IDGNet Virus & Security Watch Friday 18 July 2003


This issue's topics:

Introduction:

* Windows, Cisco IOS, nfs-utils critical patches; spammers using malware

Virus News:

* New malware turns PCs into spam machines, porn proxies, etc...

* It's a Gruel, Gruel world!!

Security News:

* Critical Windows RPC remote code execution flaw fixed

* Patch released for Windows XP shell vulnerability

* XSS flaw in Microsoft ISA Server 2000 error pages fixed

* Two WatchGuard ServerLock bypasses fixed

* Mac OS X screensaver password bypass fixed

* Highly critical Cisco IOS flaw

* Remote code execution through nfs-utils bug fixed

* Open SMTP relay through misconfigured qmail-smtpd-auth

Introduction:

Trojans subverting normal machines - usually in small businesses and homes but on fast (DSL or cable) Internet connections - into porn-serving or spam-relaying proxies are the latest interesting development in the malware scene. Many victims of these 'attacks' have the attitude 'there's nothing worth taking on my machine so why bother securing it'. Of course, this ignores the fact that obscuring a service's real location and/or 'stealing' the victim's bandwidth and network identity are actually highly valuable resources to many malcontents such as spammers, scammers, kiddie-porn peddlers and their ilk. The other item in our virus section is coverage of a mass-mailer that has (so far) not 'made it', which is an especially good thing given the severity of its destructive payload.

This week also saw the release of the first 'critical' patch for Windows Server 2003 - a DCOM RPC problem that runs across the whole NT-based family of OSes. This is a remotely exploitable vulnerability that does not require any form of user authentication to exploit and gives the attacker local system privileges. Last week I commented on the lack of an NT 4.0 Workstation patch for MS03-023 because it had reached its official 'end of life' a little over a week earlier than MS03-023's release. What I missed at the time was that a Windows 98 patch was released for MS03-023 despite Windows 98 having the same 'end of life'. To further confuse matters, it seems that MS03-026 - released a further week later - does include an NT 4.0 Workstation patch (no, I'm not trying to claim any credit for that!). I guess consistency is not part of the Trustworthy Computing rubric...

Nor, it seems, is keeping new bugs out of fixes. Reading between the lines of another of this week's crop of three security bulletins from Microsoft, MS03-027, it seems quite clear that XP SP1 included a presumed 'fix' for something in the Windows shell that introduced an entirely new vulnerability.

Anyone using WatchGuard's ServerLock for Windows should check they have the latest updates, as a couple of methods of circumventing its protections and getting rogue code running with high privileges have been publicized in an advisory posted to a security mailing list. Both methods have been seen in experimental Windows root kits, so installing the latest ServerLock updates which are claimed to block these attacks would be a good idea.

Second biggest patch of the week, at least in terms of number of potentially affected users, if not machines, is the Cisco IOS update to fix a problem in _all_ Cisco devices running IOS and configured to handle IPv4. That is, nearly every Cisco IOS device. An IOS device can effectively have one of its interfaces disabled if that interface is sent a specially crafted sequence of packets, requiring a hardware reset to restore functionality. A fairly trivial to implement DoS scenario is easily imagined...

Linux and Mac administrators are not let off the patch circus this week with updates for the popular nfs-utils package and a qmail configuration check for the former, and a screen saver password bypass fix for the latter.

Virus News:

* New malware turns PCs into spam machines, porn proxies, etc...

Several variants of a new Trojan Horse program have been discovered in the last few days. Variously known as BackDoor-AXJ, Berbew, Heloc, Rebbew and Webber (we stopped listing them after this -- there are even more names for this from even less well-known antivirus developers) these Trojans have been implicated in several identity (or at least credit card information) theft scams. Further, machines compromised with these Trojans may be being used as SMTP e-mail proxies and/or as web proxies.

The current crop of these Trojans are seen as comprising two parts. First, a small program is sent as an e-mail attachment to large numbers of potential victims in a spammed e-mail message. In the last few days, messages claiming to be from the CitiBank group and from E-Loan Inc, both under the pretext of processing a loan application, have been seen, although all manner of other scams are possible and other messages will likely be seen in the coming days. These messages attempt to entice the recipient to open the attachment, which is actually a 'downloader' - a small program that obtains another program (or several programs) from a server on the Internet and executes it (or them) on the victim's machine. The second part of these Trojans is actually the downloaded part, and for now that has been a program with password stealing and network proxy functions. Descriptions of this latest Trojan and/or its downloader are the first links (or first and second where there are more than two links) listed under our usual antivirus web sites, below.

Proxy functions allow spammers and the web sites they advertise (or whoever else knows of the Trojan's existence and location) to 'hide' their true identities. In turn, this allows the spammers and the various products or scams they promote to extend by days, or even weeks, the 'useful' length of an advertising 'spam burst'. A Trojan known as Migmaf, which is similar to the one described above, has also been used in another recently uncovered scheme. In that case some spammers controlled the DNS servers handling their 'target' domains and, in very short order, the DNS entries for the domains their spammed messages pointed to were rotated to point to victims running the Migmaf Trojan. These copies of Migmaf acted as reverse-proxies, getting the requested web pages from the spammers' central servers and passing them back to the requesting machine (being the people reading the spam). Other Migmaf compromised machines were used to relay the spammers' e-mail messages. In those of our usual antivirus web sites that have two or more links listed below, the last link is to that site's description of Migmaf.

Trojan Hijacks PCs to Peddle Porn - pcworld.com

Reverse-Proxy Spam Trojan Migmaf - lurhq.com

Computer Associates Virus Information Center (35848)

Computer Associates Virus Information Center (35814)

F-Secure Security Information Center (webber)

F-Secure Security Information Center (migmaf)

Kaspersky Lab Virus Encyclopedia (61335)

Network Associates Virus Information Library (100487)

Network Associates Virus Information Library (100488)

Network Associates Virus Information Library (100480)

Sophos Virus Info (webbera)

Sophos Virus Info (migmafa)

Symantec Security Response (trojan berbew)

Symantec Security Response (backdoor berbew)

Symantec Security Response (migmaf)

Trend Micro Virus Information Center (rebbew.a)

Trend Micro Virus Information Center (migmaf.a)

* It's a Gruel, Gruel world!!

A new mass-mailing virus made a small splash this week. Now known as Fakerr (for 'fake error') and Gruel by most antivirus products, several minor variants of this virus hit the net mid-week. Fortunately it seems this one did not 'hit a mother lode' of accessible e-mail addresses, but it was of some concern when first discovered because of its highly destructive and almost immediate payload. If run, Gruel would mass-mail itself to every address in the Outlook address book, then effectively lock its victim's machine while deleting large numbers of crucial files and altering many system configuration settings. On reboot, if Windows would load at all, it would be all but useless, with the virus having interceded in most program launches and having seriously messed up normal desktop operation through various restrictive policy settings.

Computer Associates Virus Information Center (35846)

F-Secure Security Information Center (fakerr)

Network Associates Virus Information Library (100489)

Sophos Virus Info (w2gruela)

Symantec Security Response (w32.gruel@mm)

Trend Micro Virus Information Center (worm_gruel.a)

Security News:

* Critical Windows RPC remote code execution flaw fixed

Microsoft has released patches for a newly announced flaw in the DCOM interface to RPC services on all NT-based OSes - NT 4.0 (Workstation, Server and Terminal Server), Windows 2000 (all forms), Windows XP (all forms) and Windows Server 2003. The vulnerability is a buffer overflow that can be remotely exploited to execute, with local system privileges, arbitrary code supplied by the attacker. As the affected RPC services are installed, bound to all TCP/IP interfaces, and enabled by default on all affected OSes, this flaw is rightly rated as being of critical severity on all affected OSes. The severity of this vulnerability should not be underestimated as its exploitation does not require an attacker to first authenticate to the target machine, unlike some previous RPC flaws.

Polish hacking group LSD (The Last Stage of Delirium) discovered the flaw and have posted an advisory which we have linked to below, along with the relevant Microsoft security bulletin. LSD says that the extremely serious nature of this flaw and the massive number of exploitable machines on the Internet prevents them from releasing exploit code. Despite that, it is to be expected that others will start investigating this flaw looking for ways to exploit it. Thus patching potentially exposed machines, or ensuring proper firewalling of RPC and related service ports, should be treated as an especially high priority.

Finally, we have also supplied a link to an archived copy of a message posted to several security lists by security researcher Todd Sabin. Sabin claims that the Microsoft security bulletin is incorrect in suggesting that RPC on port 135 is the only point of access to this vulnerability as the flaw is in code accessible via the endpoint mapper which may also, depending on system configuration and other installation options, be accessible via ports 445, 593 and even port 80.

Although the security bulletin includes several workarounds (some of which are far from complete or practicable in some configurations if Sabin's claims are correct), in general Microsoft's recommendation to 'apply the patch immediately' cannot be over-emphasized.
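Sabin's point that the vulnerable endpoint-mapper code may be reachable on more than port 135 is what makes 'firewall port 135' an incomplete workaround. The following is an added example, not from the bulletin or from Sabin's post: it audits firewall log lines (in a constructed key=value format, not any real product's) for accepted inbound TCP connections from outside the trusted LAN ranges to 135, 445 or 593, so an administrator can see which internal hosts are actually exposed and patch or filter those first. The trusted ranges and the log format are assumptions; port 80 is deliberately left out because it is normally legitimate web traffic and needs a separate review of whether RPC over HTTP is installed.

```python
import ipaddress
import re
from collections import Counter

# Ports through which the DCOM RPC endpoint mapper may be reachable, per the
# MS03-026 bulletin (135) and Sabin's follow-up (445, 593; 80 where RPC over
# HTTP is installed). 80 is omitted here: it needs a separate, manual review.
RPC_PORTS = {
    135: "RPC endpoint mapper",
    445: "SMB (RPC over named pipes)",
    593: "RPC over HTTP",
}

# Address ranges treated as the trusted LAN (assumption; adjust to your site).
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log lines in an assumed key=value format (not a real
# firewall's syntax). 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for Internet sources.
SAMPLE_LOG = """\
action=ACCEPT proto=TCP src=203.0.113.7 dst=192.168.1.20 dpt=135
action=ACCEPT proto=TCP src=192.168.1.55 dst=192.168.1.20 dpt=445
action=DROP proto=TCP src=198.51.100.9 dst=192.168.1.20 dpt=445
action=ACCEPT proto=TCP src=198.51.100.9 dst=192.168.1.21 dpt=593
action=ACCEPT proto=TCP src=203.0.113.7 dst=192.168.1.20 dpt=80
"""

LINE_RE = re.compile(
    r"action=(\w+) proto=(\w+) src=([\d.]+) dst=([\d.]+) dpt=(\d+)"
)


def is_trusted(src):
    """True if the source address lies inside one of the trusted LAN ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def find_exposed_rpc(log_text):
    """Return (dst, port, src) triples for ACCEPTed inbound TCP connections
    from untrusted sources to one of the RPC-related ports."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        action, proto, src, dst, dpt = m.groups()
        dpt = int(dpt)
        if action != "ACCEPT" or proto != "TCP" or dpt not in RPC_PORTS:
            continue
        if is_trusted(src):
            continue  # LAN-internal exposure is a separate trust decision
        hits.append((dst, dpt, src))
    return hits


def summarize(hits):
    """Count exposed (host, port) pairs so patching can be prioritised."""
    return Counter((dst, port) for dst, port, _ in hits)


if __name__ == "__main__":
    for (dst, port), n in summarize(find_exposed_rpc(SAMPLE_LOG)).items():
        print(f"{dst} port {port} ({RPC_PORTS[port]}): {n} external connection(s)")
```

A host that shows up here has the vulnerable interface reachable from the Internet regardless of which port the bulletin happens to name, which is the practical consequence of Sabin's observation.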

Buffer Overrun In Windows RPC Interface - lsd-pl.net

Archived VulnWatch list message - neohapsis.com

Microsoft Security Bulletin MS03-026

* Patch released for Windows XP shell vulnerability

Another arbitrary code execution bug, but this time only affecting Windows XP SP1, has been patched. A flaw in a shell function that extracts attribute information from folders can be exploited to run code of an attacker's choice. However, as exploiting this vulnerability requires manipulating the contents of 'desktop.ini' files accessible to the intended victim machines, its scope for exploitation should be rather limited in normal circumstances.

Usually such files would only be available to the flawed shell functions of one machine by using Windows Explorer to view the contents of a network share. Under normal best practices such shares should only be available across a LAN, or an otherwise protected WAN or VPN connection, rather than directly across the Internet. Thus the risk of exposure to exploits of this vulnerability reduces to the trustworthiness of your own staff and others who have access to shares on your LAN.

Microsoft rates this as an 'important', rather than 'severe' vulnerability because of these mitigating circumstances.

Microsoft Security Bulletin MS03-027

* XSS flaw in Microsoft ISA Server 2000 error pages fixed

Standard HTML error pages included with Microsoft Internet Security and Acceleration (ISA) Server 2000 include cross-site scripting (XSS) vulnerabilities that may be exploited to run HTML-embedded scripts in security contexts in which they do not belong. This opens up all the usual XSS exposures with the specifics depending on the site running ISA Server through to the browser used by the 'victim'.

As this vulnerability does not necessarily open the hosting site to arbitrary code execution, Microsoft rates this vulnerability as 'important'. As XSS exploits can be 'bounced off' arbitrary sites, hopefully ISA Server admins in general will not wish to aid and abet the seedier side of the net that may wish to exploit this flaw, and thus will apply this patch sooner rather than later.
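The bulletin does not say which part of the error page reflects attacker-influenced text, so the following is an added, generic illustration rather than ISA Server's own code: an error page that echoes the requested URL verbatim beside the same page with the value HTML-escaped. The `requested_url` parameter and the constructed probe string are assumptions chosen for the example.

```python
import html


def error_page_unsafe(requested_url):
    """Vulnerable pattern: attacker-influenced text is placed into HTML as-is,
    so any markup it carries becomes part of the page (the XSS exposure)."""
    return (
        "<html><body><h1>Error</h1>"
        f"<p>Could not retrieve {requested_url}</p>"
        "</body></html>"
    )


def error_page_safe(requested_url):
    """Hardened pattern: escape <, >, &, quotes before embedding, so the text
    is displayed rather than interpreted by the browser."""
    return (
        "<html><body><h1>Error</h1>"
        f"<p>Could not retrieve {html.escape(requested_url, quote=True)}</p>"
        "</body></html>"
    )


def contains_active_content(page):
    """Crude demonstration check: does the rendered page contain an
    unescaped script tag? (Real review uses a proper HTML parser.)"""
    return "<script" in page.lower()


# Constructed probe value: a URL carrying inert markup, for the demonstration only.
PROBE = "http://example.invalid/<script>/* probe */</script>"

if __name__ == "__main__":
    print("unsafe page executes markup:", contains_active_content(error_page_unsafe(PROBE)))
    print("safe page executes markup:  ", contains_active_content(error_page_safe(PROBE)))
```

The same escaping rule applies to every reflected value (URL, host name, error text); the fix for this class of bug is never to special-case one string.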

Microsoft Security Bulletin MS03-028

* Two WatchGuard ServerLock bypasses fixed

WatchGuard ServerLock for Windows versions prior to the SL 2.0.4 patch release can be bypassed by two methods discovered by Jan Rutkowski. Rutkowski claims WatchGuard has kept the methods used to fix the holes in its product secret, but acknowledges the attacks against ServerLock that he discovered do not work against the SL 2.0.4 patch version. The SL 2.0.4 release is available to ServerLock customers from WatchGuard's LiveSecurity site. No information about these problems was found posted on WatchGuard's site, so we can only include a link to an archived copy of the advisory Rutkowski posted to the Bugtraq mailing list.

Archived Bugtraq list message (329443) - securityfocus.com

* Mac OS X screensaver password bypass fixed

A vulnerability in the password input handling code of OS X means that unauthorized users can get access to an OS X machine that is apparently locked with a screensaver. Simply holding down a key 'for several minutes' has been widely described to cause some form of buffer overflow or other exception that, in turn, causes the password authentication routine to 'fail open', thereby clearing the screensaver, keyboard and mouse lock and allowing full access to the 'locked' machine's desktop. Apple has released 'Security Update 2003-07-14 v.1.0' to address this vulnerability. Download instructions are available from the page linked below.

Security Update 2003-07-14 v.1.0: Information and Download - apple.com

* Highly critical Cisco IOS flaw

All Cisco devices running Cisco's IOS operating system and configured to handle IPv4 traffic are vulnerable to a denial of service (DoS) attack from a specially crafted sequence of IPv4 packets. Details of the packet sequence are (fortunately!) sketchy, but the effect of such a sequence, if addressed directly to an interface on an affected device is essentially the same as shutting down that interface. No alarms will be triggered and devices with self-correction capabilities will not restart to clear the problem. Obviously this could cause serious routing failures.

What detail Cisco has released suggests that such traffic must have packets with protocol types 53, 55, 77 or 103. Protocol type 103 (Protocol Independent Multicast, PIM) packets will not be problematic on interfaces specifically configured to handle PIM.

Details of the availability of IOS updates addressing this issue, and of workarounds that can be implemented to ameliorate the vulnerability until updates are available or can be applied, are described in the Cisco security advisory linked below.
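Since the only public detail is the set of protocol numbers and the fact that the packets must be addressed to the device's own interface, a monitoring check can be built from just that. The following is an added example, not from Cisco's advisory: it parses the fixed 20-byte IPv4 header of a captured packet and flags those with protocol 53, 55, 77 or 103 whose destination is one of the router's interface addresses, exempting PIM (103) on interfaces that are configured for PIM, as the article notes. Sample packets are constructed in the code; the router addresses are placeholders, and the protocol names for 53, 55 and 77 are the IANA registry names rather than anything stated in the article.

```python
import ipaddress
import struct

# IPv4 protocol numbers named in the Cisco advisory. 103 (PIM) is the only one
# the article names; the other names are from the IANA protocol-number registry.
SUSPECT_PROTOCOLS = {53: "SWIPE", 55: "MOBILE", 77: "SUN-ND", 103: "PIM"}

IPV4_FIXED_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20 bytes


def parse_ipv4_header(raw):
    """Return the fields we need from an IPv4 header, or None if the bytes
    are not a plausible IPv4 header (too short, wrong version, bad IHL)."""
    if len(raw) < IPV4_FIXED_HDR.size:
        return None
    (ver_ihl, _tos, _total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = IPV4_FIXED_HDR.unpack(raw[:IPV4_FIXED_HDR.size])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        return None
    return {
        "proto": proto,
        "ttl": ttl,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def classify(raw, interface_addrs, pim_enabled_addrs=frozenset()):
    """Return a reason string if the packet matches the advisory's pattern
    (suspect protocol, addressed directly to one of our interfaces), else None.
    Transit traffic is ignored: the article says the packets must be addressed
    to the interface itself."""
    hdr = parse_ipv4_header(raw)
    if hdr is None or hdr["dst"] not in interface_addrs:
        return None
    proto = hdr["proto"]
    if proto not in SUSPECT_PROTOCOLS:
        return None
    if proto == 103 and hdr["dst"] in pim_enabled_addrs:
        return None  # PIM is expected where the interface is configured for it
    return (f"protocol {proto} ({SUSPECT_PROTOCOLS[proto]}) to router interface "
            f"{hdr['dst']} from {hdr['src']}")


def make_packet(src, dst, proto, ttl=64):
    """Constructed sample: a bare IPv4 header (no payload, zero checksum)."""
    return IPV4_FIXED_HDR.pack(0x45, 0, IPV4_FIXED_HDR.size, 0, 0, ttl, proto, 0,
                               ipaddress.IPv4Address(src).packed,
                               ipaddress.IPv4Address(dst).packed)


if __name__ == "__main__":
    # Placeholder router interface addresses (documentation range, not real).
    ifaces = {"192.0.2.1", "192.0.2.129"}
    samples = [
        make_packet("198.51.100.7", "192.0.2.1", 53),      # suspect, to interface
        make_packet("198.51.100.7", "192.0.2.1", 6),       # TCP, ignored
        make_packet("198.51.100.7", "203.0.113.9", 77),    # transit, ignored
        make_packet("198.51.100.7", "192.0.2.129", 103),   # PIM on PIM interface
    ]
    for pkt in samples:
        print(classify(pkt, ifaces, pim_enabled_addrs={"192.0.2.129"}))
```

A count of such matches per source address over a short window is a reasonable alarm condition, given that the article notes the device itself raises no alarm when an interface wedges.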

Cisco IOS Interface Blocked by IPv4 Packet - cisco.com

* Remote code execution through nfs-utils bug fixed

The 'xlog' function used by 'rpc.mountd' in the Linux nfs-utils 1.0.3 and earlier has an off-by-one buffer overflow which has been shown to be remotely exploitable to execute arbitrary code. Version 1.0.4 of nfs-utils has been released to correct this and most distributions that include nfs-utils have update packages available. However, the truly keen may wish to obtain an even more recent update - nfs-utils 1.0.5 has now been released and source is available from the project's home page on SourceForge.

nfs-utils home page - sourceforge.net

Release notes for nfs-utils 1.0.5 - sourceforge.net

* Open SMTP relay through misconfigured qmail-smtpd-auth

John Simpson posted to the Bugtraq mailing list this week, warning that the qmail-smtpd-auth patch (which adds SMTP AUTH support to qmail) is easily misconfigured in such a way that the system becomes an open relay (see the first linked item below). Simpson's contention that the patch was buggy and should be fixed with a patch of his own offering was vigorously challenged - for example, see the second and third linked items below. If you use the qmail-smtpd-auth patch it seems inadvisable to apply Simpson's suggested patch but it may be a good idea to double-check that you have not misconfigured qmail-smtpd-auth so as to make your server an open relay.
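qmail-smtpd's relay rule is simple: a recipient is accepted if its domain is in the local list (rcpthosts) or if the RELAYCLIENT environment variable is present, and qmail-smtpd-auth's whole job is to add RELAYCLIENT after a successful AUTH. The following is an added example, not from Simpson's post or any of the replies, that models that decision so the 'am I an open relay?' question can be reasoned about from the environment the daemon actually starts with: if RELAYCLIENT is already present for every connection (a representative misconfiguration assumed here, for instance from an over-broad tcpserver rule), authentication becomes irrelevant and the server relays for anyone. The domain names and addresses are constructed.

```python
def rcpt_allowed(rcpt, local_domains, env, authenticated):
    """Model of qmail-smtpd's relay decision for one RCPT TO.

    local_domains: domains this server accepts mail for (the rcpthosts list).
    env:           the environment qmail-smtpd was started with.
    authenticated: whether qmail-smtpd-auth has seen a successful AUTH, which
                   it implements by setting RELAYCLIENT for the session.
    """
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in local_domains:
        return True  # local delivery is never 'relaying'
    session_env = dict(env)
    if authenticated:
        session_env["RELAYCLIENT"] = ""  # what the auth patch does on success
    return "RELAYCLIENT" in session_env


def relay_probe(env, authenticated=False,
                local_domains=frozenset({"example.com"}),
                probe_rcpt="someone@example.net"):
    """Does this configuration relay to a non-local domain for this client?
    A True result for an unauthenticated client means 'open relay'."""
    return rcpt_allowed(probe_rcpt, local_domains, env, authenticated)


def describe(env):
    """Summarise relay behaviour for anonymous vs. authenticated clients."""
    anon = relay_probe(env)
    authed = relay_probe(env, authenticated=True)
    if anon:
        return "OPEN RELAY: unauthenticated clients may relay"
    if authed:
        return "ok: relaying only after successful AUTH"
    return "no relaying at all (AUTH users cannot send outbound)"


if __name__ == "__main__":
    # Constructed environments: a correct start-up and a misconfigured one
    # where RELAYCLIENT is already exported for every incoming connection.
    print(describe({}))
    print(describe({"RELAYCLIENT": ""}))
```

The check is deliberately about the environment and not about the wire: the same model answers whether a per-IP tcpserver rule or an unconditional export is what made the server open, which is the double-check the paragraph above recommends.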

Archived Bugtraq list message (329142) - securityfocus.com

Archived Bugtraq list message (329293) - securityfocus.com

Archived Bugtraq list messages (329284) - securityfocus.com
