 and 445 TCP will help slow exploitation of this. Just remember that the road warriors who are connected to less firewalled locations can potentially bring any such activity inside your organization.

Microsoft rates this vulnerability as Important severity as it does require valid logon credentials to attack a host.  Knowing that many corporations and academic organizations use a common password for the local administrator or other accounts on desktop computers, it is not inconceivable to me that this could be more critical than it first looks.  Any passwords that were compromised with MS05-039 (or any other patches in the past year) could be used to satisfy the need for local credentials on 2000 and XP systems prior to exploitation.  If all compromises of hosts in the past year or so resulted in all related passwords across the domain being changed, then this will be a mostly non-event.  If old passwords are still in use, then botnets or other malware will widely exploit this one in due time.

http://www.microsoft.com/technet/security/Bulletin/MS05-047.mspx

MS05-048 CDO Object Remote Code Execution

Published: 2005-10-11
Last Updated: 2005-10-11 18:46:55 UTC
by Joshua Wright (Version: 1)
MS05-048

KB: Win2K SP4 - KB901017, WinXP SP1/SP2 - KB901017, Win2K3 - KB901017
CVE: CAN-2005-1987

Collaboration Data Objects (CDO) allow Windows systems to send email through SMTP or a Microsoft Exchange server.  An unchecked buffer in the CDO functions for Windows 2000 and later systems (CDOSYS) and in Microsoft Exchange servers (CDOEX) allows an attacker to compromise the target host.  In order to trigger this vulnerability, an attacker has to deliver a specially-crafted mail message via SMTP which is processed by the event sink handling subsystem, designed for granular processing of CDO messages.

The mitigating circumstance for this vulnerability is that the IIS 5.0 and Exchange 2000 SMTP services do not use event sinks by default.  The IIS 6.0 SMTP service does use event sinks and is therefore vulnerable, but IIS 6 does not install the SMTP service by default.  There is some confusion in the Microsoft bulletin about Exchange 2003, as it is listed both as "not vulnerable" and in the "affected software" section of the bulletin.

The challenge in determining whether your IIS SMTP service or Exchange 2000 system is vulnerable is that it depends on whether or not you are using event sinks on your system.  Third-party software such as SPAM gateways or anti-virus systems may install event sinks to process email messages, making these products vulnerable to this flaw.

The workaround is to disable event sinks, which may not be an option for your third-party AV or SPAM filtering software.  Customers should apply the patches to resolve this flaw at the earliest opportunity.

http://www.microsoft.com/technet/security/Bulletin/MS05-048.mspx

MS05-052 Cumulative Security Update for Internet Explorer (896688)

Published: 2005-10-11
Last Updated: 2005-10-11 18:39:21 UTC
by Patrick Nolan (Version: 1)
Microsoft has released Microsoft Security Bulletin MS05-052 and reports the "Impact of Vulnerability: Remote Code Execution", "Maximum Severity Rating: Critical" and their "Recommendation: Customers should apply the update immediately.".

Once again, watch out for this one, because the only thing one part of this cumulative update does is set "the kill bit for the affected Class Identifiers (CLSID) in these COM objects.". And it's a growing list of kill bits MS is setting.
 
In your environment, if you cannot accept setting the kill bits involved in this "Cumulative" update, then you are effectively prevented from receiving other portions of the update, including "improvements to the Internet Explorer Pop-up Blocker" and "improvements to the Internet Explorer Add-on Manager." MS also mentions that the "Cumulative" Security Update "includes a kill bit for the ADODB.Stream object. This kill bit was released previously, but not as part of a security update. For more information about the ADODB.Stream object, see Microsoft Knowledge Base Article 870669. The Class Identifier (CLSID) for this object is 00000566-0000-0010-8000-00AA006D2EA4."
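
Because a kill bit is just a registry value, you can verify on any host whether a given CLSID is already killed, which answers the question "did the update land?" for the kill-bit portion independently of the rest of it. The following is an added example, not code from the ISC diary or from Microsoft: it reads the Internet Explorer "ActiveX Compatibility" entry for a CLSID and checks the 0x400 kill-bit flag (that location and value are the documented IE mechanism, not something quoted on this page), and it can set the bit while preserving any other flags present. The ADODB.Stream CLSID is the one quoted above; the function names are this example's own.

```powershell
# Added example, not the diary's or Microsoft's code: read/set the IE kill bit.
# Location: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# Value:    Compatibility Flags (DWORD), bit 0x400 = kill bit.
$script:KillBit    = 0x400
$script:CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'   # 32-bit IE on x64
)

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $guid = '{' + $Clsid.Trim('{}').ToUpper() + '}'
    foreach ($base in $script:CompatKeys) {
        $key   = Join-Path $base $guid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Clsid   = $guid
            View    = $(if ($base -like '*Wow6432Node*') { 'x86 (WOW64)' } else { 'native' })
            Flags   = $(if ($null -ne $flags) { '0x{0:X}' -f $flags } else { '<no entry>' })
            KillBit = ($null -ne $flags) -and (($flags -band $script:KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Clsid)
    $guid = '{' + $Clsid.Trim('{}').ToUpper() + '}'
    foreach ($base in $script:CompatKeys) {
        if (-not (Test-Path $base)) { continue }       # no WOW64 view on 32-bit Windows
        $key = Join-Path $base $guid
        if ($PSCmdlet.ShouldProcess($key, 'Set Compatibility Flags bit 0x400')) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            $cur = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
            $new = [int]$cur -bor $script:KillBit      # keep any other flags already set
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
        }
    }
    Test-KillBit -Clsid $Clsid
}

# ADODB.Stream, the CLSID quoted in MS05-052
Test-KillBit -Clsid '00000566-0000-0010-8000-00AA006D2EA4'
# Set-KillBit  -Clsid '00000566-0000-0010-8000-00AA006D2EA4' -WhatIf   # preview; drop -WhatIf to apply (elevated)
```

Test-KillBit returns one row per registry view, so on a 64-bit host a CLSID that is killed for 64-bit IE but not in the Wow6432Node view shows up as only half covered, which is exactly the case a per-host audit wants to catch.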

CVE CAN-2005-2127

Previous commentary on kill bits - Open letter from the handlers

Affected Software:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

A portion of this "Cumulative" update replaces MS05-037 and MS05-038.

SSL 2.0 Rollback in OpenSSL

Published: 2005-10-11
Last Updated: 2005-10-11 15:32:15 UTC
by Erik Fichtner (Version: 1)
New versions of OpenSSL have been released today (0.9.7h and 0.9.8a) to address a potential cryptographic weakness.  In servers that have enabled SSL_OP_ALL for compatibility reasons, the session is vulnerable to a potential rollback to SSL 2.0, even in the presence of SSL 3.0 and TLS 1.0, due to the implied SSL_OP_MSIE_SSLV2_RSA_PADDING setting.  Note that SSL 2.0 suffers from several cryptographic vulnerabilities, including allowing an attacker to manipulate the encrypted contents of packets without the possibility of being detected.

This can be solved by either disabling SSL 2.0 entirely on either endpoint, or by upgrading the server software to one of the new OpenSSL versions.

For more information, see:  http://www.openssl.org/news/secadv_20051011.txt


More on hunting rogue access points

Published: 2005-10-11
Last Updated: 2005-10-11 15:04:28 UTC
by Jim Clausing (Version: 3)
If you haven't read Kevin Liston's story from Friday on his adventures hunting down rogue access points, please go read it.  I have to mention one other resource: if it comes to your area, check out the SANS Stay Sharp Program "Defeating Rogue Access Points" class.  I had the opportunity to teach it in June and it does an excellent job of covering the fundamentals of how to track down these rogues in your environment.

------------------
Jim Clausing, jclausing/at/isc.sans.org  and http://handlers.sans.org/jclausing/

CA iGateway debug mode HTTP GET request bo vulnerability/exploit

Published: 2005-10-11
Last Updated: 2005-10-11 10:28:31 UTC
by Patrick Nolan (Version: 1)
Computer Associates has an announcement concerning an "iGateway debug mode HTTP GET request buffer overflow vulnerability" that says "Remote attackers can execute arbitrary code." Exploit code is publicly available. There is no patch available at this moment; the recommended workaround is "do not run iGateway in debug mode." The Computer Associates announcement references CA iGateway 3.0 and CA iGateway 4.0.