SecurityFocus Microsoft Newsletter #169
----------------------------------------

SecurityFocus.com Introduces a new search engine for 2004.

In our continued quest to better serve our audience, We here at
SecurityFocus.com look forward to introducing to you our new search engine
for 2004. This new and improved search engine will feature the advantage
of a complete text search of the entire site, as well as full text
searches of the mailing list archives and vulnerabilities. Also included
will be an advanced search interface.
------------------------------------------------------------------------

I. FRONT AND CENTER
1. Checklist for Deploying an IDS
2. A Very Small Step for Music-Kind
II. MICROSOFT VULNERABILITY SUMMARY
1. RhinoSoft Serv-U FTP Server Insecure INI File Permissions Vu...
2. Microsoft Internet Explorer File Download Warning Bypass Vul...
3. Xlight FTP Server PASS Command Remote Buffer Overflow Vulner...
4. Webfroot Shoutbox Viewshoutbox.PHP Cross-Site Scripting Vuln...
5. phpBB Privmsg.PHP Cross-Site Scripting Vulnerability
6. Microsoft Internet Explorer For Mac HTTP Referer Information...
7. OpenBB Index.PHP Remote SQL Injection Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. Hardening the Scheduler Service (Thread)
2. Article Announcement: Low-Level Enumeration With TCP... (Thread)
3. SecurityFocus Microsoft Newsletter #168 (Thread)
4. TCP/IP Stack Hardening (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. AccessMaster
2. KeyGhost SX
3. SafeKit
4. SecurDataStor
5. Proactive Windows Security Explorer
6. Outpost Personal Firewall Pro 2.0
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. Fingerprint Verification System v0.1.0
2. mrtg v2.10.11
3. Mod_security v 1.8dev1
4. Stealth HTTP Security Scanner v2.0b47
5. IDA Pro - Freeware Edition
6. Enigmail v0.82.5
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION


I. FRONT AND CENTER
-------------------
1. Checklist for Deploying an IDS
By Andy Cuff

The scope of this article considers the worst case scenario, that of
deploying a Network IDS on a remote network (target). The introduction of
an IDS into a organization's network can be sensitive and often has
political implications with the network staff, and thus a checklist
written from the perspective of an outside consultant (even if the IDS is
deployed internally) that appeases all parties can be useful to ensure a
successful implementation.

http://www.securityfocus.com/infocus/1754

2. A Very Small Step for Music-Kind
By Mark Rasch

The District of Columbia Court of Appeals' decision in the Verizon v. RIAA
case will likely be a small and pyrrhic victory for downloaders.

http://www.securityfocus.com/columnists/205


II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. RhinoSoft Serv-U FTP Server Insecure INI File Permissions Vu...
BugTraq ID: 9274
Remote: No
Date Published: Dec 22 2003
Relevant URL: http://www.securityfocus.com/bid/9274
Summary:
RhinoSoft Serv-U FTP Server is designed for use with Microsoft Windows
operating systems.

RhinoSoft Serv-U FTP Server has been reported prone to an insecure file
permission vulnerability. Specifically, a configuration file
ServUDaemon.ini is created with insecure permissions by default. Because
of this any local user may make modifications to the ServUDaemon.ini
file. It has been reported that by adding the line Maintenance=System
the attacker may login to the affected FTP service and use quote site
exec FTP commands to execute files with SYSTEM privileges.

A local attacker may exploit this condition to gain elevated privileges.

It should be noted that although this vulnerability has been reported to
affect RhinoSoft Serv-U FTP Server version 4.1.0.0, other versions might
also be affected.

2. Microsoft Internet Explorer File Download Warning Bypass Vul...
BugTraq ID: 9278
Remote: Yes
Date Published: Dec 22 2003
Relevant URL: http://www.securityfocus.com/bid/9278
Summary:
A vulnerability has been discovered in Microsoft Internet Explorer when
handling file URIs. This issue may be exploited to download a malicious
file to the client system.

Internet Explorer warns a user when an attempt is made to download a file.
The warning notifies the user of the dangers of downloading certain types
of files such as '.exe', '.bat' etc.

