ID

VAR-200306-0042

CVE

CVE-2003-0344

TITLE

OpenSSH contains buffer management errors

DESCRIPTION

Buffer overflow in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to execute arbitrary code via / (slash) characters in the Type property of an Object tag in a web page. Versions of the OpenSSH server prior to 3.7.1 contain buffer management errors. While the full impact of these vulnerabilities are unclear, they may lead to memory corruption and a denial-of-service situation. A vulnerability exists in Microsoft's Remote Procedure Call (RPC) implementation. A remote attacker could exploit this vulnerability to cause a denial of service. An exploit for this vulnerability is publicly available. A Microsoft Windows DirectX library, quartz.dll, does not properly validate certain parameters in Musical Instrument Digital Interface (MIDI) files. A remotely exploitable vulnerability has been discovered in Internet Explorer. A remote attacker could execute arbitrary code with the privileges of the user running IE. When a web page containing an OBJECT tag using a parameter containing excessive data is encountered by a vulnerable client, a internal memory buffer will be overrun. Description Microsoft Windows operating systems include multimedia technologies called DirectX and DirectShow. From Microsoft Security Bulletin MS03-030, "DirectX consists of a set of low-level Application Programming Interfaces (APIs) that are used by Windows programs for multimedia support. Any application that uses DirectX/DirectShow to process MIDI files may be affected by this vulnerability. Of particular concern, Internet Explorer (IE) uses the Windows Media Player ActiveX control and quartz.dll to handle MIDI files embedded in HTML documents. An attacker could therefore exploit this vulnerability by convincing a victim to view an HTML document, such as a web page or an HTML email message, that contains an embedded MIDI file. Note that in addition to IE, a number of applications, including Outlook, Outlook Express, Eudora, AOL, Lotus Notes, and Adobe PhotoDeluxe, use the WebBrowser ActiveX control to interpret HTML documents. Further technical details are available in eEye Digital Security advisory AD20030723. Common Vulnerabilities and Exposures (CVE) refers to these vulnerabilities as CAN-2003-0346. Disable embedded MIDI files Change the Run ActiveX controls and plug-ins security setting to Disable in the Internet zone and the zone(s) used by Outlook, Outlook Express, and any other application that uses the WebBrowser ActiveX control to render HTML. This modification will prevent MIDI files from being automatically loaded from HTML documents. This workaround is not a complete solution and will not prevent attacks that attempt to load MIDI files directly. Instructions for modifying IE security zone settings can be found in the CERT/CC Malicious Web Scripts FAQ. References * CERT/CC Vulnerability Note VU#561284 - http://www.kb.cert.org/vuls/id/561284 * CERT/CC Vulnerability Note VU#265232 - http://www.kb.cert.org/vuls/id/265232 * eEye Digital Security advisory AD20030723 - http://www.eeye.com/html/Research/Advisories/AD20030723.html * Microsoft Security Bulletin MS03-030 - http://microsoft.com/technet/security/bulletin/MS03-030.asp * Microsoft Knowledge Base article 819696 - http://support.microsoft.com/default.aspx?scid=kb;en-us;819696 _________________________________________________________________ These vulnerabilities were researched and reported by eEye Digital Security. _________________________________________________________________ Feedback can be directed to the author, Art Manion. -----BEGIN PGP SIGNED MESSAGE----- CERT Summary CS-2003-04 November 24, 2003 Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems. Past CERT summaries are available from: CERT Summaries http://www.cert.org/summaries/ ______________________________________________________________________ Recent Activity Since the last regularly scheduled CERT summary, issued in September 2003 (CS-2003-03), we have documented vulnerabilities in the Microsoft Windows Workstation Service, RPCSS Service, and Exchange. For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change. CERT/CC Current Activity http://www.cert.org/current/current_activity.html 1. W32/Mimail Variants The CERT/CC has received reports of several new variants of the 'Mimail' worm. The most recent variant of the worm (W32/Mimail.J) arrives as an email message alleging to be from the Paypal financial service. The message requests that the recipient 'verify' their account information to prevent the suspension of their Paypal account. Attached to the email is an executable file which captures this information (if entered), and sends it to a number of email addresses. Current Activity - November 19, 2003 http://www.cert.org/current/archive/2003/11/19/archive.html#mimaili 2. CERT Advisory CA-2003-28 Buffer Overflow in Windows Workstation Service http://www.cert.org/advisories/CA-2003-28.html Vulnerability Note VU#567620 Microsoft Windows