IDGNet Virus & Security Watch Friday 1 August 2003


This issue's topics:

Introduction:

* DCOM RPC; McAfee ePO, Linux kernel & Solaris fixes; learn from a worm

Virus News:

* One bad turn uncovers another

* Major international antivirus conference 'over the ditch' in November

Security News:

* Confusion over MS03-026 installation and more

* MS03-029 updated - RRAS problems

* Fixes for McAfee ePolicy Orchestrator

* Multiple Linux kernel patches

* Solaris ld.so.1 buffer overflow gives local root

Introduction:

This week has seen a huge amount of discussion of DCOM RPC issues following the public releases late last week and through this week of several working exploits of the remote code execution vulnerability patched in MS03-026. Most of these exploits provide a 'remote shell', meaning that the person running the exploit can connect to the 'attacked' machine much as if it were running a telnet server, and they obtain a standard command prompt from the attacked machine. There has also, not surprisingly, been a noticeable increase in scanning for the standard ports that offer the Microsoft RPC services and a small spike in scanning for the port that the most widely discussed exploit opens its remote shell on if it is successful. While talking about MS03-026, also note that there are known problems with some of the popular patch management services correctly detecting whether the patch is already and/or properly installed.

Other things did happen this week, but I'll only highlight two more of them here - a nasty local privilege escalation in Solaris and a Linux kernel update fixing multiple security flaws.

Virus News:

* One bad turn uncovers another

Sometimes 'assistance' comes from the most unexpected quarters. The real-world incident related in the linked story may be helpful in reminding some readers of why they do the things they do, as the complacency of 'never having a real attack' can allow standards to fall. Further, this story of hunting and nailing a BAT/Mumu infection as it traipsed around a large, multinationally distributed corporate network and the lessons learned may provide good 'ammunition' to any readers who feel a lack of managerial support for 'doing things properly' _before_ they are needed.

Worm leaves its mark; exposes security deficiencies - computerworld.com

Computer Associates Virus Information Center

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Major international antivirus conference 'over the ditch' in November

The Association of Anti Virus Asia Researchers (AAVAR) is holding its 2003 conference in Sydney on 6-7 November. Although the conference program has not yet been finalized, if previous years' speaker and attendee lists are anything to go by this will be the only opportunity for many years to see and meet such a distinguished group of the antivirus industry's technical talent so near to home. (In fairness to our readers, the newsletter compiler must admit he is joint author of a proposed paper.)

The conference web site is essentially blank at the moment, until the program is finalized - we will also remind you again in a few weeks...

AVAR Conference 2003 - aavar.org

Security News:

* Confusion over MS03-026 installation and more

Not for the first time, incompatibilities between the different security patch checking processes offered by Microsoft and others have caused confusion. This is exacerbated by various installation failures, unintended reversions to previous, unpatched versions of (some of) the files included in a patch and other largely unforeseen circumstances.

This time it is over the recent, highly critical DCOM RPC patch announced in MS03-026, discussed in this newsletter a couple of weeks ago. Depending on whether you use Windows Update, MBSA (Microsoft Baseline Security Analyzer) or various third-party tools, you may be correctly or incorrectly told that the MS03-026 patch is or is not necessary. Then, if told it is necessary by one method but you decide to obtain and apply it via another method, you may be told that the machine in question does not need it and the installation method you are trying to use will refuse to obtain the patch. Ascertaining whether something as critical as the MS03-026 patch is needed on a given machine should not be this difficult.

The pros and cons of the various methods used by Windows Update, MBSA and other update methods are discussed in the first two NTBugtraq messages linked below. In short, unless you are using a good third-party patch management product, it sounds as if the MBSA approach and downloading individual patches it lists as missing is the best approach and Windows Update is to be avoided if at all possible.

And finally on MS03-026... Functional 'proof of concept' exploits of this vulnerability have been published and widely discussed during the last week. Worryingly, there have been some reports that even machines with the MS03-026 patch properly installed are still vulnerable to a remote denial of service by attempts to exploit the buffer overflow. The third NTBugtraq message linked below addresses this issue, implying that an updated MS03-026 patch should presumably be expected to correct the claimed denial of service. (Limited testing of this claim by your newsletter compiler has failed to find evidence of such residual effects on Windows 2000 Professional, although there are many possible configuration options which may have to be tried in many combinations before one could be sure there is no such effect.)

Archived NTBugtraq list message (9218) - ntbugtraq.com

Archived NTBugtraq list message (9340) - ntbugtraq.com

Archived NTBugtraq list message (8437) - ntbugtraq.com

Microsoft Baseline Security Analyzer home page - microsoft.com

Archived NTBugtraq list message (331071) - ntbugtraq.com

Microsoft Security Bulletin MS03-026

* MS03-029 updated - RRAS problems

NT 4.0 administrators who have not yet installed the MS03-029 patch but are considering doing so should take note of Microsoft's recent update to the accompanying security advisory. Subsequent to the initial release of the MS03-029 patch, several NT 4.0 Server administrators reported problems with Routing and Remote Access Service (RRAS) failing to start. Backing out the patch fixes this RRAS problem. Microsoft now says that the security fix per se still works as planned and no other services are affected.

A special hotfix addressing this problem is available from Microsoft Product Support Services (PSS) and details of obtaining that are available in the updated security bulletin. Those who have already applied the MS03-029 patch to RRAS systems should consider backing out the patch and waiting for its re-issue once full testing of the hotfix has been completed, or contact PSS for the interim hotfix.

Systems not running RRAS are unaffected by all this.

Microsoft Security Bulletin MS03-029

* Fixes for McAfee ePolicy Orchestrator

Security researchers from @stake have discovered three security vulnerabilities in the McAfee ePolicy Orchestrator (ePO) tools from Network Associates (NAI). ePO is a policy-driven enterprise management system for the NAI/McAfee range of antivirus products and such products from some other antivirus vendors.

The vulnerabilities can be exploited to allow the execution of arbitrary code with the privileges of the vulnerable ePO code. Under default installations, the affected ePO agent and server processes run in the Windows local system security context. Typical best practices should mean that the vulnerable machines should not be visible outside the corporate LAN, reducing the likely severity of risk exposure in most cases.

NAI has a security bulletin describing these vulnerabilities, and a fourth. Patches addressing these flaws are also available from the NAI security bulletin linked below.

ePolicy Orchestrator multiple vulnerabilities - atstake.com

Network Associates Security Bulletin 07/31/03 - nai.com

* Multiple Linux kernel patches

Red Hat has posted an advisory describing multiple security-related bugs in the 2.4 kernel that have recently been fixed. The severity of these flaws ranges from sensitive information leakage through all manner of undesirable privilege escalations to kernel panic-induced crashes. Aside from Red Hat, most popular distributions have now released update packages to address these vulnerabilities.

Updated 2.4 kernel fixes vulnerabilities - neohapsis.com

* Solaris ld.so.1 buffer overflow gives local root

Finnish security researcher Jouko Pynnonen has discovered a locally exploitable buffer overflow in the Solaris runtime linker, ld.so.1. This vulnerability can be exploited by a local user to gain elevated privileges should there be any dynamically linked SUID/SGID programs on the local file system. As a typical Solaris system has several such executables and Sun is recommending developers move to only dynamic linking (Solaris 10 will not support statically linked executables), it seems most Solaris machines will be exploitable.

Although Pynnonen did not include specific exploitation details in his advisory, he did describe a trivial overflow causing a core dump. Sun has released a patch to fix this vulnerability, which is present in both SPARC and Intel platform versions of the OS.
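Since the exposure described above depends on which set-uid/set-gid programs on a system are dynamically linked, an administrator waiting to apply Sun's patch will want that inventory. The following is an added example written for this newsletter, not Sun's or the researcher's code: it walks a directory tree, keeps the regular files with the set-uid or set-gid bit, and decides whether each is dynamically linked by parsing the ELF header for a PT_INTERP or PT_DYNAMIC program header (both ELF32 and ELF64, either byte order), rather than trusting `file` output. The `demo()` function builds a few minimal synthetic ELF images in a scratch directory so the block runs anywhere; on a real system call `find_dynamic_setid("/usr")` or similar.

```python
"""Added example: inventory set-uid/set-gid executables that are dynamically linked.

A defender's audit aid for the ld.so.1 issue; not Sun's or the researcher's code.
The synthetic ELF images built by build_fake_elf() exist only to make demo() self-contained.
"""
import os
import stat
import struct
import tempfile

PT_DYNAMIC = 2   # program header present in every dynamically linked ELF
PT_INTERP = 3    # path of the runtime linker (ld.so.1 on Solaris)
ELF_MAGIC = b"\x7fELF"


def is_dynamically_linked(path):
    """True if the ELF at path has a PT_DYNAMIC or PT_INTERP program header.

    Non-ELF files, unknown classes and truncated headers return False.
    """
    with open(path, "rb") as f:
        ident = f.read(16)
        if len(ident) < 16 or ident[:4] != ELF_MAGIC:
            return False
        elf_class, data = ident[4], ident[5]
        endian = "<" if data == 1 else ">"        # ELFDATA2LSB vs ELFDATA2MSB
        if elf_class == 2:                        # ELFCLASS64: 48 bytes follow e_ident
            hdr = f.read(48)
            if len(hdr) < 48:
                return False
            fields = struct.unpack(endian + "HHIQQQIHHHHHH", hdr)
            fmt = endian + "IIQQQQQQ"
        elif elf_class == 1:                      # ELFCLASS32: 36 bytes follow e_ident
            hdr = f.read(36)
            if len(hdr) < 36:
                return False
            fields = struct.unpack(endian + "HHIIIIIHHHHHH", hdr)
            fmt = endian + "IIIIIIII"
        else:
            return False
        # fields: e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize e_phentsize e_phnum ...
        phoff, phentsize, phnum = fields[4], fields[8], fields[9]
        size = struct.calcsize(fmt)
        for i in range(phnum):
            f.seek(phoff + i * phentsize)
            ph = f.read(size)
            if len(ph) < size:
                return False
            if struct.unpack(fmt, ph)[0] in (PT_DYNAMIC, PT_INTERP):   # p_type is first in both classes
                return True
    return False


def find_dynamic_setid(root):
    """Sorted paths under root of set-uid/set-gid regular files that are dynamically linked."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            if is_dynamically_linked(path):
                found.append(path)
    return sorted(found)


def build_fake_elf(dynamic, bits=64):
    """Construct a minimal little-endian ELF image with one program header (test fixture only)."""
    p_type = PT_DYNAMIC if dynamic else 1         # PT_LOAD only for the 'static' case
    if bits == 64:
        ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\0" * 9
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", p_type, 6, 0, 0, 0, 0, 0, 8)
    else:
        ident = ELF_MAGIC + bytes([1, 1, 1]) + b"\0" * 9
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 40, 0, 0)
        phdr = struct.pack("<IIIIIIII", p_type, 0, 0, 0, 0, 0, 6, 4)
    return ehdr + phdr


def check_image(image):
    """Write an image to a scratch file and classify it (convenience for quick checks)."""
    fd, path = tempfile.mkstemp(prefix="elfcheck-")
    with os.fdopen(fd, "wb") as f:
        f.write(image)
    return is_dynamically_linked(path)


def demo():
    """Create a scratch tree of constructed files and return the basenames the audit flags."""
    root = tempfile.mkdtemp(prefix="setid-audit-")
    cases = {
        "dyn_setuid": (build_fake_elf(True), 0o4755),
        "static_setuid": (build_fake_elf(False), 0o4755),
        "dyn_plain": (build_fake_elf(True), 0o755),
        "dyn32_setuid": (build_fake_elf(True, bits=32), 0o4755),
    }
    for name, (image, mode) in cases.items():
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(image)
        os.chmod(path, mode)
    return [os.path.basename(p) for p in find_dynamic_setid(root)]


if __name__ == "__main__":
    print(demo())
```

The list this produces is the set of programs through which the overflow could be reached on that host; until the patch is applied, it is also the list to weigh when deciding which set-uid bits can be dropped without breaking anything.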

Archived Bugtraq list message (330929) - securityfocus.com

Security Vulnerability in Runtime Linker ld.so.1 - Sun Alert ID: 55680
