Telecom and Logistics Associates, 10 rue des Savoises, CH-1205 Geneva
phone +41 328 14 88 Contact: calt@tla.ch
archive of the December 97 bulletin
18.8.98
WINDOWS NT SECURITY BRIEFING
http://www.sans.org
On August 20, at 1:00 PM Eastern Standard Time, Microsoft and the SANS Institute will
present a 45-minute briefing on Windows NT Security with leading security experts. People
can watch a live interview with independent Windows NT Server security expert, Dr. Gene
Schultz. Viewers can ask real-time questions by e-mail and hear Dr. Schultz's answers over
the Web.
To register: Send e-mail to info@sans.org with the
subject "NT Security Briefing Live." In the body of the message include your
name, title and employer. After you register, you will receive an e-mail with a URL and a
username/password combination and system requirements. To see a recorded copy of the
briefing after the live date, send e-mail with the subject "NT Security Briefing
Delayed Broadcast."
28.7.98
Security: Netscape Communicator and Microsoft Outlook Express: what a disaster when client
software is vulnerable. Hackers could insert a program of their choosing and have it run on
your machine.
On June 23rd, Ari Takanen, the sole full-time resource at Finland's Oulu University Secure Programming Group (OUSPG), together with Marko Laakso, the security researcher and network administrator for the Department of Electrical Engineering, began some manual security testing of Microsoft's Windows NT operating system. To support their research, they were looking for "overflows", an extremely old and common programming mistake that can result in allowing someone to run their program on your computer without your knowledge. Such an exploit is the goal of every hacker, since finding one could let them into your network, your computer, your valuable computer resources.
They decided to focus on programs that run on workstations rather than servers, since they are more widely deployed. They started with Web Browsers and Email programs. Target: Outlook Express.
They sent themselves a perfectly normal email message with an attachment. Then they wrote a little test program which would alter the contents of the message replacing valid data with abnormal data. They then sent each of the resulting messages to their Outlook Express test machine (running on Windows NT 4.0 with Service Pack 3).
Six tries later (about 30 minutes of testing), they had identified an "overflow" condition. Based on the results of a three-week technical study of this problem category in the Windows NT environment, they determined that with this "overflow" they could insert a program of their choosing and have it run on the test machine.
What's worse is that they didn't have to open the attachment in order to get their program to run. They didn't even have to open the Email message. Simply activating the paper-clip icon that represented the list of attachments was enough to cause their program to get run.
Two days later, after one of their co-workers mistakenly tried to open one of their test messages in his Netscape Mail client but couldn't because the program kept crashing, they discovered that a similar problem also existed in that popular Email program.
To put this into perspective, a lot of press has been published regarding the risks of attachments sent to you from unknown sources. Most administrators warn their users that they shouldn't open attachments on messages if they don't know who sent it. Opening an attachment might invoke a program which could give you a virus, or search for your passwords, or some other malicious intent. At the same time, however, as a result of an email hoax known as the "Good Times Virus", administrators have been telling their users that no email message can harm their machine just by the user looking at the message. The "Good Times Virus" claims that if you open a certain email message, it will reformat your hard disk and do other bad things to you. The hoax is well documented at the CIAC Internet Hoaxes web site.
With the discovery from OUSPG, it's possible to send someone a Trojan and get it started without them doing anything other than what they've been told is OK to do.
Ari and Marko realized they had discovered something with enormous potential for damage. Their test messages contained nothing that current Firewalls or Email Anti-Virus software would identify as being bad. Given the wide deployment of the two affected Email programs, they realized that the number of affected users could be quite significant. This fact was made even more obvious by the fact that the version of Outlook Express which is affected is currently shipping on the Microsoft Windows '98 operating system.
Netscape intends to include the fix in its next release, v4.06.
Microsoft should soon release a hot fix for this issue.
24.7.98 Security: The Apache Group is pleased to announce the release of version 1.3.1
of the Apache HTTP server.
The changes in this release consist of UNIX portability fixes, Win32 security issues, and
assorted other minor features or fixes.
WE URGE ALL USERS RUNNING ANY PREVIOUS VERSION OF APACHE ON WIN32
TO UPGRADE IMMEDIATELY.
Users on other platforms should review the CHANGES file and decide on their upgrade plans;
the security issues apply only to Apache on Win32. We consider Apache 1.3.1 to be
the most stable version of Apache available.
Apache 1.3.1 is available for download from
http://www.apache.org/dist/
Please see the CHANGES file in the same directory for a full list of changes. The
distribution is also available via any of the mirrors listed at
http://www.apache.org/mirrors/
For an overview of new features in 1.3 please see
http://www.apache.org/docs/new_features_1_3.html
In general, Apache 1.3 offers several substantial improvements over version 1.2, including
better performance, reliability and a wider-range of supported platforms, including
Windows 95 and NT (which both fall under the "Win32" label).
Apache is the most popular web-server in the known universe; over half of the servers on
the Internet are running Apache or one of its variants.
IMPORTANT NOTE FOR WIN32 USERS: Over the years, many users have come to trust Apache as a
secure and stable server. It must be realized that the current Win32 code has not
yet reached these levels and should still be considered to be of beta quality. Any
Win32 stability or security problems do not impact, in any way,
Apache on other platforms. With the continued donation of time and resources by
individuals and companies, we hope that the Win32 version of Apache will grow stronger
through the 1.3.x release cycle.
Versions of Apache on Win32 prior to version 1.3.1 are vulnerable to a number of security
holes common to several Win32 servers. The problems that impact Apache include:
- trailing "."s are ignored by the file system. This allowed certain types of access
restrictions to be bypassed.
- directory names of three or more dots (eg. "...") are considered to be valid, similar to
"..". This allowed people to gain access to files outside of the configured document
trees.
There have been at least four other similar instances of the same basic problem: on Win32,
there is more than one name for a file. Some of these names are poorly documented or
undocumented, and even Microsoft's own IIS has been vulnerable to many of these
problems. This behavior of the Win32 file system and API makes it very difficult
to ensure future security; problems of this type have been known about for years, however
each specific instance has been discovered individually. It is unknown if there are
other, yet unpublicized, filename variants. As a result, we recommend that you use
extreme caution when dealing with access restrictions on all Win32 web servers.
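As an added example (not Apache's code), the check below models the two Win32 filename variants the advisory lists, trailing dots ignored and components of three or more dots behaving like "..", and evaluates access restrictions on the canonical name the file system will actually open; the two rules and the restricted prefix are assumptions taken from the advisory's description, not from Apache's implementation.

```python
from typing import List, Optional


def win32_canonical(url_path: str) -> Optional[str]:
    """Return url_path as the Win32 file system would resolve it, or None if
    the path climbs above the document root.

    Rules assumed from the advisory:
      - trailing "."s on a component are ignored ("secret.html." -> "secret.html")
      - a component of three or more dots behaves like ".."
    """
    resolved: List[str] = []
    for raw in url_path.replace("\\", "/").split("/"):
        if raw in ("", "."):
            continue                      # empty or current-directory component
        if raw == ".." or (len(raw) >= 3 and raw.strip(".") == ""):
            if not resolved:
                return None               # would leave the document tree
            resolved.pop()
            continue
        resolved.append(raw.rstrip("."))  # drop the ignored trailing dots
    return "/" + "/".join(resolved)


def authorize(url_path: str, restricted_prefixes: List[str]) -> str:
    """Decide a request the safe way: canonicalise first, then apply the
    access restrictions to the canonical name rather than the raw string."""
    canonical = win32_canonical(url_path)
    if canonical is None:
        return "deny: outside document tree"
    for prefix in restricted_prefixes:
        if canonical == prefix or canonical.startswith(prefix + "/"):
            return "deny: restricted " + canonical
    return "allow " + canonical


if __name__ == "__main__":
    # Constructed requests: a trailing-dot bypass attempt, a "..." traversal
    # that stays inside the tree, one that leaves it, and a normal page.
    for req in ["/protected/secret.html.", "/docs/.../boot.ini",
                "/.../boot.ini", "/index.html"]:
        print(f"{req:28} -> {authorize(req, ['/protected'])}")
```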
23.7.98 Security: Intruders are using a new tool called 'Multiscan' or 'mscan'. This tool
enables the user to scan whole domains and complete ranges of IP addresses to discover
well-known vulnerabilities. It is used to detect exploitable vulnerabilities on target
hosts and may provide information used by an intruder in further attacks. AusCERT has
received reports indicating a recent and substantial increase in network scanning
activity, and believes intruders are using 'mscan' to discover well-known vulnerabilities
in the following services:
statd
nfs
cgi-bin programs (eg: 'handler', 'phf' and 'cgi-test')
X
POP3
IMAP
Domain Name Servers
finger
The 'mscan' documentation mentions the domain 'org.au' as an example, so this domain may
be used as a first test case; sites in it should expect more frequent scans. 'mscan' also
provides information to the user which may be useful in hiding their probe attempts
against a subnet by bouncing their scans off hosts identified as running the application
'wingate'.
20.7.98 Security: Attacks on our web server. Since the start of the year our web server
has suffered more than three phf-type attacks; here is what appears in our web server's
logs:
195.128.72.111 - - [06/Jan/1998:15:14:58 +0000] "GET /cgi-bin/phf?Qalias=x%0acat%20/etc/passwd%0acat%20/etc/hosts%0auname%20-a" 302 -
This type of attack is characteristic. The attacker is trying to reach our password file by exploiting a vulnerability in a Perl script named phf. This type of attack is easy to spot in the logs; a command of the following kind is enough:
cat webfile.log | grep phf
and the result will be an extract of all the lines of your logs that show this form of
attack. This form of attack has been known since early 97.
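An added example (not from the bulletin) that goes one step beyond grep: it parses log lines in the format shown above, keeps only requests to /cgi-bin/phf whose Qalias value carries a %0a newline, and decodes the injected command list per source address. The first sample line is the entry quoted above; the other two are constructed.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Sample log lines: the first is the bulletin's entry, the others are constructed.
LOG_LINES = [
    '195.128.72.111 - - [06/Jan/1998:15:14:58 +0000] "GET /cgi-bin/phf?Qalias=x'
    '%0acat%20/etc/passwd%0acat%20/etc/hosts%0auname%20-a" 302 -',
    '10.0.0.5 - - [07/Jan/1998:09:02:11 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [08/Jan/1998:22:41:03 +0000] "GET /cgi-bin/phf?Qalias=x%0A/bin/id'
    ' HTTP/1.0" 404 -',
]

# Common log format; the protocol token after the URL is optional because the
# quoted entry above lacks one.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def phf_commands(url: str) -> List[str]:
    """Return the commands smuggled into a phf request, or [] if there are none.

    The well-known phf bug let a %0a (newline) inside Qalias start extra shell
    commands; the first segment is the harmless alias, the rest are the injection."""
    path, _, query = url.partition("?")
    if path != "/cgi-bin/phf":
        return []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "Qalias" and "%0a" in value.lower():
            decoded = unquote(value)
            return [c for c in decoded.split("\n")[1:] if c.strip()]
    return []


def scan_log(lines: List[str]) -> Dict[str, List[str]]:
    """Map each source IP to the commands it tried to inject through phf."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                      # not a parseable log entry
        cmds = phf_commands(m.group("url"))
        if cmds:
            hits.setdefault(m.group("ip"), []).extend(cmds)
    return hits


if __name__ == "__main__":
    for ip, cmds in scan_log(LOG_LINES).items():
        print(ip, "->", "; ".join(cmds))
```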
12.7.98 Security: Phrack Magazine is tickled pink to announce the release of our
latest offering, issue 53. In this grandiose issue you will find a
wide assortment of articles on several compelling topics, including:
network protocols, MS 95 and NT, and Intrusion detection to name a few.
Phrack in French
Phrack Magazine can be harvested from the following sites:
http://www.phrack.com
ftp://azrael.phrack.com/pub/phrack
http://www.infonexus.com/~daemon9/Projects
http://www.nmrc.org/compute/intrude.html
http://www.leviathan.org/phrack.html
9.7.98 Training: During the first half of 98, no fewer than 22 seminars were organised by
Telecom and Logistics Associates. More than a hundred engineers took part in one or another
of our training modules. NTsecurity and Microsoft's TCP/IP are the courses for which we
see the most enthusiasm.
On-site courses suit companies more and more. This format makes it possible to go more deeply into the details of the installations that participants encounter in their daily work.
6.7.98 Security:
Encryption, what French law says: on 24 February and 23 March 1998, the implementing
decrees of the law of 26 July 1996 were published in the Journal Officiel. They
liberalise, in France, the use of strong cryptography, which is indispensable to network
security and electronic commerce. In particular, these decrees exempt from any formality
the tools providing confidentiality functions, on condition that the decryption keys are
deposited with a trusted third party (TPC).
The telecommunications ministry's site presents the decrees at: http://www.telecom.gouv.fr/francais.htm
Telecom and Logistics Associates announces the opening of its security alert service. This service centralises alerts from prestigious sources such as CERT, CIAC, SUN, IBM, DEC, HP, L0pht and many others. These alerts are extracted from TLA's security database. To reach this service, just use the URL http://www.tla.ch/alert
Since the start of 98 we already count more than 18 alerts for UNIX and Windows NT systems.