+====================================================================+
|                                                                    |
|                        The SANS NT Digest                          |
|                                                                    |
|            March 26, 1999            Volume 2, Number 3            |
|                                                                    |
|            Editor: Jesper M. Johansson                             |
|                    (University of Minnesota)                       |
|                                                                    |
|            Contributing Editors:                                   |
|              Dr. Matt Bishop (Univ. California, Davis)             |
|              Jeff Brown (Merrill Lynch)                            |
|              Phil Cox (NTS)                                        |
|              Mark T. Edmead (IBM Global Security Services)         |
|              Chris Lalka (Exxon)                                   |
|              Eric Maiwald (Fortrex)                                |
|              Rob Marchand (Array Systems)                          |
|              Dr. Gene Schultz (Global Integrity Corporation,       |
|                                an SAIC Company)                    |
|                                                                    |
+=====A Resource for Computer and Network Security Professionals=====+

**********************************************************************

Copyright 1999. The SANS Institute. All rights reserved.

You may forward this issue to your co-workers and encourage them to subscribe by sending a note with the subject "NT Digest" to digest@sans.org. Unsubscribe or change address by forwarding this digest to digest@sans.org with simple instructions. Subscribe by sending a note with the subject "NT Digest" to .

**********************************************************************

This month we received the fix for the KnownDLLs list vulnerability from last month. We also found three other new hotfixes, including one Y2K related hotfix. There have been bugs discovered in a few third-party applications, and we also tell you a little about some trojans, or potential trojans. Lastly, we will tell you how to make NT a little more UNIX like.

JMJ

**********************************************************************

Table of Contents

1. Microsoft Security Bulletins
   1.1. Update to KnownDLLs list vulnerability
   1.2. Windows NT Screensaver Vulnerability and patch
   1.3. MS Exchange 5.5 "Malformed Bind request" vulnerability and patch
2. MS Hotfixes
   2.1. RNR-FIX
   2.2. Scrnsav-fix
   2.3. Smss-fix
   2.4. Sms-fix
   2.5. Y2KUPD
   2.6. roll-up
3. Other NT Issues
   3.1. Date/Time Control Panel Bug
   3.2. Extension mapping and implications
   3.3. Internet Explorer 5 released
        3.3.1. Cross-domain security violation in control
        3.3.2. Cookies
        3.3.3. Currently identified bugs and incompatibilities
               3.3.3.1. Diamond video drivers
               3.3.3.2. PPTP
4. IIS Issues
   4.1. Password Storage
5. Third-party Software issues
   5.1. ArcServe IT transmits loosely encrypted passwords over the network
   5.2. SLMail 3.1 and 3.2 Remote Administration Vulnerability
   5.3. IMail 5.0 buffer overflow vulnerabilities
   5.4. Conseal PC Firewall update available
6. Trojans etc.
   6.1. NetBus Pro
   6.2. ProMail 1.21
7. Tip of the month: Use UNIX commands

**********************************************************************

1. Microsoft Security Bulletins

This month Microsoft released three new security bulletins, one of which was an update to a previous bulletin.

1.1. Update to KnownDLLs list vulnerability

Microsoft released the fix for the KnownDLLs list vulnerability from last month, and updated the bulletin. The fix is available at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP4/Smss-fix/

The updated security bulletin is available at:
http://www.microsoft.com/security/bulletins/ms99-006.asp

The attendant KBase article is available at:
http://support.microsoft.com/support/kb/articles/q218/4/73.asp

1.2. Windows NT Screensaver Vulnerability and patch

A privilege elevation vulnerability was discovered in the mechanism by which NT launches screen savers. These are launched in SYSTEM context and then switch their context to that of the logged on user. However, the screen saver mechanism never verifies that the second context switch was successfully made. This may enable an attacker who can log on interactively to launch a screen saver which causes the second context switch to fail, leaving the screen saver running in the SYSTEM context.
At that point, the program could, for example, add the user to the Administrators group. Note that this would give the user administrative access over the machines controlled by the current SAM. Thus, it is primarily an issue on workstations, since un-trusted users ordinarily have no logon privileges on servers and domain controllers. However, all current versions of NT are vulnerable.

A fully supported fix for SP4 is available at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP4/Scrnsav-fix/

For Terminal Server the fix is at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40TSE/hotfixes-postSP3/ScrnSav-fix/

The security bulletin is available at:
http://www.microsoft.com/security/bulletins/ms99-008.asp

The attendant KBase article is available at:
http://support.microsoft.com/support/kb/articles/q221/9/91.asp

1.3. MS Exchange 5.5 "Malformed Bind request" vulnerability and patch

A buffer overflow issue was discovered in MS Exchange 5.5. The issue involves the use of the Bind request in the LDAP service. If you have turned off LDAP support, you are not at risk from this issue.

A fix is available at:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostSP2/DIR-fix/

The security bulletin is available at:
http://www.microsoft.com/security/bulletins/ms99-009.asp

The KBase article is at:
http://support.microsoft.com/support/kb/articles/q221/9/89.asp

**********************************************************************

2. MS Hotfixes

2.1. RNR-FIX

This fix addresses issues documented in KBase articles Q214864, Q216091, and Q217001. The first two of these articles are available on the March Technet CD. The latter article is not yet available on Technet. The issue involves a bug in the GetHostByName() call which may return an invalid IP address. This has been shown to affect multihomed computers in which one interface is disabled in the current hardware profile.
In such a situation, GetHostByName() may return the IP address for the disabled interface. The problem could also affect Microsoft Exchange.

The fix, which is not completely regression tested, is available at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP4/Rnr-fix/

2.2. Scrnsav-fix

This fix repairs the screen saver issue discussed in item 1.2 above. It is available at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP4/Scrnsav-fix/

2.3. Smss-fix

This is the fix for the KnownDLLs issue discussed in item 1.1 above. It is available at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP4/Smss-fix/

2.4. Sms-fix

This is a repost of the fix for the SNMP memory leak we reported in the December 1998 Digest. We do not know, and Microsoft does not volunteer the information, what was changed in this repost. The updated fix is available at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP4/Sms-fix/

This fix is also contained in the roll-up hotfix discussed in item 2.6.

2.5. Y2KUPD

This fix updates MFC40.dll. The MFC has an internal function to resolve dates that adds 1900 to any two-digit year passed to it. However, programs that use this function may not correctly parse the date. This could result in the year 2000 being identified as the year 100, for example. The fix is discussed in Q218877 and Q221120. It is available at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP4/Y2KUPD/

2.6. roll-up

This hotfix contains several prior hotfixes in one package. The following hotfixes are in this package: Sms-fix, Gina-fix, Msv1-fix, Nprpc-fix, Clik-fix, Tcpip-fix and the infget hotfix for IIS.

**********************************************************************

3. Other NT Issues

3.1. Date/Time Control Panel Bug

A serious problem in the Date/Time control panel was reported to NTBugTraq (http://www.ntbugtraq.com) by Brett Robins. If you open the Date/Time control panel applet and select a different month, the system will immediately reset the current date to that month. For example, if I open the Date/Time control panel on March 23, 1999, and select September from the Month dropdown list, the system clock immediately gets set to September 23, 1999. This can have serious implications, for example, if your user accounts expire between that date and today. Note that you do not have to hit Apply for this change to take effect! Microsoft has acknowledged this problem and a fix is likely to be forthcoming eventually.

3.2. Extension mapping and implications

An issue was reported to NTBugtraq (http://www.ntbugtraq.com) about how NT parses extensions. NT will allow most extensions on executables. To show this, copy notepad.exe from %systemroot% into a temporary directory and rename it notepad.dummy. If you double-click this file in Explorer you are prompted for an application to open it with. However, if you run it from the command line it works.

This has some important implications for system administrators. Firstly, it is very easy for users to hide executables from administrators. They do not even need to rename the file back to run it. Secondly, it means that virus scanners that decide which files to check based on the extension are not very effective. Some virus scanners actually check the header to determine what kind of file it is and whether to scan it. However, unless you can prove that your particular virus scanner correctly identifies executables based on the header, and not the extension, you may want to turn on scanning of all files, rather than just executables.

3.3. Internet Explorer 5 released

Microsoft released the new version of Internet Explorer last week.
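As an added example for item 3.2 above (our own code, not part of the original digest), the Python script below decides whether a file is an executable image from its MZ/PE header rather than from its extension, and flags the renamed notepad.dummy case that an extension-only filter would miss. The sample files are constructed in memory; the header offsets are the documented PE layout, and the extension list and function names are ours.

```python
"""Header-based executable detection (added example, not from the digest).

NT runs an MZ/PE image whatever its extension says (item 3.2), so any
inventory or scanner that trusts the extension can be sidestepped by a
rename. This checks the image signature instead: "MZ" at offset 0 and the
"PE\\0\\0" signature at the offset stored in the DOS header's e_lfanew field
(offset 0x3C). Sample files are constructed in memory; function names are ours.
"""
import struct

# Extensions NT treats as runnable; extend to taste for your environment.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".sys", ".cpl", ".ocx"}
MAX_E_LFANEW = 0x1000  # sanity bound on where a PE header may start


def image_type(data: bytes) -> str:
    """Classify raw file bytes as 'pe', 'mz' (DOS-only image) or 'none'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "none"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew < 0x40 or e_lfanew > MAX_E_LFANEW or e_lfanew + 4 > len(data):
        return "mz"
    return "pe" if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" else "mz"


def extension_claims_executable(name: str) -> bool:
    """The verdict an extension-only scanner would reach."""
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot >= 0 else ""
    return ext in EXECUTABLE_EXTENSIONS


def audit(files: dict) -> dict:
    """Compare the extension verdict with the header verdict for each file.

    Returns {name: verdict} with verdict one of
      'executable'   - image with an executable extension
      'hidden-exe'   - image carrying a non-executable extension (item 3.2)
      'not-an-image' - executable extension but no MZ/PE header
      'data'         - neither
    """
    results = {}
    for name, data in files.items():
        is_image = image_type(data) in ("pe", "mz")
        claims = extension_claims_executable(name)
        if is_image and claims:
            results[name] = "executable"
        elif is_image:
            results[name] = "hidden-exe"
        elif claims:
            results[name] = "not-an-image"
        else:
            results[name] = "data"
    return results


def hidden_executables(files: dict) -> list:
    """Names a header-aware scanner would catch but an extension filter misses."""
    return sorted(n for n, v in audit(files).items() if v == "hidden-exe")


def make_pe_stub() -> bytes:
    """Constructed minimal MZ header plus PE signature (enough for the check)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature follows
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


# Constructed sample set mirroring the notepad.dummy experiment in item 3.2.
SAMPLE_FILES = {
    "notepad.exe":   make_pe_stub(),
    "notepad.dummy": make_pe_stub(),          # renamed copy, still runnable
    "readme.txt":    b"just text\r\n",
    "fake.exe":      b"not really a program",
    "old.dat":       b"MZ" + b"\0" * 0x3E,    # MZ header, no PE signature
}

if __name__ == "__main__":
    for name, verdict in sorted(audit(SAMPLE_FILES).items()):
        print(f"{name:15} {verdict}")
```

The point of the "hidden-exe" verdict is the one the item makes: if your scanner's file list is built from extensions, notepad.dummy never reaches the engine at all. A header check closes that particular gap, but it is still no substitute for scanning every file, since scripts and documents carry no MZ header.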
Since it is now part of the operating system, the expectation is that all machines will be updated to IE 5 eventually. Here are a few things to keep in mind if you upgrade yours.

3.3.1. Cross-domain security violation in control

A cross-frame navigation vulnerability in the DHTML edit control was discovered by Juan Carlos Cuartango. Microsoft has acknowledged this and will revoke the existing control and release a fixed version.

3.3.2. Cookie setting

IE 5 will reset your cookie setting to "Accept Always," regardless of what it was under IE 4. If you do not wish to receive cookies you must change this setting back manually.

There was also a report on NTBugTraq (http://www.ntbugtraq.com) describing some strange behavior regarding how IE 5 treats cookies. The editorial board investigated this and found the following:

1. If you have the browser prompt you for cookies and then let a site set a cookie, all subsequent cookies from that site will be set without your being prompted.

2. If a site has previously been allowed to set a cookie on your computer (e.g. one from an older browser, from before you turned on prompting for cookies, or one you previously allowed from that site), you will not be prompted for any further cookies from that site. They will be allowed automatically.

3. If a site already has a cookie on your computer and the site tries to update information in that cookie, that will be allowed, even if prompting for cookies is turned on.

Of course, if you disable cookies, no cookies will be set on your computer. However, this will break many sites.

3.3.3. Currently identified bugs and incompatibilities

A few bugs and incompatibilities have been reported with IE 5.

3.3.3.1. Diamond video drivers

If you are using Diamond video drivers you must download a new driver from Diamond if you would like to re-install the driver after you have installed IE 5.
The drivers replace a critical file used by IE 5, with the result that the machine will not reboot if you install them over IE 5. New drivers were posted on March 24 at http://www.diamondmm.com/products/support/ie5.html.

3.3.3.2. PPTP

According to BugTraq (http://www.bugnet.com) IE 5 may disable PPTP. The editorial board has not verified this claim, but, as with all upgrades, you should test IE 5 thoroughly in your organization before rolling it out on a large scale.

**********************************************************************

4. IIS Issues

4.1. Password Storage

The IIS metabase, stored in C:\WINNT\system32\inetsrv\MetaBase.bin, stores passwords for the IIS service accounts in a loosely obfuscated form. This file is readable using a tool called MetaEdit from the IIS resource kit. Care must be taken so that this file is protected from untrusted users.

**********************************************************************

5. Third-party Software issues

5.1. ArcServe IT transmits loosely encrypted passwords over the network

ArcServe IT has been reported to transmit loosely encrypted passwords over the network from its NT Agents. Computer Associates promptly released a fix which is available at:
http://support.cai.com/Download/patches/asnt.html

5.2. SLMail 3.1 and 3.2 Remote Administration Vulnerability

A vulnerability in Seattle Labs SLMail 3.1 and 3.2 was reported by Mnemonix. Using the Remote Administration Service in SLMail, any user with an account on the system can make changes to the mail services and user account information. This can result in several problems, such as the ability to read any file on the system by setting it as a user's plan file. Seattle Labs is reportedly working on a fix.

5.3. IMail 5.0 buffer overflow vulnerabilities

The eEye Digital Security Team (http://www.eEye.com) reported several buffer overflows in IMail 5.0. The vulnerabilities are in the Imapd, LDAP, Imonitor, IMail web service, and WhoIs32 daemon services.
The vendor has been notified but it is unknown as of yet whether a fix is forthcoming.

5.4. Conseal PC Firewall update available

Signal9 has discovered a vulnerability in its Conseal PC Firewall product. Versions 1.3 and 1.35 may exit prematurely when run as a service. A fix is available at:
http://www.signal9.com/cgi-bin/update.exe

**********************************************************************

6. Trojans etc.

6.1. NetBus Pro

A new version of NetBus was released last month. NetBus is a program designed to allow remote control over a computer. By itself, it can be a useful management tool. However, if clandestinely introduced, it could be used by an attacker to gain control over a computer. The new version has some significant upgrades over the previous version. For example, it can now run on a user-selected port. CIAC issued a bulletin regarding this new release of NetBus. The bulletin is available at http://www.ciac.org.

To determine if NetBus is running on your computer look in the registry for a key called HKEY_CURRENT_USER\NetBus Server. To determine which port NetBus is listening to, look at HKEY_CURRENT_USER\NetBus Server\General\TCPPort and then use netstat -an to determine whether the system is actually listening on that port. In addition, NetBus may be set to start automatically. In that case, there will be an entry called NetBus Server Pro under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices. That entry will list the path to the NetBus executable. You can delete the registry entry and the executable.

NetBus now also supports a plug-in architecture similar to that supported by BackOrifice. The only plug-in available right now is a file-find utility.

6.2. ProMail 1.21

ProMail 1.21, a mail package for Win9x, apparently hides a trojan.
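As an added example for the NetBus check in item 6.1 (our own code, not part of the original digest), the Python below takes captured registry values and netstat -an output and reports whether the port named in TCPPort is actually in the LISTENING state, so the two pieces of evidence the item asks you to gather are compared mechanically. The netstat text, the registry values, the port number and the executable path are all constructed samples; treating TCPPort as a decimal string is an assumption.

```python
"""Confirming a registry-reported listener with netstat -an (added example).

Item 6.1 reads the TCPPort value under HKEY_CURRENT_USER\\NetBus Server\\General
and then checks with netstat -an that the system really listens there. This
script does the cross-check on captured output so the two pieces of evidence
are compared mechanically. All values below are constructed samples; the port
is made up and treating TCPPort as a decimal string is an assumption.
"""
import re

TCPPORT_KEY = r"HKEY_CURRENT_USER\NetBus Server\General\TCPPort"
RUNSERVICES_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows"
                   r"\CurrentVersion\RunServices\NetBus Server Pro")

# One socket row of NT 4 `netstat -an`; UDP rows have no State column.
NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+)\s+(?P<faddr>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$")


def split_endpoint(endpoint: str):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> list:
    """Return the socket rows of `netstat -an` output as dictionaries."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue  # banner, column headers, blank lines
        host, port = split_endpoint(m.group("laddr"))
        rows.append({"proto": m.group("proto"), "local_host": host,
                     "local_port": port, "state": m.group("state") or ""})
    return rows


def tcp_listeners(rows: list) -> set:
    """Local TCP ports in LISTENING state."""
    return {r["local_port"] for r in rows
            if r["proto"] == "TCP" and r["state"] == "LISTENING"}


def parse_port_value(value) -> int:
    """Registry data may be a decimal string or a DWORD; normalise and bound it."""
    port = int(str(value).strip())
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {value!r}")
    return port


def assess(registry: dict, netstat_text: str) -> dict:
    """Combine registry evidence (item 6.1's keys) with the netstat confirmation.

    `registry` maps key paths to captured values; keys not found are absent.
    """
    tcpport = registry.get(TCPPORT_KEY)
    report = {"registry_present": tcpport is not None, "port": None,
              "listening": False, "autostart_path": registry.get(RUNSERVICES_KEY)}
    if tcpport is not None:
        report["port"] = parse_port_value(tcpport)
        report["listening"] = report["port"] in tcp_listeners(parse_netstat(netstat_text))
    return report


# Constructed sample output in NT 4 netstat -an layout.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:24680          0.0.0.0:0              LISTENING
  TCP    10.1.2.3:139           10.1.2.9:1031          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed registry capture; the path is a placeholder, not a real indicator.
SAMPLE_REGISTRY = {
    TCPPORT_KEY: "24680",
    RUNSERVICES_KEY: r"C:\TEMP\example-netbus-path.exe",
}

if __name__ == "__main__":
    print(assess(SAMPLE_REGISTRY, SAMPLE_NETSTAT))
```

A registry key with no matching listener is still worth following up (the service may simply not have started yet), which is why the report keeps the two findings separate instead of collapsing them into one yes/no.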
Aeon labs (http://cool.icestorm.net/aeon) have disassembled the program and found that, in addition to the regular mail transfer feature, it transmits user information, such as passwords, e-mail address, and so on, to an e-mail account on a free e-mail provider. Apparently, the program works well otherwise.

**********************************************************************

7. Tip of the month: Use UNIX commands

If you are like us, you have sometimes wished that you had some of the powerful commands we got used to under UNIX on NT (actually, if you are like us, you have probably written one or two of these yourselves, like mv). Well, these commands are available in the NT Resource Kit as Win32 native programs:

   cat.exe
   cp.exe
   ls.exe
   mv.exe
   touch.exe
   wc.exe
   vi.exe

Since NT is POSIX compliant, the Resource Kit also includes the above commands in POSIX versions, as well as the following commands in a POSIX version:

   chmod.exe
   chown.exe
   find.exe
   grep.exe
   ln.exe
   mkdir.exe
   rm.exe
   rmdir.exe
   sh.exe

Note that the Win32 clone is not always equivalent to the POSIX version. The POSIX version of the ls command, for example (stored in /ntreskit/POSIX), supports the full complement of BSD 4.4 switches, with the exception of -o. However, the Win32 clone (stored in /ntreskit) supports [-FrqRdlt1sSvu] and can also take those switches with a /, like ls /1F. The resource kit documentation also claims that there are POSIX CC.EXE and LINK.EXE commands. However, those do not seem to be present.

Due to some security risks with the POSIX sub-system, you may want to run only the Win32 versions of the commands. If you do not modify your path environment variable, those are the only commands available to you. Those commands do not cause the POSIX sub-system to be loaded and should work even if the POSIX sub-system has been removed.

Now, if only we had a where command. Maybe we will write one for you for next month.
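Since this item ends by wishing for a where command, here is one as an added example (our own Python, not a Resource Kit program): it resolves a name the way cmd.exe does, directory by directory through PATH and, for a bare name, extension by extension through PATHEXT, which also shows why item 3.2's renamed notepad.dummy runs when typed with its extension but is not found as plain notepad. The NT 4 default PATHEXT list is an assumption, matching is case-insensitive as on NT file systems, and the demo tree the script builds is constructed.

```python
"""A `where` command for NT (added example; our own code, not the Resource Kit's).

Resolves a command name the way cmd.exe does: each directory is tried in
order (current directory first, then PATH), and for a bare name each
extension in PATHEXT is tried in that directory before moving on. A name
given with its extension is matched exactly, which is why item 3.2's
renamed notepad.dummy still runs from the command line but "notepad" would
not find it. The NT 4 default PATHEXT below is an assumption; matching is
case-insensitive as on NTFS/FAT; the demo tree is constructed.
"""
import os
import sys
import tempfile

DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD"   # assumed NT 4 default


def candidate_names(name: str, pathext: list) -> list:
    """Filenames to try in one directory, in cmd.exe's order."""
    if os.path.splitext(name)[1]:   # explicit extension: exact name only
        return [name]
    return [name + ext for ext in pathext]


def find_in_dir(directory: str, candidates: list) -> list:
    """Case-insensitive lookup of each candidate in one directory."""
    try:
        by_lower = {}
        for entry in os.listdir(directory):
            by_lower.setdefault(entry.lower(), entry)
    except OSError:
        return []                   # unreadable or missing PATH entry
    hits = []
    for cand in candidates:
        actual = by_lower.get(cand.lower())
        if actual is not None:
            full = os.path.join(directory, actual)
            if os.path.isfile(full):
                hits.append(full)
    return hits


def where(name: str, path_dirs=None, pathext=None, cwd_first=True) -> list:
    """All matches in search order; the first one is what cmd.exe would run."""
    if path_dirs is None:
        path_dirs = os.environ.get("PATH", "").split(os.pathsep)
    if pathext is None:
        pathext = os.environ.get("PATHEXT", DEFAULT_PATHEXT).split(";")
    pathext = [e for e in pathext if e]
    dirs = ([os.getcwd()] if cwd_first else []) + [d for d in path_dirs if d]
    candidates = candidate_names(name, pathext)
    hits = []
    for directory in dirs:
        hits.extend(find_in_dir(directory, candidates))
    return hits


def demo() -> dict:
    """Build a constructed two-directory PATH in a temp dir and resolve names."""
    root = tempfile.mkdtemp(prefix="where-demo-")
    layout = {"bin1": ["tool.exe", "notepad.dummy"],
              "bin2": ["tool.cmd", "tool.exe", "TOOL.COM"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for fname in names:
            with open(os.path.join(root, sub, fname), "wb") as fh:
                fh.write(b"MZ constructed stub")
    dirs = [os.path.join(root, "bin1"), os.path.join(root, "bin2")]
    pathext = DEFAULT_PATHEXT.split(";")

    def rel(hits):
        return [os.path.relpath(h, root).replace(os.sep, "/") for h in hits]

    return {q: rel(where(q, dirs, pathext, cwd_first=False))
            for q in ("tool", "notepad.dummy", "notepad")}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = where(sys.argv[1])
        print("\n".join(found) if found else f"{sys.argv[1]} not found")
        sys.exit(0 if found else 1)
    for query, hits in demo().items():
        print(f"{query:14} -> {hits}")
```

Run with a command name to list every match on the real PATH, first hit first; run with no arguments to see the constructed demo. Listing all matches rather than just the first is the useful part for an administrator, since a second copy of a tool earlier in the search order is exactly the kind of thing worth noticing.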
=======================================================================

The SANS NT Digest is provided at no cost to those people who attend SANS and SANS Network Security conferences. Others may subscribe for a small annual fee. To subscribe, email with the subject NT Digest.