+====================================================================+
|                                                                    |
|SANS                                                                |
|     @    @  @@@@@  @@@@   @@@@@   @@@@   @@@@@   @@@@   @@@@@      |
|     @@   @    @    @   @    @    @    @  @      @         @        |
|     @ @  @    @    @   @    @    @       @@@     @@@@     @        |
|     @  @ @    @    @   @    @    @  @@@  @           @    @        |
|     @   @@    @    @   @    @    @    @  @      @    @    @        |
|     @    @    @    @@@@   @@@@@   @@@@   @@@@@   @@@@     @        |
|                                                                    |
|       March 26, 1999                   Volume 2, Number 3          |
|                                                                    |
|                       The SANS NT Digest                           |
|                  Editor:  Jesper M. Johansson                      |
|                           (University of Minnesota)                |
|                                                                    |
|         Contributing Editors:                                      |
|             Dr. Matt Bishop (Univ. California, Davis)              |
|             Jeff Brown (Merrill Lynch)                             |
|             Phil Cox (NTS)                                         |
|             Mark T. Edmead (IBM Global Security Services)          |
|             Chris Lalka (Exxon)                                    |
|             Eric Maiwald (Fortrex)                                 |
|             Rob Marchand (Array Systems),                          |
|             Dr. Gene Schultz (Global Integrity Corporation,        |
|                                      an SAIC Company)              |
|                                                                    |
+=====A Resource for Computer and Network Security Professionals=====+

**********************************************************************

Copyright 1999. The SANS Institute. All rights reserved.  You may forward
this issue to your co-workers and encourage them to subscribe by sending
a note with the subject "NT Digest" to digest@sans.org.  Unsubscribe or
change address by forwarding this digest to digest@sans.org with simple
instructions.

Subscribe by sending a note with the subject "NT Digest" to
<digest@sans.org>.

**********************************************************************

This month we received the fix for the KnownDLLs list vulnerability from
last month. We also found three other new hotfixes, including one Y2K
related hotfix. Bugs have been discovered in a few third-party
applications, and we also tell you a little about some trojans, or
potential trojans. Lastly, we will tell you how to make NT a little more
UNIX-like.

JMJ

**********************************************************************

Table of Contents

1. Microsoft Security Bulletins
   1.1. Update to KnownDLLs list vulnerability
   1.2. Windows NT Screensaver Vulnerability and patch
   1.3. MS Exchange 5.5 "Malformed Bind request" vulnerability and patch
2. MS Hotfixes
   2.1. RNR-FIX
   2.2. Scrnsav-fix
   2.3. Smss-fix
   2.4. Sms-fix
   2.5. Y2KUPD
   2.6. roll-up
3. Other NT Issues
   3.1. Date/Time Control Panel Bug
   3.2. Extension mapping and implications
   3.3. Internet Explorer 5 released
      3.3.1. Cross-domain security violation in control
      3.3.2. Cookie setting
      3.3.3. Currently identified bugs and incompatibilities
         3.3.3.1. Diamond video drivers
         3.3.3.2. PPTP
4. IIS Issues
   4.1. Password Storage
5. Third-party Software issues
   5.1. ArcServe IT transmits loosely encrypted passwords over the network
   5.2. SLMail 3.1 and 3.2 Remote Administration Vulnerability
   5.3. IMail 5.0 buffer overflow vulnerabilities
   5.4. Conseal PC Firewall update available
6. Trojans etc.
   6.1. NetBus Pro
   6.2. ProMail 1.21
7. Tip of the month: Use UNIX commands

**********************************************************************

1. Microsoft Security Bulletins

This month Microsoft released three new security bulletins, one of which
was an update to a previous bulletin.

1.1. Update to KnownDLLs list vulnerability

Microsoft released the fix for the KnownDLLs list vulnerability from
last month, and updated the bulletin. The fix is available at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP4/Smss-fix/

The updated security bulletin is available at:
http://www.microsoft.com/security/bulletins/ms99-006.asp.

The attendant KBase article is available at:
http://support.microsoft.com/support/kb/articles/q218/4/73.asp

1.2. Windows NT Screensaver Vulnerability and patch

A privilege elevation vulnerability was discovered in the mechanism by
which NT launches screen savers. These are launched in SYSTEM context
and then switch their context to that of the logged on user. However,
the screen saver mechanism never verifies if the second context switch
was successfully made. This may enable an attacker who can log on
interactively to launch a screen saver which causes the second context
switch to fail, leaving the screen saver running in the SYSTEM context.
At that point, the program could, for example, add the user to
Administrators group. Note that this would give the user administrative
access over the machines controlled by the current SAM. Thus, it is
primarily an issue on workstations, since un-trusted users ordinarily
have no logon privileges on servers and domain controllers. However, all
current versions of NT are vulnerable.

A fully supported fix for SP4 is available at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP4/Scrnsav-fix/.

For Terminal Server the fix is at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40TSE/hotfixes-postSP3/ScrnSav-fix/

The security bulletin is available at:
http://www.microsoft.com/security/bulletins/ms99-008.asp.

The attendant KBase article is available at:
http://support.microsoft.com/support/kb/articles/q221/9/91.asp


1.3. MS Exchange 5.5 "Malformed Bind request" vulnerability and patch

A buffer overflow issue was discovered in MS Exchange 5.5. The issue
involves the use of the Bind request in the LDAP service. If you have
turned off LDAP support, you are not at risk from this issue.

A fix is available at:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostSP2/DIR-fix/

The security bulletin is available at:
http://www.microsoft.com/security/bulletins/ms99-009.asp

The KBase article is at:
http://support.microsoft.com/support/kb/articles/q221/9/89.asp.

**********************************************************************

2. MS Hotfixes

2.1. RNR-FIX

This fix addresses issues documented in KBase articles Q214864, Q216091,
and Q217001. The first two of these articles are available on the March
Technet CD. The latter article is not yet available on Technet. The
issue involves a bug in the GetHostByName() call which may result in
getting an invalid IP address. This has been shown to impact multihomed
computers in which one interface is disabled in the current hardware
profile. In such a situation, GetHostByName() may return the IP address
for the disabled interface. The problem could also affect Microsoft
Exchange. The fix, which is not completely regression tested, is
available at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP4/Rnr-fix/

2.2. Scrnsav-fix

This fix repairs the screen saver issue discussed in item 1.2 above. It
is available at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP4/Scrnsav-fix/

2.3. Smss-fix

This is the fix for the KnownDLLs issue discussed in item 1.1 above. It
is available at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP4/Smss-fix/

2.4. Sms-fix

This is a repost of the fix for the SNMP memory leak we reported in the
December 1998 Digest. We do not know, and Microsoft does not volunteer
the information, what was changed in this repost. The updated fix is
available at
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP4/Sms-fix/.
This fix is also contained in the roll-up hotfix discussed in item 2.6.

2.5. Y2KUPD

This fix updates the MFC40.dll. The MFC has an internal function to
resolve dates such that it adds 1900 to any two-digit year passed to it.
However, programs that use this function may not correctly parse the
date. This could result in the year 2000 being identified as the year
100 for example. The fix is discussed in Q218877 and Q221120. The fix is
available at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP4/Y2KUPD/

2.6. roll-up

This hotfix contains several prior hotfixes in one package. The
following hotfixes are in this package: Sms-fix, Gina-fix, Msv1-fix,
Nprpc-fix, Clik-fix, Tcpip-fix and the infget hotfix for IIS.

**********************************************************************

3. Other NT Issues

3.1. Date/Time Control Panel Bug

A serious problem in the Date/Time control panel was reported to
NTBugTraq (http://www.ntbugtraq.com) by Brett Robins. If you open the
Date/Time control panel applet and select a different month, the system
will immediately reset the current date to that month. For example, if
you open the Date/Time control panel on March 23, 1999, and select
September from the Month dropdown list, the system clock is immediately
set to September 23, 1999. This can have serious implications, for
example if your user accounts expire between that date and today. Note
that you do not have to hit Apply for this change to take effect!
Microsoft has acknowledged this problem and a fix is likely to be
forthcoming eventually.

3.2. Extension mapping and implications

An issue was reported to NTBugtraq (http://www.ntbugtraq.com) about how
NT parses extensions. NT will allow most extensions on executables. To
show this, copy notepad.exe from %systemroot% into a temporary directory
and rename it notepad.dummy. If you double-click this file in Explorer
you are prompted for an application to open it with. However, if you run
it from the command line it works. This has some important implications
for system administrators. Firstly, it is very easy for users to hide
executables from administrators. They do not even need to rename the
file to run it. Secondly, it means that virus scanners that check files
based on the extension are not very effective. Some virus scanners
actually check the header to determine what kind of file it is and
whether to scan it. However, unless you can prove that your particular
virus scanner correctly identifies executables based on the header, and
not the extension, you may want to turn on scanning of all files, rather
than just executables.
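The check a scanner needs in order to catch a renamed executable such as
notepad.dummy is one on the file header, not the name. The following is
an added example, not code from the Digest or from any vendor: it looks
for the DOS "MZ" stub and the "PE\0\0" signature that every Win32 image
carries, compares that with what the extension claims, and walks a
directory reporting executables whatever they are called. The sample
files it scans are constructed in a temporary directory.

```python
import os
import struct
import tempfile

# Extensions NT treats as executable by name; anything else that still
# carries a PE header is what the Digest calls a hidden executable.
EXEC_EXTENSIONS = {".exe", ".com", ".dll", ".scr", ".cpl", ".sys"}


def is_pe_executable(data: bytes) -> bool:
    """True if data starts with an 'MZ' stub whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(filename: str, data: bytes) -> str:
    """Compare what the name claims with what the header proves."""
    by_ext = os.path.splitext(filename)[1].lower() in EXEC_EXTENSIONS
    by_header = is_pe_executable(data)
    if by_header and not by_ext:
        return "hidden-executable"   # the notepad.dummy case
    if by_header:
        return "executable"
    if by_ext:
        return "mislabelled"         # named .exe but not a PE image
    return "data"


def make_fake_pe() -> bytes:
    """Constructed minimal PE header: MZ stub, e_lfanew = 0x80,
    'PE\\0\\0' at 0x80. Not a runnable program, just the signature."""
    header = bytearray(0x84)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    header[0x80:0x84] = b"PE\x00\x00"
    return bytes(header)


def scan_tree(root: str):
    """Report every PE image under root regardless of its extension.
    Only the first 4 KiB is read, which covers any normal e_lfanew."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(0x1000)
            verdict = classify(name, head)
            if verdict in ("hidden-executable", "executable"):
                hits.append((path, verdict))
    return hits


def demo():
    """Build a constructed sample tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = (("notepad.dummy", make_fake_pe()),
                   ("notepad.exe", make_fake_pe()),
                   ("notes.txt", b"just text"))
        for name, content in samples:
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return scan_tree(tmp)
```

Run `demo()` to see notepad.dummy flagged as a hidden executable while
notes.txt is ignored; a scanner keyed on extension alone would skip the
first file entirely.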

3.3. Internet Explorer 5 released

Microsoft released the new version of Internet Explorer last week. Since
it is now part of the operating system, the expectation is that all
machines will be updated to IE 5 eventually. Here are a few things to
keep in mind if you upgrade yours.

3.3.1. Cross-domain security violation in control

A cross-frame navigation vulnerability in the DHTML edit control was
discovered by Juan Carlos Cuartango. Microsoft has acknowledged this and
will revoke the existing control and release a fixed version.

3.3.2. Cookie setting

IE 5 will reset your cookie setting to "Accept Always," regardless of
what it was under IE 4. If you do not wish to receive cookies you must
change this setting back manually.  There was also a report on NTBugTraq
(http://www.ntbugtraq.com) reporting some strange behavior regarding how
IE 5 treats cookies. The editorial board investigated this and found the
following:

1. If you have the browser prompt you for cookies and then let a site set
   a cookie, all subsequent cookies from that site will be set without your
   being prompted.
2. If a site has previously been allowed to set a cookie on your
   computer (e.g. if there was one from an older browser, from before you
   turned on prompting for cookies, or if you have previously allowed a
   cookie from a site), you will not be prompted for any further cookies
   from that site. They will be allowed automatically.
3. If a site already has a cookie on your computer and the site tries to
   update information in that cookie, that will be allowed, even if
   prompting for cookies is turned on.

Of course, if you disable cookies, no cookies will be set on your
computer. However, this will break many sites.

3.3.3. Currently identified bugs and incompatibilities

A few bugs and incompatibilities have been reported with IE 5.

3.3.3.1. Diamond video drivers

If you are using Diamond video drivers you must download a new driver
from Diamond if you would like to re-install the driver after you have
installed IE 5. The drivers replace a critical file used by IE 5 with
the result that the machine will not reboot if you install over IE 5.
New drivers were posted on March 24 at
http://www.diamondmm.com/products/support/ie5.html.

3.3.3.2. PPTP

According to BugTraq (http://www.bugnet.com) IE 5 may disable PPTP. The
editorial board has not verified this claim, but, as with all upgrades,
you should test IE 5 thoroughly in your organization before rolling it
out on a large scale.

**********************************************************************

4. IIS Issues

4.1. Password Storage

The IIS metabase, stored in C:\WINNT\system32\inetsrv\MetaBase.bin,
stores the passwords for the IIS service accounts in a loosely obfuscated
form. This file is readable using a tool called MetaEdit from the IIS
Resource Kit. Care must be taken to protect this file from untrusted
users.

**********************************************************************

5. Third-party Software issues

5.1. ArcServe IT transmits loosely encrypted passwords over the network

ArcServe IT has been reported to transmit loosely encrypted passwords
over the network from its NT Agents. Computer Associates promptly
released a fix which is available at:
http://support.cai.com/Download/patches/asnt.html

5.2. SLMail 3.1 and 3.2 Remote Administration Vulnerability

A vulnerability in Seattle Labs SLMail 3.1 and 3.2 was reported by
Mnemonix. Using the Remote Administration Service in SLMail any user
with an account on the system can make changes to the mail services and
user account information. This can result in several problems, such as
the ability to read any file on the system by setting it as a user's
plan file. Seattle Labs is reportedly working on a fix.

5.3. IMail 5.0 buffer overflow vulnerabilities

The eEye Digital Security Team (http://www.eEye.com) reported several
buffer overflows in IMail 5.0. The vulnerabilities are in the Imapd,
LDAP, Imonitor, IMail web service, and WhoIs32 daemon services.  The
vendor has been notified but it is unknown as of yet whether a fix is
forthcoming.

5.4. Conseal PC Firewall update available

Signal9 has discovered a vulnerability in its Conseal PC Firewall
product. Versions 1.3 and 1.35 may exit prematurely when run as a
service. A fix is available at
http://www.signal9.com/cgi-bin/update.exe.

**********************************************************************

6. Trojans etc.

6.1. NetBus Pro

A new version of NetBus was released last month. NetBus is a program
designed to allow remote control over a computer. By itself, it can be a
useful management tool. However, if clandestinely introduced, it could
be used by an attacker to gain control over a computer. The new version
has some significant upgrades over the previous version. For example, it
can now run on a user-selected port. CIAC issued a bulletin regarding
this new release of NetBus. The bulletin is available at
http://www.ciac.org.

To determine if NetBus is running on your computer look in the registry
for a key called HKEY_CURRENT_USER\NetBus Server. To determine which
port NetBus is listening to look at HKEY_CURRENT_USER\NetBus
Server\General\TCPPort and then use netstat -an to determine whether the
system is actually listening on that port. In addition, NetBus may be
set to start automatically. In that case, there will be an entry called
NetBus Server Pro under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
That entry will list the path to the NetBus executable. You can delete
the registry entry and the executable.

NetBus now also supports a plug-in architecture similar to that
supported by BackOrifice. The only plug-in available right now is a
file-find utility.

6.2. ProMail 1.21

ProMail 1.21, a mail package for Win9x, apparently hides a trojan. Aeon
labs (http://cool.icestorm.net/aeon) have disassembled the program and
found that, in addition to the regular mail transfer feature, it
transmits user information, such as passwords, e-mail address, and so
on, to an e-mail account on a free e-mail provider. Apparently, the
program works well otherwise.

**********************************************************************

7. Tip of the month: Use UNIX commands

If you are like us, you have sometimes wished that you had some of the
powerful commands we got used to under UNIX on NT (actually, if you are
like us, you have probably written one or two of these yourselves, like
mv). Well, these commands are available in the NT Resource Kit as Win32
native programs:
        cat.exe
        cp.exe
        ls.exe
        mv.exe
        touch.exe
        wc.exe
        vi.exe

Since NT is POSIX compliant, the Resource Kit also includes the above
commands in POSIX versions, as well as the following commands in a POSIX
version:
        chmod.exe
        chown.exe
        find.exe
        grep.exe
        ln.exe
        mkdir.exe
        rm.exe
        rmdir.exe
        sh.exe

Note that the Win32 clone is not always equivalent to the POSIX version.
The POSIX version of the ls command, for example (stored in
/ntreskit/POSIX), supports the full complement of BSD 4.4 switches, with
the exception of -o. However, the Win32 clone (stored in /ntreskit)
supports [-FrqRdlt1sSvu] and can also take those switches with a /, like
ls /1F.

The Resource Kit documentation also claims that there are POSIX CC.EXE
and LINK.EXE commands. However, those do not seem to be present.

Due to some security risks with the POSIX sub-system, you may want to
run only the Win32 versions of the commands. If you do not modify your
path environment variable, those are the only commands available to you.
Those commands do not cause the POSIX sub-system to be loaded and should
work even if the POSIX sub-system has been removed.

Now, if only we had a where command. Maybe we will write one for you for
next month.

=======================================================================

The SANS NT Digest is provided at no cost to those people who attend
SANS and SANS Network Security conferences. Others may subscribe for a
small annual fee. To subscribe, email <digest@sans.org> with the subject
NT Digest.