IDGNet Virus & Security Watch Friday 7 March 2003


This issue's topics:

Introduction:

* sendmail, snort, BIND, Flash Player updates; bots to worms

Virus News:

* Warez/DDoS bots morph into worms

Security News:

* Critical remote buffer overflow in sendmail patched

* Update for remotely exploitable buffer overflow in snort

* BIND update fixes two non-default remotely exploitable overflows

* Macromedia updates Flash Player for unspecified critical security flaw

* Windows 2000 Server 'Security Operations Guide' released

Introduction:

It has been a bad week for security on Unix, Linux and similar OSes. Several major applications commonly run on the large (and not so large) servers that make up the backbone of several core Internet services, and that typically run on these OSes, have been found to have serious security flaws. BIND, sendmail and snort have all been shown to suffer potential remotely exploitable buffer overflows. All three are available for Windows too, and those implementations are equally affected, so it is not just the admins of Unix-like systems who will be busy fixing these.

Further afield in the security realm, desktop administrators for most OSes should be checking that their charges have the latest Macromedia Flash Player updates, and Windows 2000 Server folk may be interested in the 'Security Operations Guide' Microsoft has recently released.

On the virus front it has been a relatively quiet week, with perhaps the most interesting event being the appearance of Randon. This is one of a fairly new breed of malware, combining some form of bot (warez FTP server, DDoS agent, etc.) with self-spreading or 'worm' functionality.

Virus News:

* Warez/DDoS bots morph into worms

Bot networks, usually used for storing and distributing warez and pornography and/or as agents in DDoS networks, waiting for the command to attack some hapless victim, have been with us for a while. Recently however, it seems the folk writing and running such tools have decided to automate the process of finding and compromising further machines to add to their bot-nets, and further, this functionality has been added to the bots themselves.

A few weeks back we reported on the arrest of two men in the UK and one in the US for their involvement in the development, distribution and use of the TK Worm. Whereas the TK Worm used an old IIS vulnerability to initially 'crack' its victim systems, other methods have been employed. For example, over the last few days several network monitors have seen increases in port 445 traffic. This is thought, and in a few cases is known, to reflect activity of similar 'bot-worms' that infiltrate through very weak Windows 2000 and XP administrator account passwords. This is achieved by trying to attach to administrative shares with common administrative user/password combinations (e.g. administrator and admin). If successful, the bot-worms copy themselves to the new host and execute those new copies.

This is not actually new, but there seems to be an increase in such activity at the moment. One such bot-worm is Randon (known to some products as a member of the IRCFlood family). Detection of it has been added to most of the major virus scanners even where their web sites are not yet carrying descriptions. We have also included a link to an independent security consultant's analysis of an earlier bot-worm spread via port 445 and weak passwords.
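The port 445 activity described above has a recognisable network signature from the defender's side: one internal host contacting many distinct peers on TCP/445 in a short time, which is what a bot-worm sweeping for administrative shares looks like, and which normal file-share use (a workstation talking to one or two servers) does not. The following is an added example, not code from the newsletter or from any of the products it mentions; the log format, the sample lines and the threshold are constructed for illustration, and a real deployment would feed it firewall or flow records in whatever format the site's monitors produce.

```python
"""Flag internal hosts fanning out to many TCP/445 peers (worm-like sweep).

Added example; the key=value log format and all sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 sweeps a /24 on port 445 within a few seconds,
# 10.0.0.9 is ordinary file-share traffic to a single server.
SAMPLE_LOG = """\
2003-03-05T10:12:01 src=10.0.0.5 dst=10.0.1.20 dport=445 proto=tcp
2003-03-05T10:12:01 src=10.0.0.5 dst=10.0.1.21 dport=445 proto=tcp
2003-03-05T10:12:02 src=10.0.0.5 dst=10.0.1.22 dport=445 proto=tcp
2003-03-05T10:12:02 src=10.0.0.9 dst=10.0.1.7 dport=445 proto=tcp
2003-03-05T10:12:03 src=10.0.0.5 dst=10.0.1.23 dport=445 proto=tcp
2003-03-05T10:12:03 src=10.0.0.5 dst=10.0.1.24 dport=80 proto=tcp
2003-03-05T10:12:04 src=10.0.0.5 dst=10.0.1.25 dport=445 proto=tcp
2003-03-05T10:12:04 src=10.0.0.9 dst=10.0.1.7 dport=445 proto=tcp
2003-03-05T10:12:05 src=10.0.0.5 dst=10.0.1.26 dport=445 proto=tcp
2003-03-05T10:15:30 src=10.0.0.5 dst=10.0.1.99 dport=445 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "proto": d["proto"],
    }


def find_fanout(log_text, port=445, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak_distinct_dst} for sources that contacted at least
    `threshold` distinct hosts on `port` within any sliding `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == port:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    alerts = {}
    for src, events in by_src.items():
        events.sort()  # chronological; sliding window over (ts, dst) pairs
        peak = 0
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, count in find_fanout(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {count} distinct hosts on tcp/445 within 60s")
```

The distinct-destination count is what separates a sweep from a busy but legitimate client; counting raw connection attempts would also flag a workstation hammering one file server. Tune the window and threshold to the site's normal fan-out before acting on alerts.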

Network Associates Virus Information Library

Kaspersky Lab Virus Encyclopedia

mIRC (port 445) Trojan Analysis - klcconsulting.net

Security News:

* Critical remote buffer overflow in sendmail patched

Administrators of sites running Sendmail are being urged to obtain and install the latest update immediately. All commercial versions of Sendmail (including Sendmail Switch, Sendmail Advanced Message Server, Sendmail for NT and Sendmail Pro), open source versions 5.1 through 8.12.7 inclusive, and probably every other version based on the sendmail open source code are vulnerable to a remotely exploitable buffer overflow. If successfully exploited an attacker's code would run with the privileges of the affected sendmail process - usually root or similarly elevated.

Discovered by a security researcher at Internet Security Solutions (ISS), the flaw is in message header parsing code that has been in sendmail almost forever. Although the ISS advisory describing the vulnerability does not provide sufficient technical details for 'script kiddie' exploitation, it suggests that, somewhat ironically, the flaw is in a security routine.

As the number and range of affected systems, versions and distributions of sendmail is so diverse, the CERT Coordination Center advisory should be a good starting point for many in determining whether an update for their system is available and where to get it. We have also included links to the general information pages, which include links to the relevant download locations, for the open source and Sendmail Inc versions of the software. Most Unix, Linux and similar distributions (and don't forget that now includes Mac OS X!) have already released updated packages.

Finally, note that this vulnerability is not a low-level network protocol problem but is embodied in the text stream of a message. Sites that do not have sendmail MTAs exposed to the Internet, but whose Internet-facing MTAs can forward messages to internal sendmail servers, are therefore effectively as exposed as those with sendmail on their e-mail perimeter, as the unaffected MTAs will pass messages exploiting this vulnerability on to potentially vulnerable servers. Thus _all_ sendmail servers that can receive mail, directly or by relay, from a potentially hostile network must be patched. The 'hacker underground' is seriously interested in obtaining functional exploits of this vulnerability and one has already been posted to a public mailing list.
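Because the exposure extends to every sendmail server an inbound message can reach, the practical task is an inventory of all MTAs, internal relays included, against the affected version range given above (open source 5.1 through 8.12.7 inclusive, fixed in 8.12.8). The following is an added example, not code from the newsletter, CERT or Sendmail Inc: it classifies SMTP greeting banners that an administrator has already collected from their own servers. The banners are constructed, and the hostnames are placeholders.

```python
"""Audit collected sendmail greeting banners against the affected version range.

Added example; banners and hostnames below are constructed. Affected range per
the advisory text: open source 5.1 through 8.12.7 inclusive, fixed in 8.12.8.
"""
import re

BANNER_RE = re.compile(r"\bSendmail (?P<ver>\d+(?:\.\d+){1,2})\b", re.IGNORECASE)

FIRST_AFFECTED = (5, 1)
FIXED_IN = (8, 12, 8)


def parse_version(banner):
    """Return the sendmail version as a tuple of ints from a 220 banner, or None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group("ver").split("."))


def is_affected(version):
    """Tuple comparison is numeric per component, so 8.12.10 sorts after 8.12.8;
    a plain string comparison would wrongly call 8.12.10 vulnerable."""
    return FIRST_AFFECTED <= version < FIXED_IN


def classify(banner):
    version = parse_version(banner)
    if version is None:
        return "unknown"  # not sendmail, or banner does not reveal a version
    return "vulnerable" if is_affected(version) else "patched"


def audit(banners):
    """Map hostname -> classification for a dict of collected banners."""
    return {host: classify(b) for host, b in banners.items()}


# Constructed banners: a perimeter MX, an internal relay that never faces the
# Internet directly, two updated hosts and a non-sendmail MTA.
SAMPLE_BANNERS = {
    "mx1.example.test": "220 mx1.example.test ESMTP Sendmail 8.12.7/8.12.7; Fri, 7 Mar 2003 10:00:00",
    "mail-int.example.test": "220 mail-int.example.test ESMTP Sendmail 8.11.6/8.11.6; Fri, 7 Mar 2003",
    "mx2.example.test": "220 mx2.example.test ESMTP Sendmail 8.12.8/8.12.8; Fri, 7 Mar 2003",
    "mx3.example.test": "220 mx3.example.test ESMTP Sendmail 8.12.10/8.12.10; Fri, 7 Mar 2003",
    "relay.example.test": "220 relay.example.test ESMTP Postfix",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_BANNERS).items():
        print(f"{host:24s} {status}")
```

Treat the banner version as a hint rather than a verdict: vendors who backport the fix into an older package often leave the advertised version unchanged, and a site that rewrites its banner hides the version entirely. Confirm against the package version and the vendor's advisory before marking a host patched.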

Remote Sendmail Header Processing Vulnerability - iss.net

Sendmail 8.12.8 - sendmail.org

Sendmail Security Alert - sendmail.com

CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail

* Update for remotely exploitable buffer overflow in snort

Internet Security Solutions (ISS) also released an advisory this week describing a buffer overflow in the RPC pre-processor of snort, the widely used open source network intrusion detection system (IDS). Exploitation of this overflow does not require an attacker to establish an RPC connection with an RPC portmapper; directing a suitably formed packet sequence at any machine in a snort-monitored network is sufficient.

Since version 1.8, a pre-processor intended to detect IDS evasion via RPC fragmentation techniques has been included in snort. It is enabled by default in that and all subsequent releases. Code run as a result of successful exploitation of the vulnerability in this pre-processor executes with snort's privileges, usually root or local system. Beyond their 'known' installations of snort, administrators should be aware that snort may be employed, without it being obvious, in commercial network security devices they have deployed around their networks.

Snort RPC Preprocessing Vulnerability - iss.net

Snort homepage - snort.org

* BIND update fixes two non-default remotely exploitable overflows

Internet Software Consortium (ISC) 'strongly recommends' that users of BIND 9.x upgrade to the latest 9.2.2 release. At least, that seems to be the situation according to the security page at the BIND website. Inspecting the details shows that the only acknowledged security vulnerabilities fixed between the 9.2.1 and 9.2.2 releases are both in optional libraries not included in the default build. Users may thus elect not to rush into an update if they use a default build, or another configuration that does not use the affected libraries.

The vulnerabilities are both remotely exploitable buffer overflows, with ISC assigning them 'moderate' and 'serious' severity ratings. System administrators running earlier 9.x versions of BIND can decide for themselves from the information on the BIND security page, linked below.

BIND Vulnerabilities - isc.org

* Macromedia updates Flash Player for unspecified critical security flaw

Version 6.0.79.0 of Macromedia Flash Player is now available. In a delightfully vague security advisory from Macromedia, the most detail provided is that this new version 'addresses the potential for future exploits surrounding buffer overflows (read/write) and sandbox integrity within the player which might allow malicious users to gain access to a user's computer'.

Macromedia rates this as being of critical severity, so obtaining and installing the updates should be a priority.

Macromedia security bulletin MPSB03-03

* Windows 2000 Server 'Security Operations Guide' released

Microsoft has released its 'Security Operations Guide' for Windows 2000 Server. The guide approaches securing Windows 2000 Server systems in two phases, 'get secure' and 'stay secure': it starts with determining an acceptable level of risk and works through the steps involved in reaching that level while retaining a functional system, and then the steps involved in maintaining the desired security posture. The guide may be read online or an electronic copy of the entire guide downloaded, and the tools mentioned in the guide but not shipped as standard with Windows 2000 Server are also available for download.

Security Operations Guide for Windows 2000 Server - microsoft.com
