INTRODUCTION
A5.com was tasked to perform a Security Auditor's Research Assistant (SARA) security scan on hosts on the 169.100.98.0-26 sub-nets. The SARA scan was performed to identify potential security vulnerabilities in the 169.100.98.0-26 sub-domain. The SARA scan was completed on 2002/07/02 and its scan mode was set to heavy. The version of SARA used was 3.6.2.
DISCUSSION
SARA is a third generation security analysis tool that analyzes network-based services on the target computers. SARA classifies a detected service in one of five categories:
A total of 25 devices were detected of which 3 are possibly vulnerable.
| Color | Hosts |
|---|---|
| Green | 20 |
| Grey | 2 |
| Red | 2 |
| Yellow | 0 |
| Brown | 1 |
Figure 1 Host Summary by Color
The SARA scan results are distributed as three appendices to this paper:
Appendices are hyper-linked to assist the reader in navigating through this report. The report includes information on all non-Windows hosts that have one or more vulnerabilities. In addition, Windows hosts that have Red and/or Yellow vulnerabilities are also included.
RECOMMENDATION
The identified hosts should be analyzed immediately.
| Host Name | IP Address | Host Type | Green | Red | Yellow | Brown | FP |
|---|---|---|---|---|---|---|---|
| isdnbox.mydomain.com | 169.100.98.1 | Shiva AccessPort | | | | | 0 |
| news.mydomain.com | 169.100.98.59 | SCO TCP | | | | | 0 |
| pc1.mydomain.com | 169.100.98.2 | unknown type | | | | | 0 |
| pc10.mydomain.com | 169.100.98.11 | Windows | | | | | 0 |
| pc11.mydomain.com | 169.100.98.12 | Windows | | | | | 0 |
| pc12.mydomain.com | 169.100.98.13 | Windows | | | | | 0 |
| pc14.mydomain.com | 169.100.98.15 | Windows | | | | | 0 |
| pc18.mydomain.com | 169.100.98.19 | Windows | | | | | 0 |
| pc19.mydomain.com | 169.100.98.20 | Windows | | | | | 0 |
| pc2.mydomain.com | 169.100.98.3 | Windows | | | | | 0 |
| pc20.mydomain.com | 169.100.98.21 | Windows | | | | | 0 |
| pc22.mydomain.com | 169.100.98.23 | Windows | | | | | 0 |
| pc23.mydomain.com | 169.100.98.24 | Windows | | | | | 0 |
| pc3.mydomain.com | 169.100.98.4 | Windows | | | | | 0 |
| pc4.mydomain.com | 169.100.98.5 | Windows | | | | | 0 |
| pc42.mydomain.com | 169.100.98.43 | Windows | | | | | 0 |
| pc5.mydomain.com | 169.100.98.6 | Windows | | | | | 0 |
| pc50.mydomain.com | 169.100.98.51 | Windows | | | | | 0 |
| pc59.mydomain.com | 169.100.98.60 | Windows | | | | | 0 |
| pc6.mydomain.com | 169.100.98.7 | Windows | | | | | 0 |
| pc61.mydomain.com | 169.100.98.62 | Windows | | | | | 0 |
| pc7.mydomain.com | 169.100.98.8 | Windows | | | | | 0 |
| pc8.mydomain.com | 169.100.98.9 | Windows | | | | | 0 |
| pc9.mydomain.com | 169.100.98.10 | Windows | | | | | 0 |
Host: pc62.mydomain.com
Host: isdnbox.mydomain.com
Vulnerability information:
Host: news.mydomain.com
Vulnerability information:
Host: pc1.mydomain.com
Host: pc10.mydomain.com
Host: pc11.mydomain.com
Host: pc12.mydomain.com
Host: pc14.mydomain.com
Vulnerability information:
Host: pc18.mydomain.com
Host: pc19.mydomain.com
Host: pc2.mydomain.com
Host: pc20.mydomain.com
Host: pc22.mydomain.com
Host: pc23.mydomain.com
Host: pc3.mydomain.com
Host: pc4.mydomain.com
Host: pc42.mydomain.com
Host: pc5.mydomain.com
Host: pc50.mydomain.com
Host: pc59.mydomain.com
Host: pc6.mydomain.com
Host: pc61.mydomain.com
Host: pc7.mydomain.com
Host: pc8.mydomain.com
Host: pc9.mydomain.com
Root Access via Buffer Overflow (RED)
User Shell Problems (RED)
User Writing File Problems (RED)
Target for Abuse (YELLOW)
Possible Vulnerabilities (BROWN)
Limit Internet Access? (BROWN)
DNS Vulnerabilities
Impact
There are numerous vulnerabilities in Domain Name Servers (DNS) that are documented in the CERT Advisories. The two principal areas are:
Problems
BIND 4.9 releases and BIND 8 releases prior to 8.2.3 do not properly bounds check a memory copy when responding to an inverse query request. An improperly or maliciously formatted inverse query on a TCP stream can crash the server or allow an attacker to gain root privileges.
