IDGNet Virus & Security Watch Monday 24 March 2003

This issue's topics:

Introduction:

* Ganda at war photos; critical patches for all Windows OSes, OpenSSL & XDR libraries

Virus News:

* Expect Iraqi war-themed malware...

Security News:

* Patch for critical buffer overflow in Windows 2000 triggered by WebDAV

* Fix for script engine vulnerability for all Windows versions

* ISA Server 2000 DNS intrusion filter update

* Further RSA key timing attacks prompt OpenSSL patches

* Flaw in RPC XDR libraries allowing remote exploits patched

* Unix/Linux file utility updated

* McAfee ePolicy Orchestrator format string patch


There were no big computer virus stories last week, but one small item may be a precursor for things to come. An e-mail worm named Ganda uses, among other topics, items relating to the Iraqi war in an attempt to catch the attention of readers of its virus-bearing messages.

On the security front, though, it was far from quiet. A critical-severity vulnerability in Windows 2000 that has already been used to deface US military websites was announced, along with its patch. Windows ISA Server admins also have a less critical update to consider, and administrators of Windows 98, 98SE, ME, NT 4.0, 2000 and XP machines have a critical vulnerability in the Windows JScript engine to patch.

Linux and Unix administrators may not have a quiet few days ahead of them either, with more OpenSSL updates to close two new timing attacks (and all the flow-on rebuilding of dependent software that entails) and multiple products affected by an exploitable overflow in the RPC XDR libraries. For some such administrators the recent file(1) update may be considered critical too.

Finally, sites using McAfee and NAI ePolicy Orchestrator may wish to obtain and deploy the update described in our final item.

Virus News:

* Expect Iraqi war-themed malware...

Celebrities and high-profile current events tend to be the basis of the social engineering employed by malware writers, presumably because they believe people are more curious about such topics and more likely to drop their guard to learn of some new development. Given that the Iraqi war has now started, and the political turmoil surrounding it, it seems a fair bet that some mass-mailing worms, and quite possibly other malware, will try to exploit the perceived heightened interest in the Iraqi situation and the characters involved.

In fact, this is more than a safe bet - on Monday last week Win32/Ganda was distributed. As well as drawing on Nazi hatred politics, some of the messages generated by this self-mailing worm include Iraqi war themes, such as promising spy-satellite pictures of Iraq, various US patriotism themes and questions about the motivations of US involvement in the war.

Experience with events of similar significance suggests that this is unlikely to be the only malware to exploit such themes in its social engineering.

Computer Associates Virus Information Center - Win32/Ganda

F-Secure Security Information Center - Win32/Ganda

Kaspersky Lab Virus Encyclopedia - Win32/Ganda

Network Associates Virus Information Library - Win32/Ganda

Sophos Virus Info - Win32/Ganda

Symantec Security Response - Win32/Ganda

Trend Micro Virus Information Center - Win32/Ganda

Security News:

* Patch for critical buffer overflow in Windows 2000 triggered by WebDAV

Administrators of IIS 5.0 on Windows 2000 machines up to and including SP3 should take immediate action, either to apply the IIS 5.0 security patch Microsoft released earlier last week or to put mitigating measures in place if certain IIS safeguards are not already in effect. A core OS component, ntdll.dll, has a buffer overflow flaw that can be remotely exploited via WebDAV (Web Distributed Authoring and Versioning) requests to IIS 5.0.

According to two third-party security services companies, this flaw was exploited in attacks against US military web servers about two weeks ago. Microsoft has only confirmed that a large customer brought the problem to its attention at that time. Because there was no evidence of the attack being used more widely or having been deployed in a network worm, Microsoft says it took the time to properly test its hotfix before announcing the flaw and shipping the patch. Unfortunately, that testing was perhaps not as thorough as Microsoft would have us believe: the security bulletin has since been revised to point out that the patch is incompatible with certain SP2 configurations running specially patched ntoskrnl.exe builds supplied by Product Support Services (PSS) to resolve other OS bugs. If your Windows 2000 machines are running SP2 and you have installed PSS-supplied patches, pay special attention to the 'Caveats' section of the security bulletin.

Note that although the only known attack vector is currently a remote exploit via IIS, the fact that the flaw is in a core OS component means that all Windows 2000 machines should be considered vulnerable. However, in prioritizing patching large Windows 2000 installations, machines with Internet-accessible IIS 5.0 installations with WebDAV enabled should be patched first, or at least as quickly as possible depending on the local requirements regarding pre-rollout testing.

As commonly happens in such cases, there is much interest in the underground hacker community in learning more about this vulnerability. With many likely target machines, the obvious implication is that some of these folk wish to exploit this flaw to perpetrate mischief against these machines, or worse, to co-opt them into bot-nets for warez distribution and/or as DDoS agents for use in large-scale network attacks against other targets.

Other than patching, note that servers protected with URLScan (part of the IIS Lockdown Tool) are effectively immune from attack because URLScan blocks 'overly long' URLs: the overflow is widely held to require a request URL of approximately 50,000 bytes, far above URLScan's default MaxUrl limit of 16 KB. There is also a registry setting (MaxClientRequestBuffer) that 'safely' limits the size of the buffer IIS uses for URL processing, and WebDAV can be disabled if it is not needed on your servers. Information on these options is provided in the security bulletin.

Aside from the usual link to the Microsoft security bulletin covering this issue and the relevant patch, we have included a link to the NTBugtraq FAQ on this issue. This FAQ collects a diverse bunch of 'roll-your-own' tools contributed by system administrators who have faced the problems of finding all (potentially) vulnerable machines on their networks, automating the installation of the various workarounds and so on, and should be a valuable resource for others facing the same issues.
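In the spirit of the FAQ's roll-your-own tools, the following is an added example (not code from Microsoft or the NTBugtraq FAQ) that scans IIS 5.0 W3C extended log lines for the two things an administrator would want to see after this announcement: WebDAV verbs reaching servers that should not be serving WebDAV, and request URLs long enough to be attempts at this overflow. The log lines are constructed, and the 16384-byte threshold is an assumption mirroring URLScan's default MaxUrl; adjust it to your own urlscan.ini.

```python
"""Scan IIS 5.0 W3C extended log lines for WebDAV verbs and overly long URLs.

Added example; not Microsoft or NTBugtraq FAQ code. Sample log lines below are
constructed. The threshold mirrors URLScan's default MaxUrl (an assumption).
"""
from dataclasses import dataclass

# Verbs that only make sense when WebDAV is enabled on IIS 5.0.
WEBDAV_VERBS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                "LOCK", "UNLOCK", "SEARCH"}
DEFAULT_MAX_URL = 16384  # URLScan default MaxUrl (assumption; check your config)


@dataclass
class Hit:
    line_no: int
    client: str
    method: str
    url_len: int
    reason: str


def parse_w3c(lines):
    """Yield (line_no, record) for each data line, honouring the #Fields directive.

    W3C extended format lets each log file declare its own field order, so the
    names come from the most recent #Fields header rather than being hard-coded.
    """
    fields = None
    for n, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # damaged or truncated record: skip rather than guess
        yield n, dict(zip(fields, values))


def scan_iis_log(lines, max_url=DEFAULT_MAX_URL):
    """Return a Hit for every record using a WebDAV verb or exceeding max_url."""
    hits = []
    for n, rec in parse_w3c(lines):
        method = rec.get("cs-method", "-").upper()
        stem = rec.get("cs-uri-stem", "-")
        query = rec.get("cs-uri-query", "-")
        # Count the '?' separator only when a query string is actually present.
        url_len = len(stem) + (0 if query == "-" else len(query) + 1)
        reasons = []
        if method in WEBDAV_VERBS:
            reasons.append("webdav-verb")
        if url_len > max_url:
            reasons.append("long-url")
        if reasons:
            hits.append(Hit(n, rec.get("c-ip", "-"), method, url_len,
                            ",".join(reasons)))
    return hits


# Constructed sample log: one benign PROPFIND and one oversized SEARCH request.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-03-18 10:00:01 10.0.0.5 GET /default.htm - 200",
    "2003-03-18 10:00:02 10.0.0.9 PROPFIND /docs/ - 207",
    "2003-03-18 10:00:03 192.0.2.7 SEARCH /" + "A" * 60000 + " - 500",
    "2003-03-18 10:00:04 10.0.0.5 GET /images/logo.gif - 304",
]

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} {hit.method} "
              f"len={hit.url_len} ({hit.reason})")
```

One caveat when running this over real logs: IIS writes a log record after a request completes, so a request that crashes the web service may never be logged at all. An empty result therefore means 'no logged attempts', not 'no attempts'; treat the scan as a triage aid alongside patching, not as proof of exposure or its absence.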

NTDLL Attack FAQ -

Microsoft Security Bulletin MS03-007

* Fix for script engine vulnerability for all Windows versions

An integer overflow flaw in the Microsoft JScript engine has been fixed. If exploited, this overflow could be used to execute arbitrary code of the attacker's choice in the security context of the user viewing the affected HTML. Aside from the patch, which should be installed as soon as practicable, Microsoft has provided several workarounds that can entirely mitigate one's exposure to the vulnerability (albeit at the cost of some functionality); these are also described in the security bulletin.

Microsoft rightly rates this a critical vulnerability and it affects all OSes still on support. That is, all OSes from Windows 98 and NT 4.0 through Windows XP inclusive are affected and need to be patched. It is a safe bet that this also affects Windows 95 if Internet Explorer 4.0 (or later) has been installed, but Microsoft no longer supports that OS.

A few more technical details of the vulnerability are available in the iDefense security advisory describing the problem.

Heap Overflow in Windows Script Engine -

Microsoft Security Bulletin MS03-008

* ISA Server 2000 DNS intrusion filter update

Microsoft Internet Security and Acceleration (ISA) Server 2000 includes a DNS intrusion detection filter. A flaw in this filter's handling of a specific form of DNS request means the filter can be made to stop forwarding all incoming requests to the DNS server it is 'protecting'. Restarting the ISA Server restores service but the ISA Server could be 'stopped' again on receipt of another such DNS request. Other protocols processed by the ISA Server are not affected by this problem - it is purely a denial of service against DNS services.

As this filter is not enabled by default and the effect of exploitation of the vulnerability is an external DNS DoS, Microsoft has rated the vulnerability as 'moderate' severity. Administrators of ISA Servers running the DNS intrusion detection filter may consider it slightly more urgent.

Microsoft Security Bulletin MS03-009

* Further RSA key timing attacks prompt OpenSSL patches

Two more side-channel attacks against RSA private-key operations have prompted the OpenSSL Project to publish patches to the current versions of OpenSSL: a remote timing attack that recovers the private key from response-time measurements, and the Klima-Pokorny-Rosa attack, a variant of Bleichenbacher's attack on PKCS #1 v1.5 padding that uses the SSL/TLS premaster-secret version check as its oracle. The fixes enable RSA blinding by default and remove the distinguishable error path. After applying these patches, rebuilding and installing a patched OpenSSL, administrators of affected systems should rebuild everything that links OpenSSL statically and restart everything that links it dynamically, so that no process keeps the old code in memory. This is quite a list of software and, perhaps most notably, includes most Apache configurations. Popular Linux distributions are shipping updated packages of affected software.
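The two countermeasures are small enough to show in working code. The following is an added example, not OpenSSL's own code: a toy RSA key (the two primes are an assumption chosen for size, not a real key) with a plain and a blinded private-key operation, and a PKCS #1 v1.5 premaster-secret check in its oracle-leaking and hardened forms. The 64-byte block size and the 48-byte premaster with a two-byte version prefix model the TLS RSA key exchange; the blocks are constructed inline.

```python
"""RSA blinding and oracle-free premaster handling.

Added example for this newsletter; not OpenSSL code. The toy primes, the
64-byte PKCS#1 block and the sample premasters are constructed assumptions.
"""
import secrets
from math import gcd

# Toy RSA key. Real deployments use 1024-bit or larger primes (assumption: these
# two small primes are chosen only so the arithmetic stays readable).
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def rsa_private(c: int) -> int:
    """Plain c^d mod n. Its running time depends on c, which is what a remote
    timing attack measures across many attacker-chosen ciphertexts."""
    return pow(c, D, N)


def rsa_private_blinded(c: int) -> int:
    """Same result, but the exponentiation operates on c * r^e for a fresh random
    r, so the attacker-chosen value never reaches the timing-dependent step."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (c * pow(r, E, N)) % N
    return (pow(blinded, D, N) * pow(r, -1, N)) % N


PREMASTER_LEN = 48


def pkcs1_v15_unpad(em: bytes):
    """PKCS#1 v1.5 type-2 decoding: 00 02 <at least 8 nonzero bytes> 00 <payload>.
    Returns the payload, or None when the structure is wrong."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:  # fewer than 8 padding bytes, or no separator at all
        return None
    return em[sep + 1:]


def premaster_oracle(em: bytes, client_version: bytes):
    """Vulnerable behaviour: bad padding and bad version fail differently.
    Returns (premaster, error); the distinguishable error is the oracle."""
    pms = pkcs1_v15_unpad(em)
    if pms is None or len(pms) != PREMASTER_LEN:
        return None, "bad_padding"
    if pms[:2] != client_version:
        return None, "bad_version"
    return pms, None


def premaster_hardened(em: bytes, client_version: bytes) -> bytes:
    """Fixed behaviour: any failure silently substitutes a random premaster, so
    the handshake continues and fails later in a way the attacker cannot tell
    apart from any other failure."""
    pms = pkcs1_v15_unpad(em)
    if pms is None or len(pms) != PREMASTER_LEN or pms[:2] != client_version:
        pms = secrets.token_bytes(PREMASTER_LEN)
    return pms


def make_block(premaster: bytes, k: int = 64) -> bytes:
    """Constructed PKCS#1 v1.5 encoding for a k-byte modulus (k=64 is a toy size)."""
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - 3 - len(premaster)))
    return b"\x00\x02" + ps + b"\x00" + premaster


if __name__ == "__main__":
    m = 123456789
    c = pow(m, E, N)
    print("plain:", rsa_private(c) == m, "blinded:", rsa_private_blinded(c) == m)
    good = make_block(b"\x03\x01" + b"\x42" * 46)
    bad_version = make_block(b"\x03\x00" + b"\x42" * 46)
    print("oracle:", premaster_oracle(good, b"\x03\x01")[1],
          premaster_oracle(bad_version, b"\x03\x01")[1])
```

Blinding costs one modular inversion and two extra multiplications per private-key operation, which is why it was optional before this patch; the hardened premaster check costs nothing. Note that the substituted premaster is random in full, so the version bytes are no longer checked at all in the failure path; the handshake still fails, at the Finished message, without telling the client which check tripped.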

Timing-based attacks on RSA keys -

Klima-Pokorny-Rosa attack on RSA in SSL/TLS -

* Flaw in RPC XDR libraries allowing remote exploits patched

The 'xdrmem_getbytes' function in Sun's XDR library, and the equivalent in the many other vendors' libraries derived from that code, is vulnerable to an integer overflow in its length check that may enable remote exploitation of machines running services dependent on the affected libraries. Major vulnerable implementations include Sun Microsystems' network services library (libnsl), BSD-derived libraries with XDR/RPC routines (libc), the GNU C library with sunrpc (glibc) and some Kerberos implementations.

The vulnerability was originally discovered in the Sun XDR code by an eEye Digital Security researcher. Because so many other vendors have code that is also affected, the CERT Coordination Center advisory is the best place to get an overview of the likely exposure to this flaw in the systems you are responsible for. Note that precise exposure details vary greatly, as they are dependent on many issues, including platform- and implementation-specific details, but it is probably best to assume that any product noted by its vendor as vulnerable or possibly vulnerable should be treated as a potential remote code execution vulnerability. Such flaws are usually considered as being of critical severity, at least if the affected service is accessible from a public or otherwise 'hostile' network.
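To make the nature of the flaw concrete, here is an added example (not the Sun, BSD or glibc source) that models the xdrmem_getbytes length check before and after the fix. The vulnerable check is modelled on the BSD-derived routine's `if ((xdrs->x_handy -= len) < 0) return FALSE;`, where x_handy is a signed int and len an unsigned int; because Python integers do not wrap, the 32-bit arithmetic is emulated explicitly. The XDR string encodings fed to it are constructed.

```python
"""Model of the xdrmem_getbytes() length check, vulnerable and fixed.

Added example; not Sun, BSD or glibc code. Emulates C's 32-bit int/u_int
arithmetic so the signed-wrap failure is visible. Sample blobs are constructed.
"""
import struct

MASK32 = 0xFFFFFFFF


def to_int32(v: int) -> int:
    """Reinterpret an integer as a 32-bit two's-complement int, as C would."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


class XdrMem:
    """Minimal stand-in for the XDR memory stream: a buffer plus x_handy, the
    count of bytes the C struct believes remain."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0
        self.x_handy = len(data)

    def getbytes_vulnerable(self, length: int) -> bool:
        """x_handy -= len with len as u_int: the subtraction wraps, so a huge
        length leaves x_handy positive and the check passes. In C, bcopy()
        would then copy `length` bytes past the end of the buffer."""
        new_handy = to_int32(self.x_handy - length)
        if new_handy < 0:
            return False
        self.x_handy = new_handy
        self.pos += length
        return True

    def getbytes_fixed(self, length: int) -> bool:
        """Compare before subtracting, as unsigned values: no wrap is possible."""
        if length > self.x_handy:
            return False
        self.x_handy -= length
        self.pos += length
        return True


def decode_xdr_string(blob: bytes, fixed: bool):
    """Decode one XDR string (big-endian u32 length, then bytes) using either
    check. Returns (accepted, declared_length)."""
    xdr = XdrMem(blob)
    check = xdr.getbytes_fixed if fixed else xdr.getbytes_vulnerable
    if len(blob) < 4 or not check(4):
        return False, None
    length = struct.unpack(">I", blob[:4])[0]
    return check(length), length


# Constructed inputs: a well-formed 5-byte string, and a 16-byte blob whose
# declared length wraps the signed check (0xFFFFFFF8 is -8 as a 32-bit int).
GOOD = struct.pack(">I", 5) + b"hello" + b"\x00" * 3
EVIL = struct.pack(">I", 0xFFFFFFF8) + b"A" * 12

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("evil", EVIL)):
        print(name, "vulnerable:", decode_xdr_string(blob, fixed=False),
              "fixed:", decode_xdr_string(blob, fixed=True))
```

The point to take from the model is that the flawed check is not a missing check: it is a check written as a signed subtraction on a value an attacker supplies as unsigned. Any bounds test of the form `remaining -= requested; if (remaining < 0)` has the same weakness, which is why so many independently maintained copies of this code inherited it.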

XDR Integer Overflow -

CERT Advisory CA-2003-10 Integer overflow in Sun RPC XDR library routines

* Unix/Linux file utility updated

A buffer overflow vulnerability in the ELF executable format handler of the file utility has been fixed. Although the announcement of this vulnerability was ridiculed by some, several e-mail content scanning systems depend (partly) on the file utility for determining message attachment types and thus guiding policy decisions. In such applications, file often runs with somewhat heightened privileges - not because it needs to but because the whole e-mail scanning and policy enforcement system runs with raised privileges. The overflow is exploitable and gives an attacker's code the privileges of the user running the file utility.

Most popular Linux and Unix distributions include file, and update packages for most of these are already available. Alternatively, the patch diffs or the whole source can be downloaded from the maintainer's freeware page and a new version compiled and installed.

'file' source distribution -

Locally Exploitable Buffer Overflow in file(1) -

* McAfee ePolicy Orchestrator format string patch

A format string vulnerability in the processing of network requests in McAfee ePolicy Orchestrator (ePO) has been fixed. If exploited this vulnerability could allow an attacker to anonymously run arbitrary code on the ePO administrative server. Normally the ePO server should not be visible outside of the corporate LAN, significantly reducing the likelihood of exposure to this vulnerability.

Security researchers at @Stake discovered the flaw. According to their security advisory, a patch has not been made publicly available but affected ePO customers can request the patch directly from NAI, the parent company of McAfee.

ePolicy Orchestrator Format String Vulnerability -
