Security Watch: the latest developments in security every month

Vulnerability in RaQ Server Appliances
A remotely exploitable vulnerability has been discovered
in Sun Cobalt RaQ Server Appliances running Sun's Security
Hardening Package (SHP). Exploitation of this vulnerability
may allow remote attackers to execute arbitrary code
with superuser privileges.
Cobalt RaQ is a Sun Server Appliance. Sun provides a
Security Hardening Package (SHP) for Cobalt RaQs. Although
the SHP is not installed by default, many users choose
to install it on their RaQ servers.
A vulnerability in the SHP may allow a remote attacker
to execute arbitrary code on a Cobalt RaQ Server Appliance.
The vulnerability occurs in a CGI script that does not
properly filter input. Specifically, overflow.cgi does
not adequately filter input destined for the e-mail
variable. Because of this flaw, an attacker can use
a POST request to fill the e-mail variable with arbitrary
commands. When the attacker then calls overflow.cgi, the
contents of the e-mail variable are executed with superuser
privileges.
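The flaw described above is a classic case of an unfiltered form field reaching a system command. The following added example (not the source of overflow.cgi, which the report does not show) assumes a hypothetical CGI handler that receives an `email` field in a POST body and must hand it to an external mail utility; it contrasts the string-splicing pattern that makes such a field dangerous with an allowlist check and an argv list that never goes through a shell.

```python
"""Hardened handling of a CGI form field that is passed to a system command.

Added example, not the original overflow.cgi. The handler, the field name
`email` and the sendmail invocation are assumptions for illustration.
"""
import re
from urllib.parse import parse_qs

# Strict allowlist: local part, '@', dotted domain labels, alphabetic TLD.
# Anything else (spaces, ';', '|', '`', '$', newlines, ...) is rejected.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}")
MAX_BODY = 4096


def validate_email(value: str) -> str:
    """Return the address unchanged if it matches the allowlist, else raise."""
    if len(value) > 254 or not EMAIL_RE.fullmatch(value):
        raise ValueError("rejected e-mail value")
    return value


def shell_command_unsafe(email: str) -> str:
    """The injection-prone pattern: untrusted text spliced into a shell line.
    Returned as a string only and never executed here; shown for contrast."""
    return "/usr/sbin/sendmail -t " + email


def build_argv(email: str) -> list[str]:
    """Safe pattern: the validated value becomes one argv element, no shell."""
    return ["/usr/sbin/sendmail", "-t", validate_email(email)]


def handle_post(body: str) -> list[str]:
    """Parse an application/x-www-form-urlencoded POST body and return the
    argv that would be handed to subprocess.run(argv, shell=False)."""
    if len(body) > MAX_BODY:
        raise ValueError("request body too large")
    fields = parse_qs(body, strict_parsing=True)
    values = fields.get("email", [])
    if len(values) != 1:
        raise ValueError("exactly one email field required")
    return build_argv(values[0])


def accepts(body: str) -> bool:
    """True if the body yields a usable argv, False if it is rejected."""
    try:
        handle_post(body)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a plain address and one carrying a metacharacter.
    print(handle_post("email=user%40example.com"))
    print(accepts("email=user%40example.com%3B+id"))
    print(shell_command_unsafe("user@example.com;id"))
```

The point of `shell_command_unsafe` is that the metacharacter survives into the command line intact; `build_argv` makes that impossible twice over, first by refusing any value outside the allowlist and second by passing the value as a single argument with no shell to interpret it.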
An exploit is publicly available and may be circulating.
A remote attacker may be able to execute arbitrary code
on a Cobalt RaQ Server Appliance with the SHP installed.

Sun Cobalt RaQ 4 Server Appliances with the Security Hardening Package installed
Cobalt RaQ 3 Server Appliances running the RaQ 4 build with the Security Hardening Package installed

Block access to the Cobalt RaQ administrative httpd
server (typically ports 81/TCP and 444/TCP) at your
network perimeter. Note that this will not protect vulnerable
hosts within your network perimeter. It is important
to understand your network configuration and service
requirements before deciding what changes are appropriate.
The patch supplied by Sun removes the SHP completely.
If your operation requires the use of the SHP, you may
need to find a suitable alternative.
According to Sun, a remote root exploit affects the
Sun/Cobalt RaQ4 platform if the SHP patch was installed.
Sun has released a Sun Alert which describes how to
remove the SHP patch at: http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/49377
The removal patch is available from: http://ftp.cobalt.sun.com/pub/packages/raq4/eng/RaQ4-en-Security-2.0.1-SHP_REM.pkg

W32/Lioten Malicious Code

There have been reports of self-propagating malicious
code known as W32/Lioten affecting systems running Windows
2000. This malicious code exploits weak or null passwords
in order to propagate. Reports indicate that thousands
of systems are scanning in a manner consistent with
W32/Lioten's known behavior. Various sources have referred
to this malicious code as IraqiWorm and iraqi_oil.exe.
W32/Lioten scans for 445/tcp. When it finds a responsive
potential victim, it establishes a null session and
retrieves (enumerates) a list of user accounts on the
victim system. For each account it finds, it then attempts
a number of trivial passwords.
On success, it copies itself to the victim system as
iraqi_oil.exe and uses the Task Scheduler (via the at
command) to run the copy a few minutes later. Presence of
the iraqi_oil.exe file and scanning for 445/tcp are
therefore symptoms.
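Both symptoms named above lend themselves to simple checks. The following added example (not from the original report) assumes a constructed firewall log format of `<ISO time> <src> -> <dst>:<port> <action>` and a constructed listing of scheduled-job command lines per host; it flags sources that touch many distinct hosts on 445/tcp within a short window, and hosts whose at jobs reference the iraqi_oil.exe file name.

```python
"""Spotting W32/Lioten-style symptoms in firewall logs and scheduled tasks.

Added example, not from the original report. Log format, field layout,
the one-minute window and the eight-target threshold are constructed
assumptions; adapt the parser and threshold to your own sensor.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO time> <src> -> <dst>:<dport> <action>"
SAMPLE_LOG = """\
2002-12-20T10:00:01 10.0.0.5 -> 10.0.1.10:445 DENY
2002-12-20T10:00:01 10.0.0.5 -> 10.0.1.11:445 DENY
2002-12-20T10:00:02 10.0.0.5 -> 10.0.1.12:445 DENY
2002-12-20T10:00:02 10.0.0.5 -> 10.0.1.13:445 ALLOW
2002-12-20T10:00:03 10.0.0.5 -> 10.0.1.14:445 DENY
2002-12-20T10:00:03 10.0.0.5 -> 10.0.1.15:445 DENY
2002-12-20T10:00:04 10.0.0.5 -> 10.0.1.16:445 DENY
2002-12-20T10:00:04 10.0.0.5 -> 10.0.1.17:445 DENY
2002-12-20T10:00:05 10.0.0.5 -> 10.0.1.18:445 DENY
2002-12-20T10:00:05 10.0.0.5 -> 10.0.1.19:445 DENY
2002-12-20T10:05:00 10.0.0.7 -> 10.0.1.10:445 ALLOW
2002-12-20T10:06:00 10.0.0.7 -> 10.0.1.20:80 ALLOW
2002-12-20T10:07:00 10.0.0.9 -> 10.0.1.10:445 ALLOW
"""


def parse_line(line):
    """Split one constructed log line into (time, src, dst, port, action)."""
    ts, src, _arrow, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), action


def find_smb_scanners(log_text, window=timedelta(minutes=1), min_targets=8):
    """Return {src: distinct_445_targets} for sources that touched at least
    `min_targets` distinct hosts on 445/tcp within any `window`-long span.
    Allowed and denied attempts both count: a scanner probes whole ranges."""
    events = defaultdict(list)  # src -> [(time, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = parse_line(line)
        if port == 445:
            events[src].append((ts, dst))
    hits = {}
    for src, ev in events.items():
        ev.sort()
        start = 0
        for end in range(len(ev)):
            # Slide the window start forward until it spans at most `window`.
            while ev[end][0] - ev[start][0] > window:
                start += 1
            targets = {dst for _, dst in ev[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


# Constructed per-host scheduled-job command lines, as collected from `at`.
SAMPLE_AT_JOBS = {
    "10.0.0.5": ["C:\\WINNT\\system32\\iraqi_oil.exe", "C:\\backup\\nightly.bat"],
    "10.0.0.7": ["C:\\backup\\nightly.bat"],
}


def hosts_with_lioten_job(at_jobs):
    """Hosts whose scheduled jobs reference the iraqi_oil.exe file name."""
    return sorted(host for host, cmds in at_jobs.items()
                  if any(cmd.lower().endswith("iraqi_oil.exe") for cmd in cmds))


if __name__ == "__main__":
    print(find_smb_scanners(SAMPLE_LOG))      # 10.0.0.5 hit 10 hosts in 4 s
    print(hosts_with_lioten_job(SAMPLE_AT_JOBS))
```

Counting distinct destinations rather than raw connection attempts keeps a busy but legitimate file server client (one peer, many sessions) from tripping the threshold, while a host walking a /24 on 445/tcp stands out immediately.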
Reports indicate that attackers are monitoring for systems
infected with W32/Lioten and further exploiting them
via other tools for use in distributed denial-of-service
attacks.
Systems infected by W32/Lioten scan for 445/tcp. By
watching for this scanning activity, attackers are able
to easily identify targets with weak passwords and can
subsequently compromise those systems for use in other
attacks. Additionally, as with other self-propagating
malicious code, W32/Lioten may cause DoS conditions
in networks where multiple systems are affected.

Systems running Microsoft Windows 2000

Restrict or disable null sessions

Depending on the services your systems are required
to provide, it may be possible to restrict or disable
anonymous null sessions on your Windows 2000 hosts.
This can be done through the registry under
HKLM\SYSTEM\CurrentControlSet\Control\LSA.
Note that this configuration could cause problems in
certain network environments.
Windows XP sets the RestrictAnonymousSam key to 0x1
by default. Therefore, unless this setting has been
altered by the system administrator, W32/Lioten should
not be able to retrieve the account list via a null
session on Windows XP systems.

Require strong passwords

W32/Lioten exploits the use of weak or null passwords
in order to propagate, hence the use of strong passwords
can help keep it from infecting your systems.

Ingress filtering manages the flow of traffic as it
enters a network under your administrative control.
In the network usage policy of many sites, external
hosts are only permitted to initiate inbound traffic
to machines that provide public services on specific
ports. Thus, ingress filtering should be performed at
the border to prohibit externally initiated inbound
traffic to non-authorized services.

Egress filtering manages the flow of traffic as it leaves
a network under your administrative control. There is
typically limited need for internal systems to access
NetBIOS shares across the Internet.
In the case of W32/Lioten, blocking connections to port
445/tcp from entering or leaving your network reduces
the risk of external infected systems attacking hosts
inside your network or vice-versa.

Buffer Overflow in Microsoft Windows Shell

A buffer overflow vulnerability exists in the Microsoft
Windows Shell. An attacker can use this vulnerability
by luring a user to read a malicious e-mail message,
visit a malicious web page, or browse to a folder containing
a malicious .MP3 or .WMA file. The attacker can then
either execute arbitrary code (which would run with
the privileges of the victim) or crash the Windows Shell.
The Windows Shell is responsible for providing the basic
framework of the Windows user interface experience.
It is better known to users as the Windows Desktop, but
it also provides a variety of other functions that help define
the user's computing session. Browsing and organizing
local and remote files and folders, providing the means
to start applications, running wizards, and performing
configuration tasks are examples of operations that use
the Windows Shell.
The vulnerability exists in the Windows Shell function
used to extract attribute information from audio files.
This function is invoked automatically when a user browses
to a folder containing .MP3 or .WMA files.

All versions of Microsoft Windows XP

Microsoft is actively deploying the patch for this vulnerability
via Windows Update.