Date: Wed, 23 Jun 1999 16:26:34
Subject: NTools E-NewsFlash - New NT Vulnerabilities
To: "Latest Win NT News"
From: nt-list-admin@lyris.sunbelt-software.com
Reply-To: comments@lyris.sunbelt-software.com
Precedence: bulk
****************************************************************
NTools E-NewsFlash - New NT Vulnerabilities
*****************************************************************
--- June 23, 1999 ---
STAT Version 2.0 Update 8 June 18, 1999.
This update contains the following additions/changes:
1. Added the following Vulnerabilities:
- 515 There is an insufficient buffer size problem in Kmddsp.tsp. This will
cause a Routing and Remote Access Server (RRAS) computer to stop
responding to incoming calls.
- 516 The Gasys.dll is a dynamic link library file used with getadmin.exe
to gain administrative privileges. It adds a user to the Admin group.
- 517 If the logon.scr screen saver file security permissions are other than
read only by Everyone, it can be renamed and replaced by any user to
gain increased privileges. For example, the usrmgr.exe file could be
renamed to logon.scr. When the screen saver is activated, the replaced
file (usrmgr.exe) will start as SYSTEM, giving the user the ability to
be added to the local administrator group.
Note: There is no 'Security' tab in the directory 'Properties' dialog
box when partitioned with the FAT file system instead of NTFS.
- 518 All the initialization and configuration information used by Windows
NT is stored in the registry. The Registry Editor supports remote
access to the Windows NT registry. When a user connects over the
network to the registry, the Server Service on the target computer
checks for the existence of the winreg key. If winreg is not present,
the connection is allowed. Hackers can gain remote access to the
registry if winreg is missing.
- 519 This user right allows users to log on at the domain controller using the
console keyboard, or at a workstation in a workgroup system. For domain
controllers, only administrators should have this right. This right
should be denied to Everyone and Guests on any type of Windows NT
operating system.
- 520 This allows a user to access the Shut Down option on the Start menu.
In a domain system, this applies only to the domain controllers. Users
can shut down workstations without restrictions. This right should be
denied to Everyone and Guests.
- 521 The Allaire ColdFusion web server has sample applications (Expression
Evaluator) and code that allows web users to view files anywhere on
the server. Web users also have the ability to upload files to the
server.
- 522 Microsoft Exchange protocols may no longer function properly after
applying Service Pack 4. Protocols such as LDAP SSL, POP3, and IMAP4
may fail.
- 523 A Dynamic Host Configuration Protocol (DHCP) server has IP address
reservations that are outside of the DHCP scope. After applying
Service Pack 4, clients that match these reservations no longer
receive IP addresses from the server.
- 524 A previous user's old password is visible to a third-party Gina.dll.
The Microsoft Msgina.dll file does not reset the old password flag
and the old password string. When a user changes his/her password,
MSGINA keeps a flag indicating that the password has changed and
stores the old password. When the next user logs on, this flag is
not reset and the previous user's.
- 525 Under stress, a computer running Windows NT Server or Workstation
with an outdated Win32k.sys may stop responding (hang) with a STOP
error message on a blue screen.
- 526 After applying Service Pack 4 to a Windows NT 4.0 DNS Server, the
server will appear to stop resolving queries for hosts to certain
remote domains. The first query for a host will succeed, but
subsequent queries for other hosts in the same domain will fail.
- 527 Showcode.asp is a sample file that comes with Internet Information
Server 4.0 and Site Server 3.0. It is designed to view the source
code of the sample applications via a web browser. Anyone can view
the contents of any text file on the web server.
- 528 The Profiles directory provides profile information of users and the
administrator account. This directory must be restricted from being
altered.
- 529 Viewcode.asp is a sample file that comes with Site Server 3.0. It is
designed to view the source code of the sample applications via a
web browser. Anyone can view the contents of any text file on the web
server.
- 530 Codebrws.asp is a sample file that comes with IIS 4.0 and Site Server
3.0. It is designed to view the source code of the sample applications
via a web browser. Anyone can view the contents of any text file on the
web server.
- 531 Winmsdp.exe is a sample file that comes with IIS 4.0 and Site Server
3.0. It is designed to view the source code of the sample applications
via a web browser. Anyone can view the contents of any text file on the
web server.
- 532 Microsoft Excel 97 SR-2 provides a feature that displays a warning
message when you try to start an external file that may contain a
macro virus. This warning could be bypassed.
- 533 The help utility could allow arbitrary code to be run on a local
Windows NT machine. An unchecked buffer exists in the Help utility
that may cause the Help file tool to stop responding.
- 535 The component of the RAS client (rasfil32.dll) that processes
phonebook entries has an unchecked buffer. A malformed phonebook
entry could overflow the buffer, causing the RAS client service to
crash. This vulnerability could also allow arbitrary code to be
executed. This vulnerability affects RAS clients, not RAS servers.
- 536 NetMonExploit.tgz is a hacker program that extracts and decrypts the
password out of Bhsupp.dll. This DLL is used as a password
authentication scheme for the Network Monitor Agent.
- 537 A user's password is cached even if the user de-selects the "Save
password" option when using the Windows NT Remote Access Service RAS.
- 538 A user's password is cached even if the user de-selects the "Save
password" option when using the Windows NT Routing and Remote Access
Service (RRAS).
- 539 If unauthorized users can restore or backup files to a new directory,
they can compromise those files. Enable audits of backups and restores
if you can handle the increased size of the event log.
- 540 Base System Objects are not enabled by default. If you are in a highly
secure environment, Base System Objects should be enabled.
- 541 This worm attempts to invoke MAPI-aware e-mail applications such as
MS Outlook, MS Outlook Express and MS Exchange, and has been confirmed
with Netscape mail. This worm replies to messages received with an
e-mail message with the following body:
I received your email and I shall send you a reply ASAP. Till then,
take a look at the attached zipped docs. The worm, named
"zipped_files.exe", is attached, with a file size of 210,432 bytes.
It makes another copy in the system32 directory, named Explore.exe.
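Items 517 and 518 above both describe host settings an administrator can verify directly: whether logon.scr is writable by ordinary users, and whether the winreg key exists and is restricted. The following audit script is an added example, not code from the newsletter or from the STAT product; the registry path and file location it uses are the standard Windows locations, which the newsletter itself does not spell out.

```powershell
# Added audit example (not part of the NTools newsletter or the STAT product).
# Checks the two host-configuration conditions described in items 517 and 518:
#   517 - logon.scr runs as SYSTEM, so it must not be writable by ordinary users.
#   518 - the winreg key must exist so that remote registry access is restricted.
# Assumptions: run in an elevated PowerShell session on the host being audited;
# the paths below are the standard locations, not values taken from the newsletter.

$findings = @()

# --- Item 518: remote registry access is gated on the winreg key ---
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
if (-not (Test-Path $winreg)) {
    $findings += 'winreg key missing: remote registry connections are not restricted (STAT 518)'
} else {
    # Broad groups should not hold Allow entries here; Administrators is the expected holder.
    $acl = Get-Acl -Path $winreg
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference -match 'Everyone|Users') {
            $findings += "winreg key grants $($ace.RegistryRights) to $($ace.IdentityReference) (STAT 518)"
        }
    }
}

# --- Item 517: any write/replace access on logon.scr lets a user run a file as SYSTEM ---
# On a FAT volume there are no ACLs to check at all (see the note under 517); the
# system volume must be NTFS for this check to mean anything.
$scr = Join-Path $env:SystemRoot 'system32\logon.scr'
$writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership, FullControl'
if (Test-Path $scr) {
    $acl = Get-Acl -Path $scr
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference -match 'Everyone|Users' -and
            (($ace.FileSystemRights -band $writeBits) -ne 0)) {
            $findings += "logon.scr grants $($ace.FileSystemRights) to $($ace.IdentityReference) (STAT 517)"
        }
    }
} else {
    $findings += "logon.scr not found at $scr; verify the screen saver path on this host (STAT 517)"
}

if ($findings.Count -eq 0) { 'No findings for STAT 517/518.' } else { $findings }
```

The expected remediation for a 517 finding is to reduce the offending group to Read (and Read & Execute) on logon.scr; for 518, create the winreg key and grant Full Control only to Administrators.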