It has been reported that by renaming a file, an attacker may be able to
trick the browser and bypass the security warning. An attacker may name a
file in the following format to conceal the extension type from the
browser:

http://www.example.com/file.exe?.html

It has been reported that the browser will recognize this file as an HTML
file instead of an executable. Successful exploitation of this issue may
allow an attacker to plant malicious files on vulnerable systems in order
to execute malicious code. This issue may be combined with the Multiple
Browser URI Display Obfuscation Weakness (BID 9182) to carry out further
attacks.

This issue has reportedly been tested with Microsoft Internet Explorer
running on a Windows 2003 Web Server edition platform, however, other
versions are likely to be affected as well.

MyIE2 Web Browser that uses Microsoft Internet Explorer codebase is also
reported to be vulnerable to this issue. It has been reported that MyIE2
versions 0.9.10 and prior are affected by this vulnerability.

3. Xlight FTP Server PASS Command Remote Buffer Overflow Vulner...
BugTraq ID: 9285
Remote: Yes
Date Published: Dec 23 2003
Relevant URL: http://www.securityfocus.com/bid/9285
Summary:
XLight FTP Server is a commercially available FTP server. It is available
for the Microsoft Windows platform.

A vulnerability has been identified in XLight FTP Server when handling
certain types of requests. Because of this, it may be possible for a
remote attacker to gain unauthorized access to a system running the
vulnerable software. The condition is present due to insufficient
boundary checking.

The issue presents itself when an attacker sends a specially crafted PASS
command request containing an excessively long string value to the
vulnerable server. Immediate consequences of an attack may result in a
denial of service condition.

An attacker may leverage the issue by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing an
affected procedure to return to an address of their choice. Successful
exploitation of this issue may allow an attacker to execute arbitrary code
in the context of the vulnerable software in order to gain unauthorized
access, however, this has not been confirmed at the moment.

Xlight FTP Server versions 1.41 and prior have been reported to be prone
to this issue.

4. Webfroot Shoutbox Viewshoutbox.PHP Cross-Site Scripting Vuln...
BugTraq ID: 9289
Remote: Yes
Date Published: Dec 23 2003
Relevant URL: http://www.securityfocus.com/bid/9289
Summary:
Webfroot Shoutbox is a web application designed to allow web site visitors
a chance to leave messages. It is implemented in PHP and is available for
the Unix, Linux, and Microsoft Windows platforms.

Webfroot Shoutbox is prone to a cross-site scripting vulnerability in the
'viewshoutbox.php' script. The source of the problem is that HTML and
script code are not adequately sanitized from input supplied via the
'error' URI parameter. This input will be included in dynamically
generated web pages. A remote attacker could exploit this issue by
embedding hostile HTML and script code in a malicious link to the
vulnerable script. The attacker-supplied code will be interpreted in the
context of the site hosting the vulnerable software.

Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.

It should be noted that although this issue has been reported to affect
Webfroot Shoutbox version 2.32, other versions might also be affected.

5. phpBB Privmsg.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 9290
Remote: Yes
Date Published: Dec 23 2003
Relevant URL: http://www.securityfocus.com/bid/9290
Summary:
phpBB is an open-source web forum application that is written in PHP and
supported by a number of database products. It will run on most Unix and
Linux variants, as well as Microsoft Windows operating systems.

phpBB is prone to a cross-site scripting vulnerability in the
'privmsg.php' script. The source of the problem is that HTML and script
code are not adequately sanitized from input supplied via the 'mode' URI
parameter. This input will be included in dynamically generated web pages.
A remote attacker could exploit this issue by embedding hostile HTML and
script code in a malicious link to the vulnerable script. The
attacker-supplied code will be interpreted in the context of the site
hosting the vulnerable software.

Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.

It should be noted that although this issue has been reported to affect
phpBB version 2.0.6, other versions might also be affected.

6. Microsoft Internet Explorer For Mac HTTP Referer Information...
BugTraq ID: 9295
Remote: Yes
Date Published: Dec 24 2003
Relevant URL: http://www.securityfocus.com/bid/9295
Summary:
Microsoft Internet Explorer for the Apple Mac platform has been reported
prone to an information disclosure vulnerability.

