Windows Security Update June 14, 2000. In this issue: Registry Request Denial of Service, Spoofing McAfee VirusScan Alerts, Unify eWave ServletExec Exposes Source Code, Path Exposure and Buffer Overrun in Ceilidh, Firewall-1 Denial of Service, Buffer Overflow Condition in EServ, Circumventing IE Cross-Frame Security, Win2K/NT Denial of Service via Invalid SMB Field, IE Mishandles SSL Certificates, NT Subject to User Session Key Reuse, Win2K and NT SMB-based Denial of Service, The Need for Layered Physical Security, Tip: How to Recover a Lost Administrator Password, and Windows 2000 Security: Checking Your Current Configuration in Group Policy.
**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter
brought to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.net/Email/Index.cfm?ID=5
**********************************************************
This week's issue sponsored by
Dorian Software Creations - Event Archiver 3.2
http://www.doriansoft.com
Sunbelt Software - STAT: NT/2000 Vulnerability Scanner
http://www.sunbelt-software.com/product.cfm?id=899
(Below SECURITY ROUNDUP)
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
June 14, 2000 - In this issue:
1. IN FOCUS
- The Need for Layered Physical Security
2. SECURITY RISKS
- Registry Request Denial of Service
- Spoofing McAfee VirusScan Alerts
- Unify eWave ServletExec Exposes Source Code
- Path Exposure and Buffer Overrun in Ceilidh
- Firewall-1 Denial of Service
- Buffer Overflow Condition in EServ
- Circumventing IE Cross-Frame Security
- Win2K/NT Denial of Service via Invalid SMB Field
- IE Mishandles SSL Certificates
- NT Subject to User Session Key Reuse
- Win2K and NT SMB-based Denial of Service
3. ANNOUNCEMENTS
- Conference and Expo on Windows 2000/NT 4.0 Security and Control
- Win2000mag.net--A Mile Deep
4. SECURITY ROUNDUP
- Microsoft Releases Outlook Security Update
5. NEW AND IMPROVED
- Management Tool Streamlines Network Security
- Desktop Antivirus Certified for Win2K
6. SECURITY TOOLKIT
- Book Highlight: Securing Intranets
- Tip: How to Recover a Lost Administrator Password
- Windows 2000 Security: Checking Your Current Configuration in
Group Policy
7. HOT THREADS
- Windows 2000 Magazine Online Forums
Security Configuration Manager
- Win2KSecAdvice Mailing List
Reporting Security Issues to Microsoft
- HowTo Mailing List
Trojan-like Activity with ICMP
~~~~ SPONSOR: DORIAN SOFTWARE CREATIONS--EVENT ARCHIVER 3.2 ~~~~
Boost your network security and system reliability by automating and
centralizing the collection of your Windows NT/2000 event logs. Running
as a 24/7 service on a single server, Event Archiver Enterprise can
collect all of the event logs in your domain(s) remotely without the
use of clients!
A friendly GUI management console, flexible scheduling, and many
data storage options (EVT, TXT, Access, and ODBC) makes Dorian Software
Creations' Event Archiver a necessary application in any security
administrator's tool suite. Download your FREE 30-day evaluation from
http://www.doriansoft.com/.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim
Langone (Western Advertising Sales Manager) at 800-593-8268 or
jim@win2000mag.com, OR Tanya T. TateWik (Eastern and International
Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. ========== IN FOCUS ==========
Hello everyone,
Over the past few months, I've read at least four news reports about
various world government agencies that have either lost computer
hardware and data or inappropriately provided access to sensitive data.
In April, a laptop with classified code-word information was reported
missing from an allegedly secure conference room at the US State
Department. The laptop had been missing since February. According to
reports, the theft resulted not from poor security procedures but from
department employees' failure to follow existing procedures. The State
Department said 15 additional laptops with unclassified information are
missing too.
In late May, Australia reported a similar incident in which five of
its Parliament laptops were stolen from private, allegedly secure areas
of Parliament House. Then, we learned that former CIA Director John
Deutch took classified information home without permission and left it
accessible in his house.
This week, we're hearing reports that hard disks are missing from
Los Alamos Laboratory vaults--drives that contain US and Russian
nuclear secrets. Some military experts say our national arsenal has
subsequently been completely compromised.
At first, I didn't want to believe these events actually happened.
After all, they took place in highly secured facilities. But the events
are real indeed, and they're probably just the tip of the iceberg when
it comes to less-than-acceptable physical security in government
facilities.
Risk management is only as effective as its weakest link. After all,
what good are high-tech biometric security systems, VPNs, data
encryption techniques, and other forms of defense if physical access
management is inadequate? What about your facilities? Are they as
secure as you'd like them to be?
As with layered network defenses, you must protect physical premise
access with a layered strategy. Just as you might divide up pieces of a
master password among several people so no one person has the entire
password, you might also consider dividing up authority and
accountability with regard to physical security. Involving several
people in a procedure helps build accountability along the way.
Intruders are less likely to attempt mischievous endeavors when several
checks and balances are involved in the process of entering and leaving
a premise. Until next time, have a great week.
Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net
2. ========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)
* REGISTRY REQUEST DENIAL OF SERVICE
Before a remote machine's request to access the Registry is processed,
it must be authenticated by the Remote Registry server, which is
contained within the winlogon.exe process. If the request is malformed
in a specific fashion, the Remote Registry server can misinterpret it
and crash the entire system.
http://www.ntsecurity.net/go/load.asp?iD=/security/nt4-10.htm
* SPOOFING MCAFEE VIRUSSCAN ALERTS
By default, McAfee VirusScan uses a shared network directory for
storing inbound alerts. The directory lets all VirusScan users read,
write, and delete files in the shared directory. Because of loose
directory permissions and alert files that are formatted in plain text,
malicious users can delete valid virus alerts and spoof bogus alerts.
http://www.ntsecurity.net/go/load.asp?iD=/security/mcafee2.htm
* UNIFY EWAVE SERVLETEXEC EXPOSES SOURCE CODE
The Unify eWave ServletExec software exposes source code for its files
if a user appends ".jsp" to the end of a generated URL. The vendor is
aware of this problem but has not yet responded.
http://www.ntsecurity.net/go/load.asp?iD=/security/servlet1.htm
* PATH EXPOSURE AND BUFFER OVERRUN IN CEILIDH
By using a specially crafted POST statement, an intruder can spawn
multiple copies of the ceilidh.exe program where each process takes
approximately 1 percent of available CPU cycles and approximately 700KB
of memory. Because memory resources are not freed properly, the
intruder can deny service to a Web system hosting the software. The
vendor is aware of this problem but has not yet responded.
http://www.ntsecurity.net/go/load.asp?iD=/security/ceilidh1.htm
* FIREWALL-1 DENIAL OF SERVICE
A Denial of Service (DoS) condition caused by fragmented IP packets
exists in version 4.0 of Check Point's FireWall-1. According to
Check Point, if a person uses the jolt2 program to send a stream of
extremely large IP fragments to a FireWall-1 gateway, the action might
cause the write mechanism to consume all CPU resources on the firewall
system. Check Point is working on a fix and has provided a workaround
for use in the meantime.
http://www.ntsecurity.net/go/load.asp?iD=/security/fw1-2.htm
* BUFFER OVERFLOW CONDITION IN ESERV
A malicious user can crash the Eserv Web Server by sending it long
queries. Because of an unchecked buffer condition, the user can run
arbitrary code on the server.
http://www.ntsecurity.net/go/load.asp?iD=/security/eserv1.htm
* CIRCUMVENTING IE CROSS-FRAME SECURITY
Georgi Guninski discovered that by using JavaScript to access the
document object model (DOM) of HTML documents, an intruder can
circumvent Microsoft Internet Explorer's (IE's) cross-frame security
policy. The problem allows reading local files, reading files from
other hosts, window spoofing, and cookies exposure. The problem is that
when the NavigateComplete2 event is initiated, it passes an argument of
WebBrowser control. The WebBrowser control has an accessible property
document that allows access to the DOM of the target document.
http://www.ntsecurity.net/go/load.asp?iD=/security/ie521.htm
* WIN2K/NT DENIAL OF SERVICE VIA INVALID SMB FIELD
Sending Server Message Block (SMB) requests to a Windows 2000 or
Windows NT system without acknowledging those requests causes Denial of
Service (DoS) conditions against the system. Microsoft is aware of this
matter but has not yet responded.
http://www.ntsecurity.net/go/load.asp?iD=/security/win2k-6.htm
* IE MISHANDLES SSL CERTIFICATES
According to a Microsoft bulletin, two vulnerabilities exist in the way
Internet Explorer (IE) handles digital certificates. When a user
connects to a secure server via either an image or a frame, IE verifies
only that the server's Secure Sockets Layer (SSL) certificate was
issued by a trusted root; it does not verify the server name or the
expiration date. When a connection is made via any other means, all
expected validation is performed. The second issue is that even when
the initial validation is made correctly, IE does not revalidate the
certificate if a new SSL session is established with the same server
during the same IE session.
http://www.ntsecurity.net/go/load.asp?iD=/security/ie5-20.htm
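As an added example (not from the newsletter or Microsoft), the following Python contrasts the root-only check the bulletin describes for image and frame loads with full validation of issuer, server name and expiration, and shows why a per-host verdict cached for the whole browser session lets a later session with a bad certificate through. The certificates, trust store and host names are constructed.

```python
"""Certificate checks the bulletin says IE skipped for image and frame loads.

Added example, not from the newsletter or Microsoft. Certificates are
constructed dicts rather than real X.509, and the trust store is constructed.
"""
from datetime import datetime, timezone

TRUSTED_ROOTS = {"Example Trusted Root CA"}          # constructed trust store
NOW = datetime(2000, 6, 14, tzinfo=timezone.utc)

GOOD_CERT = {"subject": "www.example.com", "issuer": "Example Trusted Root CA",
             "not_before": datetime(1999, 7, 1, tzinfo=timezone.utc),
             "not_after": datetime(2001, 7, 1, tzinfo=timezone.utc)}
# Same trusted issuer, but the name belongs to another host.
MISMATCHED_CERT = dict(GOOD_CERT, subject="other.example.net")
# Same trusted issuer and name, but it ran out before NOW.
EXPIRED_CERT = dict(GOOD_CERT, not_after=datetime(2000, 1, 1, tzinfo=timezone.utc))


def name_matches(cert_name: str, hostname: str) -> bool:
    """Exact match, or a single-label wildcard such as *.example.com."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name.startswith("*."):
        return (hostname.endswith(cert_name[1:])
                and hostname.count(".") == cert_name.count("."))
    return cert_name == hostname


def root_only_check(cert: dict) -> bool:
    """The partial check reported for image/frame loads: trusted issuer, nothing else."""
    return cert["issuer"] in TRUSTED_ROOTS


def full_check(cert: dict, hostname: str, now: datetime) -> list:
    """Trusted issuer, name matches the server, and inside the validity period.

    Returns the list of failures; an empty list means the certificate is acceptable.
    """
    problems = []
    if cert["issuer"] not in TRUSTED_ROOTS:
        problems.append("untrusted issuer")
    if not name_matches(cert["subject"], hostname):
        problems.append("name mismatch")
    if not cert["not_before"] <= now <= cert["not_after"]:
        problems.append("outside validity period")
    return problems


class BrowserSession:
    """Remembers which hosts were validated during one browser session."""

    def __init__(self, now: datetime, revalidate: bool):
        self.now = now
        self.revalidate = revalidate   # False reproduces the second reported flaw
        self.validated = set()

    def connect(self, cert: dict, hostname: str) -> bool:
        """Accept or reject a new SSL session to hostname presenting cert."""
        if hostname in self.validated and not self.revalidate:
            return True        # cached verdict reused; the new cert is never examined
        ok = not full_check(cert, hostname, self.now)
        if ok:
            self.validated.add(hostname)
        return ok
```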
* NT SUBJECT TO USER SESSION KEY REUSE
When an administrator uses usrmgr.exe or srvmgr.exe to remotely add
users or workstations to a domain or changes a user's password, the
tool sends an encrypted 516-byte password block over the network. An
intruder can intercept the data block and take it apart to reveal a
User Session Key, which the intruder can use to decrypt further
communication intercepted between the administrator and the domain
controllers. For example, if an administrator changes a user's password
remotely, the intruder can decrypt that password to reveal the clear
text version using the captured User Session Key. Microsoft is aware of
this matter but has not yet responded.
http://www.ntsecurity.net/go/load.asp?iD=/security/nt4-9.htm
* WIN2K AND NT SMB-BASED DENIAL OF SERVICE
If a distributed computing environment (DCE)/remote procedure call
(RPC) request is encapsulated inside a Server Message Block (SMB)
request along with an invalid data length field, the system crashes,
and a reboot is necessary to restore functionality. Microsoft is aware
of the problem but has not yet responded.
http://www.ntsecurity.net/go/load.asp?iD=/security/win2k-7.htm
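An added example, not from the newsletter or Microsoft: a Python check of the kind a receiver should run before trusting a length field, refusing a DCE/RPC fragment whose declared sizes disagree with the bytes actually received. It assumes the SMB transport has already been stripped and looks only at the 16-byte connection-oriented DCE/RPC header; the sample PDUs are constructed.

```python
"""Length-field consistency check for a DCE/RPC PDU carried over SMB.

Added example, not from the newsletter or Microsoft. Only the 16-byte
connection-oriented DCE/RPC (version 5) header is parsed; the SMB framing
around it is assumed to be removed already, and sample PDUs are constructed.
"""
import struct

HEADER_LEN = 16
AUTH_TRAILER_LEN = 8   # sec_trailer that sits in front of auth_length verifier bytes


def parse_header(pdu: bytes) -> dict:
    """Decode the fixed header; honour the integer byte-order bit in drep."""
    if len(pdu) < HEADER_LEN:
        raise ValueError("short header: %d bytes" % len(pdu))
    vers, vers_minor, ptype, flags = pdu[0], pdu[1], pdu[2], pdu[3]
    endian = "<" if pdu[4] & 0x10 else ">"          # drep[0] bit 4: little-endian ints
    frag_length, auth_length, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    return {"vers": vers, "vers_minor": vers_minor, "ptype": ptype, "flags": flags,
            "frag_length": frag_length, "auth_length": auth_length, "call_id": call_id}


def check_lengths(pdu: bytes) -> list:
    """List every disagreement between declared and actual sizes (empty list = OK)."""
    try:
        hdr = parse_header(pdu)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if hdr["vers"] != 5:
        problems.append("unsupported rpc_vers %d" % hdr["vers"])
    if hdr["frag_length"] < HEADER_LEN:
        problems.append("frag_length %d smaller than header" % hdr["frag_length"])
    if hdr["frag_length"] != len(pdu):
        problems.append("frag_length %d but %d bytes on the wire"
                        % (hdr["frag_length"], len(pdu)))
    if hdr["auth_length"]:
        needed = HEADER_LEN + AUTH_TRAILER_LEN + hdr["auth_length"]
        if needed > hdr["frag_length"]:
            problems.append("auth_length %d does not fit in fragment" % hdr["auth_length"])
    return problems


def extract_stub(pdu: bytes):
    """Hand back the stub data only when every declared length agrees with reality."""
    if check_lengths(pdu):
        return None
    hdr = parse_header(pdu)
    trailer = AUTH_TRAILER_LEN + hdr["auth_length"] if hdr["auth_length"] else 0
    return pdu[HEADER_LEN:hdr["frag_length"] - trailer]


def build_pdu(body: bytes, frag_length=None, auth_length=0, call_id=1) -> bytes:
    """Assemble a little-endian request PDU; frag_length can be overridden to mis-declare it."""
    if frag_length is None:
        frag_length = HEADER_LEN + len(body)
    header = bytes([5, 0, 0, 0x03])          # vers 5, minor 0, ptype request, first+last frag
    header += bytes([0x10, 0, 0, 0])         # drep: little-endian integers, ASCII, IEEE float
    header += struct.pack("<HHI", frag_length, auth_length, call_id)
    return header + body
```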
3. ========== ANNOUNCEMENTS ==========
* CONFERENCE AND EXPO ON WINDOWS 2000/NT 4.0 SECURITY AND CONTROL
The Conference and Expo on Windows 2000/NT 4.0 Security and Control
comes to Boston, July 11 through 13, 2000, with optional workshops on
July 10 and July 13. Produced by MIS Training Institute and cosponsored
by Windows 2000 Magazine, this conference is the place to gain the
technical skills you need to implement and exploit Microsoft's
newest OS. For more details or to register, call 508-879-7999, ext.
346, or go to
http://www.misti.com/conference_show.asp?id=NT00US.
* WIN2000MAG.NET--A MILE DEEP
Introducing the Windows 2000 Magazine Network, a portal site with a
distinct advantage--deep content. Scour more than 10,000 articles from
two magazines, three newsletters, and a dozen Web sites. Search easily
for impartial, straightforward solutions so that you can find the
answer you need, and get on with things. Raise Your IT IQ at
http://www.win2000mag.net.
4. ========== SECURITY ROUNDUP ==========
* MICROSOFT RELEASES OUTLOOK SECURITY UPDATE
Microsoft has released the anticipated Outlook Security Update,
which was prompted in part by the rapid spread of the VBS/Loveletter
virus. The update works for Outlook 2000 and Outlook 98 with Office
Service Release 1 (SR1) to prevent certain file types from taking
action within the mail client without the user's direct intervention.
According to Steven Sinofsky, senior vice president of Microsoft
Office, the update provides four key benefits to Outlook users. It
prevents users from accessing potentially unsafe email attachments; it
intercepts programmatic attempts to access an Outlook Address Book; it
warns with a dialog box if a program tries to send email; and it
changes security zone settings from the Internet Zone to Restricted
Zone.
Before you apply the update, be sure to read Microsoft articles
Q262634 and Q262631 to learn more details, including the current known
limitations. You can download the update from Microsoft's Office Update
Web site.
http://www.officeupdate.com
http://support.microsoft.com/support/kb/articles/Q262/6/34.asp
http://support.microsoft.com/support/kb/articles/Q262/6/31.ASP
~~~~ SPONSOR: SUNBELT SOFTWARE--STAT: NT/2000 VULNERABILITY SCANNER ~~~~
Ever had that feeling of ACUTE PANIC that a hacker has invaded your
network? Plug NT/2000's over 850 holes before they plug you. You _have_
to protect your LAN _before_ it gets attacked. STAT comes with a
responsive web-update service and a dedicated Pro SWAT team that helps
you to hunt down and kill Security holes. Built by anti-hackers for DOD
sites. Download a demo copy before you become a statistic.
http://www.sunbelt-software.com/product.cfm?id=899
5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)
* MANAGEMENT TOOL STREAMLINES NETWORK SECURITY
Labcal Technologies announced NetPulse, a security management tool for
Windows NT. NetPulse enables remote auditing, reporting, setting, and
correction of security features from one software installation. A
NetPulse trial version is available from Labcal's Web site. For more
information, contact Labcal, 877-752-2225.
http://www.labcal.com
* DESKTOP ANTIVIRUS CERTIFIED FOR WIN2K
Trend Micro released PC-cillin 2000, PC virus-protection software
certified by VeriTest for Windows 2000. It also runs on Windows NT and
Win 9x. PC-cillin 2000 includes real-time email virus scanning, manual-
scan capabilities for personal folders, and incremental virus pattern
updates. PC-cillin 2000 is available for download for $29.95 or on CD-
ROM for $39.95. For additional information, contact Trend Micro, 800-
228-5651.
http://www.pc-cillin.com
6. ========== SECURITY TOOLKIT ==========
* BOOK HIGHLIGHT: SECURING INTRANETS
By NIIT
Online Price: $99.00
CD-ROM
Published by NIIT, January 2000
ISBN IT10216040
"Securing Intranets" is a CD-ROM-based training course for system
administrators and network administrators who want to protect their
networks from various threats posed by connecting to the Internet.
After completing this course, you'll be able to list the encryption
techniques and the methods to secure email communication, describe the
working of Pretty Good Privacy (PGP) and RSA, and describe how
firewalls work on different OSs.
To order the CD-ROM, go to
http://www.fatbrain.com/shop/info/IT10216040?from=win2000mag
or visit the Windows 2000 Magazine Network Bookstore at
http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772&from=win2000mag.
* TIP: HOW TO RECOVER A LOST ADMINISTRATOR PASSWORD
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)
At some point, most of you will need to retrieve a lost Administrator
account password. As I tell those who email me for help in this
situation, you have two basic choices: You must either brute-force
crack it or reset it to something known. Resetting the password will
take much less time than brute-force cracking, so it's a more cost-
effective way to handle the situation.
If you do want to brute-force crack the password to see what it was
set to, you need to use a tool such as L0phtcrack, and you must obtain
a copy of the system's SAM database using NTFSDOS or a Linux boot disk
with NTFS drivers on it. Either of those tools lets you boot a system
from a disk and read the installed NTFS partitions. You can find
NTFSDOS at Winternals (http://www.winternals.com), and Linux boot disks
are available at various sites, such as Ken Pfiel's NT Toolbox Web site
(http://www.nttoolbox.com).
But if you have access to the SAM database, why not just reset the
Administrator password to something known and be done with it? In that
scenario, you can use NT Locksmith, also available at the Winternals
Web site. If you must have a cost-free way of password recovery, use a
Linux boot disk that comes with a tool that can perform that action.
The Linux boot available for free download at The NT Toolbox site
can reset a Windows NT system's Administrator password. Of course, you
get what you pay for, so don't expect a ton of documentation and an
experienced professional waiting for you to call for help. But using
the boot disk to reset a password is much easier and quicker than
reinstalling NT, so it's worth any problems you encounter.
I think every security administrator should have a copy of a Linux
boot disk such as the one at NT Toolbox. After you download the zip
file, unzip it and run the included executable file to create the
actual boot disk. While you're at The NT Toolbox, be sure to check out
the other great security-related tools available for download.
http://www.nttoolbox.com/public/tools/LinNT.zip
http://www.nttoolbox.com
* WINDOWS 2000 SECURITY: CHECKING YOUR CURRENT CONFIGURATION IN GROUP
POLICY
Although you might have a good idea of what a system's security
configuration should be from your knowledge of the Group Policy Objects
relevant to that system, wouldn't you like to see your system's actual
configuration? In this installment of Randy Franklin Smith's biweekly
column, he explains step-by-step how you can achieve that goal. Be sure
to stop by our Web site and read the entire article.
http://www.ntsecurity.net/go/win2ksec.asp
7. ========== HOT THREADS ==========
* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows
2000 Magazine online forums (http://www.win2000mag.net/forums).
June 08, 2000 03:26 PM
Security Configuration Manager
I have been looking at the MMC plugin Security Configuration Manager,
and like what I see: a simple interface for creating a security
baseline; however, it only operates if you are working locally on the
server. Ideally, I would like to run the application on my admin
workstation and remotely analyze and configure the servers.
Question: Does anyone know how to get around this limitation?
Thread continues at
http://www.win2000mag.net/Forums/Application/Thread.cfm?CFApp=64&Thread_ID=38900&mc=3.
* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following thread is in the spotlight
this week.
Reporting Security Issues to Microsoft
There's been a recent increase in the number of postings whose theme is
"I reported this to Microsoft but never heard anything back." In each
case, we've checked our records but, in most cases, found no record of
the issue having been sent to the Security Response Center. We answer
every email and track every report we receive, so we believe that the
reports in question may have been sent to other email addresses at
Microsoft.
http://www.ntsecurity.net/go/w.asp?A2=IND0006b&L=WIN2KSECADVICE&P=517
Follow this link to read all threads for June, Week 2:
http://www.ntsecurity.net/go/w.asp?A1=ind0006b&L=win2ksecadvice
* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
HowTo for Security mailing list. The following thread is in the
spotlight this week.
Trojan-like Activity with ICMP
I've been at a customer site the last few days trying to track down
this issue. They have multiple internal client machines trying to hit a
couple of different external addresses with a Type 3 Internet Control
Message Protocol (ICMP) request. We're blocking the clients at the
firewall, so ICMP is not getting out of the network, but I cannot get
the client machines to stop broadcasting. I've tried various Trojan
cleaners and zombie zappers to no avail. Most of the clients are SP5 or
SP6. Here's what icmpsnif found when executing on one of the clients
(note that the source address isn't on their network so I'm assuming
that it is spoofed).
http://www.ntsecurity.net/go/L.asp?A2=IND0006b&L=HOWTO&P=80
Follow this link to read all threads for June, Week 2:
http://www.ntsecurity.net/go/l.asp?A1=ind0006b&L=howto
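An added example, not from the newsletter or the poster above: Python that flags, in sniffer output captured on the internal segment, packets whose source address is not on the network (the spoofing the poster suspects) and ICMP type 3 messages originated toward external addresses, then counts which external hosts are being hit. The one-packet-per-line format and all addresses are constructed, and the internal ranges are assumed to be RFC 1918 space.

```python
"""Flag outbound ICMP type 3 and spoofed-source packets in sniffer output.

Added example, not from the newsletter or the HowTo poster. The log format
(one packet per line, key=value fields) and the addresses are constructed;
internal address space is assumed to be the RFC 1918 ranges.
"""
import ipaddress
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample capture taken on the internal segment.
SAMPLE_CAPTURE = """\
2000-06-08 14:02:11 src=192.168.1.23 dst=192.168.1.1 proto=icmp type=8 code=0
2000-06-08 14:02:12 src=203.0.113.9 dst=198.51.100.20 proto=icmp type=3 code=3
2000-06-08 14:02:12 src=203.0.113.9 dst=198.51.100.21 proto=icmp type=3 code=3
2000-06-08 14:02:13 src=192.168.1.40 dst=198.51.100.20 proto=icmp type=3 code=1
2000-06-08 14:02:14 src=192.168.1.40 dst=192.168.1.250 proto=tcp sport=1034 dport=139
"""


def is_internal(addr: str) -> bool:
    """True when addr falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Split '<date> <time> k=v k=v ...' into a dict; values stay strings."""
    parts = line.split()
    fields = {"timestamp": parts[0] + " " + parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def classify(fields: dict) -> list:
    """Reasons this packet deserves a look; an empty list means nothing unusual."""
    reasons = []
    if not is_internal(fields["src"]):
        # Seen leaving an internal host, yet the source is not ours: spoofed.
        reasons.append("spoofed source %s" % fields["src"])
    if (fields.get("proto") == "icmp" and fields.get("type") == "3"
            and not is_internal(fields["dst"])):
        # Unreachable messages are replies to inbound traffic; a steady stream
        # originated toward external hosts is not normal client behaviour.
        reasons.append("outbound ICMP type 3 to %s" % fields["dst"])
    return reasons


def scan(capture: str) -> list:
    """Return (timestamp, src, dst, reasons) for every suspicious line."""
    findings = []
    for line in capture.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        reasons = classify(f)
        if reasons:
            findings.append((f["timestamp"], f["src"], f["dst"], reasons))
    return findings


def targets(capture: str) -> Counter:
    """Count flagged packets per destination, to see which external hosts are hit."""
    return Counter(dst for _, _, dst, _ in scan(capture))
```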
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
========== GET UPDATED! ==========
Receive the latest information about the Windows 2000 and Windows NT
topics of your choice, including Win2K Pro, Exchange Server, thin-
client, training and certification, SQL Server, IIS administration,
XML, application service providers, and more. Subscribe to our other
FREE email newsletters at
http://www.win2000mag.com/sub.cfm?code=up00inxwnf.
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
Thank you for reading Security UPDATE.
You are subscribed as packet@PACKETSTORM.SECURIFY.COM.
SUBSCRIBE
To subscribe send a blank email to
subscribe-Security_UPDATE@list.win2000mag.net.
UNSUBSCRIBE
To unsubscribe, send an email to U-A3.15.87030@list.win2000mag.net. Or
click http://go.win2000mag.net:80/UM/U.ASP?A3.15.87030 and you will be
removed from the list. Thank you!
If you have questions or problems with your UPDATE subscription, please
contact securityupdate@win2000mag.com.
___________________________________________________________
Copyright 2000, Windows 2000 Magazine