Russ | 1 Nov 07:57 2003

MinorRev: Microsoft Security Bulletin MS03-001 - Unchecked Buffer in Locator Service Could Lead to Code Execution (810833)

Reason for Revision:
V1.1 (October 28, 2003): Updated bulletin to reflect recommendation for
patching member servers

Microsoft Security Bulletin MS03-001:
Unchecked Buffer in Locator Service Could Lead to Code Execution
(810833)

Bulletin URL:
http://www.microsoft.com/technet/security/bulletin/MS03-001.asp

This email is sent to NTBugtraq automagically as a service to my
subscribers. (v2.1)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

----
NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
code "NT1003" when registering to take the TICSA exam at www.2test.com.
Prove to your employer and peers that you have the knowledge and
abilities to be an active stakeholder in today's enterprise security.
Become TICSA certified www.trusecure.com/ticsa.  Promotion expires
12/31/03 and cannot be used in combination with other offers.

----

Russ | 1 Nov 07:53 2003

MinorRev: Microsoft Security Bulletin MS02-014 - Unchecked Buffer in Windows Shell Could Lead to Code Execution

Reason for Revision:
V1.2 (October 13, 2003): Updated Windows 2000 download link in Patch
Availability Section

Microsoft Security Bulletin MS02-014:
Unchecked Buffer in Windows Shell Could Lead to Code Execution

Bulletin URL:
http://www.microsoft.com/technet/security/bulletin/MS02-014.asp

This email is sent to NTBugtraq automagically as a service to my
subscribers. (v2.1)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

----

Russ | 4 Nov 00:03 2003

MinorRev: Microsoft Security Bulletin MS03-045 - Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)

Reason for Revision:
V3.1 (November 3, 2003): Updated Patch Replacement section. This patch
replaces the patch provided by Security Bulletin MS02-071.

Microsoft Security Bulletin MS03-045:
Buffer Overrun in the ListBox and in the ComboBox Control Could Allow
Code Execution (824141)

Bulletin URL:
http://www.microsoft.com/technet/security/bulletin/MS03-045.asp

Summary:
 Version Number: V3.1
 Revision Date: 11-03-2003
 Impact of Vulnerability: Local Elevation of Privilege
 Maximum Severity Rating: Important
 Patch(es) Replaced: MS02-071
 Caveats: None
 CVE Number(s): CAN-2003-065

Tested Software: 
 Affected Software:
 * Microsoft Windows NT Workstation 4.0, Service Pack 6a
<http://www.ntbugtraq.com/link/5EA88ABE-8D53-4E25-959C-E80EB5FD7A91.asp>
 * Microsoft Windows NT Server 4.0, Service Pack 6a
<http://www.ntbugtraq.com/link/F3E87075-AAE5-49F4-9D37-24A116296188.asp>
 * Microsoft Windows NT Server 4.0, Terminal Server Edition, Service
Pack 6
<http://www.ntbugtraq.com/link/0ADC8D90-2355-49A0-976B-57281B4521C1.asp>
 * Microsoft Windows 2000, Service Pack 2

Multiple SQL Injection Vulnerabilities in Oracle Application Server 9i and RDBMS (#NISR05112003)

NGSSoftware Insight Security Research Advisory

Name  : Multiple Oracle Application Server SQL Injection Vulnerabilities
Systems Affected: All OS platforms; Oracle9i Application Server Release 1
and 2 and RDBMS
Severity : High Risk
Vendor URL : http://www.oracle.com/
Author  : David Litchfield (david <at> ngssoftware.com)
Date  : 5th November 2003
Advisory number : #NISR05112003

Description
***********
Oracle's RDBMS, a leading database server package, supports stored packages
and procedures through the use of PL/SQL. These packages and procedures can
be accessed through Oracle's Application Server's Portal module. Oracle
Application Server is a web server designed for Oracle applications. Many of
the PL/SQL packages and procedures are vulnerable to SQL Injection. Using
these vulnerabilities an unauthenticated attacker can gain access to all
data in the database from the Internet.

Details
*******
By default, Oracle Application Server allows unauthenticated users on the
web to access PL/SQL packages and procedures stored in the RDBMS. When a
PL/SQL procedure is executed it either does so with the security rights of
the invoker or the definer. In the latter case, if a PL/SQL procedure
defined by the powerful 'SYS' or 'SYSTEM' login is executed by a low
privileged user that user can access data they would not directly be able to
access. By executing such a procedure via Oracle Application Server and with

http-equiv@excite.com | 5 Nov 18:51 2003

POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III


Wednesday, November 5, 2003 

In our never-ending quest for entertainment, we commence from 
this date forward to end-2004 our POS series of findings. That
is the 'perfect operating system'. Today we debut and regurgitate
new and not so new for fun as follows. A warm up for the New Year if 
you will !:

The following file is an html file comprising both scripting and an 
executable [*.exe]. 

We inject scripting and an executable into the html file which is 
designed to point back to the executable in the html file and execute 
it. Provided the html file is an html file, Internet Explorer 5.5 and 
6.0 will execute it. 

Because it is an html file proper, Internet Explorer opens it. The 
scripting inside is then parsed and fired. That scripting is pointing 
back to the same executable file and because it is a self-executing 
html file, it executes ! 

Fully self-contained harmless *.exe:

CAUTION: back up notepad.exe before opening

http://www.malware.com/self-exec.zip 

What a POS !


Kurt Seifried | 6 Nov 10:02 2003

Re: POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III

> In our never-ending quest for entertainment, we commence from
> this date forward to end-2004 our POS series of findings. That
> is the 'perfect operating system'. Today we debut and regurgitate
> new and not so new for fun as follows. A warm up for the New Year if
> you will !:

This is easy to avoid. Just set the kill bit for the affected Active
component, Adodb.Stream for which the CLSID is
4B106874-DD36-11D0-8B44-00A024DD9EFF.

Kurt Seifried, kurt <at> seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

http-equiv@excite.com | 5 Nov 17:32 2003

Re: Six Step IE Remote Compromise Cache Attack

I can confirm the below on a brand spanking new, 3 week old, top-of-
the-line machine with Windows XP Home edition, customised, with every
conceivable patch, security pack, gadget enabled updating twaddle it
comes with and installed to date.

I demand a refund from the vendor ! This is a disgrace. 2 year old
remnant bugs and holes unattended culminating in this full and
complete remote takeover via a web page [again !]. 5 Million dollar
bounties to chase ghosts in the closets wasting law enforcement's
valuable and over-worked time, when it can be better spent on
bounties for bugs and repairing of product I have been duped into
buying.

Pathetic !

Six Step IE Remote Compromise Cache Attack

[tested]
OS:WinXp
Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/10/30

[Overview]

A six step cache attack has been found which allows for remote
compromise of systems running Internet Explorer merely by viewing
a webpage.

This attack is possible partly because of the bugs in Internet
Explorer which remain unfixed. The oldest of these bugs is
almost two years old.

Art Manion | 7 Nov 18:22 2003

Re: POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III

--On Thursday, November 06, 2003 2:02 AM -0700 Kurt Seifried
<kurt <at> seifried.org> wrote:

>> In our never-ending quest for entertainment, we commence from
>> this date forward to end-2004 our POS series of findings. That
>> is the 'perfect operating system'. Today we debut and regurgitate
>> new and not so new for fun as follows. A warm up for the New Year if
>> you will !:
> 
> This is easy to avoid. Just set the kill bit for the affected Active
> component, Adodb.Stream for which the CLSID is
> 4B106874-DD36-11D0-8B44-00A024DD9EFF.

{4B106874-DD36-11D0-8B44-00A024DD9EFF} is the Local Troubleshooter control.

The ADODB.Stream control, an important part of several current IE exploits,
is {00000566-0000-0010-8000-00AA006D2EA4}.

MS KB article about the kill bit:

  <http://support.microsoft.com/support/kb/articles/q240/7/97.asp>

Disable Active scripting for untrusted sites.

  - Art

Kurt Seifried | 7 Nov 22:38 2003

Re: POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III

> >> In our never-ending quest for entertainment, we commence from
> >> this date forward to end-2004 our POS series of findings. That
> >> is the 'perfect operating system'. Today we debut and regurgitate
> >> new and not so new for fun as follows. A warm up for the New Year if
> >> you will !:
> >
> > This is easy to avoid. Just set the kill bit for the affected Active
> > component, Adodb.Stream for which the CLSID is
> > 4B106874-DD36-11D0-8B44-00A024DD9EFF.
>
> {4B106874-DD36-11D0-8B44-00A024DD9EFF} is the Local Troubleshooter
control.
>
> The ADODB.Stream control, an important part of several current IE
exploits,
> is {00000566-0000-0010-8000-00AA006D2EA4}.
>
> MS KB article about the kill bit:
>
>   <http://support.microsoft.com/support/kb/articles/q240/7/97.asp>
>
> Disable Active scripting for untrusted sites.

Ack, my bad, I cut and pasted the wrong one (too many bits to kill, and after
a while CLSIDs all look the same). It should also be noted that exploit
code for this problem has been around since early (i.e. the first week of)
September, and at least one major virus has used it.

The good news is that MS is setting kill bits with some service packs; the
bad news is that they aren't publicizing what CLSIDs need to be killed.

Mike Healan | 8 Nov 00:14 2003

Re: POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III

Kurt Seifried wrote:

 > If anyone knows a tool for finding out the CLSID of an ActiveX object I
 > would love to know it.

Sorry if this isn't what you're asking. I'm not sure I understood what 
you meant.

HijackThis will enumerate the CLSID associated with any activex control 
found in the Downloaded Program Files folder
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Example:
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - 
http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - 
http://a840.g.akamai.net/7/840/537/2003031901/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - 
http://www.pcpitstop.com/antivirus/PCPAV.CAB
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - 
http://imgfarm.com/images/nocache/myspeedbar/myinitialsetup1.0.0.3.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - 
http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - 
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.0377662037
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime 
Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime 
Environment 1.4.1_02) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash 
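The kill-bit mitigation Art Manion and Kurt Seifried discuss above, together with the HijackThis O16 listing Mike Healan posts, as an added PowerShell example that is not code from any of the posters, from HijackThis, or from Microsoft. It parses O16 lines to pull out each CLSID, reports whether the kill bit is set for that control, and can set the kill bit for a given CLSID (for example the ADODB.Stream CLSID Art gives). It assumes the registry location and the 0x400 flag value documented in KB 240797 (the KB article Art links); the function names and the sample O16 lines are mine, the latter copied from Mike's posted output.

```powershell
# Added example (not from the thread): audit and set the Internet Explorer
# ActiveX "kill bit" described in MS KB 240797. The kill bit is bit 0x400 of
# the REG_DWORD "Compatibility Flags" under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# Reading is possible as a normal user; setting requires an elevated shell.

$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400

function Get-ActiveXKillBit {
    # Returns $true when the kill bit is set for the given CLSID (braces optional).
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot ('{' + $Clsid.Trim('{}') + '}')
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]($flags -band $KillBitFlag)
}

function Set-ActiveXKillBit {
    # Sets the kill bit, preserving any other Compatibility Flags already present.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot ('{' + $Clsid.Trim('{}') + '}')
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord `
        -Value ($current -bor $KillBitFlag)
}

function ConvertFrom-HijackThisO16 {
    # Parses "O16 - DPF:" lines into CLSID, friendly name (if any) and source URL.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^O16 - DPF: \{(?<clsid>[0-9A-Fa-f-]{36})\}(?: \((?<name>[^)]*)\))? - ?(?<url>.*)$') {
            [pscustomobject]@{
                Clsid = $Matches.clsid
                Name  = $Matches.name
                Url   = $Matches.url.Trim()
            }
        }
    }
}

# Constructed sample: two O16 lines taken from the HijackThis output posted above.
$sampleO16 = @(
    'O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB',
    'O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab'
)

# Report each downloaded control with its kill-bit status.
ConvertFrom-HijackThisO16 -Lines $sampleO16 |
    Select-Object Clsid, Name, @{ n = 'KillBitSet'; e = { Get-ActiveXKillBit $_.Clsid } } |
    Format-Table -AutoSize

# The control named in the thread (CLSID as corrected by Art Manion).
$adodbStream = '00000566-0000-0010-8000-00AA006D2EA4'
"ADODB.Stream kill bit set: $(Get-ActiveXKillBit $adodbStream)"

# To apply the mitigation discussed in the thread, run from an elevated shell:
# Set-ActiveXKillBit $adodbStream
```

On 64-bit Windows the 32-bit browser reads the same key under `HKLM:\SOFTWARE\Wow6432Node\...`, so an audit there should check both hives; and because the kill bit only stops IE from instantiating the control, it is a complement to Art's "disable Active scripting for untrusted sites", not a substitute for patching.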

