ISSalert: Top 10 Vulnerabilities

From: Wilmont Belfry <AlphaLeader_at_1stconnect.com>
Date: Wed, 10 May 2000 18:42:06 -0400
Message-Id: <10493.105354@fatcity.com>


FYI.... Wilmont C. Belfry

> TOP 10 VULNERABILITIES
>
> The top 10 vulnerabilities represent the most commonly found and exploited
> high-risk vulnerabilities on the Internet. This list is derived from
> various trusted sources including ISS X-Force analysis, customer input,
> ISS Professional Services, and security partners. The top 10 list is
> maintained by ISS X-Force and distributed quarterly with the ISS Alert
> Summary.
>
> Security Advantage
> Securing computers and networks from these vulnerabilities across the
> enterprise assures protection from the most commonly exploited
> vulnerabilities on the Internet. This list should be incorporated into
> security policies to establish a reasonable level of protection.
>
> TOP 10
> 1. Denial of service exploits
> - TFN
> - TFN2k
> - Trin00
> - Stacheldraht
> - FunTime Apocalypse
>
> 2. Weak accounts
> - Default accounts (routers, firewalls)
> - Null passwords for admin/root accounts
> - SNMP with public/private strings set
>
> 3. IIS (Microsoft Internet Information Server)
> - RDS
> - HTR
> - Malformed header
> - PWS File Access
> - CGI Lasso
> - PHP3 metacharacters
> - PHP mlog.html read files
>
> 4. Open databases
> - Oracle default account passwords
> - Oracle setuid root oratclsh
> - SQL Server Xp_sprintf buffer overflow
> - SQL Server Xp_cmdshell extended
>
> 5. E-Business web applications
> - NetscapeGetBo
> - HttpIndexserverPath
> - Frontpage Extensions
> - FrontpagePwdAdministrators
>
> 6. Open Email
> - Sendmail pipe attack
> - SendmailMIMEbo
>
> 7. FileSharing
> - NetBIOS
> - NFS
>
> 8. RPC
> - rpc.cmsd
> - rpc-statd
> - Sadmin
> - Amd
> - Mountd
>
> 9. BIND
> - BIND nxt
> a. Server to server response
> b. Buffer handling overflows
> c. More advanced
> - BIND qinv
> a. Compile flag on by default
> b. Activated buffer overflow
> c. Client request to server
> d. Script kiddie
> - Exposers outside firewall
> - In.Named binary
>
> 10. Linux buffer overflows
> - IMAP BO
> - Qpopper BO
> - Overwrite stack
> - Common script kiddie exploits
> - Poor coding standards
> - WU-FTP BO
>
> RECOMMENDED CORRECTIVE ACTION
> At a business level, implement and manage security components across the
> organization. Continue a process of being ever vigilant and apply new risk
> reduction steps and monitor for threats.
>
> ISS recommends establishing the following levels of security:
> - Security Policy
> - Secure management level (such as intranet)
> - Security Software (Host based assessment and intrusion detection)
> - Secure critical network components OS/net/db/web
>
>
>
> VULNERABILITY DETAILS
>
> 1. Denial of service exploits
> _____
>
> Vulnerability: TFN
> Platforms Affected: Linux, Solaris, Unix
> Risk Level: High
> Attack Type: Network Based, Host Based
>
> Tribe Flood Network, TFN, is a distributed denial of service tool that
> allows an attacker to use several hosts at once to flood a target. It has
> four different kinds of floods -- ICMP Echo flood, UDP Flood, SYN Flood,
> and Smurf attack. The TFN client and server use ICMP echo reply packets to
> communicate with each other.
>
> Reference:
> CERT Advisory CA-99-17: "Distributed Denial-of-Service Tools" at:
> http://www.cert.org/incident_notes/IN-99-07.html
>
>
> Vulnerability: TFN2k
> Platforms Affected: Linux, Solaris, Unix
> Risk Level: High
> Attack Type: Network Based, Host Based
>
> Tribe Flood Network 2000 (TFN2k) is a distributed denial of service tool
> that can perform a number of different types of floods against a host. It
> consists of a client and a daemon. The client controls one or more
> daemons, which flood a targeted host. The client can use UDP, TCP, or ICMP
> to communicate with the daemon and can spoof (fake) the source IP address
> of outgoing packets. Communication between the client and daemon is
> encrypted.
>
> Reference:
> CERT Advisory CA-99-17: "Denial-of-Service Tools" at:
> http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
>
>
> Vulnerability: Trin00
> Platforms Affected: Linux, Solaris, Unix
> Risk Level: High
> Attack Type: Network Based, Host Based
>
> Trin00 is a distributed denial of service attack tool. It allows an
> attacker to control several hosts to make them send a UDP flood to another
> host. The Trin00 master can make several requests to the Trin00 daemon:
> - Start flooding a host with UDP packets
> - Stop flooding a host with UDP packets
> - Change the UDP flood configuration of the daemon
>
> Reference:
> CERT Advisory CA-99-17: "Denial-of-Service Tools" at:
> http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
>
>
> Vulnerability: Stacheldraht
> Platforms Affected: Any
> Risk Level: High
> Attack Type: Network Based
>
> Stacheldraht is a distributed denial of service tool based on the source
> code of the Tribe Flood Network (TFN) and Trin00 tools. In addition to
> providing the features of these tools, Stacheldraht encrypts communication
> between clients, master servers (sometimes known as handlers), and agents.
> It can also remotely upgrade agents with an account and server name using
> the rcp command.
>
> Stacheldraht was designed to be built and installed on compromised Linux
> and Solaris systems, but it potentially could be installed on any system
> by modifying the source code.
>
> Reference:
> CERT Advisory CA-2000-01: "Denial of Service Developments" at:
> http://www.cert.org/advisories/CA-2000-01.html
>
> Vulnerability: FunTime Apocalypse
> Platforms Affected: Windows 9x, NT, 2K
> Risk Level: High
> Attack Type: Network Based
>
> Funtime Apocalypse is a distributed denial of service (DDoS) tool for
> Windows 9x and Windows NT. Attackers can launch a "timer fused" flood
> against a target computer. Funtime Apocalypse consists of several
> different files:
> - a flooding program (bmb2.exe)
> - a host file (funtime.txt)
> - some batch files (funtime.bat, timer98.bat, and timerNT.bat)
> - two Windows HTML applications (funtime98.hta and funtimeNT.hta)
> Funtime requires an attacker to make major modifications to the batch
> files and Windows HTML application files, or it will not work.
>
>
> 2. Weak accounts
> _____
>
> Vulnerability: Default Accounts (Firewalls/Routers)
> Platforms Affected: Any
> Risk Level: High
>
> Default accounts are usually unsafe and should always be changed.
>
> Vulnerability: Null passwords for admin/root accounts
> Platforms Affected: Any
> Risk Level: High
>
> Null passwords for admin and root accounts allow anyone access with admin
> or root privileges. A password should be added to protect the computer or
> network.
>
> Vulnerability: SNMP with public/private strings set
> Platforms Affected: Any
> Risk Level: High
>
> An attacker can use SNMP strings to gain valuable information about a
> computer. This information could be used at a later time to launch an
> attack.
>
> Reference:
> Microsoft Knowledge Base Article Q99880: "SNMP Agent Responds to Any
> Community Name" at:
> http://support.microsoft.com/support/kb/articles/q99/8/80.asp
>
>
> 3. IIS (Microsoft Internet Information Server)
> _____
>
>
> Vulnerability: IIS RDS
> Platforms Affected: Microsoft IIS Servers
> Risk Level: High
>
> Implicit remoting is enabled via the Microsoft Internet Information Server
> (IIS) web server. RDS allows an unauthorized user access to ODBC databases
> via IIS.
>
> Reference:
> Microsoft Security Bulletin: "Re-Release: Unauthorized Access to IIS
> Servers through ODBC Data Access with RDS" at:
> http://www.microsoft.com/security/bulletins/ms99-025.asp
>
>
> Vulnerability: IIS HTR
> Platforms Affected: Microsoft IIS Servers
> Risk Level: Medium
>
> An attacker could gain access to the IIS server and run any program.
>
> Reference:
> Microsoft Security Bulletin: "Workaround Available for 'Malformed HTR
> Request' Vulnerability" at:
> http://www.microsoft.com/security/bulletins/ms99-019.asp
>
>
> Vulnerability: IIS Malformed Header
> Platforms Affected: Microsoft IIS Servers
> Risk Level: Medium
>
> A vulnerability in Microsoft Internet Information Server 4.0 (IIS) and
> SiteServer 3.0 could cause the web server to consume all the memory on the
> system, if a remote attacker sends a flood of specifically malformed HTTP
> request headers. The service would have to be stopped and restarted in
> order to resume normal operation.
>
> Reference:
> Microsoft Security Bulletin MS99-029: "Patch Available for 'Malformed HTTP
> Request Header' Vulnerability" at:
> http://www.microsoft.com/security/bulletins/ms99-029.asp
>
>
> Vulnerability: PWS File Access
> Platforms Affected: Microsoft Personal Web Server 4.0
> Risk Level: Medium
>
> A vulnerability in the file access protocols of the Microsoft Personal Web
> Server (PWS) and FrontPage PWS could allow arbitrary files to be remotely
> read. The attacker is required to have prior knowledge of file names to
> exploit this vulnerability, which does not yield any other privileges than
> read access.
>
> Reference:
> Microsoft Security Bulletin MS99-010: "Patch Available for File Access
> Vulnerability in Personal Web Server" at:
> http://www.microsoft.com/security/bulletins/ms99-010.asp
>
>
> Vulnerability: IIS CGI Lasso
> Platforms Affected: CGI
> Risk Level: Medium
>
> The Lasso CGI program installed on many web servers, especially WebSTAR
> servers, contains a vulnerability that could allow remote attackers to
> read arbitrary files from the system. While the problem does not lead to
> direct access to the system, it could potentially compromise sensitive
> files.
>
> Reference:
> BugTraq Mailing List: "Lasso CGI security hole (fwd)" at:
> http://www.netspace.org/cgi-bin/wa?A2=ind9708D&L=bugtraq&P=R1093
>
>
> Vulnerability: PHP3 Metacharacters
> Platforms Affected: PHP3
> Risk Level: High
>
> PHP3 is a scripting language used in webhosting setups. If safe_mode is
> enabled in the hosting setup, a remote attacker can send metacharacters
> from commands that are executed with popen. This could allow the attacker
> to execute commands on the server.
>
> Reference:
> Microsoft Security Bulletin MS99-010: "Patch Available for File Access
> Vulnerability in Personal Web Server" at:
> http://www.microsoft.com/security/bulletins/ms99-010.asp
>
>
> Vulnerability: PHP mlog.html Read Files
> Platforms Affected: PHP, CGI
> Risk Level: Medium
>
> The 'mlog.html' sample script shipped with the PHP/FI package allows
> remote attackers to view any file on the system. Attackers are limited to
> viewing files accessible to the user the httpd server is running under,
> generally "nobody." This vulnerability also exists in the 'mylog.html'
> script shipped with PHP/FI. Exploit information for this hole has been
> widely published.
>
> Reference:
> BugTraq Mailing List: "Vulnerability in PHP Example Logging Scripts" at:
> http://www.securityfocus.com/templates/archive.pike?list=1&msg=3.0.3.32.19971019203840.0075b7b0_at_mail.underworld.net
>
>
> 4. Open databases
> _____
>
> Vulnerability: Oracle default account passwords
> Platforms Affected: Unix
> Risk Level: High
>
> Oracle databases have several well-known default username/password
> combinations. These combinations include the following: SCOTT/TIGER,
> DBSNMP/DBSNMP, SYSTEM/MANAGER, SYS/CHANGE_ON_INSTALL, TRACESVR/TRACE,
> CTXSYS/CTXSYS, MDSYS/MDSYS, DEMO/DEMO, CTXDEMO/CTXDEMO, APPLSYS/FND,
> PO8/PO8, NAMES/NAMES, SYSADM/SYSADM, ORDPLUGINS/ORDPLUGINS, OUTLN/OUTLN,
> ADAMS/WOOD, BLAKE/PAPER, JONES/STEEL, CLARK/CLOTH,
> AURORA$ORB$UNAUTHENTICATED/INVALID, and APPS/APPS. These default
> combinations could allow an attacker unauthorized access to
> the server.
>
>
> Vulnerability: Oracle setuid root oratclsh
> Platforms Affected: Unix
> Risk Level: High
>
> The Oracle 8.x Intelligent Agent for Unix installs a program called
> 'oratclsh' that is suid root. This program allows full access to the Tcl
> interpreter and can be used by any local user to run any program.
>
> Reference:
> BugTraq Mailing List: "Huge security hole in Oracle 8.0.5 with Intellegent
> agent installed" at:
> http://www.netspace.org/cgi-bin/wa?A2=ind9904E&L=bugtraq&P=R1249
>
>
> Vulnerability: SQL Server Xp_sprintf buffer overflow
> Platforms Affected: Any
> Risk Level: High
>
> In versions of SQL Server earlier than Release 6.5, Service Pack 5, the
> extended stored procedure xp_sprintf can be exploited using buffer
> overflows. An attacker can use xp_sprintf to crash the server or to
> possibly gain admin privileges on the system running SQL Server.
>
>
> Vulnerability: SQL Server Xp_cmdshell extended
> Platforms Affected: Windows
> Risk Level: Medium
>
> Microsoft SQL Server extended stored procedure, xp_cmdshell, can be used
> to gain Windows NT administrator rights.
>
>
> 5. E-Business web applications
> _____
>
> Vulnerability: Netscape Get Buffer Overflow
> Platforms Affected: Netscape FastTrack, Netscape Enterprise Server
> Risk Level: High
>
> A vulnerability in the Netscape Enterprise Server and Netscape FastTrack
> Server allows an attacker to send the web server an overly long HTTP GET
> request, overflowing a buffer in the Netscape httpd service and
> overwriting the process's stack. This allows a sophisticated attacker to
> force the machine to execute any program code that they send. It is
> possible to use this vulnerability to execute arbitrary code as SYSTEM on
> the server, giving an attacker full control of the machine.
>
> Reference:
> Microsoft Knowledge Base Article: "Buffer Overflow in Netscape Enterprise
> and FastTrack Web Servers" at:
> http://xforce.iss.net/alerts/advise37.php3
>
>
> Vulnerability: Netscape HTTP Index Server Reveals Path
> Platforms Affected: IIS4, Microsoft Index Server
> Risk Level: Medium
>
> Microsoft Index Server reveals sensitive path information in certain error
> messages. Microsoft Index Server is a web search engine included in the
> Windows NT 4.0 Option Pack. When a user requests a non-existent Internet
> Data Query (IDQ) file, the program returns an error message that provides
> the physical path to the web directory that was contained in the request.
> An attacker could use this to gain information about the file structure of
> the web server that would be helpful in an attack.
>
> Reference:
> Microsoft Security Bulletin MS00-006: "Patch Available for "Malformed
> Hit-Highlighting Argument" Vulnerability" at:
> http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
>
>
> Vulnerability: Frontpage Extensions
> Platforms Affected: Microsoft Frontpage
> Risk Level: High
>
> Microsoft FrontPage extensions under Unix systems sporadically create
> 'service.pwd' files with world readable (or sometimes, world writable)
> permissions. This file contains encrypted user passwords that can be later
> cracked offline.
>
> Reference:
> BugTraq Mailing List: "Some Past Frontpage Exploits" at:
> http://www.netspace.org/cgi-bin/wa?A2=ind9804D&L=bugtraq&P=R2547
>
>
> Vulnerability: Frontpage Pwd Administrators
> Platforms Affected: Microsoft Frontpage
> Risk Level: High
>
> Microsoft FrontPage Extensions creates an administrators.pwd file inside
> the _vti_pvt directory in the HTTP server's document root. This file
> contains encrypted passwords which could be remotely retrieved by an
> attacker and cracked offline. If the passwords in this file are weak
> enough, or enough time is spent cracking them, the attacker could
> potentially obtain the cleartext password and use it to access resources
> on the server.
>
> Reference:
> BugTraq Mailing List: "Some Past Frontpage Exploits" at:
> http://www.netspace.org/cgi-bin/wa?A2=ind9804D&L=bugtraq&P=R2547
>
>
> 6. Open Email
>
> Vulnerability: Sendmail pipe attack
> Platforms Affected: Sendmail
> Risk Level: High
>
> By inserting a pipe character into certain fields in an e-mail, Sendmail
> may be forced to execute a command on the remote machine. This behavior
> may result in a remote attacker being able to execute commands as root.
>
> Reference:
> Sendmail Consortium: "Sendmail FAQ" at:
> http://www.sendmail.org/faq
>
>
> Vulnerability: Sendmail MIME Buffer Overflow
> Platforms Affected: Sendmail versions 8.8.3 and 8.8.4
> Risk Level: High
>
> A vulnerability exists in Sendmail 8.8.3 and 8.8.4 in the MIME handling
> code. A buffer overflow in this code could allow a remote attacker to send
> the server a message with specially crafted headers that would cause
> Sendmail to execute arbitrary commands with root privileges.
>
> Reference:
> CERT Advisory CA-97.05: "MIME Conversion Buffer Overflow in Sendmail
> Versions 8.8.3 and 8.8.4" at:
> http://www.cert.org/advisories/CA-97.05.sendmail.html
>
>
> 7. FileSharing
> _____
>
> Vulnerability: NetBIOS
> Platforms Affected: NetBIOS
> Risk Level: High
>
> NetBIOS file sharing could allow an attacker to access files on the
> system and perform brute force password cracking.
>
>
> Vulnerability: NFS
> Platforms Affected: NFS
> Risk Level: High
>
> NFS systems could allow an attacker to access files on systems across the
> network.
>
>
> 8. RPC
> _____
>
> Vulnerability: rpc.cmsd
> Platforms Affected: Solaris: 2.3, 2.4, 2.5, 2.5.1, and 2.6, Common
> Desktop Environments (CDE)
> Risk Level: High
>
> Sun has found a vulnerability in the database manager rpc.cmsd, which is
> used as an appointment and resource-scheduler with clients such as
> Calendar Manager in Openwindows, and Calendar in CDE. The vulnerability,
> if exploited, would allow an attacker to overwrite arbitrary files and
> gain root level access.
>
> Reference:
> Sun Microsystems, Inc. Security Bulletin #00166: "rpc.cmsd" at:
> http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/166
>
>
> Vulnerability: Sun RPC Statd
> Platforms Affected: Solaris: 2.3, 2.4, 2.5, 2.5.1, and 2.6
> Risk Level: High
>
> The RPC service statd works with lockd to provide crash and recovery
> functions for file locking over NFS. Under Solaris and SunOS, a remote
> attacker can use statd's ability to indirectly call other RPC services to
> bypass the access controls of those RPC services. This hole could
> potentially be used to exploit other security weaknesses in Sun servers.
>
> Reference:
> Sun Microsystems, Inc. Security Bulletin #00186: "rpc.statd" at:
> http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/186
>
>
> Vulnerability: Sadmin
> Platforms Affected: Solaris: 2.3, 2.4, 2.5, 2.5.1, 2.6, and 7
> Risk Level: High
>
> The sadmind daemon is part of the Solstice AdminSuite distributed system
> administration package distributed with Sun's Solaris operating system.
> The program contains a remotely exploitable buffer overflow in calls made
> to NETMGT_PROC_SERVICE, which could allow an attacker to execute arbitrary
> code with root privileges.
>
> Reference:
> Sun Microsystems, Inc. Security Bulletin #00191: "Sadmin" at:
> http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/191
>
>
> Vulnerability: Amd
> Platforms Affected: Linux
> Risk Level: High
>
> The Automounter daemon (amd) has a buffer overflow in the mount code that
> affects Linux and some BSD platforms. Amd automatically mounts file
> systems in response to attempts to access files that reside on those file
> systems. Passing a long string to the AMQPROC_MOUNT procedure can cause a
> remote attacker to obtain root credentials.
>
> Reference:
> CERT Advisory CA-99-12: "Buffer Overflow in amd" at:
> http://www.cert.org/advisories/CA-99-12-amd.html
>
>
> Vulnerability: Mountd
> Platforms Affected: Linux
> Risk Level: High
>
> There is a vulnerability in some implementations of the software that NFS
> servers use to log requests to use file systems. Attackers who exploit the
> vulnerability are able to gain administrative access to the vulnerable NFS
> file server. That is, they can do anything the system administrator can
> do. This vulnerability can be exploited remotely and does not require an
> account on the target machine.
>
> Reference:
> CERT Advisory CA-98.12: "Remotely Exploitable Buffer Overflow
> Vulnerability in mountd" at:
> http://www.cert.org/advisories/CA-98.12.mountd.html
>
>
> 9. BIND
> _____
>
> Vulnerability: BIND nxt
> Platforms Affected: Bind: 8.2, 8.2 P1, and 8.2.1
> Risk Level: High
>
> A vulnerability has been discovered in the processing of NXT records in
> the 8.2 and 8.2.1 versions of BIND. BIND is a freely available DNS server
> produced by the Internet Software Consortium. This buffer overflow could
> allow a remote attacker to execute arbitrary code on vulnerable servers
> with root privileges.
>
> Reference:
> Sun Microsystems, Inc. Security Bulletin #00166: "rpc.cmsd" at:
> http://www.cert.org/advisories/CA-99-14-bind.html
>
>
> Vulnerability: BIND Qinv
> Platforms Affected: Bind
> Risk Level: High
>
> A buffer overflow exists in BIND versions prior to 4.9.7, and BIND
> versions prior to 8.1.2. A malicious remote user can send a specially
> formatted inverse-query TCP stream that would crash the BIND server and
> allow the attacker to gain root access.
>
> Reference:
> CERT Advisory CA-98.05: "Multiple Vulnerabilities in BIND" at:
> http://www.cert.org/ftp/cert_advisories/CA-98.05.bind_problems
>
>
> 10. Linux buffer overflows
> _____
>
> Vulnerability: IMAP Buffer Overflow
> Platforms Affected: IMAP
> Risk Level: High
>
> IMAP4rev1 servers up to and including 10.234 contain a buffer overflow
> that allows a remote attacker to execute arbitrary commands on the victim
> site as the user running imapd, generally root. This is not the same
> vulnerability described in CERT CA-97.09, which was a buffer overflow in
> the IMAP LOGIN command whereas this vulnerability affects the IMAP
> AUTHENTICATE command. It is important to note that fixed versions of IMAP
> were distributed under the 10.234 version number as well, so version
> numbers alone are not indicative of a safe or vulnerable server.
>
> Reference:
> CERT Advisory CA-98.09: "Buffer Overflow in Some Implementations of IMAP
> Servers" at: http://www.cert.org/advisories/CA-98.09.imapd.html
>
>
> Vulnerability: QPopper Buffer Overflow
> Platforms Affected: Qpopper, SCO Open Server, SCO Internet FastStart
> Risk Level: High
>
> Qualcomm qpopper server versions earlier than 2.5 contain a buffer
> overflow. A remote attacker can issue a PASS command of excessive length
> to the server and cause an internal buffer to be overflowed. This could
> allow an attacker to execute arbitrary code on the server with root
> privileges.
>
> Reference:
> CERT Advisory CA-98.08: "Buffer overflows in some POP servers" at:
> http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
>
> Vulnerability: Overwrite Stack
> Platforms Affected: wu-ftpd
> Risk Level: High
>
> Wu-ftpd macro variables in the message file allow local or remote
> attackers to overwrite the stack in the FTP daemon and execute code as
> root. This is caused by improper bounds checking during the expansion of
> macro variables in the message file.
>
> Reference:
> CERT Advisory CA-99.013: "Multiple Vulnerabilities in WU-FTPD" at:
> http://www.cert.org/advisories/CA-99-13-wuftpd.html
>
>
> Vulnerability: WU-FTP Directory Buffer Overflow
> Platforms Affected: wu-ftpd: 2.5, BeroFTPD,
> Risk Level: High
>
> A vulnerability in Washington University's FTP server (wu-ftpd) and
> servers derived from its source could allow a local or remote attacker to
> execute code as root. A buffer overflow condition exists in bounds
> checking of directory names supplied by users when the server is compiled
Received on Wed May 10 2000 - 17:42:06 CDT
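
Two entries in the alert above come down to file permissions an administrator can check locally: FrontPage `service.pwd` / `administrators.pwd` files left world readable or writable, and `oratclsh` installed suid root. The following audit sketch is an added example, not part of the forwarded alert or of any ISS tool; the function names, finding labels and the demo directory layout are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# File names come from the alert text; everything else here is an assumption.
PWD_FILES = {"service.pwd", "administrators.pwd"}   # FrontPage password stores
SETUID_FILES = {"oratclsh"}                         # Oracle Intelligent Agent Tcl shell


def classify(name, mode, uid):
    """Return the findings for one regular file, given its name, mode bits and owner uid."""
    findings = []
    if name in PWD_FILES:
        if mode & stat.S_IWOTH:
            findings.append("world-writable password file")
        if mode & stat.S_IROTH:
            findings.append("world-readable password file")
    if name in SETUID_FILES and mode & stat.S_ISUID:
        findings.append("setuid root interpreter" if uid == 0 else "setuid interpreter")
    return findings


def audit_tree(root):
    """Walk root without following symlinks; return sorted (relative path, finding) pairs."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, devices, sockets
            for finding in classify(name, stat.S_IMODE(st.st_mode), st.st_uid):
                results.append((os.path.relpath(path, root), finding))
    return sorted(results)


def build_demo_tree():
    """Create a constructed directory tree that mimics the layouts the alert describes."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    layout = {
        "htdocs/_vti_pvt/service.pwd": 0o644,         # world-readable
        "htdocs/_vti_pvt/administrators.pwd": 0o666,  # world-readable and writable
        "htdocs/site2/_vti_pvt/service.pwd": 0o600,   # hardened: owner only
        "oracle/bin/oratclsh": 0o755,                 # setuid bit not set
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, finding in audit_tree(build_demo_tree()):
        print(f"{finding}: {rel}")
```

Point `audit_tree` at a web document root or an Oracle home to get the same report for real files; a clean result is an empty list.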