Workstation service vulnerable to buffer overflow when sent specially crafted network message http://www.kb.cert.org/vuls/id/567620 3. CERT Advisory CA-2003-27 Multiple Vulnerabilities in Microsoft Windows and Exchange http://www.cert.org/advisories/CA-2003-27.html Vulnerability Note VU#575892 Buffer overflow in Microsoft Windows Messenger Service http://www.kb.cert.org/vuls/id/575892 Vulnerability Note VU#422156 Microsoft Exchange Server fails to properly handle specially crafted SMTP extended verb requests http://www.kb.cert.org/vuls/id/422156 Vulnerability Note VU#467036 Microsoft Windows Help and support Center contains buffer overflow in code used to handle HCP protocol http://www.kb.cert.org/vuls/id/467036 Vulnerability Note VU#989932 Microsoft Windows contains buffer overflow in Local Troubleshooter ActiveX control (Tshoot.ocx) http://www.kb.cert.org/vuls/id/989932 Vulnerability Note VU#838572 Microsoft Windows Authenticode mechanism installs ActiveX controls without prompting user http://www.kb.cert.org/vuls/id/838572 Vulnerability Note VU#435444 Microsoft Outlook Web Access (OWA) contains cross-site scripting vulnerability in the "Compose New Message" form http://www.kb.cert.org/vuls/id/435444 Vulnerability Note VU#967668 Microsoft Windows ListBox and ComboBox controls vulnerable to buffer overflow when supplied crafted Windows message http://www.kb.cert.org/vuls/id/967668 4. Multiple Vulnerabilities in SSL/TLS Implementations Multiple vulnerabilities exist in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols allowing an attacker to execute arbitrary code or cause a denial-of-service condition. CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS Implementations http://www.cert.org/advisories/CA-2003-26.html Vulnerability Note VU#935264 OpenSSL ASN.1 parser insecure memory deallocation http://www.kb.cert.org/vuls/id/935264 Vulnerability Note VU#255484 OpenSSL contains integer overflow handling ASN.1 tags (1) http://www.kb.cert.org/vuls/id/255484 Vulnerability Note VU#380864 OpenSSL contains integer overflow handling ASN.1 tags (2) http://www.kb.cert.org/vuls/id/380864 Vulnerability Note VU#686224 OpenSSL does not securely handle invalid public key when configured to ignore errors http://www.kb.cert.org/vuls/id/686224 Vulnerability Note VU#732952 OpenSSL accepts unsolicited client certificate messages http://www.kb.cert.org/vuls/id/732952 Vulnerability Note VU#104280 Multiple vulnerabilities in SSL/TLS implementations http://www.kb.cert.org/vuls/id/104280 Vulnerability Note VU#412478 OpenSSL 0.9.6k does not properly handle ASN.1 sequences http://www.kb.cert.org/vuls/id/412478 5. These attacks include the installation of tools for launching distributed denial-of-service (DDoS) attacks, providing generic proxy services, reading sensitive information from the Windows registry, and using a victim system's modem to dial pay-per-minute services. The vulnerability described in VU#865940 exists due to an interaction between IE's MIME type processing and the way it handles HTML application (HTA) files embedded in OBJECT tags. W32/Swen.A Worm On September 19, the CERT/CC began receiving a large volume of reports of a mass mailing worm, referred to as W32/Swen.A, spreading on the Internet. Similar to W32/Gibe.B in function, this worm arrives as an attachment claiming to be a Microsoft Internet Explorer Update or a delivery failure notice from qmail. The W32/Swen.A worm requires a user to execute the attachment either manually or by using an email client that will open the attachment automatically. Upon opening the attachment, the worm attempts to mail itself to all email addresses it finds on the system. The CERT/CC updated the current activity page to contain further information on this worm. Current Activity - September 19, 2003 http://www.cert.org/current/archive/2003/09/19/archive.html#swena 7. Buffer Overflow in Sendmail Sendmail, a widely deployed mail transfer agent (MTA), contains a vulnerability that could allow an attacker to execute arbitrary code with the privileges of the sendmail daemon, typically root. CERT Advisory CA-2003-25 Buffer Overflow in Sendmail http://www.cert.org/advisories/CA-2003-25.html Vulnerability Note VU#784980 Sendmail prescan() buffer overflow vulnerability http://www.kb.cert.org/vuls/id/784980 8. RPCSS Vulnerabilities in Microsoft Windows On September 10, the CERT/CC reported on three vulnerabilities that affect numerous versions of Microsoft Windows, two of which are remotely exploitable buffer overflows that may an allow an attacker to execute code with system privileges. CERT Advisory CA-2003-23 RPCSS Vulnerabilities in Microsoft Windows http://www.cert.org/advisories/CA-2003-23.html Vulnerability Note VU#483492 Microsoft Windows RPCSS Service contains heap overflow in DCOM activation routines http://www.kb.cert.org/vuls/id/483492 Vulnerability Note VU#254236 Microsoft Windows RPCSS Service contains heap overflow in DCOM request filename handling http://www.kb.cert.org/vuls/id/254236 Vulnerability Note