BIND 4.9 releases and BIND 8 releases prior to 8.2.3 do not properly bounds check many memory references in the server and the resolver. An improperly or maliciously formatted DNS message can cause the server to read from invalid memory locations, yielding garbage record data or crashing the server. Many DNS utilities that process DNS messages (e.g., dig and nslookup) also fail to do proper bounds checking. BIND 4.9 releases and BIND 8 releases prior to 8.2.3 have a variety of other security issues; you can review them at BIND Security.
Resolutions
To resolve these problems, upgrade to the latest version of BIND. If this is not feasible, you can apply a patch or use a workaround, as described in the various CERT Advisories. Refer to SecurityFocus bid 2302 and bid 2304.
CVE Reference(s):
Doubtful Internet Service
Summary
SARA has detected a trivial or hacker-useful Internet service running on the target machine.
The problem
Many useless or hacker-useful Internet services are enabled by default 'out of the box'. Services include rlogin, rsh, netstat, systat, sprayd, and walld. Wherever possible, these services should be disabled.
Fix
Disable all doubtful services in /etc/inetd.conf and reboot the system (Unix). Disable all doubtful services in the Control Panel/Services (Windows).
Common Gateway Interface (CGI) Access
Impact
Many Web servers support dynamic page generation through CGI, related scripting, and remote program execution. Several of these scripts/programs expose vulnerabilities in the Web server, including:
| Exploit | CVE | Characteristic | Reference |
|---|---|---|---|
| webdist | 1999-0039 | Execute commands on IRIX Web Server | http://www.securityfocus.com/bid/374 |
| phf | 1999-0067 | Execute commands on Web Server | http://www.securityfocus.com/bid/629 |
| htmlscript | 1999-0264 | Access files on Web Server | http://xforce.iss.net/static/1466.php |
| php | 1999-0058 | View files on Web Server | http://www.securityfocus.com/bid/911 |
| counter | 1999-0021 | Execute commands on Web Server | http://www.securityfocus.com/bid/128 |
| jj | 1999-0260 | View files on Web Server | http://xforce.iss.net/static/1808.php |
| pfdispaly | 1999-0270 | Access files on Web Server | http://www.securityfocus.com/bid/64 |
| faxsurvey | 1999-0262 | Execute commands on Web Server | http://xforce.iss.net/static/1532.php |
| view_source | 1999-0174 | View files on Web Server | http://www.securityfocus.com/bid/303 |
| htsearch | 2000-0208 | View files on Web Server | http://www.securityfocus.com/bid/1026 |
| FrontPage | | Access to files on Web Server | http://xforce.iss.net/static/3682.php |
| rds | | Execute commands on IIS Server | http://xforce.iss.net/static/1212.php |
| ezshopper | | Execute commands on Web Server | http://xforce.iss.net/static/4044.php |
| mylog | 1999-0068 | View files on Web Server | http://xforce.iss.net/static/1468.php |
| mlog | 1999-0346 | View files on Web Server | http://xforce.iss.net/static/1505.php |
| jetadmin | | View files on Web Server | http://xforce.iss.net/static/4525.php |
| big brother | | View files on Web Server | http://xforce.iss.net/static/4879.php |
| source.asp | | Write files on Apache Servers | http://xforce.iss.net/static/4931.php |
| pollit cgi | | View files on Web Server | http://xforce.iss.net/static/4878.php |
| PUT Request | | Write files on Web Server | Check permissions for / and /cgi-bin |
| PHP | | Execute commands on Web Server | http://www.securityfocus.com/bid/1786 |
| Web Shopper | | Read files on Web Server | http://www.securityfocus.com/bid/1776 |
| Shopping Cart | | Read files on Web Server | http://www.securityfocus.com/bid/1777 |
| Netauth CGI | | dot-dot directory traversal | http://www.securityfocus.com/bid/1587 |
| calendar.pl | | Execute files on server | http://www.securityfocus.com/bid/1215 |
| (command execution) | | Execute commands on IIS server | http://www.securityfocus.com/bid/1806, www.nsfocus.com/english/homepage/sa01-02.htm |
| Bugzilla | | Execute commands on Bugzilla server | http://www.securityfocus.com/bid/2671 |
Resolution
Resolution of each exploit is provided in the Reference column of the table above.
