[pchelpers] Security and virus alerts from www.ventuer.com
- From: "Robert Weyer" <rweyer@xxxxxxxxx>
- To: "Jim Pardue j" <pardue@xxxxxxxxx>,"Doug West" <Doug@xxxxxxxxxx>, "JW_Tech" <JW_Tech@xxxxxxxxxxxxxxx>,"pchelpers" <pchelpers@xxxxxxxxxxxxx>
- Date: Tue, 30 Jul 2002 22:00:16 -0500
I just got this email alert from a service I subscribe to. It seems there
are some new viruses and new variations of others just reported on and fixes
found including Linux and SQL servers.
Bob Weyer
++++++++++++++++++++++++
THIS MESSAGE IS A PUBLIC SECURITY NOTICE OFFERED BY
VENTUER SERVICES, INC. THERE SHOULD BE NO ATTACHMENTS TO
THIS MESSAGE.
FOR MORE INFORMATION ON CURRENT VIRUS ALERTS, FIXES, AND
INTERNET SECURITY STRATEGIES, CONTACT US THROUGH ANY OF
THE FOLLOWING METHODS.
Web page: http://WWW.VENTUER.COM
Email : INFO@xxxxxxxxxxx
Phone : 1-877-VENTUER
========================================
In this issue...
========================================
** W32.Langex@mm
** W32.Urick.A@mm
** Multiple Vulnerabilities in SQL Server 2000
** PHP multipart/form-data POST parsing error allows
arbitrary code
** Redhat Linux : Updated util-linux package fixes
password locking race
====================
W32.Langex@mm
====================
Discovered on: July 28, 2002
W32.Langex@mm is a mass-mailing worm that uses MAPI to
replicate. The subject of the mail is variable as the worm
simply replies to emails it finds on an infected system.
The name of the attachment is lang.exe. This worm contains
no payload.
http://securityresponse.symantec.com/avcenter/venc/data/w32.langex@xxxxxxx
====================
W32.Urick.A@mm
====================
Discovered on: July 25, 2002
W32.Urick.A@mm is a mass-mailing worm that sends itself to
all addresses in the Microsoft Outlook Address Book. The
email message has the following characteristics:
Subject: A Windows Trick
Attachment: The file name varies, but it has the double
extension .jpg.exe.
http://securityresponse.symantec.com/avcenter/venc/data/w32.urick.a@xxxxxxx
=================================================================
Multiple Vulnerabilities in SQL Server 2000
=================================================================
Risk:
Medium
Date:
July 25, 2002
Summary:
Last night, Microsoft released two Security Bulletins
describing numerous vulnerabilities in SQL Server 2000.
These security bulletins can be divided into two
low-to-moderate risk vulnerabilities, and three critical
risk vulnerabilities. A hacker could exploit these
vulnerabilities to cause a Denial of Service, take control
of your SQL database, or possibly even gain control over
the entire SQL Server. Administrators running Microsoft
SQL Server 2000 should download, test, and install
Microsoft's critical SQL patch as soon as possible, and
might as well apply the moderate patch at the same time.
Exposure:
Microsoft describes a total of five SQL Server
vulnerabilities, split into two Security Bulletins.
Security Bulletin MS02-039: Critical Vulnerabilities in
the SQL Server 2000 Resolution Service
Normally, clients communicate with a SQL Server using the
standard SQL port (TCP port 1433). However, SQL Server
2000 introduced the ability to run multiple instances of
SQL Server on a single machine. When you are running more
than one instance of SQL Server on the same machine, each
instance cannot use the same port to communicate. The SQL
Server Resolution Service enables multiple instances of
SQL Server to use different ports to communicate. Clients
connect to the Resolution Service on UDP port 1434; then
the service tells each client what port it must contact to
reach the desired instance of SQL Server.
In Security Bulletin 039, Microsoft describes three
vulnerabilities in the SQL Server 2000 Resolution Service:
* Two buffer overflows. One buffer overflow affects
stack memory, while the other affects heap memory. By
sending the Resolution Service a specially crafted query,
a hacker could exploit these vulnerabilities to either
crash your SQL service or execute code. In the event of a
crash, you would have to restart the SQL service to regain
access to your database. If the hacker were able to
execute code, it would execute with the privileges of the
SQL Service. By default, these privileges give the hacker
full control of your SQL database, but no control over the
server itself. However, if during SQL Server installation
you chose to install SQL Server with higher privileges, it
is possible for the SQL Service to give the hacker
complete control of your system.
* A Denial of Service. An attacker can significantly
slow the performance of a SQL Server using a specially
crafted "keep-alive" packet. "Keep-alive" packets keep an
idle connection open when normally the connection would
time out and close. An attacker can send a specially
crafted "keep-alive" query that evokes an
identical-looking "keep-alive" reply from the server he
sends it to. When an attacker sends this specially crafted
"keep-alive" query to a SQL Server, he can also spoof his
return address, replacing it with the address of another
SQL Server he knows of. Since the specially-crafted query
generates an identical query, both SQL Servers will
continuously send "keep-alive" queries to one another in
an endless loop, significantly slowing their performance.
An administrator would have to reboot one of the SQL
Servers to break this loop. How severely the SQL servers'
performance degrades depends upon their processor speed
and how many servers were involved in the attack.
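The two Resolution Service problems above leave different traces on the wire: the overflow needs a UDP/1434 datagram to reach the server from somewhere it should not, and the spoofed "keep-alive" loop shows up as two SQL Servers exchanging UDP/1434 traffic in both directions. The following detection helper is an added example for this newsletter, not vendor or newsletter code. It assumes a hypothetical space-separated firewall log format, a constructed trusted range of 10.0.0.0/8, and that in the loop case both the source and destination port are 1434 (the server answers from its own 1434 port and the spoofed datagram named the other server's 1434 port).

```python
"""Detection helper for the SQL Server 2000 Resolution Service (UDP 1434)
issues in MS02-039.  Added example; log format and addresses are constructed.
"""
import ipaddress
import re
from collections import Counter

# Constructed: the address ranges from which UDP/1434 traffic is expected.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

SSRS_PORT = 1434  # the Resolution Service listens here on UDP

# Constructed sample log lines (hypothetical format, not any real firewall's):
# timestamp action proto src:port -> dst:port
SAMPLE_LOG = """\
2002-07-30T22:00:01 ACCEPT UDP 10.0.1.5:49321 -> 10.0.2.10:1434
2002-07-30T22:00:02 ACCEPT UDP 198.51.100.7:40001 -> 10.0.2.10:1434
2002-07-30T22:00:03 ACCEPT UDP 10.0.2.10:1434 -> 10.0.2.11:1434
2002-07-30T22:00:03 ACCEPT UDP 10.0.2.11:1434 -> 10.0.2.10:1434
2002-07-30T22:00:04 ACCEPT UDP 10.0.2.10:1434 -> 10.0.2.11:1434
2002-07-30T22:00:04 ACCEPT UDP 10.0.2.11:1434 -> 10.0.2.10:1434
2002-07-30T22:00:05 ACCEPT TCP 10.0.1.5:50000 -> 10.0.2.10:1433
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Fields of one log line as a dict, or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def external_ssrs_probes(log_text):
    """UDP/1434 datagrams whose source lies outside the trusted ranges.
    Each hit is (timestamp, source, destination)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["proto"] == "UDP" and rec["dport"] == SSRS_PORT
                and not is_trusted(rec["src"])):
            hits.append((rec["ts"], rec["src"], rec["dst"]))
    return hits


def keepalive_loops(log_text, min_each_way=2):
    """Host pairs sending UDP 1434 -> 1434 datagrams to each other at least
    min_each_way times in each direction: the reflected keep-alive loop."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["proto"] == "UDP" and rec["dport"] == SSRS_PORT
                and rec["sport"] == SSRS_PORT):
            counts[(rec["src"], rec["dst"])] += 1
    loops = set()
    for (a, b), n in counts.items():
        if n >= min_each_way and counts[(b, a)] >= min_each_way:
            loops.add(frozenset((a, b)))
    return sorted(tuple(sorted(pair)) for pair in loops)


if __name__ == "__main__":
    for ts, src, dst in external_ssrs_probes(SAMPLE_LOG):
        print(f"{ts} UDP/1434 from outside trusted nets: {src} -> {dst}")
    for a, b in keepalive_loops(SAMPLE_LOG):
        print(f"possible keep-alive loop between {a} and {b}")
```

On the constructed sample the first check flags the 198.51.100.7 datagram and the second reports the 10.0.2.10/10.0.2.11 pair; the 1433 TCP connection and the internal client query on line one are ignored. Blocking UDP/1434 at the perimeter removes the first case entirely, which is why the probe check is keyed on the source address rather than on payload.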
Security Bulletin MS02-038: Two Vulnerabilities in the SQL
Server 2000 Utilities
In Security Bulletin 038, Microsoft describes two
vulnerabilities found in SQL Server 2000 utilities. These
vulnerabilities also affect Microsoft SQL Server Desktop
Engine (MSDE) 2000.
* SQL Server 2000 includes a collection of console
commands called Database Consistency Checkers (DBCCs),
which provide SQL administrators with ways to perform
certain housekeeping tasks on their databases. Cesar
Cerrudo found buffer overflow vulnerabilities in many of
these DBCC utilities. By running the vulnerable DBCCs with
specially crafted input, a hacker could exploit these
buffer overflows to crash the SQL service or execute code
with the SQL Service's privileges. However, the DBCCs in
question require significant privilege to run in the first
place. Only users who already have full control over at
least one database can run these utilities. Also, the
attack only elevates the attacker's privileges to that of
the SQL Service. By default, this gives the attacker
control over all SQL databases, but no control over the
server itself. In short, this is mostly an internal
threat.
* The second vulnerability is a complex attack that
requires many factors in order to succeed. It requires
exploiting a SQL feature that is disabled by default, and
also requires the attacker to have significant access to
the SQL Server in the first place. If successful, an
attacker could exploit this attack to run operating system
commands. Because there are simpler ways to achieve that
goal, we think it unlikely that hackers would bother with
this vulnerability. Feel free to read Microsoft's Security
Bulletin if you want full details pertaining to this
attack.
Solution Path:
Administrators using Microsoft SQL Server 2000 should
download, test, and install Microsoft's critical SQL patch
pertaining to MS02-039 as soon as possible. Although the
second SQL patch (pertaining to MS02-038) ranks as a lower
priority, administrators might as well apply it at the
same time.
=================================================================
PHP multipart/form-data POST parsing error allows
arbitrary code
=================================================================
Risk
High
Date Discovered
07-22-2002
Description
A vulnerability exists in the PHP parsing code that
handles file uploads (multipart/form-data). By sending a
specially crafted POST request to the Web server that
corrupts the internal data structures used by PHP, a
remote attacker can run arbitrary code with privileges of
the Web server and, potentially, gain privileged access.
PHP is a popular HTML-embedded scripting language used to
create dynamically generated Web pages.
PHP versions starting with 4.2.0 contain updated
multipart/form-data handler code to intelligently parse
HTTP POST request headers and differentiate variables and
files sent by the user agent in a multipart/form-data
request. The parser, however, fails to provide sufficient
input checking in the way the mime headers are processed.
Anyone who can send HTTP POST requests to an affected Web
server can exploit the vulnerability to compromise the web
server and, under certain conditions, gain privileged
access.
PHP running on x86 platforms is currently verified to be
safe from the execution of arbitrary code. However, the
vulnerability can still be exploited against x86 platforms
to crash PHP and, in most cases, the Web server.
Platforms Affected
Multiple
Components Affected
Apache Software Foundation PHP 4.2.0, 4.2.1
Recommendations
Upgrade: Upgrade to latest version of PHP
The vendor has announced that a fixed version is
forthcoming or is doing research to determine
product/version vulnerability to the issue. Upgrading to
latest version of PHP fixes this vulnerability.
Current versions of PHP are available for download from:
http://www.php.net/downloads.php
Workaround: PHP multipart/form-data POST handler error
workaround
If you are unable or unwilling to upgrade to PHP 4.2.2 or
later and the PHP applications on an affected web server
do not rely on HTTP POST input from user agents, you can
deny POST requests on the Web server.
For example, in the Apache Web server you can deny POST
requests by including following code in the main
configuration file or a top-level .htaccess file:
<Limit POST>
Order deny,allow
Deny from all
</Limit>
Note that an existing configuration and/or .htaccess file
may have parameters that contradict this example.
References
Source: CERT CA-2002-21
URL: http://www.cert.org/advisories/CA-2002-21.html
Source: CERT CERT Vulnerability Note VU#929115
URL: http://www.kb.cert.org/vuls/id/929115
Source: Apache Software Foundation PHP Security Advisory:
Vulnerability in PHP versions 4.2.0 and 4.2.1
URL: http://www.php.net/release_4_2_2.php
==================================================
Updated util-linux package fixes password locking race
==================================================
Advisory: RHSA-2002:132-14
Last updated on: 2002-07-29
CVEs (cve.mitre.org): CAN-2002-0638
Details:
A locally exploitable vulnerability is present in the util-linux package
shipped with Red Hat Linux.
The util-linux package contains a large variety of low-level system
utilities that are necessary for a Linux system to function. The 'chfn'
utility included in this package allows users to modify personal
information stored in the system-wide password file, /etc/passwd. In order
to modify this file, this application is installed setuid root.
Under certain conditions, a carefully crafted attack sequence can be
performed to exploit a complex file locking and modification race present
in this utility, allowing changes to be made to /etc/passwd.
In order to successfully exploit the vulnerability and perform privilege
escalation, minimal administrator interaction is needed.
Additionally, the password file must be over 4 kilobytes, and the local
attacker's entry must not be in the last 4 kilobytes of the password file.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0638 to this issue.
An interim workaround is to remove setuid flags from /usr/bin/chfn and
/usr/bin/chsh. All users of Red Hat Linux should update to the errata
util-linux packages which contain a patch to correct this vulnerability.
Many thanks to Michal Zalewski of Bindview for alerting us to this issue.
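The advisory gives three concrete preconditions an administrator can check while waiting for the errata packages: whether chfn and chsh still carry the setuid bit (the interim workaround removes it), whether the password file exceeds 4 kilobytes, and which entries lie outside its last 4 kilobytes. The audit helper below is an added example written for this newsletter, not Red Hat's tooling. It assumes "4 kilobytes" means 4096 bytes and takes paths as parameters so it can be run against copies; the sample password file is constructed.

```python
"""Audit helper for the chfn/chsh locking race preconditions (CAN-2002-0638).
Added example, not Red Hat's code.
"""
import os
import stat

# The two setuid utilities named in the interim workaround.
SETUID_TARGETS = ["/usr/bin/chfn", "/usr/bin/chsh"]
# The advisory's "4 kilobytes", taken here as 4096 bytes (assumption).
RACE_WINDOW = 4096


def is_setuid(path):
    """True when the file exists and has the setuid bit set; False otherwise."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return bool(st.st_mode & stat.S_ISUID)


def exposed_entries(passwd_bytes, window=RACE_WINDOW):
    """Usernames whose passwd line begins before the last `window` bytes.

    Returns [] when the file is not larger than the window, because the
    advisory's size precondition is then not met at all.
    """
    size = len(passwd_bytes)
    if size <= window:
        return []
    cutoff = size - window
    names, offset = [], 0
    for line in passwd_bytes.splitlines(keepends=True):
        if offset < cutoff and b":" in line:
            names.append(line.split(b":", 1)[0].decode(errors="replace"))
        offset += len(line)
    return names


def audit(passwd_path="/etc/passwd", targets=SETUID_TARGETS):
    """Which targets are still setuid, and which passwd entries meet the
    size precondition.  A non-empty 'setuid' list with a non-empty 'exposed'
    list means the workaround has not been applied and the race is reachable."""
    with open(passwd_path, "rb") as f:
        data = f.read()
    return {"setuid": [p for p in targets if is_setuid(p)],
            "exposed": exposed_entries(data)}


def sample_passwd(n_filler=200):
    """Constructed password file: root and alice first, filler users, then
    mallory last, so that alice lies outside the final 4 KB but mallory
    does not."""
    lines = [b"root:x:0:0:root:/root:/bin/bash\n",
             b"alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"]
    for i in range(n_filler):
        lines.append(b"user%03d:x:%d:%d:Filler User %d:/home/user%03d:/bin/bash\n"
                     % (i, 2000 + i, 2000 + i, i, i))
    lines.append(b"mallory:x:3000:3000:Mallory:/home/mallory:/bin/bash\n")
    return b"".join(lines)


if __name__ == "__main__":
    report = audit()
    print("still setuid:", report["setuid"] or "none")
    print("entries outside the last 4 KB:", len(report["exposed"]))
```

Run as root on the system being audited it reads the real /etc/passwd; the constructed sample_passwd() is there so the size logic can be exercised without touching a live file. A system on which the targets list comes back empty has applied the workaround regardless of the file's size.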
Updated packages:
Red Hat Linux 6.2 Alpha
util-linux-2.10f-7.6.2.alpha.rpm
4e30115e7fd311ac8496637c03716473
Red Hat Linux 6.2 Sparc
util-linux-2.10f-7.6.2.sparc.rpm
fe28b4c80b9fe909c38f913b899ddb16
Red Hat Linux 6.2 i386
util-linux-2.10f-7.6.2.i386.rpm
e1c0e740d41aaddc7817604ed449e872
Red Hat Linux 7.0 Alpha
util-linux-2.10m-12.7.0.alpha.rpm
b2e1b30a837e440297acba35d13fab77
Red Hat Linux 7.0 i386
util-linux-2.10m-12.7.0.i386.rpm
af9aca214e81e4f306d49ed398a79f22
Red Hat Linux 7.1 Alpha
util-linux-2.11f-17.7.2.alpha.rpm
c3bc4100fdc6e4e7c4b524c16991f168
Red Hat Linux 7.1 i386
util-linux-2.11f-17.7.2.i386.rpm
668e4b28b07dcd9718744b2c59383bc2
Red Hat Linux 7.1 ia64
util-linux-2.11f-17.7.2.ia64.rpm
200e1661f445fca662f51d810f650448
Red Hat Linux 7.2 i386
util-linux-2.11f-17.7.2.i386.rpm
668e4b28b07dcd9718744b2c59383bc2
Red Hat Linux 7.2 ia64
util-linux-2.11f-17.7.2.ia64.rpm
200e1661f445fca662f51d810f650448
Red Hat Linux 7.3 i386
losetup-2.11n-12.7.3.i386.rpm
b1b6d7852f75d1014204b7853f656427
mount-2.11n-12.7.3.i386.rpm
496ec0a9c0720ba5bed7baa917114aac
util-linux-2.11n-12.7.3.i386.rpm
da8c81ee48c180694b89c9c99f543256
SRPMs
util-linux-2.10f-7.6.2.src.rpm
0af6265f350849394fc54ca7f006fd82
util-linux-2.10m-12.7.0.src.rpm
4aa3502469cc8255aea825cebe82d4db
util-linux-2.11f-17.7.2.src.rpm
dc87f0566da2f6a37443f9614cb1ff61
util-linux-2.11n-12.7.3.src.rpm
474988909a18c0f73a65de40bf946e92
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.
Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0638
http://www.kb.cert.org/vuls/id/405955
http://razor.bindview.com/publish/advisories/adv_chfn.html