Issue of February 2003 

Security Watch

Read about the latest developments in security every month in Security Watch

Vulnerability in RaQ Server Appliances
A remotely exploitable vulnerability has been discovered in Sun Cobalt RaQ Server Appliances running Sun's Security Hardening Package (SHP). Exploitation of this vulnerability may allow remote attackers to execute arbitrary code with superuser privileges.

Cobalt RaQ is a Sun Server Appliance. Sun provides a Security Hardening Package (SHP) for Cobalt RaQs. Although the SHP is not installed by default, many users choose to install it on their RaQ servers.

A vulnerability in the SHP may allow a remote attacker to execute arbitrary code on a Cobalt RaQ Server Appliance. The vulnerability lies in a CGI script that does not properly filter its input. Specifically, overflow.cgi does not adequately filter the value supplied for the e-mail variable. Because of this flaw, an attacker can use a POST request to place arbitrary commands in the e-mail variable; when overflow.cgi is then called, the command stored in the e-mail variable is executed with superuser privileges.
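The page does not show the code of overflow.cgi, so the following is an added, illustrative example (not Sun's script and not from this article) of how a CGI handler can treat an e-mail form field safely: the value is checked against a strict allowlist pattern and then handed to the mail program as a separate argument vector, so no shell ever parses it. The form field name `email`, the sendmail path and the log format are assumptions for the example.

```python
import re
from urllib.parse import parse_qs

# Allowlist pattern for the e-mail field (constructed for this example). It admits
# only a plain local part, one "@" and a dotted domain, so shell metacharacters,
# whitespace and newlines are rejected outright rather than escaped.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def is_safe_email(addr: str) -> bool:
    """Accept only addresses that match the allowlist in full."""
    return len(addr) <= 254 and EMAIL_RE.fullmatch(addr) is not None


def sendmail_argv(addr: str) -> list:
    """Build the argument vector for the mailer. No shell is involved, and the
    address follows '--' so it can never be interpreted as an option."""
    return ["/usr/sbin/sendmail", "-i", "--", addr]  # path assumed for the example


def handle_post(body: str):
    """Parse a urlencoded POST body and return (http_status, argv_or_None).
    Anything other than exactly one well-formed 'email' value is refused."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("email", [])
    if len(values) != 1:
        return 400, None
    addr = values[0]
    if not is_safe_email(addr):
        return 400, None
    # The caller would run subprocess.run(argv, input=message_bytes) here;
    # argv is returned instead so the decision can be inspected and tested.
    return 200, sendmail_argv(addr)


if __name__ == "__main__":
    for body in ("email=alice%40example.com", "email=alice%40example.com%3B+id", "email="):
        print(body, "->", handle_post(body))
```

The point is the validation-then-argv pattern rather than the particular regular expression: a value that fails the allowlist never reaches any command at all, and a value that passes is passed as data, not as part of a command line.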

An exploit is publicly available and may be circulating.

A remote attacker may be able to execute arbitrary code on a Cobalt RaQ Server Appliance with the SHP installed.

Systems Affected
Sun Cobalt RaQ 4 Server Appliances with the Security Hardening Package installed
Sun Cobalt RaQ 3 Server Appliances running the RaQ 4 build with the Security Hardening Package installed

Block access to the Cobalt RaQ administrative httpd server (typically ports 81/TCP and 444/TCP) at your network perimeter. Note that this will not protect vulnerable hosts within your network perimeter. It is important to understand your network configuration and service requirements before deciding what changes are appropriate.

The patch supplied by Sun removes the SHP completely. If your operation requires the use of the SHP, you may need to find a suitable alternative.

Vendor Information
Sun Microsystems

According to Sun, a remote root exploit affects the Sun/Cobalt RaQ4 platform if the SHP patch was installed.
Sun has released a Sun Alert which describes how to remove the SHP patch at:

The removal patch is available from:

W32/Lioten Malicious Code
There have been reports of self-propagating malicious code known as W32/Lioten affecting systems running Windows 2000. This malicious code exploits weak or null passwords in order to propagate. Reports indicate that thousands of systems are scanning in a manner consistent with W32/Lioten's known behavior. Various sources have referred to this malicious code as IraqiWorm and iraqi_oil.exe.

W32/Lioten scans for 445/tcp. When it finds a responsive potential victim, it establishes a null session and retrieves (enumerates) a list of user accounts on the victim system. For each account it finds, it then attempts a number of trivial passwords.

On success, it copies itself to the victim system as iraqi_oil.exe and uses the Task Scheduler (via the at command) to run the copy a few minutes later. The presence of the iraqi_oil.exe file and scanning for 445/tcp are therefore symptoms of compromise.

Reports indicate that attackers are monitoring for systems infected with W32/Lioten and further exploiting them via other tools for use in distributed denial-of-service (DDoS) attacks.

Systems infected by W32/Lioten scan for 445/tcp. By watching for this scanning activity, attackers are able to easily identify targets with weak passwords and can subsequently compromise those systems for use in other attacks. Additionally, as with other self-propagating malicious code, W32/Lioten may cause DoS conditions in networks where multiple systems are affected.

Systems Affected
Systems running Microsoft Windows 2000

Restrict or disable null sessions
Depending on the services your systems are required to provide, it may be possible to restrict or disable anonymous null sessions on your Windows 2000 hosts. This can be done through the HKLM\SYSTEM\CurrentControlSet\Control\LSA key.

Note that this configuration could cause problems in certain network environments.

Windows XP sets the RestrictAnonymousSam key to 0x1 by default. Therefore, unless this setting has been altered by the system administrator, W32/Lioten should not be able to retrieve the account list via a null session on Windows XP systems.

Require strong passwords
W32/Lioten exploits weak or null passwords in order to propagate, so requiring strong passwords helps keep it from infecting your systems.

Ingress/egress filtering
Ingress filtering manages the flow of traffic as it enters a network under your administrative control. In the network usage policy of many sites, external hosts are only permitted to initiate inbound traffic to machines that provide public services on specific ports. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services.

Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for internal systems to access NetBIOS shares across the Internet.

In the case of W32/Lioten, blocking connections to port 445/tcp from entering or leaving your network reduces the risk of external infected systems attacking hosts inside your network or vice-versa.
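The two W32/Lioten symptoms described above (a single source contacting many hosts on 445/tcp, and 445/tcp connections crossing the network perimeter that ingress or egress filtering would have dropped) can both be checked from firewall logs. The following is an added example, not code from this article or from any vendor: it runs over a few constructed log lines in a simplified, made-up format, reports sources whose distinct-destination count on 445/tcp exceeds a threshold, and counts inbound and outbound perimeter crossings on that port. The internal address ranges, the log format and the threshold of 20 are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Address space assumed to be "inside" the perimeter for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed, simplified firewall log format; real firewalls log differently.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smb_records(lines):
    """Yield only parsed 445/tcp records; other ports and junk lines are skipped."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == 445:
            yield rec


def find_445_scanners(lines, threshold=20):
    """Sources that contacted at least `threshold` distinct hosts on 445/tcp,
    the scanning behaviour the text lists as a symptom of infection."""
    targets = defaultdict(set)
    for rec in smb_records(lines):
        targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def perimeter_crossings(lines):
    """Count 445/tcp connections crossing the perimeter: inbound (external to
    internal, what ingress filtering drops) and outbound (internal to external,
    what egress filtering drops). Internal-to-internal traffic is not counted."""
    counts = {"inbound": 0, "outbound": 0}
    for rec in smb_records(lines):
        src_in, dst_in = is_internal(rec["src"]), is_internal(rec["dst"])
        if not src_in and dst_in:
            counts["inbound"] += 1
        elif src_in and not dst_in:
            counts["outbound"] += 1
    return counts


def sample_log():
    """Constructed log: one internal host sweeping 25 neighbours on 445/tcp,
    some benign internal file-sharing traffic, one inbound and one outbound
    perimeter crossing on 445/tcp, an unrelated port-80 line and a junk line."""
    lines = [f"2003-02-05T10:00:{i:02d} src=10.0.0.5 dst=192.168.1.{i} "
             f"proto=tcp dport=445 action=allow" for i in range(1, 26)]
    lines += [
        "2003-02-05T10:01:00 src=10.0.0.7 dst=10.0.0.8 proto=tcp dport=445 action=allow",
        "2003-02-05T10:01:05 src=10.0.0.7 dst=10.0.0.8 proto=tcp dport=445 action=allow",
        "2003-02-05T10:01:10 src=203.0.113.9 dst=10.0.0.5 proto=tcp dport=445 action=allow",
        "2003-02-05T10:01:15 src=10.0.0.5 dst=198.51.100.4 proto=tcp dport=445 action=allow",
        "2003-02-05T10:01:20 src=10.0.0.9 dst=198.51.100.4 proto=tcp dport=80 action=allow",
        "garbage line that does not parse",
    ]
    return lines


if __name__ == "__main__":
    log = sample_log()
    print("445/tcp scanners:", find_445_scanners(log))
    print("perimeter crossings on 445/tcp:", perimeter_crossings(log))
```

In the constructed log the sweeping host is the only source over the threshold, and the two perimeter crossings are exactly the connections that the border filter described above would have refused; a non-zero count there after the filter is in place is itself worth investigating.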

Buffer Overflow in Microsoft Windows Shell
A buffer overflow vulnerability exists in the Microsoft Windows Shell. An attacker can use this vulnerability by luring a user to read a malicious e-mail message, visit a malicious web page, or browse to a folder containing a malicious .MP3 or .WMA file. The attacker can then either execute arbitrary code (which would run with the privileges of the victim) or crash the Windows Shell.

The Windows Shell is responsible for providing the basic framework of the Windows user interface. It is better known to users as the Windows Desktop, but it also provides a variety of other functions that help define the user's computing session. Browsing and organizing local and remote files and folders, providing the means to start applications, running wizards, and performing configuration tasks are examples of operations that use the Windows Shell.

The vulnerability exists in the Windows Shell function used to extract attribute information from audio files. This function is invoked automatically when a user browses to a folder containing .MP3 or .WMA files.

Systems Affected
All versions of Microsoft Windows XP

Microsoft is actively deploying the patch for this vulnerability via Windows Update.

Vendor Information
Microsoft Corporation