CVE Reference(s):
Vulnerable IMAP and POP Versions
Impact
Remote users may gain root access on systems running an IMAP or POP server that is vulnerable to buffer overflow attacks. Access to an account on the system is not needed to exploit this vulnerability.
Background
IMAP provides remote access to a user's mailbox. It maintains a list of unread as well as read messages so that a user gets the same "view" in a multiple mail client environment.
POP is similar to IMAP, but all received mail is loaded to the mail client. That is, the client connects to the server to download the mail that the server is holding for the client. The mail is then deleted from the server and is handled offline (locally) on the client machine.
The Problem
This vulnerability allows remote intruders to execute arbitrary commands under the privileges of the process running the vulnerable IMAP server. If the vulnerable IMAP server is running as root, remote intruders can gain root access.
Resolution
Install a patch from your vendor or upgrade to the latest version of IMAP. If your POP server is based on the University of Washington IMAP server code, you should also upgrade to the latest version of IMAP. Until you can take one of the above actions, temporarily disable the POP and IMAP services. On many systems, you will need to edit the /etc/inetd.conf file. However, you should check your vendor's documentation because systems vary in file location and the exact changes required (for example, sending the inetd process a HUP signal or killing and restarting the daemon).
Where can I read more about this?
CVE Reference(s):
Improper Login Banner (telnet)
Summary
SARA has determined that the telnet login banner is not adequate for proper security.
The problem
SARA conducts a simple test on the pre-login banner of a telnet session by looking for the word Unauthorized or unauthorized. If neither word is found, a warning is reported in the SARA database.
Fix
Build a proper pre-login banner. For example, on Linux systems the pre-login banner is contained in /etc/issue.net.
Microsoft SQL Server
Summary
Many implementations of Microsoft SQL Server (both standalone and embedded) have an open system administrator (SA) account. This could enable a malicious user to execute arbitrary commands on the target machine.
Microsoft SQL Server 2000 has been reported to contain multiple vulnerabilities. These include heap and stack based buffer overflows and network denial of services attacks. (27 May 2002)
Fix
Confirm that the SA password is not null, blank, or an application default.
Check the Microsoft site for patches to SQL Server 2000. As of 27 May 2002, there are no patches.
Reference(s):
http://www.cert.org/summaries/CS-2002-02.html
http://online.securityfocus.com/bid/4847
Unrestricted SMB Access
Summary
Server Message Block (SMB) file shares are world accessible. SARA was able to access an SMB share and obtain a directory listing of the indicated share. An attempt was also made to write to the share; if it succeeded, the label "(r/w)" was added to the SARA report element for that share.
The Problem
This vulnerability allows hackers to access files that have been "shared" to the world without the need of a password or special account.
Fix
CVE Reference(s):
Possible DoS (fraggle) Problem
Impact
Your machine may be vulnerable to certain types of Denial of Service attacks (Fraggle, Smurf and Papasmurf). These DoS attacks affect Windows 95 and Windows NT 4.0 machines. These attacks will cause a loss of connectivity to the Internet and may slow network activity to a crawl.
