From - Wed Feb 28 14:42:37 2001
Date: Wed, 28 Feb 2001 15:21:15 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Subject: CERT Summary CS-2001-01

CERT Summary CS-2001-01

February 28, 2001

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.

Past CERT summaries are available from:

CERT Summaries
http://www.cert.org/summaries/

______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in November 2000 (CS-2000-04), we have seen continued compromises via well-known vulnerabilities in rpc.statd and FTPD, as well as exploitations of recently discovered vulnerabilities in BIND and LPRng. Notable virus activity includes W32/Hybris and VBS/OnTheFly (Anna Kournikova).
For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change.

CERT/CC Current Activity
http://www.cert.org/current/current_activity.html

1. Multiple Vulnerabilities in BIND

The CERT/CC has learned of four vulnerabilities spanning multiple versions of the Internet Software Consortium's (ISC) Berkeley Internet Name Domain (BIND) server. BIND is an implementation of the Domain Name System (DNS) that is maintained by the ISC. Because the majority of name servers in operation today run BIND, these vulnerabilities present a serious threat to the Internet infrastructure. The CERT/CC has begun receiving reports of these vulnerabilities being successfully exploited. Sites are encouraged to follow the advice in CA-2001-02 to protect systems.

CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND
http://www.cert.org/advisories/CA-2001-02.html

2. Compromises Via Ramen Toolkit

The CERT/CC has received reports from sites that have recovered an intruder toolkit called 'ramen' from compromised hosts. Ramen has been discussed in several public forums and the toolkit is publicly available. Ramen exploits known vulnerabilities in FTPD, rpc.statd, and LPRng, and it contains a mechanism to self-propagate. Over the past several months we have received multiple daily reports of sites being root compromised by the Ramen toolkit. Sites, especially those running Linux, are encouraged to review the following document:

CERT Incident Note IN-2001-01, Widespread Compromises via "ramen" Toolkit
http://www.cert.org/incident_notes/IN-2001-01.html

3. Input Validation Problems in LPRng

A popular replacement software package for the BSD lpd printing service called LPRng contains at least one software defect, known as a "format string vulnerability," which may allow remote users to execute arbitrary code on vulnerable systems. Sites are encouraged to follow the advice in CA-2000-22 to protect systems.

CERT Advisory CA-2000-22 Input Validation Problems in LPRng
http://www.cert.org/advisories/CA-2000-22.html

4. VBS/OnTheFly (Anna Kournikova) Malicious Code

The "VBS/OnTheFly" malicious code is a VBScript program that, when executed, sends a copy of itself as an email file attachment. On February 12, the CERT Coordination Center received a large number of reports from sites infected with VBS/OnTheFly. Several of the sites reported suffering network degradation as a result of mail traffic generated by VBS/OnTheFly. The CERT/CC has received few reports since the initial outbreak. For information on how to prevent or recover from a VBS/OnTheFly infection, please see:

CERT Advisory CA-2001-03 VBS/OnTheFly (Anna Kournikova) Malicious Code
http://www.cert.org/advisories/CA-2001-03.html

______________________________________________________________________

New Vulnerability Notes Database

On December 15, 2000, the CERT/CC began publishing vulnerability notes in a new format, and at a new location. Vulnerability notes are very similar to advisories, but they may have less complete information, and solutions may not be available for all the vulnerabilities described in vulnerability notes. There are currently more than 70 vulnerability notes available in the database. We will continue publishing vulnerability notes in accordance with our vulnerability disclosure policy.
Vulnerability notes can be found at:

The CERT Coordination Center Vulnerability Notes Database
http://www.kb.cert.org/vuls/

______________________________________________________________________

What's New and Updated

Since the last CERT summary, we have published new and updated

* Advisories
  http://www.cert.org/advisories/
* Incident notes
  http://www.cert.org/incident_notes/
* CERT/CC statistics
  http://www.cert.org/stats/cert_stats.html
* Security improvement modules
  http://www.cert.org/security-improvement/

Descriptions of these documents and links to them can be found on our "What's New" page:

What's New
http://www.cert.org/nav/whatsnew.html

______________________________________________________________________

This document is available from:
http://www.cert.org/summaries/CS-2001-01.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
  CERT Coordination Center
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh PA 15213-3890
  U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright (C) 2001 Carnegie Mellon University.

From - Thu Mar 22 16:06:00 2001
Date: Thu, 22 Mar 2001 18:26:04 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2001-04

CERT Advisory CA-2001-04 Unauthentic "Microsoft Corporation" Certificates

Original release date: March 22, 2001
Last revised: March 22, 2001
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Systems whose users run code signed by Microsoft Corporation.

Overview

On January 29 and 30, 2001, VeriSign, Inc. issued two certificates to an individual fraudulently claiming to be an employee of Microsoft Corporation. Any code signed by these certificates will appear to be legitimately signed by Microsoft when, in fact, it is not. Although users who try to run code signed with these certificates will generally be presented with a warning dialog, there will not be any obvious reason to believe that the certificate is not authentic.

I. Description

Microsoft released a security bulletin on March 22, 2001, describing two certificates issued by VeriSign to an individual fraudulently claiming to be an employee of Microsoft. The full text of Microsoft's security bulletin is available from their web site at
http://www.microsoft.com/technet/security/bulletin/MS01-017.asp

Additional information about this issue is also available from VeriSign's web site:
http://www.verisign.com/developer/notice/authenticode/index.html

This issue presents a security risk because even a reasonably cautious user could be deceived into trusting the bogus certificates, since they appear to be from Microsoft. Once accepted, these certificates may allow an attacker to execute malicious code on the user's system.

This problem is the result of a failure by the certificate authority to correctly authenticate the recipient of a certificate. VeriSign has taken the appropriate action by revoking the certificates in question. However, this in itself is insufficient to prevent the malicious use of these certificates until a patch has been installed, because Internet Explorer does not check for such revocations automatically.

II. Impact

Anyone with the private portions of the certificates can sign code such that it appears to have originated from Microsoft Corporation. If the user approves the execution of code signed by one of the bogus certificates, it can take any action on the system with the privileges of the user who approved the execution. The fake certificates can only be used for Authenticode signing.

III. Solution

Check "Microsoft Corporation" Certificates

You can identify the fake certificates by checking the validity dates and serial numbers of the certificates. When prompted to authorize the execution of code signed by "Microsoft Corporation", press the "More Info" button to obtain additional information about the certificate used to sign the code. The fake certificates have the following description:

  Issued to: Microsoft Corporation
  Issued by: VeriSign Commercial Software Publishers CA
  Valid from 1/29/2001 to 1/30/2002
  Serial number is 1B51 90F7 3724 399C 9254 CD42 4637 996A

  Issued to: Microsoft Corporation
  Issued by: VeriSign Commercial Software Publishers CA
  Valid from 1/30/2001 to 1/31/2002
  Serial number is 750E 40FF 97F0 47ED F556 C708 4EB1 ABFD

No legitimate certificates were issued to Microsoft between January 29 and 30, 2001. Certificates with these initial validity dates or serial numbers should not be authorized to execute code.

The certificate revocation list for the fake certificates can be found at
http://crl.verisign.com/Class3SoftwarePublishers.crl

Apply a Patch from Your Vendor

While there do not appear to be any patches available at this time that directly address this issue, Microsoft is working on producing patches that will ensure the invalid certificates are not used.

Appendix A. - Vendor Information

Microsoft Corporation

Microsoft has published a security bulletin describing this issue at
http://www.microsoft.com/technet/security/bulletin/MS01-017.asp

Netscape

Netscape takes all security and privacy issues very seriously.
The Netscape browser does not allow the execution of ActiveX controls, signed or unsigned, and therefore Netscape users are not vulnerable to exploits which rely on signed ActiveX. In the unlikely event that Netscape users are presented with signed content from Microsoft requesting enhanced privileges, Netscape users can protect themselves by denying permission to any such request.

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-04.html
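The Section III check of CA-2001-04 written out in Python, as an added example that is not CERT's, Microsoft's or VeriSign's code: it normalises the serial number as shown in the "More Info" dialog, compares it with the two serials and the January 29-30 validity window the advisory lists, and consults a caller-supplied revocation list so that the CRL is honoured even where the browser does not check it. The certificate records are constructed dictionaries standing in for parsed certificate fields; fetching and parsing the real CRL is assumed to happen elsewhere.

```python
"""
The CA-2001-04 certificate check in code.  Added example, not CERT's,
Microsoft's or VeriSign's; the certificate records are constructed
dictionaries standing in for fields read from the 'More Info' dialog.
"""
from datetime import date

# Serial numbers exactly as the advisory prints them, normalised to integers.
FAKE_SERIALS = {
    int("1B51 90F7 3724 399C 9254 CD42 4637 996A".replace(" ", ""), 16),
    int("750E 40FF 97F0 47ED F556 C708 4EB1 ABFD".replace(" ", ""), 16),
}
# Per the advisory, no legitimate Microsoft certificate was issued in this window.
SUSPECT_WINDOW = (date(2001, 1, 29), date(2001, 1, 30))
SUBJECT = "Microsoft Corporation"
ISSUER = "VeriSign Commercial Software Publishers CA"


def parse_serial(text):
    """Accept '1B51 90F7 ...', '1b5190f7...' or '1B:51:...' and return an int."""
    return int("".join(ch for ch in text if ch.isalnum()), 16)


def parse_us_date(text):
    """Parse the M/D/YYYY form shown in the certificate dialog."""
    month, day, year = (int(p) for p in text.split("/"))
    return date(year, month, day)


def assess_certificate(cert, crl_serials=frozenset()):
    """
    cert: dict with 'issued_to', 'issued_by', 'valid_from', 'serial' as strings.
    crl_serials: integer serials from the issuer's CRL; the caller is assumed
        to have fetched and parsed Class3SoftwarePublishers.crl, which this
        example does not do.  It is checked first because, as the advisory
        notes, the browser did not check revocation automatically.
    Returns ('reject' | 'accept', reason).
    """
    serial = parse_serial(cert["serial"])
    not_before = parse_us_date(cert["valid_from"])
    if serial in crl_serials:
        return "reject", "serial is on the issuer's revocation list"
    if serial in FAKE_SERIALS:
        return "reject", "serial matches a fake certificate listed in CA-2001-04"
    if (cert["issued_to"] == SUBJECT and cert["issued_by"] == ISSUER
            and SUSPECT_WINDOW[0] <= not_before <= SUSPECT_WINDOW[1]):
        return "reject", "validity starts in the January 29-30, 2001 window"
    return "accept", "no indicator from CA-2001-04 matched"


# Constructed sample records; the first two reproduce the advisory's values.
SAMPLES = [
    {"issued_to": SUBJECT, "issued_by": ISSUER, "valid_from": "1/29/2001",
     "serial": "1B51 90F7 3724 399C 9254 CD42 4637 996A"},
    {"issued_to": SUBJECT, "issued_by": ISSUER, "valid_from": "1/30/2001",
     "serial": "750E 40FF 97F0 47ED F556 C708 4EB1 ABFD"},
    # Constructed: an unknown serial, but issued inside the suspect window.
    {"issued_to": SUBJECT, "issued_by": ISSUER, "valid_from": "1/30/2001",
     "serial": "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"},
    # Constructed: outside the window with an unrelated serial.
    {"issued_to": SUBJECT, "issued_by": ISSUER, "valid_from": "6/15/2000",
     "serial": "0123456789ABCDEF0123456789ABCDEF"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["valid_from"], rec["serial"], "->", assess_certificate(rec))
```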
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History
March 22, 2001: Initial release

From - Tue Apr 3 11:35:43 2001
Date: Tue, 3 Apr 2001 14:03:32 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2001-06

CERT Advisory CA-2001-06 Automatic Execution of Embedded MIME Types

Original release date: April 03, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.
Systems Affected

* All versions of Microsoft Internet Explorer 5.5 SP1 or earlier, except IE 5.01 SP2
* Any software which utilizes vulnerable versions of Internet Explorer to render HTML

Overview

Microsoft Internet Explorer has a vulnerability, triggered when parsing MIME parts in a document, that allows a malicious agent to execute arbitrary code. Any user or program that uses vulnerable versions of Internet Explorer to render HTML in a document (for example, when browsing a filesystem, reading email or news messages, or visiting a web page) should immediately upgrade to a non-vulnerable version of Internet Explorer.

I. Description

There exists in Internet Explorer a table which is used to determine how IE handles MIME types when it encounters MIME parts in any type of HTML document, be it email message, newsgroup posting, web page, or local file. This table contains a set of entries that cause Internet Explorer to open the MIME part without giving the end user the opportunity to decide if the MIME part should be opened.

This vulnerability allows an intruder to construct malicious content that, when viewed in Internet Explorer (or any program that uses the IE HTML rendering engine), can execute arbitrary code. It is not necessary to run an attachment; simply viewing the document in a vulnerable program is sufficient to execute arbitrary code. For more details, see Microsoft Security Bulletin MS01-020 on this topic at:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

There have been reports that simply previewing HTML content (as in a mail client or filesystem browser) is sufficient to trigger the vulnerability. The impact of viewing malicious code in this manner is being evaluated.

The CERT/CC is currently unaware of any reports of this vulnerability being used to successfully attack a system. Demonstration code exploiting this vulnerability has been published in several public forums.
This vulnerability is being referenced in CVE as CAN-2001-0154 and by the CERT/CC as VU#980499.

II. Impact

Attackers can cause arbitrary code to be executed on a victim's system by embedding the code in a malicious email, news message, or web page.

III. Solution

Apply the patch from Microsoft

Apply the patch from Microsoft, available at:
http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp

As noted in the 'Caveats' section of the Microsoft advisory, end users must apply this patch to supported versions of Microsoft's browser. This means IE must be upgraded to IE 5.01 Service Pack 1 or IE 5.5 Service Pack 1 before users can apply this patch. Users who have not previously upgraded will incorrectly receive a message stating that they do not need to apply this patch, even though they are vulnerable. Users are advised to upgrade to IE 5.5 SP1, IE 5.01 SP1 or SP2 (which has this patch incorporated in it) and apply the appropriate patch.

An excerpt from MS01-020:

  Caveats: If the patch is installed on a system running a version of IE other than the one it is designed for, an error message will be displayed saying that the patch is not needed. This message is incorrect, and customers who see this message should upgrade to a supported version of IE and re-install the patches.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Cyrusoft International, Inc.

Mulberry does not use Internet Explorer to render HTML within Mulberry itself and is not vulnerable to these kinds of problems.
Users can save HTML attachments to disk and then view those in browsers susceptible to this problem, but this requires the direct intervention of the user to explicitly save to disk; simply viewing HTML in Mulberry does not expose users to these kinds of problems. Our HTML rendering is a basic styled-text-only renderer that does not execute any form of scripts. This is true on all the platforms we support: Win32, Mac OS (Classic & X), Solaris, Linux. An official statement about this is available on our website at:
http://www.cyrusoft.com/mulberry/htmlsecurity.html

Lotus Development Corporation

Notes does not use IE to render HTML-formatted mail messages.

Microsoft Corporation

Please see the advisory (MS01-020, "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment") related to this issue at:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

A patch is available for this issue at:
http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp

Netscape Communications Corporation

Netscape is currently investigating the impact this vulnerability, if any, has on users of the Netscape browser.

Opera Software

Opera does not use Internet Explorer or any other external software to render HTML.

QUALCOMM Incorporated

It is unclear at this time what impact, if any, this vulnerability has on Eudora clients.

Appendix B. - References

1. Havrilla, J., and Hernan, S., "CERT Vulnerability Note VU#980499: Certain MIME types can cause Internet Explorer to execute arbitrary code when rendering HTML", March 2001.
   https://www.kb.cert.org/vuls/id/980499

_________________________________________________________________

Microsoft has acknowledged Juan Carlos Cuartango for bringing this issue to their attention.

This document was written by Jeffrey S. Havrilla and Shawn V. Hernan.

If you have feedback, comments, or additional information about this issue, please send us email.
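An added example, not part of the advisory or any vendor's code: a mail-gateway style check that parses a message with Python's standard email module and flags attachments whose declared Content-Type does not fit an executable filename (the mislabelled MIME part that MS01-020 describes), as well as script attachments of the VBS/OnTheFly kind from the summary above. The sample message and the set of executable extensions are constructed for illustration and are not taken from the advisory.

```python
"""
Flag MIME parts whose declared Content-Type does not match an executable
attachment (the condition behind CA-2001-06 / MS01-020, "Incorrect MIME
Header Can Cause IE to Execute E-mail Attachment") and script attachments of
the VBS/OnTheFly kind.  Added example, not CERT's or Microsoft's code; the
message and the extension list below are constructed assumptions.
"""
import email
from email import policy

# Assumed: extensions a Windows client of the era would run on open.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
                         ".vbs", ".js", ".hta"}
# Media types under which an executable payload has no business appearing.
PASSIVE_TOP_LEVEL_TYPES = {"audio", "image", "video", "text"}


def find_suspicious_parts(raw_message):
    """
    Return (filename, content_type, reason) for every attachment that either
    (a) carries an executable extension under a passive media type, the
    header/payload mismatch IE opened without asking, or (b) is an
    executable or script attachment at all, which a gateway policy would hold.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        # Last extension decides: 'photo.jpg.vbs' is a .vbs, not a .jpg.
        ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
        ctype = part.get_content_type()
        top = part.get_content_maintype()
        if ext in EXECUTABLE_EXTENSIONS and top in PASSIVE_TOP_LEVEL_TYPES:
            findings.append((filename, ctype, "executable payload declared as " + ctype))
        elif ext in EXECUTABLE_EXTENSIONS:
            findings.append((filename, ctype, "executable/script attachment"))
    return findings


# Constructed sample: a benign image, a mislabelled executable, a VBScript.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello.
--b1
Content-Type: image/gif; name="logo.gif"
Content-Disposition: attachment; filename="logo.gif"
Content-Transfer-Encoding: base64

R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==
--b1
Content-Type: audio/x-wav; name="sound.exe"
Content-Disposition: attachment; filename="sound.exe"
Content-Transfer-Encoding: base64

TVo=
--b1
Content-Type: application/octet-stream; name="photo.jpg.vbs"
Content-Disposition: attachment; filename="photo.jpg.vbs"
Content-Transfer-Encoding: base64

TXNnQm94ICJoaSI=
--b1--
"""

if __name__ == "__main__":
    for finding in find_suspicious_parts(SAMPLE_MESSAGE):
        print(finding)
```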
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-06.html
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History
April 03, 2001: Initial release

From - Wed May 2 17:18:54 2001
Date: Wed, 2 May 2001 18:24:16 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2001-10

CERT Advisory CA-2001-10 Buffer Overflow Vulnerability in Microsoft IIS 5.0

Original release date: May 02, 2001
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Systems running Microsoft Windows 2000 with IIS 5.0 enabled

Overview

A vulnerability exists in Microsoft IIS 5.0 running on Windows 2000 that allows a remote intruder to run arbitrary code on the victim machine, allowing them to gain complete administrative control of the machine. A proof-of-concept exploit is publicly available for this vulnerability, which increases the urgency that system administrators apply the patch.

I. Description

Windows 2000 includes support for the Internet Printing Protocol (IPP) via an ISAPI extension. According to Microsoft, this extension is installed by default on all Windows 2000 systems, but it is only accessible through IIS 5.0. The IPP extension contains a buffer overflow that could be used by an attacker to execute arbitrary code in the Local System security context, essentially giving the attacker complete control of the system.

This vulnerability was discovered by eEye Digital Security.

Microsoft has issued the following bulletin regarding this vulnerability:
http://www.microsoft.com/technet/security/bulletin/MS01-023.asp

This vulnerability has been assigned the identifier CAN-2001-0241 by the Common Vulnerabilities and Exposures (CVE) group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0241

II. Impact

Anyone who can reach a vulnerable web server can execute arbitrary code in the Local System security context, resulting in the intruder gaining complete control of the system. Note that this may be significantly more serious than a simple "web defacement."

III. Solution

Apply a patch from your vendor

A patch is available from Microsoft at
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321

Additional advice on securing IIS web servers is available from
http://www.microsoft.com/technet/security/iis5chk.asp
http://www.microsoft.com/technet/security/tools.asp

Appendix A. Vendor Information

Microsoft Corporation

The following documents regarding this vulnerability are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS01-023.asp

References

1. VU#516648: Microsoft Windows 2000/Internet Information Server (IIS) 5.0 Internet Printing Protocol (IPP) ISAPI contains buffer overflow, CERT/CC, 05/02/2001,
   http://www.kb.cert.org/vuls/id/516648

Authors: Chad Dougherty, Shawn Hernan.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-10.html
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History

May 02, 2001: Initial Release

From - Tue May 8 01:07:43 2001
Date: Tue, 8 May 2001 01:06:48 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2001-11

CERT Advisory CA-2001-11 sadmind/IIS Worm

Original release date: May 08, 2001
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Systems running unpatched versions of Microsoft IIS
* Systems running unpatched versions of Solaris up to, and including,
  Solaris 7

Overview

The CERT/CC has received reports of a new piece of self-propagating
malicious code (referred to here as the sadmind/IIS worm). The worm
uses two well-known vulnerabilities to compromise systems and deface
web pages.

I. Description

Based on preliminary analysis, the sadmind/IIS worm exploits a
vulnerability in Solaris systems and subsequently installs software to
attack Microsoft IIS web servers. In addition, it includes a component
to propagate itself automatically to other vulnerable Solaris systems.
It will add "+ +" to the .rhosts file in the root user's home
directory. Finally, it will modify the index.html on the host Solaris
system after compromising 2,000 IIS systems.

To compromise the Solaris systems, the worm takes advantage of a
two-year-old buffer overflow vulnerability in the Solstice sadmind
program. For more information on this vulnerability, see

    http://www.kb.cert.org/vuls/id/28934
    http://www.cert.org/advisories/CA-1999-16.html

After successfully compromising the Solaris systems, it uses a
seven-month-old vulnerability to compromise the IIS systems. For
additional information about this vulnerability, see

    http://www.kb.cert.org/vuls/id/111677

Solaris systems that are successfully compromised via the worm exhibit
the following characteristics:

* Sample syslog entry from compromised Solaris system

    May 7 02:40:01 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped
    May 7 02:40:01 carrier.domain.com last message repeated 1 time
    May 7 02:40:03 carrier.domain.com last message repeated 1 time
    May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
    May 7 02:40:03 carrier.domain.com last message repeated 1 time
    May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
    May 7 02:40:08 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Hangup
    May 7 02:40:08 carrier.domain.com last message repeated 1 time
    May 7 02:44:14 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Killed

* A rootshell listening on TCP port 600

* Existence of the directories
    * /dev/cub contains logs of compromised machines
    * /dev/cuc contains tools that the worm uses to operate and
      propagate

* Running processes of the scripts associated with the worm, such as
  the following:
    * /bin/sh /dev/cuc/sadmin.sh
    * /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 111
    * /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 80
    * /bin/sh /dev/cuc/uniattack.sh
    * /bin/sh /dev/cuc/time.sh
    * /usr/sbin/inetd -s /tmp/.f
    * /bin/sleep 300

Microsoft IIS servers that are successfully compromised exhibit the
following characteristics:

* Modified web pages that read as follows:

    fuck USA Government
    fuck PoizonBOx
    contact:sysadmcn@yahoo.com.cn

* Sample Log from Attacked IIS Server

    2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 \
        GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
    2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 \
        GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
    2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 \
        GET /scripts/../../winnt/system32/cmd.exe \
        /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
    2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 \
        GET /scripts/root.exe /c+echo+\
        <HTML code inserted here>.././index.asp 502 -

II. Impact

Solaris systems compromised by this worm are being used to scan and
compromise other Solaris and IIS systems. IIS systems compromised by
this worm can suffer modified web content.

Intruders can use the vulnerabilities exploited by this worm to execute
arbitrary code with root privileges on vulnerable Solaris systems, and
arbitrary commands with the privileges of the IUSR_machinename account
on vulnerable Windows systems.

We are receiving reports of other activity, including one report of
files being destroyed on compromised Windows machines, rendering them
unbootable. It is unclear at this time if this activity is directly
related to this worm.
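The two log-level indicators above (sadmind core dumps reported by inetd, and the traversal-to-cmd.exe / root.exe request pattern in IIS logs) can be picked out mechanically. The following is an added example, not CERT/CC code; the hostnames, client addresses and log lines are constructed, patterned after the advisory's excerpts.

```python
"""Added example (not CERT/CC's code): flag the two log-level indicators that
CA-2001-11 lists for the sadmind/IIS worm.  All sample lines are constructed."""
import re
from collections import Counter

# Constructed Solaris syslog excerpt: inetd restarts sadmind each time an
# overflow attempt crashes it, so a burst of core dumps is the tell.
SOLARIS_SYSLOG = [
    "May  7 02:40:01 carrier.example.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped",
    "May  7 02:40:06 carrier.example.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped",
    "May  7 02:40:08 carrier.example.com inetd[139]: /usr/sbin/sadmind: Hangup",
    "May  7 02:44:14 carrier.example.com inetd[139]: /usr/sbin/sadmind: Killed",
    "May  7 02:50:00 carrier.example.com sshd[201]: Accepted publickey for ops from 10.0.0.5",
]

# Constructed IIS W3C extended log lines, field order as in the advisory's
# sample: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem
# cs-uri-query sc-status cs(User-Agent).
IIS_W3C_LOG = [
    r"2001-05-06 12:20:18 10.10.10.10 - 10.20.20.20 80 GET /default.htm - 200 -",
    r"2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -",
    r"2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -",
    r"2001-05-06 12:20:20 10.10.10.10 - 10.20.20.20 80 GET /scripts/root.exe /c+echo+defaced+>+index.asp 502 -",
    r"2001-05-06 12:21:02 10.10.10.11 - 10.20.20.20 80 GET /images/logo.gif - 200 -",
]

SADMIND_CRASH = re.compile(
    r"inetd\[\d+\]: /usr/sbin/sadmind: (?:Bus Error|Segmentation Fault) - core dumped")

def sadmind_crashes(syslog_lines):
    """Return the syslog lines in which inetd reported sadmind dumping core."""
    return [ln for ln in syslog_lines if SADMIND_CRASH.search(ln)]

# A '..' path segment (either separator) inside the URI stem, plus the two
# executables the advisory's sample log shows being reached or created.
TRAVERSAL = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")
SHELL_BASENAMES = ("cmd.exe", "root.exe")

def parse_iis_w3c(line):
    """Split one W3C extended log line into the fields used below."""
    f = line.split()
    if len(f) < 10:
        return None
    return {"time": f"{f[0]} {f[1]}", "client": f[2], "method": f[6],
            "stem": f[7], "query": f[8], "status": int(f[9])}

def is_worm_request(rec):
    """True when the request reaches cmd.exe through a '..' traversal out of
    the script directory, or calls the root.exe copy the worm leaves there."""
    stem = rec["stem"].lower()
    base = re.split(r"[/\\]", stem)[-1]
    if base not in SHELL_BASENAMES:
        return False
    return bool(TRAVERSAL.search(stem)) or stem.startswith("/scripts/")

def iis_worm_hits(log_lines):
    """Return the parsed records that match the worm's request pattern."""
    hits = []
    for ln in log_lines:
        rec = parse_iis_w3c(ln)
        if rec and is_worm_request(rec):
            hits.append(rec)
    return hits

def clients_by_hit_count(hits):
    """Client IPs ranked by number of worm-pattern requests; a compromised
    Solaris host working through its target list stands out here."""
    return Counter(h["client"] for h in hits).most_common()

if __name__ == "__main__":
    for ln in sadmind_crashes(SOLARIS_SYSLOG):
        print("sadmind crash:", ln)
    for h in iis_worm_hits(IIS_W3C_LOG):
        print(f"worm request {h['status']} {h['client']} {h['method']} {h['stem']} {h['query']}")
    print(clients_by_hit_count(iis_worm_hits(IIS_W3C_LOG)))
```

A 200 on the first cmd.exe request, as in the advisory's own sample, is the case to escalate: the traversal reached the command interpreter rather than being refused.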
III. Solutions

Apply a patch from your vendor

A patch is available from Microsoft at

    http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

For IIS Version 4:
    http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp

For IIS Version 5:
    http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp

Additional advice on securing IIS web servers is available from

    http://www.microsoft.com/technet/security/iis5chk.asp
    http://www.microsoft.com/technet/security/tools.asp

Apply a patch from Sun Microsystems as described in Sun Security
Bulletin #00191:

    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba

Appendix A. Vendor Information

Microsoft Corporation

The following documents regarding this vulnerability are available
from Microsoft:

    http://www.microsoft.com/technet/security/bulletin/MS01-023.asp

Sun Microsystems

Sun has issued the following bulletin for this vulnerability:

    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba

References

1. Vulnerability Note VU#111677: Microsoft IIS 4.0 / 5.0 vulnerable to
   directory traversal via extended unicode in url (MS00-078)
   http://www.kb.cert.org/vuls/id/111677

2. CERT Advisory CA-1999-16 Buffer Overflow in Sun Solstice AdminSuite
   Daemon sadmind
   http://www.cert.org/advisories/CA-1999-16.html

Authors: Chad Dougherty, Shawn Hernan, Jeff Havrilla, Jeff Carpenter,
Art Manion, Ian Finlay, John Shaffer

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-11.html

______________________________________________________________________

Copyright 2001 Carnegie Mellon University.
Revision History

May 08, 2001: Initial Release

From - Tue May 15 12:35:15 2001
Date: Tue, 15 May 2001 11:11:38 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2001-12

CERT Advisory CA-2001-12 Superfluous Decoding Vulnerability in IIS

Original release date: May 15, 2001
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Systems running Microsoft IIS

Overview

A serious vulnerability in Microsoft IIS may allow remote intruders to
execute commands on an IIS web server. This vulnerability closely
resembles a previous vulnerability in IIS that was widely exploited.
The CERT/CC urges IIS administrators to take action to correct this
vulnerability.

I. Description

URIs may be encoded according to RFC 2396. Among other things, this
RFC provides an encoding for arbitrary octets using the percent sign
(%) and hexadecimal characters. Quoting from RFC 2396:

    An escaped octet is encoded as a character triplet, consisting of
    the percent character "%" followed by the two hexadecimal digits
    representing the octet code. For example, "%20" is the escaped
    encoding for the US-ASCII space character.

        escaped = "%" hex hex
        hex     = digit | "A" | "B" | "C" | "D" | "E" | "F"

Like all web servers, Microsoft IIS decodes input URIs to a canonical
format. Thus, the following encoded string:

    A%20Filename%20With%20Spaces

will get decoded to

    A Filename With Spaces

Unfortunately, IIS decodes some of the input twice. The second decoding
is superfluous. Security checks are applied to the results of the first
decoding, but IIS utilizes the results of the second decoding. If the
results of the first decoding pass the security checks and the results
of the second decoding refer to a valid file, access will be granted to
the file even if it should not be.

More information is available at

    http://www.microsoft.com/technet/security/bulletin/MS01-026.asp
    http://www.nsfocus.com/english/homepage/sa01-02.htm
    http://www.kb.cert.org/vuls/id/789543

Note that this does not permit intruders to bypass ACLs enforced by the
filesystem, only security checks performed by IIS.

We encourage you to configure your web server according to the
guidelines provided in

    http://www.microsoft.com/technet/security/iis5chk.asp
    http://www.microsoft.com/technet/security/iischk.asp
    http://www.microsoft.com/technet/security/tools.asp

These guidelines can help you reduce your exposure to this problem, and
possibly to problems that have not yet been discovered.

This issue was discovered by NSFocus.

The CVE Project has assigned the following identifier to this
vulnerability:

    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333

This vulnerability has many similarities to the Web Server Folder
Directory Traversal Vulnerability, which has been widely exploited. For
more information on that vulnerability, see

    http://www.kb.cert.org/vuls/id/111677
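The ordering problem described above (check the first decoding, open the file named by the second) can be shown in a few lines. This is an added example, not CERT/CC or Microsoft code: the RFC 2396 unescaper follows the grammar quoted above, the /scripts web root and the sample paths are constructed, and the hardened variant shows the decode-once ordering that removes the flaw.

```python
"""Added example (not CERT/CC's or Microsoft's code): a model of the
check-then-decode-again ordering CA-2001-12 describes, beside the decode-once
ordering that closes it.  Web root and sample paths are constructed."""
import posixpath

HEX = "0123456789ABCDEFabcdef"

def percent_decode(s):
    """One pass of RFC 2396 unescaping: '%' hex hex -> the octet as a char.
    Anything that is not a complete triplet is copied through unchanged."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s) and s[i + 1] in HEX and s[i + 2] in HEX:
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

WEBROOT = "/scripts"   # constructed: the only directory this vhost may serve

def canonical(path):
    """Fold '\\' to '/' and collapse '.' and '..' the way the filesystem will."""
    return posixpath.normpath("/" + path.replace("\\", "/").lstrip("/"))

def inside_webroot(path):
    """The security check: the canonical path must stay under WEBROOT."""
    c = canonical(path)
    return c == WEBROOT or c.startswith(WEBROOT + "/")

def vulnerable_resolve(uri_path):
    """The flawed ordering: the check sees the first decoding, but the path
    that is actually opened comes from a second, superfluous decoding."""
    once = percent_decode(uri_path)
    if not inside_webroot(once):
        return None                     # rejected by the check
    twice = percent_decode(once)        # the superfluous second pass
    return canonical(twice)             # ...and this is what gets opened

def hardened_resolve(uri_path):
    """Decode exactly once, canonicalize, and check the very string that will
    be opened.  A '%' surviving the single pass means the request was
    double-encoded or malformed; reject it rather than decode again."""
    once = percent_decode(uri_path)
    if "%" in once:
        return None
    path = canonical(once)
    return path if inside_webroot(path) else None
```

With a single layer of encoding both resolvers agree; only when a '%' itself has been escaped does the vulnerable ordering open a path that the check never saw.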
II. Impact

Intruders can run arbitrary commands with the privileges of the
IUSR_machinename account.

III. Solutions

Apply a patch from your vendor

Information on patches from Microsoft is available at

    http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

Additional advice on securing IIS web servers is available from

    http://www.microsoft.com/technet/security/iis5chk.asp
    http://www.microsoft.com/technet/security/tools.asp

Appendix A. Vendor Information

Microsoft Corporation

The following documents regarding this vulnerability are available
from Microsoft:

    http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

Author: Shawn Hernan.

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-12.html

______________________________________________________________________

Copyright 2001 Carnegie Mellon University.

Revision History

May 15, 2001: Initial Release

From - Tue May 29 16:03:18 2001
Date: Tue, 29 May 2001 16:49:27 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Subject: CERT Summary CS-2001-02
CERT Summary CS-2001-02

May 29, 2001

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
Summary to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.

Past CERT summaries are available from:

    CERT Summaries
    http://www.cert.org/summaries/

______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in February
2001 (CS-2001-01), we have seen a significant increase in
reconnaissance activity, a number of self-propagating worms, and active
exploitation of vulnerabilities in snmpXdmid, BIND and IIS by
intruders.

For more current information on activity being reported to the
CERT/CC, please visit the CERT/CC Current Activity page. The Current
Activity page is a regularly updated summary of the most frequent,
high-impact types of security incidents and vulnerabilities being
reported to the CERT/CC. The information on the Current Activity page
is reviewed and updated as reporting trends change.

    CERT/CC Current Activity
    http://www.cert.org/current/current_activity.html

1. sadmind/IIS Worm

The CERT/CC has received reports from more than 400 sites affected by a
piece of self-propagating malicious code (referred to here as the
sadmind/IIS worm). This worm uses two well-known vulnerabilities to
compromise Solaris systems and deface web pages running on IIS servers.
Reports indicate more than 500 Solaris machines have been compromised
by the sadmind/IIS worm and more than 6000 IIS servers have been
defaced.

Sites running either Solaris or IIS are strongly encouraged to review
CA-2001-11, and those running IIS should review the advisories listed
below in the "Other Recent IIS Security Issues" section as well.

    CERT Advisory CA-2001-11: sadmind/IIS Worm
    http://www.cert.org/advisories/CA-2001-11.html

2. Other Recent IIS Security Issues

The CERT/CC has recently published information on two new
vulnerabilities in IIS. Given the current level of exploitation of IIS
by intruders and the sadmind/IIS worm, the CERT/CC strongly encourages
sites to review the following advisories and take appropriate steps to
protect IIS servers.

+ Superfluous Decoding Vulnerability in IIS

  A serious vulnerability in Microsoft IIS may allow remote intruders
  to execute commands on an IIS web server. This vulnerability closely
  resembles a previous vulnerability in IIS that was widely exploited.
  The CERT/CC urges IIS administrators to take action to correct this
  vulnerability.

      CERT Advisory CA-2001-12: Superfluous Decoding Vulnerability in IIS
      http://www.cert.org/advisories/CA-2001-12.html

+ Buffer Overflow Vulnerability in Microsoft IIS 5.0

  A vulnerability exists in Microsoft IIS 5.0 running on Windows 2000
  that allows a remote intruder to run arbitrary code on the victim
  machine, allowing them to gain complete administrative control of the
  machine. A proof-of-concept exploit is publicly available for this
  vulnerability, which increases the urgency that system administrators
  apply the patch.

      CERT Advisory CA-2001-10: Buffer Overflow Vulnerability in Microsoft IIS 5.0
      http://www.cert.org/advisories/CA-2001-10.html

Additional advice on securing IIS web servers is available from:

    Microsoft Technet Security Tools
    http://www.microsoft.com/technet/security/tools.asp

3. Exploitation of snmpXdmid

The CERT/CC has received dozens of reports indicating that a
vulnerability in snmpXdmid is being actively exploited. Exploitation of
this vulnerability allows an intruder to gain privileged (root) access
to the system.

    CERT Advisory CA-2001-05: Exploitation of snmpXdmid
    http://www.cert.org/advisories/CA-2001-05.html

4. Exploitation of BIND Vulnerabilities

On January 29, 2001, the CERT/CC published CERT Advisory CA-2001-02,
detailing multiple vulnerabilities in multiple versions of ISC BIND
nameserver software. Two of the vulnerabilities described in the
advisory are still being actively exploited by the intruder community
to compromise systems.

    CERT Incident Note IN-2001-03: Exploitation of BIND Vulnerabilities
    http://www.cert.org/incident_notes/IN-2001-03.html

    CERT Advisory CA-2001-02: Multiple Vulnerabilities in BIND
    http://www.cert.org/advisories/CA-2001-02.html

5. The "cheese" Worm

The CERT/CC has observed in public and private reports a recent pattern
of activity surrounding probes to TCP port 10008. We have obtained an
artifact called the "cheese" worm which may contribute to this pattern.

    CERT Incident Note IN-2001-05: The "cheese" Worm
    http://www.cert.org/incident_notes/IN-2001-05.html

6. Increase in Reconnaissance Activity

Over the past several weeks, the CERT/CC has observed a significant
increase in network reconnaissance activity. While some of this traffic
may be attributed to the sadmind/IIS worm or the "cheese" worm, reports
indicate active scanning for known vulnerabilities in other network
services as well. In addition, we have seen a significant increase in
the number of generalized port scans of hosts.

In order to minimize exposure to this activity, the CERT/CC recommends
that sites review and apply vendor-supplied security patches, disable
non-critical network services, and actively monitor system and network
logs for unusual activity.

7. Statistical Weaknesses in TCP/IP Initial Sequence Numbers

A new vulnerability has been identified which is present when using
random increments to constantly increase TCP ISN values over time.
Systems are vulnerable if they have not incorporated RFC 1948 or
equivalent improvements, or do not use cryptographically secure network
protocols like IPsec.

    CERT Advisory CA-2001-09: Statistical Weaknesses in TCP/IP Initial Sequence Numbers
    http://www.cert.org/advisories/CA-2001-09.html

_________________________________________________________________

Collaboration between the CERT Coordination Center and the Internet
Security Alliance

Using its standard process for collaborating with industry
organizations, the CERT/CC, as part of the SEI, has entered into an
agreement with the Electronic Industries Alliance, a not-for-profit
organization in Virginia, to support the activity of the Internet
Security Alliance (ISA). ISA is a member organization that is focused
on the overall improvement of Internet security.

    Internet Security Alliance
    http://www.isalliance.org

    Frequently Asked Questions (FAQ) about the collaboration between
    CERT Coordination Center and the Internet Security Alliance
    http://www.cert.org/faq/certcc_ISA.html

_________________________________________________________________

What's New and Updated

Since the last CERT Summary, we have published new and updated

* Advisories
  http://www.cert.org/advisories/
* Incident Notes
  http://www.cert.org/incident_notes/
* CERT/CC Statistics
  http://www.cert.org/stats/cert_stats.html
* Annual Reports
  http://www.cert.org/annual_rpts/

______________________________________________________________________

This document is available from:
http://www.cert.org/summaries/CS-2001-02.html

______________________________________________________________________

Copyright ©2001 Carnegie Mellon University.
From - Thu Jun 28 11:22:34 2001
Date: Thu, 28 Jun 2001 11:28:08 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2001-14

CERT Advisory CA-2001-14 Cisco IOS HTTP Server Authentication Vulnerability

Original release date: June 28, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Cisco IOS systems using local authentication databases with the HTTP
  server enabled

Overview

A problem with the HTTP server component of Cisco IOS system software
allows an intruder to execute privileged commands on Cisco routers if
local authentication databases are used.

I. Description

By sending a particular URL to a Cisco IOS device with the HTTP server
enabled, a remote attacker may be able to execute commands at the
highest privilege level (15). The malicious URL is of the following
form:

    http://<device>/level/XX/exec/...

The value of XX is a number between 16 and 99. While a single malicious
URL will not work consistently against all devices, the limited number
of possible URLs can allow an attacker to try each URL until the attack
succeeds.

This problem occurs if the system is using a local authentication
database, but not if the Terminal Access Controller Access Control
System (TACACS+) or Radius authentication systems are used.

Cisco has published a security advisory describing this vulnerability
and its solutions in more detail at:

    http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

II. Impact

A remote attacker can execute arbitrary commands at the highest
privilege level (15) on systems using local authentication databases
with the HTTP server enabled. This access allows a remote attacker to
inspect or change the configuration of the device, effectively allowing
complete control.

III. Solution

Upgrade your IOS Release

Cisco has published detailed information about upgrading affected Cisco
IOS software to correct this vulnerability. System managers are
encouraged to upgrade to one of the non-vulnerable releases.

Disable the HTTP server

Because this problem exists in the handling of HTTP requests, disabling
the HTTP server prevents the vulnerability from being exploited.
Information about disabling the HTTP server is provided in the Cisco
security advisory on this topic.

Enable TACACS+ or Radius Authentication

This vulnerability is not present when the Terminal Access Controller
Access Control System (TACACS+) or Radius authentication systems are
used. Enabling one of these authentication mechanisms in place of local
authorization databases will prevent the vulnerability from being
exploited. Information about enabling TACACS+ or Radius can be found in
the following Cisco document:

    http://www.cisco.com/warp/public/480/tacplus.shtml

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this
advisory. When vendors report new information to the CERT/CC, we update
this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.

Cisco Systems

Cisco has published a security advisory describing this vulnerability
at

    http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

_________________________________________________________________

The CERT/CC thanks Cisco Systems for their advisory, on which this
document is based.

_________________________________________________________________

Author: Cory F. Cohen

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-14.html

______________________________________________________________________
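The advisory's three remedies (upgrade, disable the HTTP server, or move HTTP authentication to TACACS+/RADIUS) reduce to a configuration check, and its URL form reduces to a request-path check. The following is an added example, not Cisco's or CERT/CC's code: the configuration snippets are constructed, the `ip http server` and `ip http authentication <method>` commands are standard IOS syntax, and treating every method other than `aaa`/`tacacs` as a local database is this example's assumption, matching the advisory's wording.

```python
"""Added example (not Cisco's or CERT/CC's code): audit an IOS configuration
text for the exposure CA-2001-14 describes, and classify HTTP request paths
against the advisory's /level/XX/exec URL form.  Configs are constructed."""
import re

# Constructed running-config excerpts.  'local' makes the HTTP server
# authenticate against the device's own username database: the vulnerable case.
VULNERABLE_CONFIG = """
hostname edge-rtr
ip http server
ip http authentication local
username admin privilege 15 secret 5 <hash-placeholder>
"""

FIXED_CONFIG_DISABLED = """
hostname edge-rtr
no ip http server
"""

FIXED_CONFIG_AAA = """
hostname edge-rtr
aaa new-model
aaa authentication login default group tacacs+
ip http server
ip http authentication aaa
"""

def audit_ios_http(config_text):
    """Return a list of finding strings; an empty list means no exposure.
    Assumption (following the advisory): only TACACS+/RADIUS-backed methods
    ('aaa', 'tacacs') count as non-local.  Any other method, or no
    'ip http authentication' line at all, is treated as a local database."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    if "ip http server" not in lines:
        return []                       # HTTP server is off: not exposed
    method = None
    for ln in lines:
        m = re.match(r"ip http authentication (\S+)$", ln)
        if m:
            method = m.group(1)
    if method in ("aaa", "tacacs"):
        return []
    shown = method or "(none configured)"
    return [f"HTTP server enabled with local authentication method {shown}: "
            f"disable it ('no ip http server') or switch to TACACS+/RADIUS"]

LEVEL_EXEC = re.compile(r"^/level/(\d{1,2})/exec(?:/|$)")

def is_level_exec_probe(path):
    """True for the advisory's URL form /level/XX/exec/... with XX in 16..99.
    Levels 0..15 are IOS's real privilege levels, so /level/15/exec/... is
    ordinary use of the web interface and is not flagged."""
    m = LEVEL_EXEC.match(path)
    return bool(m) and 16 <= int(m.group(1)) <= 99

if __name__ == "__main__":
    for name, cfg in [("vulnerable", VULNERABLE_CONFIG),
                      ("http disabled", FIXED_CONFIG_DISABLED),
                      ("aaa", FIXED_CONFIG_AAA)]:
        print(name, "->", audit_ios_http(cfg) or "ok")
    for p in ["/level/16/exec/show/running-config", "/level/15/exec/show/version"]:
        print(p, "->", "probe" if is_level_exec_probe(p) else "normal")
```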
______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2001 Carnegie Mellon University. Revision History June 28, 2001: Initial release -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBOztJpAYcfu8gsZJZAQFoOgP/UBtU8yqFbhHf/xD82wCewpBi6NhBAk2M 66WLouQrnXIMWzRWnLmRNV74p+7u+92IxFS/u+TqTzIfByUOtwXLswcRRvHlXYXk 511yHK01wlfgtgv7wwg8doYyCUGPamznNnVEAnbZ/9zoM6Y1nuvUEUgOnvvT9ZMu sCRihIv2WGg= =THYA -----END PGP SIGNATURE----- From - Tue Jul 3 17:45:34 2001 Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.10.1/8.10.1) with ESMTP id f640h6Z06239; Tue, 3 Jul 2001 17:43:06 -0700 (PDT) Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id RAA21344; Tue, 3 Jul 2001 17:36:22 -0400 (EDT) Date: Tue, 3 Jul 2001 17:36:22 -0400 (EDT) Received: by canaveral.red.cert.org; Tue, 3 Jul 2001 17:31:24 -0400 Message-Id: From: CERT Advisory To: cert-advisory@cert.org Organization: CERT(R) Coordination Center - +1 412-268-7090 List-Help: , List-Subscribe: List-Unsubscribe: List-Post: NO (posting not allowed on this list) List-Owner: List-Archive: Subject: CERT Advisory CA-2001-16 X-Mozilla-Status: 8001 X-Mozilla-Status2: 00000000 X-UIDL: 
1203b7da17eefdd4ba3eff2c30537dd8 Status: RO X-Status: $$$$ X-UID: 0000000012 -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2001-16 Oracle 8i contains buffer overflow in TNS listener Original release date: July 03, 2001 Last revised: -- Source: CERT/CC A complete revision history is at the end of this file. Systems Affected * Systems running Oracle 8i Overview A vulnerability in Oracle 8i allows remote intruders to assume control of database servers running on victim machines. If the Oracle server is running on a Windows system, an intruder may also be able to gain contol of the underlying operating system. I. Description The COVERT labs at PGP Security have discovered a buffer overflow vulnerability in Oracle 8i that allows intruders to execute arbitrary code with the privileges of the TNS listener process. The vulnerability occurs in a section of code that is executed prior to authentication, so an intruder does not require a username or password. For more information, see the COVERT Labs Security Advisory, available at http://www.pgp.com/research/covert/advisories/050.asp II. Impact An intruder who exploits the vulnerability can remotely execute arbitrary code. On UNIX systems, this code runs as the 'oracle' user. If running on Windows systems, the intruder's code will run in the Local System security context. In either case, the attacker can gain control of the database server on the victim machine. On Windows systems, the intruder can also gain administrative control of the operating system. III. Solutions Install a patch from Oracle. More information is available in Appendix A. Appendix A Oracle Oracle has issued an alert for this vulnerability at http://otn.oracle.com/deploy/security/pdf/nai_net8_bof.pdf Oracle has fixed this potential security vulnerability in the Oracle9i database server. Oracle is in the process of backporting the fix to supported Oracle8i database server Releases 8.1.7 and 8.1.6 and Oracle8 Release 8.0.6 on all platforms. 
The Oracle bug number for the patch is 1489683. Download the patch for your platform from Oracle's Worldwide Support web site, Metalink:

http://metalink.oracle.com

Please check Metalink periodically for patch availability if the patch for your platform is not yet available.

_________________________________________________________________

Our thanks to COVERT Labs at PGP Security for the information contained in their advisory.

_________________________________________________________________

This document was written by Shawn V. Hernan. If you have feedback concerning this document, please send email to:

mailto:cert@cert.org?Subject=[VU#620495]%20Feedback%20CA-2001-16

Copyright 2001 Carnegie Mellon University.

Revision History
July 03, 2001: Initial Release

From - Mon Jul 9 13:10:52 2001
Date: Mon, 9 Jul 2001 13:35:09 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-17
CERT Advisory CA-2001-17 Check Point RDP Bypass Vulnerability

Original release date: July 09, 2001
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Check Point VPN-1 and FireWall-1 Version 4.1

Overview

A vulnerability in Check Point FireWall-1 and VPN-1 may allow an intruder to pass traffic through the firewall on port 259/UDP.

I. Description

Inside Security GmbH has discovered a vulnerability in Check Point FireWall-1 and VPN-1 that allows an intruder to bypass the firewall. The default FireWall-1 management rules allow arbitrary RDP (Reliable Data Protocol) connections to traverse the firewall.

RFC-908 and RFC-1151 describe the Reliable Data Protocol (RDP). Quoting from RFC-908:

   The Reliable Data Protocol (RDP) is designed to provide a reliable data transport service for packet-based applications such as remote loading and debugging. RDP was designed to have much of the same functionality as TCP, but it has some advantages over TCP in certain situations.

FireWall-1 and VPN-1 include support for RDP, but they do not provide adequate security controls. Quoting from the advisory provided by Inside Security GmbH:

   By adding a faked RDP header to normal UDP traffic any content can be passed to port 259 on any remote host on either side of the firewall.

For more information, see the Inside Security GmbH security advisory, available at

http://www.inside-security.de/advisories/fw1_rdp.html

Although the CERT/CC has not seen any incident activity related to this vulnerability, we do recommend that all affected sites upgrade their Check Point software as soon as possible.

II. Impact

An intruder can pass UDP traffic with arbitrary content through the firewall on port 259 in violation of implied security policies. If an intruder can gain control of a host inside the firewall, he may be able to use this vulnerability to tunnel arbitrary traffic across the firewall boundary.
Additionally, even if an intruder does not have control of a host inside the firewall, he may be able to use this vulnerability as a means of exploiting another vulnerability in software listening passively on the internal network. Finally, an intruder may be able to use this vulnerability to launch certain kinds of denial-of-service attacks.

III. Solutions

Install a patch from Check Point Software Technologies. More information is available in Appendix A.

Until a patch can be applied, you may be able to reduce your exposure to this vulnerability by configuring your router to block access to 259/UDP at your network perimeter.

Appendix A

Check Point

Check Point has issued an alert for this vulnerability at

http://www.checkpoint.com/techsupport/alerts/

Download the patch from Check Point's web site:

http://www.checkpoint.com/techsupport/downloads.html

Appendix B. - References

1. http://www.inside-security.de/advisories/fw1_rdp.html
2. http://www.kb.cert.org/vuls/id/310295
3. http://www.ietf.org/rfc/rfc908.txt
4. http://www.ietf.org/rfc/rfc1151.txt

_________________________________________________________________

Our thanks to Inside Security GmbH for the information contained in their advisory.

_________________________________________________________________

This document was written by Ian A. Finlay. If you have feedback concerning this document, please send email to:

mailto:cert@cert.org?Subject=Feedback CA-2001-17 [VU#310295]

Copyright 2001 Carnegie Mellon University.
Revision History
July 09, 2001: Initial Release

From - Tue Jul 17 09:31:42 2001
Date: Tue, 17 Jul 2001 00:43:29 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-18

CERT Advisory CA-2001-18 Multiple Vulnerabilities in Several Implementations of the Lightweight Directory Access Protocol (LDAP)

Original release date: July 16, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.
Systems Affected

* iPlanet Directory Server, version 5.0 Beta and versions up to and including 4.13
* Certain versions of IBM SecureWay running under Solaris and Windows 2000
* Lotus Domino R5 Servers (Enterprise, Application, and Mail), prior to 5.0.7a
* Teamware Office for Windows NT and Solaris, prior to version 5.3ed1
* Qualcomm Eudora WorldMail for Windows NT, version 2
* Microsoft Exchange 5.5 LDAP Service (Hotfix pending)
* Network Associates PGP Keyserver 7.0, prior to Hotfix 2
* Oracle 8i Enterprise Edition
* OpenLDAP, 1.x prior to 1.2.12 and 2.x prior to 2.0.8

Overview

Several implementations of the Lightweight Directory Access Protocol (LDAP) protocol contain vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. If your site uses any of the products listed in this advisory, the CERT/CC encourages you to follow the advice provided in the Solution section below.

I. Description

The LDAP protocol provides access to directories that support the X.500 directory semantics without requiring the additional resources of X.500. A directory is a collection of information such as names, addresses, access control lists, and cryptographic certificates. Because LDAP servers are widely used in maintaining corporate contact information and providing authentication services, any threats to their integrity or stability can jeopardize the security of an organization.

To test the security of protocols like LDAP, the PROTOS project presents a server with a wide variety of sample packets containing unexpected values or illegally formatted data. This approach may reveal vulnerabilities that would not manifest themselves under normal conditions. As a member of the PROTOS project consortium, the Oulu University Secure Programming Group (OUSPG) co-developed and subsequently used the PROTOS LDAPv3 test suite to study several implementations of the LDAP protocol.
The PROTOS LDAPv3 test suite is divided into two main sections: the "Encoding" section, which tests an LDAP server's response to packets that violate the Basic Encoding Rules (BER), and the "Application" section, which tests an LDAP server's response to packets that trigger LDAP-specific application anomalies. Each section is further divided into "groups" that collectively exercise a particular encoding or application feature. Finally, each group contains one or more "test cases," which represent the network packets that are used to test individual exceptional conditions.

By applying the PROTOS LDAPv3 test suite to a variety of popular LDAP-enabled products, the OUSPG revealed the following vulnerabilities:

VU#276944 - iPlanet Directory Server contains multiple vulnerabilities in LDAP handling code

The iPlanet Directory Server contains multiple vulnerabilities in the code that processes LDAP requests. In the encoding section of the test suite, this product had an indeterminate number of failures in the group that tests invalid BER length of length fields. In the application section of the test suite, this product failed four groups and had inconclusive results for an additional five groups. The four failed groups indicate the presence of buffer overflow vulnerabilities. For the inconclusive groups, the product exhibited suspicious behavior while testing for format string vulnerabilities.

VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service attacks via LDAP handling code

The IBM SecureWay Directory server contains one or more vulnerabilities in the code that processes LDAP requests. These vulnerabilities were discovered independently by IBM using the PROTOS LDAPv3 test suite. The CERT/CC is not currently aware of the nature of these vulnerabilities.
VU#583184 - Lotus Domino R5 Server Family contains multiple vulnerabilities in LDAP handling code

The Lotus Domino R5 Server Family (including the Enterprise, Application, and Mail servers) contains multiple vulnerabilities in the code that processes LDAP requests. In the encoding section of the test suite, this product failed 1 of 77 groups. The failed group tests a server's response to miscellaneous packets with semi-valid BER encodings. In the application section of the test suite, this product failed 23 of 77 groups. These results suggest that both buffer overflow and format string vulnerabilities are likely to be present in a variety of application components.

VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP handling code

The Teamware Office suite is packaged with a combination X.500/LDAP server that provides directory services. Multiple versions of the Office product contain vulnerabilities that cause the LDAP server to crash in response to traffic sent by the PROTOS LDAPv3 test suite. In the encoding section of the test suite, this product failed 9 of 16 groups involving invalid encodings for several BER object types. In the application section of the test suite, this product failed 4 of 32 groups. The remaining 45 groups were not exercised during the test runs. The four failed groups indicate the presence of buffer overflow vulnerabilities.

VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail Server LDAP handling code

While investigating the vulnerabilities reported by OUSPG, it was brought to our attention that the Eudora WorldMail Server may contain vulnerabilities that can be triggered via the PROTOS test suite. The CERT/CC has reported this possibility to Qualcomm and an investigation is pending.
VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to denial-of-service attacks

The Microsoft Exchange 5.5 LDAP Service contains a vulnerability that causes the LDAP server to freeze in response to malformed LDAP requests generated by the PROTOS test suite. This only affects the LDAP service; all other Exchange services, including mail handling, continue normally. Although this product was not included in OUSPG's initial testing, subsequent informal testing revealed that the LDAP service of the Microsoft Exchange 5.5 became unresponsive while processing test cases containing exceptional BER encodings for the LDAP filter type field.

VU#765256 - Network Associates PGP Keyserver contains multiple vulnerabilities in LDAP handling code

The Network Associates PGP Keyserver 7.0 contains multiple vulnerabilities in the code that processes LDAP requests. In the encoding section of the test suite, this product failed 12 of 16 groups. In the application section of the test suite, this product failed 1 of 77 groups. The failed group focused on out-of-bounds integer values for the messageID parameter. Due to a peculiarity of this test group, this failure may actually represent an encoding failure.

VU#869184 - Oracle 8i Enterprise Edition contains multiple vulnerabilities in LDAP handling code

The Oracle 8i Enterprise Edition server contains multiple vulnerabilities in the code used to process LDAP requests. In the encoding section of the test suite, this product failed an indeterminate number of test cases in the group that tests a server's response to invalid encodings of BER OBJECT-IDENTIFIER values. In the application section of the test suite, this product failed 46 of 77 groups. These results suggest that both buffer overflow and format string vulnerabilities are likely to be present in a variety of application components.
VU#935800 - Multiple versions of OpenLDAP are vulnerable to denial-of-service attacks

There are multiple vulnerabilities in the OpenLDAP implementations of the LDAP protocol. These vulnerabilities exist in the code that translates network datagrams into application-specific information. In the encoding section of the test suite, this product failed the group that tests the handling of invalid BER length of length fields. In the application section of the test suite, this product passed all 6685 test cases.

Additional Information

For the most up-to-date information regarding these vulnerabilities, please visit the CERT/CC Vulnerability Notes Database at:

http://www.kb.cert.org/vuls/

Please note that the test results summarized above should not be interpreted as a statement of overall software quality. However, the CERT/CC does believe that these results are useful in describing the characteristics of these vulnerabilities. For example, an application that fails multiple groups indicates that problems exist in different areas of the code, rather than in a specific code segment.

II. Impact

VU#276944 - iPlanet Directory Server contains multiple vulnerabilities in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to execute arbitrary code with the privileges of the Directory Server. The server typically runs with system privileges. At least one of these vulnerabilities has been successfully exploited in a laboratory environment under Windows NT 4.0, but they may affect other platforms as well.

VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service attacks via LDAP handling code

These vulnerabilities allow a remote attacker to crash affected SecureWay Directory servers, resulting in a denial-of-service condition. It is not known at this time whether these vulnerabilities will allow a remote attacker to execute arbitrary code.
These vulnerabilities exist on the Solaris and Windows 2000 platforms but are not present under Windows NT, AIX, and AIX with SSL.

VU#583184 - Lotus Domino R5 Server Family contains multiple vulnerabilities in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to execute arbitrary code with the privileges of the Domino server. The server typically runs with system privileges. At least one of these vulnerabilities has been successfully exploited in a laboratory environment.

VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP handling code

These vulnerabilities allow a remote attacker to crash affected Teamware LDAP servers, resulting in a denial-of-service condition. They may also allow a remote attacker to execute arbitrary code with the privileges of the Teamware server. The server typically runs with system privileges.

VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail Server LDAP handling code

The CERT/CC has not yet determined the impact of this vulnerability.

VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to denial-of-service attacks

This vulnerability allows a remote attacker to crash the LDAP component of vulnerable Exchange 5.5 servers, resulting in a denial-of-service condition within the LDAP component.

VU#765256 - Network Associates PGP Keyserver contains multiple vulnerabilities in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to execute arbitrary code with the privileges of the Keyserver. The server typically runs with system privileges. At least one of these vulnerabilities has been successfully exploited in a laboratory environment.

VU#869184 - Oracle 8i Enterprise Edition contains multiple vulnerabilities in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to execute arbitrary code with the privileges of the Oracle server. The server typically runs with system privileges.
At least one of these vulnerabilities has been successfully exploited in a laboratory environment.

VU#935800 - Multiple versions of OpenLDAP are vulnerable to denial-of-service attacks

These vulnerabilities allow a remote attacker to crash affected OpenLDAP servers, resulting in a denial-of-service condition.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. Please consult this appendix to determine if you need to contact your vendor directly.

Block access to directory services at network perimeter

As a temporary measure, it is possible to limit the scope of these vulnerabilities by blocking access to directory services at the network perimeter. Please note that this workaround does not protect vulnerable products from internal attacks.

   ldap    389/tcp   # Lightweight Directory Access Protocol
   ldap    389/udp   # Lightweight Directory Access Protocol
   ldaps   636/tcp   # ldap protocol over TLS/SSL (was sldap)
   ldaps   636/udp   # ldap protocol over TLS/SSL (was sldap)

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

IBM Corporation

IBM and Tivoli are currently investigating the details of the vulnerabilities in the various versions of the SecureWay product family. Fixes are being implemented as these details become known. Fixes will be posted to the download sites (IBM or Tivoli) for the affected platform. See http://www-1.ibm.com/support under "Server Downloads" or "Software Downloads" for links to the fix distribution sites.

iPlanet E-Commerce Solutions

[CERT/CC Addendum: These vulnerabilities were originally discovered in Directory Server 5.0 Beta and were later found to exist in versions up to and including version 4.13.
These vulnerabilities have been addressed in the released version of Directory Server 5.0.]

Lotus Development Corporation

Lotus reproduced the problem as reported by OUSPG and documented it in SPR#DWUU4W6NC8. Lotus considers security issues as top priority, so we acted quickly to resolve the problem in a maintenance update to Domino. It was addressed in Domino R5.0.7a, which was released on May 18th, 2001. This release can be downloaded from Notes.net at http://www.notes.net/qmrdown.nsf/qmrwelcome. The fix is documented in the fix list at http://www.notes.net/r5fixlist.nsf/Search!SearchView&Query=DWUU4W6NC8

Microsoft Corporation

Microsoft is developing a hotfix for this issue which will be available shortly. Customers can obtain this hotfix by contacting Product Support Services at no charge and asking for Q303448 and Q303450. Information on contacting Microsoft Product Support Services can be found at http://www.microsoft.com/support/

Network Associates, Inc.

Network Associates has resolved these vulnerabilities in Hotfix 2 for both Solaris and Windows NT. All Network Associates Enterprise Support customers have been notified and have been provided access to the Hotfix. This Hotfix can be downloaded at http://www.pgp.com/downloads/default.asp

The OpenLDAP Project

[CERT/CC Addendum: To address these vulnerabilities, the OpenLDAP Project has released OpenLDAP 1.2.12 for use in LDAPv2 environments and OpenLDAP 2.0.8 for use in LDAPv3 environments. The CERT/CC recommends that users of OpenLDAP contact their software vendor or obtain the latest version, available at http://www.openLDAP.org/software/download/.]

QUALCOMM Incorporated

The LDAP service in WorldMail may be vulnerable to this exploit, but our tests so far have been inconclusive. At this time, we strongly urge all WorldMail customers to ensure that the LDAP service is not accessible from outside their organization nor by untrusted users.
The Teamware Group

An issue has been discovered with Teamware Office Enterprise Directory (LDAP server) that shows an abnormal termination or loop when the LDAP server encounters maliciously or incorrectly created LDAP request data. If the maliciously formatted LDAP request data is requested, the LDAP server may excessively copy the LDAP request data to the stack area. This overflow is likely to cause execution of malicious code. In other cases, the LDAP server may go into abnormal termination or an infinite loop.

[CERT/CC Addendum: Teamware has provided additional documentation of these issues in their "Teamware Solution Database," available at http://support.teamw.com/Online/s_database1.shtml. Registered users can find information on these vulnerabilities by searching for document #010703-0000 for Windows NT or document #010703-0001 for Solaris.]

Appendix B. - Supplemental Information

The PROTOS Project

The PROTOS project is a research partnership between the University of Oulu and VTT Electronics, an independent research organization owned by the Finnish government. The project studies methods by which protocol implementations can be tested for information security defects. Although the vulnerabilities discussed in this advisory relate specifically to the LDAP protocol, the methodology used to research, develop, and deploy the PROTOS LDAPv3 test suite can be applied to any communications protocol. For more information on the PROTOS project and its collection of test suites, please visit

http://www.ee.oulu.fi/research/ouspg/protos/

ASN.1 and the BER

Abstract Syntax Notation One (ASN.1) is a flexible notation that allows one to define a variety of data types. The Basic Encoding Rules (BER) describe how to represent or encode the values of each ASN.1 type as a string of octets. This allows programmers to encode and decode data for platform-independent transmission over a network.
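The PROTOS encoding failures listed in the Description (invalid BER length-of-length fields, semi-valid encodings, out-of-bounds messageID values) all come down to how a server decodes the length and integer octets described in this appendix. The following Python is an added example, not code from the advisory, the PROTOS suite or any vendor: a strict BER length/TLV decoder for the outer LDAPMessage header that rejects those cases instead of trusting the length it was handed. The sample byte strings are constructed; the 4-octet cap on length-of-length and the DER-style minimality check are assumptions (RFC 2251 section 5.1 only mandates definite-form lengths), while the 0..maxInt messageID range is from RFC 2251.

```python
"""Strict BER decoding of an LDAPMessage header, rejecting the malformed
length and messageID encodings that the PROTOS LDAPv3 suite probes for."""
from typing import Tuple

class BerError(ValueError):
    """Raised for any encoding the decoder refuses."""

MAX_LENGTH_OCTETS = 4       # assumption: sane upper bound on length-of-length
LDAP_MAX_INT = 2 ** 31 - 1  # maxInt from RFC 2251; messageID is INTEGER (0..maxInt)

def decode_length(buf: bytes, pos: int, strict: bool = True) -> Tuple[int, int]:
    """Decode a BER length at buf[pos]; return (length, position of contents).

    Rejects the indefinite form (0x80), a length-of-length above
    MAX_LENGTH_OCTETS, a truncated length-of-length, lengths that run past
    the end of the buffer and, when strict, non-minimal long-form encodings."""
    if pos >= len(buf):
        raise BerError("truncated: no length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first                      # short form: one octet, 0..127
    else:
        n = first & 0x7F                    # long form: low 7 bits = octet count
        if n == 0:
            raise BerError("indefinite length not permitted (RFC 2251 5.1)")
        if n > MAX_LENGTH_OCTETS:
            raise BerError(f"length-of-length {n} exceeds {MAX_LENGTH_OCTETS}")
        if pos + n > len(buf):
            raise BerError("truncated length-of-length field")
        octets = buf[pos:pos + n]
        pos += n
        length = int.from_bytes(octets, "big")
        if strict and (octets[0] == 0 or length < 0x80):
            raise BerError("non-minimal long-form length")
    if pos + length > len(buf):
        raise BerError(f"content length {length} exceeds {len(buf) - pos} remaining octets")
    return length, pos

def decode_tlv(buf: bytes, pos: int, strict: bool = True) -> Tuple[int, bytes, int]:
    """Decode one tag-length-value; return (tag, contents, position after it)."""
    if pos >= len(buf):
        raise BerError("truncated: no tag octet")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        # Assumption: every LDAP tag number is below 31, so the multi-octet
        # high-tag-number form is treated as malformed here.
        raise BerError("high-tag-number form not accepted")
    length, pos = decode_length(buf, pos + 1, strict)
    return tag, buf[pos:pos + length], pos + length

def decode_message_id(contents: bytes) -> int:
    """Decode the messageID INTEGER contents and enforce the RFC 2251 range."""
    if not contents:
        raise BerError("INTEGER with no contents octets")
    value = int.from_bytes(contents, "big", signed=True)
    if not 0 <= value <= LDAP_MAX_INT:
        raise BerError(f"messageID {value} outside 0..{LDAP_MAX_INT}")
    return value

def parse_ldap_message_header(buf: bytes, strict: bool = True) -> Tuple[int, int]:
    """Parse LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ... }
    and return (messageID, protocolOp tag) without decoding the operation."""
    tag, body, _ = decode_tlv(buf, 0, strict)
    if tag != 0x30:
        raise BerError("LDAPMessage must be a SEQUENCE (tag 0x30)")
    id_tag, id_contents, pos = decode_tlv(body, 0, strict)
    if id_tag != 0x02:
        raise BerError("messageID must be an INTEGER (tag 0x02)")
    op_tag, _, _ = decode_tlv(body, pos, strict)
    return decode_message_id(id_contents), op_tag

def check(buf: bytes, strict: bool = True) -> str:
    """Summarise the outcome: 'ok:<messageID>:<op tag>' or 'rejected: <why>'."""
    try:
        message_id, op_tag = parse_ldap_message_header(buf, strict)
    except BerError as exc:
        return f"rejected: {exc}"
    return f"ok:{message_id}:0x{op_tag:02x}"

# Constructed vectors (not PROTOS test cases). 0x42 is UnbindRequest
# ([APPLICATION 2]), whose contents are empty, so the message is tiny.
SAMPLES = {
    "unbind_ok":            bytes.fromhex("30 05 02 01 07 42 00"),
    "indefinite_length":    bytes.fromhex("30 80 02 01 07 42 00 00 00"),
    "length_of_length_5":   bytes.fromhex("30 85 00 00 00 00 05 02 01 07 42 00"),
    "length_past_end":      bytes.fromhex("30 84 ff ff ff ff 02 01 07 42 00"),
    "message_id_huge":      bytes.fromhex("30 09 02 05 01 00 00 00 00 42 00"),
    "message_id_negative":  bytes.fromhex("30 06 02 02 ff 80 42 00"),
    "long_form_nonminimal": bytes.fromhex("30 82 00 05 02 01 07 42 00"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:22} {check(sample)}")
```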
References

The following is a list of URLs referenced in this advisory as well as other useful sources of information:

http://www.cert.org/advisories/CA-2001-18.html
http://www.ietf.org/rfc/rfc2116.txt
http://www.ietf.org/rfc/rfc2251.txt
http://www.ietf.org/rfc/rfc2252.txt
http://www.ietf.org/rfc/rfc2253.txt
http://www.ietf.org/rfc/rfc2254.txt
http://www.ietf.org/rfc/rfc2255.txt
http://www.ietf.org/rfc/rfc2256.txt
http://www.ee.oulu.fi/research/ouspg/protos/
http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
http://www.kb.cert.org/vuls/
http://www.kb.cert.org/vuls/id/276944
http://www.kb.cert.org/vuls/id/505564
http://www.kb.cert.org/vuls/id/583184
http://www.kb.cert.org/vuls/id/688960
http://www.kb.cert.org/vuls/id/717380
http://www.kb.cert.org/vuls/id/763400
http://www.kb.cert.org/vuls/id/765256
http://www.kb.cert.org/vuls/id/869184
http://www.kb.cert.org/vuls/id/935800

_________________________________________________________________

The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities to us, for their detailed technical analyses, and for their assistance in preparing this advisory. We also thank the many vendors who provided feedback regarding their respective vulnerabilities.

_________________________________________________________________

Authors: Jeffrey P. Lanza and Cory F. Cohen. Feedback on this advisory is greatly appreciated.

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-18.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
   CERT Coordination Center
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh PA 15213-3890
   U.S.A.
CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.
Revision History
Jul 16, 2001: Initial release

From - Thu Jul 19 18:25:09 2001
Date: Thu, 19 Jul 2001 19:19:03 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-19

CERT Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL

Original release date: July 19, 2001
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Systems running Microsoft Windows NT 4.0 and Windows 2000 with IIS 4.0 or IIS 5.0 enabled

Overview

The CERT/CC has received reports of new self-propagating malicious code that exploits certain configurations of Microsoft Windows susceptible to the vulnerability described in CERT advisory CA-2001-13 Buffer Overflow In IIS Indexing Service DLL.
These reports indicate that the "Code Red" worm may have already affected as many as 225,000 hosts, and continues to spread rapidly.

Description

In examples we have seen, the "Code Red" worm attack proceeds as follows:

* The victim host is scanned for TCP port 80 by the "Code Red" worm.
* The attacking host sends a crafted HTTP GET request to the victim, attempting to exploit a buffer overflow in the Indexing Service described in CERT advisory CA-2001-13.
* If the exploit is successful, the worm begins executing on the victim host. Initially, the existence of the c:\notworm file is checked. Should this file be found, the worm ceases execution.
* If c:\notworm is not found, the worm begins spawning threads to scan seemingly random IP addresses for hosts listening on TCP port 80, exploiting any vulnerable hosts it finds.
* If the victim host's default language is English, then after 100 scanning threads have started and a certain period of time has elapsed following infection, all web pages served by the victim host are defaced with the message

   HELLO! Welcome to http://www.worm.com! Hacked By Chinese!

* If the victim host's default language is not English, the worm will continue scanning but no defacement will occur.

System Footprint

The "Code Red" worm can be identified on victim machines by the presence of the following string in IIS log files:

/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
b%u53ff%u0078%u0000%u00=a

Additionally, web pages on victim machines may be defaced with the following message:

   HELLO! Welcome to http://www.worm.com! Hacked By Chinese!

The text of this page is stored exclusively in memory and is not written to disk.
Therefore, searching for the text of this page in the file system may not detect compromise.

Network Footprint

A host running an active instance of the "Code Red" worm scans random IP addresses on port 80/TCP looking for other hosts to infect.

Additional detailed analysis of this worm has been published by eEye Digital Security at http://www.eeye.com.

Impact

In addition to web site defacement, infected systems may experience performance degradation as a result of the scanning activity of this worm. Non-compromised systems and networks that are being scanned by other hosts infected by the "Code Red" worm may experience severe denial of service. This occurs because each instance of the "Code Red" worm uses the same random number generator seed to create the list of IP addresses it scans. Therefore, all victim hosts scan the same IP addresses.

Furthermore, it is important to note that while the "Code Red" worm appears to merely deface web pages on affected systems and attack other systems, the IIS indexing vulnerability it exploits can be used to execute arbitrary code in the Local System security context. This level of privilege effectively gives an attacker complete control of the victim system.

Solutions

The CERT/CC encourages all Internet sites to review CERT advisory CA-2001-13 and ensure workarounds or patches have been applied on all affected hosts on your network.

If you believe a host under your control has been compromised, you may wish to refer to

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Reporting

The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to cert@cert.org with the following text included in the subject line: "[CERT#36881]".
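The System Footprint and Network Footprint sections give a log signature and a scanning pattern; the following Python, an added example and not part of the CERT advisory, checks IIS W3C extended log lines for the /default.ida request quoted above and tallies matching requests per source address so that scanning hosts stand out. The log excerpt, its field layout and the 224-octet run of N are constructed assumptions; the %u tail is copied from the advisory's signature. A logged request shows that a host was scanned, not by itself whether the overflow succeeded.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Signature from CA-2001-19: a request for /default.ida whose query is a long
# run of 'N' followed by %u-encoded values. The pattern matches that structure
# rather than one exact string; the lower bound of 64 N's is an assumption.
CODE_RED_RE = re.compile(r"^/default\.ida\?N{64,}(?:%u[0-9a-fA-F]{4})+")

# Constructed request (not captured traffic): 224 N's is an assumption about
# the padding length; the %u tail is the one quoted in the advisory.
CODE_RED_QUERY = "N" * 224 + (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
    "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)

# Constructed W3C extended log excerpt (not a real log). Assumed field layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:01:02 192.0.2.10 GET /default.htm - 200",
    f"2001-07-19 10:01:05 198.51.100.7 GET /default.ida {CODE_RED_QUERY} 200",
    "2001-07-19 10:01:09 192.0.2.11 GET /default.ida search=printers 200",
    f"2001-07-19 10:02:41 203.0.113.5 GET /default.ida {CODE_RED_QUERY} 200",
    f"2001-07-19 10:03:13 198.51.100.7 GET /default.ida {CODE_RED_QUERY} 200",
])

def parse_w3c_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; None for directive, blank or odd lines."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 7:
        return None
    date, time_, c_ip, method, stem, query, status = fields
    # IIS logs stem and query as separate fields; rejoin them so the
    # advisory's "/default.ida?NNN..." form can be matched directly.
    uri = stem if query == "-" else f"{stem}?{query}"
    return {"time": f"{date} {time_}", "c_ip": c_ip, "method": method,
            "uri": uri, "status": status}

def find_code_red_hits(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed record whose request matches the Code Red signature."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_w3c_line(line)
        if rec is not None and CODE_RED_RE.match(rec["uri"]):
            hits.append(rec)
    return hits

def scanning_sources(log_text: str) -> Counter:
    """Matching requests per source address: an infected host scanning port 80
    (Network Footprint above) shows up as a source that repeats."""
    return Counter(h["c_ip"] for h in find_code_red_hits(log_text))

if __name__ == "__main__":
    for rec in find_code_red_hits(SAMPLE_LOG):
        print(rec["time"], rec["c_ip"], rec["status"], rec["uri"][:40] + "...")
    print(scanning_sources(SAMPLE_LOG))
```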
______________________________________________________________________

Author(s): Roman Danyliw and Allen Householder

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-19.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
   CERT Coordination Center
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh PA 15213-3890
   U.S.A.

CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
   http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

   subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material.
Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History

   Jul 19, 2001: Initial release

CERT Advisory CA-2001-22 W32/Sircam Malicious Code

   Original release date: July 25, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   * Microsoft Windows (all versions)

Overview

"W32/Sircam" is malicious code that spreads through email and potentially through unprotected network shares.
Once the malicious code has been executed on a system, it may reveal or delete sensitive information. As of 10:00EST(GMT-4) Jul 25, 2001 the CERT/CC has received reports of W32/Sircam from over 300 individual sites.

I. Description

W32/Sircam can infect a machine in one of two ways:

   * When executed by opening an email attachment containing the malicious code
   * By copying itself into unprotected network shares

Propagation Via Email

The virus can appear in an email message written in either English or Spanish with a seemingly random subject line. All known versions of W32/Sircam use the following format in the body of the message:

   English

      Hi! How are you?

      [middle line]

      See you later. Thanks

   Spanish

      Hola como estas ?

      [middle line]

      Nos vemos pronto, gracias.

Where [middle line] is one of the following:

   English

      I send you this file in order to have your advice
      I hope you like the file that I sendo you
      I hope you can help me with this file that I send
      This is the file with the information you ask for

   Spanish

      Te mando este archivo para que me des tu punto de vista
      Espero te guste este archivo que te mando
      Espero me puedas ayudar con el archivo que te mando
      Este es el archivo con la informacion que me pediste

Users who receive copies of the malicious code through electronic mail might recognize the sender. We encourage users to avoid opening attachments received through electronic mail, regardless of the sender's name, without prior knowledge of the origin of the file or a valid digital signature.

The email message will contain an attachment whose name matches the subject line and has a double file extension (e.g. subject.ZIP.BAT or subject.DOC.EXE). The CERT/CC has confirmed reports that the first extension may be .DOC, .XLS, or .ZIP. Anti-virus vendors have referred to additional extensions, including .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, and .PS. The second extension will be .EXE, .COM, .BAT, .PIF, or .LNK.
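As an added example (not part of the advisory), this Python applies the email indicators just described to one message: a double-extension attachment drawn from the listed extension pairs, an attachment base name matching the subject line, and a body following one of the English or Spanish templates. The sample message is constructed for the example and carries a placeholder instead of any real attachment.

```python
from email import message_from_string
# Attachment extension pairs and body templates as listed in the advisory.
FIRST_EXTENSIONS = {"doc", "xls", "zip", "gif", "jpg", "jpeg", "mpeg", "mov", "mpg", "pdf", "png", "ps"}
SECOND_EXTENSIONS = {"exe", "com", "bat", "pif", "lnk"}
BODY_TEMPLATES = {  # language: (greeting, any one of these middle lines, closing)
    "en": ("Hi! How are you?", (
        "I send you this file in order to have your advice",
        "I hope you like the file that I sendo you",
        "I hope you can help me with this file that I send",
        "This is the file with the information you ask for"), "See you later. Thanks"),
    "es": ("Hola como estas ?", (
        "Te mando este archivo para que me des tu punto de vista",
        "Espero te guste este archivo que te mando",
        "Espero me puedas ayudar con el archivo que te mando",
        "Este es el archivo con la informacion que me pediste"), "Nos vemos pronto, gracias."),
}
# Constructed sample (not a real Sircam capture); the attachment payload is a placeholder.
SAMPLE_MESSAGE = """\
Subject: Quarterly Report
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi! How are you?
I hope you like the file that I sendo you
See you later. Thanks
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Quarterly Report.DOC.EXE"

PLACEHOLDER-NOT-A-BINARY
--b1--
"""

def split_double_extension(filename):
    """(base, first, second), lowercased, for names like X.DOC.EXE; else None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in FIRST_EXTENSIONS and parts[2] in SECOND_EXTENSIONS:
        return tuple(parts)
    return None

def body_template_language(text):
    """'en' or 'es' when the body follows a known Sircam template, else None."""
    norm = " ".join(text.split()).lower()
    for lang, (greeting, middles, closing) in BODY_TEMPLATES.items():
        if all(p.lower() in norm for p in (greeting, closing)) and any(m.lower() in norm for m in middles):
            return lang
    return None

def triage_message(raw):
    """Collect the advisory's email indicators; two or more marks the message suspect."""
    msg = message_from_string(raw)
    subject = (msg["Subject"] or "").strip().lower()
    indicators, body = [], ""
    for part in msg.walk():
        name = part.get_filename()
        if name and (ext := split_double_extension(name)):
            indicators.append(f"double extension .{ext[1]}.{ext[2]} on {name!r}")
            if ext[0] == subject:  # attachment named after the subject line
                indicators.append("attachment base name matches the subject line")
        elif not name and part.get_content_type() == "text/plain" and not body:
            body = part.get_payload(decode=True).decode("latin-1", "replace")
    if lang := body_template_language(body):
        indicators.append(f"body matches the known {lang} template")
    return {"language": lang, "indicators": indicators, "suspect": len(indicators) >= 2}
```

With "Hide file extensions for known file types" enabled, the sample attachment would be shown to the user as "Quarterly Report.DOC", which is why the check looks at the full stored filename rather than the displayed one.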
The attached file contains both the malicious code and the contents of a file copied from an infected system. When the attachment is opened, the copied file is extracted to both the %TEMP% folder (usually C:\WINDOWS\TEMP) and the Recycled folder on the affected system. The original file is then opened using the appropriate default viewer while the infection process continues in the background.

It is possible for the recipient to be tricked into opening this malicious attachment since the file will appear without the .EXE, .BAT, .COM, .LNK, or .PIF extension if "Hide file extensions for known file types" is enabled in Windows. See IN-2000-07 for additional information on the exploitation of hidden file extensions.

W32/Sircam includes its own SMTP client capabilities, which it uses to propagate via email. It determines its recipient list by recursively searching for email addresses contained in all *.wab (Windows Address Book) files in the %SYSTEM% folder. Additionally, it searches the folders referred to by

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop

for files containing email addresses. All addresses found are stored in SC??.DLL or S??.DLL files hidden in the %SYSTEM% folder.

W32/Sircam first attempts to send messages using the default email settings for the current user. If the default settings are not present, it appears to use one of the following SMTP relays:

   * prodigy.net.mx
   * NetBIOS name for 'MAIL'
   * mail.[domain] (e.g., mail.example.org)
   * dobleclick.com.mx
   * enlace.net
   * goeke.net

Propagation Via Network Shares

In addition to email-based propagation, analysis by anti-virus vendors suggests that W32/Sircam can spread through unprotected network shares.
Unlike the email propagation method, which requires a user to open an attachment to infect the machine, propagation of W32/Sircam via network shares requires no human intervention.

If W32/Sircam detects Windows networking shares with write access, it

   1. copies itself to \\[share]\Recycled\SirC32.EXE
   2. appends "@ win\Recycled\SirC32.exe" to AUTOEXEC.BAT

If the share contains a Windows folder, it also

   3. copies \\[share]\Windows\rundll32.exe to \\[share]\Windows\run32.exe
   4. copies itself to \\[share]\Windows\rundll32.exe
   5. when the virus is executed from rundll32.exe, it calls run32.exe

Infection process

   1. When installed on a victim machine, W32/Sircam installs a copy of itself in two hidden files:

        + %SYSTEM%\SCam32.exe
        + Recycled\SirC32.exe

      Installing in Recycled may hide it from anti-virus software since some do not check this folder by default.

      Based on external analyses, there is also a probability that W32/Sircam will copy itself to the %SYSTEM% folder as ScMx32.exe. In that case, another copy is created in the folder referred to by

        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup

      (the current user's personal startup folder). The copy created in that location is named Microsoft Internet Office.exe. When the affected user next logs in, this copy of W32/Sircam will be started automatically.

   2. The registry entry

        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32

      is set to %SYSTEM%\SCam32.exe so that W32/Sircam will run automatically at system startup.

   3. The registry entry

        HKEY_CLASSES_ROOT\exefile\shell\open\command

      is set to "C:\Recycled\SirC32.exe" "%1" %*, causing W32/Sircam to execute whenever another executable is run.

   4. A new registry entry, HKEY_LOCAL_MACHINE\Software\SirCam, is created to store data required by W32/Sircam during execution.

   5. W32/Sircam searches for filenames with .DOC, .XLS, or .ZIP extensions in the folders referred to by

        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop

      While the personal folder may vary with configuration, it is often set to \My Documents or \Windows\Profiles\%username%\Personal. A list of these files is stored in %SYSTEM%\scd.dll.

   6. W32/Sircam attaches its own binary to selected files it finds and stores the combined file in the Recycled folder.

II. Impact

W32/Sircam can have a direct impact on both the computer which was infected as well as those with which it communicates over email.

   * Breaches of confidentiality: The malicious code will at a minimum search through select folders and mail potentially sensitive files. This form of attack is extremely serious since it is one from which it is impossible to recover. Once a file has been publicly distributed, any potentially sensitive information in it cannot be retracted.

   * Limited availability (denial of service)

        + Fill entire hard drive: Based on external analyses, on any given day, there is a probability that it will create a file named C:\Recycled\sircam.sys which consumes all free space on the C: drive. A full disk will prevent users from saving files to that drive, and in certain configurations impede system-level tasks (e.g., swapping, printing).

        + Propagation via mass emailing: W32/Sircam will attempt to propagate by sending itself through email to addresses obtained as described above. This propagation can lead to congestion in mail servers that may prevent them from functioning as expected.

          NOTE: Since W32/Sircam uses native SMTP routines connecting to pre-defined mail servers, propagation is independent of the mail client software used.
   * Loss of integrity: Published reports indicate that on October 16 there is a reasonable probability that W32/Sircam will attempt to recursively delete all files from the drive on which Windows is installed (typically C:).

III. Solution

Run and Maintain an Anti-Virus Product

It is important for users to update their anti-virus software. Most anti-virus software vendors have released updated information, tools, or virus databases to help detect and partially recover from this malicious code. A list of vendor-specific anti-virus information can be found in Appendix A.

Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.

Exercise Caution When Opening Attachments

Exercise caution when receiving email with attachments. Users should never open attachments from an untrusted origin, or ones that appear suspicious in any way. Finally, cryptographic checksums should also be used to validate the integrity of the file.

The effects of this class of malicious code are activated only when the file in question is executed. Social engineering is typically employed to trick a recipient into executing the malicious file. The best advice with regard to malicious files is to avoid executing them in the first place. The following tech tip offers suggestions as to how to avoid them:

   Protecting yourself from Email-borne Viruses and Other Malicious Code During Y2K and Beyond

Filter the Email or use a Firewall

Sites can use email filtering techniques to delete messages containing subject lines known to contain the malicious code, or they can filter all attachments. Likewise, a firewall or border router can be used to stop the W32/Sircam outbound SMTP connections to mail servers outside of the local network. This filtering strategy will prevent further propagation of the worm from a particular host when the local mail configuration is not used.

Appendix A. Vendor Information

   Aladdin Knowledge Systems
      http://www.esafe.com/home/csrt/valerts2.asp?virus_no=10068

   Central Command, Inc.
      http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010718-000010

   Command Software Systems
      http://www.commandsoftware.com/virus/sircam.html

   Computer Associates
      http://www.cai.com/virusinfo/encyclopedia/descriptions/s/sircam137216.htm

   Data Fellows Corp
      http://www.datafellows.com/v-descs/sircam.shtml

   McAfee
      http://vil.mcafee.com/dispVirus.asp?virus_k=99141&

   Norman Data Defense Systems
      http://www.norman.com/virus_info/w32_sircam.shtml

   Panda Software
      http://www.pandasoftware.es/vernoticia.asp?noticia=987

   Proland Software
      http://www.pspl.com/virus_info/worms/sircam.htm

   Sophos
      http://www.sophos.com/virusinfo/analyses/w32sircama.html

   Symantec
      http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html

   Trend Micro
      http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A

You may wish to visit the CERT/CC's Computer Virus Resources Page located at:

   http://www.cert.org/other_sources/viruses.html

______________________________________________________________________

Authors: Roman Danyliw, Chad Dougherty, Allen Householder

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-22.html

______________________________________________________________________

Copyright 2001 Carnegie Mellon University.
Revision History

   July 25, 2001: Initial release

CERT Advisory CA-2001-23 Continued Threat of the "Code Red" Worm

   Original release date: July 26, 2001
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   * Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled and Index Server 2.0 installed
   * Windows 2000 with IIS 4.0 or IIS 5.0 enabled and Indexing services installed
   * Cisco CallManager, Unity Server, uOne, ICS7750, Building Broadband Service Manager (these systems run IIS)
   * Unpatched Cisco 600 series DSL routers

Overview

Since around July 13, 2001, at least two variants of the self-propagating