Signatures Reference Guide
Version 6.5
Internet Security Systems, Inc.
6303 Barfield Road
Atlanta, Georgia 30328-4233
United States
(404) 236-2600
http://www.iss.net
© Internet Security Systems, Inc. 1998-2001. All rights reserved worldwide. Customers may make reasonable numbers of copies of this
publication for internal use only. This publication may not otherwise be copied or reproduced, in whole or in part, by any other person
or entity without the express prior written consent of Internet Security Systems, Inc.
Patents pending.
Internet Security Systems, the Internet Security Systems logo, The Power To Protect, X-Force, ADDME, Internet Scanner, System
Scanner, Database Scanner, ActiveAlert, X-Press Update, FlexCheck, SecurePartner, SecureU, Secure Steps, and RealSecure are
trademarks and service marks, and SAFEsuite a registered trademark, of Internet Security Systems, Inc. Network ICE, ICEpac, and
ICEcap are trademarks, and BlackICE is a licensed trademark, of Network ICE Corporation, a wholly owned subsidiary of Internet
Security Systems, Inc. SilentRunner is a registered trademark of Raytheon Company. Acrobat and Adobe are registered trademarks of
Adobe Systems Incorporated. Certicom is a trademark and Security Builder is a registered trademark of Certicom Corp. Check Point,
FireWall-1, OPSEC, Provider-1, and VPN-1 are registered trademarks of Check Point Software Technologies Ltd. or its affiliates. Cisco
and Cisco IOS are registered trademarks of Cisco Systems, Inc. HP-UX and OpenView are registered trademarks of Hewlett-Packard
Company. IBM and AIX are registered trademarks of IBM Corporation. Intel and Pentium are registered trademarks of Intel. Lucent is a
trademark of Lucent Technologies, Inc. ActiveX, Microsoft, Windows, and Windows NT are either registered trademarks or trademarks
of Microsoft Corporation. Net8, Oracle, Oracle8, SQL*Loader, and SQL*Plus are trademarks or registered trademarks of Oracle
Corporation. Seagate Crystal Reports, Seagate Info, Seagate, Seagate Software, and the Seagate logo are trademarks or registered
trademarks of Seagate Software Holdings, Inc. and/or Seagate Technology, Inc. Secure Shell and SSH are trademarks or registered
trademarks of SSH Communications Security. iplanet, Sun, Sun Microsystems, the Sun Logo, Netra, SHIELD, Solaris, SPARC, and
UltraSPARC are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All SPARC
trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and
other countries. Adaptive Server, SQL, SQL Server, and Sybase are trademarks of Sybase, Inc., its affiliates and licensers. Tivoli is a
registered trademark of Tivoli Systems Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively
through X/Open Company, Ltd. All other trademarks are the property of their respective owners and are used here in an editorial
context without intent of infringement. Specifications are subject to change without notice.
Copyright © Sax Software (terminal emulation only).
Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if you have
received it from a source other than ISS or the X-Force. Use of this information constitutes acceptance for use in an “AS IS” condition,
without warranties of any kind, and any use of this information is at the user’s own risk. ISS and the X-Force disclaim all warranties,
either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall ISS or the
X-Force be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the
use or dissemination hereof, even if ISS or the X-Force has been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does
not necessarily constitute or imply its endorsement, recommendation, or favoring by Internet Security Systems, Inc. The views and
opinions of authors expressed herein do not necessarily state or reflect those of Internet Security Systems, Inc., and shall not be used for
advertising or product endorsement purposes.
Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet prevents
Internet Security Systems from guaranteeing the content or existence of the resource. When possible, the reference contains alternate
sites or keywords that could be used to acquire the information by other methods. If you find a broken or inappropriate link, please send
an email with the topic name, link, and its behavior to support@iss.net.
December 2001
Internet Security Systems, Inc.
Software License Agreement
THIS SOFTWARE IS LICENSED, NOT SOLD. BY INSTALLING THIS SOFTWARE, YOU AGREE TO ALL OF THE PROVISIONS OF THIS SOFTWARE LICENSE AGREEMENT (“LICENSE”). IF YOU ARE NOT WILLING TO BE BOUND BY THIS LICENSE, RETURN ALL COPIES OF THE
SOFTWARE AND LICENSE KEYS TO ISS WITHIN FIFTEEN (15) DAYS OF RECEIPT FOR A FULL REFUND OF ANY PAID LICENSE FEE. IF THE
SOFTWARE WAS OBTAINED BY DOWNLOAD, YOU MAY CERTIFY DESTRUCTION OF ALL COPIES AND LICENSE KEYS IN LIEU OF RETURN.
1. License - Upon payment of the applicable fees, Internet Security Systems, Inc. (“ISS”) grants to you as the only end user (“Licensee”) a nonexclusive and nontransferable, limited license for the accompanying ISS software product in machine-readable form and the related documentation (“Software”) for use only on the specific network configuration, for the number of devices, and for the time period (“Term”) that are specified in Licensee’s purchase order, as accepted by ISS, and the invoice and license key furnished by ISS. ISS limits use of Software based upon the number and type of devices upon which it may be installed, used, gather data from, or report on, depending upon the specific Software licensed. A device includes any network addressable device connected to Licensee’s network, including remotely, including but not limited to personal computers, workstations, servers, routers, hubs and printers. Licensee may reproduce, install and use the Software on multiple devices, provided that the total number and type are authorized in Licensee’s purchase order, as accepted by ISS, and the invoice and license key furnished by ISS. Licensee may make a reasonable number of backup copies of the Software solely for archival and disaster recovery purposes. If Software is ISS’ SAFEsuite Decisions product, then it is delivered with Seagate Info, a third party software product of Seagate Software Information Management Group Holdings, Inc. Seagate Info is restricted to use with ISS SAFEsuite Decisions and no other application. A license of ISS SAFEsuite Decisions allows Licensee to implement up to three (3) copies of SAFEsuite Decisions of which one (1) of these copies may be for production use. Each Seagate Info license includes ten (10) “Client” licenses and one (1) Report/Query Add-In “Designer” license. Additional copies require additional licenses. Seagate Info is subject to the terms and conditions of the license agreement accompanying such software. ISS will provide to Licensee, upon request and in any event upon delivery of such software, copies of licensing documentation applicable to such software. Seagate Info is supplied by ISS “AS IS”, without any warranties of ISS whatsoever.
2. Covenants - ISS reserves all intellectual property rights in the Software. Licensee agrees: (a) the Software is owned by ISS and/or its licensors, is a valuable trade secret of ISS, and is protected by copyright laws and international treaty provisions; (b) to take all reasonable precautions to protect the Software from unauthorized access, disclosure, copying or use; (c) not to modify, adapt, translate, reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code of the Software; (d) not to use ISS trademarks; (e) to reproduce all of ISS’ and its licensors’ copyright notices on any copies of the Software; (f) not to transfer, lease, assign, sublicense, or distribute the Software or make it available for timesharing, service bureau, or on-line use; and (g) not to disseminate performance information or analysis (including without limitation benchmarks) from any source relating to the Software.
3. Support and Maintenance - During the term for which Licensee has paid the applicable support and maintenance fees, ISS will, upon request, provide software maintenance and support services that it makes generally available under its then current Maintenance and Support Policy. Support and maintenance include telephone support and electronic delivery to Licensee of error corrections and updates to the Software (but NOT new releases or products that substantially increase functionality and are marketed separately) and documentation as described in ISS’ then current Maintenance & Support Policy.
4. Limited Warranty - The commencement date of this limited warranty is the date on which ISS furnishes to Licensee the license key for the Software. For a period of ninety (90) days after the commencement date or for the Term (whichever is less), ISS warrants that the Licensed Software will conform to material operational specifications described in its then current documentation. However, this limited warranty shall not apply unless (i) the Software is installed, implemented, and operated in accordance with all written instructions and documentation supplied by ISS, (ii) Licensee notifies ISS in writing of any nonconformity within the warranty period, and (iii) Licensee has promptly and properly installed all corrections, new versions, and updates made available by ISS to Licensee. Furthermore, this limited warranty shall not apply to nonconformities arising from any of the following: (i) misuse of the Software, (ii) modification of the Software, (iii) failure by Licensee to utilize compatible computer and networking hardware and software, or (iv) interaction with software or firmware not provided by ISS. If Licensee timely notifies ISS in writing of any such nonconformity, then ISS shall repair or replace the Software or, if ISS determines that repair or replacement is impractical, ISS may terminate the applicable licenses and refund the applicable license fees, as the sole and exclusive remedies of Licensee for such nonconformity. THIS WARRANTY GIVES LICENSEE SPECIFIC LEGAL RIGHTS, AND LICENSEE MAY ALSO HAVE OTHER RIGHTS THAT VARY FROM JURISDICTION TO JURISDICTION. ISS DOES NOT WARRANT THAT THE SOFTWARE WILL MEET LICENSEE’S REQUIREMENTS, THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ALL SOFTWARE ERRORS WILL BE CORRECTED. LICENSEE UNDERSTANDS AND AGREES THAT LICENSED SOFTWARE IS NO GUARANTEE AGAINST INTRUSIONS, VIRUSES, TROJAN HORSES, WORMS, TIME BOMBS, CANCELBOTS OR OTHER SIMILAR HARMFUL OR DELETERIOUS PROGRAMMING ROUTINES AFFECTING LICENSEE’S NETWORK, OR THAT ALL SECURITY THREATS AND VULNERABILITIES WILL BE DETECTED OR THAT THE PERFORMANCE OF THE LICENSED SOFTWARE WILL RENDER LICENSEE’S SYSTEMS INVULNERABLE TO SECURITY BREACHES. THE REMEDIES SET OUT IN THIS SECTION 4 ARE THE SOLE AND EXCLUSIVE REMEDIES FOR BREACH OF THIS LIMITED WARRANTY.
5. Warranty Disclaimer - EXCEPT FOR THE LIMITED WARRANTY PROVIDED ABOVE, THE SOFTWARE IS PROVIDED “AS IS” AND ISS HEREBY DISCLAIMS ALL WARRANTIES, BOTH EXPRESS AND IMPLIED, INCLUDING IMPLIED WARRANTIES RESPECTING MERCHANTABILITY, TITLE, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. SOME JURISDICTIONS DO NOT ALLOW DISCLAIMERS OF IMPLIED WARRANTIES, SO THE ABOVE LIMITATION MAY NOT APPLY TO LICENSEE. LICENSEE EXPRESSLY ACKNOWLEDGES THAT NO REPRESENTATIONS OTHER THAN THOSE CONTAINED IN THIS LICENSE HAVE BEEN MADE REGARDING THE GOODS OR SERVICES TO BE PROVIDED HEREUNDER, AND THAT LICENSEE HAS NOT RELIED ON ANY REPRESENTATION NOT EXPRESSLY SET OUT IN THIS LICENSE.
6. Proprietary Rights - ISS represents and warrants that ISS has the authority to license the rights to the Software that are granted herein. ISS shall defend and indemnify Licensee from any final award of costs and damages against Licensee for any actions based on infringement of any U.S. copyright, trade secret, or patent as a result of the use or distribution of a current, unmodified version of the Software; but only if ISS is promptly notified in writing of any such suit or claim, and only if Licensee permits ISS to defend, compromise, or settle same, and only if Licensee provides all available information and reasonable assistance. The foregoing is the exclusive remedy of Licensee and states the entire liability of ISS with respect to claims of infringement or misappropriation relating to the Software.
7. Limitation of Liability - Licensee acknowledges that some of the Software is designed to test the security of computer networks and may disclose or create problems in the operation of the systems tested. Licensee accepts the risk of such possibility and hereby waives all rights, remedies, and causes of action against ISS and releases ISS from all liabilities arising therefrom. ISS’ ENTIRE LIABILITY FOR MONETARY DAMAGES ARISING OUT OF THIS LICENSE SHALL BE LIMITED TO THE AMOUNT OF THE LICENSE FEES ACTUALLY PAID BY LICENSEE UNDER THIS LICENSE, PRORATED OVER A THREE-YEAR TERM FROM THE DATE LICENSEE RECEIVED THE SOFTWARE. IN NO EVENT SHALL ISS BE LIABLE TO LICENSEE UNDER ANY THEORY INCLUDING CONTRACT AND TORT (INCLUDING NEGLIGENCE AND STRICT PRODUCTS LIABILITY) FOR ANY SPECIAL, PUNITIVE, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, DAMAGES FOR LOST PROFITS, LOSS OF DATA, LOSS OF USE, OR COMPUTER HARDWARE MALFUNCTION, EVEN IF ISS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
8. Termination - Licensee may terminate this License at any time by notifying ISS in writing. All rights granted under this License will terminate immediately, without prior written notice from ISS, at the end of the term of the license, if not perpetual. If Licensee fails to comply with any provisions of this License, ISS may immediately terminate this License if such default has not been cured within ten (10) days following written notice of default to Licensee. Upon termination or expiration of the License, Licensee shall cease all use of the Software and destroy all copies of the Software and associated documentation. Termination of this License shall not relieve Licensee of its obligation to pay all fees incurred prior to such termination and shall not limit either party from pursuing any other remedies available to it.
9. General Provisions - This License, together with the identification of the Software, pricing and payment terms stated in the applicable Licensee purchase order as accepted by ISS and ISS invoice and license key, constitute the entire agreement between the parties respecting its subject matter. Standard and other additional terms or conditions contained in any purchase order or similar document are hereby expressly rejected and shall have no force or effect. This License will be governed by the substantive laws of the State of Georgia, USA, excluding the application of its conflicts of law rules. This License will not be governed by the United Nations Convention on Contracts for the International Sale of Goods, the application of which is expressly excluded. If any part of this License is found void or unenforceable, it will not affect the validity of the balance of the License, which shall remain valid and enforceable according to its terms. This License may only be modified in writing signed by an authorized officer of ISS.
10. Notice to United States Government End Users - Licensee acknowledges that any Software furnished under this License is commercial computer software developed at private expense and is provided with RESTRICTED RIGHTS. Any use, modification, reproduction, display, release, duplication or disclosure of this commercial computer software by the United States Government or its agencies is subject to the terms, conditions and restrictions of this License in accordance with the United States Federal Acquisition Regulations at 48 C.F.R. Section 12.212 and Subsection 227.7202-3 or applicable subsequent regulations. Contractor/manufacturer is Internet Security Systems, Inc., 6303 Barfield Road, Atlanta, GA 30328, USA.
11. Export and Import Controls; Use Restrictions - Licensee will not transfer, export, or reexport the Software, any related technology, or any direct product of either except in full compliance with the export controls administered by the United States and other countries and any applicable import and use restrictions. Licensee agrees that it will not export or reexport such items to anyone on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Commerce Department’s Denied Persons List or Entity List, or to any country to which the United States has embargoed goods, or for use with chemical or biological weapons, sensitive nuclear end-uses, or missiles. Licensee represents and warrants that it is not located in, under control of, or a national or resident of any such country or on any such list. Many ISS software products include encryption and export outside of the United States or Canada is strictly controlled by U.S. laws and regulations. Please contact ISS’ Customer Operations for export classification information relating to the Software (customer_ops@iss.net). Licensee understands that the foregoing obligations are U.S. legal requirements and agrees that they shall survive any term or termination of this License.
12. Authority - Because the Software is designed to test or monitor the security of computer network systems and may disclose or create problems in the operation of the systems tested, Licensee and the persons acting for Licensee represent and warrant that: (a) they are fully authorized by the Licensee and the owners of the computer network for which the Software is licensed to enter into this License and to obtain and operate the Software in order to test and monitor that computer network; (b) the Licensee and the owners of that computer network understand and accept the risks involved; and (c) the Licensee shall procure and use the Software in accordance with all applicable laws, regulations and rules.
13. No High Risk Use - Licensee acknowledges that the Software is not fault tolerant and is not designed or intended for use in hazardous environments requiring fail-safe operation, including, but not limited to, aircraft navigation, air traffic control systems, weapon systems, life-support systems, nuclear facilities, or any other applications in which the failure of the Licensed Software could lead to death or personal injury, or severe physical or property damage. ISS disclaims any implied warranty of fitness for High Risk Use.
Revised October 22, 2001
Maintenance Services Policy Statement
Internet Security Systems, Inc., a Georgia Corporation ("ISS"), provides Maintenance Services to customers who have been offered the opportunity by ISS
to purchase these services and have paid the applicable current support and maintenance fees. Maintenance Services include telephone support, error
corrections, and software and documentation updates.
DEFINITIONS
Capitalized terms used in this Policy Statement and not otherwise defined shall have the same meaning as set forth in the body of the End-User License
Agreement (EULA).
"Error" - a situation where the Licensed Software does not function in accordance with the documentation.
"Fix" - the repair or replacement of binary or executable code versions of the Licensed Software to remedy an Error.
"Workaround" - a change in the procedures followed by the Licensee to avoid an Error without substantially impairing use of the Software.
1. TELEPHONE and EMAIL SUPPORT
1.1. Telephone and email support on the installation and use of the Software is available 24 hours a day, every day.
1.2. Installation support includes answering questions and providing a reasonable level of guidance to the Licensee on the installation process.
1.3. Usage support includes answering questions and providing a reasonable level of guidance to the Licensee about the use of the Software, responding to reports of errors in the Software and determining if the reported error is a result of a problem in the Software or an environmental or installation problem. The Licensee is responsible for providing documentation sufficient for ISS to reproduce the Error on its master copy of the Software including a written, detailed description of the problem, log files, core dumps, data files, or any other information requested by ISS.
2. ERROR CORRECTIONS
2.1. ISS is responsible for using commercially reasonable efforts during normal support hours to correct Errors in the current version of the Software in a
timely manner by providing the repair or replacement of object or executable code versions of the Software.
2.2. PRIORITY 1 - CRITICAL ERRORS - A critical priority error renders the software inoperable or causes the Software to substantially fail. Examples of
Critical Priority Errors may include: blue screen, file corruption, or program hangs and requires reboot. ISS will use commercially reasonable efforts
to: a.) assign ISS software engineers to correct the error within twenty-four (24) business hours of ISS determining that a Critical error exists, b.)
provide Licensee with frequent reports on the status of the corrections, c.) provide Licensee with a workaround or fix within (10) business days and,
d.) to include the Fix for the Error in the next major release of the Software.
2.3. PRIORITY 2 - HIGH ERRORS - A High Priority Error substantially degrades the performance and/or causes serious limitations in the use of the
Software. Examples of High Priority Errors may include: problem results in lack of functionality and major inconvenience for customers, workaround
quite difficult to implement, or prevents other areas of the product from functioning as expected. ISS will use commercially reasonable efforts to: a.)
assign ISS software engineers to correct the error within ten (10) business days of ISS determining that a High Priority error exists, b.) provide
Licensee with periodic reports on the status of the corrections, c.) provide Licensee with a workaround or fix within (30) business days and, d.) to
include the Fix for the Error in the next major release of the Software.
2.4. PRIORITY 3 - MEDIUM ERRORS - A medium priority error has minor impact on overall product use. Examples of Medium Priority Errors may include: content is formatted or represented incorrectly, or a workaround exists but the behavior is still a bug. ISS will use commercially reasonable efforts to include the Fix for the Error in the next major release of the Software.
2.5. PRIORITY 4 - LOW ERRORS - A low priority error is any other error in the Software. Low Priority Errors are typically cosmetic in nature (i.e. spelling,
punctuation, etc.). ISS will use commercially reasonable efforts to include the Fix for the Error in a future release of the Software.
2.6. PRIORITY 5 - ENHANCEMENT REQUESTS - any new feature requests. All enhancements requests are submitted to marketing for consideration in
a future release of the Software.
2.7. Errors not caused by the Software. If ISS reasonably believes that a problem reported by Licensee may not be due to an Error in the Software, ISS will so notify Licensee, and ISS shall not proceed further, unless so instructed in writing by Licensee. If upon resolution of the problem it is determined that the reported problem is not the result of an Error in the Software, the Customer will be invoiced for time and materials at ISS's then standard rates for the time spent in the resolution process.
2.8. No Support of Altered Versions of the Software. ISS shall have no obligation to correct Errors or provide telephone support on any version of the
Software that has been altered or modified by the Licensee.
3. SOFTWARE AND DOCUMENTATION UPDATES
3.1. ISS shall make available to the Licensee upgrades, improvements and modifications to the Software such as improvements in use and usability and new vulnerability checks. ISS will provide to Licensee all such upgrades, improvements or modifications of the Software that ISS makes generally available to other ISS customers and does not market as independent products or modules.
Contents
3Com AirConnect Access Point "Accepts Broadcast Wireless LAN Service Area" feature is enabled (SNMP_Suspicious_Set), p. 1
3Com AirConnect Access Point "Access Control" function is disabled (SNMP_Suspicious_Set), p. 2
3Com AirConnect Access Point Access Control Violation Trap is disabled (SNMP_Suspicious_Set), p. 3
3Com AirConnect Access Point ships with default wireless LAN Service Area ID (SNMP_Suspicious_Set), p. 4
3Com AirConnect Access Point telnet logins enabled (SNMP_Suspicious_Set), p. 5
VTCP.386 is out of date (Land), p. 6
Account policy was changed (Account_policy_change), p. 7
Security identifier failed to be written to Windows 2000 security principal sIDHistory (Add_SID_failure), p. 8
Security identifier added to Windows 2000 security principal sIDHistory (Add_SID_success), p. 9
RPC admind insecure authentication (Admind), p. 10
IBM C Set ++ pdnsd for AIX contains a remotely exploitable buffer overflow (AIX_Pdnsd_BO), p. 11
Allaire JRun Server JSP files could be executed as JSP scripts on the server (Allaire_JRun_JSP_Execute), p. 12
Allaire JRun 2.3.x sample files allow remote access (Allaire_JRun_Sample_Files), p. 13
Allaire JRun Server SSIFilter with malformed URL could be used to access files (Allaire_JRun_SSIFilter), p. 14
Allaire JRun allows file access using malformed WEB-INF directory request (Allaire_JRun_WebInf_DotSlash), p. 15
Allaire JRun Server could allow unauthorized access to WEB-INF directory (Allaire_JRun_WebInf_SlashSlash), p. 15
Automounter daemon buffer overflow can lead to remote root access (Amd_Overflow), p. 16
Automounter daemon can be remotely queried for its process ID (Amd_Pid), p. 18
Automounter daemon allows users to remotely query for system information (Amd_Version), p. 20
Solaris AnswerBook2 administration interface (AnswerBook2_Admin), p. 22
Solaris AnswerBook2 Web interface could allow remote execution (AnswerBook2_Execute), p. 23
L0pht AntiSniff ARP test detected (AntiSniff_ARP_Test), p. 24
L0pht AntiSniff DNS test detected (AntiSniff_DNS_Test), p. 25
AOL Admin backdoor for Windows and AOL (AolAdmin), p. 26
ARP host down detection (Arp), p. 27
Ascend and 3Com router malformed TCP packet denial of service (Ascend_Kill), p. 28
Asylum RAT (Remote Access Tool) backdoor for Windows (Asylum), p. 29
Audit log manually cleared by a user with appropriate privileges (Audit_log_cleared), p. 30
Audit policy settings changed manually (Audit_policy_change), p. 30
Authentication package load (Authentication_package_loaded), p. 31
Authentication ticket granted to a Windows 2000 security principal (Authentication_ticket_granted), p. 32
Authentication ticket request failed (Authentication_ticket_request_failed), p. 33
BackConstruction backdoor for Windows (BackConstruction), p. 33
Backdoor2 for Windows (BackDoor2), p. 34
Back Orifice default installation (BackOrifice), p. 35
Back Orifice 2000 allows complete remote administrative control (BackOrifice2000), p. 36
BigGluck backdoor for Windows (BigGluck), p. 37
BIND Inverse-Query buffer overflow allows remote root access (DNS_Length_Overflow), p. 38
BIND servers can be remotely queried for their version numbers (Bind_Version_Request), p. 40
Blazer5 backdoor for Windows 95/98 and NT (Blazer5), p. 40
Bootpd remote buffer overflow (Bootp_Remote_Overflow), p. 41
Bootparamd whoami (Bootparam), p. 42
Brute force login attack attempted (Brute_force_login_attack), p. 43
Brute force login attack most likely successful (Brute_force_login_likely_successful), p. 44
Bugs backdoor for Windows 95/98 and NT (Bugs), p. 45
C2 auditing is disabled (C2_AUDIT_IS_OFF) . . . . . 46
Password change attack attempted (Change_password_attack) . . . . . 46
Password change attack possibly successful (Change_password_attack_likely_successful) . . . . . 47
Executable, system file, or other file modified (Changes_to_important_files) . . . . . 48
Chargen patch not applied (Chargen_Denial_of_Service) . . . . . 48
Chargen denial of service (Chargen_Denial_of_Service) . . . . . 49
AUE_CHMOD or AUE_FCHMOD calls success and setuid bit is being turned on (Chmod_setuid) . . . . . 51
Chupacabra backdoor for Windows (Chupacabra) . . . . . 52
Cisco Aironet Access Point Broadcast SSID (SNMP_Suspicious_Set) . . . . . 53
Cisco land denial of service (Land) . . . . . 55
Cisco equipment can be used to send ICMP pings through SNMP (SNMP_Suspicious_Get) . . . . . 56
Cisco IOS "cable-docsis" community string (Cisco_Cable_Docsis_SNMP_Community) . . . . . 56
Cisco Catalyst switches can be remotely crashed (Cisco_CR_DoS) . . . . . 57
Cisco equipment identifies itself with packets returned from port 1999 (Cisco_Ident) . . . . . 58
Cisco IOS hidden ILMI community string could allow modification of SNMP objects
(Cisco_ILMI_SNMP_Community) . . . . . 59
Cisco IOS can be remotely crashed by invalid UDP packet (Cisco_Syslog_DoS) . . . . . 60
Coma backdoor for Windows 95/98 (Coma) . . . . . 61
Compaq Web-Based Management buffer overflow (Compaq_Insight_Cpqlogin_Overflow) . . . . . 62
Compaq Management Agent denial of service (Compaq_Insight_DoS) . . . . . 63
Compaq Insight Management Agent allows remote retrieval of files (Compaq_Insight_Fileread) . . . . . 64
Windows 2000 computer account changed (Computer_account_changed) . . . . . 65
Windows 2000 computer account created (Computer_account_created) . . . . . 66
Windows 2000 computer account deleted (Computer_account_deleted) . . . . . 67
Config file change failed (Config-log_files_delete_failed) . . . . . 67
Config-log files deleted (Config-log_files_deleted) . . . . . 68
Connection backdoor for Windows 95/98 (Connection_Backdoor) . . . . . 69
Process created core file; effective UID is root, real id is non-root (Core_event_setuid) . . . . . 70
CrazzyNet backdoor for Windows (CrazzyNet) . . . . . 71
CyberCop Scanner is a commercial network vulnerability auditing tool (CyberCop_Scanner) . . . . . 72
Unauthorized attempt to start DCOM server with DefaultLaunchPermission (dcomdef_deny) . . . . . 73
Unauthorized attempt to start DCOM server (dcomsrv_deny) . . . . . 73
Invalid packet with all TCP options set (IPProtocolViolation) . . . . . 74
DeepThroat backdoor for Windows (DeepThroat) . . . . . 75
Deltasource backdoor for Windows (DeltaSource) . . . . . 76
RealSecure sensor error message (Detector_Error) . . . . . 77
RealSecure sensor information message (Detector_Info) . . . . . 78
RealSecure sensor warning message (Detector_Warning) . . . . . 79
Devil backdoor for Windows (Devil) . . . . . 80
DG/UX finger shell metacharacters allowed (Finger_Perl) . . . . . 81
DHCP Ack from server to client (DHCP_Ack) . . . . . 82
Client broadcasts DHCP Discover messages to locate available servers (DHCP_Discover) . . . . . 82
Client DHCP Request (DHCP_Request) . . . . . 83
Disk space at or near capacity (Disk_space_shortage) . . . . . 84
DNS request made for all records (DNS_All) . . . . . 84
Microsoft DNS Server - excessive bad packets received (dns_bad_pkts) . . . . . 85
Microsoft DNS Server - CNAME loop during caching (dns_cname) . . . . . 86
DNS HINFO request (DNS_HInfo) . . . . . 87
DNS hostname exceeding maximum length (DNS_Hostname_Overflow) . . . . . 87
Microsoft DNS Server - Invalid domain name (dns_inv_dom) . . . . . 89
Microsoft DNS Server - Invalid domain name offset in DNS message packet (dns_inv_dom_offset) . . . . . 89
Microsoft DNS Server - Invalid domain name in DNS message packet (dns_inv_dom_pkt) . . . . . 90
Microsoft DNS Server - Invalid DNS UPDATE message in DNS packet (dns_inv_updated) . . . . . 91
DNS server inverse queries (DNS_Iquery) . . . . . 92
Overflowing DNS IPv4 length allows attackers to gain access (DNS_Length_Overflow) . . . . . 93
Microsoft DNS Server - Domain name exceeding maximum packet length (dns_maxlen_pkt) . . . . . 95
Microsoft DNS Server - Name offset exceeding DNS message packet length (dns_name_offset) . . . . . 95
BIND 8.2 and 8.2.1 remote buffer overflow in the processing of NXT records (DNS_NXT_Overflow) . . . . . 96
BIND 8.2.x transaction signature (TSIG) buffer overflow (DNS_TSIG_Overflow) . . . . . 98
Zone transfer request for non-existent or non-authoritative zone (dns_unauth_xfer) . . . . . 102
Microsoft DNS Server - DNS Zone Transfers from high ports (DNS_Zone_High_Port) . . . . . 103
Microsoft DNS Server - DNS honors zone transfer requests (DNS_Zone_Transfer) . . . . . 103
Doly backdoor for Windows (Doly) . . . . . 104
Donald Dick backdoor for Windows (DonaldDick) . . . . . 105
Desktop Protection System Server reported a critical event (DPS_Server_Critical_Event) . . . . . 106
Stack overflow error reported by Dr. Watson diagnostic tool (drw_stack_ovflw) . . . . . 107
Echo service (Echo_Denial_of_Service) . . . . . 108
ALMail POP3 overflow in SMTP processing code (Email_Almail_Overflow) . . . . . 109
AMaViS virus scanner allows arbitrary command execution as root (Email_Amavis_Exec) . . . . . 110
SMTP in debug mode (Email_Debug) . . . . . 111
Sendmail decode/uudecode alias could allow remote file creation (Email_Decode) . . . . . 112
SMTP daemon supports EHLO (Email_Ehlo) . . . . . 113
Exchange Server Information Store (store.exe) denial of service (Email_ExchangeStore_DoS) . . . . . 114
SMTP EXPN command (Email_Expn) . . . . . 115
SMTP EXPN buffer overflow can crash or obtain access (Email_Expn_Overflow) . . . . . 117
Email From (Email_From) . . . . . 118
SMTP HELO buffer overflow can crash or obtain access (Email_Helo_Overflow) . . . . . 118
Listserv buffer overflow allows execution of arbitrary code (Email_Listserv_Overflow) . . . . . 120
Microsoft Outlook date header buffer overflow (Email_Outlook_Date_Overflow) . . . . . 121
Sendmail pipe attack (Email_Pipe) . . . . . 122
Qmail long SMTP command denial of service (Email_Qmail_Length) . . . . . 123
Qmail email RCPT denial of service (Email_Qmail_Rcpt) . . . . . 124
Third-party mail relaying can be used to obfuscate the origin of emails (Email_Relay_Spam) . . . . . 125
Email subject (Email_Subject) . . . . . 126
Email to (Email_To) . . . . . 126
Avirt mail server allows remote users to create directories (Email_To_Dot_Dot) . . . . . 127
SMTP TURN command reverses connections (Email_Turn) . . . . . 128
SMTP verify (VRFY) command can be used to validate users (Email_Vrfy) . . . . . 128
SMTP VRFY buffer overflow can crash or obtain access (Email_Vrfy_Overflow) . . . . . 130
Sendmail wizard (WIZ) backdoor allows anonymous remote root access (Email_WIZ) . . . . . 132
Microsoft Exchange Server SMTP and NNTP denial of service (Email_Xchg_Auth) . . . . . 133
RealSecure event collector error message (EventCollector_Error) . . . . . 134
RealSecure Event Collector information message (EventCollector_Info) . . . . . 135
RealSecure event collector warning message (EventCollector_Warning) . . . . . 136
Event Horizon backdoor for Windows (EventHorizon) . . . . . 136
EvilFTP backdoor FTP server for Windows (EvilFTP_Backdoor) . . . . . 137
Windows event log file corrupted (evt_logcorrupt) . . . . . 138
Windows event log full (evt_logfull) . . . . . 139
Windows event log file cannot be opened (evt_openfail) . . . . . 141
Exchange administrative user connected (Exchange55_administrator_connect) . . . . . 141
Exchange Administrator logged in (Exchange55_administrator_login_as_user) . . . . . 142
Exchange POP3 server dropped connection (Exchange55_pop3_authentication_failures) . . . . . 143
Exchange POP3 server unauthenticated command (Exchange55_unauthenticated_pop3_command) . . . . . 143
Exchange POP3 server invalid unauthenticated command
(Exchange55_unauthenticated_pop3_command_invalid) . . . . . 144
Exchange POP3 server invalid unauthenticated arguments
(Exchange55_unauthenticated_pop3_command_invalidargs) . . . . . 145
Exchange POP3 server incorrect number of unauthenticated arguments
(Exchange55_unauthenticated_pop3_command_wrongargs) . . . . . 146
Exchange View Administrative user logged in (Exchange55_view_administrator_login) . . . . . 146
Exchange administrative user connected (Exchange_administrator_connect) . . . . . 147
Exchange Administrator logged in (Exchange_administrator_login_as_user) . . . . . 148
Exchange anonymous logon (Exchange_anonymous_logon) . . . . . 148
Exchange IMAP server dropped connection (Exchange_imap_authentication_failures) . . . . . 149
Exchange mailbox logon failed (Exchange_logon_failure) . . . . . 149
Exchange mail sent as another user (Exchange_mail_sent_as) . . . . . 150
Exchange mail sent on behalf of another user (Exchange_mail_sent_on_behalf) . . . . . 151
Exchange NNTP server dropped connection (Exchange_nntp_authentication_failures) . . . . . 151
Exchange POP3 server dropped connection (Exchange_pop3_authentication_failures) . . . . . 152
Exchange personal storage file password saved (Exchange_PST_passwords_saved) . . . . . 153
Exchange security attributes changed (Exchange_security_attribute_change) . . . . . 153
Exchange service account password change (Exchange_service_password_change) . . . . . 154
Exchange IMAP server unauthenticated command (Exchange_unauthenticated_imap_command) . . . . . 155
Exchange unauthenticated logon attempt (Exchange_unauthenticated_logon_attempt) . . . . . 155
Exchange NNTP server unauthenticated command (Exchange_unauthenticated_nntp_command) . . . . . 156
Exchange POP3 server unauthenticated command (Exchange_unauthenticated_pop3_command) . . . . . 157
Exchange POP3 server invalid unauthenticated command
(Exchange_unauthenticated_pop3_command_invalid) . . . . . 158
Exchange POP3 server invalid unauthenticated arguments
(Exchange_unauthenticated_pop3_command_invalidargs) . . . . . 158
Exchange POP3 server incorrect number of unauthenticated arguments
(Exchange_unauthenticated_pop3_command_wrongargs) . . . . . 159
Exchange mailbox accessed by other user (Exchange_user_login_into_other_users_mailbox) . . . . . 160
Exchange View Administrative user logged in (Exchange_view_administrator_login) . . . . . 161
System file or executable modification attempt failed (Failed_change_of_important_files) . . . . . 162
Failed login attempt to a disabled user account (Failed_login-account_disabled) . . . . . 162
Failed login attempt to an expired user account (Failed_login-account_expired) . . . . . 163
Failed login attempt to a locked user account (Failed_login-account_locked_out) . . . . . 164
Windows NT user account locked out (Failed_login-account_locked_out_New) . . . . . 165
Failed login attempt with invalid username or password (Failed_login-bad_username_or_password) . . . . . 165
Failed login attempt when net logon is not active (Failed_login-net_logon_not_active) . . . . . 166
Login attempt by user not authorized for console login (Failed_login-not_authorized_for_console_login) . . . . . 167
Failed login attempt by user without the right to access the computer from the network
(Failed_login-not_authorized_for_this_type_of_login) . . . . . 168
Failed login with an expired password (Failed_login-password_expired) . . . . . 169
Failed login attempt during restricted access hours (Failed_login-time_restriction_violation) . . . . . 169
Login attempt failed for an unknown reason (Failed_login-unknown_error) . . . . . 170
Finger bomb recursive request (Finger_Bomb) . . . . . 171
Finger perl attempt (Finger_Perl) . . . . . 172
Finger buffer overflow allows root access (Finger_RTM) . . . . . 173
Finger user (Finger_User) . . . . . 173
Forced Entry backdoor for Windows (ForcedEntry) . . . . . 174
Fore backdoor for Windows 95/98 (Fore) . . . . . 175
Freak88 allows a remote attacker to coordinate small-scale DDoS attacks (Freak88) . . . . . 176
Frenzy backdoor for Windows 95/98 (Frenzy) . . . . . 176
FSP daemon running (FSP_Detected) . . . . . 177
FTGate Web interface allows remote attackers to read files from the system (HTTP_DotDot) . . . . . 179
AIX ftpd daemon buffer overflow (FTP_AIX_Overflow) . . . . . 179
Ftpd args core dump (FTP_Args) . . . . . 180
FTP bounce attack could allow attackers to 'proxy' connections (FTP_Bounce) . . . . . 181
FTP server command contains format string (FTP_Format_String) . . . . . 182
FTP get file (FTP_Get) . . . . . 183
Multiple FTP servers glob(3) expansion buffer overflow (FTP_Glob_Expansion) . . . . . 184
Multiple FTP servers glob(3) implementation buffer overflow (FTP_Glob_Implementation) . . . . . 186
FTP mkdir (FTP_Mkdir) . . . . . 188
NetTerm ftp 'dele' command buffer overflow (FTP_NetTerm_Dele_Overflow) . . . . . 188
NetTerm ftp 'dir' command buffer overflow (FTP_NetTerm_Dir_Overflow) . . . . . 189
NetTerm ftp 'ls' command buffer overflow (FTP_NetTerm_Ls_Overflow) . . . . . . . . . . . . . . . . . . . . . . 190
NetTerm ftp 'mkd' command buffer overflow (FTP_NetTerm_Mkd_Overflow) . . . . . . . . . . . . . . . . . . . 190
NetTerm ftp 'pass' command buffer overflow (FTP_NetTerm_Pass_Overflow) . . . . . . . . . . . . . . . . . . 191
NetTerm ftp 'rmdir' command buffer overflow (FTP_NetTerm_Rmdir_Overflow) . . . . . . . . . . . . . . . . . 192
FTP password (FTP_Pass) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Privileged port attack enabled on FTP server (FTP_PrivilegedBounce) . . . . . . . . . . . . . . . . . . . . . . . . 193
FTP privileged port bounce can conceal attacker's identity (FTP_PrivilegedPort) . . . . . . . . . . . . . . . . . 195
FTP put file (FTP_Put) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
FTP CWD ~root login (FTP_Root) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
FTP root login success detected (FTP_root_login) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
FTP site command (FTP_Site_Cmd) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
FTP SITE EXEC can allow arbitrary command execution (FTP_Site_Exec_DotDot) . . . . . . . . . . . . . . . . 199
FTP Site Exec Tar allows remote access (FTP_Site_Exec_Tar) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
FTP SYST command (FTP_Syst) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
FTP username (FTP_User) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
FTP user login success detected (FTP_user_login) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
FireWall-1 misconfiguration could allow attackers to manipulate filter modules (FW1_Auth_As_Local) . . 203
FireWall-1 FWA1 authentication weakness (FW1_Auth_Replay) . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
FireWall-1 allows remote "get topology" requests without authentication (FW1_GetTopology). . . . . . . . 206
GateCrasher backdoor for Windows (GateCrasher) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Gauntlet Firewall CyberPatrol integration buffer overflow (Gauntlet_CyberDaemon_Overflow) . . . . . . . . 208
Gauntlet ICMP packet denial of service (Gauntlet_ICMP_DoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
GayOL backdoor for Windows and AOL (GayOL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Buffer overflows can lead to arbitrary command execution (Generic_Intel_Overflow) . . . . . . . . . . . . . . 211
GirlFriend backdoor for Windows (GirlFriend) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Glacier backdoor for Windows (Glacier) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Global group access or privileges modified (Global_group_changed) . . . . . . . . . . . . . . . . . . . . . . . . . 214
Global group created on the domain (Global_group_created). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Global group deleted from the domain (Global_group_deleted). . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Global group membership modified - user added (Global_group_user_added) . . . . . . . . . . . . . . . . . . . 216
Global group membership modified - user removed (Global_group_user_removed) . . . . . . . . . . . . . . . 217
Gnutella Connection (Gnutella_Connect) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Gnutella Download (Gnutella_Download) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Gnutella Worm (Gnutella_Worm) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Windows 2000 group type change (Group_type_changed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Logon event by a Guest user (Guest_user_login) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Hack'a'Tack backdoor for Windows (HackATack). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Hacker's Paradise backdoor for Windows 95/98 and NT (HackersParadise) . . . . . . . . . . . . . . . . . . 222
Host Control backdoor for Windows (HostControl) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
HP OpenView hidden SNMP community (HP_OpenView_SNMP_Backdoor) . . . . . . . . . . . . . . . . . . . . 225
HP-UX rlpd print protocol daemon buffer overflow (HPUX_RLPD_Overflow) . . . . . . . . . . . . . . . . . . . . 226
Alibaba Web server allows browsing the file system outside the server root directory (HTTP_DotDot) . . 228
Glimpse HTTP aglimpse allows remote command execution (HTTP_Glimpse) . . . . . . . . . . . . . . . . . . . 228
IIS 3.0 script source revealed by appending 2E to requests (HTTP_IIS3_Asp_Dot) . . . . . . . . . . . . . . . 230
IIS ASP source visible (HTTP_IIS3_Asp_Dot) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Sybase PowerDynamo PWS allows remote file system traversal (HTTP_DotDot) . . . . . . . . . . . . . . . . 232
TeamTrack HTTP server allows browsing the file system outside the server root directory (HTTP_DotDot) . . . . . 233
3Com AirConnect Easy Setup Web Access (HTTP_3com_AirConnect_EasySetup) . . . . . . . . . . . . . . . 233
3Com AirConnect Filtering Setup Web Access (HTTP_3com_AirConnect_FilteringSetup). . . . . . . . . . . 234
3Com AirConnect Firmware Web Access (HTTP_3com_AirConnect_FirmwareSetup) . . . . . . . . . . . . . 235
3Com AirConnect Modem Setup Web Access (HTTP_3com_AirConnect_ModemSetup) . . . . . . . . . . . 236
3Com AirConnect RF Setup Web Access (HTTP_3com_AirConnect_RFSetup) . . . . . . . . . . . . . . . . . . 236
3Com AirConnect Security Setup Web Access (HTTP_3com_AirConnect_SecuritySetup) . . . . . . . . . . 237
3Com AirConnect SNMP Setup Web Access (HTTP_3com_AirConnect_SNMPSetup). . . . . . . . . . . . . 238
3Com AirConnect Special Functions Web Access (HTTP_3com_AirConnect_SpecialFunctions). . . . . . . 239
3Com AirConnect System Setup Web Access (HTTP_3com_AirConnect_SystemSetup) . . . . . . . . . . . 239
ActiveX allows local command execution (HTTP_ActiveX) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
HTTP Anyform (HTTP_AnyForm). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
AnyForm CGI script allows remote execution of arbitrary commands (HTTP_AnyFormPost) . . . . . . . . . 242
Apache HTTP server beck exploit (HTTP_Apache_DOS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
HTTP authentication (HTTP_Authentication) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Axis StorPoint CD servers could allow remote access to admin pages (HTTP_Axis_Storpoint) . . . . . . . 244
Win32 CGI programs written as DOS batch files could allow remote command execution (HTTP_BAT_Execute) . . . . . 245
Brown Orifice HTTPD (HTTP_BrownOrifice) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Squid cachemgr.cgi script can be used to remotely proxy portscans (HTTP_Cachemgr) . . . . . . . . . . . 248
Campas cgi-bin file executes remote commands (HTTP_Campas) . . . . . . . . . . . . . . . . . . . . . . . . . . 249
iCat Carbo Server allows remote file viewing (HTTP_Carbo_Server) . . . . . . . . . . . . . . . . . . . . . . . . . 250
Carello Web shopping cart add.exe allows remote file creation and duplication (HTTP_Carello) . . . . . . 251
Cart32 shopping cart allows remote attackers to change admin password
(HTTP_Cart32_ChangeAdminPassword) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Cart32 shopping cart allows remote access to client lists and admin functions (HTTP_Cart32_ClientList) . . . . . 253
Cart32 shopping cart allows remote access to server installation details (HTTP_Cart32_Expdate) . . . . 254
Cdomain whois_raw.cgi script allows remote execution of arbitrary commands (HTTP_Cdomain) . . . . . 254
Cisco Aironet Web Configuration in use (HTTP_Cisco_Aironet_Webconfig) . . . . . . . . . . . . . . . . . . . . 255
Cisco Catalyst allows anonymous user to execute commands (HTTP_Cisco_Catalyst_Exec) . . . . . . . . . 256
Cisco IOS routers denial of service caused by HTTP commands (HTTP_Cisco_IOS_DoS) . . . . . . . . . . . 257
Cisco IOS query denial of service (HTTP_Cisco_IOS_Query_DoS). . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Classifieds.cgi script allows a remote attacker to read arbitrary files off servers (HTTP_Classifieds_Post) . . . . . 259
ColdFusion Expression Evaluator allows remote file manipulation (HTTP_Cold_Fusion) . . . . . . . . . . . . . 260
ColdFusion Web administration feature can be used to stop the CF server (HTTP_ColdFusion_Admin). . 261
ColdFusion CFCACHE tag could expose temporary files with sensitive information (HTTP_ColdFusion_Cfcache) . . . . . 262
ColdFusion email example script can be used to view arbitrary files (HTTP_ColdFusion_Email_ExampleApp) . . . . . 263
ColdFusion sample program can be used to confirm existence of arbitrary files (HTTP_ColdFusion_FileExists) . . . . . 264
ColdFusion sample program can allow remote users to read any file (HTTP_ColdFusion_SourceWindow) 265
ColdFusion syntax checker could consume all processor resources (HTTP_ColdFusion_SyntaxChecker_DOS) . . . . . 266
ColdFusion sample can reveal source to any CFM file (HTTP_ColdFusion_ViewExample) . . . . . . . . . . . . 266
ColdFusion Web publish example script can be used to upload and execute files
(HTTP_ColdFusion_WebPublish_ExampleApp) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Cookies passed to Web browser (HTTP_Cookie) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Count.cgi allows remote users to view arbitrary GIF files (HTTP_Count) . . . . . . . . . . . . . . . . . . . . . . 269
Dansie shopping cart backdoor allows attacker to execute arbitrary commands (HTTP_Dansie_Backdoor) . . . . . 270
Dansie Shopping Cart contains hidden email routine (HTTP_Dansie_Cart) . . . . . . . . . . . . . . . . . . . . . 271
Dansie shopping cart allows retrieval of sensitive configuration information (HTTP_Dansie_Infoleak) . . . 272
HTTP "dot dot" sequences (HTTP_DotDot) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Dragon Fire IDS allows remote command execution through dfire.cgi script (HTTP_DragonFire). . . . . . 274
ECWare IIS CGI program denial of service (HTTP_ECware_DoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
EZMall 2000 shopping cart misconfiguration exposes the order log (HTTP_EZMall2000) . . . . . . . . . . 276
EZshopper loadpage.cgi could be used to execute arbitrary commands (HTTP_EZShopper_Loadpage) . 276
EZshopper search.cgi could be used to execute arbitrary commands (HTTP_EZShopper_Search). . . . . 277
HylaFax faxsurvey CGI allows execution of commands (HTTP_FaxSurvey) . . . . . . . . . . . . . . . . . . . . . . 278
FormMail CGI program multiple vulnerabilities (HTTP_FormMail) . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
FrontPage Server Extensions device name denial of service (HTTP_FrontPage_DeviceName) . . . . . . . . 280
FrontPage Server Extensions Visual Studio RAD Support sub-component buffer overflow
(HTTP_Frontpage_Extensions_RAD_Overflow) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
HTTP get (HTTP_Get) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Glimpse Web server allows remote command execution (HTTP_Glimpse) . . . . . . . . . . . . . . . . . . . . . 283
Guestbook could allow execution of commands from remote (HTTP_Guestbook) . . . . . . . . . . . . . . . . 284
HTTP HEAD request detected (HTTP_Head). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Home Free CGI search.cgi script allows remote directory listings (HTTP_HomeFree_Search). . . . . . . . 286
Htmlscript CGI allows remote file reading (HTTP_HTMLScript) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Internet Explorer 3.0 allows remote command execution (HTTP_IE3_URL) . . . . . . . . . . . . . . . . . . . . 287
Win32 Web servers remote command execution through .CMD and .BAT files (HTTP_IE_BAT) . . . . . . 288
IIS ASP DATA issue could reveal source code (HTTP_IIS$DATA) . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
IIS ASP dot bug (HTTP_IIS3_Asp_Dot) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
IIS 4.0/5.0 escaped percent found (HTTP_IIS_Double_Eval_Evasion) . . . . . . . . . . . . . . . . . . . . . . . . 291
IIS 4.0/5.0 malformed hex sequence (HTTP_IIS_Hex_Evasion) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
IIS idq.dll ISAPI extension buffer overflow (HTTP_IIS_Index_Server_Overflow). . . . . . . . . . . . . . . . . . . . 292
IIS 5.0 ISAPI Internet Printing Protocol extension buffer overflow (HTTP_IIS_ISAPI_Printer_Overflow) . . . 295
IIS allows remote attackers to obtain source code fragments using +.htr (HTTP_IIS_Obtain_Code) . . . . 297
IIS 4.0/5.0 malformed double percent sequence (HTTP_IIS_Percent_Evasion) . . . . . . . . . . . . . . . . . 299
IIS and SiteServer Showcode.asp sample file allows remote file viewing (HTTP_IIS_Showcode) . . . . . . . 299
IIS %u Unicode encoding detected (HTTP_IIS_Unicode_Encoding) . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
IIS Unicode translation error allows remote command execution (HTTP_IIS_Unicode_Translation) . . . . . 301
IIS %u Unicode wide character encoding detected (HTTP_IIS_Unicode_Wide_Encoding) . . . . . . . . . . . . 303
IIS URL decoding error could allow remote code execution (HTTP_IIS_URL_Decoding) . . . . . . . . . . . . . 305
UTF8 found in the HTTP data (HTTP_IIS_UTF8_Evasion) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
IIS ExAir sample site denial of service (HTTP_IISExAir_DoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
IIS buffer overflow in HTR requests can allow remote code execution (HTTP_IISHTR_Overflow) . . . . . . . 308
Microsoft Index Server idq.dll allows remote directory traversal (HTTP_IndexServer_IDQ) . . . . . . . . . . 310
Microsoft Index Server webhits.dll allows remote directory traversal (HTTP_IndexServer_Webhits) . . . . 311
info2www script allows remote execution of commands (HTTP_Info2WWW) . . . . . . . . . . . . . . . . . . 312
HTTP Java (HTTP_Java) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
jj CGI program could allow remote command execution (HTTP_JJ) . . . . . . . . . . . . . . . . . . . . . . . . . 314
WebLogic allows users to read source of JSP files (HTTP_JSP_SourceRead) . . . . . . . . . . . . . . . . . . 314
MachineInfo script reveals system information (HTTP_MachineInfo) . . . . . . . . . . . . . . . . . . . . . . . . . 315
IIS unauthorized ODBC data access with RDS (HTTP_MDAC_Access). . . . . . . . . . . . . . . . . . . . . . . . 316
Internet Explorer msradio buffer overflow (HTTP_MSRadio_Overflow) . . . . . . . . . . . . . . . . . . . . . . . . 319
NCSA httpd allows remote users to execute commands (HTTP_NCSA_Buffer_Overflow) . . . . . . . . . . . 320
Netscape Enterprise Server allows remote directory listing (HTTP_Netscape_List_Directories). . . . . . . 321
Netscape Enterprise Server can be tricked into listing Web directories (HTTP_Netscape_PageServices) 322
Netscape Enterprise Server REVLOG denial of service (HTTP_Netscape_Revlog) . . . . . . . . . . . . . . . . 322
Netscape servers could reveal source code to some scripts (HTTP_Netscape_SpaceView) . . . . . . . . . 323
Nimda worm propagation (HTTP_Nimda_Riched20dll) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Novell Convert.bas Web server script (HTTP_Novell_Convert) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Novell CGI script files.pl could allow remote file viewing (HTTP_Novell_Files). . . . . . . . . . . . . . . . . . . . 327
Nph-test-cgi program remote users can list files (HTTP_NphTestCgi) . . . . . . . . . . . . . . . . . . . . . . . . 328
Netscape Enterprise and Fasttrack authentication buffer overflow (HTTP_NS_Admin_Overflow) . . . . . . 329
Win32 Web servers allow access to files requested using the 8.3 format (HTTP_NT8.3_Filename) . . . 330
Oracle Application Server shared library (ndwfn4.so) buffer overflow (HTTP_Oracle_Appserver_Overflow) 332
Order Form shopping cart misconfiguration exposes order information (HTTP_Orderform) . . . . . . . . . 333
PDGSoft’s Shopping Cart misconfiguration exposes config and order files (HTTP_PDGSoft) . . . . . . . . . 334
IRIX pfdispaly.cgi program was not fixed by a previous SGI patch (HTTP_Pfdisplay_Execute) . . . . . . . . . 335
SGI pfdispaly.cgi script allows remote file viewing with server privileges (HTTP_Pfdisplay_Read) . . . . . . 335
Phone book CGI phf allows remote execution of arbitrary commands (HTTP_PHF) . . . . . . . . . . . . . . . 336
PHP/FI php.cgi script contains a remotely exploitable buffer overflow (HTTP_PHP_Overflow) . . . . . . . . 337
PHP remote users can read files (HTTP_PHP_Read) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
PHP-Nuke unauthorized administrator access (HTTP_PHPNuke_Admin_Access) . . . . . . . . . . . . . . . . 339
xiii
Contents
PHP-Nuke could allow attackers to redirect ad banner URL links (HTTP_PHPNuke_URL_Redirect) . . . . 340
HTTP POST request to a script or resource (HTTP_Post) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
QuikStore Shopping Cart misconfiguration exposes the config file (HTTP_QuikStore) . . . . . . . . . . . . . . 342
IRIX reg_echo.cgi reveals server hardware information (HTTP_RegEcho) . . . . . . . . . . . . . . . . . . . . . 343
Robots.txt file controls Web spiders (HTTP_RobotsTxt) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Nlog CGI script executes commands (HTTP_RpcNLog) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
SCO view-source CGI script allows remote users to read files (HTTP_SCO_View-Source) . . . . . . . . . . . 344
Malformed HTML <SCRIPT> tag could bypass firewall active content stripping (HTTP_Script_Bypass) . . 345
IRIX handler CGI allows remote command execution (HTTP_SGI_Handler) . . . . . . . . . . . . . . . . . . . . . 346
IRIX infosrch.cgi fname variable allows remote attackers to execute commands (HTTP_SGI_Infosrch) . . 347
SGI Webdist CGI script allows remote command execution (HTTP_SGI_Webdist) . . . . . . . . . . . . . . . . 348
SGI IRIX cgi-bin wrap program remote users can list files (HTTP_SGI_Wrap) . . . . . . . . . . . . . . . . . . . 349
Cobalt RaQ Web server could reveal user's command history (HTTP_ShellHistory) . . . . . . . . . . . . . . . 350
Shell interpreters can be used to execute commands on Web servers (HTTP_Shells). . . . . . . . . . . . . 351
Shockwave plugin allows reading of users' email (HTTP_ShockWave) . . . . . . . . . . . . . . . . . . . . . . . . 352
SiteServer 3.0 AdSamples installation could expose SQL server login information (HTTP_SiteCsc_Access) . . . 353
SoftCart misconfiguration exposes passwords or order information (HTTP_Softcart) . . . . . . . . . . . . . 354
Test-cgi sample CGI script allows remote retrieval of file listings (HTTP_TestCgi) . . . . . . . . . . . . . . . . 354
Suspicious URL with tilde (~) appended (HTTP_Tilde) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
passwd file accessed through Web server (HTTP_Unix_Passwords). . . . . . . . . . . . . . . . . . . . . . . . . 356
Verity search97 CGI script allows remote file reading (HTTP_Verity_Search) . . . . . . . . . . . . . . . . . . . 357
HTTP connections from vulnerable clients (HTTP_Vulnerable_Client). . . . . . . . . . . . . . . . . . . . . . . . . 358
Weakness CGI Scanner (HTTP_WeaknessCGIScanner) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Web finger access attempt (HTTP_WebFinger) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
WEBgais CGI script allows remote command execution (HTTP_Webgais) . . . . . . . . . . . . . . . . . . . . . 360
WebLogic FileServlet show code (HTTP_WebLogic_FileServlet_Show_Code) . . . . . . . . . . . . . . . . . . . 361
WebLogic allows users to read source of files (HTTP_WebLogic_FileSourceRead) . . . . . . . . . . . . . . . 362
BEA Systems WebLogic Java injection (HTTP_WebLogic_JavaInjection) . . . . . . . . . . . . . . . . . . . . . . 363
WebLogic redirect request plugin buffer overflow can be used to gain root (HTTP_WebLogic_PluginBO) 364
WebGais websendmail allows remote command execution (HTTP_Websendmail) . . . . . . . . . . . . . . . 365
WebSite 1.1 for Windows NT winsample buffer overflow (HTTP_WebSite_Sample) . . . . . . . . . . . . . . 365
WebSite 1.1 uploader (HTTP_WebSite_Uploader). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
WebSphere Application Server Host: header denial of service (HTTP_WebSphere_HeaderDoS) . . . . . . 367
Selena Sol’s WebStore could expose order information (HTTP_WebStore) . . . . . . . . . . . . . . . . . . . . 368
WindMail remote file retrieval (HTTP_WindMail_FileRead) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Executable command in HTTP path (HTTP_Windows_Executable) . . . . . . . . . . . . . . . . . . . . . . . . . . 370
WWWThreads SQL commands could allow users to gain privileges (HTTP_WWWThreads_Admin) . . . 370
HVL-RAT backdoor for Windows and AOL (Hvl_Rat). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Ident errors may indicate probe of Ident service (Ident_Error) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Linux identd configuration remote denial of service (Ident_Linux_DoS). . . . . . . . . . . . . . . . . . . . . . . . 374
Ident newline allows remote users to execute commands (Ident_Newline). . . . . . . . . . . . . . . . . . . . . 375
Ident buffer overflow allows remote users to execute commands (Ident_Overflow) . . . . . . . . . . . . . . . 376
Ident user (Ident_User) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Internet Explorer allows active content to be automatically downloaded (HTTP_ActiveX) . . . . . . . . . . . 378
Internet Explorer is outdated (HTTP_Vulnerable_Client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Attempt to read or modify an 802.11 device's SSID (SNMP_Suspicious_Set) . . . . . . . . . . . . . . . . . . 379
Attempt to read or modify an 802.11 device's WEP encryption key (SNMP_Suspicious_Set) . . . . . . . . 380
IMail buffer overflow in built-in LDAP server (Imail_ldap_Overflow) . . . . . . . . . . . . . . . . . . . . . . . . . . 381
IMAP2bis server, anonymous login successful (IMAP2bis_server_anonymous_login_successful) . . . . . . 382
IMAP2bis Server, brute force attack (IMAP2bis_server_brute_force_attack) . . . . . . . . . . . . . . . . . . . 383
IMAP2bis Server, pre-authenticated user login successful (IMAP2bis_server_preauthenticated_user_login_successful) . . . 384
IMAP2bis Server, user Auto-logout (IMAP2bis_server_user_auto-logout) . . . . . . . . . . . . . . . . . . . . . 384
IMAP2bis Server, user login failure (IMAP2bis_server_user_login_failure) . . . . . . . . . . . . . . . . . . . . . 385
IMAP2bis Server, user login successful (IMAP2bis_server_user_login_successful) . . . . . . . . . . . . . . . 386
IMAP2bis Server, user logout (IMAP2bis_server_user_logout) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
IMAP AUTHENTICATE overflow could allow remote root access (IMAP_Authenticate_Overflow) . . . . . . 387
IMail IMAP service buffer overflow (IMAP_Imail_Overflow) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Microsoft Outlook date header buffer overflow (IMAP_Outlook_Date_Overflow) . . . . . . . . . . . . . . . . . . 389
IMAP login buffer overflow could allow remote root access (IMAP_Overflow) . . . . . . . . . . . . . . . . . . . 391
IMAP password (IMAP_Password) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
IMAP username (IMAP_User) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Infector backdoor for Windows (Infector). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
INN control message allows commands to be executed as root (INN_Control) . . . . . . . . . . . . . . . . . 395
INN buffer overflow attack allows users to execute arbitrary code (INN_Overflow) . . . . . . . . . . . . . . . 396
INN verifycancels option allows remote code execution (Innd_Cancel_Overflow) . . . . . . . . . . . . . . . . . 397
NetBSD unaligned IP options (IP_Unaligned_Timestamp) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Duplicate IP addresses (IPDuplicate) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
IP fragmentation (IPFrag) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
TCP Half scan (Stealth scan) (IPHalfScan) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
IPOP3D, brute force attack (IPOP3D_brute_force_attack). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
IPOP3D, Buffer overflow attack (IPOP3D_Overflow) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
IPOP3D, user auto-logout (IPOP3D_user_auto-logout) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
IPOP3D, user kiss of death logout (IPOP3D_user_kiss_of_death_logout) . . . . . . . . . . . . . . . . . . . . . . 404
IPOP3D, user login failure (IPOP3D_user_login_failure). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
IPOP3D, user login successful (IPOP3D_user_login_successful) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
IPOP3D user login to remote host successful (IPOP3D_user_login_to_remote_host_successful) . . . . . . 406
IPOP3D, user logout (IPOP3D_user_logout) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
TCP/IP protocol violations (IPProtocolViolation) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Unknown IP protocol (IPUnknownProtocol) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
IRC buffer overflow allows attackers to execute commands as root (IRC_Daemon_Overflow) . . . . . . . . 409
IRC channel joined (IRC_Join) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
IRC message (IRC_Msg) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
IRC nick (IRC_Nick). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Trinity distributed denial of service tool (IRC_Trinity). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
IRDP can be used to change the default gateway of some systems (IRDP_Gateway_Spoof) . . . . . . . . . 412
Internet Scanner or Desktop Protection System detected a high risk vulnerability (IS_High_Vulnerability_Found) . . . 413
Internet Scanner detected a low risk vulnerability (IS_Low_Vulnerability_Found) . . . . . . . . . . . . . . . . . 414
Internet Scanner detected a medium risk vulnerability (IS_Meduim_Vulnerability_Found) . . . . . . . . . . . 415
Internet Scanner scan completed (IS_Scan_Completed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Internet Scanner scan started (IS_Scan_Started) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
ISA Server component failed (ISA_Abnormal_Termination) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
ISA Alert service failed to log an event (ISA_Alert_Failed_Log) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
ISA Server failed to start (ISA_Failed_To_Start) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
ISA Firewall service initialization failed (ISA_FW_Init_Failed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
ISA Firewall service failed to start (ISA_FW_Start_Failed_Corrupt) . . . . . . . . . . . . . . . . . . . . . . . . . . 418
ISA Firewall service stopped (ISA_FW_Stop) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
ISA Server failed to write an event to the log (ISA_LOG_File_Write_Failed) . . . . . . . . . . . . . . . . . . . . . 420
ISA Server stopped logging events (ISA_LOG_Service_Stopped_Logging_Failure) . . . . . . . . . . . . . . . . . 420
ISA Server failed to create a packet filter (ISA_PF_Create_PF_Failure) . . . . . . . . . . . . . . . . . . . . . . . 421
ISA Server packet filter rebind failure (ISA_PF_Dial_Out_Rebind_Failure) . . . . . . . . . . . . . . . . . . . . . . 421
ISA Server packet filter is dropping packets (ISA_PF_Dropping_Packets) . . . . . . . . . . . . . . . . . . . . . . 422
ISA Server packet filters disabled (ISA_PF_Filtering_Disabled) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
ISA Server packet filter insecure configuration (ISA_PF_Insecure_Config) . . . . . . . . . . . . . . . . . . . . . 423
ISA Server packet filter interface bind failure (ISA_PF_Interface_Bind_Failure) . . . . . . . . . . . . . . . . . . 424
ISA Server failed to create an IP packet filter (ISA_PF_IP_PF_Create_Failure) . . . . . . . . . . . . . . . . . . . 424
ISA Server packet filter did not detect an external interface (ISA_PF_No_Ext_Interface) . . . . . . . . . . . . 425
ISA Server packet filter protocol violation detected (ISA_PF_Protocol_Violation) . . . . . . . . . . . . . . . . . 425
ISA Server Control service initialization failed (ISA_SCS_Init_Failed) . . . . . . . . . . . . . . . . . . . . . . . . . . 426
ISA Server Control service stopped (ISA_SCS_Stop). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
ISA Server corrupted registry (ISA_Server_Init_Failed_Corrupt) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
ISA Server insecure configuration (ISA_Server_NAT_Insecure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
ISA Web Proxy service stopped (ISA_WPS_Stop) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
ISA Web Proxy service failed (ISA_WPS_Terminated) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Internet Scanner vulnerability assessment (ISS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
IP fragment reassembly denial of service (Jolt2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Kerberos IV peek accesses usernames and information (Kerberos_User_Snarf) . . . . . . . . . . . . . . . . 431
Kuang2 Virus installs remote control functionality on infected systems (Kuang2Virus) . . . . . . . . . . . . 432
Land denial of service (Land) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Windows NT snork attack can disable system (Land_UDP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Microsoft LDAP server blacklist failed (LDAP_blacklist_failed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Microsoft LDAP server permanent blacklist (LDAP_blacklist_permanent) . . . . . . . . . . . . . . . . . . . . . 437
Microsoft LDAP server temporary blacklist (LDAP_blacklist_short-term) . . . . . . . . . . . . . . . . . . . . . . 438
Local group access or privileges modified (Local_group_changed) . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Local group created with assigned members and privileges (Local_group_created) . . . . . . . . . . . . . . 440
Local group deleted from the system (Local_group_deleted) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Local group membership modified - user added (Local_group_user_added) . . . . . . . . . . . . . . . . . . . . 441
Local group membership modified - user removed (Local_group_user_removed) . . . . . . . . . . . . . . . . 442
Windows 2000 account logon failed (Log_on_to_account_failed) . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Logon process registered (Logon_process_registered) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Logon event by user with administrative privileges (Logon_with_admin_privileges). . . . . . . . . . . . . . . . 444
Logon event by user with special privileges (Logon_with_special_privileges) . . . . . . . . . . . . . . . . . . . . 445
LOKI ICMP tunneling back door (Loki) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Lotus Notes SMTP server can be crashed with long HELO commands (Email_Helo_Overflow) . . . . . . . 447
Lotus Domino SMTP Server policy feature buffer overflow (Lotus_Domino_SMTP_Overflow) . . . . . . . . . 448
LPRng syslog() call allows user supplied format strings (LPRng_Format_String) . . . . . . . . . . . . . . . . . 449
Mail-Max server allows remote execution of code through a buffer overflow (Email_Helo_Overflow) . . . . 450
Windows 2000 user account mapped for logon (Mapped_account). . . . . . . . . . . . . . . . . . . . . . . . . 451
Map account operation failed (Mapped_account_failed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
Master's Paradise98 backdoor for Windows (Masters_Paradise98) . . . . . . . . . . . . . . . . . . . . . . . . 452
Maverick's Matrix backdoor for Windows 95/98 (MavericksMatrix) . . . . . . . . . . . . . . . . . . . . . . . . 454
MDaemon SMTP server can be crashed with a long HELO (Email_Helo_Overflow) . . . . . . . . . . . . . . . 455
Millenium backdoor for Windows (Millenium) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Mountd export (MountdExport) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Mountd mount request (MountdMnt) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Microsoft SQL 6.5 Server shutdown (MSSQL65_Shutdown). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Microsoft SQL Server 6.5 started (MSSQL65_Startup) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Microsoft SQL Server 6.5 non-trusted connection successful (MSSQL65_Successful_NonTrusted_Connection) . . . 459
Microsoft SQL Server shutdown (MSSQL7_Shutdown). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Microsoft SQL Server started (MSSQL7_Startup) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Microsoft SQL Server non-trusted connection successful (MSSQL7_Successful_Non-Trusted_Connection) . . . 461
Microsoft SQL Server failed connection (MSSQL_Failed_Connection) . . . . . . . . . . . . . . . . . . . . . . . . 462
Microsoft SQL Server shutdown (MSSQL_Shutdown). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Microsoft SQL Server started (MSSQL_Startup) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Microsoft SQL Server non-trusted connection successful (MSSQL_Successful_Non-Trusted_Connection) 464
Microsoft SQL Server trusted connection successful (MSSQL_Successful_Trusted_Connection) . . . . . . 464
mstream distributed denial of service tool (master detected) (Mstream_Master) . . . . . . . . . . . . . . . . 465
mstream distributed denial of service tool (zombie detected) (Mstream_Zombie) . . . . . . . . . . . . . . . . 467
Napster client update (Napster_Client_Update). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Napster long command (Napster_Command_Long). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Napster create account (Napster_Create_Account) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Napster download (Napster_Download) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Napster user login (Napster_Login) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Napster user information submitted (Napster_Login_Info) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Napster chat room private message sent (Napster_Private_Msg) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Napster chat room public message sent (Napster_Public_Msg) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Napster search phrase submitted (Napster_Search) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Napster file sharing detected (Napster_Sharing) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Netscape Navigator is outdated (HTTP_Vulnerable_Client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
NCX backdoor for Windows (NCX_Backdoor) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Nestea Linux denial of service (TearDrop) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
NetBIOS session grant (Netbios_Session_Granted) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
NetBIOS session reject (Netbios_Session_Rejected) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
NetBIOS session request (Netbios_Session_Request) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
NetBus trojan horse for Windows (NetBus) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
NetBus trojan horse for Windows (NetBus_Pro) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Windows Network Monitor driver started (netmon_start) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
NetSphere backdoor for Windows and ICQ (NetSphere) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
NetMonitor backdoor for Windows 95/98 and NT (NetSpy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
NetSpy 1.2 backdoor for Windows (NetSpy_v12) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Guessable NFS filehandles (NfsGuess) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
NFS server could allow remote users to create device files through mknod (NfsMknod) . . . . . . . . . . . . . 488
NFS does not properly identify UID (NfsUid) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Rpc.nisd buffer overflow in Solaris (NIS_Overflow) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Nmap scanner can remotely detect an operating system (Nmap_Scan) . . . . . . . . . . . . . . . . . . . . . . . . 492
NNTP group (NNTP_Group) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
NNTP password (NNTP_Password) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
NNTP username (NNTP_User) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Microsoft Exchange Server SMTP and NNTP denial of service (NNTP_XchgAuth) . . . . . . . . . . . . . . . . . 494
AUE_SETAUDIT or AUE_SETAUID calls made where real UID is non-root (Nonroot_setauid) . . . . . . . . . . 495
AUE_OSETUID or AUE_SETREUID calls made where audit UID is non-root (Nonroot_setruid) . . . . . . . . . 496
Windows Network Monitor insecure password (Packet_Capturing_Tool) . . . . . . . . . . . . . . . . . . . . . . . 497
Syncstorm patch missing (SYNFlood) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Windows WINS exploit using SNMP (SNMP_Suspicious_Get) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Ntpd server readvar control message buffer overflow (NTP_Readvar_Overflow) . . . . . . . . . . . . . . . . . . 501
HP OpenView Network Node Manager buffer overflow (OpenView_NNM_Overflow) . . . . . . . . . . . . . . . . 506
Oracle internal connection established (Oracle_Connect_Internal) . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Oracle connection failed (Oracle_Failed_Connection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Oracle object access failed (Oracle_Failed_Object_Access) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Oracle shutdown (Oracle_Shutdown) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Oracle startup (Oracle_Startup) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Oracle connection successful (Oracle_Successful_Connection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Oracle object access successful (Oracle_Successful_Object_Access) . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Malformed oshare packet denial of service (Oshare_Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Virtual memory has been consumed (Out_of_virtual_memory) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Packet capturing tool accessed remotely (Packet_Capturing_Remote) . . . . . . . . . . . . . . . . . . . . . . . . . 513
Packet capturing tool detected (Packet_Capturing_Tool) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Change password attempt failed (Password_change_failed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Change password attempt successful (Password_change_successful) . . . . . . . . . . . . . . . . . . . . . . . . . 515
RPC pcnfsd service allows remote command execution as root (PcnfsdExec) . . . . . . . . . . . . . . . . . . . . 516
Perl fingerd program allows remote users to execute commands (Finger_Perl) . . . . . . . . . . . . . . . . . . . 517
phAse zero backdoor for Windows 95/98 and NT (PhaseZero) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Ping Flood (PingFlood) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Ping of Death (PingOfDeath) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Portmapper program dump lists RPC programs (PmapDump) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
NFS portmapper export (PmapMnt) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Portmapper proxy call (PmapProxy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Portmap SET procedure requested (PmapSet) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Portmap SET procedure requested with spoofed address (PmapSetSpoof) . . . . . . . . . . . . . . . . . . . . 525
Portmap UNSET procedure requested (PmapUnset) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Portmap UNSET procedure requested with spoofed address (PmapUnsetSpoof) . . . . . . . . . . . . . . . . 526
University of Washington POP2 daemon remote buffer overflow (POP_Fold_Overflow) . . . . . . . . . . . . . 527
Fuseware Fusemail POP mail service buffer overflow (POP_Fuseware_Overflow) . . . . . . . . . . . . . . . . . 528
Qpopper LIST buffer overflow (POP_List_Overflow) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Microsoft Outlook date header buffer overflow (POP_Outlook_Date_Overflow). . . . . . . . . . . . . . . . . . . 530
Popd buffer overflow gains root access (POP_Overflow) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
POP password (POP_Password) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Qpopper auth command buffer overflow (POP_QPopAuth_Overflow) . . . . . . . . . . . . . . . . . . . . . . . . . 534
Qpopper contains a buffer overflow that could allow root access (POP_QPopCommand_Overflow). . . . . 535
Qpopper long username buffer overflow (POP_QPopUser_Overflow) . . . . . . . . . . . . . . . . . . . . . . . . . 536
Internet Anywhere Mail Server RETR denial of service (POP_Retr_DoS) . . . . . . . . . . . . . . . . . . . . . . 537
SilentRunner Collector 'POP PASS' remote buffer overflow (POP_SilentRunner_Pass_Overflow) . . . . . . . 538
SilentRunner Collector 'POP USER' remote buffer overflow (POP_SilentRunner_User_Overflow) . . . . . . . 538
POP username (POP_User) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Portscan attack (Port_Scan) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Portal of Doom backdoor for Windows (PortalOfDoom) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Older versions of ComOS could be crashed remotely (Portmaster_Reboot) . . . . . . . . . . . . . . . . . . . . 542
Windows 2000 Kerberos pre-authentication failed (Preauthentication_failed) . . . . . . . . . . . . . . . . . . 543
Service processes can be used to remotely manipulate a system (Privileged_service_called) . . . . . . . . 544
File access attempted for important files (Probing_of_important_files) . . . . . . . . . . . . . . . . . . . . . . . 544
Progenic backdoor for Windows 95/98 and NT (Progenic) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Process execution initiated (Program_execution_started) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Process execution exited (Program_exited) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Prosiak backdoor for Windows (Prosiak) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Qaz backdoor for Windows (Qaz_Command) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Qaz backdoor for Windows (Qaz_Connect). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Remote Unix syslog message from Qpopper: authentication access problem (Qpopper_Auth_failed) . . . 551
Remote Unix syslog message from Qpopper: permission access problem (Qpopper_Permission_Problem) . . . . . . . . . . 552
Remote Unix syslog message from Qpopper (QPopper_possible_user_probe) . . . . . . . . . . . . . . . . . . 553
Remote Unix syslog message from Qpopper (QPopper_user_login_failure) . . . . . . . . . . . . . . . . . . . . 553
Remote Unix syslog message from Qpopper: excessive user name (Qpopper_Username_too_long) . . . 554
Quake III Arena auto-download allows servers to access clients' file systems (Quake3Arena_Vulnerable_Client) . . . . . . . . . . 555
Quake III Arena auto-download allows servers to access clients' file systems (Quake3Arena_Vulnerable_Server) . . . . . . . . . . 556
Queso utility can remotely identify operating systems (Queso_Scan) . . . . . . . . . . . . . . . . . . . . . . . . . 558
RAS user connection terminated - inconsistent authentication principal (ras_auth_rasfail) . . . . . . . . . . 559
RAS user connection terminated - authentication timeout (ras_auth_timeout) . . . . . . . . . . . . . . . . . . 560
RAS user connection terminated - no remote access privileges (ras_noaccess). . . . . . . . . . . . . . . . . 560
RealSecure TCP RST kill action detected (RealSecure_Kill) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Linux lpd could be used to pass arguments to sendmail (RedHat_Lpd_Print_Control) . . . . . . . . . . . . . 562
Registry autorun changed (Registry_autorun_changed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Registry eventlog settings changed (Registry_eventlog_settings_changed). . . . . . . . . . . . . . . . . . . . . 565
Registry security options changed (Registry_NT_security_options_changed) . . . . . . . . . . . . . . . . . . . 566
Registry remote edit changed (Registry_remote_edit_changed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Remote root login success detected (Remote_root_login) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
Remote user login success detected (Remote_user_login) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Remote Storm backdoor for Windows (RemoteStorm) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
RemoteWatch allows root-level access (RemoteWatch). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
RWS backdoor for Windows (RemoteWindowsShutdown) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Rexd running (Rexd) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
xviii
Contents
Rexec session (Rexec) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Ringzero virus (Ringzero) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
RIP entry added (RIPAdd) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
RIP Entry timeout (RIPExpire) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
RIP Metric change (RIPMetricChange) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Rlogin -froot command could allow remote root access (Rlogin_Froot) . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Rlogin (Rlogin_Session) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Enterasys RoamAbout Access Point console password disabled (SNMP_Suspicious_Set) . . . . . . . . . . . . . 580
Enterasys RoamAbout Access Point Secure Access mode disabled (SNMP_Suspicious_Set) . . . . . . . . . . . 581
Enterasys RoamAbout Access Point WEP encryption (SNMP_Suspicious_Set) . . . . . . . . . . . . . . . . . . . . . 582
Core file owned by root opened (Root_core_access) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
Directory starting with ". " has been created (Rootkit_install) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
CDE rpc.cmsd server remotely exploitable buffer overflow (RPC_Cmsd_Overflow) . . . . . . . . . . . . . . . . . . 584
Solaris snmpXdmid malformed DMI request buffer overflow (RPC_snmpXdmid_Overflow) . . . . . . . . . . . . 586
Rsh (Rsh) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
Rux Tick backdoor for Windows (RuxTick) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
Rwhod daemon running (Rwhod_Overflow) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
Rwho daemon overflow (Rwhod_Overflow) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
System Scanner scan completed (S2_Scan_Completed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
System Scanner scan started (S2_Scan_Started) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
System Scanner scan detected a vulnerability (S2_Scan_Vulnerability_Found) . . . . . . . . . . . . . . . . . . . . . 592
Solaris Solstice AdminSuite (sadmind) daemon buffer overflow (Sadmind_Amslverify_Overflow) . . . . . . . . 592
Solaris Solstice admin daemon ping procedure (Sadmind_Ping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
SATAN is an automated network vulnerability scanner (Satan) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
Satan's Backdoor for Windows (SatansBackdoor) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Schwindler backdoor for Windows 95/98 (Schwindler) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Logon attempt failure reported by Windows Service Control Manager (scm_logon_fail) . . . . . . . . . . . . . . 598
Windows resources for queuing of audit messages have been exhausted (sec_auditlost) . . . . . . . . . . . . 599
SecretService backdoor for Windows 95/98 (SecretService) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Global distribution group changed (Security_disabled_global_group_changed) . . . . . . . . . . . . . . . . . . . . . 600
Global distribution group created (Security_disabled_global_group_created) . . . . . . . . . . . . . . . . . . . . . . 601
Global distribution group deleted (Security_disabled_global_group_deleted) . . . . . . . . . . . . . . . . . . . . . . 602
Global distribution group membership modified - member added (Security_disabled_global_group_member_added) . . . . . . . . . . 602
Global distribution group membership modified - member removed (Security_disabled_global_group_member_removed) . . . . . . . . . . 603
Local distribution group changed (Security_disabled_local_group_changed) . . . . . . . . . . . . . . . . . . . . . . . 604
Local distribution group created (Security_disabled_local_group_created) . . . . . . . . . . . . . . . . . . . . . . . . 604
Local distribution group deleted (Security_disabled_local_group_deleted) . . . . . . . . . . . . . . . . . . . . . . . . 605
Local distribution group membership modified - member added (Security_disabled_local_group_member_added) . . . . . . . . . . 606
Local distribution group membership modified - member removed (Security_disabled_local_group_member_removed) . . . . . . . . . . 606
Universal distribution group changed (Security_disabled_universal_group_changed) . . . . . . . . . . . . . . . . . 607
Universal distribution group created (Security_disabled_universal_group_created) . . . . . . . . . . . . . . . . . . 608
Universal distribution group deleted (Security_disabled_universal_group_deleted) . . . . . . . . . . . . . . . . . . 608
Universal distribution group membership modified - member added (Security_disabled_universal_group_member_added) . . . . . . . . . . 609
Universal distribution group membership modified - member removed (Security_disabled_universal_group_member_removed) . . . . . . . . . . 610
Security enabled universal group changed (Security_enabled_universal_group_changed) . . . . . . . . . . . . . 610
Security enabled universal group created (Security_enabled_universal_group_created) . . . . . . . . . . . . . . 611
Security enabled universal group deleted (Security_enabled_universal_group_deleted) . . . . . . . . . . . . . . . 612
Security enabled universal group membership modified - member added (Security_enabled_universal_group_member_added) . . . . . . . . . . 613
Security enabled universal group membership modified - member removed (Security_enabled_universal_group_member_removed) . . . . . . . . . . 613
Remote file access through selection service holdfile (SelSvcH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
RealSecure sensor error message (Sensor_Error) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
RealSecure sensor information message (Sensor_Info) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
RealSecure sensor warning message (Sensor_Warning) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
ServeMe backdoor for Windows 95/98 (ServeMe) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Service ticket granted to a Windows 2000 security principal (Service_ticket_granted) . . . . . . . . . . . . 618
Service ticket request failed (Service_ticket_request_failed). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
Service scanner attempting to connect to same port on multiple computers (ServiceScan) . . . . . . . . . 620
Windows 2000 logon session disconnected (Session_disconnected) . . . . . . . . . . . . . . . . . . . . . . . . 620
Windows 2000 logon session reconnected (Session_reconnected) . . . . . . . . . . . . . . . . . . . . . . . . . 621
SLmail HELO command buffer overflow (Email_Helo_Overflow). . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
SLmail VRFY and EXPN commands can crash server (Email_Expn_Overflow) . . . . . . . . . . . . . . . . . . . 622
SMB cleartext password (SMB_Client_Cleartext_Password) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
Windows NT SMB logon denial of service (SMB_Malformed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
Samba SMB password buffer overflow (SMB_Password_Overflow). . . . . . . . . . . . . . . . . . . . . . . . . . 625
SMTP Exchange denial of service (Email_Helo_Overflow) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
SMTP servers may perform third-party relaying on UUCP style addresses (Email_Relay_Spam) . . . . . . 627
Sendmail overflows in EXPN and VRFY could allow remote access (Email_Expn_Overflow) . . . . . . . . . . 628
Smurf denial of service (Smurf) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
Snid X2 backdoor for Windows (SnidX2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
SniperNet backdoor for Windows 95/98 (SniperNet) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
SNMP agents can be instructed not to notify management stations (SNMP_Suspicious_Get). . . . . . . . 632
SNMP kill interface (SNMP_Suspicious_Get). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
SNMP agents reveal information about network interfaces (SNMP_Suspicious_Get) . . . . . . . . . . . . . . 634
SNMP RMON agents can monitor network and application activity (SNMP_Suspicious_Get). . . . . . . . . 634
SNMP agents reveal information about network routing (SNMP_Suspicious_Get) . . . . . . . . . . . . . . . . 635
SNMP messages (SNMP_Activity) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
SNMP community string (SNMP_Community). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
WINS records deletion using SNMP (SNMP_Delete_WINS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
SNMP_Set can modify SNMP variables (SNMP_Set) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
SNMP suspicious GET (SNMP_Suspicious_Get). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
SNMP suspicious SET (SNMP_Suspicious_Set) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Solaris Snoop GETQUOTA decoding buffer overflow (Snoop_GetQuota_Overflow). . . . . . . . . . . . . . . . . 641
Sockets de Troie (Socket23) backdoor for Windows (Sockets_de_Troie) . . . . . . . . . . . . . . . . . . . . . . 642
Solaris in.lpd print protocol daemon buffer overflow (Solaris_LPD_Overflow) . . . . . . . . . . . . . . . . . . . 643
Routing IP packets through different paths can avoid filtering routers (SourceRoute) . . . . . . . . . . . . . 645
Microsoft SQL Server login failed (SQLServer_login_failed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
Microsoft SQL Server login failed - user not Administrator (SQLServer_login_failed_not_administrator) . 646
Microsoft SQL Server login failed - user not trusted (SQLServer_login_failed_not_trusted) . . . . . . . . . . 647
Microsoft SQL Server login failed - invalid user (SQLServer_login_failed_not_valid_user) . . . . . . . . . . . . 647
Microsoft SQL Server login failed - too many users (SQLServer_login_failed_too_many_users) . . . . . . . 648
SSH2 - Agent forwarding denied (SSH2_Agent_forwarding_denied) . . . . . . . . . . . . . . . . . . . . . . . . . 649
SSH2 - User authentication failed due to non-user specific reason (SSH2_Common_auth_failed_host) . . 650
SSH2 - User authentication failed due to user specific reason (SSH2_Common_auth_failed_user). . . . . 651
SSH2 - DNS lookup failed (SSH2_DNS_lookup_failed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
SSH2 - host-based authentication failed, possible DNS spoofing (SSH2_Hostbased_auth_failed_DNS_spoofing) . . . . . . . . . . 652
SSH2 - host-based authentication failed for user-specific reason (SSH2_Hostbased_auth_failed_for_user) . . . . . . . . . . 653
SSH2 - host-based authentication failed, root login not allowed (SSH2_Hostbased_auth_failed_no_root). 654
SSH2 - host-based authentication failed, packet error (SSH2_Hostbased_auth_failed_packet_error) . . . 654
SSH2 - host-based authentication failed, public key (SSH2_Hostbased_auth_failed_pubkey) . . . . . . . . . 655
SSH2 - host-based authentication successful (SSH2_Hostbased_auth_successful) . . . . . . . . . . . . . . . 656
SSH2 - illegal port forwarding (SSH2_Illegal_port_forwarding) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
xx
Contents
SSH - Kerberos authentication failed (SSH2_Kerberos_auth_failed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
SSH - Kerberos authentication successful (SSH2_Kerberos_auth_successful) . . . . . . . . . . . . . . . . . . . . . . . 658
SSH2 - user login successful (SSH2_Login_General) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
SSH2 - PAM authentication failed (SSH2_Pam_auth_failed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
SSH2 - password authentication failure, empty password (SSH2_Passwd_auth_failed_empty_passwd) . . . . 660
SSH2 - password authentication failure, root login not allowed (SSH2_Passwd_auth_failed_root) . . . . . . . . 660
SSH2 - password authentication failure, wrong password (SSH2_Passwd_auth_failed_wrong_passwd) . . . . 661
SSH - successful password authentication (SSH2_Passwd_auth_successful) . . . . . . . . . . . . . . . . . . . . . . . 662
SSH2 - public key authentication failed (SSH2_Pubkey_auth_failed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
SSH2 - public key authentication failed, root login denied (SSH2_Pubkey_auth_failed_root) . . . . . . . . . . . . 663
SSH2 - public key authentication successful (SSH2_Pubkey_auth_successful) . . . . . . . . . . . . . . . . . . . . . . 664
SSH - Rhosts authentication attempt refused (SSH2_Rhosts_auth_failed) . . . . . . . . . . . . . . . . . . . . . . . . . 665
SSH2 - SSH1 agent forwarding denied (SSH2_SSH1_Agent_forwarding_denied) . . . . . . . . . . . . . . . . . . . . 665
SSH2 - TCP/IP forwarding denied (SSH2_TCPIP_forwarding_denied) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666
SSH - username length overflow attack (SSH2_Username_too_long) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
SSH - agent authentication failure (SSH_agent_auth._failure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
SSH - command execution (SSH_command_execution) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
SSH - connection success (SSH_connection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
SSH - connection for user not allowed (SSH_connection_for_user_not_allowed) . . . . . . . . . . . . . . . . . . . . 669
SSH - connection for user not allowed from host (SSH_connection_for_user_not_allowed_From_Host) . . . . 670
SSH Server, Connection from host not allowed (SSH_connection_from_host_not_allowed) . . . . . . . . . . . . . 671
Secure Shell (SSH) session (SSH_Detected) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
SSH - no reverse mapping (SSH_DNS_spoofing_attack-no_reverse_mapping) . . . . . . . . . . . . . . . . . . . . . . 672
SSH - reverse mapping different (SSH_DNS_spoofing_attack-reverse_mapping_different) . . . . . . . . . . . . . 673
SSH - IP options used (SSH_IP_options_used) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
SSH - Kerberos authentication failed (SSH_Kerberos_auth._failed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
SSH - Kerberos authentication successful (SSH_Kerberos_auth._successful) . . . . . . . . . . . . . . . . . . . . . . . 675
SSH - Kerberos KDC possible spoofing (SSH_Kerberos_KDC_possible_spoofing) . . . . . . . . . . . . . . . . . . . . 675
SSH - Kerberos password authentication failed (SSH_Kerberos_password_auth._failed) . . . . . . . . . . . . . . 676
SSH - Kerberos TGT not verified (SSH_Kerberos_TGT_not_verified) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
SSH - Kerberos TGT rejected (SSH_Kerberos_TGT_rejected) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
SSH - Kerberos ticket authentication failed (SSH_Kerberos_ticket_auth._failed) . . . . . . . . . . . . . . . . . . . . 678
SSH - OSF-1 security level (SSH_OSF-1_security_level) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679
SSH - Rhosts authentication attempt from unprivileged port (SSH_Rhosts_auth._attempt_from_unprivileged_port) . . . . . . . . . . 679
SSH - Rhosts authentication attempt refused (SSH_Rhosts_auth._refused) . . . . . . . . . . . . . . . . . . . . . . . . 680
SSH - Root command execution (SSH_Root_command_execution) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
SSH - root login (SSH_Root_login) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
SSH - RSA authentication failed (SSH_RSA_auth._failed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682
SSH - RSA authenticated from restricted host (SSH_RSA_auth._from_restricted_host) . . . . . . . . . . . . . . . 682
SSH - RSA authentication refused (SSH_RSA_auth._refused) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
SSH - SecurID authentication required (SSH_SecurID_auth._required) . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
SSH - successful password authentication (SSH_Successful_password_auth.) . . . . . . . . . . . . . . . . . . . . . . 684
SSH - Rhosts authentication successful (SSH_Successful_rhosts_auth.) . . . . . . . . . . . . . . . . . . . . . . . . . . 685
SSH - username length overflow attack (SSH_User_name_length_overflow_attack) . . . . . . . . . . . . . . . . . . 686
Stacheldraht distributed denial of service tool (Stacheldraht_DOS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
StarTech POP3 proxy contains a buffer overflow that can crash the service (POP_Overflow) . . . . . . . . . . . 691
Important programs started (Startup_of_important_programs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
automountd allows users to change mount options (Statd_Automount_Exec) . . . . . . . . . . . . . . . . . . . . . . 692
RPC statd remote file creation and removal (Statd_DotDot) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694
Linux rpc.statd/kstatd server allows remote code execution (Statd_Format_Attack) . . . . . . . . . . . . . . . . . 696
RPC statd daemon buffer overflow (Statd_Overflow) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698
StealthSpy backdoor for Windows (StealthSpy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
Stream.c denial of service (Stream_DoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
SubSeven backdoor for Windows (SubSeven) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702
SubSeven backdoor for Windows (SubSeven_Scan) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
User login successful (Successful_login) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
Successful network login (Successful_Network_login) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
Sun SNMP hidden community string (Sun_SNMP_Backdoor) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
Suspicious TCP connection to Finger port (Suspect_Finger) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
Suspicious TCP connection to FTP port (Suspect_FTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
Suspicious TCP connection to IMAP port (Suspect_IMAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
Suspicious TCP connection to Netbus port (Suspect_Netbus) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
Suspicious TCP connection to Netstat port (Suspect_Netstat) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
Suspicious TCP connection to POP2 port (Suspect_POP2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Suspicious TCP connection to POP3 port (Suspect_POP3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Suspicious TCP connection attempts to common service ports (Suspect_portscan) . . . . . . . . . . . . . . . . . 712
Suspicious TCP connection to SMTP port (Suspect_SMTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
Suspicious TCP connection to SSH port (Suspect_SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714
Suspicious TCP connection to Sunrpc port (Suspect_Sunrpc) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714
Suspicious TCP connection to Systat port (Suspect_Systat) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
Suspicious TCP connection to Telnet port (Suspect_Telnet) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716
Suspicious TCP connection to Time port (Suspect_Time) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
Suspicious TCP connection to Whois port (Suspect_Whois) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
Suspicious TCP connection to WWW port (Suspect_WWW) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718
Swift Remote backdoor for Windows 95/98 (Swift) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719
Sybase failed connection (Sybase_Failed_Connection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 720
Sybase configuration file not specified (Sybase_No_Configuration_File) . . . . . . . . . . . . . . . . . . . . . . . . . . 721
Sybase shutdown (Sybase_Shutdown) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
Sybase startup (Sybase_Startup) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
Sybase successful connection (Sybase_Successful_Connection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
SYN flood denial of service (SYNFlood) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724
Syphillis backdoor for Windows 95/98 (Syphillis) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725
Syphillis backdoor for Windows 95/98 (Syphillis_Scan) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
System time changed (System_time_changed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 728
Talk flash attack (Talk_Flash) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 728
Talk request (Talk_Request) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729
IP hijacking allows attackers to execute commands into someone's session (TCP_Hijacking_Tool) . . . . . . . 729
TCP segments with overlapping data that did not match (TCP_Overlap_Data) . . . . . . . . . . . . . . . . . . . . . 730
TCP Port bind (TCP_Port) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
Out of band data can be used for IDS evasion (TCP_Urgent_Data) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732
Modified teardrop denial of service (TearDrop) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732
Teardrop IP fragmentation (TearDrop) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733
Telecommando backdoor for Windows 95/98 (TeleCommando) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735
Kerberos4 telnet authentication (TelnetAuthKerb4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
Kerberos5 telnet authentication (TelnetAuthKerb5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
Loki telnet authentication (TelnetAuthLoki) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 737
Null telnet authentication (TelnetAuthNull) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 738
RSA telnet authentication (TelnetAuthRsa) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 738
SPX telnet authentication (TelnetAuthSpx) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739
Username telnet authentication (TelnetAuthUser) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739
Long username telnet authentication (TelnetAuthUserLong) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 740
Telnet environment variables (TelnetEnvAll) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
Long telnet environment variables (TelnetEnvLong) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
Telnet termcap environment variable (TelnetEnvTermcap) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 742
BSD-derived telnetd options 'telrcv' buffer overflow (TelnetExcessiveAYTs) . . . . . . . . . . . . . . . . . . . . . . . . 743
Telnet excessive tabs (TelnetExcessiveTabs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 746
Dynamic Linker telnet gains root access (TelnetLinkerBug) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 747
Telnet terminal type (TelnetTerminaltype) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
Telnet long terminal type option (TelnetTerminaltypeLong) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
Telnet X Display (TelnetXdisplay). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Telnet long X Display type (TelnetXdisplayLong). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tribe Flood Network 2000 DDoS tool (TFN2000). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
TFTP GET command (TFTP_Get). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
TFTP PUT command (TFTP_Put) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The Thing backdoor for Windows (TheThing) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Windows 2000 Kerberos ticket renewed (Ticket_granted_renewed) . . . . . . . . . . . . . . . . . . . . . . . .
Tini backdoor for Windows (Tini) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tivoli LCF HTTP interface has a default password (Tivoli_LCF_Default_Password) . . . . . . . . . . . . . . . .
Tivoli LCF httpd can be used to remotely access files as root (Tivoli_LCF_File_Read) . . . . . . . . . . . . . .
ToolTalk CDE rpc.ttdbserver daemon buffer overflow (ToolTalk_Overflow) . . . . . . . . . . . . . . . . . . . . .
Total Eclypse backdoor FTP server for Windows (TotalEclypse) . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Traceroute can be used to map network topologies (Trace_Route) . . . . . . . . . . . . . . . . . . . . . . . . .
TransScout backdoor for Windows (TransScout) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tribe Flood Network denial of service tool (Tribe_Flood_Network). . . . . . . . . . . . . . . . . . . . . . . . . . .
Trin00 DDoS tool - Daemon activity (TrinooDaemon) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Trin00 DDoS tool - daemon registration attempt (TrinooDaemonRegister) . . . . . . . . . . . . . . . . . . . .
Trinoo DDoS tool - Master connection attempt (TrinooMasterAttempt) . . . . . . . . . . . . . . . . . . . . . .
Trin00 DDoS tool - Master successful connection (TrinooMasterConnect) . . . . . . . . . . . . . . . . . . . .
Trusted domain relationship added between two domains (Trusted_domain_added) . . . . . . . . . . . . . .
Trusted domain relationship removed between two domains (Trusted_domain_removed) . . . . . . . . . .
Truva 1.2 backdoor for Windows 95/98 (Truva) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
UDP denial of service attacks (Echo_Denial_of_Service) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
User Datagram Protocol (UDP) scan for active ports (UDP_Port_Scan) . . . . . . . . . . . . . . . . . . . . . .
SunOS can be crashed with malformed UDP packets (UDPBomb) . . . . . . . . . . . . . . . . . . . . . . . . . .
Ultors backdoor for Windows (Ultors) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The Unexplained 1.0 backdoor for Windows 95/98 and NT (Unexplained) . . . . . . . . . . . . . . . . . . . .
Root login successful from Unix tty (UNIX_Root_Login_Successful). . . . . . . . . . . . . . . . . . . . . . . . . .
Unix root su failure (UNIX_Root_Su_Failure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Unix root su successful (UNIX_Root_Su_Successful) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
User rights exercised successfully (Use_of_user_rights) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
User account modified (User_account_changed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Windows NT user account created (User_account_created). . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Windows NT user account deleted (User_account_deleted) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Windows NT user account disabled (User_account_disabled) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Windows NT user account enabled (User_account_enabled). . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Windows 2000 user account locked out (User_account_locked_out) . . . . . . . . . . . . . . . . . . . . . . . .
Windows 2000 account used for logon (User_account_used_for_logon). . . . . . . . . . . . . . . . . . . . . .
User account added to global administrator group (User_added_to_global_admin_group) . . . . . . . . . .
User account added to local administrator group (User_added_to_local_admin_group) . . . . . . . . . . . .
Administrative privileges granted to a user or group (User_admin_right_granted) . . . . . . . . . . . . . . .
Administrative privileges revoked from a user or group (User_admin_right_revoked). . . . . . . . . . . . . .
User environment file opened (User_environment_file_change) . . . . . . . . . . . . . . . . . . . . . . . . . . . .
User logout occurred (User_logout) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
User account granted additional privileges (User_right_granted) . . . . . . . . . . . . . . . . . . . . . . . . . . .
User account had specific privileges revoked (User_right_revoked) . . . . . . . . . . . . . . . . . . . . . . . . .
TCPIP.sys Land exploit (Land) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Virtual Network Computing server detected (VNC_Detected) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
WinVNC DebugLevel > 0 HTTP logging buffer overflow (VNC_HTTP_Get_Overflow) . . . . . . . . . . . . . . .
VNC connection attempt failed due to bad password (VNC_Login_Failed) . . . . . . . . . . . . . . . . . . . . .
VNC No Authentication Required (VNC_NoAuthentication) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
WinVNC client rfbConnFailed reason string buffer overflow (VNC_RFBConnFailed_Overflow) . . . . . . . . .
Malformed IGMP packet could cause some systems to crash or hang (Win_IGMP_DOS) . . . . . . . . . .
Windows allows source routing when configured to reject source routed packets (Win_IP_Src_Route) .
Windows file-sharing access error (Windows_Access_Error) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
LSA connect (Windows_LSA_Connect) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Windows null session (Windows_Null_Session) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Out of Band (OOB) data denial of service (Windows_OOB). . . . . . . . . . . . . . . . . . . . . . . . . . . .
Password cache files accessible (Windows_PWL_Access) . . . . . . . . . . . . . . . . . . . . . . . . . . .
Windows registry can be opened remotely (Windows_Registry_Read) . . . . . . . . . . . . . . . . . . .
WinGate POP3 proxy long username overflow (POP_Overflow) . . . . . . . . . . . . . . . . . . . . . . . .
Wu-ftpd allows local users to gain root privileges (FTP_Site_Cmd) . . . . . . . . . . . . . . . . . . . . . .
WU-FTPD allows remote code execution with special SITE EXEC commands (FTP_Format_String).
Y3K RAT backdoor for Windows (Y3K_RAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Ypupdated daemon allows remote command execution (Ypupdate_Exec) . . . . . . . . . . . . . . . . .
3Com AirConnect Access Point "Accepts Broadcast Wireless
LAN Service Area" feature is enabled (SNMP_Suspicious_Set)
About this
signature or
vulnerability
This signature detects an SNMP Set request that attempts to change the "Accept Broadcast
Wireless LAN Service Area" setting of a 3Com AirConnect Access Point. SNMP Get requests
that read the same setting are detected by the companion SNMP_Suspicious_Get signature.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
3Com AirConnect Access Point
Type
Suspicious Activity
Vulnerability
description
The 3Com AirConnect Access Point installation process allows the installer to specify
whether the Access Point should accept and respond to wireless client probe packets. A
standard Access Point probe response includes the Wireless LAN Service Area ID (SSID)
and other information about the network. When the "Accept Broadcast Wireless LAN
Service Area" feature is enabled, any wireless client can associate with the Access Point
without any prior knowledge of the Wireless LAN Service Area ID of the Access Point. As
a result, any malicious user can establish an association with the Access Point to exploit
the network.
By default, the "Accept Broadcast Wireless LAN Service Area" feature is disabled. As
listed in the 3ComAP MIB (Management Information Base), enabling this feature is not
recommended. Enabling this feature may weaken the wireless network's authentication
security.
How to remove this
vulnerability
Disable the "Accept Broadcast Wireless LAN Service Area" feature.
To disable the "Accept Broadcast Wireless LAN Service Area" feature:
1. Open a Web browser (for example, Microsoft Internet Explorer).
2. Type the IP address of the 3Com AirConnect Access Point of interest in the browser's
Address field, then press Enter.
3. In the Access Point frame, click Access Point to expand the Access Point sub-tree.
4. Click Configuration to expand the Configuration sub-tree.
5. Click "RF."
6. Type the appropriate user name and password when prompted.
7. Under the RF Setup frame, select "Disabled" for "Accept Broadcast Wireless LAN
Service Area."
8. Click Save.
References
3Com Product Support
3Com® AirConnect® 11 Mbps Wireless LAN Access Point
http://www.3com.com/products/en_US/
detail.jsp?tab=support&pathtype=support&sku=3CRWE74796B
ISS X-Force
3Com AirConnect Access Point "Accepts Broadcast Wireless LAN Service Area" feature is
enabled
http://xforce.iss.net/static/6272.php
3Com AirConnect Access Point "Access Control" function is
disabled (SNMP_Suspicious_Set)
About this
signature or
vulnerability
This signature detects an SNMP Set request that attempts to change the MAC address access
control configuration of a 3Com AirConnect Access Point. SNMP Get requests that read the
same configuration are detected by the companion SNMP_Suspicious_Get signature.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
3Com AirConnect Access Point
Type
Suspicious Activity
Vulnerability
description
3Com AirConnect Access Point, in addition to standard SSID (Service Set Identifier) and
WEP (Wired Equivalent Privacy) encryption, supports an Access Control function that
allows an administrator to configure access control lists for tighter security.
Using the Access Control function, you can require that only wireless clients with known
MAC addresses are allowed to associate with the Access Point, while devices with
unknown MAC addresses are not allowed to join the wireless network.
By default, the 3Com AirConnect Access Point ships with the Access Control function
disabled. This function is not part of the IEEE 802.11 standard, does not cover stolen
equipment, and does not stop an attacker who spoofs the MAC address of an authorized
client (MAC addresses are sent in the clear in every frame), so treat it as a supplementary
control rather than a substitute for authentication. Even so, it is good security practice to
enable the Access Control function and configure the access control list to keep unknown
wireless clients off the wireless network.
How to remove this
vulnerability
Enable the 3Com AirConnect Access Point Access Control function and use this function
to allow or disallow wireless clients in accordance with your security management policy.
To enable the 3Com AirConnect Access Point Access Control function and configure the
access control lists:
1. Open a Web browser (for example, Microsoft Internet Explorer).
2. Type the IP address of the 3Com AirConnect AP-4111 Access Point of interest in the
Address field of the browser, and then press Enter.
3. In the Access Point frame, click Access Point to display the Access Point sub-tree.
4. Click Configuration to display the Configuration sub-tree, and then click "Security."
5. Type the appropriate username and password when prompted.
6. Under the Security Setup frame, find the Access Control setting, and select "Enabled."
7. Configure the Allowed Wireless Clients, Ranges of Allowed Wireless Clients, and
Disallowed Wireless Clients access control lists, in accordance with your security
management policy.
8. Click Save.
References
3Com Product Support
3Com® AirConnect® 11 Mbps Wireless LAN Access Point
http://www.3com.com/products/en_US/
detail.jsp?tab=support&pathtype=support&sku=3CRWE74796B
ISS X-Force
3Com AirConnect Access Point "Access Control" function is disabled
http://xforce.iss.net/static/6274.php
3Com AirConnect Access Point Access Control Violation Trap is
disabled (SNMP_Suspicious_Set)
About this
signature or
vulnerability
This signature detects an SNMP Set request that attempts to enable or disable SNMP traps on
a 3Com AirConnect Access Point. SNMP Get requests that read the trap configuration are
detected by the companion SNMP_Suspicious_Get signature.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
3Com AirConnect Access Point
Type
Suspicious Activity
Vulnerability
description
The 3Com AirConnect Access Point SNMP agent supports its own enterprise-specific access
violation trap, ap3ComACLViolationTrap. When a wireless client that is not in the Access
Point's Access Control List attempts to associate, the agent sends this trap to the
configured network management station, alerting the network administrator to the
unauthorized access attempt in real time. The MAC address of the offending wireless client
is included in the trap's variable binding list and is useful for tracing purposes.
By default, the 3Com AirConnect Access Point ships with all SNMP traps disabled. For
installations that have access control lists enabled, it is important to also enable the access
control violation trap. Enabling the access control violation trap will allow for real-time
responses to potential unauthorized access attempts to the wireless network.
How to remove this
vulnerability
Enable the 3Com AirConnect Access Point Access Control Violation trap.
To enable the 3Com AirConnect Access Point Access Control Violation trap:
1. Open a Web browser (for example, Microsoft Internet Explorer).
2. Type the IP address of the 3Com AirConnect Access Point of interest in the Address
field of the browser, then press Enter.
3. In the Access Point frame, click Access Point to display the Access Point sub-tree.
4. Click Configuration to display the Configuration sub-tree.
5. Click "SNMP."
6. Type the appropriate username and password when prompted.
7. Under the SNMP Setup section, ensure that SNMP Agent Mode is not "Disabled" (the
default setting is "Read-Write").
8. Ensure that both the "Trap Host 1 IP address" and the "Trap Host 2 IP address" are
properly configured.
9. Under the SNMP Traps section, select "Enable Selected" for All SNMP Traps (the
default setting is "Disable All").
10. Select either "Trap Host 1" or "Trap Host 2," or select "Both Trap Hosts" for Access
Control Violation (the default setting is "Deselected").
11. Click Save.
References
3Com Product Support
3Com® AirConnect® 11 Mbps Wireless LAN Access Point
http://www.3com.com/products/en_US/
detail.jsp?tab=support&pathtype=support&sku=3CRWE74796B
ISS X-Force
3Com AirConnect Access Point Access Control Violation Trap is disabled
http://xforce.iss.net/static/6280.php
3Com AirConnect Access Point ships with default wireless LAN
Service Area ID (SNMP_Suspicious_Set)
About this
signature or
vulnerability
This signature detects an SNMP Set request that attempts to write the SSID of a 3Com
AirConnect Access Point. SNMP Get requests that read the SSID are detected by the
companion SNMP_Suspicious_Get signature.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
3Com AirConnect Access Point
Type
Suspicious Activity
Vulnerability
description
3Com AirConnect Access Points ship with a default, preinstalled wireless LAN Service Area
ID (also known as the SSID, or Service Set Identifier). This default SSID is "101." If WEP
(Wired Equivalent Privacy) encryption is not enabled, the SSID is the only information a
wireless client needs to present to the Access Point in order to establish an association.
If the default SSID is not changed, any user with basic knowledge of 3Com AirConnect
Access Points can use it to gain access to the wireless network. Note that an SSID is not a
secret credential (the Access Point includes it in probe responses, as described in the
"Accepts Broadcast Wireless LAN Service Area" entry above); changing it only removes the
well-known default, so WEP should be enabled as well.
How to remove this
vulnerability
Change the wireless LAN Service Area ID (SSID).
To change the wireless LAN Service Area ID (SSID):
1. Open a Web browser (for example, Microsoft Internet Explorer).
2. Type the IP address of the 3Com AirConnect Access Point of interest in the Address
field of the browser, then press Enter.
3. In the Configuration Management System frame, click Easy Setup.
4. Enter the appropriate username and password when prompted.
5. In the Easy Setup frame, type the new SSID in the Wireless LAN Service Area box.
6. Click Save Settings.
7. Reset the 3Com AirConnect Access Point. (The new settings do not take effect until
the Access Point is restarted.)
References
3Com Product Support
3Com® AirConnect® 11 Mbps Wireless LAN Access Point
http://www.3com.com/products/en_US/
detail.jsp?tab=support&pathtype=support&sku=3CRWE74796B
ISS X-Force
3Com AirConnect Access Point ships with default wireless LAN Service Area ID
http://xforce.iss.net/static/6266.php
3Com AirConnect Access Point telnet logins enabled
(SNMP_Suspicious_Set)
About this
signature or
vulnerability
This signature detects an SNMP Set request that attempts to enable or disable telnet access
to a 3Com AirConnect Access Point. SNMP Get requests that read the telnet setting are
detected by the companion SNMP_Suspicious_Get signature.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
3Com AirConnect Access Point
Type
Suspicious Activity
Vulnerability
description
3Com AirConnect Access Points ship with telnet remote management capability enabled
by default. Telnet is one of several remote management capabilities provided by 3Com
AirConnect Access Points, and allows remote administration of the Access Point without a
graphical user interface or local console attachment.
The Access Point's telnet capability could allow a malicious user to perform brute-force
login attempts without the network administrator noticing. Invalid password events are
recorded in the Access Point's local event log, but unlike the Access Point's SNMP
authentication trap they do not notify administrators in real time. The local event log is
also stored in a 128-entry circular buffer, so an attacker can flood it with further attempts
to overwrite the entries and remove evidence. In addition, telnet transmits the
administrator's username and password in cleartext, so anyone able to observe the wireless
or wired path to the Access Point can capture the management credentials.
How to remove this
vulnerability
Based on your security administration policy, determine the management method (SNMP,
telnet, Web, or console) required for your implementation of 3Com AirConnect Access
Point. If telnet logins are not required, disable telnet logins for the 3Com AirConnect
Access Point.
To disable telnet logins for the 3Com AirConnect Access Point:
1. Open a Web browser (for example, Microsoft Internet Explorer).
2. Type the IP address of the 3Com AirConnect Access Point of interest in the Address
field of the browser, then press Enter.
3. In the Access Point frame, click Access Point to display the Access Point sub-tree.
4. Click Configuration to display the Configuration sub-tree.
5. Click Security.
6. Type the appropriate username and password when prompted.
7. Under the Security Setup frame, select "Disabled" for Telnet Logins.
8. Click the Save Settings box.
References
3Com Product Support
3Com® AirConnect® 11 Mbps Wireless LAN Access Point
http://www.3com.com/products/en_US/
detail.jsp?tab=support&pathtype=support&sku=3CRWE74796B
ISS X-Force
3Com AirConnect Access Point telnet logins enabled
http://xforce.iss.net/static/6278.php
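The five AirConnect entries above all hinge on the same distinction: the sensor tells an SNMP Get that reads a sensitive 3ComAP MIB object apart from a Set that changes it. The following Python is an added illustration, not code from this guide or from ISS. It decodes a BER-encoded SNMPv1 message far enough to recover the community string, the PDU type and the object identifiers in the variable bindings, then returns the Set or Get label when a binding falls under a watched subtree. The OID prefix SENSITIVE_PREFIX is an assumption standing in for the real 3ComAP MIB objects, which the guide does not list; the request packets are constructed inline by the block's own encoder rather than captured from a network.

```python
"""Added example: classify SNMPv1 requests the way the SNMP_Suspicious_Get /
SNMP_Suspicious_Set split does, by decoding the BER PDU and checking which
objects it touches. Not code from the ISS guide."""
from dataclasses import dataclass

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

# ASSUMPTION: stand-in for the 3ComAP MIB objects (SSID, Access Control, trap
# and telnet settings). The guide does not list the real OIDs; take them from
# the vendor MIB before using this against live traffic.
SENSITIVE_PREFIX = "1.3.6.1.4.1.43.35.1"


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for byte in raw[1:]:                    # base-128, high bit = continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


@dataclass
class SnmpRequest:
    version: int
    community: str
    pdu_type: str
    varbinds: list          # [(oid, value_tag, value_bytes), ...]


def parse_snmp(packet):
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    pos = 0
    for _ in range(3):                      # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, vpos = _read_tlv(vb, 0)
        vtag, value, _ = _read_tlv(vb, vpos)
        varbinds.append((_decode_oid(oid), vtag, value))
    return SnmpRequest(int.from_bytes(version, "big"), community.decode("latin-1"),
                       PDU_TYPES.get(pdu_tag, "unknown"), varbinds)


def classify(packet):
    """Return the signature name this request would raise, or None."""
    req = parse_snmp(packet)
    if not any(oid.startswith(SENSITIVE_PREFIX) for oid, _, _ in req.varbinds):
        return None
    if req.pdu_type == "SetRequest":
        return "SNMP_Suspicious_Set"
    if req.pdu_type in ("GetRequest", "GetNextRequest"):
        return "SNMP_Suspicious_Get"
    return None


# --- Encoder used only to construct sample packets offline ---
def _tlv(tag, content):
    assert len(content) < 128, "short-form length only"
    return bytes([tag, len(content)]) + content


def _encode_oid(oid):
    nums = [int(x) for x in oid.split(".")]
    out = bytearray([nums[0] * 40 + nums[1]])
    for n in nums[2:]:
        chunk = [n & 0x7F]
        n >>= 7
        while n:
            chunk.append((n & 0x7F) | 0x80)
            n >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_request(pdu_tag, community, oid, value=None):
    """Constructed SNMPv1 Get/Set request with one varbind (INTEGER or NULL)."""
    val = _tlv(0x05, b"") if value is None else _tlv(0x02, bytes([value]))
    vbl = _tlv(0x30, _tlv(0x30, _encode_oid(oid) + val))
    hdr = _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00")
    pdu = _tlv(pdu_tag, hdr + vbl)
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community.encode()) + pdu)
```

A sensor keyed only on the community string would miss the point of these entries: the same community can legitimately read the SSID all day, and it is the SetRequest PDU type against the sensitive subtree that should page someone.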
VTCP.386 is out of date (Land)
About this
signature or
vulnerability
This vulnerability is detected by the Land signature.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 2.0
Systems affected
Windows 95
Type
Denial of Service
Vulnerability
description
The installed version of vtcp.386, the Windows 95 TCP/IP driver, is vulnerable to the Land
attack: a TCP SYN packet whose source IP address and port are set equal to the destination
IP address and port (the target's own address and an open port). A vulnerable stack tries to
complete the handshake with itself and hangs or slows to a crawl.
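As an added example (not code from this guide or from ISS), the check below parses an IPv4/TCP header from raw bytes and applies the Land condition described above: SYN set without ACK, and source address:port identical to destination address:port. The frames it inspects are constructed in the block itself; their checksums are left at zero because only header fields are compared.

```python
"""Added example: detect Land packets in raw IPv4/TCP frames (no link-layer
header). Not code from the ISS guide."""
import socket
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_ipv4_tcp(frame):
    """Return the header fields needed for the Land check, or None if not IPv4/TCP."""
    if len(frame) < 40:
        return None
    ver_ihl, _tos, _total, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4              # IP header length in bytes
    if len(frame) < ihl + 14:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", frame[ihl:ihl + 14])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "flags": off_flags & 0x1FF}


def is_land(frame):
    """Land condition: bare SYN with src addr:port == dst addr:port."""
    pkt = parse_ipv4_tcp(frame)
    if pkt is None:
        return False
    syn_only = (pkt["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN
    return syn_only and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]


def build_tcp_frame(src, dst, sport, dport, flags):
    """Constructed test frame; checksums stay zero since only headers are inspected."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    land = build_tcp_frame("192.0.2.10", "192.0.2.10", 139, 139, TCP_SYN)
    print("Land" if is_land(land) else "benign")
```

Such a packet cannot be a legitimate connection attempt, so the check has no false-positive case worth tuning; a packet filter in front of the host can simply drop any inbound packet whose source address is one of the host's own addresses.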
How to remove this
vulnerability
Windows 95: Apply the Winsock 2 update, as listed in Microsoft Knowledge Base Article
Q177539. See References.
Windows NT 4.0: Apply the latest Windows NT 4.0 Service Pack (SP4 or later), available from
the Windows NT Service Packs Web page. See References.
— OR —
Windows NT 4.0 with SP3: Apply the post-SP3 teardrop2-fix patch, as listed in Microsoft
Knowledge Base Article Q165005. See References.
References
Microsoft Knowledge Base Article Q177539
Windows 95 Stops Responding Because of Land Attack
http://support.microsoft.com/support/kb/articles/q177/5/39.asp
Microsoft Market Bulletin
Microsoft Windows NT and Windows 95 - TCP/IP Denial of Service - 'LAND' Program
http://www.microsoft.com/windows/platform/info/land.htm
Microsoft Knowledge Base Article Q165005
Windows NT Slows Down Due to Land Attack
http://support.microsoft.com/support/kb/articles/q165/0/05.asp
Microsoft Product Support Services
Windows NT Service Packs
http://support.microsoft.com/support/ntserver/Content/ServicePacks/
ISS X-Force
VTCP.386 is out of date
http://xforce.iss.net/static/912.php
CVE
CVE-1999-0016
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0016
Account policy was changed (Account_policy_change)
About this
signature or
vulnerability
This signature detects that an account policy has been changed.
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Unix, Windows NT
Type
Host Sensor
Vulnerability
description
In Windows NT/2000 and Solaris, the account policy files control policies that govern the
strength of user passwords and how often a user can fail at logging in before being locked
out of a system. Account policies are also the first level of control that encourage users to
follow good password practices. An attacker who has gained access to a system may
attempt to change policy settings to allow for weaker passwords.
Windows NT/2000: Windows NT/2000 systems include a series of controls that help
control how all users access a system. These controls determine how passwords must be
used by all user accounts and whether user accounts are automatically locked out after a
series of incorrect logon attempts. This includes controls on password age and length.
Collectively, these controls are referred to as the "Account policy" and can be set from
within the User Manager utility.
Solaris: Solaris can require passwords to be of a minimum or maximum length and can
give passwords a minimum and maximum number of weeks to remain valid. These
controls are contained in the file /etc/default/passwd. Collectively, these controls are
sometimes referred to as the account policy.
How to remove this
vulnerability
Take notice of changes to the account policy. Changes in the account policy apply to all
users and are only done infrequently. If legitimate administrative work cannot account for
the event, then further investigation is needed.
References
ISS X-Force
Account policy was changed
http://xforce.iss.net/static/1574.php
Security identifier failed to be written to Windows 2000
security principal sIDHistory (Add_SID_failure)
About this
signature or
vulnerability
This signature detects a Windows event log message indicating that a Security ID (SID)
failed to be added to a security principal’s sIDHistory.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: SR 1.1
Systems affected
Unix, Windows NT, Windows 2000
Type
Host Sensor
Vulnerability
description
Adding SIDs (Security Identifiers) to a security principal's sIDHistory is a security-sensitive
operation that can grant the target security principal access to all resources that
are accessible to the source security principal. The sIDHistory is used by Active Directory
security principals to store previous SIDs of moved objects such as users and security
groups.
If an SID is added to the sIDHistory of an unauthorized security principal, it could
indicate an attempt by an attacker to gain privileges on the Windows 2000 domain. Events
indicating the failure of such an operation are equally suspicious.
How to remove this
vulnerability
Verify that the sIDHistory operation was authorized.
References
ISS X-Force
Security identifier failed to be written to Windows 2000 security principal sIDHistory
http://xforce.iss.net/static/4863.php
Security identifier added to Windows 2000 security principal
sIDHistory (Add_SID_success)
About this
signature or
vulnerability
This signature detects a Windows event log message indicating that a Security ID (SID)
has been successfully added to a security principal’s sIDHistory.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: SR 1.1
Systems affected
Unix, Windows NT, Windows 2000
Type
Host Sensor
Vulnerability
description
Adding SIDs (Security Identifiers) to a security principal's sIDHistory is a security-sensitive
operation that can grant the target security principal access to all resources that
are accessible to the source security principal. The sIDHistory is used by Active Directory
security principals to store previous SIDs of moved objects such as users and security
groups.
If an SID is added to the sIDHistory of an unauthorized security principal, it could
indicate an attempt by an attacker to gain privileges on the Windows 2000 domain.
How to remove this
vulnerability
Verify that the sIDHistory operation was authorized.
References
ISS X-Force
Security identifier added to Windows 2000 security principal sIDHistory
http://xforce.iss.net/static/4862.php
RPC admind insecure authentication (Admind)
About this
signature or
vulnerability
This signature detects that the rpc.admind daemon is being used with insecure
authentication.
False positives
RealSecure Network Sensor: It is possible that normal operation of the Solstice
Administration Suite can trigger this signature. Examine the source address of the
computer that triggered this event. An unknown or inappropriate device could indicate
an attack.
RealSecure Server Sensor: It is possible that normal operation of the Solstice
Administration Suite can trigger this signature. Examine the source address of the
computer that triggered this event. An unknown or inappropriate device could indicate
an attack.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 6.5
Systems affected
Solaris
Type
Unauthorized Access Attempt
Vulnerability
description
The rpc.admind daemon is used for remote administration of Solaris computers. If
rpc.admind is used with insecure authentication, a remote attacker could compromise the
computer, allowing the attacker to add user accounts.
This relatively complex attack may indicate the presence of a sophisticated attacker.
How to remove this
vulnerability
Examine the source address of the rpc.admind daemon to determine if this event is
coming from a non-admin computer. If this is not from an authorized computer, you
should consider the system compromised and take appropriate action.
To protect your system from future attacks:
●
Edit the /etc/inetd.conf file, ensuring that rpc.admind is started with the "-s 2"
argument.
●
Restart the inetd process.
References
ISS X-Force
RPC admind insecure authentication
http://xforce.iss.net/static/626.php
CVE
CAN-1999-0568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0568
IBM C Set ++ pdnsd for AIX contains a remotely exploitable
buffer overflow (AIX_Pdnsd_BO)
About this
signature or
vulnerability
This signature detects a large string of data being sent to pdnsd on TCP port 4242,
indicating a potential buffer overflow.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0
Systems affected
AIX: 3.1, AIX: 3.2, AIX: 3.2.4, AIX: 3.2.5, AIX: 2.2.1
Type
Unauthorized Access Attempt
Vulnerability
description
The Source Code Browser's Program Database Name Server Daemon (pdnsd) component
of the C Set ++ compiler for AIX contains a remotely exploitable buffer overflow. This
vulnerability could allow local or remote attackers to compromise root privileges on
vulnerable systems.
How to remove this
vulnerability
The C Set ++ compiler is no longer a supported product of IBM. Users are encouraged to
disable the pdnsd daemon on affected hosts by executing the following commands as
root:
1. rmitab browser
2. chown root.system /usr/lpp/xlC/browser/pdnsd
3. chmod 0 /usr/lpp/xlC/browser/pdnsd
4. /usr/lpp/xlC/browser/pdnsdkill
References
IBM Emergency Response Service Security Vulnerability Alert ERS-SVA-E01-1999:003.1
The IBM C Set ++ for AIX Source Code Browser allows local and remote users to become
root.
http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/
8FE7BF46758BA6ED8525680F0077E4EE/$file/sva003.txt
CIAC Information Bulletin J-059
IBM AIX (pdnsd) Buffer Overflow Vulnerability
http://www.ciac.org/ciac/bulletins/j-059.shtml
ISS X-Force
IBM C Set ++ pdnsd for AIX contains a remotely exploitable buffer overflow
http://xforce.iss.net/static/3135.php
CVE
CVE-1999-0745
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0745
Allaire JRun Server JSP files could be executed as JSP scripts
on the server (Allaire_JRun_JSP_Execute)
About this
signature or
vulnerability
This signature detects an HTTP GET request that could execute arbitrary JSP (Java Server
Page) code on an Allaire JRun server.
RealSecure is configured to detect HTTP GET requests to an Allaire JRun server on TCP
port 8000, the default port for Allaire JRun server. If you run Allaire JRun server on a port
other than 8000, you can configure this port in the RealSecure policy editor, under the
service name Allaire JRun.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
JRun: 2.3.x
Type
Unauthorized Access Attempt
Vulnerability
description
Allaire JRun version 2.3.x could be used to execute arbitrary code on the Web server, due to
a vulnerability in the way Java Server Pages (JSP files) are executed. JRun is used to
develop Web applications with JSP and Java Servlets. A remote attacker could insert
executable code in the form of JSP tags into any file on the Web server, then force this file
to be compiled and executed as a JSP file. An attacker can send a specially-crafted URL
containing the /servlet/ prefix and "dot dot" (../) sequences to traverse directories and
execute files on the Web server. It may be possible for an attacker to use this vulnerability
to gain administrative privileges on the system.
How to remove this
vulnerability
Apply the appropriate patch for your system, as listed in Allaire Security Bulletin ASB00-29. See References.
References
Allaire Security Bulletin ASB00-29
JRun 2.3.3: Patch available for "JSP execution of arbitrary file" security issue
http://www.allaire.com/handlers/index.cfm?ID=17969
Foundstone Security Advisory FS-102300-14-JRUN
Remote command execution
http://www.foundstone.com/cgi-bin/display.cgi?Content_ID=229
ISS X-Force
Allaire JRun Server JSP files could be executed as JSP scripts on the server
http://xforce.iss.net/static/5406.php
CVE
CAN-2000-1053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1053
Allaire JRun 2.3.x sample files allow remote access
(Allaire_JRun_Sample_Files)
About this
signature or
vulnerability
Internet Scanner check parameters:
JRun Admin Server port: Internet Scanner checks port 8000 for vulnerable versions of Allaire
JRun that could allow a remote user to view files on the Web server.
Sample file: Internet Scanner checks this directory (/servlet/SessionServlet) to determine
whether a remote attacker can view sample files, online documentation, or any files
containing sensitive information.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
JRun: 2.3.x
Type
Unauthorized Access Attempt
Vulnerability
description
Allaire JRun is a Java application server that supports Java Servlet APIs and Java Server
Pages (JSP). JRun 2.3.x includes sample files that could allow a remote user to view files
on the Web server. By requesting specially crafted URLs, a remote attacker could read
online documentation or sample files, as well as other files on the Web server. An attacker
could use this vulnerability to retrieve sensitive information.
How to remove this
vulnerability
Apply Allaire JRun 2.3.3 Maintenance Patch Build 158, available from the Allaire Web site.
See References.
— AND —
Remove all sample code, example applications, tutorials and documentation from
production servers. JRun 2.3.x examples are installed in the JRUN_HOME/servlets
directory and the JRUN_HOME/jsm-default/services/jws/htdocs directory. Remove all
files placed in these directories by the JRun installation. As a rule, sample code and
example applications should not be installed on production servers.
References
Allaire Security Bulletin ASB00-15
Workaround available for vulnerabilities exposed by JRun 2.3.x code sample
http://www.allaire.com/handlers/index.cfm?ID=16290
Allaire Corporation Web Site
Allaire Download System
http://www.allaire.com/download/
ISS X-Force
Allaire JRun 2.3.x sample files allow remote access
http://xforce.iss.net/static/4774.php
CVE
CVE-2000-0540
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0540
Allaire JRun Server SSIFilter with malformed URL could be used
to access files (Allaire_JRun_SSIFilter)
About this
signature or
vulnerability
This signature detects an HTTP GET request that could retrieve arbitrary files outside the
root directory of an Allaire JRun server.
RealSecure is configured to detect HTTP GET requests to an Allaire JRun server on TCP
port 8000, the default port for Allaire JRun server. If you run Allaire JRun server on a port
other than 8000, you can configure this port in the RealSecure policy editor, under the
service name Allaire JRun.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
JRun: 2.3.x
Type
Unauthorized Access Attempt
Vulnerability
description
Allaire JRun version 2.3.x could allow a remote attacker to retrieve unauthorized files from
the Web server, due to a vulnerability in the way Java Server Pages (JSP files) are executed.
JRun is used to develop Web applications with JSP and Java Servlets. The JRun server fails
to properly check for "dot dot" (../) sequences in URLs. By using the JRun server's
SSIFilter, a remote attacker can send a specially-crafted URL that contains "dot dot" (../)
sequences to traverse directories and access any file on the server. An attacker could also
use this to access the source code of arbitrary files in the server's document root.
Potentially proprietary Web server files (such as Java Server Pages) may contain sensitive
information (such as user IDs and passwords) embedded in the source code.
How to remove this
vulnerability
Apply the appropriate patch for your system, as listed in Allaire Security Bulletin ASB00-28. See References.
References
Allaire Security Bulletin ASB00-28
JRun 2.3.3: Patch available for "non-webroot requests" security issue
http://www.allaire.com/handlers/index.cfm?ID=17968
Foundstone Security Advisory FS-102300-13-JRUN
Arbitrary File Retrieval
http://www.foundstone.com/cgi-bin/display.cgi?Content_ID=230
ISS X-Force
Allaire JRun Server SSIFilter with malformed URL could be used to access files
http://xforce.iss.net/static/5405.php
CVE
CAN-2000-1052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1052
Allaire JRun allows file access using malformed WEB-INF directory request (Allaire_JRun_WebInf_DotSlash)
About this
signature or
vulnerability
This signature detects an HTTP GET request for the WEB-INF directory preceded with a
dot slash character sequence ("/./"). This GET request could indicate an attempt by a
remote user to obtain the contents of this otherwise restricted directory.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2, RealSecure Server Sensor: 6.5
Systems affected
JRun: 3.0
Type
Unauthorized Access Attempt
Vulnerability
description
Allaire JRun Web Server version 3.0 could allow a remote attacker to obtain directory
listings and retrieve file contents from the WEB-INF directory. A remote attacker can
submit a specially-crafted URL containing "/./WEB-INF/" to obtain a directory listing
and view files from the WEB-INF directory.
How to remove this
vulnerability
Apply the latest Service Pack for JRun 3.0 (SP2 or later), as listed in Allaire Security
Bulletin ASB01-02. See References.
References
Allaire Security Bulletin ASB01-02
JRun 3.0: Patch available for JRun malformed URI WEB-INF directory information and
web.xml file retrieval issue
http://www.allaire.com/handlers/index.cfm?ID=19546&Method=Full
ISS X-Force
Allaire JRun allows file access using malformed WEB-INF directory request
http://xforce.iss.net/static/6008.php
CVE
CVE-2001-0179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0179
Allaire JRun Server could allow unauthorized access to WEB-INF directory (Allaire_JRun_WebInf_SlashSlash)
About this
signature or
vulnerability
This signature detects an HTTP GET request for the WEB-INF directory preceded with
two slash ('/') characters. This GET request could indicate an attempt by a remote user to
obtain the contents of this otherwise restricted directory.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
JRun: 3.0
Type
Unauthorized Access Attempt
Vulnerability
description
Allaire JRun version 3.0 and version 3.0 with SP1 could allow unauthenticated read access
to the WEB-INF directory. JRun is used to develop Web applications with Java Server
Pages (JSP files) and Java Servlets. The WEB-INF directory contains information on
precompiled JSP files, Web application classes, server side libraries, session information,
and sensitive files (including web.xml and webapp.properties). A remote attacker could
request the WEB-INF directory using a specially-crafted URL with an additional slash (/)
to view the contents of the WEB-INF directory and reveal all of its subdirectories.
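The three JRun signatures above (Allaire_JRun_SSIFilter, Allaire_JRun_WebInf_DotSlash and Allaire_JRun_WebInf_SlashSlash) all key on the same weakness: the server applies its access rules to the raw request path before the path is normalized. The following Python is an added example, not code from this guide or from RealSecure or JRun, showing the check a sensor or a hardened server would make: percent-decode the path, look for the raw "../", "/./WEB-INF/" and "//WEB-INF/" forms, and separately resolve the path the way the file system will, to see whether it climbs out of the document root or lands in WEB-INF. The request lines are constructed samples, and the signature names are used here only as labels for the findings.

```python
from urllib.parse import unquote

# Raw request-path forms the three JRun signatures above key on, checked before
# any normalisation so the finding names the signature that would have fired.
RAW_PATTERNS = (
    ("../", "Allaire_JRun_SSIFilter"),            # dot-dot sequence anywhere in the path
    ("/./WEB-INF/", "Allaire_JRun_WebInf_DotSlash"),
    ("//WEB-INF/", "Allaire_JRun_WebInf_SlashSlash"),
)


def parse_request_line(line):
    """Split 'GET /path?query HTTP/1.0' into (method, raw_path, query)."""
    parts = line.strip().split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % line)
    method, target, _version = parts
    # Split on '?' by hand: urlsplit() would read '//WEB-INF/' as a host name.
    path, _, query = target.partition("?")
    return method, path, query


def normalise_path(raw_path):
    """Percent-decode the path and resolve '.', '..' and empty segments the way
    the file system will. Returns (segments, escaped); escaped is True when a
    '..' tried to climb above the document root."""
    segments = []
    escaped = False
    for seg in unquote(raw_path).split("/"):
        if seg in ("", "."):
            continue                      # '//' and '/./' collapse to nothing
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped = True            # more '..' than directories to climb
            continue
        segments.append(seg)
    return segments, escaped


def inspect_request(line):
    """Return the findings for one request line: signature names for the raw
    forms, plus what the canonical path actually reaches."""
    method, raw_path, _query = parse_request_line(line)
    findings = []
    if method != "GET":
        return findings                   # the signatures above cover GET only
    decoded = unquote(raw_path)
    for pattern, signature in RAW_PATTERNS:
        if pattern in decoded:
            findings.append(signature)
    segments, escaped = normalise_path(raw_path)
    if escaped:
        findings.append("path escapes document root")
    # WEB-INF must never be served; compare case-insensitively because a
    # Windows file system would match 'web-inf' as well.
    if any(seg.upper() == "WEB-INF" for seg in segments):
        findings.append("canonical path reaches WEB-INF")
    return findings


# Constructed request lines (not captured traffic) covering a clean request
# and the three malformed forms described above, one of them percent-encoded.
SAMPLE_REQUESTS = [
    "GET /index.jsp HTTP/1.0",
    "GET /servlet/../../../../outside.txt HTTP/1.0",
    "GET /./WEB-INF/web.xml HTTP/1.0",
    "GET //WEB-INF/ HTTP/1.0",
    "GET /%2e%2e/%2e%2e/WEB-INF/webapp.properties HTTP/1.0",
]


def scan(lines):
    """Map each request line to its findings (an empty list means clean)."""
    return {line: inspect_request(line) for line in lines}


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_REQUESTS).items():
        print("%-60s %s" % (line, ", ".join(findings) or "clean"))
```

The two checks are deliberately independent: the raw-pattern match reproduces what a signature sees on the wire, while the canonical-path check is what a server-side fix needs, because a percent-encoded or doubled-up form that no raw pattern matches still resolves to the same protected directory.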
How to remove this
vulnerability
Apply the appropriate patch for your system, as listed in Allaire Security Bulletin ASB00-27. See References.
References
Allaire Security Bulletin ASB00-27
JRun 3.0: Patch available for 'extra leading slash' security issue
http://www.allaire.com/handlers/index.cfm?ID=17966
Foundstone Security Advisory FS-102300-12-JRUN
Unauthenticated Access to WEB-INF directory
http://www.foundstone.com/cgi-bin/display.cgi?Content_ID=231
ISS X-Force
Allaire JRun Server could allow unauthorized access to WEB-INF directory
http://xforce.iss.net/static/5407.php
CVE
CAN-2000-1050
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1050
Automounter daemon buffer overflow can lead to remote root access (Amd_Overflow)
About this
signature or
vulnerability
This signature detects a long query directed at the amd service. Legitimate amd queries
are usually very small.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 1.3
Systems affected
FreeBSD, Red Hat Linux: 4.2, Caldera OpenLinux, Debian Linux, Red Hat Linux: 5.2, Red
Hat Linux: 6.0, BSD/OS: 4.0.1, BSD/OS: 3.1, BSD/OS: 4.0
Type
Unauthorized Access Attempt
Vulnerability
description
The Automounter daemon (amd) is vulnerable to a buffer overflow in the mount code
that affects Linux and some BSD platforms. The amd daemon responds to attempts to
access files by automatically mounting file systems on which those files reside. By passing
a long string to the AMQPROC_MOUNT procedure, a remote attacker can overflow the
buffer and gain root privileges on the system.
How to remove this
vulnerability
Upgrade to the latest version of am-utils (6.0.1 or later), as listed in CERT Advisory CA-1999-12. See References.
As a workaround, disable the amd daemon. However, this may prevent your system from
operating normally.
For Red Hat Linux 6.0:
Upgrade to the latest version of am-utils (6.01S11-1 or later), as listed in Red Hat, Inc.
Security Advisory RHSA-1999:032-01. See References.
For Caldera OpenLinux 2.2:
Upgrade to the latest version of am-utils (6.0-7 or later), as listed in Caldera Systems, Inc.
Security Advisory CSSA-1999:024.0. See References.
For BSDI (BSD/OS 4.0.1 and 3.1):
Apply mod M401-017 for 4.0.1 and mod M310-057 for 3.1, as listed in CERT Advisory CA-1999-12. See References.
For FreeBSD:
Upgrade to the latest version of FreeBSD (3.3-RELEASE or later), as listed in FreeBSD, Inc.
Security Advisory FreeBSD-SA-99:06. See References.
— OR —
Apply the patch for this vulnerability, as listed in FreeBSD, Inc. Security Advisory
FreeBSD-SA-99:06. See References.
For Debian Linux 2.1:
Upgrade to the latest version of amd (upl102-23.slink2 or later), as listed in Debian
Security Advisory 19991018a. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
For Red Hat Linux 4.2, Red Hat Linux 5.2, Red Hat Linux 6.0, and Caldera OpenLinux:
The am-utils package, on which the amd shipped with many Linux distributions is based,
has been updated. The updated am-utils is available at
ftp://shekel.mcl.cs.columbia.edu/pub/am-utils/
References
Red Hat Linux Errata Advisory RHSA-1999:032-01
Buffer overrun in amd
http://www.redhat.com/support/errata/RHSA1999032_O1.html
Caldera Systems, Inc. Security Advisory CSSA-1999-024.0
buffer overflow in amd
http://www.calderasystems.com/support/security/advisories/CSSA-1999-024.0.txt
CERT Advisory CA-1999-12
Buffer Overflow in amd
http://www.cert.org/advisories/CA-1999-12.html
BSDI Internet Super Server 4.0.1 Mods (patches)
BSDI Mod M401-017
http://www.bsdi.com/services/support/patches/patches-4.0.1/
FreeBSD, Inc. Security Advisory FreeBSD-SA-99:06 (from SecurityFocus Archive)
remote amd attack
http://www.securityfocus.com/advisories/1786
CIAC Information Bulletin J-071
Buffer Overflow Vulnerability in amd
http://www.ciac.org/ciac/bulletins/j-071.shtml
Debian Security Advisory 19991018a
amd: Buffer overflow in amd -- update
http://www.debian.org/security/1999/19991018a
ISS X-Force
Automounter daemon buffer overflow can lead to remote root access
http://xforce.iss.net/static/3171.php
CVE
CVE-1999-0704
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0704
Automounter daemon can be remotely queried for its process ID (Amd_Pid)
About this
signature or
vulnerability
This signature detects a query to the amd service for process ID (PID) information.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 1.3
Systems affected
Unix
Type
Suspicious Activity
Vulnerability
description
The Automounter daemon (amd) on some systems allows a remote user to query the
service for its current process ID (PID). By obtaining the PID of other processes, an
attacker can determine the randomness of the PIDs used on the system. Predictable PIDs
can be useful to an attacker for some kinds of attacks. PID information should not be
provided to untrusted users.
How to remove this
vulnerability
Block traffic to the RPC portmapper and the ports used by the automounter service at
your border gateway(s), firewall(s), or a combination of both.
— AND —
Upgrade to the latest version of am-utils (6.0.1 or later), as listed in CERT Advisory CA-1999-12. See References.
For Red Hat Linux 6.0:
Upgrade to the latest version of am-utils (6.01S11-1 or later), as listed in Red Hat, Inc.
Security Advisory RHSA-1999:032-01. See References.
For Caldera OpenLinux 2.2:
Upgrade to the latest version of am-utils (6.0-7 or later), as listed in Caldera Systems, Inc.
Security Advisory CSSA-1999:024.0. See References.
For BSDI (BSD/OS 4.0.1 and 3.1):
Apply mod M401-017 for 4.0.1 and mod M310-057 for 3.1, as listed in CERT Advisory CA-1999-12. See References.
For FreeBSD:
Upgrade to the latest version of FreeBSD (3.3-RELEASE or later), as listed in FreeBSD, Inc.
Security Advisory FreeBSD-SA-99:06. See References.
— OR —
Apply the patch for this vulnerability, as listed in FreeBSD, Inc. Security Advisory
FreeBSD-SA-99:06. See References.
For Debian Linux:
Upgrade to the latest version of amd (upl102-23.slink2 or later), as listed in Debian
Security Advisory 19991018a. See References.
For other distributions: Contact your vendor for upgrade or patch information.
References
Red Hat Linux Errata Advisory RHSA-1999:032-01
Buffer overrun in amd
http://www.redhat.com/support/errata/RHSA1999032_O1.html
Caldera Systems, Inc. Security Advisory CSSA-1999-024.0
buffer overflow in amd
http://www.calderasystems.com/support/security/advisories/CSSA-1999-024.0.txt
CERT Advisory CA-1999-12
Buffer Overflow in amd
http://www.cert.org/advisories/CA-1999-12.html
BSDI Internet Super Server 4.0.1 Mods (patches)
BSDI Mod M401-017
http://www.bsdi.com/services/support/patches/patches-4.0.1/
FreeBSD, Inc. Security Advisory FreeBSD-SA-99:06
remote amd attack
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-99:06.amd.asc
CIAC Information Bulletin J-071
Buffer Overflow Vulnerability in amd
http://www.ciac.org/ciac/bulletins/j-071.shtml
Debian Security Advisory 19991018a
amd: Buffer overflow in amd -- update
http://www.debian.org/security/1999/19991018a
ISS X-Force
Automounter daemon can be remotely queried for its process ID
http://xforce.iss.net/static/3232.php
Automounter daemon allows users to remotely query for system information (Amd_Version)
About this
signature or
vulnerability
This signature detects a query to the amd service for version information.
False positives
RealSecure Network Sensor: Although highly unlikely, a false positive is possible if a
legitimate user queries his or her own amd server.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 1.3
Systems affected
Unix
Type
Pre-attack Probe
Vulnerability
description
The Automounter daemon (amd) allows a remote user to query the service for
information about the system, including what operating system is in use, who built it, and
when it was built. This information could be useful to an attacker in performing an attack.
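The three amd signatures (Amd_Overflow, Amd_Pid and Amd_Version above) all inspect RPC calls to amq, the service amd answers, so one decoder serves them all. The following Python is an added example, not code from this guide or from RealSecure or am-utils: it decodes the fixed ONC RPC CALL header from a UDP payload (no TCP record mark), matches the amq program number, and classifies the call by procedure number, flagging a mount request whose string argument is far longer than the very small queries legitimate clients send. The program and procedure numbers are assumed from the am-utils amq.x definition and should be confirmed against the release you run; the 128-byte threshold is a constructed value; and the sample calls are produced by the block's own encoder rather than captured from the network.

```python
import struct

# amq is the RPC service amd answers; the PID query, the version query and the
# mount request all arrive as amq CALL messages. The program and procedure
# numbers below are assumed from the am-utils amq.x definition: confirm them
# against the am-utils release you run before relying on this check.
AMQ_PROGRAM = 300019
AMQPROC_MOUNT = 7       # amq_string argument: the procedure the overflow targets
AMQPROC_GETVERS = 8     # no argument: returns amd's version/build banner
AMQPROC_GETPID = 9      # no argument: returns amd's process ID

RPC_CALL = 0            # msg_type of a CALL message (RFC 1831)
RPC_VERSION = 2
AUTH_NULL = 0
MAX_MOUNT_ARG = 128     # constructed threshold: legitimate amq queries are tiny


def _u32(buf, off):
    """Read one big-endian XDR unsigned int at offset off."""
    if off + 4 > len(buf):
        raise ValueError("truncated RPC message")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _opaque(buf, off):
    """Read an XDR variable-length opaque/string: length, body, pad to 4 bytes."""
    length, off = _u32(buf, off)
    padded = (length + 3) & ~3
    if off + padded > len(buf):
        raise ValueError("truncated opaque field")
    return buf[off:off + length], off + padded


def parse_rpc_call(payload):
    """Decode the fixed ONC RPC CALL header of a UDP payload (no record mark).
    Returns None for anything that is not a CALL."""
    xid, off = _u32(payload, 0)
    msg_type, off = _u32(payload, off)
    if msg_type != RPC_CALL:
        return None
    rpcvers, off = _u32(payload, off)
    prog, off = _u32(payload, off)
    vers, off = _u32(payload, off)
    proc, off = _u32(payload, off)
    _cred_flavor, off = _u32(payload, off)
    _cred, off = _opaque(payload, off)
    _verf_flavor, off = _u32(payload, off)
    _verf, off = _opaque(payload, off)
    return {"xid": xid, "rpcvers": rpcvers, "prog": prog, "vers": vers,
            "proc": proc, "args": payload[off:]}


def classify_amq_call(payload):
    """Name the signature this amq CALL would raise, or None if it looks benign."""
    call = parse_rpc_call(payload)
    if call is None or call["prog"] != AMQ_PROGRAM:
        return None
    if call["proc"] == AMQPROC_GETPID:
        return "Amd_Pid"
    if call["proc"] == AMQPROC_GETVERS:
        return "Amd_Version"
    if call["proc"] == AMQPROC_MOUNT:
        arg, _ = _opaque(call["args"], 0)
        if len(arg) > MAX_MOUNT_ARG:        # the "long query" Amd_Overflow watches for
            return "Amd_Overflow"
    return None


def build_amq_call(xid, proc, string_arg=None):
    """Encode a minimal AUTH_NULL amq CALL. Constructed here only so the decoder
    can be exercised offline; it is not a capture of real amq traffic."""
    header = struct.pack(">IIIIII", xid, RPC_CALL, RPC_VERSION, AMQ_PROGRAM, 1, proc)
    auth = struct.pack(">IIII", AUTH_NULL, 0, AUTH_NULL, 0)   # empty cred and verf
    body = b""
    if string_arg is not None:
        body = struct.pack(">I", len(string_arg)) + string_arg + b"\0" * (-len(string_arg) % 4)
    return header + auth + body


if __name__ == "__main__":
    samples = [
        ("pid query", build_amq_call(1, AMQPROC_GETPID)),
        ("version query", build_amq_call(2, AMQPROC_GETVERS)),
        ("normal mount", build_amq_call(3, AMQPROC_MOUNT, b"/home")),
        ("oversized mount", build_amq_call(4, AMQPROC_MOUNT, b"A" * 600)),
    ]
    for label, payload in samples:
        print("%-16s -> %s" % (label, classify_amq_call(payload)))
```

Decoding the header rather than pattern-matching the payload is what lets the same code tell a benign version query from a mount request, and it also explains the false positive noted under Amd_Version: a legitimate administrator running amq against their own server produces exactly the same CALL.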
How to remove this
vulnerability
Block traffic to the RPC portmapper and the ports used by the automounter service at
your border gateway(s), firewall(s), or a combination of both.
— AND —
Upgrade to the latest version of am-utils (6.0.1 or later), as listed in CERT Advisory CA-1999-12. See References.
For Red Hat Linux 6.0:
Upgrade to the latest version of am-utils (6.01S11-1.6.0 or later), as listed in Red Hat, Inc.
Security Advisory RHSA-1999:032-01. See References.
For Caldera OpenLinux 2.2:
Upgrade to the latest version of am-utils (6.0-7 or later), as listed in Caldera Systems, Inc.
Security Advisory CSSA-1999:024.0. See References.
For BSDI (BSD/OS 4.0.1 and 3.1):
Apply mod M401-017 for 4.0.1 and mod M310-057 for 3.1, as listed in CERT Advisory CA-1999-12. See References.
For FreeBSD:
Upgrade to the latest version of FreeBSD (3.3-RELEASE or later), as listed in FreeBSD, Inc.
Security Advisory FreeBSD-SA-99:06. See References.
— OR —
Apply the patch for this vulnerability, as listed in FreeBSD, Inc. Security Advisory
FreeBSD-SA-99:06. See References.
For Debian Linux:
Upgrade to the latest version of amd (upl102-23.slink2 or later), as listed in Debian
Security Advisory 19991018a. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References
Red Hat Linux Errata Advisory RHSA-1999:032-01
Buffer overrun in amd
http://www.redhat.com/support/errata/RHSA1999032_O1.html
Caldera Systems, Inc. Security Advisory CSSA-1999-024.0
buffer overflow in amd
http://www.calderasystems.com/support/security/advisories/CSSA-1999-024.0.txt
CERT Advisory CA-1999-12
Buffer Overflow in amd
http://www.cert.org/advisories/CA-1999-12.html
BSDI Internet Super Server 4.0.1 Mods (patches)
BSDI Mod M401-017
http://www.bsdi.com/services/support/patches/patches-4.0.1/
FreeBSD, Inc. Security Advisory FreeBSD-SA-99:06
remote amd attack
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-99:06.amd.asc
CIAC Information Bulletin J-071
Buffer Overflow Vulnerability in amd
http://www.ciac.org/ciac/bulletins/j-071.shtml
Debian Security Advisory 19991018a
amd: Buffer overflow in amd -- update
http://www.debian.org/security/1999/19991018a
ISS X-Force
Automounter daemon allows users to remotely query for system information
http://xforce.iss.net/static/3236.php
Solaris AnswerBook2 administration interface (AnswerBook2_Admin)
About this
signature or
vulnerability
This signature detects an HTTP GET request to a Solaris AnswerBook2 server that
attempts to add an administrative user. Some versions of the AnswerBook2 HTTP
server fail to require authentication to add new users to the service, which could allow
unauthorized access to the system.
RealSecure is configured to detect HTTP GET requests to a Solaris AnswerBook2 server
on TCP port 8888, the default port for Solaris AnswerBook2. If you run AnswerBook2
server on a port other than 8888, you can configure this port in the RealSecure policy
editor, under the service name AnswerBook2.
False positives
RealSecure Network Sensor: It is possible that this signature may detect an authorized
administrator adding a user to the AnswerBook2 server. Check the source and destination
addresses to verify that this is an authorized action.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
Answerbook2
Type
Unauthorized Access Attempt
Vulnerability
description
Sun Solaris AnswerBook2 versions 1.3.x, 1.4, 1.4.1, and 1.4.2 could allow an unauthorized
user to access the administration interface. Due to improper authentication checking on
specific CGI scripts, an unauthorized user could create a new user by passing values to
the CGI without being authenticated. An unauthorized user could use this to read files
and gain control over content.
How to remove this
vulnerability
Apply the appropriate patch for your system, as listed in Sun Microsystems, Inc. Security
Bulletin #00196. See References.
References
BugTraq Mailing List, Mon Aug 07 2000 21:01:11
Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server
http://www.securityfocus.com/archive/1/74382
Sun Microsystems, Inc. Security Bulletin #00196
AnswerBook2
http://www.securityfocus.com/advisories/2486
CIAC Information Bulletin L-031
Sun AnswerBook2 Vulnerability
http://www.ciac.org/ciac/bulletins/l-031.shtml
ISS X-Force
Solaris AnswerBook2 administration interface
http://xforce.iss.net/static/5069.php
CVE
CAN-2000-0696
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0696
Solaris AnswerBook2 Web interface could allow remote execution (AnswerBook2_Execute)
About this
signature or
vulnerability
This signature detects a specially formatted HTTP GET request to a Solaris AnswerBook2
server. This GET request could execute the "reset_error_log" command with a file
argument containing a shell metacharacter or a dot dot ("../") character sequence. This
GET request indicates an attempt to manipulate files or execute arbitrary commands on
the AnswerBook2 server.
RealSecure is configured to detect HTTP GET requests to a Solaris AnswerBook2 server
on TCP port 8888, the default port for Solaris AnswerBook2. If you run AnswerBook2
server on a port other than 8888, you can configure this port in the RealSecure policy
editor, under the service name AnswerBook2.
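The AnswerBook2_Execute signature above keys on the contents of a CGI argument rather than on the path alone. The following Python is an added example, not code from this guide, from RealSecure or from AnswerBook2: it applies the check a sensor makes on the request line before the CGI ever sees it, decoding every query parameter and flagging any value that carries a dot-dot sequence or a shell metacharacter, but only for GET requests that name the watched command. The request paths are constructed for the example and do not reproduce AnswerBook2's real URL layout; only the command name reset_error_log comes from the description above.

```python
from urllib.parse import parse_qsl, unquote

# Characters that let a parameter value break out of a command line when a CGI
# hands it to a shell unquoted; together with '../' these are what the
# AnswerBook2_Execute signature above looks for in the file argument.
SHELL_METACHARACTERS = frozenset(";|&`$<>(){}\n\r")


def parse_request_line(line):
    """Split 'GET /path?query HTTP/1.0' into (method, decoded_path, raw_query)."""
    parts = line.strip().split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % line)
    method, target, _version = parts
    path, _, query = target.partition("?")
    return method, unquote(path), query


def suspicious_parameters(query):
    """Return [(name, value, reason), ...] for every query parameter whose
    decoded value carries a dot-dot sequence or a shell metacharacter."""
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if "../" in value or "/.." in value:
            findings.append((name, value, "dot-dot sequence"))
        bad = "".join(sorted(SHELL_METACHARACTERS.intersection(value)))
        if bad:
            findings.append((name, value, "shell metacharacter %r" % bad))
    return findings


def inspect_command_request(line, command="reset_error_log"):
    """Apply the check only to GET requests that name the watched command in
    the path or the query; other requests are ignored, as the signature does."""
    method, path, query = parse_request_line(line)
    if method != "GET":
        return []
    if command not in path and command not in unquote(query):
        return []
    return suspicious_parameters(query)


# Constructed request lines. The path layout is invented for the example and is
# not AnswerBook2's real URL scheme; only the command name comes from the text.
SAMPLE_REQUESTS = [
    "GET /ab2/reset_error_log?file=ab2.log HTTP/1.0",
    "GET /ab2/reset_error_log?file=..%2F..%2Fsome.log HTTP/1.0",
    "GET /ab2/reset_error_log?file=ab2.log%3Bid HTTP/1.0",
    "GET /ab2/search?query=..%2F HTTP/1.0",
]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line, "->", inspect_command_request(line) or "clean")
```

Decoding with parse_qsl before matching matters: the dot-dot and the metacharacter in the samples are percent-encoded on the wire, so a pattern applied to the raw request line would miss both.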
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
Answerbook2
Type
Unauthorized Access Attempt
Vulnerability
description
Solaris AnswerBook2 ships with an HTTP server that allows users to access Solaris
documentation using a Web browser. Due to a vulnerability in the HTTP server
(dwhttpd), a remote attacker can access the administration interface of AnswerBook2 and
execute arbitrary commands on the remote host with the privileges of the Web server. The
Web server usually runs as user daemon.
How to remove this
vulnerability
Upgrade to the latest version of AnswerBook2 (1.4.2 or later), and then apply the
appropriate patch for your system, as listed in Sun Microsystems, Inc. Security Bulletin
#00196. See References.
References
BugTraq Mailing List, Mon Aug 07 2000 14:01:11
Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server
http://www.securityfocus.com/archive/1/74382
Sun Microsystems, Inc. Security Bulletin #00196
AnswerBook2
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/196
CIAC Information Bulletin L-031
Sun AnswerBook2 Vulnerability
http://www.ciac.org/ciac/bulletins/l-031.shtml
ISS X-Force
Solaris AnswerBook2 Web interface could allow remote execution
http://xforce.iss.net/static/5058.php
CVE
CAN-2000-0697
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0697
L0pht AntiSniff ARP test detected (AntiSniff_ARP_Test)
About this
signature or
vulnerability
This signature detects the L0pht AntiSniff program performing an ARP test to scan your
network for systems in promiscuous (sniffing) mode.
False positives
RealSecure Network Sensor: A false positive is possible if RealSecure detects a packet
from a similar tool that is not AntiSniff.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 5.0
Systems affected
Any
Type
Pre-attack Probe
Vulnerability
description
The L0pht AntiSniff program is performing an ARP test to scan your network for systems
in promiscuous (sniffing) mode.
The AntiSniff program developed by L0pht Heavy Industries determines if a device is
listening to traffic on the local network. An attacker could use L0pht AntiSniff to gain
information about a network that could be useful in an attack. AntiSniff can detect if an
IDS (Intrusion Detection System) is being used on the network, prompting an attacker to
use IDS evasion techniques. An attacker could also use L0pht AntiSniff to locate a
compromised system that has been placed in promiscuous (sniffing) mode that could be
used by the attacker.
How to remove this
vulnerability
This occurrence may identify a local attacker on your network, because the AntiSniff ARP
test can only be performed on a local LAN, not across the Internet. Determine which
computer is using L0pht AntiSniff, and determine if it is in compliance with your system
policies.
References
@stake, Inc./L0pht Heavy Industries, Inc. Web site
AntiSniff
http://www.l0pht.com/antisniff/
ISS X-Force
L0pht AntiSniff ARP test detected
http://xforce.iss.net/static/4653.php
L0pht AntiSniff DNS test detected (AntiSniff_DNS_Test)
About this
signature or
vulnerability
This signature detects the L0pht AntiSniff program performing a DNS test to scan your
network for systems in promiscuous (sniffing) mode.
False positives
RealSecure Network Sensor: A false positive is possible if RealSecure detects a packet
from a similar tool that is not AntiSniff.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 5.0
Systems affected
Any
Type
Pre-attack Probe
Vulnerability
description
The L0pht AntiSniff program is performing a DNS test to scan your network for systems
in promiscuous (sniffing) mode.
The AntiSniff program developed by L0pht Heavy Industries determines if a device is
listening to traffic on the local network. An attacker could use L0pht AntiSniff to gain
information about a network that could be useful in an attack. AntiSniff can detect if an
IDS (Intrusion Detection System) is being used on the network, prompting an attacker to
use IDS evasion techniques. An attacker could also use L0pht AntiSniff to locate a
compromised system that has been placed in promiscuous (sniffing) mode that could be
used by the attacker.
How to remove this
vulnerability
This occurrence may identify a local attacker on your network, because the AntiSniff DNS
test can only be performed on a local LAN, not across the Internet. Determine which
computer is using L0pht AntiSniff, and determine if it is in compliance with your system
policies.
References
@stake, Inc./L0pht Heavy Industries, Inc. Web site
AntiSniff
http://www.l0pht.com/antisniff/
ISS X-Force
L0pht AntiSniff DNS test detected
http://xforce.iss.net/static/4661.php
AOL Admin backdoor for Windows and AOL (AolAdmin)
About this
signature or
vulnerability
This signature detects a TCP connection on port 30029 to an AOL Admin backdoor on
your network.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows NT, Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The AOL Admin backdoor is one of many backdoor programs that attackers can use to
access your computer system without your knowledge or consent. With the AOL Admin
backdoor, an attacker can do the following:
● execute programs
● delete files
● send Instant Messages to an AOL user
● monitor Instant Messages that you receive
● send email from your AOL account
How to remove this
vulnerability
To remove AOL Admin from your computer:
1. Using Regedit, find the HKLM\Software\Microsoft\Windows\CurrentVersion\Run
registry key.
2. Find the registry entry that is named dat92003 and has a data value of dat92003.exe.
3. Delete this registry entry.
4. Delete dat92003.exe from your Windows system directory.
References
PestControl Web site
AOL Admin
http://safersite.com/PestInfo/A/AOL_Admin.asp
ISS X-Force
AOL Admin backdoor for Windows and AOL
http://xforce.iss.net/static/3131.php
ARP host down detection (Arp)
About this
signature or
vulnerability
This signature detects a series of ARP requests with no corresponding replies. This
condition could indicate that a host on the network has crashed or has stopped
responding to network traffic.
False positives
RealSecure Network Sensor: A false positive is possible if RealSecure is monitoring a
network segment that is using Layer 2 bridging or switching. False positives may occur
when both systems involved are across a bridge or switch from the sensor. This is because
the bridging/switching causes the sensor to see the ARP requests (which are broadcasts)
but to miss the ARP replies (which are unicast packets).
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
Any
Type
Suspicious Activity
Vulnerability
description
On Ethernet segments, hosts periodically send Address Resolution Protocol (ARP) queries
to other computers on the network to translate between IP and Ethernet MAC addresses.
During normal operation of a computer, a host will respond to these queries with an ARP
reply. If a host has crashed or otherwise stopped responding to network traffic, ARP
queries will accumulate on the network with no corresponding ARP replies being
returned. By examining the relationship between an ARP query and a lack of ARP replies,
it is possible to passively determine if a host on a network is non-responsive. If a
computer is not responding to ARP requests, it may have crashed, or it may be the victim
of a denial of service attack.
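The following Python is an added example, not part of this guide or of RealSecure's own implementation, of the bookkeeping the description above implies: count ARP requests per target IP, clear the count when that host answers, and report a target once when its unanswered count crosses a threshold. The frames are constructed dictionaries standing in for decoded ARP packets, and the threshold is an assumed value to be tuned per segment. The false positive noted above falls out of the design: when the sensor sits across a switch from both hosts it sees the broadcast requests but not the unicast replies, so the count climbs even though the host is alive, and the detector only recovers once some reply from that host does reach it.

```python
from collections import defaultdict


class ArpHostDownDetector:
    """Count ARP requests per target IP; a reply from that host clears the
    count, and a target that accumulates `threshold` unanswered requests is
    reported once until it answers again."""

    def __init__(self, threshold=5):
        self.threshold = threshold                 # assumed value; tune per segment
        self.unanswered = defaultdict(int)         # target IP -> unanswered requests
        self.alerted = set()                       # targets already reported

    def observe(self, frame):
        """frame is a decoded ARP packet: {'op': 'request'|'reply',
        'sender_ip': ..., 'target_ip': ...}. Returns an alert string or None."""
        if frame["op"] == "request":
            target = frame["target_ip"]
            self.unanswered[target] += 1
            if self.unanswered[target] >= self.threshold and target not in self.alerted:
                self.alerted.add(target)
                return "Arp: %s not responding after %d requests" % (target, self.unanswered[target])
        elif frame["op"] == "reply":
            # The reply's sender is the host that was being asked for: it is alive,
            # so forget the outstanding requests and allow a fresh alert later.
            sender = frame["sender_ip"]
            self.unanswered.pop(sender, None)
            self.alerted.discard(sender)
        return None


def run_detector(frames, threshold=5):
    """Feed a frame sequence through one detector and collect the alerts."""
    detector = ArpHostDownDetector(threshold)
    alerts = []
    for frame in frames:
        alert = detector.observe(frame)
        if alert:
            alerts.append(alert)
    return alerts


def _request(sender_ip, target_ip):
    return {"op": "request", "sender_ip": sender_ip, "target_ip": target_ip}


def _reply(sender_ip, target_ip):
    return {"op": "reply", "sender_ip": sender_ip, "target_ip": target_ip}


# Constructed frame sequence (not a capture): 10.0.0.2 answers normally,
# 10.0.0.3 goes quiet, is reported once, comes back, then goes quiet again
# but stays below the threshold.
SAMPLE_FRAMES = [
    _request("10.0.0.1", "10.0.0.2"), _reply("10.0.0.2", "10.0.0.1"),
    _request("10.0.0.1", "10.0.0.3"), _request("10.0.0.1", "10.0.0.3"),
    _request("10.0.0.1", "10.0.0.3"),          # third unanswered request: alert
    _request("10.0.0.1", "10.0.0.3"),          # still down: no duplicate alert
    _reply("10.0.0.3", "10.0.0.1"),            # host is back; counters cleared
    _request("10.0.0.1", "10.0.0.3"), _request("10.0.0.1", "10.0.0.3"),
]


if __name__ == "__main__":
    for alert in run_detector(SAMPLE_FRAMES, threshold=3):
        print(alert)
```

Keying the reply on its sender rather than on the original requester is what makes the state consistent: any reply proves the host is up, whoever asked, so one observed reply is enough to cancel an alert raised on a switched segment.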
How to remove this
vulnerability
No remedy available as of June 2001.
References
ISS X-Force
ARP host down detection
http://xforce.iss.net/static/395.php
Ascend and 3Com router malformed TCP packet denial of service (Ascend_Kill)
About this
signature or
vulnerability
This signature detects malformed TCP packets that an attacker could use to cause internal
errors on Ascend routers that use certain versions of the Ascend operating system.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
Ascend Routers: R 4.5Ci12 and earlier
Type
Denial of Service
Vulnerability
description
Ascend routers that use certain versions of the Ascend operating system and some 3Com
routers are vulnerable to a denial of service attack. An attacker could send a malformed
TCP packet to an Ascend router to cause an internal error on the router; this internal error
will cause the router to restart. This attack can disconnect you from the Internet or
disconnect remote users from your site. The router may not automatically restart, in which
case the router must be restarted in order to restore normal functionality.
How to remove this
vulnerability
Ping the router that received the attack to determine if it is still active. Restart the router if
it is not active.
— AND —
Upgrade the Ascend router to Release 4.5Ci12 or later. Contact Lucent Technologies for
upgrade information.
References
BugTraq Mailing List, Sat Nov 16 1996 10:53:33
El Programa Matador de Ascendes
http://www.securityfocus.com/archive/1/5682
BugTraq Mailing List, Wed Oct 30 1996 03:44:20
Someone reminded me of something today ;)
http://www.securityfocus.com/archive/1/5640
BugTraq Mailing List, Wed Oct 30 1996 22:10:38
Re: BoS: Someone reminded me of something today ;)
http://www.securityfocus.com/archive/1/5647
ISS X-Force
Ascend and 3Com router malformed TCP packet denial of service
http://xforce.iss.net/static/614.php
CVE
CAN-1999-0193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0193
Asylum RAT (Remote Access Tool) backdoor for Windows (Asylum)
About this
signature or
vulnerability
This signature detects a TCP connection to an Asylum backdoor on port 23432 on your
network.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.1
Systems affected
Windows NT, Windows 95, Windows 98, Windows 2000
Type
Unauthorized Access Attempt
Vulnerability
description
The Asylum remote administration tool (RAT) is one of many backdoor programs that
attackers can use to access your computer system without your knowledge or consent.
With the Asylum backdoor, an attacker can upload and execute files on the host and
restart the computer.
Asylum is distributed with an "edit server" program that allows the attacker to customize
the backdoor server to run on arbitrary ports (TCP 23432 by default) and use
combinations of startup methods, making it difficult to remove from an infected host.
How to remove this
vulnerability
To remove a default installation of Asylum from your computer:
1. Open C:\Windows\System.ini and remove the entry for wincmp32.exe in the shell
key under the [boot] section.
2. Restart your computer.
3. Delete C:\Windows\wincmp32.exe.
The Asylum backdoor can be difficult to remove manually, because it is configurable,
making it difficult to identify on your system. If the above instructions do not remove the
Asylum backdoor, refer to the steps below for using an antivirus program to remove the
backdoor.
To use an antivirus program to remove the Asylum backdoor:
1. If you do not have an antivirus program installed, download and install one of these
virus scanners:
■ Norton AntiVirus: http://www.symantec.com/nav/indexA.html
■ McAfee VirusScan: http://software.mcafee.com/centers/download/
■ Trend Micro PC-Cillin: http://www.trend.com/pc-cillin/
2. Run the antivirus program to scan your system for this backdoor. The virus scanner
should find and remove the Asylum backdoor from your computer.
References
[sd] inc. Web site
Asylum
http://asylum.slak.org/index2.html
ISS X-Force
Asylum RAT (Remote Access Tool) backdoor for Windows
http://xforce.iss.net/static/4849.php
Audit log manually cleared by a user with appropriate privileges (Audit_log_cleared)
About this
signature or
vulnerability
This signature detects that the Windows NT audit log has been manually cleared by a user
with appropriate privileges.
Default risk level
High
Sensors that have
this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Unix, Windows NT
Type
Host Sensor
Vulnerability
description
Windows NT records system events in the audit log, which is the principal
record of activity on the system. The audit log records events according to the audit
policies that have been set by the system administrator. A user with appropriate privileges
may clear the log, which deletes all records from the log. When a log is cleared, Windows
NT writes an event message to the log indicating that fact.
Audit logs are not typically cleared manually. Using the "log settings" option in the Event
Viewer utility, an administrator can control the size of the log and when records are
removed from the log. An attacker that has gained access to a system may attempt to erase
indications of his activities by deleting all records from the security audit log.
How to remove this vulnerability
Any instance of manually clearing the security audit log should be investigated. If
legitimate administrative work cannot account for the event, then further investigation is
needed. Investigate any recently recorded events.
References
ISS X-Force
Audit log manually cleared by a user with appropriate privileges
http://xforce.iss.net/static/1576.php
Audit policy settings changed manually (Audit_policy_change)
About this signature or vulnerability
This signature detects an attempt to manually change a system's audit policy. Normally,
the audit policy is automatically set according to the audit functions chosen in the policy
setup of RealSecure OS Sensor, and it should not be changed manually.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Unix, Windows NT
Type
Host Sensor
Vulnerability description
Windows NT/2000 and Solaris use an audit log to record events. The audit log is the
principal record of activity on the system and records events according to the audit
policies that have been set up by the system administrator.
The system's audit policy can be viewed or changed as follows:
● For Windows NT/2000: Access the audit policy details through the User Manager
utility.
● For Solaris: The audit policy is contained in the directory /etc/security in the files
audit_control, audit_class, and audit_event. The audit policy can be manipulated by
using the auditconfig command.
How to remove this vulnerability
Any instance of changing audit policy should be investigated. If legitimate administrative
work cannot account for the event, then further investigation is needed. Ensure that the
appropriate audit policy is re-established.
References
ISS X-Force
Audit policy settings changed manually
http://xforce.iss.net/static/1578.php
Authentication package load (Authentication_package_loaded)
About this signature or vulnerability
This signature detects a Windows NT/2000 or Solaris system loading a program, called an
authentication package, that controls how users are authenticated when they log on to the
system.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.1, RealSecure Server Sensor: 5.5
Systems affected
Unix, Windows NT
Type
Host Sensor
Vulnerability description
Windows NT/2000: The Local Security Authority (LSA) has loaded an authentication
package. This authentication package will be used to authenticate any subsequent logon
attempts. Typically, the default authentication package (msv1_0.dll) is loaded at system
startup.
Solaris: Solaris uses PAM, the Pluggable Authentication Module, to provide a number of
authentication services. A PAM provides functionality for up to four services:
● authentication: authenticates a user and sets up user credentials
● account management: determines if the user account is valid
● session management: sets up and terminates login sessions
● password management: provides functionality to change a user's authentication
token or password
Each of the four service modules can be implemented as a shared library object that can be
referenced in the pam.conf configuration file.
How to remove this vulnerability
Windows NT/2000: This event should not appear under normal usage of Windows NT/
2000, except at system startup time. If this event appears and the package name is not as
expected or if legitimate system administration activities cannot account for this event,
examine the authentication package and determine if the correct authentication package
should be restored.
Solaris: An authentication module is responsible for authenticating a user's access to the
system. Changing this package entails making a change to the pam.conf configuration file.
This event should not appear as part of the typical use of the system. If this event appears,
check the pam.conf file. If the module name is not as expected, or if legitimate system
administration activities cannot account for this event, examine the authentication
package and determine if the correct authentication package should be restored.
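As an added illustration of the Solaris check described above (example code written for this entry, not ISS's or Sun's), the following Python script parses a pam.conf file and flags any entry whose module type is not one of the four PAM services, whose module is loaded from outside the expected library directory, or whose module file name is not on an administrator's baseline. The baseline names, the library directory, and the pam.conf contents are constructed for the example.

```python
from typing import List, NamedTuple

# The four PAM service types named in the signature description.
PAM_SERVICE_TYPES = {"auth", "account", "session", "password"}

# Constructed baseline for this example: the module files an administrator expects
# to see referenced from pam.conf, and the directory they should be loaded from.
# (Assumption for the example, not a Solaris default list.)
EXPECTED_MODULES = {"pam_unix.so.1", "pam_dial_auth.so.1", "pam_rhosts_auth.so.1"}
EXPECTED_DIR = "/usr/lib/security"

# Constructed pam.conf extract: service  module_type  control_flag  module_path [options]
PAM_CONF_SAMPLE = """\
# constructed pam.conf for this example
login   auth      required   /usr/lib/security/pam_unix.so.1
login   account   required   /usr/lib/security/pam_unix.so.1
login   session   required   /usr/lib/security/pam_unix.so.1
other   password  required   pam_unix.so.1
telnet  auth      sufficient /tmp/.lib/pam_unix.so.1
rlogin  auth      required   /usr/lib/security/pam_sshkeys.so.1
"""


class PamEntry(NamedTuple):
    service: str
    module_type: str
    control_flag: str
    module_path: str
    options: List[str]


def parse_pam_conf(text: str) -> List[PamEntry]:
    """Parse pam.conf lines into entries; '#' starts a comment, blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        entries.append(PamEntry(fields[0], fields[1], fields[2], fields[3], fields[4:]))
    return entries


def unexpected_entries(entries: List[PamEntry],
                       expected_modules=EXPECTED_MODULES,
                       expected_dir=EXPECTED_DIR) -> List[str]:
    """Return one finding per entry that deviates from the baseline."""
    findings = []
    for e in entries:
        if e.module_type not in PAM_SERVICE_TYPES:
            findings.append(f"{e.service}: unknown module type {e.module_type!r}")
        path = e.module_path
        if not path.startswith("/"):
            # Assumption for the example: a relative module name resolves under the
            # library directory, as Solaris does for pam.conf.
            path = f"{expected_dir}/{path}"
        directory, _, name = path.rpartition("/")
        if directory != expected_dir:
            findings.append(f"{e.service}/{e.module_type}: module loaded from {directory!r}")
        if name not in expected_modules:
            findings.append(f"{e.service}/{e.module_type}: unexpected module {name!r}")
    return findings


if __name__ == "__main__":
    for finding in unexpected_entries(parse_pam_conf(PAM_CONF_SAMPLE)):
        print(finding)
```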
References
ISS X-Force
Authentication package load
http://xforce.iss.net/static/2217.php
Authentication ticket granted to a Windows 2000 security principal (Authentication_ticket_granted)
About this signature or vulnerability
This signature detects a Windows event log message indicating that an authentication
ticket has been granted.
Default risk level
Low
Sensors that have this signature
RealSecure Server Sensor: SR 1.1
Systems affected
Windows 2000
Type
Host Sensor
Vulnerability description
When a Windows 2000 security principal successfully authenticates with a Windows 2000
domain controller, an authentication ticket is granted to that security principal. The
granting of an authentication ticket to a suspicious security principal could indicate an
attempt by an attacker to tamper with the Windows 2000 domain.
How to remove this vulnerability
Verify that the authenticated security principal is authorized.
References
ISS X-Force
Authentication ticket granted to a Windows 2000 security principal
http://xforce.iss.net/static/4864.php
Authentication ticket request failed (Authentication_ticket_request_failed)
About this signature or vulnerability
This signature detects a Windows event log message indicating that an authentication
ticket request has failed.
Default risk level
Low
Sensors that have this signature
RealSecure Server Sensor: SR 1.1
Systems affected
Windows 2000
Type
Host Sensor
Vulnerability description
When a Windows 2000 security principal successfully authenticates with a Windows 2000
domain controller, an authentication ticket is granted to that security principal. Frequent
failures for an authentication ticket to be granted to a security principal could indicate
attempts by an attacker to tamper with the Windows 2000 domain.
How to remove this vulnerability
Determine the cause of the authentication ticket request failure.
References
ISS X-Force
Authentication ticket request failed
http://xforce.iss.net/static/4870.php
BackConstruction backdoor for Windows (BackConstruction)
About this signature or vulnerability
This signature detects a TCP connection on port 5400 or 666 to a BackConstruction
backdoor on your network.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows NT, Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability description
The BackConstruction backdoor is one of many backdoor programs that attackers can use
to access your computer system without your knowledge or consent. With the
BackConstruction backdoor, an attacker can create, retrieve, and manipulate files using a
built-in FTP server.
How to remove this vulnerability
To remove BackConstruction from your computer:
1. Using Regedit, find the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Shell registry key.
2. Delete this registry key.
3. Delete Cmctl32.exe from the Windows directory.
4. Restart your computer to remove the backdoor from memory.
References
TL Security Web site
TL Security
http://tlsecurity.cjb.net/
ISS X-Force
BackConstruction backdoor for Windows
http://xforce.iss.net/static/3222.php
Backdoor2 for Windows (BackDoor2)
About this signature or vulnerability
This signature detects a TCP connection on port 1999 to a BackDoor2 server on your
network.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows NT, Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability description
The Backdoor2 backdoor is one of many backdoor programs that attackers can use to
access your computer system without your knowledge or consent. With the Backdoor2
backdoor, an attacker can access files and retrieve system information.
How to remove this vulnerability
To remove Backdoor2 from your computer:
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may
cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. Using Regedit, find the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ registry key.
2. Find the registry entry named Notepad that has a data value of
C:\Windows\Notpa.exe /o=yes.
3. Delete this registry entry.
4. Delete Notpa.exe from C:\Windows.
References
ISS X-Force
Backdoor2 for Windows
http://xforce.iss.net/static/2389.php
Back Orifice default installation (BackOrifice)
False negatives
RealSecure Network Sensor: No false negatives are known for this signature. RealSecure
can detect BackOrifice traffic on all ports, with any password.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 2.5, RealSecure Server Sensor: 6.0.1
Systems affected
Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability description
The Back Orifice backdoor, released by the hacker group Cult of the Dead Cow, is one of
many backdoor programs for Windows 95 and Windows 98 that attackers can use to
access your computer system without your knowledge or consent. With the Back Orifice
backdoor, an attacker can obtain total control of the system.
How to remove this vulnerability
To remove a default installation of Back Orifice from your computer:
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may
cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. Using Regedit, find the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices registry key.
2. Find and delete the registry entry named (Default) that has a data value of .exe.
3. Restart the computer.
4. Delete the file exe~1 from C:\Windows\System.
References
Cult of the Dead Cow (cDc) Web site
cDc Home Page
http://www.cultdeadcow.com
Internet Security Systems Security Alert #05
Cult of the Dead Cow Back Orifice Backdoor
http://xforce.iss.net/alerts/advise5.php
Internet Security Systems Security Alert #08
Windows Backdoors Update
http://xforce.iss.net/alerts/advise8.php
ISS X-Force
Back Orifice default installation
http://xforce.iss.net/static/1218.php
Back Orifice 2000 allows complete remote administrative control (BackOrifice2000)
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 3.1.2
Systems affected
Windows NT, Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability description
Back Orifice 2000 is one of many backdoor programs that attackers can use to access your
computer system without your knowledge or consent. Back Orifice 2000 allows remote
operation of infected Windows 95/98 and Windows NT computers. With the Back Orifice
2000 backdoor, an attacker can do the following:
● gather information about your network
● perform system commands
● reconfigure computers on your network
● redirect network traffic
How to remove this vulnerability
The Back Orifice 2000 backdoor can be very difficult to remove manually, because it is
highly configurable, making it difficult to identify on your system. By default, the Back
Orifice 2000 backdoor will install itself in the Windows system directory as the file
UMGR32.EXE. On Windows NT, it will install a service listed as "Remote Administration
Service." However, this default name can be changed. Refer to the steps below for using
an antivirus program to remove the backdoor.
To use an antivirus program to remove the Back Orifice 2000 backdoor:
1. If you do not have an antivirus program installed, download and install one of these
virus scanners:
■ Norton AntiVirus: http://www.symantec.com/nav/indexA.html
■ McAfee VirusScan: http://software.mcafee.com/centers/download/
■ Trend Micro PC-Cillin: http://www.trend.com/pc-cillin/
2. Run the antivirus program to scan your system for this backdoor. The virus scanner
should find and remove the Back Orifice 2000 backdoor from your computer.
References
Microsoft Security Bulletin
What Customers Should Know About 'BackOrifice 2000'
http://www.microsoft.com/security/bulletins/bo2k.asp
Cult of the Dead Cow (cDc) Web site
Back Orifice 2000
http://www.bo2k.com/indexnews.html
Internet Security Systems Security Alert #31
Back Orifice 2000
http://xforce.iss.net/alerts/advise31.php
Trend Micro, Inc. Security Alert
Back Orifice 2000
http://www.antivirus.com/vinfo/security/sa071299.htm
Symantec AntiVirus Research Center
BackOrifice2K.Trojan
http://www.norton.com/avcenter/venc/data/back.orifice.2000.trojan.html
ISS X-Force
Back Orifice 2000 allows complete remote administrative control
http://xforce.iss.net/static/2343.php
BigGluck backdoor for Windows (BigGluck)
About this signature or vulnerability
This signature detects a telnet connection on port 34324 to a BigGluck backdoor on your
network.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows NT, Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability description
The BigGluck backdoor is one of many backdoor programs that attackers can use to access
your computer system without your knowledge or consent. With the BigGluck backdoor,
an attacker can retrieve Dial-Up Networking accounts and their passwords through a
remote telnet connection.
How to remove this vulnerability
To remove BigGluck from your computer:
1. Find and delete Windll.exe.
2. Using Regedit, find the HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windll.exe registry key.
3. Delete this registry key.
4. Find the HKLM\Software\Microsoft\NetDDU registry key.
5. Delete this registry key.
References
ISS X-Force
BigGluck backdoor for Windows
http://xforce.iss.net/static/3162.php
BIND Inverse-Query buffer overflow allows remote root access (DNS_Length_Overflow)
About this signature or vulnerability
This vulnerability is detected by the DNS_Length_Overflow signature.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 1.0
Systems affected
BIND
Type
Unauthorized Access Attempt
Vulnerability description
BIND versions prior to 4.9.7 and BIND versions prior to 8.1.2 are vulnerable to a denial of
service attack caused by a buffer overflow. By sending a specially-crafted inverse-query
TCP stream, a remote attacker can overflow a buffer and cause the BIND server to crash.
An attacker can use this vulnerability to gain root access to the system.
How to remove this vulnerability
Disable inverse queries and upgrade to the latest version of BIND (8.1.2 or later) or BIND
(4.9.7 or later), as listed in CERT Advisory CA-98.05. See References. Upgrading to BIND
8.1.2 is highly recommended.
— OR —
Apply the BIND 8.1.1 patch, as listed in CERT Advisory CA-98.05. See References.
For SunOS 2.x:
Apply the appropriate patch for your system, as listed in Sun Microsystems, Inc. Security
Bulletin #00180. See References.
The inverse query feature is disabled by default, so only the systems that have been
explicitly configured to allow it are vulnerable. In BIND 8, review the options block in the
configuration file (typically /etc/named.conf). If there is a "fake-iquery yes;" line, then the
server is vulnerable. In BIND 4.9, examine the option lines in the configuration file
(typically /etc/named.boot). If there is a line containing "fake-iquery," then the server is
vulnerable.
In addition, in BIND 4.9 (unlike BIND 8) inverse query support can also be enabled when
the server is compiled. Examine conf/options.h in the source. If the line that #defines
INVQ is not commented out, then the server is vulnerable.
Disabling inverse query support can break ancient versions of nslookup. If nslookup fails,
replace it with a version from any BIND 4.9 or BIND 8 distribution. See CERT Advisory
CA-98.05 for vulnerable systems and vendor-specific patches.
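The three configuration checks above can be automated. The following Python script is an added example (not from ISS or the BIND distribution) that applies them to the contents of named.conf, named.boot, and conf/options.h, ignoring settings that are commented out; the sample configurations embedded in it are constructed for the example.

```python
import re
from typing import List, Optional

# Constructed sample configurations (not taken from any real server).
NAMED_CONF_VULNERABLE = """\
options {
    directory "/var/named";
    fake-iquery yes;   // inverse queries explicitly enabled
};
zone "." { type hint; file "root.cache"; };
"""

NAMED_CONF_SAFE = """\
options {
    directory "/var/named";
    // fake-iquery yes;
};
"""

NAMED_BOOT_VULNERABLE = """\
directory /etc/namedb
options fake-iquery
primary example.test db.example
"""

OPTIONS_H_VULNERABLE = """\
/* conf/options.h */
#define INVQ            /* inverse queries compiled in */
#define NCACHE
"""

OPTIONS_H_SAFE = """\
/* #define INVQ */
#define NCACHE
"""


def bind8_fake_iquery_enabled(named_conf: str) -> bool:
    """BIND 8: true if the options block contains 'fake-iquery yes;' outside comments."""
    text = re.sub(r"/\*.*?\*/", "", named_conf, flags=re.S)   # C-style comments
    text = re.sub(r"(//|#)[^\n]*", "", text)                  # line comments
    # Look only inside the options block, so the setting is not confused with
    # a similarly named token in a zone statement.
    block = re.search(r"\boptions\s*\{(.*?)\};", text, flags=re.S)
    if not block:
        return False
    return re.search(r"\bfake-iquery\s+yes\s*;", block.group(1)) is not None


def bind4_fake_iquery_enabled(named_boot: str) -> bool:
    """BIND 4.9: true if an 'options' line lists fake-iquery (';' starts a comment)."""
    for raw in named_boot.splitlines():
        fields = raw.split(";", 1)[0].split()
        if fields and fields[0].lower() == "options" and "fake-iquery" in fields[1:]:
            return True
    return False


def bind4_invq_compiled_in(options_h: str) -> bool:
    """BIND 4.9 source: true if '#define INVQ' is live, i.e. not inside a C comment."""
    text = re.sub(r"/\*.*?\*/", "", options_h, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    return re.search(r"^\s*#\s*define\s+INVQ\b", text, flags=re.M) is not None


def iquery_findings(named_conf: Optional[str] = None,
                    named_boot: Optional[str] = None,
                    options_h: Optional[str] = None) -> List[str]:
    """Collect findings for whichever artefacts are supplied (None = not present)."""
    findings = []
    if named_conf is not None and bind8_fake_iquery_enabled(named_conf):
        findings.append("named.conf: 'fake-iquery yes;' in options block (BIND 8 vulnerable)")
    if named_boot is not None and bind4_fake_iquery_enabled(named_boot):
        findings.append("named.boot: 'options fake-iquery' present (BIND 4.9 vulnerable)")
    if options_h is not None and bind4_invq_compiled_in(options_h):
        findings.append("conf/options.h: INVQ defined (BIND 4.9 built with inverse queries)")
    return findings


if __name__ == "__main__":
    for finding in iquery_findings(NAMED_CONF_VULNERABLE, NAMED_BOOT_VULNERABLE,
                                   OPTIONS_H_VULNERABLE):
        print(finding)
```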
References
CERT Advisory CA-1998-05
Multiple Vulnerabilities in BIND
http://www.cert.org/advisories/CA-98.05.bind_problems.html
CIAC Information Bulletin I-044A
BIND Vulnerabilities
http://ciac.llnl.gov/ciac/bulletins/i-044a.shtml
Sun Microsystems, Inc. Security Bulletin #00180
BIND
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180&type=0&nav=sec.sba
SCO Security Bulletin 98:03
Security Vulnerability in named
ftp://ftp.sco.com/SSE/security_bulletins/SB-98.03a
Hewlett-Packard Security Bulletin HPSBUX9808-083
Security Vulnerability in BIND on HP-UX
http://us-support.external.hp.com/index.html
SGI Security Advisory 19980603-02-PX
IRIX BIND DNS Vulnerabilities
ftp://patches.sgi.com/support/free/security/advisories/19980603-02-PX
SGI Security Advisory 19980603-01-PX
IRIX BIND DNS Vulnerabilities
ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
ISS X-Force
BIND Inverse-Query buffer overflow allows remote root access
http://xforce.iss.net/static/895.php
CVE
CVE-1999-0009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0009
BIND servers can be remotely queried for their version numbers (Bind_Version_Request)
About this signature or vulnerability
This signature detects a DNS request for BIND version information.
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: XPU 1.3, RealSecure Server Sensor: 6.5
Systems affected
BIND
Type
Pre-attack Probe
Vulnerability description
BIND (Berkeley Internet Name Domain) servers support the ability to be remotely
queried for their version numbers. An attacker could use this feature to query computers
for vulnerable versions of BIND. This information could be useful to an attacker in
performing an attack.
How to remove this vulnerability
Disable the BIND version query feature. Refer to the BIND documentation for information
on this procedure.
References
Internet Software Consortium (ISC) Web site
BIND page
http://www.isc.org/bind.html
ISS X-Force
BIND servers can be remotely queried for their version numbers
http://xforce.iss.net/static/197.php
Blazer5 backdoor for Windows 95/98 and NT (Blazer5)
About this signature or vulnerability
This signature detects a TCP connection on port 5000 to a Blazer5 backdoor on your
network.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows NT, Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability description
The Blazer5 backdoor is one of many backdoor programs that attackers can use to access
your computer system without your knowledge or consent. With the Blazer5 backdoor, an
attacker can access files and the system registry.
How to remove this vulnerability
To remove Blazer5 from your computer:
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may
cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. Using Regedit, find the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key.
2. Find the registry entry named Load MSchv32 Drv that has a data value of
C:\Windows\System\Mschv32.exe.
3. Delete this registry entry.
4. Delete Mschv32.exe from the Windows system directory.
References
ISS X-Force
Blazer5 backdoor for Windows 95/98 and NT
http://xforce.iss.net/static/3099.php
Bootpd remote buffer overflow (Bootp_Remote_Overflow)
About this signature or vulnerability
This signature detects specially-crafted packets that have a destination port of 67 (the
bootpd server). This kind of packet could indicate an attempt by an attacker to crash the
bootpd server or possibly execute arbitrary commands on the server as root.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: XPU 2.3
Systems affected
Linux kernel, FreeBSD, SCO Open Server, OpenBSD: 2.3, OpenBSD: 2.4, BSD/OS, SCO
Internet FastStart, SCO UnixWare: 7.0.0, SCO UnixWare: 7.0.1
Type
Unauthorized Access Attempt
Vulnerability description
The Internet Bootstrap Protocol (BOOTP) daemon bootpd is used in providing boot
images and other information to diskless workstations. The bootp daemon shipped with
several popular operating systems could allow a remote attacker to crash the bootpd
server or possibly execute arbitrary commands on the server as root. Any operating
system that has a bootp daemon derived from the original bootp sources is considered to
be vulnerable to this denial of service attack. Remote command execution has been
confirmed on only the OpenBSD and BSDI platforms.
How to remove this vulnerability
For OpenBSD:
Apply the patch for this vulnerability, as listed in OpenBSD Security Advisory, Nov 27,
1998. See References.
For SCO Unix:
Apply the sse018 patch for this vulnerability, as listed in SCO Security Bulletin SB-99.01.
See References.
As a workaround, disable the bootpd service, if possible.
References
BugTraq Mailing List, Fri Dec 04 1998 07:45:40
bootpd remote vulnerability
http://www.securityfocus.com/archive/1/11526
OpenBSD Security Advisory, November 27, 1998
There is a remotely exploitable problem in bootpd(8)
http://www.openbsd.org/errata24.html#bootpd
SCO Security Bulletin 99.01
Security Vulnerability in bootpd
ftp://ftp.sco.com/SSE/security_bulletins/SB-99.01a
ISS X-Force
Bootpd remote buffer overflow
http://xforce.iss.net/static/1608.php
CVE
CAN-1999-0798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0798
Bootparamd whoami (Bootparam)
About this signature or vulnerability
This signature detects a Bootparamd Whoami query. A Bootparamd query typically
occurs when a diskless workstation boots. This event is suspicious if it occurs without a
mount request within a several-minute period. This event is highly suspicious if the
bootparamd query originates from outside your organization's network.
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: 1.0
Systems affected
Unix
Type
Protocol Signature
Vulnerability description
Bootparamd is a Remote Procedure Call (RPC) program used to facilitate diskless booting.
An attacker attempting to obtain a computer's Network Information Services (NIS)
domain name can query Bootparamd's Whoami procedure for the domain name.
Knowing the domain name allows the attacker to mount more NIS-based attacks.
How to remove this vulnerability
A Bootparamd query typically occurs together with a mount request when a diskless
workstation boots, which may itself indicate a problem with the workstation. However, if
you see this query without a mount request within a few minutes, you should be
suspicious. If this query originated from outside your organization, you should be highly
suspicious. Consider blocking external bootparam requests.
References
CERT Advisory CA-1992-13
SunOS NIS Vulnerability
http://www.cert.org/advisories/CA-1992-13.html
CERT Advisory CA-1993-01
Revised Hewlett-Packard NIS ypbind Vulnerability
http://www.cert.org/advisories/CA-1993-01.html
AUSCERT Advisory AA-95.03
An overview of SATAN
http://ftp.sunet.se/pub/security/csir/auscert/auscert-advisory/AA95.03.An.overview.of.SATAN
ISS X-Force
Bootparamd whoami
http://xforce.iss.net/static/642.php
Brute force login attack attempted (Brute_force_login_attack)
About this signature or vulnerability
This signature detects a series of login attempts that could indicate a brute force login
attack on a system. Specifically, this signature detects when 5 or more Failed_loginbad_username_or_password events occur within any 60-second time period.
Default risk level
High
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Solaris, Windows NT
Type
Unauthorized Access Attempt
Vulnerability description
Any time a user attempts to log in to the system and fails to do so, an event message is
written into the operating system's security log. The most typical cause of these failures is
a typing error when entering the username or password. However, repeated login failures
within a relatively short time period could indicate a brute-force password or username
guessing attack.
Unsophisticated attackers use repeated attempts to guess passwords. Attackers may also
use automated tools to perform a large number of login attempts. Despite the relative
simplicity of this kind of attack, it can be successful if users choose weak or easy-to-guess
passwords.
How to remove this vulnerability
Well-chosen passwords are effective at defeating a brute force login attack. It is prudent to
implement a security policy that requires users to change their passwords on a regular
basis.
Windows NT/2000: Setting up the account policy from the User Manager Utility can
enforce strong password policy on a Windows system. It also can be used to cause an
account to be disabled if several failed logins occur in a short time.
References
ISS X-Force
Brute force login attack attempted
http://xforce.iss.net/static/1599.php
Brute force login attack most likely successful (Brute_force_login_likely_successful)
About this signature or vulnerability
This signature detects the possible success of a brute force login attack (a series of failed
login attempts correlated with a successful login). Specifically, this signature detects when
the Brute_Force_Login_attack and Successful_Login events both occur within any 30-second
time period. This signature will detect this event correlation regardless of the order
in which the events occur.
Default risk level
High
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Solaris, Windows NT
Type
Unauthorized Access Attempt
Vulnerability description
Any time a user attempts to log in to the system and fails to do so, an event message is
written into the security log. The most typical cause of these failures is a typing error
when entering the username or password. However, a series of login failures occurring in
a relatively short time period could indicate a brute-force login attack. A series of login
failures followed by a successful login may indicate the success of such an attack.
Unsophisticated attackers use repeated login attempts to guess passwords. Attackers may
also use automated tools to perform a large number of login attempts. Despite the relative
simplicity of this kind of attack, it can be successful if users choose weak or easy-to-guess
passwords.
How to remove this vulnerability
Well-chosen passwords are effective at defeating a brute force login attack. It is prudent to
implement a security policy that requires users to change their passwords on a regular
basis.
Windows NT/2000: Setting up the account policy from the User Manager Utility can
enforce strong password policy on a Windows system. It also can be used to cause an
account to be disabled if several failed logins occur in a short time.
References
ISS X-Force
Brute force login attack most likely successful
http://xforce.iss.net/static/1600.php
Bugs backdoor for Windows 95/98 and NT (Bugs)
About this signature or vulnerability
This signature detects a TCP connection on port 2115 to a Bugs backdoor on your network.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows NT, Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability description
The Bugs backdoor is one of many backdoor programs that attackers can use to access
your computer system without your knowledge or consent. With the Bugs backdoor, an
attacker can do the following:
● access files
● add and remove programs that Windows loads at boot time (autoloading programs)
● control the appearance of the Windows desktop (by minimizing and maximizing
windows, for example)
● retrieve shared information from programs using DDE (Dynamic Data Exchange)
How to remove this vulnerability
To remove Bugs from your computer:
1. Delete systemtr.exe from the Windows system directory.
2. Using Regedit, find the HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\run\SysTra registry key.
3. Delete this registry key.
References
Dark Eclipse Software
Bugs
http://www.dark-e.com/archive/trojans/bugs/index.html
ISS X-Force
Bugs backdoor for Windows 95/98 and NT
http://xforce.iss.net/static/3336.php
C2 auditing is disabled (C2_AUDIT_IS_OFF)
About this signature or vulnerability
This signature detects an IBM AIX or HP-UX syslog message indicating that C2 auditing
has been disabled.
Default risk level
High
Sensors that have this signature
RealSecure OS Sensor: SR 1.2
Systems affected
HP-UX: 11.00, AIX: 4.3
Type
Suspicious Activity
Vulnerability description
C2 is a security rating established by the U.S. National Computer Security Center (NCSC).
A C2 rating is granted to products that pass certain Department of Defense (DoD) Trusted
Computer System Evaluation Criteria (TCSEC) tests. In summary, C2-rated systems
ensure that users are individually accountable for their actions through login procedures,
auditing of security-related events, and other criteria.
For IBM AIX and HP-UX systems with a C2 rating, C2 auditing should be enabled.
How to remove this vulnerability
Enable C2 auditing.
References
ISS X-Force
C2 auditing is disabled
http://xforce.iss.net/static/7331.php
Password change attack attempted (Change_password_attack)
About this signature or vulnerability
This signature detects failed attempts (five or more within one minute or less) by a user to
change a password. Specifically, this signature detects when 5 or more
Password_change_Failed events occur within any one-minute time period. This could
indicate an attempt by an attacker to guess a user's password.
Default risk level
Low
Sensors that have this signature
RealSecure OS Sensor: 3.1, RealSecure Server Sensor: 5.5
Systems affected
Solaris, Windows NT, Windows 2000
Type
Host Sensor
Vulnerability description
Many failed attempts to change a password within a short period of time may indicate
attempts by an attacker to guess a password. Windows NT/2000 and Solaris will produce
a "Password change failed" event for every time a user attempts and fails to change a
password.
Changing passwords is a common user activity. An isolated failure to change a password
should not be viewed as a security event. However, something inappropriate may be
happening when more than a few attempts at changing a password fail within a short
period of time. In such a case, an attacker may be trying to guess a password.
How to remove this
vulnerability
Determine what username is involved in the change attempt. If possible, verify that the
owner of the account is in fact the person who is attempting to change the password.
When the event first appears, you may want to temporarily disable that user account until
you can investigate. Additionally, it is advisable to establish password requirements by
setting a prudent account policy.
References
ISS X-Force
Password change attack attempted
http://xforce.iss.net/static/2225.php
Password change attack possibly successful
(Change_password_attack_likely_successful)
About this
signature or
vulnerability
This signature detects the possible success of a password change attack (a series of
password change attempts correlated with a successful password change). Specifically,
this signature detects when the Change_password_attack and
Password_Change_successful events both occur within any 30-second time period. This
signature will detect this event correlation regardless of the order in which the events
occur.
Default risk level
High
Sensors that have
this signature
RealSecure OS Sensor: 3.1, RealSecure Server Sensor: 5.5
Systems affected
Solaris, Windows NT
Type
Host Sensor
Vulnerability
description
Failed attempts to change a password followed by a successful password change may
indicate an attacker’s success in guessing and changing a password. Windows NT/2000
and Solaris will produce a "Password change successful" event for every time a user
succeeds in changing a password.
How to remove this
vulnerability
If possible, verify that the owner of the account is in fact the person who has changed the
password. When the event first appears, you may want to temporarily disable the user
account until you can investigate. Additionally, it is advisable to establish password
requirements by setting a prudent account policy.
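The two correlation rules above (five or more Password_change_Failed events within any one-minute period, and a Change_password_attack alert paired with a Password_Change_successful event within 30 seconds in either order) replayed over constructed host-sensor events. This is an added example, not RealSecure code; the event tuple layout and the account names are assumptions of the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Thresholds as stated in the two signature descriptions.
FAILED_THRESHOLD = 5                     # Change_password_attack: 5 or more failures ...
FAILED_WINDOW = timedelta(minutes=1)     # ... within any one-minute period
SUCCESS_WINDOW = timedelta(seconds=30)   # likely_successful: attack and success within 30 s, either order

# Constructed host-sensor events: (timestamp, account, event name).
# The tuple layout is an assumption of this example, not the sensor's record format.
SAMPLE_EVENTS = [
    ("2001-06-01 10:00:01", "alice", "Password_change_Failed"),
    ("2001-06-01 10:00:05", "alice", "Password_change_Failed"),
    ("2001-06-01 10:00:10", "alice", "Password_change_Failed"),
    ("2001-06-01 10:00:15", "alice", "Password_change_Failed"),
    ("2001-06-01 10:00:20", "alice", "Password_change_Failed"),
    ("2001-06-01 10:00:35", "alice", "Password_Change_successful"),  # 15 s after the burst
    ("2001-06-01 10:01:00", "bob", "Password_change_Failed"),        # three failures: below threshold
    ("2001-06-01 10:01:05", "bob", "Password_change_Failed"),
    ("2001-06-01 10:01:10", "bob", "Password_change_Failed"),
    ("2001-06-01 10:02:00", "dave", "Password_change_Failed"),       # five failures spread over
    ("2001-06-01 10:02:30", "dave", "Password_change_Failed"),       # two minutes: never five
    ("2001-06-01 10:03:00", "dave", "Password_change_Failed"),       # inside one window
    ("2001-06-01 10:03:30", "dave", "Password_change_Failed"),
    ("2001-06-01 10:04:00", "dave", "Password_change_Failed"),
    ("2001-06-01 10:05:00", "carol", "Password_Change_successful"),  # success BEFORE the burst
    ("2001-06-01 10:05:05", "carol", "Password_change_Failed"),
    ("2001-06-01 10:05:10", "carol", "Password_change_Failed"),
    ("2001-06-01 10:05:15", "carol", "Password_change_Failed"),
    ("2001-06-01 10:05:20", "carol", "Password_change_Failed"),
    ("2001-06-01 10:05:25", "carol", "Password_change_Failed"),
]


def parse_events(rows):
    """Turn the textual rows into (datetime, account, event) tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct, name)
            for ts, acct, name in rows]


def correlate(events):
    """Replay events in time order and return the alerts the two signatures
    would raise, as (signature, account, timestamp) tuples."""
    alerts = []
    failures = {}   # account -> deque of failure times inside the sliding window
    attacks = {}    # account -> times at which Change_password_attack fired
    successes = {}  # account -> times of Password_Change_successful events

    for ts, acct, name in sorted(events, key=lambda e: e[0]):
        if name == "Password_change_Failed":
            window = failures.setdefault(acct, deque())
            window.append(ts)
            # Drop failures that fell out of the one-minute window.
            while ts - window[0] > FAILED_WINDOW:
                window.popleft()
            if len(window) >= FAILED_THRESHOLD:
                alerts.append(("Change_password_attack", acct, ts))
                attacks.setdefault(acct, []).append(ts)
                window.clear()  # one alert per burst; a new burst starts a new window
                # A success that preceded the burst by <= 30 s also correlates.
                if any(ts - st <= SUCCESS_WINDOW for st in successes.get(acct, [])):
                    alerts.append(("Change_password_attack_likely_successful", acct, ts))
        elif name == "Password_Change_successful":
            successes.setdefault(acct, []).append(ts)
            # A success that follows an attack alert by <= 30 s correlates.
            if any(ts - at <= SUCCESS_WINDOW for at in attacks.get(acct, [])):
                alerts.append(("Change_password_attack_likely_successful", acct, ts))
    return alerts


if __name__ == "__main__":
    for sig, acct, ts in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"{ts}  {acct:6s}  {sig}")
```

Only alice and carol raise alerts: bob never reaches five failures, and dave's five failures never fall inside one minute.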
References
ISS X-Force
Password change attack possibly successful
http://xforce.iss.net/static/2226.php
Executable, system file, or other file modified
(Changes_to_important_files)
About this
signature or
vulnerability
This signature detects a change made to a file on a Solaris or Windows NT/2000 system.
This file should only be changed by a user with administrative privileges.
Default risk level
High
Sensors that have
this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Unix, Windows NT
Type
Host Sensor
Vulnerability
description
On Windows NT/2000 or Solaris systems, whenever a program file is accessed for
modification or new ownership, an object open message is written into the security log.
A list of important system files and executables can be monitored for any instance where
they are being modified. Because of their importance to system security, these are files that
are modified infrequently and only by an administrator. Similarly, there are certain
registry keys that should only be modified by an administrator because of their
importance to system security. An attacker will often install an altered executable or
subvert system behavior by changing an important registry key.
How to remove this
vulnerability
Any instance of these important files and keys being modified justifies investigation. If
legitimate administrative work cannot account for the event, then further investigation is
needed. Examine the events and determine which files were altered. It may be safest to reinstall (or retrieve from backup) any files that were touched.
References
ISS X-Force
Executable, system file, or other file modified
http://xforce.iss.net/static/1601.php
Chargen patch not applied (Chargen_Denial_of_Service)
About this
signature or
vulnerability
This vulnerability is detected by the Chargen_Denial_of_Service signature.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
Windows NT
Type
Denial of Service
Vulnerability
description
An unpatched version of Windows NT Simple TCP/IP services has been detected. An
attacker can cause a denial of service attack by sending broadcast UDP packets to the
Windows NT chargen service.
How to remove this
vulnerability
Apply the latest Windows NT 4.0 Service Pack (SP4 or later), available from the Windows
NT Service Packs Web page. See References.
— OR —
As an alternative, Windows NT 4.0 SP3 users can apply the post-SP3 simptcp-fix patch, as
listed in Microsoft Knowledge Base Article Q154460. See References.
Windows NT
Apply the latest Windows NT 4.0 Service Pack or, for Windows NT 4.0 Service Pack 3
(SP3) users, apply the post-SP3 simptcp-fix hotfix.
References
Microsoft Knowledge Base Article Q154460
Denial of Service Attack Against WinNT Simple TCP/IP Services
http://support.microsoft.com/support/kb/articles/q154/4/60.asp
CERT Advisory CA-1996-01
UDP Port Denial-of-Service Attack
http://www.cert.org/advisories/CA-1996-01.html
Microsoft Product Support Services
Windows NT Service Packs
http://support.microsoft.com/support/ntserver/Content/ServicePacks/
ISS X-Force
Chargen patch not applied
http://xforce.iss.net/static/259.php
CVE
CVE-1999-0103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0103
Chargen denial of service (Chargen_Denial_of_Service)
About this
signature or
vulnerability
This signature detects attempts at performing a denial of service attack against a
computer on the network by attempting to engage a computer in a chargen flood against
itself.
Additional
Vulnerabilities
Found
■ chargen-patch
■ udp-dos
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
Any
Type
Denial of Service
Vulnerability
description
The chargen service was detected as running. The chargen (port 19) service can be spoofed
into sending data from one service on one computer to another service on another
computer. This action causes an infinite loop and creates a denial of service attack. The
attack can consume increasing amounts of network bandwidth, causing loss of
performance or a total shutdown of the affected network segments.
In addition, URLs such as "http://localhost:19" could cause a similar denial of service to a
system running Lynx and chargen. Netscape Navigator disallows access to port 19 and is
not vulnerable.
This attack can effectively disable a Unix server by causing it to spend all its time
processing packets that it has echoed back to itself.
How to remove this
vulnerability
Disable the service, unless it is needed.
In Unix: To disable chargen when started from inetd:
1. Edit the /etc/inetd.conf (or equivalent) file.
2. Locate the line that controls the chargen daemon.
3. Type a # at the beginning of the line to comment out the daemon.
4. Restart inetd.
Windows: The chargen service is not native to Windows, but may be present.
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may
cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
To disable only the chargen service:
1. Open the registry editor.
2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SimpTcp\Parameters.
3. Double-click the EnableTcpChargen key to display the DWORD Editor.
4. Replace the value in the Data field with 0.
5. Click OK.
6. Repeat steps 3 through 5 for the EnableUdpChargen key.
7. To implement your changes, stop and restart the Simple TCP/IP Service.
Novell:
Disable the chargen port as described in Novell Technical Information Document
#2946023:
1. Install NIAS4.0 or later.
2. Load INETCFG —> Protocols —> TCP/IP, and set filter support to ENABLED.
3. Load FILTCFG —> TCP/IP —> Packet Forwarding filters, and set the status to
ENABLED.
4. Verify that the action is Deny packets in filter list. Press ENTER on "(Filters: list of
denied packets)".
5. Press INSERT, then go to packet type: Name: <all>.
6. Press ENTER, find the port chargen TCP 19.
7. Press ENTER, ESCAPE, save filters: YES.
References
CERT Advisory CA-1996-01
UDP Port Denial-of-Service Attack
http://www.cert.org/advisories/CA-1996-01.html
BugTraq Mailing List, Mon Mar 10 1997 12:05:20
Lynx/MSIE denial-of-service
http://www.securityfocus.com/archive/1/6407
Novell Technical Information Document #2946023
TCPIP blocking ports (7, 9, 19, etc)
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10022164.htm
ISS X-Force
Chargen denial of service
http://xforce.iss.net/static/36.php
CVE
CVE-1999-0103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0103
AUE_CHMOD or AUE_FCHMOD calls success and setuid bit is
being turned on (Chmod_setuid)
About this
signature or
vulnerability
This signature detects when an AUE_CHMOD or AUE_FCHMOD call succeeds and the
setuid bit is being turned on.
False positives
RealSecure Server Sensor: A false positive is possible if the user is legitimately adding a
setuid to a binary. However, regardless of any user's intent, turning on the setuid bit is
considered a poor security practice. Any setuid program is difficult to secure. The creation
of new setuid programs should be considered suspicious.
False negatives
RealSecure Server Sensor: A false negative is possible if the user process is not subject to
BSM (Basic Security Module) auditing.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Unix, Solaris: 7
Type
Suspicious Activity
Vulnerability
description
On Unix systems, a set of "mode" bits is associated with every file. Some of these bits
describe the permitted operations on the file (read/write/execute). One of these bits is the
"setuid" bit. For an executable file, if the setuid bit is set to 1, any process running that file
will have the permissions of the owner of the file. Administrators should be suspicious of
any file that has the setuid bit set.
How to remove this
vulnerability
Determine why the setuid bit was turned on for that file. Disable the setuid bit if there is
not a legitimate reason for it being turned on.
To disable the setuid bit, use the command 'chmod u-s FileName', where FileName is the
name of the file with the setuid bit.
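The condition the Chmod_setuid signature raises on (a successful chmod whose result has the setuid bit set) together with the baseline check and the chmod u-s fix from the description, run against a throwaway file. This is an added example, not the sensor's BSM evaluation; it compares the mode before and after the call, which is an interpretation of "being turned on", and the file name and contents are constructed.

```python
import os
import stat
import tempfile


def setuid_turned_on(old_mode, new_mode):
    """The Chmod_setuid condition as interpreted here: a successful chmod/fchmod
    whose resulting mode has the setuid bit set when the previous mode did not."""
    return bool(new_mode & stat.S_ISUID) and not (old_mode & stat.S_ISUID)


def audited_chmod(path, mode):
    """Apply chmod and evaluate the signature on the before/after modes.
    Returns (alert, old_mode, new_mode) with permission bits only."""
    old_mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode)
    new_mode = stat.S_IMODE(os.stat(path).st_mode)
    return setuid_turned_on(old_mode, new_mode), old_mode, new_mode


def find_setuid_files(root):
    """Baseline check from the description: list regular files under root
    whose setuid bit is set, as paths relative to root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo():
    """Create a throwaway directory, turn setuid on and off on one file, and
    return what the signature and the baseline scan reported at each step."""
    with tempfile.TemporaryDirectory() as root:
        tool = os.path.join(root, "tool")
        with open(tool, "w") as f:
            f.write("#!/bin/sh\necho hello\n")   # constructed dummy executable
        os.chmod(tool, 0o755)

        # 1. chmod u+s (0o4755): the transition the signature is looking for.
        alert_on, _, mode_on = audited_chmod(tool, 0o4755)
        files_on = find_setuid_files(root)

        # 2. Repeating chmod u+s on an already-setuid file is not a transition.
        alert_again, _, _ = audited_chmod(tool, 0o4755)

        # 3. The fix from the text, chmod u-s: bit cleared, no alert.
        alert_off, _, mode_off = audited_chmod(tool, 0o755)
        files_off = find_setuid_files(root)

    return {
        "alert_on_u+s": alert_on,
        "mode_after_u+s": oct(mode_on),
        "setuid_files_after_u+s": files_on,
        "alert_on_repeat": alert_again,
        "alert_on_u-s": alert_off,
        "mode_after_u-s": oct(mode_off),
        "setuid_files_after_u-s": files_off,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```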
References
ISS X-Force
AUE_CHMOD or AUE_FCHMOD calls success and setuid bit is being turned on
http://xforce.iss.net/static/5121.php
Chupacabra backdoor for Windows (Chupacabra)
About this
signature or
vulnerability
This signature detects a client communicating with a Chupacabra backdoor server on TCP
port 13473.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.1
Systems affected
Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The Chupacabra backdoor is one of many backdoor programs for Windows 95 and
Windows 98 that attackers can use to access your computer system without your
knowledge or consent. With the Chupacabra backdoor, an attacker can do the following:
● retrieve system and user information
● delete files
● shut down and restart the system
How to remove this
vulnerability
To remove the Chupacabra backdoor from your computer:
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may
cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. Restart the computer in MS-DOS mode.
2. Delete the file C:\Windows\System\winprot.exe.
3. Restart the computer to Windows. Error messages will appear as the system attempts
to execute the deleted winprot.exe binary.
4. In Windows, open C:\WINDOWS\WIN.INI and remove all instances of winprot.exe.
These will most likely be found under the "[windows]" section on lines beginning
with load= and run=.
5. Using Regedit, find each of the following registry keys, and then find and delete the
registry entry named System Protect that has a value of winprot.exe:
■ HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\
■ HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
■ HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
References
ISS X-Force
Chupacabra backdoor for Windows
http://xforce.iss.net/static/5304.php
Cisco Aironet Access Point Broadcast SSID
(SNMP_Suspicious_Set)
About this
signature or
vulnerability
This signature detects an attempt to read or change the "Allow Associations from
Broadcast SSID" feature of a Cisco Aironet Wireless Access Point. This is detected by the
SNMP_Suspicious_Get signature.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1, RealSecure Network Sensor: XPU 3.1
Systems affected
Cisco Aironet Access Point
Type
Suspicious Activity
Vulnerability
description
The Cisco Aironet Access Point's installation process allows the installer to specify
whether devices that do not specify an SSID (Service Set Identifier) are allowed to
associate with the Access Point. When this feature is enabled, the Access Point responds
to Broadcast SSID probe requests and also broadcasts its own SSID in its Beacons.
By default, Cisco Aironet Access Points ship with the "Allow Broadcast SSID to Associate"
setting enabled. If this default setting is not changed, any malicious user could establish
an association with the Access Point to gain access to the wireless network.
How to remove this
vulnerability
Disable the "Allow Broadcast SSID to Associate" setting.
To disable the "Allow Broadcast SSID to Associate" setting:
1. Open a Web browser (for example, Microsoft Internet Explorer).
2. Type the IP address of the Cisco Aironet Access Point of interest in the browser's
Address field. Depending on the security settings of Access Point, you may be
prompted for a user name and password.
3. On the Summary Status page, under the Network Ports section, click the AP Radio
link. There may be more than one AP Radio link.
4. On the AP Radio Port page, under the Configuration section, click the Set Properties
link.
5. On the AP Radio Hardware page, select "no" for "Allow Broadcast SSID to Associate."
6. Click Apply.
7. If there was more than one AP Radio Link listed (from step 3, above), repeat steps 3
through 6 for each AP Radio Link listed.
References
Cisco AWCVX MIB
awcVx Management Information Base
http://www.ee.ethz.ch/~slist/mrtg/bin00138.bin
Cisco Systems, Inc. Documentation
Aironet 340 Series Wireless LAN products
http://www.cisco.com/univercd/cc/td/doc/product/wireless/aironet/index.htm
Cisco Technology Solutions
Wireless Solutions
http://www.cisco.com/warp/public/779/smbiz/netsolutions/find/wireless.shtml
mrtg Mailing List, Fri, 23 Mar 2001 15:40:25 +1100
Re: [mrtg] MIBs on Radio bridges
http://www.ee.ethz.ch/~slist/mrtg/msg09026.html
ISS X-Force
Cisco Aironet Access Point Broadcast SSID
http://xforce.iss.net/static/6287.php
Cisco land denial of service (Land)
About this
signature or
vulnerability
This vulnerability is detected by the Land signature.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 2.0
Systems affected
Cisco
Type
Denial of Service
Vulnerability
description
The Cisco system is vulnerable to the land denial of service attack. Recovery may require
physically visiting the affected hardware. The exploit initiates a TCP connection, giving
the target host's address as both source and destination, and using the same port on the
target host as both the source and destination.
How to remove this
vulnerability
IOS v10.3 to v11.2 users should upgrade to 10.3(19a), 11.0(17), 11.0(17)BT, 11.1(15),
11.1(15)AA, 11.1(15)CA, 11.1(15)IA, 11.2(10), 11.2(9)P, 11.2(4)F1, or the latest supported
version for the device. As with any software upgrade, you should verify that your
hardware can support the new software before upgrading.
As a workaround, appropriate firewall rules and some configuration changes can block
this attack. Other workarounds using input access lists are described in the Cisco Field
Notice.
Patches: Cisco customers with contracts should obtain upgraded software through their
regular update channels (generally via Cisco's Web site). Customers without contracts
should contact Cisco TAC at tac@cisco.com.
References
Cisco Systems Field Notice, December 10, 1997
TCP Loopback DoS Attack (land.c) and Cisco Devices
http://www.cisco.com/warp/public/770/land-pub.shtml
ISS X-Force
Cisco land denial of service
http://xforce.iss.net/static/1246.php
CVE
CVE-1999-0016
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0016
Cisco equipment can be used to send ICMP pings through
SNMP (SNMP_Suspicious_Get)
About this
signature or
vulnerability
This vulnerability is detected by the SNMP_Suspicious_Set signature.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 3.1, RealSecure Network Sensor: 3.1
Systems affected
Cisco
Type
Protocol Signature
Vulnerability
description
Some Cisco routers can be configured to issue ICMP echo requests through the SNMP
agent. This capability can be used to load other networked devices with echo response
activity.
As coded here, the router is the target for the ICMP echo. This condition results in no
appreciable network traffic. If repeated many times, the ICMP echo activities starve the
router's I/O and memory resources and cause the router to stop responding to ICMP echo.
How to remove this
vulnerability
Set the community string to a value that is not easily guessed. Use uppercase, lowercase,
and numeric characters. The router should also apply access control to allow SNMP
requests from known valid source sub-networks and authorized IP addresses.
References
Cisco Systems Product Overview
Simple Network Management Protocol (SNMP)
http://www.cisco.com/warp/public/535/3.html
ISS X-Force
Cisco equipment can be used to send ICMP pings through SNMP
http://xforce.iss.net/static/1794.php
Cisco IOS "cable-docsis" community string
(Cisco_Cable_Docsis_SNMP_Community)
About this
signature or
vulnerability
This signature detects an SNMP request utilizing the "cable-docsis" community name.
This could indicate an attacker's attempt to compromise a Cisco router.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.3
Systems affected
Cisco IOS
Type
Unauthorized Access Attempt
Vulnerability
description
Cisco Internetwork Operating System Software (IOS) versions 12.1(3) and 12.1(3)T could
allow a remote attacker to obtain the "cable-docsis" read-write community string to
reconfigure the Cisco device. This is caused by a vulnerability in the implementation of
DOCSIS (Data Over Cable Service Interface Specification)-compliant standards. By
default, the "cable-docsis" read-write community string is undocumented and enabled.
How to remove this
vulnerability
Upgrade to the latest version of Cisco IOS appropriate for your system, as listed in Cisco
Systems Field Notice, February 28, 2001. See References.
References
Cisco Systems Field Notice, February 28, 2001
Cisco IOS Software Multiple SNMP Community String Vulnerabilities
http://www.cisco.com/warp/public/707/ios-snmp-community-vulns-pub.shtml
CERT Vulnerability Note VU#840665
Cisco IOS/X12-X15 has default SNMP read/write string of "cable-docsis"
http://www.kb.cert.org/vuls/id/840665
ISS X-Force
Cisco IOS "cable-docsis" community string
http://xforce.iss.net/static/6180.php
Cisco Catalyst switches can be remotely crashed
(Cisco_CR_DoS)
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 3.1
Systems affected
Cisco
Type
Denial of Service
Vulnerability
description
A vulnerability in some versions of the Cisco Catalyst switch firmware code could allow a
remote attacker to cause the device to stop functioning and reload, causing a denial of
service. This vulnerability has been identified in some of the Catalyst 5xxx, 29xx, and 12xx
models of this hardware.
How to remove this
vulnerability
Apply the appropriate upgrade for your system, as listed in Cisco Systems Field Notice,
March 24, 1999. See References. In summary, users of affected Catalyst 5xxx and 29xx
switches should upgrade to at least 2.1(6), and users of Catalyst 12xx models should
upgrade to at least 4.30.
References
Cisco Systems Field Notice, March 24, 1999
Cisco Catalyst Supervisor Remote Reload
http://www.cisco.com/warp/public/770/cat7161-pub.shtml
Internet Security Systems Security Alert #24
Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet Switches
http://xforce.iss.net/alerts/advise24.php
ISS X-Force
Cisco Catalyst switches can be remotely crashed
http://xforce.iss.net/static/2019.php
CVE
CVE-1999-0430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0430
Cisco equipment identifies itself with packets returned from
port 1999 (Cisco_Ident)
About this
signature or
vulnerability
This signature detects an RST packet on port 1999 with 'cisco' in the data payload.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 3.2
Systems affected
Cisco
Type
Pre-attack Probe
Vulnerability
description
Some Cisco equipment implements a simple identification protocol that can be used to
locate devices on networks. When a TCP connection is opened to port 1999 on a Cisco
router, the device returns an RST packet (normal activity) with 'cisco' in the data payload.
This information could be useful to an attacker in performing an attack.
How to remove this
vulnerability
Disable connectivity for TCP port 1999 at your firewalls and border gateways to prevent
remote attackers from querying your network for Cisco equipment.
References
BugTraq Mailing List, Sun Jan 17 1999 17:48:52
Remote Cisco Identification
http://www.securityfocus.com/archive/1/11980
BugTraq Mailing List, Mon Jan 18 1999 13:40:23
Re: Remote Cisco Identification (fwd)
http://www.securityfocus.com/archive/1/11985
ISS X-Force
Cisco equipment identifies itself with packets returned from port 1999
http://xforce.iss.net/static/2289.php
CVE
CAN-1999-0453
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0453
Cisco IOS hidden ILMI community string could allow modification
of SNMP objects (Cisco_ILMI_SNMP_Community)
About this
signature or
vulnerability
This signature detects an SNMP request utilizing the "ILMI" community string, which
could indicate an attacker's attempt to modify settings on Cisco or Olicom routers.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.3
Systems affected
Cisco IOS: 11.x, Cisco IOS: 12.0, Crosscomm/Olicom XLT-F Router
Type
Unauthorized Access Attempt
Vulnerability
description
Cisco Internetworking Operating System Software (IOS) versions 11.x and 12.0 could
allow a remote attacker to view or modify SNMP objects. IOS contains access permissions
on undocumented Interim Local Management Interface (ILMI) community strings. An
attacker who knows of these undocumented ILMI community strings could use them to
view or modify SNMP objects and gain read and write access.
This vulnerability also affects Crosscomm/Olicom XLT-F Series routers.
How to remove this
vulnerability
Upgrade to the latest version of Cisco IOS appropriate for your system, as listed in Cisco
Systems Field Notice, February 27, 2001. See References.
References
Cisco Security Advisory 2001 February 27
Cisco IOS Software SNMP Read-Write ILMI Community String Vulnerability
http://www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml
CERT Vulnerability Note VU#976280
Multiple networking devices allow SNMP objects to be viewed/modified via ILMI
community string
http://www.kb.cert.org/vuls/id/976280
BugTraq Mailing List, Sun Mar 25 2001 10:53:52
ILMI community in olicom/crosscomm routers
http://www.securityfocus.com/archive/1/171337
CIAC Information Bulletin L-052
Cisco IOS Software SNMP Read-Write ILMI Community String
http://www.ciac.org/ciac/bulletins/l-052.shtml
ISS X-Force
Cisco IOS hidden ILMI community string could allow modification of SNMP objects
http://xforce.iss.net/static/6169.php
CVE
CAN-2001-0711
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0711
Cisco IOS can be remotely crashed by invalid UDP packet
(Cisco_Syslog_DoS)
About this
signature or
vulnerability
This signature detects malformed UDP packets directed to the Cisco syslog port (port
514).
False positives
RealSecure Network Sensor: A false positive may be triggered by some UDP port scans,
specifically those which send malformed or dataless UDP messages. In addition, the
attack detected by the IRDP_Gateway_Spoof signature may also generate a false positive
for Cisco_Syslog_DoS, due to the type of UDP message used in that attack.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.3
Systems affected
Cisco
Type
Denial of Service
Vulnerability
description
Cisco equipment running IOS versions 12.x, 11.3AA, or 11.3DB is vulnerable to a denial of
service attack, due to how IOS handles some types of UDP packets directed at the syslog
port (514). An attacker can send an invalid UDP packet to port 514 to cause the device to
crash, restart, or behave in an unpredictable way.
How to remove this
vulnerability
Upgrade to the latest fixed version of Cisco IOS, as listed in Cisco Systems Field Notice,
January 11, 1999. See References.
As a workaround, configure ACL entries to block access to the syslog port (514), as listed
in Cisco Systems Field Notice, January 11, 1999. See References.
References
Cisco Systems Field Notice, January 11, 1999
Cisco IOS Syslog Crash
http://www.cisco.com/warp/public/770/iossyslog-pub.shtml
CIAC Information Bulletin J-023
Cisco IOS Syslog Denial-of-Service Vulnerability
http://www.ciac.org/ciac/bulletins/j-023.shtml
AUSCERT External Security Bulletin Redistribution ESB-98.197
Cisco Security Issue Update: Update on Cisco IOS 12.0 security bug
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-98.197
BugTraq Mailing List, Tue Dec 22 1998 06:27:56
Re: Nmap network auditing/exploring tool V. 2.00 released
http://www.securityfocus.com/archive/1/11648
ISS X-Force
Cisco IOS can be remotely crashed by invalid UDP packet
http://xforce.iss.net/static/1558.php
CVE
CVE-1999-0063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0063
Coma backdoor for Windows 95/98 (Coma)
About this
signature or
vulnerability
This signature detects a TCP connection on port 10607 to a Coma backdoor on your
network.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The Coma backdoor is one of many backdoor programs that attackers can use to access
your computer system without your knowledge or consent. With the Coma backdoor, an
attacker can do the following:
● retrieve system information
● execute programs
● transfer files using FTP
● log your keystrokes
How to remove this
vulnerability
To remove Coma from your computer:
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may
cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. Using Regedit, find the
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ registry key.
2. Find the registry entry named RunTime that has a data value of
C:\Windows\Msgsrv36.exe.
3. Delete this registry entry.
4. Delete Msgsrv36.exe from the C:\Windows directory.
References
ISS X-Force
Coma backdoor for Windows 95/98
http://xforce.iss.net/static/2386.php
Compaq Web-Based Management buffer overflow
(Compaq_Insight_Cpqlogin_Overflow)
About this
signature or
vulnerability
This signature detects an HTTP GET request to TCP port 2301 for the "cpqlogin.htm"
object with a username parameter that is equal to or greater than 460 characters.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
Tru64 DIGITAL UNIX: 4.0F, Tru64 DIGITAL UNIX: 5.0, Tru64 DIGITAL UNIX: 4.0G,
Compaq Armada Insight Manager: 4.20 - 4.20J, Compaq Foundation Agents: 4.90 and
earlier, Compaq Enterprise Volume Manager: 1.1 and earlier, Intelligent Cluster
Administrator: 2.1 and earlier, Compaq Management Agents: 4.37E and earlier, Compaq
Survey Utility: 2.17 - 2.33, Compaq System Healthcheck: 3.0, Insight Management
Desktop Agent: 3.70, Open SAN Manager: 1.0, SANWorks Resource Monitor: 1.0, Storage
Allocation Reporter: 1.0, Compaq Insight Manager XE: 2.1 and earlier, Compaq Insight
Manager LC: 1.50A and earlier
Type
Denial of Service
Vulnerability
description
Compaq Web-based Management Software version 4.70 is vulnerable to a buffer overflow
in the authentication page "cpqlogin.htm." By default, Compaq Web-based Management
Software is installed on TCP port 2301 and is accessible by everyone. Insufficient bounds
checking of the "cpqlogin.htm" authentication page could allow a remote attacker to send
a username containing exactly 460 bytes to overflow a buffer and execute arbitrary code
on the system with administrator privileges.
How to remove this
vulnerability
Apply the appropriate patch for your system, as listed in Compaq Security Advisory;
Reference SSRT0705. See References.
References
eSecurityOnline Web Site
Compaq web-enabled management software buffer overflow vulnerability
http://www.esecurityonline.com/vulnerabilities.asp
BugTraq Mailing List, Tue Jan 16 2001 15:56:06
iXsecurity.20001120.compaq-authbo.a
http://www.securityfocus.com/archive/1/156486
Compaq Security Advisory, Reference SSRT0705
Compaq web-enabled management software security vulnerability.
http://www5.compaq.com/products/servers/management/agentsecurity.html
CIAC Information Bulletin L-042
Compaq Web-enabled Management Software Buffer Overflow
http://www.ciac.org/ciac/bulletins/l-042.shtml
CERT Vulnerability Note VU#137024
Compaq web-enabled management software contains buffer overflow in authentication
username
https://www.kb.cert.org/vuls/id/137024
ISS X-Force
Compaq Web-Based Management buffer overflow
http://xforce.iss.net/static/5935.php
CVE
CAN-2001-0134
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0134
Compaq Management Agent denial of service
(Compaq_Insight_DoS)
About this
signature or
vulnerability
This signature detects traffic on TCP port 2301 that includes a GET request containing
more than 220 characters.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
Compaq Insight Management Agent, Compaq Power Management: 2.0
Type
Denial of Service
Vulnerability
description
Compaq Management Agent and Compaq Survey Utility are vulnerable to a denial of
service attack. Both the Management Agent and the Survey Utility provide HTTP services
that allow information to be accessed through a Web browser. A vulnerability with these
services could allow a user to force the Web service to stop responding.
How to remove this
vulnerability
Compaq has fixed this issue in all Compaq Insight Management Agents after version 4.23
and Compaq Power Management after 2.0. Patches have also been made available as
SSRT0612U for Tru64/DIGITAL UNIX 4.0F, Softpaq 10566 for NetWare and Softpaq 10567
for Windows NT.
References
BugTraq Mailing List, Thu May 27 1999 21:43:09
Re: Infosec.19990526.compaq-im.a (New DoS and correction to my previous post)
http://www.securityfocus.com/archive/1/13944
Compaq Security Advisory, June 8, 1999
Compaq Management Agent Security Vulnerability
http://www.compaq.com/products/servers/management/security.html
Compaq FTP Download Page
Index of /public/Digital_UNIX/v4.0f
http://ftp1.support.compaq.com/public/Digital_UNIX/v4.0f/
Compaq Support Web site
Software Patches
http://ftp1.support.compaq.com/patches/public/Readmes/dunix/ssrt0612u_im_upd06991.README
ISS X-Force
Compaq Management Agent denial of service
http://xforce.iss.net/static/2259.php
CVE
CVE-1999-0772
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0772
Compaq Insight Management Agent allows remote retrieval of
files (Compaq_Insight_Fileread)
About this
signature or
vulnerability
This signature detects traffic on TCP port 2301 that indicates an attempt by an attacker to
use "dot dot" (/../) sequences to access files on the computer.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
Compaq Insight Management Agent, Compaq Power Management: 2.0
Type
Unauthorized Access Attempt
Vulnerability
description
The Compaq Insight Management Agent and Compaq Survey Utility provide HTTP
services that allow information to be accessed through a Web browser. A vulnerability in
these services could allow a user who possesses certain information about the computer to
read a known file on the system.
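The two Compaq Insight signatures above reduce to three checks on a TCP segment: destination port 2301, a GET request longer than 220 characters, and a "dot dot" (/../) sequence in the request path. The following added example (not ISS or Compaq code) applies those checks to constructed HTTP request payloads; it assumes the 220-character limit applies to the request line, and it percent-decodes the path before the traversal check, which the guide's wording does not specify.

```python
"""Detection logic modelled on Compaq_Insight_DoS and Compaq_Insight_Fileread.

Added example; the function and constant names are this example's own.
"""
from urllib.parse import unquote

COMPAQ_AGENT_PORT = 2301   # web-enabled Management Agent port named by the guide
MAX_GET_LENGTH = 220       # "GET request containing more than 220 characters"


def parse_request_line(line: bytes):
    """Return (method, target, version) for an HTTP request line, or None
    when the bytes do not look like a request line at all."""
    try:
        text = line.rstrip(b"\r\n").decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = text.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def has_dot_dot(target: str) -> bool:
    """True when the request path contains a /../ traversal sequence.

    Percent-encoding is decoded first (an assumption beyond the guide's
    wording) so that an encoded %2e%2e%2f is treated the same as /../.
    """
    path = unquote(target).split("?", 1)[0]
    return "/../" in path or path.endswith("/..")


def compaq_insight_signatures(dst_port: int, payload: bytes):
    """Return the names of the signatures that fire for one TCP segment."""
    fired = []
    if dst_port != COMPAQ_AGENT_PORT:
        return fired                      # both signatures are port-scoped
    first_line = payload.partition(b"\r\n")[0]
    req = parse_request_line(first_line)
    if req is None:
        return fired                      # not an HTTP request line
    method, target, _version = req
    if method == "GET" and len(first_line) > MAX_GET_LENGTH:
        fired.append("Compaq_Insight_DoS")
    if has_dot_dot(target):
        fired.append("Compaq_Insight_Fileread")
    return fired


if __name__ == "__main__":
    # Constructed sample segments: (destination port, payload)
    samples = [
        (2301, b"GET /index.html HTTP/1.0\r\n\r\n"),
        (2301, b"GET /" + b"A" * 300 + b" HTTP/1.0\r\n\r\n"),
        (2301, b"GET /../../some/file.txt HTTP/1.0\r\n\r\n"),
        (2301, b"GET /%2e%2e/%2e%2e/some/file.txt HTTP/1.0\r\n\r\n"),
        (80, b"GET /../../some/file.txt HTTP/1.0\r\n\r\n"),
    ]
    for port, data in samples:
        print(port, data[:40], "->", compaq_insight_signatures(port, data))
```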
How to remove this
vulnerability
Apply the SSRT0612U patch, available from the Compaq Web site. See References. This
patch applies to Tru64/DIGITAL UNIX 4.0F, Softpaq 10566 for Netware, and Softpaq
10567 for Windows NT. Compaq has issued a fix for this vulnerability in all Compaq
Insight Management Agents after version 4.23 and with Compaq Power Management
after version 2.0.
For Conectiva Linux 4.0, 4.1, 4.2, 5.0, and 5.1:
Upgrade to the latest version of pam (0.72-15cl or later), as listed in CONECTIVA LINUX
SECURITY ANNOUNCEMENT - pam. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References
BugTraq Mailing List, Mon Jun 07 1999 11:28:22
Update on compaq webadmin
http://www.securityfocus.com/archive/1/14429
Compaq Services Software Patches
New Version Insight Manager Web Agent for Compaq Tru64 UNIX V4.0F
http://ftp1.support.compaq.com/public/Readmes/unix/ssrt0612u_im_upd06991.README
BugTraq Mailing List, Wed May 26 1999 16:41:36
Infosec.19990526.compaq-im.a
http://www.securityfocus.com/archive/1/13912
Conectiva Linux Security Announcement CLSA-2000:112 (from SecurityFocus Archive)
pam: Remote users being treated as local ones
http://www.securityfocus.com/advisories/2451
ISS X-Force
Compaq Insight Management Agent allows remote retrieval of files
http://xforce.iss.net/static/2258.php
CVE
CVE-1999-0771
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0771
Windows 2000 computer account changed
(Computer_account_changed)
About this
signature or
vulnerability
This signature detects a Windows event log message indicating that a computer account
has been changed.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: SR 1.1
Systems affected
Windows 2000
Type
Host Sensor
Vulnerability
description
A Windows 2000 computer account has been changed. Changes to a computer account
could include changing the computer's description or trust status. The Windows 2000
operating system records this event in the event log so that an audit record is
retained. An alarm should be raised if an unauthorized change has been applied to the
computer, because this might indicate that malicious users are trying to tamper with the
Windows 2000 domain.
How to remove this
vulnerability
Verify that the computer account change was authorized.
References
ISS X-Force
Windows 2000 computer account changed
http://xforce.iss.net/static/4785.php
Windows 2000 computer account created
(Computer_account_created)
About this
signature or
vulnerability
This signature detects a Windows event log message indicating that a computer account
has been created.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: SR 1.1
Systems affected
Windows 2000
Type
Host Sensor
Vulnerability
description
A Windows 2000 computer account has been created. In order to authenticate with the
domain controller, each computer is required to have a computer account in the Windows
2000 domain. The creation of an unauthorized computer account could indicate an
attempt by an attacker to tamper with the Windows 2000 domain.
How to remove this
vulnerability
Verify that the creation of the computer account was authorized. If necessary, remove the
computer account.
References
ISS X-Force
Windows 2000 computer account created
http://xforce.iss.net/static/4786.php
Windows 2000 computer account deleted
(Computer_account_deleted)
About this
signature or
vulnerability
This signature detects a Windows event log message indicating that a computer account
has been deleted.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: SR 1.1
Systems affected
Windows 2000
Type
Host Sensor
Vulnerability
description
A Windows 2000 computer account has been deleted. In order to authenticate with the
domain controller, each computer is required to have a computer account in the Windows
2000 domain. Unauthorized or frequent deletion of a computer account could indicate an
attempt by an attacker to tamper with the Windows 2000 domain.
How to remove this
vulnerability
Verify that the deletion of the computer account was authorized. If necessary, re-add the
computer account.
References
ISS X-Force
Windows 2000 computer account deleted
http://xforce.iss.net/static/4784.php
Config file change failed (Config-log_files_delete_failed)
About this
signature or
vulnerability
This signature detects a failed attempt to alter or delete an important file related to system
configuration or logging.
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability
description
An attempt to alter or delete an important file related to system configuration or logging
has failed. An attempt to alter a file includes attempts to modify the contents of the file, or
to change its ownership or permissions. These important files are those found under
"%SystemRoot%\system32\config" and "%SystemRoot%\repair".
Files stored under "%SystemRoot%\system32\config" include registry files and event log
files. They should only be accessed through appropriate tools provided by Windows NT
(such as RegEdit or Regedt32 for the registry and Event Viewer for event logs). They
should be owned by the system administrator and ordinary users should only have read
access to them. These files should never be deleted. The files stored under
"%SystemRoot%\repair" are backup copies of files under
"%SystemRoot%\system32\config" and should not be manually changed.
How to remove this
vulnerability
When this event happens, you should immediately determine who is trying to access
these files and why. You should make sure that the ownership and permission of these
files are correct.
References
ISS X-Force
Config file change failed
http://xforce.iss.net/static/2220.php
Config-log files deleted (Config-log_files_deleted)
About this
signature or
vulnerability
This signature detects a failed attempt to modify, delete, change ownership, or change
permissions of an important file related to system configuration or logging.
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability
description
An attempt to modify, delete, change ownership, or change permissions of an important
file related to system configuration or logging has occurred. That attempt has failed. These
important files are those found under "%SystemRoot%\system32\config" and
"%SystemRoot%\repair".
Files stored under "%SystemRoot%\system32\config" include registry files and event log
files. They should only be accessed through appropriate tools provided by Windows NT
(such as Regedit or Regedt32 for the registry and Event Viewer for event logs). They
should be owned by the system administrator and ordinary users should only have read
access to them. These files should never be deleted. The files stored under
"%SystemRoot%\repair" are backup copies of files under
"%SystemRoot%\system32\config" and should not be manually changed.
How to remove this
vulnerability
When this event happens, immediately determine who is making the changes and why.
You should immediately restore the original files or correct the ownership/permissions
on the affected files.
References
ISS X-Force
Config-log files deleted
http://xforce.iss.net/static/2219.php
Connection backdoor for Windows 95/98
(Connection_Backdoor)
About this
signature or
vulnerability
This signature detects a TCP connection on port 60411 to a Connection backdoor on your
network.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.1
Systems affected
Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The Connection backdoor is one of many backdoor programs that attackers can use to
access your computer system without your knowledge or consent. With the Connection
backdoor, an attacker can view the contents of the file system and display cached
passwords.
How to remove this
vulnerability
To remove the Connection backdoor from your computer:
CAUTION: Use Registry Editor at your own risk. Any change made with Registry Editor
may cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. Press Ctrl+Alt+Del to display the Close Programs dialog box.
2. Select the Winoldap program from the list.
3. Click the End Task button.
4. Using Regedit, find the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
registry key.
5. Find and delete the registry entry named Winrun that has a data value of
c:\win\system\winrun.exe.
6. If the file C:\win\system\winrun.exe exists, delete it.
7. Restart your computer.
References
TL Security Web site
Connection
http://www.tlsecurity.net/backdoor/connection.htm
ISS X-Force
Connection backdoor for Windows 95/98
http://xforce.iss.net/static/4848.php
Process created core file; effective UID is root, real id is non-root (Core_event_setuid)
About this
signature or
vulnerability
This signature detects when a process creates a core file, the effective UID is root, the real
ID is not root, and there is no path for the core file. This particular circumstance could
indicate an attacker's attempts to refine buffer overflow attacks on setuid processes.
False positives
RealSecure Server Sensor: A false positive is possible if an event other than an attack
causes the program to dump core. Regardless, all causes of core dumps should be
investigated.
False negatives
RealSecure Server Sensor: A false negative is possible for processes that are not subject to
BSM (Basic Security Module) auditing.
Default risk level
Low
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Unix, Solaris: 2.6, Solaris: 7
Type
Suspicious Activity
Vulnerability
description
Occasionally, flaws in root processes can cause those processes to generate core files. This
can create security concerns for two reasons. First, root processes sometimes have parts of
the shadow password file in memory when they dump core. The core file contains this
shadow password information. Second, core events could be the result of an attacker's
attempts to exploit buffer overflow vulnerabilities. If the attacker's attempted exploit has
not been fine-tuned, it could result in generating a core instead of providing a root shell.
How to remove this
vulnerability
Determine what setuid program is dumping core and immediately remove the setuid bit
from that program. As an immediate follow-up, search for security advisories that address
that program and install any patches that might be recommended in those advisories. It is
possible that the program is under attack and needs to be fixed before the attacker
manages to successfully exploit the vulnerability.
References
ISS X-Force
Process created core file; effective UID is root, real id is non-root
http://xforce.iss.net/static/5122.php
CrazzyNet backdoor for Windows (CrazzyNet)
About this
signature or
vulnerability
This signature detects a CrazzyNet backdoor server active on TCP port 17499 on your
network.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.1
Systems affected
Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The CrazzyNet backdoor is one of many backdoor programs for Windows 95 and
Windows 98 that attackers can use to access your computer without your knowledge or
consent. Once a system is infected, the backdoor places a server on TCP ports 17499 and
17500, which allows a remote client to connect and perform dozens of functions on the
host including:
● retrieve cached passwords
● manipulate the current Windows session
● modify and retrieve system settings
● log all keystrokes
● upload, download and execute arbitrary files
How to remove this
vulnerability
To remove a default installation of CrazzyNet from your computer:
CAUTION: Use Registry Editor at your own risk. Any change made with Registry Editor
may cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. Open C:\Windows\Win.ini and find the run key under the [windows] section and
delete the file entry named Registry32.exe.
2. Open C:\Windows\System.ini and find the shell key under the [boot] section and
delete the file entry named Registry32.exe.
3. Using Regedit, find the registry key named Reg32 that has a data value of
Registry32.exe. Select Edit > Find. Select the "Values" checkbox, and then type
"registry32.exe" in the Find What field. Click the Find Next button. (This key is placed
by the backdoor inside the HKEY_USERS hive under the username of the person who
originally executed the backdoor.)
4. Delete the Reg32 registry key.
5. Restart your computer.
6. Delete the file C:\Windows\Registry32.exe.
The CrazzyNet backdoor can be difficult to remove manually, because it is configurable,
making it difficult to identify on your system. If the above instructions do not remove the
CrazzyNet backdoor, refer to the steps below for using an antivirus program to remove
the backdoor.
To use an antivirus program to remove the CrazzyNet backdoor:
1. If you do not have an antivirus program installed, download and install one of these
virus scanners:
■ Norton AntiVirus: http://www.symantec.com/nav/indexA.html
■ McAfee VirusScan: http://software.mcafee.com/centers/download/
■ Trend Micro PC-Cillin: http://www.trend.com/pc-cillin/
2. Run the antivirus program to scan your system for this backdoor. The virus scanner
should find and remove the CrazzyNet backdoor from your computer.
References
ISS X-Force
CrazzyNet backdoor for Windows
http://xforce.iss.net/static/5541.php
CyberCop Scanner is a commercial network vulnerability
auditing tool (CyberCop_Scanner)
About this
signature or
vulnerability
This signature detects a scan performed by CyberCop Scanner.
False positives
RealSecure Network Sensor: RealSecure detects any use of CyberCop Scanner, including
legitimate and authorized use of the product.
RealSecure Server Sensor: RealSecure detects any use of CyberCop Scanner, including
legitimate and authorized use of the product.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 3.1, RealSecure Server Sensor: 5.5
Systems affected
Any
Type
Pre-attack Probe
Vulnerability
description
Network Associates, Inc. CyberCop Scanner is a commercial network and systems
vulnerability scanner. The results of a scan by this utility could provide an attacker
information about the weaknesses of your network and systems. This information could
be useful to an attacker in performing an attack.
How to remove this
vulnerability
If the scan is determined to be unauthorized, determine the origin of the scan and deny
access to your networks from the offending host.
References
ISS X-Force
CyberCop Scanner is a commercial network vulnerability auditing tool
http://xforce.iss.net/static/2049.php
Unauthorized attempt to start DCOM server with
DefaultLaunchPermission (dcomdef_deny)
About this
signature or
vulnerability
This signature detects a Windows event log message indicating that an attempt to launch
a DCOM server using DefaultLaunchPermission was denied.
Default risk level
High
Sensors that have
this signature
RealSecure OS Sensor: XPU 1.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT, Windows 2000
Type
Host Sensor
Vulnerability
description
DCOM (Distributed Component Object Model) application security settings permit
default launch permissions for all DCOM applications that do not provide their own
security permission settings. Users that are not in the Default Launch Permissions list will
be denied access. Any unauthorized attempt to start the DCOM server could be an
indication of attacker activity.
How to remove this
vulnerability
Identify the user that attempted to start the DCOM server. Run dcomcnfg.exe to review
and configure the security properties and launch permissions for the DCOM application
in question. For stronger security, review and manage the security permissions at the
individual file level for the DCOM application so that only intended security principals
have access.
References
Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
http://www.microsoft.com/technet/winnt/Winntas/manuals/concept/xcp09.asp
ISS X-Force
Unauthorized attempt to start DCOM server with DefaultLaunchPermission
http://xforce.iss.net/static/4633.php
Unauthorized attempt to start DCOM server (dcomsrv_deny)
About this
signature or
vulnerability
This signature detects a Windows event log message indicating that an unauthorized
attempt to start the DCOM server has occurred.
Default risk level
High
Sensors that have
this signature
RealSecure OS Sensor: XPU 1.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT, Windows 2000
Type
Host Sensor
Vulnerability
description
DCOM (Distributed Component Object Model) application security settings permit
custom launch permissions to be set for any DCOM application that provides its own list
of authorized users who can launch the application. Users that are not in the custom
launch permissions list will be denied access. Any unauthorized attempt to start the
DCOM server could be an indication of attacker activity.
How to remove this
vulnerability
Identify the user that attempted to start the DCOM server. Run dcomcnfg.exe to review
and configure the security properties and launch permissions for the DCOM application
in question. For stronger security, review and manage the security permissions at the
individual file level for the DCOM application so that only intended security principals
have access.
References
Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
http://www.microsoft.com/technet/winnt/Winntas/manuals/concept/xcp09.asp
ISS X-Force
Unauthorized attempt to start DCOM server
http://xforce.iss.net/static/4634.php
Invalid packet with all TCP options set (IPProtocolViolation)
About this
signature or
vulnerability
This vulnerability is detected by the IPProtocolViolation signature.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 2.5
Systems affected
Any
Type
Pre-attack Probe
Vulnerability
description
A "lamp test segment" is a packet in which all TCP flags are set (SYN, FIN, URG, ACK,
RST, and PSH). This type of packet is often referred to as a christmas tree or xmas tree
packet, kamikaze packet, or a nastygram and is commonly used in port scanning software
in a pre-attack probe. This type of packet is never legal and indicates either severely
misconfigured equipment or malicious intent.
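The following added example (not part of the guide and not ISS code) shows the check behind this signature: it locates the TCP header of a raw IPv4 packet through the IHL field and reports a lamp test segment when SYN, FIN, URG, ACK, RST and PSH are all set at once. The packet-building helper and sample addresses are constructed for the demonstration.

```python
"""Detect "lamp test" (xmas tree / kamikaze) TCP segments in raw IPv4 packets.

Added example; function and constant names are this example's own.
"""
import struct

IPPROTO_TCP = 6

# Bit values of the six classic TCP flags in the low byte of the 16-bit
# data-offset/flags word. The two ECN bits (bits 6 and 7) are deliberately
# ignored, so a packet with all eight bits set still counts as a lamp test.
TCP_FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04,
    "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
}


def tcp_flags(packet: bytes):
    """Return the set of flag names in the TCP header of an IPv4 packet,
    or None when the packet is not a complete IPv4/TCP header pair."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or packet[9] != IPPROTO_TCP or len(packet) < ihl + 20:
        return None
    flag_byte = packet[ihl + 13]          # byte 13 of the TCP header
    return {name for name, bit in TCP_FLAG_BITS.items() if flag_byte & bit}


def is_lamp_test_segment(packet: bytes) -> bool:
    """True when every one of the six flags is set, which is never legal."""
    flags = tcp_flags(packet)
    return flags is not None and len(flags) == len(TCP_FLAG_BITS)


def find_lamp_test_segments(packets):
    """Return (src, dst, sport, dport) for each offending packet, the
    tuple a sensor would report for this event."""
    hits = []
    for pkt in packets:
        if is_lamp_test_segment(pkt):
            ihl = (pkt[0] & 0x0F) * 4
            src = ".".join(str(b) for b in pkt[12:16])
            dst = ".".join(str(b) for b in pkt[16:20])
            sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
            hits.append((src, dst, sport, dport))
    return hits


def build_ipv4_tcp(src, dst, sport, dport, flag_byte: int) -> bytes:
    """Construct a minimal 40-byte IPv4+TCP packet (checksums left zero)
    so the detector can be exercised offline."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")))
    # data offset 5 words (0x50), flags byte, window, checksum, urgent ptr
    tcp_header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50,
                             flag_byte, 8192, 0, 0)
    return ip_header + tcp_header


if __name__ == "__main__":
    # Constructed sample traffic: a normal SYN, a SYN/ACK and one xmas tree packet
    capture = [
        build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, 0x02),
        build_ipv4_tcp("10.0.0.2", "10.0.0.1", 80, 40000, 0x12),
        build_ipv4_tcp("10.0.0.9", "10.0.0.2", 31337, 22, 0x3F),
    ]
    for hit in find_lamp_test_segments(capture):
        print("IPProtocolViolation: all TCP flags set from %s:%d to %s:%d"
              % (hit[0], hit[2], hit[1], hit[3]))
```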
How to remove this
vulnerability
This type of packet is not legal. Configure your routers to drop packets of this nature.
References
Request for Comment document RFC 1025
TCP AND IP BAKE OFF
http://www.merit.edu/internet/documents/rfc/rfc1025.txt
ISS X-Force
Invalid packet with all TCP options set
http://xforce.iss.net/static/1476.php
DeepThroat backdoor for Windows (DeepThroat)
About this
signature or
vulnerability
This signature detects a connection to a DeepThroat backdoor on your network on UDP
port 2140.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows NT, Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The DeepThroat backdoor is one of many backdoor programs that attackers can use to
access your computer system without your knowledge or consent. With the DeepThroat
backdoor, an attacker can do the following:
● access files and the system registry
● execute programs
● open a Web browser to a URL
● open and close your CD-ROM drive
● start and stop an FTP server on your computer
● send messages that appear on your screen
● retrieve cached passwords
How to remove this
vulnerability
To remove the DeepThroat backdoor from your computer:
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may
cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. Using Regedit, find the HKLM\Software\Microsoft\Windows\CurrentVersion\Run
registry key.
2. Identify the DeepThroat registry entry. The entry could have one of two names:
■ SystemDLL32 (for DeepThroat version 1.0)
■ Systemtray (for DeepThroat version 2.0 or 3.0)
3. Stop the DeepThroat program from running. This process is different based on the
version of Windows you are running.
■ Windows 95/98: Restart the computer in MS-DOS mode. Proceed to step 4.
■ Windows NT: Press CTRL+ALT+DEL, then click the Task Manager button to start
the NT Task Manager. Click the Processes tab, and search the list for the file you
identified in step 2. Select the file, and click End Process.
4. Delete the DeepThroat program file that you identified in step 2.
■ Windows 95/98: From the DOS command prompt, delete the file from the path
named in the registry value.
■ Windows NT: Delete the file from the path named in the registry value.
5. Using Regedit, delete the registry entry you identified in step 2.
References
DarkLightCorp Web site
Deep Throat Backdoor
http://dlcorp.hypermart.net/index2.html
Internet Security Systems Security Alert #30
Windows Backdoor Update III
http://xforce.iss.net/alerts/advise30.php
ISS X-Force
DeepThroat backdoor for Windows
http://xforce.iss.net/static/2290.php
Deltasource backdoor for Windows (DeltaSource)
About this
signature or
vulnerability
This signature detects a connection to a Deltasource backdoor on your network on UDP
port 47262.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The Deltasource backdoor is one of many backdoor programs that attackers can use to
access your computer system without your knowledge or consent. With the Deltasource
backdoor, an attacker can do the following:
● access files
● access your system registry
● execute programs
How to remove this
vulnerability
To remove the Deltasource backdoor from your computer:
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may
cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. Using Regedit, find the
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ registry key.
2. Find the registry entry named DS admin tool. The entry's data value contains the path
to the program file, Server.exe. Remember the location of the file.
3. Delete this registry entry.
4. Delete Server.exe from the path named in the registry value.
References
ISS X-Force
Deltasource backdoor for Windows
http://xforce.iss.net/static/3122.php
RealSecure sensor error message (Detector_Error)
About this
signature or
vulnerability
This signature detects a RealSecure sensor error message, which may indicate that the
sensor has stopped functioning.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 3.01
Systems affected
RealSecure
Type
Protocol Signature
Vulnerability
description
RealSecure sensors notify the console when significant events occur that relate to the
sensor's operation. There are three types of events that may be reported by the sensor:
Error, Warning, and Information. Error events indicate that the sensor may have stopped
functioning, and they should be investigated immediately.
The specific error message will give further details about the problem, and how it may
have affected the sensor. If the error applies to only one subsystem of the sensor, it is
possible that the sensor may continue to function; however, a RealSecure administrator
should inspect the sensor to verify that it is functioning properly. An example of a
RealSecure error message is "Operation Failed - WSAECONNRESET - Connection reset
by peer".
How to remove this
vulnerability
Verify that the sensor is functioning properly. Correct any problems with the sensor as
appropriate.
More information about common RealSecure sensor error messages is available in the
SAFEsuite Support Knowledgebase. See References.
References
Internet Security Systems, Inc.
SAFEsuite Support Knowledgebase
http://www.iss.net/customer_care/knowledgebase/
ISS X-Force
RealSecure sensor error message
http://xforce.iss.net/static/6127.php
RealSecure sensor information message (Detector_Info)
About this
signature or
vulnerability
This signature detects a RealSecure sensor information message, which may provide
useful information about normal sensor operations.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 3.01
Systems affected
RealSecure
Type
Protocol Signature
Vulnerability
description
RealSecure sensors notify the console when significant events occur that relate to the
sensor's operation. There are three types of events that may be reported by the sensor:
Error, Warning, and Information. Information events are usually status messages about
normal system operation that are helpful for logging but do not require individual
attention.
The specific information message will give further details about the event. Information
messages are often associated with services initializing and other successful operations.
While these types of activities do not require any immediate intervention, they often
contain useful information, and a RealSecure administrator may want to track these
events for logging purposes.
How to remove this
vulnerability
No action is needed to respond to Information event messages, because they are a part of
normal sensor operation.
More information about common RealSecure sensor information messages is available in
the SAFEsuite Support Knowledgebase. See References.
References
Internet Security Systems, Inc.
SAFEsuite Support Knowledgebase
http://www.iss.net/customer_care/knowledgebase/
ISS X-Force
RealSecure sensor information message
http://xforce.iss.net/static/6128.php
RealSecure sensor warning message (Detector_Warning)
About this
signature or
vulnerability
This signature detects RealSecure sensor warning messages, which may indicate that a
minor problem has occurred with the sensor.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 3.01
Systems affected
RealSecure
Type
Protocol Signature
Vulnerability
description
RealSecure sensors notify the console when significant events occur that relate to the
sensor's operation. There are three types of events that may be reported by the sensor:
Error, Warning, and Information. Warning events are usually status messages about minor
problems encountered by the sensor that do not need immediate attention.
The specific warning message will give further details about the problem, and how it may
have affected the sensor. Warning messages are typically associated with recoverable
problems that do not cause a loss of functionality or data; however, a RealSecure
administrator may want to inspect the sensor to verify that it is functioning properly. An
example of a RealSecure warning message is "An error occurred when attempting to
obtain the sensor's current.policy file. The system cannot find the path specified".
How to remove this
vulnerability
Verify that the sensor is functioning properly. Correct any problems with the sensor as
appropriate.
More information about common RealSecure sensor warning messages is available in the
SAFEsuite Support Knowledgebase. See References.
References
Internet Security Systems, Inc.
SAFEsuite Support Knowledgebase
http://www.iss.net/customer_care/knowledgebase/
ISS X-Force
RealSecure sensor warning message
http://xforce.iss.net/static/6129.php
Devil backdoor for Windows (Devil)
About this
signature or
vulnerability
This signature detects commands being sent on TCP port 65000 to a Devil backdoor on
your network. The specific command executed and a description of that command will be
reported in the Raw Command and Command Description information fields,
respectively.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows NT, Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The Devil backdoor is one of many backdoor programs that attackers can use to access
your computer system without your knowledge or consent. With the Devil backdoor, an
attacker can:
● open and close your CD-ROM drive door
● perform application bombs (an application is executed so many times that it floods
the screen)
● make your computer's speaker beep
● stop ICQ if it is running
● restart your computer
How to remove this
vulnerability
To remove the Devil backdoor from your computer:
1. Restart Windows to stop the Devil backdoor. The Devil backdoor does not
automatically restart when Windows loads.
2. Find and delete the Devil server program file. The program may be disguised as any
one of the following file names:
■ Devil13.exe
■ ICQFlood.exe
■ Mswinsck.ocx (required to run the Trojan)
■ Opscript.exe
■ Socket.exe
■ Winamp34.exe
■ Wingenocide.exe
■ Winrar.exe
■ Taupe.zip
References
Simovits Consulting Web site
Devil
http://www.simovits.com/trojans/tr_data/y334.html
ISS X-Force
Devil backdoor for Windows
http://xforce.iss.net/static/4144.php
DG/UX finger shell metacharacters allowed (Finger_Perl)
About this signature or vulnerability
This vulnerability is detected by the Finger_Perl signature.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 2.0
Systems affected
DG/UX
Type
Unauthorized Access Attempt
Vulnerability description
Some older DG/UX finger daemons were vulnerable to shell metacharacter attacks,
allowing attackers to execute arbitrary commands on the system through the finger port.
How to remove this vulnerability
Upgrade to the latest version of DG/UX (4.20 or later), available from the Data General
Web site. See References.
References
BugTraq Mailing List, Wed Aug 20 1997 13:55:46
Re: in.fingerd vulnerability
http://www.securityfocus.com/archive/1/7510
BugTraq Mailing List, Mon Aug 11 1997 09:32:38
dgux in.fingerd vulnerability
http://www.securityfocus.com/archive/1/7486
Data General Web site
DG/UX Release 4.2 Operating System
http://www.dg.com/products/html/dg_ux.html
ISS X-Force
DG/UX finger shell metacharacters allowed
http://xforce.iss.net/static/302.php
CVE
CVE-1999-0152
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0152
DHCP Ack from server to client (DHCP_Ack)
About this signature or vulnerability
This signature detects DHCP (Dynamic Host Configuration Protocol) Ack packets
originating from a DHCP server.
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: 6.5, RealSecure Network Sensor: XPU 3.4, RealSecure Server Sensor: 6.5
Systems affected
Windows, Unix
Type
Protocol Signature
Vulnerability description
Dynamic Host Configuration Protocol (DHCP) aids in the administration of IP networks
by providing individual client computers their respective configurations. Clients send
DHCP Requests to the DHCP server. In turn, the DHCP server replies with an
acknowledgement (Ack) message that contains configuration parameters, including the
committed network address.
How to remove this vulnerability
This issue does not directly indicate any type of vulnerability. Monitor DHCP server log
files for suspicious activity.
References
RFC 2131
Dynamic Host Configuration Protocol
http://sunsite.dk/RFC/
ISS X-Force
DHCP Ack from server to client
http://xforce.iss.net/static/7131.php
Client broadcasts DHCP Discover messages to locate available
servers (DHCP_Discover)
About this signature or vulnerability
This signature detects DHCP (Dynamic Host Configuration Protocol) Discover packets
originating from a client.
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: 6.5, RealSecure Network Sensor: XPU 3.4, RealSecure Server Sensor: 6.5
Systems affected
Windows, Unix
Type
Protocol Signature
Vulnerability description
Dynamic Host Configuration Protocol (DHCP) aids in the administration of IP networks
by providing individual client computers their respective configurations. A client will
broadcast DHCP Discover messages in attempts to locate available DHCP servers. The
client then sends DHCP Requests to a discovered DHCP server, which in turn provides
configuration information to the client.
How to remove this vulnerability
This issue does not directly indicate any type of vulnerability. Monitor DHCP server log
files for suspicious activity.
References
RFC 2131
Dynamic Host Configuration Protocol
http://sunsite.dk/RFC/
ISS X-Force
Client broadcasts DHCP Discover messages to locate available servers
http://xforce.iss.net/static/7132.php
Client DHCP Request (DHCP_Request)
About this signature or vulnerability
This signature detects DHCP (Dynamic Host Configuration Protocol) Request packets
originating from a client.
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: 6.5, RealSecure Network Sensor: XPU 3.4, RealSecure Server Sensor: 6.5
Systems affected
Windows, Unix
Type
Protocol Signature
Vulnerability description
Dynamic Host Configuration Protocol (DHCP) aids in the administration of IP networks
by providing individual client computers their respective configurations. Clients send
DHCP Requests to the DHCP server, which in turn provides configuration information to
the client.
The various kinds of DHCP Request messages a client can send include:
● requests for offered parameters from one server (offers from other DHCP servers are
implicitly declined)
● requests to confirm the correctness of previously allocated addresses after, for
example, a system restart
● requests to extend the lease for a particular network address
How to remove this vulnerability
This issue does not directly indicate any type of vulnerability. Monitor DHCP Server log
files for suspicious activity.
References
RFC 2131
Dynamic Host Configuration Protocol
http://sunsite.dk/RFC/
ISS X-Force
Client DHCP Request
http://xforce.iss.net/static/7133.php
Disk space at or near capacity (Disk_space_shortage)
About this signature or vulnerability
This signature detects a Windows system log message indicating that a Windows drive is
at or near its capacity.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
This event is an alert to the condition that a Windows NT drive is at or near its capacity.
This condition is detected from an entry that appears in the Windows NT system log. A
full disk device can result in failures for any processes that may use the drive.
How to remove this vulnerability
A full disk device is not typically the result of an attacker's activities. However, a full drive
can compromise the performance of a system and result in program failure or a
compromise to the security system. Take action to free up disk space and to provide more
disk space as needed.
References
ISS X-Force
Disk space at or near capacity
http://xforce.iss.net/static/1596.php
DNS request made for all records (DNS_All)
About this signature or vulnerability
This signature detects a DNS request for all records about a host.
False positives
RealSecure Network Sensor: A DNS request of this type can occur during normal use of
DNS and may not indicate an attack.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 3.2
Systems affected
DNS
Type
Pre-attack Probe
Vulnerability description
A DNS request for all records about a host can indicate a pre-attack probe of a network.
With tools such as "dig," an attacker may make such DNS requests to gain information
about your network, which could be useful to an attacker in performing an attack.
However, normal, legitimate use of DNS may also involve such DNS requests.
How to remove this vulnerability
Events of this type are most likely part of normal and benign DNS queries. Sites
requesting this information should be monitored for events that could indicate an attack
or further probing.
References
Acme Byte & Wire LLC
Securing Your Name Server
http://www.acmebw.com/papers/securing.pdf
ISS X-Force
DNS request made for all records
http://xforce.iss.net/static/1444.php
Microsoft DNS Server - excessive bad packets received
(dns_bad_pkts)
About this signature or vulnerability
This signature detects a Windows event log message indicating that Microsoft DNS Server
is receiving an excess number of bad packets and is suppressing event logging of bad
packets.
Default risk level
High
Sensors that have this signature
RealSecure OS Sensor: XPU 1.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT, Windows 2000
Type
Host Sensor
Vulnerability description
Bad DNS packets occur infrequently in a production DNS environment. Receiving an
excess number of bad DNS packets in a short period of time could indicate a problem with
the remote DNS application, or an attack on the DNS server.
In addition, after an excessive number of bad packets, the DNS server may stop logging
these packets and DNS server tracing capability may be lost.
How to remove this vulnerability
Investigate the origin of the bad DNS packets.
If the sending host is located inside the firewall, determine if any suspicious applications
are running on the computer. Remove the host from the network if necessary.
If the sending host is located outside the firewall, create a filter on the firewall to prevent
bad packets from reaching the DNS server.
References
Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
http://www.microsoft.com/technet/winnt/Winntas/manuals/concept/xcp09.asp
ISS X-Force
Microsoft DNS Server - excessive bad packets received
http://xforce.iss.net/static/4676.php
Microsoft DNS Server - CNAME loop during caching
(dns_cname)
About this signature or vulnerability
This signature detects a Windows event log message indicating that a CNAME loop has
been detected by Microsoft DNS Server during caching.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: XPU 1.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT, Windows 2000
Type
Host Sensor
Vulnerability description
Microsoft DNS Server is capable of detecting when a new CNAME resource record forms
a CNAME loop with an existing CNAME resource record while trying to cache the new
resource record. If this happens, the new CNAME resource record will be ignored.
This CNAME loop may cause the DNS server to loop while trying to resolve a queried
name. This may indicate an error in the remote DNS application, or an attempt by an
attacker to pollute the DNS server cache.
How to remove this vulnerability
Ensure that the DNS server does not cache polluted CNAME resource records. Investigate
the source of the bad CNAME resource record.
If the sending host is located inside the firewall, determine if any suspicious applications
are running on the system. Remove the host from the network if necessary.
If the sending host is located outside the firewall, create a filter on the firewall to prevent
bad packets from reaching the DNS server.
References
Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
http://www.microsoft.com/technet/winnt/Winntas/manuals/concept/xcp09.asp
ISS X-Force
Microsoft DNS Server - CNAME loop during caching
http://xforce.iss.net/static/4635.php
DNS HINFO request (DNS_HInfo)
About this signature or vulnerability
This signature detects a Domain Name System (DNS) request for an HINFO (Host Info)
record about a target host. The target system name will be listed in the event.
False positives
RealSecure Network Sensor: Some network management tools or other services may
make these requests while scanning a network. However, if you have no such tools and no
HINFO records on your DNS server, then this attack is almost always indicative of
malicious intent.
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: 2.5
Systems affected
DNS
Type
Pre-attack Probe
Vulnerability description
Domain Name System (DNS) requests can be made for an HINFO (Host Info) record
about a target host. These records list, among other things, the CPU type and host
operating system of the target system. Such information could be useful to an attacker in
planning an attack.
How to remove this vulnerability
Remove all HINFO records from your DNS server, unless their presence is required. Also,
following the HINFO request, monitor the target system for suspicious activity.
References
ISS X-Force
DNS HINFO request
http://xforce.iss.net/static/1224.php
DNS hostname exceeding maximum length
(DNS_Hostname_Overflow)
About this signature or vulnerability
This signature detects a Windows event log message indicating that a domain name
exceeding the maximum name length has been detected by the Microsoft DNS Server.
False positives
RealSecure Network Sensor: Queries requesting non-RFC compliant hostnames will
appear to be this attack.
RealSecure Server Sensor: Queries requesting non-RFC compliant hostnames will
appear to be this attack.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure OS Sensor: XPU 1.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT, DNS, Windows 2000, BIND: 4.x
Type
Suspicious Activity
Vulnerability description
DNS responses for hostnames should not exceed a certain fixed length. A domain name
exceeding the maximum length of 255 octets could indicate one of the following events:
● a zone file error
● incorrectly entered hostnames in nslookup queries
● an attempt by an attacker to manipulate the DNS server
When Microsoft DNS Server encounters a resource record with a domain name exceeding
the maximum length of 255 octets, the resource record is ignored by the DNS server.
Versions 4.x and earlier of BIND (Berkeley Internet Name Domain, a DNS server available
for most versions of Unix) do not validate the maximum domain name length of 255
octets. Hostnames longer than this length can be returned to client programs performing
DNS lookups. Client programs that do not check the length of the hostnames returned
may overflow internal buffers when copying this hostname, allowing a remote attacker to
gain root access or execute arbitrary commands on a targeted client computer.
How to remove this vulnerability
Investigate the source of the invalid domain name. Ensure that the master DNS server is
using the correct zone file. Correct any errors in the DNS zone file, such as bad DNS
resource records, that are reported in the DNS error log. Ensure that security permissions
are configured so that only the intended security principals have access.
— AND —
If you are using BIND 4.x or earlier, upgrade to the latest version of BIND
(8.2.2 patchlevel 5 or later), available from the BIND Web site. See References.
References
Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
http://www.microsoft.com/technet/winnt/Winntas/manuals/concept/xcp09.asp
Internet Software Consortium (ISC) Web site
Current release
http://www.isc.org/products/BIND/
ISS X-Force
DNS hostname exceeding maximum length
http://xforce.iss.net/static/636.php
Microsoft DNS Server - Invalid domain name (dns_inv_dom)
About this signature or vulnerability
This signature detects a Windows event log message indicating that an invalid domain
name has been detected by Microsoft DNS Server.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: XPU 1.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT, Windows 2000
Type
Host Sensor
Vulnerability description
Microsoft DNS Server encountered an invalid domain name. An invalid domain name
could indicate an error in the DNS zone file, or an attempt by an attacker to manipulate
the DNS Server.
How to remove this vulnerability
Investigate the source of the invalid domain name. Ensure that the master DNS server is
using the correct zone file. Correct any errors in the DNS zone file, such as bad DNS
resource records, that are reported in the DNS error log. Ensure that security permissions
are configured so that only the intended security principals have access.
References
Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
http://www.microsoft.com/technet/winnt/Winntas/manuals/concept/xcp09.asp
ISS X-Force
Microsoft DNS Server - Invalid domain name
http://xforce.iss.net/static/4663.php
Microsoft DNS Server - Invalid domain name offset in DNS
message packet (dns_inv_dom_offset)
About this signature or vulnerability
This signature detects a Windows event log message indicating that an invalid domain
name offset in the DNS message packet has been detected by Microsoft DNS Server.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: XPU 1.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT, Windows 2000
Type
Host Sensor
Vulnerability description
An invalid domain name offset in a DNS message packet occurs infrequently in a
production DNS environment. An invalid domain name offset could be the result of a
remote DNS application error, or an attempt by an attacker to manipulate the DNS server
remotely.
How to remove this vulnerability
Investigate the origin of the invalid DNS message packet.
If the sending host is located inside the firewall, determine if any suspicious applications
are running on the computer. Remove the host from the network if necessary.
If the sending host is located outside the firewall, create a filter on the firewall to prevent
bad packets from reaching the DNS server.
References
Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
http://www.microsoft.com/technet/winnt/Winntas/manuals/concept/xcp09.asp
ISS X-Force
Microsoft DNS Server - Invalid domain name offset in DNS message packet
http://xforce.iss.net/static/4675.php
Microsoft DNS Server - Invalid domain name in DNS message
packet (dns_inv_dom_pkt)
About this signature or vulnerability
This signature detects a Windows event log message indicating that an invalid domain
name in a DNS message packet has been detected by Microsoft DNS Server.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: XPU 1.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT, Windows 2000
Type
Host Sensor
Vulnerability description
An invalid domain name in a DNS message packet occurs infrequently in a production
DNS environment. An invalid domain name in the DNS message packet could be the
result of a remote DNS application error, or an attempt by an attacker to manipulate the
DNS server remotely. Even though the bad packet has been rejected, this event should be
considered suspicious.
How to remove this vulnerability
Investigate the origin of the invalid DNS packet.
If the sending host is located inside the firewall, determine if any suspicious applications
are running on the computer. Remove the host from the network if necessary.
If the sending host is located outside the firewall, create a filter on the firewall to prevent
bad packets from reaching the DNS server.
References
Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
http://www.microsoft.com/technet/winnt/Winntas/manuals/concept/xcp09.asp
ISS X-Force
Microsoft DNS Server - Invalid domain name in DNS message packet
http://xforce.iss.net/static/4654.php
Microsoft DNS Server - Invalid DNS UPDATE message in DNS
packet (dns_inv_updated)
About this signature or vulnerability
This signature detects a Windows event log message indicating that an invalid DNS
UPDATE message in a DNS packet has been detected by Microsoft DNS Server.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: XPU 1.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT, Windows 2000
Type
Host Sensor
Vulnerability description
The DNS UPDATE operation can be used to modify DNS resource records dynamically on
the master DNS server. Normally, DNS updates should only be accepted from trusted
hosts.
Invalid DNS UPDATE messages occur infrequently in a production DNS environment,
and could be the result of a remote DNS application error, or an attempt by an attacker to
manipulate the DNS server remotely. Even though the bad packet has been rejected, this
event should be considered suspicious.
How to remove this vulnerability
Investigate the origin of the invalid DNS UPDATE packet.
If the sending host is located inside the firewall, determine if any suspicious applications
are running on the computer. Remove the host from the network if necessary.
If the sending host is located outside the firewall, create a filter on the firewall to prevent
bad packets from reaching the DNS server.
Review and configure your DNS server policy so that DNS UPDATE is only accepted
from authorized hosts.
References
Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
http://www.microsoft.com/technet/winnt/Winntas/manuals/concept/xcp09.asp
ISS X-Force
Microsoft DNS Server - Invalid DNS UPDATE message in DNS packet
http://xforce.iss.net/static/4677.php
DNS server inverse queries (DNS_Iquery)
About this signature or vulnerability
This signature detects an IQUERY probe directed at your DNS server, which could
indicate an attacker's attempt to obtain a zone transfer.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 1.3, RealSecure Server Sensor: 6.5
Systems affected
DNS
Type
Suspicious Activity
Vulnerability description
The Inverse Query (iquery) feature supported on some DNS servers could allow an
attacker to obtain a zone transfer. Zone transfers identify every computer registered with
your DNS server and can be used by an attacker to better understand your network. Even
if you have disabled zone transfers on your DNS server, the iquery feature will still permit
a zone transfer to occur.
How to remove this vulnerability
Configure your DNS server to disable inverse queries.
According to ISC, there are no known vulnerabilities in the current iquery code as of
BIND 8.2.2-P5 and BIND 8.2.3-TB2.
For more information on inverse queries, see RFC 1035, "Domain Names - Implementation
and Specification," as listed in the References.
References
Request for Comment document RFC 1035
Domain Names - Implementation and Specification
http://www.rfc-editor.org/rfc/rfc1035.txt
Acme Byte & Wire LLC
Securing Your Name Server
http://www.acmebw.com/papers/securing.pdf
BIND Users Mailing List Archive, Fri, 14 Apr 2000 09:36:11 +1000
Re: iquery and Cybercop Scanner
http://www.isc.org/ml-archives/bind-users/2000/04/msg00680.html
ISS X-Force
DNS server inverse queries
http://xforce.iss.net/static/206.php
Overflowing DNS IPv4 length allows attackers to gain access
(DNS_Length_Overflow)
About this signature or vulnerability
This signature detects a DNS response in which the address data length field does not
specify the 4 bytes of an IPv4 address.
Additional Vulnerabilities Found
■ bind-bo
False positives
RealSecure Network Sensor: It is possible a DNS lookup of a string greater than or equal
to 255 bytes will trigger this attack. It is also possible that an IPv6 DNS response on an
IPv4 network will trigger it as well. However, these events are very unlikely. Consider
each event as suspicious.
RealSecure Server Sensor: It is possible a DNS lookup of a string greater than or equal to
255 bytes will trigger this attack. It is also possible that an IPv6 DNS response on an IPv4
network will trigger it as well. However, these events are very unlikely. Consider each
event as suspicious.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 6.5
Systems affected
DNS, Solaris: 2.5, Solaris: 2.5.1, AIX: 3.2.x, AIX: 4.1.x, AIX: 4.2.x, SunOS: 5.5, SunOS: 5.5.1
Type
Unauthorized Access Attempt
Vulnerability description
Domain Name System (DNS) is a distributed database used to map IP addresses to host
names. DNS responses containing an IP address value larger than 4 bytes will overflow
internal buffers in a vulnerable gethostbyname() library function. Any program that uses
the vulnerable function to perform DNS lookups may allow a remote attacker to execute
arbitrary commands or gain root access on a targeted system.
How to remove this vulnerability
For AIX 3.2.x, 4.1.x, and 4.2.x:
Apply the appropriate patch for your system, as listed in IBM Emergency Response
Service Security Vulnerability Alert ERS-SVA-E01-1997:001.1. See References.
For Solaris 2.5 (SunOS 5.5) and Solaris 2.5.1 (SunOS 5.5.1):
Apply the appropriate patch for your system, as listed in Sun Microsystems, Inc. Security
Bulletin #00137a. See References.
References
IBM Emergency Response Service Security Vulnerability Alert ERS-SVA-E01-1996:007.1
Possible buffer overrun condition in "gethostbyname()" library function
http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/339C9BBFF919554A8525680F0077E2F3/$file/ERS-SVA-E01-1996_007_1.txt
IBM Emergency Response Service Security Vulnerability Alert ERS-SVA-E01-1996:007.2
Update of ERS-SVA-E01-1996:007.1
http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/97E24C45F60272748525680F0077E307/$file/ERS-SVA-E01-1996_007_2.txt
IBM Emergency Response Service Security Vulnerability Alert ERS-SVA-E01-1997:001.1
Update of ERS-SVA-E01-1996:007.1
http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/F15B71C1AFF8A88A8525680F0077E2F4/$file/ERS-SVA-E01-1997_001_1.txt
Sun Microsystems, Inc. Security Bulletin #00137a
Revised security patches for Solaris 2.5 and 2.5.1
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/137&type=0&nav=sec.sba
Network Associates, Inc. COVERT Labs Security Advisory #01
Vulnerability in Unchecked DNS Data
http://www.pgp.com/research/covert/advisories/001.asp
CIAC Information Bulletin H-13
IBM AIX(r) Security Vulnerabilities (gethostbyname,lquerypv)
http://ciac.llnl.gov/ciac/bulletins/h-13.shtml
BugTraq Mailing List, Tue Jun 12 2001 11:40:20
rsh bufferoverflow on AIX 4.2
http://www.securityfocus.com/archive/1/190482
BugTraq Mailing List, Tue Jun 12 2001 12:02:50
Re: (forw) rsh bufferoverflow on AIX 4.2
http://www.securityfocus.com/archive/1/190630
ISS X-Force
Overflowing DNS IPv4 length allows attackers to gain access
http://xforce.iss.net/static/637.php
CVE
CVE-1999-0101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0101
Microsoft DNS Server - Domain name exceeding maximum
packet length (dns_maxlen_pkt)
About this signature or vulnerability
This signature detects a Windows event log message indicating that a domain name
exceeding the maximum packet length has been detected by Microsoft DNS Server.
Default risk level
High
Sensors that have this signature
RealSecure OS Sensor: XPU 1.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT, Windows 2000
Type
Host Sensor
Vulnerability description
Microsoft DNS Server encountered a domain name exceeding the maximum packet
length. A domain name should never exceed the maximum length in the DNS message
packet. This may indicate a remote DNS application error, or an attempt by an attacker to
manipulate the DNS server.
How to remove this vulnerability
Investigate the origin of the invalid DNS packet.
If the sending host is located inside the firewall, determine if any suspicious applications
are running on the computer. Remove the host from the network if necessary.
If the sending host is located outside the firewall, create a filter on the firewall to prevent
bad packets from reaching the DNS server.
References
Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
http://www.microsoft.com/technet/winnt/Winntas/manuals/concept/xcp09.asp
ISS X-Force
Microsoft DNS Server - Domain name exceeding maximum packet length
http://xforce.iss.net/static/4637.php
Microsoft DNS Server - Name offset exceeding DNS message
packet length (dns_name_offset)
About this signature or vulnerability
This signature detects a Windows event log message indicating that a name offset
exceeding the DNS message packet length has been detected by Microsoft DNS Server.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: XPU 1.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT, Windows 2000
Type
Host Sensor
Vulnerability description
Microsoft DNS Server encountered a DNS message with a name offset exceeding the
packet length. The name offset of a valid DNS message should never exceed the packet
length. An invalid name offset in the packet could be an indication of a remote DNS
application error, or an attempt by an attacker to manipulate the DNS server.
How to remove this vulnerability
Investigate the origin of the invalid DNS packet.
If the sending host is located inside the firewall, determine if any suspicious applications
are running on the computer. Remove the host from the network if necessary.
If the sending host is located outside the firewall, create a filter on the firewall to prevent
bad packets from reaching the DNS server.
References
Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
http://www.microsoft.com/technet/winnt/Winntas/manuals/concept/xcp09.asp
ISS X-Force
Microsoft DNS Server - Name offset exceeding DNS message packet length
http://xforce.iss.net/static/4679.php
BIND 8.2 and 8.2.1 remote buffer overflow in the processing of
NXT records (DNS_NXT_Overflow)
About this signature or vulnerability
This signature detects a DNS packet containing a long rdata length, which may be an
attempt to overflow a buffer in BIND's NXT record processing code.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 5.0
Systems affected
Red Hat Linux: 6.0, BIND: 8.2, BIND: 8.2 P1, BIND: 8.2.1
Type
Unauthorized Access Attempt
Vulnerability description
BIND is a freely available DNS server produced by the Internet Software Consortium.
BIND is vulnerable to a buffer overflow in the processing of NXT records in the 8.2 and
8.2.1 versions of BIND. A remote attacker can overflow this buffer and execute arbitrary
code on vulnerable servers with root privileges.
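Several of the DNS entries above describe the same kind of structural defect in a message: a domain name longer than 255 octets (DNS_Hostname_Overflow), a compression offset beyond the packet (dns_name_offset, dns_inv_dom_offset), a name or rdata that runs past the end of the packet (dns_maxlen_pkt, and the long NXT rdata described here), and an A record whose rdata is not 4 bytes (DNS_Length_Overflow). The following Python validator is an added example written for this guide, not ISS or BIND code; the packets in SAMPLES are constructed, and the comments name the entry each finding corresponds to.

```python
import struct

MAX_NAME_OCTETS = 255     # RFC 1035 limit on a wire-format domain name
TYPE_A, TYPE_NXT = 1, 30  # the record types the checks below look at


def encode_name(name):
    """Wire-encode a dotted name, uncompressed; enforces no limits on purpose."""
    labels = [label.encode("ascii") for label in name.split(".") if label]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_response(answers):
    """Constructed test input: one question plus (owner, rtype, rdata) answers."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    body = encode_name("host.example.test") + struct.pack("!HH", TYPE_A, 1)
    for owner, rtype, rdata in answers:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + body


def read_name(msg, pos, findings):
    """Walk one (possibly compressed) name at pos. Returns (name, offset just past
    it) or (None, None) if unreadable; each malformed condition appends one finding."""
    def fail(reason):
        findings.append(reason)
        return None, None

    labels, total, end, lowest = [], 0, None, pos
    while True:
        if pos >= len(msg):
            return fail("name runs past end of packet")                # dns_maxlen_pkt
        length = msg[pos]
        if length & 0xC0 == 0xC0:                                      # compression pointer
            if pos + 1 >= len(msg):
                return fail("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            end = pos + 2 if end is None else end
            if target >= len(msg):                                     # dns_name_offset
                return fail("name offset %d exceeds packet length %d" % (target, len(msg)))
            if target >= lowest:                                       # dns_inv_dom_offset
                return fail("compression pointer loop at offset %d" % target)
            lowest = pos = target                                      # pointers must go backwards
            continue
        if length & 0xC0:                                              # dns_inv_dom
            return fail("invalid label type at offset %d" % pos)
        if length == 0:                                                # root label ends the name
            total += 1
            end = pos + 1 if end is None else end
            break
        if pos + 1 + length > len(msg):
            return fail("label runs past end of packet")               # dns_maxlen_pkt
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        total += 1 + length
        pos += 1 + length
    if total > MAX_NAME_OCTETS:                                        # DNS_Hostname_Overflow
        findings.append("domain name of %d octets exceeds %d" % (total, MAX_NAME_OCTETS))
    return ".".join(labels), end


def check_response(msg):
    """Return the list of findings for one wire-format DNS response ([] if clean)."""
    findings = []
    if len(msg) < 12:
        return ["message shorter than the 12-byte DNS header"]
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):                                                # question section
        _, pos = read_name(msg, pos, findings)
        if pos is None:
            return findings
        pos += 4                                                       # QTYPE, QCLASS
    for _ in range(an + ns + ar):                                      # answer, authority, additional
        _, pos = read_name(msg, pos, findings)
        if pos is None:
            return findings
        if pos + 10 > len(msg):
            return findings + ["truncated resource record header at offset %d" % pos]
        rtype, _, _, rdlength = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if pos + rdlength > len(msg):                                  # long rdata, cf. DNS_NXT_Overflow
            return findings + ["rdata length %d runs past end of packet" % rdlength]
        if rtype == TYPE_A and rdlength != 4:                          # DNS_Length_Overflow
            findings.append("A record rdata length %d is not 4" % rdlength)
        if rtype == TYPE_NXT and read_name(msg[:pos + rdlength], pos, [])[1] is None:
            findings.append("NXT next-domain name does not fit in %d octets of rdata" % rdlength)
        pos += rdlength
    return findings


SAMPLES = {  # constructed: one well-formed response and four malformed ones
    "benign": build_response([("host.example.test", TYPE_A, bytes([192, 0, 2, 10]))]),
    "oversized_ipv4": build_response([("host.example.test", TYPE_A, bytes(8))]),
    "long_name": build_response([(".".join(["a" * 63] * 4), TYPE_A, bytes([192, 0, 2, 11]))]),
    "bad_nxt": build_response([("host.example.test", TYPE_NXT, b"\x05abcde")]),
    "bad_offset": struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + b"\xc0\xff\x00\x01\x00\x01",
}

if __name__ == "__main__":
    for label, packet in SAMPLES.items():
        print(label, check_response(packet) or "ok")
```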
How to remove this vulnerability
Upgrade to the latest version of BIND (8.2.2-P5 or later), available from the Internet
Software Consortium Web site. See References.
For Red Hat Linux:
Upgrade to the latest version of BIND (8.2.2_P3-1 or later), as listed in Red Hat, Inc.
Security Advisory RHSA-1999:054-01. See References.
For Caldera OpenLinux:
Upgrade to the latest version of BIND (8.2.2p3-1 or later), as listed in Caldera Systems,
Inc. Security Advisory CSSA-1999:034.0. See References.
For TurboLinux:
Upgrade to the latest version of BIND (8.2.2P5-1 or later), available from the TurboLinux
Web site. See References.
For Hewlett-Packard:
Apply the appropriate patch for your system (4.9.7 or later), as listed in Hewlett-Packard
Security Bulletin HPSBUX0005-114. As an alternative, upgrade to the latest version of
BIND (8.1.2 or later), as listed in Hewlett-Packard Security Bulletin HPSBUX0005-114.
For SuSE Linux:
Upgrade to the latest version of BIND 4 (4.9.7-101 or later) or BIND 8 (package
bind8-8.2.2-8 or later), as listed in SuSE Security Announcement #28. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References
Internet Software Consortium (ISC) Web site
BIND Vulnerabilities
http://www.isc.org/products/BIND/bind-security-19991108.html
CERT Advisory CA-1999-14
Multiple Vulnerabilities in BIND
http://www.cert.org/advisories/CA-1999-14.html
Red Hat Linux Errata Advisory RHSA-1999:054-01
Security problems in bind
http://www.redhat.com/support/errata/RHSA1999054-01.html
Caldera Systems, Inc. Security Advisory CSSA-1999-034.0
several vulnerabilities in bind
http://www.calderasystems.com/support/security/advisories/CSSA-1999-034.0.txt
CIAC Information Bulletin K-007
Multiple Vulnerabilities in BIND
http://www.ciac.org/ciac/bulletins/k-007.shtml
TurboLinux Security Updates
bind-8.2.2P5-1.i386.rpm
http://www1.turbolinux.com/security/
SuSE Security Announcement #28
Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL
http://www.suse.de/de/support/security/suse_security_announce_28.txt
Hewlett-Packard Security Bulletin HPSBUX0005-114
Security vulnerability in the BIND executable
http://us-support.external.hp.com/index.html
CERT Vulnerability Note VU#16532
BIND T_NXT record processing may cause buffer overflow
https://www.kb.cert.org/vuls/id/16532
Debian Security Announcement Mailing List
Denial of service vulnerabilities in bind
http://www.debian.org/security/1999/19991116
SCO System Security Enhancement (SSE) SSE033
System Security Enhancement (SSE) <SSE033> - 16 Nov 1999
ftp://ftp.sco.com/SSE/sse033.ltr
CERT Advisory CA-2000-03
Continuing Compromises of DNS servers
http://www.cert.org/advisories/CA-2000-03.html
Internet Software Consortium (ISC) Web site
BIND Vulnerabilities
http://www.isc.org/products/BIND/bind-security-19991108.html
ISS X-Force
BIND 8.2 and 8.2.1 remote buffer overflow in the processing of NXT records
http://xforce.iss.net/static/3476.php
CVE
CVE-1999-0833
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0833
BIND 8.2.x transaction signature (TSIG) buffer overflow
(DNS_TSIG_Overflow)
About this
signature or
vulnerability
This signature detects a DNS packet of excessive length that contains a TSIG (Transaction
SIGnature) resource record. This may indicate an attempt by an attacker to overflow a
buffer in the error handling code of some versions of the BIND (Berkeley Internet Name
Domain) server. If your network's DNS architecture does not use RFC 2845 TSIG
authentication, no TSIG record should appear at all, and this signature is highly indicative
of an attack.
Configurable Parameters:
The length of the DNS packet that this signature detects can be configured in the Policy
Editor for DNS_TSIG_Overflow.
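The Python below is an added illustration and is not part of the RealSecure product or of the original guide. It shows the kind of length check that the DNS_NXT_Overflow signature (previous entry) and the DNS_TSIG_Overflow signature (this entry) describe: it walks the resource records of a DNS message, flags an NXT record whose rdata is longer than the RFC 2535 NXT format can legitimately hold (a next-domain name of at most 255 octets plus a type bit map of at most 16 octets), flags any message carrying a TSIG record that exceeds a configurable length (512 bytes is assumed as the default here), and also catches an rdlength field that overruns the packet. The two signature names come from this guide; the other alert labels, the thresholds, and the sample packets are constructed for the example.

```python
"""Added example: rdlength / TSIG length checks in the spirit of the DNS_NXT_Overflow
and DNS_TSIG_Overflow signatures.  Thresholds and sample packets are constructed
for this illustration; they are not RealSecure's own values."""
import struct

TYPE_A = 1
TYPE_NXT = 30
TYPE_TSIG = 250
# RFC 2535 NXT rdata: next domain name (<= 255 octets) + type bit map (<= 16 octets).
MAX_LEGIT_NXT_RDATA = 255 + 16
# Assumed default for the configurable "excessive length" parameter of DNS_TSIG_Overflow.
DEFAULT_MAX_TSIG_MSG = 512


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name starting at off."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:        # compression pointer: two bytes end the name
            return off + 2
        off += 1 + length


def iter_records(msg):
    """Yield (section, rtype, rdlength, rdata_offset) for each RR, in wire order."""
    if len(msg) < 12:
        raise ValueError("short header")
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # QTYPE + QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("truncated RR header")
            rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            yield section, rtype, rdlength, off
            off += rdlength


def check_dns(msg, max_tsig_msg=DEFAULT_MAX_TSIG_MSG):
    """Return the list of alerts a message raises; an empty list means it passed."""
    alerts = []
    try:
        for section, rtype, rdlength, rdata_off in iter_records(msg):
            if rdata_off + rdlength > len(msg):
                # Claimed rdata is longer than the bytes actually present.
                alerts.append(f"rdlength_exceeds_message:{section}")
                break
            if rtype == TYPE_NXT and rdlength > MAX_LEGIT_NXT_RDATA:
                alerts.append("DNS_NXT_Overflow")
            if rtype == TYPE_TSIG and len(msg) > max_tsig_msg:
                alerts.append("DNS_TSIG_Overflow")
    except ValueError as exc:
        alerts.append(f"malformed:{exc}")
    return alerts


# --- constructed sample messages (not captured traffic) ---------------------

def encode_name(name):
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname, qtype, answers=(), additional=()):
    """Minimal DNS response builder: one question, then answer and additional RRs."""
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), 0, len(additional))
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, rdata in list(answers) + list(additional):
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + body


SAMPLES = {
    "benign_a": build_response("www.example.", TYPE_A,
                               [("www.example.", TYPE_A, bytes([192, 0, 2, 1]))]),
    # NXT answer whose rdata (name + 1500-byte "bit map") far exceeds the 271-octet maximum.
    "nxt_overflow": build_response("a.example.", TYPE_NXT,
                                   [("a.example.", TYPE_NXT,
                                     encode_name("b.example.") + b"\xff" * 1500)]),
    # Small, well-formed TSIG in the additional section: below the length threshold.
    "tsig_benign": build_response("www.example.", TYPE_A,
                                  [("www.example.", TYPE_A, bytes([192, 0, 2, 1]))],
                                  [("key.example.", TYPE_TSIG, b"\x00" * 40)]),
    # Oversized message carrying a TSIG RR: what the TSIG signature looks for.
    "tsig_overflow": build_response("www.example.", TYPE_A,
                                    [("www.example.", TYPE_A, bytes([192, 0, 2, 1]))],
                                    [("key.example.", TYPE_TSIG, b"\x41" * 900)]),
}
# A record whose rdlength field claims 4000 octets while only 4 follow.
_bad = SAMPLES["benign_a"]
SAMPLES["rdlength_lie"] = _bad[:-6] + struct.pack("!H", 4000) + _bad[-4:]

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:15s} {len(msg):5d} bytes -> {check_dns(msg) or ['clean']}")
```

The TSIG threshold is deliberately a parameter of check_dns, mirroring the configurable length in the Policy Editor; a site that legitimately uses TSIG with large keys or EDNS payloads would raise it, a site that does not use TSIG at all would alert on any TSIG record regardless of size.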
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.1
Systems affected
FreeBSD, TurboLinux, SuSE Linux, Slackware Linux, Red Hat Linux: 5.2, BIND: 8.2,
Caldera OpenLinux: 2.3, Red Hat Linux: 6.2, Debian Linux: 2.2, Mandrake Linux,
Conectiva Linux, Caldera OpenLinux eDesktop: 2.4, Red Hat Linux: 7.0, Immunix OS: 6.2,
Immunix OS: 7.0-beta, Caldera OpenLinux eServer: 2.3.1, Caldera OpenServer: 5.0.6a and
earlier
Type
Unauthorized Access Attempt
Vulnerability
description
ISC BIND (Berkeley Internet Name Domain) is the most widely deployed implementation of
the DNS (Domain Name System) protocol on Unix and Linux name servers. BIND versions 8.2
through 8.2.3-beta, including all patch levels and interim releases, are vulnerable to a
remotely exploitable buffer overflow in the code that handles Transaction Signatures
(TSIG).
Transaction Signatures, defined in RFC 2845, provide transaction-level authentication for
DNS requests. When a BIND server receives a request carrying a TSIG resource record with
an invalid key, it branches into an error-processing function. That function miscalculates
the memory available for building the response to the client, so the buffer (on the stack or
the heap, depending on the code path) can be overrun and manipulated to execute arbitrary
code.
How to remove this
vulnerability
Upgrade to the latest version of ISC BIND 9 (9.1.0 or later) or BIND 8 (8.2.3 or later),
available from the Internet Software Consortium Web page. See References.
If possible, upgrading to BIND 9.1.0 or later is highly recommended.
For Linux-Mandrake 6.0, 6.1, 7.0, 7.1, 7.2, and Corporate Server 1.0.1:
Upgrade to the latest version of BIND (8.2.3-1 or later), as listed in Linux-Mandrake
Security Update Advisory MDKSA-2001:017. See References.
For Slackware Linux 7.1 and -current:
Upgrade to the latest version of BIND (8.2.3 or later), as listed in Slackware Security
Advisory-1121. See References.
For Immunix OS 6.2 and 7.0-beta:
Upgrade to the latest version of BIND (8.2.3-0.6.x or later), as listed in Immunix OS
Security Advisory IMNX-2001-70-001-01. See References.
For Red Hat Linux 5.2:
Upgrade to the latest version of BIND (8.2.3-0.5 or later), as listed in Red Hat, Inc. Red
Hat Security Advisory RHSA-2001:007-03. See References.
For Red Hat Linux 6.2:
Upgrade to the latest version of BIND (8.2.3-0.6 or later), as listed in Red Hat, Inc. Red
Hat Security Advisory RHSA-2001:007-03. See References.
For Red Hat Linux 7.0:
Upgrade to the latest version of BIND (8.2.3-1 or later), as listed in Red Hat, Inc. Red Hat
Security Advisory RHSA-2001:007-03. See References.
For Conectiva Linux 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1, 6.0:
Upgrade to the latest version of BIND (8.2.3-1cl or later), as listed in Conectiva Linux
Security Announcement CLA-2001:377. See References.
For Caldera OpenLinux 2.3, 2.3.1, and 2.4:
Upgrade to the latest version of BIND (8.2.3-1 or later), as listed in Caldera Systems, Inc.
Security Advisory CSSA-2001-008.1. See References.
For SuSE Linux 6.0, 6.1, 6.2, 6.3, 6.4, 7.0, and 7.1:
Upgrade to the latest version of BIND (8.2.3 or later), as listed in SuSE Security
Announcement SuSE-SA:2001:03. See References.
For Debian Linux 2.2 potato:
Upgrade to the latest version of BIND (8.2.3-0 or later), as listed in Debian Security
Advisory DSA-026-1. See References.
For FreeBSD 3.x, 4.x, 3.5-STABLE, 4.2-STABLE:
Upgrade to the latest version of BIND (8.2.3 or later), as listed in FreeBSD, Inc. Security
Advisory FreeBSD-SA-01:18. See References.
For NetBSD current, 1.4, 1.5:
Upgrade to the latest version of BIND, as listed in NetBSD Security Advisory 2001-001.
See References.
For TurboLinux 6.0.5 and earlier:
Upgrade to the latest version of BIND (8.2.3-2 or later), as listed in TurboLinux Security
Announcement TLSA2001004-1. See References.
References
Network Associates, Inc. COVERT Labs Security Advisory #47
Vulnerabilities in BIND 4 and 8
http://www.pgp.com/research/covert/advisories/047.asp
CERT Advisory CA-2001-02
Multiple Vulnerabilities in BIND
http://www.cert.org/advisories/CA-2001-02.html
Internet Software Consortium (ISC) Web site
BIND Vulnerabilities
http://www.isc.org/products/BIND/bind-security.html
Internet Security Systems Security Alert #72
Remote Vulnerabilities in BIND versions 4 and 8
http://xforce.iss.net/alerts/advise72.php
IBM Emergency Response Service Security Vulnerability Alert ERS-SVA-E01-2001:002.1
4 Vulnerabilities in BIND4 and BIND8
http://www.securityfocus.com/archive/1/160002
Linux-Mandrake Security Update Advisory MDKSA-2001:017
bind update
http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-017.php3
Slackware Security Advisory-1121
multiple vulnerabilities in bind 8.x
http://search.linuxsecurity.com/advisories/slackware_advisory-1121.html
Immunix OS Security Advisory IMNX-2001-70-001-01 (from SecurityFocus Archive)
bind
http://www.securityfocus.com/advisories/3063
Red Hat Linux Errata Advisory RHSA-2001:007-03
Updated bind packages available
http://www.redhat.com/support/errata/RHSA-2001-007.html
Conectiva Linux Security Announcement CLA-2001:377
bind
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000377
Caldera Systems, Inc. Security Advisory CSSA-2001-008.1
BIND buffer overflow
http://www.calderasystems.com/support/security/advisories/CSSA-2001-008.1.txt
SuSE Security Announcement SuSE-SA:2001:03
bind8
http://www.suse.com/de/support/security/2001_003_bind8_txt.txt
Debian Security Advisory DSA-026-1
buffer overflows and information leak
http://www.debian.org/security/2001/dsa-026
FreeBSD, Inc. Security Advisory FreeBSD-SA-01:18
BIND remotely exploitable buffer overflow
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:18.bind.asc
NetBSD Security Advisory 2001-001 (from SecurityFocus Archive)
Multiple BIND vulnerabilities
http://www.securityfocus.com/advisories/3091
TurboLinux Security Announcement TLSA2001004-1
[TL-Security-Announce] Bind-8.2.3-2 TLSA2001004-1
http://www.turbolinux.com/pipermail/tl-security-announce/2001-February/
000034.html
CERT Vulnerability Note VU#196945
ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code
https://www.kb.cert.org/vuls/id/196945
CIAC Information Bulletin L-030
Four Vulnerabilities in ISC BIND
http://www.ciac.org/ciac/bulletins/l-030.shtml
CIAC Information Bulletin L-127
Sun BIND Vulnerabilities
http://www.ciac.org/ciac/bulletins/l-127.shtml
Sun Microsystems, Inc. Security Bulletin #00204
BIND
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/
204&type=0&nav=sec.sba
Caldera International, Inc. Security Advisory CSSA-2001-SCO.13
OpenServer: BIND buffer overflows
ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.13/CSSA-2001SCO.13.txt
ISS X-Force
BIND 8.2.x transaction signature (TSIG) buffer overflow
http://xforce.iss.net/static/6015.php
CVE
CVE-2001-0010
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0010
Zone transfer request for non-existent or non-authoritative zone
(dns_unauth_xfer)
About this
signature or
vulnerability
This signature detects a Windows event log message indicating that Microsoft DNS Server
has received a DNS zone transfer request for a non-existent or non-authoritative zone.
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: XPU 1.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT, Windows 2000
Type
Host Sensor
Vulnerability
description
A DNS server can only honor a zone transfer request if it is authoritative for the requested
domain ("zone"). Zone transfer requests for non-existent or non-authoritative zones rarely
occur in a production DNS environment; they are most likely the result of a misconfigured
or faulty remote DNS application, or of an attacker attempting to retrieve DNS zone
information.
How to remove this
vulnerability
Investigate the origin and purpose of the zone transfer request.
If the sending host is located inside the firewall, determine whether any suspicious
applications are running on it. Remove the host from the network if necessary.
If the sending host is located outside the firewall, add a firewall rule that blocks zone
transfer requests from that host (or from all untrusted hosts) before they reach the DNS
server.
References
Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
http://www.microsoft.com/technet/winnt/Winntas/manuals/concept/xcp09.asp
ISS X-Force
Zone transfer request for non-existent or non-authoritative zone
http://xforce.iss.net/static/4666.php
Microsoft DNS Server - DNS Zone Transfers from high ports
(DNS_Zone_High_Port)
About this
signature or
vulnerability
This signature detects a zone transfer request originating from a non-privileged source
port (1024 or higher).
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 2.5
Systems affected
DNS
Type
Pre-attack Probe
Vulnerability
description
A DNS zone transfer request that originates from a non-privileged source port (1024 or
higher) suggests that the transfer is between your DNS server and a DNS client program
such as nslookup, rather than a peer name server. Treat the source port as a heuristic only:
many DNS server implementations also send their requests from non-privileged ports. Zone
transfers list the systems on your network, and that information is useful to an attacker in
planning an attack.
How to remove this
vulnerability
Observe the source address and watch for additional events originating from it.
Configure your DNS server to allow zone transfers only from the peer DNS servers it must
exchange zones with, or at least to refuse transfers requested from non-privileged port
numbers. If it is a standalone DNS server, disallow zone transfers entirely.
References
ISS X-Force
Microsoft DNS Server - DNS Zone Transfers from high ports
http://xforce.iss.net/static/1226.php
Microsoft DNS Server - DNS honors zone transfer requests
(DNS_Zone_Transfer)
About this
signature or
vulnerability
This signature detects a zone transfer between your DNS server and what may be another
DNS server: the source port of the request is a privileged port number (below 1024), which
suggests that a server rather than a client program made the request.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 2.5, RealSecure Server Sensor: 6.5
Systems affected
Any
Type
Pre-attack Probe
Vulnerability
description
Zone transfers contain lists that identify every computer registered with the DNS server.
This information could be useful to an attacker in performing an attack.
If the source port of the DNS zone transfer request is a privileged port number (below
1024), it could indicate that another DNS server has made the request.
How to remove this
vulnerability
If your DNS server should not be participating in zone transfers, configure it to refuse them
(for BIND, the allow-transfer option). Refer to your DNS server's documentation for details.
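As an added illustration (not RealSecure code and not part of the original guide), the Python below applies the three zone-transfer rules from the dns_unauth_xfer, DNS_Zone_High_Port and DNS_Zone_Transfer entries to a raw DNS query on the wire: it decodes the question, recognizes AXFR (and, going slightly beyond the text, IXFR) requests, reports a request for a zone the server is not authoritative for, reports a request from a peer that is not an allowed secondary, and classifies the source port exactly as the two network signatures do. The zone list, the allowed-secondary list, the label xfer_from_unlisted_peer and the sample packets are constructed for the example; the three signature names are from this guide.

```python
"""Added example: network-side classification of DNS zone-transfer requests, in the
spirit of the dns_unauth_xfer, DNS_Zone_High_Port and DNS_Zone_Transfer signatures.
Zone list, allowed secondaries and packets are constructed for this illustration."""
import struct

QTYPE_AXFR = 252      # full zone transfer
QTYPE_IXFR = 251      # incremental zone transfer; also a transfer, though the page does not name it

# Constructed configuration: zones this server is authoritative for, and the only
# peer allowed to pull them.
AUTHORITATIVE_ZONES = {"example.com.", "2.0.192.in-addr.arpa."}
ALLOWED_SECONDARIES = {"192.0.2.53"}


def read_qname(msg, off=12):
    """Decode the question name; a real query carries plain labels, never pointers."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated question name")
        length = msg[off]
        off += 1
        if length == 0:
            return ".".join(labels).lower() + ".", off
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length


def classify_query(src_ip, src_port, msg):
    """Return the alerts a DNS query raises (empty list if it is not a zone transfer)."""
    if len(msg) < 12:
        raise ValueError("short header")
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount == 0:
        return []                       # a response, or no question section
    qname, off = read_qname(msg)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    if qtype not in (QTYPE_AXFR, QTYPE_IXFR):
        return []
    alerts = []
    if qname not in AUTHORITATIVE_ZONES:
        alerts.append("dns_unauth_xfer")            # zone we do not serve
    elif src_ip not in ALLOWED_SECONDARIES:
        alerts.append("xfer_from_unlisted_peer")    # our label, not a guide signature
    # Source-port heuristic exactly as the guide describes it: below 1024 suggests a
    # peer server, 1024 or above suggests a client tool such as nslookup.
    alerts.append("DNS_Zone_Transfer" if src_port < 1024 else "DNS_Zone_High_Port")
    return alerts


def build_query(qname, qtype, msg_id=0x0001):
    """Constructed query packet: standard header (RD set), one question, no EDNS."""
    labels = [l for l in qname.strip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", msg_id, 0x0100, 1, 0, 0, 0) + wire + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    samples = [
        ("192.0.2.53", 53, build_query("example.com.", QTYPE_AXFR)),      # allowed peer, low port
        ("203.0.113.7", 41234, build_query("example.com.", QTYPE_AXFR)),  # nslookup-style pull
        ("203.0.113.7", 41234, build_query("victim.test.", QTYPE_AXFR)),  # zone we do not serve
        ("203.0.113.7", 41234, build_query("www.example.com.", 1)),       # ordinary A query
    ]
    for ip, port, pkt in samples:
        print(f"{ip:>12}:{port:<5} -> {classify_query(ip, port, pkt) or ['no transfer alert']}")
```

Note that the second sample, an AXFR for a zone the server does serve but from an address that is not a listed secondary, is the case the "How to remove this vulnerability" text above addresses: restricting transfers to the peers that need them makes the request fail regardless of which source port it came from.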
References
ISS X-Force
Microsoft DNS Server - DNS honors zone transfer requests
http://xforce.iss.net/static/212.php
Doly backdoor for Windows (Doly)
About this
signature or
vulnerability
This signature detects a TCP connection on port 1015 to a Doly backdoor on your
network.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows NT, Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The Doly backdoor is one of many backdoor programs that attackers can use to access
your computer system without your knowledge or consent. With the Doly backdoor, an
attacker can do the following:
●
log your keystrokes
●
start an FTP server
●
capture an image of your screen
●
shut down or restart your computer
How to remove this
vulnerability
To remove the Doly backdoor from your computer:
1. Using Regedit, find the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
registry key.
2. Find the registry entry named Ms tesk that has a data value of C:\Program
Files\Mdm.exe.
3. Delete this registry entry.
4. Delete Mdm.exe from C:\Program Files.
5. Delete Mdm.exe from the Startup folder in the Windows Start menu. Go to Start ->
Programs -> Startup. Right-click Mdm.exe and select Delete from the pop-up menu.
References
ISS X-Force
Doly backdoor for Windows
http://xforce.iss.net/static/3130.php
Donald Dick backdoor for Windows (DonaldDick)
About this
signature or
vulnerability
This signature detects a TCP connection on port 23476 to a Donald Dick backdoor on your
network.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows NT, Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The Donald Dick backdoor is one of many backdoor programs that attackers can use to
access your computer system without your knowledge or consent. With the Donald Dick
backdoor, an attacker can do the following:
●
access your files and system registry
●
retrieve screensaver and BIOS passwords
●
access program windows
●
restart or shut down your computer
●
send messages to you that appear on your screen
How to remove this
vulnerability
To remove the Donald Dick backdoor from your computer, follow the instructions for
your operating system:
For Windows 95 or 98:
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may
cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. Using Regedit, find the HKLM\System\CurrentControlSet\Services\VxD\VMLDR
registry key. It should contain a registry entry named StaticVxD that has a data value
of vmldr.vxd.
2. Delete the entire VMLDR registry key and all of its values.
3. Delete the following files from C:\Windows\System:
■
oleproc.exe
■
vmldr.vxd
■
jpegcomp.dll
For Windows NT:
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may
cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. Open Regedt32. (From the Start menu, click Run. Type regedt32, and then click OK.)
2. Using Regedt32, find the HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager registry key.
3. Find the registry entry named BootExecute.
4. Double-click this registry entry. A list of programs is shown.
5. Find and delete the text "bootexec". Be careful not to delete any other characters from
this list.
6. Click OK, and then close the Registry Editor.
7. Delete the following files from C:\WINNT\system32:
■
oleproc.exe
■
bootexec.exe
■
jpegcomp.dll
8. Restart your computer.
References
Donald Dick Official Web site
Last News
http://donalddick.da.ru/
ISS X-Force
Donald Dick backdoor for Windows
http://xforce.iss.net/static/4148.php
Desktop Protection System Server reported a critical event
(DPS_Server_Critical_Event)
About this
signature or
vulnerability
This event detects a Windows Application event log message written by the DPS Server
when an internal problem is detected.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Windows 2000
Type
Host Sensor
Vulnerability
description
Desktop Protection System Server reported a critical event that may have rendered it
inoperable. This could include a full database or a full or expired license key, either of
which would cause the server to no longer process incoming sensor data.
How to remove this
vulnerability
Locate the Desktop Protection System host on which the event was detected. Use the
Desktop Protection System Management Console and documentation to determine the
cause of the problem and how to correct it.
References
ISS X-Force
Desktop Protection System Server reported a critical event
http://xforce.iss.net/static/6120.php
Stack overflow error reported by Dr. Watson diagnostic tool
(drw_stack_ovflw)
About this
signature or
vulnerability
This signature detects a Windows event log message indicating a stack overflow error.
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: XPU 1.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT, Windows 2000
Type
Host Sensor
Vulnerability
description
Dr. Watson is a diagnostic tool for Windows NT and Windows 2000 that records system
information when a system fault occurs. Dr. Watson intercepts software faults, identifies
the software that faulted, and offers a detailed description of the cause. When Dr. Watson
reports a stack overflow error with a failing application, it may indicate problems with the
application.
How to remove this
vulnerability
Examine the Dr. Watson log file. Investigate the cause of application failure. Restart the
failing application if necessary.
References
Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
http://www.microsoft.com/technet/winnt/Winntas/manuals/concept/xcp09.asp
ISS X-Force
Stack overflow error reported by Dr. Watson diagnostic tool
http://xforce.iss.net/static/4669.php
Echo service (Echo_Denial_of_Service)
Additional
Vulnerabilities
Found
■
udp-dos
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
Any
Type
Denial of Service
Vulnerability
description
The echo service was detected as running. The echo service (port 7) can be abused with
spoofed packets: an attacker sends a datagram to one host's echo (or chargen) port with a
forged source address pointing at another host's echo port, so that the two services bounce
the data back and forth indefinitely. This loop consumes increasing amounts of network
bandwidth, degrading performance or shutting down the affected network segments. The
attack can also disable a Unix server by making it spend all its time processing packets
that it has echoed back to itself.
How to remove this
vulnerability
Disable the echo service if it is not being used.
Unix: Disable the echo service by commenting out the echo entry in the /etc/inetd.conf
file, then restarting the inetd process.
Windows: The echo service is not native to Windows, but may be present. To disable this
service:
1. Open the Services control panel. From the Windows NT Start menu, select Settings -->
Control Panel, then double-click Services.
2. Select the Simple TCP/IP Services service and click Stop.
3. Click Startup.
4. To permanently disable all of the Simple TCP/IP Services (echo, discard, daytime,
chargen, and quote of the day), select Disabled and click OK.
— OR —
If you only want to disable the echo service:
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may
cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. Open the registry editor. From the Windows NT Start menu, select Run. Type regedt32
and click OK.
2. Select the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SimpTcp\Parameters
key.
3. Set EnableTcpEcho and EnableUdpEcho to 0.
4. Restart the Simple TCP/IP service.
Novell:
Disable the echo port as described in Novell Technical Information Document #2946023:
1. Install NIAS4.0 or later.
2. Load INETCFG —> Protocols —> TCP/IP, and set filter support to ENABLED.
3. Load FILTCFG —> TCP/IP —> Packet Forwarding filters, and set the status to
ENABLED.
4. Verify that the action is Deny packets in filter list. Press ENTER on '(Filters: list of
denied packets)'.
5. Press INSERT and go to packet type: Name: <all>.
6. Press ENTER, find the port echo TCP 7.
7. Press ENTER, ESCAPE, save filters: YES.
References
CERT Advisory CA-1996-01
UDP Port Denial-of-Service Attack
http://www.cert.org/advisories/CA-1996-01.html
Novell Technical Information Document #2946023
TCPIP blocking ports (7, 9, 19, etc)
http://support.novell.com/cgi-bin/search/tidfinder.cgi?2946023
ISS X-Force
Echo service
http://xforce.iss.net/static/44.php
CVE
CVE-1999-0103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0103
ALMail POP3 overflow in SMTP processing code
(Email_Almail_Overflow)
About this
signature or
vulnerability
This signature detects a long SMTP header directed at the ALMail POP3 client.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: SR 1.1, RealSecure Server Sensor: 5.5.2
Systems affected
ALMail (AL-Mail32) POP3 mail client
Type
Unauthorized Access Attempt
Vulnerability
description
The ALMail POP3 client is vulnerable to a buffer overflow in the code that parses SMTP
message headers. By sending mail with an overly long From, To, or Reply-To header, an
attacker can overflow the buffer and execute arbitrary code on the client machine.
How to remove this
vulnerability
No remedy available as of September 2000.
References
Shadow Penguin Security
AL-Mail32 Version 1.10 Exploit for Windows98
http://shadowpenguin.backsection.net/advisories/old/ex_almail.c
ISS X-Force
ALMail POP3 overflow in SMTP processing code
http://xforce.iss.net/static/3541.php
CVE
CAN-1999-0673
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0673
AMaViS virus scanner allows arbitrary command execution as
root (Email_Amavis_Exec)
About this
signature or
vulnerability
This signature detects SMTP "MAIL FROM" commands containing specific characters,
which could indicate an attempt by an attacker to execute arbitrary commands on the
system by sending specially-crafted emails.
False negatives
RealSecure Network Sensor: A false negative is possible if the attacker's exploit string
includes a pipe character ("|"). In that case, RealSecure may report the event as an
smtppipe attack instead of this signature.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.3
Systems affected
AMaViS Virus Scanner: 0.2pre-4
Type
Suspicious Activity
Vulnerability
description
AMaViS is an email virus scanner for Linux systems. AMaViS version 0.2.0-pre4 could
allow a remote attacker to execute arbitrary commands on a system protected by AMaViS
by sending it a virus-infected email with specially crafted headers. When the AMaViS
scanner attempts to reply to the originator of the infected email, the commands embedded
in the email's headers are executed with the privileges of the scanner process, which
typically runs as root.
How to remove this
vulnerability
Upgrade to the latest version of AMaViS (0.2.0-pre5 or later), available from the AMaViS
Web site. See References.
References
BugTraq Mailing List, Fri Jul 16 1999 17:00:43
AMaViS virus scanner for Linux - root exploit
http://www.securityfocus.com/archive/1/18755
AMaViS Web site
AMaViS
http://aachalon.de/AMaViS/
ISS X-Force
AMaViS virus scanner allows arbitrary command execution as root
http://xforce.iss.net/static/2349.php
CVE
CAN-1999-1512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1512
SMTP in debug mode (Email_Debug)
False positives
RealSecure Network Sensor: An e-mail message containing the word "debug" in a line of
the SMTP session may trigger this signature even though no DEBUG command was issued.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Sendmail: Old Versions
Type
Unauthorized Access Attempt
Vulnerability
description
Sendmail was found in debug mode. Old versions of Sendmail accept a DEBUG command on
the SMTP port, which allows an attacker to gain access to the computer; in particular, an
attacker can use debug mode to obtain a root-level shell on the target host. This signature
looks for that command being issued to a Sendmail server that still allows debug mode.
How to remove this
vulnerability
Upgrade to the latest version of sendmail (5.59 or later), which does not implement the
DEBUG feature, as listed in CERT Advisory CA-1988-01. See References.
References
CERT Advisory CA-1993-14
Internet Security Scanner (ISS)
http://www.cert.org/advisories/CA-1993-14.html
Sendmail Consortium Web site
Sendmail Homepage
http://www.sendmail.org
CERT Advisory CA-1988-01
ftpd vulnerability
http://www.cert.org/advisories/CA-1988-01.html
ISS X-Force
SMTP in debug mode
http://xforce.iss.net/static/125.php
CVE
CVE-1999-0095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095
Sendmail decode/uudecode alias could allow remote file
creation (Email_Decode)
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5.2
Systems affected
Unix, Sendmail
Type
Unauthorized Access Attempt
Vulnerability
description
A common configuration for older mail transfer agents (MTAs) is to include an alias for
the decode user. All mail sent to this alias is piped to the uudecode program, which
automatically decodes and stores the attached file. A remote attacker can send mail to the
decode or uudecode alias present on some systems to create or overwrite files on the
remote host, which can give the attacker remote access to the system.
How to remove this
vulnerability
Disable mail aliases for decode and uudecode. If the /etc/aliases or /usr/lib/aliases (mail
alias) file contains entries for these programs, remove them or disable them by placing # at
the beginning of the line, and then executing the newaliases command. For more
information on Unix mail aliases, refer to the man page for aliases. Disabled aliases would
be similar to these examples:
# decode: |/usr/bin/uudecode
# uudecode: |/usr/bin/uuencode -d
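The Python below is an added example, not part of the original guide, that performs the check described above on an aliases file: it parses the file (comments, blank lines, padding, quoted targets and indented continuation lines), reports every alias that pipes mail into a program, singles out the decode/uudecode aliases, and produces the commented-out form the text recommends. The sample file is constructed for the illustration; the only path it assumes is the conventional /etc/aliases layout.

```python
"""Added example: audit an aliases file for the decode/uudecode aliases described above
(and any other alias that pipes mail into a program), then produce the disabled form
the guide recommends.  The sample file is constructed; it is not from a real host."""

# Constructed aliases file covering the cases a parser has to handle: comments,
# blank lines, padding, quoted targets and continuation lines.
SAMPLE_ALIASES = """\
# Basic system aliases -- these MUST be present
postmaster: root
MAILER-DAEMON: postmaster

# Legacy uudecode aliases (the dangerous ones)
decode: |/usr/bin/uudecode
uudecode:      |/usr/bin/uuencode -d

# An already-disabled copy is harmless
# decode: |/usr/bin/uudecode

# A distribution list with continuation lines; one target pipes to a program
staff: alice, bob,
       carol, "|/usr/local/bin/archive-mail"
webmaster: alice
"""

DECODE_ALIASES = {"decode", "uudecode"}
DECODE_PROGRAMS = {"uudecode", "uuencode"}


def _split_targets(s):
    """Split an alias's right-hand side on commas that are outside double quotes."""
    parts, buf, quoted = [], "", False
    for ch in s:
        if ch == '"':
            quoted = not quoted           # quotes delimit a target; they are not part of it
        elif ch == "," and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return [p.strip() for p in parts if p.strip()]


def parse_aliases(text):
    """Return {alias: [targets]} honouring comments, blank lines and indented continuations."""
    aliases, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            aliases[current].extend(_split_targets(raw))
            continue
        name, _, rest = raw.partition(":")
        current = name.strip().lower()
        aliases[current] = _split_targets(rest)
    return aliases


def audit_aliases(text):
    """Return (alias, target, reason) for every target that pipes mail into a program."""
    findings = []
    for name, targets in parse_aliases(text).items():
        for target in targets:
            if not target.startswith("|"):
                continue
            words = target[1:].split()
            program = words[0].rsplit("/", 1)[-1] if words else ""
            if name in DECODE_ALIASES or program in DECODE_PROGRAMS:
                findings.append((name, target, "uudecode alias: remote file creation (CVE-1999-0096)"))
            else:
                findings.append((name, target, "pipe alias: review the program it runs"))
    return findings


def disable_decode_aliases(text):
    """Comment out decode/uudecode entries (and their continuation lines), as the guide advises."""
    out, disabling = [], False
    for raw in text.splitlines():
        is_continuation = raw[:1] in (" ", "\t") and raw.strip()
        if not is_continuation:
            name = raw.partition(":")[0].strip().lower()
            disabling = bool(raw.strip()) and not raw.lstrip().startswith("#") and name in DECODE_ALIASES
        out.append("# " + raw if disabling else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for alias, target, reason in audit_aliases(SAMPLE_ALIASES):
        print(f"{alias:10} {target:35} {reason}")
    print(disable_decode_aliases(SAMPLE_ALIASES))
```

After writing the disabled file back, run newaliases so the MTA rebuilds its alias database; until then the old entries remain active. The staff finding is reported as well because any pipe alias runs a program on every message it receives and deserves the same review.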
References
CIAC Information Bulletin A-14
Additional information on the vulnerability in the UNIX DECODE alias
http://www.ciac.org/ciac/bulletins/a-14.shtml
CIAC Information Bulletin A-13
Vulnerability in DECODE alias
http://www.ciac.org/ciac/bulletins/a-13.shtml
Sun Microsystems, Inc. Security Bulletin #00122
New security patches for tar and sendmail
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/
122&type=0&nav=sec.sba
ISS X-Force
Sendmail decode/uudecode alias could allow remote file creation
http://xforce.iss.net/static/126.php
CVE
CVE-1999-0096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0096
SMTP daemon supports EHLO (Email_Ehlo)
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
SMTP servers
Type
Unauthorized Access Attempt
Vulnerability
description
SMTP daemons that support Extended HELO (EHLO) can release information that could
be useful to an attacker in performing an attack. Attackers have been known to use the
EHLO command to determine configuration information on SMTP daemons.
Internet Scanner users: This check may crash a Dmail Manager if the Dmail Manager is on
a subdomain.
How to remove this
vulnerability
Extended SMTP provides some useful features that basic SMTP does not support.
However, if you are uncomfortable with the information that the Extended SMTP features
can reveal, you may choose to disable EHLO on your mail server. Consult your mail
server documentation or contact your vendor for information on how to modify your mail
server configuration to disable EHLO.
References
Microsoft Exchange 5.5 Product Documentation
Disabling ESMTP Support
http://www.microsoft.com/Exchange/en/55/help/default.asp?url=/Exchange/en/
55/help/documents/server/XOG05031.HTM
ISS X-Force
SMTP daemon supports EHLO
http://xforce.iss.net/static/323.php
CVE
CAN-1999-0531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0531
Exchange Server Information Store (store.exe) denial of service
(Email_ExchangeStore_DoS)
About this
signature or
vulnerability
This signature detects an email containing a specially-crafted MIME header, which could
indicate an attacker's attempt to cause the Information Store service to fail and crash the
Exchange Server.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1, RealSecure Server Sensor: 6.5
Systems affected
Windows NT: 4.0, Microsoft Exchange: 5.5
Type
Denial of Service
Vulnerability description
Microsoft Exchange Server version 5.5 is vulnerable to a denial of service attack caused by
a vulnerability in the Information Store service (store.exe). An attacker can send a
multipart email whose MIME Content-Type header carries a null (empty) boundary string
to cause the Information Store service to fail and crash the Exchange Server. The service
must be stopped, and the offending email must be removed before the service is restarted.
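The header condition described above, as an added example of how a sensor or mail gateway can check for it. This is not RealSecure or Microsoft code; it scans the header block of a raw message for a multipart Content-Type whose boundary parameter is empty or absent. The two sample messages are constructed for the example.

```python
"""Header check for a multipart message with a null (empty) MIME boundary.

Added example, not RealSecure or Microsoft code.  The sample messages below
are constructed; everything else is plain header parsing.
"""
import re

_CTYPE = re.compile(r"^content-type:[ \t]*(.*)$", re.I | re.M)
# boundary="..." (quoted form) or boundary=token (bare form)
_BOUNDARY = re.compile(
    r'boundary[ \t]*=[ \t]*(?:"(?P<quoted>[^"]*)"|(?P<token>[^;\s]*))', re.I)


def unfold_headers(raw):
    """Return the header block with CRLF normalised and folded lines joined."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    return re.sub(r"\n[ \t]+", " ", head)


def has_null_boundary(raw):
    """True if a multipart Content-Type header carries an empty or missing boundary."""
    for ctype in _CTYPE.findall(unfold_headers(raw)):
        if not ctype.strip().lower().startswith("multipart/"):
            continue
        m = _BOUNDARY.search(ctype)
        if m is None:
            return True                       # multipart without any boundary
        value = m.group("quoted")
        if value is None:
            value = m.group("token")
        if value == "":
            return True                       # boundary="" or boundary=
    return False


# Constructed sample: a multipart message with a null boundary string ...
BAD_MESSAGE = (
    "From: attacker@remote.example.net\r\n"
    "To: victim@example.com\r\n"
    "Subject: test\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/mixed;\r\n"
    '\tboundary=""\r\n'
    "\r\n"
    "body\r\n"
)
# ... and the same message with a well-formed boundary.
GOOD_MESSAGE = BAD_MESSAGE.replace('boundary=""', 'boundary="----=_Part_0"')

if __name__ == "__main__":
    for name, msg in (("bad", BAD_MESSAGE), ("good", GOOD_MESSAGE)):
        print(name, "null boundary" if has_null_boundary(msg) else "ok")
```

The check unfolds continuation lines first, because the boundary parameter of a multipart header is routinely placed on a folded second line, as in the constructed sample.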
How to remove this vulnerability
Apply the latest Service Pack available for Exchange 5.5 (Service Pack 4 or later).
— OR —
Apply the patch for this vulnerability, as listed in Microsoft Security Bulletin MS00-082.
See References.
References
BugTraq Mailing List, Tue Sep 12 2000 08:30:48
Possible Exchange 5.5 Server DoS
http://www.securityfocus.com/archive/1/82334
Microsoft Security Bulletin MS00-082
Patch Available for "Malformed MIME Header" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-082.asp
Microsoft Security Bulletin MS00-082 FAQ
Microsoft Security Bulletin (MS00-082): Frequently Asked Questions
http://www.microsoft.com/technet/security/bulletin/fq00-082.asp
Microsoft Knowledge Base Article Q275714
XADM: Information Store Stops Unexpectedly with Multipart or Mixed Message and
Null Boundary String
http://www.microsoft.com/technet/support/kb.asp?ID=275714
ISS X-Force
Exchange Server Information Store (store.exe) denial of service
http://xforce.iss.net/static/5265.php
CVE
CAN-2000-1006
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1006
SMTP EXPN command (Email_Expn)
Additional Vulnerabilities Found
■ smtp-sendmail-version5
■ slmail-vrfyexpn-overflow
False positives
RealSecure Network Sensor: EXPN is a valid command, and false positive is possible for
legitimate use of the EXPN command.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
SMTP servers, Solaris: 2.5.1, Solaris: 2.6, HP-UX: 10.20, Solaris: 7, Red Hat Linux: 6.0,
Solaris: 8, AIX: 4.0, HP-UX: 11, Compaq: Tru64 UNIX
Type
Pre-attack Probe
Vulnerability description
SMTP-compliant mail servers that implement the EXPN (expand) command, such as Sendmail,
could allow an attacker to determine whether an account or mailing list exists on a system.
Such information could provide an attacker significant assistance in executing a brute
force attack on user accounts. EXPN returns additional information about users on the
system, such as whether particular users exist, their full names, and the membership of
aliases and mailing lists. This information could also assist an attacker in further attacks.
How to remove this vulnerability
If you are running Sendmail, add the line 'Opnoexpn' to your Sendmail configuration file,
usually located in /etc/sendmail.cf (newer sendmail 8.x releases write the same setting as
'O PrivacyOptions=noexpn', or 'confPRIVACY_FLAGS' in sendmail.mc). For other mail servers,
contact your vendor for information on how to disable the expand command.
—AND—
Upgrade to the latest version of Sendmail (8.11.4 or later), available from the Sendmail
Consortium Web site. See References.
—OR—
Apply the appropriate patch for your system, available from the Sendmail Consortium
FTP site. See References.
Solaris: 2.5.1
Add the option 'Opnoexpn' to the sendmail.cf file.
Solaris: 2.6
Add the option 'Opnoexpn' to the sendmail.cf file.
HP-UX: 10.20
Add the option 'Opnoexpn' to the sendmail.cf file.
Solaris: 7
Add the option 'Opnoexpn' to the sendmail.cf file.
Red Hat Linux: 6.0
Add the option 'Opnoexpn' to the sendmail.cf file.
Solaris: 8
Add the option 'Opnoexpn' to the sendmail.cf file.
AIX: 4.0
Add the option 'Opnoexpn' to the sendmail.cf file.
HP-UX: 11
Add the option 'Opnoexpn' to the sendmail.cf file.
Compaq: Tru64 UNIX
If you are running Sendmail, add the line 'Opnoexpn' to your Sendmail configuration file,
usually located in /etc/sendmail.cf. For other mail servers, contact your vendor for
information on how to disable the expand command. Upgrade to the latest version of
Sendmail (8.11.4 or later), available from the Sendmail Consortium Web site. See
References.
—OR—
Apply the appropriate patch for your system, available from the Sendmail Consortium
FTP site.
References
Sendmail Consortium Web site
Welcome to sendmail.org
http://www.sendmail.org/
Sendmail Consortium FTP site
FTP site
ftp://ftp.cs.berkeley.edu/ucb/sendmail/
ISS X-Force
SMTP EXPN command
http://xforce.iss.net/static/128.php
CVE
CAN-1999-0531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0531
SMTP EXPN buffer overflow can crash or obtain access (Email_Expn_Overflow)
Additional Vulnerabilities Found
■ smtp-sendmail-version5
■ slmail-vrfyexpn-overflow
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 3.1, RealSecure Server Sensor: 5.5
Systems affected
SMTP servers, SLMail: v2.6 and earlier, Mercury Mail Server, AppleShare IP Mail Server
Type
Suspicious Activity
Vulnerability description
Several freeware, shareware, and commercial SMTP servers contain buffer overflows.
Different SMTP commands can cause the SMTP server to crash or to execute arbitrary
byte-code that could lead to a system compromise. For example, the Seattle Lab SLMail
SMTP server contains overflows in the VRFY and EXPN commands. AppleShare, Stalker,
and Mercury SMTP servers contain overflows in the HELO command as well. Other
lesser-known SMTP servers may also contain overflows.
How to remove this vulnerability
Determine if your SMTP server is vulnerable to the attack and take appropriate actions
depending on the extent of your vulnerability.
Manually test for this vulnerability by connecting to port 25 on your computer and
sending the appropriate command (HELO, VRFY, or EXPN) followed by at least 1024 X's.
If the SMTP server returns an OK or an error message, then it is most likely not
vulnerable. If your connection closes immediately without a reply, then the system is most
likely vulnerable. Note that this test crashes a vulnerable server, so run it only against
servers you are authorized to test and outside production hours.
If your system is vulnerable, then it may have already been compromised. If the attack
was a denial of service attack, restart your SMTP server. Watch for further attacks from the
source address. If your system is not vulnerable, then this attack has not compromised it,
but it may be a sign of an attacker probing your network for vulnerabilities.
References
BugTraq Mailing List, Wed Mar 11 1998 17:44:56
SLMail 2.6 DoS
http://www.securityfocus.com/archive/1/8748
BugTraq Mailing List, Wed Apr 08 1998 04:10:25
smtp overflows
http://www.securityfocus.com/archive/1/8947
BugTraq Mailing List, Wed Apr 08 1998 13:34:09
Re: AppleShare IP Mail Server
http://www.securityfocus.com/archive/1/8951
BugTraq Mailing List, Wed Apr 08 1998 18:11:17
AppleShare IP Mail Server
http://www.securityfocus.com/archive/1/8952
Seattle Labs, Inc. Web site
SLMAIL
http://www.seattlelab.com/index.asp?page=http://www.seattlelab.com/slmail/*
ISS X-Force
SMTP EXPN buffer overflow can crash or obtain access
http://xforce.iss.net/static/888.php
CVE
CAN-1999-0531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0531
Email From (Email_From)
About this signature or vulnerability
This signature records the sender of an SMTP email message by looking for SMTP MAIL
FROM: messages. In combination with other email signatures, this signature can construct
a log of all email activity, including date, time, usernames, and the subject of the message.
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5.2
Systems affected
SMTP servers
Type
Protocol Signature
Vulnerability description
The Simple Mail Transfer Protocol (SMTP) uses specific commands to transfer mail. The
MAIL FROM: field identifies the user on the sending system.
How to remove this vulnerability
This activity can be examined for compliance with acceptable use policies, or for suspicion
of unauthorized disclosure of sensitive information.
References
ISS X-Force
Email From
http://xforce.iss.net/static/643.php
SMTP HELO buffer overflow can crash or obtain access (Email_Helo_Overflow)
Additional Vulnerabilities Found
■ smtp-exchangedos
■ slmail-helo-overflow
■ mailmax-bo
■ lotus-notes-helo-crash
■ mdaemon-helo-bo
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 3.1, RealSecure Server Sensor: 5.5
Systems affected
SMTP servers, SLMail: v2.6 and earlier, Mercury Mail Server, AppleShare IP Mail Server
Type
Suspicious Activity
Vulnerability description
Several freeware, shareware, and commercial SMTP servers contain buffer overflows.
Different SMTP commands can cause the SMTP server to crash or to execute arbitrary
byte-code that could lead to a system compromise. For example, the Seattle Lab SLMail
SMTP server software contains overflows in the VRFY and EXPN commands.
AppleShare, Stalker, and Mercury SMTP servers contain overflows in the HELO
command as well. Other lesser-known SMTP servers may also contain overflows.
How to remove this vulnerability
Determine if your SMTP server is vulnerable to the attack and take appropriate actions
depending on the extent of your vulnerability.
Manually test for this vulnerability by connecting to port 25 on your computer and
sending the appropriate command (HELO, VRFY, or EXPN), followed by at least 1024 X's.
If the SMTP server returns an OK or an error message, then it is most likely not
vulnerable. If your connection closes immediately without a reply, then the system is most
likely vulnerable. Note that this test crashes a vulnerable server, so run it only against
servers you are authorized to test and outside production hours.
If your system is vulnerable, then it may have already been compromised. If the attack
was a denial of service attack, restart your SMTP server. Watch for further attacks from the
source address. If your system is not vulnerable, then this attack has not compromised it,
but it may be a sign of an attacker probing your network for vulnerabilities.
References
BugTraq Mailing List, Wed Mar 11 1998 17:44:56
SLMail 2.6 DoS
http://www.securityfocus.com/archive/1/8748
BugTraq Mailing List, Wed Apr 08 1998 04:10:25
smtp overflows
http://www.securityfocus.com/archive/1/8947
BugTraq Mailing List, Wed Apr 08 1998 13:34:09
Re: AppleShare IP Mail Server
http://www.securityfocus.com/archive/1/8951
BugTraq Mailing List, Wed Apr 08 1998 18:11:17
AppleShare IP Mail Server
http://www.securityfocus.com/archive/1/8952
Seattle Labs, Inc. Web site
SLmail Overview
http://www.seattlelabs.com/slmail/
ISS X-Force
SMTP HELO buffer overflow can crash or obtain access
http://xforce.iss.net/static/886.php
CVE
CAN-1999-1504
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1504
Listserv buffer overflow allows execution of arbitrary code (Email_Listserv_Overflow)
About this signature or vulnerability
This signature detects a buffer overflow attack against the Listserv mailing list
management software.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5.2
Systems affected
Listserv
Type
Unauthorized Access Attempt
Vulnerability description
Listserv is a publicly available software package for managing mailing lists. Some
versions of Listserv are vulnerable to a buffer overflow. By sending a specially crafted
email to the listserv process, a remote attacker can overflow the buffer and execute
arbitrary code on the system on which Listserv is running, or crash the system.
How to remove this vulnerability
This vulnerability does not exist in the commercial ListServ package distributed by L-Soft.
Upgrade to the latest version of ListServ, available from the L-Soft Web site. See
References.
References
BugTraq Mailing List, Fri Jun 20 1997 10:03:11
listserv buffer overflow(s)
http://www.securityfocus.com/archive/1/7053
L-Soft Web site
E-Mail List Management Software and Hosting Services - L-Soft
http://www.lsoft.com/
ISS X-Force
Listserv buffer overflow allows execution of arbitrary code
http://xforce.iss.net/static/617.php
CVE
CVE-1999-0252
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0252
Microsoft Outlook date header buffer overflow (Email_Outlook_Date_Overflow)
About this signature or vulnerability
The Email_Outlook_Date_Overflow signature detects SMTP server traffic containing a
"Date:" line longer than 150 characters.
Configurable Parameters:
The length of the "Date:" line this signature detects can be configured in the Policy Editor
for Email_Outlook_Date_Overflow.
False positives
RealSecure Network Sensor: A false positive is possible if any line in an email sent by
SMTP contains the text "Date:" and is 150 characters long.
RealSecure Server Sensor: A false positive is possible if any line in an email sent by
SMTP contains the text "Date:" and is 70 characters long.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: SR 1.1, RealSecure Server Sensor: 5.5.2
Systems affected
Windows NT, Microsoft Outlook: 98, Microsoft Outlook Express: 5.0, Windows 2000,
Microsoft Outlook Express: 4.0, Microsoft Outlook: 2000, Microsoft Outlook: 97
Type
Unauthorized Access Attempt
Vulnerability description
Microsoft Outlook and Microsoft Outlook Express are vulnerable to a buffer overflow in
the inetcomm.dll component shared by both programs. By sending an email message with
a long date header value, using either the POP3 or IMAP4 protocol, a remote attacker can
overflow the buffer and execute arbitrary code on the system. The user does not have to
open the message for the attack to be successful. A malicious email can begin executing
code when it is retrieved from the server, before the user previews or opens the message.
Only the POP3 and IMAP4 Internet email protocols are affected by this vulnerability.
Microsoft Outlook also supports MAPI (Microsoft Messaging API), the protocol used
by Microsoft Exchange. Outlook users who retrieve mail using MAPI, and do not use
either POP3 or IMAP4, are not affected by this vulnerability.
How to remove this vulnerability
For Internet Explorer 5.01:
Apply the critical security patch, as listed in Microsoft Security Bulletin MS00-043. See
References.
For all other versions of Internet Explorer:
Upgrade to Internet Explorer 5.01 Service Pack 1 or Internet Explorer 5.5, as listed in
Microsoft Security Bulletin MS00-043. See References. (Windows 2000 users: Upgrading to
Internet Explorer 5.5 does not correct this vulnerability on Windows 2000 systems.)
Windows NT
Apply the "Malformed E-mail Header" patch detailed in Microsoft Security Bulletin
MS00-043
Windows 2000
Apply the "Malformed E-mail Header" patch detailed in Microsoft Security Bulletin
MS00-043
References
Microsoft Security Bulletin MS00-043
Patch Available for 'Malformed E-mail Header' Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS00-043.asp
Internet Security Systems Security Alert #57
Buffer Overflow in Microsoft Outlook and Outlook Express Mail Clients
http://xforce.iss.net/alerts/advise57.php
Underground Security Systems Research advisory USSR-2000050
Remotely Exploitable Buffer Overflow in Outlook 'Malformed E-mail MIME Header'
Vulnerability
http://www.ussrback.com/labs50.html
Microsoft TechNet
Microsoft Security Bulletin (MS00-043):Frequently Asked Questions
http://www.microsoft.com/technet/security/bulletin/fq00-043.asp
Microsoft Knowledge Base Article Q267884
E-mail Security Vulnerability Fixed in Internet Explorer 5.01 SP1
http://www.microsoft.com/technet/support/kb.asp?ID=267884
CIAC Information Bulletin K-060
Microsoft's Malformed E-Mail Header Vulnerability
http://www.ciac.org/ciac/bulletins/k-060.shtml
ISS X-Force
Microsoft Outlook date header buffer overflow
http://xforce.iss.net/static/4953.php
CVE
CVE-2000-0567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0567
Sendmail pipe attack (Email_Pipe)
False positives
RealSecure Network Sensor: Some e-mail messages that contain a pipe character could
appear to be this attack.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Sendmail: Old Versions
Type
Unauthorized Access Attempt
Vulnerability description
By inserting a pipe character into certain address fields of an email, an attacker can force
old versions of Sendmail to treat the rest of the field as a program to run on the mail
server. This behavior may result in a remote attacker being able to execute commands and
gain root access.
How to remove this vulnerability
Upgrade to the latest version of Sendmail (8.11.4 or later), available from the Sendmail
Consortium Web site. See References.
— OR —
Apply the appropriate patch for your system, available from the Sendmail Consortium
FTP site. See References.
References
Sendmail Consortium Web site
Sendmail FAQ
http://www.sendmail.org/faq
Sendmail Consortium FTP site
FTP site
ftp://ftp.cs.berkeley.edu/ucb/sendmail/
ISS X-Force
Sendmail pipe attack
http://xforce.iss.net/static/616.php
CVE
CAN-1999-0565
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0565
Qmail long SMTP command denial of service (Email_Qmail_Length)
About this signature or vulnerability
This signature detects an extremely long string (greater than 8000 characters) in an SMTP
command sent to a Qmail server.
False positives
RealSecure Network Sensor: It is possible that a very large email on a single line will
trigger this signature, but not represent an attack.
RealSecure Server Sensor: It is possible that a very large e-mail on a single line will
trigger this signature, but not represent an attack.
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5.2
Systems affected
Qmail: 1.01 and earlier
Type
Denial of Service
Vulnerability description
The Qmail server is vulnerable to a denial of service attack. An attacker can include an
extremely long string in an SMTP command sent to a qmail server to consume all memory
resources on the server and cause the server to crash.
How to remove this vulnerability
Upgrade to the latest version of qmail (1.03 or later), available from the qmail Web site.
See References.
References
Qmail Web site
qmail: a replacement for sendmail
http://www.qmail.org/top.html
ISS X-Force
Qmail long SMTP command denial of service
http://xforce.iss.net/static/207.php
Qmail email RCPT denial of service (Email_Qmail_Rcpt)
About this signature or vulnerability
This signature detects a message with an extremely large number of recipients (RCPTs)
directed at the Qmail server.
False positives
RealSecure Network Sensor: It is possible that a single email with a large number of
recipients (in excess of 65535) will trigger this signature, but not be an attack. This can be
useful in detecting spam e-mail sent to your site.
RealSecure Server Sensor: It is possible that a very large e-mail on a single line will
trigger this signature, but not represent an attack.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
Qmail: 1.01 and earlier
Type
Denial of Service
Vulnerability description
The qmail server is vulnerable to a denial of service attack. An attacker can send a message
with an extremely large number of RCPT TO: recipients to the Qmail server to consume all
memory resources on the server and crash the server. The number of RCPTs this signature
allows in a session before it fires is set by the signature's 'Threshold' advanced parameter;
the default value for this parameter is 65535.
How to remove this vulnerability
Upgrade to the latest version of qmail (1.03 or later), available from the qmail Web site.
See References.
References
Qmail Mailing List
qmail-dos-2.c, another denial of service attack
http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/msg00322.html
Qmail Web site
qmail: a replacement for sendmail
http://www.qmail.org/top.html
ISS X-Force
Qmail email RCPT denial of service
http://xforce.iss.net/static/208.php
Third-party mail relaying can be used to obfuscate the origin of emails (Email_Relay_Spam)
Additional Vulnerabilities Found
■ smtp-relay-uucp
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 3.1, RealSecure Server Sensor: 5.5.2
Systems affected
Sendmail, SMTP servers
Type
Suspicious Activity
Vulnerability description
Some SMTP servers support third-party or %-style mail relaying. Third-party mail
relaying occurs when a mail server processes a mail message where neither the sender nor
the recipient is local to the server's mail domain.
While third-party relaying has some legitimate purposes, such as allowing mail messages
to be routed around known mail problems, email hijackers (or spammers) primarily use it
to obscure their identity while sending large amounts of junk mail.
How to remove this vulnerability
Reconfigure your SMTP server to enforce that all mail messages must either originate or
terminate locally (on the mail host). Information on how to secure your mail system
against relaying is available from the "How Can I Fix the Problem?" document listed in the
references.
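The "originate or terminate locally" rule above, written out as an added example of a relay check; this is not RealSecure or Sendmail code. It decides whether one SMTP transaction (envelope MAIL FROM and RCPT TO) is a third-party relay for a server that handles the domains in LOCAL_DOMAINS, and it unwinds the two classic tricks that make a remote recipient look local: the %-hack (user%remote.example@local.example) and an RFC 821 source route (@local.example:user@remote.example). The domains and transactions are constructed for the example.

```python
"""Third-party relay check for one SMTP envelope.

Added example, not RealSecure or Sendmail code.  LOCAL_DOMAINS and
SAMPLE_TRANSACTIONS are constructed for the example.
"""


def delivery_hops(address):
    """Domains a message to `address` will travel through, in delivery order.
    An empty list means a bare local-part or the null sender <>."""
    addr = address.strip().strip("<>").lower()
    hops = []
    if addr.startswith("@") and ":" in addr:          # RFC 821 source route
        route, addr = addr.split(":", 1)
        hops.extend(h.strip().lstrip("@") for h in route.split(","))
    if "@" not in addr:
        return hops
    local_part, domain = addr.rsplit("@", 1)
    hops.append(domain)
    # %-hack: user%a%b@relay is forwarded by relay to b, then by b to a
    hops.extend(reversed(local_part.split("%")[1:]))
    return hops


def recipient_is_local(rcpt_to, local_domains):
    """Local only if every hop, including the final destination, is ours."""
    hops = delivery_hops(rcpt_to)
    return bool(hops) and all(h in local_domains for h in hops)


def sender_is_local(mail_from, local_domains):
    """Only the domain after '@' counts for the sender.  MAIL FROM is trivially
    forged, which is why production MTAs authorise relaying by client address
    or SMTP AUTH rather than by sender domain."""
    addr = mail_from.strip().strip("<>").lower()
    return "@" in addr and addr.rsplit("@", 1)[1] in local_domains


def is_third_party_relay(mail_from, rcpt_to, local_domains):
    """True when neither the sender nor the recipient is local."""
    local = {d.lower() for d in local_domains}
    return not (sender_is_local(mail_from, local) or
                recipient_is_local(rcpt_to, local))


LOCAL_DOMAINS = {"example.com", "mail.example.com"}

# Constructed envelope pairs: (MAIL FROM, RCPT TO)
SAMPLE_TRANSACTIONS = [
    ("<alice@example.com>", "<bob@remote.example.net>"),                         # outbound
    ("<carol@remote.example.net>", "<bob@example.com>"),                         # inbound
    ("<spammer@remote.example.net>", "<victim@other.example.org>"),              # plain relay
    ("<spammer@remote.example.net>", "<victim%other.example.org@example.com>"),  # %-hack
    ("<spammer@remote.example.net>", "<@example.com:victim@other.example.org>"), # source route
    ("<>", "<bob@example.com>"),                                                 # bounce to local user
]


def audit(transactions, local_domains=LOCAL_DOMAINS):
    """Return one True (relay) / False (acceptable) verdict per transaction."""
    return [is_third_party_relay(f, t, local_domains) for f, t in transactions]


if __name__ == "__main__":
    for (f, t), relay in zip(SAMPLE_TRANSACTIONS, audit(SAMPLE_TRANSACTIONS)):
        print("RELAY " if relay else "ok    ", f, "->", t)
```

The recipient test is deliberately strict: an address is treated as local only if every hop it names is local, so a %-hack or source route through the local server to an outside domain is still classed as a relay.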
References
Sendmail Consortium Web site
Anti-Spam Provisions in Sendmail 8.8
http://www.sendmail.org/antispam.html
Mail Abuse Protection System (MAPS)
MAPS, LLC home page
http://maps.vix.com
Scott Hazen Mueller Web site
Fight Spam on the Internet!
http://spam.abuse.net/
Anti-Relay: Stop Third-Party Mail Relay
How Can I Fix the Problem?
http://mail-abuse.org/tsi/ar-fix.html
CIAC Information Bulletin I-005c
E-Mail Spamming countermeasures: Detection and prevention of E-Mail spamming
http://www.ciac.org/ciac/bulletins/i-005c.shtml
ISS X-Force
Third-party mail relaying can be used to obfuscate the origin of emails
http://xforce.iss.net/static/210.php
CVE
CAN-1999-0512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0512
Email subject (Email_Subject)
About this signature or vulnerability
This signature records the subject of an SMTP email message by looking for the Subject:
header line in the message data. In combination with the other email signatures, this
signature can construct a log of all email activity, including date, time, usernames, and
the subject of the message.
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5.2
Systems affected
SMTP servers
Type
Protocol Signature
Vulnerability description
The Simple Mail Transfer Protocol (SMTP) uses specific commands to transfer mail. The
Subject: field is not an SMTP command but a header in the message data sent after the
DATA command; it carries the subject of the email.
How to remove this vulnerability
This activity can be examined for compliance with acceptable use policies, or for suspicion
of unauthorized disclosure of sensitive information.
References
ISS X-Force
Email subject
http://xforce.iss.net/static/644.php
Email to (Email_To)
About this signature or vulnerability
This signature records the receiver of an SMTP email message by looking for SMTP RCPT
TO: messages. In combination with the other email signatures, this signature can construct
a log of all email activity, including date, time, usernames, and the subject of the message.
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5.2
Systems affected
SMTP servers
Type
Protocol Signature
Vulnerability description
The Simple Mail Transfer Protocol (SMTP) uses specific commands to transfer mail. The
RCPT TO: command identifies a receiver of an SMTP email message. A large number of
RCPT TO: lines in a single SMTP transaction may indicate that the message is "spam"
(unsolicited bulk email sent to a large number of recipients).
How to remove this vulnerability
This activity can be examined for compliance with acceptable use policies, or for suspicion
of unauthorized disclosure of sensitive information.
References
ISS X-Force
Email to
http://xforce.iss.net/static/645.php
Avirt mail server allows remote users to create directories (Email_To_Dot_Dot)
About this signature or vulnerability
This signature detects email messages containing specially-crafted data in the RCPT TO:
field, which may indicate an attempt by an attacker to create arbitrary directories on the
mail server.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 2.3
Systems affected
Avirt Mail Server: 3.3a, Avirt Mail Server: 3.5
Type
Unauthorized Access Attempt
Vulnerability description
Avirt Mail Server versions 3.3a and 3.5 could allow a remote attacker to create arbitrary
directories anywhere on the mail server. A remote attacker could send a specially-crafted
email to create a directory at any location on the mail server.
How to remove this vulnerability
No remedy available as of March 2001.
References
BugTraq Mailing List, Tue Nov 02 1999 08:12:41
Avirt Mail Server 3.3a or 3.5 remotely exploitable buffer overflow vulnerability
http://www.securityfocus.com/archive/1/33318
ISS X-Force
Avirt mail server allows remote users to create directories
http://xforce.iss.net/static/3432.php
SMTP TURN command reverses connections (Email_Turn)
False positives
RealSecure Network Sensor: E-mail content containing the "turn" string in the proper
configuration can trigger this signature inappropriately. Since only particularly old
versions of Sendmail are vulnerable to this attack, an E-Mail Turn event is likely to be a
false positive.
RealSecure Server Sensor: E-mail content containing the "turn" string in the proper
configuration can trigger this signature inappropriately. Since only very old versions of
Sendmail are vulnerable to this attack, an E-Mail Turn event is likely to be a false
positive.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
SMTP servers
Type
Protocol Signature
Vulnerability description
The SMTP TURN command described in RFC 821 allows an SMTP session to be "turned
around" so the server can then send any mail it has to the caller, avoiding the need for a
separate TCP connection. However, since there is no way to truly verify the identity of the
caller, this could be used by an attacker to pick up mail intended for other hosts.
How to remove this vulnerability
This command is often unimplemented in modern servers, but if it is found to exist in
yours you should disable it.
References
Request for Comment document RFC 821
Simple Mail Transfer Protocol
http://www.sendmail.org/rfc/0821.html
ISS X-Force
SMTP TURN command reverses connections
http://xforce.iss.net/static/1227.php
SMTP verify (VRFY) command can be used to validate users (Email_Vrfy)
Additional Vulnerabilities Found
■ smtp-sendmail-version5
■ slmail-vrfyexpn-overflow
False positives
RealSecure Network Sensor: VRFY is a valid command, and a false positive is possible for
legitimate use of the VRFY command.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
SMTP servers, Solaris: 2.5.1, Solaris: 2.6, HP-UX: 10.20, Solaris: 7, Red Hat Linux: 6.0,
Solaris: 8, AIX: 4.0, HP-UX: 11, Compaq: Tru64 UNIX
Type
Pre-attack Probe
Vulnerability description
The SMTP VRFY command is enabled. The VRFY (Verify) command allows an attacker to
determine if an account exists on a system, providing significant assistance to a brute force
attack on user accounts. VRFY provides additional information about users on the system,
such as if they exist and their full names. This information can be useful in further attacks.
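The account-probing behaviour described here and under SMTP EXPN command (Email_Expn), as an added detection example; this is not RealSecure code. It replays a captured SMTP dialogue (client lines prefixed "C:", server lines "S:") and separates a single legitimate lookup from an enumeration run by counting distinct targets and reading the server's reply to each probe: 250 confirms the user or list (a hit), a 5xx reply other than 502 denies it (a miss), 252 means the server declined to say, and 502 means the command is disabled. The transcript format and both transcripts are constructed for the example; the replies in the hardened transcript are the ones sendmail gives with novrfy and noexpn set.

```python
"""VRFY/EXPN enumeration detector over an SMTP transcript.

Added example, not RealSecure code.  The 'C:'/'S:' transcript format and the
two sample sessions are constructed for the example.
"""
import re

_PROBE = re.compile(r"(VRFY|EXPN)\s+(\S+)", re.I)


def parse_session(transcript):
    """Yield ('C' or 'S', text) for each 'C: ...' / 'S: ...' line."""
    for line in transcript.splitlines():
        line = line.strip()
        if line[:2] in ("C:", "S:"):
            yield line[0], line[2:].strip()


def analyze_probes(transcript, max_lookups=3):
    """Summarise VRFY/EXPN use in one session; 'enumeration' above max_lookups targets."""
    pending = None
    summary = {"lookups": 0, "hits": [], "misses": [],
               "unverified": 0, "disabled": 0}
    targets = set()
    for direction, text in parse_session(transcript):
        if direction == "C":
            m = _PROBE.match(text)
            pending = (m.group(1).upper(), m.group(2)) if m else None
            continue
        if pending is None:
            continue                     # continuation lines or unrelated replies
        cmd, target = pending
        pending = None
        code = text[:3]
        summary["lookups"] += 1
        targets.add(target)
        if code == "250":
            summary["hits"].append((cmd, target))
        elif code == "252":
            summary["unverified"] += 1   # server will not say; no information leaked
        elif code == "502":
            summary["disabled"] += 1     # command disabled (e.g. sendmail noexpn)
        elif code.startswith("5"):
            summary["misses"].append((cmd, target))
    summary["distinct_targets"] = sorted(targets)
    if len(targets) > max_lookups:
        summary["verdict"] = "enumeration"
    elif targets:
        summary["verdict"] = "lookup"
    else:
        summary["verdict"] = "none"
    return summary


# Constructed transcript of a probe against a server that answers VRFY/EXPN.
PROBE_SESSION = """\
S: 220 mail.example.com ESMTP
C: HELO probe.example.net
S: 250 mail.example.com Hello probe.example.net
C: VRFY root
S: 250 root <root@mail.example.com>
C: VRFY admin
S: 550 admin... User unknown
C: EXPN staff
S: 250-Alice Smith <alice@mail.example.com>
S: 250 Bob Jones <bob@mail.example.com>
C: VRFY guest
S: 550 guest... User unknown
C: VRFY postmaster
S: 250 Postmaster <postmaster@mail.example.com>
C: QUIT
S: 221 Bye
"""

# Constructed transcript of the same probe against a server with novrfy,noexpn.
HARDENED_SESSION = """\
S: 220 mail.example.com ESMTP
C: VRFY root
S: 252 Cannot VRFY user; try RCPT to attempt delivery (or try finger)
C: EXPN staff
S: 502 Sorry, we do not allow this operation
C: QUIT
S: 221 Bye
"""

if __name__ == "__main__":
    for name, session in (("open", PROBE_SESSION), ("hardened", HARDENED_SESSION)):
        print(name, analyze_probes(session))
```

The hits and misses lists are what make a session worth escalating: a server that answers 252 or 502 to every probe has leaked nothing, even though the sensor still sees VRFY and EXPN commands on the wire.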
How to remove this vulnerability
If you are running Sendmail, add the line Opnovrfy to your Sendmail configuration file,
usually located in /etc/sendmail.cf (newer sendmail 8.x releases write the same setting as
'O PrivacyOptions=novrfy', or 'confPRIVACY_FLAGS' in sendmail.mc). For other mail servers,
contact your vendor for information on how to disable the verify command.
Upgrade to the latest version of Sendmail (8.11.3 or later), available from the Sendmail
Consortium Web site. See References.
Solaris: 2.5.1
Add the option 'Opnovrfy' to your sendmail.cf file.
Solaris: 2.6
Add the option 'Opnovrfy' to your sendmail.cf file.
HP-UX: 10.20
Add the option 'Opnovrfy' to your sendmail.cf file.
Solaris: 7
Add the option 'Opnovrfy' to your sendmail.cf file.
Red Hat Linux: 6.0
Add the option 'Opnovrfy' to your sendmail.cf file.
Solaris: 8
Add the option 'Opnovrfy' to your sendmail.cf file.
AIX: 4.0
Add the option 'Opnovrfy' to your sendmail.cf file.
HP-UX: 11
Add the option 'Opnovrfy' to your sendmail.cf file.
Compaq: Tru64 UNIX
If you are running Sendmail, add the line Opnovrfy to your Sendmail configuration file,
usually located in /etc/sendmail.cf. For other mail servers, contact your vendor for
information on how to disable the verify command.
Upgrade to the latest version of Sendmail (8.11.3 or later), available from the Sendmail
Consortium Web site.
References
Sendmail Consortium Web site
Sendmail FAQ
http://www.sendmail.org/faq
Sendmail Consortium Web site
Latest software version
http://www.sendmail.org
Sendmail Consortium FTP site
Latest software version
ftp://ftp.cs.berkeley.edu/ucb/sendmail
ISS X-Force
SMTP verify (VRFY) command can be used to validate users
http://xforce.iss.net/static/130.php
CVE
CAN-1999-0531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0531
SMTP VRFY buffer overflow can crash or obtain access (Email_Vrfy_Overflow)
Additional Vulnerabilities Found
■ smtp-sendmail-version5
■ slmail-vrfyexpn-overflow
False positives
RealSecure Network Sensor: There are legitimate uses for VRFY during e-mail. You
should use this attack signature carefully. You may want to record all VRFY requests and
then analyze them off line for indications that your network is being probed.
RealSecure Server Sensor: There are legitimate uses for VRFY during e-mail. You should
use this attack signature carefully. You may want to record all VRFY requests and then
analyze them off line for indications that your network is being probed.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 3.1, RealSecure Server Sensor: 5.5
Systems affected
SMTP servers, SLMail: v2.6 and earlier, Mercury Mail Server, AppleShare IP Mail Server
Type
Unauthorized Access Attempt
Vulnerability description
Several freeware, shareware, and commercial SMTP servers contain buffer overflows.
Different SMTP commands can cause the SMTP server to crash or to execute arbitrary
byte-code that could lead to a system compromise. For example, the Seattle Lab SLMail
SMTP server contains overflows in the VRFY and EXPN commands. AppleShare, Stalker,
and Mercury SMTP servers contain overflows in the HELO command as well. Other
lesser-known SMTP servers may also contain overflows.
How to remove this vulnerability
Determine if the SMTP server is vulnerable to the attack and take appropriate actions
depending on the extent of the vulnerability.
Test for this vulnerability by connecting to port 25 on the system and sending the
appropriate command (HELO, VRFY, or EXPN) followed by at least 1024 X's. If the SMTP
server returns an OK or an error message, then this system is most likely not vulnerable.
If the connection closes immediately without a reply, then the system is likely vulnerable.
Note that this test crashes a vulnerable server, so run it only against systems you are
authorized to test and outside production hours.
If the system is vulnerable, it may have already been compromised. If the attack was a
denial of service attack, restart the SMTP server and watch for further attacks from the
source address. If the system is not vulnerable, then this attack has not compromised it.
However, the attack may be a sign of an attacker probing the network for other
vulnerabilities.
To remove this vulnerability, disable the VRFY command on the mail server. This will not
affect your system's ability to receive or send email.
References
BugTraq Mailing List, Wed Mar 11 1998 17:44:56
SLMail 2.6 DoS
http://www.securityfocus.com/archive/1/8748
BugTraq Mailing List, Wed Apr 08 1998 04:10:25
smtp overflows
http://www.securityfocus.com/archive/1/8947
BugTraq Mailing List, Wed Apr 08 1998 13:34:09
Re: AppleShare IP Mail Server
http://www.securityfocus.com/archive/1/8951
BugTraq Mailing List, Wed Apr 08 1998 18:11:17
AppleShare IP Mail Server
http://www.securityfocus.com/archive/1/8952
Seattle Labs, Inc. Web site
SLmail Overview
http://www.seattlelabs.com/slmail/
ISS X-Force
SMTP VRFY buffer overflow can crash or obtain access
http://xforce.iss.net/static/887.php
CVE
CAN-1999-0531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0531
Sendmail wizard (WIZ) backdoor allows anonymous remote root access (Email_WIZ)
False positives
RealSecure Network Sensor: E-mail content containing the 'wiz' string could appear to be
this attack.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Sendmail: Old Versions
Type
Unauthorized Access Attempt
Vulnerability description
Very old installations of the Sendmail mailing system contained a feature that allows a
remote attacker connecting to the SMTP port to enter the "WIZ" command and be given
an interactive shell with root privileges.
How to remove this vulnerability
If the WIZ command is enabled on Sendmail, it should be disabled by adding this line to
the sendmail.cf configuration file (note that it must be typed in uppercase).
OW*
For the change to take effect, kill the Sendmail process, refreeze the sendmail.cf file, and
restart the Sendmail process.
References
CERT Advisory CA-1993-14
Internet Security Scanner (ISS)
http://www.cert.org/advisories/CA-1993-14.html
Sendmail Consortium Web site
Sendmail Homepage
http://www.sendmail.org
Dan Farmer and Wietse Venema
Improving the Security of Your Site by Breaking Into it
http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html
ISS X-Force
Sendmail wizard (WIZ) backdoor allows anonymous remote root access
http://xforce.iss.net/static/131.php
CVE
CVE-1999-0145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0145
Microsoft Exchange Server SMTP and NNTP denial of service (Email_Xchg_Auth)
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 3.1, RealSecure Server Sensor: 5.5.2
Systems affected
Microsoft Exchange: 5.0, Microsoft Exchange: 5.5
Type
Denial of Service
Vulnerability description
Microsoft Exchange Server 5.0 and 5.5 are vulnerable to a denial of service attack caused
by a buffer overflow in multiple commands (HELO, RCPT TO, and MAIL FROM). A remote
attacker who triggers this overflow can crash the server and, under some circumstances,
possibly execute arbitrary code on the system.
This attack will stop email and other services that Exchange provides. However, the attack
itself does not directly have any impact on the integrity of data stored by the Exchange
Server.
How to remove this vulnerability
For Microsoft Exchange 5.5:
Apply Exchange 5.5 Service Pack 1 or later, as listed in Microsoft Security Bulletin
MS98-007. See References.
For Microsoft Exchange 5.0:
Apply the appropriate hotfix for your system, as listed in Microsoft Security Bulletin
MS98-007. See References.
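As an added example (not code from the ISS guide), the following Python script applies the conditions described in the Email_Vrfy_Overflow and Email_Xchg_Auth entries to a recorded SMTP session: it records every VRFY or EXPN request for offline review, as the false-positives note recommends, and flags any HELO, EHLO, VRFY, EXPN, MAIL FROM or RCPT TO argument of 1024 bytes or more. The session transcript, the 1024-byte threshold taken from the manual test, and the inclusion of EHLO are this example's own choices.

```python
"""Added example, not code from the ISS guide: review the client side of an
SMTP session for the conditions described in the Email_Vrfy_Overflow and
Email_Xchg_Auth entries.

Two findings are produced per command line:
  - "probe": any VRFY or EXPN request, so it can be recorded and reviewed
    offline as the false-positives note recommends
  - "overflow": a HELO/EHLO/VRFY/EXPN/MAIL FROM/RCPT TO argument of at
    least OVERFLOW_LEN bytes, the 1024-byte figure used by the manual test
SAMPLE_SESSION is a constructed transcript, not a real capture.
"""
import re
from typing import List, Optional, Tuple

OVERFLOW_LEN = 1024   # threshold taken from the manual test in the text

# Commands named in the two entries (EHLO added as HELO's ESMTP form).
# MAIL FROM / RCPT TO carry their argument after a colon, so an optional
# colon is consumed before the argument is captured.
_CMD_RE = re.compile(
    r"^(?P<verb>HELO|EHLO|VRFY|EXPN|MAIL\s+FROM|RCPT\s+TO)\s*:?\s*(?P<arg>.*)$",
    re.IGNORECASE,
)


def classify_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (normalized verb, finding tags) for one client line, or None
    when the line is not one of the commands of interest."""
    m = _CMD_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    verb = " ".join(m.group("verb").upper().split())
    arg = m.group("arg")
    tags = []
    if verb in ("VRFY", "EXPN"):
        tags.append("probe")
    # Measure octets, not characters: that is what the server's buffer holds
    if len(arg.encode("utf-8", "surrogateescape")) >= OVERFLOW_LEN:
        tags.append("overflow")
    return verb, tags


def scan_session(lines) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, verb, tags) for every line with a finding."""
    findings = []
    for n, line in enumerate(lines, 1):
        result = classify_line(line)
        if result and result[1]:
            findings.append((n, result[0], result[1]))
    return findings


SAMPLE_SESSION = [   # constructed client commands; server replies omitted
    "HELO mail.example.test",
    "VRFY postmaster",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "VRFY " + "X" * 1024,
    "QUIT",
]

if __name__ == "__main__":
    for n, verb, tags in scan_session(SAMPLE_SESSION):
        print("line %d: %s -> %s" % (n, verb, ", ".join(tags)))
```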
References
Internet Security Systems Security Alert #04
Denial of Service attacks against Microsoft Exchange 5.0 to 5.5
http://xforce.iss.net/alerts/advise4.php
CIAC Information Bulletin I-080
Microsoft Exchange Denial of Service Attacks
http://ciac.llnl.gov/ciac/bulletins/i-080.shtml
Microsoft Security Bulletin MS98-007
Potential SMTP and NNTP Denial-of-Service Vulnerabilities in Microsoft Exchange
Server
http://www.microsoft.com/technet/security/bulletin/ms98-007.asp
Microsoft Knowledge Base Article Q188369
XADM: AUTHINFO Command Causes Information Store Problems
http://support.microsoft.com/support/kb/articles/q188/3/69.asp
Microsoft Knowledge Base Article Q188341
XFOR: AUTH and EHLO Commands Cause Internet Mail Service to Stop
http://support.microsoft.com/support/kb/articles/q188/3/41.asp
Microsoft Web site
Microsoft Servers - Exchange Server Home
http://www.microsoft.com/exchange/
Microsoft Knowledge Base Article Q169174
XFOR: IMS Halts if RFC821 Address Over 1k in Size is Received
http://support.microsoft.com/support/kb/articles/q169/1/74.asp
ISS X-Force
Microsoft Exchange Server SMTP and NNTP denial of service
http://xforce.iss.net/static/1223.php
CVE
CAN-1999-1043
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1043
RealSecure event collector error message (EventCollector_Error)
About this signature or vulnerability
This signature detects a RealSecure event collector error message, which may indicate that
the event collector has stopped functioning.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 6.0
Systems affected
RealSecure
Type
Protocol Signature
Vulnerability description
The RealSecure event collector notifies the console when significant events occur that
relate to the event collector's operation. There are three types of events that may be
reported by the event collector: Error, Warning, and Information. Error events indicate
that the event collector may have stopped functioning, and they should be investigated
immediately.
The specific error message will give further details about the problem and how it may
have affected the event collector. If the error applies to only one subsystem of the event
collector, it is possible that the event collector may continue to function; however, a
RealSecure administrator should inspect the system to verify that it is functioning
properly.
How to remove this vulnerability
Verify that the Event Collector is functioning properly. Correct any problems with the
Event Collector as appropriate.
More information about common RealSecure error messages is available in the SAFEsuite
Support Knowledgebase. See References.
References
Internet Security Systems, Inc.
SAFEsuite Support Knowledgebase
http://www.iss.net/customer_care/knowledgebase/
ISS X-Force
RealSecure event collector error message
http://xforce.iss.net/static/6469.php
RealSecure Event Collector information message (EventCollector_Info)
About this signature or vulnerability
This signature detects a RealSecure event collector information message, which may
provide useful information about normal event collector operations.
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: 6.0
Systems affected
RealSecure
Type
Protocol Signature
Vulnerability description
The RealSecure event collector notifies the console when significant events occur that
relate to the event collector's operation. There are three types of events that may be
reported by the event collector: Error, Warning, and Information. Information events are
usually status messages about normal system operation that are helpful for logging but do
not require individual attention.
The specific information message will give further details about the event. Information
messages are often associated with services initializing and other successful operations.
While these types of activities do not require any immediate intervention, they often
contain useful information, and a RealSecure administrator may want to track these
events for logging purposes.
How to remove this vulnerability
No action is needed to respond to Information event messages, because they are a part of
normal event collector operation.
More information about common RealSecure information messages is available in the
SAFEsuite Support Knowledgebase. See References.
References
Internet Security Systems, Inc.
SAFEsuite Support Knowledgebase
http://www.iss.net/customer_care/knowledgebase/
ISS X-Force
RealSecure Event Collector information message
http://xforce.iss.net/static/6470.php
RealSecure event collector warning message (EventCollector_Warning)
About this signature or vulnerability
This signature detects RealSecure event collector warning messages, which may indicate
that a minor problem has occurred with the event collector.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 6.0
Systems affected
RealSecure
Type
Protocol Signature
Vulnerability description
The RealSecure event collector notifies the console when significant events occur that
relate to the event collector's operation. There are three types of events that may be
reported by the event collector: Error, Warning, and Information. Warning events are
usually status messages about minor problems encountered by the event collector that do
not need immediate attention.
The specific warning message will give further details about the problem and how it may
have affected the event collector. Warning messages are typically associated with
recoverable problems that do not cause a loss of functionality or data; however, a
RealSecure administrator may want to inspect the system to verify that it is functioning
properly.
How to remove this vulnerability
Verify that the event collector is functioning properly. Correct any problems with the
event collector as appropriate.
More information about common RealSecure warning messages is available in the
SAFEsuite Support Knowledgebase. See References.
References
Internet Security Systems, Inc.
SAFEsuite Support Knowledgebase
http://www.iss.net/customer_care/knowledgebase/
ISS X-Force
RealSecure event collector warning message
http://xforce.iss.net/static/6471.php
Event Horizon backdoor for Windows (EventHorizon)
About this signature or vulnerability
This signature detects a TCP connection on port 4488 to an Event Horizon backdoor on
your network.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: XPU 2.1
Systems affected
Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability description
The Event Horizon backdoor is one of many backdoor programs that attackers can use to
access your computer system without your knowledge or consent. With the Event
Horizon backdoor, an attacker can do the following:
● execute arbitrary programs
● hijack passwords
● manipulate the current user's Windows session
The Event Horizon backdoor listens on TCP port 4488 for a remote client (an attacker) to
connect. Once connected, an attacker can begin sending commands to the host system.
How to remove this vulnerability
To remove the Event Horizon backdoor from your computer, restart the computer. Unlike
many backdoor programs, the Event Horizon backdoor does not add itself to the
computer's registry or system files and does not start automatically.
References
ISS X-Force
Event Horizon backdoor for Windows
http://xforce.iss.net/static/5389.php
EvilFTP backdoor FTP server for Windows (EvilFTP_Backdoor)
About this signature or vulnerability
This signature detects a TCP connection on port 23456 to an EvilFTP backdoor on your
network.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 6.5
Systems affected
Windows NT, Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability description
The EvilFTP backdoor is one of many backdoor programs that attackers can use to access
your computer system without your knowledge or consent. When the program
containing the trojan is run, EvilFTP installs an FTP server on port 12346 with the login
"yo" and the password "connect." With the EvilFTP backdoor, an attacker can upload and
download files from the system on which it was installed.
How to remove this vulnerability
To remove EvilFTP from your computer:
For Windows 95 and Windows 98:
In win.ini, delete the line run=c:\windows\system\msrun.exe.
For Windows NT:
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may
cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. Using Regedit, find and delete the HKCU\Software\Microsoft\Windows NT\Windows\run=msrun.exe registry key.
2. Remove Msrun.exe from the Windows system directory.
References
Internet Security Systems Security Alert #30
Windows Backdoor Update III
http://xforce.iss.net/alerts/advise30.php
PestPatrol Web site
EvilFTP
http://safersite.com/PestInfo/E/EvilFTP.asp
ISS X-Force
EvilFTP backdoor FTP server for Windows
http://xforce.iss.net/static/2310.php
Windows event log file corrupted (evt_logcorrupt)
About this signature or vulnerability
This signature detects a Windows event log message indicating that the Windows event
log has been corrupted and will be cleared.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: XPU 1.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT, Windows 2000
Type
Host Sensor
Vulnerability description
The Eventlog service for Windows NT and Windows 2000 is part of the core Windows
operating system and is maintained by the operating system itself. Corruption of any
Windows event log should be an infrequent event and should be considered highly
suspicious.
If a Windows event log is cleared, all previously recorded event messages will be lost. This
limits the ability to trace events prior to the clearing of the event log.
The corruption of a Windows event log could be caused by a Windows operating system
error, or it could be an indication that an attacker has accessed the Windows system
directory.
How to remove this vulnerability
Ensure that the Windows system directory is not corrupted and that the Windows
operating system is functioning properly. Verify that security permissions for Windows
event logs and the system directory are configured so that only intended security
principals are granted access.
References
Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
http://www.microsoft.com/technet/winnt/Winntas/manuals/concept/xcp09.asp
ISS X-Force
Windows event log file corrupted
http://xforce.iss.net/static/4670.php
Windows event log full (evt_logfull)
About this signature or vulnerability
This signature detects a Windows event log message indicating that the Windows event
log is full.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: XPU 1.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT, Windows 2000
Type
Host Sensor
Vulnerability description
When a Windows event log reaches its maximum size, new events associated with that
part of the operating system can no longer be recorded in the event log until the event log
is cleared or the log size is increased.
If a Windows event log becomes full, the operating system loses tracing capability for the
operating system functions affected. This could compromise computer security, especially
if the security log is full.
Each Windows event log should be configured to contain at least two weeks of messages.
This permits important events to be retained for tracing and debugging purposes.
Possible causes of Windows event logs becoming full frequently may include the
following:
● limited log file size
● operating system or application failure
● attacker activity directed at the Windows operating system
How to remove this vulnerability
Ensure that the operating system and all applications are functioning properly. Investigate
for evidence of tampering of the system.
Increase the Windows event log size and adjust event log wrapping options if necessary.
See below.
To increase the event log size:
For Windows NT:
1. Open the Windows NT Event Viewer. From the Windows NT Start menu, select
Programs, Administrative Tools (Common), Event Viewer.
2. From the Log menu, select Log Settings.
3. Select the event log of interest.
4. In the Maximum Log Size field, increase the maximum size of the event log.
For Windows 2000:
1. Open the Windows 2000 Event Viewer. From the Windows Start menu, select Settings
—> Control Panel, double-click Administrative Tools, and then double-click Event
Viewer.
2. In the Event Viewer Tree, select the log of interest.
3. From the Action menu, select Properties.
4. In the Maximum Log Size field, increase the maximum size of the event log.
To modify event log wrapping options for the Windows event log:
For Windows NT:
1. Open the Windows NT Event Viewer. From the Windows NT Start menu, select
Programs, Administrative Tools (Common), Event Viewer.
2. From the Log menu, select Log Settings.
3. Select the event log of interest.
4. In the Event Log Wrapping group box, select "Overwrite events older than," and set
the value to 14 days or greater.
For Windows 2000:
1. Open the Windows 2000 Event Viewer. From the Windows Start menu, select Settings
—> Control Panel, double-click Administrative Tools, and then double-click Event
Viewer.
2. In the Event Viewer Tree, select the log of interest.
3. From the Action menu, select Properties.
4. In the Log Size group box, select "Overwrite events older than," and set the value to 14
days or greater.
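The Event Viewer steps above set two values that Windows keeps in the registry for each classic log. As an added example that is not from the ISS guide, the following Python script evaluates those values against the 14-day policy for the Application, Security and System logs. The registry location and value meanings are standard Windows behaviour; the sample values and the 1 MB size floor are this example's own assumptions.

```python
r"""Added example, not from the ISS guide: check classic Windows event log
settings against the policy stated above (each log should hold at least two
weeks of events).

Windows keeps each log's settings under
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<LogName>:
  MaxSize    (REG_DWORD, bytes)   the "Maximum Log Size" field
  Retention  (REG_DWORD, seconds) 0 means "Overwrite events as needed",
             0xFFFFFFFF means "Do not overwrite events", anything else is
             the "Overwrite events older than N days" value in seconds
SAMPLE_SETTINGS is constructed; read_registry_settings() reads the live
values when run on Windows. The 1 MB size floor is an assumption of this
example, not a figure from the guide.
"""
from typing import Dict, List, Optional

NEVER_OVERWRITE = 0xFFFFFFFF
MIN_RETENTION_DAYS = 14        # "14 days or greater" from the steps above
MIN_MAX_SIZE = 1024 * 1024     # assumed floor; the guide gives no number


def evaluate_log(max_size: int, retention: int,
                 min_days: int = MIN_RETENTION_DAYS,
                 min_size: int = MIN_MAX_SIZE) -> List[str]:
    """Return finding codes for one log; an empty list means the policy is met."""
    findings = []
    if retention == 0:
        # events are discarded as soon as the log is full, however recent they are
        findings.append("OVERWRITE_AS_NEEDED")
    elif retention == NEVER_OVERWRITE:
        # nothing is overwritten, but the log stops recording when full (evt_logfull)
        findings.append("NEVER_OVERWRITE_MAY_FILL")
    elif retention < min_days * 86400:
        findings.append("RETENTION_UNDER_%d_DAYS" % min_days)
    if max_size < min_size:
        findings.append("MAX_SIZE_BELOW_FLOOR")
    return findings


def evaluate_all(settings: Dict[str, Dict[str, int]]) -> Dict[str, List[str]]:
    """Evaluate every log in a {name: {"MaxSize": .., "Retention": ..}} mapping."""
    return {name: evaluate_log(v["MaxSize"], v["Retention"])
            for name, v in settings.items()}


def read_registry_settings(log_names=("Application", "Security", "System")
                           ) -> Optional[Dict[str, Dict[str, int]]]:
    """Read the live values on Windows; return None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    settings = {}
    for name in log_names:
        path = r"SYSTEM\CurrentControlSet\Services\EventLog\%s" % name
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            max_size, _ = winreg.QueryValueEx(key, "MaxSize")
            retention, _ = winreg.QueryValueEx(key, "Retention")
        settings[name] = {"MaxSize": max_size, "Retention": retention}
    return settings


SAMPLE_SETTINGS = {   # constructed values, in the registry's own units
    "Application": {"MaxSize": 524288,   "Retention": 7 * 86400},   # 512 KB, 7 days
    "Security":    {"MaxSize": 16777216, "Retention": 14 * 86400},  # 16 MB, 14 days
    "System":      {"MaxSize": 4194304,  "Retention": 0},           # 4 MB, as needed
}

if __name__ == "__main__":
    live = read_registry_settings()
    for name, findings in evaluate_all(live or SAMPLE_SETTINGS).items():
        print("%-12s %s" % (name, ", ".join(findings) or "ok"))
```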
References
Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
http://www.microsoft.com/technet/winnt/Winntas/manuals/concept/xcp09.asp
ISS X-Force
Windows event log full
http://xforce.iss.net/static/4702.php
Windows event log file cannot be opened (evt_openfail)
About this signature or vulnerability
This signature detects a Windows event log message indicating that a Windows event log
file cannot be opened.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: XPU 1.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT, Windows 2000
Type
Host Sensor
Vulnerability description
The Windows event log is critical to the security and operation of the Windows NT and
Windows 2000 operating system. When the Windows Eventlog service is unable to open
any particular event log, the corresponding part of the operating system loses its tracing
capability.
Possible causes of the Windows event log failing to open include the following:
● misconfiguration of log file permissions
● attacker activity directed at the Windows operating system
How to remove this vulnerability
Examine the permissions of the log file in question. Ensure that the Windows NT system
directory is not corrupted and that the log file is not locked by another process. Verify that
the security permissions of the Windows NT event logs and system directory are
configured so that only intended security principals are granted access.
References
Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
http://www.microsoft.com/technet/winnt/Winntas/manuals/concept/xcp09.asp
ISS X-Force
Windows event log file cannot be opened
http://xforce.iss.net/static/4671.php
Exchange administrative user connected (Exchange55_administrator_connect)
About this signature or vulnerability
The Exchange55_administrator_connect signature detects when a user with administrator
privileges connects to a Microsoft Exchange 5.5 server.
Default risk level
Medium
Sensors that have this signature
RealSecure Server Sensor: 6.0
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
A user with administrative privileges has connected to Microsoft Exchange. All
administrative activities should be monitored and retained in an audit history.
How to remove this vulnerability
Verify that all administrative activity is monitored and retained in an audit history. If there
is no legitimate reason for this connection to occur, or if the connection occurs at unusual
times, then this activity may be an indication of misuse.
References
ISS X-Force
Exchange administrative user connected
http://xforce.iss.net/static/3188.php
Exchange Administrator logged in (Exchange55_administrator_login_as_user)
About this signature or vulnerability
The Exchange55_administrator_login_as_user signature detects when a user with
administrator privileges logs on to a Microsoft Exchange 5.5 server.
Default risk level
Medium
Sensors that have this signature
RealSecure Server Sensor: 6.0
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
A user with administrative privileges has logged into Microsoft Exchange. All
administrative activities should be monitored and retained in an audit history.
How to remove this vulnerability
Verify that all administrative logins (both successful and unsuccessful logins) are
monitored and retained in an audit history. If there is no legitimate reason for a login to
occur, or if logins occur at unusual times, then this activity may be an indication of misuse.
References
ISS X-Force
Exchange Administrator logged in
http://xforce.iss.net/static/3186.php
Exchange POP3 server dropped connection (Exchange55_pop3_authentication_failures)
About this signature or vulnerability
The Exchange55_pop3_authentication_failures signature detects that a Microsoft
Exchange 5.5 POP3 server has dropped its connection, due to repeated authentication
failures.
Default risk level
Low
Sensors that have this signature
RealSecure Server Sensor: 6.0
Systems affected
Windows NT
Type
Denial of Service
Vulnerability description
A Post Office Protocol 3 (POP3) server is a simple mail server commonly used on the
Internet. Repeated authentication failures have caused the Microsoft Exchange POP3
Server to drop its connection.
How to remove this vulnerability
A connection dropped by the server may indicate that a user has repeatedly mistyped the
password. Multiple instances of this event should be considered suspicious and could
indicate a brute force attack.
References
ISS X-Force
Exchange POP3 server dropped connection
http://xforce.iss.net/static/3175.php
Exchange POP3 server unauthenticated command (Exchange55_unauthenticated_pop3_command)
About this signature or vulnerability
The Exchange55_unauthenticated_pop3_command signature detects when a client has
connected to the Microsoft Exchange 5.5 POP3 server and has issued commands before
being authenticated.
Default risk level
Low
Sensors that have this signature
RealSecure Server Sensor: 6.0
Systems affected
Windows NT
Type
Suspicious Activity
Vulnerability description
A Post Office Protocol 3 (POP3) server is a simple mail server commonly used on the
Internet. A client has connected to the Microsoft Exchange POP3 server and has issued
commands before being authenticated.
Unauthenticated commands may indicate that an attacker is attempting to identify
servers that allow anonymous login. It is also possible that improperly configured or
unusual client software may trigger this event during a legitimate logon.
How to remove this vulnerability
Inspect the unauthenticated command that was executed for malicious characteristics. For
example, an especially long command may be an attempt to exploit potential buffer
overflows.
If your security policies allow anonymous access to the server, then no authentication is
required before executing commands. Allowing anonymous login is generally not good
security practice. Under these conditions, this event would only be useful in monitoring
activity, not detecting potential attacks. Consider disabling anonymous access for tighter
security.
References
ISS X-Force
Exchange POP3 server unauthenticated command
http://xforce.iss.net/static/3179.php
Exchange POP3 server invalid unauthenticated command (Exchange55_unauthenticated_pop3_command_invalid)
About this signature or vulnerability
The Exchange55_unauthenticated_pop3_command_invalid signature detects when the
Microsoft Exchange 5.5 POP3 server receives an unauthenticated and invalid POP
command.
Default risk level
Low
Sensors that have this signature
RealSecure Server Sensor: 6.0
Systems affected
Windows
Type
Suspicious Activity
Vulnerability description
A Post Office Protocol 3 (POP3) server is a simple mail server commonly used on the
Internet. An unauthenticated and invalid POP command was issued to the Microsoft
Exchange POP3 server. This activity suggests a manual or malicious connection, because
most compatible mail client software packages issue properly formed commands.
How to remove this vulnerability
Inspect the unauthenticated command for malicious characteristics. For example, an
especially long command or argument may be an attempt to exploit potential buffer
overflows. If you have the ability to trace the command back to its originator, then it may
be possible to determine the reason for this anomaly, or to block access to the source of the
problem.
If your security policies allow anonymous access to the server, then no authentication is
required before executing commands. Allowing anonymous login is generally considered
to be poor security practice. Consider disabling anonymous access for tighter security.
References
ISS X-Force
Exchange POP3 server invalid unauthenticated command
http://xforce.iss.net/static/3182.php
Exchange POP3 server invalid unauthenticated arguments (Exchange55_unauthenticated_pop3_command_invalidargs)
About this signature or vulnerability
The Exchange55_unauthenticated_pop3_command_invalidargs signature detects when the
Microsoft Exchange 5.5 POP3 server receives an unauthenticated POP command with
invalid arguments.
Default risk level
Low
Sensors that have this signature
RealSecure Server Sensor: 6.0
Systems affected
Windows NT
Type
Suspicious Activity
Vulnerability description
A Post Office Protocol 3 (POP3) server is a simple mail server commonly used on the
Internet. An unauthenticated POP command containing invalid arguments was issued to
the Microsoft Exchange POP3 server. This activity suggests a manual or malicious
connection, because most compatible mail client software packages issue properly formed
commands.
How to remove this vulnerability
Inspect the unauthenticated command for malicious characteristics. For example, an
especially long command or argument may be an attempt to exploit potential buffer
overflows. If possible, trace the command back to its originator to determine the reason
for this anomaly, or to block access to the source of the problem.
If your security policies allow anonymous access to the server, then no authentication is
required before executing commands. Allowing anonymous login is generally considered
to be a poor security practice. Consider disabling anonymous access for tighter security.
References
ISS X-Force
Exchange POP3 server invalid unauthenticated arguments
http://xforce.iss.net/static/3181.php
Exchange POP3 server incorrect number of unauthenticated arguments (Exchange55_unauthenticated_pop3_command_wrongargs)
About this signature or vulnerability
The Exchange55_unauthenticated_pop3_command_wrongargs signature detects when the
Microsoft Exchange 5.5 POP3 server receives an unauthenticated POP command with an
incorrect number of arguments.
Default risk level
Low
Sensors that have this signature
RealSecure Server Sensor: 6.0
Systems affected
Windows NT
Type
Suspicious Activity
Vulnerability description
A Post Office Protocol 3 (POP3) server is a simple mail server commonly used on the
Internet. An unauthenticated POP command containing the incorrect number of
arguments was issued to the Microsoft Exchange POP3 server. This activity suggests a
manual or malicious connection, because most compatible mail client software packages
issue properly formed commands.
How to remove this vulnerability
Inspect the unauthenticated command for malicious characteristics. For example, an
especially long command or argument may be an attempt to exploit potential buffer
overflows. If possible, trace the command back to its originator to determine the reason
for this anomaly, or to block access to the source of the problem.
If your security policies allow anonymous access to the server, then no authentication is
required before executing commands. Allowing anonymous login is generally considered
to be a poor security practice. Consider disabling anonymous access for tighter security.
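Added example, not ISS or Microsoft code, covering the four Exchange55_unauthenticated_pop3_* signatures above: a classifier for POP3 command lines received before authentication, using the command limits from RFC 1939 and RFC 2449 and flagging the "especially long command" case the inspection advice mentions. Which commands Exchange itself counts as "unauthenticated" is not stated in the guide, so the example assumes transaction-state commands; the sample lines are constructed.

```python
"""Added example (not ISS or Microsoft code): classify POP3 command lines that
arrive before authentication, mirroring the four
Exchange55_unauthenticated_pop3_* signatures.

Limits come from RFC 1939 (keyword of 3 or 4 letters, arguments of printable
ASCII up to 40 characters, APOP digest of 32 lowercase hex digits) and
RFC 2449 (command line of at most 255 octets including CRLF). Which commands
Exchange counts as "unauthenticated" is not stated in the guide; here any
valid transaction-state command sent before USER/PASS or APOP is reported
that way. SAMPLE_LINES is constructed.
"""
import re
from typing import List, Tuple

MAX_LINE_OCTETS = 255    # RFC 2449 section 4, CRLF included
MAX_ARG_LEN = 40         # RFC 1939 section 3

# AUTHORIZATION-state commands: keyword -> (minimum, maximum) argument count
AUTH_STATE_CMDS = {
    "USER": (1, 1), "PASS": (1, 1), "APOP": (2, 2),
    "QUIT": (0, 0), "CAPA": (0, 0), "STLS": (0, 0), "AUTH": (0, 2),
}
# Valid POP3 commands that are only meaningful once the session is authenticated
TRANSACTION_CMDS = {"STAT", "LIST", "RETR", "DELE", "NOOP", "RSET", "TOP", "UIDL"}

# Classification code -> signature in the guide ("" where the guide has none)
SIGNATURE_FOR = {
    "unauthenticated_command": "Exchange55_unauthenticated_pop3_command",
    "invalid_command": "Exchange55_unauthenticated_pop3_command_invalid",
    "invalid_args": "Exchange55_unauthenticated_pop3_command_invalidargs",
    "wrong_arg_count": "Exchange55_unauthenticated_pop3_command_wrongargs",
    "oversized": "",   # the guide only says long commands deserve inspection
    "ok": "",
}

_HEX32 = re.compile(r"^[0-9a-f]{32}$")
_PRINTABLE = re.compile(r"^[\x21-\x7e]+$")      # no spaces or control characters
_PRINTABLE_SP = re.compile(r"^[\x20-\x7e]+$")   # PASS may contain spaces


def classify_preauth(line: str) -> str:
    """Return one classification code for a line received before authentication."""
    raw = line.rstrip("\r\n")
    # Count octets as the server would see them, CRLF included
    if len(raw.encode("utf-8", "surrogateescape")) + 2 > MAX_LINE_OCTETS:
        return "oversized"
    parts = raw.split(" ")
    keyword = parts[0].upper()
    if not (3 <= len(keyword) <= 4 and keyword.isalpha()):
        return "invalid_command"
    if keyword in TRANSACTION_CMDS:
        return "unauthenticated_command"
    if keyword not in AUTH_STATE_CMDS:
        return "invalid_command"
    # PASS takes the rest of the line as a single argument
    args = [raw[5:]] if keyword == "PASS" and len(raw) > 5 else parts[1:]
    lo, hi = AUTH_STATE_CMDS[keyword]
    if not lo <= len(args) <= hi:
        return "wrong_arg_count"
    pattern = _PRINTABLE_SP if keyword == "PASS" else _PRINTABLE
    for arg in args:
        if len(arg) > MAX_ARG_LEN or not pattern.match(arg):
            return "invalid_args"
    if keyword == "APOP" and not _HEX32.match(args[1]):
        return "invalid_args"
    return "ok"


def scan_preauth(lines) -> List[Tuple[int, str, str]]:
    """Return (line number, code, signature name) for every line that is not ok."""
    report = []
    for n, line in enumerate(lines, 1):
        code = classify_preauth(line)
        if code != "ok":
            report.append((n, code, SIGNATURE_FOR[code]))
    return report


SAMPLE_LINES = [   # constructed client lines, all sent before any successful login
    "USER alice",
    "PASS correct horse battery",
    "APOP alice c4c9334bac560ecc979e58001b3e22fb",
    "APOP alice not-a-digest",
    "USER",
    "RETR 1",
    "HELO mail.example.test",
    "USER " + "A" * 300,
]

if __name__ == "__main__":
    for n, code, sig in scan_preauth(SAMPLE_LINES):
        print("line %d: %s %s" % (n, code, sig))
```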
References
ISS X-Force
Exchange POP3 server incorrect number of unauthenticated arguments
http://xforce.iss.net/static/3180.php
Exchange View Administrative user logged in (Exchange55_view_administrator_login)
About this signature or vulnerability
The Exchange55_view_administrator_login signature detects when a user with view
administrative privileges logs on to a Microsoft Exchange 5.5 server.
Default risk level
Medium
Sensors that have this signature
RealSecure Server Sensor: 6.0
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
A user with view administrative privileges has logged into Microsoft Exchange. All
administrative activities should be monitored and retained in an audit history.
How to remove this vulnerability
Verify that all administrative logins (both successful and unsuccessful logins) are
monitored and retained in an audit history. If there is no legitimate reason for a login to
occur, or if logins occur at unusual times, then this activity may be an indication of misuse.
References
ISS X-Force
Exchange View Administrative user logged in
http://xforce.iss.net/static/3187.php
Exchange administrative user connected (Exchange_administrator_connect)
About this signature or vulnerability
The Exchange_administrator_connect signature detects when a user with administrator
privileges connects to a Microsoft Exchange server. This signature applies to versions of
Microsoft Exchange prior to 5.5.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
A user with administrative privileges has connected to Microsoft Exchange. All
administrative activities should be monitored and retained in an audit history.
How to remove this vulnerability
Verify that all administrative activity is monitored and retained in an audit history. If there
is no legitimate reason for this connection to occur, or if the connection occurs at unusual
times, then this activity may be an indication of misuse.
References
ISS X-Force
Exchange administrative user connected
http://xforce.iss.net/static/3188.php
Exchange Administrator logged in (Exchange_administrator_login_as_user)
About this signature or vulnerability
The Exchange_administrator_login_as_user signature detects when a user with
administrator privileges logs on to a Microsoft Exchange server. This signature applies to
versions of Microsoft Exchange prior to 5.5.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability
description
A user with administrative privileges has logged into Microsoft Exchange. All
administrative activities should be monitored and retained in an audit history.
How to remove this vulnerability
Verify that all administrative logins (both successful and unsuccessful logins) are
monitored and retained in an audit history. If there is no legitimate reason for a login to
occur, or if logins occur at unusual times, then this activity may be an indication of misuse.
References
ISS X-Force
Exchange Administrator logged in
http://xforce.iss.net/static/3186.php
Exchange anonymous logon (Exchange_anonymous_logon)
About this signature or vulnerability
This signature detects when a client has anonymously logged on to the Microsoft
Exchange server. This signature applies to Microsoft Exchange version 5.5 and earlier.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Unauthorized Access Attempt
Vulnerability description
Microsoft Exchange can be configured to allow logins without authentication (anonymous
login). Allowing anonymous login is generally considered a poor security practice.
How to remove this vulnerability
Configure the Microsoft Exchange server to prevent anonymous logins.
References
ISS X-Force
Exchange anonymous logon
http://xforce.iss.net/static/3176.php
Exchange IMAP server dropped connection (Exchange_imap_authentication_failures)
About this signature or vulnerability
This signature detects that a Microsoft Exchange IMAP server has dropped its connection,
due to repeated authentication failures. This signature applies to Microsoft Exchange
version 5.5 and earlier.
Default risk level
Low
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Denial of Service
Vulnerability description
Repeated authentication failures have caused the Microsoft Exchange IMAP Server to
drop its connection. The Internet Message Access Protocol (IMAP) server is a standard
mail server that holds incoming email until users log on and download it.
How to remove this vulnerability
A connection dropped by the server may indicate that a user has repeatedly mistyped the
password. Multiple instances of this event should be considered suspicious and could
indicate a brute force attack.
References
ISS X-Force
Exchange IMAP server dropped connection
http://xforce.iss.net/static/3173.php
Exchange mailbox logon failed (Exchange_logon_failure)
About this signature or vulnerability
This signature detects failed attempts to log on to a Microsoft Exchange mailbox. This
signature applies to Microsoft Exchange version 5.5 and earlier.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
A failed attempt to log on to a Microsoft Exchange mailbox has occurred.
How to remove this vulnerability
Frequent logon failures may indicate a misconfigured mail client or user error. Attempts
to log on using an inappropriate account could indicate attempts by an attacker to brute
force the Exchange server, access the mailbox user's account, or change the user's settings.
References
ISS X-Force
Exchange mailbox logon failed
http://xforce.iss.net/static/3190.php
Exchange mail sent as another user (Exchange_mail_sent_as)
About this signature or vulnerability
This signature detects when a mail user sends an email message as another user. This
signature applies to Microsoft Exchange version 5.5 and earlier.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
Some types of mail activity require or encourage messages to be sent from users other
than the mailbox owner. Anonymous mailers, departmental or company-wide broadcast
mail, and special purpose announcements use this type of remailing feature.
How to remove this vulnerability
Determine if the mailbox owner has authorized other users to send messages using the
owner's user name:
● If the mailbox owner has authorized others to send messages using the owner's user
name, and your organization considers this activity a poor security practice, then
instruct the user on the proper policy.
● If the mailbox owner has not authorized others to send mail using the owner's user
name, then another user may be forging or spoofing the user name in the message.
Refer to the mail logs and mail headers to determine the source of the message.
References
ISS X-Force
Exchange mail sent as another user
http://xforce.iss.net/static/3192.php
Exchange mail sent on behalf of another user (Exchange_mail_sent_on_behalf)
About this signature or vulnerability
This signature detects when a mail user has sent an email message on behalf of another
user. This signature applies to Microsoft Exchange version 5.5 and earlier.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
It is possible for a mail user to send an email message on behalf of another user. These
types of messages may be sent without consulting the primary mail user, and the message
or its contents may have been sent without the primary user's knowledge or approval.
How to remove this vulnerability
Some types of mail activity require or encourage the use of 'on behalf of' messages.
Mailing lists, mail redirectors, and moderated lists take advantage of this feature.
Determine if the primary mailbox user is aware that other users are sending messages on
their behalf:
● If the primary user has authorized others to send messages on his or her behalf, and
your organization considers this activity a poor security practice, then instruct the
user on the proper policy.
● If the primary user has not authorized others to send mail on their behalf, then
another user may have unauthorized access to the account.
References
ISS X-Force
Exchange mail sent on behalf of another user
http://xforce.iss.net/static/3191.php
Exchange NNTP server dropped connection (Exchange_nntp_authentication_failures)
About this signature or vulnerability
This signature detects that a Microsoft Exchange NNTP server has dropped its
connection, due to repeated authentication failures. This signature applies to Microsoft
Exchange version 5.5 and earlier.
Default risk level
Low
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Denial of Service
Vulnerability description
Repeated authentication failures have caused the Microsoft Exchange NNTP Server to
drop its connection. The Network News Transfer Protocol (NNTP) server allows users to
access and read Usenet newsgroups on their newsreaders.
How to remove this vulnerability
A connection dropped by the server may indicate that a user has repeatedly mistyped the
password. Multiple instances of this event should be considered suspicious and could
indicate a brute force attack.
References
ISS X-Force
Exchange NNTP server dropped connection
http://xforce.iss.net/static/3174.php
Exchange POP3 server dropped connection (Exchange_pop3_authentication_failures)
About this signature or vulnerability
The Exchange_pop3_authentication_failures signature detects that a Microsoft Exchange
POP3 server has dropped its connection, due to repeated authentication failures. This
signature applies to versions of Microsoft Exchange prior to 5.5.
Default risk level
Low
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Denial of Service
Vulnerability description
A Post Office Protocol 3 (POP3) server is a simple mail server commonly used on the
Internet. Repeated authentication failures have caused the Microsoft Exchange POP3
Server to drop its connection.
How to remove this vulnerability
A connection dropped by the server may indicate that a user has repeatedly mistyped the
password. Multiple instances of this event should be considered suspicious and could
indicate a brute force attack.
References
ISS X-Force
Exchange POP3 server dropped connection
http://xforce.iss.net/static/3175.php
Exchange personal storage file password saved (Exchange_PST_passwords_saved)
About this signature or vulnerability
This signature detects when Microsoft Exchange has saved the passwords for certain
Personal Storage (PST) files in the specified file. This signature applies to Microsoft
Exchange version 5.5 and earlier.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
Microsoft Exchange Personal Storage (PST) files maintain the user messages for an
individual user. Microsoft Exchange may automatically create these files during the use of
the Migration Wizard. When the Migration Wizard creates PST files, Microsoft Exchange
may automatically assign random passwords to the files. Exchange stores these
passwords in the file described in this event. Because this file contains sensitive password
information, an administrator should ensure that the file is sufficiently protected.
How to remove this vulnerability
Locate any PST files and set file permissions to allow full control only to the user and
other authorized accounts. Remove any permissions that allow unauthorized users to
read or otherwise access the file.
References
ISS X-Force
Exchange personal storage file password saved
http://xforce.iss.net/static/3193.php
Exchange security attributes changed (Exchange_security_attribute_change)
About this signature or vulnerability
This signature detects when security attributes of objects used through Microsoft
Exchange have been changed. This signature applies to Microsoft Exchange version 5.5
and earlier.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Suspicious Activity
Vulnerability description
Security attributes of objects used through Microsoft Exchange are being changed.
Security attributes control how objects, such as files, can be used within Microsoft
Exchange.
How to remove this vulnerability
During normal administrative activities, security attributes may sometimes change.
However, if there is no legitimate reason for a change to occur, or if attribute changes
occur at unusual times, then this activity may be an indication of misuse. Changes in
security attributes should be monitored and retained in an audit history.
References
ISS X-Force
Exchange security attributes changed
http://xforce.iss.net/static/3185.php
Exchange service account password change (Exchange_service_password_change)
About this signature or vulnerability
This signature detects when the password for a Microsoft Exchange service account has
been changed. This signature applies to Microsoft Exchange version 5.5 and earlier.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Suspicious Activity
Vulnerability description
The service account used by Microsoft Exchange is a Windows NT account that has
administrator privileges. The password for this service account has been changed.
How to remove this vulnerability
Regularly changing passwords on sensitive or administrative accounts is good security
practice. Verify that an authorized administrator changed the password. As an
administrative activity, all instances of password changes to the Microsoft Exchange
service account should be monitored or retained in an audit history.
If the password was not changed by an authorized administrator, it may indicate that an
intruder or other unauthorized person has administrative access to this system. If you
determine that the password change was unauthorized, then this computer and perhaps
other computers on the network may be compromised.
References
ISS X-Force
Exchange service account password change
http://xforce.iss.net/static/3183.php
Exchange IMAP server unauthenticated command (Exchange_unauthenticated_imap_command)
About this signature or vulnerability
This signature detects when a client has connected to the Microsoft Exchange IMAP server
and has issued commands before being authenticated. This signature applies to Microsoft
Exchange version 5.5 and earlier.
Default risk level
Low
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Suspicious Activity
Vulnerability description
The Internet Message Access Protocol (IMAP) server is a standard mail server that
holds incoming email until users log on and download it. A client has connected to the
Microsoft Exchange IMAP server and has issued commands before being authenticated.
Unauthenticated commands may indicate that an attacker is attempting to identify
servers that allow anonymous login. It is also possible that improperly configured or
unusual client software may trigger this event during a legitimate logon.
How to remove this vulnerability
Inspect the unauthenticated command that was executed for malicious characteristics. For
example, an especially long command may be an attempt to exploit potential buffer
overflows.
If your security policies allow anonymous access to the server, then no authentication is
required before executing commands. Allowing anonymous login is generally considered
to be a poor security practice. Under these conditions, this event would only be useful in
monitoring activity, not detecting potential attacks. Consider disabling anonymous access
for stronger security.
References
ISS X-Force
Exchange IMAP server unauthenticated command
http://xforce.iss.net/static/3177.php
Exchange unauthenticated logon attempt (Exchange_unauthenticated_logon_attempt)
About this signature or vulnerability
This signature detects when a Microsoft Exchange server has received a logon attempt
without prior authentication. This signature applies to Microsoft Exchange version 5.5
and earlier.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Suspicious Activity
Vulnerability description
Microsoft Exchange received a logon attempt without prior authentication. Exchange
versions prior to Exchange 2000 allow unauthenticated users to log on because the
Exchange security model can operate independently from the Windows security model.
How to remove this vulnerability
For all users, require Windows authentication before allowing users to attempt to log into
an Exchange server.
References
ISS X-Force
Exchange unauthenticated logon attempt
http://xforce.iss.net/static/3184.php
Exchange NNTP server unauthenticated command (Exchange_unauthenticated_nntp_command)
About this signature or vulnerability
This signature detects when a client has connected to the Microsoft Exchange NNTP
server and has issued commands before being authenticated. This signature applies to
Microsoft Exchange version 5.5 and earlier.
Default risk level
Low
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Suspicious Activity
Vulnerability description
The Network News Transfer Protocol (NNTP) server allows users to access and read
Usenet newsgroups on their news client software. A client has connected to the Microsoft
Exchange NNTP server and has issued commands before being authenticated.
Unauthenticated commands may indicate that an attacker is attempting to identify
servers that allow anonymous login. It is also possible that improperly configured or
unusual client software may trigger this event during a legitimate logon.
How to remove this vulnerability
Inspect the unauthenticated command that was executed for malicious characteristics. For
example, an especially long command may be an attempt to exploit potential buffer
overflows.
If your security policies allow anonymous access to the server, then no authentication is
required before executing commands. Allowing anonymous login is generally considered
to be a poor security practice. Under these conditions, this event would only be useful in
monitoring activity, not detecting potential attacks. Consider disabling anonymous access
for tighter security.
References
ISS X-Force
Exchange NNTP server unauthenticated command
http://xforce.iss.net/static/3178.php
Exchange POP3 server unauthenticated command (Exchange_unauthenticated_pop3_command)
About this signature or vulnerability
The Exchange_unauthenticated_pop3_command signature detects when a client has
connected to the Microsoft Exchange POP3 server and has issued commands before being
authenticated. This signature applies to versions of Microsoft Exchange prior to 5.5.
Default risk level
Low
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Suspicious Activity
Vulnerability description
A Post Office Protocol 3 (POP3) server is a simple mail server commonly used on the
Internet. A client has connected to the Microsoft Exchange POP3 server and has issued
commands before being authenticated.
Unauthenticated commands may indicate that an attacker is attempting to identify
servers that allow anonymous login. It is also possible that improperly configured or
unusual client software may trigger this event during a legitimate logon.
How to remove this vulnerability
Inspect the unauthenticated command that was executed for malicious characteristics. For
example, an especially long command may be an attempt to exploit potential buffer
overflows.
If your security policies allow anonymous access to the server, then no authentication is
required before executing commands. Allowing anonymous login is generally not good
security practice. Under these conditions, this event would only be useful in monitoring
activity, not detecting potential attacks. Consider disabling anonymous access for tighter
security.
References
ISS X-Force
Exchange POP3 server unauthenticated command
http://xforce.iss.net/static/3179.php
Exchange POP3 server invalid unauthenticated command (Exchange_unauthenticated_pop3_command_invalid)
About this signature or vulnerability
The Exchange_unauthenticated_pop3_command_invalid signature detects when
Microsoft Exchange POP3 server receives an unauthenticated and invalid POP command.
This signature applies to versions of Microsoft Exchange prior to 5.5.
Default risk level
Low
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows
Type
Suspicious Activity
Vulnerability description
A Post Office Protocol 3 (POP3) server is a simple mail server commonly used on the
Internet. An unauthenticated and invalid POP command was issued to the Microsoft
Exchange POP3 server. This activity suggests a manual or malicious connection, because
most compatible mail client software packages issue properly formed commands.
How to remove this vulnerability
Inspect the unauthenticated command for malicious characteristics. For example, an
especially long command or argument may be an attempt to exploit potential buffer
overflows. If you have the ability to trace the command back to its originator, then it may
be possible to determine the reason for this anomaly, or to block access to the source of the
problem.
If your security policies allow anonymous access to the server, then no authentication is
required before executing commands. Allowing anonymous login is generally considered
to be poor security practice. Consider disabling anonymous access for tighter security.
References
ISS X-Force
Exchange POP3 server invalid unauthenticated command
http://xforce.iss.net/static/3182.php
Exchange POP3 server invalid unauthenticated arguments (Exchange_unauthenticated_pop3_command_invalidargs)
About this signature or vulnerability
The Exchange_unauthenticated_pop3_command_invalidargs signature detects when
Microsoft Exchange POP3 server receives an unauthenticated POP command with invalid
arguments. This signature applies to versions of Microsoft Exchange prior to 5.5.
Default risk level
Low
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Suspicious Activity
Vulnerability description
A Post Office Protocol 3 (POP3) server is a simple mail server commonly used on the
Internet. An unauthenticated POP command containing invalid arguments was issued to
the Microsoft Exchange POP3 server. This activity suggests a manual or malicious
connection, because most compatible mail client software packages issue properly formed
commands.
How to remove this vulnerability
Inspect the unauthenticated command for malicious characteristics. For example, an
especially long command or argument may be an attempt to exploit potential buffer
overflows. If possible, trace the command back to its originator to determine the reason
for this anomaly, or to block access to the source of the problem.
If your security policies allow anonymous access to the server, then no authentication is
required before executing commands. Allowing anonymous login is generally considered
to be a poor security practice. Consider disabling anonymous access for tighter security.
References
ISS X-Force
Exchange POP3 server invalid unauthenticated arguments
http://xforce.iss.net/static/3181.php
Exchange POP3 server incorrect number of unauthenticated arguments (Exchange_unauthenticated_pop3_command_wrongargs)
About this signature or vulnerability
The Exchange_unauthenticated_pop3_command_wrongargs signature detects when
Microsoft Exchange POP3 server receives an unauthenticated POP command with an
incorrect number of arguments. This signature applies to versions of Microsoft Exchange
prior to 5.5.
Default risk level
Low
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Suspicious Activity
Vulnerability description
A Post Office Protocol 3 (POP3) server is a simple mail server commonly used on the
Internet. An unauthenticated POP command containing the incorrect number of
arguments was issued to the Microsoft Exchange POP3 server. This activity suggests a
manual or malicious connection, because most compatible mail client software packages
issue properly formed commands.
How to remove this vulnerability
Inspect the unauthenticated command for malicious characteristics. For example, an
especially long command or argument may be an attempt to exploit potential buffer
overflows. If possible, trace the command back to its originator to determine the reason
for this anomaly, or to block access to the source of the problem.
If your security policies allow anonymous access to the server, then no authentication is
required before executing commands. Allowing anonymous login is generally considered
to be a poor security practice. Consider disabling anonymous access for tighter security.
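The four POP3 entries above (unauthenticated command, invalid command, invalid arguments, incorrect number of arguments) describe a classification the sensor makes on each command line received before the client has authenticated, and all four tell the analyst to look at the offending line for oversized commands or arguments. The classifier below is an added example, not the guide's or the sensor's logic: it assumes the AUTHORIZATION-state command set of RFC 1939 (USER, PASS, APOP, QUIT) plus CAPA from RFC 2449, the 40-character argument limit of RFC 1939 and the 255-octet line limit of RFC 2449, and its per-command argument counts are its own table. The sample lines are constructed, not captured traffic.

```python
import string

# Assumed AUTHORIZATION-state command set and expected argument counts
# (the example's own table, not taken from the Exchange server).
AUTH_STATE_COMMANDS = {"USER": 1, "PASS": 1, "APOP": 2, "QUIT": 0, "CAPA": 0}
MAX_ARG_LEN = 40      # RFC 1939: each argument may be up to 40 characters long
MAX_LINE_LEN = 255    # RFC 2449: whole command line, including CRLF, up to 255 octets
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")   # printable ASCII plus space

SIG_PREFIX = "Exchange_unauthenticated_pop3_command"


def classify_unauthenticated_command(line):
    """Map one pre-authentication POP3 command line to the signature it falls
    under, mirroring the four related events in the guide:

      SIG_PREFIX               well-formed command issued before authentication
      SIG_PREFIX_invalid       keyword not valid in the AUTHORIZATION state
      SIG_PREFIX_invalidargs   an argument that is empty, overlong or non-printable
      SIG_PREFIX_wrongargs     a known keyword with the wrong number of arguments

    Returns (signature, flags); flags lists the anomalies the guide says to
    inspect, such as an overlong line or argument."""
    flags = []
    if len(line) > MAX_LINE_LEN:
        flags.append("overlong_line")
    text = line.rstrip("\r\n")
    parts = text.split(" ")          # RFC 1939: fields are separated by a single SPACE
    keyword, args = parts[0].upper(), parts[1:]
    if keyword not in AUTH_STATE_COMMANDS:
        # Covers both unknown keywords and TRANSACTION-state commands sent too early.
        return f"{SIG_PREFIX}_invalid", flags
    if any(len(a) > MAX_ARG_LEN for a in args):
        flags.append("overlong_argument")
    if any(not a or len(a) > MAX_ARG_LEN or any(c not in PRINTABLE for c in a)
           for a in args):
        return f"{SIG_PREFIX}_invalidargs", flags
    if len(args) != AUTH_STATE_COMMANDS[keyword]:
        return f"{SIG_PREFIX}_wrongargs", flags
    return SIG_PREFIX, flags


def triage(lines):
    """Classify a batch of lines and return those that are not well-formed or
    that carry anomaly flags, in arrival order, for an analyst to inspect."""
    findings = []
    for line in lines:
        signature, flags = classify_unauthenticated_command(line)
        if signature != SIG_PREFIX or flags:
            findings.append((line.rstrip("\r\n")[:60], signature, flags))
    return findings


# Constructed sample of pre-authentication lines as a sensor might see them.
SAMPLE_LINES = [
    "USER jsmith\r\n",                 # a normal client starting to log in
    "CAPA\r\n",                        # capability probe, allowed before login
    "LIST\r\n",                        # TRANSACTION-state command sent too early
    "APOP jsmith\r\n",                 # APOP needs a name and a digest
    "PASS " + "A" * 300 + "\r\n",      # the overlong argument the guide warns about
    "user j\x00smith\r\n",             # non-printable byte inside an argument
]

if __name__ == "__main__":
    for shown, signature, flags in triage(SAMPLE_LINES):
        print(f"{signature:55} {flags} {shown!r}")
```

Only the well-formed USER and CAPA lines pass without a finding; the remaining four are exactly the cases the guide separates into its three "invalid" events, and the PASS line additionally carries the overlong-line and overlong-argument flags that single it out as a candidate buffer-overflow probe rather than a misconfigured client.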
References
ISS X-Force
Exchange POP3 server incorrect number of unauthenticated arguments
http://xforce.iss.net/static/3180.php
Exchange mailbox accessed by other user (Exchange_user_login_into_other_users_mailbox)
About this signature or vulnerability
This signature detects when a user other than the primary mailbox user has accessed a
mailbox. This signature applies to Microsoft Exchange version 5.5 and earlier.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
Microsoft Exchange monitors the identity of the primary Windows NT user for each
Exchange mailbox. A user other than the primary mailbox user has accessed a mailbox. It
is possible to share an account, but doing so may indicate poor security practice. It may
also indicate that a Windows NT user has gained illegitimate access to the account.
How to remove this vulnerability
In some environments, such as collaborative efforts or departmental mail accounts,
mailbox sharing is an accepted practice. Determine if the primary mailbox user is sharing
the account:
● If the primary user is sharing the account and your organization considers sharing
accounts as poor security practice, then instruct the user on the proper policy.
● If the primary user is not sharing their account, then another user may have
unauthorized access to the account.
References
ISS X-Force
Exchange mailbox accessed by other user
http://xforce.iss.net/static/3189.php
Exchange View Administrative user logged in (Exchange_view_administrator_login)
About this signature or vulnerability
The Exchange_view_administrator_login signature detects when a user with view
administrative privileges logs on to a Microsoft Exchange server. This signature applies to
versions of Microsoft Exchange prior to 5.5.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
A user with view administrative privileges has logged into Microsoft Exchange. All
administrative activities should be monitored and retained in an audit history.
How to remove this vulnerability
Verify that all administrative logins (both successful and unsuccessful logins) are
monitored and retained in an audit history. If there is no legitimate reason for a login to
occur, or if logins occur at unusual times, then this activity may be an indication of misuse.
References
ISS X-Force
Exchange View Administrative user logged in
http://xforce.iss.net/static/3187.php
System file or executable modification attempt failed (Failed_change_of_important_files)
About this signature or vulnerability
This signature detects a security event log message indicating that an attempt to modify a
system file or executable has failed.
Default risk level
High
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Unix, Windows NT
Type
Host Sensor
Vulnerability description
In Windows NT/2000 and Solaris systems, a message is written into the security log when
an attempt to modify an important file fails. If an important executable is accessed for
modification, it should only be by users with proper authority and reason to modify it. A
failed attempt to modify key programs may indicate the actions of an attacker.
How to remove this vulnerability
Investigate these actions immediately. An attacker may be attempting to compromise an
important executable by replacing it with a modified file.
References
ISS X-Force
System file or executable modification attempt failed
http://xforce.iss.net/static/1604.php
Failed login attempt to a disabled user account (Failed_login-account_disabled)
About this signature or vulnerability
This signature detects a Windows security log message indicating that a login attempt to a
disabled user account has failed.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
Any time a user attempts to log in to the system and fails to do so, an event message is
written into the Windows NT security log. When a user attempts to log in to a disabled
account, this particular event is triggered.
A good account management practice is to selectively disable accounts that are not being
used (for example, disabling a user's account during a time when the user will be away
from the system for an extended period of time).
How to remove this vulnerability
Attempts to access a disabled account can be the sign of a would-be attacker. You can
disable and re-enable a user's account in the Windows NT User Manager utility.
References
ISS X-Force
Failed login attempt to a disabled user account
http://xforce.iss.net/static/1511.php
Failed login attempt to an expired user account (Failed_login-account_expired)
About this signature or vulnerability
This signature detects a Windows security log message indicating that a login attempt to
an expired user account has failed.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
In Windows NT, the system administrator can specify that a user account should expire
on a specific date. The expiration of an account is independent of normal password
expiration.
Any time a user attempts to log in to the system and fails to do so, an event message is
written into the Windows NT security log.
How to remove this vulnerability
To discourage a would-be intruder, implement a policy that watches for failed logins
directly. Set the account policy in the Windows NT User Manager utility to expire
passwords once every 60 days.
Normally it is preferred to delete or disable user accounts that are no longer valid. A user
attempting to access an expired account may be confused about the termination of access,
or the user may be attempting to access the network inappropriately. In either case, the
user should be notified that the account is no longer valid.
References
ISS X-Force
Failed login attempt to an expired user account
http://xforce.iss.net/static/1504.php
Failed login attempt to a locked user account (Failed_login-account_locked_out)
About this signature or vulnerability
This signature detects a Windows security log message indicating that a user has
attempted to log in using a locked user account.
Default risk level
Low
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
A user has attempted to log in using a locked user account. Any time a user attempts to
log in using a locked account, an audit message is written to the Windows NT security
event log.
When a user repeatedly attempts and fails to log in, the user account may be locked out. A
user can also be locked out by a system administrator. Subsequent attempts by the user to
log in to the account will fail. Windows NT will recognize these failed attempts as login
attempts from a locked account.
If a user continues to attempt to log in after an account has been locked out, then the event
is a good indication that there is an intrusion attempt occurring, or that the user is
misusing the login process. A brute force login attempt by an unsophisticated attacker
may involve repeated attempts to guess a user's password.
How to remove this vulnerability
To discourage misuse of Windows NT user accounts:
● Implement a policy that watches for failed logins directly.
● Set the account policy in the Windows NT User Manager utility to lock out accounts
with more than 5 failed logon attempts.
● Contact any user who persists in trying to log in to a locked account. Inform the user
of proper login procedure, and require the user to choose a new password.
References
ISS X-Force
Failed login attempt to a locked user account
http://xforce.iss.net/static/1502.php
Windows NT user account locked out (Failed_login-account_locked_out_New)
About this signature or vulnerability
This signature detects that a Windows NT user account has been locked out.
Default risk level
Low
Sensors that have this signature
RealSecure OS Sensor: 5.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT: 4.0 SP4, Windows 2000
Type
Host Sensor
Vulnerability description
A Windows NT user account has been locked out. Any time a user account is locked out,
an audit message is written to the Windows NT security event log in Windows NT Service
Pack 4 and later.
When a user repeatedly attempts and fails to log in, the user account may be locked out. A
user can also be locked out by a system administrator. Subsequent attempts by the user to
log in to the account will fail. Windows NT will recognize these failed attempts as login
attempts from a locked account.
If a user continues to attempt to log in after an account has been locked out, then the event
is a good indication that there is an intrusion attempt occurring, or that the user is
misusing the login process. A brute force login attempt by an unsophisticated attacker
may involve repeated attempts to guess a user's password.
How to remove this vulnerability
To discourage misuse of Windows NT user accounts:
● Implement a policy that watches for failed logins directly.
● Set the account policy in the Windows NT User Manager utility to lock out accounts
with more than 5 failed logon attempts.
● Contact any user who persists in trying to log in to a locked account. Inform the user
of proper login procedure, and require the user to choose a new password.
References
ISS X-Force
Windows NT user account locked out
http://xforce.iss.net/static/4517.php
Failed login attempt with invalid username or password (Failed_login-bad_username_or_password)
About this signature or vulnerability
This signature detects a security log message indicating that a login attempt has failed due
to an invalid username or password.
Default risk level
Low
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Unix, Windows NT
Type
Host Sensor
Vulnerability description
Any time a user attempts to log in to the system and fails to do so, an event message is
written into the security log. The most typical cause of these failures is a typing error
when entering the username or password.
A brute force login attempt by an unsophisticated attacker may involve repeated attempts
to guess a user's password. These attempts may become obvious when an administrator
notices a significant number of "bad password" event messages, particularly if they
originate from a single user account.
How to remove this vulnerability
Windows NT/2000: To discourage a would-be intruder, implement a policy that watches
for failed logins directly. Set the account policy in the User Manager utility to disable
accounts with more than five failed logon attempts. This will disable accounts an intruder
may be trying to gain access to.
Solaris: To discourage a would-be intruder, implement a policy that imposes appropriate
authentication checking when logging on to the host. For more information, see the man
pages for pam.conf(4) and pam_unix(5).
References
ISS X-Force
Failed login attempt with invalid username or password
http://xforce.iss.net/static/1500.php
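The failed-logon events catalogued in these entries are most useful when correlated rather than read one at a time. The following Python script is an added example, not part of the ISS guide or of the RealSecure product: it parses a constructed Windows NT security-log extract (the record format and the sample data are assumptions) and applies the guide's rules of thumb: more than five bad-password failures for one account, any attempt against a locked-out account, time or logon-right violations, and Net Logon or unknown errors that point at a system problem rather than an intruder. Only event ID 534 is cited on the page; the other IDs are the standard Windows NT 4.0 logon-failure audit event IDs, and the 30-minute correlation window is an assumption.

```python
"""Rule-based triage of Windows NT failed-logon audit events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows NT 4.0 security-log event IDs for logon failures. Only 534 is cited on the
# page; the others are the standard NT 4.0 audit IDs for the failure reasons that the
# surrounding signature entries describe.
FAILURE_REASON = {
    529: "bad username or password",
    530: "time restriction violation",
    531: "account disabled",
    532: "account expired",
    533: "not authorized for console login",
    534: "not authorized for this type of login",
    535: "password expired",
    536: "net logon not active",
    537: "unknown error",
    539: "account locked out",
}

LOCKOUT_THRESHOLD = 5                  # the guide's recommended lockout policy
GUESS_WINDOW = timedelta(minutes=30)   # assumed correlation window (not from the page)


def parse_event(line):
    """Parse one constructed record: 'ISO-timestamp|event_id|user|workstation'."""
    ts, event_id, user, workstation = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "id": int(event_id),
            "user": user.lower(), "workstation": workstation}


def triage(lines):
    """Return a list of (timestamp, user, category, detail) alerts."""
    alerts = []
    bad_password_times = defaultdict(list)   # user -> recent event-529 timestamps
    for ev in map(parse_event, lines):
        reason = FAILURE_REASON.get(ev["id"])
        if reason is None:
            continue   # not a logon failure this script triages
        when, user = ev["ts"].isoformat(), ev["user"]
        if ev["id"] == 529:
            # Keep only failures inside the window, then count the new one.
            recent = [t for t in bad_password_times[user] if ev["ts"] - t <= GUESS_WINDOW]
            recent.append(ev["ts"])
            bad_password_times[user] = recent
            if len(recent) > LOCKOUT_THRESHOLD:
                alerts.append((when, user, "password guessing",
                               f"{len(recent)} bad-password failures within {GUESS_WINDOW}"))
        elif ev["id"] == 539:
            alerts.append((when, user, "locked account",
                           "logon attempt against a locked-out account"))
        elif ev["id"] in (530, 533, 534):
            alerts.append((when, user, "policy violation", reason))
        elif ev["id"] in (536, 537):
            alerts.append((when, user, "system problem", reason))
        # 531, 532, 535: disabled/expired accounts and expired passwords are
        # informational here; the guide's advice is to contact the user.
    return alerts


def count_by_category(alerts):
    """Summarise alerts as {category: count}."""
    counts = defaultdict(int)
    for _, _, category, _ in alerts:
        counts[category] += 1
    return dict(counts)


# Constructed sample log (not real data): six bad passwords for one account, two
# attempts against the now locked-out account, one typo, an after-hours attempt,
# and a Net Logon failure for a service account.
SAMPLE_LOG = [
    "2001-04-02T08:01:00|529|jsmith|WS01",
    "2001-04-02T08:01:05|529|jsmith|WS01",
    "2001-04-02T08:01:10|529|jsmith|WS01",
    "2001-04-02T08:01:15|529|jsmith|WS01",
    "2001-04-02T08:01:20|529|jsmith|WS01",
    "2001-04-02T08:01:25|529|jsmith|WS01",
    "2001-04-02T08:02:00|539|jsmith|WS01",
    "2001-04-02T08:02:30|539|jsmith|WS01",
    "2001-04-02T09:00:00|529|mlee|WS07",
    "2001-04-02T23:30:00|530|mlee|WS07",
    "2001-04-02T23:31:00|536|svc_backup|SRV01",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(*alert)
    print(count_by_category(triage(SAMPLE_LOG)))
```

On the sample the sixth bad password for jsmith raises the guessing alert, each of the two later attempts against the locked account raises its own alert, and the single typo by mlee raises nothing, which is the behaviour the lockout policy in these entries is meant to produce.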
Failed login attempt when net logon is not active (Failed_login-net_logon_not_active)
About this signature or vulnerability
This signature detects a Windows security log message indicating that a user has
attempted a net logon while the Net Logon service is not active.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
The Net Logon service operates by pass-through authentication of account logons and
may be used when the system is part of a domain. This requires the Net Logon service to
be running. This event message is generated when a user attempts a net logon while the
Net Logon service is not active.
Very commonly, an installation may choose not to use the Net Logon service. A potential
attacker may not know this and attempt remote logon while probing for a point of entry.
How to remove this vulnerability
If you have chosen to not use the Net Logon service, this event can be a good indicator of
suspect access attempts. If this is the case, investigate the account from which these
attempts originate. If you do use the Net Logon service, then this event message is an
indication that something has caused the Net Logon service to fail, and legitimate users
are being denied access.
References
ISS X-Force
Failed login attempt when net logon is not active
http://xforce.iss.net/static/1514.php
Login attempt by user not authorized for console login (Failed_login-not_authorized_for_console_login)
About this signature or vulnerability
This signature detects a Windows security log message indicating that a user without
local login privileges has attempted and failed to log on to the system.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
Any time a user attempts to log in to the system and fails to do so, an event message is
written into the Windows NT security log. The right to log in to a system locally (at its
console) is a special user right granted by the administrator. This event indicates a user
has attempted to log in to a system locally and has not been granted this right.
Typically the right to log in to a system's console is restricted to the primary user of that
system or the administrator of that system. This is especially true for a system acting as a
network server. Unauthorized attempts to log in at a system's console are particularly
suspicious.
How to remove this vulnerability
The right to log on to a system locally is a specially-granted user right. It is prudent to
only grant this right to users who have a specific, valid need to log on to the system. Grant
individuals the right to log on to their workstations, but grant the logon rights to servers
only to administrators and users with a specific, valid need to do so. These rights are
granted through the Windows NT User Manager Utility.
References
ISS X-Force
Login attempt by user not authorized for console login
http://xforce.iss.net/static/1512.php
Failed login attempt by user without the right to access the computer from the network (Failed_login-not_authorized_for_this_type_of_login)
About this signature or vulnerability
This signature detects a Windows security log message indicating that a user without
remote login privileges has attempted and failed to log on to the system.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
Any time a user attempts to log in to the system and fails to do so, an event message is
written into the Windows NT security log. The right to log in to a system from the
network is a special user right granted by the administrator. This event indicates a user
who has not been granted this right has attempted to log in to a system remotely.
Typically the right to log in to a system from the network is assigned to the Everyone
group. This is especially true for a system acting as a network server. If network access to
a system has been restricted, unauthorized attempts to log in to the system from the
network may be suspicious.
How to remove this vulnerability
The right to log on to a system remotely is normally granted to the Everyone group. If
there is a need to restrict access to a system from the network, this right can be restricted
to privileged individuals only. These rights are granted through the Windows NT User
Manager Utility.
References
Microsoft Knowledge Base Article Q159930
Event ID 534 In The Security Log
http://support.microsoft.com/support/kb/articles/Q159/9/30.asp
ISS X-Force
Failed login attempt by user without the right to access the computer from the network
http://xforce.iss.net/static/1513.php
Failed login with an expired password (Failed_login-password_expired)
About this signature or vulnerability
This signature detects a Windows security log message indicating that a logon has failed
due to use of an expired password.
Default risk level
Low
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
Any time a user attempts to log in to the system and fails to do so, an event message is
written into the Windows NT security log. An expired password will require the user to
enter a new password in order to continue the login process.
Choosing to have user passwords expire encourages users to change their passwords
frequently. In the event that an attacker is able to access a legitimate user account,
frequent password changes can limit the number of days an attacker is able to use the
account.
How to remove this vulnerability
To discourage a would-be intruder, implement a policy that watches for failed logins
directly. Set the account policy in the Windows NT User Manager utility to expire
passwords once every 60 days.
References
ISS X-Force
Failed login with an expired password
http://xforce.iss.net/static/1506.php
Failed login attempt during restricted access hours (Failed_login-time_restriction_violation)
About this signature or vulnerability
This signature detects a Windows security log message indicating that a user has
attempted and failed to log on to the system during restricted access hours.
Default risk level
Low
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
Any time a user attempts to log on to the system and fails to do so, an event message is
written into the Windows NT security log. A time restriction violation occurs when a user
tries to log on before or after the hours that that user is allowed to access the system.
A user (or an attacker assuming the identity of a legitimate user) may attempt access at
off-hours. Failed attempts to log in during off-hours are suspicious.
How to remove this vulnerability
To discourage a would-be intruder, implement a policy that restricts the access times of
user accounts to only those hours that the user requires. It is reasonable to grant 24x7 hour
access to users who actually require it. However, broad access times should be granted
sparingly. You can set the hours of access from the Account Properties window in the
Windows NT User Manager for domains.
References
ISS X-Force
Failed login attempt during restricted access hours
http://xforce.iss.net/static/1501.php
Login attempt failed for an unknown reason (Failed_login-unknown_error)
About this signature or vulnerability
This signature detects a Windows security log message indicating that a user has
attempted to log in and been denied access for an unknown reason.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
A user has attempted to log in and been denied access for an unknown reason. This event
most likely indicates a system problem or a software failure, rather than intrusion or
misuse.
How to remove this vulnerability
Determine why the user was denied access to the system. Check the system in question
for software problems and determine if the account database has been corrupted.
References
ISS X-Force
Login attempt failed for an unknown reason
http://xforce.iss.net/static/1515.php
Finger bomb recursive request (Finger_Bomb)
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
Finger Service
Type
Denial of Service
Vulnerability description
The system is vulnerable to a Finger Bomb attack. A Finger Bomb attack allows an
attacker to disrupt your network using the redirection capability in the finger daemon.
Some finger daemons allow redirecting a finger request to remote sites using the form
finger username@hostname1@hostname2. The finger goes through hostname2, then to
hostname1. This technique allows an attacker to conceal his presence, because hostname1
sees a finger coming from hostname2 instead of from the original service used by the
attacker. Attackers have used this technique to penetrate improperly configured firewalls.
This can happen by using the command finger user@host@firewall.
An attacker could also use a recursive finger, such as finger
username@hostname@hostname@hostname. Finger then calls itself repeatedly, using
increasing amounts of the system's resources until the system has consumed all its
resources. A similar denial of service attack may happen when an attacker types finger
username@@@@@@@@@@@@@@@@@@@@@hostname1. The repeated @ causes finger to
repeatedly finger the same system until the memory and hard drive swap space are
consumed. This causes the system to stop or slow to an unusable speed.
How to remove this vulnerability
Disable finger, or install a version of finger that turns off redirection. GNU Finger can be
configured to not allow redirection.
In Unix: Disable the finger daemon. To disable a Unix daemon started from inetd:
1. Edit the /etc/inetd.conf (or equivalent) file.
2. Locate the line that controls the daemon.
3. Type a # at the beginning of the line to comment out the daemon.
4. Restart inetd.
— OR —
To turn off finger redirection, Unix systems can use GNU finger available from the GNU
finger 1.37 download site. See References.
Windows: Fingerd is not native to Windows, but may be present. To disable fingerd:
1. Open the Services control panel. From the Windows NT Start menu, select Settings,
Control Panel, Services.
2. Select the service.
3. Click Stop.
4. When the service has stopped, click Startup.
5. Choose one of these options:
■ To permanently disable the service, click Disabled.
■ To turn the service off unless manually activated by the user or a program, click
Manual.
6. Click OK, then click Close.
References
FTP directory /pub/gnu/finger/ at prep.ai.mit.edu
GNU finger 1.37 download
ftp://prep.ai.mit.edu/gnu/finger/
NetworkICE AdvICE Database
finger bomb
http://www.toyo.co.jp/security/ice/advice_old/Exploits/Services/finger/finger_bomb/default.htm
ISS X-Force
Finger bomb recursive request
http://xforce.iss.net/static/47.php
Finger perl attempt (Finger_Perl)
Additional Vulnerabilities Found
■ dgux-fingerd
■ perl-fingerd
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 2.0, RealSecure Server Sensor: 5.5.2
Systems affected
Perl fingerd: Old Versions
Type
Unauthorized Access Attempt
Vulnerability description
A finger request to a vulnerable Perl finger daemon could be used to execute arbitrary commands.
How to remove this vulnerability
Upgrade to the most recent version of the Perl finger daemon. This vulnerability existed
in the Perl finger daemon through version 0.2. Later versions should have corrected this
problem. See perl-fingerd.
For DG/UX fingerd, obtain the appropriate patch for your system, available from Data
General. This problem has been reported as fixed in revision R4.11MU03 and later of
DG/UX. See dgux-fingerd.
References
ISS X-Force
Finger perl attempt
http://xforce.iss.net/static/4190.php
Finger buffer overflow allows root access (Finger_RTM)
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
BSD/OS: 2.x and earlier
Type
Unauthorized Access Attempt
Vulnerability description
Finger is a program used to discover the name associated with an email address, as well
as other user information. The finger service is vulnerable to a buffer overflow. A remote
attacker can overflow a buffer and execute arbitrary code on the system. This
vulnerability could allow a remote attacker to gain root access. This vulnerability is
named for Robert T. Morris, author of the Internet Worm that originally popularized this
vulnerability.
How to remove this vulnerability
Upgrade to the latest version of your operating system. Consider disabling the finger
service, which has a number of known vulnerabilities in addition to this buffer overflow.
References
Bill Maloy's Web site
Morris Worm
http://www.goldinc.com/html/maloy/SECURITY/morris_worm.html
COAST Security FTP Archive
Morris Worm article archive
ftp://coast.cs.purdue.edu/pub/doc/morris_worm
ISS X-Force
Finger buffer overflow allows root access
http://xforce.iss.net/static/641.php
Finger user (Finger_User)
About this signature or vulnerability
This signature detects finger attempts and reports the user (or all users if the attempt was
aimed at the whole computer) that the finger targeted.
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5.2
Systems affected
Finger Service
Type
Protocol Signature
Vulnerability description
Finger is a program used to discover the name associated with an email address, as well
as other user information. Finger has a legitimate use, but is also often used by attackers to
acquire information about a computer, such as account names, real names, and trusted
hosts. Multiple finger requests in a short time period suggest brute force username or
password guessing by an attacker.
How to remove this vulnerability
Determine if there have been other finger events from this same source address. A
significant number of events (for example, more than 6) in a short time period (a minute)
may indicate a username or password guessing attack by the source. Monitor this source
closely for other signs of malicious intent, and block access for that address if this
behavior continues.
References
ISS X-Force
Finger user
http://xforce.iss.net/static/646.php
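The two finger entries above (Finger_Bomb and Finger_User) describe what a monitor should look for in the request itself (a forwarded user@host query, or the repeated @ of a recursive request) and in the request rate (more than about six requests from one source within a minute). The Python below is an added example, not code from the guide or from RealSecure: it classifies each finger query by its RFC 1288 syntax and keeps a per-source sliding window to spot bursts. The request records and source addresses are constructed, and the monitor is assumed to be fed by whatever captures the finger port.

```python
"""Classify finger queries and detect request bursts per source (added example)."""
from collections import defaultdict, deque

BURST_COUNT = 6       # the guide's rule of thumb: more than 6 requests ...
BURST_WINDOW = 60.0   # ... within one minute from the same source address


def classify_query(query):
    """Classify one finger query (RFC 1288 syntax: optional /W, then user[@host[@host...]])."""
    q = query.strip()
    if q.upper().startswith("/W"):
        q = q[2:].strip()                 # verbose flag, not part of the target
    hops = q.count("@")
    if hops == 0:
        return "user" if q else "list-all"  # an empty query asks for all logged-in users
    if hops == 1:
        return "forward"                     # user@host: relayed to another host
    return "bomb"                            # repeated @: the recursive/relay request


class FingerMonitor:
    """Keeps recent request times per source and raises alerts."""

    def __init__(self):
        self.history = defaultdict(deque)    # source -> recent request times (seconds)

    def observe(self, ts, source, query):
        """Record one request; return a list of (source, alert_type, detail) alerts."""
        alerts = []
        kind = classify_query(query)
        if kind in ("forward", "bomb"):
            alerts.append((source, kind, query))
        window = self.history[source]
        window.append(ts)
        while window and ts - window[0] > BURST_WINDOW:
            window.popleft()                 # drop requests older than the window
        if len(window) > BURST_COUNT:
            alerts.append((source, "burst",
                           f"{len(window)} requests in {BURST_WINDOW:.0f}s"))
        return alerts


def run(requests):
    """Feed (seconds, source, query) records through one monitor; return all alerts."""
    monitor = FingerMonitor()
    alerts = []
    for ts, source, query in requests:
        alerts.extend(monitor.observe(ts, source, query))
    return alerts


# Constructed sample traffic (not a capture): one source walks through account names
# quickly, another sends a forwarded query and a recursive one, then the first source
# returns after the window has expired.
SAMPLE_REQUESTS = [
    (0.0, "10.0.0.5", "alice"),
    (1.0, "10.0.0.5", "bob"),
    (2.0, "10.0.0.5", ""),
    (3.0, "10.0.0.5", "root"),
    (4.0, "10.0.0.5", "admin"),
    (5.0, "10.0.0.5", "guest"),
    (6.0, "10.0.0.5", "operator"),
    (7.0, "10.0.0.5", "/W postmaster"),
    (100.0, "192.0.2.9", "alice@mail.example.com"),
    (101.0, "192.0.2.9", "x@@@@@@host.example.com"),
    (200.0, "10.0.0.5", "carol"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_REQUESTS):
        print(*alert)
```

The burst rule fires on the seventh and eighth requests from 10.0.0.5 but not on the later one at 200 seconds, which is the "significant number of events in a short time period" distinction the Finger_User entry draws; the relay and recursive queries are flagged on their first appearance regardless of rate.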
Forced Entry backdoor for Windows (ForcedEntry)
About this signature or vulnerability
This signature detects a TCP connection on port 9999 to a Forced Entry backdoor on your
network.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability description
The Forced Entry backdoor is one of many backdoor programs that attackers can use to
access your computer system without your knowledge or consent. With the Forced Entry
backdoor, an attacker can do the following:
● establish a telnet connection to your computer
● access files
● access your system registry
How to remove this vulnerability
To remove the Forced Entry backdoor from your computer:
1. Open C:\Windows\WIN.INI.
2. Find the line run=msreg32.exe.
3. Delete that line.
4. Delete Msreg32.exe from C:\Windows\System.
References
ISS X-Force
Forced Entry backdoor for Windows
http://xforce.iss.net/static/2387.php
Fore backdoor for Windows 95/98 (Fore)
About this signature or vulnerability
This signature detects a TCP connection on port 50766 to a Fore backdoor on your
network.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability description
The Fore backdoor is one of many backdoor programs that attackers can use to access
your computer system without your knowledge or consent. With the Fore backdoor, an
attacker can do the following:
● execute programs
● retrieve system information
● restart the computer
● retrieve Dial-Up Networking accounts and passwords
● create, retrieve, and manipulate files using a built-in FTP server
● open and close your CD-ROM drive
How to remove this vulnerability
To remove the Fore backdoor from your computer, find and delete Fore.exe.
References
SECURED anti-trojan Web site
F0re beta
http://anti-trojan.virtualave.net/page35.html
ISS X-Force
Fore backdoor for Windows 95/98
http://xforce.iss.net/static/3354.php
Freak88 allows a remote attacker to coordinate small-scale DDoS attacks (Freak88)
About this signature or vulnerability
This signature detects a command being sent from TCP port 7001 to a Freak88 server
program on your network.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: XPU 2.1
Systems affected
Windows NT: 4.0, Windows 2000
Type
Unauthorized Access Attempt
Vulnerability description
Freak88 is a simple server program that allows attackers to use compromised systems
as "zombies" for larger distributed denial of service (DDoS) attacks. Once installed on a
system, a remote attacker can connect to the server and instruct it to launch a Ping flood
against a specified IP address. An attack cannot be stopped by the attacker once it has
been launched.
How to remove this vulnerability
To remove the Freak88 server from your computer:
1. Open the Task Manager. In Windows NT, press Ctrl+Alt+Del, and then click the Task
Manager button.
2. Select the PROJECT1 program from the list.
3. Click the End Task button.
Freak88 does not write to the registry or any other files, and it does not restart after its
initial invocation.
References
TL Security Web site
Freak88
http://www.tlsecurity.net/backdoor/freak88.htm
ISS X-Force
Freak88 allows a remote attacker to coordinate small-scale DDoS attacks
http://xforce.iss.net/static/4850.php
Frenzy backdoor for Windows 95/98 (Frenzy)
About this signature or vulnerability
This signature detects a TCP connection on port 1257 to a Frenzy backdoor on your
network.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability description
The Frenzy backdoor is one of many backdoor programs that attackers can use to access
your computer system without your knowledge or consent. With the Frenzy backdoor, an
attacker can do the following:
● open and close your CD-ROM drive
● make your computer beep
● hide the taskbar
● move your mouse pointer
● restart your computer
How to remove this vulnerability
To remove the Frenzy backdoor from your computer:
1. Using Regedit, find the HKLM\Software\Microsoft\Windows\CurrentVersion\Run
registry key.
2. Find the registry entry named Explore that has a data value of
C:\Windows\Msgsrv36.exe.
3. Delete this registry entry.
4. Delete Msgsrv36.exe from C:\Windows.
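The manual removal steps for Forced Entry (the run= line in WIN.INI) and Frenzy (the Explore value under the CurrentVersion\Run key) both come down to auditing Windows 9x autostart locations. The Python below is an added example, not part of the guide: it parses a constructed WIN.INI extract and a constructed REGEDIT4-style export of the Run key and reports any entry whose executable matches the two file names the guide gives. The sample file contents are constructed; the indicator names msreg32.exe and Msgsrv36.exe come from the entries above, and in practice the inputs would be the real WIN.INI and a regedit export taken from the machine under review.

```python
"""Audit Windows 9x autostart locations for the backdoor file names above (added example)."""
import re

# Indicator file names taken from the guide's removal steps (case-insensitive match).
INDICATORS = {"msreg32.exe": "Forced Entry", "msgsrv36.exe": "Frenzy"}


def autostart_from_win_ini(text):
    """Yield (location, program) for each program on run= / load= lines of [windows]."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in ("run", "load"):
                # WIN.INI separates multiple programs with spaces or commas.
                for item in re.split(r"[ ,]+", value.strip()):
                    if item:
                        yield ("WIN.INI " + key, item)


def autostart_from_reg_export(text):
    """Yield (location, command) for each value in a .reg export of ...\\CurrentVersion\\Run."""
    in_run = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith("\\currentversion\\run")
            continue
        if in_run:
            match = re.match(r'"([^"]+)"="(.*)"$', line)
            if match:
                # .reg files double every backslash inside string values.
                yield ("Run\\" + match.group(1), match.group(2).replace("\\\\", "\\"))


def find_indicators(win_ini_text, reg_text):
    """Return [(backdoor_name, location, command)] for autostart entries naming an indicator."""
    hits = []
    entries = list(autostart_from_win_ini(win_ini_text)) + list(autostart_from_reg_export(reg_text))
    for location, command in entries:
        exe = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in INDICATORS:
            hits.append((INDICATORS[exe], location, command))
    return hits


# Constructed sample inputs (not taken from a real machine).
SAMPLE_WIN_INI = """[windows]
load=
run=msreg32.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Explore"="C:\\Windows\\Msgsrv36.exe"
"""

if __name__ == "__main__":
    for name, location, command in find_indicators(SAMPLE_WIN_INI, SAMPLE_REG):
        print(f"{name}: {location} -> {command}")
```

Both indicators are reported from the sample while the legitimate SystemTray value is not; deleting the matching line or value and the file itself is then exactly the procedure the two entries describe.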
References
ISS X-Force
Frenzy backdoor for Windows 95/98
http://xforce.iss.net/static/3100.php
FSP daemon running (FSP_Detected)
False positives
RealSecure Network Sensor: The majority of FSP activity should be considered
suspicious, but there may occasionally be legitimate uses.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 3.1
Systems affected
Any, Solaris: 2.5.1, Solaris: 2.6, HP-UX: 10.20, Solaris: 7, Red Hat Linux: 6.0, Solaris: 8, AIX:
4.0, HP-UX: 11, Compaq: Tru64 UNIX
Type
Unauthorized Access Attempt
Vulnerability description
A File Service Protocol (FSP) server has been detected as running. FSP is an alternative to
FTP that transfers files using User Datagram Protocol (UDP). The majority of FSP activity
should be considered suspicious. Use of FSP could allow an attacker to overwrite files.
How to remove this vulnerability
Investigate the FSP server and determine if its presence is legitimate. Remove the FSP
server if it is not needed.
Solaris: 2.5.1, Solaris: 2.6, Solaris: 7, Solaris: 8, HP-UX: 10.20, HP-UX: 11, Red Hat Linux: 6.0, AIX: 4.0
Check to ensure that the specified user is authorized to run an FSP server on the system.
Compaq: Tru64 UNIX
Investigate the FSP server and determine if its presence is legitimate. Remove the FSP
server if it is not needed.
References
Internet FAQ Archives
File Service Protocol (FSP) Frequently Asked Questions
http://www.faqs.org/faqs/fsp-faq/
ISS X-Force
FSP daemon running
http://xforce.iss.net/static/304.php
FTGate Web interface allows remote attackers to read files from the system (HTTP_DotDot)
About this signature or vulnerability
This vulnerability is detected by the HTTP_DotDot signature.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 1.0
Systems affected
FTGate
Type
Unauthorized Access Attempt
Vulnerability description
Floosietek FTGate is a mail server for Windows 95, Windows 98, and Windows NT 4.0.
FTGate 2.1 features a built-in Web server that allows administrators to use a Web browser
to check the status of the mail server. A vulnerability in the FTGate Web interface could
allow an attacker to use "dot dot" (/../) sequences to traverse directories and retrieve
arbitrary files on the server.
How to remove this vulnerability
No remedy available as of April 2001. As a workaround, disable the FTGate Web
interface.
References
Floosietek Ltd. Web site
FTGate Mail Server Homepage
http://www.floosietek.com/
eEye Digital Security Team Alert AD05261999
Multiple Web Interface Security Holes
http://www.eeye.com/html/Research/Advisories/AD19990526.html
ISS X-Force
FTGate Web interface allows remote attackers to read files from the system
http://xforce.iss.net/static/2241.php
CVE
CVE-1999-0887
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0887
AIX ftpd daemon buffer overflow (FTP_AIX_Overflow)
About this signature or vulnerability
This signature detects a specific FTP command that could overflow a buffer in the AIX
ftpd daemon.
False negatives
RealSecure Network Sensor: RealSecure detects this attack when an attacker uses the
exploit that was publicly released for this overflow attack. A false negative is possible if an
attacker attempts to exploit this buffer overflow using code other than the published shell
code.
RealSecure Server Sensor: RealSecure detects this attack when an attacker uses the
exploit that was publicly released for this overflow attack. A false negative is possible if an
attacker attempts to exploit this buffer overflow using code other than the published shell
code.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: SR 1.1, RealSecure Server Sensor: 5.5.2
Systems affected
AIX: 4.3
Type
Unauthorized Access Attempt
Vulnerability description
Version 4.3 of the IBM AIX ftpd daemon is vulnerable to a buffer overflow. By using a
specially formatted FTP command, a remote attacker can overflow a buffer in the ftpd
daemon and execute arbitrary code on the system as root.
How to remove this vulnerability
Apply AIX APAR IY04477, or the temporary fix, as listed in IBM Emergency Response
Service Security Vulnerability Alert ERS-SVA-E01-1999:004.1. See References.
References
IBM Emergency Response Service Security Vulnerability Alert ERS-SVA-E01-1999:004.1
Remote buffer overflow in ftpd daemon
http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/C246FD0FCD6FB7988525680F0077E2E9/$file/sva004.txt
CIAC Information Bulletin J-072
IBM AIX Buffer Overflow Vulnerability
http://www.ciac.org/ciac/bulletins/j-072.shtml
BugTraq Mailing List, Mon Sep 27 1999 23:03:18
Remote bufferoverflow exploit for ftpd from AIX 4.3.2 running on an RS6000
http://www.securityfocus.com/archive/1/28906
ISS X-Force
AIX ftpd daemon buffer overflow
http://xforce.iss.net/static/3758.php
CVE
CVE-1999-0789
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0789
Ftpd args core dump (FTP_Args)
About this signature or vulnerability
This signature detects a specially-crafted command sent to the FTP daemon, which could
indicate an attempt by an attacker to overflow the ftpd memory space and crash the
system.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 2.0, RealSecure Server Sensor: 5.5
Systems affected
FTP
Type
Unauthorized Access Attempt
Vulnerability description
Some FTP daemons are vulnerable to a denial of service attack caused by a buffer
overflow core dump. By sending a malicious command to the FTP daemon, an attacker
can overflow the ftpd memory space (an FTP core dump) and crash the system. FTP core
dumps cause the ftpd memory space to become populated with usernames, encrypted
passwords, or other system information that could be useful to an attacker in performing
an attack. For example, using password information gained by this vulnerability, a remote
attacker could log into the system or gain root access.
How to remove this vulnerability
Upgrade to the latest version of FTP (2.4.2 or later), available from the Academ Consulting
Services Web site. See References.
References
Academ Consulting Services Web site
WU-FTP Server Software Release Information
http://ftp.academ.com/academ/wu-ftpd/release.html
ISS X-Force
Ftpd args core dump
http://xforce.iss.net/static/201.php
FTP bounce attack could allow attackers to 'proxy' connections (FTP_Bounce)
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 2.5, RealSecure Server Sensor: 5.5
Systems affected
FTP
Type
Unauthorized Access Attempt
Vulnerability description
A normal FTP session occurs by establishing a connection to the FTP control port (TCP
port 21). Once this control channel is established, any files to be sent are transferred using
a separate connection (the data connection). This is done by the FTP client sending a
PORT command containing the IP address and port that it will listen for a TCP connection
on. The FTP server then connects back to that port and transfers the file. (There is also a
mechanism called Passive FTP whereby the client connects to the server instead, but this
method is not involved in this form of attack.) By specifying a different IP address than its
own, an FTP client can trick some FTP servers into making a connection and sending data
to another host on the network; that host will look like it is being probed or attacked by
the FTP server when in fact it is the FTP client that is indirectly attacking it.
This can mask an attacker's identity in attacking a network. It is also possible that an
attacker could use this vulnerability to bypass some poorly configured packet filters or
firewalls. For example, if the mail server allows telnet connections from an internal FTP
server but not from external hosts on the Internet, an attacker may be able to connect to
the telnet port on the SMTP server by "bouncing" through the FTP server.
How to remove this
vulnerability
Upgrade to the latest version of your FTP server, which should include fixes for this
problem.
References
Academ Consulting Services Web site
WU-FTP Server Software Release Information
http://ftp.academ.com/academ/wu-ftpd/release.html
CERT Advisory CA-1997-27
FTP Bounce
http://www.cert.org/advisories/CA-1997-27.html
Hewlett-Packard Security Bulletin HPSBUX9511-028
Security Vulnerability in FTP
http://us-support.external.hp.com/index.html
ISS X-Force
FTP bounce attack could allow attackers to 'proxy' connections
http://xforce.iss.net/static/199.php
CVE
CVE-1999-0017
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0017
FTP server command contains format string
(FTP_Format_String)
About this
signature or
vulnerability
This signature detects an FTP protocol command with an argument that contains a
'printf()-style' format specifier. This event is highly indicative of an attacker's attempt to
crash or otherwise execute code on a vulnerable FTP server, although it does not indicate
whether or not the attack was successful. The command executed will be listed in the
Command information field, along with its arguments.
Additional
Vulnerabilities
Found
■ wuftp-format-string-stack-overwrite
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2, RealSecure Server Sensor: 6.5
Systems affected
FTP
Type
Suspicious Activity
Vulnerability
description
FTP (File Transfer Protocol) is a TCP-based protocol for transferring files between
systems. Many FTP servers, such as earlier versions of wu-ftpd (Washington University
FTP daemon), are vulnerable to format string attacks. In a format string attack, a remote
attacker sends printf()-style format specifiers as arguments to certain commands. When a
vulnerable FTP server attempts to process data that contains such format strings, the data
can overwrite or corrupt portions of the stack. This type of attack could lead to system
failure or allow an attacker to execute arbitrary code on your FTP server.
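As an added illustration (not code from the guide or from the RealSecure sensor), the Python below shows how a detector for this signature can recognise printf()-style specifiers in FTP command arguments and report the command and its arguments, as the Command information field does. The regular expression, the helper names and the sample traffic are my own constructions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One printf()-style conversion: % flags width .precision length-modifier conversion.
# (Assumed pattern; it covers the common C conversions.)
_FORMAT_SPEC = re.compile(
    r"%[-+ 0#]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|L|q|j|z|t)?[diouxXeEfgGaAcspn]"
)


@dataclass
class FormatStringHit:
    command: str        # the FTP verb, as shown in the Command information field
    argument: str       # its full argument string
    specifiers: List[str]


def split_ftp_command(line: str):
    """Split one control-channel line into (VERB, argument)."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    return verb.upper(), arg


def check_format_string(line: str) -> Optional[FormatStringHit]:
    """Return a hit if the argument carries a printf()-style specifier, else None."""
    verb, arg = split_ftp_command(line)
    if not arg:
        return None
    # '%%' is a literal percent sign, not a conversion; drop pairs before matching.
    specs = _FORMAT_SPEC.findall(arg.replace("%%", ""))
    if not specs:
        return None
    return FormatStringHit(command=verb, argument=arg, specifiers=specs)


def scan_session(lines) -> List[FormatStringHit]:
    """Run the check over client-to-server lines and collect the hits."""
    hits = []
    for line in lines:
        hit = check_format_string(line)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample traffic (not taken from the guide).
SAMPLE_LINES = [
    "USER anonymous",
    "PASS guest@example.com",
    "CWD /pub/100%%done",     # literal '%%' only: no alert
    "SITE EXEC %s%s%s%s",     # specifiers in a SITE argument: alert
    "RETR report-%s.txt",     # specifier inside a file name: alert
    "QUIT",
]

if __name__ == "__main__":
    for hit in scan_session(SAMPLE_LINES):
        print(f"FTP_Format_String: {hit.command} {hit.argument!r} -> {hit.specifiers}")
```

Percent-encoded names such as file%20name.txt contain sequences that are syntactically valid specifiers (%20n), so expect to tune the check against that kind of traffic.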
How to remove this
vulnerability
Not all FTP servers are vulnerable to format string attacks. Contact your FTP server
vendor to determine if your system is vulnerable to a format string attack. Upgrade to the
latest version of your FTP server software, and apply any patches or updates that correct
format string vulnerabilities.
References
ISS X-Force
FTP server command contains format string
http://xforce.iss.net/static/6182.php
FTP get file (FTP_Get)
About this
signature or
vulnerability
This signature detects FTP GET requests to download files from an FTP server. This
signature will report all files that are being transferred to the source host over FTP. In
combination with the other FTP signatures, this signature can construct a log of all FTP
activity, including date, time, username, and the names of the files transferred.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5.2
Systems affected
FTP
Type
Protocol Signature
Vulnerability
description
In File Transfer Protocol (FTP), files being transferred from the destination host to the
source host use a GET (technically, RECV) command to transfer the files. Such file transfer
activity can be examined for compliance with your organization's acceptable use policies,
or for suspicion of unauthorized disclosure of sensitive information.
How to remove this
vulnerability
Determine the intent of the user in question if this file transfer activity is suspicious or is
not in compliance with your organization's acceptable use policies.
References
ISS X-Force
FTP get file
http://xforce.iss.net/static/647.php
Multiple FTP servers glob(3) expansion buffer overflow
(FTP_Glob_Expansion)
About this
signature or
vulnerability
This signature detects a specially formatted FTP request whose first character is a tilde (~)
and contains metacharacters (such as ~^$.|*+?()[]{}). Such an FTP request could indicate
an attacker's attempt to overflow a buffer and execute arbitrary code on the FTP server.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.3
Systems affected
HP-UX: 11.00, NetBSD, Solaris: 8, IRIX: 6.5.x, OpenBSD: 2.8, FreeBSD: 4.2, MIT Kerberos 5,
Caldera UnixWare: 7
Type
Unauthorized Access Attempt
Vulnerability
description
Multiple FTP servers are vulnerable to a buffer overflow in the glob(3) function. The
glob(3) function is used to expand short-hand notation into complete file names. By
sending to the FTP server a request containing a tilde (~) as its first character with other
wildcard characters in the pathname string, a remote attacker can overflow a buffer and
execute arbitrary code on the FTP server to gain root privileges. Once the request is
processed, the glob(3) function expands the user input, which could exceed the expected
length. In order to exploit this vulnerability, the attacker must be able to create directories
on the FTP server.
How to remove this
vulnerability
For FreeBSD 4.2:
Upgrade to the latest version of FreeBSD (FreeBSD 4.2-STABLE, FreeBSD 5.0-CURRENT,
or later), as listed in CERT Advisory CA-2001-07. See References.
For Fujitsu UXP/V:
Apply the appropriate patch for your system, as listed in CERT Advisory CA-2001-07.
See References.
For NetBSD 1.4:
Upgrade to the latest version of NetBSD (NetBSD-RELEASE-1-4 dated 4-04-2001 or later),
as listed in NetBSD Security Advisory 2001-005. See References.
For NetBSD 1.5:
Upgrade to the latest version of NetBSD (NetBSD-RELEASE-1-5 dated 4-04-2001 or later),
as listed in NetBSD Security Advisory 2001-005. See References.
For NetBSD-Current:
Upgrade to the latest version of NetBSD (NetBSD-Current dated 4-03-2001 or later), as
listed in NetBSD Security Advisory 2001-005. See References.
For Caldera UnixWare 7:
Apply the appropriate patch for your system, as listed in Caldera International, Inc.
Security Advisory CSSA-2001-SCO.27. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References
Network Associates, Inc. COVERT Labs Security Advisory #48
Globbing Vulnerabilities in Multiple FTP Daemons
http://www.pgp.com/research/covert/advisories/048.asp
CERT Advisory CA-2001-07
File Globbing Vulnerabilities in Various FTP Servers
http://www.cert.org/advisories/CA-2001-07.html
NetBSD Security Advisory 2001-005 (from SecurityFocus Archive)
Ftpd denial of service and remote buffer overflow
http://www.securityfocus.com/advisories/3207
FreeBSD, Inc. Security Advisory FreeBSD-SA-01:33
globbing vulnerability in ftpd
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:33.ftpdglob.v1.1.asc
Kerberos Security Advisory 2001-04-25
KRB5 FTPD BUFFER OVERFLOWS
http://web.mit.edu/kerberos/www/advisories/ftpbuf.txt
CERT Vulnerability Note VU#808552
Multiple ftpd implementations contain buffer overflows
http://www.kb.cert.org/vuls/id/808552
NetBSD Security Advisory 2000-018
One-byte buffer overrun in ftpd
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000018.txt.asc
CIAC Information Bulletin L-070A
FTP Filename Expansion Vulnerability
http://www.ciac.org/ciac/bulletins/l-070.shtml
CIAC Information Bulletin L-135
SGI File Globbing Vulnerability in ftpd
http://www.ciac.org/ciac/bulletins/l-135.shtml
SGI Security Advisory 20010802-01-P
File globbing vulnerability in ftpd
ftp://patches.sgi.com/support/free/security/advisories/20010802-01-P
CIAC Information Bulletin L-129
Sun in.ftpd Filename Expansion Vulnerability
http://www.ciac.org/ciac/bulletins/l-129.shtml
Sun Microsystems, Inc. Security Bulletin #00205
in.ftpd
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/205&type=0&nav=sec.sba
Caldera International, Inc. Security Advisory CSSA-2001-SCO.27
UnixWare 7: ftpd glob security
ftp://stage.caldera.com/pub/security/unixware/CSSA-2001-SCO.27/CSSA-2001SCO.27.txt
ISS X-Force
Multiple FTP servers glob(3) expansion buffer overflow
http://xforce.iss.net/static/6332.php
CVE
CAN-2001-0249
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0249
Multiple FTP servers glob(3) implementation buffer overflow
(FTP_Glob_Implementation)
About this
signature or
vulnerability
This signature detects a specially formatted pattern string containing a set of brackets {}
followed by an overly long string. Such a pattern string could indicate an attacker's
attempt to overflow a buffer and execute arbitrary code on the FTP server.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.3
Systems affected
HP-UX: 11.00, NetBSD, Solaris: 8, IRIX: 6.5.x, OpenBSD: 2.8, FreeBSD: 4.2, Caldera
UnixWare: 7
Type
Unauthorized Access Attempt
Vulnerability
description
Multiple FTP servers employ a glob(3) function, which is used to expand shorthand
notation into complete file names. Implementations of the c-shell globbing code are
vulnerable to a buffer overflow. By supplying to the FTP server a pattern string containing
a set of brackets {} followed by an overly long string, a remote attacker can overflow a
buffer in the execbrc() function and execute arbitrary code on the FTP server. In order to
exploit this vulnerability, the attacker must be able to create directories on the FTP server.
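As an added example (not code from the guide), the Python below implements the two pattern checks described for FTP_Glob_Expansion and FTP_Glob_Implementation: a tilde as first character followed by further metacharacters, and a {} set followed by an overly long string. The guide gives no length for "overly long", so the 256-byte threshold, the helper names and the sample commands are assumptions.

```python
import re
from typing import Optional

# The metacharacters the FTP_Glob_Expansion entry lists: ~^$.|*+?()[]{}
GLOB_METACHARS = set("~^$.|*+?()[]{}")
# The guide gives no number for "overly long"; 256 bytes is an assumed threshold.
BRACE_LONG_THRESHOLD = 256

_BRACE_SET = re.compile(r"\{[^}]*\}")


def split_ftp_command(line: str):
    """Split one control-channel line into (VERB, argument)."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    return verb.upper(), arg


def matches_glob_expansion(arg: str) -> bool:
    """FTP_Glob_Expansion: first character is '~' and further metacharacters follow."""
    return arg.startswith("~") and any(ch in GLOB_METACHARS for ch in arg[1:])


def matches_glob_implementation(arg: str, threshold: int = BRACE_LONG_THRESHOLD) -> bool:
    """FTP_Glob_Implementation: a {} set followed by an overly long string."""
    m = _BRACE_SET.search(arg)
    return m is not None and len(arg) - m.end() >= threshold


def classify(line: str) -> Optional[str]:
    """Name the glob signature a command line triggers, or None."""
    _verb, arg = split_ftp_command(line)
    if not arg:
        return None
    if matches_glob_expansion(arg):
        return "FTP_Glob_Expansion"
    if matches_glob_implementation(arg):
        return "FTP_Glob_Implementation"
    return None


# Constructed sample commands (not from the guide).
SAMPLE_LINES = [
    "CWD ~ftp",                      # tilde shorthand without metacharacters: no alert
    "LIST ~/*.txt",                  # tilde plus '*' and '.': FTP_Glob_Expansion
    "CWD ~{" + "A" * 300 + "}",      # tilde first, so the expansion check wins
    "CWD {a,b}" + "B" * 300,         # brace set then 300 bytes: FTP_Glob_Implementation
    "RETR {x}short",                 # brace set but a short tail: no alert
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{classify(line) or '-':25} {line[:40]}")
```

Because '.' is on the guide's metacharacter list, a path such as ~user/file.txt also matches the expansion check; expect to tune it for sites where that is routine.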
How to remove this
vulnerability
For FreeBSD 4.2:
Upgrade to the latest version of FreeBSD (FreeBSD 5.0-CURRENT, FreeBSD 4.2-STABLE,
or FreeBSD 4.3-RELEASE, when it becomes available), as listed in CERT Advisory CA-2001-07.
See References.
For Fujitsu UXP/V:
Apply the appropriate patch for your system, as listed in CERT Advisory CA-2001-07.
See References.
For NetBSD 1.4:
Upgrade to the latest version of NetBSD (NetBSD-RELEASE-1-4 dated 4-04-2001 or later),
as listed in NetBSD Security Advisory 2001-005. See References.
For NetBSD 1.5:
Upgrade to the latest version of NetBSD (NetBSD-RELEASE-1-5 dated 4-04-2001 or later),
as listed in NetBSD Security Advisory 2001-005. See References.
For NetBSD-Current:
Upgrade to the latest version of NetBSD (NetBSD-Current dated 4-03-2001 or later), as
listed in NetBSD Security Advisory 2001-005. See References.
For Caldera UnixWare 7:
Apply the appropriate patch for your system, as listed in Caldera International, Inc.
Security Advisory CSSA-2001-SCO.27. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References
Network Associates, Inc. COVERT Labs Security Advisory #48
Globbing Vulnerabilities in Multiple FTP Daemons
http://www.pgp.com/research/covert/advisories/048.asp
CERT Advisory CA-2001-07
File Globbing Vulnerabilities in Various FTP Servers
http://www.cert.org/advisories/CA-2001-07.html
NetBSD Security Advisory 2001-005 (from SecurityFocus Archive)
Ftpd denial of service and remote buffer overflow
http://www.securityfocus.com/archive/1/175233
CIAC Information Bulletin L-129
Sun in.ftpd Filename Expansion Vulnerability
http://www.ciac.org/ciac/bulletins/l-129.shtml
Sun Microsystems, Inc. Security Bulletin #00205
in.ftpd
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/205&type=0&nav=sec.sba
Caldera International, Inc. Security Advisory CSSA-2001-SCO.27
UnixWare 7: ftpd glob security
ftp://stage.caldera.com/pub/security/unixware/CSSA-2001-SCO.27/CSSA-2001SCO.27.txt
Hewlett-Packard Security Bulletin HPSBUX0108-162
ftpd and ftp incorrectly manage buffers.
http://itrc.hp.com
CIAC Information Bulletin L-118
Hewlett-Packard ftpd and ftp Vulnerability
http://www.ciac.org/ciac/bulletins/l-118.shtml
ISS X-Force
Multiple FTP servers glob(3) implementation buffer overflow
http://xforce.iss.net/static/6333.php
FTP mkdir (FTP_Mkdir)
About this
signature or
vulnerability
This signature detects and records all user attempts to create new directories on an FTP
server, whether successful or not. In combination with the other FTP signatures, this
signature can construct a log of all FTP activity, including date, time, username, and the
names of the files transferred.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
FTP
Type
Protocol Signature
Vulnerability
description
The File Transfer Protocol (FTP) allows a user to create a new directory on the target
computer. A directory created by a user with an "anonymous" username is indicative of
suspicious activity.
How to remove this
vulnerability
This activity should be examined for compliance with acceptable use policies, or for
suspicion of unauthorized disclosure of sensitive information.
References
ISS X-Force
FTP mkdir
http://xforce.iss.net/static/648.php
NetTerm ftp 'dele' command buffer overflow
(FTP_NetTerm_Dele_Overflow)
About this
signature or
vulnerability
This signature detects a dele argument of 1024 characters or more being sent to the
NetTerm FTP program.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 1.3, RealSecure Server Sensor: 5.5.2
Systems affected
NetTerm NetFtpd
Type
Unauthorized Access Attempt
Vulnerability
description
NetFtpd is an FTP server that is distributed as a part of NetTerm. The program is
vulnerable to a buffer overflow in the dele command. By supplying a 1024 byte argument
to the dele command, a remote attacker can overflow the buffer to crash the service and
possibly execute arbitrary code on the system.
How to remove this
vulnerability
No remedy available as of July 2000.
References
Dragonmount Networks Advisory DNA-1999-001
NetTerm FTP Daemon
http://www.dragonmount.net/security/dna/dna-1999-001.php
ISS X-Force
NetTerm ftp 'dele' command buffer overflow
http://xforce.iss.net/static/3587.php
NetTerm ftp 'dir' command buffer overflow
(FTP_NetTerm_Dir_Overflow)
About this
signature or
vulnerability
This signature detects a dir argument of 1024 characters or more being sent to the
NetTerm FTP program.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 1.3, RealSecure Server Sensor: 5.5.2
Systems affected
NetTerm NetFtpd
Type
Unauthorized Access Attempt
Vulnerability
description
NetFtpd is an FTP server that is distributed as a part of NetTerm. The program is
vulnerable to a buffer overflow in the dir command. By supplying a 1024 byte argument
to the dir command, a remote attacker can overflow the buffer to crash the service and
possibly execute arbitrary code on the system.
How to remove this
vulnerability
No remedy available as of July 2000.
References
Dragonmount Networks Advisory DNA-1999-001
NetTerm FTP Daemon
http://www.dragonmount.net/security/dna/dna-1999-001.php
ISS X-Force
NetTerm ftp 'dir' command buffer overflow
http://xforce.iss.net/static/3588.php
NetTerm ftp 'ls' command buffer overflow
(FTP_NetTerm_Ls_Overflow)
About this
signature or
vulnerability
This signature detects an ls argument of 1024 characters or more being sent to the
NetTerm FTP program.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 1.3, RealSecure Server Sensor: 5.5.2
Systems affected
NetTerm NetFtpd
Type
Unauthorized Access Attempt
Vulnerability
description
NetFtpd is an FTP server that is distributed as a part of NetTerm. The program is
vulnerable to a buffer overflow in the ls command. By supplying a 1024 byte argument to
the ls command, a remote attacker can overflow the buffer to crash the service and
possibly execute arbitrary code on the system.
How to remove this
vulnerability
No remedy available as of July 2000.
References
Dragonmount Networks Advisory DNA-1999-001
NetTerm FTP Daemon
http://www.dragonmount.net/security/dna/dna-1999-001.php
ISS X-Force
NetTerm ftp 'ls' command buffer overflow
http://xforce.iss.net/static/3589.php
NetTerm ftp 'mkd' command buffer overflow
(FTP_NetTerm_Mkd_Overflow)
About this
signature or
vulnerability
This signature detects an mkd argument of 1024 characters or more being sent to the
NetTerm FTP program.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 1.3, RealSecure Server Sensor: 5.5.2
Systems affected
NetTerm NetFtpd
Type
Unauthorized Access Attempt
Vulnerability
description
NetFtpd is an FTP server that is distributed as a part of NetTerm. The program is
vulnerable to a buffer overflow in the mkd command. By supplying a 1024 byte argument
to the mkd command, a remote attacker can overflow the buffer to crash the service and
possibly execute arbitrary code on the system.
How to remove this
vulnerability
No remedy available as of July 2000.
References
Dragonmount Networks Advisory DNA-1999-001
NetTerm FTP Daemon
http://www.dragonmount.net/security/dna/dna-1999-001.php
ISS X-Force
NetTerm ftp 'mkd' command buffer overflow
http://xforce.iss.net/static/3590.php
NetTerm ftp 'pass' command buffer overflow
(FTP_NetTerm_Pass_Overflow)
About this
signature or
vulnerability
This signature detects a pass argument of 1024 characters or more being sent to the
NetTerm FTP program.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 1.3, RealSecure Server Sensor: 5.5.2
Systems affected
NetTerm NetFtpd
Type
Unauthorized Access Attempt
Vulnerability
description
NetFtpd is an FTP server that is distributed as a part of NetTerm. The program is
vulnerable to a buffer overflow in the pass command. By supplying a 1024 byte argument
to the pass command, a remote attacker can overflow the buffer to crash the service and
possibly execute arbitrary code on the system.
How to remove this
vulnerability
No remedy available as of July 2000.
References
Dragonmount Networks Advisory DNA-1999-001
NetTerm FTP Daemon
http://www.dragonmount.net/security/dna/dna-1999-001.php
ISS X-Force
NetTerm ftp 'pass' command buffer overflow
http://xforce.iss.net/static/3591.php
NetTerm ftp 'rmdir' command buffer overflow
(FTP_NetTerm_Rmdir_Overflow)
About this
signature or
vulnerability
This signature detects an rmdir argument of 1024 characters or more being sent to the
NetTerm FTP program.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 1.3, RealSecure Server Sensor: 5.5.2
Systems affected
NetTerm NetFtpd
Type
Unauthorized Access Attempt
Vulnerability
description
NetFtpd is an FTP server that is distributed as a part of NetTerm. The program is
vulnerable to a buffer overflow in the rmdir command. By supplying a 1024 byte
argument to the rmdir command, a remote attacker can overflow the buffer to crash the
service and possibly execute arbitrary code on the system.
How to remove this
vulnerability
No remedy available as of July 2000.
References
Dragonmount Networks Advisory DNA-1999-001
NetTerm FTP Daemon
http://www.dragonmount.net/security/dna/dna-1999-001.php
ISS X-Force
NetTerm ftp 'rmdir' command buffer overflow
http://xforce.iss.net/static/3592.php
FTP password (FTP_Pass)
About this
signature or
vulnerability
This signature detects all FTP logins and records the cleartext password used to log into
the FTP server. This information is sensitive, and care should be taken to ensure that this
information is not disclosed. This signature allows an administrator to log invalid
password attempts, check passwords for strength against attack, and keep complete logs
of activity. In combination with the other FTP decodes, this decode can construct a log of
all FTP activity, including date, time, username, and the names of the files transferred.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5.2
Systems affected
FTP
Type
Protocol Signature
Vulnerability
description
In File Transfer Protocol (FTP), a cleartext password is passed across the network in order
to authenticate that a user has access to files on the destination host.
How to remove this
vulnerability
Multiple instances of this event in a short period of time might suggest that a brute force
attack is underway.
This activity should be examined for compliance with acceptable use policies, or for
suspicion of unauthorized disclosure of sensitive information.
References
ISS X-Force
FTP password
http://xforce.iss.net/static/649.php
Privileged port attack enabled on FTP server
(FTP_PrivilegedBounce)
About this
signature or
vulnerability
This signature detects an FTP bounce attack against a privileged port. An FTP bounce
attack against a non-privileged port may be caused by a type of FTP proxy, but an FTP
bounce against a privileged port always indicates a malicious attempt to attack a network.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 2.5, RealSecure Server Sensor: 5.5
Systems affected
Windows NT, Solaris: 2.x, SunOS: 4.1.x, Windows 2000
Type
Unauthorized Access Attempt
Vulnerability
description
The FTP service specification allows passive connections to be established based on the
port address given by the client. This configuration can allow attackers to execute
destructive commands using the FTP service. The problem occurs when the FTP service
connects using a port other than the FTP Data port (port 20) and the port number is less than
IP_PORT_RESERVED (ports less than 1024).
In Microsoft Internet Information Server (IIS), the EnablePortAttack parameter is set by
default to prevent a security problem in the FTP protocol specification. EnablePortAttack
controls if such an attack should be allowed. By default, the service does not make any
connections to port numbers lower than IP_PORT_RESERVED (other than port 20). If you
want users to connect by using other ports as specified in the FTP RFC, this flag should be
enabled in the registry.
How to remove this
vulnerability
Upgrade to an FTP server that cannot establish connections to arbitrary systems. See
References.
For Windows NT/2000:
Use the Registry Editor (regedt32) to disable EnablePortAttack:
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may
cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. From the Windows Start menu, select Run.
2. Type regedt32 and press Enter. This opens the Windows registry editor.
3. Find the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FTPSVC\Parameters
registry key or the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSFTPSVC\Parameters
registry key.
4. Set the EnablePortAttack value to zero.
If you see this attack, determine the Host and Port involved. If this is one of your own
hosts, you may want to check to see what was done to it. If this was a host that you do not
own, the administrator of that system will see connections having originated from your
FTP server, and if an attack was performed, your computer will appear to be the source of
those attacks. You may wish to contact that administrator or at least save the logs of the
original source of the attack should that administrator contact you in accordance with
your security policies.
Windows NT
Set the registry key as follows:
1. From the Windows NT Start menu, select Run.
2. Type regedt32 and press Enter. This opens the Windows NT registry editor.
3. Go to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FTPSVC\Parameters
or HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSFTPSVC\Parameters
registry key and, if the EnablePortAttack value is nonzero, set it to zero.
Windows 2000
If you want users to connect by using other ports as specified in the FTP RFC, this flag
should be enabled. Set the registry key as follows:
1. From the Windows Start menu, select Run.
2. Type regedt32 and press Enter. This opens the Windows registry editor.
3. Go to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FTPSVC\Parameters
or HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSFTPSVC\Parameters
registry key and, if the EnablePortAttack value is nonzero, set it to zero.
References
CERT Advisory CA-2001-04
Problems With The FTP PORT Command (Why You Don't Want Just Any PORT in a
Storm)
http://www.cert.org/tech_tips/ftp_port_attacks.html
CERT Advisory CA-1997-27
FTP Bounce
http://www.cert.org/advisories/CA-1997-27.html
Internet-Security.com Web site
Internet-Security.com Web Site
http://internet-security.com/lists/ciac/0014.html
Microsoft Knowledge Base Article Q147621
IIS FTP Service Registry Parameters
http://support.microsoft.com/support/kb/articles/q147/6/21.asp
ISS X-Force
Privileged port attack enabled on FTP server
http://xforce.iss.net/static/945.php
CVE
CVE-1999-0017
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0017
FTP privileged port bounce can conceal attacker's identity
(FTP_PrivilegedPort)
About this
signature or
vulnerability
This signature detects an FTP privileged port bounce, which could indicate an attacker's
attempt to create the false appearance that the FTP server itself is staging an attack. An
FTP Bounce attack to a non-privileged port is not as dangerous as an FTP Bounce attack to
a privileged port. However, when an FTP Bounce attack occurs against a privileged port,
it is highly indicative of an attack on the network. For this reason, the combined attack is
added as a separate signature (FTP_PrivilegedBounce).
False positives
RealSecure Network Sensor: A false positive is possible if an FTP bounce that is not done
to a privileged port is a result of a type of FTP proxy.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 2.5, RealSecure Server Sensor: 5.5
Systems affected
Solaris: 2.x, SunOS: 4.1.x
Type
Unauthorized Access Attempt
Vulnerability
description
In a normal FTP (File Transfer Protocol) session, a connection is established to the FTP
control port (TCP port 21). Once this control channel is established, any files to be sent are
transferred on a separate connection (the data connection). The FTP client sets up this
data connection by sending a PORT command that contains the IP address and port on
which it will listen for a TCP connection. The FTP server then connects back to that port
and transfers the file.
In an FTP Bounce attack, the FTP client specifies a different IP address than its own to
trick some FTP servers into making a connection and sending data to another host on the
network. This creates the appearance that the computer is being probed or attacked by the
FTP server when in fact it is the FTP client that is indirectly attacking it.
In a closely related attack, the FTP Privileged Port attack, an attacker specifies a legitimate
IP address while using a privileged port for it to connect back to. This allows an attacker on a
multi-user system to attack her own computer while hiding her identity. This creates the
appearance that the attack is originating from the FTP server.
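The Python below is an added example, not code from the guide or the sensor, covering the PORT-command checks behind FTP_Bounce, FTP_PrivilegedBounce and this signature (FTP_PrivilegedPort). It decodes the RFC 959 h1,h2,h3,h4,p1,p2 argument, compares the target with the client address on the control connection, and applies the "below 1024 and not port 20" rule from the FTP_PrivilegedBounce entry; the mapping of the outcomes to the three signature names is my reading of the three descriptions, and all addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

FTP_DATA_PORT = 20
IP_PORT_RESERVED = 1024   # ports below this are the "privileged" ports


@dataclass
class PortVerdict:
    target_ip: str
    target_port: int
    signatures: List[str]   # names of the signatures the PORT command triggers


def parse_port_argument(arg: str):
    """Decode the RFC 959 'h1,h2,h3,h4,p1,p2' PORT argument into (ip, port), or None."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        return None
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        return None
    if any(n < 0 or n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def inspect_port_command(client_ip: str, arg: str) -> Optional[PortVerdict]:
    """Compare a PORT target with the client address seen on the control connection."""
    parsed = parse_port_argument(arg)
    if parsed is None:
        return None
    target_ip, target_port = parsed
    # Bounce: the data connection is requested to a host other than the client itself.
    bounce = ipaddress.ip_address(target_ip) != ipaddress.ip_address(client_ip)
    # Privileged: below IP_PORT_RESERVED and not the normal FTP data port.
    privileged = target_port < IP_PORT_RESERVED and target_port != FTP_DATA_PORT
    sigs = []
    if bounce:
        sigs.append("FTP_Bounce")
        if privileged:
            sigs.append("FTP_PrivilegedBounce")
    elif privileged:
        sigs.append("FTP_PrivilegedPort")   # own address, privileged port
    return PortVerdict(target_ip, target_port, sigs)


# Constructed session: client 192.0.2.10 issues several PORT commands.
CLIENT_IP = "192.0.2.10"
SAMPLE_PORT_ARGS = [
    "192,0,2,10,4,1",       # own address, port 1025: normal active transfer
    "192,0,2,10,0,20",      # own address, port 20: excluded from the privileged rule
    "192,0,2,10,0,25",      # own address, port 25: FTP_PrivilegedPort
    "198,51,100,7,4,1",     # other host, port 1025: FTP_Bounce
    "198,51,100,7,0,23",    # other host, port 23: FTP_Bounce + FTP_PrivilegedBounce
    "1,2,3",                # malformed: ignored
]

if __name__ == "__main__":
    for arg in SAMPLE_PORT_ARGS:
        verdict = inspect_port_command(CLIENT_IP, arg)
        print(f"PORT {arg:22} -> {verdict}")
```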
How to remove this
vulnerability
Check to see if your FTP server is vulnerable to the FTP bounce attack. (If you have
Internet Scanner, run a scan against the FTP server and check if it comes up vulnerable to
this.)
Apply the appropriate patch for your system, as listed in CERT Advisory CA-1997-27. See
References.
As a workaround, if your FTP server is vulnerable, upgrade to the latest version of wu-ftpd
(2.4.2-beta-16 or later), as listed in CERT Advisory CA-1997-27. See References.
Also, examine the Host and Port that was connected to with the bounce attack. If this is
one of your own hosts, you may want to check what was done to it. If this was a host that
you do not own, be aware that the administrator of that computer can see connections
having originated from your FTP server, and if an attack was performed, your computer
appears to be the source of those attacks. You may want to contact that administrator or at
least save the logs of the original source of the attack should that administrator contact
you in accordance with their security policies.
References
CERT Coordination Center Tech Tips
Problems With The FTP PORT Command or Why You Don't Want Just Any PORT in a
Storm
http://www.cert.org/tech_tips/ftp_port_attacks.html
CERT Advisory CA-1997-27
FTP Bounce
http://www.cert.org/advisories/CA-1997-27.html
CIAC Information Bulletin I-018A
FTP Bounce Vulnerability
http://www.ciac.org/ciac/bulletins/i-018a.shtml
Academ Consulting Services Web site
WU-FTP Server Software Release Information
http://ftp.academ.com/academ/wu-ftpd/release.html
ISS X-Force
FTP privileged port bounce can conceal attacker's identity
http://xforce.iss.net/static/892.php
CVE
CVE-1999-0017
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0017
FTP put file (FTP_Put)
About this
signature or
vulnerability
This signature detects FTP PUT requests to upload files to an FTP server. This signature
also discovers all files that are being transferred to the destination host over FTP. In
combination with the other FTP decodes, this decode can construct a log of all FTP
activity, including date, time, username, and the names of the files transferred.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 2.0, RealSecure Server Sensor: 5.5.2
Systems affected
FTP
Type
Protocol Signature
Vulnerability
description
In File Transfer Protocol (FTP), files being transferred from the source host to the
destination host use a PUT (technically STOR) command to transfer the files. FTP PUT
decoding discovers all files that are being transferred to the destination host over FTP.
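The FTP_Get, FTP_Put, FTP_Mkdir and FTP_Pass entries each note that, taken together, these decodes can construct a log of all FTP activity. The Python below is an added example (not the guide's or the sensor's code) of that correlation over a constructed control-channel capture; it records only that a PASS was seen and its length, not the password value, given the sensitivity noted under FTP_Pass, and flags a directory created under the anonymous username as the FTP_Mkdir entry suggests.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FtpEvent:
    timestamp: str
    client: str
    username: Optional[str]
    signature: str      # FTP_Pass, FTP_Get, FTP_Put or FTP_Mkdir
    detail: str


@dataclass
class FtpSession:
    client: str
    username: Optional[str] = None
    pending_user: Optional[str] = None   # USER seen, PASS not yet


# Wire verbs behind the guide's signatures: RETR is GET (the guide's "technically
# RECV"), STOR is PUT, MKD/XMKD create a directory.
_VERB_TO_SIGNATURE = {"RETR": "FTP_Get", "STOR": "FTP_Put",
                      "MKD": "FTP_Mkdir", "XMKD": "FTP_Mkdir"}


def decode_line(session: FtpSession, timestamp: str, line: str) -> Optional[FtpEvent]:
    """Update session state from one client line and emit an event if a decode fires."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    verb = verb.upper()
    if verb == "USER":
        session.pending_user = arg
        return None
    if verb == "PASS":
        session.username = session.pending_user
        # The password crosses the wire in cleartext. Log that it was seen and its
        # length, but not its value, so the activity log is not itself a disclosure.
        return FtpEvent(timestamp, session.client, session.username, "FTP_Pass",
                        f"cleartext password observed ({len(arg)} chars, value withheld)")
    sig = _VERB_TO_SIGNATURE.get(verb)
    if sig is None:
        return None
    detail = arg
    if sig == "FTP_Mkdir" and (session.username or "").lower() == "anonymous":
        detail += "  [directory created by anonymous user]"
    return FtpEvent(timestamp, session.client, session.username, sig, detail)


def build_activity_log(client: str, lines: List[Tuple[str, str]]) -> List[FtpEvent]:
    """Correlate a (timestamp, line) sequence from one control connection."""
    session = FtpSession(client=client)
    events = []
    for timestamp, line in lines:
        event = decode_line(session, timestamp, line)
        if event is not None:
            events.append(event)
    return events


# Constructed capture of one anonymous session (not from the guide).
SAMPLE_CAPTURE = [
    ("2001-06-14 09:12:01", "USER anonymous"),
    ("2001-06-14 09:12:02", "PASS guest@example.com"),
    ("2001-06-14 09:12:10", "MKD incoming/.hidden"),
    ("2001-06-14 09:12:30", "STOR incoming/.hidden/data.tgz"),
    ("2001-06-14 09:13:05", "RETR pub/README"),
    ("2001-06-14 09:13:20", "QUIT"),
]

if __name__ == "__main__":
    for e in build_activity_log("192.0.2.10", SAMPLE_CAPTURE):
        print(f"{e.timestamp} {e.client} {e.username or '-'} {e.signature}: {e.detail}")
```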
How to remove this
vulnerability
This activity should be examined for compliance with acceptable use policies, or for
suspicion of unauthorized disclosure of sensitive information.
References
ISS X-Force
FTP put file
http://xforce.iss.net/static/650.php
FTP CWD ~root login (FTP_Root)
About this
signature or
vulnerability
This signature detects the use of the "CWD ~root" command, which may indicate an
attempt by an attacker to gain root access to an FTP server.
False positives
RealSecure Network Sensor: A false positive is possible if a valid 'cd ~root' command is
sent during an FTP session. However, this is extremely unlikely. It is much more likely
that this signature is indicative of malicious intent.
RealSecure Server Sensor: A false positive is possible if a valid 'cd ~root' command is
sent during an FTP session. However, this is extremely unlikely. It is much more likely
that this signature is indicative of malicious intent.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
FTP
Type
Unauthorized Access Attempt
Vulnerability
description
Very old versions of the FTP daemon are vulnerable to unauthorized access by use of the
"CWD ~root" command. By issuing a sequence of commands including the "CWD ~root"
command, an attacker could bypass authentication on a vulnerable FTP server to gain
root permissions and read, write, or transfer files.
How to remove this
vulnerability
Replace the vulnerable FTP daemon with a more recent FTP package, such as wuftpd.
Also, FTP daemons that are vulnerable to this attack are likely to have shipped with older
operating systems. Consider upgrading to the latest available operating system supported
by your hardware.
References
CERT Advisory CA-1988-01
ftpd vulnerability
http://www.cert.org/advisories/CA-1988-01.html
ISS X-Force
FTP CWD ~root login
http://xforce.iss.net/static/54.php
CVE
CVE-1999-0082
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0082
FTP root login success detected (FTP_root_login)
About this
signature or
vulnerability
This signature detects an entry in the wtmp binary file indicating that a root user has
successfully authenticated to use FTP.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: 6.0
Systems affected
Solaris: 2.6, Solaris: 7, Solaris: 8
Type
Host Sensor
Vulnerability
description
A root user has successfully authenticated to use FTP. An attacker who logs in as root can
view, modify, or delete any file on the system, or execute programs with root privileges.
This would allow an attacker to perform many malicious actions against the system.
How to remove this
vulnerability
Confirm that the FTP session is authorized. Use the time of the FTP session to help
determine if this is legitimate administrative activity.
If you suspect that an unauthorized FTP session has occurred, further investigation is
warranted. Review the login history of users at the time of the FTP session. It may be
necessary to contact any users in question. It is possible that an attacker has gained access
to a valid user root FTP account and password. Require the users in question to change
their passwords immediately.
References
ISS X-Force
FTP root login success detected
http://xforce.iss.net/static/6021.php
FTP site command (FTP_Site_Cmd)
About this
signature or
vulnerability
This signature detects the use of the FTP site command.
Additional
Vulnerabilities
Found
■ wu-ftpd-exec
False positives
RealSecure Network Sensor: This event should not be considered an attack if it does not
occur with a corresponding RealSecure SITE Exec .. or SITE Exec Tar event. Nevertheless,
this is an unusual event.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
FTP
Type
Protocol Signature
Vulnerability
description
The File Transfer Protocol (FTP) site command allows a user to execute certain commands
on a destination host in addition to the normal FTP function of transferring files. In
normal FTP usage, the FTP site command is rarely used.
How to remove this
vulnerability
There may be legitimate reasons to execute site commands under certain circumstances.
However, site commands can also be used by an attacker to gain access. Consequently, an
administrator may want to view and log the site commands being executed to check for
possible abuse.
If you see this event, examine the FTP logs carefully to reconstruct this user's actions.
References
ISS X-Force
FTP site command
http://xforce.iss.net/static/651.php
FTP SITE EXEC can allow arbitrary command execution (FTP_Site_Exec_DotDot)
About this
signature or
vulnerability
This signature detects a specially-crafted FTP SITE EXEC command, which may indicate
an attempt by a remote attacker to execute arbitrary commands on the FTP server.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
wu-ftpd: 2.4.1 and earlier
Type
Unauthorized Access Attempt
Vulnerability
description
Certain versions of wu-ftpd permit the use of a SITE EXEC command to execute
commands on a remote system. By providing a pathname with certain characteristics, a
remote attacker could execute arbitrary commands on the FTP server, which could aid the
attacker in gaining root-level access on the victim system.
How to remove this
vulnerability
Upgrade to the latest version of wu-ftp (2.4.2 or later), available from the Academ
Consulting Services Web site. See References.
References
Academ Consulting Services Web site
WU-FTP Server Software Release Information
http://ftp.academ.com/academ/wu-ftpd/release.html
CERT Advisory CA-1993-06
wuarchive ftpd Vulnerability
http://www.cert.org/advisories/CA-1993-06.html
CERT Advisory CA-1994-08
ftpd Vulnerabilities
http://www.cert.org/advisories/CA-1994-08.html
CERT Advisory CA-1995-16
wu-ftpd Misconfiguration Vulnerability
http://www.cert.org/advisories/CA-1995-16.html
ISS X-Force
FTP SITE EXEC can allow arbitrary command execution
http://xforce.iss.net/static/618.php
CVE
CVE-1999-0080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0080
FTP Site Exec Tar allows remote access (FTP_Site_Exec_Tar)
About this
signature or
vulnerability
This signature detects a specially-crafted FTP SITE EXEC command that includes a
command line option to the GNU tar program. This could indicate an attempt by a remote
attacker to execute arbitrary commands on a vulnerable system.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
wu-ftpd: 2.4.1 and earlier
Type
Unauthorized Access Attempt
Vulnerability
description
Certain versions of wu-ftpd permit the use of a SITE EXEC command to execute
commands on a remote system. A command line option to the GNU tar program allows a
user with FTP access to execute arbitrary commands on an FTP server by using the SITE
EXEC command. This could allow a remote attacker to gain root-level access on the
vulnerable system.
How to remove this
vulnerability
Upgrade your FTP server or change to a different type of FTP server.
References
ISS X-Force
FTP Site Exec Tar allows remote access
http://xforce.iss.net/static/619.php
CVE
CVE-1999-0202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0202
FTP SYST command (FTP_Syst)
About this
signature or
vulnerability
This signature detects a SYST command being issued to a File Transfer Protocol (FTP)
server.
False positives
RealSecure Network Sensor: Some FTP clients, such as Macintosh clients, issue a SYST
command on every connection to determine whether the server supports certain desirable
FTP extensions.
RealSecure Server Sensor: Some FTP clients, such as Macintosh clients, issue a SYST
command on every connection to determine whether the server supports certain desirable
FTP extensions.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 2.5, RealSecure Server Sensor: 5.5
Systems affected
FTP
Type
Pre-attack Probe
Vulnerability
description
When a SYST command is issued to a File Transfer Protocol (FTP) server, the FTP server
returns a response indicating the host operating system of the server. An attacker could
use this information about the host operating system to customize an attack to exploit
other potential vulnerabilities.
How to remove this
vulnerability
Closely observe other activity on the target system following the SYST request. If this is a
non-anonymous FTP server, ensure that the FTP server requires users to log in prior to
honoring a SYST request. If anonymous access is allowed, consider disabling the SYST
command. Refer to the documentation for your FTP server.
References
ISS X-Force
FTP SYST command
http://xforce.iss.net/static/1225.php
FTP username (FTP_User)
About this
signature or
vulnerability
This signature records the username on the FTP server of the person transferring files. In
combination with the other FTP decodes, this decode can construct a log of all FTP
activity, including date, time, username, and the names of the files transferred.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5.2
Systems affected
FTP
Type
Protocol Signature
Vulnerability
description
The File Transfer Protocol (FTP) allows users to transfer files between computers. Users
must log in with a username and password to transfer files across the network. A
username of "anonymous" is suspicious, as anyone can use an "anonymous" account.
How to remove this
vulnerability
This activity should be examined for compliance with acceptable use policies, or for
suspicion of unauthorized disclosure of sensitive information.
References
ISS X-Force
FTP username
http://xforce.iss.net/static/652.php
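As an added illustration of how the FTP decodes above (FTP_User, FTP_Put, FTP_Root, FTP_Syst, FTP_Site_Cmd and the two SITE EXEC signatures) combine into one activity log, the following Python example, which is not ISS code, decodes a constructed client-side FTP control-channel session and emits an event per signature with the default risk level the guide lists. The ".." and tar-option checks are simplified assumptions based only on the signature names and descriptions; the PASS argument is deliberately never recorded.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Default risk levels as listed in the guide for each FTP signature.
RISK = {
    "FTP_User": "Low", "FTP_Put": "Low", "FTP_Syst": "Low",
    "FTP_Site_Cmd": "Medium", "FTP_Root": "High",
    "FTP_Site_Exec_DotDot": "High", "FTP_Site_Exec_Tar": "High",
}


@dataclass
class Event:
    timestamp: str           # date and time the command was seen
    signature: str           # signature name from the guide
    risk: str                # default risk level from the guide
    username: Optional[str]  # username active in the session, if any
    detail: str              # command argument (never a password)


@dataclass
class Session:
    username: Optional[str] = None
    files_put: List[str] = field(default_factory=list)


def decode_command(timestamp: str, line: str, session: Session) -> List[Event]:
    """Decode one client-to-server control-channel line, update the session
    state and return the events it triggers, in detection order."""
    parts = line.strip().split(None, 1)
    if not parts:
        return []
    cmd = parts[0].upper()
    arg = parts[1].strip() if len(parts) > 1 else ""
    events: List[Event] = []

    def emit(sig: str, detail: str) -> None:
        events.append(Event(timestamp, sig, RISK[sig], session.username, detail))

    if cmd == "USER":
        session.username = arg
        note = "anonymous account" if arg.lower() == "anonymous" else "named account"
        emit("FTP_User", f"{arg} ({note})")
    elif cmd == "PASS":
        pass  # credentials are never written to the activity log
    elif cmd == "STOR":  # the wire form of an FTP PUT
        session.files_put.append(arg)
        emit("FTP_Put", arg)
    elif cmd == "CWD" and arg == "~root":
        emit("FTP_Root", arg)
    elif cmd == "SYST":
        emit("FTP_Syst", "server operating-system query")
    elif cmd == "SITE":
        emit("FTP_Site_Cmd", arg)
        site = arg.split()
        if site and site[0].upper() == "EXEC":
            exec_args = site[1:]
            # Assumed heuristic: any ".." inside a SITE EXEC argument.
            if any(".." in a for a in exec_args):
                emit("FTP_Site_Exec_DotDot", arg)
            # Assumed heuristic: SITE EXEC running tar with any option at all.
            program = exec_args[0].rsplit("/", 1)[-1].lower() if exec_args else ""
            if program == "tar" and any(a.startswith("-") for a in exec_args[1:]):
                emit("FTP_Site_Exec_Tar", arg)
    return events


def decode_session(lines):
    """Run a whole (timestamp, command) sequence through the decoder."""
    session, events = Session(), []
    for ts, line in lines:
        events.extend(decode_command(ts, line, session))
    return session, events


def transfer_log(events: List[Event]) -> List[str]:
    """Date, time, username and file name for every upload, as the guide describes."""
    return [f"{e.timestamp} {e.username} STOR {e.detail}"
            for e in events if e.signature == "FTP_Put"]


# Constructed sample session (not captured traffic).
SAMPLE_SESSION = [
    ("2001-03-05 14:02:11", "SYST"),
    ("2001-03-05 14:02:12", "USER anonymous"),
    ("2001-03-05 14:02:12", "PASS guest@example.invalid"),
    ("2001-03-05 14:02:20", "CWD ~root"),
    ("2001-03-05 14:02:31", "STOR upload/report.doc"),
    ("2001-03-05 14:02:40", "SITE EXEC ../placeholder"),
    ("2001-03-05 14:02:45", "SITE EXEC tar -t archive.tar"),
    ("2001-03-05 14:02:50", "QUIT"),
]

if __name__ == "__main__":
    session, events = decode_session(SAMPLE_SESSION)
    for e in events:
        print(f"{e.timestamp} {e.signature:<22} risk={e.risk:<6} user={e.username} {e.detail}")
    print(transfer_log(events))
```

Note that the harmless "tar -t" line fires FTP_Site_Exec_Tar, mirroring the guide's point that a SITE event alone is not proof of attack and the FTP logs must be reviewed.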
FTP user login success detected (FTP_user_login)
About this
signature or
vulnerability
This signature detects an entry in the wtmp binary file indicating that a user has
successfully authenticated to use FTP.
Default risk level
Low
Sensors that have
this signature
RealSecure Server Sensor: 6.0
Systems affected
Solaris: 2.6, Solaris: 7, Solaris: 8
Type
Host Sensor
Vulnerability
description
A user has successfully authenticated to use FTP.
Attackers often misuse systems by briefly logging in, initiating some inappropriate action,
and then quickly logging off. Sometimes the attackers try to cover up the records of their
presence. By maintaining a record of user logins, it is possible to display a record of the
login events that occurred at the time of an attack. This audit history of logins can help
you narrow the list of suspect user accounts.
How to remove this
vulnerability
Confirm that the FTP session is authorized. Use the time of the FTP session to help
determine if this is legitimate user activity.
If you suspect that an unauthorized FTP session has occurred, further investigation is
warranted. Review the login history of users at the time of the FTP session. It may be
necessary to contact any users in question. It is possible that an attacker has gained access
to a valid FTP account and password. Require the users in question to change their
passwords immediately.
References
ISS X-Force
FTP user login success detected
http://xforce.iss.net/static/6022.php
FireWall-1 misconfiguration could allow attackers to manipulate filter modules (FW1_Auth_As_Local)
About this
signature or
vulnerability
This signature detects traffic directed at TCP port 256 that could indicate an attempt by an
attacker to bypass authentication by masquerading as the localhost.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: SR 1.1
Systems affected
Check Point Firewalls
Type
Unauthorized Access Attempt
Vulnerability
description
Check Point FireWall-1 implements a number of authentication and encryption options
for inter-module communication including FWA1, FWN1, S/Key, or none at all. A
common misconfiguration is to not require authentication from the localhost address
(127.0.0.1). Unfortunately, filter modules do not obtain this address information from the
peer address of the TCP connection, but instead from the data stream received from the
client. A remote attacker could use this to masquerade as the localhost and issue
commands (such as unloading the policy) without being authenticated.
How to remove this
vulnerability
For VPN-1/FireWall-1 4.0:
Apply the latest Service Pack for your system (SP7 or later), as listed in the Check Point
Technical Support Alert. See References.
For VPN-1/FireWall-1 4.1:
Apply the latest Service Pack for your system (SP2 or later), as listed in the Check Point
Technical Support Alert. See References.
For VPN-1 Appliances (IPSO) 4.0:
Apply the SP5 Hotfix, as listed in the Check Point Technical Support Alert. See
References.
References
Data Protect GmbH Web site
A Stateful Inspection of FireWall-1
http://www.dataprotect.com/bh2000/
Check Point Technical Support Alert
Potential Security Issues Recently Identified in VPN-1/FireWall-1
http://www.checkpoint.com/techsupport/alerts/list_vun.html#One-time_Password
Internet Security Systems Security Alert #62
Multiple vulnerabilities on all platforms and versions of Check Point FireWall-1
http://xforce.iss.net/alerts/advise62.php
CIAC Information Bulletin K-073
Multiple Vulnerabilities in Check Point Firewall-1
http://www.ciac.org/ciac/bulletins/k-073.shtml
ISS X-Force
FireWall-1 misconfiguration could allow attackers to manipulate filter modules
http://xforce.iss.net/static/5137.php
CVE
CAN-2000-0808
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0808
FireWall-1 FWA1 authentication weakness (FW1_Auth_Replay)
About this
signature or
vulnerability
This signature detects an attempt to attack FireWall-1's FWA1 authentication protocol on
TCP port 256.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: SR 1.1
Systems affected
Check Point FireWall-1: 3.0, Check Point FireWall-1: 4.0, Check Point FireWall-1: 4.1,
Check Point FireWall-1: 4.1 SP1
Type
Unauthorized Access Attempt
Vulnerability
description
Check Point FireWall-1 implements a number of authentication and encryption options
for inter-module communication, including the FWA1 protocol, which both authenticates
and encrypts communication with a client. A flaw in this protocol could allow a remote
attacker to replay a slightly modified challenge from a server to trick it into successfully
authenticating the attacker. However, the attacker still does not have the encryption key
necessary to continue communicating with the module and therefore cannot issue any
commands.
How to remove this
vulnerability
For VPN-1/FireWall-1 4.0:
Apply the latest Service Pack for your system (SP7 or later), as listed in the Check Point
Technical Support Alert. See References.
For VPN-1/FireWall-1 4.1:
Apply the latest Service Pack for your system (SP2 or later), as listed in the Check Point
Technical Support Alert. See References.
For VPN-1 Appliances (IPSO) 4.0:
Apply the SP5 Hotfix, as listed in the Check Point Technical Support Alert. See
References.
References
Data Protect GmbH Web site
A Stateful Inspection of FireWall-1
http://www.dataprotect.com/bh2000/
Check Point Technical Support Alert
Potential Security Issues Recently Identified in VPN-1/FireWall-1
http://www.checkpoint.com/techsupport/alerts/list_vun.html#Intermodule_Communications
Internet Security Systems Security Alert #62
Multiple vulnerabilities on all platforms and versions of Check Point FireWall-1
http://xforce.iss.net/alerts/advise62.php
CIAC Information Bulletin K-073
Multiple Vulnerabilities in Check Point Firewall-1
http://www.ciac.org/ciac/bulletins/k-073.shtml
ISS X-Force
FireWall-1 FWA1 authentication weakness
http://xforce.iss.net/static/5162.php
CVE
CAN-2000-0806
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0806
FireWall-1 allows remote "get topology" requests without authentication (FW1_GetTopology)
About this
signature or
vulnerability
This signature detects an unencrypted (and possibly unauthenticated) Get Topology
(gettopo) request to a FireWall-1 module on TCP port 256.
False positives
RealSecure Network Sensor: RealSecure detects all unencrypted Get Topology requests,
even from authenticated users. This does not necessarily indicate an attack, but could
expose sensitive network topology information to a remote attacker.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: SR 1.1
Systems affected
Check Point Firewalls
Type
Protocol Signature
Vulnerability
description
The Check Point FireWall-1/VPN-1 SecuRemote client requires knowledge of a network's
topology before it can negotiate a VPN (Virtual Private Network) connection. SecuRemote
clients prior to version 4.0 do not encrypt or authenticate connections to the SecuRemote
Server, which could expose possibly sensitive network topology information to remote
attackers. The client and server of SecuRemote version 4.1 support strong authentication
and encryption of this data, but by default permit weaker, less secure connections for
backward compatibility. An attacker could take advantage of these weaker connections to
obtain sensitive network topology information.
How to remove this
vulnerability
Disable the FireWall-1 option "Respond to Unauthenticated Cleartext Topology
Requests".
To disable this option from the FireWall-1 Policy Editor:
1. Open the FireWall-1 Policy Editor.
2. Select Policy > Properties.
3. Click the Desktop Security tab.
4. Clear the "Respond to Unauthenticated Cleartext Topology Requests" check box.
References
ISS X-Force
FireWall-1 allows remote "get topology" requests without authentication
http://xforce.iss.net/static/5172.php
GateCrasher backdoor for Windows (GateCrasher)
About this
signature or
vulnerability
This signature detects a TCP connection on port 6969 to a GateCrasher backdoor on your
network.
False negatives
RealSecure Network Sensor: RealSecure detects a connection to the GateCrasher
backdoor only when the GateCrasher backdoor uses its default port, port 6969. A false
negative is possible if the GateCrasher backdoor is configured to use a port other than
6969.
RealSecure Server Sensor: RealSecure detects a connection to the GateCrasher backdoor
only when the GateCrasher backdoor uses its default port, port 6969. A false negative is
possible if the GateCrasher backdoor is configured to use a port other than 6969.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0, RealSecure Server Sensor: 6.5
Systems affected
Windows NT, Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The GateCrasher 1.2 backdoor is one of many backdoor programs that attackers can use to
access your computer system without your knowledge or consent. With the GateCrasher
1.2 backdoor, an attacker can do the following:
● start and stop an FTP server on your computer
● restart your computer
● chat with other users on the system
● access files
● access your system registry
How to remove this
vulnerability
To remove the GateCrasher backdoor from your computer:
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may
cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. Using Regedit, find the HKLM\Software\Microsoft\Windows\CurrentVersion\Run
registry key.
2. Find the registry entry named Command that has a data value of
C:\Windows\system.exe.
3. Delete this registry entry.
4. Delete system.exe from the Windows system directory.
References
Internet Security Systems Security Alert #30
Windows Backdoor Update III
http://xforce.iss.net/alerts/advise30.php
ISS X-Force
GateCrasher backdoor for Windows
http://xforce.iss.net/static/2322.php
Gauntlet Firewall CyberPatrol integration buffer overflow (Gauntlet_CyberDaemon_Overflow)
About this
signature or
vulnerability
This signature detects an oversized HTTP proxy request on TCP port 8999. This request
will be reported in the "REQUEST" info field; the request's length will be reported in the
"LENGTH" info field. An HTTP proxy request that contains binary data could indicate an
attempt by an attacker to overflow a buffer in the Cyberdaemon component.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
Gauntlet Firewall: 5.0, Gauntlet Firewall: 5.5, Gauntlet Firewall: 4.2, Gauntlet Firewall: 4.1,
WebShield: 100 Series, WebShield: 300 Series, WebShield: Solaris 4.0
Type
Unauthorized Access Attempt
Vulnerability
description
Network Associates Gauntlet, a multi-platform firewall system, is vulnerable to a buffer
overflow in the CyberPatrol content monitoring system component. A remote attacker
can overflow a buffer in the Gauntlet CyberPatrol component to crash the system and
deny proxied HTTP connections to legitimate users or execute arbitrary code on the
firewall with root privileges.
How to remove this
vulnerability
Apply the appropriate "cyber.patch" for your system, available from the PGP Security
Web site. See References.
References
PGP Security Web site
Gauntlet Advisory – May 22, 2000
http://www.pgp.com/support/product-advisories/gauntlet.asp
Garrison Technologies
Gauntlet Vulnerability Discovered by Garrison Engineer
http://www.garrison.com/html/gauntlet-article.html
PGP Security Web site
Gauntlet Firewall for Unix and WebShield cyberdaemon Buffer Overflow Vulnerability
Advisory Addendum
http://www.pgp.com/support/product-advisories/gauntlet.asp
BugTraq Mailing List, Sun May 21 2000 22:36:05
Gauntlet CyberPatrol Buffer Overflow
http://www.securityfocus.com/archive/1/61238
Gauntlet Support Web site
Patch Status
http://www.tis.com/support/patchpage.html
ISS X-Force
Gauntlet Firewall CyberPatrol integration buffer overflow
http://xforce.iss.net/static/4503.php
CVE
CVE-2000-0437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0437
Gauntlet ICMP packet denial of service (Gauntlet_ICMP_DoS)
About this
signature or
vulnerability
This signature detects a specially-crafted ICMP Protocol Problem packet that could
indicate an attempt by a remote attacker to stall the Gauntlet firewall.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
Gauntlet Firewall: 5.0
Type
Denial of Service
Vulnerability
description
Network Associates Gauntlet Firewall version 5.0 is vulnerable to a denial of service
attack. A remote attacker could stall the firewall by submitting a specially-crafted ICMP
Protocol Problem packet to a computer routed through the firewall.
How to remove this
vulnerability
Apply the kernel.BSDI.patch, available from the PGP Security Web site. See References.
References
BugTraq Mailing List, Thu Jul 29 1999 22:03:07
Remotely Lock Up Gauntlet 5.0
http://www.securityfocus.com/archive/1/20276
PGP Security Web site
Current Gauntlet 5.0 Patch Status
http://www.pgp.com/naicommon/download/upgrade/patches/patchgauntlet50unix.asp
ISS X-Force
Gauntlet ICMP packet denial of service
http://xforce.iss.net/static/3108.php
CVE
CVE-1999-0683
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0683
GayOL backdoor for Windows and AOL (GayOL)
About this
signature or
vulnerability
This signature detects a GayOL client attempting to connect to a GayOL server on UDP
port 692.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.1
Systems affected
Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The GayOL backdoor program allows attackers to take control of a user's AOL (America
Online) session on an infected system. When the user of an infected system logs into AOL,
the GayOL backdoor notifies the attacker by ICQ of the user's IP address. The attacker can
then use a special client that operates over UDP port 692 to connect to the system and
perform a number of functions such as:
● retrieve and set AOL passwords
● manipulate the user's AOL mailbox
● manipulate the user's Instant Message and Chat sessions
The GayOL backdoor server on UDP port 692 only becomes active when the user logs into
AOL.
How to remove this
vulnerability
To remove the GayOL backdoor from an infected computer:
1. If the infected system is currently logged into AOL, log off.
2. Delete the file C:\Windows\Start Menu\Programs\StartUp\winsystray8876.exe
3. Delete the file C:\Windows\System\gaoltray.exe
4. Restart the computer.
References
ISS X-Force
GayOL backdoor for Windows and AOL
http://xforce.iss.net/static/5328.php
Buffer overflows can lead to arbitrary command execution (Generic_Intel_Overflow)
About this
signature or
vulnerability
This signature detects runs of NOP (no-operation) instructions. If such a run is found, it
then looks for the system call traps used on that architecture; together these indicate an
attack that could allow an attacker to gain access to your system.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 3.2
Systems affected
Any
Type
Denial of Service
Vulnerability
description
In buffer overflow attacks, an attacker supplies data that is longer than the available space
to hold it. For stack allocated variables, this usually means the attacker can corrupt other
variables and eventually modify the code that is executed when the function in which the
overflow occurs ends.
How to remove this
vulnerability
Block access to hosts or networks launching these attacks. This event may indicate an
attack based on previously released vulnerabilities in a server, or an attack on
unpublished security vulnerabilities. If possible, remove the attacked server from the
network and determine any vulnerabilities it may have.
References
Nathan P. Smith Web site
Smashing the Stack
http://reality.sgi.com/nate/machines/security/
ISS X-Force
Buffer overflows can lead to arbitrary command execution
http://xforce.iss.net/static/2189.php
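To make the two-stage logic of Generic_Intel_Overflow concrete, the following Python example (added here, not ISS code) scans a constructed payload for a run of 0x90 NOP bytes and then for an Intel int 0x80 system call trap shortly after it. The sled-length threshold, the look-ahead window and the use of 0x90 as the only NOP form are assumptions for illustration, not the sensor's actual parameters.

```python
from typing import Dict, Optional, Tuple

NOP = 0x90            # Intel single-byte NOP used to build a "sled"
INT80 = b"\xcd\x80"   # Intel "int 0x80" system call trap


def longest_nop_run(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (offset, length) of the longest run of consecutive NOP bytes, or None."""
    best, i, n = None, 0, len(data)
    while i < n:
        if data[i] != NOP:
            i += 1
            continue
        j = i
        while j < n and data[j] == NOP:
            j += 1
        if best is None or j - i > best[1]:
            best = (i, j - i)
        i = j
    return best


def detect_intel_overflow(data: bytes, min_sled: int = 32,
                          window: int = 256) -> Optional[Dict[str, object]]:
    """Stage 1: is there a NOP run at least min_sled bytes long?
    Stage 2: does a syscall trap follow within `window` bytes of that run?
    Returns None when no sled is found, otherwise a small verdict record."""
    run = longest_nop_run(data)
    if run is None or run[1] < min_sled:
        return None
    after = run[0] + run[1]
    return {
        "sled_offset": run[0],
        "sled_length": run[1],
        "syscall_trap": INT80 in data[after:after + window],
    }


# Constructed sample payloads (not captured traffic).
SUSPICIOUS = b"A" * 10 + bytes([NOP]) * 64 + INT80 + b"B" * 8  # sled, then trap
SLED_ONLY = bytes([NOP]) * 40 + b"C" * 20                       # sled, no trap
BENIGN = b"\x90\x00\x90\x90\x01" * 20       # scattered 0x90s; longest run is 2

if __name__ == "__main__":
    for name, payload in (("suspicious", SUSPICIOUS),
                          ("sled-only", SLED_ONLY), ("benign", BENIGN)):
        print(name, detect_intel_overflow(payload))
```

A sled without a following trap is still reported, with syscall_trap False, so that an analyst can tune the threshold rather than have the sensor silently discard it.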
GirlFriend backdoor for Windows (GirlFriend)
About this
signature or
vulnerability
This signature detects a TCP connection on port 21554 to a GirlFriend backdoor on your
network.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The GirlFriend backdoor is one of many backdoor programs that attackers can use to
access your computer system without your knowledge or consent. With the GirlFriend
backdoor, an attacker can do the following:
● access files on your hard drive
● capture your keystrokes
● retrieve your passwords by monitoring the password fields in dialog boxes on your
screen
How to remove this
vulnerability
To remove the GirlFriend backdoor from your computer:
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may
cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. Using Regedit, find the HKLM\Software\Microsoft\Windows\CurrentVersion\Run
registry key.
2. Find the registry entry named Windll.exe. The entry's data value contains the path to
the GirlFriend program file, Windll.exe. Remember the location of the file.
3. Restart your computer in MS-DOS mode.
4. Delete the Windll.exe file from the path named in the registry value.
5. Restart Windows.
6. Using Regedit, delete the Windll.exe entry from the
HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key.
References
Internet Security Systems Security Alert #30
Windows Backdoor Update III
http://xforce.iss.net/alerts/advise30.php
ISS X-Force
GirlFriend backdoor for Windows
http://xforce.iss.net/static/2324.php
Glacier backdoor for Windows (Glacier)
About this
signature or
vulnerability
This signature detects a TCP connection (traffic destined to TCP port 7626 or originating
from TCP port 7718) to a Glacier backdoor on your network.
False positives
RealSecure Network Sensor: A false positive is possible if other services are operating on
the Glacier client/server ports, though this is very unlikely.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.1
Systems affected
Windows NT, Windows 95, Windows 98, Windows 2000
Type
Unauthorized Access Attempt
Vulnerability
description
The Glacier backdoor is one of many backdoor programs that attackers can use to access
your computer system without your knowledge or consent. With the Glacier backdoor, an
attacker can do the following:
● modify the registry
● shut down your computer
● view your computer's screen
● record passwords
● obtain system information
● manipulate files on your computer
By default, the Glacier backdoor copies two files, Kernel32.exe and SysExplr.exe, onto the
victim computer. Kernel32.exe is the server program, and SysExplr.exe is a backup of the
server program that could re-infect the system when a user opens a text file.
The Glacier backdoor program names, locations, and ports can be configured by the
attacker, which can make detection and removal difficult.
How to remove this
vulnerability
To remove the Glacier backdoor from your computer:
CAUTION: Use Registry Editor at your own risk. Any change made with Registry Editor
may cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. Using Regedit, find the following two registry entries:
■ HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\(Default)
■ HKLM\Software\Microsoft\Windows\CurrentVersion\Run\(Default)
The data value for one or both of the entries should contain the path to the Glacier
program file, usually Kernel32.exe. This file is located in the Windows System directory
by default. If both registry entries contain the same file name, but it is not Kernel32.exe,
it is probably the Glacier program file. Remember the name and location of this file.
2. Delete the registry entry or entries that contain the path to the Glacier program file.
3. Delete the file found in the registry entry.
4. Using Regedit, find the
HKLM\Software\Classes\txtfile\shell\open\command\(Default) registry entry. If
the entry's data value is not "<Path to Notepad>\NOTEPAD.EXE %1", it contains the
path to a backup copy of the Glacier program file, usually SysExplr.exe. This file is
located in the Windows System directory by default. Remember the name and
location of this file.
5. Change the registry entry's data value to the location of the Windows Notepad
program: "<Path to Notepad>\NOTEPAD.EXE %1".
6. Delete the file you identified in step 5.
References
CIAC Information Bulletin L-077
The Glacier Backdoor
http://www.ciac.org/ciac/bulletins/l-077.shtml
ISS X-Force
Glacier backdoor for Windows
http://xforce.iss.net/static/4339.php
Global group access or privileges modified (Global_group_changed)
About this
signature or
vulnerability
This signature detects a Windows security log message indicating that access to or
privileges for a global group have been modified.
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability
description
A global group is a named collection of user accounts that is visible to any computer
participating in a domain. Global groups may only contain user accounts from one
domain. The three predefined global groups for a Windows NT domain are Domain
Administrators, Domain Users, and Domain Guests. Typically these global groups only
apply to Windows NT domains set up on a primary domain controller. Any management
performed on the global group will result in Windows NT writing an audit message to the
security event log.
Any changes made to a global group can have consequences for all the computers in the
domain in question. An attacker that has gained access can alter the membership of a
global group to allow accounts access and privileges never intended by the administrator.
How to remove this
vulnerability
If it has been determined that a system has been compromised, an inspection of the global
group audit events can determine the degree to which an attacker may have created
access to other systems. You can review the administrative activity history by running the
Windows NT Admin Activity Report.
References
ISS X-Force
Global group access or privileges modified
http://xforce.iss.net/static/1526.php
Global group created on the domain (Global_group_created)
About this
signature or
vulnerability
This signature detects a Windows security log message indicating that a global group has
been created on the domain.
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability
description
A global group is a named collection of user accounts that is visible to any computer
participating in a domain. Global groups may only contain user accounts from one
domain. The three predefined global groups for a Windows NT domain are Domain
Administrators, Domain Users, and Domain Guests. Typically these global groups only
apply to Windows NT domains set up on a primary domain controller. Any management
performed on the global group will result in an audit message being written to the
security event log.
Any changes made to a global group can have consequences for all the computers in the
domain in question. An attacker who has gained access can alter the membership of a
global group to allow accounts access and privileges never intended by the administrator.
How to remove this
vulnerability
If it has been determined that a system has been compromised, an inspection of the global
group audit events can determine the degree to which an attacker may have created
access to other systems.
References
ISS X-Force
Global group created on the domain
http://xforce.iss.net/static/1518.php
Global group deleted from the domain (Global_group_deleted)
About this
signature or
vulnerability
This signature detects a Windows security log message indicating that a global group has
been deleted from the domain.
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability
description
A global group is a named collection of user accounts that is visible to any computer
participating in a domain. Global groups may only contain user accounts from one
domain. The three predefined global groups for a Windows NT domain are Domain
Administrators, Domain Users, and Domain Guests. Typically these global groups only
apply to Windows NT domains set up on a primary domain controller. Any management
performed on the global group will result in Windows NT writing an audit message to the
security event log.
Any changes made to a global group can have consequences for all the computers in the
domain in question. An attacker that has gained access can alter the membership of a
global group to allow accounts access and privileges never intended by the administrator.
How to remove this
vulnerability
If it has been determined that a system has been compromised, an inspection of the global
group audit events can determine the degree to which an attacker may have created
access to other systems. You can review the administrative activity history by running the
Windows NT Admin Activity Report.
References
ISS X-Force
Global group deleted from the domain
http://xforce.iss.net/static/1527.php
Global group membership modified - user added
(Global_group_user_added)
About this
signature or
vulnerability
This signature detects a Windows security log message indicating that a user has been
added to a global group.
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability
description
A global group is a named collection of user accounts that is visible to any computer
participating in a domain. Global groups may only contain user accounts from one
domain. The three predefined global groups for a Windows NT domain are Domain
Administrators, Domain Users, and Domain Guests. Typically these global groups only
apply to Windows NT domains set up on a primary domain controller. Any management
performed on the global group will result in Windows NT writing an audit message to the
security event log.
Any changes made to a global group can have consequences for all the computers in the
domain in question. An attacker that has gained access can alter the membership of a
global group to allow accounts access and privileges never intended by the administrator.
How to remove this
vulnerability
If it has been determined that a system has been compromised, an inspection of the global
group audit events can determine the degree to which an attacker may have created
access to other systems. You can review the administrative activity history by running the
Windows NT Admin Activity Report.
References
ISS X-Force
Global group membership modified - user added
http://xforce.iss.net/static/1528.php
Global group membership modified - user removed
(Global_group_user_removed)
About this
signature or
vulnerability
This signature detects a Windows security log message indicating that a user has been
removed from a global group.
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability
description
A global group is a named collection of user accounts that is visible to any computer
participating in a domain. Global groups may only contain user accounts from one
domain. The three predefined global groups for a Windows NT domain are Domain
Administrators, Domain Users, and Domain Guests. Typically these global groups only
apply to Windows NT domains set up on a primary domain controller. Any management
performed on the global group will result in Windows NT writing an audit message to the
security event log.
Any changes made to a global group can have consequences for all the computers in the
domain in question. An attacker that has gained access can alter the membership of a
global group to allow accounts access and privileges never intended by the administrator.
How to remove this
vulnerability
If it has been determined that a system has been compromised, an inspection of the global
group audit events can determine the degree to which an attacker may have created
access to other systems. You can review the administrative activity history by running the
Windows NT Admin Activity Report.
References
ISS X-Force
Global group membership modified - user removed
http://xforce.iss.net/static/1529.php
Gnutella Connection (Gnutella_Connect)
About this
signature or
vulnerability
This signature detects a connection between a Gnutella client and a Gnutella server.
False positives
RealSecure Network Sensor: RealSecure detects all occurrences of the string
“GNUTELLA CONNECT” on any port. Although highly unlikely, a false positive is
possible if this string occurs in network communications not associated with a Gnutella
connection.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: SR 1.1
Systems affected
Gnutella
Type
Protocol Signature
Vulnerability
description
Gnutella is a tool for general peer-to-peer file sharing, similar to the popular Napster
program, but without a centralized server. The Gnutella protocol is well documented on
the Internet, making it possible for an attacker to create a customized, malicious Gnutella
application with backdoor features. In addition, files shared from other Gnutella users
could contain viruses or other backdoor programs.
How to remove this
vulnerability
If use of Gnutella is not in compliance with your system policy, consider terminating the
connection associated with this Gnutella event. It may be helpful to remind users of your
system policy regarding the use of Gnutella or similar applications.
References
Gnutella Web site
Welcome to Gnutella
http://gnutella.wego.com/
ISS X-Force
Gnutella Connection
http://xforce.iss.net/static/4820.php
Gnutella Download (Gnutella_Download)
About this
signature or
vulnerability
This signature detects a Gnutella file transfer.
False positives
RealSecure Network Sensor: A false positive is possible if the string “GET /get/” appears
over the network, in which case it will be identified as a Gnutella download. Also, it is
possible for web transfers to be identified as Gnutella transfers if they have a 'get'
directory under the http root.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: SR 1.1
Systems affected
Gnutella
Type
Suspicious Activity
Vulnerability
description
Gnutella is a tool for general peer-to-peer file sharing, similar to the popular Napster
program, but without a centralized server. The Gnutella protocol is well documented on
the Internet, making it possible for an attacker to create a customized, malicious Gnutella
application with backdoor features. In addition, files shared from other Gnutella users
could contain viruses or other backdoor programs.
How to remove this
vulnerability
If use of Gnutella is not in compliance with your system policy, consider terminating the
connection associated with this Gnutella event. It may be helpful to remind users of your
system policy regarding the use of Gnutella or similar applications.
References
Gnutella Web site
Welcome to Gnutella
http://gnutella.wego.com/
ISS X-Force
Gnutella Download
http://xforce.iss.net/static/4821.php
Gnutella Worm (Gnutella_Worm)
About this
signature or
vulnerability
This signature detects a Gnutella download containing a .vbs (Visual Basic Script) file,
which could install the Gnutella worm, or another virus, if executed.
False positives
RealSecure Network Sensor: A false positive is possible if the .vbs file in the Gnutella
download does not contain the Gnutella worm. However, any downloaded .vbs file
should be considered suspicious.
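The three Gnutella signatures above (Gnutella_Connect, Gnutella_Download and Gnutella_Worm) are plain string matches, and the false positives the guide lists follow directly from that. The following added example is not ISS code; it classifies constructed sample payloads the way the descriptions above say the sensor does. The request shape `GET /get/<index>/<filename>` used to pull a file name out of a download request is an assumption about the Gnutella client, not something the guide states.

```python
"""Added example: string-match classifier for the Gnutella signatures.
Sample payloads are constructed, not real captures."""
import re

# (signature name, default risk level) as given in the guide
CONNECT = ("Gnutella_Connect", "Low")
DOWNLOAD = ("Gnutella_Download", "Low")
WORM = ("Gnutella_Worm", "High")

# Assumed request shape: GET /get/<file index>/<file name> HTTP/1.x
DOWNLOAD_RE = re.compile(rb"GET /get/(?P<path>\S*) HTTP/1\.[01]")


def classify_payload(payload: bytes):
    """Return the (signature, risk) alerts a byte payload would raise.

    Matching is port-agnostic, as the guide says the sensor's is; that is
    exactly why the false positives it describes can occur.
    """
    alerts = []
    if b"GNUTELLA CONNECT" in payload:
        alerts.append(CONNECT)
    if b"GET /get/" in payload:
        match = DOWNLOAD_RE.search(payload)
        # Last path component is taken to be the requested file name.
        filename = match.group("path").rsplit(b"/", 1)[-1] if match else b""
        # A .vbs file in a Gnutella download escalates to the worm signature.
        alerts.append(WORM if filename.lower().endswith(b".vbs") else DOWNLOAD)
    return alerts


# Constructed sample traffic.
SAMPLES = {
    "handshake": b"GNUTELLA CONNECT/0.4\n\n",
    "download": b"GET /get/1234/holiday.mp3 HTTP/1.0\r\nUser-Agent: Gnutella\r\n\r\n",
    "vbs_download": b"GET /get/77/invoice.vbs HTTP/1.0\r\nUser-Agent: Gnutella\r\n\r\n",
    # A web server that happens to have a /get/ directory under its root:
    # the guide notes this is reported as a Gnutella download (false positive).
    "web_false_positive": b"GET /get/report.pdf HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "unrelated": b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
}


def classify_samples(samples=SAMPLES):
    """Map each sample name to the list of signature names it triggers."""
    return {name: [sig for sig, _risk in classify_payload(data)]
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, sigs in classify_samples().items():
        print(f"{name:20s} -> {sigs or ['(no alert)']}")
```

The `web_false_positive` sample raises Gnutella_Download exactly as the guide warns, which is the case an analyst should expect to triage by looking at the destination host rather than the payload string.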
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: SR 1.1
Systems affected
Gnutella
Type
Suspicious Activity
Vulnerability
description
The Gnutella worm is a virus program which, if installed on your computer, can send
copies of itself to other computers that use the Gnutella application. Gnutella is a tool for
general peer-to-peer file sharing, similar to the popular Napster program, but without a
centralized server.
How to remove this
vulnerability
If use of Gnutella is not in compliance with your system policy, consider terminating the
connection associated with this Gnutella event, or uninstalling the Gnutella application. It
may be helpful to remind users of your system policy regarding the use of Gnutella or
similar applications. Additionally, educate users about the dangers of executing
untrusted content.
References
Gnutella Web site
Welcome to Gnutella
http://gnutella.wego.com/
ISS X-Force
Gnutella Worm
http://xforce.iss.net/static/4822.php
Windows 2000 group type change (Group_type_changed)
About this
signature or
vulnerability
This signature detects a Windows event log message indicating that a group type has
been changed.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: SR 1.1
Systems affected
Windows 2000
Type
Host Sensor
Vulnerability
description
The group type of a Windows 2000 group has been changed. The two group types used in
Windows 2000 are security groups and distribution groups. While security groups assign
access rights and privileges to groups of users, distribution groups are used to perform
non-security functions in applications that use Active Directory. Because the purposes of
each group type are very different, any group type change should be considered a
suspicious event.
How to remove this
vulnerability
Verify that the group type change was authorized. If necessary, undo the change.
References
ISS X-Force
Windows 2000 group type change
http://xforce.iss.net/static/4855.php
Logon event by a Guest user (Guest_user_login)
About this
signature or
vulnerability
This signature detects a security log message indicating that a guest user has logged on to
the system.
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Solaris, Unix, Windows NT
Type
Host Sensor
Vulnerability
description
Some system administrators allow a guest account on their systems. A casual or one-time
user often uses such a guest account. When a guest logs into the system, an event message
is written to the security log.
In Windows NT/2000, this event is generated when a Windows NT/2000 security event
ID = 528 occurs and the word "guest" is in the event information. In Solaris, this event is
generated when a guest logs in using login, rlogin, or telnet.
Guest accounts are essentially anonymous. For this reason, all guest accounts should be
considered suspicious.
How to remove this
vulnerability
Frequently, an administrator will be unaware of a guest account being enabled on a
system. This event message indicates not only that a guest account exists, but that it is also
in use. It is strongly recommended that all guest accounts be disabled. Guest accounts can
be the open door through which an attacker makes an initial entrance onto a system. If a
guest account is enabled, the administrator should be careful in setting up the guest
account and making sure that it does not provide an entry point for an attacker.
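The five global-group signatures above (Global_group_changed, Global_group_created, Global_group_deleted, Global_group_user_added, Global_group_user_removed) and Guest_user_login all reduce to the same operation: read a Windows NT security-log record, look at its event ID, and for logons check the event information for the word "guest". The following added example is not ISS code; it does that over constructed records. Event ID 528 is given in the guide; the global-group event IDs (631, 632, 633, 634, 641) are an assumption taken from the Windows NT 4.0 audit catalogue, and the tab-separated record layout is an assumed simplification of an Event Viewer text export.

```python
"""Added example: classify exported Windows NT security-log records into the
host-sensor signatures. Records are constructed; the layout is
date, time, source, type, category, event ID, user, computer, description."""
from collections import Counter

# Event ID 528 comes from the guide. The global-group IDs are an assumption
# (Windows NT 4.0 security audit catalogue), not values from the guide.
GLOBAL_GROUP_EVENTS = {
    631: "Global_group_created",
    632: "Global_group_user_added",
    633: "Global_group_user_removed",
    634: "Global_group_deleted",
    641: "Global_group_changed",
}
LOGON_EVENT = 528

# Constructed sample export.
SAMPLE_RECORDS = [
    ("6/12/2001", "09:14:02", "Security", "Success Audit", "Account Management",
     "632", "Administrator", "PDC1",
     "Global Group Member Added: Member: CORP\\jdoe Target Account Name: Domain Admins"),
    ("6/12/2001", "09:15:40", "Security", "Success Audit", "Logon/Logoff",
     "528", "Guest", "WKS7",
     "Successful Logon: User Name: Guest Domain: WKS7 Logon Type: 2"),
    ("6/12/2001", "09:16:01", "Security", "Success Audit", "Logon/Logoff",
     "528", "jdoe", "WKS7",
     "Successful Logon: User Name: jdoe Domain: CORP Logon Type: 2"),
    ("6/12/2001", "09:20:11", "Security", "Success Audit", "Account Management",
     "634", "Administrator", "PDC1",
     "Global Group Deleted: Target Account Name: Contractors"),
    ("6/12/2001", "09:22:30", "Security", "Success Audit", "Account Management",
     "641", "Administrator", "PDC1",
     "Global Group Changed: Target Account Name: Domain Users"),
]
SAMPLE_LOG = "\n".join("\t".join(rec) for rec in SAMPLE_RECORDS) + "\n"


def parse_record(line):
    """Split one exported record into the fields the classifier needs."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 9:
        raise ValueError(f"expected 9 tab-separated fields, got {len(fields)}")
    return {"event_id": int(fields[5]), "user": fields[6],
            "computer": fields[7], "description": fields[8]}


def classify_event(record):
    """Return the signature name a record matches, or None."""
    event_id = record["event_id"]
    if event_id in GLOBAL_GROUP_EVENTS:
        return GLOBAL_GROUP_EVENTS[event_id]
    # Guest_user_login: event 528 with "guest" in the event information.
    if event_id == LOGON_EVENT and "guest" in record["description"].lower():
        return "Guest_user_login"
    return None


def scan_log(text):
    """Return (signature, acting user, computer, description) per alert."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_record(line)
        signature = classify_event(record)
        if signature:
            alerts.append((signature, record["user"], record["computer"],
                           record["description"]))
    return alerts


def admin_activity(alerts):
    """Count global-group changes per acting user: the administrative
    activity review the guide recommends after a suspected compromise."""
    return Counter(user for sig, user, _computer, _desc in alerts
                   if sig in GLOBAL_GROUP_EVENTS.values())


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(alert[0], "on", alert[2], "by", alert[1])
    print("group changes per user:", dict(admin_activity(found)))
```

The second 528 record (a named user, no "guest" in the text) is deliberately left unflagged to show the word match, not the event ID alone, is what distinguishes Guest_user_login.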
References
ISS X-Force
Logon event by a Guest user
http://xforce.iss.net/static/1788.php
Hack'a'Tack backdoor for Windows (HackATack)
About this
signature or
vulnerability
This signature detects a TCP connection on port 31785 to a Hack'a'Tack backdoor on your
network.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The Hack'a'Tack backdoor is one of many backdoor programs that attackers can use to
access your computer system without your knowledge or consent. With the Hack'a'Tack
backdoor, an attacker can do the following:
● move and close windows on your desktop
● start an FTP server on your computer
● log your keystrokes, including passwords you type
● shut down the computer
● execute programs
How to remove this
vulnerability
To remove the Hack'a'Tack backdoor from your computer:
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may
cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. Using Regedit, find the HKLM\Software\Microsoft\Windows\CurrentVersion\Run
registry key.
2. Find the registry entry named Explorer32. The entry's data value contains the path to
the Hack'a'Tack program file, Expl32.exe. Remember the location of the file.
3. Restart your computer in MS-DOS mode.
4. Delete the Expl32.exe file from the path named in the registry value.
5. Restart Windows.
6. Using Regedit, delete the Expl32.exe entry from the
HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key.
References
Internet Security Systems Security Alert #30
Windows Backdoor Update III
http://xforce.iss.net/alerts/advise30.php
ISS X-Force
Hack'a'Tack backdoor for Windows
http://xforce.iss.net/static/2325.php
Hacker's Paradise backdoor for Windows 95/98 and NT
(HackersParadise)
About this
signature or
vulnerability
This signature detects a TCP connection on port 456 to a Hacker's Paradise backdoor on
your network.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows NT, Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The Hacker's Paradise backdoor is one of many backdoor programs that attackers can use
to access your computer system without your knowledge or consent. With the Hacker's
Paradise backdoor, an attacker can do the following:
● access files on your computer
● manipulate the appearance of your desktop
● retrieve RAS (Remote Access Server) passwords (Windows NT only)
How to remove this
vulnerability
To remove the Hacker's Paradise backdoor from your computer:
1. Stop the Hacker's Paradise program (Antihack.exe) from running. Open the task list
by following the steps below for your platform:
■ In Windows 95/98, press Ctrl+Alt+Del to display the Close Programs dialog box.
■ In Windows NT, press Ctrl+Alt+Del, then click the Task Manager button to start
the NT Task Manager.
2. Select Antihack.exe, and then click End Task. If Antihack.exe does not appear in the
list, the backdoor is using a different file name and could be very difficult to locate.
Refer to the steps below for using an antivirus program to remove the backdoor.
3. Find and delete the file Antihack.exe.
To use an antivirus program to remove the Hacker's Paradise backdoor:
1. If you do not have an antivirus program installed, download and install one of these
virus scanners:
■ Norton AntiVirus: http://www.symantec.com/nav/indexA.html
■ McAfee VirusScan: http://software.mcafee.com/centers/download/
■ Trend Micro PC-Cillin: http://www.trend.com/pc-cillin/
2. Run the antivirus program to scan your system for this backdoor. The virus scanner
should find and remove the Hacker's Paradise backdoor from your computer.
References
ISS X-Force
Hacker's Paradise backdoor for Windows 95/98 and NT
http://xforce.iss.net/static/3113.php
Host Control backdoor for Windows (HostControl)
About this
signature or
vulnerability
This signature detects a TCP connection on port 11051 to a Host Control backdoor on your
network.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.1
Systems affected
Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The Host Control backdoor is one of many backdoor programs that attackers can use to
access your computer system without your knowledge or consent. On an infected system,
the Host Control server listens on port 11051 for Host Control client connections. Once
connected, a Host Control client can manipulate files and retrieve passwords on the
infected system.
How to remove this
vulnerability
To remove the Host Control backdoor from your computer:
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may
cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. In Windows 95/98, press Ctrl+Alt+Del to display the Close Programs dialog box.
2. Select the Winoldap program from the list.
3. Click the End Task button. (There may be more than one instance of Winoldap on the
list. Click the End Task button for each instance.)
4. Using Regedit, find the
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
registry key.
5. Find the registry entry named ICQNetDetect that has a data value of
C:\Recycled\temp.exe.
6. Delete this registry entry.
7. Find the registry entry named WinKernel that has a data value of
C:\Recycled\winkernel.exe.
8. Delete this registry entry.
9. Find the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
registry key.
10. Repeat steps 5 through 8 for this registry key.
11. Delete C:\Recycled\temp.exe and C:\Recycled\winkernel.exe.
12. Restart your computer.
These instructions were tested for Host Control version 2.6. For other possible versions of
the Host Control backdoor, you may wish to use an antivirus program to remove the Host
Control backdoor:
1. If you do not have an antivirus program installed, download and install one of these
virus scanners:
■ Norton AntiVirus: http://www.symantec.com/nav/indexA.html
■ McAfee VirusScan: http://software.mcafee.com/centers/download/
■ Trend Micro PC-Cillin: http://www.trend.com/pc-cillin/
2. Run the antivirus program to scan your system for this backdoor. The virus scanner
should find and remove the Host Control backdoor from your computer.
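The Glacier, Hack'a'Tack and Host Control removal procedures above all start with the same manual inspection: open Regedit, find a Run key or the txtfile shell command, and compare a named entry against a known value. The following added example (not ISS code) does that inspection over a Registry Editor export instead, so the same checks can be applied to a file exported from a suspect machine. The REGEDIT4 export text is constructed for illustration; the entry names and expected values are the ones the removal steps above give.

```python
"""Added example: audit a Registry Editor (REGEDIT4) export for the
persistence entries named in the Glacier, Hack'a'Tack and Host Control
removal steps. The export text is constructed."""

REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Explorer32"="C:\\WINDOWS\\SYSTEM\\Expl32.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ICQNetDetect"="C:\\Recycled\\temp.exe"
"WinKernel"="C:\\Recycled\\winkernel.exe"

[HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\SysExplr.exe %1"
"""

# Run-key entry name -> (file name its data should end with, signature)
RUN_INDICATORS = {
    "Explorer32": ("Expl32.exe", "HackATack"),
    "ICQNetDetect": ("temp.exe", "HostControl"),
    "WinKernel": ("winkernel.exe", "HostControl"),
}
RUN_KEY_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Run".lower()
TXTFILE_COMMAND_KEY = (
    r"HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command".lower())
# The guide's expected value is "<Path to Notepad>\NOTEPAD.EXE %1".
NOTEPAD_COMMAND_SUFFIX = r"\NOTEPAD.EXE %1".lower()


def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key path: {value name: data}}.
    Only string values are handled; '@' is the key's (Default) value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "(Default)" if name == "@" else name.strip('"')
        # .reg files double every backslash inside quoted strings.
        keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def audit_registry(keys):
    """Return (signature, key, value name, data) for every indicator hit."""
    findings = []
    for key, entries in keys.items():
        lowered = key.lower()
        if lowered.endswith(RUN_KEY_SUFFIX):
            # Covers HKLM, HKCU and HKEY_USERS\.DEFAULT Run keys alike.
            for name, data in entries.items():
                indicator = RUN_INDICATORS.get(name)
                if indicator and data.lower().endswith(indicator[0].lower()):
                    findings.append((indicator[1], key, name, data))
        elif lowered == TXTFILE_COMMAND_KEY:
            # Glacier step 4: anything other than "...\NOTEPAD.EXE %1" here
            # points at the backup copy of the backdoor.
            default = entries.get("(Default)", "")
            if not default.lower().endswith(NOTEPAD_COMMAND_SUFFIX):
                findings.append(("Glacier", key, "(Default)", default))
    return findings


if __name__ == "__main__":
    for signature, key, name, data in audit_registry(parse_reg_export(REG_EXPORT)):
        print(f"{signature}: [{key}] {name} = {data}")
```

A hit only tells you which file to go and remove with the steps above; the benign `SystemTray` entry in the sample shows that the audit is driven by the named indicators, not by every Run entry.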
References
ISS X-Force
Host Control backdoor for Windows
http://xforce.iss.net/static/5329.php
HP OpenView hidden SNMP community
(HP_OpenView_SNMP_Backdoor)
About this
signature or
vulnerability
This signature detects the use of a specific, hidden SNMP community string that has read-write access to the configuration of HP OpenView 4.x and 5.x management Agents.
False positives
RealSecure Network Sensor: A false positive is possible for legitimate use of the hidden
SNMP community string.
RealSecure Server Sensor: A false positive is possible for legitimate use of the hidden
SNMP community string.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 2.5, RealSecure Server Sensor: 6.5
Systems affected
HP-UX: 9.x, Solaris: 2.x, HP-UX: 10.x, HP-UX: 11.00
Type
Unauthorized Access Attempt
Vulnerability
description
Internet Security Systems' (ISS) X-Force has researched a hidden SNMP community string
that exists in the HP OpenView 4.x and 5.x management Agent. This community string
has read-write access to the Agent configuration and may allow unauthorized access to
certain SNMP variables. Attackers may use this hidden community string to learn about
network topology as well as modify MIB variables.
This vulnerability is present in HP OpenView version 5.02. Earlier versions are believed to
be vulnerable. SNMP agents for HP-UX 9.x, 10.x, 11.0 and Solaris 2.x are vulnerable.
OpenView for Windows NT is not vulnerable.
How to remove this
vulnerability
Apply the following patches, as listed in Hewlett-Packard Security Bulletin HPSBUX9811-088. See References.
● PHSS_16846 (HP-UX 11.00)
● PHSS_16845 (HP-UX 10.20)
● PHSS_16800 (HP-UX 10.0x and 10.10)
● PHSS_16799 (HP-UX 9.x)
● PSOV_02190 (Solaris 2.3 and 2.4)
● PSOV_02191 (Solaris 2.5.1 and 2.6)
References
Internet Security Systems Security Alert #12
Hidden SNMP community in HP OpenView
http://xforce.iss.net/alerts/advise12.php
Hewlett-Packard Security Bulletin HPSBUX9811-088
Security Vulnerability with snmp
http://us-support.external.hp.com/index.html
ISS X-Force
HP OpenView hidden SNMP community
http://xforce.iss.net/static/1387.php
CVE
CAN-1999-0516
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0516
HP-UX rlpd print protocol daemon buffer overflow
(HPUX_RLPD_Overflow)
About this
signature or
vulnerability
This signature detects an unusually long "6" command request sent to the lpd daemon.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.3
Systems affected
HP-UX: 10.01, HP-UX: 10.10, HP-UX: 11.00, HP-UX: 10.20, HP-UX: 11.11, HP-UX: 11.20
Type
Unauthorized Access Attempt
Vulnerability
description
Many commercial and open-source operating systems are adapted from BSD Unix. HP-UX is shipped with a line printer daemon adapted from BSD Unix that is similar to in.lpd
in other Unix variants. The Line Printer Daemon is used to allow heterogeneous Unix
environments to share printers over a network.
The HP-UX rlpdaemon is vulnerable to a denial of service attack caused by a buffer
overflow. By sending a specially-crafted print request, an attacker can crash the service or
execute arbitrary code with superuser privilege on the target system. This vulnerability is
particularly serious because rlpdaemon is installed and configured by default and is
active even if it is not being used. An attacker requires no local account or knowledge of
the configuration on the target system to successfully exploit this vulnerability.
All current versions of HP-UX install and enable the rlpdaemon daemon by default.
How to remove this
vulnerability
For HP-UX 10.01, 10.10, 10.20, 11.00, 11.11, and 11.20:
Apply the appropriate patch for your system, as listed in Hewlett-Packard Security
Bulletin HPSBUX0108-163. See References.
References
Internet Security Systems Security Alert #93
Remote Buffer Overflow Vulnerability in HP-UX Line Printer Daemon
http://xforce.iss.net/alerts/advise93.php
Hewlett-Packard Support Web site
IT resource center
http://us-support.external.hp.com
Hewlett-Packard Security Bulletin HPSBUX0108-163
Sec. Vulnerability in rlpdaemon
http://us-support.external.hp.com/cki/bin/doc.pl/sid=bdb76c6c0cce400353/screen=ckiDisplayDocument?docId=200000056242915
CIAC Information Bulletin L-134
HP Security Vulnerability in rlpdaemon
http://www.ciac.org/ciac/bulletins/l-134.shtml
CERT Advisory CA-2001-30
Multiple Vulnerabilities in lpd
http://www.cert.org/advisories/CA-2001-30.html
CERT Vulnerability Note VU#966075
HP-UX vulnerable to buffer overflow in line printer daemon (rlpdaemon) via crafted
print request
http://www.kb.cert.org/vuls/id/966075
CIAC Information Bulletin M-014
UNIX - Multiple Vulnerabilities In LPD
http://www.ciac.org/ciac/bulletins/m-014.shtml
ISS X-Force
HP-UX rlpd print protocol daemon buffer overflow
http://xforce.iss.net/static/6811.php
CVE
CAN-2001-0668
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0668
Alibaba Web server allows browsing the file system outside the
server root directory (HTTP_DotDot)
About this
signature or
vulnerability
This vulnerability is detected by the HTTP_DotDot signature.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
Alibaba Web Server
Type
Unauthorized Access Attempt
Vulnerability
description
CSM Alibaba is a commercial HTTP server for Windows 95, Windows 98, and Windows
NT. A vulnerability in the Alibaba HTTP server could allow a remote user to traverse
directories on the Web server's file system outside the document root. A remote attacker
can issue an HTTP GET request containing "dot dot" sequences (/../) to traverse
directories and read any file on the Web server. If directory browsing is enabled, an
attacker does not need prior knowledge of file names to exploit this vulnerability.
How to remove this
vulnerability
CSM no longer exists and Alibaba has not been updated since 1996. Users are advised to
upgrade to a newer Web server that has more updates and support.
As a workaround, you should install the Alibaba server on a physical drive of its own, or
disable the server if possible.
References
NTBugtraq Mailing List, Thu, 6 May 1999 23:51:27 +0200
..-hole in Alibaba 2.0
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9905&L=ntbugtraq&F=P&S=&P=3407
ISS X-Force
Alibaba Web server allows browsing the file system outside the server root directory
http://xforce.iss.net/static/2175.php
CVE
CAN-1999-0776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0776
Glimpse HTTP aglimpse allows remote command execution
(HTTP_Glimpse)
About this
signature or
vulnerability
This vulnerability is detected by the HTTP_Glimpse signature.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
Glimpse: 2.0, Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability
description
The aglimpse program allows a remote attacker to execute arbitrary commands on a Web
server. The aglimpse program is part of the Glimpse HTTP package, a Web interface to
the glimpse search tool. Glimpse HTTP version 2.0 is vulnerable to this problem.
The attacker can access the files on the Web server with the same user ID as that of the
configuration of your Web server. This exploit could allow the attacker to gain root or
administrator access to the host. In either case, it allows the attacker to alter the contents of
your Web site.
How to remove this
vulnerability
Upgrade to the latest version of WebGlimpse (1.5 or later), available from the
WebGlimpse Web site. See References.
As a workaround, log on as root on the vulnerable computer and type:
# /bin/chmod 400 /usr/local/etc/httpd/cgi-bin/aglimpse
Replace the path name with your cgi-bin directory.
Patches: Insert a / character at the start of the open command in the aglimpse program
(around line 72).
The vulnerable line is: open(CONF,'$indexdir/archive.cfg') || &err_conf;
The patched line is: open(CONF,'/$indexdir/archive.cfg') || &err_conf;
References
AUSCERT Advisory AA-97.28
Vulnerability in GlimpseHTTP and WebGlimpse cgi-bin Packages
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA97.28.GlimpseHTTP.WebGlimpse.vuls
WebGlimpse Web site
Unix-based search software
http://glimpse.cs.arizona.edu/
CERT Vendor-Initiated Bulletin VB-97.13
Vulnerability in GlimpseHTTP and WebGlimpse CGI scripts
http://www.cert.org/vendor_bulletins/VB-97.13.GlimpseHTTP.WebGlimpse
Packetstorm Exploit Code Archive
Glimpse http
http://packetstorm.securify.com/Exploit_Code_Archive/glimpse_http.txt
CIAC Information Bulletin I-014
Vulnerability in GlimpseHTTP and WebGlimpse cgi-bin Packages
http://www.ciac.org/ciac/bulletins/i-014.shtml
ISS X-Force
Glimpse HTTP aglimpse allows remote command execution
http://xforce.iss.net/static/350.php
CVE
CVE-1999-0147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0147
IIS 3.0 script source revealed by appending 2E to requests
(HTTP_IIS3_Asp_Dot)
About this
signature or
vulnerability
This vulnerability is detected by the HTTP_IIS3_Asp_Dot signature.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
Microsoft IIS: 3.0 and earlier
Type
Unauthorized Access Attempt
Vulnerability
description
Microsoft Internet Information Server (IIS) 3.0 required a hot-fix to patch a prior security
vulnerability (the ASP Dot vulnerability). This hot-fix introduced a new security
vulnerability that could allow an attacker to view the contents of an Active Server Page or
other script by substituting a "." (period) in the URL with its hexadecimal value (2E).
How to remove this
vulnerability
Upgrade to IIS 4.0, which fixes this vulnerability.
References
@stake, Inc./L0pht Security Advisory 03/19/97
Microsoft IIS 3.0
http://www.atstake.com/research/advisories/1997/asp.txt
ISS X-Force
IIS 3.0 script source revealed by appending 2E to requests
http://xforce.iss.net/static/621.php
IIS ASP source visible (HTTP_IIS3_Asp_Dot)
About this
signature or
vulnerability
This vulnerability is detected by the HTTP_IIS3_Asp_Dot signature.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
SunOS, Windows NT
Type
Unauthorized Access Attempt
Vulnerability
description
Microsoft Internet Information Server (IIS) versions 2.0 and 3.0 display the source of
Active Server Pages (ASP files) if a period is appended to the URL. In addition, scripting
information and other data in the file can be viewed.
Potentially proprietary Web server files (such as .ASP, .HTX, and .IDC file name
extensions) may contain sensitive information (such as user IDs and passwords)
embedded in the source code that is normally not available to remote users.
How to remove this
vulnerability
Upgrade to the latest version of Microsoft Internet Information Server (version 5.0 or
later), available from the Microsoft Windows Web Services (IIS) Web site. See References.
— OR —
If upgrading to the latest version is not possible, download the patch provided by
Microsoft, as listed in Microsoft Knowledge Base Article Q163485. See References.
As a workaround, disable read permissions for the ASP directory in the Internet Service
Manager. This may not be a practical solution since many sites mix ASP and HTML files.
If your site mixes these files together in the same directories, segregate them immediately.
ASP files should be treated as any other Web-based executable and kept in separate
directories where permissions can be adjusted.
Windows NT
Apply the latest Windows NT 4.0 Service Pack.
References
Microsoft Knowledge Base Article Q163485
Active Server Pages Script Appears in Browser
http://support.microsoft.com/support/kb/articles/q163/4/85.asp
Microsoft Knowledge Base Article Q164059
IIS Execution File Text Can Be Viewed in Client
http://support.microsoft.com/support/kb/articles/q164/0/59.asp
BugTraq Mailing List, Thu Feb 20 1997 12:51:04
Re: [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP
http://www.securityfocus.com/archive/1/6332
BugTraq Mailing List, Thu Feb 20 1997 09:39:01
! [ADVISORY] Major Security Hole in MS ASP
http://www.securityfocus.com/archive/1/6330
Microsoft Web site
Microsoft Windows Web Services (IIS) Web site
http://www.microsoft.com/technet/iis/
ISS X-Force
IIS ASP source visible
http://xforce.iss.net/static/7.php
CVE
CAN-1999-0154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0154
Sybase PowerDynamo PWS allows remote file system traversal
(HTTP_DotDot)
About this
signature or
vulnerability
This vulnerability is detected by the HTTP_DotDot signature.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
Sybase, PowerDynamo PWS
Type
Unauthorized Access Attempt
Vulnerability
description
PowerDynamo is a personal HTTP server developed by Sybase. PowerDynamo version
3.0.652 could allow a remote attacker to traverse directories on the Web server's file system. A
remote attacker can send a GET request containing "dot dot" sequences (/../) to traverse
directories outside the document root and view any file on the Web server's file system. To
exploit this vulnerability, the attacker does not need prior knowledge of file names if
directory browsing is enabled.
How to remove this
vulnerability
No remedy available as of April 2001.
References
BugTraq Mailing List, Sat Sep 04 1999 08:37:01
[Sybase] software vendors do not think about old bugs
http://www.securityfocus.com/archive/1/26710
ISS X-Force
Sybase PowerDynamo PWS allows remote file system traversal
http://xforce.iss.net/static/3169.php
CVE
CVE-1999-0695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0695
TeamTrack HTTP server allows browsing the file system outside
the server root directory (HTTP_DotDot)
About this
signature or
vulnerability
This vulnerability is detected by the HTTP_DotDot signature.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
TeamTrack Server: 3.00
Type
Unauthorized Access Attempt
Vulnerability
description
A security hole in the HTTP server supplied with TeamShare's TeamTrack problem-tracking
software could allow a remote attacker to traverse directories on the Web server. A remote
attacker could send a specially-crafted GET request containing "dot dot" sequences (/../)
to traverse directories and read files outside the Web server's document root.
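The HTTP_IIS3_Asp_Dot and HTTP_DotDot entries above both hinge on how a request path is decoded before it is compared: a period may arrive as "." or as its hexadecimal value 2E, and a "dot dot" segment may be percent-encoded once or twice. The Python below is an added example, not ISS RealSecure code; it canonicalizes a request target and applies both checks to constructed request lines (the paths in the samples are made up).

```python
"""Request-target canonicalization checks for the HTTP_IIS3_Asp_Dot and
HTTP_DotDot signatures described on this page.

Added example (not ISS RealSecure code). The request lines below are
constructed for illustration.
"""
import re
from urllib.parse import unquote

# Extensions whose source an IIS 2.0/3.0 server would disclose when the
# request target carried a trailing period (literal or encoded as %2E).
SCRIPT_EXTENSIONS = (".asp", ".htx", ".idc")

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/\d\.\d)?$")


def canonical_path(target: str) -> str:
    """Return the decoded path of a request target.

    Percent-decoding is applied repeatedly until the string stops changing, so
    that "%252E" (double-encoded ".") is treated the same as "." and "%2E".
    The query string is dropped; only the path matters for these two checks.
    """
    path = target.split("?", 1)[0]
    for _ in range(3):  # bounded: a legitimate target never needs more passes
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # IIS accepted backslashes as separators; fold them before segment checks.
    return path.replace("\\", "/")


def is_asp_dot(target: str) -> bool:
    """HTTP_IIS3_Asp_Dot: a script target ending in one or more periods."""
    path = canonical_path(target)
    stripped = path.rstrip(".")
    if stripped == path:
        return False  # no trailing period at all
    return stripped.lower().endswith(SCRIPT_EXTENSIONS)


def is_dot_dot(target: str) -> bool:
    """HTTP_DotDot: a parent-directory segment anywhere in the decoded path."""
    return ".." in canonical_path(target).split("/")


def classify(request_line: str) -> list[str]:
    """Return the names of the signatures that fire on one request line."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return []
    target = m.group("target")
    hits = []
    if is_dot_dot(target):
        hits.append("HTTP_DotDot")
    if is_asp_dot(target):
        hits.append("HTTP_IIS3_Asp_Dot")
    return hits


# Constructed sample traffic: two ordinary requests and four that should fire.
SAMPLE_REQUESTS = [
    "GET /default.asp HTTP/1.0",
    "GET /docs/index.htm?page=2 HTTP/1.0",
    "GET /default.asp. HTTP/1.0",                      # literal trailing period
    "GET /default.asp%2E HTTP/1.0",                    # the hot-fix bypass: "." sent as 2E
    "GET /../../private/config.txt HTTP/1.0",          # plain dot-dot traversal
    "GET /docs/%2e%2e/%2e%2e/private/config.txt HTTP/1.0",  # encoded dot-dot
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{line:55} -> {classify(line) or ['-']}")
```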
How to remove this
vulnerability
TeamShare recommends users use a third party Web server like Microsoft's IIS or
Netscape Enterprise Server. This issue has been resolved in TeamTrack 4.0, which is
expected to be delivered in early 2000.
References
Rain Forest Puppy Security Advisory RFP9904
RFP9904: TeamTrack webserver vulnerability
http://www.wiretrip.net/rfp/p/doc.asp?id=14&iface=3
BugTraq Mailing List, Sat Oct 02 1999 06:14:32
RFP9904: TeamTrack webserver vulnerability
http://www.securityfocus.com/archive/1/29551
ISS X-Force
TeamTrack HTTP server allows browsing the file system outside the server root directory
http://xforce.iss.net/static/3281.php
CVE
CVE-1999-0933
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0933
3Com AirConnect Easy Setup Web Access
(HTTP_3com_AirConnect_EasySetup)
About this
signature or
vulnerability
This signature detects an HTTP POST to "/_EasyInstall.htm," which indicates an attempt
to use the 3Com AirConnect Easy Setup Web Interface.
False positives
RealSecure Network Sensor: A false positive is possible for products other than 3Com
AirConnect that use the URL "/_EasyInstall.htm."
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
3Com AirConnect Access Point
Type
Suspicious Activity
Vulnerability
description
An attempt to use the 3Com AirConnect Easy Setup Web interface has been detected.
How to remove this
vulnerability
Disable the 3Com AirConnect Web Interface.
References
3Com Product Support
3Com® AirConnect® 11 Mbps Wireless LAN Access Point
http://www.3com.com/products/en_US/detail.jsp?tab=support&pathtype=support&sku=3CRWE74796B
ISS X-Force
3Com AirConnect Easy Setup Web Access
http://xforce.iss.net/static/6456.php
3Com AirConnect Filtering Setup Web Access
(HTTP_3com_AirConnect_FilteringSetup)
About this
signature or
vulnerability
This signature detects an HTTP POST to "/_FilteringSetup.htm," which indicates an
attempt to configure the Filtering setup of a 3Com AirConnect 802.11 access point through
the Web interface of the device.
False positives
RealSecure Network Sensor: A false positive is possible for products other than 3Com
AirConnect that use the URL "/_FilteringSetup.htm."
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
3Com AirConnect Access Point
Type
Suspicious Activity
Vulnerability
description
An attempt is being made to configure the Filtering setup of a 3Com AirConnect 802.11
access point through the Web interface of the device.
How to remove this
vulnerability
Disable the 3Com AirConnect Web Interface.
References
3Com Product Support
3Com® AirConnect® 11 Mbps Wireless LAN Access Point
http://www.3com.com/products/en_US/detail.jsp?tab=support&pathtype=support&sku=3CRWE74796B
ISS X-Force
3Com AirConnect Filtering Setup Web Access
http://xforce.iss.net/static/6457.php
3Com AirConnect Firmware Web Access
(HTTP_3com_AirConnect_FirmwareSetup)
About this
signature or
vulnerability
This signature detects an HTTP POST to "/_Firmware.htm," which indicates an attempt to
configure the Firmware of a 3Com AirConnect 802.11 access point through the Web
interface of the device.
False positives
RealSecure Network Sensor: A false positive is possible for products other than 3Com
AirConnect that use the URL "/_Firmware.htm."
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
3Com AirConnect Access Point
Type
Suspicious Activity
Vulnerability
description
An attempt is being made to configure the Firmware of a 3Com AirConnect 802.11 access
point through the Web interface of the device.
How to remove this
vulnerability
Disable the 3Com AirConnect Web Interface.
References
3Com Product Support
3Com® AirConnect® 11 Mbps Wireless LAN Access Point
http://www.3com.com/products/en_US/detail.jsp?tab=support&pathtype=support&sku=3CRWE74796B
ISS X-Force
3Com AirConnect Firmware Web Access
http://xforce.iss.net/static/6458.php
3Com AirConnect Modem Setup Web Access
(HTTP_3com_AirConnect_ModemSetup)
About this
signature or
vulnerability
This signature detects an HTTP POST to "/_ModemSetup.htm," which indicates an
attempt to configure the Modem setup of a 3Com AirConnect 802.11 access point through
the Web interface of the device.
False positives
RealSecure Network Sensor: A false positive is possible for products other than 3Com
AirConnect that use the URL "/_ModemSetup.htm."
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
3Com AirConnect Access Point
Type
Suspicious Activity
Vulnerability
description
An attempt is being made to configure the Modem setup of a 3Com AirConnect 802.11
access point through the Web interface of the device.
How to remove this
vulnerability
Disable the 3Com AirConnect Web Interface.
References
3Com Product Support
3Com® AirConnect® 11 Mbps Wireless LAN Access Point
http://www.3com.com/products/en_US/detail.jsp?tab=support&pathtype=support&sku=3CRWE74796B
ISS X-Force
3Com AirConnect Modem Setup Web Access
http://xforce.iss.net/static/6459.php
3Com AirConnect RF Setup Web Access
(HTTP_3com_AirConnect_RFSetup)
About this
signature or
vulnerability
This signature detects an HTTP POST to "/_RFSetup.htm," which indicates an attempt to
configure the radio setup of a 3Com AirConnect 802.11 access point through the Web
interface of the device.
False positives
RealSecure Network Sensor: A false positive is possible for products other than 3Com
AirConnect that use the URL "/_RFSetup.htm."
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
3Com AirConnect Access Point
Type
Suspicious Activity
Vulnerability
description
An attempt is being made to configure the radio setup of a 3Com AirConnect 802.11
access point through the Web interface of the device.
How to remove this
vulnerability
Disable the 3Com AirConnect Web Interface.
References
3Com Product Support
3Com® AirConnect® 11 Mbps Wireless LAN Access Point
http://www.3com.com/products/en_US/detail.jsp?tab=support&pathtype=support&sku=3CRWE74796B
ISS X-Force
3Com AirConnect RF Setup Web Access
http://xforce.iss.net/static/6460.php
3Com AirConnect Security Setup Web Access
(HTTP_3com_AirConnect_SecuritySetup)
About this
signature or
vulnerability
This signature detects an HTTP POST to "/_SecuritySetup.htm," which indicates an
attempt to configure the security setup of a 3Com AirConnect 802.11 access point through
the Web interface of the device.
False positives
RealSecure Network Sensor: A false positive is possible for products other than 3Com
AirConnect that use the URL "/_SecuritySetup.htm."
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
3Com AirConnect Access Point
Type
Suspicious Activity
Vulnerability
description
An attempt is being made to configure the security setup of a 3Com AirConnect 802.11
access point through the Web interface of the device.
How to remove this
vulnerability
Disable the 3Com AirConnect Web Interface.
References
3Com Product Support
3Com® AirConnect® 11 Mbps Wireless LAN Access Point
http://www.3com.com/products/en_US/detail.jsp?tab=support&pathtype=support&sku=3CRWE74796B
ISS X-Force
3Com AirConnect Security Setup Web Access
http://xforce.iss.net/static/6461.php
3Com AirConnect SNMP Setup Web Access
(HTTP_3com_AirConnect_SNMPSetup)
About this
signature or
vulnerability
This signature detects an HTTP POST to "/_SNMPSetup.htm," which indicates an attempt
to configure the SNMP setup of a 3Com AirConnect 802.11 access point through the Web
interface of the device.
False positives
RealSecure Network Sensor: A false positive is possible for products other than 3Com
AirConnect that use the URL "/_SNMPSetup.htm."
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
3Com AirConnect Access Point
Type
Suspicious Activity
Vulnerability
description
An attempt is being made to configure the SNMP setup of a 3Com AirConnect 802.11
access point through the Web interface of the device.
How to remove this
vulnerability
Disable the 3Com AirConnect Web Interface.
References
3Com Product Support
3Com® AirConnect® 11 Mbps Wireless LAN Access Point
http://www.3com.com/products/en_US/detail.jsp?tab=support&pathtype=support&sku=3CRWE74796B
ISS X-Force
3Com AirConnect SNMP Setup Web Access
http://xforce.iss.net/static/6462.php
3Com AirConnect Special Functions Web Access
(HTTP_3com_AirConnect_SpecialFunctions)
About this
signature or
vulnerability
This signature detects an HTTP POST to "/_SpecialFunctions.htm," which indicates an
attempt to configure the special functions of a 3Com AirConnect 802.11 access point
through the Web interface of the device.
False positives
RealSecure Network Sensor: A false positive is possible for products other than 3Com
AirConnect that use the URL "/_SpecialFunctions.htm."
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
3Com AirConnect Access Point
Type
Suspicious Activity
Vulnerability
description
An attempt is being made to configure the special functions of a 3Com AirConnect 802.11
access point through the Web interface of the device.
How to remove this
vulnerability
Disable the 3Com AirConnect Web Interface.
References
3Com Product Support
3Com® AirConnect® 11 Mbps Wireless LAN Access Point
http://www.3com.com/products/en_US/detail.jsp?tab=support&pathtype=support&sku=3CRWE74796B
ISS X-Force
3Com AirConnect Special Functions Web Access
http://xforce.iss.net/static/6463.php
3Com AirConnect System Setup Web Access
(HTTP_3com_AirConnect_SystemSetup)
About this
signature or
vulnerability
This signature detects an HTTP POST to "/_SystemSetup.htm," which indicates an
attempt to configure the system setup of a 3Com AirConnect 802.11 access point through
the Web interface of the device.
False positives
RealSecure Network Sensor: A false positive is possible for products other than 3Com
AirConnect that use the URL "/_SystemSetup.htm."
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
3Com AirConnect Access Point
Type
Suspicious Activity
Vulnerability
description
An attempt is being made to configure the system setup of a 3Com AirConnect 802.11
access point through the Web interface of the device.
How to remove this
vulnerability
Disable the 3Com AirConnect Web Interface.
References
3Com Product Support
3Com® AirConnect® 11 Mbps Wireless LAN Access Point
http://www.3com.com/products/en_US/detail.jsp?tab=support&pathtype=support&sku=3CRWE74796B
ISS X-Force
3Com AirConnect System Setup Web Access
http://xforce.iss.net/static/6464.php
ActiveX allows local command execution (HTTP_ActiveX)
About this
signature or
vulnerability
This signature detects when a web browser attempts to obtain a file containing a
Microsoft ActiveX control.
Additional
Vulnerabilities
Found
■ ie-active-download
False positives
RealSecure Network Sensor: This signature does not determine if the ActiveX control
being downloaded is malicious; it only detects that the browser is downloading ActiveX
code.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 2.5
Systems affected
Windows
Type
Protocol Signature
Vulnerability
description
ActiveX is a Web technology that can be used maliciously to execute local commands on
the computer that is running ActiveX. For example, a remote attacker could use ActiveX
to execute a local command to shut down the computer.
How to remove this
vulnerability
Review your organization's security policy on ActiveX. Consider disabling ActiveX for
your Web browsers to reduce potential vulnerability to hostile ActiveX applets.
References
The NT Shop Web site
Microsoft Active X Controls
http://www.ntsecurity.net/security/ActiveX.htm
ISS X-Force
ActiveX allows local command execution
http://xforce.iss.net/static/476.php
HTTP Anyform (HTTP_AnyForm)
About this
signature or
vulnerability
This signature detects HTTP GET requests to the AnyForm2 CGI-bin program.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0, RealSecure Server Sensor: 5.5.2
Systems affected
AnyForm: 2.0
Type
Unauthorized Access Attempt
Vulnerability
description
AnyForm, by John Roberts, is a CGI-bin program used for simple forms that deliver email
responses. A vulnerability in version 2 of AnyForm (AnyForm2) could allow a remote
attacker to execute arbitrary commands on the Web server as the UID 'nobody'.
How to remove this
vulnerability
No remedy available as of August 2001. AnyForm is no longer available and is restricted
to use at the University of Kentucky. More information is available at the University of
Kentucky Web site. See References.
As a workaround, disable access or execute permission to the AnyForm2 script.
References
University of Kentucky Web site
WEB FORMS WITH ANYFORM
http://www.uky.edu/AnyForm
BugTraq Mailing List, Mon Jul 31 1995 21:26:51
SECURITY HOLE: "AnyForm" CGI
http://www.securityfocus.com/archive/1/3544
ISS X-Force
HTTP Anyform
http://xforce.iss.net/static/4907.php
CVE
CVE-1999-0066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0066
AnyForm CGI script allows remote execution of arbitrary
commands (HTTP_AnyFormPost)
About this
signature or
vulnerability
This signature detects specially-crafted HTTP POSTs to the AnyForm2 CGI-bin program.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability
description
AnyForm, by John Roberts, is a CGI-bin program used for simple forms that deliver email
responses. A vulnerability in version 2 of AnyForm (AnyForm2) could allow a remote
attacker to execute malicious programs on a Web server. The program fails to properly
perform sanity checks. A remote attacker could exploit this vulnerability by creating a
form with a hidden field and sending the form to the program to execute malicious
programs on the Web server.
How to remove this
vulnerability
No remedy available as of August 2001. AnyForm is no longer available and is restricted
to use at the University of Kentucky. More information is available at the University of
Kentucky Web site. See References.
As a workaround, disable access or execute permission to the AnyForm2 script.
References
University of Kentucky AnyForm Web site
WEB FORMS WITH ANYFORM
http://www.uky.edu/AnyForm
BugTraq Mailing List, Mon Jul 31 1995 21:26:51
SECURITY HOLE: "AnyForm" CGI
http://www.securityfocus.com/archive/1/3544
ISS X-Force
AnyForm CGI script allows remote execution of arbitrary commands
http://xforce.iss.net/static/301.php
CVE
CVE-1999-0066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0066
Apache HTTP server beck exploit (HTTP_Apache_DOS)
About this
signature or
vulnerability
This signature detects an HTTP request containing a large number of slashes ("/"), which
could indicate an attempt by an attacker to increase the load average on an Apache httpd
server.
False positives
RealSecure Network Sensor: A false positive is possible for valid URLs that contain more
than 1000 slashes ("/").
RealSecure Server Sensor: A false positive is possible for valid URLs that contain more
than 1000 slashes ("/").
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 2.5, RealSecure Server Sensor: 5.5
Systems affected
Apache Web Server
Type
Denial of Service
Vulnerability
description
Apache httpd servers prior to version 1.2.5 could allow an attacker to increase the load
average on the server, possibly causing a denial of service. An attacker could submit an
HTTP request containing thousands of slashes ("/") to cause the system running the
server to become very slow or inaccessible. This problem has sometimes been referred to
as the beck exploit.
How to remove this
vulnerability
Upgrade to the latest version of Apache (1.2.5 or later), as listed in the Apache Security
Advisory dated Tuesday, January 6 1998. See References.
References
Apache Server Project Web site
Apache Security Advisory, Tuesday, January 6 1998
http://www.apache.org/info/security_bulletin_1.2.5.html
BugTraq Mailing List, Tue Dec 30 1997 04:07:04
Apache DoS attack?
http://www.securityfocus.com/archive/1/8310
CERT Vendor-Initiated Bulletin VB-98.02
Apache Security Advisory
http://www.cert.org/vendor_bulletins/VB-98.02.apache
ISS X-Force
Apache HTTP server beck exploit
http://xforce.iss.net/static/697.php
HTTP authentication (HTTP_Authentication)
About this
signature or
vulnerability
This signature detects HTTP Basic authentication to a Web server and logs the usernames
and passwords.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
HTTP
Type
Protocol Signature
Vulnerability
description
Usernames and passwords used in HTTP Basic authentication to a Web server can be
logged to determine which user accounts are logging into Web servers from particular
systems. Collecting this information can offload some logging tasks from heavily-loaded
Web servers and help detect brute force password guessing attacks against the Web
server.
How to remove this
vulnerability
If a brute force password guessing attack is suspected, review the history of HTTP
authentication events for more information.
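As an added example (not ISS RealSecure code), the Python below decodes Basic credentials from constructed requests, records one authentication event per request, and performs the review step above by flagging client/server/username triples with repeated 401 failures inside a short window. Unlike the sensor described here, it keeps only the username, not the password; the addresses, hostname, window and threshold are constructed assumptions.

```python
"""HTTP Basic authentication event logging and brute-force review, in the
spirit of the HTTP_Authentication signature on this page.

Added example (not ISS RealSecure code). The requests, addresses and status
codes below are constructed; in a sensor they would come from the TCP stream.
"""
import base64
import binascii
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthEvent:
    timestamp: float      # seconds; constructed values below
    client: str           # source address of the request
    server: str           # Host header of the request
    username: str
    succeeded: bool       # False when the server answered 401


def parse_basic_credentials(header_value: str) -> Optional[tuple[str, str]]:
    """Decode an "Authorization: Basic <base64>" value into (user, password).

    Returns None for non-Basic schemes or undecodable tokens. Basic credentials
    are "user:password" in base64; the password may itself contain colons, so
    only the first colon separates the two.
    """
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None
    if ":" not in raw:
        return None
    user, password = raw.split(":", 1)
    return user, password


def auth_event(ts: float, client: str, request: str, status: int) -> Optional[AuthEvent]:
    """Build an AuthEvent from a raw request and the server's status code.

    The password is deliberately not retained; the username and the outcome
    are all the review described on this page needs.
    """
    host = "-"
    creds = None
    for line in request.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.lower() == "host":
            host = value.strip()
        elif name.lower() == "authorization":
            creds = parse_basic_credentials(value)
    if creds is None:
        return None
    return AuthEvent(ts, client, host, creds[0], succeeded=(status != 401))


def guessing_suspects(events, window: float = 60.0, threshold: int = 5):
    """Return (client, server, username) triples with >= threshold failures in any window."""
    failures = defaultdict(list)
    for e in events:
        if not e.succeeded:
            failures[(e.client, e.server, e.username)].append(e.timestamp)
    suspects = []
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted failures
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                suspects.append(key)
                break
    return suspects


def build_request(host: str, user: str, password: str) -> str:
    """Constructed request carrying Basic credentials (test data only)."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return f"GET /admin/ HTTP/1.0\r\nHost: {host}\r\nAuthorization: Basic {token}\r\n\r\n"


# Constructed traffic: one legitimate login and one rapid guessing run (six 401s).
SAMPLE_TRAFFIC = [(0.0, "10.0.0.5", build_request("www.example.com", "alice", "correct-horse"), 200)]
SAMPLE_TRAFFIC += [
    (1.0 + i, "10.0.0.99", build_request("www.example.com", "admin", f"guess{i}"), 401)
    for i in range(6)
]


def review(traffic=SAMPLE_TRAFFIC):
    """Turn raw traffic into events and return them with the guessing suspects."""
    events = [ev for ev in (auth_event(*t) for t in traffic) if ev is not None]
    return events, guessing_suspects(events)


if __name__ == "__main__":
    events, suspects = review()
    for e in events:
        print(f"{e.timestamp:6.1f} {e.client:10} {e.server:16} {e.username:8} "
              f"{'ok' if e.succeeded else 'FAIL'}")
    print("brute-force suspects:", suspects)
```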
References
ISS X-Force
HTTP authentication
http://xforce.iss.net/static/653.php
Axis StorPoint CD servers could allow remote access to admin
pages (HTTP_Axis_Storpoint)
About this
signature or
vulnerability
This signature detects an HTTP GET request for the cnf_gi.htm file. The request contains a
"dot dot" (/../) sequence, which could indicate an attempt by an attacker to access the
server's administration pages.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: SR 1.1
Systems affected
StorPoint CD Server: 2.5.1 and earlier
Type
Unauthorized Access Attempt
Vulnerability
description
Axis Communications network CD servers StorPoint CD and CD/T could allow a remote
attacker to gain access to the server's administration pages, due to a vulnerability in the
software's Web interface for remote administration. In versions of StorPoint CD and CD/T
previous to 4.28, an attacker can submit a specially-crafted URL to bypass
authentication and access the server's administration pages.
How to remove this
vulnerability
Upgrade to software version 4.28, available from the Axis Communications Web site. Axis
recommends upgrading to hardware from one of their newer product lines. See
References.
References
BugTraq Mailing List, Tue Feb 29 2000 06:18:54
Infosec.20000229.axisstorpointcd.a
http://www.securityfocus.com/archive/1/48924
Axis Communications Web site
Axis Communications Support Web
http://www.axis.com/techsup/cdsrv/storpoint_cd/
ISS X-Force
Axis StorPoint CD servers could allow remote access to admin pages
http://xforce.iss.net/static/4078.php
CVE
CVE-2000-0191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0191
Win32 CGI programs written as DOS batch files could allow
remote command execution (HTTP_BAT_Execute)
About this
signature or
vulnerability
This signature detects an HTTP GET request for a batch file that appears to be an attempt
to execute commands on the server. This event is never normal activity; it can only be an
attempted attack on the server.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0, RealSecure Server Sensor: 5.5.2
Systems affected
Windows
Type
Unauthorized Access Attempt
Vulnerability
description
Many Win32 Web servers have the ability to support multiple executable types as CGI
(Common Gateway Interface) components. When MS-DOS batch files (.BAT) are used for
this purpose and written in an insecure manner, they can allow remote attackers to
execute arbitrary commands on the Web server. If the Web server passes the
QUERY_STRING variable to the batch file with a '&' (ampersand) character embedded in
it and the script performs no input validation, the commands after the ampersand are
executed at the privilege level of the CGI program.
How to remove this
vulnerability
Remove batch (.BAT) files from your Web server's CGI-BIN directory or rewrite them to
properly validate user data.
References
BugTraq Mailing List, Wed Feb 23 2000 15:52:10
Sambar Server alert!
http://www.securityfocus.com/archive/1/48001
BugTraq Mailing List, Thu Feb 24 2000 13:00:44
Sambar Server alert! (2)
http://www.securityfocus.com/archive/1/48181
ISS X-Force
Win32 CGI programs written as DOS batch files could allow remote command execution
http://xforce.iss.net/static/4425.php
Brown Orifice HTTPD (HTTP_BrownOrifice)
About this
signature or
vulnerability
This signature detects an HTTP download containing a Java .class file using vulnerable
Netscape Java classes that contain strings found in the BrownOrifice code. This may
indicate that a malicious web site is attempting to exploit this vulnerability.
False positives
RealSecure Network Sensor: A false positive is possible if any .class file or any Java
application being downloaded contains the specific strings found in the BrownOrifice
code.
False negatives
RealSecure Network Sensor: A false negative is possible if an attacker modifies the source
code of the BOHTTPD Java application to avoid detection by RealSecure.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 1.3
Systems affected
Netscape Communicator
Type
Unauthorized Access Attempt
Vulnerability
description
The Netscape Java distribution could allow a hostile Web site to start a server process on
the browsing system. Using "file:" URLs with the Netscape Java distribution, a remote
attacker can access arbitrary files on the browser system and any locally connected
networks, as demonstrated by the Brown Orifice program.
Netscape Communicator versions 4.74 and earlier, and all versions of Netscape
Navigator, are vulnerable when Java is enabled.
How to remove this
vulnerability
Upgrade to the latest version of Netscape Communicator (4.75 or later), available from the
Netscape Products Web site. See References.
As a workaround, disable Java in the browser.
To stop the server process on your computer after visiting a malicious Web site, close all
open Netscape browser windows.
References
CERT Advisory CA-2000-15
Netscape Allows Java Applets to Read Protected Resources
http://www.cert.org/advisories/CA-2000-15.html
Internet Security Systems Security Alert #58
Brown Orifice, BOHTTPD, a Platform Independent Java Vulnerability in Netscape
http://xforce.iss.net/alerts/advise58.php
Netscape Communications, Inc. Web site
Netscape Security Notes
http://www.netscape.com/security/notes/index.html
Netscape Communications, Inc. Web site
Netscape Products
http://home.netscape.com/download/
BugTraq Mailing List, Sat Aug 05 2000 03:04:29
Dangerous Java/Netscape Security Hole
http://www.securityfocus.com/archive/1/74163
Red Hat Linux Errata Advisory RHSA-2000:054-01
New Netscape packages fix Java security hole
http://www.redhat.com/support/errata/RHSA-2000-054-01.html
Caldera Systems, Inc. Security Advisory CSSA-2000-027.1
Netscape java security bug
http://www.calderasystems.com/support/security/advisories/CSSA-2000-027.1.txt
FreeBSD, Inc. Security Advisory FreeBSD-SA-00:39
Two Vulnerabilities in Netscape
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:39.netscape.asc
SuSE Security Announcement #60
Security Hole in Netscape, Versions 4.x, possibly others
http://www.suse.de/de/support/security/suse_security_announce_60.txt
Linux-Mandrake Security Update Advisory MDKSA-2000:033 (from SecurityFocus
Archive)
Netscape Java vulnerability
http://www.securityfocus.com/archive/1/75470
Linux-Mandrake Security Update Advisory MDKSA-2000:036 (from BugTraq Mailing List)
netscape update
http://www.securityfocus.com/archive/1/77454
BugTraq Mailing List, Fri Aug 18 2000 19:54:43
Conectiva Linux Security Announcement - netscape
http://www.securityfocus.com/archive/1/77073
SecurityFocus.com news
Beware 'Brown Orifice'
http://www.securityfocus.com/news/70
CERT Vulnerability Note VU#32231
Netscape Java Security Manager fails to prevent URLConnections through netscape.net.URLConnection Class
http://www.kb.cert.org/vuls/id/32231
National Infrastructure Protection Center (NIPC) Advisory 00-052
"Brown Orifice", August 9, 2000
http://www.nipc.gov/warnings/assessments/2000/00-052.htm
CIAC Information Bulletin K-063
Netscape - Java Vulnerability
http://www.ciac.org/ciac/bulletins/k-063.shtml
ISS X-Force
Brown Orifice HTTPD
http://xforce.iss.net/static/5032.php
CVE
CVE-2000-0676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0676
Squid cachemgr.cgi script can be used to remotely proxy
portscans (HTTP_Cachemgr)
About this
signature or
vulnerability
This signature detects HTTP GET requests for cgi-bin/cachemgr.cgi. This CGI script is
distributed with the Squid proxy.
False positives
RealSecure Network Sensor: RealSecure detects any use of the cachemgr.cgi, including
legitimate use of the Squid cachemgr.cgi script (if it is installed in the cgi-bin directory).
This script should be in a protected CGI directory to secure it. This signature can be used
to detect an attacker trying to use the script from the cgi-bin directory (its default location
in Red Hat Linux and possibly other Linux distributions).
RealSecure Server Sensor: Legitimate use of the Squid cachemgr.cgi script also triggers
this signature. The script should be in a protected CGI directory to secure it; the signature
detects attempts to use it from its default location in Red Hat Linux (and other
distributions that install it there, if any).
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
Common Gateway Interface (CGI), Squid, Red Hat Linux: 6.0
Type
Unauthorized Access Attempt
Vulnerability
description
The cachemgr.cgi script is distributed with the Squid proxy as a tool for managing and
viewing statistics about a running cache server. The cachemgr.cgi script is not installed by
default into a system's Web server CGI directory. However, under some systems
(including Red Hat Linux), the cachemgr.cgi script can be found in this directory with no
access controls in place. This script can be used by a remote attacker to connect to
arbitrary hosts and ports, which could be used to "proxy" portscans through vulnerable
systems.
How to remove this
vulnerability
Remove the cachemgr.cgi script from your server's CGI-BIN directory.
References
BugTraq Mailing List, Fri Jul 23 1999 16:36:32
Redhat 6.0 cachemgr.cgi lameness
http://www.securityfocus.com/archive/1/19392
Red Hat Linux Errata Advisory RHSA-1999:025-01
Potential misuse of squid cachemgr.cgi
http://www.redhat.com/support/errata/RHSA1999025_01.html
ISS X-Force
Squid cachemgr.cgi script can be used to remotely proxy portscans
http://xforce.iss.net/static/2385.php
CVE
CVE-1999-0710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0710
Campas cgi-bin file executes remote commands (HTTP_Campas)
About this
signature or
vulnerability
This signature detects an attack against the campas cgi-bin script present with certain
httpd Web servers.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
NCSA Servers: Old Versions, Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability
description
The campas CGI program allows a remote attacker to execute commands on a Web server
with the privileges of the user owning the server process. The campas program is
included as a sample CGI program in some older versions of the NCSA Web server.
Depending on the configuration of the Web server, this could allow an attacker to gain
root or administrator access to the host. This vulnerability also allows an attacker to alter
the contents of the Web site.
How to remove this
vulnerability
Delete the campas cgi-bin script.
— AND —
Upgrade your HTTP server to the latest available version.
References
BugTraq Mailing List, Tue Jul 15 1997 16:24:31
Bug CGI campas
http://www.securityfocus.com/archive/1/7252
ISS X-Force
Campas cgi-bin file executes remote commands
http://xforce.iss.net/static/298.php
CVE
CVE-1999-0146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0146
iCat Carbo Server allows remote file viewing (HTTP_Carbo_Server)
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
iCat Carbo Server
Type
Unauthorized Access Attempt
Vulnerability
description
iCat Carbo Server is a program used for creating interactive online catalogs. A
vulnerability in iCat could allow a remote user to view any file on the system that iCat is
running on. This vulnerability has been confirmed in Carbo Server version 3.0.0.
How to remove this
vulnerability
If possible, disable the Carbo server until a patch or upgrade becomes available from iCat.
In disabling the Carbo server, ensure that the carbo.dll file is deleted.
References
BugTraq Mailing List, Sat Nov 08 1997 11:11:12
Security bug in iCat Suite version 3.0
http://www.securityfocus.com/archive/1/7943
iCat.Com Web site
iCat.Com: e-commerce solutions
http://www.icat.com/
ISS X-Force
iCat Carbo Server allows remote file viewing
http://xforce.iss.net/static/1620.php
CVE
CAN-1999-1069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1069
Carello Web shopping cart add.exe allows remote file creation and duplication (HTTP_Carello)
About this
signature or
vulnerability
This signature detects specially formatted HTTP GET requests that include
"add.exe", which could allow an attacker to create copies of files on the server.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
Carello: 1.2.1
Type
Unauthorized Access Attempt
Vulnerability
description
Carello Web version 1.2.1 may reveal the source code of files on the server. Carello Web is
a Web site shopping cart application developed by Pacific Software. An attacker could use
the "add.exe" component in Carello Web to create copies of known files on the Web
server, using a different file extension for the new file. An attacker could then submit an
HTTP request for the new file to view its source. If the copied file is a server-side ASP file
(Active Server Page), the source could reveal sensitive information, such as usernames
and passwords.
How to remove this
vulnerability
No remedy available as of March 2001.
As a workaround, disable access by anonymous Internet accounts to directories that
contain sensitive information.
References
@stake, Inc./Cerberus Information Security Advisory CISADV000524b
Carello Web file overwriting vulnerability
http://www.atstake.com/research/advisories/2000/advcarello.html
Pacific Software Publishing
Carello Web
http://www.carelloweb.com/
ISS X-Force
Carello Web shopping cart add.exe allows remote file creation and duplication
http://xforce.iss.net/static/4542.php
CVE
CVE-2000-0396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0396
Cart32 shopping cart allows remote attackers to change admin password (HTTP_Cart32_ChangeAdminPassword)
About this
signature or
vulnerability
This signature detects an access attempt to the c32web.exe CGI program. The access
attempt includes a 'ChangeAdminPassword' parameter.
False positives
RealSecure Network Sensor: This signature does not distinguish between authorized and
unauthorized attempts to change a Cart32 administrator password.
RealSecure Server Sensor: This signature does not distinguish between authorized and
unauthorized attempts to change a Cart32 administrator password.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2, RealSecure Server Sensor: 6.5
Systems affected
Cart32: 2.6, Cart32: 3.0
Type
Unauthorized Access Attempt
Vulnerability
description
Cart32 is an online shopping cart system developed by McMurtrey/Whitaker &
Associates for the Windows platform. A vulnerability in the c32web.exe CGI component
of Cart32 could allow a remote attacker to change the administrator password to an
arbitrary value without knowledge of the original password. By exploiting this
vulnerability, a remote attacker can gain access to the Cart32 Administration program.
How to remove this
vulnerability
Apply the patch from the McMurtrey/Whitaker & Associates Web site, as listed in Cart32
Knowledge Base Article: c048. See References.
References
BugTraq Mailing List, Thu Apr 27 2000 21:30:37
Re: Alert: Cart32 secret password backdoor (CISADV000427)
http://www.securityfocus.com/archive/1/57566
Cart32 Knowledge Base Article c048
McMurtrey/Whitaker & Associates, Inc. responds to "backdoor password" reports.
http://www.cart32.com/kbshow.asp?article=c048
@stake, Inc./Cerberus Information Security Advisory CISADV000427
Cart32 secret password Backdoor
http://www.atstake.com/research/advisories/2000/advcart32.html
ISS X-Force
Cart32 shopping cart allows remote attackers to change admin password
http://xforce.iss.net/static/4351.php
CVE
CAN-2000-0429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0429
Cart32 shopping cart allows remote access to client lists and admin functions (HTTP_Cart32_ClientList)
About this
signature or
vulnerability
This signature detects an access attempt to the cart32.exe CGI program. This access
attempt includes a 'cart32clientlist' parameter.
False positives
RealSecure Network Sensor: This signature does not distinguish between authorized and
unauthorized requests to the cart32.exe CGI program for the Cart32 client list.
RealSecure Server Sensor: This signature does not distinguish between authorized and
unauthorized requests to the cart32.exe CGI program for the Cart32 client list.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2, RealSecure Server Sensor: 6.5
Systems affected
Cart32: 2.6, Cart32: 3.0
Type
Unauthorized Access Attempt
Vulnerability
description
Cart32 is an online shopping cart system developed by McMurtrey/Whitaker &
Associates for the Windows platform. Cart32 could allow a remote attacker to gain
unauthorized access to a list of shopping cart clients, due to a vulnerability in the
cart32.exe CGI component. An attacker could exploit this vulnerability to obtain sensitive
information, including passwords and customer information, such as credit card
numbers.
How to remove this
vulnerability
Apply the patch from the McMurtrey/Whitaker & Associates Web site, as listed in Cart32
Knowledge Base Article: c048. See References.
References
BugTraq Mailing List, Thu Apr 27 2000 21:30:37
Re: Alert: Cart32 secret password backdoor (CISADV000427)
http://www.securityfocus.com/archive/1/57566
Cart32 Knowledge Base Article c048
McMurtrey/Whitaker & Associates, Inc. responds to "backdoor password" reports.
http://www.cart32.com/kbshow.asp?article=c048
@stake, Inc./Cerberus Information Security Advisory CISADV000427
Cart32 secret password Backdoor
http://www.atstake.com/research/advisories/2000/advcart32.html
ISS X-Force
Cart32 shopping cart allows remote access to client lists and admin functions
http://xforce.iss.net/static/4350.php
Cart32 shopping cart allows remote access to server installation details (HTTP_Cart32_Expdate)
About this
signature or
vulnerability
This signature detects an access attempt to the "cart32.exe" CGI program with an
argument of "expdate", which could indicate an attempt by an attacker to retrieve
sensitive information about the server installation.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
Cart32: 2.6, Cart32: 3.0
Type
Suspicious Activity
Vulnerability
description
Cart32 is an online shopping cart system developed by McMurtrey/Whitaker &
Associates. A vulnerability in the cart32.exe CGI executable could allow a remote attacker
to retrieve sensitive information about the server installation, including environment
settings and a list of programs in the CGI-BIN directory. A remote attacker can exploit this
vulnerability by appending the string "/expdate" to a request for the cart32.exe CGI.
How to remove this
vulnerability
No remedy available as of February 2001.
References
BugTraq Mailing List, Tue May 02 2000 08:39:26
Another interesting Cart32 command
http://www.securityfocus.com/archive/1/58160
ISS X-Force
Cart32 shopping cart allows remote access to server installation details
http://xforce.iss.net/static/4398.php
CVE
CVE-2000-0430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0430
Cdomain whois_raw.cgi script allows remote execution of arbitrary commands (HTTP_Cdomain)
About this
signature or
vulnerability
This signature detects a type of HTTP request to a whois_raw.cgi script. This type of
request indicates that an attacker is attempting to execute programs to gain unauthorized
access on your Web server running Cdomain 1.x.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability
description
Cdomain is a commercial CGI package that provides a Web-based gateway to the Whois
service. A vulnerability in the freeware versions of Cdomain prior to 2.5 could allow a
remote attacker to use shell metacharacters (such as &, |, or \) in the domain entry to
execute arbitrary commands on the system with the privileges of the Web server process.
Later versions of CdomainFree, as well as all versions of CdomainPro, are not vulnerable,
because they connect directly to the Whois server. Specifically, this vulnerability affects
whois_raw.cgi in versions 1.x and cdomain.pl in versions 2.0 through 2.4.
How to remove this
vulnerability
Upgrade to the latest version of CdomainFree (2.5 or later), available from the Cdomain
Web site. See References.
References
BugTraq Mailing List, Tue Jun 01 1999 01:34:51
whois_raw.cgi problem
http://www.securityfocus.com/archive/1/14019
Cdomain Web site
Cdomain Home
http://www.cdomain.com/
ISS X-Force
Cdomain whois_raw.cgi script allows remote execution of arbitrary commands
http://xforce.iss.net/static/2251.php
Cisco Aironet Web Configuration in use (HTTP_Cisco_Aironet_Webconfig)
About this
signature or
vulnerability
This signature detects an HTTP POST to "/cgi-bin/cgiSetupNav," which indicates an
attempt to configure a Cisco AiroNet 802.11 Access Point through the Web interface of the
device.
False positives
RealSecure Network Sensor: A false positive is possible for products other than Cisco
Aironet that use the URL "/cgi-bin/cgiSetupNav."
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
Cisco Aironet Access Point
Type
Suspicious Activity
Vulnerability
description
An attempt is being made to configure a Cisco AiroNet 802.11 Access Point through the
Web interface of the device.
How to remove this
vulnerability
Disable Web access to the AiroNet device.
References
Cisco Technology Solutions
Wireless Solutions
http://www.cisco.com/warp/public/779/smbiz/netsolutions/find/wireless.shtml
ISS X-Force
Cisco Aironet Web Configuration in use
http://xforce.iss.net/static/6465.php
Cisco Catalyst allows anonymous user to execute commands (HTTP_Cisco_Catalyst_Exec)
About this
signature or
vulnerability
In order to reduce false positives, this signature can be configured in RealSecure to ignore
particular HTTP GET requests that begin with "/exec/." For example, you may wish to
ignore all HTTP GET requests that begin with "/exec/java," since such a request is less
likely to indicate the actions of an attacker. Use the "Ignore" option in the policy entry for
this signature to configure which, if any, "/exec/" HTTP GET requests should be ignored
by RealSecure.
False positives
RealSecure Network Sensor: A false positive is possible if a directory named "/exec/"
exists on the root of the Web server and is accessed by a browser. However, false positives
can be reduced by using the "Ignore" option in the policy entry for this signature to
configure which, if any, "/exec/" HTTP GET requests should be ignored by RealSecure.
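The matching logic these entries describe, as an added example that is not from this guide or from RealSecure: it parses constructed Common Log Format lines and flags the cachemgr.cgi, Cart32 ChangeAdminPassword, Cisco IOS "/%%" and Cisco Catalyst "/exec/" requests, applying an ignore-prefix list in the manner of the Catalyst signature's "Ignore" option (with "/exec/java" as the configured prefix). Host addresses, timestamps and every path component other than the signature strings themselves are constructed; the /scripts/ directory for c32web.exe is an assumption.

```python
"""Detection logic for four RealSecure HTTP signatures from this guide,
run over constructed Common Log Format lines (added example, not ISS code)."""
import re
from typing import Dict, List, Optional, Sequence, Tuple
from urllib.parse import urlsplit

# One Common Log Format request line; only the method and URI matter here.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Sample log lines, constructed for this example. Hosts, times and the
# /scripts/ and /exec/java/menu.class paths are assumptions, not from the guide.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2001:10:00:01 -0500] "GET /exec/ HTTP/1.0" 200 1532',
    '10.0.0.5 - - [10/Feb/2001:10:00:07 -0500] "GET /exec/java/menu.class HTTP/1.0" 200 8821',
    '10.0.0.9 - - [10/Feb/2001:10:01:12 -0500] "GET /%% HTTP/1.0" 500 -',
    '10.0.0.9 - - [10/Feb/2001:10:02:03 -0500] "GET /scripts/c32web.exe?ChangeAdminPassword HTTP/1.0" 200 214',
    '10.0.0.12 - - [10/Feb/2001:10:02:40 -0500] "GET /cgi-bin/cachemgr.cgi HTTP/1.0" 200 3310',
    '10.0.0.11 - - [10/Feb/2001:10:03:00 -0500] "GET /index.html HTTP/1.0" 200 4021',
]


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_signatures(method: str, uri: str,
                     ignore_prefixes: Sequence[str] = ()) -> List[str]:
    """Return the names of the signatures a single request matches.

    ignore_prefixes plays the role of the Catalyst signature's "Ignore" option:
    a GET whose path begins with one of these prefixes is not reported as
    HTTP_Cisco_Catalyst_Exec, which suppresses known-legitimate /exec/ paths.
    """
    hits: List[str] = []
    # urlsplit does not decode %-escapes, so "/%%" survives intact in .path.
    path = urlsplit(uri).path.lower()
    if method == "GET" and "/%%" in uri:
        hits.append("HTTP_Cisco_IOS_DoS")
    if method == "GET" and path.startswith("/exec/"):
        if not any(path.startswith(p.lower()) for p in ignore_prefixes):
            hits.append("HTTP_Cisco_Catalyst_Exec")
    # The guide describes the Cart32 check as a c32web.exe request carrying a
    # ChangeAdminPassword parameter; authorized and unauthorized use look alike.
    if "c32web.exe" in path and "changeadminpassword" in uri.lower():
        hits.append("HTTP_Cart32_ChangeAdminPassword")
    if method == "GET" and path.endswith("/cgi-bin/cachemgr.cgi"):
        hits.append("HTTP_Cachemgr")
    return hits


def scan_log(lines: Sequence[str],
             ignore_prefixes: Sequence[str] = ("/exec/java",)
             ) -> List[Tuple[str, str, List[str]]]:
    """Run every parseable line through the signatures; return (host, uri, hits)."""
    events = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        hits = match_signatures(rec["method"], rec["uri"], ignore_prefixes)
        if hits:
            events.append((rec["host"], rec["uri"], hits))
    return events


if __name__ == "__main__":
    for host, uri, hits in scan_log(SAMPLE_LOG):
        print(f"{host:<12} {uri:<45} {', '.join(hits)}")
```

With the default ignore list the /exec/java request is silent; pass `ignore_prefixes=()` to see it reported as well, which is the false positive the entry warns about.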
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
Cisco Catalyst: 3500 XL
Type
Unauthorized Access Attempt
Vulnerability
description
A vulnerability in the Web-based configuration interface of Cisco Catalyst 3500 XL series
switches could allow a remote attacker to execute arbitrary commands. By requesting the
/exec directory, a remote attacker can bypass authentication and execute arbitrary
commands on the device. An attacker can use this vulnerability to view the configuration
file and obtain user passwords.
How to remove this
vulnerability
No remedy available as of February 2001.
As a workaround, disable the Web configuration interface.
References
BugTraq Mailing List, Thu Oct 26 2000 10:51:55
Advisory def-2000-02: Cisco Catalyst remote command execution
http://www.securityfocus.com/archive/1/141471
BugTraq Mailing List, Mon Nov 13 2000 19:35:08
Re: 3500XL
http://www.securityfocus.com/archive/1/144655
ISS X-Force
Cisco Catalyst allows anonymous user to execute commands
http://xforce.iss.net/static/5415.php
CVE
CVE-2000-0945
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0945
Cisco IOS routers denial of service caused by HTTP commands (HTTP_Cisco_IOS_DoS)
About this
signature or
vulnerability
This signature detects an HTTP GET request containing the string "/%%". A specially
formatted HTTP GET request containing this string can crash some versions of the IOS
HTTP server.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
Cisco IOS
Type
Denial of Service
Vulnerability
description
The Cisco IOS operating system found on many Cisco routers is vulnerable to a denial of
service attack if the HTTP server is enabled. By sending a specially-crafted URL to the
router (in the form of http://<router_ip>/%%), a remote attacker can crash the router.
This attack will cause the router to restart and could also require that the router be
manually powered down and restarted.
How to remove this
vulnerability
Install the appropriate patch or disable the HTTP server on the router, as listed in Cisco
Systems Field Notice, May 14, 2000. See References.
References
BugTraq Mailing List, Wed Apr 26 2000 05:24:07
Cisco HTTP possible bug
http://www.securityfocus.com/archive/1/57363
Cisco Systems Field Notice, May 14, 2000
Cisco IOS HTTP Server Vulnerability
http://www.cisco.com/warp/public/707/ioshttpserver-pub.shtml
CERT Vulnerability Note VU#24346
Cisco IOS software vulnerable to DoS via HTTP request containing "%%"
http://www.kb.cert.org/vuls/id/24346
ISS X-Force
Cisco IOS routers denial of service caused by HTTP commands
http://xforce.iss.net/static/4357.php
CVE
CVE-2000-0380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0380
Cisco IOS query denial of service (HTTP_Cisco_IOS_Query_DoS)
About this
signature or
vulnerability
This signature detects an HTTP request for "/cgi-bin/view-source?/", which could
indicate an attempt by an attacker to crash the Cisco router.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
Cisco IOS
Type
Denial of Service
Vulnerability
description
Cisco IOS versions 12.0 through 12.1 are vulnerable to a denial of service attack when the
HTTP service is enabled. By requesting a URL containing any text followed by "?/" and
supplying the enable password, a remote attacker can cause a Cisco router or switch to
enter an infinite loop. After two minutes, the router crashes and automatically restarts. If
the router fails to properly restart, the device must be manually restarted to regain
functionality.
How to remove this
vulnerability
Upgrade to the latest version of Cisco IOS appropriate for your system, as listed in Cisco
Systems Field Notice, October 25, 2000. See References.
References
Cisco Systems Field Notice, October 25, 2000
Cisco IOS HTTP Server Query Vulnerability
http://www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml
CORE SDI S.A. Security Advisory CORE-20002510
Vulnerability Report For Cisco IOS Web Administration DoS
http://www.core-sdi.com/advisories/cisco_ios_web_adm.htm
CERT Vulnerability Note VU#683677
Cisco IOS software vulnerable to DoS via HTTP request containing "?/"
http://www.kb.cert.org/vuls/id/683677
CIAC Information Bulletin L-012
Cisco IOS HTTP Server Query Vulnerability
http://www.ciac.org/ciac/bulletins/l-012.shtml
ISS X-Force
Cisco IOS query denial of service
http://xforce.iss.net/static/5412.php
CVE
CAN-2000-0984
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0984
Classifieds.cgi script allows a remote attacker to read arbitrary files off servers (HTTP_Classifieds_Post)
About this
signature or
vulnerability
This signature detects HTTP POSTs to 'cgi-bin/classifieds.cgi.'
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability
description
Classifieds is a free CGI script for handling classified ads on Web pages. A vulnerability in
the classifieds.cgi script allows a remote attacker to specify an email address that will mail
arbitrary files off the system to the attacker's address. This could allow an attacker to steal
files from the target system.
How to remove this
vulnerability
Disable the classifieds.cgi script in your CGI-BIN directory until a patch, upgrade, or
version that corrects this issue becomes available.
References
The Most Comprehensive List of CGI & httpd Bugs
Classifieds (classifieds.cgi)
http://secinf.net/info/www/cgi-bugs.htm
notts.net Web site
Classifieds.cgi - by Greg Mathews
http://www.cgi.notts.net/rs/gmathews/classifieds.html
ISS X-Force
Classifieds.cgi script allows a remote attacker to read arbitrary files off servers
http://xforce.iss.net/static/3102.php
CVE
CVE-1999-0934
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0934
ColdFusion Expression Evaluator allows remote file manipulation (HTTP_Cold_Fusion)
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 3.1, RealSecure Server Sensor: 5.5
Systems affected
ColdFusion
Type
Unauthorized Access Attempt
Vulnerability
description
Many versions of ColdFusion ship with sample scripts and programs used for
demonstration purposes. The Expression Evaluator (shipped with ColdFusion 4.0 and
earlier) is one such sample program and is used to demonstrate the expression evaluation
features of ColdFusion. A vulnerability in the Expression Evaluator could allow a remote
attacker to view, delete, or upload (create) arbitrary files on the server. Normally, the
Expression Evaluator program is accessible only from the localhost computer (127.0.0.1),
but when accessed directly it allows connections from any host.
How to remove this
vulnerability
Apply the Cold Fusion 4.0.1 Update, as listed in Allaire Security Bulletin ASB99-01. See
References.
— OR —
Apply the appropriate ColdFusion Expression Evaluator Security Patch for your system,
as listed in Allaire Security Bulletin ASB99-01. See References.
— OR —
If you do not wish to apply the 4.0.1 Update or the Cold Fusion Evaluator Security Patch,
remove the Cold Fusion Expression Evaluator (evaluate.cfm) from //CFDOCS/expeval.
— AND —
Allaire recommends removing all sample code, example applications, tutorials and
documentation from production servers. As a rule, sample code and example applications
should not be installed on production servers.
References
Allaire Security Bulletin ASB99-01
Expression Evaluator Security Issues
http://www.allaire.com/handlers/index.cfm?ID=8727
@stake, Inc./L0pht Security Advisory 04/20/99
Cold Fusion Application Server
http://www.atstake.com/research/advisories/1999/cfusion.txt
Phrack Magazine, Volume 8, Issue 54, File 08 of 12
NT Web Technology Vulnerabilities
http://packetstorm.securify.com/mag/phrack/phrack54/P54-08
Allaire Corporation Web site
ColdFusion 4.0.1 Update
http://www.allaire.com/handlers/index.cfm?ID=10712
ISS X-Force
ColdFusion Expression Evaluator allows remote file manipulation
http://xforce.iss.net/static/1740.php
ColdFusion Web administration feature can be used to stop the CF server (HTTP_ColdFusion_Admin)
About this
signature or
vulnerability
This signature detects HTTP GET requests for the ColdFusion Administrator
startstop.html file located in the cfide/administrator directory.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.1
Systems affected
Windows NT, ColdFusion: 4.x
Type
Denial of Service
Vulnerability
description
The ColdFusion Administrator includes a utility for starting and stopping the ColdFusion
service from a Web browser. Due to a problem that exists in this feature when Advanced
Security is enabled, any remote user could stop the ColdFusion server.
How to remove this
vulnerability
This issue was resolved in ColdFusion version 4.5.2. Download and install version 4.5.2
from Allaire's ColdFusion download page. See References.
As a temporary solution, remove the startstop.html page from the CFIDE/Administrator
directory under the server's document root. If this functionality is required, traditional
Web server access controls can be placed on this file to restrict access to authorized users.
References
Allaire Security Bulletin ASB99-07
Solution Available for Denial-of-Service Attack Using CF Admin. Start/Stop Utility
http://www.allaire.com/handlers/index.cfm?ID=10968
Allaire Corporation Web site
ColdFusion Downloads page
http://www.allaire.com/products/coldfusion/index.cfm
ISS X-Force
ColdFusion Web administration feature can be used to stop the CF server
http://xforce.iss.net/static/2207.php
CVE
CVE-1999-0756
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0756
ColdFusion CFCACHE tag could expose temporary files with sensitive information (HTTP_ColdFusion_Cfcache)
About this
signature or
vulnerability
This signature detects an HTTP GET request for the cfcache.map file, which could indicate
an attacker's attempt to retrieve temporary files containing potentially sensitive
information.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: SR 1.1, RealSecure Server Sensor: 6.5
Systems affected
ColdFusion: 4.0, ColdFusion: 4.0.1
Type
Unauthorized Access Attempt
Vulnerability
description
ColdFusion 4.x uses a CFCACHE tag, which aids rapid page delivery by intelligently
compiling CFM pages and caching them. A vulnerability in this feature could allow a
remote attacker to retrieve temporary files containing potentially sensitive information.
How to remove this
vulnerability
Upgrade to ColdFusion version 4.5.
— OR —
For ColdFusion 4.0x, apply the CFCACHE.CFM patch, as listed in Allaire Security
Bulletin ASB00-03. See References.
References
Allaire Security Bulletin ASB00-03
Patch Available For Potential Information Exposure By The CFCACHE Tag
http://www.allaire.com/handlers/index.cfm?ID=13978
ISS X-Force
ColdFusion CFCACHE tag could expose temporary files with sensitive information
http://xforce.iss.net/static/3862.php
CVE
CVE-2000-0057
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0057
ColdFusion email example script can be used to view arbitrary files (HTTP_ColdFusion_Email_ExampleApp)
About this
signature or
vulnerability
This signature detects an HTTP GET request for "CFDOCS/exampleapps/email/
login.cfm". This could indicate an attacker's attempt to bypass access restrictions in order
to view files on the Web server.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.2
Systems affected
ColdFusion: 4.5
Type
Unauthorized Access Attempt
Vulnerability
description
Macromedia ColdFusion version 4.5 ships with several sample programs and scripts used
for demonstration purposes. These programs and scripts are accessible only through the
local host. A vulnerability in the email example script could allow a remote attacker to
bypass access restrictions and view arbitrary files on the server. The attacker could bypass
access restrictions by sending an HTTP request with a spoofed Host variable in the HTTP
header. Once a successful login has occurred, the attacker can send a specially-crafted
URL to view any file on the Web server.
How to remove this
vulnerability
Macromedia does not intend to release a patch for this vulnerability.
As a workaround, do not install example applications or documentation on production
ColdFusion servers. Example applications are stored in the /CFDOCS/exampleapps
directory. As a rule, sample code and example applications should not be installed on
production servers.
— OR —
Upgrade to the latest version of Macromedia ColdFusion (5.0 or later), available from the
Macromedia Web site. See References.
References
Internet Security Systems Security Alert #92
Remote Vulnerabilities in Macromedia ColdFusion Example Applications
http://xforce.iss.net/alerts/advise92.php
Macromedia Security Bulletin (MPSB01-08)
Best practice recommended to address new security issue in example applications
released with ColdFusion Server versions 4.x and earlier.
http://www.allaire.com/Handlers/index.cfm?ID=21700
Macromedia Web site
Macromedia ColdFusion
http://www.macromedia.com/software/coldfusion/downloads/
ISS X-Force
ColdFusion email example script can be used to view arbitrary files
http://xforce.iss.net/static/6791.php
CVE
CAN-2001-0535
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0535
ColdFusion sample program can be used to confirm existence of arbitrary files (HTTP_ColdFusion_FileExists)
About this
signature or
vulnerability
This signature detects HTTP GET requests for the Allaire server's fileexists.cfm page or
Allaire code samples on the server.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.3
Systems affected
ColdFusion
Type
Suspicious Activity
Vulnerability
description
ColdFusion Server 4.0 ships with several sample applications. A remote attacker could
access one of these sample programs, fileexists.cfm, to remotely confirm the existence of
arbitrary files on the server. This information could be useful to an attacker in performing
additional attacks.
How to remove this
vulnerability
Apply the Cold Fusion 4.0.1 Update, as listed in Allaire Security Bulletin ASB99-02. See
References.
— AND —
Remove the fileexists.cfm program and all sample applications and code from all
production servers.
References
Allaire Security Bulletin ASB99-02
ColdFusion 4.0 Example Applications and Sample Code Exposes Servers
http://www.allaire.com/handlers/index.cfm?ID=8739
Allaire Corporation Web site
ColdFusion 4.0.1 Update
http://www.allaire.com/handlers/index.cfm?ID=10712
ISS X-Force
ColdFusion sample program can be used to confirm existence of arbitrary files
http://xforce.iss.net/static/1743.php
CVE
CAN-1999-0923
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0923
ColdFusion sample program can allow remote users to read any file (HTTP_ColdFusion_SourceWindow)
About this
signature or
vulnerability
This signature detects HTTP GET requests for the "sourcewindow.cfm" sample file, which
could indicate an attempt by an attacker to read arbitrary files from the Web server.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.1
Systems affected
ColdFusion
Type
Unauthorized Access Attempt
Vulnerability
description
The ColdFusion sample program sourcewindow.cfm contains a vulnerability that could
allow remote attackers to read any file on the system.
How to remove this
vulnerability
Install the Cold Fusion 4.0.1 Update, available from the Allaire Web site. See References.
It is recommended that the sourcewindow.cfm program be removed from all production
servers.
References
Allaire Security Bulletin ASB99-02
ColdFusion 4.0 Example Applications and Sample Code Exposes Servers
http://www.allaire.com/handlers/index.cfm?ID=8739
Allaire Corporation Web site
ColdFusion 4.0.1 Update
http://www.allaire.com/handlers/index.cfm?ID=10712
ISS X-Force
ColdFusion sample program can allow remote users to read any file
http://xforce.iss.net/static/1744.php
CVE
CAN-1999-0923
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0923
ColdFusion syntax checker could consume all processor resources (HTTP_ColdFusion_SyntaxChecker_DOS)
About this
signature or
vulnerability
This signature detects HTTP GET requests for the "cfmlsyntaxchecker.cfm" sample file,
which could indicate an attempt by an attacker to cause a denial of service attack on the
Web server.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 2.1
Systems affected
ColdFusion
Type
Denial of Service
Vulnerability description
The Syntax Checker is a program shipped with ColdFusion. Its purpose is to test CFML
(ColdFusion Markup Language) code for compatibility with ColdFusion version 4.0. A
vulnerability in the Syntax Checker program could allow a remote attacker to cause the
system to consume all available processor resources.
How to remove this vulnerability
Install the Cold Fusion 4.0.1 Update from the Allaire Web site. See References.
It is recommended that users remove the cfmlsyntaxcheck.cfm program from all
production servers.
References
Allaire Security Bulletin ASB99-02
ColdFusion 4.0 Example Applications and Sample Code Exposes Servers
http://www.allaire.com/handlers/index.cfm?ID=8739
Allaire Corporation Web site
ColdFusion 4.0.1 Update
http://www.allaire.com/handlers/index.cfm?ID=10712
ISS X-Force
ColdFusion syntax checker could consume all processor resources
http://xforce.iss.net/static/1742.php
CVE
CAN-1999-0923
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0923
ColdFusion sample can reveal source to any CFM file (HTTP_ColdFusion_ViewExample)
About this signature or vulnerability
This signature detects HTTP GET requests for the "viewexample.cfm" sample page, which
could indicate an attempt by an attacker to retrieve CFM source code from the server.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 2.1
Systems affected
ColdFusion
Type
Unauthorized Access Attempt
Vulnerability description
ColdFusion 4.0 ships with many sample applications and scripts that are installed by
default. A vulnerability in the viewexample.cfm program could allow a remote user to
view the source of any CFM file on the server. This could allow an attacker to gain
proprietary information, such as usernames and passwords, contained in the source code.
How to remove this vulnerability
Install the Cold Fusion 4.0.1 Update from the Allaire Web site. See References.
— AND —
Remove all samples, including viewexample.cfm, from production Web servers, as
recommended in Allaire Security Bulletin (ASB99-02). See References.
References
Allaire Security Bulletin ASB99-02
ColdFusion 4.0 Example Applications and Sample Code Exposes Servers
http://www.allaire.com/handlers/index.cfm?ID=8739
Allaire Corporation Web site
ColdFusion 4.0.1 Update
http://www.allaire.com/handlers/index.cfm?ID=10712
ISS X-Force
ColdFusion sample can reveal source to any CFM file
http://xforce.iss.net/static/1741.php
CVE
CAN-1999-0923
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0923
ColdFusion Web publish example script can be used to upload and execute files (HTTP_ColdFusion_WebPublish_ExampleApp)
About this signature or vulnerability
This signature detects an HTTP GET request for "cfdocs/exampleapps/publish/admin/index.cfm".
This could indicate an attacker's attempt to bypass access restrictions in order to upload
malicious files to the Web server.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: XPU 3.2
Systems affected
ColdFusion: 4.5
Type
Suspicious Activity
Vulnerability description
Macromedia ColdFusion version 4.5 ships with several sample applications and scripts
used for demonstration purposes. These programs and scripts are accessible only through
the local host. A vulnerability in the Web publish example script could allow a remote
attacker to bypass access restrictions and upload files to the Web server. The attacker
could bypass access restrictions by sending an HTTP request with a spoofed Host variable
in the HTTP header. An attacker could use this vulnerability to upload and execute
malicious files on an affected Web server.
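The access-restriction bypass described above, as an added example that is not Allaire or Macromedia code: a "local host only" check that trusts the client-supplied Host header (the flaw) beside one that uses the connection's peer address, which a remote client cannot choose. All requests, addresses and function names below are constructed for illustration.

```python
"""Weak vs. hardened "local host only" check for an example application.

Added example, not Allaire/Macromedia code.  The flaw described above is that
the sample application judged a request to be local from the client-supplied
Host header, which any remote client can set to "localhost".  The hardened
check uses the TCP peer address reported by the server instead, which the
client cannot choose.  All requests and addresses below are constructed.
"""
import ipaddress
from typing import Dict, Mapping, Tuple

LOCAL_HOST_NAMES = {"localhost", "127.0.0.1", "::1"}


def weak_is_local(headers: Mapping[str, str]) -> bool:
    """Flawed check: trusts the Host header (with any :port stripped).

    The client controls this header, so a remote attacker can satisfy it.
    """
    host = headers.get("Host", "").strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal
        host = host[1:host.find("]")]
    else:
        host = host.split(":")[0]
    return host in LOCAL_HOST_NAMES


def strong_is_local(peer_ip: str) -> bool:
    """Hardened check: decide from the socket peer address, never from headers."""
    try:
        return ipaddress.ip_address(peer_ip).is_loopback
    except ValueError:               # malformed address: fail closed
        return False


def authorize_admin(peer_ip: str, headers: Mapping[str, str], hardened: bool) -> bool:
    """Gate for the admin/upload page; returns True if the request is allowed."""
    return strong_is_local(peer_ip) if hardened else weak_is_local(headers)


# Constructed requests: a genuine local administrator, and a remote client
# that spoofs the Host header to look local.
REQUESTS: Dict[str, Tuple[str, Dict[str, str]]] = {
    "local admin": ("127.0.0.1", {"Host": "localhost"}),
    "spoofed remote": ("203.0.113.10", {"Host": "localhost"}),
}


def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """For each request: (allowed by weak check, allowed by hardened check)."""
    return {
        name: (authorize_admin(ip, hdrs, False), authorize_admin(ip, hdrs, True))
        for name, (ip, hdrs) in REQUESTS.items()
    }


if __name__ == "__main__":
    for name, (weak, strong) in evaluate().items():
        print(f"{name:15} Host-header check: {weak}  peer-address check: {strong}")
```

The spoofed request passes the header-based check and fails the peer-address check, which is the whole difference between the two.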
How to remove this vulnerability
Macromedia does not intend to release a patch for this vulnerability.
As a workaround, do not install example applications or documentation on production
ColdFusion servers. Example applications are stored in the /CFDOCS/exampleapps
directory. As a rule, sample code and example applications should not be installed on
production servers.
— OR —
Upgrade to the latest version of Macromedia ColdFusion (5.0 or later), available from the
Macromedia Web site. See References.
References
Internet Security Systems Security Alert #92
Remote Vulnerabilities in Macromedia ColdFusion Example Applications
http://xforce.iss.net/alerts/advise92.php
Macromedia Security Bulletin (MPSB01-08)
Best practice recommended to address new security issue in example applications
released with ColdFusion Server versions 4.x and earlier.
http://www.allaire.com/Handlers/index.cfm?ID=21700
Macromedia Web site
Macromedia ColdFusion
http://www.macromedia.com/software/coldfusion/downloads/
ISS X-Force
ColdFusion Web publish example script can be used to upload and execute files
http://xforce.iss.net/static/6790.php
CVE
CAN-2001-0535
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0535
Cookies passed to Web browser (HTTP_Cookie)
About this signature or vulnerability
This signature detects a Web client passing a cookie to a server, indicating the Web client
has already accepted a cookie and is passing it back to the server.
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: 2.0, RealSecure Server Sensor: 5.5
Systems affected
HTTP
Type
Protocol Signature
Vulnerability description
A cookie is an identifier that is passed from a Web server to a Web browser. If the Web
browser accepts the cookie, then subsequent accesses to the Web server will transmit the
cookie along with the URL being requested, allowing the Web server to maintain state
information about a user or session.
Cookies provide client-based persistent state information. This information may allow a
Web server to obtain information about where and what a Web client is doing, and is a
privacy concern to some people.
How to remove this vulnerability
Some organizations have policies that prevent cookies from being used, to protect the
organization from possible cookie snooping by Web servers.
References
CIAC Information Bulletin I-034
Internet Cookies
http://www.ciac.org/ciac/bulletins/i-034.shtml
ISS X-Force
Cookies passed to Web browser
http://xforce.iss.net/static/683.php
Count.cgi allows remote users to view arbitrary GIF files (HTTP_Count)
About this signature or vulnerability
This signature detects a specially-crafted HTTP GET request for the Count.cgi program.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 2.0, RealSecure Server Sensor: 5.5
Systems affected
count.cgi: 2.3, Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability description
Count.cgi is a popular CGI program by Muhammad Muquit that displays the number of
raw hits on Web pages as an in-line image. A vulnerability in the Count.cgi program
could allow a remote attacker to view any GIF file on the server by submitting a specially
crafted URL to the Count.cgi program. This vulnerability permits an attacker to view GIF
files within or outside the server's root directory.
How to remove this vulnerability
Remove the count.cgi program from the cgi-bin directory.
— OR —
Upgrade to the latest version of count.cgi (2.4 or later), available from the Count Web site.
See References.
References
Muhammad A Muquit Web site
WWW Homepage Access Counter
http://muquit.com/muquit/software/Count/Count.html
BugTraq Mailing List, Fri Oct 10 1997 14:42:37
Security flaw in Count.cgi (wwwcount)
http://www.securityfocus.com/archive/1/7762
CERT Advisory CA-1997-24
Buffer Overrun Vulnerability in Count.cgi cgi-bin Program
http://www.cert.org/advisories/CA-1997-24.html
AUSCERT Advisory AA-97.27
Buffer Overrun Vulnerability in Count.cgi cgi-bin Program
http://www.auscert.org/Information/Advisories/aus_1997.html
CERT Vendor-Initiated Bulletin VB-97.02
Security Hole in Guestbook Script for Web Servers Using SSI
http://www.cert.org/vendor_bulletins/VB-97.02.sol_guestbook
CIAC Information Bulletin I-013
Count.cgi Buffer Overrun Vulnerability
http://www.ciac.org/ciac/bulletins/i-013.shtml
ISS X-Force
Count.cgi allows remote users to view arbitrary GIF files
http://xforce.iss.net/static/586.php
CVE
CVE-1999-0021
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0021
Dansie shopping cart backdoor allows attacker to execute arbitrary commands (HTTP_Dansie_Backdoor)
About this signature or vulnerability
This signature detects HTTP POST data that could be used to exploit a backdoor in the
cart.pl application in some versions of the Dansie Shopping Cart. The form element and
attempted command will be displayed in the DATA information field. This extra
information may be in "www-form-urlencoded" format, meaning that spaces are replaced
with '+' characters and other non-alphanumerics are represented as hexadecimal escape
sequences (e.g., "%2F" instead of '/').
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
Dansie Shopping Cart
Type
Unauthorized Access Attempt
Vulnerability description
Dansie Shopping Cart is a Web-based Perl shopping cart system. Dansie Shopping Cart
version 3.0.4 contains a backdoor in the cart.pl (Perl) application, which could allow a
remote attacker to execute arbitrary commands on the Web server. The backdoor is a form
element consisting of a random nine-digit string of letters and numbers.
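An added decoder (not ISS or Dansie code) for reading the DATA field of this event: it reverses the www-form-urlencoded rules described above and flags form-element names with the nine-character letters-and-digits shape the description gives for the backdoor element. The sample POST body and the element name in it are constructed.

```python
"""Decode the www-form-urlencoded DATA field of an HTTP_Dansie_Backdoor event.

Added example, not ISS or Dansie code.  The sensor records the POST body as
the client sent it, so spaces appear as '+' and other non-alphanumerics as
%XX escapes.  This decoder reverses those rules so an analyst can read the
form element names and values, and it flags element names with the shape the
description gives for the backdoor element: nine letters and digits.  The
sample body and the element name in it are constructed.
"""
import re
from typing import Dict, List, Tuple

_HEX2 = re.compile(r"[0-9A-Fa-f]{2}")
_NINE_ALNUM = re.compile(r"^[A-Za-z0-9]{9}$")


def decode_component(s: str) -> str:
    """Reverse www-form-urlencoded escaping for one name or value.

    '+' becomes a space and a well-formed %XX becomes the byte it names.
    A malformed escape ('%G1', a trailing '%') is kept literally instead of
    raising, so a hostile body never breaks the decoder; bytes are assembled
    first so multi-byte UTF-8 escapes decode correctly.
    """
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c == "+":
            out.append(0x20)
            i += 1
        elif c == "%" and _HEX2.fullmatch(s[i + 1:i + 3]):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(c.encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def parse_form(body: str) -> List[Tuple[str, str]]:
    """Split a POST body into (name, value) pairs, keeping order and blanks."""
    pairs = []
    for chunk in body.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((decode_component(name), decode_component(value)))
    return pairs


def suspect_elements(pairs: List[Tuple[str, str]]) -> List[str]:
    """Names of form elements with the nine-alphanumeric backdoor shape."""
    return [name for name, _ in pairs if _NINE_ALNUM.match(name)]


def summarize(body: str) -> Dict[str, object]:
    """What an analyst wants from the DATA field: decoded fields and suspects."""
    pairs = parse_form(body)
    return {"fields": pairs, "suspect": suspect_elements(pairs)}


# Constructed DATA field: ordinary cart fields plus an invented nine-character
# element carrying a command, as the description says the backdoor would.
SAMPLE_DATA = "item=Blue+Widget&qty=2&Ab3xY9qZ2=ls+-l+%2Ftmp"

if __name__ == "__main__":
    result = summarize(SAMPLE_DATA)
    for name, value in result["fields"]:
        print(f"{name!r} = {value!r}")
    print("suspect element names:", result["suspect"])
```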
How to remove this vulnerability
No remedy available as of February 2001.
References
BugTraq Mailing List, Tue Apr 11 2000 02:24:06
Back Door in Commercial Shopping Cart
http://www.securityfocus.com/archive/1/54851
ISS X-Force
Dansie shopping cart backdoor allows attacker to execute arbitrary commands
http://xforce.iss.net/static/4975.php
CVE
CVE-2000-0252
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0252
Dansie Shopping Cart contains hidden email routine (HTTP_Dansie_Cart)
About this signature or vulnerability
This signature detects HTTP GET requests (containing the string "usmbu7777") for the
Dansie Shopping Cart files cart.cgi or cart.pl.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 2.1
Systems affected
Dansie Shopping Cart
Type
Unauthorized Access Attempt
Vulnerability description
Dansie Shopping Cart is a CGI shopping cart program written in Perl. An email routine
hidden in the source code sends an email to tech@dansie.net containing the Web address
of the script and the IP address and server name of the host.
How to remove this vulnerability
No remedy available as of January, 2001.
References
InternetNews article
Shopping Cart Program Leaves Back Door Open
http://www.internetnews.com/ec-news/article/0,,4_340591,00.html
InfoSec News article, "Back Door Mania"
[ISN] Close The Door
http://www.landfield.com/isn/mail-archive/2000/Aug/0062.html
Craig Dansie Web site
Dansie Shopping Cart
http://www.dansie.net/cart.html
Safe Networks Web site
Danise Shopping Cart
http://www.safenetworks.com/Others/scart2.html
ISS X-Force
Dansie Shopping Cart contains hidden email routine
http://xforce.iss.net/static/4265.php
Dansie shopping cart allows retrieval of sensitive configuration information (HTTP_Dansie_Infoleak)
About this signature or vulnerability
This signature detects an HTTP GET request to the cart.cgi or cart.pl object. The HTTP
GET request contains "db", "env", or "vars" in the query. This HTTP GET request is most
likely an attempt by an attacker to obtain configuration information about the Dansie
Shopping Cart installation.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
Dansie Shopping Cart
Type
Unauthorized Access Attempt
Vulnerability description
Dansie Shopping Cart is a Web-based Perl shopping cart system. The cart.pl (Perl)
application in Dansie Shopping Cart 3.0.4 handles form variables insecurely. By adding
form variables, such as vars, env, or db to a URL, a remote attacker can obtain database or
configuration information to modify the shopping cart contents.
How to remove this vulnerability
No remedy available as of February 2001.
As a workaround, set the "personal option #66" to "HTTP_REFERER". This workaround
only limits risk, and does not remove the vulnerability. An attacker can spoof the
HTTP_REFERER field to bypass this workaround.
References
BugTraq Mailing List, Fri Apr 14 2000 00:41:33
Re: more problems with that POS dansie cart software!
http://www.securityfocus.com/archive/1/55550
ISS X-Force
Dansie shopping cart allows retrieval of sensitive configuration information
http://xforce.iss.net/static/4954.php
CVE
CVE-2000-0254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0254
HTTP "dot dot" sequences (HTTP_DotDot)
About this signature or vulnerability
This signature detects Web requests containing "dot dot" sequences.
Additional Vulnerabilities Found
■ http-alibaba-dotdot
■ ftgate-fileread
■ http-powerdynamo-dotdotslash
■ http-teamtrack-file-read
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
NCSA Servers: Old Versions
Type
Unauthorized Access Attempt
Vulnerability description
An attacker can traverse directories on the Web server by using "dot dot" (/../) sequences
in URLs, allowing the attacker to read any file on the target HTTP server that is
world-readable or readable by the ID of the HTTP process. For example, a URL of the form
(http://www.domain.com/..\..) allows anyone to browse and download files outside of
the Web server content root directory. URLs such as
(http://www.domain.com/scripts..\..\script-name) could allow an attacker to execute the
target script. An attacker can use a listing of this directory as additional information for
planning a structured attack, or could download files elsewhere in the file system.
How to remove this vulnerability
Check with the vendor and documentation of your Web server software for information
on configuring your server to remove this vulnerability.
— OR —
Upgrade to the latest version of your Web server software. Contact your vendor for more
information.
References
ISS X-Force
HTTP "dot dot" sequences
http://xforce.iss.net/static/106.php
Dragon Fire IDS allows remote command execution through dfire.cgi script (HTTP_DragonFire)
About this signature or vulnerability
This signature detects an HTTP GET request for the Dragonfire CGI script file dfire.cgi
with a pipe "|" character in one of its arguments.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 1.3, RealSecure Server Sensor: 5.5.2
Systems affected
Dragon Fire IDS: 3.1
Type
Unauthorized Access Attempt
Vulnerability description
The CGI script dfire.cgi, which is used by Dragon Fire Remote Web Interface version 1.0,
could allow a remote attacker to use shell metacharacters to execute arbitrary commands
and possibly compromise the system running Dragon Fire.
How to remove this vulnerability
No remedy available as of July 2000.
As a workaround, apply the following patch:
1. Using vi, open the dfire.cgi file.
2. Go to line 215, which should look similar to the following:
   $command = $command . '-f ' . $db . $input{'database'} . '/dragon.db';
3. Below this line, add the following two lines, which replace every character of
   $command outside the allowed set with a space:
   $AOK = '-a-zA-Z0-9_.+:/';
   $command =~ s/[^$AOK]/ /go;
Dragon Fire should continue to function correctly. Confirm this by submitting a query.
References
BugTraq Mailing List, Wed Aug 04 1999 13:32:20
NSW Dragon Fire gets drowned
http://www.securityfocus.com/archive/1/23247
ISS X-Force
Dragon Fire IDS allows remote command execution through dfire.cgi script
http://xforce.iss.net/static/3834.php
CVE
CAN-1999-0913
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0913
ECWare IIS CGI program denial of service (HTTP_ECware_DoS)
About this signature or vulnerability
This signature detects an empty HTTP GET request to ecware.exe, which can cause your
IIS server to hang and stop accepting other HTTP GET requests.
False negatives
RealSecure Network Sensor: The ECWare executable is vulnerable to other HTTP GET
requests. This RealSecure signature checks for an HTTP GET request to ecware.exe that
contains no data. HTTP GET requests with bad data can also cause the IIS server to hang.
This signature will not detect those requests.
RealSecure Server Sensor: The ECWare executable is vulnerable to other HTTP GET
requests. This RealSecure signature checks for an HTTP GET request to ecware.exe that
contains no data. HTTP GET requests with bad data can also cause the IIS server to hang.
This signature will not detect those requests.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 5.0, RealSecure Server Sensor: 5.5.2
Systems affected
ECware Pro, ECmerchant2000 Pro
Type
Denial of Service
Vulnerability description
ECware Pro 4.0, ECmerchant 2000 beta 3, and possibly other versions are vulnerable to a
denial of service when used in conjunction with Microsoft Internet Information Server
(IIS) 4. The ECware.exe CGI program does not exit properly when certain errors occur. If
enough requests are made to ECware.exe, IIS stops responding to HTTP requests and fails
to spawn additional ECware.exe processes when the CGI is called. IIS resumes
functionality if the Web server is stopped and restarted. However, some ECware.exe
processes may continue to run and consume memory on the system until the computer is
rebooted. Other versions of ECware Pro and ECmerchant 2000 may also be vulnerable.
How to remove this vulnerability
Upgrade to ECmerchant 5.1 or later, available from the ECware Web site. See References.
If your ECware or ECmerchant package is vulnerable, and you are victim to this attack,
you can restart IIS by issuing the following commands:
net stop w3svc
net start w3svc
References
ECware Web site
ECware Corporation
http://www.ecware.com
ISS X-Force
ECWare IIS CGI program denial of service
http://xforce.iss.net/static/4194.php
EZMall 2000 shopping cart misconfiguration exposes the order log (HTTP_EZMall2000)
About this signature or vulnerability
This signature detects an HTTP GET request for the EZ Mall 2000 order log file.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 1.3, RealSecure Server Sensor: 5.5.2
Systems affected
EZMall 2000
Type
Unauthorized Access Attempt
Vulnerability description
I-Soft's (formerly Seaside Enterprises) EZMall 2000 Web ordering system could
potentially be misconfigured by an administrator. This misconfiguration could expose the
order log file, which contains sensitive information about the purchase activity on the
vulnerable site.
How to remove this vulnerability
Reinstall the I-Soft EZMall 2000 Shopping Cart application, following the installation
instructions carefully. To prevent unauthorized remote access to sensitive I-Soft EZMall
2000 Shopping Cart files and directories, ensure that appropriate permissions have been
set.
References
BugTraq Mailing List, Tue Apr 20 1999 13:34:57
Re: Shopping Carts exposing CC data
http://www.securityfocus.com/archive/1/13363
I-Soft, LLC Web site
Shopping Cart Software Program by EZMall 2000
http://www.ezmall2000.com/
ISS X-Force
EZMall 2000 shopping cart misconfiguration exposes the order log
http://xforce.iss.net/static/3859.php
CVE
CAN-1999-0606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0606
EZshopper loadpage.cgi could be used to execute arbitrary commands (HTTP_EZShopper_Loadpage)
About this signature or vulnerability
This signature detects someone attempting to open or execute files on your web server by
exploiting the EZ Shopper 3.0 script named loadpage.cgi.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 5.0, RealSecure Server Sensor: 5.5.2
Systems affected
EZShopper: 3.0
Type
Unauthorized Access Attempt
Vulnerability description
EZshopper 3.0 contains a script named loadpage.cgi that can give an attacker access to
your Web server. EZshopper is a Perl-based e-commerce software package from AHG,
Inc. Due to several flaws (lack of input validation and insecure use of the open() call) in
the source code of the software, a remote attacker can pass a variable to loadpage.cgi that
opens any file or executes any command with the privileges of the Web server.
How to remove this vulnerability
Upgrade to the latest version of EZ Shopper (3.0 or later), available from the AHG Web
site. See References.
References
BugTraq Mailing List, Sun Feb 27 2000 00:42:35
EZ Shopper 3.0 shopping cart CGI remote command execution
http://www.securityfocus.com/archive/1/48580
AHG Web site
Ezshopper
http://www.ahg.com
ISS X-Force
EZshopper loadpage.cgi could be used to execute arbitrary commands
http://xforce.iss.net/static/4044.php
CVE
CAN-2000-0187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0187
EZshopper search.cgi could be used to execute arbitrary commands (HTTP_EZShopper_Search)
About this signature or vulnerability
This signature detects someone attempting to open or execute files on your web server by
exploiting the EZ Shopper 3.0 script named search.cgi.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 5.0, RealSecure Server Sensor: 5.5.2
Systems affected
EZShopper: 3.0
Type
Unauthorized Access Attempt
Vulnerability description
EZshopper 3.0 contains a script named search.cgi that can give an attacker access to your
Web server. EZshopper is a Perl-based e-commerce software package from AHG, Inc. Due
to several flaws (lack of input validation and insecure use of the open() call) in the source
code of the software, a remote attacker can pass a variable to search.cgi that opens any file
or executes any command with the privileges of the Web server.
How to remove this vulnerability
Upgrade to the latest version of EZ Shopper (3.0 or later), available from the AHG Web
site. See References.
References
BugTraq Mailing List, Sun Feb 27 2000 00:42:35
EZ Shopper 3.0 shopping cart CGI remote command execution
http://www.securityfocus.com/archive/1/48580
AHG Web site
Ezshopper
http://www.ahg.com/software.htm#ezshopper
ISS X-Force
EZshopper search.cgi could be used to execute arbitrary commands
http://xforce.iss.net/static/4045.php
CVE
CAN-2000-0188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0188
HylaFax faxsurvey CGI allows execution of commands (HTTP_FaxSurvey)
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 3.1, RealSecure Server Sensor: 5.5.2
Systems affected
Common Gateway Interface (CGI), SuSE Linux
Type
Suspicious Activity
Vulnerability description
The faxsurvey CGI program included with some versions of the HylaFAX package could
allow a remote attacker to execute commands on the Web server. The commands executed
would be limited to those capable of being run by the owner of the server process,
typically a "nobody" user.
How to remove this vulnerability
Apply the appropriate patch for your system, available from the HylaFAX Web site. See
References.
As a workaround, disable the faxsurvey CGI script.
References
BugTraq Mailing List, Tue Aug 04 1998 07:41:24
remote exploit in faxsurvey cgi-script
http://www.securityfocus.com/archive/1/10161
HylaFAX Web site
Windows Backdoors Update II: Net Bus 2.0 Pro, Caligula, and Picture.exe
http://www.hylafax.org/patches/index.html
ISS X-Force
HylaFax faxsurvey CGI allows execution of commands
http://xforce.iss.net/static/1532.php
CVE
CVE-1999-0262
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0262
FormMail CGI program multiple vulnerabilities (HTTP_FormMail)
About this signature or vulnerability
This signature detects an HTTP POST request to a FormMail CGI program, which may or
may not exist on your network.
False positives
RealSecure Network Sensor: This signature detects all HTTP POST requests to all
versions of the FormMail CGI program, including versions that are not vulnerable to the
remote execution vulnerability or the remote usage vulnerability. Also, RealSecure only
detects HTTP POST requests from the Web client, which does not necessarily indicate that
the FormMail program even exists on your network.
RealSecure Server Sensor: This signature detects all HTTP POST requests to all versions
of the FormMail CGI program, including versions that are not vulnerable to the remote
execution vulnerability or the remote usage vulnerability. Also, RealSecure only detects
HTTP POST requests from the Web client, which does not necessarily indicate that the
FormMail program even exists on your network.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
FormMail
Type
Unauthorized Access Attempt
Vulnerability description
Matt Wright's FormMail CGI program is subject to the following vulnerabilities:
● remote execution of arbitrary commands on the server (FormMail version 1.0)
● unauthorized remote usage of the FormMail program itself (FormMail version 1.3)
The remote execution vulnerability in FormMail version 1.0 allows a remote attacker to
execute arbitrary commands on the server.
The remote usage vulnerability in FormMail version 1.3 allows an unauthorized remote
Web server to use for its own sites your Web server's FormMail program.
How to remove this vulnerability
Upgrade to the latest version of FormMail (1.6 or later), available from the FormMail Web
site. See References.
References
BugTraq Mailing List, Wed Aug 02 1995 21:28:43
SECURITY HOLE: FormMail
http://www.securityfocus.com/archive/1/3545
Matt's Script Archive: FormMail
Downloading
http://www.worldwidemart.com/scripts/formmail.shtml
ISS X-Force
FormMail CGI program multiple vulnerabilities
http://xforce.iss.net/static/4917.php
FrontPage Server Extensions device name denial of service (HTTP_FrontPage_DeviceName)
About this signature or vulnerability
This signature detects an HTTP GET request containing a device name reference
appended to a call to shtml.exe. This GET request could indicate an attempt by an attacker
to execute a denial of service attack or determine the physical path of the server
components.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
FrontPage Server Extensions: 1.1
Type
Denial of Service
Vulnerability description
FrontPage 2000 Server Extensions version 1.1 is vulnerable to a remote denial of service
attack. By requesting a URL using the shtml.exe component of FrontPage 2000 Server
Extensions, an attacker can overflow a buffer and also determine the physical path of the
server components by including a DOS device name in the GET request. As a result,
FrontPage operations slow down and the server shows 100 percent CPU utilization until
the GET request times out. After the GET request times out, CPU utilization decreases and
the server returns to normal.
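An added example (not RealSecure code) that turns the request-line descriptions of HTTP_DotDot, HTTP_Dansie_Infoleak, HTTP_DragonFire and this signature into matching logic and runs it over constructed sample requests. Percent-decoding the request before matching is an assumption added here, since the page does not say whether the sensor decodes; the sample paths and query values are constructed.

```python
"""Request-line matching for several signatures in this section.

Added example, not RealSecure code.  Each check follows the page's wording:
  HTTP_DotDot                "dot dot" sequences, with / or \\ separators
  HTTP_Dansie_Infoleak       cart.cgi or cart.pl with db, env or vars in the query
  HTTP_DragonFire            dfire.cgi with a '|' character in an argument
  HTTP_FrontPage_DeviceName  a DOS device name appended to a call to shtml.exe
Percent-decoding before matching is an assumption added here (so an encoded
"..%5C" or "%7C" is still seen); the page does not say whether the sensor
decodes.  The sample request lines are constructed.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

_DOTDOT = re.compile(r"\.\.(?:[\\/]|$)")
_DEVICE_AFTER_SHTML = re.compile(
    r"shtml\.exe[\\/]+(?:CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(?:[.\\/]|$)",
    re.IGNORECASE,
)
_INFOLEAK_PARAMS = {"db", "env", "vars"}


def split_request_line(line: str) -> Tuple[str, str, str]:
    """'GET /cart.pl?db=1 HTTP/1.0' -> (method, decoded path, raw query).

    The query is left encoded so that parse_qs decodes it exactly once.
    """
    parts = line.split()
    if len(parts) < 2:
        return "", "", ""
    target = urlsplit(parts[1])
    return parts[0].upper(), unquote(target.path), target.query


def match_signatures(line: str) -> List[str]:
    """Return the names of the signatures above that this request line matches."""
    method, path, query = split_request_line(line)
    if not path:
        return []
    script = path.rsplit("/", 1)[-1].lower()
    params = parse_qs(query, keep_blank_values=True)
    hits = []
    if _DOTDOT.search(path):
        hits.append("HTTP_DotDot")
    if script in ("cart.cgi", "cart.pl") and _INFOLEAK_PARAMS & params.keys():
        hits.append("HTTP_Dansie_Infoleak")
    if method == "GET" and script == "dfire.cgi" and "|" in unquote(query):
        hits.append("HTTP_DragonFire")
    if method == "GET" and _DEVICE_AFTER_SHTML.search(path):
        hits.append("HTTP_FrontPage_DeviceName")
    return hits


# Constructed request lines: one benign, one per signature, and two near
# misses (an ordinary cart query and a filename that merely begins with "aux").
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /scripts..%5C..%5Cnotes.txt HTTP/1.0",
    "GET /cgi-bin/cart.pl?db=1 HTTP/1.0",
    "GET /cgi-bin/cart.cgi?item=5 HTTP/1.0",
    "GET /cgi-bin/dfire.cgi?database=dragon%7Cx HTTP/1.0",
    "GET /_vti_bin/shtml.exe/aux.htm HTTP/1.0",
    "GET /_vti_bin/shtml.exe/auxiliary.htm HTTP/1.0",
]


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run every line through the matcher; keep only the lines that fired."""
    flagged = []
    for line in lines:
        hits = match_signatures(line)
        if hits:
            flagged.append((line, hits))
    return flagged


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS):
        print(f"{', '.join(hits):28} {line}")
```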
How to remove this vulnerability
Upgrade to the latest Service Release (1.2 or later) for FrontPage 2000, available from the
MSDN Online Web Workshop. See References.
References
Xato Network Security, Inc. Security Advisory XATO-082000-01
FRONTPAGE SERVER EXTENSIONS SHTML.EXE DENIAL OF SERVICE
http://www.xato.net/Reference/xato-082000-01.htm
MSDN Online Web Workshop
Microsoft FrontPage 2000 Server Extensions: Downloads for Microsoft Windows-Based
Servers
http://msdn.microsoft.com/workshop/languages/fp/2000/winfpse.asp
ISS X-Force
FrontPage Server Extensions device name denial of service
http://xforce.iss.net/static/5124.php
CVE
CAN-2000-0710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0710
FrontPage Server Extensions Visual Studio RAD Support sub-component buffer overflow (HTTP_Frontpage_Extensions_RAD_Overflow)
About this signature or vulnerability
This signature detects URLs containing references to the files fp30reg.dll or fp4areg.dll,
followed by an overly long string. Such URLs could indicate an attacker's attempt to
overflow a buffer in Microsoft IIS (Internet Information Server) servers running FrontPage
Server Extensions with the Visual Studio RAD Support sub-component.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: XPU 3.3
Systems affected
Windows NT, Windows NT: 4.0, Microsoft IIS: 4.0, Windows 2000, FrontPage 2000 Server
Extensions, Windows 2000: Server, Microsoft IIS: 5.0, Windows 2000: Advanced Server
Type
Protocol Signature
Vulnerability description
Microsoft FrontPage Server Extensions (FPSE) for Windows NT and Windows 2000 is
vulnerable to a buffer overflow in the Visual Studio RAD (Remote Application
Deployment) Support sub-component. FrontPage Server Extensions are components used
in Microsoft Internet Information Server (IIS) versions 4.0 and 5.0. If the Visual Studio
RAD Support sub-component is installed, a remote attacker can send a specially-crafted
packet to the server to overflow a buffer. An attacker could exploit this vulnerability to
execute arbitrary code on the system and possibly gain complete control over the affected
Web server.
How to remove this vulnerability
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin
MS01-035. See References.
Windows NT
Apply the Windows NT4.0 'FrontPage Server Extension Unchecked Buffer' security patch,
as detailed in Microsoft Security Bulletin MS01-035.
Windows 2000
Ensure that Windows 2000 Service Pack 2 is installed and apply the Windows 2000
'FrontPage Server Extension Unchecked Buffer' security patch, as detailed in Microsoft
Security Bulletin MS01-035.
References
Microsoft Security Bulletin MS01-035
FrontPage Server Extension Sub-Component Contains Unchecked Buffer
http://www.microsoft.com/technet/security/bulletin/MS01-035.asp
NSFOCUS Security Advisory SA2001-03
Microsoft FrontPage 2000 Server Extensions Buffer Overflow Vulnerability
http://www.nsfocus.com/english/homepage/sa01-03.htm
CIAC Information Bulletin L-100
FrontPage Sub-Component Vulnerability
http://www.ciac.org/ciac/bulletins/l-100.shtml
ISS X-Force
FrontPage Server Extensions Visual Studio RAD Support sub-component buffer overflow
http://xforce.iss.net/static/6730.php
CVE
CVE-2001-0341
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0341
HTTP get (HTTP_Get)
About this signature or vulnerability
This signature detects that a computer on your network has submitted an HTTP GET
request to a Web server. This signature allows an administrator to track, log and view
Web traffic on the network.
False positives
RealSecure Network Sensor: Lists of sites accessed can be reviewed for compliance with
the organization's "Acceptable Use" policy. Internal publication of summaries of where
everyone is visiting with their browsers is often very effective both for user education
about acceptable use of the network, and to discourage internal misuse.
RealSecure Server Sensor: Lists of sites accessed can be reviewed for compliance with
the organization's "Acceptable Use" policy. Internal publication of summaries of where
everyone is visiting with their browsers is often very effective both for user education
about acceptable use of the network, and to discourage internal misuse.
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5.2
Systems affected
HTTP
Type
Protocol Signature
Vulnerability description
Pages, images, and all other information viewed through a Web browser on the World
Wide Web are transferred through HTTP using the GET command. Decoding HTTP GET
requests reveals every Web page being transmitted in the clear to a computer.
How to remove this vulnerability
Some organizations have policies that prevent the use of Web browsers in order to protect
the organization from possible malicious intent.
Lists of sites accessed can be reviewed for compliance with the organization's "Acceptable
Use" policy. Internal publication of summaries of where users have visited with their
browsers can be effective both for user education about acceptable use of the network and
to discourage internal misuse.
References
ISS X-Force
HTTP get
http://xforce.iss.net/static/654.php
Glimpse Web server allows remote command execution
(HTTP_Glimpse)
About this signature or vulnerability
This signature detects an attack against the glimpse cgi-bin script present with certain
httpd Web servers.
Additional Vulnerabilities Found
■ http-cgi-glimpse-vuln
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
Glimpse: 2.0, Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability description
The aglimpse CGI script shipped with Glimpse HTTP version 2.0 and WebGlimpse
versions prior to 1.5 could allow a remote attacker to execute commands on a Web server
with the privileges of the user running the httpd process. Depending on the configuration
of the Web server, this could allow the attacker to gain root or administrator access to the
host. In any case, this vulnerability allows the attacker to alter the contents of the Web site.
How to remove this vulnerability
Disable access to the aglimpse CGI script until you can upgrade to the latest version of
WebGlimpse (2.0.03 or later), available from the Webglimpse Web site. See References.
GlimpseHTTP is no longer supported by the makers of Webglimpse.
References
GlimpseHTTP Home Pages
GlimpseHTTP security
http://sunsite.bilkent.edu.tr/pub/infosystems/Glimpse/security.html
CERT Vendor-Initiated Bulletin VB-97.13
Vulnerability in GlimpseHTTP and WebGlimpse CGI scripts
http://www.cert.org/vendor_bulletins/VB-97.13.GlimpseHTTP.WebGlimpse
WebGlimpse Web site
The site for cooperative development of Glimpse & Webglimpse
http://webglimpse.org/
ISS X-Force
Glimpse Web server allows remote command execution
http://xforce.iss.net/static/297.php
Guestbook could allow execution of commands from remote
(HTTP_Guestbook)
About this signature or vulnerability
This signature detects an HTTP GET request for the Guestbook CGI script, which may be
running on a Web server.
False positives
RealSecure Network Sensor: RealSecure only detects the execution of this script, not the
exploitation of it. Even if you apply the remedy, RealSecure will continue to detect the use
of this script.
RealSecure Server Sensor: RealSecure only detects the execution of this script, not the
exploitation of it. Even if you apply the remedy, RealSecure will continue to detect the use
of this script.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability description
The guestbook CGI program allows a remote attacker to execute arbitrary commands on a
Web server. This is present in Selena Sol's guestbook on servers with Server Side Includes
(SSI) enabled.
How to remove this vulnerability
Modify the guestbook.setup file, adding the word exec to the comma-delimited
@bad_words variable.
— OR —
Modify the guestbook.setup file so that the @allow_html variable is set to no.
References
CERT Vendor-Initiated Bulletin VB-97.02
Security Hole in Guestbook Script for Web Servers Using SSI
http://www.cert.org/vendor_bulletins/VB-97.02.sol_guestbook
Extropia.com
Guestbook Security
http://www.extropia.com/scripts/guestbook_security.html
ISS X-Force
Guestbook could allow execution of commands from remote
http://xforce.iss.net/static/321.php
CVE
CVE-1999-0237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0237
HTTP HEAD request detected (HTTP_Head)
About this signature or vulnerability
This signature detects an HTTP HEAD request on the network.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 5.0, RealSecure Server Sensor: 5.5.2
Systems affected
Any
Type
Suspicious Activity
Vulnerability description
An HTTP HEAD request, which is similar to an HTTP GET request, has been detected on
the network. The HTTP GET command is used to transfer pages, images, and other
content viewed through a Web browser. Although similar to GET requests, HEAD
requests have been used by CGI scanners and exploits to remain hidden from Intrusion
Detection Systems (IDS), which only detect HTTP GET requests. While HTTP HEAD
requests do happen normally, they are rare. As a result, they often indicate that an
attacker is trying to bypass an IDS.
How to remove this vulnerability
HTTP HEAD requests may indicate an attacker attempting to bypass an IDS. Determine if
this HEAD request is suspicious by examining the Web address associated with the event.
References
ISS X-Force
HTTP HEAD request detected
http://xforce.iss.net/static/4703.php
Home Free CGI search.cgi script allows remote directory
listings (HTTP_HomeFree_Search)
About this signature or vulnerability
This signature detects someone attempting to view directory listings by exploiting the
search.cgi script.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 5.0, RealSecure Server Sensor: 5.5.2
Systems affected
Common Gateway Interface (CGI), Home Free CGI
Type
Unauthorized Access Attempt
Vulnerability description
Home Free is a collection of free CGI Perl scripts for Windows NT and Unix systems. A
vulnerability in the search.cgi program allows a user to supply the letter variable and
view directory listings on the vulnerable server.
How to remove this vulnerability
No remedy available as of January 2000.
References
BugTraq Mailing List, Mon Jan 03 2000 17:52:23
Another search.cgi vulnerability
http://www.securityfocus.com/archive/1/40593
ISS X-Force
Home Free CGI search.cgi script allows remote directory listings
http://xforce.iss.net/static/3882.php
CVE
CAN-2000-0054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0054
Htmlscript CGI allows remote file reading (HTTP_HTMLScript)
About this signature or vulnerability
This signature detects specially-crafted HTTP GET requests for the search97.vts CGI
script, which could indicate attempts by an attacker to read arbitrary files on the system.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 3.1, RealSecure Server Sensor: 5.5.2
Systems affected
Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability description
A vulnerability in the Miva Corporation htmlscript CGI program could allow a remote
user to read files on the server. Any file that can be read by the user running the server
(usually "nobody") can also be accessed from the htmlscript CGI script. This vulnerability
is present in versions of the htmlscript CGI program previous to 2.9932.
How to remove this vulnerability
Htmlscript has been acquired by Miva Corporation. Contact Miva technical support for
upgrade or patch information.
Disable htmlscript on your server until you are able to patch this vulnerability, or if you
are unable to obtain a fix for this vulnerability.
References
BugTraq Mailing List, Tue Jan 27 1998 17:28:53
Security flaw in htmlscript
http://www.securityfocus.com/archive/1/8460
ISS X-Force
Htmlscript CGI allows remote file reading
http://xforce.iss.net/static/1466.php
CVE
CVE-1999-0264
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0264
Internet Explorer 3.0 allows remote command execution
(HTTP_IE3_URL)
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
Microsoft Internet Explorer: 3.0, Microsoft Internet Explorer: 3.01
Type
Unauthorized Access Attempt
Vulnerability description
Microsoft Internet Explorer versions 3.0 and 3.01 could allow a Web site to execute an
arbitrary program on a computer running Microsoft Windows and browsing the Web
using Microsoft Internet Explorer.
By exploiting this vulnerability, an attacker who has created a malicious Web site can
execute commands on another user's computer. When someone using Microsoft Internet
Explorer 3.0 or 3.01 connects to the attacker's Web site, the HTML code written by the
attacker can execute commands or even create a login on the visiting client's computer.
How to remove this vulnerability
Upgrade to the latest version of Internet Explorer (3.02 or later), available from the
Microsoft Web site. See References.
References
Microsoft Web site
Internet Explorer Home Page
http://www.microsoft.com/windows/ie/
Security Bugware Web site
Internet Explorer #1
http://focus.silversand.net/vulner/allbug/ie.html
Security Bugware Web site
Internet Explorer #2
http://focus.silversand.net/vulner/allbug/ie2.html
ISS X-Force
Internet Explorer 3.0 allows remote command execution
http://xforce.iss.net/static/463.php
CVE
CVE-1999-0280
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0280
Win32 Web servers remote command execution through .CMD
and .BAT files (HTTP_IE_BAT)
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 2.5, RealSecure Server Sensor: 5.5
Systems affected
Microsoft IIS: 1.0
Type
Unauthorized Access Attempt
Vulnerability description
Microsoft Internet Information Server (IIS) version 1.0 could allow a remote attacker to
execute commands on the server by using .BAT and .CMD files. It is believed that this
vulnerability affects other servers in addition to IIS. Contact your vendor for more
information.
Using this vulnerability, an attacker could create a malicious Web site. When someone
using IE 3.0 connects to this Web site, the HTML code written by the attacker can execute
commands or create a login on the visiting client's system.
How to remove this vulnerability
Apply the .CMD /.BAT Patch, as listed in Microsoft Knowledge Base Article Q148188. See
References.
As a workaround, disable .BAT and .CMD file extensions for external CGI scripts in the
mapping feature of the IIS WWW server, as listed in Microsoft Knowledge Base Article
Q148188. See References.
— OR —
Apply the latest Windows NT Service Pack (3.51 or later) for Microsoft IIS, as listed in
Microsoft Knowledge Base Article Q148188. See References.
References
Microsoft Knowledge Base Article Q148188
Internet Information Server Security .CMD /.BAT Patch
http://support.microsoft.com/support/kb/articles/q148/1/88.asp
Microsoft Knowledge Base Article Q155056
IIS Security Concern Using Batch Files for CGI
http://support.microsoft.com/support/kb/articles/q155/0/56.asp
ISS X-Force
Win32 Web servers remote command execution through .CMD and .BAT files
http://xforce.iss.net/static/63.php
CVE
CVE-1999-0233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0233
IIS ASP DATA issue could reveal source code (HTTP_IIS$DATA)
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 3.1, RealSecure Server Sensor: 5.5
Systems affected
Microsoft IIS: 2.0, Microsoft IIS: 3.0, Microsoft IIS: 4.0, Microsoft IIS: 1.0
Type
Unauthorized Access Attempt
Vulnerability description
Microsoft Internet Information Server (IIS) is vulnerable to a source code disclosure,
caused by how IIS handles the multiple data streams NTFS provides for files. By
appending the string "::$DATA" to an HTTP request for a file, an attacker could view the
contents of a file that is normally set to be acted upon by an Application Mapping, such as
Active Server Pages (ASP). An attacker who has gained read access to such a file could
view sensitive or potentially proprietary information within the source of the file.
How to remove this vulnerability
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin
MS98-003. See References.
References
Microsoft Security Bulletin MS98-003
File Access Issue with Windows NT Internet Information Server (IIS)
http://www.microsoft.com/technet/security/bulletin/ms98-003.asp
Microsoft Knowledge Base Article Q188806
::$DATA Data Stream Name of a File May Return Source
http://support.microsoft.com/support/kb/articles/q188/8/06.asp
NTBugtraq Mailing List
ASP vulnerability with Alternate Data Streams
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9807&L=ntbugtraq&F=P&S=&P=921
Allaire Security Bulletin ASB99-03
ASB99-03: Microsoft Internet Information Server Exposure of Source Code with
'::$DATA'
http://www.allaire.com/handlers/index.cfm?ID=8729
Microsoft Web site
Microsoft Windows Web Services (IIS) Web site
http://www.microsoft.com/technet/iis/
CIAC Information Bulletin I-068
File Access Issue With Internet Information Server
http://www.ciac.org/ciac/bulletins/i-068.shtml
ISS X-Force
IIS ASP DATA issue could reveal source code
http://xforce.iss.net/static/1125.php
CVE
CVE-1999-0278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0278
IIS ASP dot bug (HTTP_IIS3_Asp_Dot)
About this signature or vulnerability
This signature detects an HTTP request for an Active Server Page (ASP) file with a dot
("."), which could indicate an attempt by an attacker to view the source of ASP files on a
Microsoft Internet Information Server.
Additional Vulnerabilities Found
■ http-iis-aspsource
■ http-iis-2e
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
Microsoft IIS: 3.0 and earlier
Type
Unauthorized Access Attempt
Vulnerability description
Microsoft Internet Information Server (IIS) versions 2.0 and 3.0 display the source of
Active Server Pages (ASP files) if a period is appended to the URL. Scripting information
and any other data in the file can then be viewed.
Potentially proprietary Web server files (such as .ASP, .HTX, and .IDC file name
extensions) may contain sensitive information (such as user IDs and passwords)
embedded in the source code, which is normally not available to remote users.
How to remove this vulnerability
Upgrade to the latest version of Microsoft Internet Information Server (5.0 or later),
available from the Microsoft Windows Web Services (IIS) Web site. See References. If
upgrading to the latest version of IIS is not possible, download and apply the iis-fix patch,
available from the Microsoft FTP site. See References.
As a workaround, disable read permissions for the ASP directory in the Internet Service
Manager. This may not be a practical solution since many sites mix ASP and HTML files.
If your site mixes these files together in the same directories, segregate them immediately.
ASP files should be treated as any other Web-based executable and kept in separate
directories where permissions can be adjusted.
References
Microsoft Knowledge Base Article Q163485
Active Server Pages Script Appears in Browser
http://support.microsoft.com/support/kb/articles/q163/4/85.asp
BugTraq Mailing List, Thu Feb 20 1997 13:51:04
Re: [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP
http://www.securityfocus.com/archive/1/6332
BugTraq Mailing List, Thu Feb 20 1997 09:39:01
! [ADVISORY] Major Security Hole in MS ASP
http://www.securityfocus.com/archive/1/6330
Microsoft Knowledge Base Article Q164059
IIS Execution File Text Can Be Viewed in Client
http://support.microsoft.com/support/kb/articles/q164/0/59.asp
ISS X-Force
IIS ASP dot bug
http://xforce.iss.net/static/336.php
CVE
CAN-1999-0154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0154
IIS 4.0/5.0 escaped percent found
(HTTP_IIS_Double_Eval_Evasion)
About this signature or vulnerability
This signature detects a URL containing double percent character sequences, such as
"%25". This could indicate an attacker's attempt to use escaped sequences to bypass an
intrusion detection system. See also HTTP_IIS_Percent_Evasion,
HTTP_IIS_Unicode_Evasion, and HTTP_IIS_UTF8_Evasion.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 3.3, RealSecure Server Sensor: 6.5
Systems affected
Microsoft IIS: 4.0, Microsoft IIS: 5.0
Type
Protocol Signature
Vulnerability description
Microsoft IIS (Internet Information Server) versions 4.0 and 5.0 incorrectly evaluate URLs
twice for escape sequences. In an attempt to bypass intrusion detection systems, an
attacker may submit to an IIS server a URL containing escape sequences (such as %25)
representing percent (%) characters.
How to remove this vulnerability
No remedy available as of October 2001.
References
ISS X-Force
IIS 4.0/5.0 escaped percent found
http://xforce.iss.net/static/7202.php
IIS 4.0/5.0 malformed hex sequence (HTTP_IIS_Hex_Evasion)
About this signature or vulnerability
This signature detects invalid hex sequences (such as "%)f") in submitted URLs. Such
URLs may indicate an attacker's attempt to bypass an intrusion detection system.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 3.3, RealSecure Server Sensor: 6.5
Systems affected
Microsoft IIS: 4.0, Microsoft IIS: 5.0
Type
Protocol Signature
Vulnerability description
Microsoft IIS (Internet Information Server) versions 4.0 and 5.0 translate certain forms of
malformed hex sequences (such as "%)f"). IIS will process any escape sequence as long as
it contains at least one valid hexadecimal character. In an attempt to bypass an intrusion
detection system, an attacker may submit to the IIS server a URL containing such
malformed hex sequences.
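The three IIS evasion entries on this page (HTTP_IIS_Double_Eval_Evasion above, HTTP_IIS_Hex_Evasion here, and the "%%35c" form of HTTP_IIS_Percent_Evasion below) share one root cause: the server decodes a URL differently from a monitor that decodes it once, strictly. The Python below is an added example, not ISS code, that decodes a request path both ways and names the signature each difference corresponds to; its two lenient-decoding details (the invalid digit of a processed escape counts as 0, and a "%" directly followed by another "%" is left as a literal) are assumptions of this example, not statements from the guide.

```python
"""Decode a request path the lenient, two-pass way IIS 4.0/5.0 is described
as doing it, next to a strict single-pass decode, and report where the two
views differ.

Added example, not ISS code.  Taken from the signature text: IIS evaluates
escapes twice, and processes an escape that has at least one valid hex
digit.  Assumed by this example: the invalid digit of such an escape counts
as 0, and a "%" directly followed by another "%" is left as a literal.
"""
from dataclasses import dataclass, field

HEXDIGITS = set("0123456789abcdefABCDEF")

# Signature names from the guide, one per evasion form.
DOUBLE_EVAL = "HTTP_IIS_Double_Eval_Evasion"   # escaped percent, e.g. %25
HEX_EVASION = "HTTP_IIS_Hex_Evasion"           # malformed hex, e.g. %)f
PERCENT_EVASION = "HTTP_IIS_Percent_Evasion"   # double percent, e.g. %%35c


def decode_pass(s: str, lenient: bool, events: list) -> str:
    """One layer of %XX decoding.

    lenient=False: both characters after "%" must be hex digits; anything
                   else is copied through unchanged (what a naive monitor does).
    lenient=True:  one hex digit is enough (assumed IIS 4/5 behaviour); every
                   such malformed escape is recorded as HEX_EVASION.
    """
    out = []
    i, n = 0, len(s)
    while i < n:
        ch = s[i]
        if ch == "%" and i + 2 < n and s[i + 1] != "%":
            hi, lo = s[i + 1], s[i + 2]
            valid = (hi in HEXDIGITS, lo in HEXDIGITS)
            if all(valid):
                out.append(chr(int(hi + lo, 16)))
                i += 3
                continue
            if lenient and any(valid):
                events.append(HEX_EVASION)
                value = ((int(hi, 16) if valid[0] else 0) * 16
                         + (int(lo, 16) if valid[1] else 0))
                out.append(chr(value))
                i += 3
                continue
        out.append(ch)
        i += 1
    return "".join(out)


@dataclass
class Inspection:
    raw: str
    ids_view: str       # one strict pass: what a naive monitor pattern-matches
    server_view: str    # two lenient passes: what IIS 4/5 would act on
    events: list = field(default_factory=list)

    @property
    def diverges(self) -> bool:
        """True when the monitor and the server disagree about the path."""
        return self.ids_view != self.server_view


def inspect_url(raw: str) -> Inspection:
    """Decode both ways and name the evasion signature(s) the request trips."""
    events = []
    ids_view = decode_pass(raw, lenient=False, events=[])
    first = decode_pass(raw, lenient=True, events=events)
    second = decode_pass(first, lenient=True, events=events)
    if second != first:
        # An escape survived the first pass: a percent sign was itself escaped
        # (%25, or the %%XX form) and only the second pass revealed it.
        events.append(DOUBLE_EVAL)
    if "%%" in raw:
        events.append(PERCENT_EVASION)
    return Inspection(raw, ids_view, second, list(dict.fromkeys(events)))


if __name__ == "__main__":
    # Constructed sample paths, not captured traffic.
    for sample in ("/samples/a%20b.htm", "/samples/%255c/index.htm",
                   "/samples/%)f.htm", "/samples/%%35c/index.htm"):
        r = inspect_url(sample)
        print(f"{sample:26} ids={r.ids_view!r:28} server={r.server_view!r:26} {r.events}")
```

A monitor that wants to see what the server sees must apply the same lenient, two-pass decode before pattern matching; the events list is what remains worth alerting on after that normalisation.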
How to remove this vulnerability
No remedy available as of October 2001.
References
ISS X-Force
IIS 4.0/5.0 malformed hex sequence
http://xforce.iss.net/static/7199.php
IIS idq.dll ISAPI extension buffer overflow
(HTTP_IIS_Index_Server_Overflow)
About this signature or vulnerability
This signature detects an attempt to access an IIS (Internet Information Server) IDA
(Indexing Service) object with overly long arguments. This event could indicate an
attacker's attempt to crash the IIS service or execute arbitrary code on the system by
exploiting a buffer overflow condition.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: XPU 3.1, RealSecure Server Sensor: 6.0.1
Systems affected
Windows NT, Windows NT: 4.0, Microsoft IIS: 4.0, Windows 2000, Microsoft Index
Server: 2.0, Microsoft IIS: 5.0, Microsoft Indexing Service: All versions, Microsoft IIS: 6.0
beta, Windows: XP beta
Type
Unauthorized Access Attempt
Vulnerability description
Microsoft Internet Information Server (IIS) versions 4.0, 5.0, and 6.0 beta are vulnerable to
a buffer overflow in the handling of ISAPI (Internet Services Application Programming
Interface) extensions. An unchecked buffer in the code that handles idq.dll ISAPI
extensions in the Indexing Service for IIS could allow a remote attacker to overflow a
buffer and execute code by sending a specially-crafted Indexing Service request. An
attacker could exploit this vulnerability to gain complete control over the affected server.
This vulnerability is exploited by the "Code Red" and "Code Red II" worms. The "Code
Red" worm is a self-propagating worm that scans random IP addresses on port 80
searching for vulnerable Web servers. Once a vulnerable Web server is found, the worm
performs malicious activity before propagating to other vulnerable hosts. The "Code Red
II" worm does not deface Web sites, as the original version of the worm did, but it carries
a more serious threat -- it contains a Trojan Horse payload, which could allow any remote
attacker to further compromise infected systems. The "Code Red II" worm also has the
ability to scan for vulnerable hosts much faster than previous versions, which has already
been reported to cause failures in certain network components by overloading them with
network traffic.
How to remove this vulnerability
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin
MS01-033. See References.
Windows NT
Apply the "Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server
Compromise" security update to Microsoft Index Server 2.0 as detailed in Microsoft
Security Bulletin MS01-033. Alternatively, if they are not required, disable the .IDA and
.IDQ mappings as follows:
1. In the Internet Service Manager, select Properties for the Web site.
2. Select the tab for Directory, Home Directory or Virtual Directory.
3. Under Applications, click Configuration.
4. Select the App Mappings tab.
5. Select the .IDA or .IDQ mapping and click Remove.
Windows 2000
Apply the "Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server
Compromise" security update to Indexing Service in Windows 2000 as detailed in
Microsoft Security Bulletin MS01-033. Alternatively, if they are not required, disable the
.IDA and .IDQ mappings as follows:
1. In the Internet Service Manager, select Properties for the Web site.
2. Select the tab for Directory, Home Directory or Virtual Directory.
3. Under Applications, click Configuration.
4. Select the App Mappings tab.
5. Select the .IDA or .IDQ mapping and click Remove.
References
eEye Digital Security Team Alert AD20010618
All versions of Microsoft Internet Information Services Remote buffer overflow (SYSTEM
Level Access)
http://www.eeye.com/html/Research/Advisories/AD20010618.html
Microsoft Security Bulletin MS01-033
Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server
Compromise
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
Internet Security Systems Security Alert #79
Remote IIS Index Server ISAPI Extension Buffer Overflow
http://xforce.iss.net/alerts/advise79.php
CERT Vulnerability Note VU#952336
Microsoft Index Server/Indexing Service used by IIS 4.0/5.0 contains unchecked buffer
used when encoding double-byte characters
https://www.kb.cert.org/vuls/id/952336
CERT Advisory CA-2001-13
Buffer Overflow In IIS Indexing Service DLL
http://www.cert.org/advisories/CA-2001-13.html
CIAC Information Bulletin L-098
Microsoft Index Server ISAPI Extension Buffer Overflow
http://www.ciac.org/ciac/bulletins/l-098.shtml
IBM Managed Security Services Outside Advisory Redistribution MSS-OAR-E012001:224.1
Microsoft Security Bulletin MS01-033: Unchecked Buffer in Index Server ISAPI Extension
Could Enable Web Server Compromise
http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/85256A3400529A8685256A700047905E/$file/oar224.txt
CERT Advisory CA-2001-19
"Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL
http://www.cert.org/advisories/CA-2001-19.html
CERT Advisory CA-2001-23
Continued Threat of the "Code Red" Worm
http://www.cert.org/advisories/CA-2001-23.html
Cisco System Field Notice July 20, 2001
"Code Red" Worm - Customer Impact
http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml
Internet Security Systems Security Alert #89
X-Force Response to Concern About the "Code Red" Worm
http://xforce.iss.net/alerts/advise89.php
Internet Security Systems Security Alert #90
Resurgence of "Code Red" Worm Derivatives
http://xforce.iss.net/alerts/advise90.php
CERT Incident Note IN-2001-09
"Code Red II:" Another Worm Exploiting Buffer Overflow In IIS Indexing Service DLL
http://www.cert.org/incident_notes/IN-2001-09.html
CIAC Information Bulletin L-120
Cisco "Code Red" Worm Impact
http://www.ciac.org/ciac/bulletins/l-120.shtml
CIAC Information Bulletin L-117
The Code Red Worm
http://www.ciac.org/ciac/bulletins/l-117.shtml
ISS X-Force
IIS idq.dll ISAPI extension buffer overflow
http://xforce.iss.net/static/6705.php
CVE
CAN-2001-0500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0500
IIS 5.0 ISAPI Internet Printing Protocol extension buffer
overflow (HTTP_IIS_ISAPI_Printer_Overflow)
About this signature or vulnerability
This signature detects any HTTP request for any file with an extension of ".printer."
False positives
RealSecure Network Sensor: A false positive is possible if a legitimate user is using ISAPI
Printer Extensions for valid reasons. However, most published exploits for this
vulnerability use "null.printer." Requests for this particular file could indicate the activity
of an attacker.
RealSecure Server Sensor: A false positive is possible if a legitimate user is using ISAPI
Printer Extensions for valid reasons. However, most published exploits for this
vulnerability use "null.printer." Requests for this particular file could indicate the activity
of an attacker.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: XPU 3.1, RealSecure Server Sensor: 6.0.1
Systems affected
Windows 2000, Microsoft IIS: 5.0, Windows 2000: Server, Windows 2000: Advanced
Server, Windows 2000: Datacenter Server
Type
Unauthorized Access Attempt
Vulnerability description
Microsoft Internet Information Server (IIS) version 5.0 installed on Microsoft Windows
2000 is vulnerable to a buffer overflow in the handling of ISAPI (Internet Services
Application Programming Interface) extensions. An unchecked buffer exists in the code
that handles input parameters for the Internet Printing Protocol (IPP) ISAPI extension. By
sending a specially-crafted Internet Printing request to the server, an attacker can
overflow a buffer to allow the modification of IPP ISAPI extension functionality. An
attacker can use this vulnerability to gain complete control over the affected server.
How to remove this vulnerability
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin
MS01-023. See References.
Windows 2000
Apply the "Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0
Server" security patch as detailed in Microsoft Security Bulletin MS01-023. Alternatively,
if not required, disable the .printer mapping as follows:
1. In the Internet Service Manager, select Properties for the Web site.
2. Select the tab for Directory, Home Directory or Virtual Directory.
3. Under Applications, click Configuration.
4. Select the App Mappings tab.
5. Select the .printer mapping and click Remove.
References
Microsoft Security Bulletin MS01-023
Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server
http://www.microsoft.com/technet/security/bulletin/MS01-023.asp
eEye Digital Security Team Alert AD20010501
Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level
Access)
http://www.eeye.com/html/Research/Advisories/AD20010501.html
CERT Advisory CA-2001-10
Buffer Overflow Vulnerability in Microsoft IIS 5.0
http://www.cert.org/advisories/CA-2001-10.html
BugTraq Mailing List, Tue May 01 2001 13:15:10
Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level
Access)
http://www.securityfocus.com/archive/1/181109
BugTraq Mailing List, Thu May 03 2001 08:09:07
How to remove .printer mapping (WAS RE: Permanently remove IIS printer mapping)
http://www.securityfocus.com/archive/1/181906
BugTraq Mailing List, Thu May 03 2001 23:08:38
IIS 5 remote exploit.
http://www.securityfocus.com/archive/1/181937
BugTraq Mailing List, Wed May 02 2001 20:04:43
Re: Permanently remove iis printer mapping
http://www.securityfocus.com/archive/1/181931
BugTraq Mailing List, Sun May 13 2001 06:12:02
IIS5 .printer exploit ported to perl and win32
http://www.securityfocus.com/archive/1/184535
BugTraq Mailing List, Wed May 02 2001 09:57:42
Re: Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level
Access)
http://www.securityfocus.com/archive/1/181420
Microsoft Technet
Secure Internet Information Services 5 Checklist
http://www.microsoft.com/technet/security/iis5chk.asp
CERT Vulnerability Note VU#516648
Microsoft Windows 2000/Internet Information Server (IIS) 5.0 Internet Printing Protocol
(IPP) ISAPI contains buffer overflow (MS01-023)
http://www.kb.cert.org/vuls/id/516648
CIAC Information Bulletin L-078
Microsoft Unchecked Buffer in ISAPI Extension
http://www.ciac.org/ciac/bulletins/l-078.shtml
Internet Security Systems Security Alert #75
Remote IIS ISAPI Printer Extension Buffer Overflow
http://xforce.iss.net/alerts/advise75.php
ISS X-Force
IIS 5.0 ISAPI Internet Printing Protocol extension buffer overflow
http://xforce.iss.net/static/6485.php
CVE
CVE-2001-0241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0241
IIS allows remote attackers to obtain source code fragments
using +.htr (HTTP_IIS_Obtain_Code)
About this signature or vulnerability
This signature detects HTTP GET requests that include the string "+.htr", which could
indicate an attempt by an attacker to view the source of files on the Web server.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 2.2, RealSecure Server Sensor: 6.5
Systems affected
Microsoft IIS: 4.0, Microsoft Personal Web Server: 4.0, Microsoft IIS: 5.0
Type
Unauthorized Access Attempt
Vulnerability description
Microsoft Internet Information Server (IIS) versions 4.0 and 5.0 could allow a remote
attacker to obtain source code fragments under restricted conditions, due to a variant of
the "File Fragment Reading via .HTR" vulnerability. (For more information about the "File
Fragment Reading via .HTR" vulnerability, see Microsoft Security Bulletin MS00-031. See
References.) By sending a URL request with an appended +.htr, an attacker could be sent
parts of the .ASP (Active Server Page) source code.
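HTTP_IIS$DATA, HTTP_IIS3_Asp_Dot and HTTP_IIS_Obtain_Code above all exploit the same gap: IIS picks the handler from the extension as typed in the request, while the file it then opens is the .ASP, .HTX, .IDC or .HTR file with the "::$DATA", "." or "+.htr" suffix removed. The Python below is an added example, not ISS or Microsoft code, that canonicalises a request path the way the file system would and flags any request whose typed extension no longer matches the canonical one; the suffixes and the script-mapped extension set come from this page, while the function names and the pairing of each suffix with a signature name are this example's own.

```python
"""Canonicalise a requested path before choosing the handler for it.

Added example, not ISS or Microsoft code.  The suffixes come from the three
source-disclosure signatures on this page; treating them as a
canonicalisation step (resolve the real file first, then pick the handler
from its extension) is the defensive reading of the same facts.
"""
import os
from dataclasses import dataclass, field

# Extensions the guide names as handled by an application mapping rather
# than served as static files.
SCRIPT_MAPPED = {".asp", ".htx", ".idc", ".htr"}

# (signature name, does the typed path end with the trick?, strip it)
TRICKS = (
    ("HTTP_IIS$DATA",        lambda p: p.upper().endswith("::$DATA"), lambda p: p[:-7]),
    ("HTTP_IIS3_Asp_Dot",    lambda p: p.endswith("."),               lambda p: p.rstrip(".")),
    ("HTTP_IIS_Obtain_Code", lambda p: p.lower().endswith("+.htr"),   lambda p: p[:-5]),
)


def canonical_path(path: str):
    """Strip the suffixes above until none is left; the file system opens the
    same file for every form.  Returns (canonical_path, tricks_seen_in_order)."""
    seen = []
    stripped = True
    while stripped:
        stripped = False
        for name, matches, strip in TRICKS:
            if matches(path):
                path = strip(path)
                seen.append(name)
                stripped = True
    return path, seen


def extension(path: str) -> str:
    """Extension as a naive handler lookup sees it (from the last '.' on)."""
    return os.path.splitext(path)[1].lower()


@dataclass
class Verdict:
    typed_path: str
    canonical: str
    tricks: list = field(default_factory=list)
    disclosure_risk: bool = False   # script-mapped file reached under another extension


def check_request_path(path: str) -> Verdict:
    """Flag a request whose typed extension would select a different handler
    than the file that is really opened.  Risk is only raised when the real
    file is script-mapped: that is the case where source is returned instead
    of being executed."""
    canonical, tricks = canonical_path(path)
    real_ext = extension(canonical)
    risk = real_ext in SCRIPT_MAPPED and extension(path) != real_ext
    return Verdict(path, canonical, tricks, risk)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for sample in ("/site/login.asp", "/site/login.asp::$DATA", "/site/login.asp.",
                   "/site/login.asp+.htr", "/site/notes.txt."):
        v = check_request_path(sample)
        print(f"{sample:24} -> {v.canonical:18} risk={v.disclosure_risk!s:5} {v.tricks}")
```

The same check, placed in front of handler selection on the server, is the structural fix the individual patches each apply to one suffix.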
How to remove this vulnerability
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin
MS01-004. See References.
Microsoft first addressed the "File Fragment Reading via .HTR" vulnerability in Microsoft
Security Bulletin MS00-031. However, new variants of this vulnerability have resulted in
the release of additional Microsoft Security Bulletins and updated patches. The most
current patch for this vulnerability is available in Microsoft Security Bulletin MS01-004.
For best security practices, if .HTR functionality is not required, disable the .HTR script
mapping, as listed in Microsoft Security Bulletin MS01-004. See References.
References
Microsoft Security Bulletin MS00-044
Patch Available for “Absent Directory Browser Argument” Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS00-044.asp
Microsoft Security Bulletin MS00-044 FAQ
Microsoft Security Bulletin (MS00-044): Frequently Asked Questions
http://www.microsoft.com/technet/security/bulletin/fq00-044.asp
Microsoft Security Bulletin MS00-031
Patch Available for "Undelimited .HTR Request" and "File Fragment Reading via .HTR"
Vulnerabilities
http://www.microsoft.com/technet/security/bulletin/ms00-031.asp
Microsoft Security Bulletin MS01-004
Patch Available for New Variant of “File Fragment Reading via .HTR” Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS01-004.asp
ISBASE Security Advisory SA2000-02
IIS ISM.DLL truncation exposes file content
http://www.securityfocus.com/advisories/2412
Allaire Security Bulletin ASB00-20
Patch Available for "Absent Directory Browser Argument" Vulnerability
http://www.securityfocus.com/advisories/2460
BugTraq Mailing List, Fri Aug 04 2000 11:39:00
More information on MS00-044 Date: Fri Aug 04 2000 11:39:00
http://www.securityfocus.com/archive/1/74153
CERT Vulnerability Note VU#28565
Microsoft Internet Information Server (IIS) discloses contents of files via crafted request
containing "+.htr"
http://www.kb.cert.org/vuls/id/28565
ISS X-Force
IIS allows remote attackers to obtain source code fragments using +.htr
http://xforce.iss.net/static/5104.php
CVE
CVE-2000-0630
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0630
IIS 4.0/5.0 malformed double percent sequence
(HTTP_IIS_Percent_Evasion)
About this
signature or
vulnerability
This signature detects invalid hex sequences (such as "%%35c") in submitted URLs. Such
URLs may indicate an attacker's attempt to bypass an intrusion detection system.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.3, RealSecure Server Sensor: 6.5
Systems affected
Microsoft IIS: 4.0, Microsoft IIS: 5.0
Type
Protocol Signature
Vulnerability
description
Microsoft IIS (Internet Information Server) versions 4.0 and 5.0 mistranslate double
percent sequences (%%). Whereas other Web servers would translate %%35c to a literal
"%35c" with no further translation, IIS will perform two translations: the first to "%5c" and
then to "/". In this example, IIS will translate the double percent to a percent, but will
continue to translate in escape mode, translating the hexadecimal 35 to a '5', then
translating the resulting "%5c" to a slash "/". In an attempt to bypass an intrusion
detection system, an attacker may submit to the IIS server URLs containing such double
percent sequences.
How to remove this
vulnerability
No remedy available as of October 2001.
References
ISS X-Force
IIS 4.0/5.0 malformed double percent sequence
http://xforce.iss.net/static/7201.php
IIS and SiteServer Showcode.asp sample file allows remote file
viewing (HTTP_IIS_Showcode)
About this
signature or
vulnerability
This signature detects an attempt to access the "showcode.asp" sample file used by IIS 4.0
and SiteServer 3.x. This may indicate an attacker's attempt to read arbitrary files on the
server.
False positives
RealSecure Network Sensor: A false positive is possible for access attempts for benign
files coincidentally named "showcode.asp." A false positive is also possible for access
attempts to patched (invulnerable) copies of this file.
RealSecure Server Sensor: A false positive is possible for access attempts for benign files
coincidentally named "showcode.asp." A false positive is also possible for access attempts
to patched (invulnerable) copies of this file.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.2, RealSecure Server Sensor: 6.5
Systems affected
Microsoft IIS: 4.0, Microsoft Site Server: All versions
Type
Suspicious Activity
Vulnerability
description
The showcode.asp sample file shipped with Microsoft Internet Information Server (IIS) 4.0
and SiteServer 3.x can be remotely exploited to read arbitrary files on vulnerable servers.
This file is one of several sample files distributed with IIS 4.0 and SiteServer 3.x that allow
remote file viewing.
How to remove this
vulnerability
Remove the showcode.asp file from your servers. As a rule, sample code and example
applications should not be installed on production servers.
References
@stake, Inc./L0pht Security Advisory 05/07/99
Microsoft IIS 4.0 Web Server
http://www.atstake.com/research/advisories/1999/showcode.txt
Microsoft Security Bulletin MS99-013
Patches Available for File Viewers Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Microsoft Knowledge Base Article Q231368
Solution Available for File Viewers Vulnerability
http://support.microsoft.com/support/kb/articles/q231/3/68.asp
WebTrends Press Release
WebTrends Corporation Discovers New Microsoft Site Server & IIS Security
Vulnerabilities
http://www.webtrends.com/news/releases/release.asp?id=81
Microsoft Knowledge Base Article Q232449
Sample ASP Code May be Used to View Unsecured Server Files
http://support.microsoft.com/support/kb/articles/q232/4/49.asp
ISS X-Force
IIS and SiteServer Showcode.asp sample file allows remote file viewing
http://xforce.iss.net/static/2381.php
CVE
CAN-1999-0736
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0736
IIS %u Unicode encoding detected (HTTP_IIS_Unicode_Encoding)
About this
signature or
vulnerability
This signature detects HTTP requests that contain "%u" followed by a particular series of
hexadecimal characters. Such "%u" requests could indicate an attacker's attempts to
bypass an intrusion detection system. RealSecure decodes these %u requests and may
trigger additional events based on the content of the requests.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.2, RealSecure Server Sensor: 6.5
Systems affected
Microsoft IIS: 4.0, Microsoft IIS: 5.0
Type
Unauthorized Access Attempt
Vulnerability
description
Microsoft Internet Information Server (IIS) allows Unicode characters to be encoded in
URL requests in a format that uses "%u". Such encoded characters appear as "%uXXXX",
where "XXXX" represents hexadecimal characters (0-9, A-F). For example, the character 'a'
can be encoded as %u0061. A remote attacker can use this form of encoding to attempt to
bypass intrusion detection systems.
How to remove this
vulnerability
No remedy available as of August 2001.
References
Internet Security Systems Security Alert #95
Multiple Vendor IDS Unicode Bypass Vulnerability
http://xforce.iss.net/alerts/advise95.php
eEye Digital Security Advisory AD20010705
%u encoding IDS bypass vulnerability
http://www.eeye.com/html/Research/Advisories/AD20010705.html
CIAC Information Bulletin L-139
Microsoft IIS "%u encoding IDS bypass vulnerability"
http://www.ciac.org/ciac/bulletins/l-139.shtml
ISS X-Force
IIS %u Unicode encoding detected
http://xforce.iss.net/static/6994.php
CVE
CAN-2001-0669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0669
IIS Unicode translation error allows remote command execution
(HTTP_IIS_Unicode_Translation)
About this
signature or
vulnerability
This signature detects HTTP GET requests that include certain Unicode characters. Such
GET requests may indicate an attacker's attempts to bypass IIS (Internet Information
Server) security mechanisms.
False negatives
RealSecure Network Sensor: A unique version of this Unicode attack is possible for each
language supported by Windows NT. This signature only detects attacks against the
English version of Windows NT. This signature has not yet been tested in attacks against
other language versions of Windows NT. Also, this signature will only detect specific
HTTP GET requests that attempt to run an .exe file.
RealSecure Server Sensor: A unique version of this Unicode attack is possible for each
language supported by Windows NT. This signature only detects attacks against the
English version of Windows NT. This signature has not yet been tested in attacks against
other language versions of Windows NT. Also, this signature will only detect specific
HTTP GET requests that attempt to run an .exe file.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1, RealSecure Server Sensor: 6.0.1
Systems affected
Windows NT, Microsoft IIS: 4.0, Windows 2000, Microsoft IIS: 5.0
Type
Unauthorized Access Attempt
Vulnerability
description
Microsoft Internet Information Server (IIS) versions 4.0 and 5.0 are vulnerable to a
canonicalization error when using foreign Unicode character sets. An attacker could send
a specially-crafted URL containing Unicode characters that represent slashes ("/") and
backslashes ("\") to access files and folders on the Web server with the privileges of the
IUSR_ account (an anonymous user account for IIS). This vulnerability may yield
additional privileges that could allow the attacker to add, delete, or modify files, or
execute commands on the server.
This vulnerability may be exploited via the "Code Blue" worm. See Internet Security
Systems Security Alert #96 for more information. See References.
How to remove this
vulnerability
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin
MS00-078. See References.
Windows NT
Apply the "Web Server Folder traversal" patch detailed in Microsoft Security Bulletin
MS00-078.
Windows 2000
Apply the "Web Server Folder traversal" patch detailed in Microsoft Security Bulletin
MS00-078.
References
Microsoft Security Bulletin MS00-078
Patch Available for 'Web Server Folder Traversal' Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
Microsoft Security Bulletin MS00-078 FAQ
Microsoft Security Bulletin (MS00-078): Frequently Asked Questions
http://www.microsoft.com/technet/security/bulletin/fq00-078.asp
BugTraq Mailing List, Tue Oct 17 2000 09:48:03
IIS %c1%1c remote command execution
http://www.securityfocus.com/archive/1/140091
BugTraq Mailing List, Fri Oct 20 2000 03:30:48
[LoWNOISE] addendum %c1%1c IIS 4.0/5.0 Remote command execution
http://www.securityfocus.com/archive/1/140620
BugTraq Mailing List, Wed Oct 18 2000 23:21:23
IIS 4.0/5.0 UNICODE exploit
http://www.securityfocus.com/archive/1/140349
BugTraq Mailing List, Wed Oct 18 2000 15:35:31
Re: IIS %c1%1c remote command execution
http://www.securityfocus.com/archive/1/140214
Internet Security Systems Security Alert #68
Serious flaw in Microsoft IIS UNICODE translation
http://xforce.iss.net/alerts/advise68.php
CERT Vulnerability Note VU#111677
Microsoft IIS 4.0 / 5.0 vulnerable to directory traversal via extended unicode in url
http://www.kb.cert.org/vuls/id/111677
CERT Advisory CA-2001-11
sadmind/IIS Worm
http://www.cert.org/advisories/CA-2001-11.html
CIAC Information Bulletin L-007
Microsoft IIS Folder Traversal
http://www.ciac.org/ciac/bulletins/l-007.shtml
Internet Security Systems Security Alert #96
Code Blue Worm
http://xforce.iss.net/alerts/advise96.php
ISS X-Force
IIS Unicode translation error allows remote command execution
http://xforce.iss.net/static/5377.php
CVE
CAN-2000-0884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0884
IIS %u Unicode wide character encoding detected
(HTTP_IIS_Unicode_Wide_Encoding)
About this
signature or
vulnerability
This signature detects HTTP requests that contain "%u" followed by a particular series of
hexadecimal characters. Such "%u" requests could indicate an attacker's attempts to
bypass an intrusion detection system. RealSecure does not decode the HTTP request but
will report the exact request string as is.
False positives
RealSecure Network Sensor: A false positive is possible if the detected encoded wide
characters represent foreign language characters in an otherwise legitimate (non-malicious)
HTTP request.
RealSecure Server Sensor: A false positive is possible if the detected encoded wide
characters represent foreign language characters in an otherwise legitimate (non-malicious)
HTTP request.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.2, RealSecure Server Sensor: 6.5
Systems affected
Microsoft IIS: 4.0, CiscoSecure IDS, Microsoft IIS: 5.0, Snort: prior to 1.8.1
Type
Unauthorized Access Attempt
Vulnerability
description
Microsoft Internet Information Server (IIS) allows wide characters to be Unicode encoded
in URL requests in a format that uses "%u". Such encoded characters appear as
"%uXXXX", where "XXXX" represents hexadecimal characters (0-9, A-F). For example, the
character 'a' can be encoded as "%u0061" . A remote attacker can use this form of encoding
to attempt to bypass intrusion detection systems.
Many public ".ida" overflow exploits (including the CodeRed worms) use this type of
encoding when executing a buffer overflow attempt.
How to remove this
vulnerability
For RealSecure Network Sensor 5.x, 6.x: Apply the latest RealSecure Network Sensor
XPress Update (XPU 3.2 or later), as listed in Internet Security Systems Security Alert #95.
See References.
For RealSecure Server Sensor 6.0: Upgrade to the latest version of RealSecure Server
Sensor (6.0.1 or later), as listed in Internet Security Systems Security Alert #95. See
References.
For Cisco Secure Intrusion Detection System (Netranger): Apply the latest service pack as
listed in Cisco Systems Field Notice, September 5, 2001. See References.
For Snort prior to 1.8.1: Upgrade to the latest version of Snort (1.8.1 or later) available at:
http://www.snort.org/downloads.html
References
Internet Security Systems Security Alert #95
Multiple Vendor IDS Unicode Bypass Vulnerability
http://xforce.iss.net/alerts/advise95.php
eEye Digital Security Advisory AD20010705
%u encoding IDS bypass vulnerability
http://www.eeye.com/html/Research/Advisories/AD20010705.html
Cisco Systems Field Notice, September 5, 2001
Cisco Secure Intrusion Detection System Signature Obfuscation Vulnerability
http://www.cisco.com/warp/public/707/cisco-intrusion-detection-obfuscation-vulnpub.shtml
CIAC Information Bulletin M-001
Cisco Secure IDS Signature Obfuscation Vulnerability
http://www.ciac.org/ciac/bulletins/m-001.shtml
CIAC Information Bulletin L-139
Microsoft IIS "%u encoding IDS bypass vulnerability"
http://www.ciac.org/ciac/bulletins/l-139.shtml
ISS X-Force
IIS %u Unicode wide character encoding detected
http://xforce.iss.net/static/6995.php
CVE
CAN-2001-0669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0669
IIS URL decoding error could allow remote code execution
(HTTP_IIS_URL_Decoding)
About this
signature or
vulnerability
This signature detects specific HTTP GET requests that contain "double-escaped" periods,
slashes, or back-slashes. Such HTTP GET requests may indicate an attacker's attempts to
bypass security mechanisms in IIS (Internet Information Server) URL decoding routines.
False positives
RealSecure Network Sensor: Some legitimate sites may convert certain characters of the
URL into "escaped" characters (e.g., "%2E") or "double escaped" characters (e.g., "%252E").
A false positive is possible if users visit legitimate sites that use certain "double escaped"
URLs (containing "double-escaped" characters), which this signature uses to detect this
vulnerability.
RealSecure Server Sensor: Some legitimate sites may convert certain characters of the
URL into "escaped" characters (e.g., "%2E") or "double escaped" characters (e.g., "%252E").
A false positive is possible if users visit legitimate sites that use certain "double escaped"
URLs (containing "double-escaped" characters), which this signature uses to detect this
vulnerability.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1, RealSecure Server Sensor: 6.0.1
Systems affected
Windows NT, Windows NT: 4.0, Microsoft IIS: 4.0, Windows 2000, Microsoft IIS: 5.0,
Microsoft Peer Web Services
Type
Unauthorized Access Attempt
Vulnerability
description
A vulnerability in the URL decoding routines in Microsoft Internet Information Server
(IIS) versions 4.0 and 5.0 could allow a remote attacker to execute arbitrary code on the IIS
server. When IIS receives a query on a server-side script, it performs a decoding pass on
the request. A primary decoding routine converts the string into canonical form, security
checks are performed to ensure the validity of the request, then a second decoding routine
parses parameters following the filename. However, IIS mistakenly parses the filename a
second time with these additional parameters. A remote attacker could exploit this
vulnerability by sending a specially-crafted URL containing ".." ("dot dot") and "/"
characters to bypass security mechanisms within the URL decoding routines. This
vulnerability could allow the attacker to view directory structures, view and delete files,
execute arbitrary commands, or cause a denial of service.
How to remove this
vulnerability
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin
MS01-026. See References.
Windows NT
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin
MS01-026.
Windows 2000
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin
MS01-026.
References
Microsoft Security Bulletin MS01-026
Superfluous Decoding Operation Could Allow Command Execution via IIS
http://www.microsoft.com/technet/security/bulletin/MS01-026.asp
NSFOCUS Security Advisory SA2001-02
Microsoft IIS CGI Filename Decode Error Vulnerability
http://www.nsfocus.com/english/homepage/sa01-02.htm
CERT Advisory CA-2001-12
Superfluous Decoding Vulnerability in IIS
http://www.cert.org/advisories/CA-2001-12.html
Internet Security Systems Security Alert #77
IIS URL Decoding Vulnerability
http://xforce.iss.net/alerts/advise77.php
CERT Vulnerability Note VU#789543
IIS decodes filenames superfluously after applying security checks
http://www.kb.cert.org/vuls/id/789543
CIAC Information Bulletin L-083
Microsoft CGI Filename Decode Error Vulnerability in IIS
http://www.ciac.org/ciac/bulletins/l-083.shtml
Bright Eyes Research Group Advisory # be00001e
Remote users can execute any command on several IIS 4.0 and 5.0 systems by using UTF
codes
http://security.instock.ru/rus/advisories/advisories.htm/be00001e.txt
BugTraq Mailing List, Wed Sep 19 2001 19:12:16
RE: New vulnerability in IIS4.0/5.0
http://www.securityfocus.com/archive/1/215342
Microsoft Security Bulletin MS01-044
15 August 2001 Cumulative Patch for IIS
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
CIAC Information Bulletin L-132
Microsoft Cumulative Patch for IIS
http://www.ciac.org/ciac/bulletins/l-132.shtml
ISS X-Force
IIS URL decoding error could allow remote code execution
http://xforce.iss.net/static/6534.php
CVE
CVE-2001-0333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0333
UTF8 found in the HTTP data (HTTP_IIS_UTF8_Evasion)
About this
signature or
vulnerability
This signature detects invalid hex sequences (such as "%c0%af") in submitted URLs. Such
URLs may indicate an attacker's attempt to bypass an intrusion detection system.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.3, RealSecure Server Sensor: 6.5
Systems affected
Microsoft IIS: 4.0, Microsoft IIS: 5.0
Type
Protocol Signature
Vulnerability
description
UTF8 (Universal Character Set Transformation Format 8) is a means of encoding 16-bit
Unicode characters as multibyte character sequences so that Unicode characters can be
mixed in a string with normal ASCII characters. In a string that contains UTF8 encodings,
ASCII characters are represented by their normal values. Unicode characters are
represented by 2, 3, or 4 byte sequences, although Microsoft IIS (Internet Information
Server) only supports 2 and 3 byte sequences. Bytes with values of 0xc0 or higher
represent the start of a UTF8 encoding. For example, an escape sequence of %c0%af in a
URL is a 2 byte UTF8 encoding.
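The decoding behaviours described in the HTTP_IIS_Percent_Evasion, HTTP_IIS_Unicode_Encoding, HTTP_IIS_URL_Decoding and HTTP_IIS_UTF8_Evasion entries, modelled as one normalizer that canonicalizes a request path and reports which escape forms it carried. This is an added example, not code from this guide or from RealSecure; the sample paths and the signature-name labels are constructed for illustration, the lenient UTF-8 decoder that accepts overlong sequences is an assumption about server behaviour, and "%5c" is decoded to the backslash byte 0x5c, which Windows treats as a path separator.

```python
"""Model of the IIS URL-decoding quirks behind this guide's HTTP_IIS_* evasion signatures.

Added example, not code from the guide or from RealSecure: canonicalizes a request path
and reports which escape forms it carried, so a detector alerts instead of being evaded.
"""
from typing import List, Tuple

Finding = Tuple[str, str]  # (signature-style label, offending token)
_HEX = set("0123456789abcdefABCDEF")


def _is_hex(s: str, width: int) -> bool:
    return len(s) == width and all(c in _HEX for c in s)


def decode_iis_pass(path: str) -> Tuple[bytes, List[Finding]]:
    """One IIS-style pass: raw bytes (UTF-8 left for the next stage) plus findings.

    "%%35c" is handled as the Percent_Evasion entry describes: "%%" becomes "%", the next
    hex pair is decoded in the same pass, and the resulting "%5c" is decoded again, here
    to byte 0x5c (a backslash, which Windows treats as a path separator).
    """
    out = bytearray()
    findings: List[Finding] = []
    i = 0
    while i < len(path):
        if path[i] != "%":
            out += path[i].encode("utf-8", "surrogatepass")
            i += 1
        elif path[i + 1:i + 2] == "%" and _is_hex(path[i + 2:i + 4], 2):
            findings.append(("HTTP_IIS_Percent_Evasion", path[i:i + 4]))
            # Rewrite "%%XX" in place as "%" + chr(XX) and rescan from the same offset.
            path = path[:i] + "%" + chr(int(path[i + 2:i + 4], 16)) + path[i + 4:]
        elif path[i + 1:i + 2] in ("u", "U") and _is_hex(path[i + 2:i + 6], 4):
            findings.append(("HTTP_IIS_Unicode_Encoding", path[i:i + 6]))  # %uXXXX form
            out += chr(int(path[i + 2:i + 6], 16)).encode("utf-8", "surrogatepass")
            i += 6
        elif _is_hex(path[i + 1:i + 3], 2):
            out.append(int(path[i + 1:i + 3], 16))
            i += 3
        else:
            out += b"%"  # malformed escape: keep the literal percent sign
            i += 1
    return bytes(out), findings


def decode_utf8_lenient(data: bytes) -> Tuple[str, List[Finding]]:
    """Decode 2- and 3-byte UTF-8 (the lengths the UTF8_Evasion entry says IIS supports)
    without rejecting overlong forms, flagging each one: a strict decoder refuses c0 af,
    a lenient one yields "/" (U+002F)."""
    out: List[str] = []
    findings: List[Finding] = []
    i = 0
    while i < len(data):
        b, tail = data[i], data[i + 1:i + 3]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b < 0xE0 and len(tail) >= 1 and 0x80 <= tail[0] < 0xC0:
            cp, width = ((b & 0x1F) << 6) | (tail[0] & 0x3F), 2
        elif 0xE0 <= b < 0xF0 and len(tail) == 2 and all(0x80 <= t < 0xC0 for t in tail):
            cp, width = ((b & 0x0F) << 12) | ((tail[0] & 0x3F) << 6) | (tail[1] & 0x3F), 3
        else:
            out.append("\ufffd")  # stray continuation byte or an unsupported 4-byte form
            i += 1
            continue
        if cp < (0x80 if width == 2 else 0x800):  # overlong: fits in fewer bytes
            findings.append(("HTTP_IIS_UTF8_Evasion", data[i:i + width].hex()))
        out.append(chr(cp))
        i += width
    return "".join(out), findings


def normalize(path: str) -> Tuple[str, List[Finding]]:
    """Canonical path plus findings. The second pass models the superfluous decode of
    MS01-026 (HTTP_IIS_URL_Decoding): IIS checked the once-decoded path, then decoded it
    again, so "%252E" passed the check as "%2E" and only then became ".". If the second
    pass changes the path, the request carried double-escaped characters."""
    raw, findings = decode_iis_pass(path)
    once, utf8_findings = decode_utf8_lenient(raw)
    findings += utf8_findings
    twice, _ = decode_utf8_lenient(decode_iis_pass(once)[0])
    if twice != once:
        findings.append(("HTTP_IIS_URL_Decoding", once))
    return twice, findings


# Constructed sample paths (not captured traffic), one per encoding form.
SAMPLES = ["/scripts/index.asp", "/dir%%35cfile.htm", "/%u0061.asp",
           "/dir%c0%affile.htm", "/a%252Eb"]

if __name__ == "__main__":
    for sample in SAMPLES:
        canonical, found = normalize(sample)
        labels = ", ".join(label for label, _ in found) or "clean"
        print(f"{sample:22} -> {canonical:16} [{labels}]")
```

A sensor that matches its patterns against the canonical path returned by normalize() rather than the raw request is not fooled by any of these encodings, and the findings list is the per-encoding alert.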
How to remove this
vulnerability
No remedy available as of October 2001.
References
BugTraq Mailing List, Oct 4 2001 1:04PM
On IDS Evasion, Vulnerabilities, and Vendor Hype
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=218563
ISS X-Force
UTF8 found in the HTTP data
http://xforce.iss.net/static/7200.php
IIS ExAir sample site denial of service (HTTP_IISExAir_DoS)
About this
signature or
vulnerability
This signature detects specially-crafted HTTP GET requests for one of many specific .asp
(active server page) files, which may indicate an attacker's attempt to cause a denial of
service on an installation of Microsoft Internet Information Server (IIS).
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
Microsoft IIS: 4.0
Type
Denial of Service
Vulnerability
description
Installations of Internet Information Server (IIS) version 4.0 that include the "ExAir"
sample site pages are vulnerable to a denial of service attack. If certain ExAir .asp (active
server page) pages are requested directly and not from the main page, the pages do not
load the needed DLLs correctly, and the server's CPU usage increases to 100%. By
submitting such a request for these .asp pages, an attacker can exhaust all CPU resources
on the server.
How to remove this
vulnerability
Remove the IIS ExAir Sample Site from your installation of IIS. More information is
available in the Getting Started with the Windows NT 4.0 Option Pack white paper,
available from the Microsoft Web site. See References.
References
BugTraq Mailing List, Tue Jan 26 1999 16:35:41
IIS 4 Advisory - ExAir sample site DoS
http://www.securityfocus.com/archive/1/12161
Microsoft Web Site
Getting Started with the Windows NT 4.0 Option Pack
http://www.microsoft.com/ntserver/appservice/deployment/planguide/ntopdg.asp
ISS X-Force
IIS ExAir sample site denial of service
http://xforce.iss.net/static/2229.php
CVE
CVE-1999-0449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0449
IIS buffer overflow in HTR requests can allow remote code
execution (HTTP_IISHTR_Overflow)
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT, Windows NT: 4.0, Microsoft IIS: 4.0
Type
Unauthorized Access Attempt
Vulnerability
description
Microsoft Internet Information Server (IIS) version 4.0 is vulnerable to a denial of service
attack caused by a buffer overflow involving the way that .HTR, .STM, and .IDC files are
processed. IIS version 4.0 can perform various server-side processing with specific file
types. Requests for files ending with .HTR, .STM, and .IDC extensions are passed to the
appropriate external DLL for processing. By sending a malformed request, an attacker can
overflow a buffer and cause the service to crash. It may be possible for an attacker to use
this vulnerability to execute arbitrary code on the system.
How to remove this
vulnerability
Apply the Internet Information Server 4.0 ext-fix update.
Additional steps can be used to prevent issues similar to this one from impacting any
Microsoft IIS 4.0 Server. IIS 4.0 can be forced to check if the requested script exists or if the
user has permission to the requested script. If the user does not have permission to view
the requested script, the appropriate warning message is returned to the browser and the
script engine is not invoked.
To set this functionality:
1. In Internet Service Manager (ISM), double-click Internet Information Server.
2. Right-click the computer name and then click Properties on the menu that appears.
3. In the Master Properties drop-down box, click WWW Service, and then click Edit.
4. Click the Home Directory tab and then click Configuration.
5. Double-click the line in the extension mappings that contains .HTR.
6. Select the check box labeled "Check if file exists".
7. Repeat these steps for STM and IDC application mappings.
8. Close the ISM.
Windows NT
Apply the Internet Information Server 4.0 ext-fix update. Internet Information Server 4.0
users, apply the ext-fix update:
1. Open a web browser.
2. Go to ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/ext-fix/.
3. View the readme.txt for versions and install instructions.
4. Download the appropriate patch for your operating environment.
5. Find the patch file you downloaded to your computer.
6. Double-click its icon to start the installation.
7. Follow the installation directions.
Additional steps can be used to prevent issues similar to this one from impacting any
Microsoft IIS 4.0 Server. IIS 4.0 can be forced to check if the requested script exists or if the
user has permission to the requested script. If not, the appropriate warning message is
returned to the browser and the script engine is not invoked. This functionality can be set
as follows:
1. In Internet Service Manager (ISM), double-click Internet Information Server.
2. Right-click the computer name and then click Properties on the menu that appears.
3. In the Master Properties drop-down box, click "WWW Service", and then click "Edit".
4. Click the "Home Directory" tab and then click "Configuration".
5. Double-click the line in the extension mappings that contains ".HTR".
6. Select the check box labeled "Check if file exists".
7. Repeat these steps for STM and IDC application mappings.
8. Close the ISM.
References
eEye Digital Security Team Alert AD06081999
Retina vs. IIS4, Round 2
http://www.eeye.com/html/Research/Advisories/AD19990608.html
Microsoft Security Bulletin MS99-019
Workaround Available for 'Malformed HTR Request' Vulnerability
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS99-019.asp
CIAC Information Bulletin J-048
Malformed HTR Request Vulnerability
http://ciac.llnl.gov/ciac/bulletins/j-048.shtml
Microsoft Knowledge Base Article Q234905
An Improperly Formatted HTTP Request Can Cause The Inetinfo Process To Fail
http://support.microsoft.com/support/kb/articles/q234/9/05.asp
CERT Advisory CA-1999-07
IIS Buffer Overflow
http://www.cert.org/advisories/CA-1999-07.html
Internet Security Systems Security Alert #28
Malformed HTR File Vulnerability in Microsoft Internet Information Server 4.0
http://xforce.iss.net/alerts/advise28.php
ISS X-Force
IIS buffer overflow in HTR requests can allow remote code execution
http://xforce.iss.net/static/2281.php
CVE
CVE-1999-0874
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0874
Microsoft Index Server idq.dll allows remote directory traversal
(HTTP_IndexServer_IDQ)
About this
signature or
vulnerability
This signature detects someone attempting to view files on your web server by exploiting
the idq.dll file in Microsoft Index Server.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 5.0, RealSecure Server Sensor: 5.5.2
Systems affected
Windows NT: 4.0, Microsoft IIS Index Server: 2.0
Type
Unauthorized Access Attempt
Vulnerability
description
Microsoft Index Server could allow a remote attacker to view files on the Web server.
Microsoft Index Server is a Web search engine included in the Windows NT 4.0 Option
Pack. A vulnerability in the idq.dll file allows a remote attacker to search outside virtual
directories by requesting a specially-crafted URL. Attackers can use this vulnerability to
view any file on the Web server root drive, if they know or can guess the file name.
How to remove this
vulnerability
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin
MS00-006. See References.
In addition, ensure that your IDQ files restrict user input so that only .HTX files are
capable of formatting the output. Some sample files do not sufficiently restrict user input.
Sample files should always be removed from production servers.
References
Microsoft Security Bulletin MS00-006
Patch Available for "Malformed Hit-Highlighting Argument" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
@stake, Inc./Cerberus Information Security Advisory CISADV000202
IDQ
http://www.atstake.com/research/advisories/2000/adviisidq.html
ISS X-Force
Microsoft Index Server idq.dll allows remote directory traversal
http://xforce.iss.net/static/4232.php
CVE
CAN-2000-0126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0126
Microsoft Index Server webhits.dll allows remote directory
traversal (HTTP_IndexServer_Webhits)
About this
signature or
vulnerability
This signature detects someone attempting to view files on your web server by exploiting
the webhits.dll file in Microsoft Index Server.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 5.0, RealSecure Server Sensor: 5.5.2
Systems affected
Windows NT, Windows 2000, Microsoft Index Server: 2.0
Type
Unauthorized Access Attempt
Vulnerability
description
Microsoft Index Server could allow a remote attacker to view files on the Web server.
Microsoft Index Server is a Web search engine included in the Windows NT 4.0 Option
Pack and incorporated as Indexing Services in Windows 2000. A vulnerability in the
webhits.dll file allows a remote attacker to search outside virtual directories by requesting
a specially-crafted URL. Attackers can use this vulnerability to view any file on the Web
server root drive, if they know or can guess the file name.
How to remove this
vulnerability
Obtain the appropriate patch for your system, as listed in Microsoft Security Bulletin
MS00-006. See References.
Windows NT
Apply the “Malformed Hit-Highlighting Argument” patch detailed in Microsoft Security
Bulletin MS00-006 to Index Server 2.0
Windows 2000
Apply the “Malformed Hit-Highlighting Argument” patch detailed in Microsoft Security
Bulletin MS00-006 to Indexing Services for Windows 2000
References
Microsoft Security Bulletin MS00-006
Patch Available for "Malformed Hit-Highlighting Argument" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
@stake, Inc./Cerberus Information Security Advisory CISADV000126
Webhits.dll buffer truncation
http://www.atstake.com/research/advisories/2000/adviishtw.html
ISS X-Force
Microsoft Index Server webhits.dll allows remote directory traversal
http://xforce.iss.net/static/3884.php
CVE
CVE-2000-0097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0097
info2www script allows remote execution of commands
(HTTP_Info2WWW)
False positives
RealSecure Network Sensor: A false positive is possible for legitimate uses of the script.
RealSecure Server Sensor: A false positive is possible for legitimate uses of the script.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 3.1, RealSecure Server Sensor: 5.5.2
Systems affected
Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability
description
The info2www script is a program used to convert GNU Info Nodes into HTML for
viewing over the Web. A vulnerability in some versions of this script prior to 1.2 could
allow a remote attacker to execute arbitrary commands with the privilege of the user
owning the server process, usually "nobody." Other scripts (such as info2html and
infogate) from which the info2www script may have been derived may also be
vulnerable. Generally, the script is vulnerable if it passes data from the HTTP request
to open() without first filtering out shell metacharacters.
How to remove this vulnerability
Disable all info2www CGI scripts prior to version 1.2, as well as any versions of the
info2html and infogate scripts, which may also be vulnerable.
References
BugTraq Mailing List, Tue Mar 03 1998 03:26:49
Vulnerabilites in some versions of info2www CGI
http://www.securityfocus.com/archive/1/8658
ISS X-Force
info2www script allows remote execution of commands
http://xforce.iss.net/static/1732.php
CVE
CVE-1999-0266
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0266
HTTP Java (HTTP_Java)
About this signature or vulnerability
This signature detects when a Web browser attempts to obtain a file containing Java
bytecode.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 1.0
Systems affected
HTTP, Java
Type
Protocol Signature
Vulnerability description
Web browsers that have Java enabled may access files that contain Java code from remote
Web sites. It is possible for Java code to contain malicious commands.
How to remove this vulnerability
Some organizations have policies that prevent Java from being used, to protect the
organization from possible hostile applets. If your policy does not allow Java to be used,
disable Java in the user's Web browser.
References
CNET News.Com Article, August 30, 1999, 12:25 p.m. PT
Malicious Java code uses IE to access computers
http://news.cnet.com/news/0-1003-204-346600.html
CERT Tech Tips FAQ
Frequently Asked Questions About Malicious Web Scripts Redirected by Web Sites
http://www.cert.org/tech_tips/malicious_code_FAQ.html
ISS X-Force
HTTP Java
http://xforce.iss.net/static/655.php
jj CGI program could allow remote command execution (HTTP_JJ)
About this signature or vulnerability
This signature detects specially-crafted HTTP GET requests for cgi-bin/jj (the jj CGI
demonstration program), which may indicate attempts by an attacker to execute code on
the system.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability description
The jj CGI program distributed with some HTTP servers is used as a demonstration
program. A vulnerability in this program could allow a remote attacker to execute
arbitrary commands with the same permissions as the CGI script by shell escaping from
the /bin/mail program (on systems that support such a feature). To exploit this
vulnerability, an attacker must have knowledge of the program's password. However,
several default passwords are known, including "HTTPDrocks" and "SDGROCKS."
How to remove this vulnerability
Remove the jj CGI program from the CGI-BIN directory.
As a rule, sample code, example applications, tutorials and documentation should not be
installed on production servers.
References
BugTraq Mailing List, Tue Dec 24 1996 18:30:20
jj cgi
http://www.securityfocus.com/archive/1/6021
ISS X-Force
jj CGI program could allow remote command execution
http://xforce.iss.net/static/1808.php
CVE
CVE-1999-0260
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0260
WebLogic allows users to read source of JSP files (HTTP_JSP_SourceRead)
About this signature or vulnerability
This signature detects the use of ".JSP" (an all-caps extension) in a URL.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 2.2, RealSecure Server Sensor: 6.5
Systems affected
WebLogic
Type
Unauthorized Access Attempt
Vulnerability description
BEA WebLogic Server is vulnerable to source code disclosure of Java Server Pages (JSP
files). By requesting a JSP file from the server with the file extension changed from
lowercase (.jsp) to uppercase (.JSP), an attacker can cause the Web server to reveal the
source code for the requested JSP file.
Potentially proprietary Web server files, such as Java Server Pages, may contain sensitive
information (such as user IDs and passwords) embedded in the source code.
How to remove this vulnerability
Set the following property in the weblogic.properties file, as listed in BEA security
lockdown documentation (see References):
weblogic.httpd.servlet.extensionCaseSensitive=true
References
BugTraq Mailing List, Mon Jun 12 2000 02:19:45
BEA WebLogic JSP showcode vulnerability
http://www.securityfocus.com/archive/1/64356
FreeBSD, Inc. Security Advisory FreeBSD-SA-01:08
New BEA WebLogic showcode vulnerability discovered by Foundstone, Inc.
http://www.foundstone.com/cgi-bin/display.cgi?Content_ID=36
BEA WebLogic
WebLogic Server HTTP Configuration
http://www.weblogic.com/docs51/admindocs/lockdown.html
ISS X-Force
WebLogic allows users to read source of JSP files
http://xforce.iss.net/static/4694.php
CVE
CVE-2000-0499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0499
MachineInfo script reveals system information (HTTP_MachineInfo)
False positives
RealSecure Network Sensor: A false positive is possible for legitimate uses of the script.
RealSecure Server Sensor: A false positive is possible for legitimate uses of the script.
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: 3.1, RealSecure Server Sensor: 5.5.2
Systems affected
IRIX: 6.3, Common Gateway Interface (CGI)
Type
Pre-attack Probe
Vulnerability description
The CGI script MachineInfo is installed by default on some IRIX systems. This script
provides detailed information about the computer on which it is running. This
information includes the type and speed of the processor, memory, and other details
regarding installed hardware. This information could be useful to an attacker in
performing an attack.
How to remove this vulnerability
Remove the MachineInfo script from the CGI bin directory of your Web server.
References
SGI Security Advisory 19970501-02-PX
IRIX webdist.cgi, handler and wrap programs
ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
CERT Advisory CA-1997-12
Vulnerability in webdist.cgi
http://www.cert.org/advisories/CA-1997-12.html
AUSCERT Advisory AA-97.14
SGI IRIX webdist.cgi Vulnerability
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.14.SGI.webdist.cgi.vul
Cisco Systems Network Security Database
SGI MachineInfo CGI script
http://www.opensystems.com/support/docs/6332/vul_334.html
BugTraq Mailing List, May 7 1997 5:02AM
Re: SGI Security Advisory 19970501-01-A - Vulnerability in webdist.cgi
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=6705
ISS X-Force
MachineInfo script reveals system information
http://xforce.iss.net/static/1730.php
CVE
CAN-1999-1067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1067
IIS unauthorized ODBC data access with RDS (HTTP_MDAC_Access)
About this signature or vulnerability
This signature detects an HTTP POST request to /msadc/msadcs.dll.
False positives
RealSecure Network Sensor: A false positive is possible if a legitimate HTTP POST
request is made to /msadc/msadcs.dll.
RealSecure Server Sensor: A false positive is possible if a legitimate HTTP POST request
is made to /msadc/msadcs.dll.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: SR 1.1, RealSecure Server Sensor: 6.5
Systems affected
Windows NT, Microsoft IIS: 4.0, Microsoft Data Access Components (MDAC): All
versions, Windows 2000
Type
Unauthorized Access Attempt
Vulnerability description
Microsoft Data Access Components (MDAC) versions 2.1 and earlier, in the default
configuration, could allow a remote attacker to access OLE database sources. Remote Data
Services (RDS), one of the components of MDAC, is designed to permit remote data access
to authenticated users through Microsoft Internet Information Server (IIS). A vulnerability
in the DataFactory object of RDS could allow an attacker to use a Web client to send a SQL
query to OLE database datasources.
If the remote server is available to the Windows NT IIS server, and the attacker knows the
correct IP address, SQL account and password, and database name, the attacker could
retrieve the query results through the Web client. This vulnerability is compounded by
the fact that many SQL databases contain a default administrator username ("sa") with a
null password.
In addition, under some configurations this vulnerability could allow an attacker to
execute shell commands or access files on the IIS server as a privileged user.
How to remove this vulnerability
Upgrade to the latest version of MDAC, version 2.5 or later, as described in Microsoft
Security Bulletin (MS99-025): Frequently Asked Questions. See References.
Remove Sample Pages for RDS on production systems. Delete the directory, including all
of its subfolders: %systemdrive%\program files\common files\system\msadc\samples
— OR —
If RDS functionality is not needed, delete the /msadc virtual directory from the default
Web site.
Windows NT
Delete the following registry keys from the Registry Editor or a batch file:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls
Using the Registry Editor, delete the registry keys as follows:
1. Open the Registry Editor. From the Windows NT Start menu, select Run. Type regedt32 and click OK.
2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch registry key.
3. Select the RDSServer.DataFactory key.
4. From the Edit menu, select Delete and verify the deletion.
5. Repeat steps 3 and 4 to delete the AdvancedDataFactory and VbBusObj.VbBusObjCls keys.
— OR —
Use the REGDEL.exe command-line utility to remove DataFactory functionality. REGDEL.exe is a tool
available as part of the Windows NT Resource Kit utilities that can be used to delete registry entries
from the command line:
1. Copy the following text into a .bat file (for example, c:\dfremove.bat) and run the batch file on
machines on which you want to remove the RDS components.
REM Batch file to remove RDS components
REM Make sure that REGDEL.exe from the Resource Kit is in your PATH
REGDEL "SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory"
REGDEL "SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory"
REGDEL "SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls"
Echo RDS Keys Removed
2. Execute or run the batch file on the web server.
Windows 2000
Delete the following registry keys from the Registry Editor or a batch file:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls
Using the Registry Editor, delete the registry keys as follows:
1. Open the Registry Editor. From the Start menu, select Run. Type regedt32 and click OK.
2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch registry key.
3. Select the RDSServer.DataFactory key.
4. From the Edit menu, select Delete and verify the deletion.
5. Repeat steps 3 and 4 to delete the AdvancedDataFactory and VbBusObj.VbBusObjCls keys.
— OR —
Use the REGDEL.exe command-line utility to remove DataFactory functionality. REGDEL.exe is a tool
available as part of the Windows NT Resource Kit utilities that can be used to delete registry entries
from the command line:
1. Copy the following text into a .bat file (for example, c:\dfremove.bat) and run the batch file on
machines on which you want to remove the RDS components.
REM Batch file to remove RDS components
REM Make sure that REGDEL.exe from the Resource Kit is in your PATH
REGDEL "SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory"
REGDEL "SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory"
REGDEL "SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls"
Echo RDS Keys Removed
2. Execute or run the batch file on the web server.
References
Microsoft Security Bulletin MS98-004
Unauthorized ODBC Data Access with RDS and IIS
http://www.microsoft.com/TechNet/security/bulletin/ms98-004.asp
Microsoft Knowledge Base Article Q184375
Security Implications of RDS 1.5, IIS 3.0 or 4.0, and ODBC
http://support.microsoft.com/support/kb/articles/q184/3/75.asp
Microsoft Security Bulletin MS99-025
Re-Release: Unauthorized Access to IIS Servers through ODBC Data Access with RDS
http://www.microsoft.com/TechNet/security/bulletin/ms99-025.asp
CIAC Information Bulletin J-054
Unauthorized Access to IIS Servers through ODBC Data Access with RDS
http://www.ciac.org/ciac/bulletins/j-054.shtml
Microsoft Security Bulletin MS99-025 FAQ
Microsoft Security Bulletin (MS99-025): Frequently Asked Questions
http://www.microsoft.com/technet/security/bulletin/fq99-025.asp
CERT Incident Note IN-1999-08
Attacks against IIS web servers involving MDAC
http://www.cert.org/incident_notes/IN-99-08.html
Internet Security Systems Security Alert #32
Vulnerabilities in Microsoft Remote Data Service
http://xforce.iss.net/alerts/advise32.php
Microsoft Universal Data Access Download page
MDAC 2.5 RTM
http://www.microsoft.com/data/download.htm
ISS X-Force
IIS unauthorized ODBC data access with RDS
http://xforce.iss.net/static/1212.php
CVE
CVE-1999-1011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1011
Internet Explorer msradio buffer overflow (HTTP_MSRadio_Overflow)
About this signature or vulnerability
This signature detects a vnd.ms.radio URL containing more than 300 characters, which
could indicate an attempt by an attacker to overflow a buffer in the MSDXM.OCX file.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: SR 1.1
Systems affected
Microsoft Internet Explorer: 5.0
Type
Unauthorized Access Attempt
Vulnerability description
Microsoft Internet Explorer 5.x is vulnerable to a buffer overflow in the file MSDXM.OCX.
By sending a string of 360 or more characters to the local call vnd.ms.radio:\\, an attacker
can overflow the buffer and execute arbitrary code on the system.
How to remove this vulnerability
No remedy available as of September 2000.
References
BugTraq Mailing List, Sun Dec 05 1999 02:32:02
new IE5 remote exploit
http://www.securityfocus.com/archive/1/37444
ISS X-Force
Internet Explorer msradio buffer overflow
http://xforce.iss.net/static/3695.php
CVE
CVE-1999-0989
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0989
NCSA httpd allows remote users to execute commands (HTTP_NCSA_Buffer_Overflow)
False positives
RealSecure Network Sensor: A false positive is possible for URLs exceeding 256
characters. RealSecure displays the first 80 characters of the URL. Examine the URL
carefully: an abundance of unprintable characters is indicative of a buffer overflow attack;
if the characters are primarily ASCII, then this event is most likely a false positive.
RealSecure Server Sensor: A false positive is possible for URLs exceeding 256 characters.
RealSecure displays the first 80 characters of the URL. Examine the URL carefully: if there
are lots of unprintable characters, then this is likely to be a buffer overflow attack; if the
characters are primarily ASCII, then it is most likely a false positive.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
NCSA Servers: Old Versions
Type
Unauthorized Access Attempt
Vulnerability description
A vulnerability in the NCSA HTTP server version 1.3 could allow a remote attacker to
send a specially constructed request to execute arbitrary code on the server. An attacker
could use this to gain root-level access. Exploit information for various platforms has been
made widely available for this vulnerability.
How to remove this vulnerability
Switch to a supported server platform, such as Apache.
— OR —
Upgrade to the last stable release of the NCSA server or apply patches to correct this
problem. (The NCSA server is otherwise no longer supported.)
References
CERT Advisory CA-1995-04
NCSA HTTP Daemon for UNIX Vulnerability
http://www.cert.org/advisories/CA-1995-04.html
CIAC Information Bulletin F-11
Unix NCSA httpd Vulnerability
http://ciac.llnl.gov/ciac/bulletins/f-11.shtml
ISS X-Force
NCSA httpd allows remote users to execute commands
http://xforce.iss.net/static/517.php
CVE
CVE-1999-0267
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0267
Netscape Enterprise Server allows remote directory listing (HTTP_Netscape_List_Directories)
False positives
RealSecure Network Sensor: A false positive is possible for legitimate HTTP INDEX
requests. Though there are legitimate reasons for HTTP INDEX requests, such a request
can be used by an attacker to gain access to sensitive information on Netscape Enterprise
Web servers.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
Netscape Enterprise Server: 3.0, Netscape Enterprise Server: 4.0
Type
Unauthorized Access Attempt
Vulnerability description
Netscape Enterprise Server versions 3.0 and 4.0 with the Web Publishing feature enabled
could allow a remote attacker to obtain a directory listing of the server. A remote attacker
can connect to the server using telnet and send an "INDEX / HTTP/1.0" request to cause
the server to display the directory listing. An attacker can use this vulnerability to gain
access to sensitive information.
How to remove this vulnerability
No remedy available as of February 2001.
As a workaround, disable Web Publishing or disable INDEX requests.
References
S.A.F.E.R. Security Bulletin 010124.EXP.1.11
Netscape Enterprise Server - INDEX request problem
http://www.safermag.com/advisories/0013.html
ISS X-Force
Netscape Enterprise Server allows remote directory listing
http://xforce.iss.net/static/5997.php
CVE
CAN-2001-0250
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0250
Netscape Enterprise Server can be tricked into listing Web directories (HTTP_Netscape_PageServices)
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
Netscape Enterprise Server
Type
Pre-attack Probe
Vulnerability description
Some versions of Netscape Enterprise Server can be tricked into revealing file listings for
directories that otherwise could not be viewed due to the existence of an index.html file. A
remote attacker could view file listings not intended for public access by requesting a URL
that includes the string "?PageServices." File listings could be useful to an attacker in
planning future attacks.
How to remove this vulnerability
Disable directory browsing on affected servers.
— AND —
Upgrade to the latest version of iPlanet Web Server, Enterprise Edition (6.0 or later),
available from the iPlanet Web site. See References.
References
BugTraq Mailing List, Sun Aug 16 1998 19:38:41
Fw: [NTSEC] Netscape Server Security Hole
http://www.securityfocus.com/archive/1/10341
iPlanet Web site
Downloads
http://www.iplanet.com/downloads/download/index.html
ISS X-Force
Netscape Enterprise Server can be tricked into listing Web directories
http://xforce.iss.net/static/1810.php
CVE
CVE-1999-0269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269
Netscape Enterprise Server REVLOG denial of service (HTTP_Netscape_Revlog)
About this signature or vulnerability
This signature detects an HTTP 'REVLOG' request, which may indicate an attacker's
attempt to crash or otherwise disrupt the service of a Netscape Enterprise Web server.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 3.3
Systems affected
Netscape Enterprise Server
Type
Suspicious Activity
Vulnerability description
Netscape Enterprise Server version 3.x with Web Publishing enabled is vulnerable to a
denial of service attack. A remote attacker can connect to the server and submit a
'REVLOG / HTTP/1.0' request to cause the server to crash.
How to remove this vulnerability
No remedy available as of August 2001.
As a workaround, disable Web Publishing or REVLOG requests, as listed in S.A.F.E.R.
Security Bulletin 010125.DOS.1.5.
References
S.A.F.E.R. Security Bulletin 010125.DOS.1.5
Netscape Enterprise Server - REVLOG request problem
http://www.safermag.com/advisories/0014.html
ISS X-Force
Netscape Enterprise Server REVLOG denial of service
http://xforce.iss.net/static/6003.php
CVE
CAN-2001-0251
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0251
Netscape servers could reveal source code to some scripts (HTTP_Netscape_SpaceView)
False positives
RealSecure Network Sensor: As the regular expression (" $") is written, it detects any URL
that has a space character immediately before termination, so a URL with any number of
trailing spaces (not just one) would also trigger this event. Testing has not revealed
whether this is a valid exploit of this particular problem. Trailing spaces on a URL are
anomalous regardless, and the possible false positive is acceptable.
RealSecure Server Sensor: As the regular expression (" $") is written, it detects any URL
that has a space character immediately before termination, so a URL with any number of
trailing spaces (not just one) would also trigger this event. Testing has not revealed
whether this is a valid exploit of this particular problem. Trailing spaces on a URL are
anomalous regardless, and the possible false positive is acceptable.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Netscape FastTrack, Netscape Enterprise Server
Type
Pre-attack Probe
Vulnerability description
A vulnerability in Netscape Enterprise and FastTrack servers could allow a remote
attacker to view the source to scripts that are not normally accessible. A remote attacker
can append a space character in the form of "%20" to the end of a GET request to cause the
server to mistakenly return the source code to the script instead of executing the script.
This could reveal sensitive information about the setup of the server or its back end.
How to remove this vulnerability
Apply the 186244-readme patch, as listed in Allaire Security Bulletin (ASB99-06). See
References.
References
Allaire Security Bulletin ASB99-06
Netscape Servers for Win NT Exposure of Source Code with "%20"
http://www.allaire.com/handlers/index.cfm?ID=10967
Netscape Communications, Inc. Web site
PATCH #P186244 Release Notes
http://help.netscape.com/products/server/enterprise/P186244-readme.html
ISS X-Force
Netscape servers could reveal source code to some scripts
http://xforce.iss.net/static/2206.php
CVE
CAN-1999-0286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0286
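The request-line checks described in the entries above (the POST to /msadc/msadcs.dll, the all-caps .JSP extension, the INDEX and REVLOG methods, the "?PageServices" string, the trailing-space (" $") rule of HTTP_Netscape_SpaceView, the 300-character vnd.ms.radio limit, and the 256-character NCSA rule with its unprintable-character triage) gathered into one script. This is an added example, not RealSecure code or any part of the guide: the thresholds, paths and regular expression are taken from the entries, while the function names and the sample request lines are constructed here.

```python
"""Request-line checks modelled on the HTTP signatures in this section.

Added example, not RealSecure code: paths, methods, thresholds and the " $"
regex come from the guide; function names are assumed, samples constructed.
"""
import re
from urllib.parse import unquote

NCSA_URL_LIMIT = 256      # HTTP_NCSA_Buffer_Overflow flags URLs longer than this
MSRADIO_URL_LIMIT = 300   # HTTP_MSRadio_Overflow flags vnd.ms.radio URLs longer than this
DISPLAY_CHARS = 80        # RealSecure shows only the first 80 characters of a URL
TRAILING_SPACE = re.compile(r" $")   # the guide's HTTP_Netscape_SpaceView expression


def parse_request_line(line):
    """Split 'METHOD URL HTTP/x.y' into (method, url, version); None if malformed."""
    try:
        method, rest = line.rstrip("\r\n").split(" ", 1)
        url, version = rest.rsplit(" ", 1)   # rsplit keeps any spaces inside the URL
    except ValueError:
        return None
    if not version.startswith("HTTP/"):
        return None
    return method, url, version


def match_signatures(line):
    """Return the names of the guide's signatures that one request line triggers."""
    parsed = parse_request_line(line)
    if parsed is None:
        return []
    method, url, _ = parsed
    path = url.split("?", 1)[0]
    decoded = unquote(url)        # a trailing "%20" becomes a trailing space
    hits = []
    if method == "POST" and path.lower() == "/msadc/msadcs.dll":
        hits.append("HTTP_MDAC_Access")        # fires on legitimate POSTs as well
    if path.endswith(".JSP"):
        hits.append("HTTP_JSP_SourceRead")     # all-caps extension on WebLogic
    if method == "INDEX":
        hits.append("HTTP_Netscape_List_Directories")
    if method == "REVLOG":
        hits.append("HTTP_Netscape_Revlog")
    if "?PageServices" in url:
        hits.append("HTTP_Netscape_PageServices")
    if TRAILING_SPACE.search(decoded):
        # Also fires on more than one trailing space; the guide accepts that.
        hits.append("HTTP_Netscape_SpaceView")
    if url.lower().startswith("vnd.ms.radio:") and len(url) > MSRADIO_URL_LIMIT:
        hits.append("HTTP_MSRadio_Overflow")
    if len(url) > NCSA_URL_LIMIT:
        hits.append("HTTP_NCSA_Buffer_Overflow")
    return hits


def ncsa_triage(url):
    """Guide's false-positive rule: mostly unprintable = likely overflow,
    mostly printable ASCII = likely false positive. Examines the whole URL,
    not just the DISPLAY_CHARS characters the console would show."""
    decoded = unquote(url)   # non-UTF-8 %xx bytes decode to U+FFFD, counted as unprintable
    unprintable = sum(1 for c in decoded if not 32 <= ord(c) < 127)
    if unprintable > len(decoded) / 2:
        return "likely buffer overflow"
    return "likely false positive"


# Constructed sample traffic: one benign line, then one line per signature.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "POST /msadc/msadcs.dll HTTP/1.1",
    "GET /examples/login.JSP HTTP/1.0",
    "INDEX / HTTP/1.0",
    "REVLOG / HTTP/1.0",
    "GET /private/?PageServices HTTP/1.0",
    "GET /cgi-bin/report.pl%20 HTTP/1.0",
    "GET /" + "%90" * 100 + " HTTP/1.0",   # 301-character URL, nearly all unprintable
    "GET /" + "a" * 300 + " HTTP/1.0",     # 301-character URL, plain ASCII
]


def scan(lines=SAMPLE_REQUESTS):
    """Return (truncated line, hits) pairs, with the NCSA triage verdict appended."""
    report = []
    for line in lines:
        hits = match_signatures(line)
        if "HTTP_NCSA_Buffer_Overflow" in hits:
            hits.append("triage: " + ncsa_triage(parse_request_line(line)[1]))
        report.append((line[:DISPLAY_CHARS], hits))
    return report


if __name__ == "__main__":
    for shown, hits in scan():
        print(f"{shown!r:<84} -> {hits or ['no match']}")
```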
Nimda worm propagation (HTTP_Nimda_Riched20dll)
About this signature or vulnerability
This signature detects when a file named "riched20.dll" is written to a Windows file
server. This file is created by the Nimda worm, and it may also be created by other
malicious worms or viruses.
False positives
RealSecure Server Sensor: A false positive is possible if users copy large directories to
servers and those directories contain a file named riched20.dll.
Default risk level
High
Sensors that have this signature
RealSecure Server Sensor: 6.5
Systems affected
Windows NT, Windows 95, Windows 98, Microsoft IIS: 4.0, Windows 2000, Windows ME,
Microsoft IIS: 5.0
Type
Suspicious Activity
Vulnerability description
The Nimda worm is similar in functionality to the Code Red worm and its derivatives.
The Nimda worm attempts to identify vulnerable Microsoft IIS servers by using several
Unicode Web Folder Traversal vulnerability attack strings to probe for vulnerable IIS
systems and deface them. Nimda can infect any Windows system and then propagate by
emailing copies of itself to individuals in MAPI (Messaging Application Programming
Interface) address books, or by identifying and infecting vulnerable IIS servers.
Nimda takes advantage of standard email distribution techniques to broaden the range of
target hosts. Instead of only attacking Web servers with Web server vulnerabilities,
Nimda is designed to also propagate using spoofed email. The email is spoofed to appear
to have been sent by trusted sources. Nimda relies on extensive local propagation once a
system is infected. It replaces '.dll', '.eml', and '.nws' files on all shared drives. It also appends
itself to all '.htm', '.html', and '.asp' files on the infected system. This also allows the worm
to spread to remote users when they access Web pages on infected servers.
For additional information regarding the "Nimda" worm, refer to Internet Security
Systems Security Alert #97. See References.
How to remove this vulnerability
For Microsoft IIS versions 4.0 and 5.0:
Apply the latest IIS cumulative security patch to prevent Web servers from being
compromised by the Nimda worm, as listed in Microsoft Security Bulletin MS01-044. See
References.
For Microsoft Internet Explorer versions 5.01 and 5.5:
To prevent the automatic execution of email attachments caused by an incorrect MIME
header, apply the appropriate patch for your system, as listed in Microsoft Security
Bulletin MS01-020. See References.
Additional information on recovering from a system compromise is available from the
CERT Coordination Center Web site. See References.
References
Internet Security Systems Security Alert #97
Aggressive Propagation of Nimda Worm
http://xforce.iss.net/alerts/advise97.php
CERT Advisory CA-2001-26
Nimda Worm
http://www.cert.org/advisories/CA-2001-26.html
Microsoft Security Bulletin MS01-044
15 August 2001 Cumulative Patch for IIS
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
Microsoft Security Bulletin MS01-020
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
F-Secure Computer Virus Information Page
Nimda
http://www.f-secure.com/v-descs/nimda.shtml
CERT Coordination Center
Steps for Recovering from a UNIX or NT System Compromise
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
BugTraq Mailing List, Tue Sep 18 2001 18:49:43
Nimda Worm
http://www.securityfocus.com/archive/1/215177
CIAC Information Bulletin L-144
The W32.nimda Worm
http://www.ciac.org/ciac/bulletins/l-144.shtml
Microsoft TechNet
Information on the "Nimda" Worm
http://www.microsoft.com/technet/security/topics/Nimda.asp
CIAC Information Bulletin L-132
Microsoft Cumulative Patch for IIS
http://www.ciac.org/ciac/bulletins/l-132.shtml
ISS X-Force
Nimda worm propagation
http://xforce.iss.net/static/7130.php
Novell Convert.bas Web server script (HTTP_Novell_Convert)
About this signature or vulnerability
This signature detects an attack on the convert.bas cgi-bin program included as part of
some versions of Novell's HTTP server.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 1.0
Systems affected
Novell Web Server: 1.0, Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability description
The convert.bas program is included as part of the default installation of some versions of
the Novell HTTP server. A remote attacker can access the convert.bas program by using
specially formatted arguments to read any file on the Web server that is readable by the
ID of the Web server process. An attacker can use this vulnerability to gain information
that could be useful in performing further attacks.
How to remove this vulnerability
Apply the web002.exe patch, available from the Novell Web site. See References.
— OR —
Remove the convert.bas program from the Web server.
References
Firewalls Mailing List, Wed, 3 Jul 1996 14:50:06 -0700 (PDT)
*** SECURITY ALERT ***
http://www.netsys.com/firewalls/firewalls-9607/0102.html
Novell Web site
WEB002.EXE: Web Server Security
http://support.novell.com/cgi-bin/search/tidfinder.cgi?2911895
SecurityWire.com Web site
Novell HTTPd Server has default GI that can be breached
http://www.securitywire.com/hack/novell/phunc_cgi.novell
BugTraq Mailing List, Wed Jul 03 1996 18:02:35
BoS: *** SECURITY ALERT *** (fwd)
http://www.securityfocus.com/archive/1/4875
ISS X-Force
Novell Convert.bas Web server script
http://xforce.iss.net/static/339.php
CVE
CVE-1999-0175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0175
Novell CGI script files.pl could allow remote file viewing (HTTP_Novell_Files)
About this signature or vulnerability
This signature detects HTTP GET requests for the files.pl PERL script distributed with
Novell WebServer Examples Toolkit v2.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 3.2
Systems affected
Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability description
A vulnerability in the files.pl script distributed with Novell WebServer Examples Toolkit
v2 could allow a remote attacker to view the contents of any file or directory on
vulnerable servers. The attacker would be limited to viewing files accessible to the user
owning the server process.
How to remove this vulnerability
Remove the 'files.pl' script from any production or sensitive servers on your network. It is
a good practice to always remove sample scripts from the CGI-BIN directory of your Web
server before putting it into production.
References
WWW Security FAQ
Are there any known security problems with Novell WebServer?
http://www.w3.org/Security/Faq/wwwsf8.html#Q87
WWW Security FAQ
What CGI scripts are known to contain security holes?
http://www.roxanne.org/faqs/www-secure/wwwsf4.html#Q35
ISS X-Force
Novell CGI script files.pl could allow remote file viewing
http://xforce.iss.net/static/2054.php
Nph-test-cgi program remote users can list files (HTTP_NphTestCgi)
About this signature or vulnerability
This signature detects an attack on the cgi-bin nph-test-cgi script.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
NCSA Servers: Old Versions, Apache Web Server: Old Versions, Common Gateway
Interface (CGI)
Type
Pre-attack Probe
Vulnerability description
The nph-test-cgi program allows a remote attacker to list the contents of any readable
directory on a Web server. This allows a remote attacker to inspect the victim's system for
other likely vulnerabilities or targets. By default, the nph-test-cgi program is installed
with Apache Web servers up to and including version 1.0.5. It is also installed with some
versions of the NCSA Web server.
This vulnerability is also commonly present in the test-cgi program.
How to remove this vulnerability
Remove the nph-test-cgi script. The nph-test-cgi script is included in Web server packages
as a code sample and is not required for the cgi-bin directory.
— OR —
Upgrade to the latest available version of the Apache Web server as listed in CERT
Advisory CA-1997-07. See References. Versions 1.1.3 and later do not include the
nph-test-cgi script in a default installation.
References
@stake, Inc./L0pht Security Advisory 04/96
test-cgi vulnerability in certain setups
http://www.atstake.com/research/advisories/1996/test-cgi-vulnerability.txt
CERT Advisory CA-1997-07
Vulnerability in the httpd nph-test-cgi script
http://www.cert.org/advisories/CA-1997-07.html
ISS X-Force
Nph-test-cgi program remote users can list files
http://xforce.iss.net/static/289.php
CVE
CVE-1999-0045
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0045
Netscape Enterprise and Fasttrack authentication buffer overflow (HTTP_NS_Admin_Overflow)
About this signature or vulnerability
This signature detects a long username or password directed at the HTTP Basic
Authentication port of the Netscape Enterprise Server or Netscape Fasttrack Server.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: XPU 1.3, RealSecure Server Sensor: 5.5.2
Systems affected
Netscape Enterprise Server: 3.51, Netscape Enterprise Server: 3.6, Netscape Enterprise
Server: 3.6 SP2, Netscape FastTrack: 3.01
Type
Unauthorized Access Attempt
Vulnerability description
Netscape Enterprise Server and Netscape FastTrack Server are vulnerable to a buffer
overflow in the HTTP Basic Authentication portion of the server. This vulnerability affects
systems running Administration Server with password protected areas that rely on Basic
Authentication.
When accessing a password protected area of the Administration or Web server, an
attacker can cause the server to crash with an access violation error by sending a
username or password that is longer than 508 characters. As a result, an attacker could
execute arbitrary code as SYSTEM on Windows NT, or as root on Unix. Attackers can use
these privileges to gain full access to the server.
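The length condition described above, as an added example that is not part of the ISS guide or of RealSecure's signature logic: decode the Basic Authentication header and measure each credential part against the 508-character limit. The request layout, the `/admin-serv/` path and the host name are constructed for the demo.

```python
"""Added example, not part of the ISS guide: measure the username and password
carried in an HTTP Basic Authentication header, the condition the
HTTP_NS_Admin_Overflow signature watches for (more than 508 characters).
The 508 limit comes from the text; the parsing is this example's own."""
import base64
import binascii
from typing import Dict, Optional, Tuple

MAX_CREDENTIAL_LEN = 508  # from the vulnerability description


def parse_headers(raw: bytes) -> Dict[str, bytes]:
    """Lower-cased header names mapped to values, from a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, bytes] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return headers


def basic_auth_lengths(raw: bytes) -> Optional[Tuple[int, int]]:
    """(username length, password length) of a Basic credential, measured after
    base64 decoding; None when the request carries no decodable Basic credential."""
    auth = parse_headers(raw).get("authorization")
    if auth is None:
        return None
    scheme, _, blob = auth.partition(b" ")
    if scheme.lower() != b"basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # not base64 at all: nothing to measure
    user, sep, password = decoded.partition(b":")
    if not sep:
        return (len(decoded), 0)  # no colon: the whole blob is the username
    return (len(user), len(password))


def is_overlong_basic_auth(raw: bytes) -> bool:
    """True when either credential part exceeds the 508-character limit."""
    lengths = basic_auth_lengths(raw)
    return lengths is not None and any(n > MAX_CREDENTIAL_LEN for n in lengths)


def build_request(user: str, password: str) -> bytes:
    """Constructed sample request for the demo; path and host are placeholders."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (
        "GET /admin-serv/ HTTP/1.0\r\n"
        "Host: www.example.com\r\n"
        f"Authorization: Basic {cred}\r\n\r\n"
    ).encode()


if __name__ == "__main__":
    # 508 characters is still within the limit; 509 is the first flagged length.
    for pw_len in (508, 509):
        req = build_request("admin", "x" * pw_len)
        print(pw_len, basic_auth_lengths(req), is_overlong_basic_auth(req))
```

The check measures the decoded credential rather than the raw header value, so a long base64 string that decodes to a short credential (or to nothing valid) is not reported.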
How to remove this vulnerability
Upgrade to the latest version of iPlanet Web Server (4.0sp2 or later), available from the
iPlanet Downloads Web site. See References.
Netscape has stated that FastTrack will not be patched. Although Netscape released
service pack 3 for Enterprise Server 3.6, which fixes the vulnerability in the Web server,
the Administration Server remains vulnerable. If you are unable to upgrade, block the
Administration Server port at the firewall to prevent outside attacks.
References
Internet Security Systems Security Alert #39
Buffer Overflow in Netscape Enterprise and FastTrack Authentication Procedure
http://xforce.iss.net/alerts/advise39.php
iPlanet Downloads Web site
iPlanet Download Page
http://www.iplanet.com/download_index/downloads_index_9_0.html
ISS X-Force
Netscape Enterprise and Fasttrack authentication buffer overflow
http://xforce.iss.net/static/3586.php
CVE
CVE-1999-0853
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0853
Win32 Web servers allow access to files requested using the 8.3 format (HTTP_NT8.3_Filename)
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
Microsoft IIS: 4.0, Microsoft Personal Web Server: 4.0, Netscape Enterprise Server
Type
Unauthorized Access Attempt
Vulnerability description
All Win32 Microsoft operating systems can associate both a short and a long file name
with a file. For backward compatibility with DOS, the short name is restricted to a length
of 8 characters and an extension of 3 characters ("8.3-compliant" format). The long name is
not restricted to the 8.3-compliant format, but is restricted to a total length of 255
characters.
Windows NT and Windows 95 Web servers create lists of restricted file names for
restricted files on the server. However, because these lists do not contain any short file
names of the files, restricted files can still be accessed through their short file name. In
some cases, when a URL is requested using the short file name, the Web server can apply
different configuration settings to the request (including SSL encryption requirements, IP
address restriction requirements, and PICS ratings). This could enable an attacker to gain
access to unauthorized files.
How to remove this vulnerability
Apply the latest Windows NT 4.0 Service Pack (SP4 or later), available from the Windows
NT Service Packs Web page. See References.
— OR —
Disable the 8.3 file name creation in the Windows NT registry. Choosing to disable 8.3 file
name creation increases both security and performance on the Web server, but it can
cause problems when running 16-bit programs.
To disable 8.3 file name creation, enable the NtfsDisable8dot3NameCreation registry
entry:
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may
cause severe and irreparable damage and may require you to reinstall your operating
system. Internet Security Systems cannot guarantee that problems caused by the use of
Registry Editor can be solved.
1. Verify that no 16-bit applications are used on the Web site. If you require 16-bit
applications, you may still apply the fix if all of the paths and files referenced meet the
8.3 naming convention.
2. Using Registry Editor, find the
HKLM\System\CurrentControlSet\Control\FileSystem registry key.
3. Select Edit -> New -> DWORD Value. A new registry entry is created.
4. Name the new registry entry "NtfsDisable8dot3NameCreation" and set its value to 1.
References
Microsoft TechNet
Microsoft Internet Information Server 4.0 Security Checklist
http://www.microsoft.com/TechNet/security/iischk.asp#6
Microsoft Knowledge Base Article Q179148
Settings May Not Be Applied with URL with Short Filename
http://support.microsoft.com/support/kb/articles/q179/1/48.asp
NTBugtraq Mailing List, Thu, 8 Jan 1998 19:04:23 -0700
Nifty Security hole on Several NT Based Web Servers
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9801&L=ntbugtraq&F=P&S=&P=1298
CERT Advisory CA-1998-04
Microsoft Windows-based Web Servers unauthorized access - long file names
http://www.cert.org/advisories/CA-98.04.Win32.WebServers.html
Bugtraq Mailing List, Sat Aug 14 1999 13:58:38
Win32 File Naming (again)
http://www.securityfocus.com/archive/1/24207
Microsoft Product Support Services
Windows NT Service Packs
http://support.microsoft.com/support/ntserver/Content/ServicePacks/
CIAC Information Bulletin I-025a
Windows NT based Web Servers File Access Vulnerability
http://www.ciac.org/ciac/bulletins/i-025a.shtml
ISS X-Force
Win32 Web servers allow access to files requested using the 8.3 format
http://xforce.iss.net/static/709.php
CVE
CVE-1999-0012
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0012
Oracle Application Server shared library (ndwfn4.so) buffer overflow (HTTP_Oracle_Appserver_Overflow)
About this signature or vulnerability
This signature detects an HTTP GET request greater than 2000 characters preceded by
"/jsp/". This may indicate an attacker's attempt to cause a buffer overflow in the Oracle
Application Server (OAS) shared library file "$ORAHOME/ows/4.0/lib/ndwfn4.so".
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: XPU 3.2
Systems affected
iPlanet Web Server: 4.x, Oracle Application Server: 4.0.8.2
Type
Unauthorized Access Attempt
Vulnerability description
Oracle Application Server (OAS) version 4.0.8.2 is vulnerable to a denial of service attack
caused by a buffer overflow in the shared library file "$ORAHOME/ows/4.0/lib/ndwfn4.so".
By sending a GET request containing a string of 2050 characters or more preceded by
"/jsp/", an attacker can overflow a buffer and execute arbitrary code on the server. This
vulnerability also affects iPlanet Web Server versions 4.0 and 4.1, which use the shared
library file when configured as an external Web listener for OAS.
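The two request patterns described in this entry and in the HTTP_NT8.3_Filename entry above (an 8.3 short-name alias in the path, and 2050 or more characters after "/jsp/"), as one added example that is not part of the ISS guide or of RealSecure's signature logic. The matching rules, the short-name shape, and the fail-closed access check are this example's own assumptions drawn from the text.

```python
"""Added example, not part of the ISS guide: inspect HTTP request lines for
the 8.3 short-name alias request (HTTP_NT8.3_Filename) and the over-long
string after "/jsp/" (HTTP_Oracle_Appserver_Overflow). The matching rules
are this example's own reading of the text, not RealSecure's logic."""
import re
from typing import List, Optional
from urllib.parse import unquote

# Base part of an 8.3 alias as Windows generates it: 1-6 characters, a tilde,
# then a counter. Case-insensitive because the Web server may match that way.
SHORT_BASE_RE = re.compile(r"[^\\/.~\s]{1,6}~\d+", re.IGNORECASE)

JSP_PREFIX = "/jsp/"
JSP_OVERFLOW_LEN = 2050  # "2050 characters or more" in the description


def request_path(request_line: str) -> Optional[str]:
    """Return the request-target of a line such as 'GET /x HTTP/1.0', or None."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else None


def looks_like_short_name(component: str) -> bool:
    """True if a single path component has the NAME~N[.EXT] shape of an 8.3 alias."""
    base, _, ext = component.partition(".")
    if len(base) > 8 or not SHORT_BASE_RE.fullmatch(base):
        return False
    return ext == "" or (1 <= len(ext) <= 3 and "." not in ext)


def short_name_components(path: str) -> List[str]:
    """Path components that look like 8.3 aliases, after stripping the query
    string and URL-decoding (so SECRET%7E1.HTM is caught as well)."""
    decoded = unquote(path.split("?", 1)[0])
    return [c for c in re.split(r"[\\/]", decoded) if looks_like_short_name(c)]


def jsp_tail_length(path: str) -> int:
    """Number of characters following the first '/jsp/' in the path, or 0."""
    idx = path.find(JSP_PREFIX)
    return 0 if idx < 0 else len(path) - (idx + len(JSP_PREFIX))


def inspect_request_line(line: str) -> List[str]:
    """Names of the signatures the request line matches (empty if none)."""
    hits: List[str] = []
    path = request_path(line)
    if path is None:
        return hits
    if short_name_components(path):
        hits.append("HTTP_NT8.3_Filename")
    if jsp_tail_length(path) >= JSP_OVERFLOW_LEN:
        hits.append("HTTP_Oracle_Appserver_Overflow")
    return hits


def restricted_request(path: str, restricted_long_names: List[str]) -> bool:
    """Access check that does not trust a name list alone: deny when the path is
    on the restricted list OR when it uses an 8.3 alias the list cannot name.
    Denying aliases outright is this example's interim mitigation, pending the
    service pack or registry fix the guide recommends."""
    decoded = unquote(path.split("?", 1)[0]).lower()
    if decoded in (p.lower() for p in restricted_long_names):
        return True
    return bool(short_name_components(path))


if __name__ == "__main__":
    # Constructed sample request lines, not captured traffic.
    samples = [
        "GET /private/SECRET~1.HTM HTTP/1.0",
        "GET /private/secretreport.htm HTTP/1.0",
        "GET /~user/index.html HTTP/1.0",
        "GET /jsp/" + "A" * 2050 + " HTTP/1.0",
    ]
    for s in samples:
        print(s[:60], "->", inspect_request_line(s))
```

A home-directory path such as `/~user/` has no characters before the tilde and is not reported, which keeps the short-name check from firing on ordinary personal pages.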
How to remove this vulnerability
Upgrade to the latest version of iPlanet Web Server (4.1sp7 or later), available from the
iPlanet Web site. See References.
References
S.A.F.E.R. Security Bulletin 0016
Oracle Application Server shared library buffer overflow
http://www.safermag.com/advisories/0016.html
CERT Vulnerability Note VU#276767
iPlanet web servers expose sensitive data via buffer overflow
http://www.kb.cert.org/vuls/id/276767
@stake, Inc. Security Advisory A041601-1
iPlanet Web Server Enterprise Edition 4.0, 4.1 Response Header Overflow
http://www.atstake.com/research/advisories/2001/a041601-1.txt
iPlanet Web site
Important iPlanet Web Server 4.x Product Alert: Recommend Immediate Patch/Upgrade
http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16.html
BugTraq Mailing List, Tue Apr 17 2001 12:42:47
iPlanet Web Server 4.x Product Alert
http://www.securityfocus.com/archive/1/177220
ISS X-Force
Oracle Application Server shared library (ndwfn4.so) buffer overflow
http://xforce.iss.net/static/6334.php
CVE
CAN-2001-0327
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0327
Order Form shopping cart misconfiguration exposes order information (HTTP_Orderform)
About this signature or vulnerability
This signature detects an HTTP GET request for the Merchant Order Form order log file.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 1.3, RealSecure Server Sensor: 5.5.2
Systems affected
Merchant Order Form
Type
Unauthorized Access Attempt
Vulnerability description
The Merchant Order Form shopping cart system could potentially be misconfigured in
such a way that sensitive order information is exposed to remote attackers.
How to remove this vulnerability
Reinstall the Merchant Order Form Shopping Cart application, following the installation
instructions carefully. To prevent unauthorized remote access to sensitive Merchant
Order Form Shopping Cart files and directories, ensure that appropriate permissions have
been set.
References
BugTraq Mailing List, Tue Apr 20 1999 13:34:57
Re: Shopping Carts exposing CC data
http://www.securityfocus.com/archive/1/13363
The Rainbow Garden Web site
Merchant Order Form v1.4 - WebWare
http://www.io.com/~rga/scripts/cgiorder.html
ISS X-Force
Order Form shopping cart misconfiguration exposes order information
http://xforce.iss.net/static/3860.php
CVE
CAN-1999-0605
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0605
PDGSoft's Shopping Cart misconfiguration exposes config and order files (HTTP_PDGSoft)
About this signature or vulnerability
This signature detects an HTTP GET request for the PDGSoft Shopping Cart order log file
or the configuration file.
False negatives
RealSecure Network Sensor: RealSecure detects a misconfiguration of the PDGSoft
Shopping Cart application only when particular exposed files are installed in a default
directory, the "PDG_Cart" directory. A false negative is possible if the exposed files are
installed in a directory other than "PDG_Cart".
RealSecure Server Sensor: RealSecure detects a misconfiguration of the PDGSoft
Shopping Cart application only when particular exposed files are installed in a default
directory, the "PDG_Cart" directory. A false negative is possible if the exposed files are
installed in a directory other than "PDG_Cart".
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 1.3, RealSecure Server Sensor: 5.5.2
Systems affected
PDGSoft Shopping Cart
Type
Unauthorized Access Attempt
Vulnerability description
PDGSoft's Shopping Cart Web-based shopping systems could be potentially
misconfigured by the site's administrator. This misconfiguration could expose the order
log file and the configuration file, which includes the system's admin username and
password in plaintext.
How to remove this vulnerability
Reinstall the PDGSoft Shopping Cart application, following the installation instructions
carefully. To prevent unauthorized remote access to sensitive PDGSoft Shopping Cart
files and directories, ensure that appropriate permissions have been set.
References
BugTraq Mailing List, Tue Apr 20 1999 13:34:57
Re: Shopping Carts exposing CC data
http://www.securityfocus.com/archive/1/13363
Ecommerce Guide Web site
PDG Software's Response to Security Threat
http://ecommerce.internet.com/outlook/article/0,1467,7761_239511,00.html
PDG Software, Inc. Web site
PDG Software Moves Quickly to Ensure Customers' Security
http://www.pdgsoft.com/Security/security.html
ISS X-Force
PDGSoft’s Shopping Cart misconfiguration exposes config and order files
http://xforce.iss.net/static/3857.php
CVE
CVE-1999-0608
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0608
IRIX pfdispaly.cgi program was not fixed by a previous SGI patch (HTTP_Pfdisplay_Execute)
False positives
RealSecure Network Sensor: A false positive is possible for legitimate uses of
pfdispaly.cgi.
RealSecure Server Sensor: A false positive is possible for legitimate uses of
pfdispaly.cgi.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
IRIX: 6.2, IRIX: 6.3, IRIX: 6.4, Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability description
The IRIX Performer API Search Tool (pfdispaly.cgi) is a Web-based search tool that
assists in searching man pages, documents, example code, and special items known as
classes, methods, tokens, and samples. A vulnerability in the pfdispaly.cgi program
could allow a remote user to run any file on the system with 'nobody' privileges.
This vulnerability was not corrected in the SGI pfdispaly patch 3018.
How to remove this vulnerability
No remedy available as of January 2001. As a workaround, change the permissions of the
pfdispaly.cgi program to prevent non-root users from executing the program.
References
BugTraq Mailing List, Tue Apr 07 1998 04:16:01
perfomer_tools again
http://www.securityfocus.com/archive/1/8935
ISS X-Force
IRIX pfdispaly.cgi program was not fixed by a previous SGI patch
http://xforce.iss.net/static/1434.php
SGI pfdispaly.cgi script allows remote file viewing with server privileges (HTTP_Pfdisplay_Read)
False positives
RealSecure Network Sensor: A false positive is possible for normal, legitimate uses of
pfdispaly.cgi.
RealSecure Server Sensor: A false positive is possible for normal, legitimate uses of
pfdispaly.cgi.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
IRIX: 6.2, IRIX: 6.3, IRIX: 6.4, Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability description
The IRIS Performer API Search Tool is a Web-based search tool that assists in searching
man pages, documents, example code, and special items known as classes, methods,
tokens, and samples. A vulnerability in the pfdispaly.cgi program could allow remote
users to view any file on the system with 'nobody' privileges.
How to remove this vulnerability
For SGI IRIX 6.2, 6.3, or 6.4 systems, apply patch 3018, as listed in Silicon Graphics Inc.
Security Advisory 19980401-01-P3018. See References.
References
SGI Security Advisory 19980401-01-P3018
Performer API Search Tool 2.2 pfdispaly.cgi Vulnerability
ftp://patches.sgi.com/support/free/security/advisories/19980401-01-P3018
BugTraq Mailing List, Mon Mar 16 1998 23:06:48
IRIX performer_tools bug
http://www.securityfocus.com/archive/1/8783
CIAC Information Bulletin I-041
Performer API Search Tool 2.2 pfdispaly.cgi Vulnerability
http://ciac.llnl.gov/ciac/bulletins/i-041.shtml
ISS X-Force
SGI pfdispaly.cgi script allows remote file viewing with server privileges
http://xforce.iss.net/static/810.php
CVE
CVE-1999-0270
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0270
Phone book CGI phf allows remote execution of arbitrary commands (HTTP_PHF)
About this signature or vulnerability
This signature detects HTTP GET requests for the cgi-bin script "phf," which may indicate
attempts by an attacker to execute arbitrary commands on a Web server.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
NCSA Servers: Old Versions, Apache Web Server: Old Versions, Common Gateway
Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability description
A vulnerability exists in the phf phone book that is pre-installed with several older
versions of NCSA and Apache Web server packages. The pre-installed cgi-bin script "phf"
could allow a remote attacker to execute arbitrary commands on a Web server. Exploit
information for this vulnerability is widespread and many programs exist to actively
probe entire networks for this vulnerability. An attacker could use the phone book
program to deface a Web page.
This vulnerability could also be used by an attacker to gather information for further
attacks or to gain root or administrator access to the target system.
How to remove this vulnerability
No remedy available as of April 2001.
As a workaround, remove the phf program from the cgi-bin directory (it is not necessary
for normal operation of your Web server). If your situation requires the use of phf, permit
only those characters that you are certain you can handle correctly. Do not filter out bad
characters.
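The workaround's advice (permit only the characters you can handle; do not filter out bad ones), as an added example that is not part of the ISS guide or of phf: a deny-list filter beside an allow-list check on a decoded query parameter. The parameter name, the allowed character set and the 64-character limit are this example's assumptions.

```python
"""Added example, not part of the ISS guide or of phf: contrast the deny-list
filtering the remedy warns against with the allow-list check it recommends.
Character sets, the 64-character limit and the parameter name are assumptions."""
import re
from typing import Optional
from urllib.parse import unquote_plus

# Deny-list approach: remove a handful of shell metacharacters and pass the rest.
# Anything not on the list (here, a newline) goes through untouched.
DENIED_CHARS = set(";|&`$<>")


def denylist_filter(value: str) -> str:
    """What 'filtering out bad characters' looks like: it keeps whatever it
    did not anticipate, which is why the guide advises against it."""
    return "".join(ch for ch in value if ch not in DENIED_CHARS)


# Allow-list approach: only the characters a name lookup needs, with a length
# bound. fullmatch is used rather than '$' so a trailing newline cannot pass.
ALLOWED_RE = re.compile(r"[A-Za-z0-9 .'\-]{1,64}")


def allowlist_ok(value: str) -> bool:
    """True only when every character is one the application can handle."""
    return ALLOWED_RE.fullmatch(value) is not None


def validated_param(query_string: str, name: str) -> Optional[str]:
    """Decode name=value from a CGI QUERY_STRING and return the value only if it
    passes the allow-list; None means the request should be rejected."""
    for pair in query_string.split("&"):
        key, _, raw = pair.partition("=")
        if key == name:
            value = unquote_plus(raw)
            return value if allowlist_ok(value) else None
    return None


if __name__ == "__main__":
    # Constructed inputs: a legitimate name and a value with an embedded newline.
    for q in ("name=O%27Brien", "name=smith%0Asecond+line"):
        print(q, "->", validated_param(q, "name"))
```

Note that `denylist_filter` passes the newline case unchanged while `allowlist_ok` rejects it; the allow-list also accepts a legitimate apostrophe that a careless deny-list might strip.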
References
CERT Advisory CA-1996-06
Vulnerability in NCSA/Apache CGI example code
http://www.cert.org/advisories/CA-1996-06.html
IBM Emergency Response Service Security Vulnerability Alert ERS-SVA-E01-1996:002.1
Some C-language based Common Gateway Interface programs that call a shell to execute
other programs can be tricked into executing any arbitrary command
http://www-1.ibm.com/services/brs/brspwhub.nsf/advisories
IBM Emergency Response Service Security Vulnerability Alert ERS-SVA-E01-1996:002.2
Update of ERS-SVA-E01-1996:002.1
http://www-1.ibm.com/services/brs/brspwhub.nsf/advisories
CERT Vulnerability Note VU#20276
'phf' CGI Script fails to Guard Against newline Characters
https://www.kb.cert.org/vuls/id/20276
ISS X-Force
Phone book CGI phf allows remote execution of arbitrary commands
http://xforce.iss.net/static/148.php
CVE
CVE-1999-0067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0067
PHP/FI php.cgi script contains a remotely exploitable buffer overflow (HTTP_PHP_Overflow)
About this signature or vulnerability
This signature detects an attack on the PHP cgi-bin program.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
PHP, Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability description
The php CGI program php.cgi (part of the PHP/FI package developed by Rasmus
Lerdorf) is vulnerable to a buffer overflow. A remote attacker can overflow the buffer and
execute arbitrary code on the system under the UID of the user owning the httpd process,
usually "nobody." An attacker could exploit this vulnerability to change the contents of a
Web page or gain root or administrator access to the system.
How to remove this vulnerability
Disable access to the php.cgi executable or move the PHP directory structure outside the
Web tree.
— AND —
Upgrade to the latest version of PHP (4.0.4 or later), available from the PHP Web site. See
References.
References
PHP Hypertext Preprocessor Web site
PHP Information
http://www.php.net
Network Associates, Inc. COVERT Labs Security Advisory #12
PHP/FI command line buffer overflow
http://www.pgp.com/research/covert/advisories/012.asp
ISS X-Force
PHP/FI php.cgi script contains a remotely exploitable buffer overflow
http://xforce.iss.net/static/293.php
CVE
CVE-1999-0058
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0058
PHP remote users can read files (HTTP_PHP_Read)
About this signature or vulnerability
This signature detects an attack on the PHP cgi-bin program.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
PHP, Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability description
The php CGI program php.cgi is part of the PHP/FI package developed by Rasmus
Lerdorf. An attacker can access the php.cgi program with specially formatted arguments
to obtain directory listings of directories on the Web server or read the contents of any file
accessible to the user who owns the server process. This information could be used by an
attacker in performing further attacks against the system or network.
How to remove this vulnerability
Disable access to the php.cgi executable or move the PHP directory structure outside the
Web tree.
— AND —
Upgrade to the latest version of PHP (4.0.4 or later), available from the PHP Web site. See
References.
References
PHP Hypertext Preprocessor Web site
PHP Information
http://www.php.net
ISS X-Force
PHP remote users can read files
http://xforce.iss.net/static/292.php
PHP-Nuke unauthorized administrator access (HTTP_PHPNuke_Admin_Access)
About this signature or vulnerability
This signature detects a specially-crafted HTTP GET request for the PHP-Nuke
admin.php3 file. This GET request could indicate an attempt by an attacker to bypass the
PHP-Nuke administrator password to gain unauthorized administrative access to the
program.
False positives
RealSecure Network Sensor: A false positive is possible for installations of PHP-Nuke
that have not implemented a password for the administrator account.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
PHP-Nuke: 2.5
Type
Unauthorized Access Attempt
Vulnerability description
PHP-Nuke is an open-source program for creating and managing news-based Web sites.
PHP-Nuke versions 2.5 and earlier could allow a remote attacker to gain administrator
rights to the program. An attacker could submit a specially-crafted URL that would cause
the program to behave as though a valid administrator password has been entered. An
attacker could exploit administrator rights to edit users, articles, banners, or other related
data.
How to remove this vulnerability
Upgrade to the latest version of PHP-Nuke (3.0 or later), available from the PHP-Nuke
Web site. See References.
References
SecuriTeam.com Mailing List 20 August 2000
Security holes in PHP-Nuke give administrative access to attackers
http://www.securiteam.com/securitynews/5AP0L002AG.html
PHP-Nuke Web site
PHP-Nuke
http://phpnuke.org/
ISS X-Force
PHP-Nuke unauthorized administrator access
http://xforce.iss.net/static/5108.php
CVE
CVE-2000-0745
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0745
PHP-Nuke could allow attackers to redirect ad banner URL links (HTTP_PHPNuke_URL_Redirect)
About this signature or vulnerability
This signature detects an attacker's attempt to change the destination URL of an ad banner
on a Web site that uses the PHP-Nuke program's banners.php file.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 3.2
Systems affected
PHP-Nuke: 4.4 and earlier
Type
Suspicious Activity
Vulnerability description
PHP-Nuke is an open-source program for creating and managing news-based Web sites.
PHP-Nuke versions 4.4 and earlier could allow a remote attacker to alter the destination
URL when a visitor clicks an ad banner on a PHP-Nuke Web site. A remote attacker could
submit a query string within a URL request to an affected PHP-Nuke Web site to alter the
URL destination for a banner ad.
How to remove this vulnerability
Upgrade to the latest version of PHP-Nuke (4.4.1 or later), available from the PHP-Nuke
Web site. See References.
References
BugTraq Mailing List, Mon Apr 02 2001 16:18:53
Php-nuke exploit…
http://www.securityfocus.com/archive/1/173720
BugTraq Mailing List, Wed Apr 04 2001 12:09:15
Re: Php-nuke exploit…
http://www.securityfocus.com/archive/1/174065
PHP-Nuke Web site
PHP-Nuke Download Section
http://www.phpnuke.org/download.php?dcategory=PHP-Nuke&sortby=
PHP-Nuke Web site
PHP-Nuke Download Section
http://phpnuke.org/download.php?dcategory=Fixes
ISS X-Force
PHP-Nuke could allow attackers to redirect ad banner URL links
http://xforce.iss.net/static/6342.php
CVE
CVE-2001-0383
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0383
HTTP POST request to a script or resource (HTTP_Post)
About this signature or vulnerability
This signature detects that a computer on your network has submitted an HTTP POST
request to a Web server.
You can configure RealSecure to terminate HTTP POST connections by using the RSKILL
response on HTTP POST requests. You can also configure RealSecure to only monitor and
record this traffic, instead of stopping it completely.
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
HTTP
Type
Protocol Signature
Vulnerability description
An HTTP POST request is a packet of information that a Web browser is attempting to
send to a Web server. People who browse the Web create these requests when filling out a
form on a Web site that uses HTTP POST. This information can be sensitive in nature,
such as an employee's name, telephone number, or, in some cases, a credit card number.
HTTP POST requests also send information that the user does not see, such as the
computer's IP address or other information about the user's computer.
How to remove this vulnerability
You can prohibit HTTP POST requests in many ways, such as configuring your firewall to
disallow HTTP POST requests.
References
ISS X-Force
HTTP POST request to a script or resource
http://xforce.iss.net/static/3172.php
QuikStore Shopping Cart misconfiguration exposes the config file (HTTP_QuikStore)
About this signature or vulnerability
This signature detects an HTTP GET request for the QuikStore configuration file.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: XPU 1.3, RealSecure Server Sensor: 5.5.2
Systems affected
I-Soft QuikStore
Type
Unauthorized Access Attempt
Vulnerability description
I-Soft's QuikStore shopping cart system could potentially be misconfigured by an
administrator during its installation. This misconfiguration could expose the
configuration file, which contains the plaintext administrator password. An attacker
could use this password to compromise the system.
How to remove this vulnerability
Reinstall the I-Soft QuikStore Shopping Cart application, following the installation
instructions carefully. To prevent unauthorized remote access to sensitive I-Soft
QuikStore Shopping Cart files and directories, ensure that appropriate permissions have
been set.
References
BugTraq Mailing List, Tue Apr 20 1999 13:34:57
Re: Shopping Carts exposing CC data
http://www.securityfocus.com/archive/1/13363
I-Soft, LLC Web site
Shopping Cart Software Program
http://www.quikstore.com/
ISS X-Force
QuikStore Shopping Cart misconfiguration exposes the config file
http://xforce.iss.net/static/3858.php
CVE
CAN-1999-0607
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0607
IRIX reg_echo.cgi reveals server hardware information (HTTP_RegEcho)
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: 3.1, RealSecure Server Sensor: 5.5.2
Systems affected
IRIX, Common Gateway Interface (CGI)
Type
Pre-attack Probe
Vulnerability description
Some versions of IRIX with SoftWindows installed ship by default with a CGI program
called reg_echo.cgi, which returns information about the server's hardware. This
information could be useful to an attacker in performing an attack. The information
returned is roughly identical to that given by the MachineInfo script, also installed by
default.
How to remove this vulnerability
Remove the reg_echo.cgi script from the CGI-BIN directory of your Web server.
References
ISS X-Force
IRIX reg_echo.cgi reveals server hardware information
http://xforce.iss.net/static/1915.php
Robots.txt file controls Web spiders (HTTP_RobotsTxt)
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
HTTP
Type
Pre-attack Probe
Vulnerability description
The robots.txt file is commonly placed in the root directory of a system's Web server to
control the actions of Web robots (often called crawlers or spiders). All robots that adhere
to the Robots Exclusion Standard (see References) will check this file on your server before
proceeding to index or search your site. A user who is able to modify the contents of the
robots.txt file could control the actions of Web robots on your server.
How to remove this vulnerability
This is not a vulnerability. Administrators should review the contents of the robots.txt file
to check if the information is consistent with the policies of their organization.
References
The Web Robots Pages Web site
A Standard for Robot Exclusion
http://www.robotstxt.org/wc/norobots.html
ISS X-Force
Robots.txt file controls Web spiders
http://xforce.iss.net/static/1533.php
Nlog CGI script executes commands (HTTP_RpcNLog)
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 3.1, RealSecure Server Sensor: 5.5.2
Systems affected
Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability description
Nlog is a package of scripts designed to correlate and analyze output from the nmap 2.0
portscanning software. Versions up to 1.1 contain a security flaw in the way
metacharacters are parsed by the rpcnlog.pl script. This flaw could allow a remote
attacker to execute arbitrary commands on the server with the privileges of the user
running the httpd process, usually "nobody."
How to remove this vulnerability
Disable access to the scripts distributed with the nlog package until you can upgrade to
the latest version of nlog (1.1b or later), available from the H D Moore Web site. See
References.
References
BugTraq Mailing List, Sat Dec 26 1998 15:56:17
Nlog 1.1b released - security holes fixed
http://www.securityfocus.com/archive/1/11715
HD Moore Web site
nlog
http://www.digitaloffense.net/nlog/
ISS X-Force
Nlog CGI script executes commands
http://xforce.iss.net/static/1549.php
SCO view-source CGI script allows remote users to read files (HTTP_SCO_View-Source)
About this signature or vulnerability
This signature detects an attack on the view-source cgi-bin script included as part of SCO
Skunkware CD-ROM distributions and other httpd servers.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability
description
The view-source CGI script distributed with some Web servers and the SCO Skunkware
CD-ROM could allow a remote attacker to view files on the Web server. By accessing the
view-source script with specially formatted arguments, a remote attacker can view the
contents of any file on the system. The attacker is limited to reading files accessible to the
user owning the server process, usually "nobody."
An attacker can use this method to list and read the files on the targeted Web server. This
information could be useful to an attacker in performing an attack.
How to remove this
vulnerability
No remedy available as of May 2001.
As a workaround, remove the view-source script from the cgi-bin directory on your Web
server.
References
BugTraq Mailing List, Sat Feb 08 1997 16:49:28
view-source
http://www.securityfocus.com/archive/1/6271
ISS X-Force
SCO view-source CGI script allows remote users to read files
http://xforce.iss.net/static/291.php
CVE
CVE-1999-0174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0174
Malformed HTML <SCRIPT> tag could bypass firewall active
content stripping (HTTP_Script_Bypass)
About this
signature or
vulnerability
This signature detects HTTP data containing a malformed <SCRIPT> tag preceded by an
extra "<" character.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 1.3
Systems affected
Check Point FireWall-1: 3.0
Type
Suspicious Activity
Vulnerability
description
Some commercial firewalls, like Check Point FireWall-1, perform active content filtering
where certain tags are stripped from HTML documents before being passed through the
firewall. A malformed <SCRIPT> tag preceded by an extra "<" character (<<SCRIPT>)
could bypass this filtering process and could allow active content to reach internal hosts.
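The following Python model, added here as an illustration and not part of the original guide or of any Check Point code, shows why a tag-walking stripper misses <<SCRIPT>: it treats the text between "<" and ">" as one tag, reads a tag name of "<SCRIPT" rather than "SCRIPT", and passes the element through, while a browser that tolerates the stray "<" still runs the script. The tolerant stripper and the detection check beside it are assumptions about how such a filter could be hardened, not a description of the FireWall-1 4.0 fix. The sample pages are constructed.

```python
import re

# Constructed sample pages (not from the original guide).
NORMAL_PAGE = '<html><body><SCRIPT>alert("x")</SCRIPT></body></html>'
MALFORMED_PAGE = '<html><body><<SCRIPT>alert("x")</SCRIPT></body></html>'


def tokenising_strip(html):
    """Model of a tag-walking stripper (assumed design, kept weak on purpose).

    Each '<'...'>' run is treated as one tag and the first word inside it as
    the tag name. For '<<SCRIPT>' that name is '<SCRIPT', which is not
    'SCRIPT', so the element is passed through untouched."""
    out, i, n = [], 0, len(html)
    while i < n:
        if html[i] != '<':
            out.append(html[i])
            i += 1
            continue
        close = html.find('>', i + 1)
        if close < 0:                      # unterminated tag: emit the rest
            out.append(html[i:])
            break
        words = html[i + 1:close].split()
        name = words[0].upper() if words else ''
        if name == 'SCRIPT':
            end = html.upper().find('</SCRIPT>', close)
            i = n if end < 0 else end + len('</SCRIPT>')
            continue
        out.append(html[i:close + 1])
        i = close + 1
    return ''.join(out)


# Tolerant stripper: match the way a lenient browser does, allowing any run
# of '<' and whitespace before the tag name, and drop unterminated openers too.
_SCRIPT_BLOCK = re.compile(r'<+\s*script\b.*?</\s*script\s*>', re.I | re.S)
_SCRIPT_OPEN = re.compile(r'<+\s*script\b[^>]*>', re.I)


def tolerant_strip(html):
    return _SCRIPT_OPEN.sub('', _SCRIPT_BLOCK.sub('', html))


# The condition the signature describes: a SCRIPT tag preceded by an extra '<'.
_BYPASS = re.compile(r'<<\s*script\b', re.I)


def matches_script_bypass(data):
    return _BYPASS.search(data) is not None


if __name__ == '__main__':
    for page in (NORMAL_PAGE, MALFORMED_PAGE):
        print('tokenising:', tokenising_strip(page))
        print('tolerant:  ', tolerant_strip(page))
        print('signature: ', matches_script_bypass(page))
```

The point a filter author should take from this: a stripper that sits in front of a browser has to be at least as lenient as the browser's parser, otherwise every tolerated malformation becomes a bypass. Detection of the literal "<<" prefix is cheap, but it only catches the one variant named in the advisory.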
How to remove this
vulnerability
Check Point FireWall-1 users should upgrade to version 4.0 or later, which correctly
handles malformed SCRIPT tags.
References
BugTraq Mailing List, Sat Jan 29 2000 06:51:46
"Strip Script Tags" in FW-1 can be circumvented
http://www.securityfocus.com/archive/1/44250
BugTraq Mailing List, Tue Feb 01 2000 03:10:09
Re: "Strip Script Tags" in FW-1 can be circumvented
http://www.securityfocus.com/archive/1/44439
ISS X-Force
Malformed HTML <SCRIPT> tag could bypass firewall active content stripping
http://xforce.iss.net/static/3905.php
CVE
CVE-2000-0116
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0116
IRIX handler CGI allows remote command execution
(HTTP_SGI_Handler)
About this
signature or
vulnerability
This signature detects an HTTP GET request for the IRIX handler CGI program, with a
pipe character contained in the URL. This could indicate an attempt by an attacker to use
the handler CGI program to execute arbitrary commands on the Web server.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
IRIX: 5.3, IRIX: 6.0.1, IRIX: 6.1, IRIX: 6.2, IRIX: 6.3, IRIX: 6.4, IRIX: 6.0, Common Gateway
Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability
description
The handler cgi-bin program allows a remote attacker to execute arbitrary commands on a
Web server running a vulnerable version of the program. The handler program is part of
the Outbox Environment Subsystem for IRIX, installed by default on all SGI systems
running IRIX 6.2 or newer. Older versions of IRIX may have this package optionally
installed.
How to remove this
vulnerability
Disable the scripts included with the IRIX Outbox Environment Subsystem as a
workaround, and apply the patch noted below.
To disable the scripts:
● Log in as root on the vulnerable system and make the handler program unreadable and
non-executable for the Web server user: # /bin/chmod 400 /var/www/cgi-bin/handler
(assuming the default install path of /var/www).
● Alternatively, log in as root on the vulnerable system and remove the outbox subsystem:
# /usr/sbin/versions -v remove outbox
To fix the vulnerability, apply the appropriate patch for your system, as listed in Silicon
Graphics, Inc. Security Advisory 19970501-02-PX, available from the SGI FTP site. See
References.
References
SGI Security Advisory 19970501-02-PX
IRIX webdist.cgi, handler and wrap programs
ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
SGI FTP site
FTP
ftp://patches.sgi.com/support/free/security/patches/
ISS X-Force
IRIX handler CGI allows remote command execution
http://xforce.iss.net/static/340.php
CVE
CVE-1999-0148
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0148
IRIX infosrch.cgi fname variable allows remote attackers to
execute commands (HTTP_SGI_Infosrch)
About this
signature or
vulnerability
This signature detects HTTP GET requests ("infosrch.cgi?" followed by "&fname=") and a
series of shell metacharacters that could allow an attacker to view files or execute arbitrary
commands on the server.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: SR 1.1
Systems affected
IRIX: 6.5
Type
Unauthorized Access Attempt
Vulnerability
description
InfoSearch is a tool distributed by SGI that converts manual (man) pages, release notes,
and other documents on the Internet into HTML format. The InfoSearch tool contains a
vulnerability in the method it uses to parse input for the fname variable. This
vulnerability could allow a remote attacker to view files or execute arbitrary commands
on the Web server.
How to remove this
vulnerability
Apply the appropriate patch for your system or disable the infosrch.cgi program, as listed
in Silicon Graphics Inc. Security Advisory 20000501-01-P.
— OR —
Remove the "infosrch.cgi" program from your system's CGI-BIN directory.
References
BugTraq Mailing List, Wed Mar 01 2000 18:12:41
infosrch.cgi vulnerability (IRIX 6.5)
http://www.securityfocus.com/archive/1/49301
BugTraq Mailing List, Mon May 22 2000 14:57:18
Vulnerability in infosrch.cgi
http://www.securityfocus.com/archive/1/61369
BugTraq Mailing List, Tue May 23 2000 00:11:37
infosrch.cgi 'interactive' shell
http://www.securityfocus.com/archive/1/61588
BugTraq Mailing List, Wed May 24 2000 14:57:21
Re: Vulnerability in infosrch.cgi
http://www.securityfocus.com/archive/1/61750
SGI Security Advisory 20000501-01-P
Vulnerability in infosrch.cgi
http://www.sgi.com/support/security/advisories.html
ISS X-Force
IRIX infosrch.cgi fname variable allows remote attackers to execute commands
http://xforce.iss.net/static/4065.php
CVE
CAN-2000-0207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0207
SGI Webdist CGI script allows remote command execution
(HTTP_SGI_Webdist)
About this
signature or
vulnerability
This signature detects a specially-crafted HTTP GET request for the Webdist.cgi program,
which could indicate an attempt by an attacker to execute arbitrary commands on the
Web server.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
IRIX: 5.3, IRIX: 6.0.1, IRIX: 6.1, IRIX: 6.2, IRIX: 6.3, IRIX: 6.4, IRIX: 6.0, Common Gateway
Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability
description
The Webdist program is part of the Out Box Environment Subsystem for IRIX, installed
by default on all SGI systems running IRIX 6.2 or newer. The Webdist.cgi program could
allow a remote attacker to execute arbitrary commands on a remote computer with the
privileges of the user owning the server process. Older versions of IRIX may have this
package optionally installed.
How to remove this
vulnerability
Disable or remove the scripts included with the IRIX Out Box Environment Subsystem
and apply the appropriate patches for your system, as listed in Silicon Graphics Inc.
Security Advisory 19970501-02-PX. See References.
References
SGI Security Advisory 19970501-02-PX
IRIX webdist.cgi, handler and wrap programs
ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
AUSCERT Advisory AA-97.14
SGI IRIX webdist.cgi Vulnerability
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.14.SGI.webdist.cgi.vul
SGI Security Advisory 19970501-01-A
Vulnerability in webdist.cgi
ftp://patches.sgi.com/support/free/security/advisories/19970501-01-A
CERT Advisory CA-1997-12
Vulnerability in webdist.cgi
http://www.cert.org/advisories/CA-1997-12.html
ISS X-Force
SGI Webdist CGI script allows remote command execution
http://xforce.iss.net/static/333.php
CVE
CVE-1999-0039
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0039
SGI IRIX cgi-bin wrap program remote users can list files
(HTTP_SGI_Wrap)
About this
signature or
vulnerability
This signature detects an attack on the wrap cgi-bin script included as part of the WWW
HTTP server shipped with IRIX 6.2.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
IRIX: 5.3, IRIX: 6.0.1, IRIX: 6.1, IRIX: 6.2, IRIX: 6.3, IRIX: 6.4, IRIX: 6.0, Common Gateway
Interface (CGI)
Type
Pre-attack Probe
Vulnerability
description
The wrap CGI program is part of the Outbox Environment Subsystem for IRIX, installed
by default on all SGI systems running IRIX 6.2 or newer. Older versions of IRIX may have
this package optionally installed. By accessing the wrap script with specially formatted
arguments, a remote attacker can obtain a listing of files on the server. This information
could be useful to an attacker in performing further attacks.
How to remove this
vulnerability
Disable or remove the scripts included with the IRIX Outbox Environment Subsystem and
apply the appropriate patches for your system, as listed in Silicon Graphics Inc. Security
Advisory 19970501-02-PX. See References.
— AND —
If possible, upgrade to the latest version of operating system running on your Web server.
References
SGI Security Advisory 19970501-02-PX
IRIX webdist.cgi, handler and wrap programs
ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
ISS X-Force
SGI IRIX cgi-bin wrap program remote users can list files
http://xforce.iss.net/static/290.php
CVE
CVE-1999-0149
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0149
Cobalt RaQ Web server could reveal user's command history
(HTTP_ShellHistory)
About this
signature or
vulnerability
This signature detects HTTP GET requests containing "/.history" or "/.bash_history,"
which may indicate attempts by an attacker to acquire users' shell command history.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
Cobalt RaQ
Type
Pre-attack Probe
Vulnerability
description
The Cobalt RaQ Web server device may allow a user's shell command history to be
remotely obtained. By default, the Cobalt Web server shares a user's entire directory and
could reveal sensitive files, such as command history files. Any remote user can exploit
this vulnerability to gain access to security-sensitive information (such as administrator
passwords) contained in command history files. Also, the nature of Cobalt RaQ's setup
could allow an attacker to use Web search engines to identify servers that use Cobalt RaQ.
How to remove this
vulnerability
Apply the ShellHistoryPatch-1.1.pkg patch, as listed in Cobalt Networks Support
Knowledgebase article 469 (may require login). See References.
References
Wired News Online
Teenager Finds Web-Server Hole
http://www.wired.com/news/news/technology/story/18109.html
BugTraq Mailing List, Thu Feb 25 1999 22:02:17
Cobalt root exploit
http://www.securityfocus.com/archive/1/12712
Cobalt Networks, Inc.
ShellHistoryPatch-1.1.pkg
http://ftp.cobalt.com/pub/packages/raq1/eng/ShellHistoryPatch-1.1.pkg
Cobalt Networks, Inc. Knowledge Base (may require login)
469: I noticed that the .bash_history is visible through a browser, which exposes my telnet
activities.
http://www.cobalt.com/support/kb/
search.php3?ques=shellhistorypatch&qid=469&language=1
ISS X-Force
Cobalt RaQ Web server could reveal user's command history
http://xforce.iss.net/static/1831.php
CVE
CVE-1999-0408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0408
Shell interpreters can be used to execute commands on Web
servers (HTTP_Shells)
About this
signature or
vulnerability
This signature detects attempts to invoke a shell interpreter through the Web server in
order to execute commands. It matches calls to shell interpreters at any location (not only
the cgi-bin directory) within or outside the Web server's document tree.
False positives
RealSecure Network Sensor: A false positive is possible for Web pages that call shell
interpreters. Even in the event of a false positive, it is still considered bad security practice
to put shell interpreters (such as sh, csh, etc.) in the cgi-bin directory. A false positive is
also possible, though unlikely, for a Web page that has the same name as an obscure shell
interpreter (for example, "python").
RealSecure Server Sensor: A false positive is possible for Web pages that call shell
interpreters. Even in the event of a false positive, it is still considered bad security practice
to put shell interpreters (such as sh, csh, etc.) in the cgi-bin directory. A false positive is
also possible, though unlikely, for a Web page that has the same name as an obscure shell
interpreter (for example, "python").
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 2.0, RealSecure Server Sensor: 5.5.2
Systems affected
Unix, Common Gateway Interface (CGI)
Type
Suspicious Activity
Vulnerability
description
A common Web server misconfiguration is to put shell interpreters (such as sh, csh, etc.)
in the cgi-bin directory. Also, some early Web server documentation stated that CGI script
interpreters (such as Perl, Tcl, etc.) should be placed in the cgi-bin directory.
Placement of shell interpreters and CGI script interpreters in the cgi-bin directory could
allow a remote attacker to execute arbitrary commands through the interpreters. By
sending specially formatted HTTP requests, an attacker could cause these shells to
execute arbitrary commands. For example, an attacker could send a specially formatted
HTTP request that would cause password files to be emailed.
Internet Scanner users: Some Web servers are configured to use non-RFC-compliant
response headers, which may cause Internet Scanner to report a false positive for this
vulnerability.
How to remove this
vulnerability
Determine if any cgi-bin programs rely on shell interpreter access. If they do, move the
shell interpreter outside the www root, and modify the cgi-bin programs to look for the
shell interpreter in the new location. If no programs use the shell interpreter, remove it
from the cgi-bin directory.
Evaluate locally authored CGI executables to ensure that they do not pass unvalidated
user-supplied data to system commands.
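The check called for above (validate user-supplied data before it reaches a system command) in Python, as an added example that is not from the original guide or from any CGI program named in it. "echo" stands in for the wrapped program (finger, a log viewer, a query tool) so the example runs offline; the allow-list pattern and the sample attacker input are assumptions.

```python
import re
import subprocess

# Allow-list for the one field this CGI accepts. Rejecting anything outside it
# is what the CERT tech tip recommends, instead of trying to strip "bad"
# characters (assumed pattern; widen it only as far as the program needs).
SAFE_USER = re.compile(r'^[A-Za-z0-9._-]{1,32}$')

# 'echo' stands in for the wrapped program (finger, a log viewer, a query
# tool) so the example runs offline; the injection mechanics are the same.
BASE_CMD = ['echo', 'finger']


def validate_user(user):
    return SAFE_USER.match(user) is not None


def vulnerable_lookup(user):
    """Deliberately vulnerable: the field is spliced into a shell command
    line, so ';', '|', backticks and $(...) are interpreted by /bin/sh."""
    cmd = ' '.join(BASE_CMD) + ' ' + user
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_lookup(user):
    """Validate first, then pass an argument vector with no shell; even if the
    check were skipped, the string would reach the program as one literal
    argument rather than as shell syntax."""
    if not validate_user(user):
        raise ValueError('user name contains characters outside the allow-list')
    return subprocess.run(BASE_CMD + [user], capture_output=True, text=True).stdout


if __name__ == '__main__':
    payload = 'bob; echo INJECTED'            # constructed attacker input
    print(repr(vulnerable_lookup(payload)))   # second line: INJECTED
    try:
        hardened_lookup(payload)
    except ValueError as err:
        print('rejected:', err)
    print(repr(hardened_lookup('bob')))
```

The two defences are independent and both are worth keeping: the allow-list stops the request at the CGI boundary with a clear error, and the argument vector removes the shell from the path entirely, so a metacharacter that slips past a later, looser validator can no longer become a command.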
References
CERT Advisory CA-1996-11
Interpreters in CGI bin Directories
http://www.cert.org/advisories/CA-1996-11.html
ISS X-Force
Shell interpreters can be used to execute commands on Web servers
http://xforce.iss.net/static/146.php
Shockwave plugin allows reading of users' email
(HTTP_ShockWave)
About this
signature or
vulnerability
This signature detects when a Web browser attempts to obtain a file containing a
Shockwave movie.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 2.5
Systems affected
Shockwave Plugin: 5.x and earlier
Type
Protocol Signature
Vulnerability
description
Macromedia Shockwave is a movie viewer plugin for Web browsers. Shockwave versions
previous to 6.0 contain a vulnerability that allows an attacker to create a Shockwave
movie with malicious content that can read email messages located on another user's
system.
How to remove this
vulnerability
Upgrade to the latest version of Shockwave (6.0 or later), available from the Shockwave
Web site. See References.
References
Shockwave Security Alert
Shockwave Security Alert : Reading Email
http://www.webcomics.com/shockwave/reademail.html
ISS X-Force
Shockwave plugin allows reading of users' email
http://xforce.iss.net/static/460.php
CVE
CAN-1999-1525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1525
SiteServer 3.0 AdSamples installation could expose SQL server
login information (HTTP_SiteCsc_Access)
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
Microsoft Site Server: All versions
Type
Unauthorized Access Attempt
Vulnerability
description
Microsoft SiteServer 3.0 ships with an optional AdSamples directory intended to
demonstrate the use of the Ad Server component of Site Server. If the permissions for this
directory allow public access, a remote attacker could possibly retrieve a SITE.CSC file,
which may contain database DSN's, logins, and passwords. This information could be
useful to an attacker in performing future attacks.
How to remove this
vulnerability
Remove the AdSamples directory from all production Web servers. As a rule, sample
code and example applications should not be installed on production servers.
References
BugTraq Mailing List, Tue May 11 1999 15:27:38
[ALERT] Site Server 3.0 May Expose SQL IDs and PSWs
http://www.securityfocus.com/archive/1/13638
ISS X-Force
SiteServer 3.0 AdSamples installation could expose SQL server login information
http://xforce.iss.net/static/2270.php
SoftCart misconfiguration exposes passwords or order
information (HTTP_Softcart)
About this
signature or
vulnerability
This signature detects an HTTP GET request for Mercantec SoftCart files containing order
information or server passwords.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 1.3, RealSecure Server Sensor: 5.5.2
Systems affected
SoftCart
Type
Unauthorized Access Attempt
Vulnerability
description
Mercantec's SoftCart Web-based shopping cart system could be misconfigured by a site's
administrator. This misconfiguration could expose sensitive order information, or user IDs
and passwords for the server, to remote users.
How to remove this
vulnerability
Reinstall the SoftCart application, following the installation instructions carefully. To
prevent unauthorized remote access to sensitive SoftCart files and directories, ensure that
appropriate permissions have been set.
References
BugTraq Mailing List, Tue Apr 20 1999 13:34:57
Re: Shopping Carts exposing CC data
http://www.securityfocus.com/archive/1/13363
Mercantec, Inc. Web site
Mercantec E-Commerce Solutions
http://www.mercantec.com/
ISS X-Force
SoftCart misconfiguration exposes passwords or order information
http://xforce.iss.net/static/3856.php
CVE
CAN-1999-0609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0609
Test-cgi sample CGI script allows remote retrieval of file listings
(HTTP_TestCgi)
About this
signature or
vulnerability
This signature detects specially-crafted HTTP GET requests for the test-cgi program.
These requests could indicate attempts by an attacker to view the contents of the cgi-bin
directory or other directories on the Web server.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
NCSA Servers: Old Versions, Apache Web Server: Old Versions, Common Gateway
Interface (CGI)
Type
Pre-attack Probe
Vulnerability
description
Certain conditions in the test-cgi file, shipped with older NCSA and Apache Web server
packages, could allow a remote attacker to submit a query to view the contents of the
cgi-bin directory or other directories on the Web server. This information could be useful
to an attacker in performing future attacks on the system.
This vulnerability can be used to change the contents of a Web page. Exploit information
for this vulnerability has been widely distributed.
How to remove this
vulnerability
Remove test-cgi, in addition to any other example CGI scripts, from your cgi-bin
directory. If these scripts exist on your system, you may be running an outdated server
and should upgrade to the latest version offered by your vendor.
References
@stake, Inc./L0pht Security Advisory 04/96
test-cgi vulnerability in certain setups
http://www.atstake.com/research/advisories/1996/test-cgi-vulnerability.txt
ISS X-Force
Test-cgi sample CGI script allows remote retrieval of file listings
http://xforce.iss.net/static/149.php
CVE
CVE-1999-0070
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0070
Suspicious URL with tilde (~) appended (HTTP_Tilde)
About this
signature or
vulnerability
This signature detects any attempt to access a URL with a tilde (~) appended to the URL.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.1
Systems affected
HTTP
Type
Suspicious Activity
Vulnerability
description
Many popular text editors, such as vi, create a backup copy of any file opened for editing
in the current directory. Such backup files are usually renamed to something similar to the
original file name with a tilde ("~") character appended.
Because a backup file's name (for example, script.cgi~) no longer matches the extension or
handler the Web server associates with CGI programs, a request for it may bypass the ACLs
(access control lists) applied to the original and be served as a plain file, returning the
program's source code instead of executing it.
Attempts to access a URL with a tilde appended may therefore indicate that an attacker is
trying to read the backup of a CGI file instead of the original.
How to remove this
vulnerability
Remove backup files from directories accessible by a Web browser. When making
modifications to files, do so with a text editor in an unshared directory.
Some text editors, such as emacs, can be configured to suppress creating backup files. For
example, a command such as (setq make-backup-files nil) in the .emacs configuration file
can suppress backup copies.
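An added audit helper (not part of the original guide) that walks a document root and reports files whose names follow common editor backup conventions: the tilde suffix discussed above, plus emacs autosave (#name#) and lock (.#name) files, vim swap files, and .bak/.orig/.old copies. The name patterns and the sample tree it builds are assumptions; run it against your real document root after the text editor has been moved out of the shared directory.

```python
import os
import re
import tempfile

# File-name patterns editors leave behind (assumed list; extend for your site):
#   name~      vi, emacs and many others     #name#       emacs autosave
#   .#name     emacs lock file               .name.swp    vim swap file
#   name.bak / name.orig / name.old          manual copies
BACKUP_PATTERNS = [re.compile(p) for p in (
    r'~$', r'^#.*#$', r'^\.#', r'^\..*\.swp$', r'\.(bak|orig|old)$')]


def find_backup_files(docroot):
    """Paths (relative to docroot) of files a Web server might serve as
    plain text instead of executing or protecting."""
    found = []
    for dirpath, _dirs, names in os.walk(docroot):
        for name in names:
            if any(p.search(name) for p in BACKUP_PATTERNS):
                found.append(os.path.relpath(os.path.join(dirpath, name), docroot))
    return sorted(found)


def build_sample_docroot():
    """Constructed sample tree in a temporary directory (not from the guide)."""
    root = tempfile.mkdtemp(prefix='docroot-')
    os.makedirs(os.path.join(root, 'cgi-bin'))
    for rel in ('index.html', 'cgi-bin/order.cgi', 'cgi-bin/order.cgi~',
                'cgi-bin/#order.cgi#', 'cgi-bin/.order.cgi.swp', 'config.php.bak'):
        with open(os.path.join(root, rel), 'w') as fh:
            fh.write('sample\n')
    return root


if __name__ == '__main__':
    root = build_sample_docroot()
    for rel in find_backup_files(root):
        print(rel)
```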
References
GNOME 1.4 User's Guide
Files and filenames
http://www.labs.redhat.com/gug/users-guide/new-file.html
ISS X-Force
Suspicious URL with tilde (~) appended
http://xforce.iss.net/static/2370.php
passwd file accessed through Web server
(HTTP_Unix_Passwords)
About this
signature or
vulnerability
This signature detects attempts to access the /etc/passwd file on Unix systems via a Web
(HTTP) server.
False positives
RealSecure Network Sensor: A Web site with a legitimate URL containing “/etc/
passwd” could cause a false positive. Examine the URL reported in the event.
RealSecure Server Sensor: A web site with a legitimate URL containing “/etc/passwd”
could cause a false positive. Examine the URL reported in the event.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 2.5, RealSecure Server Sensor: 5.5
Systems affected
Unix, HTTP
Type
Unauthorized Access Attempt
Vulnerability
description
The /etc/passwd file on Unix systems contains account information and, on systems that
do not use shadow passwords, the password hashes. An attacker who has obtained the
/etc/passwd file may attempt a brute force attack against all passwords on the system.
An attacker may attempt to gain access to the /etc/passwd file through a Web (HTTP)
server. Typically this is done through one of the CGI scripts installed on the server.
How to remove this
vulnerability
Examine the URL accessed and evaluate if the access attempt could have been successful.
If so, consider the system compromised and all passwords exposed. Although this event
is not the result of a specific vulnerability, you should take steps to ensure that your Web
server and CGI scripts do not contain vulnerabilities that could allow remote access to the
/etc/passwd file.
References
BugTraq Mailing List, Tue Aug 17 1999 10:13:48
Stupid bug in W3-msql
http://www.securityfocus.com/archive/1/24442
ISS X-Force
passwd file accessed through Web server
http://xforce.iss.net/static/1069.php
CVE
CVE-1999-0753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0753
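The URL checks described for HTTP_SGI_Handler, HTTP_SGI_Infosrch, HTTP_ShellHistory, HTTP_Tilde and HTTP_Unix_Passwords, as one added Python matcher run over constructed request lines. It is not ISS code and does not reproduce the sensors' actual logic; the match rules are read from the signature descriptions above, the set of shell metacharacters is an assumption, and the sample requests are made up. It percent-decodes the path once and lets parse_qs decode query values, which is the first check a practitioner would add: without it a pipe sent as %7C is missed.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

# Shell metacharacters checked in the infosrch.cgi fname value (assumed set).
SHELL_META = re.compile(r'[|;`&$<>\n]')

# Constructed sample request lines; none are taken from the original guide.
SAMPLE_REQUESTS = [
    'GET /cgi-bin/handler/x%7Ccmd HTTP/1.0',
    'GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=%7Ccmd HTTP/1.0',
    'GET /~alice/.bash_history HTTP/1.0',
    'GET /cgi-bin/order.cgi~ HTTP/1.0',
    'GET /cgi-bin/lookup.cgi?file=../../etc/passwd HTTP/1.0',
    'GET /docs/etc/passwd-format.html HTTP/1.0',   # legitimate URL: false positive
    'GET /index.html HTTP/1.0',
]


def classify(request_line):
    """Return the signature names a single HTTP request line would trigger."""
    parts = request_line.split(' ')
    if len(parts) < 2:
        return []
    method, target = parts[0], parts[1]
    split = urlsplit(target)
    path = unquote(split.path)                               # one pass of %XX decoding
    query = parse_qs(split.query, keep_blank_values=True)    # values are decoded here
    decoded = unquote(target)
    hits = []
    # HTTP_SGI_Handler: GET for the handler program with a pipe anywhere in the URL
    if method == 'GET' and re.search(r'/handler(?:/|$)', path) and '|' in decoded:
        hits.append('HTTP_SGI_Handler')
    # HTTP_SGI_Infosrch: infosrch.cgi with shell metacharacters in fname
    if method == 'GET' and path.endswith('/infosrch.cgi'):
        if any(SHELL_META.search(v) for v in query.get('fname', [])):
            hits.append('HTTP_SGI_Infosrch')
    # HTTP_ShellHistory: shell history files requested over HTTP
    if '/.history' in path or '/.bash_history' in path:
        hits.append('HTTP_ShellHistory')
    # HTTP_Tilde: editor backup copy of a file (name~) requested
    if path.endswith('~'):
        hits.append('HTTP_Tilde')
    # HTTP_Unix_Passwords: /etc/passwd anywhere in the decoded URL
    if '/etc/passwd' in decoded:
        hits.append('HTTP_Unix_Passwords')
    return hits


def scan(lines):
    """Map each request line that triggers something to its signature list."""
    return {line: classify(line) for line in lines if classify(line)}


if __name__ == '__main__':
    for line, names in scan(SAMPLE_REQUESTS).items():
        print(f'{", ".join(names):24} {line}')
```

Two caveats follow directly from the code. Double-encoded input (%257C) decodes to %7C after one pass and is not caught, so a matcher that normalises once will miss it; and the /docs/etc/passwd-format.html sample shows the false positive the guide warns about, which is why the event's URL must be examined rather than trusted.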
Verity search97 CGI script allows remote file reading
(HTTP_Verity_Search)
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
Common Gateway Interface (CGI), Verity Search'97
Type
Unauthorized Access Attempt
Vulnerability
description
A vulnerability in the search97 CGI script of Verity Search'97 Information Server could
allow a remote attacker to read any file on the system. In exploiting this vulnerability, the
attacker is limited to reading files accessible to the user owning the server process, usually
"nobody." This vulnerability affects all versions of the Search'97 Information Server up to
and including 3.1.
How to remove this
vulnerability
Apply the patch for this vulnerability (Verity bug ID 40663), available from the Verity
Customer Support site. See References.
References
BugTraq Mailing List, Tue Jul 14 1998 10:59:32
Verity/Search'97 Security Problems
http://www.securityfocus.com/archive/1/9891
Verity Web site
Verity Customer Support site
https://customers.verity.com/
ISS X-Force
Verity search97 CGI script allows remote file reading
http://xforce.iss.net/static/1628.php
HTTP connections from vulnerable clients
(HTTP_Vulnerable_Client)
About this
signature or
vulnerability
This signature detects the use of a version of Internet Explorer prior to 4.01, or a version of
Netscape Communicator prior to 4.61, or Netscape Navigator version 4.08 or earlier.
Additional
Vulnerabilities
Found
■ ie-outdated
■ nav-outdated
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 2.0, RealSecure Server Sensor: 5.5.2
Systems affected
HTTP
Type
Protocol Signature
Vulnerability
description
Whenever a Web browser makes an HTTP request, it sends User Agent information in the
request. This information includes the type and version of the Web browser. Earlier
versions of common Web browsers have known vulnerabilities.
Vulnerable browsers include the following versions of these browsers:
● Internet Explorer prior to version 4.01
● Netscape Communicator prior to 4.61
● Netscape Navigator 4.08 and below (including all stand-alone versions of Netscape
Navigator)
How to remove this
vulnerability
Upgrade your system's Web browser to the latest version.
For Internet Explorer:
● Upgrade to the latest version of Internet Explorer (5.5 or later), available from the
Microsoft Web site. See References.
For Netscape Navigator or Netscape Communicator:
● Upgrade to the latest version of Netscape Communicator (6.0 or later), available from
the Netscape Web site. See References.
References
Microsoft Windows Technologies: Internet Explorer
Internet Explorer Home Page
http://www.microsoft.com/windows/ie/default.htm
Netscape Communications, Inc. Web site
Netscape Netcenter - Download & Upgrade Page
http://www.netscape.com/computing/download/index.html?cp=hom06x4
ISS X-Force
HTTP connections from vulnerable clients
http://xforce.iss.net/static/656.php
Weakness CGI Scanner (HTTP_WeaknessCGIScanner)
About this
signature or
vulnerability
This signature detects the Weakness CGI scanner performing a scan on your network for
vulnerable CGI scripts.
False negatives
RealSecure Network Sensor: RealSecure detects a scan by the Weakness program when
Weakness performs a scan for the newdsn.exe CGI program. A false negative is possible if
the Weakness source code is modified to remove this check for newdsn.exe.
RealSecure Server Sensor: RealSecure detects a scan by the Weakness program when
Weakness performs a scan for the newdsn.exe CGI program. A false negative is possible if
the Weakness source code is modified to remove this check for newdsn.exe.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 5.0, RealSecure Server Sensor: 5.5.2
Systems affected
Windows NT
Type
Pre-attack Probe
Vulnerability
description
The Weakness program is a CGI scanner used to scan Web sites for vulnerable CGI
scripts. A remote attacker who identifies vulnerable CGI scripts on a Web server may
attempt to use various CGI exploits to gain unauthorized access to the server.
How to remove this
vulnerability
Any sites that launch the Weakness program should be considered hostile. Determine the
source site from which the Weakness program was launched, and block the site at your
network's screening router or firewall.
References
ISS X-Force
Weakness CGI Scanner
http://xforce.iss.net/static/3681.php
Web finger access attempt (HTTP_WebFinger)
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 3.1, RealSecure Server Sensor: 5.5.2
Systems affected
Common Gateway Interface (CGI)
Type
Suspicious Activity
Vulnerability
description
Some Web server configurations include a CGI finger interface, which provides a gateway
for users to finger a computer through their Web browser. An attacker could use this CGI
finger interface to send probes to other networks from computers on your network.
How to remove this
vulnerability
Remove the finger utility from your CGI-BIN directory. The utility could have any name
but is usually named finger or finger.pl.
References
ISS X-Force
Web finger access attempt
http://xforce.iss.net/static/1465.php
WEBgais CGI script allows remote command execution
(HTTP_Webgais)
About this
signature or
vulnerability
This signature detects HTTP GET requests for cgi-bin/webgais.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
WEBGais, Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability
description
WEBgais is a Web-based index/query system written in the Perl language. A
vulnerability in the way the WEBgais script handles shell metacharacters could allow a
remote attacker to execute commands on the remote computer with privileges of the Web
server (usually "nobody"). All versions of the WEBgais package up to 1.0b2 are
vulnerable.
How to remove this
vulnerability
No remedy available as of June 2001.
Disable the WEBgais script to prevent attackers from exploiting this vulnerability.
References
BugTraq Mailing List, Thu Jul 10 1997 19:03:14
Vulnerability in WEBgais
http://www.securityfocus.com/archive/1/7229
CERT Tech Tips
How To Remove Meta-characters From User-Supplied Data In CGI Scripts
http://www.cert.org/tech_tips/cgi_metacharacters.html
ISS X-Force
WEBgais CGI script allows remote command execution
http://xforce.iss.net/static/1467.php
CVE
CVE-1999-0176
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0176
WebLogic FileServlet show code
(HTTP_WebLogic_FileServlet_Show_Code)
About this
signature or
vulnerability
This signature detects URLs containing /*.shtml/ or /ConsoleHelp/, which could
indicate possible attempts by an attacker to view the source of .jsp or .jhtml files on a
WebLogic server.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
WebLogic Enterprise: 5.1.x, WebLogic Server and Express: 4.5.x, WebLogic Server and
Express: 5.1.x
Type
Unauthorized Access Attempt
Vulnerability
description
BEA Systems WebLogic Enterprise 5.1, WebLogic Server 4.5.x and 5.1.x, and WebLogic
Express 4.5.x and 5.1.x could allow a remote attacker to view the source of documents
under the Web document root directory. If /ConsoleHelp/ appears as a prefix of the
requested file path, the ConsoleHelp servlet hands the request to FileServlet, which
returns the page source as text instead of executing it.
How to remove this
vulnerability
Apply the Service Pack for the "Show Code" vulnerability, as listed in BEA Systems, Inc.
Security Advisory BEA00-03.01. See References.
References
Foundstone Security Advisory
BEA's WebLogic force handlers show code vulnerability
http://www.foundstone.com/cgi-bin/display.cgi?Content_ID=29
BEA Systems, Inc. Security Advisory BEA00-03.01
Service Pack for Show Code Vulnerability
http://developer.bea.com/code/security_010306.jsp
ISS X-Force
WebLogic FileServlet show code
http://xforce.iss.net/static/5024.php
CVE
CVE-2000-0682
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0682
WebLogic allows users to read source of files
(HTTP_WebLogic_FileSourceRead)
About this
signature or
vulnerability
This signature detects URLs containing "/file", which could be used by an attacker to view
the source of .jsp files on a WebLogic server.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
WebLogic Server, WebLogic Express
Type
Unauthorized Access Attempt
Vulnerability
description
BEA WebLogic Server could reveal the source code of Java Server Pages (JSP files) on the
Web server. A remote attacker could request a file, adding "/file/" before the file name in
the URL, to cause the Web server to return the text source of the file to the browser,
instead of compiling and executing the .jsp page.
How to remove this
vulnerability
No remedy available as of February 2001.
As a workaround, register the file servlet using wild cards or a random string, as
described in WebLogic Server JSP Configuration. See References.
References
Foundstone Security Advisory
BEA's WebLogic
http://www.foundstone.com/cgi-bin/display.cgi?Content_ID=34
BEA WebLogic Server 5.1
WebLogic Server JSP Configuration
http://www.weblogic.com/docs51/admindocs/lockdown.html#1111303
BugTraq Mailing List, Tue Jun 20 2000 14:36:25
BEA WebLogic /file/ showcode vulnerability
http://www.securityfocus.com/archive/1/66044
ISS X-Force
WebLogic allows users to read source of files
http://xforce.iss.net/static/4775.php
CVE
CVE-2000-0500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0500
BEA Systems WebLogic Java injection
(HTTP_WebLogic_JavaInjection)
About this
signature or
vulnerability
This signature detects URLs containing '/*.jsp/' or '/*.jhtml/' , which could indicate an
attacker's attempt to inject malicious, executable Java code into files on the Web server.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2, RealSecure Server Sensor: 6.5
Systems affected
WebLogic
Type
Unauthorized Access Attempt
Vulnerability
description
WebLogic servers could allow a remote attacker to inject executable Java code into files on
the Web server to be compiled and executed, due to the design of WebLogic handlers for
JSP and JHTML files. By having such code executed, the attacker could gain
administrative access to the server.
How to remove this
vulnerability
Configure your WebLogic server as listed in BEA Systems Advisory BEA00-04.00. See
References.
References
Foundstone Security Advisory FS-073100-10-BEA
BEA WebLogic remote command execution vulnerability discovered by Foundstone, Inc.
http://www.foundstone.com/cgi-bin/display.cgi?Content_ID=28
CERT Advisory CA-2000-02
Malicious HTML Tags Embedded in Client Web Requests
http://www.cert.org/advisories/CA-2000-02.html
BEA Systems, Inc. Security Advisory BEA00-04.00
Compilation and execution of arbitrary files in web document root directory
http://developer.bea.com/code/alerts.jsp
ISS X-Force
BEA Systems WebLogic Java injection
http://xforce.iss.net/static/5027.php
WebLogic redirect request plugin buffer overflow can be used to
gain root (HTTP_WebLogic_PluginBO)
About this
signature or
vulnerability
This signature detects an HTTP GET request that contains ".jsp?" followed by more than
2000 characters.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
WebLogic
Type
Denial of Service
Vulnerability
description
BEA WebLogic Server and WebLogic Express versions 5.1.0 and 4.5.x are vulnerable to a
buffer overflow in the plugin that allows other Web servers to redirect requests to the
WebLogic server. By requesting a Java Server Page (.JSP file) from the BEA WebLogic
server with a URL containing 2048 characters or more, a remote attacker can overflow a
buffer and crash the Web server or execute arbitrary code on the system. An attacker may
be able to use this to gain root level privileges in Unix or SYSTEM privileges in Windows
NT.
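As an added example (not ISS sensor code), the four WebLogic signatures above expressed as a small request-line matcher over raw HTTP requests. The regular expressions are one reading of the "About this signature" wording of each entry, and the sample requests are constructed.

```python
import re

# One pattern per WebLogic URL signature in this guide, as this reader interprets
# the "About this signature" wording. Applied to the request-target only.
WEBLOGIC_URL_SIGNATURES = [
    ("HTTP_WebLogic_FileServlet_Show_Code",
     re.compile(r"/[^/]*\.shtml/|/ConsoleHelp/", re.IGNORECASE)),
    ("HTTP_WebLogic_FileSourceRead",
     re.compile(r"/file/", re.IGNORECASE)),
    ("HTTP_WebLogic_JavaInjection",
     re.compile(r"/[^/]*\.(?:jsp|jhtml)/", re.IGNORECASE)),
]
PLUGIN_BO_MARKER = ".jsp?"
PLUGIN_BO_TAIL = 2000        # "more than 2000 characters" after the marker


def request_line(request: str):
    """Return (method, target) from the first line of a raw HTTP request."""
    first = request.split("\r\n", 1)[0].split("\n", 1)[0]
    parts = first.split()
    if len(parts) < 2:
        raise ValueError("malformed request line: %r" % first)
    return parts[0].upper(), parts[1]


def match_weblogic(request: str) -> list:
    """Names of the WebLogic signatures a raw HTTP request would trip."""
    method, target = request_line(request)
    hits = [name for name, pat in WEBLOGIC_URL_SIGNATURES if pat.search(target)]
    # HTTP_WebLogic_PluginBO: GET only, length measured after ".jsp?"
    at = target.find(PLUGIN_BO_MARKER)
    if method == "GET" and at >= 0:
        if len(target) - at - len(PLUGIN_BO_MARKER) > PLUGIN_BO_TAIL:
            hits.append("HTTP_WebLogic_PluginBO")
    return hits


if __name__ == "__main__":
    samples = [                                   # constructed requests
        "GET /ConsoleHelp/login.jsp HTTP/1.0\r\nHost: app\r\n\r\n",
        "GET /file/index.jsp HTTP/1.0\r\n\r\n",
        "GET /shop/cart.jsp/ HTTP/1.0\r\n\r\n",
        "GET /index.jsp?" + "A" * 2100 + " HTTP/1.0\r\n\r\n",
        "GET /index.jsp?id=7 HTTP/1.0\r\n\r\n",
    ]
    for s in samples:
        print(request_line(s)[1][:40], match_weblogic(s))
```

Two practitioner notes: the HTTP_WebLogic_FileSourceRead entry says the sensor looks for "/file", which would also fire on ordinary paths such as /profile/; the example requires the slashes on both sides, as in the attack description. And the PluginBO check counts characters after ".jsp?", so a URL that merely exceeds 2048 characters in its path part is not reported by this reading of the signature.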
How to remove this
vulnerability
Apply the proxy plug-in patch, as listed in BEA Systems, Inc. Security Advisory BEA00-05.01. See References.
References
BEA Systems, Inc. Security Advisory BEA00-05.01
Patch Available for Buffer Overflow in BEA WebLogic Server Proxy Plug-In
http://developer.bea.com/code/security_000814.jsp
CORE SDI S.A. Security Advisory, August 15, 2000
Vulnerability Report for BEA WebLogic's Proxy
http://www.core-sdi.com/advisories/wl_libproxy_adving.htm
BugTraq Mailing List, Tue Aug 15 2000 17:11:00
BEA Weblogic server proxy library vulnerabilities
http://www.securityfocus.com/archive/1/76396
ISS X-Force
WebLogic redirect request plugin buffer overflow can be used to gain root
http://xforce.iss.net/static/5096.php
CVE
CVE-2000-0681
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0681
WebGais websendmail allows remote command execution
(HTTP_Websendmail)
About this
signature or
vulnerability
This signature detects HTTP POST commands containing "cgi-bin/websendmail".
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 5.5.2
Systems affected
WEBGais, Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability
description
The Websendmail program allows a remote attacker to execute arbitrary commands on
vulnerable systems.
Websendmail is a cgi-bin program that comes with the WEBgais package. WEBgais is a
collection of CGI gateway programs, which incorporate the Global Area Intelligent Search
(GAIS) index/query system, so that it can be used as a search engine in WWW
information servers. Websendmail reads input from a form and sends email to the
specified destination. Versions of WEBgais up to version 1.0b2 are vulnerable.
How to remove this
vulnerability
No remedy available as of May 2001.
As a workaround, disable websendmail by removing its execute permission, for example:
# /bin/chmod 400 /usr/local/etc/httpd/cgi-bin/websendmail
(replace the path with your cgi-bin directory as appropriate).
References
BugTraq Mailing List, Fri Jul 04 1997 08:16:31
Vulnerability in websendmail
http://www.securityfocus.com/archive/1/7188
ISS X-Force
WebGais websendmail allows remote command execution
http://xforce.iss.net/static/296.php
CVE
CVE-1999-0196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0196
WebSite 1.1 for Windows NT winsample buffer overflow
(HTTP_WebSite_Sample)
About this
signature or
vulnerability
This signature detects attempts to access the win-c-sample.exe program, installed by
default in the cgi-shl directory of O'Reilly WebSite versions previous to 2.0.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 2.0, RealSecure Server Sensor: 5.5.2
Systems affected
O'Reilly WebSite: prior to 2.0, Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability
description
The win-c-sample.exe program, installed by default in the cgi-shl directory of O'Reilly
WebSite versions previous to 2.0, is vulnerable to a buffer overflow. A remote attacker can
execute arbitrary commands on the server with the privileges of the user owning the
server process.
How to remove this
vulnerability
Remove the Win-C-Sample.exe script from the cgi-shl or cgi-bin directory. There is no
legitimate use for this script, and it has been removed from O'Reilly WebSite 2.0.
References
O'Reilly Software Web site
O'Reilly Software: WebSite
http://website.oreilly.com/
ISS X-Force
WebSite 1.1 for Windows NT winsample buffer overflow
http://xforce.iss.net/static/295.php
CVE
CVE-1999-0178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0178
WebSite 1.1 uploader (HTTP_WebSite_Uploader)
About this
signature or
vulnerability
This signature detects attempts to access uploader.exe, a program included as part of the
O’Reilly WebSite 1.1 Web server.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 2.0, RealSecure Server Sensor: 5.5.2
Systems affected
O'Reilly WebSite: prior to 2.0, Common Gateway Interface (CGI)
Type
Unauthorized Access Attempt
Vulnerability
description
The uploader.exe program, included as part of the O’Reilly WebSite 1.1 Web server, could
allow a remote attacker to upload an arbitrary file to the cgi-win directory of the Web
server. The file could then possibly be executed with the privileges of the http server.
The uploader.exe program is installed by default in the cgi-win directory of the O'Reilly
WebSite Web server. O’Reilly WebSite software versions prior to 1.1g and v2.0 beta are
vulnerable. Version 2.0 is not vulnerable.
How to remove this
vulnerability
Remove the uploader.exe file from the Web server.
— AND —
If you want to remain at version 1.1, install the Uploader security fix dated July 30, 1996.
See References.
— OR —
Upgrade to the latest version of WebSite (2.0 or later), available from the O'Reilly Web
site. See References.
References
O'Reilly Software Web site
WebSite 1.1 Updates
http://website.oreilly.com/support/software/ws11_updates.cfm
O'Reilly Software Web site
Uploader Security Fix
ftp://ftp.ora.com/software/pub/support/software/website/uploader.zip
Insecure.org Web site
Uploader.exe insecurity
http://www.insecure.org/sploits/oreily.website.uploader.exe.html
ISS X-Force
WebSite 1.1 uploader
http://xforce.iss.net/static/294.php
CVE
CVE-1999-0177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0177
WebSphere Application Server Host: header denial of service
(HTTP_WebSphere_HeaderDoS)
About this
signature or
vulnerability
This signature detects an HTTP request containing a "Host:" header string that is longer
than 1000 characters.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2, RealSecure Server Sensor: 6.5
Systems affected
WebSphere
Type
Denial of Service
Vulnerability
description
IBM WebSphere Application Server version 3.0.2 is vulnerable to a denial of service attack
caused by a vulnerability in the WAS plugin. By sending a long string containing 1092
characters or more in the HTTP Host: request header, a remote attacker can cause the Web
server process handling the request to fail on signal 11 (SIGSEGV) or signal 10 (SIGBUS).
It is unlikely that this could be exploited to gain privileges or execute arbitrary commands
on the Web server.
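Added example, not ISS sensor code: a header parser that measures the Host: value as the server would reassemble it (after RFC 2616 line folding is undone) and applies the signature's 1000-character threshold. The requests are constructed; a folded Host header is included because a per-line check would under-count it.

```python
HOST_ALERT_LEN = 1000    # signature threshold: Host: value longer than 1000 bytes
WAS_CRASH_LEN = 1092     # length from which the WebSphere 3.0.2 plug-in faults


def parse_headers(raw: bytes) -> dict:
    """Headers of a raw HTTP request as {lower-cased name: value}.

    RFC 2616 line folding (a continuation line starting with SP or HT) is
    undone first, so a Host: value split over several lines is measured at
    the length the server reassembles. First occurrence of a name wins."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]               # skip the request line
    unfolded = []
    for line in lines:
        if line[:1] in (b" ", b"\t") and unfolded:
            unfolded[-1] += b" " + line.strip()
        else:
            unfolded.append(line)
    headers = {}
    for line in unfolded:
        if b":" not in line:
            continue                              # tolerate junk lines
        name, value = line.split(b":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def check_host_header(raw: bytes):
    """Return (Host: value length, signature name or None) for one request."""
    length = len(parse_headers(raw).get(b"host", b""))
    alert = "HTTP_WebSphere_HeaderDoS" if length > HOST_ALERT_LEN else None
    return length, alert


def build_request(host_value: bytes) -> bytes:
    """Constructed request carrying the given Host: value."""
    return b"GET / HTTP/1.0\r\nHost: " + host_value + b"\r\nUser-Agent: x\r\n\r\n"


if __name__ == "__main__":
    for host in (b"www.example.com", b"A" * 1001, b"A" * WAS_CRASH_LEN):
        print(check_host_header(build_request(host)))
```

Values between 1001 and 1091 characters raise the alert without reaching the length at which the plug-in is reported to fault, so an alert on its own does not mean the server crashed; the server's own logs decide that.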
How to remove this
vulnerability
Apply FixPack 2 for WebSphere Application Server 3.02 (3.0.2.2), available from the IBM
Support site. See References.
References
BugTraq Mailing List, Fri Sep 15 2000 12:23:28
WebSphere application server plugin issue & vendor fix
http://www.securityfocus.com/archive/1/83284
IBM WebSphere Application Server Support: E-fixes
FixPacks and E-fixes
http://www-4.ibm.com/software/webservers/appserv/efix.html
ISS X-Force
WebSphere Application Server Host: header denial of service
http://xforce.iss.net/static/5252.php
CVE
CAN-2000-0848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0848
Selena Sol’s WebStore could expose order information
(HTTP_WebStore)
About this
signature or
vulnerability
This signature detects an HTTP GET request for the WebStore order log file.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 1.3, RealSecure Server Sensor: 5.5.2
Systems affected
Selena Sol's WebStore
Type
Unauthorized Access Attempt
Vulnerability
description
Selena Sol's WebStore shopping cart system could expose order information if it is
misconfigured: the order.log file, which records details of purchases made through the
system, may then be retrievable by remote attackers.
How to remove this
vulnerability
Reinstall the WebStore Shopping Cart application, following the installation instructions
carefully. To prevent unauthorized remote access to sensitive WebStore Shopping Cart
files and directories, ensure that appropriate permissions have been set.
References
BugTraq Mailing List, Tue Apr 20 1999 13:34:57
Re: Shopping Carts exposing CC data
http://www.securityfocus.com/archive/1/13363
eXtropia Web site
Webstore
http://www.extropia.com/scripts/web_store.html
ISS X-Force
Selena Sol’s WebStore could expose order information
http://xforce.iss.net/static/3861.php
CVE
CAN-1999-0604
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0604
WindMail remote file retrieval (HTTP_WindMail_FileRead)
About this
signature or
vulnerability
This signature detects an HTTP GET request for the WindMail program.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 5.0, RealSecure Server Sensor: 5.5.2
Systems affected
WindMail
Type
Unauthorized Access Attempt
Vulnerability
description
WindMail is a command-line email messenger for Windows. WindMail works with CGI
scripts that manage forms on Web sites. Normally, the CGI scripts pass form information
to WindMail and command it to send an email containing the information. An attacker
can exploit this feature of WindMail through a Web browser by typing a URL containing
certain instructions to the WindMail executable. Such a specially crafted URL can
command WindMail to email any file on the vulnerable system to the attacker.
How to remove this
vulnerability
No remedy available as of March 2000.
References
BugTraq Mailing List, Sat Mar 25 2000 22:41:46
Windmail allow web user get any file
http://www.securityfocus.com/archive/1/52810
ISS X-Force
WindMail remote file retrieval
http://xforce.iss.net/static/4188.php
CVE
CAN-2000-0242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0242
Executable command in HTTP path (HTTP_Windows_Executable)
About this
signature or
vulnerability
This signature detects attempts by an attacker to embed an executable command (.EXE) in
Web (HTTP) traffic.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
Windows NT, Windows 2000
Type
Protocol Signature
Vulnerability
description
Executable commands in Microsoft Windows environments typically possess an .EXE file
extension. A remote attacker could embed such an executable command in Web (HTTP)
traffic to launch a variety of attacks on a victim computer.
For example, a remote attacker could launch the Windows executable
c:\winnt\system32\cmd.exe by embedding the executable command in Web traffic.
How to remove this
vulnerability
Restrict remote program execution to only those applications and users that require this
capability.
References
ISS X-Force
Executable command in HTTP path
http://xforce.iss.net/static/6842.php
WWWThreads SQL commands could allow users to gain
privileges (HTTP_WWWThreads_Admin)
About this
signature or
vulnerability
This signature detects an attempt to submit SQL commands through WWWThreads forms in
order to read or write the underlying SQL database.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0, RealSecure Server Sensor: 5.5.2
Systems affected
WWWThreads: prior to 5.0
Type
Unauthorized Access Attempt
Vulnerability
description
Versions of the WWWThreads software prior to 5.0 allow remote users to submit SQL
commands through online forms to gain privileges. WWWThreads is a Web bulletin board
program that uses a SQL database. Because the program does not validate form input
before building SQL statements from it, an attacker can send SQL commands through
forms to manipulate the contents of the database and to gain administrator database
privileges.
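Added example, not WWWThreads code: the injection pattern the advisory describes, reproduced against an in-memory SQLite database with an invented schema, beside the parameterized form that removes it. Table and column names, and the attack strings, are assumptions made for the illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the board's database (schema is invented)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    db.execute("CREATE TABLE posts (subject TEXT, body TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("admin", "s3cret", 1), ("alice", "wonder", 0)])
    db.executemany("INSERT INTO posts VALUES (?, ?)",
                   [("hello", "first post"), ("help", "how do I log in?")])
    return db


def vulnerable_login(db, name: str, password: str):
    """Form values spliced into the SQL text: the defect the advisory describes."""
    sql = ("SELECT name, is_admin FROM users "
           "WHERE name = '%s' AND password = '%s'" % (name, password))
    return db.execute(sql).fetchone()


def vulnerable_search(db, term: str) -> list:
    """Same defect in a search form; a UNION lets the attacker read other tables."""
    sql = "SELECT subject, body FROM posts WHERE subject LIKE '%%%s%%'" % term
    return db.execute(sql).fetchall()


def hardened_login(db, name: str, password: str):
    """Bound parameters: the values can never become SQL syntax."""
    sql = "SELECT name, is_admin FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()


def hardened_search(db, term: str) -> list:
    """Bound parameter; the LIKE wildcards are added to the value, not the SQL."""
    sql = "SELECT subject, body FROM posts WHERE subject LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    bypass = "admin' --"                        # constructed attack inputs
    leak = "x%' UNION SELECT name, password FROM users --"
    print(vulnerable_login(db, bypass, ""))     # admin row, no password needed
    print(vulnerable_search(db, leak))          # every username and password
    print(hardened_login(db, bypass, ""))       # None
    print(hardened_search(db, leak))            # []
```

The hardened search still lets the user supply LIKE wildcards inside the term; that is a data-exposure question for the application, not an injection, and is left as is here.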
How to remove this
vulnerability
Upgrade to WWWThreads Pro version 5.0 or later, or a demo version of WWWThreads
released after 02/01/00, available from the WWWThreads Web site. See References.
References
BugTraq Mailing List, Wed Feb 02 2000 19:33:03
RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)
http://www.securityfocus.com/archive/1/44863
WWWThreads Web site
WWWThreads Download Area - Demo Version
http://www.wwwthreads.com/download.html
WWWThreads Demo / Support Forum
5.0 release and demo update - urgent upgrades
http://www.wwwthreads.com/perl/
showflat.pl?Cat=&Board=info&Number=9932&page=1&view=collapsed&sb=5
ISS X-Force
WWWThreads SQL commands could allow users to gain privileges
http://xforce.iss.net/static/4011.php
CVE
CAN-2000-0125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0125
HVL-RAT backdoor for Windows and AOL (Hvl_Rat)
About this
signature or
vulnerability
This signature detects a TCP connection on port 1099 to an HVL-RAT backdoor on your
network.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows NT, Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The HVL-RAT backdoor is one of many backdoor programs that attackers can use to
access your computer system without your knowledge or consent. With the HVL-RAT
backdoor, an attacker can do the following:
● shut down or restart your computer
● detect your IP address
● detect your America Online username and password
● use your computer's microphone to record sounds
How to remove this
vulnerability
To remove HVL-RAT from your computer:
1. Using Regedit, find the HKLM\Software\Microsoft\Windows\CurrentVersion\Run
registry key.
2. Find the registry entry named Explorer that has a data value of
C:\Windows\System\Msgsvr16.exe.
3. Delete this registry entry.
4. Delete MsgSvr16.exe from the Windows system directory.
References
The Xploiter Web site
XPloiter - Rat Trojan
http://www.xploiter.com/security/rat.html
ISS X-Force
HVL-RAT backdoor for Windows and AOL
http://xforce.iss.net/static/3110.php
Ident errors may indicate probe of Ident service (Ident_Error)
About this
signature or
vulnerability
This signature detects Ident errors, which could indicate attempts by an attacker to
identify open connections between particular systems or probe your network for
configuration information.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 2.5, RealSecure Server Sensor: 6.5
Systems affected
Unix
Type
Suspicious Activity
Vulnerability
description
Ident, the Identification protocol, allows a server to ask a client system for the local
username associated with a given network connection between the two systems. This is
done by the server opening an Ident connection back to the client, and specifying the pair
of port numbers (local and remote) for which it would like a username report. If no such
connection exists, or if the request from the server is otherwise malformed, the Ident
process on the client will report an error.
An attacker can use probes of the Ident service to identify open connections between
particular systems, or to reveal configuration information remotely (for example, which
processes are running as root). Such probes typically generate a series of error replies as
the attacker tries different port numbers.
How to remove this
vulnerability
Examine the destination address of this event (the system that issued the Ident queries),
which could be an attacking system. Watch for other events originating at that address.
References
ISS X-Force
Ident errors may indicate probe of Ident service
http://xforce.iss.net/static/1070.php
Linux identd configuration remote denial of service
(Ident_Linux_DoS)
About this
signature or
vulnerability
This signature detects that more than 100 identd connections have occurred within 30
seconds.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: SR 1.1
Systems affected
SuSE Linux
Type
Denial of Service
Vulnerability
description
In some Linux distributions, identd is started from inetd.conf with the options -w -t120.
Once an identd connection is made to the server, the server waits 120 seconds before
answering another connection. By opening a large number of identd connections to the
server in a short period of time, a remote attacker could cause the server to use up all
available memory and crash the system.
How to remove this
vulnerability
Reconfigure the in.identd daemon to prevent it from waiting on connections.
To prevent the in.identd daemon from waiting on connections:
1. Change the start flag for in.identd in /etc/inetd.conf from "wait" to "nowait".
2. Change the in.identd options from "-w -t120 -e" to "-i -e".
— OR —
For stronger security, consider not running identd.
References
BugTraq Mailing List, Sat Aug 14 1999 12:29:48
DOS against SuSE's identd
http://www.securityfocus.com/archive/1/24244
SuSE Security Announcement #12
Security hole in netcfg
http://www.suse.de/de/support/security/suse_security_announce_12.txt
ISS X-Force
Linux identd configuration remote denial of service
http://xforce.iss.net/static/3128.php
CVE
CVE-1999-0746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0746
Ident newline allows remote users to execute commands
(Ident_Newline)
About this
signature or
vulnerability
This signature detects an Ident response containing a newline character.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 6.5
Systems affected
Sendmail
Type
Unauthorized Access Attempt
Vulnerability
description
Certain programs that connect back to the Ident service to log user information expect a
properly formatted response. If the response contains newlines, the response may be
improperly parsed, allowing the remote user to append commands to an Ident response
that will be executed by the target system with root-level access.
How to remove this
vulnerability
Upgrade to the latest version of Sendmail (8.11.2 or later), available from the Sendmail
Web site. See References.
References
Sendmail Consortium Web site
Current Release
http://www.sendmail.org/
CIAC Information Bulletin F-13
Unix Sendmail Vulnerabilities
http://www.ciac.org/ciac/bulletins/f-13.shtml
BugTraq Mailing List, Thu Feb 23 1995 03:49:08
Re: Sendmail 8.6.9 security hole
http://www.securityfocus.com/archive/1/2225
RootShell smh.c exploit
smh.c - Michael R. Widner - atreus (2/27/95)
http://www.rootshell.com/archive-j457nxiqi3gq59dv/199707/smh.c.html
ISS X-Force
Ident newline allows remote users to execute commands
http://xforce.iss.net/static/628.php
CVE
CVE-1999-0204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204
Ident buffer overflow allows remote users to execute commands
(Ident_Overflow)
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
Sendmail
Type
Unauthorized Access Attempt
Vulnerability
description
Sendmail is a Mail Transport Agent (MTA) used on many Unix-based operating systems.
Sendmail version 8.6.9 connects back to the ident service to log user information. This
version of Sendmail does not validate the information returned by the client. If the
response by the client to Sendmail is longer than expected, the response overflows the
buffer. This condition could allow a remote attacker to execute commands on the host
system and gain privileged access to the system.
How to remove this
vulnerability
Upgrade to the latest version of Sendmail (8.11.2 or later), available from the Sendmail
Web site. See References.
References
Sendmail Consortium Web site
Sendmail Homepage
http://www.sendmail.org
CIAC Information Bulletin F-13
Unix Sendmail Vulnerabilities
http://www.ciac.org/ciac/bulletins/f-13.shtml
BugTraq Mailing List, Thu Feb 23 1995 03:43:13
Re: Sendmail 8.6.9 security hole
http://www.securityfocus.com/archive/1/2235
ISS X-Force
Ident buffer overflow allows remote users to execute commands
http://xforce.iss.net/static/627.php
CVE
CVE-1999-0204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204
Ident user (Ident_User)
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
Any
Type
Protocol Signature
Vulnerability
description
Services use the Ident port to identify the account by which a connection is being made on
a computer. This information can be used to track a connection back to a specific user on a
multi-user computer.
How to remove this
vulnerability
Consider enabling identd on internal hosts that do not generate ident events.
References
ISS X-Force
Ident user
http://xforce.iss.net/static/657.php
Internet Explorer allows active content to be automatically
downloaded (HTTP_ActiveX)
About this
signature or
vulnerability
This vulnerability is detected by the HTTP_ActiveX signature.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 2.5
Systems affected
Windows 95, Windows NT: 4.0
Type
Protocol Signature
Vulnerability
description
The Web browser allows active content to be automatically downloaded from the HTML
page that contains the content. Potentially malicious or virus-infected programs may be
stored on the local file system.
How to remove this
vulnerability
In Internet Explorer 3.x, from the Options dialog box, go to Security and disable Allow
Downloading of Active Content.
1. Open Internet Explorer 3.x.
2. From the View menu, select Options.
3. Click the Security tab.
4. Disable the Allow Downloading of Active Content option.
5. Click OK to apply the changes.
In Internet Explorer 5.x, from the Internet Options dialog box, go to Security and disable
the appropriate settings under Downloads.
1. Open Internet Explorer 5.x.
2. From the Tools menu, select Internet Options.
3. Click the Security tab, and then click Custom Level.
4. From the Downloads folder, locate the advanced feature and set it to the
recommended value.
5. Click OK to apply the changes.
References
ISS X-Force
Internet Explorer allows active content to be automatically downloaded
http://xforce.iss.net/static/353.php
Internet Explorer is outdated (HTTP_Vulnerable_Client)
About this
signature or
vulnerability
This vulnerability is detected by the HTTP_Vulnerable_Client signature.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 2.5
Systems affected
Windows NT, Windows 95, Windows NT: 4.0, Windows 98
Type
Protocol Signature
Vulnerability
description
An outdated version of Microsoft Internet Explorer has been detected. All versions of
Internet Explorer prior to 4.01 are known to have security issues.
How to remove this
vulnerability
Apply the latest Service Pack for Internet Explorer 5.5 (Service Pack 1 or later), available
from the Microsoft Web site. See References.
Windows NT
Apply the Explorer 4.0 Freiburg, Bell Labs Java-Script and the DirectX patches.
References
Microsoft Internet Explorer Web site
Welcome to the Internet Explorer Home Page
http://www.microsoft.com/windows/Ie/default.htm
Microsoft Web site
5.5 it works faster to save you time
http://www.microsoft.com/windows/Ie/default.htm
ISS X-Force
Internet Explorer is outdated
http://xforce.iss.net/static/361.php
CVE
CAN-1999-0662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0662
Attempt to read or modify an 802.11 device's SSID
(SNMP_Suspicious_Set)
About this
signature or
vulnerability
This signature detects an attempt to read or change the SSID (Service Set Identifier) of an
802.11 device through SNMP. Read attempts are reported by the companion
SNMP_Suspicious_Get signature.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
3Com AirConnect Access Point, Enterasys RoamAbout PC Card: 802.11, Enterasys
RoamAbout Access Point, Cisco Aironet Access Point, ORiNOCO Access Points, Cisco
Aironet 350 Series Access Point
Type
Suspicious Activity
Vulnerability
description
An attempt is being made to read or modify the SSID (Service Set Identifier) of an 802.11
access point. An attacker could use the SSID to join the wireless network. This event
should be considered particularly suspicious if your access point is not configured to
broadcast the SSID.
How to remove this
vulnerability
Ensure that the 802.11 device is properly configured.
References
3Com Product Support
3Com® AirConnect® 11 Mbps Wireless LAN Access Point
http://www.3com.com/products/en_US/
detail.jsp?tab=support&pathtype=support&sku=3CRWE74796B
Cisco Technology Solutions
Wireless Solutions
http://www.cisco.com/warp/public/779/smbiz/netsolutions/find/wireless.shtml
Agere Systems Web site
ORiNOCO Wireless LAN
http://www.orinocowireless.com/
Enterasys Web site
Enterasys Wireless Solutions: RoamAbout
http://www.enterasys.com/wireless/
Internet Security Systems Web site
Securing E-business: Wireless LAN Security
http://www.iss.net/wireless/
ISS X-Force
Attempt to read or modify an 802.11 device's SSID
http://xforce.iss.net/static/6519.php
Attempt to read or modify an 802.11 device's WEP encryption
key (SNMP_Suspicious_Set)
About this
signature or
vulnerability
This signature detects an attempt to read or change the WEP (Wired Equivalent Privacy)
encryption key of an 802.11 device through SNMP. Read attempts are reported by the
companion SNMP_Suspicious_Get signature.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
3Com AirConnect Access Point, Enterasys RoamAbout PC Card: 802.11, Enterasys
RoamAbout Access Point, Cisco Aironet Access Point, ORiNOCO Access Points, Cisco
Aironet 350 Series Access Point
Type
Suspicious Activity
Vulnerability
description
An attempt is being made to read or modify the WEP (Wired Equivalent Privacy)
encryption key of an 802.11 access point. An attacker could use encryption key
information to gain access to a wireless network.
How to remove this
vulnerability
Ensure that the 802.11 device is properly configured. Change the WEP key if it has been
read by a suspicious computer.
References
3Com Product Support
3Com® AirConnect® 11 Mbps Wireless LAN Access Point
http://www.3com.com/products/en_US/detail.jsp?tab=support&pathtype=support&sku=3CRWE74796B
Cisco Technology Solutions
Wireless Solutions
http://www.cisco.com/warp/public/779/smbiz/netsolutions/find/wireless.shtml
Agere Systems Web site
ORiNOCO Wireless LAN
http://www.orinocowireless.com/
Enterasys Web site
Enterasys Wireless Solutions: RoamAbout
http://www.enterasys.com/wireless/
Internet Security Systems Security Alert #84
Wired-side SNMP WEP key exposure in 802.11b Access Points
http://xforce.iss.net/alerts/advise84.php
Internet Security Systems Web site
Securing E-business: Wireless LAN Security
http://www.iss.net/wireless/
ISS X-Force
Attempt to read or modify an 802.11 device's WEP encryption key
http://xforce.iss.net/static/6520.php
IMail buffer overflow in built-in LDAP server
(Imail_ldap_Overflow)
About this
signature or
vulnerability
This signature detects a character string greater than 2375 bytes being sent to port 389, the
IMail LDAP server port.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: SR 1.1
Systems affected
IMail
Type
Denial of Service
Vulnerability
description
IMail is a multi-protocol mail server for Windows NT. Versions 5.0 and earlier of IMail are
vulnerable to a buffer overflow in the LDAP server. By sending a large number of
characters to the LDAP server, a remote attacker can overflow the buffer and cause the
LDAP service to consume all available resources on the server. It is not known whether an
attacker can use this vulnerability to execute arbitrary code.
How to remove this
vulnerability
No remedy available as of November 2000.
References
eEye Digital Security Team Alert AD03011999
Multiple IMail Vulnerabilities
http://www.eeye.com/html/Research/Advisories/AD19990301.html
Ipswitch, Inc. Product Information
IMail Server by Ipswitch
http://www.ipswitch.com/Products/IMail_Server/index.asp
ISS X-Force
IMail buffer overflow in built-in LDAP server
http://xforce.iss.net/static/1896.php
IMAP2bis server, anonymous login successful
(IMAP2bis_server_anonymous_login_successful)
About this
signature or
vulnerability
This signature detects the following syslog message generated by the IMAP2bis service:
"Login anonymous"
Default risk level
Low
Sensors that have
this signature
RealSecure OS Sensor: 3.0
Systems affected
Unix
Type
Host Sensor
Vulnerability
description
The IMAP2bis (Internet Mail Access Protocol) service has historically been targeted by
attackers. This service records access events in the Unix syslog. It may be helpful to create
an audit history of these events, by monitoring the service's syslog messages. Normal
access attempts at unexpected times or under unusual circumstances may reveal the
presence of an attacker.
How to remove this
vulnerability
This event is likely the result of normal user activity. If this event appears suspicious,
review the audit history of access to determine if misuse or an attack of the IMAP2bis
server has occurred.
References
ISS X-Force
IMAP2bis server, anonymous login successful
http://xforce.iss.net/static/1622.php
IMAP2bis Server, brute force attack
(IMAP2bis_server_brute_force_attack)
About this
signature or
vulnerability
This signature detects the following syslog message generated by the IMAP2bis service:
"Excessive login failures"
Default risk level
High
Sensors that have
this signature
RealSecure OS Sensor: 3.0
Systems affected
Unix
Type
Host Sensor
Vulnerability
description
The IMAP2bis (Internet Mail Access Protocol) service has historically been targeted by
attackers. This service records access attempts in the Unix syslog, as well as events that are
associated with specific attacks. Certain direct attacks against the IMAP2bis service can be
detected in this way. It may also be helpful to create an audit history of successful and
failed access events by monitoring the service's syslog messages.
How to remove this
vulnerability
This event likely indicates a direct attack against the IMAP2bis service, which requires
immediate response from an administrator. Log in to the Unix host in question and
terminate any user process that is obviously the source of the attack. Consider
immediately shutting down the service and curtailing access. Investigate the need to
upgrade or patch the service.
References
ISS X-Force
IMAP2bis Server, brute force attack
http://xforce.iss.net/static/1561.php
IMAP2bis Server, pre-authenticated user login successful
(IMAP2bis_server_preauthenticated_user_login_successful)
About this
signature or
vulnerability
This signature detects the following syslog message generated by the IMAP2bis service:
"Preauthenticated user"
Default risk level
Low
Sensors that have
this signature
RealSecure OS Sensor: 3.0
Systems affected
Unix
Type
Host Sensor
Vulnerability
description
The IMAP2bis (Internet Mail Access Protocol) service has historically been targeted by
attackers. This service records access events in the Unix syslog. It may be helpful to create
an audit history of these events, by monitoring the service's syslog messages. Normal
access attempts at unexpected times or under unusual circumstances may reveal the
presence of an attacker.
How to remove this
vulnerability
This event is likely the result of normal user activity. If this event appears suspicious,
review the audit history of access to determine if misuse or an attack of the IMAP2bis
server has occurred.
References
ISS X-Force
IMAP2bis Server, pre-authenticated user login successful
http://xforce.iss.net/static/1616.php
IMAP2bis Server, user Auto-logout
(IMAP2bis_server_user_auto-logout)
About this
signature or
vulnerability
This signature detects the following syslog message generated by the IMAP2bis service:
"Autologout user"
Default risk level
Low
Sensors that have
this signature
RealSecure OS Sensor: 3.0
Systems affected
Unix
Type
Host Sensor
Vulnerability
description
The IMAP2bis (Internet Mail Access Protocol) service has historically been targeted by
attackers. This service records access events in the Unix syslog. It may be helpful to create
an audit history of these events, by monitoring the service's syslog messages. Normal
access attempts at unexpected times or under unusual circumstances may reveal the
presence of an attacker.
How to remove this
vulnerability
This event is likely the result of normal user activity. If this event appears suspicious,
review the audit history of access to determine if misuse or an attack of the IMAP2bis
server has occurred.
References
ISS X-Force
IMAP2bis Server, user Auto-logout
http://xforce.iss.net/static/1563.php
IMAP2bis Server, user login failure
(IMAP2bis_server_user_login_failure)
About this
signature or
vulnerability
This signature detects the following syslog message generated by the IMAP2bis service:
"Login failure"
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.0
Systems affected
Unix
Type
Host Sensor
Vulnerability
description
The IMAP2bis (Internet Mail Access Protocol) service has historically been targeted by
attackers. This service records failed access events in the Unix syslog. It may be helpful to
create an audit history of these events, by monitoring the service's syslog messages. Failed
access attempts may indicate an access error or an attempt by an attacker to probe your
network.
How to remove this
vulnerability
This event may indicate that a user is having difficulty using the service, or it may indicate
the presence of an attacker. Log in to the Unix host in question and determine who is
accessing the service and if they have a legitimate reason to do so. If this event appears
suspicious, review the audit history of access to determine if misuse or an attack of the
IMAP2bis server has occurred.
References
ISS X-Force
IMAP2bis Server, user login failure
http://xforce.iss.net/static/1562.php
IMAP2bis Server, user login successful
(IMAP2bis_server_user_login_successful)
About this
signature or
vulnerability
This signature detects the following syslog message generated by the IMAP2bis service:
"Login user"
Default risk level
Low
Sensors that have
this signature
RealSecure OS Sensor: 3.0
Systems affected
Unix
Type
Host Sensor
Vulnerability
description
The IMAP2bis (Internet Mail Access Protocol) service has historically been targeted by
attackers. This service records access events in the Unix syslog. It may be helpful to create
an audit history of these events, by monitoring the service's syslog messages. Normal
access attempts at unexpected times or under unusual circumstances may reveal the
presence of an attacker.
How to remove this
vulnerability
This event is likely the result of normal user activity. If this event appears suspicious,
review the audit history of access to determine if misuse or an attack of the IMAP2bis
server has occurred.
References
ISS X-Force
IMAP2bis Server, user login successful
http://xforce.iss.net/static/1621.php
IMAP2bis Server, user logout (IMAP2bis_server_user_logout)
About this
signature or
vulnerability
This signature detects the following syslog message generated by the IMAP2bis service:
"Logout user"
Default risk level
Low
Sensors that have
this signature
RealSecure OS Sensor: 3.0
Systems affected
Unix
Type
Host Sensor
Vulnerability
description
The IMAP2bis (Internet Mail Access Protocol) service has historically been targeted by
attackers. This service records access events in the Unix syslog. It may be helpful to create
an audit history of these events, by monitoring the service's syslog messages. Normal
access attempts at unexpected times or under unusual circumstances may reveal the
presence of an attacker.
How to remove this
vulnerability
This event is likely the result of normal user activity. If this event appears suspicious,
review the audit history of access to determine if misuse or an attack of the IMAP2bis
server has occurred.
References
ISS X-Force
IMAP2bis Server, user logout
http://xforce.iss.net/static/1564.php
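The seven IMAP2bis host-sensor entries above each key on one syslog message prefix. The following added example (not ISS code) implements that matching over a BSD-style syslog line layout and a "user=NAME host=NAME [IP]" field layout, both assumed, and adds the per-source failure count that the "review the audit history" advice calls for; the constructed sample lines and the failure threshold are assumptions as well.

```python
import re
from collections import Counter

# Syslog message prefixes quoted in the IMAP2bis signature entries above, mapped to
# the signature name and its default risk level. Order matters: "Login failure" must
# be tested before "Login user", since both start with "Login".
IMAP2BIS_SIGNATURES = [
    ("Excessive login failures", "IMAP2bis_server_brute_force_attack", "High"),
    ("Login failure", "IMAP2bis_server_user_login_failure", "Medium"),
    ("Login anonymous", "IMAP2bis_server_anonymous_login_successful", "Low"),
    ("Preauthenticated user", "IMAP2bis_server_preauthenticated_user_login_successful", "Low"),
    ("Autologout user", "IMAP2bis_server_user_auto-logout", "Low"),
    ("Login user", "IMAP2bis_server_user_login_successful", "Low"),
    ("Logout user", "IMAP2bis_server_user_logout", "Low"),
]

# Assumed BSD-style syslog layout: "Mon DD HH:MM:SS server imapd[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<server>\S+) "
    r"imapd\[\d+\]: (?P<msg>.*)$"
)
# "user=NAME" and "host=NAME [IP]" fields (assumed layout of the daemon's messages).
USER_RE = re.compile(r"\buser=(?P<user>\S+)")
HOST_RE = re.compile(r"\bhost=(?P<host>\S+)(?: \[(?P<ip>[^\]]+)\])?")


def classify_line(line):
    """Map one syslog line to an event dict, or None if it is not an IMAP2bis signature hit."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    msg = m.group("msg")
    for prefix, signature, risk in IMAP2BIS_SIGNATURES:
        if msg.startswith(prefix):
            user = USER_RE.search(msg)
            host = HOST_RE.search(msg)
            # Prefer the bracketed IP as the source: "host=unknown" is what you get
            # when reverse DNS fails, and the IP is what you block or correlate on.
            source = None
            if host:
                source = host.group("ip") or host.group("host")
            return {
                "timestamp": m.group("ts"),
                "server": m.group("server"),
                "signature": signature,
                "risk": risk,
                "user": user.group("user") if user else None,
                "source": source,
            }
    return None


def scan(lines, failure_threshold=3):
    """Classify every line and flag sources with repeated login failures.

    Returns (events, flagged_sources). flagged_sources are client addresses whose
    count of IMAP2bis_server_user_login_failure events reached failure_threshold;
    the threshold is an assumed value, the entries above do not give one.
    """
    events = [e for e in (classify_line(line) for line in lines) if e]
    failures = Counter(
        e["source"] for e in events
        if e["signature"] == "IMAP2bis_server_user_login_failure" and e["source"]
    )
    flagged = sorted(src for src, n in failures.items() if n >= failure_threshold)
    return events, flagged


# Constructed sample log: two normal sessions, a guessing burst from 203.0.113.7
# that ends in the daemon's own "Excessive login failures", and one unrelated line.
SAMPLE_SYSLOG = [
    "Jun  5 08:12:01 mailhost imapd[2231]: Login user=alice host=ws12.example.net [192.0.2.12]",
    "Jun  5 08:40:17 mailhost imapd[2231]: Logout user=alice host=ws12.example.net [192.0.2.12]",
    "Jun  5 22:03:44 mailhost imapd[2418]: Login failure user=root host=unknown [203.0.113.7]",
    "Jun  5 22:03:45 mailhost imapd[2418]: Login failure user=admin host=unknown [203.0.113.7]",
    "Jun  5 22:03:46 mailhost imapd[2418]: Login failure user=guest host=unknown [203.0.113.7]",
    "Jun  5 22:03:48 mailhost imapd[2418]: Excessive login failures user=guest host=unknown [203.0.113.7]",
    "Jun  5 23:10:02 mailhost imapd[2507]: Login anonymous host=ws12.example.net [192.0.2.12]",
    "Jun  6 01:00:00 mailhost imapd[2507]: Autologout user=bob host=ws09.example.net [192.0.2.9]",
    "Jun  6 01:00:01 mailhost cron[77]: (root) CMD (/usr/libexec/atrun)",
]

if __name__ == "__main__":
    events, flagged = scan(SAMPLE_SYSLOG)
    for e in events:
        print(f'{e["timestamp"]} {e["risk"]:6} {e["signature"]} user={e["user"]} src={e["source"]}')
    print("sources with repeated login failures:", flagged)
```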
IMAP AUTHENTICATE overflow could allow remote root access
(IMAP_Authenticate_Overflow)
About this
signature or
vulnerability
This signature detects a specially-crafted "AUTHENTICATE" command to the IMAP
server. The "AUTHENTICATE" command contains an unusually large argument, which
could indicate an attempt by an attacker to overflow a buffer to execute arbitrary
commands on the IMAP server.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.3, RealSecure Server Sensor: 6.5
Systems affected
Internet Message Access Protocol (IMAP), Red Hat Linux: 4.2, Sun Internet Mail Server:
3.x, Sun Internet Mail Server: 2.0
Type
Unauthorized Access Attempt
Vulnerability
description
The Internet Message Access Protocol (IMAP), version 4rev1 (IMAP4rev1) allows a client
to access and manipulate electronic mail messages on a server. IMAP4rev1 servers up to
and including version 10.234 are vulnerable to a buffer overflow in the IMAP
AUTHENTICATE command. By submitting a specially-crafted IMAP AUTHENTICATE
command to the IMAP server, an attacker could overflow a buffer to execute arbitrary
commands on the victim site as the user running imapd, usually root.
This vulnerability is not the vulnerability described in CERT Advisory CA-97.09, which
describes a buffer overflow in the IMAP LOGIN command.
Fixed versions of IMAP were distributed under the 10.234 version number as well, so
version numbers alone should not be used to determine whether or not a server is
vulnerable to this attack.
How to remove this
vulnerability
For Sun Microsystems:
Apply the appropriate patch for your system, as listed in Sun Microsystems, Inc. Security
Bulletin #00177. See References.
For Silicon Graphics, Inc.:
Upgrade to the latest version of the imapd daemon, available from the University of
Washington FTP server. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References
CERT Advisory CA-1998-09
Buffer Overflow in Some Implementations of IMAP Servers
http://www.cert.org/advisories/CA-1998-09.html
Sun Microsystems, Inc. Security Bulletin #00177
IMAP
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/177
SGI Security Advisory 19980802-01-I
University of Washington imapd daemon Vulnerability
ftp://patches.sgi.com/support/free/security/advisories/19980802-01-I
Pine Discussion Forum
Attention: Please update your imapd
http://www.washington.edu/pine/pine-info/1998.07/msg00062.html
BugTraq Mailing List, Thu Jul 16 1998 19:06:30
EMERGENCY: new remote root exploit in UW imapd
http://www.securityfocus.com/archive/1/9929
Washington University
Washington University FTP site
ftp://ftp.cac.washington.edu/mail/imap.tar.Z
CIAC Information Bulletin I-074
Buffer Overflow in Some Implementations of IMAP Servers
http://www.ciac.org/ciac/bulletins/i-074.shtml
ISS X-Force
IMAP AUTHENTICATE overflow could allow remote root access
http://xforce.iss.net/static/1463.php
CVE
CVE-1999-0005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0005
IMail IMAP service buffer overflow (IMAP_Imail_Overflow)
About this
signature or
vulnerability
This signature detects unusually large login commands to the IMAP server, which could
indicate attempts by an attacker to overflow a buffer and crash the IMAP service.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.3
Systems affected
IMail
Type
Denial of Service
Vulnerability
description
IMail is a popular multi-protocol mail server for Windows NT environments. IMail
version 5.0 is vulnerable to a buffer overflow in the login command of the IMAP server.
An attacker could submit a specially-crafted username or password to overflow a buffer
and crash the service. It is not known whether this buffer overflow can be manipulated to
gain unauthorized access to the system.
How to remove this
vulnerability
No remedy available as of March 2001.
References
Ipswitch, Inc. Product Information
IMail Server by Ipswitch
http://www.ipswitch.com/Products/IMail_Server/index.asp
eEye Digital Security Team Alert AD03011999
Multiple IMail Vulnerabilities
http://www.eeye.com/html/Research/Advisories/AD19990301.html
ISS X-Force
IMail IMAP service buffer overflow
http://xforce.iss.net/static/1895.php
CVE
CAN-1999-1557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1557
Microsoft Outlook date header buffer overflow
(IMAP_Outlook_Date_Overflow)
About this
signature or
vulnerability
The IMAP_Outlook_Date_Overflow signature detects IMAP4 server traffic containing a
"Date:" line longer than 70 characters.
Configurable Parameters:
The length of the "Date:" line this signature detects can be configured in the Policy Editor
for IMAP_Outlook_Date_Overflow.
False positives
RealSecure Network Sensor: A false positive is possible if any line in an email received by
IMAP4 contains the text "Date:" and is 150 characters long.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 1.3
Systems affected
Windows NT, Microsoft Outlook: 98, Microsoft Outlook Express: 5.0, Windows 2000,
Microsoft Outlook Express: 4.0, Microsoft Outlook: 2000, Microsoft Outlook: 97
Type
Unauthorized Access Attempt
Vulnerability
description
Microsoft Outlook and Microsoft Outlook Express are vulnerable to a buffer overflow in
the inetcomm.dll component shared by both programs. By sending an email message with
a long date header value, using either the POP3 or IMAP4 protocols, a remote attacker can
overflow the buffer and execute arbitrary code on the system. The user does not have to
open the message for the attack to be successful. A malicious email can begin executing
code when it is retrieved from the server, before the user previews or opens the message.
Only the POP3 and IMAP4 Internet email protocols are affected by this vulnerability.
Microsoft Outlook also supports the MAPI (Microsoft Messaging API), the protocol used
by Microsoft Exchange. Outlook users who retrieve mail using MAPI, and do not use
either POP3 or IMAP4, are not affected by this vulnerability.
How to remove this
vulnerability
For Internet Explorer 5.01:
Apply the critical security patch, as listed in Microsoft Security Bulletin MS00-043. See
References.
For all other versions of Internet Explorer:
Upgrade to Internet Explorer 5.01 Service Pack 1 or Internet Explorer 5.5, as listed in
Microsoft Security Bulletin MS00-043. See References. (Windows 2000 users: Upgrading to
Internet Explorer 5.5 does not correct this vulnerability on Windows 2000 systems.)
For Windows NT:
Apply the "Malformed E-mail Header" patch detailed in Microsoft Security Bulletin
MS00-043. See References.
For Windows 2000:
Apply the "Malformed E-mail Header" patch detailed in Microsoft Security Bulletin
MS00-043. See References.
References
Microsoft Security Bulletin MS00-043
Patch Available for 'Malformed E-mail Header' Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS00-043.asp
Internet Security Systems Security Alert #57
Buffer Overflow in Microsoft Outlook and Outlook Express Mail Clients
http://xforce.iss.net/alerts/advise57.php
Underground Security Systems Research advisory USSR-2000050
Remotely Exploitable Buffer Overflow in Outlook 'Malformed E-mail MIME Header'
Vulnerability
http://www.ussrback.com/labs50.html
Microsoft TechNet
Microsoft Security Bulletin (MS00-043): Frequently Asked Questions
http://www.microsoft.com/technet/security/bulletin/fq00-043.asp
Microsoft Knowledge Base Article Q267884
E-mail Security Vulnerability Fixed in Internet Explorer 5.01 SP1
http://www.microsoft.com/technet/support/kb.asp?ID=267884
CIAC Information Bulletin K-060
Microsoft's Malformed E-Mail Header Vulnerability
http://www.ciac.org/ciac/bulletins/k-060.shtml
ISS X-Force
Microsoft Outlook date header buffer overflow
http://xforce.iss.net/static/4953.php
CVE
CVE-2000-0567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0567
IMAP login buffer overflow could allow remote root access
(IMAP_Overflow)
About this
signature or
vulnerability
This signature detects an IMAP login with an unusually large username (greater than 512
characters).
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 6.5
Systems affected
Internet Message Access Protocol (IMAP)
Type
Unauthorized Access Attempt
Vulnerability
description
IMAP is a remote mail reading protocol designed as an enhancement of the POP2/POP3
protocols. A vulnerability in both the University of Washington's and Mark Crispin's
IMAP implementation could allow a remote attacker to gain unauthorized root access.
This vulnerability also affects the POP3 servers shipped with these packages.
How to remove this
vulnerability
Apply the appropriate IMAP patch or upgrade for your system, as listed in CERT
Advisory CA-1997-09. See References.
For Checkpoint Firewall-1:
Contact Checkpoint Support for patch or upgrade information. See References.
For other distributions, contact your vendor for patch or upgrade information.
References
CERT Advisory CA-1997-09
Vulnerability in IMAP and POP
http://www.cert.org/advisories/CA-1997-09.html
University of Washington Web site
UW IMAP Information Center
http://www.washington.edu/imap/
Network Associates, Inc. COVERT Labs Security Advisory #22
Buffer Overflow in imapd and ipop3d
http://www.pgp.com/research/covert/advisories/022.asp
SGI Security Advisory 19980302-01-I
IMAP/POP Vulnerability
ftp://patches.sgi.com/support/free/security/advisories/19980302-01-I
Check Point Web site
Check Point Software Technologies
http://www.checkpoint.com/
ISS X-Force
IMAP login buffer overflow could allow remote root access
http://xforce.iss.net/static/1637.php
IMAP password (IMAP_Password)
About this
signature or
vulnerability
This signature detects all successfully used passwords submitted by a user attempting to
log on to a mail server using IMAP. Submitted passwords are transmitted in cleartext to
RealSecure log files, so care should be taken to secure the log files. In combination with
other email signatures, this signature can help to construct a log of email activity.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
Internet Message Access Protocol (IMAP)
Type
Protocol Signature
Vulnerability
description
The Internet Messaging Access Protocol (IMAP) service is used by numerous email
programs to retrieve email from a mail server and read it on a local computer. Single,
regularly spaced events of users logging on to a mail server are typical IMAP behavior.
However, a high frequency of these events (many within a short time period) could
indicate a possible brute force username or password guessing attack.
How to remove this
vulnerability
Examine the frequency of the queries as well as the source address. A high frequency of
these events is suspicious. Consider blocking access to the mail server for the source
address. IMAP should typically not be allowed from remote locations, due to the
difficulty in securing the connection and the fact that IMAP transmits passwords in
cleartext.
References
ISS X-Force
IMAP password
http://xforce.iss.net/static/658.php
IMAP username (IMAP_User)
About this
signature or
vulnerability
This signature detects all successfully and unsuccessfully used passwords submitted by a
user attempting to log on to a mail server using IMAP. In combination with other email
signatures, this signature can help to construct a log of email activity.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
Internet Message Access Protocol (IMAP)
Type
Protocol Signature
Vulnerability
description
The Internet Messaging Access Protocol (IMAP) service is used by numerous email
programs to retrieve email from a mail server and read it on a local computer. Single,
regularly spaced events of users attempting to log on to a mail server are typical IMAP
behavior. However, a high frequency of these events (many within a short time period)
could indicate a possible brute force username or password guessing attack.
How to remove this
vulnerability
Examine the frequency of the queries as well as the source address. A high frequency of
these events is suspicious. Consider blocking access to the mail server for the source
address. IMAP should typically not be allowed from remote locations, due to the
difficulty in securing the connection and the fact that IMAP transmits passwords in
cleartext.
References
ISS X-Force
IMAP username
http://xforce.iss.net/static/659.php
Infector backdoor for Windows (Infector)
About this
signature or
vulnerability
This signature detects a TCP connection on port 19 or port 146 to an Infector backdoor on
your network.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.1
Systems affected
Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The Infector backdoor is one of many backdoor programs for Windows 95 and Windows
98 that attackers can use to access your computer system without your knowledge or
consent. With the Infector backdoor, an attacker can execute programs, and upload and
download files.
The Infector backdoor is mainly used for initially infecting a system to upload more
feature-rich backdoors, such as SubSeven or Back Orifice 2000.
When the Infector backdoor is executed, it binds to TCP port 146 and awaits a connection
from the attacker's client. Later versions also bind to TCP port 17569. File transfers are
implemented as a lightweight FTP server that binds to TCP port 19.
How to remove this
vulnerability
To remove Infector from your computer:
1. Using Notepad, open C:\Windows\System.ini.
2. Under "[boot]" find the line that begins with "shell=Explorer.exe".
3. Remember the path and file name appended to this line. This is the location of the
backdoor server.
4. Delete this path from the line leaving only "shell=Explorer.exe".
5. Restart the computer.
6. Delete the file from the path noted in step 3.
These instructions were tested for Infector versions 1.3, 1.4.1 and 1.4.2. For other possible
versions of the Infector backdoor, you may want to use an antivirus program to remove
the Infector backdoor:
1. If you do not have an antivirus program installed, download and install one of these
virus scanners:
■ Norton AntiVirus: http://www.symantec.com/nav/indexA.html
■ McAfee VirusScan: http://software.mcafee.com/centers/download/
■ Trend Micro PC-Cillin: http://www.trend.com/pc-cillin/
2. Run the antivirus program to scan your system for this backdoor. The virus scanner
should find and remove the Infector backdoor from your computer.
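Steps 1 through 4 of the manual removal procedure above amount to one check on the [boot] shell= line of System.ini. This added example (not ISS code) performs that check and the reset offline on a copy of the file; the System.ini excerpt and the file name winsrv32.exe in it are constructed and are not a known Infector file name.

```python
# Constructed System.ini excerpt standing in for C:\Windows\System.ini on an infected
# Windows 9x host; "winsrv32.exe" is a made-up file name, not a known Infector name.
SAMPLE_SYSTEM_INI = (
    "[boot]\r\n"
    "shell=Explorer.exe C:\\WINDOWS\\SYSTEM\\winsrv32.exe\r\n"
    "mouse.drv=mouse.drv\r\n"
    "[386Enh]\r\n"
    "device=*vmm\r\n"
)

CLEAN_SHELL = "shell=Explorer.exe"


def shell_extra_entries(ini_text):
    """Return whatever follows Explorer.exe on the [boot] shell= line, i.e. the
    backdoor location the procedure tells you to note (step 3). An empty list means
    the line is clean. If shell= no longer names Explorer.exe at all, the whole value
    is returned so it is not silently accepted. Paths containing spaces are not
    handled, which is adequate for the 8.3 names used on Windows 9x."""
    in_boot = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_boot = line.lower() == "[boot]"
            continue
        if in_boot and line.lower().startswith("shell="):
            tokens = line.split("=", 1)[1].split()
            if tokens and tokens[0].lower() == "explorer.exe":
                return tokens[1:]
            return tokens
    return []


def reset_shell_line(ini_text):
    """Rewrite the [boot] shell= line to plain "shell=Explorer.exe" (step 4),
    preserving the rest of the file and its line endings."""
    out = []
    in_boot = False
    for raw in ini_text.splitlines(keepends=True):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_boot = line.lower() == "[boot]"
        elif in_boot and line.lower().startswith("shell="):
            ending = raw[len(raw.rstrip("\r\n")):]
            out.append(CLEAN_SHELL + ending)
            continue
        out.append(raw)
    return "".join(out)


if __name__ == "__main__":
    extra = shell_extra_entries(SAMPLE_SYSTEM_INI)
    print("files to delete after the restart (step 6):", extra)
    print(reset_shell_line(SAMPLE_SYSTEM_INI))
```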
References
TL Security Web site
Infector backdoor
http://www.tlsecurity.net/backdoor/Infector.backdoor.html
ISS X-Force
Infector backdoor for Windows
http://xforce.iss.net/static/5025.php
INN control message allows commands to be executed as root
(INN_Control)
About this
signature or
vulnerability
This signature detects an attack against the INN news server that allows any remote user
that can propagate a message to the news server to execute arbitrary commands on the
remote machine.
False positives
RealSecure Network Sensor: A false positive is possible if a control message embedded in
a standard news message is detected.
RealSecure Server Sensor: A false positive is possible if a control message embedded in
a standard news message is detected.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 6.5
Systems affected
InterNet News (INN)
Type
Unauthorized Access Attempt
Vulnerability
description
A vulnerability has been identified in the InterNet News (INN) daemon that could allow a
remote attacker to gain root access on vulnerable computers. This vulnerability affects all
versions up to and including 1.5.1. A remote attacker can send a specially-crafted control
message to the victim's news server to trick the process into executing arbitrary
commands on the system with root privileges. Exploit information for this vulnerability
has been made widely available.
How to remove this
vulnerability
This problem affects all versions including and prior to 1.5.1.
Upgrade to the latest version of INN (2.3.0 or later), available from the Internet Software
Consortium Web site. See References.
References
CERT Summary CS-1997.02
Current activity - attacks on news servers
http://www.cert.org/summaries/CS-97.02.html
CERT Advisory CA-1997-08
Vulnerability in innd
http://www.cert.org/advisories/CA-1997-08.html
AUSCERT Advisory AA-96.19
INN parsecontrol Vulnerability
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.19.INN.parsecontrol.vul
IBM Emergency Response Service Security Vulnerability Alert ERS-SVA-E01-1997:002.1
Security vulnerability in "innd" (InterNetNews server)
http://www-1.ibm.com/services/brs/brspwhub.nsf/advisories
Internet Software Consortium (ISC) Web site
INN Version 2.3.0
http://www.isc.org/products/INN/
BugTraq Mailing List, Wed Dec 04 1996 21:59:46
Re: ANNOUNCE: INN 1.5
http://www.securityfocus.com/archive/1/5855
ISS X-Force
INN control message allows commands to be executed as root
http://xforce.iss.net/static/184.php
CVE
CVE-1999-0100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0100
INN buffer overflow attack allows users to execute arbitrary
code (INN_Overflow)
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 6.5
Systems affected
InterNet News (INN)
Type
Unauthorized Access Attempt
Vulnerability
description
The NNTP (Network News Transfer Protocol) daemon distributed with INN
(InterNetNews) 1.5 and earlier is vulnerable to a buffer overflow. By sending a specially-
crafted string to the NNTP daemon, an attacker can cause the process to execute arbitrary
code on the INN server with root privileges.
How to remove this
vulnerability
This particular problem was resolved in version 1.5.1, which was later found to have
similar security problems.
Upgrade to the latest version of INN (2.3.0 or later), available from the Internet Software
Consortium Web site. See References.
References
Network Associates, Inc. COVERT Labs Security Advisory #17
Vulnerability in INN
http://www.pgp.com/research/covert/advisories/017.asp
Internet Software Consortium (ISC) Web site
INN Version 2.3.0
http://www.isc.org/products/INN/
ISS X-Force
INN buffer overflow attack allows users to execute arbitrary code
http://xforce.iss.net/static/623.php
CVE
CVE-1999-0247
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0247
INN verifycancels option allows remote code execution
(Innd_Cancel_Overflow)
About this
signature or
vulnerability
This signature detects NNTP traffic that could overflow a buffer in the NNTP server code.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: SR 1.1, RealSecure Server Sensor: 6.5
Systems affected
InterNet News (INN): 2.0, InterNet News (INN): 2.1, InterNet News (INN): 2.2, InterNet
News (INN): 2.2.1, InterNet News (INN): 2.2.2
Type
Unauthorized Access Attempt
Vulnerability
description
InterNet News (INN) is a popular, freely available NNTP (Network News Transfer
Protocol) server for Unix platforms. INN versions 2.x and earlier are vulnerable to a buffer
overflow in the INN code that verifies cancel requests sent to the control newsgroup.
By posting a message with a long message ID, and then sending a cancel request message
that contains a different sender than the original post, a remote attacker can overflow a
buffer in the NNTP server code and execute arbitrary code on the system.
This vulnerability exists when the "verifycancels" option is enabled in the innd.conf file,
which is not the default setting except for some versions of Red Hat Linux.
How to remove this
vulnerability
Upgrade to INN version 2.2.3, available from the Internet Software Consortium Web site.
See References.
For Linux-Mandrake:
Apply the appropriate patch for your system, as listed in MandrakeSoft Security
Advisory MDKSA-2000:023 : inn. See References.
For Conectiva Linux:
Set the INN "verifycancels" option to "false," or upgrade to the latest version of
Conectiva's INN (2.2.2-3cl or later), as listed in Conectiva Linux security
announcement inn. See References.
References
BugTraq Mailing List, Tue Jun 06 2000 10:18:44
innd 2.2.2 remote buffer overflow
http://www.securityfocus.com/archive/1/63549
Linux-Mandrake Security Update Advisory MDKSA-2000:023
inn
http://www.linux-mandrake.com/en/updates/2000/MDKSA-2000-023.php3?dis=6.0
BugTraq Mailing List, Tue Jun 06 2000 11:32:23
Conectiva Linux security announcement - inn
http://www.securityfocus.com/archive/1/63877
Internet Software Consortium (ISC) Web site
INN: InterNetNews
http://www.isc.org/products/INN/
Caldera Systems, Inc. Security Advisory CSSA-2000-016.0
buffer overflow in inn
http://www.calderasystems.com/support/security/advisories/CSSA-2000-016.0.txt
ISS X-Force
INN verifycancels option allows remote code execution
http://xforce.iss.net/static/4615.php
CVE
CVE-2000-0472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0472
NetBSD unaligned IP options (IP_Unaligned_Timestamp)
About this
signature or
vulnerability
This signature detects packets that have an unaligned timestamp option, which may
indicate an attacker's attempts to crash the server.
Default risk level
Low
Sensors that have
this signature
RealSecure Server Sensor: 6.0.1
Systems affected
NetBSD: 1.4.1, FreeBSD: 3.4, FreeBSD: 4.0, NetBSD: 1.4.2, FreeBSD: 5.0
Type
Denial of Service
Vulnerability
description
Some BSD operating systems are vulnerable to a denial of service attack involving the
kernel's IP stack. A remote attacker could send a packet that has an unaligned IP
timestamp option to cause a kernel panic or other errors that could lead to a denial of
service.
How to remove this
vulnerability
Upgrade or patch your system, as recommended by your vendor.
As a workaround, block incoming packets with the IP options using ipfw(8).
For NetBSD 1.4.1 and 1.4.2:
Apply the appropriate patch for your system, as listed in NetBSD Security Advisory
2000-002. See References.
For FreeBSD:
Upgrade to the latest version of FreeBSD (dated 2000-06-08 or later), as listed in FreeBSD
Security Advisory FreeBSD-SA-00:23. See References.
As an alternative, apply the ip_options patch, as listed in FreeBSD Security Advisory
FreeBSD-SA-00:23. See References.
References
BugTraq Mailing List, Sat May 06 2000 03:19:29
[NHC20000504a.0: NetBSD Panics when sent unaligned IP options]
http://www.securityfocus.com/archive/1/58867
NetBSD Security Advisory 2000-002
IP options processing Denial of Service
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000002.txt.asc
FreeBSD, Inc. Security Advisory FreeBSD-SA-00:23
Remote denial-of-service in IP stack
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:23.ipoptions.asc.v1.1
ISS X-Force
NetBSD unaligned IP options
http://xforce.iss.net/static/4868.php
CVE
CVE-2000-0440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0440
Duplicate IP addresses (IPDuplicate)
About this
signature or
vulnerability
This signature detects two or more computers on your network using the same IP
address. The RealSecure Network Sensor will identify the MAC addresses that were
detected. The first bits in the MAC address identify the type of device, such as SUN
workstation, router, or ethernet card, which can help determine which type of computer is
using the IP address.
RealSecure Network Sensor detects the duplicate IP address by monitoring ARP packets
and comparing the MAC address and IP address found in each packet. When it detects
two packets with the same IP address but different MAC addresses, it creates this
IPDuplicate event. The Network Sensor continues to create IPDuplicate events until the
MAC and IP addresses of ARP packets match again.
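The ARP-based check described above, as an added example that is not part of the original guide or of RealSecure: it parses Ethernet/ARP frames, keeps the first MAC seen for each sender IP, and raises an IPDuplicate-style event for every later frame in which a different MAC claims the same IP. The frames are constructed inline, and the OUI table is a two-entry sample of the public IEEE registry (assumed sufficient for the illustration).

```python
import struct

# Ethernet header (dst MAC, src MAC, ethertype) and IPv4-over-Ethernet ARP body
ETH_HDR = struct.Struct("!6s6sH")
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ETH_P_ARP = 0x0806

# Sample of the IEEE OUI registry: the first three octets identify the vendor,
# which is what the guide means by "the first bits in the MAC address".
OUI_SAMPLE = {"08:00:20": "Sun Microsystems", "00:00:0c": "Cisco Systems"}


def vendor_hint(mac):
    """Map a MAC's OUI prefix to a vendor name from the sample table."""
    return OUI_SAMPLE.get(mac[:8], "unknown OUI")


def build_arp(sender_mac, sender_ip, opcode=1):
    """Construct an Ethernet/ARP request frame (test data, not a capture)."""
    mac = bytes.fromhex(sender_mac.replace(":", ""))
    ip = bytes(int(o) for o in sender_ip.split("."))
    eth = ETH_HDR.pack(b"\xff" * 6, mac, ETH_P_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, opcode, mac, ip, b"\x00" * 6, ip)
    return eth + arp


def parse_arp(frame):
    """Return (sender_mac, sender_ip) for an IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, _op, smac, sip, _, _ = ARP_HDR.unpack_from(
        frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP; ignore
    return smac.hex(":"), ".".join(str(b) for b in sip)


class DuplicateIpMonitor:
    """Track sender IP -> MAC from ARP and flag conflicting MACs."""

    def __init__(self):
        self.ip_to_mac = {}

    def observe(self, frame):
        """Feed one frame; return an event dict on a conflict, else None."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        mac, ip = parsed
        first_mac = self.ip_to_mac.setdefault(ip, mac)
        if first_mac == mac:
            return None
        # The first mapping is kept, so events keep firing until the
        # conflicting device stops claiming the address (as the guide states).
        return {
            "event": "IPDuplicate",
            "ip": ip,
            "macs": (first_mac, mac),
            "vendors": (vendor_hint(first_mac), vendor_hint(mac)),
        }


def run_sample():
    """Replay constructed frames: one host, then a second host using its IP."""
    frames = [
        build_arp("08:00:20:aa:bb:cc", "10.0.0.5"),
        build_arp("08:00:20:aa:bb:cc", "10.0.0.5"),
        build_arp("00:00:0c:11:22:33", "10.0.0.5"),
        build_arp("00:00:0c:11:22:33", "10.0.0.5"),
    ]
    monitor = DuplicateIpMonitor()
    return [monitor.observe(f) for f in frames]


if __name__ == "__main__":
    for event in run_sample():
        if event:
            print(event)
```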
False positives
RealSecure Network Sensor: Dual-homed routers (used for load-balancing) will trigger
this signature. When a user replaces an adapter card, this signature will also be triggered.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure OS Sensor: 5.0, RealSecure Server Sensor: 5.5
Systems affected
Any
Type
Suspicious Activity
Vulnerability
description
Only one device on a network should send packets with a specific IP address. If a second
device on the network starts to send packets claiming to have the same source address, a
network problem has occurred. A device on the network may be misconfigured to have
the same IP address as another device, causing network conflicts. It is also possible that a
device on the network may be sending IP packets with a spoofed source address.
How to remove this
vulnerability
Identify the hosts involved. You may need to use a network management tool, such as
Network Monitor or Sniffer, to identify exactly which computers are using the duplicate
IP addresses. If one of the addresses comes from outside your network, monitor the
address in question to see what kind of data is being exchanged.
Correct any inappropriate network card configuration issues, if necessary. If an attacker is
spoofing IP addresses, determine how the attacker has gained access and take appropriate
actions to resolve the situation.
References
ISS X-Force
Duplicate IP addresses
http://xforce.iss.net/static/406.php
IP fragmentation (IPFrag)
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
Any
Type
Suspicious Activity
Vulnerability
description
Fragmentation is a feature of the Internet Protocol (IP) suite that allows packets to be
broken into smaller units to be transferred across networks that do not support larger
MTUs (Maximum Transmission Units). An IP packet that is split into several fragments as it is
transmitted over a network is reassembled at the destination to form a full IP packet.
Some routers or firewalls only analyze the first fragment in a series to determine whether
or not it should be passed; the remaining fragments are passed blindly.
Subsequent fragments that overwrite the first fragment could reach a destination that the
router or firewall intends to block.
By using fragmentation in this way, an attacker can execute an attack beyond the filter or
access control modules implemented in routers or packet filtering firewalls. It is possible
for an attacker to construct individual fragments of an IP packet so that subsequent
packets overlap. As a result, the fragments can overwrite parts of the TCP header when
they are reassembled at the destination. In this case, an intermediate filtering router can be
tricked into believing that a packet is destined for an allowed service, when instead the
packet is destined for a filtered service.
How to remove this
vulnerability
Ensure that you are using the latest available versions for your routers and firewalls.
Contact your vendors for upgrade or patch information.
Consult the documentation for your routers and firewalls for more information on how
they handle fragmentation.
References
Fermilab Linac Web site
IP Fragmentation
http://www-linac.fnal.gov/LINAC/software/locsys/syscode/ipsoftware/IPFragmentation.html
ISS X-Force
IP fragmentation
http://xforce.iss.net/static/407.php
TCP Half scan (Stealth scan) (IPHalfScan)
About this
signature or
vulnerability
This signature detects one of the following types of stealth scans on your network: a
NULL scan, a Christmas scan, or a SYN-FIN scan.
False positives
RealSecure Network Sensor: It is possible that a keep-alive timer for certain "internet
push" technologies, as well as misbehaving or obsolete TCP implementations, may trigger
this signature.
RealSecure Server Sensor: It is possible that a keep-alive timer for certain "internet push"
technologies, as well as misbehaving or obsolete TCP implementations, may trigger this
signature.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
Any
Type
Pre-attack Probe
Vulnerability
description
During a normal TCP connection, the source initiates the connection by sending a SYN
packet to a port on the destination system. If a service is listening on that port, the service
responds with a SYN/ACK packet. The client initiating the connection then responds
with an ACK packet, and the connection is established. If the destination host is not
waiting for a connection on the specified port, it responds with an RST packet. Most
system logs do not log completed connections until the final ACK packet is received from
the source.
Sending other types of packets that do not follow this sequence can elicit useful responses
from the target host, without causing a connection to be logged. This is known as a TCP
half scan, or a stealth scan, because it does not generate a log entry on the scanned host.
An attacker can send several different types of packets to initiate various types of stealth
scans, such as the following:
● NULL scan
● Christmas scan (SYN+FIN+ACK)
● SYN-FIN scan
A stealth scan is dangerous because it allows an attacker to determine which ports are
open on a target host, without being detected by the host operating system.
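A flag-based classifier for the three scan types listed above, as an added example that is not part of the original guide or of RealSecure: it parses a 20-byte TCP header, names the scan type a segment matches (the "Christmas scan" definition follows this guide's SYN+FIN+ACK description), and counts distinct probed ports per source so one scanner sweeping many ports can be reported as a single event. Segments are constructed inline; the port threshold is an assumption.

```python
import struct
from collections import defaultdict

# TCP flag bits in the low byte of the 16-bit data-offset/flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_HDR = struct.Struct("!HHIIHHHH")  # 20-byte header, no options


def build_tcp(sport, dport, flags, seq=0):
    """Construct a minimal TCP header (test data, not a capture)."""
    offset_flags = (5 << 12) | flags  # data offset of 5 words, no options
    return TCP_HDR.pack(sport, dport, seq, 0, offset_flags, 8192, 0, 0)


def tcp_fields(segment):
    """Return (sport, dport, flags) or None if the header is truncated."""
    if len(segment) < TCP_HDR.size:
        return None
    sport, dport, _seq, _ack, offset_flags, _w, _c, _u = TCP_HDR.unpack_from(segment, 0)
    return sport, dport, offset_flags & 0x3F


def classify_half_scan(segment):
    """Name the stealth-scan type a segment matches, or None for normal traffic."""
    fields = tcp_fields(segment)
    if fields is None:
        return None
    flags = fields[2]
    if flags == 0:
        return "NULL scan"
    if flags == SYN | FIN | ACK:
        return "Christmas scan"  # as described in this guide
    if flags & SYN and flags & FIN:
        return "SYN-FIN scan"  # SYN and FIN never occur together legitimately
    return None


class HalfScanTracker:
    """Aggregate stealth-scan segments per source into one event."""

    def __init__(self, port_threshold=3):  # threshold is an assumed value
        self.port_threshold = port_threshold
        self.ports_by_src = defaultdict(set)
        self.kinds_by_src = defaultdict(set)

    def observe(self, src_ip, segment):
        """Return an IPHalfScan-style event once a source probes enough ports."""
        kind = classify_half_scan(segment)
        if kind is None:
            return None
        _sport, dport, _flags = tcp_fields(segment)
        self.ports_by_src[src_ip].add(dport)
        self.kinds_by_src[src_ip].add(kind)
        if len(self.ports_by_src[src_ip]) == self.port_threshold:
            return {
                "event": "IPHalfScan",
                "src": src_ip,
                "ports": sorted(self.ports_by_src[src_ip]),
                "kinds": sorted(self.kinds_by_src[src_ip]),
            }
        return None


def run_sample():
    """Normal handshake traffic mixed with NULL and SYN-FIN probes."""
    scanner = "198.51.100.7"  # constructed address
    traffic = [
        ("192.0.2.10", build_tcp(40000, 80, SYN)),
        ("192.0.2.10", build_tcp(40000, 80, ACK)),
        (scanner, build_tcp(50000, 21, 0)),
        (scanner, build_tcp(50001, 22, SYN | FIN)),
        ("192.0.2.10", build_tcp(40000, 80, FIN | ACK)),
        (scanner, build_tcp(50002, 25, 0)),
    ]
    tracker = HalfScanTracker()
    return [e for e in (tracker.observe(s, seg) for s, seg in traffic) if e]


if __name__ == "__main__":
    for event in run_sample():
        print(event)
```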
How to remove this
vulnerability
Upgrade your firewall to a system that understands the state of TCP connections and
rejects stealth scan packets. Stateful inspection and proxy firewalls will defeat IP half
scan attacks.
If you see this attack, log the address of the scanning entity. Contact the domain
administrator of the source domain to verify the address and the intent behind the scan.
Pay close attention to the log files of scanned hosts. If appropriate, reconfigure your
firewalls to inhibit traffic from the source of the scans.
References
ISS X-Force
TCP Half scan (Stealth scan)
http://xforce.iss.net/static/405.php
IPOP3D, brute force attack (IPOP3D_brute_force_attack)
About this
signature or
vulnerability
This signature detects the following syslog message generated by the IPOP3 service:
"Excessive login failures"
Default risk level
High
Sensors that have
this signature
RealSecure OS Sensor: 3.0
Systems affected
Unix
Type
Host Sensor
Vulnerability
description
The IPOP3D (Post Office Protocol) service has historically been targeted by attackers. This
service records access attempts in the Unix syslog, as well as events that are associated
with specific attacks. Certain direct attacks against the IPOP3D service can be detected in
this way. It may also be helpful to create an audit history of successful and failed access
events by monitoring the service's syslog messages.
How to remove this
vulnerability
This event likely indicates a direct attack against the IPOP3D service, which requires
immediate response from an administrator. Log in to the Unix host in question and
terminate any user process that is obviously the source of the attack. Consider
immediately shutting down the service and curtailing access. Investigate the need to
upgrade or patch the service.
References
ISS X-Force
IPOP3D, brute force attack
http://xforce.iss.net/static/1522.php
IPOP3D, Buffer overflow attack (IPOP3D_Overflow)
About this
signature or
vulnerability
This signature detects the following syslog message generated by the IPOP3 service:
"Crack attempt"
Default risk level
High
Sensors that have
this signature
RealSecure OS Sensor: 3.0
Systems affected
Unix
Type
Unauthorized Access Attempt
Vulnerability
description
The IPOP3D (Post Office Protocol) service has historically been targeted by attackers. This
service records access attempts in the Unix syslog, as well as events that are associated
with specific attacks. Certain direct attacks against the IPOP3D service can be detected in
this way. It may also be helpful to create an audit history of successful and failed access
events by monitoring the service's syslog messages.
How to remove this
vulnerability
This event likely indicates a direct attack against the IPOP3D service, which requires
immediate response from an administrator. Log in to the Unix host in question and
terminate any user process that is obviously the source of the attack. Consider
immediately shutting down the service and curtailing access. Investigate the need to
upgrade or patch the service.
References
ISS X-Force
IPOP3D, Buffer overflow attack
http://xforce.iss.net/static/4918.php
IPOP3D, user auto-logout (IPOP3D_user_auto-logout)
About this
signature or
vulnerability
This signature detects the following syslog message generated by the IPOP3 service:
"Autologout user"
Default risk level
Low
Sensors that have
this signature
RealSecure OS Sensor: 3.0
Systems affected
Unix
Type
Host Sensor
Vulnerability
description
The IPOP3D (Post Office Protocol) service has historically been targeted by attackers. This
service records access events in the Unix syslog. It may be helpful to create an audit
history of these events, by monitoring the service's syslog messages. Normal access
attempts at unexpected times or under unusual circumstances may reveal the presence of
an attacker.
How to remove this
vulnerability
This event is likely the result of normal user activity. If this event appears suspicious,
review the audit history of access to determine if misuse or an attack of the IPOP3D
service has occurred.
References
ISS X-Force
IPOP3D, user auto-logout
http://xforce.iss.net/static/1524.php
IPOP3D, user kiss of death logout
(IPOP3D_user_kiss_of_death_logout)
About this
signature or
vulnerability
This signature detects the following syslog message generated by the IPOP3 service:
"Kiss of death"
Default risk level
High
Sensors that have
this signature
RealSecure OS Sensor: 3.0
Systems affected
Unix
Type
Host Sensor
Vulnerability
description
The IPOP3D (Post Office Protocol) service has historically been targeted by attackers. This
service records access attempts in the Unix syslog, as well as events that are associated
with specific attacks. Certain direct attacks against the IPOP3D service can be detected in
this way. It may also be helpful to create an audit history of successful and failed access
events by monitoring the service's syslog messages.
How to remove this
vulnerability
This event likely indicates a direct attack against the IPOP3D service, which requires
immediate response from an administrator. Log in to the Unix host in question and
terminate any user process that is obviously the source of the attack. Consider
immediately shutting down the service and curtailing access. Investigate the need to
upgrade or patch the service.
References
ISS X-Force
IPOP3D, user kiss of death logout
http://xforce.iss.net/static/1521.php
IPOP3D, user login failure (IPOP3D_user_login_failure)
About this
signature or
vulnerability
This signature detects the following syslog message generated by the IPOP3 service:
"Login failure"
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.0
Systems affected
Unix
Type
Host Sensor
Vulnerability
description
The IPOP3D (Post Office Protocol) service has historically been targeted by attackers. This
service records failed access events in the Unix syslog. It may be helpful to create an audit
history of these events, by monitoring the service's syslog messages. Failed access
attempts may indicate an access error or an attempt by an attacker to probe your network.
How to remove this
vulnerability
This event may indicate that a user is having difficulty using the service, or it may indicate
the presence of an attacker. Log in to the Unix host in question and determine who is
accessing the service and if they have a legitimate reason to do so. If this event appears
suspicious, review the audit history of access to determine if misuse or an attack of the
IPOP3D service has occurred.
References
ISS X-Force
IPOP3D, user login failure
http://xforce.iss.net/static/1523.php
IPOP3D, user login successful (IPOP3D_user_login_successful)
About this
signature or
vulnerability
This signature detects the following syslog message generated by the IPOP3 service:
"Login user="
Default risk level
Low
Sensors that have
this signature
RealSecure OS Sensor: 3.0
Systems affected
Unix
Type
Host Sensor
Vulnerability
description
The IPOP3D (Post Office Protocol) service has historically been targeted by attackers. This
service records access events in the Unix syslog. It may be helpful to create an audit
history of these events, by monitoring the service's syslog messages. Normal access
attempts at unexpected times or under unusual circumstances may reveal the presence of
an attacker.
How to remove this
vulnerability
This event is likely the result of normal user activity. If this event appears suspicious,
review the audit history of access to determine if misuse or an attack of the IPOP3D
service has occurred.
References
ISS X-Force
IPOP3D, user login successful
http://xforce.iss.net/static/1560.php
IPOP3D user login to remote host successful
(IPOP3D_user_login_to_remote_host_successful)
About this
signature or
vulnerability
This signature detects the following syslog message generated by the IPOP3 service:
"IMAP login to host"
Default risk level
Low
Sensors that have
this signature
RealSecure OS Sensor: 3.0
Systems affected
Unix
Type
Host Sensor
Vulnerability
description
The IPOP3D (Post Office Protocol) service has historically been targeted by attackers. This
service records access events in the Unix syslog. It may be helpful to create an audit
history of these events, by monitoring the service's syslog messages. Normal access
attempts at unexpected times or under unusual circumstances may reveal the presence of
an attacker.
How to remove this
vulnerability
This event is likely the result of normal user activity. If this event appears suspicious,
review the audit history of access to determine if misuse or an attack of the IPOP3D
service has occurred.
References
ISS X-Force
IPOP3D user login to remote host successful
http://xforce.iss.net/static/1559.php
IPOP3D, user logout (IPOP3D_user_logout)
About this
signature or
vulnerability
This signature detects the following syslog message generated by the IPOP3 service:
"Logout from"
Default risk level
Low
Sensors that have
this signature
RealSecure OS Sensor: 3.0
Systems affected
Unix
Type
Host Sensor
Vulnerability
description
The IPOP3D (Post Office Protocol) service has historically been targeted by attackers. This
service records access events in the Unix syslog. It may be helpful to create an audit
history of these events, by monitoring the service's syslog messages. Normal access
attempts at unexpected times or under unusual circumstances may reveal the presence of
an attacker.
How to remove this
vulnerability
This event is likely the result of normal user activity. If this event appears suspicious,
review the audit history of access to determine if misuse or an attack of the IPOP3D
service has occurred.
References
ISS X-Force
IPOP3D, user logout
http://xforce.iss.net/static/1525.php
TCP/IP protocol violations (IPProtocolViolation)
About this
signature or
vulnerability
Additional
Vulnerabilities
Found
This signature detects invalid packets in TCP/IP traffic.
■ decod-lamptest-segment
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 2.5, RealSecure Server Sensor: 5.5
Systems affected
Any
Type
Protocol Signature
Vulnerability
description
Every network protocol has various rules that must be followed for proper operation. To
verify that these rules are being followed, packets can be collected and examined. This
confirms that packets are valid, and also that the intrusion detection system
examining the packets does not misinterpret them. Attackers may attempt
to cause failures at the target host or cause an intrusion detection system to misinterpret
traffic or fail.
How to remove this
vulnerability
Examine the reason for the protocol violation given in the report. Check the source and
destination addresses for other events that have been triggered. Protocol violations are
most significant in conjunction with other attacks.
References
ISS X-Force
TCP/IP protocol violations
http://xforce.iss.net/static/1074.php
Unknown IP protocol (IPUnknownProtocol)
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 2.5
Systems affected
Any
Type
Suspicious Activity
Vulnerability
description
There are several well-known protocols that are used on top of the IP protocol to transmit
data. Examples of these are TCP, UDP, and IGMP.
Custom applications may create their own protocol and transmit data using a custom
protocol. These applications that use their own protocol format may make it difficult or
impossible to determine what is being transmitted without directly examining the data.
For this reason, custom protocols are sometimes used by attackers to avoid detection
while transmitting data across the network.
Many security tools ignore protocols they do not understand. Therefore, it is common to
establish a covert communications channel using an unknown protocol. A covert channel
could indicate a backdoor into your network.
How to remove this
vulnerability
If you suspect abnormal activity, use a network analysis tool to capture and view network
traffic.
References
ISS X-Force
Unknown IP protocol
http://xforce.iss.net/static/408.php
IRC buffer overflow allows attackers to execute commands as
root (IRC_Daemon_Overflow)
About this
signature or
vulnerability
This signature detects a buffer overflow attack against ircd, the server binary for Internet
Relay Chat.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
IRCd: 2.8.21 and earlier
Type
Unauthorized Access Attempt
Vulnerability
description
The Internet Relay Chat (IRC) daemon, ircd, is vulnerable to a buffer overflow. A remote
attacker can overflow a buffer and execute arbitrary code on the system to gain root access
or cause the system to crash. Exploit information about this vulnerability has been made
widely available.
This buffer overflow vulnerability exists in all versions of ircd.dal through 4.4.10 and the
base irc2.8.21 distribution. The vulnerability may be present in ircu2.9.32, though it is
known to not be present in ircd.dal4.4.11.
How to remove this
vulnerability
Upgrade to the latest version of ircd (2.9.1 or later), available from the Boston University
FTP site. See References.
References
BugTraq Mailing List, Tue Jul 01 1997 02:20:47
ircd buffer overflow
http://www.securityfocus.com/archive/1/7169
The Book of IRC Web site
Software archive - IRC daemons
http://www.bookofirc.com/software/servers/
Boston University FTP site
ircd software downloads (v2.5.x - v2.9.x)
ftp://cs-pub.bu.edu/pub/irc/servers/
ISS X-Force
IRC buffer overflow allows attackers to execute commands as root
http://xforce.iss.net/static/624.php
IRC channel joined (IRC_Join)
About this
signature or
vulnerability
This signature detects channels joined by a user on Internet Relay Chat (IRC). In
combination with the other IRC signatures, this signature can be used to construct a log of
IRC activity.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
Internet Relay Chat
Type
Protocol Signature
Vulnerability
description
Internet Relay Chat (IRC) has traditionally been used for on-line discussions. While many
IRC channels are used to discuss legitimate topics, some channels may be used to
discuss illegal or unethical activities.
How to remove this
vulnerability
Consult your organization's acceptable use policy and consider restricting use of IRC.
References
ISS X-Force
IRC channel joined
http://xforce.iss.net/static/660.php
IRC message (IRC_Msg)
About this
signature or
vulnerability
This signature detects entire messages sent by a user on Internet Relay Chat (IRC). In
combination with the other IRC signatures, this signature can be used to construct a log of
IRC activity.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
Internet Relay Chat
Type
Protocol Signature
Vulnerability
description
Internet Relay Chat (IRC) has traditionally been used for on-line discussions. While many
IRC channels are used to discuss legitimate topics, some channels may be used to
discuss illegal or unethical activities.
How to remove this
vulnerability
Consult your organization's acceptable use policy and consider restricting use of IRC.
References
ISS X-Force
IRC message
http://xforce.iss.net/static/661.php
IRC nick (IRC_Nick)
About this
signature or
vulnerability
This signature detects changes of a user's nickname on Internet Relay Chat (IRC). In
combination with the other IRC signatures, this signature can be used to construct a log of
IRC activity.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
IRCd: 2.8.21 and earlier
Type
Protocol Signature
Vulnerability
description
Internet Relay Chat (IRC) has traditionally been used for on-line discussions. While many
IRC channels are used to discuss legitimate topics, some channels may be used to
discuss illegal or unethical activities.
How to remove this
vulnerability
Consult your organization's acceptable use policy and consider restricting use of IRC.
References
ISS X-Force
IRC nick
http://xforce.iss.net/static/662.php
Trinity distributed denial of service tool (IRC_Trinity)
About this
signature or
vulnerability
This signature detects an IRC message that begins with "(trinity)". This could indicate the
presence of a Trinity agent on a system on your network.
False positives
RealSecure Network Sensor: A false positive is possible if RealSecure detects any IRC
user message that begins with "(trinity)".
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: SR 1.1
Systems affected
Linux kernel
Type
Denial of Service
Vulnerability
description
Trinity is a distributed denial of service tool for Linux that is controlled by IRC (Internet
Relay Chat). The Trinity agent connects to an Undernet IRC server and waits for
commands to be sent to the channel. Trinity can perform 8 different types of floods: UDP
flood, Fragment flood, SYN flood, RST flood, random flags flood, ACK flood, establish
flood, and null flood.
How to remove this
vulnerability
Reinstall the operating system of any system on which a Trinity agent is found.
Consider restricting use of public chat systems, such as IRC, which can pose a legitimate
security risk.
References
Internet Security Systems Security Alert #59
Trinity v3 Distributed Denial of Service tool
http://xforce.iss.net/alerts/advise59.php
CIAC Information Bulletin K-072
New Variants of Trinity and Stacheldraht DDoS
http://www.ciac.org/ciac/bulletins/k-072.shtml
ISS X-Force
Trinity distributed denial of service tool
http://xforce.iss.net/static/5256.php
IRDP can be used to change the default gateway of some
systems (IRDP_Gateway_Spoof)
About this
signature or
vulnerability
This signature detects an ICMP type 9 (router advertisement) packet with a router
preference greater than or equal to 1000.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: SR 1.1, RealSecure Server Sensor: 5.5.2
Systems affected
Solaris, SunOS, Windows 95, Windows 98
Type
Suspicious Activity
Vulnerability
description
Systems configured for DHCP (Dynamic Host Configuration Protocol) obtain default
gateway information and other configuration parameters when they first contact the
network's DHCP server. When dynamically configured through DHCP, it is possible to
remotely change the default gateway of certain systems (including Sun Solaris and SunOS
as well as Windows 95 and Windows 98) with ICMP Router Advertisement messages.
Using ICMP Router Advertisement messages in this way, an attacker could cause a
system to direct its network traffic through a system of the attacker's choice. This could
allow an attacker to use passive or man-in-the-middle monitoring, or commit denial of
service attacks.
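The detection rule stated for this signature (ICMP type 9 with a router preference of 1000 or more), as an added example that is not part of the original guide or of RealSecure: it builds and verifies the ICMP checksum, parses each router-address/preference entry of a Router Advertisement as a signed 32-bit value, and reports the entries whose preference reaches the threshold. The packets are constructed inline.

```python
import struct

ICMP_ROUTER_ADVERT = 9          # ICMP type for Router Advertisement
PREFERENCE_THRESHOLD = 1000     # threshold named by this signature
ADVERT_HDR = struct.Struct("!BBHBBH")  # type, code, checksum, count, entry size, lifetime
ENTRY = struct.Struct("!4si")          # router address, signed preference


def icmp_checksum(data):
    """Standard one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_router_advert(entries, lifetime=1800):
    """Construct an ICMP Router Advertisement; entries are (ip, preference)."""
    body = b"".join(
        ENTRY.pack(bytes(int(o) for o in ip.split(".")), pref)
        for ip, pref in entries)
    hdr = ADVERT_HDR.pack(ICMP_ROUTER_ADVERT, 0, 0, len(entries), 2, lifetime)
    csum = icmp_checksum(hdr + body)
    return ADVERT_HDR.pack(ICMP_ROUTER_ADVERT, 0, csum, len(entries), 2, lifetime) + body


def parse_router_advert(pkt):
    """Return {'lifetime', 'entries'} for a valid advert, else None."""
    if len(pkt) < ADVERT_HDR.size:
        return None
    icmp_type, _code, _csum, count, entry_size, lifetime = ADVERT_HDR.unpack_from(pkt, 0)
    if icmp_type != ICMP_ROUTER_ADVERT or entry_size != 2:
        return None
    if icmp_checksum(pkt) != 0:
        return None  # corrupted or truncated message; a checksum over a valid one sums to 0
    if len(pkt) < ADVERT_HDR.size + ENTRY.size * count:
        return None
    entries = []
    for i in range(count):
        raw_ip, pref = ENTRY.unpack_from(pkt, ADVERT_HDR.size + ENTRY.size * i)
        entries.append((".".join(str(b) for b in raw_ip), pref))
    return {"lifetime": lifetime, "entries": entries}


def irdp_gateway_spoof_alerts(pkt):
    """Entries that meet the signature's preference threshold, as (ip, pref)."""
    advert = parse_router_advert(pkt)
    if advert is None:
        return []
    return [(ip, pref) for ip, pref in advert["entries"]
            if pref >= PREFERENCE_THRESHOLD]


def run_sample():
    """One ordinary advert and one carrying a very high preference (constructed)."""
    normal = build_router_advert([("192.0.2.1", 0)])
    suspicious = build_router_advert([("192.0.2.1", 0), ("192.0.2.250", 0x7FFFFFFF)])
    return irdp_gateway_spoof_alerts(normal), irdp_gateway_spoof_alerts(suspicious)


if __name__ == "__main__":
    print(run_sample())
```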
How to remove this
vulnerability
Block all incoming ICMP type 9 and 10 (Router Advertisement and Solicitation)
datagrams.
For Windows 95/98:
Disable IRDP functionality. Refer to Microsoft Knowledge Base Article Q216141. See
References.
For Solaris and SunOS:
Configure your systems to obtain default gateway information from the DHCP server or
from the '/etc/defaultrouter' file.
Solaris
Configure the system to obtain default gateway information from the DHCP server or
from the '/etc/defaultrouter' file.
SunOS
Configure the system to obtain default gateway information from the DHCP server or
from the '/etc/defaultrouter' file.
Windows 95
Configure the system to disable IRDP functionality; refer to Microsoft Knowledge Base
Article Q216141.
Windows 98
Configure the system to disable IRDP functionality; refer to Microsoft Knowledge Base
Article Q216141.
References
@stake, Inc./L0pht Security Advisory 08/11/99
IDRP Default Route Assignment
http://www.atstake.com/research/advisories/1999/rdp.txt
Microsoft Knowledge Base Article Q216141
HOWTO: Disable IRDP Automatically Using WSH VBScript
http://support.microsoft.com/support/kb/articles/q216/1/41.asp
ISS X-Force
IRDP can be used to change the default gateway of some systems
http://xforce.iss.net/static/3123.php
CVE
CVE-1999-0875
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0875
Internet Scanner or Desktop Protection System detected a high
risk vulnerability (IS_High_Vulnerability_Found)
About this
signature or
vulnerability
This signature detects when Internet Scanner or Desktop Protection System detects a high
risk vulnerability on a host. The scanner's policy determined that this event should be sent
to the RealSecure Server Sensor.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Windows NT, Windows 95, Windows 98, Windows 2000, Windows ME
Type
Host Sensor
Vulnerability
description
Internet Scanner or Desktop Protection System detected a high risk vulnerability on a
host. The policy determined that this event should be sent to the RealSecure Server
Sensor.
How to remove this
vulnerability
Identify the host for which the vulnerability was detected. Run a Desktop Protection
System scan on the host with local reports enabled, or consult the Internet Scanner scan
results, which will provide detailed information regarding the detected vulnerability as
well as a specific remedy.
References
ISS X-Force
Internet Scanner or Desktop Protection System detected a high risk vulnerability
http://xforce.iss.net/static/6119.php
Internet Scanner detected a low risk vulnerability
(IS_Low_Vulnerability_Found)
About this
signature or
vulnerability
This signature detects when Internet Scanner detects a low risk vulnerability on a host.
The Internet Scanner policy determined that this event should be sent to the RealSecure
Server Sensor.
Default risk level
Low
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Windows, Unix
Type
Host Sensor
Vulnerability
description
Internet Scanner detected a low risk vulnerability on a host. The Internet Scanner policy
determined that this event should be sent to the RealSecure Server Sensor.
How to remove this
vulnerability
Identify the host for which the vulnerability was detected. Consult the Internet Scanner
scan results, which will provide detailed information regarding the detected vulnerability
as well as a specific remedy.
References
ISS X-Force
Internet Scanner detected a low risk vulnerability
http://xforce.iss.net/static/7227.php
Internet Scanner detected a medium risk vulnerability
(IS_Meduim_Vulnerability_Found)
About this
signature or
vulnerability
This signature detects when Internet Scanner detects a medium risk vulnerability on a
host. The Internet Scanner policy determined that this event should be sent to the
RealSecure Server Sensor.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Windows, Unix
Type
Host Sensor
Vulnerability
description
Internet Scanner detected a medium risk vulnerability on a host. The Internet Scanner
policy determined that this event should be sent to the RealSecure Server Sensor.
How to remove this
vulnerability
Identify the host for which the vulnerability was detected. Consult the Internet Scanner
scan results, which will provide detailed information regarding the detected vulnerability
as well as a specific remedy.
References
ISS X-Force
Internet Scanner detected a medium risk vulnerability
http://xforce.iss.net/static/7226.php
Internet Scanner scan completed (IS_Scan_Completed)
About this
signature or
vulnerability
This signature detects a Windows Application event log message or a Solaris syslog
message indicating that an Internet Scanner scan has completed.
Default risk level
Low
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Windows, Unix
Type
Host Sensor
Vulnerability
description
An Internet Scanner scan was completed. This means that Internet Scanner has finished
either a manual scan or a scheduled scan. Use this event to keep track of when scans are
performed.
How to remove this
vulnerability
Confirm that the scan is authorized. If the scan is not authorized, ensure that access to the
Internet Scanner console is secure and protected from unauthorized users.
References
ISS X-Force
Internet Scanner scan completed
http://xforce.iss.net/static/7229.php
Internet Scanner scan started (IS_Scan_Started)
About this
signature or
vulnerability
This signature detects a Windows Application event log message or a Solaris syslog
message indicating that Internet Scanner has started a scan.
Default risk level
Low
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Windows, Unix
Type
Host Sensor
Vulnerability
description
An Internet Scanner scan was started. This means that Internet Scanner has started either
a manual scan or a scheduled scan. Use this event to keep track of when scans are
performed.
How to remove this
vulnerability
Confirm that the scan is authorized. If the scan is not authorized, ensure that access to the
Internet Scanner console is secure and protected from unauthorized users.
References
ISS X-Force
Internet Scanner scan started
http://xforce.iss.net/static/7228.php
ISA Server component failed (ISA_Abnormal_Termination)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 7023 is written to the
System event log. See your ISA Server documentation for more details.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
System event log. An ISA Server component failed abnormally.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Server component failed
http://xforce.iss.net/static/7503.php
ISA Alert service failed to log an event (ISA_Alert_Failed_Log)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14180 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. The ISA Server Alert Service failed to log an event to the system
log.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Alert service failed to log an event
http://xforce.iss.net/static/7504.php
ISA Server failed to start (ISA_Failed_To_Start)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 7001 is written to the
System event log. See your ISA Server documentation for more details.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
System event log. The ISA Server failed to start successfully.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Server failed to start
http://xforce.iss.net/static/7505.php
ISA Firewall service initialization failed (ISA_FW_Init_Failed)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14001 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. The ISA Server Firewall Service initialization failed.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Firewall service initialization failed
http://xforce.iss.net/static/7506.php
ISA Firewall service failed to start
(ISA_FW_Start_Failed_Corrupt)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14063 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. The ISA Server Firewall Service failed to start successfully.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Firewall service failed to start
http://xforce.iss.net/static/7507.php
ISA Firewall service stopped (ISA_FW_Stop)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14182 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. The ISA Server Firewall Service was stopped. Network security has
been negatively impacted.
How to remove this
vulnerability
Confirm with the system administrator that this is expected. If not, your system has likely
been compromised.
This event was generated directly from ISA server. Please see your ISA documentation for
additional information.
References
ISS X-Force
ISA Firewall service stopped
http://xforce.iss.net/static/7508.php
ISA Server failed to write an event to the log
(ISA_LOG_File_Write_Failed)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14047 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. The ISA Server failed to write an event to the log file.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Server failed to write an event to the log
http://xforce.iss.net/static/7509.php
ISA Server stopped logging events
(ISA_LOG_Service_Stopped_Logging_Failure)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14049 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. The Microsoft ISA Service has stopped logging events to the log
file.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Server stopped logging events
http://xforce.iss.net/static/7510.php
ISA Server failed to create a packet filter
(ISA_PF_Create_PF_Failure)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14120 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. The ISA Server could not create a packet filter.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Server failed to create a packet filter
http://xforce.iss.net/static/7511.php
ISA Server packet filter rebind failure
(ISA_PF_Dial_Out_Rebind_Failure)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14121 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. The ISA Server packet filter dial-out interface cannot be rebound.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Server packet filter rebind failure
http://xforce.iss.net/static/7512.php
ISA Server packet filter is dropping packets
(ISA_PF_Dropping_Packets)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14044 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. The ISA Server packet filter is dropping packets.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Server packet filter is dropping packets
http://xforce.iss.net/static/7513.php
ISA Server packet filters disabled (ISA_PF_Filtering_Disabled)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14124 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. ISA Server's packet filtering capability has been disabled.
How to remove this
vulnerability
Confirm with the system administrator that this is expected. If not, your system has likely
been compromised.
This event was generated directly from ISA server. Please see your ISA documentation for
additional information.
References
ISS X-Force
ISA Server packet filters disabled
http://xforce.iss.net/static/7514.php
ISA Server packet filter insecure configuration
(ISA_PF_Insecure_Config)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14086 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. ISA Server has detected an insecure configuration in the packet
filter.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Server packet filter insecure configuration
http://xforce.iss.net/static/7515.php
ISA Server packet filter interface bind failure
(ISA_PF_Interface_Bind_Failure)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14122 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. An ISA Server packet filter interface cannot be bound.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Server packet filter interface bind failure
http://xforce.iss.net/static/7516.php
ISA Server failed to create an IP packet filter
(ISA_PF_IP_PF_Create_Failure)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14123 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. ISA Server failed to create an IP packet filter.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Server failed to create an IP packet filter
http://xforce.iss.net/static/7517.php
ISA Server packet filter did not detect an external interface
(ISA_PF_No_Ext_Interface)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14119 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. ISA Server did not detect an external interface for use by the packet
filter.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Server packet filter did not detect an external interface
http://xforce.iss.net/static/7518.php
ISA Server packet filter protocol violation detected
(ISA_PF_Protocol_Violation)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14046 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. ISA Server packet filter has detected a protocol violation.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Server packet filter protocol violation detected
http://xforce.iss.net/static/7519.php
ISA Server Control service initialization failed
(ISA_SCS_Init_Failed)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14026 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. The ISA Server Control Service failed to initialize due to an
unknown reason.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Server Control service initialization failed
http://xforce.iss.net/static/7520.php
ISA Server Control service stopped (ISA_SCS_Stop)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14181 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. The ISA Server Control Service was stopped. All other ISA services
depend on the Server Control Service, so ISA has been effectively stopped.
How to remove this
vulnerability
Confirm with the system administrator that this action was expected. If not, your system
has likely been compromised.
This event was generated directly from ISA server. Please see your ISA documentation for
additional information.
References
ISS X-Force
ISA Server Control service stopped
http://xforce.iss.net/static/7521.php
ISA Server corrupted registry (ISA_Server_Init_Failed_Corrupt)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14145 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. ISA Server failed to initialize because of a corrupted registry.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Server corrupted registry
http://xforce.iss.net/static/7522.php
ISA Server insecure configuration (ISA_Server_NAT_Insecure)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14087 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. ISA Server detected an insecure configuration. ISA uses its own
NAT editor to fully secure your system.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Server insecure configuration
http://xforce.iss.net/static/7523.php
ISA Web Proxy service stopped (ISA_WPS_Stop)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 14183 is written to the
Application event log. See your ISA Server documentation for more details.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
Application event log. The ISA Server Web Proxy Service has been stopped.
How to remove this
vulnerability
Confirm with system administrators that this action was expected. If not, your system has
likely been compromised.
This event was generated directly from ISA server. Please see your ISA documentation for
additional information.
References
ISS X-Force
ISA Web Proxy service stopped
http://xforce.iss.net/static/7524.php
ISA Web Proxy service failed (ISA_WPS_Terminated)
About this
signature or
vulnerability
This signature detects when an ISA Server entry with event log ID 7024 is written to the
System event log. See your ISA Server documentation for more details.
Default risk level
High
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft ISA Server: 2000
Type
Host Sensor
Vulnerability
description
Microsoft ISA (Internet Security & Acceleration) Server has written a message to the
System event log. The ISA Server Web Proxy Service terminated abnormally.
How to remove this
vulnerability
This event was generated directly from ISA server. Please see your ISA documentation for
remedy information.
References
ISS X-Force
ISA Web Proxy service failed
http://xforce.iss.net/static/7525.php
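The ISA Server entries above all key on the same two facts: which event log the entry lands in (System for the service-control failures 7001, 7023 and 7024, Application for the rest) and the event ID. The following is an added example, not RealSecure or ISA Server code, that runs that matching over a handful of constructed event-log export lines. The tab-separated export format, the source string "Microsoft ISA Server" and the message texts are assumptions for the sake of the example; the (log, ID) pairs, signature names and default risk levels are the ones documented above, and the entries whose remedy says to confirm the stop with the administrator are flagged separately.

```python
import re
from typing import Dict, List, Optional, Tuple

# (event log, event ID) -> (signature name, default risk level), from the entries above.
# The log name is part of the key: an ID 7023 written to the Application log is not
# the ISA_Abnormal_Termination condition, which is defined on the System log.
ISA_SIGNATURES: Dict[Tuple[str, int], Tuple[str, str]] = {
    ("System", 7023): ("ISA_Abnormal_Termination", "High"),
    ("System", 7001): ("ISA_Failed_To_Start", "High"),
    ("System", 7024): ("ISA_WPS_Terminated", "High"),
    ("Application", 14180): ("ISA_Alert_Failed_Log", "Medium"),
    ("Application", 14001): ("ISA_FW_Init_Failed", "High"),
    ("Application", 14063): ("ISA_FW_Start_Failed_Corrupt", "High"),
    ("Application", 14182): ("ISA_FW_Stop", "High"),
    ("Application", 14047): ("ISA_LOG_File_Write_Failed", "Medium"),
    ("Application", 14049): ("ISA_LOG_Service_Stopped_Logging_Failure", "Medium"),
    ("Application", 14120): ("ISA_PF_Create_PF_Failure", "High"),
    ("Application", 14121): ("ISA_PF_Dial_Out_Rebind_Failure", "Medium"),
    ("Application", 14044): ("ISA_PF_Dropping_Packets", "High"),
    ("Application", 14124): ("ISA_PF_Filtering_Disabled", "High"),
    ("Application", 14086): ("ISA_PF_Insecure_Config", "High"),
    ("Application", 14122): ("ISA_PF_Interface_Bind_Failure", "High"),
    ("Application", 14123): ("ISA_PF_IP_PF_Create_Failure", "High"),
    ("Application", 14119): ("ISA_PF_No_Ext_Interface", "Medium"),
    ("Application", 14046): ("ISA_PF_Protocol_Violation", "High"),
    ("Application", 14026): ("ISA_SCS_Init_Failed", "High"),
    ("Application", 14181): ("ISA_SCS_Stop", "High"),
    ("Application", 14145): ("ISA_Server_Init_Failed_Corrupt", "High"),
    ("Application", 14087): ("ISA_Server_NAT_Insecure", "High"),
    ("Application", 14183): ("ISA_WPS_Stop", "High"),
}

# Signatures whose remedy is "confirm with the administrator; if unexpected, the host
# has likely been compromised". A stopped firewall or control service is not a fault
# to be patched but an event to be verified.
CONFIRM_WITH_ADMIN = {"ISA_FW_Stop", "ISA_PF_Filtering_Disabled", "ISA_SCS_Stop", "ISA_WPS_Stop"}

# Assumed export line layout (constructed for this example, not an ISA or RealSecure format):
#   <timestamp> TAB <log name> TAB <source> TAB <event id> TAB <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\t(?P<log>System|Application)\t(?P<source>[^\t]+)\t(?P<id>\d+)\t(?P<msg>.*)$"
)
ISA_SOURCE = "Microsoft ISA Server"   # assumed source string

def classify_line(line: str) -> Optional[dict]:
    """Return the matching signature record for one export line, or None."""
    m = LINE_RE.match(line)
    if m is None or m.group("source") != ISA_SOURCE:
        return None
    hit = ISA_SIGNATURES.get((m.group("log"), int(m.group("id"))))
    if hit is None:
        return None
    name, risk = hit
    return {
        "timestamp": m.group("ts"),
        "signature": name,
        "risk": risk,
        "confirm_with_admin": name in CONFIRM_WITH_ADMIN,
    }

def classify_log(lines: List[str]) -> List[dict]:
    """Run classify_line over an export and keep only the ISA signature hits."""
    return [rec for rec in (classify_line(l) for l in lines) if rec is not None]

# Constructed sample export; message texts are invented placeholders.
SAMPLE_LOG = [
    "2001-09-14T03:12:07\tApplication\tMicrosoft ISA Server\t14182\tFirewall service stopped (constructed).",
    "2001-09-14T03:12:09\tSystem\tMicrosoft ISA Server\t7023\tService terminated abnormally (constructed).",
    "2001-09-14T03:12:10\tApplication\tMicrosoft ISA Server\t7023\tSame ID, wrong log: must not match.",
    "2001-09-14T03:15:00\tApplication\tMicrosoft ISA Server\t14047\tLog file write failed (constructed).",
    "2001-09-14T03:16:00\tSystem\tService Control Manager\t7023\tNot an ISA Server entry: must not match.",
]

if __name__ == "__main__":
    for rec in classify_log(SAMPLE_LOG):
        flag = "  <- confirm with administrator" if rec["confirm_with_admin"] else ""
        print(f'{rec["timestamp"]} {rec["signature"]} ({rec["risk"]}){flag}')
```

Lines 3 and 5 of the sample are there to show the two ways an event ID alone misleads: the right ID in the wrong log, and the right ID from a different source.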
Internet Scanner vulnerability assessment (ISS)
About this
signature or
vulnerability
This signature detects vulnerability assessments being made with the freely available
version of Internet Scanner, or with the commercial version of the product made by
Internet Security Systems (ISS).
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 1.0, RealSecure Server Sensor: 5.5
Systems affected
Any
Type
Pre-attack Probe
Vulnerability
description
The shareware version of Internet Scanner was widely distributed on the Internet. This
product can identify weaknesses in networks connected to the Internet. By using the
shareware version of Internet Scanner, an attacker could gain information that would be
useful in performing an attack.
How to remove this
vulnerability
No remedy available.
Examine the source of the scan. If the scan comes from inside your organization or uses
your own Internet Scanner key, then you may not need to worry. If it comes from outside
or uses a key you do not recognize or uses an earlier shareware version of Internet
Scanner, then you should identify the scanning entity and determine the intent of the
scan.
References
CERT Advisory CA-1993-14
Internet Security Scanner (ISS)
http://www.cert.org/advisories/CA-1993-14.html
ISS X-Force
Internet Scanner vulnerability assessment
http://xforce.iss.net/static/632.php
IP fragment reassembly denial of service (Jolt2)
About this
signature or
vulnerability
This signature detects very large ICMP packet fragments with an ID field and a fragment
offset that are characteristic of the Jolt2 ping of death exploit.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: 6.0.1
Systems affected
Windows NT, Windows 95, Windows NT: 4.0, Windows 98, Windows 2000, BeOS: 5.0
Type
Denial of Service
Vulnerability
description
Windows 95, 98, NT, and 2000, as well as BeOS 5.0, are vulnerable to a denial of service
attack, caused by a flaw in each operating system's method of IP fragment reassembly. A
remote attacker could send a continuous stream of identical, fragmented IP packets to
consume most or all of the operating system's CPU resources. This attack is sometimes
called the Jolt2 attack.
How to remove this
vulnerability
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin
MS00-029. See References.
Windows NT
Apply the "IP Fragment Reassembly" patch detailed in Microsoft Security Bulletin MS00-029
Windows 2000
Apply the "IP Fragment Reassembly" patch detailed in Microsoft Security Bulletin MS00-029
References
Microsoft Security Bulletin MS00-029
Patch Available for 'IP Fragment Reassembly' Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-029.asp
BindView RAZOR Security Advisory, May 19, 2000
Jolt2 - Remote Denial of Service attack against Windows 2000, NT4, and Win9x
http://razor.bindview.com/publish/advisories/adv_Jolt2.html
Microsoft Knowledge Base Article Q259728
Windows Hangs with Fragmented IP Datagrams
http://www.microsoft.com/technet/support/kb.asp?ID=259728
BugTraq Mailing List, Fri May 26 2000 09:18:38
Addendum: Analysis of jolt2.c (MS00-029)
http://www.securityfocus.com/archive/1/62014
BugTraq Mailing List, Fri May 26 2000 07:18:13
Analysis of jolt2.c (MS00-029)
http://www.securityfocus.com/archive/1/62011
ISS X-Force
IP fragment reassembly denial of service
http://xforce.iss.net/static/4518.php
CVE
CVE-2000-0305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0305
Kerberos IV peek accesses usernames and information
(Kerberos_User_Snarf)
About this
signature or
vulnerability
This signature detects a malformed packet sent to the Kerberos IV Key Distribution
Center (KDC), which may indicate an attempt by an attacker to obtain usernames or other
security-sensitive information from the KDC.
False positives
RealSecure Network Sensor: A false positive is possible for legitimate DNS requests from
a Unix system. A false positive is also possible if a normal Kerberos error message is
detected.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
Kerberos: IV
Type
Pre-attack Probe
Vulnerability
description
The Kerberos IV Key Distribution Center (KDC) does not clear some internal buffers. By
sending a malformed packet to the KDC, an attacker can cause it to leak the username of
the last request, as well as other information. By sending multiple malformed packets and
analyzing the results of each, the attacker can obtain a list of usernames. This information
could be useful to an attacker in performing future attacks.
How to remove this
vulnerability
Upgrade to Kerberos V, or contact your vendor for patch availability for Kerberos IV.
References
@stake, Inc./L0pht Security Advisory 11/22/96
Kerberos 4
http://www.atstake.com/research/advisories/1996/krb_adv.txt
Massachusetts Institute of Technology Web site
Kerberos: The Network Authentication Protocol
http://web.mit.edu/kerberos/www/
BugTraq Mailing List, Nov 22 1996 2:07AM
L0pht Kerberos Advisory
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=5747
ISS X-Force
Kerberos IV peek accesses usernames and information
http://xforce.iss.net/static/65.php
CVE
CAN-1999-1099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1099
Kuang2 Virus installs remote control functionality on infected
systems (Kuang2Virus)
About this
signature or
vulnerability
This signature detects traffic consistent with that produced by client communication
with the Kuang2 Virus backdoor program.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.1
Systems affected
Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
Kuang2 Virus is a backdoor program designed to run on Windows 95 and 98 systems that
infects files much like a virus. Once the virus has been executed on a system, it allows
remote control of the system over TCP port 17300 and systematically infects all PE
(Portable Executable) .exe files on the system. Remote attackers are able to download and
upload files as well as install plugins that expand on the backdoor's basic functions.
How to remove this
vulnerability
The client program includes an antivirus function to clean an infected computer.
To clean the local system, leave the IP address field in the program blank. The antivirus
cleaning process copies the infected version of EXPLORER.EXE to EXPLORER.WK2, and
removes the virus. The program places the cleaned version of the file back to
EXPLORER.EXE, when you shut down and restart your computer. The antivirus process
also scans the hard drive, looking for any other infected files. The readme file included in
the distribution of the backdoor recommends running the antivirus scan twice to ensure
that the backdoor is removed.
References
McAfee Virus Profile
W95/Kuang2.cli
http://vil.mcafee.com/dispVirus.asp?virus_k=10213&
TL Security Trojan Archive
Kuang 2 The Virus
http://www.multimania.com/ilikeit/kuang2v.htm
ISS X-Force
Kuang2 Virus installs remote control functionality on infected systems
http://xforce.iss.net/static/4074.php
Land denial of service (Land)
About this
signature or
vulnerability
This signature detects a forged TCP SYN packet that has the IP address and port number
for the source the same as the IP address and port for the destination, commonly known
as the Land attack.
Additional
Vulnerabilities
Found
■ ver-tcpip-sys
■ 95-verv-tcp
■ cisco-land
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 2.0, RealSecure Server Sensor: 5.5
Systems affected
Any, Windows NT, SCO Open Desktop/Open Server: 3.0, FreeBSD, SCO Open Server:
5.0, SCO UnixWare: 2.1.0, SCO CMW+: 3.0
Type
Denial of Service
Vulnerability description
A Land attack, named after the published exploit of that name, is an attack in which a
forged TCP SYN packet that has identical source and destination IP addresses, and
identical source and destination port numbers, is sent to a target system. Receiving such a
packet causes some TCP implementations to crash the target system or exhaust all CPU
resources.
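As an added detection example (not code from the ISS guide), the following Python parses a raw IPv4/TCP packet and flags the Land pattern described above: a bare SYN whose source IP and port equal its destination IP and port. The packets it checks are constructed inline rather than captured, and the addresses and ports are arbitrary test values.

```python
import socket
import struct

IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags=TCP_SYN):
    """Build a minimal IPv4 + TCP header pair (constructed test data; checksums left zero)."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,          # version 4, IHL 5 (20-byte header, no options)
        0,             # TOS
        40,            # total length: 20 IP + 20 TCP
        0x1234,        # identification
        0x4000,        # flags: don't fragment, fragment offset 0
        64,            # TTL
        IPPROTO_TCP,
        0,             # header checksum (not computed for this example)
        socket.inet_aton(src_ip),
        socket.inet_aton(dst_ip),
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        sport, dport,
        0,             # sequence number
        0,             # acknowledgement number
        5 << 4,        # data offset 5 words, reserved bits 0
        flags,
        8192,          # window
        0,             # checksum (not computed)
        0,             # urgent pointer
    )
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt):
    """Return (src_ip, dst_ip, sport, dport, flags), or None if the bytes are not a
    well-formed IPv4 packet carrying a complete TCP header (IP options are honoured)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != IPPROTO_TCP or len(pkt) < ihl + 20:
        return None
    src_ip = socket.inet_ntoa(pkt[12:16])
    dst_ip = socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]
    return src_ip, dst_ip, sport, dport, flags


def is_land_packet(pkt):
    """True when the packet matches the Land pattern: an initial SYN (no ACK) whose
    source IP and port equal its destination IP and port."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    src_ip, dst_ip, sport, dport, flags = parsed
    if not flags & TCP_SYN or flags & TCP_ACK:
        return False  # only a bare SYN starts the attack; a SYN/ACK is a reply
    return src_ip == dst_ip and sport == dport


def land_alerts(packets):
    """Scan a sequence of raw packets and return one (name, ip, port) tuple per match."""
    alerts = []
    for pkt in packets:
        if is_land_packet(pkt):
            src_ip, _, sport, _, _ = parse_ipv4_tcp(pkt)
            alerts.append(("Land", src_ip, sport))
    return alerts


if __name__ == "__main__":
    sample = [
        build_ipv4_tcp("192.0.2.10", "192.0.2.10", 139, 139),  # Land pattern
        build_ipv4_tcp("192.0.2.99", "192.0.2.10", 139, 139),  # same ports, different hosts
        build_ipv4_tcp("192.0.2.10", "192.0.2.10", 139, 139, TCP_SYN | TCP_ACK),
    ]
    print(land_alerts(sample))  # [('Land', '192.0.2.10', 139)]
```

Because the check is purely on header fields, it sits naturally at the perimeter router or firewall, which is also where the ingress filtering in the remedy below belongs.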
How to remove this vulnerability
Apply router or firewall rules that block all incoming packets claiming to originate from
the internal network.
— AND —
Apply the latest Service Pack (SP4 or later) for Windows NT, available from the Microsoft
Web site. See References.
— OR —
Apply the Service Pack 3 (SP3 or later) for Windows NT 4.0, available from the Microsoft
Knowledge Base Article Q179129. See References.
— OR —
Apply the post-SP3 teardrop2-fix, available from the Microsoft Knowledge Base Article
Q179129. See References. This fix applies only to those users who choose not to upgrade to
SP4 or later.
For FreeBSD-current:
Apply the patch dated 1998-01-21, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-98:01. See References.
For FreeBSD 2.2-stable:
Apply the patch dated 1998-01-30, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-98:01. See References.
For SCO systems:
Apply the appropriate patch for your system, as listed in SCO Security Bulletin 98:01. See
References.
For HP-UX:
Apply the appropriate patch for your system, as listed in Hewlett-Packard Security
Bulletin HPSBUX9801-076. See References.
For Novell NetWare:
Apply ftcpsv09.exe (or later), and modify the STARTUP.NCF file to block these types of
attacks, as listed in Novell Technical Information Document #2932511. See References.
As a workaround, block IP-spoofed packets.
For other distributions:
Contact your vendor for upgrade or patch information.
Windows NT
Install the latest Windows NT 4.0 Service Pack or, for Windows NT 4.0 Service Pack 3
(SP3) users, apply the teardrop2-fix hotfix as described in the Microsoft Knowledge Base
(KB) article Q165005 "Windows NT Slows Down Because of Land Attack".
SCO Open Desktop/Open Server: 3.0
Refer to SCO Security Bulletin 98:01 listed in the references.
FreeBSD
For FreeBSD-current: Apply the patch dated 1998-01-21, as listed in FreeBSD, Inc. Security
Advisory FreeBSD-SA-98:01. See References. For FreeBSD 2.2-stable: Apply the patch
dated 1998-01-30, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-98:01. See
References.
SCO Open Server: 5.0
Refer to SCO Security Bulletin 98:01 listed in the references. For OpenServer 5.0.0 and
OpenServer 5.0.2, SLS OSS468 will include fixes. If OSS468 is installed, SSE010 is not
required. SSE010 should not be installed after OSS468 as it will nullify other fixes
contained in OSS468. For OpenServer 5.0.4, SLS OSS469 will include fixes. If OSS469 is
installed, SSE010 is not required. SSE010 should not be installed after OSS469 as it will
nullify other fixes contained in OSS469.
SCO UnixWare: 2.1.0
Refer to SCO Security Bulletin 98:01 listed in the references.
SCO CMW+: 3.0
Refer to SCO Security Bulletin 98:01 listed in the references.
References
Microsoft Knowledge Base Article Q179129
STOP 0x0000000A or 0x00000019 Due to Modified Teardrop Attack
http://support.microsoft.com/support/kb/articles/q179/1/29.asp
Microsoft Knowledge Base Article Q165005
Windows NT Slows Down Because of Land Attack
http://support.microsoft.com/support/kb/articles/q165/0/05.asp
SCO Security Bulletin 98:01
IP-based Denial of Service Attacks
ftp://ftp.sco.com/SSE/security_bulletins/SB.98:01a
Hewlett-Packard Security Bulletin HPSBUX9801-076 (from SecurityFocus Archive)
Security Vulnerability with land on HP-UX
http://www.securityfocus.com/advisories/1481
CERT Advisory CA-1997-28
IP Denial-of-Service Attacks
http://www.cert.org/advisories/CA-1997-28.html
FreeBSD, Inc. Security Advisory FreeBSD-SA-98:01
LAND attack can cause harm to running FreeBSD systems
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-98:01.land.asc
Novell Technical Information Document #2932511
TCP Loopback Denial-of-Service Attack
http://support.novell.com/cgi-bin/search/tidfinder.cgi?2932511
Microsoft Web site
Windows NT Service Packs
http://support.microsoft.com/support/ntserver/Content/ServicePacks/
CIAC Information Bulletin I-036
FreeBSD Denial-of-Service LAND Attacks
http://ciac.llnl.gov/ciac/bulletins/i-036.shtml
CIAC Information Bulletin I-019
Tools Generating IP Denial-of-Service Attacks
http://ciac.llnl.gov/ciac/bulletins/i-019.shtml
CIAC Information Bulletin I-027b
HP-UX Vulnerabilities (CUE, CDE, land)
http://www.ciac.org/ciac/bulletins/i-027b.shtml
ISS X-Force
Land denial of service
http://xforce.iss.net/static/288.php
CVE
CVE-1999-0016
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0016
Windows NT snork attack can disable system (Land_UDP)
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 3.2, RealSecure Server Sensor: 6.5
Systems affected
Windows NT: 4.0, Windows NT: 4.0 SP2, Windows NT: 4.0 SP1, Windows NT: 4.0 SP3
Type
Denial of Service
Vulnerability description
Windows NT 4.0 up to SP4 is vulnerable to a denial of service attack. A remote attacker
with minimal resources can cause the system to consume all available processor and
network bandwidth resources for an indefinite length of time. The attack induces a storm
of packets, much like the smurf and fraggle attacks, and has been referred to as the snork
attack.
How to remove this vulnerability
Apply the Windows NT 4.0 Service Pack 4 (SP4 or later), as listed in Microsoft Security
Bulletin MS98-014.
— OR —
Apply the Snk-fix post-SP3 hotfix, as listed in Microsoft Security Bulletin MS98-014. See
References.
References
Microsoft Security Bulletin MS98-014
Update available for RPC Spoofing Denial of Service on Windows NT
http://www.microsoft.com/technet/security/bulletin/ms98-014.asp
Internet Security Systems Security Alert #09
Snork Denial of Service Attack Against Windows NT RPC Service
http://xforce.iss.net/alerts/advise9.php
Microsoft Knowledge Base Article Q193233
Rpcss.exe Consumes 100% CPU Due to RPC Spoofing Attack
http://support.microsoft.com/support/kb/articles/q193/2/33.asp
ISS X-Force
Windows NT snork attack can disable system
http://xforce.iss.net/static/1372.php
CVE
CVE-1999-0969
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0969
Microsoft LDAP server blacklist failed (LDAP_blacklist_failed)
About this signature or vulnerability
This signature detects a Windows security log message indicating that the Microsoft
LDAP server has attempted and failed to place a misbehaving host on its permanent
blacklist.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
An absence of frequent failures logged to the blacklist may indicate a misconfigured
LDAP Server, misconfigured host, or user error.
How to remove this vulnerability
Examine the LDAP server and determine why it is failing to log the hosts in its blacklist.
References
ISS X-Force
Microsoft LDAP server blacklist failed
http://xforce.iss.net/static/3196.php
Microsoft LDAP server permanent blacklist (LDAP_blacklist_permanent)
About this signature or vulnerability
This signature detects a Windows security log message indicating that the Microsoft
LDAP server has placed a misbehaving host on its permanent blacklist.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
Permanent blacklisting may be the result of a misconfigured device on the network, a
blacklisting threshold that is set too low, or unauthorized activity.
How to remove this vulnerability
Identify the devices that are being blacklisted and determine why they are being
blacklisted. If the devices are outside of your network and are not required for proper
functioning, consider implementing firewall rules to prevent these systems from abusing
the LDAP server.
References
ISS X-Force
Microsoft LDAP server permanent blacklist
http://xforce.iss.net/static/3195.php
Microsoft LDAP server temporary blacklist (LDAP_blacklist_short-term)
About this signature or vulnerability
This signature detects a Windows security log message indicating that the Microsoft
LDAP server has placed a misbehaving host on its temporary blacklist.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
Frequent activity in the blacklist may be caused by inappropriate or unauthorized activity
in conjunction with the LDAP server. An absence of frequent failures logged to the
blacklist may indicate a misconfigured host or user error.
How to remove this vulnerability
Identify the devices that are being blacklisted and determine why they are being
blacklisted. If the devices are outside of your network and are not required for proper
functioning, consider implementing firewall rules to prevent these systems from abusing
the LDAP server.
References
ISS X-Force
Microsoft LDAP server temporary blacklist
http://xforce.iss.net/static/3194.php
Local group access or privileges modified (Local_group_changed)
About this signature or vulnerability
This signature detects a security log message indicating that access to or privileges for a
local group have been changed.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Unix, Windows NT
Type
Host Sensor
Vulnerability description
Local groups are the primary means for distributing important privileges among users.
Groups help to simplify administration, as it is easier to assign privileges to a single group
than assigning them to each individual member. An attacker that has gained access to a
system can alter the membership of a local group to grant accounts privileges that were
never intended by the administrator.
Windows NT/2000: The following entry was added to the Windows NT/2000 security
event log: "641 - Local group changed, success audit". A local group is a named collection
of local and domain user accounts and global groups. It is a group that is defined on an
individual computer. The predefined local groups for a Windows NT/2000 domain are
Administrators, Backup Operators, Guests, Power Users, Replicator, and Users. The
additional predefined local groups for a system set up as a domain controller are Account
Operators, Print Operators, and Server Operators. Any time the local group is managed, an
audit message is written to the security event log.
Solaris: The /etc/group file has been modified. A UNIX group is a named collection of
user accounts. The local group file is /etc/group. When a user is a member of a group,
they are entitled to access files and other objects by virtue of their group ID (GID).
Note that this event pertains specifically to the local group file. Group membership may
also be provided to the system from a remote host via NIS.
How to remove this vulnerability
Windows NT/2000: If it has been determined that a system has been compromised, an
inspection of the local group audit events can determine how broadly the attacker may
have spread privileges among compromised accounts.
You can review the administrative activity history by running the Windows NT/2000
Admin Activity Report.
Solaris: Modification of the group file should only occur when account administration is
being performed. If this event occurs and cannot be attributed to known administrative
work, then check the contents of the group file for inappropriate use.
References
ISS X-Force
Local group access or privileges modified
http://xforce.iss.net/static/1535.php
Local group created with assigned members and privileges (Local_group_created)
About this signature or vulnerability
This signature detects a Windows security log message indicating that a local group has
been created.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
A local group is a named collection of local and domain user accounts and global groups.
It is a group that is defined on an individual computer. The predefined local groups for a
Windows NT domain are Administrators, Backup Operators, Guests, Power Users,
Replicator, and Users. The additional predefined local groups for a system set up as a
domain controller are Account Operators, Print Operators, and Server Operators. Any
management performed on the local group will result in an audit message being written
to the security event log.
Local groups are the primary means for distributing important privileges among users.
Groups help to simplify administration, as it is easier to assign privileges to a single group
than assigning them to each individual member. An attacker that has gained access to a
system can alter the membership of a local group to grant accounts privileges that were
never intended by the administrator.
How to remove this vulnerability
If it has been determined that a system has been compromised, an inspection of the local
group audit events can determine the privileges and access rights that an attacker may
have acquired. You can review the administrative activity history by running the
Windows NT Admin Activity Report.
References
ISS X-Force
Local group created with assigned members and privileges
http://xforce.iss.net/static/1531.php
Local group deleted from the system (Local_group_deleted)
About this signature or vulnerability
This signature detects a Windows security log message indicating that a local group has
been deleted.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
A local group is a named collection of local and domain user accounts and global groups.
It is a group that is defined on an individual computer. The predefined local groups for a
Windows NT domain are Administrators, Backup Operators, Guests, Power Users,
Replicator, and Users. The additional predefined local groups for a system set up as a
domain controller are Account Operators, Print Operators, and Server Operators. Any
management performed on the local group will result in an audit message being written
to the security event log.
Local groups are the primary means for distributing important privileges among users.
Groups help to simplify administration, as it is easier to assign privileges to a single group
than assigning them to each individual member. An attacker that has gained access to a
system can alter the membership of a local group to grant accounts privileges that were
never intended by the administrator.
How to remove this vulnerability
If it has been determined that a system has been compromised, an inspection of the local
group audit events can determine the privileges and access rights that an attacker may
have acquired. You can review the administrative activity history by running the
Windows NT Admin Activity Report.
References
ISS X-Force
Local group deleted from the system
http://xforce.iss.net/static/1538.php
Local group membership modified - user added
(Local_group_user_added)
About this signature or vulnerability
This signature detects a Windows security log message indicating that a user has been
added to a local group.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
A local group is a named collection of local and domain user accounts and global groups.
It is a group that is defined on an individual computer. The predefined local groups for a
Windows NT domain are Administrators, Backup Operators, Guests, Power Users,
Replicator, and Users. The additional predefined local groups for a system set up as a
domain controller are Account Operators, Print Operators, and Server Operators. Any
management performed on the local group will result in an audit message being written
to the security event log. Local groups are the primary means for distributing important
privileges among users. Groups help to simplify administration, as it is easier to assign
privileges to a single group than assigning them to each individual member. An attacker
that has gained access to a system can alter the membership of a local group to grant
accounts privileges that were never intended by the administrator.
How to remove this vulnerability
If it has been determined that a system has been compromised, an inspection of the local
group audit events can determine the privileges and access rights that an attacker may
have acquired. You can review the administrative activity history by running the
Windows NT Admin Activity Report.
References
ISS X-Force
Local group membership modified - user added
http://xforce.iss.net/static/1552.php
Local group membership modified - user removed (Local_group_user_removed)
About this signature or vulnerability
This signature detects a Windows security log message indicating that a user has been
removed from a local group.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
A local group is a named collection of local and domain user accounts and global groups.
It is a group that is defined on an individual computer. The predefined local groups for a
Windows NT domain are Administrators, Backup Operators, Guests, Power Users,
Replicator, and Users. The additional predefined local groups for a system set up as a
domain controller are Account Operators, Print Operators, and Server Operators. Any
management performed on the local group will result in an audit message being written
to the security event log.
Local groups are the primary means for distributing important privileges among users.
Groups help to simplify administration, as it is easier to assign privileges to a single group
than assigning them to each individual member. An attacker that has gained access to a
system can alter the membership of a local group to grant accounts privileges that were
never intended by the administrator.
How to remove this vulnerability
If it has been determined that a system has been compromised, an inspection of the local
group audit events can determine the privileges and access rights that an attacker may
have acquired. You can review the administrative activity history by running the
Windows NT Admin Activity Report.
References
ISS X-Force
Local group membership modified - user removed
http://xforce.iss.net/static/1554.php
Windows 2000 account logon failed (Log_on_to_account_failed)
About this signature or vulnerability
This signature detects a Windows event log message indicating that a logon to an account
from a workstation has failed.
Default risk level
Low
Sensors that have this signature
RealSecure Server Sensor: SR 1.1
Systems affected
Windows 2000
Type
Host Sensor
Vulnerability description
Logon failure from a workstation is a security-sensitive event. Frequent logon failures, or
attempts to log on using an inappropriate account, could indicate attempts by an attacker
to tamper with the Windows 2000 computer.
How to remove this vulnerability
Determine the cause of the logon failure. Review the error code associated with this event.
Determine if the account in question is authorized for logon.
References
ISS X-Force
Windows 2000 account logon failed
http://xforce.iss.net/static/4872.php
Logon process registered (Logon_process_registered)
About this signature or vulnerability
This signature detects that a trusted logon process has registered with the Local Security
Authority (LSA) after system startup. This logon process will be trusted to submit logon
requests.
Usually, RealSecure will not detect the logon process registration at system startup, but it
will detect those that register after RealSecure has started.
Default risk level
Medium
Sensors that have this signature
RealSecure OS Sensor: 3.1, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
A trusted logon process has registered with the Local Security Authority (LSA). This
logon process will be trusted to submit logon requests.
A logon process is responsible for submitting the user's logon request to the system for
authentication. A typical Windows NT system has multiple logon processes, one for each
logon "path" (for example, the system console, network access, or remote access through a
serial line). Usually, these logon processes are registered at system startup time, but a
logon process can also be registered when a new service is started (for example, when the
remote access service is manually started). When this event happens, it usually indicates
that Windows NT has added one more logon "path" to the system.
How to remove this vulnerability
Determine whether the added logon process should be allowed and take appropriate
actions. For example, if the remote access server is added as a logon process, you should
determine whether remote access through serial line (modem) is allowed on that system.
References
ISS X-Force
Logon process registered
http://xforce.iss.net/static/2218.php
Logon event by user with administrative privileges (Logon_with_admin_privileges)
About this signature or vulnerability
This signature detects that a user with administrative privileges has logged on to the
system.
Default risk level
High
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Unix, Windows NT
Type
Host Sensor
Vulnerability description
Windows NT: The Windows NT administrator has the authority to grant important
privileges to users and groups. Certain administrative privileges are normally granted
only to users that have some system administrative duties. An administrator must grant
these administrative privileges by using the Windows NT User Manager utility. For
example, the right SeLoadDriverPrivilege allows a user to load and unload device drivers.
Whenever a user who has been granted these administrative privileges logs on, an audit
message is written into the Windows NT security log.
Solaris: The "root" user is afforded primary system admin privileges in UNIX. This event
notes when a root user has logged in using a conventional login, rlogin, telnet, ftp, or
other login method.
How to remove this vulnerability
Windows NT/2000: Take note of logon activity of users who have been granted
administrative privileges. Determine if those administrative privileges are necessary and
whether an account has gained administrative privileges without proper administrative
oversight. You can review the login history of accounts by running the login/logout
history report.
Solaris: Good security practice suggests that an administrator should only log in as root
when performing specific administrative functions that require root access. Do not
perform other functions as root. The intent should be to make login as root an exception
and not the norm. This ensures that a root login is an important activity and should
always be attributable to some specific administrative activity. Hence, when the root login
event occurs, it is an immediate cause for concern if it cannot be associated with
legitimate administrative tasks.
References
ISS X-Force
Logon event by user with administrative privileges
http://xforce.iss.net/static/1517.php
Logon event by user with special privileges (Logon_with_special_privileges)
About this signature or vulnerability
This signature detects a Windows security log message indicating that a user with special
privileges has logged on to the system.
Default risk level
High
Sensors that have this signature
RealSecure OS Sensor: 3.0, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability description
A Windows NT administrator has the authority to grant important privileges to users and
groups. Certain special privileges are not granted to any user by default. An administrator
must grant these special privileges by using the Windows NT User Manager utility. For
example, the right SeAuditPrivilege allows the user to generate security audit log entries.
Whenever a user who has been granted these special privileges logs on, an audit message
is written into the Windows NT security log.
How to remove this vulnerability
Take note of logon activity by users who have been granted special privileges. Confirm
that those special privileges are actually necessary for those users. Determine whether an
account has gained special privileges without proper administrative oversight. You can
review the login history of accounts by running the login/logout history report.
References
ISS X-Force
Logon event by user with special privileges
http://xforce.iss.net/static/1516.php
LOKI ICMP tunneling back door (Loki)
False positives
RealSecure Network Sensor: A false positive is possible if RealSecure detects a particular
number in the ICMP header of a ping packet, which could contain otherwise harmless
data.
RealSecure Server Sensor: A false positive is possible if RealSecure detects a particular
number in the ICMP header of a ping packet, which could contain otherwise harmless
data.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 3.01, RealSecure Server Sensor: 5.5
Systems affected
FreeBSD: 2.1.x, Linux kernel: 2.0.x, OpenBSD: 2.1, Solaris: 2.5, Solaris: 2.6
Type
Suspicious Activity
Vulnerability description
LOKI is a client/server program published in the online publication Phrack. This program
is a working proof-of-concept to demonstrate that data can be transmitted somewhat
secretly across a network by hiding it in traffic that normally does not contain payloads.
The example code can tunnel the equivalent of a Unix RCMD/RSH session in either ICMP
echo request (ping) packets or UDP traffic to the DNS port. This is used as a back door
into a Unix system after root access has been compromised. Presence of LOKI on a system
is evidence that the system has been compromised in the past.
How to remove this vulnerability
If the LOKI attack is crossing a perimeter router or firewall, add a rule that blocks all
ICMP traffic entering your network.
To determine if LOKI is running, look for programs that have an ICMP raw socket open.
This can be done from a root shell on Linux with a command similar to: "netstat -a -n -w"
If you see something like this:
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
raw 0 0 0.0.0.0:1 0.0.0.0:*
raw 0 0 0.0.0.0:1 0.0.0.0:*
raw 0 0 0.0.0.0:255 0.0.0.0:*
Some process has an ICMP raw socket open on the system, which might be indicative of a
LOKI daemon. Also look for 0.0.0.0:17, which might indicate a loki daemon running in
UDP mode. For Solaris, the command would be netstat -a -n -P icmp. Next, identify the
loki server process and kill it. To find the process, run one of the following commands:
Linux: ps -aux -w | grep "root"
Solaris: /usr/ucb/ps -aux -w | grep "root"
The default name is lokid, but this name could easily be changed to another name by an
attacker. An active installation of lokid will often leave many zombie copies of the
process around, due to bugs in the program. This can be used as a clue.
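The raw-socket and zombie-process checks described above, as an added Python example that is not part of the original guide. It parses constructed Linux netstat -w and ps -aux output modelled on the listing above (not real captures) and assumes the Linux column layout only; the Solaris netstat -P icmp format is not handled.

```python
# Constructed sample listings, modelled on the netstat output shown above (not real captures).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
raw        0      0 0.0.0.0:1               0.0.0.0:*
raw        0      0 0.0.0.0:1               0.0.0.0:*
raw        0      0 0.0.0.0:255             0.0.0.0:*
"""

# Constructed "ps -aux -w" sample with a running daemon and its defunct children.
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   420  200 ?        S    10:02   0:01 init
root       790  0.1  0.3  1240  560 ?        S    10:05   0:00 lokid
root       812  0.0  0.0     0    0 ?        Z    10:05   0:00 [lokid] <defunct>
root       813  0.0  0.0     0    0 ?        Z    10:05   0:00 [lokid] <defunct>
root       820  0.0  0.0     0    0 ?        Z    10:06   0:00 [cron] <defunct>
"""

IPPROTO_ICMP = 1
IPPROTO_UDP = 17


def raw_socket_protocols(netstat_text):
    """Protocol numbers of every raw socket in Linux 'netstat -a -n -w' output.
    For a raw socket netstat prints the IP protocol number where a port would be,
    so 0.0.0.0:1 is an ICMP raw socket and 0.0.0.0:17 a UDP one."""
    protos = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "raw":
            continue
        proto = fields[3].rsplit(":", 1)[-1]
        if proto.isdigit():
            protos.append(int(proto))
    return protos


def loki_raw_socket_indicators(netstat_text):
    """Summarise raw sockets that match the two LOKI transports described above."""
    protos = raw_socket_protocols(netstat_text)
    return {
        "icmp_raw_sockets": protos.count(IPPROTO_ICMP),  # default LOKI transport
        "udp_raw_sockets": protos.count(IPPROTO_UDP),    # LOKI in UDP mode
        "other_raw_protocols": sorted(
            {p for p in protos if p not in (IPPROTO_ICMP, IPPROTO_UDP)}
        ),
    }


def zombie_counts(ps_text, minimum=2):
    """Count defunct (zombie) processes per command name in 'ps -aux -w' output and
    return the names with at least `minimum` zombies. The name comes from the COMMAND
    column, so a renamed lokid is still grouped under whatever name it was given."""
    counts = {}
    for line in ps_text.splitlines():
        fields = line.split(None, 10)  # COMMAND keeps its internal spaces
        if len(fields) < 11 or not fields[7].startswith("Z"):
            continue
        name = fields[10].split()[0].strip("[]")
        counts[name] = counts.get(name, 0) + 1
    return {name: n for name, n in counts.items() if n >= minimum}


if __name__ == "__main__":
    print(loki_raw_socket_indicators(SAMPLE_NETSTAT))
    # {'icmp_raw_sockets': 2, 'udp_raw_sockets': 0, 'other_raw_protocols': [255]}
    print(zombie_counts(SAMPLE_PS))  # {'lokid': 2}
```

An ICMP raw socket on its own is not conclusive, since ping and some monitoring tools open one while they run, so treat the counts as a lead to tie back to a PID rather than a verdict.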
References
Phrack Magazine, Volume 7, Issue 49, File 06 of 16
Project Loki
http://packetstorm.securify.com/mag/phrack/phrack49/P49-06
Phrack Magazine, Volume 7, Issue 51, File 06 of 17
L O K I 2 (the implementation)
http://packetstorm.securify.com/mag/phrack/phrack51/P51-06
ISS X-Force
LOKI ICMP tunneling back door
http://xforce.iss.net/static/1452.php
Lotus Notes SMTP server can be crashed with long HELO commands (Email_Helo_Overflow)
About this signature or vulnerability
This vulnerability is detected by the Email_Helo_Overflow signature.
Default risk level
Medium
Sensors that have this signature
RealSecure Network Sensor: 3.1
Systems affected
Lotus Notes
Type
Suspicious Activity
Vulnerability description
The Lotus Notes SMTP server is vulnerable to a denial of service attack. An attacker can
send consecutive HELO commands with lengths longer than 2048 characters to crash the
server.
How to remove this vulnerability
No remedy available as of June 2001.
References
BugTraq Mailing List, Thu Jan 14 1999 08:52:53
Lotus Notes SMTP Server bug
http://www.securityfocus.com/archive/1/11952
ISS X-Force
Lotus Notes SMTP server can be crashed with long HELO commands
http://xforce.iss.net/static/1813.php
Lotus Domino SMTP Server policy feature buffer overflow (Lotus_Domino_SMTP_Overflow)
About this signature or vulnerability
This signature detects a specially-crafted email for which the FROM field contains more
than 4000 characters.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: XPU 3.1
Systems affected
Lotus Domino R5: 5.0.1, Lotus Domino R5: 5.0.2, Lotus Domino R5: 5.0.3, Lotus Domino
R5: 5.0.4, Lotus Domino R5: 5.0
Type
Denial of Service
Vulnerability description
Lotus Domino SMTP Server versions 5.0 through 5.0.5 are vulnerable to a buffer overflow
in the policy feature. The policy feature is used to define rules for server relaying. If the
policy feature is enabled to check for the domain name, a remote attacker can overflow a
buffer and crash the server or execute arbitrary code on the system with privileges of the
user that the SMTP server is running as.
How to remove this vulnerability
Upgrade to the latest version of Lotus Domino SMTP Server (5.0.6 or later), available from
the Notes.net Web site. See References.
References
S.A.F.E.R. Security Bulletin 010123.EXP.1.10
Buffer overflow in Lotus Domino SMTP Server
http://www.safermag.com/advisories/0012.html
Notes.net Web site
version 5.06 download
http://www.notes.net/r5fixlist.nsf/Progress/5.0.6?OpenDocument
Notes/Domino Fix List Database SPR CMAS4NNLVG
Fixed a potential denial of service attack.
http://www.notes.net/r5fixlist.nsf/5c087391999d06e7852569280062619d/
77317b8b83ceac0285256a5000737387?OpenDocument
Lotus Customer Support Technote
Domino R5 SMTP Server Buffer Overflows if Domain Restrictions are Enabled
http://support.lotus.com/sims2.nsf/eb5fbc0ab175cf0885256560005206cf/
a05d4ad614858e0a852569e6005f1fc5?OpenDocument&Highlight=0,184329
CERT Vulnerability Note VU#666872
Buffer Overflow in Lotus Domino Mail Server
http://www.kb.cert.org/vuls/id/666872
ISS X-Force
Lotus Domino SMTP Server policy feature buffer overflow
http://xforce.iss.net/static/5993.php
CVE
CVE-2001-0260
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0260
LPRng syslog() call allows user supplied format strings
(LPRng_Format_String)
About this
signature or
vulnerability
This signature detects an LPR command (on TCP port 515) that contains a format
specifier, which could indicate an attempt by an attacker to execute arbitrary code on the
host. The actual command detected will be reported in the Raw Command information
field.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: XPU 2.2
Systems affected
FreeBSD, TurboLinux, Caldera OpenLinux: 2.3, Caldera OpenLinux: 2.4, Red Hat Linux:
7.0
Type
Unauthorized Access Attempt
Vulnerability
description
The LPRng printer daemon in some Linux distributions is vulnerable to a format string
attack. User-supplied input is passed to syslog() calls in LPRng as the format string
itself, rather than as an argument to a fixed format string. An attacker can exploit this
vulnerability to cause a segmentation fault and execute arbitrary code, possibly gaining
root privileges.
How to remove this
vulnerability
For Caldera OpenLinux: Upgrade to the latest version of LPRng (3.5.3-3 or later), as listed
in Caldera Systems, Inc. Security Advisory CSSA-2000-033.0. See References. For Red Hat:
Upgrade to the latest version of LPRng (3.6.24-2 or later), as listed in Red Hat, Inc. Security
Advisory RHSA-2000:065-04. See References. For FreeBSD: Upgrade to the latest version
of LPRng (3.6.25 or later), as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-00:56.
See References. For TurboLinux: Upgrade to the latest version of LPRng (3.6.26-1 or later),
as listed in TurboLinux Security Announcement TLSA2001001-1. See References. For
other distributions: Contact your vendor for upgrade or patch information.
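An added Python example, not from the ISS guide or from LPRng, of the check this signature performs: parse an RFC 1179 request sent to TCP port 515 and report any printf-style conversion found in its operands or in the lines of a submitted control file. The opcode names, the severity split (a %n conversion writes to memory, so it is rated higher than read-only conversions), and the sample requests are the example's own constructions.

```python
import re
from typing import Dict, List, Optional

# RFC 1179 request opcodes: the first byte of a command sent to TCP port 515.
LPR_OPCODES = {
    1: "print any waiting jobs",
    2: "receive a printer job",
    3: "send queue state (short)",
    4: "send queue state (long)",
    5: "remove jobs",
}

# printf-style conversion: optional positional "N$", flags, width, precision,
# length modifier, conversion letter. "%%" is a literal percent and is skipped.
_FMT = re.compile(
    rb"%%|%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|q|j|z|t)?[diouxXeEfFgGaAcspn]"
)


def find_format_specifiers(data: bytes) -> List[bytes]:
    """Return every printf conversion found in data, ignoring escaped '%%'."""
    return [m.group(0) for m in _FMT.finditer(data) if m.group(0) != b"%%"]


def parse_lpr_request(payload: bytes) -> Optional[Dict]:
    """Split an LPR request into opcode, queue name and remaining operands.

    Returns None when the first byte is not a known RFC 1179 opcode.
    """
    if not payload or payload[0] not in LPR_OPCODES:
        return None
    operands = payload[1:].rstrip(b"\n").split(b" ")
    return {"opcode": payload[0], "name": LPR_OPCODES[payload[0]],
            "queue": operands[0], "operands": operands[1:]}


def check_lpr_request(payload: bytes) -> Dict:
    """Apply the format-specifier check to one LPR request line.

    Severity is "high" when a %n conversion (which writes to memory) is present,
    "medium" for read-only conversions such as %x or %s, None when none matched.
    """
    parsed = parse_lpr_request(payload)
    if parsed is None:
        return {"alert": False, "severity": None, "specifiers": [], "raw": payload}
    specs = find_format_specifiers(payload[1:])
    severity = None
    if specs:
        severity = "high" if any(s.endswith(b"n") for s in specs) else "medium"
    return {"alert": bool(specs), "severity": severity, "specifiers": specs,
            "command": parsed["name"], "queue": parsed["queue"], "raw": payload}


def check_control_file(control: bytes) -> List[Dict]:
    """Apply the same check to the lines of an LPR control file (opcode 2 jobs).

    Each control-file line is one key letter followed by its value, for example
    'Hhost', 'Puser', 'Jjobname'; these values are what reach syslog() messages.
    """
    findings = []
    for line in control.split(b"\n"):
        if not line:
            continue
        specs = find_format_specifiers(line[1:])
        if specs:
            findings.append({"key": chr(line[0]), "specifiers": specs, "raw": line})
    return findings


# Constructed samples (not real captures).
NORMAL_REQUEST = b"\x03lp\n"                                     # short listing of queue "lp"
SUSPICIOUS_REQUEST = b"\x04lp %x%x%n\n"                           # operand carrying conversions
CONTROL_FILE = b"Hclient.example.test\nPalice\nJreport 100%%\n"  # benign escaped percent

if __name__ == "__main__":
    for req in (NORMAL_REQUEST, SUSPICIOUS_REQUEST):
        print(check_lpr_request(req))
    print(check_control_file(CONTROL_FILE))
```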
References
Caldera Systems, Inc. Security Advisory CSSA-2000-033.0
format bug in LPRng
http://www.calderasystems.com/support/security/advisories/CSSA-2000-033.0.txt
BugTraq Mailing List, Tue Sep 26 2000 00:57:43
Format strings: bug #2: LPRng
http://www.securityfocus.com/archive/1/85002
Red Hat Linux Errata Advisory RHSA-2000:065-04
LPRng contains a critical string format bug
http://www.redhat.com/support/errata/RHSA-2000-065-06.html
CERT Advisory CA-2000-22
Input Validation Problems in LPRng
http://www.cert.org/advisories/CA-2000-22.html
FreeBSD, Inc. Security Advisory FreeBSD-SA-00:56
LPRng contains potential root compromise
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:56.lprng.asc
TurboLinux Security Announcement TLSA2001001-1
LPRng-3.6.26-1
http://www.turbolinux.com/pipermail/tl-security-announce/2001-January/000029.html
CERT Vulnerability Note VU#382365
LPRng can pass user-supplied input as a format string parameter to syslog() calls
http://www.kb.cert.org/vuls/id/382365
CIAC Information Bulletin L-025
LPRng Format String Vulnerability
http://www.ciac.org/ciac/bulletins/l-025.shtml
CIAC Information Bulletin L-004
FreeBSD LPRng Vulnerability
http://www.ciac.org/ciac/bulletins/l-004.shtml
ISS X-Force
LPRng syslog() call allows user supplied format strings
http://xforce.iss.net/static/5287.php
CVE
CAN-2000-0917
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0917
Mail-Max server allows remote execution of code through a
buffer overflow (Email_Helo_Overflow)
About this
signature or
vulnerability
This vulnerability is detected by the Email_Helo_Overflow signature.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 3.1
Systems affected
Mail-Max
Type
Suspicious Activity
Vulnerability
description
SmartMax Software Mail-Max, an SMTP server for Windows 95, Windows 98, and Windows
NT platforms, is vulnerable to a buffer overflow in the server's handling of some SMTP
commands. By exploiting this buffer overflow condition, a remote attacker could execute
arbitrary code on the server with the privileges of the user owning the Mail-Max process.
How to remove this
vulnerability
No remedy available as of June 2001.
References
BugTraq Mailing List, Sat Feb 13 1999 22:00:30
Mail-Max Remote Buffer Overflow Exploit
http://www.securityfocus.com/archive/1/12505
SmartMax Software, Inc. Web site
MailMax 2.0
http://www.smartmax.com/mailmax.html
ISS X-Force
Mail-Max server allows remote execution of code through a buffer overflow
http://xforce.iss.net/static/1773.php
CVE
CVE-1999-0404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0404
Windows 2000 user account mapped for logon
(Mapped_account)
About this
signature or
vulnerability
This signature detects a Windows event log message indicating that a Windows 2000
account has been mapped by a client for logon.
Default risk level
Low
Sensors that have
this signature
RealSecure Server Sensor: SR 1.1
Systems affected
Windows 2000
Type
Host Sensor
Vulnerability
description
In order to enable a non-Windows 2000 Kerberos principal to log on to a Windows 2000
computer, the Kerberos principal must be mapped to a Windows 2000 user account.
If the Kerberos principal is mapped to an inappropriate account, or is not authorized to
log on to the Windows 2000 computer, it could enable an attacker to tamper with the
Windows 2000 computer.
How to remove this
vulnerability
Verify that the map account operation is authorized. If necessary, remove the mapped
account using the Windows 2000 Active Directory Users and Computers snap-in.
References
ISS X-Force
Windows 2000 user account mapped for logon
http://xforce.iss.net/static/4873.php
Map account operation failed (Mapped_account_failed)
About this
signature or
vulnerability
This signature detects a Windows event log message indicating that a client could not be
mapped for logon.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: SR 1.1
Systems affected
Windows 2000
Type
Host Sensor
Vulnerability
description
In order to enable a non-Windows 2000 Kerberos principal to log on to a Windows 2000
computer, the Kerberos principal must be mapped to a Windows 2000 user account.
Frequent failures for a Kerberos principal to be mapped to a Windows 2000 account could
indicate attempts by an attacker to tamper with the Windows 2000 computer.
How to remove this
vulnerability
Determine the cause of the map account operation failure. If the account mapping is
authorized, correct any problems and re-map the account.
References
ISS X-Force
Map account operation failed
http://xforce.iss.net/static/4881.php
Master's Paradise98 backdoor for Windows
(Masters_Paradise98)
About this
signature or
vulnerability
This signature detects a TCP connection on port 31 to a Master's Paradise98 backdoor on
your network.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows NT, Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The Master's Paradise98 backdoor is one of many backdoor programs that attackers can
use to access your computer system without your knowledge or consent. With the
Master's Paradise98 backdoor, an attacker can do the following:
● access your files and system registry
● manipulate the appearance of your desktop
● obtain your RAS (Remote Access Server) password (Windows NT only)
How to remove this
vulnerability
The Master's Paradise backdoor can be very difficult to remove manually, because the
executable is difficult to locate and identify on your system. Refer to the steps below for
using an antivirus program to remove the backdoor.
To use an antivirus program to remove the Master's Paradise backdoor:
1. If you do not have an antivirus program installed, download and install one of these
virus scanners:
■ Norton AntiVirus: http://www.symantec.com/nav/indexA.html
■ McAfee VirusScan: http://software.mcafee.com/centers/download/
■ Trend Micro PC-Cillin: http://www.trend.com/pc-cillin/
2. Run the antivirus program to scan your system for this backdoor. The virus scanner
should find and remove the Master's Paradise backdoor from your computer.
References
Big Chicken Computer Security Web site
Masters Paradise
http://members.xoom.com/_XOOM/big_chicken/trojans/masterpar/
Threats to your Security on the Internet
The Basics of Master's Paradise
http://www.commodon.com/threat/threat-mp.htm
ISS X-Force
Master's Paradise98 backdoor for Windows
http://xforce.iss.net/static/4146.php
Maverick's Matrix backdoor for Windows 95/98
(MavericksMatrix)
About this
signature or
vulnerability
This signature detects a TCP connection on port 1269 to a Maverick's Matrix backdoor on
your network.
False negatives
RealSecure Network Sensor: RealSecure detects a connection to the Maverick's Matrix
backdoor only when the Maverick's Matrix backdoor uses its default port, port 1269. A
false negative is possible if the Maverick's Matrix backdoor is configured to use a port
other than 1269.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The Maverick's Matrix backdoor is one of many backdoor programs that attackers can use
to access your computer system without your knowledge or consent. With the Maverick's
Matrix backdoor, an attacker can do the following:
● access files on your computer
● retrieve passwords
● start and stop an FTP server on your computer
How to remove this
vulnerability
To remove the Maverick's Matrix backdoor from your computer:
1. Delete Wincfg.exe from the Windows system directory.
2. Using Regedit, find the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Wincfg.exe=C:\<windows system>\wincfg.exe registry key.
3. Delete this registry key.
References
Maverick's Crew's Site
Maverick's Crew's Site
http://www.drive.to/Maverick
ISS X-Force
Maverick's Matrix backdoor for Windows 95/98
http://xforce.iss.net/static/3329.php
MDaemon SMTP server can be crashed with a long HELO
(Email_Helo_Overflow)
About this
signature or
vulnerability
This vulnerability is detected by the Email_Helo_Overflow signature.
Default risk level
Medium
Sensors that have
this signature
RealSecure Network Sensor: 3.1
Systems affected
MDaemon
Type
Suspicious Activity
Vulnerability
description
MDaemon is a multi-protocol mail server developed by Alt-N Technologies for Microsoft
Windows systems. A vulnerability in versions of MDaemon up to 2.7.1 could allow a
remote attacker to crash the server by sending a HELO command with a very large
argument. To regain normal functionality, the server must be manually restarted.
How to remove this
vulnerability
Upgrade to the latest version of MDaemon (2.7.1, SP2 or later), available from the
MDaemon Download Page. See References.
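The length checks behind the Lotus_Domino_SMTP_Overflow signature earlier in this section (a FROM field longer than 4000 characters) and the long-HELO condition of the Email_Helo_Overflow entries (MDaemon and Mail-Max), as one added Python example that is not part of the ISS guide or of any vendor's code. It assumes the FROM field is the MAIL FROM envelope argument; the 4000-character limit is the guide's, while the HELO/EHLO limit of 1024 is an assumed value because the guide only says "very large".

```python
import re
from typing import Dict, List

# Per-command argument-length limits (characters). MAIL FROM uses the
# 4000-character threshold from the Lotus_Domino_SMTP_Overflow signature; the
# HELO/EHLO limits are assumed values for illustration.
LIMITS: Dict[str, int] = {"MAIL": 4000, "HELO": 1024, "EHLO": 1024}

# Envelope sender: "MAIL FROM:<address>" (assumed to be the FROM field the
# Lotus signature inspects).
_MAIL_FROM = re.compile(rb"^MAIL\s+FROM:\s*(?P<arg>.*)$", re.IGNORECASE | re.DOTALL)
# Greeting: "HELO hostname" / "EHLO hostname".
_GREETING = re.compile(rb"^(?P<verb>HELO|EHLO)\s+(?P<arg>.*)$", re.IGNORECASE | re.DOTALL)


def split_commands(stream: bytes) -> List[bytes]:
    """Split the client-to-server side of an SMTP session into command lines.

    SMTP lines end in CRLF; a bare LF is tolerated because some clients send it.
    """
    return [line for line in re.split(rb"\r?\n", stream) if line]


def check_command(line: bytes) -> Dict:
    """Measure the argument of one SMTP command line against its limit.

    Returns the verb, the argument length, the applicable limit (None when the
    verb is not length-checked) and an 'alert' flag.
    """
    verb, arg = None, b""
    m = _MAIL_FROM.match(line)
    if m:
        verb, arg = "MAIL", m.group("arg")
    else:
        m = _GREETING.match(line)
        if m:
            verb, arg = m.group("verb").upper().decode("ascii"), m.group("arg")
    if verb is None:
        # Any other verb (RCPT, DATA, QUIT ...) is not length-checked here.
        raw_verb = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
        return {"verb": raw_verb, "arg_len": 0, "limit": None, "alert": False}
    limit = LIMITS[verb]
    return {"verb": verb, "arg_len": len(arg), "limit": limit, "alert": len(arg) > limit}


def scan_session(stream: bytes) -> List[Dict]:
    """Return the alert records for every over-length command in a session."""
    return [r for r in map(check_command, split_commands(stream)) if r["alert"]]


# Constructed sample session (not a real capture): a normal greeting followed by
# an envelope sender whose address exceeds the 4000-character threshold.
SAMPLE_SESSION = (
    b"EHLO mail.example.test\r\n"
    b"MAIL FROM:<" + b"a" * 4001 + b"@example.test>\r\n"
    b"RCPT TO:<postmaster@example.test>\r\n"
    b"DATA\r\n"
)

if __name__ == "__main__":
    for alert in scan_session(SAMPLE_SESSION):
        print(f"{alert['verb']}: argument of {alert['arg_len']} chars exceeds {alert['limit']}")
```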
References
MDaemon Download Page
MDaemon POP3/SMTP Server for Windows
http://www.mdaemon.com/download.cfm
BugTraq Mailing List, Tue Mar 10 1998 22:44:45
MDaemon SMTP Server Buffer Overflow's
http://www.securityfocus.com/archive/1/8741
Rootshell Web site
MDaemon buffer overflow
http://www.rootshell.com/archive-j457nxiqi3gq59dv/199803/mdaemon.c.html
ISS X-Force
MDaemon SMTP server can be crashed with a long HELO
http://xforce.iss.net/static/1834.php
Millenium backdoor for Windows (Millenium)
About this
signature or
vulnerability
This signature detects a TCP connection on port 20001 to a Millenium backdoor on your
network.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0
Systems affected
Windows NT, Windows 95, Windows 98
Type
Unauthorized Access Attempt
Vulnerability
description
The Millenium backdoor is one of many backdoor programs that attackers can use to
access your computer system without your knowledge or consent. With the Millenium
backdoor, an attacker can do the following:
● log keystrokes
● capture an image of your screen
● execute programs
● send messages to you that appear on your screen
How to remove this
vulnerability
To remove the Millenium backdoor from your computer:
1. Using Regedit, find the HKLM\Software\Microsoft\Windows\CurrentVersion\Run
registry key.
2. Find the registry entry named Millenium that has a data value of
C:\Windows\System\Reg66.exe.
3. Delete that registry entry.
4. Delete Reg66.exe from the Windows system directory.
5. Open the win.ini file in your Windows directory.
6. Find and delete the line "run=c:\windows\system\reg66.exe" from win.ini.
References
ISS X-Force
Millenium backdoor for Windows
http://xforce.iss.net/static/3111.php
Mountd export (MountdExport)
About this
signature or
vulnerability
This signature detects a remote showmount, which is a user request for a list of file
systems that are exported by the Network File System (NFS). This signature can assist in
understanding patterns of NFS file sharing on your network.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
NFS
Type
Suspicious Activity
Vulnerability
description
A showmount command is a user request for a list of file systems that are exported by the
Network File System (NFS). Use of the showmount command should only occur inside an
organization. Export requests from external sources should be considered suspicious.
How to remove this
vulnerability
If the source of the showmount is internal, consider querying the users to determine who
has been mounting file systems and why. If this event was caused by an outside host,
consider blocking access to that host.
References
ISS X-Force
Mountd export
http://xforce.iss.net/static/663.php
Mountd mount request (MountdMnt)
About this
signature or
vulnerability
This signature detects a Network File System (NFS) mount request and records the file
systems that a user mounts, allowing you to construct patterns of NFS file sharing.
Default risk level
Low
Sensors that have
this signature
RealSecure Network Sensor: 1.0
Systems affected
NFS
Type
Suspicious Activity
Vulnerability
description
A Network File System (NFS) mount request is used to mount a remote file system for
the purpose of NFS file sharing. Mount requests typically occur when a system boots. It is
possible but fairly unlikely that a user might independently mount a file system. Mount
events from systems that have been running for a long time (several hours or more) are
suspicious. Typically, this event should never be caused by an external host mounting one
of your file systems.
How to remove this
vulnerability
This event might suggest that the source host has just restarted. If the source has not
restarted recently (as reported by uptime), query the users to determine who has been
mounting file systems and why. If this event was caused by an outside host, consider
blocking access to that host.
References
ISS X-Force
Mountd mount request
http://xforce.iss.net/static/664.php
Microsoft SQL 6.5 Server shutdown (MSSQL65_Shutdown)
About this
signature or
vulnerability
This signature detects that the SQL Server 6.5 database server process has been shut
down.
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Microsoft SQL Server: 6.5
Type
Host Sensor
Vulnerability
description
The SQL Server database server process has been shut down.
How to remove this
vulnerability
Most process-oriented activities are a part of normal administrative functions. Determine
the role of this database and how critical it is in your business activities. This process may
have been shut down for software or hardware upgrades, diagnostics, or other
maintenance functions. If this is a production database server, closely monitor startup and
shutdown activity to prevent availability and integrity problems.
Verify that all administrative activities are monitored and retained in an audit history. If
there is no legitimate reason for a shutdown to occur, if shutdowns occur from
unexpected or non-administrative accounts, or if shutdowns occur at unusual times, then
this activity may be an indication of misuse.
References
ISS X-Force
Microsoft SQL 6.5 Server shutdown
http://xforce.iss.net/static/3220.php
Microsoft SQL Server 6.5 started (MSSQL65_Startup)
About this
signature or
vulnerability
This signature detects that the SQL Server 6.5 database server process is starting.
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Microsoft SQL Server: 6.5
Type
Host Sensor
Vulnerability
description
The SQL Server database server process is starting.
How to remove this
vulnerability
Most process-oriented activities are a part of normal administrative functions. Determine
the role of this database and how critical it is in your business activities. This database
may have been started for testing, troubleshooting, or development functions, or restarted
for software or hardware upgrades, diagnostics, or other maintenance functions.
Verify that all administrative activities are monitored and retained in an audit history. If
there is no legitimate reason for this database, if database processes activate from
unexpected or non-administrative accounts, or if database startups occur at unusual
times, then this activity may be an indication of misuse.
References
ISS X-Force
Microsoft SQL Server 6.5 started
http://xforce.iss.net/static/3219.php
Microsoft SQL Server 6.5 non-trusted connection successful
(MSSQL65_Successful_Non-Trusted_Connection)
About this
signature or
vulnerability
This signature detects that a non-trusted connection has successfully been established to
the Microsoft SQL Server 6.5 database.
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Microsoft SQL Server: 6.5
Type
Host Sensor
Vulnerability
description
A non-trusted connection has successfully been established to the Microsoft SQL Server
database.
How to remove this
vulnerability
Most connection activity is normal for accessing a database. Determine the role of this
database and how critical it is in your business activities. This database may have been
started for production, testing, troubleshooting, or development functions. The function
of the database could help determine who should be connecting, how often, and at what
times of the day.
Verify that all activities are monitored and retained in an audit history. If there is no
legitimate reason for a particular user to be connecting to this database, if database
activity originates from unexpected user accounts, or if database accesses occur at
unusual times, then this activity may be an indication of misuse.
References
ISS X-Force
Microsoft SQL Server 6.5 non-trusted connection successful
http://xforce.iss.net/static/3221.php
Microsoft SQL Server shutdown (MSSQL7_Shutdown)
About this
signature or
vulnerability
This signature detects that the SQL Server 7.0 database server process has been shut
down.
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Microsoft SQL Server: 7.0, Microsoft SQL Server: 6.5, Microsoft SQL Server: 2000
Type
Host Sensor
Vulnerability
description
The SQL Server database server process has been shut down.
How to remove this
vulnerability
Most process-oriented activities are a part of normal administrative functions. Determine
the role of this database and how critical it is in your business activities. This process may
have been shut down for software or hardware upgrades, diagnostics, or other
maintenance functions. If this is a production database server, closely monitor startup and
shutdown activity to prevent availability and integrity issues.
Verify that all administrative activities are monitored and retained in an audit history. If
there is no legitimate reason for a shutdown to occur, if shutdowns occur from
unexpected or non-administrative accounts, or if shutdowns occur at unusual times, then
this activity may be an indication of misuse.
References
ISS X-Force
Microsoft SQL Server shutdown
http://xforce.iss.net/static/3216.php
Microsoft SQL Server started (MSSQL7_Startup)
About this
signature or
vulnerability
This signature detects that the SQL Server 7.0 database server process is starting.
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Microsoft SQL Server: 7.0, Microsoft SQL Server: 6.5, Microsoft SQL Server: 2000
Type
Host Sensor
Vulnerability
description
The SQL Server database server process is starting.
How to remove this
vulnerability
Most process-oriented activities are a part of normal administrative functions. Determine
the role of this database and how critical it is in your business activities. This database
may have been started for testing, troubleshooting, or development functions, or restarted
for software or hardware upgrades, diagnostics, or other maintenance functions.
Verify that all administrative activities are monitored and retained in an audit history. If
there is no legitimate reason for this database, if database processes activate from
unexpected or non-administrative accounts, or if database startups occur at unusual
times, then this activity may be an indication of misuse.
References
ISS X-Force
Microsoft SQL Server started
http://xforce.iss.net/static/3215.php
Microsoft SQL Server non-trusted connection successful
(MSSQL7_Successful_Non-Trusted_Connection)
About this
signature or
vulnerability
This signature detects that a non-trusted connection has successfully been established to
the Microsoft SQL Server 7.0 database.
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Microsoft SQL Server: 7.0, Microsoft SQL Server: 6.5, Microsoft SQL Server: 2000
Type
Host Sensor
Vulnerability
description
A non-trusted connection has successfully been established to the Microsoft SQL Server
database.
How to remove this
vulnerability
Most connection activity is normal for accessing a database. Determine the role of this
database and how critical it is in your business activities. This database may have been
started for production, testing, troubleshooting, or development functions. The function
of the database could help determine who should be connecting, how often, and at what
times of the day.
Verify that all activities are monitored and retained in an audit history. If there is no
legitimate reason for a particular user to be connecting to this database, if database
activity originates from unexpected user accounts, or if database accesses occur at
unusual times, then this activity may be an indication of misuse.
References
ISS X-Force
Microsoft SQL Server non-trusted connection successful
http://xforce.iss.net/static/3217.php
Microsoft SQL Server failed connection
(MSSQL_Failed_Connection)
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability
description
A connection failed to be established to the Microsoft SQL Server database server.
How to remove this
vulnerability
A single or sporadic connection failure may be normal, and could be caused by an errant
connection attempt. Your audit history can help you determine if a pattern exists and
whether the pattern is an indicator of unauthorized access.
Most connection activity is normal for accessing a database. Determine the role of this
database and how critical it is in your business activities. This database may have been
started for production, testing, troubleshooting, or development functions, which would
determine who should be connecting, how often, and at what times of the day.
Verify that all activities are monitored and retained in an audit history. If there is no
legitimate reason for a particular user to be connecting to this database, if database
activity originates from unexpected user accounts, or if database accesses occur at
unusual times, then this activity may be an indication of misuse.
References
ISS X-Force
Microsoft SQL Server failed connection
http://xforce.iss.net/static/3218.php
Microsoft SQL Server shutdown (MSSQL_Shutdown)
About this
signature or
vulnerability
This signature detects that the SQL Server database server process has been shut down.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft SQL Server: 7.0, Microsoft SQL Server: 6.5, Microsoft SQL Server: 2000
Type
Host Sensor
Vulnerability
description
The SQL Server database server process has been shut down.
How to remove this
vulnerability
Most process-oriented activities are a part of normal administrative functions. Determine
the role of this database and how critical it is in your business activities. This process may
have been shut down for software or hardware upgrades, diagnostics, or other
maintenance functions. If this is a production database server, closely monitor startup and
shutdown activity to prevent availability and integrity issues.
Verify that all administrative activities are monitored and retained in an audit history. If
there is no legitimate reason for a shutdown to occur, if shutdowns occur from
unexpected or non-administrative accounts, or if shutdowns occur at unusual times, then
this activity may be an indication of misuse.
References
ISS X-Force
Microsoft SQL Server shutdown
http://xforce.iss.net/static/3216.php
Microsoft SQL Server started (MSSQL_Startup)
About this
signature or
vulnerability
This signature detects that the SQL Server database server process is starting.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft SQL Server: 7.0, Microsoft SQL Server: 6.5, Microsoft SQL Server: 2000
Type
Host Sensor
Vulnerability
description
The SQL Server database server process is starting.
How to remove this
vulnerability
Most process-oriented activities are a part of normal administrative functions. Determine
the role of this database and how critical it is in your business activities. This database
may have been started for testing, troubleshooting, or development functions, or restarted
for software or hardware upgrades, diagnostics, or other maintenance functions.
Verify that all administrative activities are monitored and retained in an audit history. If
there is no legitimate reason for this database, if database processes activate from
unexpected or non-administrative accounts, or if database startups occur at unusual
times, then this activity may be an indication of misuse.
References
ISS X-Force
Microsoft SQL Server started
http://xforce.iss.net/static/3215.php
Microsoft SQL Server non-trusted connection successful
(MSSQL_Successful_Non-Trusted_Connection)
About this
signature or
vulnerability
This signature detects that a non-trusted connection has successfully been established to
the Microsoft SQL Server database.
Default risk level
Medium
Sensors that have
this signature
RealSecure Server Sensor: 6.5
Systems affected
Microsoft SQL Server: 7.0, Microsoft SQL Server: 6.5, Microsoft SQL Server: 2000
Type
Host Sensor
Vulnerability
description
A non-trusted connection has successfully been established to the Microsoft SQL Server
database.
How to remove this
vulnerability
Most connection activity is normal for accessing a database. Determine the role of this
database and how critical it is in your business activities. This database may have been
started for production, testing, troubleshooting, or development functions. The function
of the database could help determine who should be connecting, how often, and at what
times of the day.
Verify that all activities are monitored and retained in an audit history. If there is no
legitimate reason for a particular user to be connecting to this database, if database
activity originates from unexpected user accounts, or if database accesses occur at
unusual times, then this activity may be an indication of misuse.
References
ISS X-Force
Microsoft SQL Server non-trusted connection successful
http://xforce.iss.net/static/3217.php
Microsoft SQL Server trusted connection successful
(MSSQL_Successful_Trusted_Connection)
About this
signature or
vulnerability
This signature detects that a trusted connection has successfully been established to the
Microsoft SQL Server database.
Default risk level
Medium
Sensors that have
this signature
RealSecure OS Sensor: 3.2, RealSecure Server Sensor: 5.5
Systems affected
Windows NT
Type
Host Sensor
Vulnerability
description
A trusted connection has successfully been established to the Microsoft SQL Server
database.
How to remove this
vulnerability
Trusted connections are most often used between computers in different domains, or for
processes that require special access to database processes.
Determine if this account should be allowed to establish trusted connections, or whether
these connections occurred during an appropriate time interval. If this is not an
authorized administrative account, consider limiting access for this account.
References
ISS X-Force
Microsoft SQL Server trusted connection successful
http://xforce.iss.net/static/3214.php
mstream distributed denial of service tool (master detected)
(Mstream_Master)
About this
signature or
vulnerability
This signature detects a connection to an mstream master program on TCP port 12754,
6723, or 15104.
False negatives
RealSecure Network Sensor: RealSecure detects a connection to the mstream master
program only when the mstream master uses its default ports, TCP ports 12754, 6723, or
15104. A false negative is possible if the mstream master program is configured to use
ports other than 12754, 6723, or 15104.
RealSecure Server Sensor: RealSecure detects a connection to the mstream master
program only when the mstream master uses its default ports, TCP ports 12754, 6723, or
15104. A false negative is possible if the mstream master program is configured to use
ports other than 12754, 6723, or 15104.
Default risk level
High
Sensors that have
this signature
RealSecure Network Sensor: 5.0, RealSecure Server Sensor: 5.5.2
Systems affected
Any
Type
Suspicious Activity
Vulnerability
description
The mstream program is a distributed denial of service tool based on the "stream.c" attack.
This tool includes a "master controller" and a "zombie." The master controller is the
portion of the tool that controls all of the zombie agents. An attacker connects to the
master controller using telnet to control the zombies. Communications between the client,
master, and zombie are not encrypted.
Using a slightly modified version of the stream.c attack, the zombie slows a computer
down by using up CPU cycles. The attack also consumes network bandwidth. In addition
to the incoming ACK packets, the target host will consume bandwidth when it tries to
send TCP RST packets to non-existent IP addresses. Routers will then return ICMP host/
network unreachable packets to the victim, resulting in more bandwidth starvation. The
distributed method of attack multiplies the effect on the CPU, as well as consuming large
amounts of network bandwidth.
How to remove this vulnerability
Locate the mstream master or zombie on a system, by using strings or lsof. If you know
which port the master controller is listening on, you can use lsof to locate the executable.
After locating the mstream master or zombie, kill the process and delete the executable.
From the master controller, locate the zombie computers that are registered with the
master to find other systems that have been compromised.
To locate the mstream master or zombie on a system using strings:
1. Type the following command for each filesystem on the computer, replacing / with
the filesystem you want to search:
find / -mount -type f -print | xargs grep -l newserver
Note: This command could take up to thirty minutes to run on your system, depending on
the size of the filesystem and the speed of the computer.
2. Verify each file found by using the strings command on it, because the search may
find files that are not part of mstream, such as /usr/bin/xchat.
3. Compare the strings output to the expected strings output for the master and the
zombie, as listed below.
The strings output of the zombie, from server.c, should contain the following text:
Must be ran as root.
socket
bind
setsockopt
newserver
stream
mstream
ping
pong
fork
Forked into background, pid %d
The strings output of the master should contain the following text:
Connection from %s
newserver
New server on %s.
pong
Got pong number %d from %s
%s has disconnected (not auth'd): %s
Invalid password from %s.
Password accepted for connection from %s.
Lost connection to %s: %s
To locate the mstream master or zombie on a system using lsof:
1. Type the following command, replacing "port" with the port number on which the
master executable is listening:
lsof -i TCP:port
2. Compare the output to the following output to locate the process that is listening on
the specified TCP port:
[root@berry]# lsof -i TCP:12754
COMMAND   PID  USER  FD   TYPE  DEVICE  SIZE  NODE  NAME
mstream  3664 juser  3u   IPv4  721759        TCP   *:12754 (LISTEN)
3. Type the following command, replacing "process" with the name of the process
determined in step 2:
lsof -c process -a -d txt
4. Compare the output to the following output, to find the path to the executable:
[root@berry]# lsof -c mstream -a -d txt
COMMAND   PID  USER  FD   TYPE  DEVICE  SIZE   NODE    NAME
mstream  3664 juser  txt  REG   8,1     33185  306211  /home/juser/mstream
To kill the process and delete the executable:
1. Determine the process ID for the process. To obtain the PID:
■ If you know the name of the process, use the 'ps' command.
■ If you know the port number that the process is using, use lsof.
2. Kill the process using the 'kill' command and the process ID.
3. Delete the mstream executable.
To locate all the zombie systems registered to the master:
1. Locate the "..." or ".sr" file, which includes an encrypted list of IP addresses of all of the
zombies.
2. Decrypt the file using the following shell command, replacing "..." with ".sr",
depending on the file you are attempting to decrypt:
[root@berry]# cat ... | tr 'b-k`' '0-9.' | sed 's/<$//'
31.3.3.7
Inform your ISP of the attack, so that they can take action to further prevent the attack
from spreading.
References
Internet Security Systems Security Alert #48
"mstream" Distributed Denial of Service Tool
http://xforce.iss.net/alerts/advise48.php
ISS X-Force
mstream distributed denial of service tool (master detected)
http://xforce.iss.net/static/4371.php
CVE
CAN-2000-0138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0138
mstream distributed denial of service tool (zombie detected)
(Mstream_Zombie)
About this signature or vulnerability
This signature detects communications between an mstream master and zombie using
UDP port 10498, 7983, 6838, or 9325.
False negatives
RealSecure Network Sensor: RealSecure detects communications between the mstream
master and zombie only when the mstream zombie program uses its default UDP ports of
10498, 7983, 6838, or 9325. A false negative is possible if the mstream program is
configured to use a port other than port 10498, 7983, 6838, or 9325.
RealSecure Server Sensor: RealSecure detects communications between the mstream
master and zombie only when the mstream zombie program uses its default UDP ports of
10498, 7983, 6838, or 9325. A false negative is possible if the mstream program is
configured to use a port other than port 10498, 7983, 6838, or 9325.
Default risk level
High
Sensors that have this signature
RealSecure Network Sensor: 5.0, RealSecure Server Sensor: 5.5.2
Systems affected
Any
Type
Suspicious Activity
Vulnerability description
The mstream program is a distributed denial of service tool based on the "stream.c"
attack. This tool includes a "master controller" and a "zombie." The master controller is the
portion of the tool that controls all of the zombie agents. An attacker connects to the
master controller using telnet to control the zombies. Communications between the client,
master, and zombie are not encrypted.
Using a slightly modified version of the stream.c attack, the zombie slows a computer
down by using up CPU cycles. The attack also consumes network bandwidth. In addition
to the incoming ACK packets, the target host will consume bandwidth when it tries to
send TCP RST packets to non-existent IP addresses. Routers will then return ICMP host/
network unreachable packets to the victim, resulting in more bandwidth starvation. The
distributed method of attack multiplies the effect on the CPU, as well as consuming large
amounts of network bandwidth.
How to remove this vulnerability
Locate the mstream master or zombie on a system, by using strings or lsof. If you know
which port the master controller is listening on, you can use lsof to locate the executable.
After locating the mstream master or zombie, kill the process and delete the executable.
From the master controller, locate the zombie computers that are registered with the
master to find other systems that have been compromised.
To locate the mstream master or zombie on a system using strings:
1. Type the following command for each filesystem on the computer, replacing / with
the filesystem you want to search:
find / -mount -type f -print | xargs grep -l newserver
Note: This command could take up to thirty minutes to run on your system, depending on
the size of the filesystem and the speed of the computer.
2. Verify each file found by using the strings command on it, because the search may
find files that are not part of mstream, such as /usr/bin/xchat.
3. Compare the strings output to the expected strings output for the master and the
zombie, as listed below.
The strings output of the zombie, from server.c, should contain the following text:
Must be ran as root.
socket
bind
setsockopt
newserver
stream
mstream
ping
pong
fork
Forked into background, pid %d
The strings output of the master should contain the following text:
Connection from %s
newserver
New server on %s.
pong
Got pong number %d from %s
%s has disconnected (not auth'd): %s
Invalid password from %s.
Password accepted for connection from %s.
Lost connection to %s: %s
To locate the mstream master or zombie on a system using lsof:
1. Type the following command, replacing "port" with the port number on which the
master executable is listening:
lsof -i TCP:port
2. Compare the output to the following output to locate the process that is listening on
the specified TCP port:
[root@berry]# lsof -i TCP:12754
COMMAND   PID  USER  FD   TYPE  DEVICE  SIZE  NODE  NAME
mstream  3664 juser  3u   IPv4  721759        TCP   *:12754 (LISTEN)
3. Type the following command, replacing "process" with the name of the process
determined in step 2:
lsof -c process -a -d txt
4. Compare the output to the following output, to find the path to the executable:
[root@berry]# lsof -c mstream -a -d txt
COMMAND   PID  USER  FD   TYPE  DEVICE  SIZE   NODE    NAME
mstream  3664 juser  txt  REG   8,1     33185  306211  /home/juser/mstream
To kill the process and delete the executable:
1. Determine the process ID for the process. To obtain the PID:
■ If you know the name of the process, use the 'ps' command.
■ If you know the port number that the process is using, use lsof.
2. Kill the process using the 'kill' command and the process ID.
3. Delete the mstream executable.
To locate all the zombie systems registered to the master:
1. Locate the "..." or ".sr" file, which includes an encrypted list of IP addresses of all of the
zombies.
2. Decrypt the file using the following shell command, replacing "..." with ".sr",
depending on the file you are attempting to decrypt:
[root@berry]# cat ... | tr 'b-k`' '0-9.' | sed 's/<$//'
31.3.3.7
Inform your ISP of the attack, so that they can take action to further prevent the attack
from spreading.
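Worked example added here for the two mstream procedures above (the strings check and the zombie-list decode), for both the master and zombie entries; it is not code from the ISS guide or from the mstream tool. It undoes the same substitution as the tr/sed pipeline and requires every listed string before calling a candidate file an mstream component. The sample file contents are constructed and the function names are my own.

```python
# Added example, not code from the ISS guide: decode an mstream master's zombie
# list file ("..." or ".sr") and triage `strings` output of candidate files.
# The master stores one zombie IP per line under a fixed substitution: digits
# '0'-'9' become 'b'-'k', '.' becomes '`' and the line-ending newline becomes
# '<'. The guide's `cat ... | tr 'b-k`' '0-9.' | sed 's/<$//'` undoes the same map.
import re
from typing import List, Optional

# Markers taken from the guide's expected strings output for each component.
MASTER_STRINGS = ("Connection from %s", "New server on %s.",
                  "Got pong number %d from %s", "Invalid password from %s.",
                  "Password accepted for connection from %s.")
ZOMBIE_STRINGS = ("Must be ran as root.", "newserver", "stream", "mstream",
                  "ping", "pong", "Forked into background, pid %d")

_DECODE = str.maketrans("bcdefghijk`<", "0123456789.\n")
_DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

# Constructed sample file contents: 31.3.3.7 and 10.0.0.1, then a junk line.
SAMPLE_FILE = "ec`e`e`i<cb`b`b`c<garbage\n"


def decode_zombie_list(encoded: str) -> List[str]:
    """Return the zombie IPv4 addresses recorded in an mstream '...'/'.sr' file.

    Lines that do not decode to a well-formed dotted quad are dropped, so a
    corrupted or unrelated file does not produce bogus hosts to chase.
    """
    hosts = []
    for line in encoded.translate(_DECODE).splitlines():
        line = line.strip()
        match = _DOTTED_QUAD.match(line)
        if match and all(int(octet) <= 255 for octet in match.groups()):
            hosts.append(line)
    return hosts


def classify_strings(strings_output: str) -> Optional[str]:
    """Classify `strings` output as 'master', 'zombie' or None.

    Every marker for a component must be present, so a file that merely
    contains 'newserver' (the guide's /usr/bin/xchat case) is not flagged.
    """
    if all(marker in strings_output for marker in MASTER_STRINGS):
        return "master"
    if all(marker in strings_output for marker in ZOMBIE_STRINGS):
        return "zombie"
    return None
```

Feed decode_zombie_list the raw contents of the "..." or ".sr" file from the master's directory, and classify_strings the output of strings on each file the find/grep pass returned.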
References
Internet Security Systems Security Alert #48
"mstream" Distributed Denial of Service Tool
http://xforce.iss.net/alerts/advise48.php
ISS X-Force
mstream distributed denial of service tool (zombie detected)
http://xforce.iss.net/static/4370.php
CVE
CAN-2000-0138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0138
Napster client update (Napster_Client_Update)
About this signature or vulnerability
This signature detects a connection between a Napster client and a Napster server for the
purpose of updating the Napster client.
Default risk level
Low
Sensors that have this signature
RealSecure Network Sensor: SR 1.1
Systems affected
Napster
Type
Suspicious Activity
Vulnerability description
A connection between a Napster client and a Napster server for the purpose of updating
the Napster client has been detected. Napster is an application that helps users locate,
upload, and download MP3 music files over the Internet. The Napster client downloads
and installs new versions of the client when it receives a message to do so from a Napster
server. It could be possible for an attacker who has taken control of a Napster server to
direct Napster clients to download potentially damaging files or programs.
How to remove this vulnerability
If use of the Napster application is not in compliance with your system policy, consider
terminating the connection associated with this Napster event. It may be helpful to
remind users of your system policy regarding the use of Napster or similar applications.
References
Napster Web site
Napster
http://www.napster.com/
ISS X-Force
Napster client update
http://xforce.iss.net/static/4372.php
Napster long command (Napster_Command_Long)
About this signature or vulnerability
This signature has been removed from RealSecure Network Sensor in XPU 3.1, due to a
large number of false positives. This signature appears in the Policy Editor; however, it
will not fire under any condition. As an alternative, you should use the other Napster
signatures in RealSecure to detect the use of Napster on your network. Napster can
introduce many different vulnerabilities on your network, and your security policy
should not permit it to be used.
False positives
RealSecure Network Sensor: This si