Background
The Fraggle attack, and other attacks of this type such as Smurf and Papasmurf, is the most recent in the category of network-level attacks against hosts. Smurf, and Smurf-type attacks, begin when a hacker sends a large amount of ICMP echo (ping) traffic to a subnet broadcast address (say, for instance, xxx.xxx.xxx.255; the 255 marks this as a broadcast address). This traffic will have a spoofed return address, which is the address of the intended victim of the attack. When individual machines on the network receive the ICMP echo requests, they will reply with an echo reply. These replies will all go to the address spoofed in the original ICMP echo requests. On networks with a large number of systems, the traffic generated can be voluminous indeed. The system that is the victim of the attack (the one at the spoofed IP address) quickly becomes overwhelmed by incoming traffic and will almost certainly lose connectivity to the Internet.
Actually, there are two victims of this type of attack when it is run: the network that is exploited to generate the ICMP traffic (called the intermediary, or "helper" network) and the system indicated by the spoofed IP address.
The Fraggle DoS attack is essentially based on the same concept as the Smurf attack (namely that generating huge amounts of network traffic will disable a machine or cause it to lose connectivity to the Internet), but uses UDP instead of ICMP. Although it is not as serious as some other attacks of this type, it will still generate a huge amount of network traffic. Here is how it works: a hacker is armed with a list of broadcast addresses, to which he/she sends spoofed UDP packets. Usually the packets are directed to port 7 on the target machines, which is the echo port. Other times they are directed to the chargen port (a port that generates a stream of characters when queried). Sometimes a hacker is able to set up a loop between the echo and chargen ports, generating that much more network traffic (this attack generally works on NT boxes).
The result of this attack is, as stated earlier, a massive amount of traffic on the network. Whole networks may crawl to a stop and individual systems may lose connectivity to the Internet and/or, in some cases, crash.
The Problem
The Fraggle attack, and its variations, may affect individual machines as well as entire networks. Affected networks and/or systems will become bogged down with large amounts of network traffic, and users on affected systems may lose connectivity to the Internet. The Smurf attack and its many variations have been known to last for a period of hours up to a day or more.
Resolutions
The key to protecting against, and suppressing, these types of attacks is to ensure that your network will not be used as an intermediary. This may be done by configuring routers to not allow IP directed-broadcast transmissions (on Cisco routers, use the "no ip directed-broadcast" interface command). All routers that provide routing to large multi-access broadcast networks, in other words LANs with more than 5 to 10 devices, should be configured in this way. This resolution is indirect, but is, at this point, the surest method for eliminating these types of attacks.
Unfortunately, there is no sure method for protecting against being the ultimate target of Smurf-type attacks. For the Smurf attack, the surest and safest fix is to configure routers to turn away all incoming ICMP packets. Unfortunately, this will render several ICMP-dependent services, such as ping and traceroute, unusable. Other router configuration methods do exist, and you may read about them in PSI's Filter Configuration page. Other methods, such as ICMP filtering and dropping excess packets at network border routers, are not foolproof but may help alleviate the symptoms of Smurf-type attacks. These methods are described in WinPlanet's Smurf Exploit page, and also in RFC 2267. If you suspect that you have been the victim of a Smurf attack, you may want to download the Smurf Logger, which will allow you to log future Smurf attacks (and other information, such as the broadcast address being used as the intermediary).
As with the Smurf attack, the Fraggle attack is particularly hard to defend against. Some suggestions include blocking broadcast UDP at the router, and perhaps blocking UDP at all terminal servers as well (to prevent malicious network users from flooding out the network). Read the Smurf information above for more information on router configuration tips and border router packet filtering techniques that may prove useful in defending against these types of attacks.
Where can I read more about this?
Visit Rootshell to read about the Fraggle and Papasmurf Denial of Service attacks.
You can read more about the Smurf attack at Rootshell's Smurf page. Another good source of information is Craig A. Huegen's Smurf Whitepaper. Be sure also to read the Smurf information in CERT Advisory 98.01.
CVE Reference(s):
Printer Version
Summary
A buffer overflow exists in the LPRng printer spooler found on newer Linux and other Unix systems. Versions below LPRng 3.6.24-1 are vulnerable.
