IDGNet Virus & Security Watch Friday 14 March 2003


This issue's topics:

Introduction:

* Notes/Domino, Sun ONE AS, PeopleSoft patches; WLAN security & two worms

Virus News:

* New CodeRed variant

* Deloder worms through port 445 too

Security News:

* Multiple Notes/Domino vulnerabilities patched

* Buffer overflow fixed in Sun ONE (iPlanet) Application Server 6.x module

* CS MAILsweeper misses trivially malformed MIME attachments

* PeopleSoft PeopleTools open to data modification, code execution

* WLAN lessons still not being learnt...

* The business of computer security

Introduction:

Building on last week's comments in the newsletter that attacks on weak Windows file sharing passwords, particularly over SMB on port 445, were apparently on the increase, we saw even more activity on this port in the ensuing week. So much so, in fact, that CERT released an advisory on the dangers of weak passwords on Windows file shares. Much of the last week's activity is being attributed to the Win32/Deloder worm, which is described below. We also saw a new CodeRed variant this week and, although it is based on CodeRed.C, this one may be around for quite a few more years. An IIS configuration tip that may make IIS relatively immune to worms that simply target servers by IP address (as all fast-spreading IIS worms to date have) is included in one of the articles linked from that item.

On the security front, several vulnerabilities in Notes and Domino have been disclosed by security researchers. In aggregate these affect both server and client software, so it will likely be a busy few days for admins of systems running this software. Similarly, vulnerabilities in Sun ONE Application Server and multiple PeopleSoft products require patching. And, although not known to be actively exploited (yet!), a flaw in Clearswift's CS MAILsweeper e-mail content scanner means that e-mail nasties can easily slip past the product's policy enforcement.

We finish this issue with a couple of news stories covering ongoing WLAN configuration slackness and suggesting strategies for the IT department to improve its chances of getting management acceptance of its needs and budgets by adopting a more business-needs focussed approach.

Virus News:

* New CodeRed variant

Although it should be of no direct concern to the readers of this newsletter, a new CodeRed variant has spread rapidly around the Internet since its release, perhaps very early this Wednesday morning. One of the newsletter compiler's machines was the first 'WormCatcher' node to record and report the new variant at 2:20am (NZDT). This variant, known as CodeRed.F, is almost identical to CodeRed.C. In fact, most IDSes, log analysers and similar products capable of detecting or alerting to CodeRed.C will have started reporting CodeRed.C detections on Wednesday, as CodeRed.F only differs from CodeRed.C in two of the worm's 3818 bytes and very few such products are sensitive to the area of code where this difference exists.

What difference can two bytes make?

Quite a deal, as in this case the bytes that are changed are those holding the value the worm tests the current year against. Due to that test and some other date-based tests, CodeRed.C effectively kills itself if the date is 1 October 2001 or later. However, in this new variant, the year value used in these date tests is very large (34,952) so this variant will potentially keep on going and going and going...

However, when first infecting a machine CodeRed.F will, like its forebear, also check whether the month is October or later and if so reboot the new host rather than trying to spread further. Thus there is still a three month window every year when this new variant will not spread to any newly vulnerable machines or re-infect previously infected ones that have been restarted (except for a few that may have radically incorrect dates). Whether this is sufficient time for all remaining infected machines to be restarted is something we will not know until later in the year.

Finally, amongst all the general discussion of this new variant, NT systems administrator Randy Hinders posted a really good tip to NTBugtraq. Hinders suggests that all IIS 4.0, 5.0 and 5.1 servers should enable host headers. This feature requires that incoming requests match one of the hostnames IIS is configured to serve and should prevent the server from processing requests directed at the server's bare IP address. By default, IIS uses a 'blank' host header, meaning that the server will attempt to process any host request, even one directed just to the server's IP address. (Note that this is untested by the newsletter compiler, but no dissenting opinion has been posted to NTBugtraq, which would be expected if the advice was misleading...)
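To show what the host header tip buys you, here is an added example (not from the NTBugtraq post and not IIS code) of the dispatch rule a host-header-only web server applies: a request whose Host header is missing, is a bare IP literal, or names an unconfigured site is refused with 400 before any handler sees the URL. The configured hostnames and the three requests are constructed for the example; the long `/default.ida?` query is represented by a run of `X` rather than any worm's real payload.

```python
import ipaddress

# Hostnames this server is configured to answer for (constructed example values).
CONFIGURED_HOSTS = {"www.example.com", "intranet.example.com"}


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, version, headers).

    Header names are lower-cased; a request without a Host header simply has
    no 'host' key in the returned dict.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def is_ip_literal(host: str) -> bool:
    """True if the Host value is a bare IPv4/IPv6 address, with or without :port."""
    if host.startswith("["):                 # [IPv6]:port form
        candidate = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:               # IPv4:port form
        candidate = host.split(":", 1)[0]
    else:
        candidate = host
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def dispatch(raw: bytes, configured_hosts=CONFIGURED_HOSTS) -> int:
    """Return the status a host-header-only server would send for this request.

    400: no Host header, an IP-literal Host, or an unknown hostname.
    200: the Host names a configured site (port suffix ignored, case-insensitive).
    """
    _, _, _, headers = parse_request(raw)
    host = headers.get("host")
    if host is None or is_ip_literal(host):
        return 400
    name = host.split(":", 1)[0].lower()
    return 200 if name in configured_hosts else 400


# Constructed requests. The first two mimic a scanner that found the server by
# sweeping addresses and therefore has no hostname to put in the Host header.
IP_TARGETED = (b"GET /default.ida?" + b"X" * 64 + b" HTTP/1.0\r\n"
               b"Host: 203.0.113.7\r\n\r\n")
NO_HOST = b"GET /default.ida?XXXX HTTP/1.0\r\n\r\n"
LEGIT = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("ip-targeted", IP_TARGETED), ("no-host", NO_HOST), ("legit", LEGIT)]:
        print(label, dispatch(req))
```

The caveat a practitioner should keep in mind: this only helps against code that addresses servers by IP. A worm or scanner that resolves hostnames (or copies the Host header from DNS or from previously seen traffic) passes the check, so the tip reduces exposure to the address-sweeping worms seen so far rather than fixing the underlying IIS flaw; patching remains the real fix.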

Archived NTBugtraq list message - ntbugtraq.com

WormCatcher homepage - wormwatch.org

Computer Associates Virus Information Center - WinNT.Ali

F-Secure Security Information Center - CodeRed

Network Associates Virus Information Library - W32/CodeRed.f.worm

Sophos Virus Info - CodeRed

Symantec Security Response - CodeRed

Trend Micro Virus Information Center - CodeRed

* Deloder worms through port 445 too

Further to last week's coverage of the apparent upswing in network worms spreading via open and easily guessed Windows Networking shares, particularly on native SMB over TCP/IP (port 445), at least two more such worms have been spotted in the wild. One of these in particular was apparently responsible for a very noticeable increase in port 445 scanning - sufficient to not only get security folk chattering about the likely cause, but to also have the CERT Coordination Center issue an advisory warning Windows 2000 and XP users in particular to take care of basic share security issues.

The worm at the heart of all this is Win32/Deloder, which installs a fairly typical IRC backdoor and bot-net client on its victims. It then sets about scanning the Internet for machines with port 445 open and tries guessing administrator account passwords in repeated attempts to connect to the default administrative IPC$ share. If it succeeds, it copies itself to the remote machine and executes that copy, starting the whole process over. As well as the usual links to the technical descriptions of Deloder, we have included a link to the CERT/CC advisory as it contains much good information on securing network shares under Windows 2000 and XP.
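The two behaviours described above, a horizontal sweep of port 445 across many hosts and repeated connection attempts against one host while passwords are guessed, are both visible in perimeter firewall logs. The following is an added example (not from the CERT advisory or any vendor write-up) of pulling both patterns out of netfilter-style syslog lines; the log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in a netfilter/syslog style; not real captures.
SAMPLE_LOG = """\
Mar 12 02:14:01 fw kernel: IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=3412 DPT=445 SYN
Mar 12 02:14:01 fw kernel: IN=eth0 SRC=198.51.100.23 DST=192.0.2.11 PROTO=TCP SPT=3413 DPT=445 SYN
Mar 12 02:14:02 fw kernel: IN=eth0 SRC=198.51.100.23 DST=192.0.2.12 PROTO=TCP SPT=3414 DPT=445 SYN
Mar 12 02:14:02 fw kernel: IN=eth0 SRC=198.51.100.23 DST=192.0.2.13 PROTO=TCP SPT=3415 DPT=445 SYN
Mar 12 02:14:03 fw kernel: IN=eth0 SRC=198.51.100.23 DST=192.0.2.14 PROTO=TCP SPT=3416 DPT=445 SYN
Mar 12 02:14:05 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51022 DPT=445 SYN
Mar 12 02:14:09 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51023 DPT=445 SYN
Mar 12 02:14:14 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51024 DPT=445 SYN
Mar 12 02:14:11 fw kernel: IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=1099 DPT=80 SYN
Mar 12 02:14:12 fw kernel: IN=eth0 SRC=198.51.100.23 DST=192.0.2.15 PROTO=TCP SPT=3417 DPT=139 SYN
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")

# Native SMB over TCP (445) and the older NetBIOS session service (139).
SMB_PORTS = {445, 139}


def parse_lines(text):
    """Yield (src, dst, dport) for every TCP connection record in the text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dpt"))


def find_share_scanners(text, min_targets=4):
    """Horizontal sweep: sources that touched SMB ports on at least
    min_targets distinct hosts. Returns {src: sorted list of targets}."""
    targets = defaultdict(set)
    for src, dst, dpt in parse_lines(text):
        if dpt in SMB_PORTS:
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


def find_repeat_connectors(text, min_attempts=3):
    """Vertical pattern: (src, dst) pairs with at least min_attempts separate
    connections to port 445, the shape of a password-guessing loop against one
    host's IPC$ share. Returns {(src, dst): attempt count}."""
    counts = defaultdict(int)
    for src, dst, dpt in parse_lines(text):
        if dpt == 445:
            counts[(src, dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_attempts}


if __name__ == "__main__":
    print("sweepers:", find_share_scanners(SAMPLE_LOG))
    print("repeat connectors:", find_repeat_connectors(SAMPLE_LOG))
```

A SYN log only shows that connections were attempted, not whether any password was accepted; to confirm guessing, correlate the flagged source with failed logon entries in the target's Windows Security log, and treat a flagged internal source as a probable infected host rather than a scanner.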

CERT Advisory CA-2003-08 Increased Activity Targeting Windows Shares

Computer Associates Virus Information Center - Win32.Deloder Worm

F-Secure Security Information Center - Deloader

Network Associates Virus Information Library - W32/Deloder.worm

Sophos Virus Info - W32DeloaderA

Symantec Security Response - W32.HLLW.Deloader

Trend Micro Virus Information Center - WORM_DELODER.A

Security News:

* Multiple Notes/Domino vulnerabilities patched

Security researchers at Rapid7 have uncovered several flaws in Lotus Notes and Domino servers and clients and have released three security advisories covering the issues. The first advisory covers a NotesRPC protocol handler in some server products that has been found vulnerable to a buffer overflow which can probably be exploited remotely by an unauthenticated user. According to the second advisory, servers and clients running the Web Retriever may be vulnerable to a buffer overflow that will crash the hosting server or client process. The third advisory points out that an old denial of service vulnerability in the LDAP protocol handler, fixed in Notes/Domino R5.0.7a, was re-introduced into the product during R6.0 development.

The upshot of all these vulnerabilities is that users should update servers and clients to the appropriate current release, R5.0.12 or R6.0.1. All R4.x versions are also vulnerable if they contain support for the affected features, and it seems that updating to a later release is the only solution for those versions. Rapid7 did not test earlier versions.

The Rapid7 advisories contain links to the download locations for the updates.

Rapid7 Advisories R7-0010 - rapid7.com

Rapid7 Advisories R7-0011 - rapid7.com

Rapid7 Advisories R7-0012 - rapid7.com

* Buffer overflow fixed in Sun ONE (iPlanet) Application Server 6.x module

Researchers at @stake have reported a remotely exploitable buffer overflow in the Connector Module provided with the Sun ONE Application Server. Versions 6.0 and 6.5 are affected, but it appears that Sun has, thus far, only produced a patch for Sun ONE Application Server 6.5, available in the SP1 release of that product. The @stake advisory notes that '[q]ueries to the vendor as to the best solution for 6.0 customers were not answered'.

Exploitation of the vulnerability could allow an attacker to take control of an affected web server. Given the seriousness of the possible attacks and the non-availability of a patch for version 6.0, @stake have suggested some workarounds that may suit 6.0 sites. For the technical details, please read the @stake security advisory, linked below.

Sun ONE Application Server Connector Module Overflow - atstake.com

Sun ONE Application Server, Enterprise Edition 6.5 SP1 - sun.com

* CS MAILsweeper misses trivially malformed MIME attachments

Network security firm Corsaire has warned of a weakness in the detection of MIME components in Clearswift's e-mail content scanner, CS MAILsweeper. The problem arises because some end-user client software takes a lax approach, relative to the MIME standards, in what it accepts and handles whereas CS MAILsweeper seems to take a more standards-based approach.

The specific issue Corsaire has uncovered is that simply dropping the 'MIME-Version' header from a MIME container construct means CS MAILsweeper will not 'see' the message component and thus will not process it for policy compliance. This would not actually be a problem if popular client software similarly failed to recognize the message component because of the missing construct header. Unfortunately, some popular products happily handle such 'malformed' messages and thus we have an easy way for unwanted material to slip past CS MAILsweeper.

Note also, that although Corsaire was only looking at CS MAILsweeper, other e-mail content scanning gateway products may be similarly affected. Further, several other forms of trivial MIME 'malformation' should be obvious to anyone familiar with MIME and popular message handling systems.

Clearswift MAILsweeper MIME attachment evasion issue - corsaire.com

* PeopleSoft PeopleTools open to data modification, code execution

Internet Security Systems (ISS) researchers have uncovered a gaping hole in the PeopleTools 'SchedulerTransfer' servlet. It allows unauthenticated users to upload files to the PeopleSoft web server. Unfortunately, its tests to detect and prevent directory traversal attempts in the upload process are insufficient and a malicious person can upload anything to any location on the server accessible with the permissions of the web server.

PeopleTools versions 8.10-8.18, 8.40 and 8.41 are all known to be affected. PeopleTools is included with many PeopleSoft products and, where included, is installed in the default configuration. The ISS security advisory includes a partial list of PeopleSoft products known to include PeopleTools and thus likely to be affected by this issue. The advisory also includes some server configuration workarounds that may be able to alleviate exposure to this problem.
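The advisory does not say how the servlet's traversal checks fall short, so the following is an added, generic illustration (not PeopleTools code and not a description of the actual flaw) of why a partial filter on an upload filename fails and what a sufficient check looks like: normalise the name, reject absolute paths and any remaining `..` component, and then confirm the resolved target still lies under the upload root. The upload root and filenames are constructed for the example.

```python
import posixpath

# Assumed upload directory for the example.
UPLOAD_ROOT = "/srv/uploads"


def weak_check(filename: str) -> bool:
    """Illustrative insufficient filter: rejects only names that start with
    '../'. A name such as 'x/../../etc/passwd' passes, yet still escapes."""
    return not filename.startswith("../")


def safe_target(root: str, filename: str):
    """Return the absolute path the upload may be written to, or None if the
    supplied name would land anywhere outside root."""
    if "\x00" in filename:                      # embedded NUL truncates in C APIs
        return None
    name = filename.replace("\\", "/")          # treat Windows separators as separators
    norm = posixpath.normpath(name)             # collapses 'x/../..' to '..'
    if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
        return None
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, norm))
    if target != root and not target.startswith(root + "/"):
        return None                             # defence in depth: final prefix check
    return target


if __name__ == "__main__":
    for name in ["reports/q1.txt", "../../etc/passwd", "x/../../../etc/passwd",
                 "..\\..\\boot.ini", "/etc/passwd"]:
        print(f"{name!r:32} weak={weak_check(name)!s:5} safe={safe_target(UPLOAD_ROOT, name)}")
```

Two things this model leaves to the caller, both of which matter in a real servlet: percent-decoding must happen before the check (a `%2e%2e/` that is decoded afterwards bypasses it), and on a filesystem with symbolic links the final comparison should be made on `os.path.realpath` of the target, not on the lexical path. Even with a correct check, the upload handler still runs with the web server's permissions, so the upload root should be a directory the server cannot execute from.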

PeopleSoft PeopleTools Remote Command Execution Vulnerability - iss.net

* WLAN lessons still not being learnt...

Aside from showing an increase in adoption of WLAN technology, as indicated by the number of access points detected, RSA Security's latest war-drive through 'downtown London' reveals that a worrying proportion of WLANs are still not being adequately secured. Barely a third of the WLANs located had WEP enabled, which, despite its weaknesses, at least shows the administrator who set it up had the nous to recognize that WLANs in one of the world's major business and financial districts might be an especially attractive target.

Study Exposes WLAN Security Risks - eweek.com

* The business of computer security

Having trouble getting management buy-in to what you and your colleagues in the IT department see as the minimally sufficient expenditure to cover your company's security risks? The Network Magazine article linked below provides a good guide to talking to management in terms it understands so that management sees how security spending affects the bottom line.

Justifying Security Spending - networkmagazine.com