The browser allegedly forwards HTTP Referer data in HTTP requests made
from secure HTTPS servers. This behavior does not comply with the HTTP 1.1
RFC and so may present a security risk in certain circumstances. One of
these reported circumstances was when a link to a remote HTTP site is
followed from Outlook Web Access(HTTPS); data contained in the Referer may
include Outlook Inbox Username and Domain name. The most common risk
associated with this issue is situations where session IDs or other
credentials are included in URIs. If a user were to follow a link from
within an HTTPS page, the Referer could be leaked to an external site.

Information gathered by an attacker by exploiting this vulnerability may
be used to aid in further attacks launched against the target server.

7. OpenBB Index.PHP Remote SQL Injection Vulnerability
BugTraq ID: 9300
Remote: Yes
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9300
Summary:
OpenBB is a freely available, open source bulletin board software package.
It is available for Unix, Linux, and Microsoft Windows operating systems.

A problem with the software may make it possible for remote users to
modify database query logic.

It has been reported that OpenBB does not properly check input passed via
the 'CID' parameter of 'index.php' script. Because of this, it may be
possible for a remote user to inject malicious arbitrary SQL queries in
the context of the database user for the bulletin board software. The
consequences of successful exploitation will vary depending on the
underlying database implementation, but may allow for disclosure of
sensitive information such as administrator passwords or remote compromise
of the bulletin board or database itself.

OpenBB 1.06 has been reported to be prone this issue, however, other
versions could be affected as well.

This issue may be related to BID 7401.


III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Hardening the Scheduler Service (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/348399

2. Article Announcement: Low-Level Enumeration With TCP... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/348265

3. SecurityFocus Microsoft Newsletter #168 (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/348259

4. TCP/IP Stack Hardening (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/348258


IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. AccessMaster
By: Evidian Inc.
Platforms: IRIX, Solaris, Windows 2000, Windows 95/98, Windows NT
Relevant URL: http://www.evidian.com/accessmaster/about/index.htm
Summary:

Extending onto a networked world means embracing the unknown. Piracy,
vandalism, industrial espionage... - attacks on companies are doubling
each year. With uniquely integrated security software, AccessMaster
manages and safeguards access to your data, end-to-end, from portals to
legacy, and lets you enforce a single, unified security policy across the
enterprise and beyond.

AccessMaster ensures high security level by federating your existing
security solutions, while ensuring at the same time user's convenience
with Single Sign-On and security officer's ease of administration with
centralized, Ldap-compliant, user and PKI management. In this way,
AccessMaster reduces IT security cost of ownership, with rapid return on
investment.

AccessMaster is recognized by analysts as a leading security suite for
large enterprises today. It was awarded best access control software by
Secure Computing Magazine three years running, in 2000, 2001, and 2002.

2. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, Windows
95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:

KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity
within an accounting or specialist system. It is completely undetectable
by software scanners and provides you with one of the most powerful
stealth surveillance applications offered anywhere.

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded data
in it?s own internal memory (not on the hard drive), it is impossible for
a network intruder to gain access to any sensitive data stored within the
device.

3. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:

Evidian's SafeKit technology makes it possible to render any application
available 24 hours per day. With no extra hardware: just use your existing
servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to do
is add more standard servers into the cluster. With the load balancing
features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to serve
your users.

4. SecurDataStor
By: encryptX Corporation
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.encryptx.com/products/securdatastor.asp
Summary:

The SecurDataStor product line is designed to provide a comprehensive
software security solution that manages and controls access to sensitive
information that you need to share internally and externally.
SecurDataStor is available in three versions: Basic, Premium, and
Platinum. Depending on the level of security that you need, you can choose
the SecurDataStor product that suits your needs.

With its end-to-end protection of sensitive business information,
SecurDataStor products protect sensitive information when used by the
originator, stored locally on a hard drive or file server, and when
shared. Users can safely share sensitive information across different
Microsoft Windows operating systems, over different network and firewall
technologies, and across different forms of removable media.

