IDGNet Virus & Security Watch Friday 5 July 2002


This issue's topics:

Introduction:

* Apache worm, Windows RAS & web app, JRun, libbind & libc, Squid, sendmail updates

Virus News:

* Apache Scalper no 'code red'...

Security News:

* Severity of MS02-028 increased to 'critical'

* Revised MS02-029 patch for local privilege escalation in Windows RAS

* Multiple Windows web application servers reveal sensitive information

* Macromedia/Allaire JRun administration console authentication bypass

* Exploitable buffer overflow in DNS resolver on many platforms

* Squid web proxy cache updated

* Another sendmail update

* Shifting from IT security to IT survivability perspective

Introduction:

A quiet week on the virus front, with the only vaguely interesting story being the 'discovery' of a worm based on exploits of recent Apache web server vulnerabilities. Despite a brief whiff of media attention, this story deservedly died a quick and fairly quiet death.

The security side of the equation saw several developments though. Microsoft revised its severity rating for the IIS equivalent to the vulnerability attacked by the just-mentioned Apache worm and released a revised patch for the recent RAS privilege escalation bug. Aside from this, several popular Windows web application servers have been found vulnerable to a critical configuration leak that may expose sensitive information.

Further, JRun (for all platforms, not just Windows) was shown to have little effective limitation on use of its web-based administration console. The popular caching web proxy server Squid and mail server sendmail applications also both saw updates fixing security flaws, but perhaps the most widespread security bug of the week is the buffer overflow in common DNS resolver code. This bug is known to be remotely exploitable in several cases and likely to be so in many more.

Finally, we include a link to an interesting three-page article discussing the seven shifts in perspective necessary to move your organization from an information security-focussed to an information survivability-focussed outlook.

Virus News:

* Apache Scalper no 'code red'...

A worm that affects FreeBSD machines running versions of Apache not patched against the chunked encoding vulnerability has been created (and despite media reports suggesting otherwise, was perhaps not released). Modelled on some of the Apache chunked encoding 'proof of concept' exploit code released a couple of weeks back, the worm has been named 'Scalper' and aside from looking for vulnerable Apache machines and spreading to them, the worm has DDoS agent ('zombie') and backdoor code, leaving any machines it should infest well compromised.

The worm's discovery was rather suspiciously announced on a security mailing list with the claim that it had been captured in a honeypot. The 'odd' thing about this was the capturer also posted source code for one of the two variants he supplied despite the worm not copying any source around and compiling it on its new hosts as some worms do. Whether this was some kind of publicity stunt or otherwise, very few other reports of the worm have been heard and none reliably confirmed to the knowledge of your newsletter compiler.

Computer Associates Virus Information Center

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* Severity of MS02-028 increased to 'critical'

Microsoft has increased its severity rating of the recent HTR chunked encoding buffer overflow affecting IIS 4.0 and 5.0 to 'critical'. According to Microsoft this revision 'is in response to a significant change in the threat environment due to an increased focus on chunked encoding vulnerabilities in general, and the discovery of hostile code attempting to exploit similar vulnerabilities on other platforms'. This is clearly a reference to the release of working exploits of the similar chunked encoding buffer overflows in the rival web server Apache. If you use IIS 4.0 and/or 5.0, cannot disable HTR and have not already applied the MS02-028 patch, you really should obtain and install that patch.

Microsoft Security Bulletin MS02-028

* Revised MS02-029 patch for local privilege escalation in Windows RAS

The original patch released to fix a local privilege escalation bug via the Remote Access Service (RAS) phonebook has been replaced. Although the original MS02-029 patch fixed the privilege escalation problem, it could prevent normal-privilege users from establishing some types of VPN connections. The revised patch corrects this problem and can be applied either over the original MS02-029 patch or directly onto machines not already patched for this problem.

Microsoft Security Bulletin MS02-029

* Multiple Windows web application servers reveal sensitive information

The Windows file system behaviour whereby filenames with and without a trailing dot character are (usually) treated as equivalent has already been found to be exploitable in several situations. UK-based security researchers at Westpoint Ltd revealed another such bug this past week with the Windows versions of several web application servers being found to miss that 'WEB-INF' and 'WEB-INF.' are both references to the 'special' web application configuration folder whose contents are supposed to be protected from being served to a browser.

Normally, requests to a web application server that include '/WEB-INF/' in the path should return an error indicating the folder is not accessible or even non-existent. By simply adding a dot character between the end of that folder name and the trailing '/' several common web application servers are tricked into treating the folder as any other browsable folder on the server and the contents of files not intended to be seen by end-users can be served up. Attackers exploiting this flaw would have to know the names of the files they wanted to access, but as there are conventional names commonly used in these web application servers, this may not be much of a challenge.

Products known to be affected by this bug are Sybase EA Server 4.0, Oracle Containers for J2EE (OC4J), Orion 1.5.3, Macromedia/Allaire JRun 3.0, 3.1 & 4 (also see the next item), Hewlett Packard App Server (HPAS) 8.0, Pramati App Server 3.0, and Jo Webserver. Contact details and the availability of fixed versions of these applications are included in the original advisory disclosing the problem, an archived copy of which is linked below.

'WEB-INF' Folder accessible in Multiple Web Application Servers - westpoint.ltd.uk
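The defensive lesson of the item above is that an access-control check on a path must run on the canonical form of that path, not the raw request string, and that existing web logs can be searched for probes of this kind. The following is an added example written for this newsletter summary, not code from Westpoint, Macromedia or any of the affected vendors. It assumes a servlet-style layout where 'WEB-INF' and 'META-INF' are the protected folders, an NCSA combined-style access log, and the function names normalize_path, is_protected and find_probe_attempts, all of which are this example's own choices; the log lines are constructed, not captured.

```python
"""Added example (not from the newsletter or any vendor): canonicalise a request
path so that 'WEB-INF.' is recognised as 'WEB-INF', then scan constructed
access-log lines for requests that reached a protected folder."""
import posixpath
import re
from typing import List, Tuple
from urllib.parse import unquote

# Servlet-convention folders that must never be served to a browser (assumption).
PROTECTED_FOLDERS = {"WEB-INF", "META-INF"}


def normalize_path(raw_path: str) -> str:
    """Canonicalise a request path the way the Windows file system will
    effectively resolve it: drop the query string, percent-decode, collapse
    '.' and '..' segments, strip trailing dots and spaces from every segment
    (the behaviour exploited above), and fold case (Windows is case-insensitive)."""
    path_only = raw_path.split("?", 1)[0]
    decoded = unquote(path_only)
    # One leading slash, then normpath collapses '//', '/./' and '/../'.
    collapsed = posixpath.normpath("/" + decoded.lstrip("/"))
    segments = [seg.rstrip(". ") for seg in collapsed.split("/")]
    return "/".join(segments).upper()


def is_protected(raw_path: str) -> bool:
    """True when any segment of the canonical path names a protected folder,
    so '/shop/WEB-INF./web.xml' is refused exactly like '/shop/WEB-INF/web.xml'."""
    return any(seg in PROTECTED_FOLDERS for seg in normalize_path(raw_path).split("/"))


# Constructed access-log lines in NCSA common format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jul/2002:10:01:02 +1200] "GET /shop/index.jsp HTTP/1.0" 200 1842
10.0.0.9 - - [05/Jul/2002:10:01:07 +1200] "GET /shop/WEB-INF./web.xml HTTP/1.0" 200 2210
10.0.0.9 - - [05/Jul/2002:10:01:09 +1200] "GET /shop/WEB-INF/web.xml HTTP/1.0" 404 311
10.0.0.9 - - [05/Jul/2002:10:01:12 +1200] "GET /shop/%57EB-INF%2e/classes/db.properties HTTP/1.0" 200 512
"""

# client, ident, user, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) ')


def find_probe_attempts(log_text: str) -> List[Tuple[str, str, int]]:
    """Return (client, raw path, status) for every request whose canonical path
    enters a protected folder. A 200 here means the server actually served
    the file; a 404 or 403 means the request was refused as it should be."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        if is_protected(path):
            hits.append((client, path, int(status)))
    return hits


if __name__ == "__main__":
    for client, path, status in find_probe_attempts(SAMPLE_LOG):
        verdict = "LEAKED" if status == 200 else "refused"
        print(f"{client} {path} -> {status} ({verdict})")
```

The point of normalize_path is that the trailing-dot, percent-encoded and mixed-case spellings all collapse to the same canonical string before the folder name is compared, which is the property the affected servers lacked. Run over the constructed log, find_probe_attempts reports three requests that touched WEB-INF, two of which were answered with 200 and would warrant an investigation.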

* Macromedia/Allaire JRun administration console authentication bypass

Westpoint researchers (see previous item) have also discovered that the administration console interface of JRun web application servers can be accessed by any user without requiring the administrative user's login name and password. This is obviously a very serious flaw and is fixed in a new cumulative security update for JRun (which also fixes the vulnerability described in the previous item).

Macromedia JRun Admin Server Authentication Bypass - westpoint.ltd.uk

Macromedia security bulletin MPSB02-06

* Exploitable buffer overflow in DNS resolver on many platforms

A buffer overflow in the network name resolution functions of several very common library implementations has been discovered. Of particular concern is that the very commonly used ISC (libbind) and BSD (libc) libraries are affected. Many applications are linked against these libraries and many OSes (including those embedded in network devices) either include these libraries or functionality of their own derived from the sources of these libraries. As is common with flaws affecting such a range of products, the CERT/CC advisory is a good place to start when tracking which devices, OSes and applications you maintain may be affected. Of special note, however, is that it can be very difficult for anyone other than the developer of applications statically linked against possibly vulnerable libraries to determine which versions, if any, of those applications include the vulnerable code.

CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

* Squid web proxy cache updated

Several security fixes are included in the squid-2.4.STABLE7 release of this popular HTTP proxy server. Some of the security flaws fixed in this release are believed to allow remote arbitrary code execution, and one of the flaws may see the proxy forwarding user authentication data to remote servers under some circumstances. Users should obtain and install this update as soon as practicable.

Security Update Advisory SQUID-2002:3 - squid-cache.org

* Another sendmail update

Aside from some minor functional changes and bug fixes, a buffer overflow vulnerability - described as 'theoretical' in the Sendmail Consortium's release notes - is fixed in the 8.12.5 release of the venerable mail server.

Sendmail 8.12.5 - sendmail.org

* Shifting from IT security to IT survivability perspective

This article from the July 2002 issue of CrossTalk magazine describes seven shifts in organizational perspective necessary to move an organization from an information security-centric perspective to one embracing information survivability. Its authors argue that such a change of focus is required if information technology and business needs are to ensure the continuity of critical services while under attack.

Information Survivability: Required Shifts in Perspective (PDF)