A buffer overrun exists in the 'netpr' program, part of the SUNWpcu (LP) package included with Solaris, from Sun Microsystems. Versions of netpr on Solaris 2.6 and 7 are affected.
A buffer overflow exists in the in.lpd program, part of the Solaris 6, 7, and 8 systems.
The problem
By specifying a long buffer containing machine executable code, it is possible to execute arbitrary commands as root.
LPRng contains a function, use_syslog(), that passes user-supplied input to syslog() as the format string. As a result, it is possible to corrupt the program's flow of execution by supplying malicious format specifiers. In testing, this has been exploited to remotely elevate privileges.
On Sparc, the netpr exploits will spawn a root shell, whereas on x86 it will create a setuid root shell in /tmp.
On all Solaris 2.6, 2.7, and 2.8 platforms, the unpatched in.lpd is also vulnerable to a buffer overflow attack resulting in remote root privileges.
Fix
Patches are available for LPRng from most Linux vendors. Upgrade or patch to a non-vulnerable version.
Refer to http://www.sun.com/ for relevant patches.
Reference(s):
Securityfocus Security Advisory bid 1712
Vulnerable Web Server
Impact
IIS:
Microsoft placed a password backdoor in their IIS 4 and IIS 5 products. Knowledge of the password can give a user access to certain Web administrator operations.
WebSite Pro:
BEA Weblogic:
Apache:
Background
IIS:
Microsoft installed a password backdoor in IIS 4.0 and IIS 5.0 servers where they could access and control Web servers.
Netscape:
BEA Weblogic:
Apache:
Resolution
IIS:
On 10 April 2002, Microsoft released 10 advisories on various vulnerabilities with IIS 4.0, 5.0, and 5.1. Refer to Microsoft Technet Bulletin MS02-018.
On 27 April 2002, SecurityFocus released an additional advisory on HTR ISAPI and recommended that the htr extension be disabled.
Reference: www.securityfocus.com/bid/2674
As of 15 May 2001, Microsoft has not issued an advisory on the password backdoor. However, various CERTs have stated that Microsoft recommends deleting the dvwssr.dll file in any of the FrontPage directories.
Netscape:
Reference: X-Force advisory 39
WebSite Pro:
Reference: CIS advisories
BEA Weblogic:
Reference: www.securityfocus.com/bid/1570
Apache:
Reference: www.securityfocus.com/bid/1728
CVE Reference(s):
Mail Relay Problem
Impact
Many versions of the sendmail program and other mail transport agents (MTAs) do not provide sufficient safeguards against malicious users sending spam mail through a third-party computer. Further, the spam mail will often have a forged source address.
Background
Until 1999, most implementations of sendmail and its clones provided little checking of source and destination addresses. For example, a user on host A could use the sendmail on host B to send mail to a user on host C with a source email address from host D. In other words, a hacker on foo.bar.com could use the sendmail at host1.swipnet.se to send a message to 5,000 users with the source address of president@whitehouse.gov.
Similar problems have been detected with Microsoft Mail and Microsoft Exchange products. However, older Microsoft products report a relay operation when none occurred (false positive).
Some MTAs may time out during SARA testing. In these cases, the MTA must be exercised manually to determine if it is a relay.
Resolution
Vendor patches and workarounds to protect against this vulnerability are available. If your vendor does not have an upgrade, current versions of sendmail are available from sendmail.org. In addition, sendmail.org has an excellent tutorial on the subject.
Simple Network Management Protocol (SNMP) Access
Impact
SNMP provides useful information to the hacker on the characteristics of the target host. In addition, several vendors have poorly protected "private" Management Information Blocks (MIBs) that can control the target.
Resolution
Determine if your host requires SNMP. On many systems it is installed "out of the box". Unless your enterprise uses SNMP for system management, it may be prudent to simply "turn it off". Check with your vendor on the easiest method for deactivating SNMP.
If SNMP is required, check with your network management group to see if access can be limited to the enterprise. Routers and firewalls provide this facility.
If SNMP must be available over the Internet, check with the CERT to determine if your configuration may be vulnerable.