5. Proactive Windows Security Explorer
By: Elcomsoft Co. Ltd.
Platforms: Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.elcomsoft.com/pwsex.html#
Summary:

Proactive Windows Security Explorer (PWSEX) is a password security test
tool that's designed to allow Windows NT, Windows 2000, and Windows
XP-based systems administrators to identify and close security holes in
their networks. Proactive Windows Security Explorer helps secure networks
by executing an audit of account passwords, and exposing insecure account
passwords. If it is possible to recover the password within a reasonable
time, the password is considered insecure.

An administrator can also use it to recover any lost password and access a
user's Windows account. Proactive Windows Security Explorer works by
analyzing user password hashes and recovering plain-text passwords.

6. Outpost Personal Firewall Pro 2.0
By: Agnitum
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.outpost.uk.com
Summary:

New Outpost Personal Firewall Pro 2.0 outdistances the award-winning
Outpost Personal Firewall Pro 1.0 on multiple levels, from enhanced
privacy features to ease-of-use. As the foremost security application for
personal computers, Outpost Personal Firewall Pro 2.0 gives you the latest
in personal firewall technology, making version 2.0 the clear security
choice for your system.


V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. Fingerprint Verification System v0.1.0
By: Shivang Patel
Relevant URL: http://fvs.sourceforge.net/
Platforms: FreeBSD, Linux, UNIX, Windows 2000, Windows 95/98, Windows NT
Summary:

Fingerprint Verification System is an easy-to-use library that allows
programmers to integrate fingerprint technology into their software
without specific know-how. It is fast and small, and is great for embedded
systems.

2. mrtg v2.10.11
By: Tobias Oetiker
Relevant URL: http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
Platforms: POSIX, Windows 2000, Windows NT
Summary:

The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic
load on network-links. MRTG generates HTML pages containing GIF/PNG images
which provide a live visual representation of this traffic.

3. Mod_security v 1.8dev1
By: Ivan Ristic
Relevant URL: http://www.modsecurity.org
Platforms: FreeBSD, Linux, Solaris, Windows 2000, Windows NT, Windows XP
Summary:

ModSecurity is an open source intrusion detection and prevention engine
for web applications. It operates embedded into the web server, acting as
a powerful umbrella - shielding applications from attacks. ModSecurity
supports Apache (both branches) today, with support for Java-based servers
coming soon.

4. Stealth HTTP Security Scanner v2.0b47
By: qw erty
Relevant URL: http://www.devhood.com/tools/tool_details.aspx?tool_id=353
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
Summary:

Stealth 1.0 scans for 2883 HTTP vulnerabilities. This tool is designed
especially for the system administrators, security consultants and IT
professionals to check the possible security holes and to confirm any
present security vulnerabilities that hackers can exploit. Totally free
for commercial and non-commercial use.

5. IDA Pro - Freeware Edition
By: DataRescue Inc.
Relevant URL: http://www.datarescue.com/idabase
Platforms: DOS, Windows 2000, Windows 95/98, Windows NT
Summary:

The freeware version of the Interactive Disassembler Pro. Supports 80x86
binaries and FLIRT, a unique Fast Library Identification and Recognition
Technology that automagically recognizes standard compiler library calls.
Widely used in COTS validation and hostile code analysis.

6. Enigmail v0.82.5
By: Patrick
Relevant URL: http://enigmail.mozdev.org/thunderbird.html
Platforms: Linux, MacOS, POSIX, UNIX, Windows 2000, Windows 3.x, Windows
95/98, Windows CE, Windows NT, Windows XP
Summary:

Enigmail is a plugin for the mail client of Mozilla and Netscape 7.x
which allows users to access the authentication and encryption features
provided by the popular GnuPG software. Enigmail can encrypt/sign mail
when sending, and can decrypt/authenticate received mail. It can also
import/export public keys. Enigmail supports both the inline PGP format
and the PGP/MIME format, which can be used to encrypt attachments.
Enigmail is cross-platform, although binaries are supplied only for a
limited number of platforms. Enigmail uses inter-process communication to
execute GPG to carry out encryption/authentication.