IDGNet Virus & Security Watch Friday 1 March 2002


This issue's topics:

Introduction:

* IE and MS server updates, Solaris Apache, PHP, Squid and Linux kernel patches & a not so sharp virus

Virus News:

* First C-Sharp virus a blunt instrument?

Security News:

* Correct URL for SQL Server 7.0/2000 buffer overflow patch

* Patch for local file access in Microsoft XML Core Services

* Another critical security patch for Internet Explorer

* Patch for critical Microsoft Commerce Server 2000 hole

* Unauthorized SMTP relaying on Windows 2000 & Exchange 5.5 fixed

* SMTP denial of service flaw fixed for Windows/Exchange 2000, XP Pro

* Gator susceptible to arbitrary code execution

* Update fixes remote exploits of PHP

* Squid patches fix several security issues

* Linux kernel patch fixes netfilter hole

* Solaris-specific patch for Apache 1.3.23

* Jail, restitution for employee's computer 'revenge'

Introduction:

A very busy week this...

Microsoft shops have a handful with another critical IE security patch and having to locate machines running recent versions of Microsoft XML Core services and patch all them too. Then there are the server patches covering several serious holes in various Microsoft SMTP e-mail server components. If any of your users have installed the Gator web browser plugin, you need to track them down too and remove it or update it to a version that will not install any old thing from anywhere without so much as a 'by your leave...'.

Linux and Solaris administrators do not get off easily either, with kernel patches/updates for the former and an apparently urgent (for unspecified reasons) Apache patch for the latter. And, although available and used with various Windows web servers, the PHP server side scripting language is probably most at home on Apache web sites, which means an awful lot of Unix and Linux administrators will be among those applying PHP upgrades to fix some serious security flaws in the current and many older versions.

But first, on the otherwise rather quiet virus front, we have a quite dull and uninspired virus. Its only claim to fame (and it's a small claim at that!) is it was the first written in Microsoft's 'new' C# (C-Sharp) language - part of the .NET paraphernalia...

Virus News:

* First C-Sharp virus a blunt instrument?

Variously named Sharpei, Harp and Blunt, a new virus claims to be the first written in Microsoft's C# (C-Sharp) programming language. Because of this language choice, part of Win32/Sharpei only works on machines with the .NET framework installed. However, Sharpei has three component parts, each written in different languages. The aim appears to be to greatly improve its likelihood of 'successfully' spreading, as few machines currently have the .NET Framework installed.

Sharpei's basic idea is that a standard Windows PE-style EXE is mass mailed from victim machines, regardless of whether they have the .NET Framework installed or not. This is achieved through the rather crude expedient of the PE EXE writing a simple VBS mass mailing routine and running it, with the VBS code sending out a copy of the executable. Further, on those occasional victim machines that do support .NET, the virus' parasitic infection mode (the only part written in C#) is activated. This is also achieved by dropping a separate file, carried inside the PE EXE and executing it.

When run, this program finds _any_ files with .EXE extensions in selected directories, not just .NET programs. It infects them by prepending a copy of the virus' code to the existing program file. When such programs are run, the virus' code gets control and detects it is running from a parasitic infection, rather than 'standalone' and it detaches a copy of the original program from after its own code in the infected file and executes that so things appear (more or less) normal. Sharpei has not been reported in the field and seems unlikely to be although its e-mail messages claim that the attached EXE is an important Microsoft security patch that also greatly improves machine speed.
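
As an added illustration (not part of the original newsletter, and not code from any anti-virus vendor), here is a simple scanner for the file layout Sharpei is described as producing: the virus' own PE image sits first, and the original host program survives, complete, further down the file. The check walks an executable for every 'MZ' header whose e_lfanew field lands on a valid 'PE\0\0' signature after the one at offset zero. The sample bytes are constructed for the example rather than taken from the virus, and the heuristic will also flag legitimate self-extractors and installers that carry embedded executables, so treat a hit as a reason to look closer, not as a conviction.

```python
import struct
from typing import List, Optional


def pe_signature_offset(data: bytes, base: int) -> Optional[int]:
    """If an MZ header at `base` has an e_lfanew pointing at 'PE\\0\\0', return that offset."""
    if data[base:base + 2] != b"MZ" or len(data) < base + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew >= 0x40 and pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
        return pe
    return None


def embedded_pe_offsets(data: bytes) -> List[int]:
    """Offsets of complete PE images that follow the one at offset 0 (empty for a plain EXE).
    A prepending infector leaves the original host program behind as such an embedded image."""
    if pe_signature_offset(data, 0) is None:
        return []                      # not a PE file at all; nothing to say
    found = []
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if pe_signature_offset(data, pos) is not None:
            found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def looks_prepended(data: bytes) -> bool:
    """Heuristic verdict: True when at least one further PE image is embedded."""
    return bool(embedded_pe_offsets(data))


def constructed_pe(total_size: int, tag: bytes) -> bytes:
    """Build a PE-shaped blob for testing: MZ header, e_lfanew=0x40, 'PE\\0\\0', then padding.
    It is not a runnable program; it only has the header layout the scanner keys on."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + tag.ljust(total_size - 0x44, b"\0")


# Constructed samples: a clean host, and the same host with a 1 KiB stand-in "virus stub" prepended.
CLEAN_HOST = constructed_pe(512, b"ORIGINAL-HOST-PROGRAM")
INFECTED_HOST = constructed_pe(1024, b"PREPENDED-STUB") + CLEAN_HOST

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(name, embedded_pe_offsets(blob))
```

Run it on a directory of real executables and you will see why this is only a triage aid: the same layout is used by legitimate packagers, so the offset list is a prompt to inspect what the embedded image is, where the file came from and whether its hash matches the vendor's.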

Computer Associates Virus Information Center

F-Secure Security Information Center

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* Correct URL for SQL Server 7.0/2000 buffer overflow patch

Last week we included the wrong URL for the security bulletin linking to the patches that fix several remotely exploitable buffer overflows in SQL Server v7.0 and 2000. The correct URL is:

Microsoft Security Bulletin MS02-007

* Patch for local file access in Microsoft XML Core Services

An ActiveX control shipped with Microsoft XML Core Services (MSXML) incorrectly applies security zone settings. As a result, a remote web page can read and retrieve local files it should not be able to access. Microsoft says the XMLHTTP ActiveX control included in versions 2.6, 3.0 and 4.0 of MSXML is vulnerable to this flaw, but that the versions in MSXML v2.0 and v2.5 are not vulnerable. MSXML versions prior to 2.0 were not tested. Microsoft rates the severity of this flaw as moderate on servers and critical on client workstations.

Deciding whether this affects your organization and, if so, precisely which machines, may be quite an effort. Microsoft says that affected versions of MSXML have shipped with, and install by default as part of, Windows XP, SQL Server 2000 and Internet Explorer 6.0. Aside from that, MSXML can be installed separately and may be installed by other Microsoft (or possibly third-party) software. If a machine has any of the files MSXML2.DLL, MSXML3.DLL or MSXML4.DLL in the System32 subdirectory of the Windows installation directory, it needs patching regardless of whether any of the just mentioned products are present. The file MSXML.DLL is from an earlier version of MSXML and, if it is the only MSXML-related DLL on the machine, does not require patching.

Microsoft Security Bulletin MS02-008

* Another critical security patch for Internet Explorer

Not convinced to disable scripting and ActiveX in all IE security zones yet? Well, get out your patching tools, because you have another Internet Explorer scripting patch to apply. The technical details are too gory to bother with, but as Microsoft has rated this bug as critical severity for workstations, you can ignore the details or at least catch up on them _after_ you have the patch installed on all your machines. In short, this is yet another cross-domain security flaw involving scripting and opening material from different domains in different frames but IE incorrectly determining that the frames are in the same domain. With IE thus fooled, this vulnerability allows a remote server to read files from the local machine. This has a similar effect to, but different cause from, that described above for MS02-008.

Note that the root cause of this problem is clearly not fixed by this patch, which only implements proper security domain verification for VBScript. The security bulletin admits that third-party scripting languages (Perl, Python, etc) may also be affected and that an 'architectural change is being made in a future service pack of IE that will ensure that this cannot be an issue for third-party scripting languages'. Again, as with the recent IE security roll-up package, only IE versions 5.01 SP2, 5.5 and 6.0 are supported with patches (with the IE 5.01 SP2 patch only being available for Windows 2000 machines). According to the security bulletin, this patch requires a reboot.

Microsoft Security Bulletin MS02-009

* Patch for critical Microsoft Commerce Server 2000 hole

A buffer overflow in the AuthFilter ISAPI extension, installed and enabled by default in Commerce Server 2000, has been patched. Microsoft rates this vulnerability as critical on Internet and intranet servers (obviously, it is not applicable to client systems). This vulnerability can be remotely exploited to execute arbitrary code, which would run in the security context of the operating system. Alternatively, the overflow could be used to implement a denial of service by injecting 'garbage' into memory and running it, probably crashing the service or making it unstable. Commerce Server restarts under such conditions, but any incomplete processes at the time would be lost.

Although Commerce Server is based on IIS, the AuthFilter ISAPI only ships with Commerce Server 2000, so this vulnerability does not apply to IIS machines. According to the security bulletin, this patch requires a reboot.

Microsoft Security Bulletin MS02-010

* Unauthorized SMTP relaying on Windows 2000 & Exchange 5.5 fixed

Although Microsoft rates this vulnerability as low, it is considerably more urgent to fix should you have an affected server exposed to a 'hostile' network (such as the Internet). The Microsoft SMTP service supplied with all versions of Windows 2000 server, and the Internet Mail Connector (IMC) for Microsoft Exchange Server 5.5 both suffer from an authentication error that can allow unauthorized e-mail relaying via the affected servers. Open SMTP relays are the meat and potatoes of most spamming operations, and unwittingly running such a relay that is found by a spammer can quickly lead a site into e-mail purgatory (otherwise known as RBL, ORBS, etc), significantly reducing the site's ability to send legitimate e-mail to others (many sites block e-mail from 'spam friendly' sites, such as those listed by RBL, ORBS, etc). This flaw does not quite make susceptible machines open relays - to abuse this flaw, an 'attacker' has to first be able to authenticate as a known user to the affected server.

The affected SMTP service is installed and enabled by default in Windows 2000 Server installations (although best practice guidelines suggest unused/unneeded services should not be installed). Exchange 2000 and the NT 4.0 SMTP service are not vulnerable to this flaw; other, earlier, versions are no longer supported so were not tested. According to the security bulletin, this patch requires a reboot.
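
Whatever the vendor's severity rating, the practical question for an administrator is 'will my server relay for someone it should not?', and that is answered by talking SMTP to it. Below is an added example (not from the original newsletter, and not Microsoft's code or a model of the bulletin's actual defect, which it describes only as an authentication error) of the classic relay probe, run against an in-process stand-in server so it works offline. The stand-in, its accounts and the 'any account that can authenticate may relay' rule used for the buggy variant are all constructed for the example. The probe itself is what you would point at a real server: outside sender, outside recipient, and see whether RCPT TO gets a 250.

```python
import base64
from typing import Callable, Dict, Iterable, Optional, Tuple


class StubSmtpServer:
    """In-process stand-in for an SMTP server (constructed for this example; it is not the
    Windows 2000 SMTP service or the Exchange 5.5 IMC). `relay_rule(user)` says whether an
    authenticated session may relay to a non-local domain; unauthenticated sessions never may."""

    def __init__(self, local_domains: Iterable[str], accounts: Dict[str, str],
                 relay_rule: Callable[[str], bool]) -> None:
        self.local_domains = {d.lower() for d in local_domains}
        self.accounts = dict(accounts)
        self.relay_rule = relay_rule
        self.reset()

    def reset(self) -> None:
        self.user: Optional[str] = None

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.test Hello"
        if verb == "AUTH":                        # AUTH PLAIN carries base64("\0user\0password")
            mech, _, blob = arg.partition(" ")
            if mech.upper() != "PLAIN":
                return "504 Unrecognized authentication type"
            try:
                _, user, password = base64.b64decode(blob).decode().split("\0")
            except ValueError:
                return "501 Malformed AUTH PLAIN response"
            if self.accounts.get(user) == password:
                self.user = user
                return "235 Authentication successful"
            return "535 Authentication failed"
        if verb == "MAIL":
            return "250 Sender OK"
        if verb == "RCPT":                        # the relay decision is made here
            domain = arg.rsplit("@", 1)[-1].rstrip(">").lower()
            if domain in self.local_domains:
                return "250 Recipient OK"
            if self.user is not None and self.relay_rule(self.user):
                return "250 Recipient OK"
            return "550 5.7.1 Unable to relay"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"


def relay_probe(server: StubSmtpServer, credentials: Optional[Tuple[str, str]] = None) -> bool:
    """The standard relay probe: outside sender to outside recipient. True means the server
    would relay, i.e. it accepted RCPT TO for a domain it is not responsible for. Returns False
    as well when the optional authentication step is refused."""
    server.reset()
    server.handle("EHLO probe.example.test")
    if credentials is not None:
        blob = base64.b64encode(("\0%s\0%s" % credentials).encode()).decode()
        if not server.handle("AUTH PLAIN " + blob).startswith("235"):
            return False
    server.handle("MAIL FROM:<probe@outside-a.example>")
    reply = server.handle("RCPT TO:<probe@outside-b.example>")
    server.handle("QUIT")
    return reply.startswith("250")


# Constructed accounts: 'staff' is meant to be allowed to relay, 'guest' is not.
ACCOUNTS = {"staff": "correct horse", "guest": "guest"}


def buggy_rule(user: str) -> bool:    # any account that can authenticate is allowed to relay
    return True


def fixed_rule(user: str) -> bool:    # only explicitly authorised accounts may relay
    return user == "staff"


BUGGY = StubSmtpServer(["example.test"], ACCOUNTS, buggy_rule)
FIXED = StubSmtpServer(["example.test"], ACCOUNTS, fixed_rule)

if __name__ == "__main__":
    for name, srv in (("buggy", BUGGY), ("fixed", FIXED)):
        print(name, "anonymous:", relay_probe(srv), "guest:", relay_probe(srv, ("guest", "guest")),
              "staff:", relay_probe(srv, ("staff", "correct horse")))
```

Note what the probe does and does not tell you: an anonymous 550 shows the server is not an open relay, but it says nothing about what an authenticated session can do, which is exactly the case the bulletin covers, so probe with a low-privilege known account as well, and do it from outside your own network so that any 'trusted IP' relay exemptions do not flatter the result.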

Microsoft Security Bulletin MS02-011

* SMTP denial of service flaw fixed for Windows/Exchange 2000, XP Pro

Another, different, SMTP flaw from that discussed above, and affecting a different set of SMTP service versions, has also been patched. In this case, only the native SMTP service is affected, and only that of Windows 2000 and XP Pro. NT 4.0 and XP Home Edition are not affected (the latter does not ship with an SMTP service). Exchange 2000 installations are also affected, although indirectly: Exchange 2000 only installs on Windows 2000 and it installs and uses the native SMTP service (if it is not already present) for its SMTP needs (earlier versions of Exchange implement their own SMTP service regardless of whether the system provides one).

Improper handling of a malformed SMTP command results in the temporary unavailability of affected SMTP servers while the crashed service is stopped and restarted. However, all other Internet network services would also be stopped and restarted, so the impact of such an attack would be more wide ranging than just affecting the e-mail service. According to the security bulletin, this patch requires a reboot.

Microsoft Security Bulletin MS02-012

* Gator susceptible to arbitrary code execution

EyeOnSecurity has discovered that some versions of the popular Gator web browser plugin will download _and install_ any program without warning the user or asking their permission. The flaw is actually in the part of the software designed to install (and presumably update) the Gator software itself, but there are no security or authenticity checks on what this installer component accepts, nor any limit on which sites can direct the plugin to download and install a file. Rather controversially, EyeOnSecurity supplied a test exploit page that would download and install a small remote access Trojan to prove the point. An update to Gator has been released and should have been automatically installed on most Gator clients by now. It can be manually downloaded from the Gator web page linked below.

Gator installer plugin allows any software to be installed - EyeOnSecurity

Download Gator update - gator.com

* Update fixes remote exploits of PHP

Developers of PHP, the popular web server scripting language, have released an update to the current version (to v4.1.2) and patches to several widely used earlier versions. This update is in response to the discovery by German web developers, e-matters, that some PHP code for handling file uploads is vulnerable to multiple overflows that allow remote execution of arbitrary code.

These overflows are present, in slightly different forms, in many versions of PHP. Details of the exploits have not been released, but the PHP developers clearly agree with e-matters' assessment of the seriousness of these bugs. Their home page advises 'All users of PHP are strongly encouraged to either upgrade to PHP 4.1.2, or install the patch (available for PHP 3.0.18, 4.0.6 and 4.1.0/4.1.1).'

Sites running PHP that are unable to install the update should consider applying a workaround to disable support for this functionality. This is achieved simply by adding/altering the line "file_uploads = Off" (without the quotes) in the php.ini file. PHP users running it as a web server module should then stop and restart the server.
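
The workaround is a one-line change, but php.ini files on long-lived servers tend to accumulate commented-out and duplicate settings, and PHP takes the last assignment it reads, so editing the first 'file_uploads' line you find is not always enough. The following added example (not from the original newsletter or from the PHP project) rewrites a php.ini fragment so that exactly one active 'file_uploads = Off' remains, comments out any later assignment that would override it, and then reads the result back the way PHP would. The php.ini text is constructed for the example.

```python
import re

# An active or commented-out file_uploads assignment (php.ini treats ';' as a comment marker).
UPLOAD_LINE = re.compile(r"^\s*;?\s*file_uploads\s*=", re.IGNORECASE)
# Only active assignments, capturing the value (optionally double-quoted).
ACTIVE_UPLOAD_LINE = re.compile(r'^\s*file_uploads\s*=\s*"?([^";\s]*)', re.IGNORECASE)


def effective_file_uploads(ini_text: str) -> bool:
    """What PHP ends up with: the last active assignment wins; absent means the default, On."""
    enabled = True
    for line in ini_text.splitlines():
        m = ACTIVE_UPLOAD_LINE.match(line)
        if m:
            enabled = m.group(1).lower() in ("1", "on", "true", "yes")
    return enabled


def disable_file_uploads(ini_text: str) -> str:
    """Return php.ini text with exactly one active 'file_uploads = Off'.
    The first existing assignment (even a commented-out one) is rewritten in place, any later
    assignment is commented out because it would otherwise override the Off, and if there is
    no assignment at all one is appended."""
    out, done = [], False
    for line in ini_text.splitlines():
        if UPLOAD_LINE.match(line):
            if not done:
                out.append("file_uploads = Off")
                done = True
            else:
                out.append("; " + line.lstrip().lstrip(";").strip()
                           + "  ; disabled: a later assignment would win")
        else:
            out.append(line)
    if not done:
        out.append("file_uploads = Off")
    return "\n".join(out) + "\n"


# Constructed php.ini fragment: the first setting is the one a hurried edit would change; the
# stray duplicate near the end is what would silently switch uploads back on.
SAMPLE_INI = """\
[PHP]
; Whether to allow HTTP file uploads.
file_uploads = On
upload_max_filesize = 2M
; local override added later
file_uploads = On
"""

if __name__ == "__main__":
    hardened = disable_file_uploads(SAMPLE_INI)
    print(hardened)
    print("uploads enabled before:", effective_file_uploads(SAMPLE_INI),
          "after:", effective_file_uploads(hardened))
```

After restarting the web server (or the CGI/FastCGI processes, if PHP is not running as a module), confirm the result from PHP's point of view with phpinfo() rather than trusting the edit, since the server may be reading a php.ini from a different directory than the one you changed.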

PHP remote vulnerabilities - e-matters.de

PHP downloads page - php.net

* Squid patches fix several security issues

The recent 2.4STABLE4 release of Squid, the popular open source web proxy server, fixes several security problems. If exploited, these could result in remote code execution. They include an SNMP problem (not related to the recent SNMP warnings from CERT) and a configuration problem whereby, if Squid is built with HTCP enabled (it is not in the default Squid build, but several Linux distributions ship packages built with it enabled), HTCP cannot be properly disabled.

Updated code is released on the Squid site and several Linux distributors have shipped, or soon will be shipping, updated packages.

Security Update Advisory SQUID-2002:1 - squid-cache.org

* Linux kernel patch fixes netfilter hole

The netfilter team has announced a kernel patch that corrects a problem in all Linux kernels from v2.4.14 to v2.4.18-pre8 inclusive. Netfilter's IRC DCC connection tracking module temporarily opens a hole in inbound port filtering so that the remote machine invited to join a DCC session can connect back to the internal machine that issued the invitation. A bug in this code means an unnecessarily wide hole is opened, allowing inbound connections to the port named in the DCC request to reach _any_ internal machine, rather than just the machine requesting the DCC session. The precise impact of this bug on any given machine running netfilter depends on the ruleset in place, but the netfilter maintainers believe that many sites have sufficiently liberal rulesets to be concerned about this possibility.

Aside from obtaining the patch from netfilter.org and recompiling your own kernel, various Linux distributions that support packaging the kernel have, or soon will have, update packages available.
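
To make the shape of the hole concrete, here is an added example (not from the original newsletter and not netfilter's code) that models what the IRC helper does: it parses the CTCP DCC request an internal client sends out, which carries the client's address as a decimal integer and the port it will listen on, and turns it into an 'expectation' describing which inbound connection the firewall will admit. The buggy variant wildcards the destination host, the fixed one pins it to the client that made the request; the expectation model is a simplification assumed for this example, and the IRC line and addresses are constructed.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

# CTCP DCC request inside a PRIVMSG: "DCC CHAT chat <ip-as-decimal> <port>" or
# "DCC SEND <file> <ip-as-decimal> <port> [<size>]".
DCC_RE = re.compile(r"\x01DCC (?:CHAT|SEND) \S+ (\d+) (\d+)(?: \d+)?\x01")


def parse_dcc(irc_line: str) -> Optional[Tuple[IPv4Address, int]]:
    """Return the (address, port) the internal client is asking its peer to connect back to."""
    m = DCC_RE.search(irc_line)
    if m is None:
        return None
    return IPv4Address(int(m.group(1))), int(m.group(2))


@dataclass(frozen=True)
class Expectation:
    """Simplified conntrack expectation: which inbound connection the helper will let through.
    dst_ip=None is the wildcard the buggy helper effectively used (any host behind the firewall).
    The remote source is deliberately unconstrained, as it must be for DCC to work at all."""
    dst_ip: Optional[IPv4Address]
    dst_port: int

    def admits(self, dst_ip: IPv4Address, dst_port: int) -> bool:
        return dst_port == self.dst_port and (self.dst_ip is None or dst_ip == self.dst_ip)


def expectation_for(client_ip: IPv4Address, irc_line: str, fixed: bool) -> Optional[Expectation]:
    """Model of the helper (an assumption for this example, not the kernel code): the buggy
    version wildcards the destination, the fixed one pins it to the client that sent the request."""
    parsed = parse_dcc(irc_line)
    if parsed is None:
        return None
    _advertised_ip, port = parsed
    return Expectation(client_ip if fixed else None, port)


def inbound_admitted(client_ip: str, irc_line: str, fixed: bool, dst_ip: str, dst_port: int) -> bool:
    """Would an inbound SYN to dst_ip:dst_port pass through the hole the helper opened?"""
    exp = expectation_for(IPv4Address(client_ip), irc_line, fixed)
    return exp is not None and exp.admits(IPv4Address(dst_ip), dst_port)


# Constructed traffic: 192.168.1.11 (3232235787 in DCC's decimal form) invites a peer to a DCC CHAT.
CLIENT = "192.168.1.11"
DCC_LINE = ":alice!u@h PRIVMSG bob :\x01DCC CHAT chat 3232235787 6667\x01"

if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "buggy",
              "to requester:", inbound_admitted(CLIENT, DCC_LINE, fixed, "192.168.1.11", 6667),
              "to other host:", inbound_admitted(CLIENT, DCC_LINE, fixed, "192.168.1.20", 6667))
```

The practical reading of the model: with the buggy helper, anyone who can get a client on your network to send a DCC request (or who runs such a client themselves) can pick the port, and every internal host then accepts inbound connections on it for as long as the expectation lives, which is why a ruleset that leans on connection tracking to admit 'related' traffic, rather than on explicit per-host rules, is the one the maintainers are worried about.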

IRC connection tracking opens unwanted ports - netfilter.org

* Solaris-specific patch for Apache 1.3.23

The Apache Software Foundation has released a Solaris-specific patch for the current, 1.3.23, release of its Apache HTTP server. The patch fixes a bug that only affects the Solaris build of that version, and then only if the default accept() mutex method ('pthread') is configured. No indication is given as to the type or severity of the exposure the bug creates on a vulnerable machine. (There have been several informal reports recently of unspecified Unix-based web servers being compromised, so there is some suspicion this is related...)

To fix affected machines, either install the Apache patch or use the AcceptMutex directive to change to the 'sysvsem' or 'fcntl' method. The 1.3.24 release will ship with this patch built in.

Solaris specific patch for Apache 1.3.23 - apache.org

* Jail, restitution for employee's computer 'revenge'

Over three years in jail and US$2 million restitution to his former employer was the sentence passed on a New Jersey man on Tuesday. Timothy Lloyd had earlier been found guilty under a previously untried federal law (others charged under it have pleaded guilty or agreed to other plea bargains before their cases reached court). Lloyd's former employer claims that his actions, reputedly taken as revenge for his demotion from a senior programming position, cost the company US$10 million. If we accept that claim, and given that it has taken since mid-1996 to get a prosecution and sentence (and will take several more years before Lloyd is able to earn money to start paying the restitution), it is hardly surprising that so few of these cases ever make it to court.

Computer programmer sentenced in NJ sabotage case - InfoWorld
