Read about the latest developments in security every month in Security Watch
Buffer Overflow in Solaris X Window Font Service
The Solaris X Window Font Service (XFS) daemon (fs.auto)
contains a buffer overflow vulnerability that could
allow an attacker to execute arbitrary code or cause
a denial of service. Exploitation of this vulnerability
can lead to arbitrary code execution on a vulnerable
Solaris system.
The Solaris XFS serves font files to clients.
Sun describes the XFS service as follows: The X Font
Server is a simple TCP/IP-based service that serves
font files to its clients. Clients connect to the server
to request a font set, and the server reads the font
files off the disk and serves them to the clients. The
X Font Server daemon consists of a server binary /usr/openwin/bin/xfs.
The XFS daemon is installed and running by default on
all versions of the Solaris operating system. Note that
this vulnerability is in the X Window Font Server, and
not the file system of a similar name. A remote attacker
can execute arbitrary code with the privileges of the
fs.auto daemon (typically nobody) or cause a denial
of service by crashing the service.
Systems Affected
Sun Microsystems Solaris 2.5.1 / 2.6 / 7 / 8 / 9 (SPARC/Intel)
Solution/Patches
Disable vulnerable service:
Until patches can be applied, you may wish to disable
the XFS daemon (fs.auto). As a best practice, it is
recommended to disable all services that are not explicitly
required. On a typical Solaris system, the fs.auto daemon
can be disabled by commenting out the relevant entries
in /etc/inetd.conf and then restarting the inetd process.
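The following is an added example, not code from the advisory or from Sun, showing the disable step as a repeatable script: it comments out every active inetd.conf entry for a given service name (here "fs", the name under which Solaris inetd starts fs.auto), verifies that no active entry for it remains, and offers a helper that signals inetd to re-read its configuration. The sample inetd.conf content is constructed for the demonstration and only resembles the real Solaris file; pgrep is assumed to be available for the reload step.

```python
"""Added example (not from the advisory or from Sun): disable an inetd-managed
service such as the Solaris X Font Server (fs.auto) by commenting out its
entry in an inetd.conf-style file, then verify that no active entry remains.

The service name "fs" and the fs.auto path follow the Solaris entry the text
refers to; SAMPLE_INETD_CONF is constructed for this demonstration.
"""
import os
import signal
import subprocess
import tempfile
import re
from typing import List, Tuple


def disable_inetd_service(text: str, service: str) -> Tuple[str, int]:
    """Return (new_text, disabled_count).

    Every active (uncommented) line whose first field equals `service` is
    prefixed with '#'. Lines already commented out are left unchanged, so
    running the function twice is harmless.
    """
    pattern = re.compile(r"^\s*" + re.escape(service) + r"(?=\s)")
    out, count = [], 0
    for line in text.splitlines(keepends=True):
        if pattern.match(line) and not line.lstrip().startswith("#"):
            out.append("#" + line)
            count += 1
        else:
            out.append(line)
    return "".join(out), count


def active_services(text: str) -> List[str]:
    """Names of services inetd would still serve: the first field of every
    uncommented, non-blank line."""
    names = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        names.append(stripped.split()[0])
    return names


def disable_in_file(path: str, service: str) -> int:
    """Rewrite `path` in place and return the number of entries disabled."""
    with open(path) as fh:
        new_text, count = disable_inetd_service(fh.read(), service)
    if count:
        with open(path, "w") as fh:
            fh.write(new_text)
    return count


def reload_inetd() -> None:
    """Ask a running inetd to re-read its configuration by sending SIGHUP.
    Assumes pgrep exists (true on Solaris 7 and later); nothing happens when
    no inetd process is found, so this is safe to call on a test machine."""
    result = subprocess.run(["pgrep", "-x", "inetd"], capture_output=True, text=True)
    for pid in result.stdout.split():
        os.kill(int(pid), signal.SIGHUP)


# Constructed sample resembling Solaris entries; "fs" starts the X Font Server.
SAMPLE_INETD_CONF = """\
# Sample inetd.conf (constructed for this example)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
fs      stream  tcp     wait    nobody  /usr/openwin/lib/fs.auto        fs
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
"""

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as tmp:
        tmp.write(SAMPLE_INETD_CONF)
    print("disabled entries:", disable_in_file(tmp.name, "fs"))
    with open(tmp.name) as fh:
        print("still active:", active_services(fh.read()))
    os.unlink(tmp.name)
    # On a real host, run disable_in_file("/etc/inetd.conf", "fs") as root
    # and follow it with reload_inetd() so the change takes effect.
```

After the reload, confirm the result from the host itself (for example with netstat) rather than trusting the edit alone: an entry can also be re-enabled by a later package installation, which is why active_services() is worth re-running periodically.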
Workarounds
Block access to port 7100/TCP at your network perimeter.
Note that this will not protect vulnerable hosts within
your network perimeter.
Vendor Information:
-
NetBSD
NetBSD ships the xfs from XFree86, though it is not
turned on or used by default.
-
Sun Microsystems
The Solaris X font server (xfs(1)) is affected in
the following versions:
Solaris 2.6/7/8/9
The patches will be available from:
http://sunsolve.sun.com/securitypatch
Heap Overflow Vulnerability in Microsoft Data Access Components
A vulnerability in the Microsoft Data Access Components
(MDAC) could lead to remote execution of code with the
privileges of the current process or user.
Microsoft Data Access Components (MDAC) is a collection
of utilities and routines to process requests between
databases and network applications. A buffer overflow
vulnerability exists in the Remote Data Services (RDS)
component of MDAC.
The RDS component provides an intermediary step for
a client's request for service from a back-end database
that enables the web site to apply business logic to
the request.
According to Microsoft's Security Bulletin MS02-065,
a routine in the RDS component, specifically the RDS
Data Stub function, contains an unchecked buffer. The
RDS Data Stub function's purpose is to parse incoming
HTTP requests and generate RDS commands. This unchecked
buffer could be exploited to cause a heap overflow.
There are two ways in which this vulnerability can be
exploited. In the first, an attacker sends a malicious HTTP
request to a vulnerable service, such as an IIS server; if RDS
is enabled, the attacker can execute arbitrary code
as the IIS server. In the second, a malicious web site
hosts a page that exploits the buffer overflow through
a client application, such as Internet Explorer. Most
systems running Internet Explorer on operating systems
other than Windows XP are vulnerable to this attack.
Both web servers and client applications that rely on MDAC
are affected. It is recommended that all users of Microsoft
Windows 98, Windows 98 SE, Windows ME, Windows NT 4.0,
and Windows 2000 apply the patch (Q329414). Windows
XP users are not affected since MDAC 2.7, the non-vulnerable
version, is installed by default.
Systems Affected
All Microsoft Windows systems running the following:
Versions of MDAC prior to 2.7
Internet Explorer version 6/5.5/5.1
Microsoft Windows XP is shipped with MDAC version 2.7
and is not vulnerable by default even though Internet
Explorer 6.0 is installed.
A remote attacker could execute arbitrary code with
the privileges of the application that processed the
request. In the case of a web server or other service,
this is likely to be the system or another account with
elevated privileges. In the case of a client application,
this will be the account used to view the web page.
Solution/Patches
Microsoft has released a patch (Q329414) and a security
bulletin (MS02-065) to address this issue. An end-user
version of MS02-065 is available at:
http://www.microsoft.com/security/security_bulletins/ms02-065.asp.
According to the Microsoft advisory, a scenario exists
in which a vulnerable version of the control may
be re-installed on a Windows system even after the patch
has been applied. This is because the vulnerable
ActiveX control is signed by Microsoft and the patch
does not set the kill bit for the MDAC control.
Backdoor in OmniSwitch AOS
Alcatel recently discovered a serious vulnerability
in its AOS version 5.1.1. Exploitation of this vulnerability
can lead to full administrative control of the device
running AOS. AOS typically runs on network infrastructure
devices, such as the Alcatel OmniSwitch 7000 series
switch.
During an Nmap audit of the AOS 5.1.1 code that runs
on the Alcatel OmniSwitch 7700/7800 LAN switches, it
was determined that a telnet server was listening on TCP
port 6778. This was used during development to
access the Wind River VxWorks operating system. Due
to an oversight, this access was not removed prior to
product release.
An attacker can gain full access to any device running
AOS version 5.1.1, which can result in, but is not limited
to, unauthorized access, unauthorized monitoring, information
leakage, or denial of service.
Systems Affected
Alcatel OmniSwitch 7700/7800 switches running Alcatel
Operating System (AOS) version 5.1.1
Solution/Patches
Upgrade to AOS 5.1.1.R02 or AOS 5.1.1.R03
Block access to port 6778/TCP at your network perimeter.
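Both this advisory and the Solaris XFS advisory above recommend blocking a port at the perimeter while noting that this does not protect hosts inside it. The following added example (not code from Alcatel, Sun or the newsletter) is an internal audit that checks whether the two ports named in these advisories, 7100/TCP (fs.auto) and 6778/TCP (the AOS 5.1.1 telnet listener), still accept connections on hosts you administer. It includes a throwaway local listener so the "still exposed" result can be demonstrated offline; the host list in the main block is a placeholder.

```python
"""Added example (not from either advisory): confirm from inside the network
that the TCP ports named in the advisories do not accept connections on the
hosts you administer. Host names are placeholders; replace them with your own
Solaris hosts and OmniSwitch management addresses."""
import socket
import threading
from typing import Dict, List, Tuple

# Port -> description, taken from the two advisories.
ADVISORY_PORTS: Dict[int, str] = {
    7100: "Solaris X Font Server (fs.auto)",
    6778: "AOS 5.1.1 development telnet listener",
}


def port_accepts_connections(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within `timeout`.
    Refused, filtered (timed out) and unresolvable hosts all count as False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(hosts: List[str], ports: Dict[int, str] = ADVISORY_PORTS,
          timeout: float = 2.0) -> List[Tuple[str, int, str, bool]]:
    """Return (host, port, description, reachable) for every host/port pair."""
    return [(h, p, desc, port_accepts_connections(h, p, timeout))
            for h in hosts for p, desc in ports.items()]


def exposed(results: List[Tuple[str, int, str, bool]]) -> List[Tuple[str, int, str, bool]]:
    """Only the pairs that still answer: these hosts need the patch, upgrade
    or inetd change applied, regardless of what the perimeter filter does."""
    return [r for r in results if r[3]]


def start_local_listener() -> Tuple[socket.socket, int]:
    """Start a throwaway listener on 127.0.0.1 (random port) that accepts and
    immediately closes connections. Used only to demonstrate a 'reachable'
    result without touching any real host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:  # listener closed by stop_local_listener()
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_local_listener(srv: socket.socket) -> None:
    srv.close()


if __name__ == "__main__":
    srv, demo_port = start_local_listener()
    demo_ports = dict(ADVISORY_PORTS, **{demo_port: "demo listener (constructed)"})
    for host, port, desc, reachable in audit(["127.0.0.1"], demo_ports, timeout=1.0):
        print(f"{host}:{port:<5} {'EXPOSED' if reachable else 'closed ':8} {desc}")
    stop_local_listener(srv)
    # Real use: audit(["solaris-host.example", "omniswitch-mgmt.example"])
```

A reachable 6778/TCP on an OmniSwitch after the upgrade, or a reachable 7100/TCP on a Solaris host after the inetd change, means the fix did not take; a closed port from outside the perimeter says nothing about internal reachability, which is the gap the advisories point out.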
SSH Secure Shell for Workstations has a buffer overflow
The Windows version of SSH Secure Shell for Workstations
contains a buffer overflow vulnerability that may allow
an attacker to execute arbitrary code.
The SSH Secure Shell for Workstations client includes
a URL handling feature that allows users to launch URLs
that appear in the terminal window. When the user clicks
on a URL, it will be launched using their default browser.
Versions 3.1 to 3.2.0 of this application contain a
buffer overflow vulnerability that is triggered when
the launched URL is approximately 500 characters or
greater in length. To exploit this vulnerability, an
attacker must supply a malicious URL to a terminal session
and convince the victim to launch it. This vulnerability
allows an attacker to execute arbitrary code by convincing
an unsuspecting user to click on a malicious URL.
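The defect described above is a launcher that accepts a URL of any length from the terminal window. The following added example, which is not code from SSH Communications Security or from its client, shows the bound a URL launcher should apply before handing text to a fixed-size buffer or to the system browser: URLs are extracted from a terminal buffer, vetted for scheme and length, and only then opened. MAX_URL_LEN, the URL pattern and the sample terminal text are constructed for this demonstration; the ~500-character figure is the advisory's.

```python
"""Added example (not the SSH client's code): extract URLs from terminal
output and refuse to launch any that exceed a fixed length bound.
MAX_URL_LEN, URL_RE and SAMPLE_TERMINAL are assumptions made for this demo."""
import re
import webbrowser
from typing import Callable, List, Tuple

# Assumed policy: comfortably below the ~500 characters the advisory cites.
MAX_URL_LEN = 256
ALLOWED_SCHEMES = ("http://", "https://", "ftp://")
# Loose pattern for URLs embedded in terminal text; stops at whitespace/quotes.
URL_RE = re.compile(r"(?:https?|ftp)://[^\s<>\"']+")


def extract_urls(buffer: str) -> List[str]:
    """All URL-looking tokens in a terminal buffer, in order of appearance."""
    return URL_RE.findall(buffer)


def vet_url(url: str, max_len: int = MAX_URL_LEN) -> Tuple[bool, str]:
    """Decide whether a URL may be launched. The length check comes first so
    that oversized input is never passed further down the chain."""
    if len(url) > max_len:
        return False, f"rejected: {len(url)} chars exceeds limit of {max_len}"
    if not url.lower().startswith(ALLOWED_SCHEMES):
        return False, "rejected: unsupported scheme"
    return True, "ok"


def launch_from_terminal(buffer: str,
                         opener: Callable[[str], object] = webbrowser.open
                         ) -> List[Tuple[str, bool, str]]:
    """Vet each URL found in `buffer`; open the accepted ones with `opener`
    and return (url, accepted, reason) for every candidate."""
    report = []
    for url in extract_urls(buffer):
        accepted, reason = vet_url(url)
        if accepted:
            opener(url)
        report.append((url, accepted, reason))
    return report


# Constructed terminal output: one normal link and one pathologically long one.
SAMPLE_TERMINAL = (
    "Last login: Tue Dec  3 10:12:04 on pts/1\n"
    "See http://www.example.com/docs for details\n"
    "pasted: http://www.example.com/" + "a" * 600 + "\n"
)

if __name__ == "__main__":
    # Print instead of opening a browser when run as a script.
    for url, ok, why in launch_from_terminal(SAMPLE_TERMINAL, opener=print):
        print(f"{'LAUNCH' if ok else 'BLOCK '} {url[:48]}... {why}")
```

The point of vet_url() running before the opener is that the bound is enforced at the parsing stage, where the input is still a string the program controls, rather than relying on whatever the browser or a downstream buffer happens to do with it.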
Systems Affected
SSH Communications Security
Solution/Patches
SSH Communications Security has addressed this vulnerability
at:
http://www.ssh.com/company/newsroom/article/287/