Information leaks, more Microsoft hacks and Hybris

Hybris worm on increase; Exchange Server Malformation revealed; Microsoft 'hacked' again; Security flaws in Compaq Management Agents; Buffer overflow in Lotus Notes/Domino SMTP server and more.

Information leaks of various kinds can make attacks against your network easier, and this is especially true of leaks that can be seen by remote users ("insiders" have so many advantages in this regard...). A couple of information leaks are described below and the Compaq one is of particular interest as some of the files that may exposed often contain administrative user's passwords in plain text. It is, of course, very bad practice to write passwords down, no matter how secure you think the location is. Storing security-critical passwords in supposedly secure locations such as system configuration files is therefore doubly foolish as these are the files attackers will most often look for unexpcted methods of acessing, such as the Compaq vulnerability provides.

If you have a process or system function that requires storing a security-sensitive password in a file (and isn't that all passwords?), seriously consider whether you really need to use that functionality or

if there is not another way. Ask yourself "Could a system vendor really be so stupid as to expect saving a password in a file can be safe?" If your answer is "Yes", consider switching vendors! If the functionality is key to your operation and there is no other way, consider switching vendors.

Also covered today are updates on a couple of recent Microsoft advisories, Microsoft hacked again, a Lotus Notes/Domino e-mail server bug, and a tricky new worm on the loose.

Virus News

Hybris worm on increase

Why is it that the last few weeks I have reported almost exclusively on "worms"? These programs mostly arrive on victims machines as executable attachments to odd through downright weird e-mail messages and require the user's willing cooperation to be run.

Hybris is a particularly nasty piece of work with complaex network updating functionality which means that it can keep changing its appearance and features as its writer releases update modules or "plug-

ins". Such developments have been seen before, but some of the advances in their implementation in Hybris mean that it will be a trickier beast for antivirus products to keep on top of. Most antivirus vendors have descriptions of Hybris on their web sites, however, I have chosen to link to just one -- the one that is by far the most detailed (although probably still incomplete) as this newsletter goes to press.

- Kaspersky Anti-Virus description of Hybris

Security News

Exchange v5.5 "Malformed MIME Header" details released

The security researcher who uncovered the Exchange server denial of service vulnerability that Microsoft named "Malformed MIME Header" has released the details of the MIME header involved. As these details are now publicly available, it is strongly recommended that anyone running Exchange Server 5.5 in environments where the server has to process e-mail from potentially untrustworthy sources should apply the patch or the soon to be released SP4 for Exchange Server 5.5. This would include all servers on, or processing messages relayed from, Internet e-mail sources.

- Microsoft Security Bulletin and FAQ

IIS "Web Server File Request Parsing” vulnerability revisited

Microsoft has updated its security bulletin covering the serious IIS security vulnerability mentioned in this newsletter last week. IIS v4.0 was originally reported as not affected by this vulnerability, but that has turned out to be incorrect. Microsoft also documents some further restrictions on the conditions that apply for the vulnerability to be exploited.

IIS users, and particularly those using v4.0, should revisit the web pages below. As SP6.0a contains a patch that fixed this problem, IIS v4.0 servers running under that service pack should be fixed.

- Microsoft Security Bulletin and FAQ

Microsoft "hacked" again...

In the introductory notes of last week's newsletter, a Dutch hacker was reported as altering the contents of a "decomissioned" Microsoft web server by exploiting the IIS "Web Server File Request Parsing" vulnerability. This was possible because Microsoft system administrators had apparently not applied the appropriate security patches to that server (see preceding item).

The same hacker is now reported to have "attacked" the same web server a few days later. A Microsoft spokesman claims the server was patched following the public exposure of the first incident, but the hacker claims to have used the attack as previously.

- ComputerWorld article

Security flaws in Compaq web-based Management Agents

Although rcently reported as a NetWare issue, default installations of Compaq's web-based Management Agents for several platforms may provide anonymous access to system configuration files that can contain sensitive information. Compaq says the agents for SCO Unix, UnixWare and

OpenServer, IBM OS/2 and Compaq OpenVMS do not expose similar vulnerabilities. A similar problem exists in Compaq's Survey Utility v2.0 (and later) installed as an agent on NT and NetWare.

Affected software has shipped pre-installed on some Compaq systems and this software is often installed by users. Compaq claims it has "always advocated that these agents and utilities be deployed only in private networks and were not for use on the Internet or systems outside the bounds of a firewall". Its subsequent claim that this means the threat is largely an internal one is open to question however.

Users of Compaq equipment that ships with this software are advised to check Compaq's position on this at the URL below. As this vulnerability was disclosed on a public mailing list last week, it is likely that probes for open Compaq Management Agents on Internet-connected machines will start appearing, so you should ensure you are not open to abuse through this potential information leak source.

- Compaq Security Advisory

Buffer overflow in Lotus Notes/Domino SMTP server

The S.A.F.E.R. team have released a security bulletin documenting a buffer overflow in Lotus Notes and Domino SMTP servers prior to v5.05. This overflow allows such servers to be crashed remotely and opens the possibility of an attacker executing arbitrary code on the server with the elevated priviliges of the mail server. The authors of the security bulletin have suggested they may release an exploit demonstrating the use of this vulnerability.

Users of affected servers may wish to read the security bulletin in full and/or obtain the latest updates from Lotus. The URLs below link to the respective web pages.

- S.A.F.E.R. Security Bulletin

- Lotus update site

Remote object enumeration in Novell environments

Due to a combination of factors revolving around legacy support issues, default installations of NetWare v5.0 and later with native IP support leak more system information than may be desirable. This is of particular concern for servers visible to the Internet. BindView's RAZOR security research team at has released a detailed advisory explaining the issues and exposures.

Users of NetWare v5.0+ servers with native IP support are recommended to read that advisory and such users in Internet-connected organizations are strongly recommended to read it.

- RAZOR Advisory

Bind remote DoS affects multiple Linux and Unix distributions

The Internet Software Consortium (ISC) has released an update to bind -- the popular DNS server implementation -- and recommends that users upgrade to this release to resolve some serious security vulnerabilities. Apart from the ISC's updated code releases, most Linux (and a few other Unix platform) vendors are now shipping updated bind packages for their distributions -- users of these platforms should check their vendors update and/or security pages for details.

- ISC bind and bind vulnerabilities pages

Join the newsletter!

Error: Please check your email address.
Show Comments
[]