VU#326746 Microsoft Windows RPC service vulnerable to denial of service http://www.kb.cert.org/vuls/id/326746 ______________________________________________________________________ New CERT Coordination Center (CERT/CC) PGP Key On October 15, the CERT/CC issued a new PGP key, which should be used when sending sensitive information to the CERT/CC. CERT/CC PGP Public Key https://www.cert.org/pgp/cert_pgp_key.asc Sending Sensitive Information to the CERT/CC https://www.cert.org/contact_cert/encryptmail.html ______________________________________________________________________ What's New and Updated Since the last CERT Summary, we have published new and updated * Advisories http://www.cert.org/advisories/ * Vulnerability Notes http://www.kb.cert.org/vuls * CERT/CC Statistics http://www.cert.org/stats/cert_stats.html * Congressional Testimony http://www.cert.org/congressional_testimony * Training Schedule http://www.cert.org/training/ * CSIRT Development http://www.cert.org/csirts/ ______________________________________________________________________ This document is available from: http://www.cert.org/summaries/CS-2003-04.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. ______________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright \xa92003 Carnegie Mellon University. -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBP8JVOZZ2NNT/dVAVAQGL9wP+I18NJBUBuv7b0pam5La7E7qOQFMn5n78 7i0gBX/dKgaY5siM6jBYYwCbbA7Y0/Jwtby2zHp1s8RHZY5/3JEzElfv4TLlR8rT rb8gJDbpan2JWA6xH9IzqZaSrxrXpNypwU2wWxR2osmbYl8FdV0rD3ZYXJjyi+nU UENALuNdthA= =DD60 -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2003-19 Exploitation of Vulnerabilities in Microsoft RPC Interface Original issue date: July 31, 2003 Last revised: - Source: CERT/CC A complete revision history is at the end of this file. I. Known exploits target TCP port 135 and create a privileged backdoor command shell on successfully compromised hosts. Some versions of the exploit use TCP port 4444 for the backdoor, and other versions use a TCP port number specified by the intruder at run-time. We have also received reports of scanning activity for common backdoor ports such as 4444/TCP. In some cases, due to the RPC service terminating, a compromised system may reboot after the backdoor is accessed by an intruder. Based on current information, we believe this vulnerability is separate and independent from the RPC vulnerability addressed in MS03-026. The CERT/CC is tracking this additional vulnerability as VU#326746 and is continuing to work to understand the issue and mitigation strategies. In both of the attacks described above, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies. II. III. Solutions Apply patches All users are encouraged to apply the patches referred to in Microsoft Security Bulletin MS03-026 as soon as possible in order to mitigate the vulnerability described in VU#568148. These patches are also available via Microsoft's Windows Update service. Systems running Windows 2000 may still be vulnerable to at least a denial of service attack via VU#326746 if their DCOM RPC service is available via the network. Therefore, sites are encouraged to use the packet filtering tips below in addition to applying the patches supplied in MS03-026. Filter network traffic Sites are encouraged to block network access to the RPC service at network borders. This can minimize the potential of denial-of-service attacks originating from outside the perimeter. The specific services that should be blocked include * 135/TCP * 135/UDP * 139/TCP * 139/UDP * 445/TCP * 445/UDP If access cannot be blocked for all external hosts, the CERT/CC recommends limiting access to only those hosts that require it for normal operation. As a general rule, the CERT/CC recommends filtering all types of network traffic that are not required for normal operation. Because current exploits for VU#568148 create a backdoor, which is in some cases 4444/TCP, blocking inbound TCP sessions to ports on which no legitimate services are provided may limit intruder access to compromised hosts. Recovering from a system compromise If you believe a system under your administrative control has been compromised, please follow the steps outlined in Steps for Recovering from a UNIX or NT System Compromise Reporting The CERT/CC is tracking activity related to exploitation of the first vulnerability (VU#568148) as CERT#27479 and the second vulnerability (VU#326746) as CERT#24523. Relevant artifacts or activity can be sent to cert@cert.org with the appropriate CERT# in the subject line. Appendix A. Vendor Information This appendix contains information provided by vendors. If a vendor is not listed below, we have not received their comments. Microsoft Please see Microsoft Security Bulletin MS03-026. Appendix B

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

other

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Derek Soeder※ dsoeder@eeye.com

SOURCES

LAST UPDATE DATE

2022-05-08T07:26:52.746000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE