From mieko@ccuec.unicamp.br Thu Apr 3 09:22:45 2003
From: mieko@ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 3 Apr 2003 09:22:45 -0300
Subject: [SECURITY-L] [cais@cais.rnp.br: CAIS-Resumo: Janeiro a Marco de 2003]
Message-ID: <20030403122244.GA17625@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Resumo: Janeiro a Marco de 2003
To: rnp-alerta@cais.rnp.br, rnp-seg@cais.rnp.br
Date: Thu, 27 Mar 2003 15:54:49 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

As the security community knows, every three months CERT/CC publishes the CERT Summary, a digest of the alerts, vulnerabilities and incidents of the preceding months. Traditionally, CAIS has forwarded the CERT Summaries together with a synopsis comparing the data presented by CERT with the occurrences recorded by CAIS in the same period.

Starting in 2003, CAIS will take a different approach: it will continue to forward the CERT Summaries and will publish a separate document, the "CAIS Resumo" (CAIS Summary), which follows the same philosophy as the CERT document but focuses on the data recorded by CAIS and on the reality of Brazilian networks.

This first CAIS Summary covers the alerts, vulnerabilities and other events that stood out in the security area during the first quarter of 2003.

1. In January, the Slammer (or Sapphire) worm spread, targeting Microsoft Windows systems vulnerable to a flaw in the Resolution Service of Microsoft SQL Server 2000. Although the worm exploited an already known vulnerability, many systems were affected, demonstrating the fragility created by out-of-date systems or default installations made without proper attention to the fixes recommended by vendors.

2. In February, the highlight was the end of the 2002/2003 daylight saving time period, on 16 February.
Remember that accurate system clocks are vitally important for handling security incidents, since they keep logs consistent, which is essential in investigations and in identifying those responsible.

3. In early March, a "buffer overflow" vulnerability in Sendmail was disclosed that could allow privileged access remotely. The greater impact of this alert lies in the fact that a large share of e-mail servers use Sendmail as their MTA.

4. Also in March, a vulnerability was identified in Snort, a public-domain IDS software package that is widely used today.

5. Still in March, CERT/CC published an alert covering the increase in activity related to Windows resource sharing, which involves ports 137/tcp and udp, 138/udp and 139/tcp, as well as 445/tcp. CAIS also recorded an increase in reconnaissance activity involving these ports, mainly scans on port 445.

6. On 11 March, a new version of the CodeRed worm was identified: CodeRed.F. This variant is almost identical to CodeRed II, except for its ability to propagate indefinitely; recall that CodeRed II was programmed to stop propagating at the end of 2002.

7. On 17 March, CERT/CC published advisory CA-2003-09 on a vulnerability in the WebDAV module of IIS 5.0. On the 19th, however, it was confirmed that the vulnerability affected ntdll.dll, a vital library of the Windows system. Since the WebDAV module uses that DLL, IIS 5.0 was directly affected.
The alerts published or forwarded by CAIS with the greatest prominence and repercussion in the first three months of 2003 are listed below and are available at: http://www.rnp.br/cais/alertas/2003/

CAIS Alert ALR-18032003
Additional information on the IIS 5.0 vulnerability (815021) [CAIS, 18.3.2003]

CERT Advisory CA-2003-09
Vulnerability in IIS 5.0 [Cert, 17.3.2003]

CAIS Alert ALR-11032003
New version of the CodeRed worm [CAIS, 11.03.2003]

Cert Advisory CA-2003-08
Increased activity related to Windows resource sharing [Cert, 11.03.2003]

CAIS Alert ALR-10032003
New worm known as "Deloder" [CAIS, 10.03.2003]

ISS Alert
Snort RPC Preprocessing Vulnerability [ISS, 03.03.2003]

Cert Advisory CA-2003-07
Remote Buffer Overflow in Sendmail [Cert, 03.03.2003]

Cert Advisory CA-2003-05
Multiple Vulnerabilities in Oracle Servers [Cert, 19.02.2003]

CAIS Alert ALR-06022003
End of Daylight Saving Time 2002/2003 [CAIS, 06.02.2003]

Cert Advisory CA-2003-04
MS-SQL Worm (Slammer) [Cert, 25.01.2003]

Cert Advisory CA-2003-02
Vulnerability in CVS Concurrent Versions System [Cert, 22.01.2003]

Below are some interviews given by CAIS related to the topics highlighted above:

"Repercussion of the Slammer worm in Brazil"
http://www.modulo.com.br/index.jsp?page=3&catid=7&objid=1679&pagenumber=0&id

"End of daylight saving time and the importance of adjusting servers"
http://www.modulo.com.br/index.jsp?page=3&catid=6&objid=40&pagenumber=0&idiom=0

"Code Red variant exploits lack of security culture"
http://www.modulo.com.br/index.jsp?page=3&catid=7&objid=1785&pagenumber=0

CAIS stresses that keeping systems and applications up to date, following a security policy and educating users are some of the recommended practices for reducing the risk of compromise of your network, and they also contribute to raising the security of the Internet as a whole.
CAIS recommends that administrators stay aware of and alert to the advisories, fixes and updates made available by vendors and by reputable security organizations.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais@cais.rnp.br                      http://www.cais.rnp.br #
# Tel. 019-37873300                     Fax. 019-37873301      #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

-----END PGP SIGNATURE-----

----- End forwarded message -----

From mieko@ccuec.unicamp.br Thu Apr 3 09:23:35 2003
From: mieko@ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 3 Apr 2003 09:23:35 -0300
Subject: [SECURITY-L] [cert-advisory@cert.org: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail]
Message-ID: <20030403122335.GB17625@ccuec.unicamp.br>

----- Forwarded message from CERT Advisory -----

From: CERT Advisory
Subject: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail
To: cert-advisory@cert.org
Date: Sat, 29 Mar 2003 14:57:42 -0500
Organization: CERT(R) Coordination Center - +1 412-268-7090

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

   Original release date: March 29, 2003
   Last revised:
   Source: CERT/CC

   A complete revision history can be found at the end of this file.
Systems Affected

   * Sendmail Pro (all versions)
   * Sendmail Switch 2.1 prior to 2.1.6
   * Sendmail Switch 2.2 prior to 2.2.6
   * Sendmail Switch 3.0 prior to 3.0.4
   * Sendmail for NT 2.X prior to 2.6.3
   * Sendmail for NT 3.0 prior to 3.0.4
   * Systems running open-source sendmail versions prior to 8.12.9, including UNIX and Linux systems

Overview

   There is a vulnerability in sendmail that can be exploited to cause a denial-of-service condition and could allow a remote attacker to execute arbitrary code with the privileges of the sendmail daemon, typically root.

I. Description

   There is a remotely exploitable vulnerability in sendmail that could allow an attacker to gain control of a vulnerable sendmail server. Address parsing code in sendmail does not adequately check the length of email addresses. An email message with a specially crafted address could trigger a stack overflow. This vulnerability was discovered by Michal Zalewski. This vulnerability is different than the one described in CA-2003-07.

   Most organizations have a variety of mail transfer agents (MTAs) at various locations within their network, with at least one exposed to the Internet. Since sendmail is the most popular MTA, most medium-sized to large organizations are likely to have at least one vulnerable sendmail server. In addition, many UNIX and Linux workstations provide a sendmail implementation that is enabled and running by default.

   This vulnerability is message-oriented as opposed to connection-oriented. That means that the vulnerability is triggered by the contents of a specially-crafted email message rather than by lower-level network traffic. This is important because an MTA that does not contain the vulnerability will pass the malicious message along to other MTAs that may be protected at the network level. In other words, vulnerable sendmail servers on the interior of a network are still at risk, even if the site's border MTA uses software other than sendmail.
   Also, messages capable of exploiting this vulnerability may pass undetected through many common packet filters or firewalls.

   This vulnerability has been successfully exploited to cause a denial-of-service condition in a laboratory environment. It is possible that this vulnerability could be used to execute code on some vulnerable systems.

   The CERT/CC is tracking this issue as VU#897604. This reference number corresponds to CVE candidate CAN-2003-0161.

   For more information, please see

     http://www.sendmail.org
     http://www.sendmail.org/8.12.9.html
     http://www.sendmail.com/security/

   For the latest information about this vulnerability, including the most recent vendor information, please see

     http://www.kb.cert.org/vuls/id/897604

   This vulnerability is distinct from VU#398025.

II. Impact

   Successful exploitation of this vulnerability may cause a denial-of-service condition or allow an attacker to gain the privileges of the sendmail daemon, typically root. Even vulnerable sendmail servers on the interior of a given network may be at risk since the vulnerability is triggered by the contents of a malicious email message.

III. Solution

   Apply a patch from Sendmail, Inc.

   Sendmail has produced patches for versions 8.9, 8.10, 8.11, and 8.12. However, the vulnerability also exists in earlier versions of the code; therefore, site administrators using an earlier version are encouraged to upgrade to 8.12.9. These patches, and a signature file, are located at

     ftp://ftp.sendmail.org/pub/sendmail/prescan.tar.gz.uu
     ftp://ftp.sendmail.org/pub/sendmail/prescan.tar.gz.uu.asc

   Apply a patch from your vendor

   Many vendors include vulnerable sendmail servers as part of their software distributions. We have notified vendors of this vulnerability and recorded the statements they provided in Appendix A of this advisory. The most recent vendor information can be found in the systems affected section of VU#897604.

   Enable the RunAsUser option

   There is no known workaround for this vulnerability.
   Until a patch can be applied, you may wish to set the RunAsUser option to reduce the impact of this vulnerability. As a good general practice, the CERT/CC recommends limiting the privileges of an application or service whenever possible.

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

   Red Hat Inc.

     Red Hat distributes sendmail in all Red Hat Linux distributions. We are currently [Mar29] working on producing errata packages to correct this issue, when complete these will be available along with our advisory at the URL below. At the same time users of the Red Hat Network will be able to update their systems using the 'up2date' tool.

     Red Hat Linux: http://rhn.redhat.com/errata/RHSA-2003-120.html
     Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2003-121.html

   The Sendmail Consortium

     The Sendmail Consortium recommends that sites upgrade to 8.12.9 whenever possible. Alternatively, patches are available for 8.9, 8.10, 8.11, and 8.12 on http://www.sendmail.org/.

   Sendmail, Inc.

     All commercial releases including Sendmail Switch, Sendmail Advanced Message Server (which includes the Sendmail Switch MTA), Sendmail for NT, and Sendmail Pro are affected by this issue. Patch information is available at http://www.sendmail.com/security/.

_________________________________________________________________

   Our thanks to Eric Allman, Claus Assmann, Greg Shapiro, and Dave Anderson of Sendmail for reporting this problem and for their assistance in coordinating the response to this problem. We also thank Michal Zalewski for discovering this vulnerability.

_________________________________________________________________

   Authors: Art Manion and Shawn V. Hernan

______________________________________________________________________

   This document is available from: http://www.cert.org/advisories/CA-2003-12.html

______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
     CERT Coordination Center
     Software Engineering Institute
     Carnegie Mellon University
     Pittsburgh PA 15213-3890
     U.S.A.

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

     http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

   CERT publications and other security information are available from our web site

     http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

     subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

   Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

Revision History

   March 29, 2003: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

-----END PGP SIGNATURE-----

----- End forwarded message -----

From mieko@ccuec.unicamp.br Thu Apr 3 09:33:49 2003
From: mieko@ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 3 Apr 2003 09:33:49 -0300
Subject: [SECURITY-L] [cais@cais.rnp.br: CAIS-Alerta: Fraudes em Internet Banking]
Message-ID: <20030403123349.GD17625@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Fraudes em Internet Banking
To: rnp-alerta@cais.rnp.br, rnp-seg@cais.rnp.br
Cc: champs-all@rnp.br
Date: Wed, 2 Apr 2003 15:27:12 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

Recently, CAIS has recorded an increase in reports of fraud involving Internet Banking. In this context, this alert aims to inform users about some of the techniques most used by attackers, and to recommend basic procedures for preventing attacks of this kind.

The main tricks used by attackers are:

. sending e-mails that use social engineering to convince the user to send data such as account number and password to a given address, or to fill in forms attached to the e-mail with such data. The forms or e-mails are delivered to the attacker.

. sending fake e-mails that use social engineering to convince the user to visit a given URL hosting a fake page that requests sensitive user data such as account number, access password, card PIN, etc.

. using domains similar to the original one to lend legitimacy to the e-mails sent and to the fake pages used to collect the data. Some examples: www.banco.com.br is the original site and www.banco.com is the fake site. Similarly, the bank's genuine e-mail address may be banco@banco.com.br while the fake one may be sac@banco.com.br or banco@banco.com.

. poisoning the name server, redirecting the Internet Banking user to a fake page resembling the bank's original page, from which the attacker can extract sensitive user data such as account number, access password, card PIN, etc.

. telephone calls that use social engineering to obtain the user's data (account number, password, etc.).

Note that social engineering is the term used for a type of attack in which the attacker exploits the user's naivety or trust, presenting stories and situations that lead the user to hand over confidential data, later used to obtain unauthorized access to computers or information. Social engineering techniques can be used in personal contact, by telephone, e-mail, instant messaging or chat.

CAIS recommends that Internet Banking users:

. Keep their banking passwords well guarded and secure, following their bank's recommendations.

. Do not give details of their bank account or passwords to third parties when approached by any means, whether in person, by telephone or by e-mail.

. Use strong, non-trivial passwords and change them frequently, following their bank's rules and recommendations.

. When visiting their bank's site, take some time to check the page, advertisements and requested data for anything suspicious.
Also check that the address shown by the browser matches the address you went to, for example www.banco.com.br.

. Pay attention to their bank's official announcements. Some banks have posted warning messages on their sites about recent fraud attempts.

. When targeted by suspicious situations (e-mails from the bank, phone contacts asking for a password or account number, consecutive errors when accessing the bank's site), report what happened to the bank's customer support service.

. Always keep the browser they use up to date, for example Netscape and Internet Explorer.

. Check the bank site's digital certificate, confirming that it was really issued to the bank in question and checking its validity period. Also pay attention to the messages issued by the browser, checking whether it recognized the certificate authority that issued the certificate to the site being visited.

. Do not automatically dismiss the warning messages generated by the browser about digital certificates and encrypted pages. The recommended practice is to read such messages carefully and, in case of doubt, stop the process and consult the bank's customer support service.

Listed below are references from some Brazilian banks containing recommendations on Internet Banking security:

http://www.bradesco.com.br/html/prodserv/homeoffice/internetbank.html
http://www.bb.com.br/appbb/portal/bb/ds/problemas.jsp
http://www.itau.com.br/bankline/seguranca.htm
https://internetcaixa.caixa.gov.br/InternetCaixa/index.asp
http://www.bancoreal.com.br/pessoas/real_ate_voce/tpl_rib_duvidas.shtm
http://galeriadeinvestimentos.unibanco.com.br/url.asp?nu_texto=142
http://www.banespa.com.br/site/servicos/atendimento/sn_netbanking_pessoas.jsp

Finally, here are two documents related to the topic of this alert.

"AL-2003.04 - Increase in fraudulent activity targeting users of online banking and electronic payment sites"
http://www.auscert.org.au/render.html?it=2909

"Cartilha de Seguranca para Internet, Parte IV: Fraudes na Internet" (Internet Security Primer, Part IV: Internet Fraud)
http://www.nbso.nic.br/docs/cartilha/cartilha-04-fraudes.html

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais@cais.rnp.br                      http://www.cais.rnp.br #
# Tel. 019-37873300                     Fax. 019-37873301      #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

-----END PGP SIGNATURE-----

----- End forwarded message -----

From mieko@ccuec.unicamp.br Thu Apr 3 09:28:04 2003
From: mieko@ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 3 Apr 2003 09:28:04 -0300
Subject: [SECURITY-L] [cais@cais.rnp.br: CAIS-Alerta: Remote Buffer Overflow in Sendmail]
Message-ID: <20030403122804.GC17625@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Remote Buffer Overflow in Sendmail
To: rnp-alerta@cais.rnp.br, rnp-seg@cais.rnp.br
Date: Sat, 29 Mar 2003 18:46:28 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the advisory published today by CERT/CC, "CERT Advisory CA-2003-12 Remote Buffer Overflow in Sendmail", concerning a "buffer overflow" vulnerability in Sendmail.
This vulnerability could be exploited remotely by an attacker, granting privileged access to the system (basically "root" or superuser access) or enabling a denial-of-service (DoS) attack.

*** Note that this vulnerability is different from the one reported by CAIS on 03/03/2003, available at the following URL: http://www.rnp.br/cais/alertas/2003/CA200307.html ***

Sendmail is very probably the most widely used MTA (Mail Transfer Agent) on the Internet (it has been documented as running on between 50 and 75% of e-mail servers). Add to this the fact that, because of their public nature, these servers are highly exposed and totally deprived of any kind of protection by firewalls and/or packet filters, and the impact of exploiting this vulnerability becomes even greater. It was also reported that a DoS attack could be carried out in the laboratory, so CAIS strongly recommends that administrators update their systems **urgently**, given the severity of the reported problem.

* Affected systems:

. Unix and Linux systems running the public version of the Sendmail software (versions prior to 8.12.9)
. Sendmail Pro (all versions)
. Sendmail Switch 2.1 - versions prior to 2.1.6
. Sendmail Switch 2.2 - versions prior to 2.2.6
. Sendmail Switch 3.0 - versions prior to 3.0.4
. Sendmail for NT 2.X - versions prior to 2.6.3
. Sendmail for NT 3.0 - versions prior to 3.0.4

* Available fixes:

Upgrading to version 8.12.9 is recommended; it is available at: http://www.sendmail.org/8.12.9.html

If you are running one of the following versions: 8.9.x, 8.10.x, 8.11.x or 8.12.[1-8], the alternative is to apply the corresponding fix ("patch"). These fixes can be obtained at the following URL: http://www.sendmail.org/patchps.html

Those using commercial versions of Sendmail should contact their respective vendor to obtain a fix.
If you are unable to upgrade or apply the patch *immediately*, one way to reduce the impact of the vulnerability is to enable the "RunAsUser" option. In general, whenever possible, limiting the privileges of an application or service is highly recommended.

* Further information:

http://www.cert.org/advisories/CA-2003-12.html
http://www.sendmail.org
http://www.sendmail.org/8.12.9.html
http://www.sendmail.com/security
http://www.kb.cert.org/vuls/id/897604

* CVE identifier:

The CVE project (http://cve.mitre.org), which standardizes names for security problems, has assigned the name CAN-2003-0161 to this vulnerability.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais@cais.rnp.br                      http://www.cais.rnp.br #
# Tel. 019-37873300                     Fax. 019-37873301      #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

   Original release date: March 29, 2003
   Last revised:
   Source: CERT/CC

- ------------ Output from pgp ------------
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Export of this software may be restricted by the U.S. government.

File is signed.  signature not checked.
Signature made 2003/03/29 19:52 GMT
key does not meet validity threshold.

WARNING:  Because this public key is not certified with a trusted
signature, it is not known with high confidence that this public key
actually belongs to: "(KeyID: 0xD9513B39)".
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPoYUSukli63F4U8VAQH+OgQAvvDiOQDLKikTSwpFUVZnGCk7ZdsQ6AVP
JMf13Dhn37gAb99mTvlO5Qac5xdE3nFrSoLWvRoKSCcqyRTqvzwPxsOPYnCTinnb
1W94ZFcwj5HJ5jQgU/g08bhVvSgVAI+5fBAcH+UWwpzT5as3+In5jncKVF0nkSJz
8uIRugEb2Nk=
=FmHB
-----END PGP SIGNATURE-----

----- End forwarded message -----

From mieko em ccuec.unicamp.br Thu Apr 3 11:14:08 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 3 Apr 2003 11:14:08 -0300
Subject: [SECURITY-L] [andre@agr.unicamp.br: Netscape 7 to adopt the ICP-Brasil root key]
Message-ID: <20030403141408.GA17794@ccuec.unicamp.br>

----- Forwarded message from Andre Aparecido Nogueira -----

From: Andre Aparecido Nogueira
Subject: Netscape 7 to adopt the ICP-Brasil root key
To: undisclosed-recipients: ;
Date: Fri, 28 Mar 2003 13:59:09 -0300

Conectiva has resolved the last outstanding issue for inserting the ICP-Brasil root key into the Conectiva Linux 9 operating system, a version that should be available to users from April.

America Online, owner of Netscape, was contacted by Conectiva's technicians, who, after making adaptations, received approval to insert the digital key, the last step for all graphical browsers in Linux 9 to recognize the Brazilian certificate. With this, in addition to Konqueror, Mozilla and Galeon, the Netscape 7 version will also be compatible with the ICP-Brasil root key.

The agreement signed between the government and Conectiva is of significant importance for the Linux/Free Software/Open Source community. This is the first government in the world to recognize and express interest in adopting digital certification security standards in upcoming versions of Linux.

Source: [Luiz Queiroz, from Brasília]

*What is ICP-Brasil*

It is a set of techniques, practices and procedures, to be implemented by Brazilian government and private organizations with the goal of establishing the technical and methodological foundations of a public-key based digital certification system.

-- 
Andre Aparecido Nogueira
Faculdade de Eng. Agricola/UNICAMP        °v°
E-mail: mailto:andre em agr.unicamp.br   /(_)\
Be free, use Linux!                       ^ ^

----- End forwarded message -----

From mieko em ccuec.unicamp.br Fri Apr 4 09:33:12 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 4 Apr 2003 09:33:12 -0300
Subject: [SECURITY-L] [nelson@pangeia.com.br: [S] [ Announcement - Chkrootkit 0.40 ]]
Message-ID: <20030404123305.GA19394@ccuec.unicamp.br>

----- Forwarded message from Nelson Murilo -----

From: Nelson Murilo
Subject: [S] [ Announcement - Chkrootkit 0.40 ]
To: seguranca em pangeia.com.br
Date: Fri, 4 Apr 2003 09:18:49 -0300

Version 0.40 of chkrootkit is available. This version includes:

* chkproc.c
  - kill() function removed because of several false negatives;
  - small code fixes;

* chkrootkit
  - Tru64 support;
  - new test added: init
  - new rootkits detected:
    - shv4
    - Aquatica
    - ZK
  - small code fixes;

chkrootkit is a tool for locally checking for signs of rootkits. More information about chkrootkit and rootkits can be found at http://www.chkrootkit.org/.

The package has been tested successfully on the following platforms: Linux 2.0.x, 2.2.x and 2.4.x (any distribution), FreeBSD 2.2.x, 3.x and 4.x, OpenBSD 2.x and 3.x, NetBSD 1.5.x and 1.6, Solaris 2.5.1, 2.6 and 8.0, HP-UX and Tru64.
The package is available at:

* ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
* ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5

or on the official page at:

* http://www.chkrootkit.org/

More information about rootkits can be found at:

* http://www.chkrootkit.org/index.html#related_links

./nelson -murilo

----- End forwarded message -----

From mieko em ccuec.unicamp.br Fri Apr 4 12:36:02 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 4 Apr 2003 12:36:02 -0300
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030404153602.GA19539@ccuec.unicamp.br>

Dear Users,

We have updated the site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

31/03/2003
----------

Red Hat Security Advisory (RHSA-2003:034-01)
Subject: Updated dhcp packages fix possible packet storm
http://www.security.unicamp.br/docs/bugs/2003/03/v131.txt

Red Hat Security Advisory (RHSA-2003:120-01)
Subject: Updated sendmail packages fix vulnerability
http://www.security.unicamp.br/docs/bugs/2003/03/v130.txt

Gentoo Linux Security Announcement (200303-29)
Subject: integer overflow in dietlibc
http://www.security.unicamp.br/docs/bugs/2003/03/v129.txt

Gentoo Linux Security Announcement (200303-28)
Subject: multiple vulnerabilities fixed in krb5 & mit-krb5
http://www.security.unicamp.br/docs/bugs/2003/03/v128.txt

Gentoo Linux Security Announcement (200303-27)
Subject: buffer overflow in sendmail
http://www.security.unicamp.br/docs/bugs/2003/03/v127.txt

30/03/2003
----------

FreeBSD Security Advisory (FreeBSD-SA-03:07)
Subject: a second sendmail header parsing buffer overflow
http://www.security.unicamp.br/docs/bugs/2003/03/v126.txt

Gentoo Linux Security Announcement (200303-26)
Subject: cryptographic weakness in Kerberos v4
http://www.security.unicamp.br/docs/bugs/2003/03/v125.txt

OpenPKG Security Advisory (OpenPKG-SA-SA-2003.027)
Subject: remote root exploit in sendmail
http://www.security.unicamp.br/docs/bugs/2003/03/v124.txt

29/03/2003
----------

CAIS-Alerta
Subject: Remote Buffer Overflow in Sendmail
http://www.security.unicamp.br/docs/bugs/2003/03/v123.txt

CERT Advisory (CA-2003-12)
Subject: Buffer Overflow in Sendmail
http://www.security.unicamp.br/docs/bugs/2003/03/v122.txt

Slackware Security Team
Subject: Samba buffer overflow fixed
http://www.security.unicamp.br/docs/bugs/2003/03/v121.txt

Slackware Security Team
Subject: Sendmail buffer overflow fixed
http://www.security.unicamp.br/docs/bugs/2003/03/v120.txt

28/03/2003
----------

Debian Security Advisory (DSA 274-1)
Subject: buffer overflow in mutt
http://www.security.unicamp.br/docs/bugs/2003/03/v119.txt

Debian Security Advisory (DSA 273-1)
Subject: Cryptographic weakness in krb4
http://www.security.unicamp.br/docs/bugs/2003/03/v118.txt

Gentoo Linux Security Announcement (200303-25)
Subject: buffer overrun in zlib
http://www.security.unicamp.br/docs/bugs/2003/03/v117.txt

Debian Security Advisory (DSA 272-1)
Subject: integer overflow in dietlibc
http://www.security.unicamp.br/docs/bugs/2003/03/v116.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:039)
Subject: Security vulnerability in kernel22
http://www.security.unicamp.br/docs/bugs/2003/03/v115.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:038)
Subject: Security vulnerability in kernel
http://www.security.unicamp.br/docs/bugs/2003/03/v114.txt

27/03/2003
----------

CAIS-Resumo: January to March 2003
http://www.security.unicamp.br/docs/bugs/2003/03/v113.txt

Trustix Secure Linux Security Advisory (#2003-0014)
Subject: Security vulnerability in the glibc package
http://www.security.unicamp.br/docs/bugs/2003/03/v112.txt

Trustix Secure Linux Security Advisory (#2003-0013)
Subject: The openssl-0.9.6-13tr was open to the Klima-Pokorny-Rosa attack, this new one is patched against this problem.
http://www.security.unicamp.br/docs/bugs/2003/03/v111.txt

Debian Security Advisory (DSA 271-1)
Subject: unauthorized password change in ecartis and listar
http://www.security.unicamp.br/docs/bugs/2003/03/v110.txt

Debian Security Advisory (DSA 270-1)
Subject: local privilege escalation
http://www.security.unicamp.br/docs/bugs/2003/03/v109.txt

26/03/2003
----------

Red Hat Security Advisory (RHSA-2003:051-01)
Subject: Updated kerberos packages fix various vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/03/v108.txt

-- 
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Fri Apr 4 16:57:00 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 4 Apr 2003 16:57:00 -0300
Subject: [SECURITY-L] News Bulletins
Message-ID: <20030404195658.GA19902@ccuec.unicamp.br>

Dear Users,

We have updated the site of the Unicamp Systems and Network Security Team with the following news bulletins and/or electronic magazines:

31/03/2003
----------

No.287 : Brazil pioneer - Linux compatible with Brazilian digital certification
Source: Modulo
http://www.security.unicamp.br/docs/informativos/2003/03/b16.txt

SecurityFocus Newsletter #190
Source: Security Focus
http://www.security.unicamp.br/docs/informativos/2003/03/b15.txt

SANS Critical Vulnerability Analysis Vol 2 No 12
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/03/b14.txt

26/03/2003
----------

SANS NewsBites Vol. 5 Num. 12
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/03/b13.txt

-- 
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Mon Apr 7 17:20:08 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Mon, 7 Apr 2003 17:20:08 -0300
Subject: [SECURITY-L] [cais@cais.rnp.br: CAIS-Alerta: Vulnerability in the SETI@home application]
Message-ID: <20030407202008.GB499@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Vulnerability in the SETI@home application
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Mon, 7 Apr 2003 17:08:44 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the alert published by Berend-Jan Weve, "Information leakage and remotely exploitable buffer overflow in various seti@home clients and the main server", concerning the identification of a serious vulnerability involving the clients of the SETI@home project.

The SETI@home project is a scientific experiment that uses the idle time of Internet-connected computers to analyze data collected from radio telescopes.

Affected systems:

Clients with a remote vulnerability:
. setiathome-3.03.i386-pc-linux-gnu-gnulibc2.1
. setiathome-3.03.i686-pc-linux-gnu-gnulibc2.1
. setiathome-3.03.i386-pc-linux-gnulibc1-static
. setiathome-3.03.i686-pc-linux-gnulibc1-static
. setiathome-3.03.i386-winnt-cmdline.exe
. i386-unknown-freebsd2.2.8 (Special thanks to Niels Heinen)
. SETI@home.exe (v3.07 Screensaver)

Available fixes:

The fix consists of updating the application, available at:
. http://setiathome.berkeley.edu/download.html

More information:
. http://spoor12.edup.tudelft.nl/
. http://setiathome.berkeley.edu/

CAIS recommends that administrators inform their users about this vulnerability.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br          http://www.cais.rnp.br           #
# Tel. 019-37873300           Fax. 019-37873301                #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

Advisories/Seti@home

Information leakage and remotely exploitable buffer overflow in various seti@home clients and the main server.

Affected versions

Confirmed information leaking:
  This issue affects all clients.

Confirmed remote exploitable:
  setiathome-3.03.i386-pc-linux-gnu-gnulibc2.1
  setiathome-3.03.i686-pc-linux-gnu-gnulibc2.1
  setiathome-3.03.i386-pc-linux-gnulibc1-static
  setiathome-3.03.i686-pc-linux-gnulibc1-static
  setiathome-3.03.i386-winnt-cmdline.exe
  i386-unknown-freebsd2.2.8 (Special thanks to Niels Heinen)
  SETI@home.exe (v3.07 Screensaver)

Confirmed DoS-able using buffer overflow:
  The main seti@home server at shserver2.ssl.berkeley.edu

Presumed vulnerable to buffer overflow:
  All other clients.

PATCHED VERSION

Are available

BACKGROUND INFORMATION

- From "http://setiathome.berkeley.edu/":

"SETI@home is a scientific experiment that uses Internet-connected computers in the Search for Extraterrestrial Intelligence (SETI). You can participate by running a free program that downloads and analyzes radio telescope data."

"The SETI@home program is a special kind of screensaver. Like other screensavers it starts up when you leave your computer unattended, and it shuts down as soon as you return to work. What it does in the interim is unique. While you are getting coffee, or having lunch or sleeping, your computer will be helping the Search for Extraterrestrial Intelligence by analyzing data specially captured by the world's largest radio telescope."

"The client/screensaver is available for download only from this web page - - we do not support SETI@home software obtained elsewhere. This software will upload and download data only from our data server here at Berkeley. The data server doesn't download any executable code to your computer. All in all, the screensaver is much safer than the browser you're running right now!"

There are currently over four million registered users of seti@home. Over half a million of these users are "active"; they have returned at least one result within the last four weeks.

THE VULNERABILITIES

The seti@home clients use the HTTP protocol to download new workunits, user information and to register new users. The implementation leaves two security vulnerabilities:

1) All information is sent in plaintext across the network. This information includes the processor type and the operating system of the machine seti@home is running on.

2) There is a buffer overflow in the server response handler. Sending an overly large string followed by a newline ('\n') character to the client will trigger this overflow. This has been tested with various versions of the client. All versions are presumed to have this flaw in some form.

3) A similar buffer overflow seems to affect the main seti@home server at shserver2.ssl.berkeley.edu. It closes the connection after receiving a too large string of bytes followed by a '\n'.

THE TECHNIQUE

1) Sniffing the information exposed by the seti@home client is trivial and very useful to a malicious person planning an attack on a network. A passive scan of machines on a network can be made using any packet sniffer to grab the information from the network.

2) All tested clients have similar buffer overflows, which allowed setting eip to an arbitrary value, which can lead to arbitrary code execution. An attacker would have to reroute the connection the client tries to make to the seti@home webserver to a machine he or she controls. This can be done using various widely available spoofing tools. Seti@home also has the ability to use an HTTP proxy; an attacker could also use the machine the PROXY runs on as a base for this attack. Routers can also be used as a base for this attack.

3) Exploitation of the bug in the server has of course not been tested. Do understand that successful exploitation of the bug in the server would offer a platform from which ALL seti@home clients can be exploited.

THE EXPLOITS

Is available for linux by yours truly
Is available for linux/*BSD by Zillion

TIMELINE

2002/12/05 Information leakage discovered.
2002/12/14 Buffer overflow in client discovered.
2002/12/31 Seti@home team contacted through their website http://setiathome.berkeley.edu/help.html.
2003/01/07 Seti@home team contacted again.
2003/01/14 Buffer overflow in server discovered.
2003/01/21 Seti@home team contacted again, this time through email.
2003/01/21 Seti@home team confirmed the problem.
2003/01/25 Seti@home team promised fixed versions were being built.
2003/02/03 Seti@home team informed me about problems with the fixes for the win32 version.
2003/04/06 New Seti@home clients available, advisory released.

THANKS

Special thanks go out to:
- - Aleph1 for "Smashing the Stack for Fun and Profit".
- - Niels Heinen for his work on exploiting seti@home on FreeBSD.
- - Blazde and the other 0dd folks for help with the win32 shellcode.
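The client-side flaw described in item 2 of the advisory above (a response handler that copies bytes up to a '\n' into a fixed-size buffer with no length check) is the classic unbounded line read. The C code below is an added example written for this archive; it is not code from the SETI@home client, from the advisory's author, or from CAIS. The buffer size LINE_CAP, the function names and the sample responses are constructed for illustration. It shows, side by side, a function that reports how far the unbounded copy would overrun a destination buffer (without performing the copy) and a bounded reader that refuses overlong lines, which is the check a patched handler needs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed response buffer size for the illustration; the real client's
 * buffer size is not given in the advisory. */
#define LINE_CAP 64

/* Models the unsafe pattern the advisory describes: bytes are copied until
 * the first '\n' with no bound check, then a NUL is appended. Rather than
 * performing the copy, this reports how many bytes such a copy would write
 * past a destination of 'cap' bytes (0 means it would have fit). */
size_t unbounded_overrun(const char *src, size_t src_len, size_t cap)
{
    size_t n = 0;
    while (n < src_len && src[n] != '\n')
        n++;
    size_t needed = n + 1;          /* line bytes plus terminating NUL */
    return needed > cap ? needed - cap : 0;
}

/* Hardened reader: copies one line (without its '\n') into 'out', which
 * holds 'out_cap' bytes. Returns the line length, -1 if the line does not
 * fit (the caller should drop the connection rather than truncate silently),
 * or -2 if no newline was found within src_len bytes. */
int read_line_bounded(const char *src, size_t src_len, char *out, size_t out_cap)
{
    if (out_cap == 0)
        return -1;
    for (size_t n = 0; n < src_len; n++) {
        if (src[n] == '\n') {
            out[n] = '\0';          /* n < out_cap holds: see check below */
            return (int)n;
        }
        if (n + 1 >= out_cap) {     /* no room for this byte plus a NUL */
            out[0] = '\0';
            return -1;
        }
        out[n] = src[n];
    }
    out[0] = '\0';
    return -2;
}

/* Returns 1 if the bounded reader extracts exactly 'expect' from src. */
int bounded_line_equals(const char *src, size_t src_len, const char *expect)
{
    char out[LINE_CAP];
    int r = read_line_bounded(src, src_len, out, sizeof out);
    return r >= 0 && strcmp(out, expect) == 0;
}

/* Helpers that build a constructed response of line_len 'A' bytes followed
 * by '\n' and run each function against a 'cap'-byte destination. */
size_t overrun_for(size_t line_len, size_t cap)
{
    char *src = malloc(line_len + 1);
    if (!src)
        return (size_t)-1;
    memset(src, 'A', line_len);
    src[line_len] = '\n';
    size_t r = unbounded_overrun(src, line_len + 1, cap);
    free(src);
    return r;
}

int bounded_result_for(size_t line_len, size_t cap)
{
    char *src = malloc(line_len + 1);
    char *out = malloc(cap);
    int r = -99;                    /* allocation failure marker */
    if (src && out) {
        memset(src, 'A', line_len);
        src[line_len] = '\n';
        r = read_line_bounded(src, line_len + 1, out, cap);
    }
    free(src);
    free(out);
    return r;
}

int main(void)
{
    char out[LINE_CAP];
    const char ok[] = "OK\n";       /* constructed, well-formed response */
    printf("short line: overrun=%zu, bounded=%d (%s)\n",
           unbounded_overrun(ok, sizeof ok - 1, LINE_CAP),
           read_line_bounded(ok, sizeof ok - 1, out, LINE_CAP), out);
    printf("100-byte line: overrun=%zu, bounded=%d\n",
           overrun_for(100, LINE_CAP), bounded_result_for(100, LINE_CAP));
    return 0;
}
```

The design point is that the bounded reader treats an overlong line as a protocol error and returns -1 instead of truncating: a handler that silently truncates may still feed malformed data to the parser behind it, whereas rejecting the response and closing the connection fails closed.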
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPpHa0ekli63F4U8VAQEruAQAtjVle0O3vyL846LuvoSk7Mp5ReBXRHXg
wdaXzJ18no69I0577A4I09KE/+sGeRE8a49fft7cBnlAYfl2a+RjJZPD7knIF8b8
efKdKH04pU+xXoWcU9nFc6s+5UtfICkOtLhQZpFmMd5X/fLZxr1WceFVHeFK7Vdm
gVyJYnWHdso=
=J5Rt
-----END PGP SIGNATURE-----

----- End forwarded message -----

From mieko em ccuec.unicamp.br Mon Apr 7 17:19:45 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Mon, 7 Apr 2003 17:19:45 -0300
Subject: [SECURITY-L] [pserrano@ccuec.unicamp.br: Apache server gets preventive fix]
Message-ID: <20030407201944.GA499@ccuec.unicamp.br>

----- Forwarded message from Paulo Serrano -----

From: "Paulo Serrano"
Subject: Apache server gets preventive fix
To:
Date: Mon, 7 Apr 2003 15:53:06 -0300
X-Mailer: Microsoft Outlook CWS, Build 9.0.6604 (9.0.2911.0)

Friday, 4 April 2003 - 13:35

SÃO PAULO - A new version of the Apache web server, 2.0.45, fixes a security bug in versions 2.0 through 2.0.44 of the product. According to the Apache Software Foundation (ASF), which develops the server, the update fixes a serious vulnerability that allows the system to be compromised.

The ASF, however, is not disclosing the technical details of the flaw, to prevent it from being exploited before users have applied the fix. The details will only be disclosed on 8 April.

Apache 2.0.45 is available at www.infoexame.com.br/aberto/download/390.shl

Paulo Serrano
GTTEC/CCUEC-Unicamp

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.467 / Virus Database: 266 - Release Date: 1/4/2003

----- End forwarded message -----

From mieko em ccuec.unicamp.br Wed Apr 9 17:35:39 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Wed, 9 Apr 2003 17:35:39 -0300
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030409203539.GA3642@ccuec.unicamp.br>

Dear Users,

We have updated the site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

04/04/2003
----------

Tripbit Security Advisory (TA-2003-03)
Subject: Buffer Overflow Vulnerability in Hyperion FTP Server 3.0
http://www.security.unicamp.br/docs/bugs/2003/04/v25.txt

Debian Security Advisory (DSA 278-2)
Subject: Security vulnerability in sendmail
http://www.security.unicamp.br/docs/bugs/2003/04/v24.txt

Secure Network Operations (SRT2003-04-04-1106)
Subject: Security vulnerability in the AOLServer Proxy Daemon API
http://www.security.unicamp.br/docs/bugs/2003/04/v23.txt

Debian Security Advisory (DSA 278-1)
Subject: Security vulnerability in sendmail
http://www.security.unicamp.br/docs/bugs/2003/04/v22.txt

SuSE Security Announcement (SuSE-SA:2003:024)
Subject: Security vulnerability in openssl
http://www.security.unicamp.br/docs/bugs/2003/04/v21.txt

Red Hat Network Alert (RHSA-2003:101-15)
Subject: Updated OpenSSL packages fix vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/04/v20.txt

03/04/2003
----------

Red Hat Network Alert (RHSA-2003:034-06)
Subject: Updated dhcp packages fix possible packet storm
http://www.security.unicamp.br/docs/bugs/2003/04/v19.txt

Red Hat Security Advisory (RHSA-2003:109-03)
Subject: Updated balsa and mutt packages fix vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/04/v18.txt

SCO Security Advisory (CSSA-2003-016.0)
Subject: OpenLinux: sendmail sign extension buffer overflow (CERT CA-2003-12)
http://www.security.unicamp.br/docs/bugs/2003/04/v17.txt

Debian Security Advisory (DSA 277-1)
Subject: buffer overflows, format string in apcupsd
http://www.security.unicamp.br/docs/bugs/2003/04/v16.txt

Debian Security Advisory (DSA 276-1)
Subject: local privilege escalation in kernel-patch-2.4.17-s390, kernel-image-2.4.17-s390
http://www.security.unicamp.br/docs/bugs/2003/04/v15.txt

Secure Network Operations (SRT2003-04-03-1300)
Subject: Interbase ISC_LOCK_ENV overflow
http://www.security.unicamp.br/docs/bugs/2003/04/v14.txt

Red Hat Security Advisory (RHSA-2003:060-01)
Subject: Updated NetPBM packages fix multiple vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/04/v13.txt

02/04/2003
----------

Red Hat Security Advisory (RHSA-2003:128-01)
Subject: Updated Eye of GNOME packages fix vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v12.txt

SGI Security Advisory (20030401-01-P)
Subject: Sendmail parseaddr security vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v11.txt

Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Internet Banking Fraud
http://www.security.unicamp.br/docs/bugs/2003/04/v10.txt

Debian Security Advisory (DSA 275-1)
Subject: buffer overflow in lpr-ppd
http://www.security.unicamp.br/docs/bugs/2003/04/v9.txt

Red Hat Security Advisory (RHSA-2003:091-01)
Subject: Updated kerberos packages fix various vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/04/v8.txt

Apache
Subject: Apache 2.0.45 Released
http://www.security.unicamp.br/docs/bugs/2003/04/v7.txt

Red Hat Network Alert (RHSA-2003:120-07)
Subject: RHN Errata Alert: Updated sendmail packages fix vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v6.txt

01/04/2003
----------

OpenBSD
Subject: OpenSSH 3.6.1 released
http://www.security.unicamp.br/docs/bugs/2003/04/v5.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:040)
Subject: Security vulnerability in the Eterm package
http://www.security.unicamp.br/docs/bugs/2003/04/v4.txt

Red Hat Security Advisory (RHSA-2003:084-01)
Subject: Updated vsftpd packages re-enable tcp_wrappers support
http://www.security.unicamp.br/docs/bugs/2003/04/v3.txt

Red Hat Security Advisory (RHSA-2003:095-03)
Subject: New samba packages fix security vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/04/v2.txt

Red Hat Security Advisory (RHSA-2003:101-01)
Subject: Updated OpenSSL packages fix vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/04/v1.txt

-- 
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Thu Apr 10 09:17:50 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 10 Apr 2003 09:17:50 -0300
Subject: [SECURITY-L] [0_46534_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR@Newsletters.Microsoft.com: Microsoft Security Bulletin MS03-012: Flaw In Winsock Proxy Service And ISA Server Firewall Service Can Cause Denial Of Service (331066)]
Message-ID: <20030410121750.GA4646@ccuec.unicamp.br>

----- Forwarded message from Microsoft <0_46534_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com> -----

From: "Microsoft" <0_46534_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com>
Subject: Microsoft Security Bulletin MS03-012: Flaw In Winsock Proxy Service And ISA Server Firewall Service Can Cause Denial Of Service (331066)
To:
Date: Thu, 10 Apr 2003 02:37:07 -0700
X-Mailer: Microsoft CDO for Windows 2000

-----BEGIN PGP SIGNED MESSAGE-----

- -------------------------------------------------------------------
Title:      Flaw In Winsock Proxy Service And ISA Firewall Service
            Can Cause Denial Of Service (331066)
Date:       09 April 2003
Software:   Microsoft Proxy Server 2.0, Microsoft ISA Server
Impact:     denial of service
Max Risk:   Important
Bulletin:   MS03-012

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-012.asp
http://www.microsoft.com/security/security_bulletins/ms03-012.asp
- -------------------------------------------------------------------

Issue:
======
There is a flaw in the Winsock Proxy service in Microsoft Proxy Server 2.0, and the Microsoft Firewall service in ISA Server 2000, that would allow an attacker on the internal network to send a specially crafted packet that would cause the server to stop responding to internal
and external requests. Receipt of such a packet would cause CPU utilization on the server to reach 100%, and thus make the server unresponsive.

The Winsock Proxy service and Microsoft Firewall service work with FTP, telnet, mail, news, Internet Relay Chat (IRC), or other client applications that are compatible with Windows Sockets (Winsock). These services allow these applications to perform as if they were directly connected to the Internet. These services redirect the necessary communications functions to a Proxy Server 2.0 or ISA Server computer, thus establishing a communication path from the internal application to the Internet through it.

Mitigating Factors:
====================
- - The vulnerability would not enable an attacker to gain any privileges on an affected Proxy Server 2.0 or ISA Server computer or compromise any cached content. It is strictly a denial of service.
- - ISA Server computers running in cache mode are not affected because the Microsoft Firewall service is disabled by default.

Risk Rating:
============
Important

Patch Availability:
===================
A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-012.asp
http://www.microsoft.com/security/security_bulletins/ms03-12.asp
for information on obtaining this patch.

- ----------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPpRVY40ZSRQxA/UrAQG2pQf/Ul+QJaTR+qnbNvyp9Z9ypv2MS1ryDe6J
g+S1HMmVFGgs5T5k7I4xQBc7KjWsr6Hm7wVabItomQVyR7fc7pI9a1fNFkewyVw+
yHFIoOGaee3/vQ3eFRhEN8zPGXswgHB6Th3BWfk1qK51XxDQusywGXjzDRNRJlCb
hJbjs/HXt6Z+WqtbHE1uuoH92/+BgCIBqptIXgHcWRC7jzRGZNNoj8Z2vmw9EcWc
9xjtvlnGVNyy14GYwZvNevD3JoVLZ4AjCDvJj+D6d1nHHW3IXY12Pj3gyjIXWNhu
gvv6U6eTPBKCNO7/XkeAfy8e7tC2lkmVPvCYiIbIQVHxu3/aSYry5A==
=zsNm
-----END PGP SIGNATURE-----

*******************************************************************
You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp

If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below: Reply to this message with the word UNSUBSCRIBE in the Subject line.

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
----- End forwarded message ----- From mieko em ccuec.unicamp.br Thu Apr 10 09:18:23 2003 From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta) Date: Thu, 10 Apr 2003 09:18:23 -0300 Subject: [SECURITY-L] [0_46533_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR@Newsletters.Microsoft.com: Microsoft Security Bulletin MS03-011:Flaw in Microsoft VM Could Enable System Compromise (816093)] Message-ID: <20030410121823.GB4646@ccuec.unicamp.br> ----- Forwarded message from Microsoft <0_46533_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com> ----- From: "Microsoft" <0_46533_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com> Subject: Microsoft Security Bulletin MS03-011:Flaw in Microsoft VM Could Enable System Compromise (816093) To: Date: Thu, 10 Apr 2003 05:00:12 -0700 X-Mailer: Microsoft CDO for Windows 2000 -----BEGIN PGP SIGNED MESSAGE----- - ------------------------------------------------------------------- Title: Flaw in Microsoft VM Could Enable System Compromise (816093) Date: 09 April 2003 Software: Microsoft VM Impact: Allow attacker to execute code of his or her choice Max Risk: Critical Bulletin: MS03-011 Microsoft encourages customers to review the Security Bulletins at: http://www.microsoft.com/technet/security/bulletin/MS03-011.asp http://www.microsoft.com/security/security_bulletins/ms03-011.asp - ------------------------------------------------------------------- Issue: ====== The Microsoft VM is a virtual machine for the Win32(r) operating environment. The Microsoft VM is shipped in most versions of Windows, as well as in most versions of Internet Explorer. The present Microsoft VM, which includes all previously released fixes to the VM, has been updated to include a fix for the newly reported security vulnerability. 
This new security vulnerability affects the ByteCode Verifier component of the Microsoft VM, and results because the ByteCode verifier does not correctly check for the presence of certain malicious code when a Java applet is being loaded. The attack vector for this new security issue would likely involve an attacker creating a malicious Java applet and inserting it into a web page that when opened, would exploit the vulnerability. An attacker could then host this malicious web page on a web site, or could send it to a user in e-mail. Mitigating Factors: ==================== - - In order to exploit this vulnerability via the web-based attack vector, the attacker would need to entice a user into visiting a web site that the attacker controlled. The vulnerability themselves provide no way to force a user to a web site. - - Java applets are disabled within the Restricted Sites Zone. As a result, any mail client that opened HTML mail within the Restricted Sites Zone, such as Outlook 2002, Outlook Express 6, or Outlook 98 or 2000 when used in conjunction with the Outlook Email Security Update, would not be at risk from the mail-based attack vector. - - The vulnerability would gain only the privileges of the user, so customers who operate with less than administrative privileges would be at less risk from the vulnerability. - - Corporate IT administrators could limit the risk posed to their users by using application filters at the firewall to inspect and block mobile code. Risk Rating: ============ Critical Patch Availability: =================== A patch is available to fix this vulnerability. Please read the Security Bulletins at http://www.microsoft.com/technet/security/bulletin/ms03-011.asp http://www.microsoft.com/security/security_bulletins/ms03-11.asp for information on obtaining this patch. - ---------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. 
MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

*******************************************************************
You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp

If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below: Reply to this message with the word UNSUBSCRIBE in the Subject line.
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.

----- End forwarded message -----

From mieko em ccuec.unicamp.br Thu Apr 10 09:55:10 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 10 Apr 2003 09:55:10 -0300
Subject: [SECURITY-L] [0_46535_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR@Newsletters.Microsoft.com: Microsoft Security Bulletin MS00-084: Patch Available for 'Indexing Services Cross Site Scripting' Vulnerability]
Message-ID: <20030410125508.GA4687@ccuec.unicamp.br>

----- Forwarded message from Microsoft <0_46535_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com> -----

From: "Microsoft" <0_46535_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com>
Subject: Microsoft Security Bulletin MS00-084: Patch Available for 'Indexing Services Cross Site Scripting' Vulnerability
To:
Date: Thu, 10 Apr 2003 05:32:43 -0700
X-Mailer: Microsoft CDO for Windows 2000

-----------------------------------------------------------------
Title:      Patch Available for 'Indexing Services Cross Site Scripting' Vulnerability
Released:   02 November 2000
Revised:    09 April 2003 (version 2.0)
Software:   Microsoft Indexing Services for Windows 2000
            Microsoft Indexing Services for Windows NT 4.0
Impact:     Cross Site Scripting
Bulletin:   MS00-084

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS00-084.asp
-----------------------------------------------------------------

Reason for Revision:
====================
Subsequent to the release of this bulletin, it was discovered that an available package for the version of the Indexing Service which shipped with the NT 4.0 Option Pack had never been released. The bulletin is being updated to include the download locations for that version of the fix.
Issue:
======
On February 20, 2000, Microsoft and the CERT Coordination Center published information on a newly-identified security vulnerability affecting all web server products. This vulnerability, known as Cross-Site Scripting (CSS), results when web applications don't properly validate inputs before using them in dynamic web pages. If a malicious web site operator were able to lure a user to his site, and had identified a third-party web site that was vulnerable to CSS, he could potentially use the vulnerability to "inject" script into a web page created by the other web site, which would then be delivered to the user. The net effect would be to cause the malicious user's script to run on the user's machine using the trust afforded the other site.

The vulnerability can affect any software that runs on a web server, accepts user input, and uses it to generate web pages without sufficient validation. Microsoft has identified an Indexing Service component (CiWebHitsFile) that, when called from a specially crafted URL, is vulnerable to this scenario.

Mitigating Factors:
===================
- The Indexing Service ships and installs with Windows 2000, but is not enabled by default.
- The Indexing Service for Windows NT 4.0 ships with the NT Option Pack, and is not installed or enabled by default.

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at http://www.microsoft.com/technet/security/bulletin/ms00-084.asp for information on obtaining this patch.

Acknowledgment:
===============
- Eiji "James" Yoshida

-----------------------------------------------------------------
----- End forwarded message -----

From mieko em ccuec.unicamp.br Thu Apr 10 11:42:59 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 10 Apr 2003 11:42:59 -0300
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030410144259.GA4778@ccuec.unicamp.br>

Dear Users,

We have updated the site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

07/04/2003
----------
OpenPKG Security Advisory (OpenPKG-SA-2003.028)
Subject: remote root exploit in samba
http://www.security.unicamp.br/docs/bugs/2003/04/v47.txt

CONECTIVA LINUX SECURITY ANNOUNCEMENT (CLA-2003:618)
Subject: Local vulnerability, ptrace, in kernel
http://www.security.unicamp.br/docs/bugs/2003/04/v46.txt

Anuncio de Seguranca do Conectiva Linux (CLA-2003:618)
Subject: Local vulnerability, ptrace, in the kernel package
http://www.security.unicamp.br/docs/bugs/2003/04/v45.txt

FreeBSD Security Advisories (FreeBSD-SN-03:01)
Subject: security issue in samba ports
http://www.security.unicamp.br/docs/bugs/2003/04/v44.txt

Debian Security Advisory (DSA 279-1)
Subject: insecure temporary file creation in metrics
http://www.security.unicamp.br/docs/bugs/2003/04/v43.txt

Digital Defense Inc. Security Advisory (DDI-1013)
Subject: Buffer Overflow in Samba allows remote root compromise
http://www.security.unicamp.br/docs/bugs/2003/04/v42.txt

06/04/2003
----------
Red Hat Network Alert (RHSA-2003:060-09)
Subject: Updated NetPBM packages fix multiple vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/04/v41.txt

Red Hat Network Alert (RHSA-2003:108-19)
Subject: Updated Evolution packages fix multiple vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/04/v40.txt

05/04/2003
----------
Red Hat Network Alert (RHSA-2003:109-12)
Subject: Updated balsa and mutt packages fix vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/04/v39.txt

Red Hat Network Alert (RHSA-2003:128-07)
Subject: Updated Eye of GNOME packages fix vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v38.txt

04/04/2003
----------
CONECTIVA LINUX SECURITY ANNOUNCEMENT (CLA-2003:617)
Subject: Buffer overflow vulnerability in file
http://www.security.unicamp.br/docs/bugs/2003/04/v37.txt

Anuncio de Seguranca do Conectiva Linux (CLA-2003:617)
Subject: Buffer overflow vulnerability in the file package
http://www.security.unicamp.br/docs/bugs/2003/04/v36.txt

CONECTIVA LINUX SECURITY ANNOUNCEMENT (CLA-2003:616)
Subject: Denial of service vulnerability in dhcp
http://www.security.unicamp.br/docs/bugs/2003/04/v35.txt

Anuncio de Seguranca do Conectiva Linux (CLA-2003:616)
Subject: Denial of service vulnerability in dhcp
http://www.security.unicamp.br/docs/bugs/2003/04/v34.txt

CONECTIVA LINUX SECURITY ANNOUNCEMENT (CLA-2003:615)
Subject: Remote vulnerability and local race condition in samba
http://www.security.unicamp.br/docs/bugs/2003/04/v33.txt

Anuncio de Seguranca do Conectiva Linux (CLA-2003:615)
Subject: Remote vulnerability in samba
http://www.security.unicamp.br/docs/bugs/2003/04/v32.txt

CONECTIVA LINUX SECURITY ANNOUNCEMENT (CLA-2003:614)
Subject: Buffer overflow vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v31.txt

Anuncio de Seguranca do Conectiva Linux (CLA-2003:614)
Subject: Buffer overflow vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v30.txt

CONECTIVA LINUX SECURITY ANNOUNCEMENT (CLA-2003:613)
Subject: RPC preprocessor vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v29.txt

Anuncio de Seguranca do Conectiva Linux (CLA-2003:613)
Subject: Vulnerability in the RPC preprocessor
http://www.security.unicamp.br/docs/bugs/2003/04/v28.txt

NetBSD Security Advisory (2003-009)
Subject: sendmail buffer overrun in prescan() address parser
http://www.security.unicamp.br/docs/bugs/2003/04/v27.txt

NetBSD Security Advisory (2003-006)
Subject: Cryptographic weaknesses in Kerberos v4 protocol
http://www.security.unicamp.br/docs/bugs/2003/04/v26.txt

--
Equipe de Seguranca em Sistemas e Redes (Systems and Network Security Team)
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Fri Apr 11 09:37:48 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 11 Apr 2003 09:37:48 -0300
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030411123748.GA6087@ccuec.unicamp.br>

Dear Users,

We have updated the site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

08/04/2003
----------
SGI Security Advisory (20030402-01-P)
Subject: Multiple Vulnerabilities in libc RPC functions
http://www.security.unicamp.br/docs/bugs/2003/04/v68.txt

Red Hat Network Alert (RHSA-2003:137-09)
Subject: RHN Errata Alert: New samba packages fix security vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v67.txt

Anuncio de Atualizacao do Conectiva Linux (CLA-2003:623)
Subject: Fixes for the Galeon browser
http://www.security.unicamp.br/docs/bugs/2003/04/v66.txt

iDEFENSE Security Advisory (04.08.03)
Subject: Denial of Service in Apache HTTP Server 2.x
http://www.security.unicamp.br/docs/bugs/2003/04/v65.txt

Debian Security Advisory (DSA 281-1)
Subject: buffer overflow in moxftp
http://www.security.unicamp.br/docs/bugs/2003/04/v64.txt

Red Hat Security Advisory (RHSA-2003:036-01)
Subject: Updated mgetty packages available
http://www.security.unicamp.br/docs/bugs/2003/04/v63.txt

FreeBSD Security Advisories (FreeBSD-SN-03:02)
Subject: security issue in SETI@home client
http://www.security.unicamp.br/docs/bugs/2003/04/v62.txt

Red Hat Security Advisory (RHSA-2003:137-01)
Subject: New samba packages fix security vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v60.txt

07/04/2003
----------
Trustix Secure Linux Security Advisory (#2003-0019)
Subject: Remote root exploit in samba
http://www.security.unicamp.br/docs/bugs/2003/04/v61.txt

Immunix Secured OS Security Advisory (IMNX-2003-7+-007-01)
Subject: Multiple vulnerabilities have been found in the MIT Kerberos suite.
http://www.security.unicamp.br/docs/bugs/2003/04/v59.txt

Red Hat Network Alert (RHSA-2003:098-11)
Subject: RHN Errata Alert: Updated 2.4 kernel fixes vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v58.txt

CONECTIVA LINUX SECURITY ANNOUNCEMENT (CLA-2003:619)
Subject: Local vulnerability in man
http://www.security.unicamp.br/docs/bugs/2003/04/v57.txt

Anuncio de Seguranca do Conectiva Linux (CLA-2003:620)
Subject: Local vulnerability in the man package
http://www.security.unicamp.br/docs/bugs/2003/04/v56.txt

SuSE Security Announcement (SuSE-SA:2003:025)
Subject: Security vulnerability in the samba package
http://www.security.unicamp.br/docs/bugs/2003/04/v55.txt

CONECTIVA LINUX SECURITY ANNOUNCEMENT (CLA-2003:619)
Subject: gzprintf() buffer overflow
http://www.security.unicamp.br/docs/bugs/2003/04/v54.txt

Anuncio de Seguranca do Conectiva Linux (CLA-2003:619)
Subject: Buffer overflow in the gzprintf() function
http://www.security.unicamp.br/docs/bugs/2003/04/v53.txt

Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS Alert: Vulnerability in the SETI@home application
http://www.security.unicamp.br/docs/bugs/2003/04/v52.txt

Immunix Secured OS Security Advisory (IMNX-2003-7+-004-01)
Subject: Security vulnerability in the cvs package
http://www.security.unicamp.br/docs/bugs/2003/04/v51.txt

Debian Security Advisory (DSA 280-1)
Subject: buffer overflow in samba
http://www.security.unicamp.br/docs/bugs/2003/04/v50.txt

Immunix Secured OS Security Advisory (IMNX-2003-7+-006-01)
Subject: Security vulnerability in the samba package
http://www.security.unicamp.br/docs/bugs/2003/04/v49.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:044)
Subject: Security vulnerability in the samba package
http://www.security.unicamp.br/docs/bugs/2003/04/v48.txt

From mieko em ccuec.unicamp.br Fri Apr 11 09:56:43 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 11 Apr 2003 09:56:43 -0300
Subject: [SECURITY-L] [pserrano@ccuec.unicamp.br: Microsoft warns of flaw in virtual machine]
Message-ID: <20030411125643.GA6109@ccuec.unicamp.br>

----- Forwarded message from Paulo Serrano -----

From: "Paulo Serrano"
Subject: Microsoft warns of flaw in virtual machine
To:
Date: Fri, 11 Apr 2003 09:44:43 -0300
X-Mailer: Microsoft Outlook CWS, Build 9.0.6604 (9.0.2911.0)

Thursday, April 10, 2003 - 5:25 pm

Microsoft warns that there are two new security vulnerabilities affecting the Microsoft Virtual Machine, Microsoft Proxy Server 2.0 and Microsoft ISA Server 2000 products.

The virtual machine (VM) contains a critical vulnerability that allows a remote attacker to take control of affected computers, according to security bulletin MS03-011. The flaw lies in a piece of VM code called the ByteCode Verifier and may let an intruder use illegal bytecode sequences to bypass the software's security checks. The ByteCode Verifier is the process responsible for checking the code being loaded into the virtual machine, according to Microsoft.

Attackers could launch an attack using a Java applet embedded in a web page or in an HTML-formatted e-mail. Once inside the PC, the vulnerable virtual machine can be used to run the malicious code, although this happens only with the permissions of the user active on that account.

The Microsoft Virtual Machine is a core component of all versions of Windows, including 2000 and XP. It is also part of Internet Explorer and of other company products, according to Microsoft.

The company has released a fix for the VM and recommends that users running versions earlier than 3810 update their systems.

To find out whether you have the VM installed on Windows, go to the Start menu, Run. Type command and, at the prompt, enter jview. If information about Java appears on the screen, the program is installed. If an error message appears, the program was not previously installed.

The flaws in Proxy Server 2.0 and ISA Server 2000, in turn, may allow attacks on internal networks or launch a denial of service (DNS) attack, according to bulletin MS03-12. Microsoft rates the vulnerability as important and says the fix for the problem is already available.

Paulo Serrano
GTTEC/CCUEC-Unicamp

----- End forwarded message -----

From mieko em ccuec.unicamp.br Fri Apr 11 09:10:27 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 11 Apr 2003 09:10:27 -0300
Subject: [SECURITY-L] [cais@cais.rnp.br: CAIS Alert: New vulnerability in SAMBA]
Message-ID: <20030411121027.GA6056@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS Alert: New vulnerability in SAMBA
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Thu, 10 Apr 2003 17:30:09 -0300 (BRT)

Dear all,

CAIS is forwarding the alert published by Digital Defense, reporting a "buffer overflow" vulnerability in the Samba server. This vulnerability could be exploited remotely by an attacker, allowing privileged access to the system. CAIS has information about the existence of malicious code that exploits this vulnerability, including through the action of a possible "worm".

Note that this vulnerability is different from the one reported by CAIS on 16/03/2003, accessible at the following URL:
. http://www.rnp.br/cais/alertas/2003/cais-alr-16032003.html

Samba is an open source server for several flavours of Unix that provides file and printer access services compatible with "Microsoft File and Printing Services".

Affected systems:

The following versions of the software have been confirmed as vulnerable:
. Versions prior to Samba 2.2.8a,
. Versions up to and including Samba 2.0.10,
. Versions prior to Samba-TNG 0.3.2

Note that the Samba 3.0 Alpha versions and the CVS versions of Samba-TNG *are not vulnerable*.

Available fixes:

Upgrading to version 2.2.8a is strongly recommended; it can be obtained from the following URL:
. http://www.samba.org/samba/download.html

Or from any of the download sites listed at:
. http://www.samba.org/samba

Note that this update fixes only the vulnerability described in this alert. A patch for versions 2.2.7a, 2.0.10 and earlier that fixes the most recent vulnerabilities can be found in the following directory:
. http://us2.samba.org/samba/ftp/patches/security/

Updates for Samba-TNG can be found at the following URL:
. http://www.samba-tng.org/

More information:
. http://www.digitaldefense.net/labs/advisories.html
. http://us2.samba.org/samba/samba.html
. http://www.ciac.org/ciac/bulletins/n-073.shtml

Snort rule

The following rule can be used to identify attempts to attack this vulnerability:

alert tcp $ANY any -> $ANY 139 ( sid: 1000009; rev: 1; msg: "netric/eSDee samba Exploit"; flow: to_server,established; content: "|00 D0 07 0C 00 D0 07 0C 00|"; content: "|90 90 90|"; content: "|D0 07 43 00 0C 00 14 08 01|"; depth: 120; classtype: attempted-admin;)

CVE identifier: CAN-2003-0201 (http://cve.mitre.org)

CAIS recommends that administrators update their systems urgently.
Regards,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
#   cais em cais.rnp.br          http://www.cais.rnp.br        #
#   Tel. 019-37873300            Fax. 019-37873301             #
#   PGP key available at: http://www.cais.rnp.br/cais-pgp.key  #
################################################################

|------------------------------------------------------------------------------|
 Digital Defense Inc. Security Advisory DDI-1013
 labs em digitaldefense.net
 http://www.digitaldefense.net/
|------------------------------------------------------------------------------|
Synopsis          : Buffer Overflow in Samba allows remote root compromise
Package           : Samba, Samba-TNG
Type              : Remote Root Compromise
Issue date        : 04-07-2003
Versions Affected : < Samba 2.2.8a, <= Samba 2.0.10, < Samba-TNG 0.3.2
Not Affected      : Samba 3.0 Alpha Versions, CVS Versions of Samba-TNG
CVE Id            : CAN-2003-0201
|------------------------------------------------------------------------------|

o Product description:

Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients. Samba-TNG was originally a fork off of the Samba source tree, and aims at being a substitute for a Windows NT domain controller.

o Problem description:

An anonymous user can gain remote root access due to a buffer overflow caused by a StrnCpy() into a char array (fname) using a non-constant length (namelen).

    StrnCpy(fname,pname,namelen); /* Line 252 of smbd/trans2.c */

In the call_trans2open function in trans2.c, the Samba StrnCpy function copies pname into fname using namelen. The variable namelen is assigned the value of strlen(pname)+1, which causes the overflow. The variable 'fname' is a _typedef_ pstring, which is a char with a size of 1024. If pname is greater than 1024, you can overwrite almost anything you want past the 1024th byte that fits inside of sizeof(pname), or the value returned by SVAL(inbuf,smbd_tpscnt) in function reply_trans2(), which should be around 2000 bytes.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2003-0201 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

o Testing Environment:

Tested against source compiles and binary packages of Samba from version 2.2.5 to 2.2.8 on the following x86 platforms:

    Redhat Linux 7.1, 7.3, 8.0
    Gentoo Linux 1.4-rc3
    SuSe Linux 7.3
    FreeBSD 4.6, 4.8, 5.0
    Solaris 9

o Solutions and Workarounds:

Upgrading to the latest version of Samba or Samba-TNG is the recommended solution to this vulnerability. Samba version 2.2.8a, and Samba-TNG version 0.3.2 are not vulnerable. There will be no new releases for the 2.0 line of Samba code. The only fix for Samba 2.0 is to apply the patches that Samba is providing.

A workaround in the current source code for this specific vulnerability would be to modify the StrnCpy line found at line 250 in smbd/trans2.c in the Samba 2.2.8 source code:

-StrnCpy(fname,pname,namelen);
+StrnCpy(fname,pname,MIN(namelen, sizeof(fname)-1));

As a result of this vulnerability being identified at least three others have also been found by the Samba team after reviewing similar usages in the source tree. One is a static overflow and the other two are heap overflows. Applying the fix above will only protect against the specific problem identified in this advisory. To fully protect yourself, you must apply the patches from Samba, or upgrade to 2.2.8a.

Samba is available for download from:
http://www.samba.org/

Samba-TNG is available for download from:
http://www.samba-tng.org/

o Exploit:

An exploit named trans2root.pl has been posted on the Digital Defense, Inc. website. A quick udp based scanner named nmbping.pl has also been posted to assist you in identifying Samba servers on your network. Both are available for download from the following URL:

http://www.digitaldefense.net/labs/securitytools.html

This exploit works against all distributions listed in the testing environment section. Usage is as follows:

    trans2root.pl -t -H -h

This exploit should work against all x86 Linux, Solaris, and FreeBSD hosts running the 2.2.x branch of Samba. Hosts with a non-executable stack are not vulnerable to this particular exploit. The exploit will cause the target host to connect back to the host running the exploit and spawn a root shell on the defined port (default is 1981).

The scanner is very easy to use, and should detect and identify Samba and Windows SMB services. Usage is as follows:

    nmbping.pl

o Forced Release:

This vulnerability is being actively exploited in the wild. Digital Defense, Inc. discovered this bug by analyzing a packet capture of an attack against a host running Samba 2.2.8. The attack captured was performed on April 1st, 2003. Samba users are urged to check their Samba servers for signs of compromise. Samba and Digital Defense, Inc. decided to release their advisories before all vendors had a chance to update their packages due to this vulnerability being actively exploited.

o Revision History:

04-07-2003 Initial public release

Latest revision available at:
http://www.digitaldefense.net/labs/advisories.html

o Vendor Contact Information:

04-03-2003 security em samba.org notified
04-03-2003 elrond em samba-tng.org notified.
04-03-2003 Samba Team responds via telephone, acknowledges vulnerability
04-03-2003 Elrond of Samba-TNG responds and acknowledges vulnerability
04-04-2003 Samba Team notifies vendorsec mailing list
04-07-2003 Initial public release

o Thanks to:

Elrond of Samba-TNG, The Samba Security Team, and everyone on the Digital Defense Inc., SECOPS team.
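The length arithmetic at the heart of the DDI advisory above, as an added C example that is not from the advisory or from Samba's source: it puts the unpatched bound (namelen = strlen(pname)+1) beside the advisory's clamp (MIN(namelen, sizeof(fname)-1)) and shows, on a constructed 2000-byte filename, which of the two would write past the 1024-byte pstring. StrnCpy here is a stand-in that assumes the copy-then-terminate shape of Samba's helper; the overflowing copy itself is never executed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Samba's pstring, as the advisory describes it: a 1024-byte char array. */
#define PSTRING_LEN 1024
typedef char pstring[PSTRING_LEN];

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/*
 * Stand-in for Samba's StrnCpy() (assumption: same copy-then-terminate shape
 * as the real helper). It copies at most n characters and then writes a NUL
 * at dest[copied], so it can touch n+1 bytes of dest. A caller therefore has
 * to bound n by sizeof(dest)-1, which is exactly what the advisory's fix does.
 */
static char *StrnCpy(char *dest, const char *src, size_t n)
{
    char *d = dest;
    if (!dest) return NULL;
    if (!src) { *dest = '\0'; return dest; }
    while (n-- && (*d++ = *src++))
        ;
    *d = '\0';
    return dest;
}

/* Unpatched call_trans2open(): namelen = strlen(pname)+1, derived from the
   request and never compared with the size of the destination. */
size_t vulnerable_namelen(const char *pname)
{
    return strlen(pname) + 1;
}

/* The advisory's fix: MIN(namelen, sizeof(fname)-1), where fname is a pstring. */
size_t patched_namelen(const char *pname)
{
    return MIN(vulnerable_namelen(pname), sizeof(pstring) - 1);
}

/* True when a name of this length makes the unpatched StrnCpy write past the
   pstring: the copied characters plus the terminator must fit in 1024 bytes. */
bool would_overflow_at(size_t name_len)
{
    return name_len + 1 > PSTRING_LEN - 1;
}

bool would_overflow(const char *pname)
{
    return would_overflow_at(strlen(pname));
}

/* Patched copy into a real pstring; returns the length that ended up in it.
   Safe for any input length, which is the whole point of the clamp. */
size_t patched_copy_len(const char *pname)
{
    pstring fname;
    StrnCpy(fname, pname, patched_namelen(pname));
    return strlen(fname);
}

/* Constructed input: a 2000-byte filename, the size the advisory says a
   trans2open request can carry, far beyond the 1024-byte pstring. */
const char *constructed_long_name(void)
{
    static char name[2001];
    if (name[0] == '\0') {
        memset(name, 'A', 2000);
        name[2000] = '\0';
    }
    return name;
}

int main(void)
{
    const char *names[] = { "foo.txt", constructed_long_name() };
    for (size_t i = 0; i < 2; i++) {
        const char *p = names[i];
        printf("name length %4zu: unpatched namelen=%4zu overflow=%-3s "
               "patched namelen=%4zu copied=%4zu\n",
               strlen(p), vulnerable_namelen(p),
               would_overflow(p) ? "yes" : "no",
               patched_namelen(p), patched_copy_len(p));
    }
    return 0;
}
```

The boundary is exact for this StrnCpy shape: a 1022-character name still fits (1023 bytes plus the terminator), while a 1023-character name is the first one the unpatched bound pushes one byte past the array.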
----- End forwarded message -----

From mieko em ccuec.unicamp.br Fri Apr 11 14:04:32 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 11 Apr 2003 14:04:32 -0300
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030411170432.GA6308@ccuec.unicamp.br>

Dear Users,

We have updated the site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

11/04/2003
----------
Red Hat Network Alert (RHSA-2003:089-11)
Subject: RHN Errata Alert: Updated glibc packages fix vulnerabilities in RPC XDR decoder
http://www.security.unicamp.br/docs/bugs/2003/04/v95.txt

10/04/2003
----------
Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS Alert: New vulnerability in SAMBA
http://www.security.unicamp.br/docs/bugs/2003/04/v94.txt

SGI Security Advisory (20030404-01-P)
Subject: xfsdump creates files insecurely
http://www.security.unicamp.br/docs/bugs/2003/04/v93.txt

Gentoo Linux Security Announcement (200304-04)
Subject: arbitrary code execution in kde-3.x
http://www.security.unicamp.br/docs/bugs/2003/04/v92.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:038-1)
Subject: Security vulnerability in the kernel
http://www.security.unicamp.br/docs/bugs/2003/04/v91.txt

KDE Security Advisory (2003-04-09)
Subject: PS/PDF file handling vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v90.txt

Anuncio de Seguranca do Conectiva Linux (CLA-2003:625)
Subject: Vulnerabilities in the OpenSSL library
http://www.security.unicamp.br/docs/bugs/2003/04/v89.txt

Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS Alert: Vulnerability in Microsoft Winsock Proxy and ISA Firewall (331066)
http://www.security.unicamp.br/docs/bugs/2003/04/v88.txt

Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Vulnerability in the Microsoft virtual machine (816093)
http://www.security.unicamp.br/docs/bugs/2003/04/v87.txt

Red Hat Network Alert (RHSA-2003:139-07)
Subject: Updated httpd packages fix security vulnerabilities.
http://www.security.unicamp.br/docs/bugs/2003/04/v86.txt

Red Hat Network Alert (RHBA-2003:080-10)
Subject: Updated RHN Notification Tool available
http://www.security.unicamp.br/docs/bugs/2003/04/v85.txt

09/04/2003
----------

Microsoft Security Bulletin (MS00-084)
Subject: Patch Available for 'Indexing Services Cross Site Scripting' Vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v84.txt

Microsoft Security Bulletin (MS03-011)
Subject: Flaw in Microsoft VM Could Enable System Compromise (816093)
http://www.security.unicamp.br/docs/bugs/2003/04/v83.txt

Microsoft Security Bulletin (MS03-012)
Subject: Flaw In Winsock Proxy Service And ISA Server Firewall Service Can Cause Denial Of Service (331066)
http://www.security.unicamp.br/docs/bugs/2003/04/v82.txt

Red Hat Network Alert (RHSA-2003:036-10)
Subject: RHN Errata Alert: Updated mgetty packages available
http://www.security.unicamp.br/docs/bugs/2003/04/v81.txt

Red Hat Network Alert (RHSA-2003:137-09)
Subject: RHN Errata Alert: New samba packages fix security vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v80.txt

SGI Security Advisory (20030403-01-P)
Subject: Samba Security Vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v79.txt

Red Hat Security Advisory (RHSA-2003:137-02)
Subject: New samba packages fix security vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v78.txt

iDEFENSE Security Advisory (04.09.03)
Subject: Denial of Service in Microsoft Proxy Server 2.0 and Internet Security and Acceleration Server 2000
http://www.security.unicamp.br/docs/bugs/2003/04/v77.txt

Gentoo Linux Security Announcement (200304-02)
Subject: Buffer overflow in samba
http://www.security.unicamp.br/docs/bugs/2003/04/v76.txt

Debian Security Advisory (DSA 269-2)
Subject: Cryptographic weakness in heimdal
http://www.security.unicamp.br/docs/bugs/2003/04/v75.txt

Gentoo Linux Security Announcement (200304-01)
Subject: Denial of service in Apache 2.x
http://www.security.unicamp.br/docs/bugs/2003/04/v73.txt

Immunix Secured OS Security Advisory (IMNX-2003-7+-008-01)
Subject: There have been a number of vulnerabilities found in MySQL and the MySQL Client package.
http://www.security.unicamp.br/docs/bugs/2003/04/v72.txt

Immunix Secured OS Security Advisory (IMNX-2003-7+-005-01)
Subject: Multiple vulnerabilities have been discovered in PostgreSQL.
http://www.security.unicamp.br/docs/bugs/2003/04/v71.txt

Gentoo Linux Security Announcement (200304-03)
Subject: buffer overflow in setiathome
http://www.security.unicamp.br/docs/bugs/2003/04/v70.txt

08/04/2003
----------

CONECTIVA LINUX SECURITY ANNOUNCEMENT (CLA-2003:624)
Subject: Remote vulnerability in samba
http://www.security.unicamp.br/docs/bugs/2003/04/v74.txt

Conectiva Linux Security Announcement (CLA-2003:624)
Subject: Remote vulnerability in samba
http://www.security.unicamp.br/docs/bugs/2003/04/v69.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Thu Apr 10 14:46:19 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 10 Apr 2003 14:46:19 -0300
Subject: [SECURITY-L] [cais@cais.rnp.br: CAIS-Alerta: Vulnerability in the Microsoft virtual machine (816093)]
Message-ID: <20030410174619.GA4919@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Vulnerability in the Microsoft virtual machine (816093)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Thu, 10 Apr 2003 14:24:26 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the alert published by Microsoft, Microsoft Security Bulletin MS03-011: Flaw in Microsoft VM Could Enable System Compromise (816093), which addresses a vulnerability in the Microsoft virtual machine (Microsoft VM) that may allow an attacker to execute arbitrary code.

Affected systems:

. Microsoft virtual machine (Microsoft VM) versions up to and including version 5.0.3809

The following Microsoft products include the Microsoft virtual machine (Microsoft VM):

. Microsoft Windows 95
. Microsoft Windows 98 and 98SE
. Microsoft Windows Millennium
. Microsoft Windows NT 4.0, with Service Pack 1
. Microsoft Windows 2000
. Microsoft Windows XP

Other Microsoft software may contain the Microsoft virtual machine. Its presence must be checked with the following sequence of commands:

. Open a Command Prompt and run the Jview command. If this command runs successfully, you have the Microsoft virtual machine installed.

Example of running the Jview command:

C:\>jview
Microsoft (R) Command-line Loader for Java Version 5.00.3805
Copyright (C) Microsoft Corp 1996-2000. All rights reserved.

Usage: JView [options] [arguments]

Available fixes:

The fix consists of applying the patch recommended by Microsoft, available at the URLs listed below.

. Windows update web site:
  http://windowsupdate.microsoft.com

. Windows 2000 Service Packs 2 & 3
  . All except Japanese NEC
    http://microsoft.com/downloads/details.aspx?FamilyId=DD870EAC-69EF-4287-9A07-6C740F162644&displaylang=en
  . NEC Japanese
    http://microsoft.com/downloads/details.aspx?FamilyId=65CC342B-5139-4F81-B3A0-F3F1184CF2F6&displaylang=ja

More information:

http://www.microsoft.com/technet/security/bulletin/ms03-011.asp

CVE identifier: CAN-2003-0111 (http://cve.mitre.org)

CAIS recommends that administrators of Microsoft platforms always keep their systems and applications up to date.
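The jview check above tells an administrator whether the Microsoft VM is present at all; the alert also gives the ceiling of affected builds (5.0.3809). The following is an added Python example, not code from CAIS or Microsoft, that turns both facts into a repeatable inventory check: it parses the version out of the jview banner (the sample banner is constructed from the output quoted above), compares it against that ceiling, and optionally probes the local host. The `jview` command name and the subprocess-based probe are assumptions made here; the banner wording is the one the alert shows.

```python
import re
import subprocess

# Highest affected build per the CAIS alert: Microsoft VM versions up to and
# including 5.0.3809 are vulnerable to MS03-011.
LAST_AFFECTED_VERSION = (5, 0, 3809)

# jview prints a banner such as
#   Microsoft (R) Command-line Loader for Java Version 5.00.3805
# The minor field is zero-padded ("00"), so each field is parsed as an int
# instead of being compared as a string.
_BANNER_VERSION = re.compile(
    r"Command-line Loader for Java Version (\d+)\.(\d+)\.(\d+)"
)

# Constructed sample banner, modelled on the jview output quoted in the alert.
SAMPLE_JVIEW_OUTPUT = """\
Microsoft (R) Command-line Loader for Java Version 5.00.3805
Copyright (C) Microsoft Corp 1996-2000. All rights reserved.

Usage: JView [options] [arguments]
"""


def parse_jview_version(output):
    """Return (major, minor, build) from a jview banner, or None when the
    text carries no recognizable version line."""
    m = _BANNER_VERSION.search(output)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when the installed build falls inside the affected range; tuple
    comparison orders major, then minor, then build."""
    return version <= LAST_AFFECTED_VERSION


def classify(output):
    """Summarize a jview banner as 'not-installed' (jview did not run),
    'unknown-version' (ran, but no version line), 'affected' or 'patched'."""
    if not output.strip():
        return "not-installed"
    version = parse_jview_version(output)
    if version is None:
        return "unknown-version"
    return "affected" if is_affected(version) else "patched"


def probe_local_jview(command="jview"):
    """Run jview on this host and return its banner text, or an empty string
    when the command is absent. Called without arguments jview prints usage
    and exits non-zero, so the exit code is deliberately ignored and both
    output streams are collected (assumption: the banner may land on either)."""
    try:
        proc = subprocess.run([command], capture_output=True, text=True, timeout=30)
    except FileNotFoundError:
        return ""
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    print("sample banner:", classify(SAMPLE_JVIEW_OUTPUT))
    print("this host:", classify(probe_local_jview()))
```

Because the Microsoft VM also ships with Internet Explorer and other products, an "affected" result on a host that is not listed under Affected systems is still a real finding; the version, not the product list, is what decides.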
Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br                   http://www.cais.rnp.br #
# Tel. 019-37873300                          Fax. 019-37873301 #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

- -------------------------------------------------------------------
Title:      Flaw in Microsoft VM Could Enable System Compromise (816093)
Date:       09 April 2003
Software:   Microsoft VM
Impact:     Allow attacker to execute code of his or her choice
Max Risk:   Critical
Bulletin:   MS03-011

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-011.asp
http://www.microsoft.com/security/security_bulletins/ms03-011.asp
- -------------------------------------------------------------------

Issue:
======
The Microsoft VM is a virtual machine for the Win32(r) operating environment. The Microsoft VM is shipped in most versions of Windows, as well as in most versions of Internet Explorer.

The present Microsoft VM, which includes all previously released fixes to the VM, has been updated to include a fix for the newly reported security vulnerability. This new security vulnerability affects the ByteCode Verifier component of the Microsoft VM, and results because the ByteCode verifier does not correctly check for the presence of certain malicious code when a Java applet is being loaded.

The attack vector for this new security issue would likely involve an attacker creating a malicious Java applet and inserting it into a web page that when opened, would exploit the vulnerability. An attacker could then host this malicious web page on a web site, or could send it to a user in e-mail.

Mitigating Factors:
====================
- - In order to exploit this vulnerability via the web-based attack vector, the attacker would need to entice a user into visiting a web site that the attacker controlled. The vulnerability itself provides no way to force a user to a web site.

- - Java applets are disabled within the Restricted Sites Zone. As a result, any mail client that opened HTML mail within the Restricted Sites Zone, such as Outlook 2002, Outlook Express 6, or Outlook 98 or 2000 when used in conjunction with the Outlook Email Security Update, would not be at risk from the mail-based attack vector.

- - The vulnerability would gain only the privileges of the user, so customers who operate with less than administrative privileges would be at less risk from the vulnerability.

- - Corporate IT administrators could limit the risk posed to their users by using application filters at the firewall to inspect and block mobile code.

Risk Rating:
============
Critical

Patch Availability:
===================
A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-011.asp
http://www.microsoft.com/security/security_bulletins/ms03-11.asp
for information on obtaining this patch.

- ----------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
*******************************************************************

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPpWo0ukli63F4U8VAQH/RgQAnOLVFK5tYsYI8uh1UZ9hu+8piBdALPFi
YC3Hv7sf05iVWYtH+OPzCx6jbX7AkqShi2mNAE6Tlg67RDud/wPCBmx/3p+kHUvH
jG75QAMO7V4CA0eXsUkpMowhIdUQrKOsGtjzieGtlaPnD4ghLG9mJxwokifmc1wi
7dfK0nzyt5c=
=ZDdF
-----END PGP SIGNATURE-----

----- End forwarded message -----

From mieko em ccuec.unicamp.br Thu Apr 10 17:05:02 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 10 Apr 2003 17:05:02 -0300
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030410200456.GA5057@ccuec.unicamp.br>

Dear users,

We have updated the Equipe de Seguranca em Sistemas e Redes (Unicamp Systems and Network Security Team) site with the following vulnerability bulletins:

08/04/2003
----------

SGI Security Advisory (20030402-01-P)
Subject: Multiple Vulnerabilities in libc RPC functions
http://www.security.unicamp.br/docs/bugs/2003/04/v68.txt

Red Hat Network Alert (RHSA-2003:137-09)
Subject: RHN Errata Alert: New samba packages fix security vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v67.txt

Conectiva Linux Update Announcement (CLA-2003:623)
Subject: Fixes for the Galeon browser
http://www.security.unicamp.br/docs/bugs/2003/04/v66.txt

iDEFENSE Security Advisory (04.08.03)
Subject: Denial of Service in Apache HTTP Server 2.x
http://www.security.unicamp.br/docs/bugs/2003/04/v65.txt

Debian Security Advisory (DSA 281-1)
Subject: buffer overflow in moxftp
http://www.security.unicamp.br/docs/bugs/2003/04/v64.txt

Red Hat Security Advisory (RHSA-2003:036-01)
Subject: Updated mgetty packages available
http://www.security.unicamp.br/docs/bugs/2003/04/v63.txt

FreeBSD Security Advisories (FreeBSD-SN-03:02)
Subject: security issue in SETI@home client
http://www.security.unicamp.br/docs/bugs/2003/04/v62.txt

Red Hat Security Advisory (RHSA-2003:137-01)
Subject: New samba packages fix security vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v60.txt

07/04/2003
----------

Trustix Secure Linux Security Advisory (#2003-0019)
Subject: Remote root exploit in samba
http://www.security.unicamp.br/docs/bugs/2003/04/v61.txt

Immunix Secured OS Security Advisory (IMNX-2003-7+-007-01)
Subject: Multiple vulnerabilities have been found in the MIT Kerberos suite.
http://www.security.unicamp.br/docs/bugs/2003/04/v59.txt

Red Hat Network Alert (RHSA-2003:098-11)
Subject: RHN Errata Alert: Updated 2.4 kernel fixes vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v58.txt

CONECTIVA LINUX SECURITY ANNOUNCEMENT (CLA-2003:619)
Subject: Local vulnerability in man
http://www.security.unicamp.br/docs/bugs/2003/04/v57.txt

Conectiva Linux Security Announcement (CLA-2003:620)
Subject: Local vulnerability in the man package
http://www.security.unicamp.br/docs/bugs/2003/04/v56.txt

SuSE Security Announcement (SuSE-SA:2003:025)
Subject: Security vulnerability in the samba package
http://www.security.unicamp.br/docs/bugs/2003/04/v55.txt

CONECTIVA LINUX SECURITY ANNOUNCEMENT (CLA-2003:619)
Subject: gzprintf() buffer overflow
http://www.security.unicamp.br/docs/bugs/2003/04/v54.txt

Conectiva Linux Security Announcement (CLA-2003:619)
Subject: Buffer overflow in the gzprintf() function
http://www.security.unicamp.br/docs/bugs/2003/04/v53.txt

Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Vulnerability in the SETI@home application
http://www.security.unicamp.br/docs/bugs/2003/04/v52.txt

Immunix Secured OS Security Advisory (IMNX-2003-7+-004-01)
Subject: Security vulnerability in the cvs package
http://www.security.unicamp.br/docs/bugs/2003/04/v51.txt

Debian Security Advisory (DSA 280-1)
Subject: buffer overflow in samba
http://www.security.unicamp.br/docs/bugs/2003/04/v50.txt

Immunix Secured OS Security Advisory (IMNX-2003-7+-006-01)
Subject: Security vulnerability in the samba package
http://www.security.unicamp.br/docs/bugs/2003/04/v49.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:044)
Subject: Security vulnerability in the samba package
http://www.security.unicamp.br/docs/bugs/2003/04/v48.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Thu Apr 10 14:46:52 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 10 Apr 2003 14:46:52 -0300
Subject: [SECURITY-L] [cais@cais.rnp.br: CAIS-Alerta: Vulnerability in Microsoft Winsock Proxy and ISA Firewall (331066)]
Message-ID: <20030410174652.GB4919@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Vulnerability in Microsoft Winsock Proxy and ISA Firewall (331066)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Thu, 10 Apr 2003 14:27:01 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the alert published by Microsoft, Microsoft Security Bulletin MS03-012: Flaw In Winsock Proxy Service And ISA Firewall Service Can Cause Denial Of Service (331066), which addresses a vulnerability identified in the Winsock Proxy Service and ISA Firewall Service that may allow an attacker to carry out a denial of service (DoS) attack.

Affected systems:

. Microsoft Proxy Server 2.0
. Microsoft ISA Server

Available fixes:

The fix consists of applying the patch recommended by Microsoft, available at the URLs listed below.

. Proxy Server 2.0:
  http://microsoft.com/downloads/details.aspx?FamilyId=C81688B7-20FB-45EB-BAFD-031A0D2923E6&displaylang=en

. ISA Server:
  English:  http://microsoft.com/downloads/details.aspx?FamilyId=3C43FAD2-A888-4603-84B7-1053C8663436&displaylang=en
  French:   http://microsoft.com/downloads/details.aspx?FamilyId=3C43FAD2-A888-4603-84B7-1053C8663436&displaylang=fr
  German:   http://microsoft.com/downloads/details.aspx?FamilyId=3C43FAD2-A888-4603-84B7-1053C8663436&displaylang=de
  Spanish:  http://microsoft.com/downloads/details.aspx?FamilyId=3C43FAD2-A888-4603-84B7-1053C8663436&displaylang=es
  Japanese: http://microsoft.com/downloads/details.aspx?FamilyId=3C43FAD2-A888-4603-84B7-1053C8663436&displaylang=ja

More information:

http://www.microsoft.com/technet/security/bulletin/ms03-012.asp

CVE identifier: CAN-2003-0110 (http://cve.mitre.org)

CAIS recommends that administrators of Microsoft platforms always keep their systems and applications up to date.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br                   http://www.cais.rnp.br #
# Tel. 019-37873300                          Fax. 019-37873301 #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

- -------------------------------------------------------------------
Title:      Flaw In Winsock Proxy Service And ISA Firewall Service Can Cause Denial Of Service (331066)
Date:       09 April 2003
Software:   Microsoft Proxy Server 2.0, Microsoft ISA Server
Impact:     denial of service
Max Risk:   Important
Bulletin:   MS03-012

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-012.asp
http://www.microsoft.com/security/security_bulletins/ms03-012.asp
- -------------------------------------------------------------------

Issue:
======
There is a flaw in the Winsock Proxy service in Microsoft Proxy Server 2.0, and the Microsoft Firewall service in ISA Server 2000, that would allow an attacker on the internal network to send a specially crafted packet that would cause the server to stop responding to internal and external requests. Receipt of such a packet would cause CPU utilization on the server to reach 100%, and thus make the server unresponsive.

The Winsock Proxy service and Microsoft Firewall service work with FTP, telnet, mail, news, Internet Relay Chat (IRC), or other client applications that are compatible with Windows Sockets (Winsock). These services allow these applications to perform as if they were directly connected to the Internet. These services redirect the necessary communications functions to a Proxy Server 2.0 or ISA Server computer, thus establishing a communication path from the internal application to the Internet through it.

Mitigating Factors:
====================
- - The vulnerability would not enable an attacker to gain any privileges on an affected Proxy Server 2.0 or ISA Server computer or compromise any cached content. It is strictly a denial of service.

- - ISA Server computers running in cache mode are not affected because the Microsoft Firewall service is disabled by default.

Risk Rating:
============
Important

Patch Availability:
===================
A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-012.asp
http://www.microsoft.com/security/security_bulletins/ms03-12.asp
for information on obtaining this patch.

- ----------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
*******************************************************************

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPpWpbOkli63F4U8VAQFh9gP/QDmf3GWyzrpk5CantJzfG2+1GTik9o/n
LQzmgnEcTyKIMDLivSpZlBO4+V5PFN8TFJ6GspwyeShlszuYLxHdIZS7lpL1v8e4
i3RDUQjzbsRDB5FH8na6fzsn13olTNtqJhFq5zAD48VCsfNAsDCKo/T4S/Y1NSbZ
SW0WrwAfkO4=
=g5yw
-----END PGP SIGNATURE-----

----- End forwarded message -----

From mieko em ccuec.unicamp.br Mon Apr 14 17:04:50 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Mon, 14 Apr 2003 17:04:50 -0300
Subject: [SECURITY-L] News Bulletins
Message-ID: <20030414200449.GA779@ccuec.unicamp.br>

Dear users,

We have updated the Equipe de Seguranca em Sistemas e Redes (Unicamp Systems and Network Security Team) site with the following news bulletins and/or electronic magazines:

14/04/2003
----------

SecurityFocus Newsletter #192
Source: Security Focus
http://www.security.unicamp.br/docs/informativos/2003/04/b7.txt

SANS Critical Vulnerability Analysis Vol 2 No 14
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/04/b6.txt

09/04/2003
----------

SANS NewsBites Vol. 5 Num. 14
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/04/b4.txt

07/04/2003
----------

No.288 : Legislation and hacking practice: the real Brazilian scenario
Source: Modulo
http://www.security.unicamp.br/docs/informativos/2003/04/b5.txt

SecurityFocus Newsletter #191
Source: Security Focus
http://www.security.unicamp.br/docs/informativos/2003/04/b3.txt

SANS Critical Vulnerability Analysis Vol 2 No 13
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/04/b2.txt

02/04/2003
----------

SANS NewsBites Vol. 5 Num. 13
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/04/b1.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Tue Apr 22 14:00:30 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 22 Apr 2003 14:00:30 -0300
Subject: [SECURITY-L] [cais@cais.rnp.br: CAIS-Alerta: CERT Advisory CA-2003-13 - Multiple vulnerabilities in Snort]
Message-ID: <20030422170030.GD471@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: CERT Advisory CA-2003-13 - Multiple vulnerabilities in Snort
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Thu, 17 Apr 2003 13:54:35 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the alert published by CERT/CC, CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors, which covers two vulnerabilities identified in the Snort IDS tool. These vulnerabilities were identified in Snort's preprocessors and may allow a remote attacker to execute arbitrary code with the privileges of the user running snort, normally root.

Affected systems:

. Snort IDS, versions 1.8.x, 1.9.x up to 2.0 RC1

Available fixes:

Both vulnerabilities (VU#139129 and VU#916785) are resolved by upgrading Snort to version 2.0, available at:

. http://www.snort.org/dl/snort-2.0.0.tar.gz

If upgrading Snort is not possible, it is possible to protect against the vulnerabilities with the following changes to the "snort.conf" file:

For vulnerability VU#139129, comment out the following line:

preprocessor stream4_reassemble

For vulnerability VU#916785, comment out the following line:

preprocessor rpc_decode: 111 32771

More information:

. http://www.cert.org/advisories/CA-2003-13.html
. http://www.kb.cert.org/vuls/id/139129
. http://www.kb.cert.org/vuls/id/916785
. http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10
. http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951

CVE identifiers: CAN-2003-0029, CAN-2003-0033 (http://cve.mitre.org)

CAIS recommends that administrators update their systems urgently.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br                   http://www.cais.rnp.br #
# Tel. 019-37873300                          Fax. 019-37873301 #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors

Original release date: April 17, 2003
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.
Systems Affected

* Snort IDS, versions 1.8 through 2.0 RC1

Overview

There are two vulnerabilities in the Snort Intrusion Detection System, each in a separate preprocessor module. Both vulnerabilities allow remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root.

I. Description

The Snort intrusion detection system ships with a variety of preprocessor modules that allow the user to selectively include additional functionality. Researchers from two independent organizations have discovered vulnerabilities in two of these modules, the RPC preprocessor and the "stream4" TCP fragment reassembly preprocessor. For additional information regarding Snort, please see http://www.snort.org/.

VU#139129 - Heap overflow in Snort "stream4" preprocessor (CAN-2003-0029)

Researchers at CORE Security Technologies have discovered a remotely exploitable heap overflow in the Snort "stream4" preprocessor module. This module allows Snort to reassemble TCP packet fragments for further analysis. To exploit this vulnerability, an attacker must disrupt the state tracking mechanism of the preprocessor module by sending a series of packets with crafted sequence numbers. This causes the module to bypass a check for buffer overflow attempts and allows the attacker to insert arbitrary code into the heap. For additional information, please read the Core Security Technologies Advisory located at

http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10

This vulnerability affects Snort versions 1.8.x, 1.9.x, and 2.0 prior to RC1. Snort has published an advisory regarding this vulnerability; it is available at http://www.snort.org/advisories/snort-2003-04-16-1.txt.

VU#916785 - Buffer overflow in Snort RPC preprocessor (CAN-2003-0033)

Researchers at Internet Security Systems (ISS) have discovered a remotely exploitable buffer overflow in the Snort RPC preprocessor module. Martin Roesch, primary developer for Snort, described the vulnerability as follows:

    When the RPC decoder normalizes fragmented RPC records, it incorrectly checks the lengths of what is being normalized against the current packet size, leading to an overflow condition.

The RPC preprocessor is enabled by default. For additional information, please read the ISS X-Force advisory located at

http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951

This vulnerability affects Snort versions 1.8.x through 1.9.1 and version 2.0 Beta.

II. Impact

Both VU#139129 and VU#916785 allow remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root. In addition, it is not necessary for the attacker to know the IP address of the Snort device they wish to attack; merely sending malicious traffic where it can be observed by an affected Snort sensor is sufficient to exploit these vulnerabilities.

III. Solution

Upgrade to Snort 2.0

Both VU#139129 and VU#916785 are addressed in Snort version 2.0, which is available at

http://www.snort.org/dl/snort-2.0.0.tar.gz

Binary-only versions of Snort are available from

http://www.snort.org/dl/binaries

For information from other vendors that ship affected versions of Snort, please see Appendix A of this document.

Disable affected preprocessor modules

Sites that are unable to immediately upgrade affected Snort sensors may prevent exploitation of this vulnerability by commenting out the affected preprocessor modules in the "snort.conf" configuration file.

To prevent exploitation of VU#139129, comment out the following line:

preprocessor stream4_reassemble

To prevent exploitation of VU#916785, comment out the following line:

preprocessor rpc_decode: 111 32771

After commenting out the affected modules, send a SIGHUP signal to the affected Snort process to update the configuration.
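The same two-step workaround appears in the CAIS text earlier in this message and in the CERT Solution section above: comment out the stream4_reassemble and rpc_decode preprocessor lines in snort.conf, then SIGHUP the sensor. The following Python is an added example, not part of the CERT advisory, CAIS's alert or the Snort project, that applies those changes to a snort.conf text without touching anything else, stays idempotent on a second run, and reports what it disabled. The sample snort.conf fragment is constructed for the example, and the pidfile path used by the reload helper is an assumption.

```python
import os
import re
import signal

# The two preprocessors named in CERT CA-2003-13: VU#139129 (stream4_reassemble)
# and VU#916785 (rpc_decode). Only these are touched; the base "stream4"
# directive stays enabled because the advisory names only the reassembly module.
AFFECTED_PREPROCESSORS = ("stream4_reassemble", "rpc_decode")

# Matches an active (uncommented) "preprocessor <name>" directive. The name must
# be followed by end of line, whitespace or the ':' that introduces options, so
# "preprocessor stream4: detect_scans" is not mistaken for stream4_reassemble.
_DIRECTIVE = re.compile(
    r"^(\s*)preprocessor\s+("
    + "|".join(re.escape(name) for name in AFFECTED_PREPROCESSORS)
    + r")(?=\s|:|$)"
)

# Constructed sample snort.conf fragment (not a real file from any sensor).
SAMPLE_SNORT_CONF = """\
var HOME_NET any
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode
preprocessor rpc_decode: 111 32771
preprocessor bo
"""


def disable_affected_preprocessors(conf_text):
    """Comment out the affected preprocessor lines in a snort.conf text.

    Returns (new_text, disabled), where disabled lists the preprocessor names
    that were commented out, in file order. Lines that are already comments
    do not match, so a second run over the output changes nothing.
    """
    out_lines = []
    disabled = []
    for line in conf_text.splitlines():
        m = _DIRECTIVE.match(line)
        if m:
            out_lines.append(f"{m.group(1)}# disabled per CERT CA-2003-13: {line.strip()}")
            disabled.append(m.group(2))
        else:
            out_lines.append(line)
    return "\n".join(out_lines) + "\n", disabled


def harden_snort_conf(path):
    """Rewrite snort.conf in place, keeping a .bak copy of the original.
    Returns the list of disabled preprocessor names (empty if nothing changed)."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_text, disabled = disable_affected_preprocessors(original)
    if disabled:
        with open(path + ".bak", "w", encoding="utf-8") as fh:
            fh.write(original)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return disabled


def reload_snort(pidfile="/var/run/snort_eth0.pid"):
    """Send SIGHUP so the running sensor re-reads its configuration, which is
    the advisory's final step. The pidfile location is an assumption; point it
    at wherever your Snort writes its pid."""
    with open(pidfile, encoding="utf-8") as fh:
        pid = int(fh.read().split()[0])
    os.kill(pid, signal.SIGHUP)
    return pid


if __name__ == "__main__":
    new_conf, disabled = disable_affected_preprocessors(SAMPLE_SNORT_CONF)
    print(new_conf)
    print("disabled:", disabled)
```

The returned list is what you would log or feed into change tracking: an empty list on a sensor that should have had both modules enabled means its configuration did not match what you expected, which is worth a look before assuming it is covered. As the advisory notes further down, disabling stream4_reassemble costs the sensor its ability to detect a class of IDS evasion, so treat this as a stopgap until the 2.0 upgrade.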
Note that disabling these modules may have adverse effects on a sensor's ability to correctly process RPC record fragments and TCP packet fragments. In particular, disabling the "stream4" preprocessor module will prevent the Snort sensor from detecting a variety of IDS evasion attacks.

Block outbound packets from Snort IDS systems

You may be able to limit an attacker's capabilities if the system is compromised by blocking all outbound traffic from the Snort sensor. While this workaround will not prevent exploitation of the vulnerability, it may make it more difficult for the attacker to create a useful exploit.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Apple Computer, Inc.

Snort is not shipped with Mac OS X or Mac OS X Server.

Ingrian Networks

Ingrian Networks products are not susceptible to VU#139129 and VU#916785 since they do not use Snort. Ingrian customers who are using the IDS Extender Service Engine to mirror cleartext data to a Snort-based IDS should upgrade their IDS software.

NetBSD

NetBSD does not include snort in the base system. Snort is available from the 3rd party software system, pkgsrc. Users who have installed net/snort, net/snort-mysql or net/snort-pgsql should update to a fixed version. pkgsrc/security/audit-packages can be used to keep up to date with these types of issues.

Red Hat Inc.

Not vulnerable. Red Hat does not ship Snort in any of our supported products.

SGI

SGI does not ship snort as part of IRIX.

Snort

Snort 2.0 has undergone an external third party professional security audit funded by Sourcefire.

_________________________________________________________________

The CERT/CC acknowledges Bruce Leidl, Juan Pablo Martinez Kuhn, and Alejandro David Weil of Core Security Technologies for their discovery of VU#139129. We also acknowledge Mark Dowd and Neel Mehta of ISS X-Force for their discovery of VU#916785.
_________________________________________________________________

Authors: Jeffrey P. Lanza and Cory F. Cohen.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-13.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert em cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo em cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis.
Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.

Revision History

April 17, 2003: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPp7cVOkli63F4U8VAQEgegQAh0Y327aZBw/halcJRIa4ad+ILzW7jruZ
cdV6EvSI3PRFjaTssPT9eZGc356LVqKtGNXClXU3DggTPd5QhJPU1TCeirHgK2bV
C+192Tt9YWMpKLACP/Dw/5uy9GR7uSqdBAg+6MPjbJT/o+wlTkyfQEllX+ItO5y+
yDzqDn3h9SY=
=5M9m
-----END PGP SIGNATURE-----

----- End forwarded message -----

From mieko em ccuec.unicamp.br Tue Apr 22 13:58:36 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 22 Apr 2003 13:58:36 -0300
Subject: [SECURITY-L] [cais@cais.rnp.br: CAIS-Alerta: Vulnerability in the Windows Kernel (811493)]
Message-ID: <20030422165836.GB471@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Vulnerability in the Windows Kernel (811493)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Thu, 17 Apr 2003 10:08:09 -0300 (BRT)

Dear all,

CAIS is forwarding the alert published by Microsoft, Microsoft Security Bulletin MS03-013: Buffer Overrun in Windows Kernel Message Handling could Lead to Elevated Privileges (811493), which addresses a vulnerability identified in the Windows kernel that may allow an attacker to elevate privileges within the system.

Affected systems:

. Microsoft Windows NT 4.0
. Microsoft Windows NT 4.0 Server, Terminal Server Edition
. Microsoft Windows 2000
. Microsoft Windows XP

Available fixes:

The fix consists of applying the patch recommended by Microsoft, available at the URLs listed below.

. Windows NT 4.0:
  o All except Japanese NEC and Chinese - Hong Kong
    http://microsoft.com/downloads/details.aspx?FamilyId=C3596ED1-596F-416C-8BE5-91AE65619A1A&displaylang=en
  o Japanese NEC
    http://microsoft.com/downloads/details.aspx?FamilyId=6D83F8BA-BF16-4EC5-9187-9B03E9AE825F&displaylang=ja
  o Chinese - Hong Kong
    http://microsoft.com/downloads/details.aspx?FamilyId=0FF5C348-F7A0-44E8-8D82-557389FB4590&displaylang=zh-tw

. Windows NT 4.0, Terminal Server Edition:
  o All
    http://microsoft.com/downloads/details.aspx?FamilyId=910A0015-3723-4A4E-9049-99A4CE52B5F8&displaylang=en

. Windows 2000:
  o All except Japanese NEC
    http://microsoft.com/downloads/details.aspx?FamilyId=CACAC8C0-81E9-413E-B565-5D7B3257A733&displaylang=en
  o Japanese NEC
    http://microsoft.com/downloads/details.aspx?FamilyId=81E6E80C-5E56-4466-98C1-4DDF6CF3893F&displaylang=ja

. Windows XP:
  o 32-bit Edition
    http://microsoft.com/downloads/details.aspx?FamilyId=9F81E615-3DEC-4A4B-826A-4E0FEAB42323&displaylang=en
  o 64-bit Edition
    http://microsoft.com/downloads/details.aspx?FamilyId=DBC47904-51C8-475A-9900-3DF363A51A3A&displaylang=en

More information:

http://www.microsoft.com/technet/security/bulletin/ms03-013.asp

CVE identifier: CAN-2003-0112 (http://cve.mitre.org)

CAIS recommends that administrators of Microsoft platforms always keep their systems and applications up to date.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br                   http://www.cais.rnp.br #
# Tel. 019-37873300                          Fax. 019-37873301 #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

----------------------------------------------------------------------
Title:      Buffer Overrun in Windows Kernel Message Handling could Lead to Elevated Privileges (811493)
Date:       16 April 2003
Software:   Microsoft Windows NT 4.0, Windows 2000, and Windows XP
Impact:     Local Elevation of Privilege
Max Risk:   Important
Bulletin:   MS03-013

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-013.asp
http://www.microsoft.com/security/security_bulletins/ms03-013.asp
----------------------------------------------------------------------

Issue:
======
The Windows kernel is the core of the operating system. It provides system level services such as device and memory management, allocates processor time to processes and manages error handling. There is a flaw in the way the kernel passes error messages to a debugger. A vulnerability results because an attacker could write a program to exploit this flaw and run code of their choice. An attacker could exploit this vulnerability to take any action on the system including deleting data, adding accounts with administrative access, or reconfiguring the system.

For an attack to be successful, an attacker would need to be able to log on interactively to the system, either at the console or through a terminal session. Also, a successful attack would require the introduction of code in order to exploit this vulnerability. Because best practices recommend restricting the ability to log on interactively on servers, this issue most directly affects client systems and terminal servers.

Mitigating Factors:
====================
- A successful attack requires the ability to log on interactively to the target machine, either directly at the console or through a terminal session.
- Properly secured servers would be at little risk from this vulnerability. Standard best practices recommend only allowing trusted administrators to log onto such systems interactively; without such privileges, an attacker could not exploit the vulnerability. Risk Rating: ============ Important Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletins at http://www.microsoft.com/technet/security/bulletin/ms03-013.asp http://www.microsoft.com/security/security_bulletins/ms03-013.asp for information on obtaining this patch. Acknowledgment: =============== - Oded Horovitz of Entercept Security Technologies - http://www.entercept.com --------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. 
*******************************************************************

----- End forwarded message -----

From mieko em ccuec.unicamp.br  Tue Apr 22 13:56:55 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 22 Apr 2003 13:56:55 -0300
Subject: [SECURITY-L] [0_46831_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR@Newsletters.Microsoft.com: Microsoft Security Bulletin MS03-013: Buffer Overrun in Windows Kernel Message Handling could Lead to Elevated Privileges (811493)]
Message-ID: <20030422165655.GA471@ccuec.unicamp.br>

----- Forwarded message from Microsoft <0_46831_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com> -----

From: "Microsoft" <0_46831_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com>
Subject: Microsoft Security Bulletin MS03-013: Buffer Overrun in Windows Kernel Message Handling could Lead to Elevated Privileges (811493)
To:
Date: Wed, 16 Apr 2003 15:58:31 -0700
X-Mailer: Microsoft CDO for Windows 2000

-----BEGIN PGP SIGNED MESSAGE-----

----------------------------------------------------------------------
Title:      Buffer Overrun in Windows Kernel Message Handling could
            Lead to Elevated Privileges (811493)
Date:       16 April 2003
Software:   Microsoft Windows NT 4.0, Windows 2000, and Windows XP
Impact:     Local Elevation of Privilege
Max Risk:   Important
Bulletin:   MS03-013

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-013.asp
http://www.microsoft.com/security/security_bulletins/ms03-013.asp
----------------------------------------------------------------------

Issue:
======
The Windows kernel is the core of the operating system. It provides system level services such as device and memory management, allocates processor time to processes and manages error handling.

There is a flaw in the way the kernel passes error messages to a debugger. A vulnerability results because an attacker could write a program to exploit this flaw and run code of their choice. An attacker could exploit this vulnerability to take any action on the system, including deleting data, adding accounts with administrative access, or reconfiguring the system.

For an attack to be successful, an attacker would need to be able to log on interactively to the system, either at the console or through a terminal session. Also, a successful attack would require the introduction of code in order to exploit this vulnerability. Because best practices recommend restricting the ability to log on interactively on servers, this issue most directly affects client systems and terminal servers.

Mitigating Factors:
====================
- A successful attack requires the ability to log on interactively to the target machine, either directly at the console or through a terminal session.
- Properly secured servers would be at little risk from this vulnerability. Standard best practices recommend only allowing trusted administrators to log onto such systems interactively; without such privileges, an attacker could not exploit the vulnerability.

Risk Rating:
============
Important

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
  http://www.microsoft.com/technet/security/bulletin/ms03-013.asp
  http://www.microsoft.com/security/security_bulletins/ms03-013.asp
  for information on obtaining this patch.

Acknowledgment:
===============
- Oded Horovitz of Entercept Security Technologies - http://www.entercept.com

---------------------------------------------------------------------

*******************************************************************
You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp

If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below: Reply to this message with the word UNSUBSCRIBE in the Subject line.

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
----- End forwarded message -----

From mieko em ccuec.unicamp.br  Tue Apr 22 13:59:10 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 22 Apr 2003 13:59:10 -0300
Subject: [SECURITY-L] [cert-advisory@cert.org: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors]
Message-ID: <20030422165910.GC471@ccuec.unicamp.br>

----- Forwarded message from CERT Advisory -----

From: CERT Advisory
Subject: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
To: cert-advisory em cert.org
Date: Thu, 17 Apr 2003 11:30:32 -0400
Organization: CERT(R) Coordination Center - +1 412-268-7090

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors

   Original release date: April 17, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Snort IDS, versions 1.8 through 2.0 RC1

Overview

   There are two vulnerabilities in the Snort Intrusion Detection System, each in a separate preprocessor module. Both vulnerabilities allow remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root.

I. Description

   The Snort intrusion detection system ships with a variety of preprocessor modules that allow the user to selectively include additional functionality. Researchers from two independent organizations have discovered vulnerabilities in two of these modules, the RPC preprocessor and the "stream4" TCP fragment reassembly preprocessor. For additional information regarding Snort, please see http://www.snort.org/.

   VU#139129 - Heap overflow in Snort "stream4" preprocessor (CAN-2003-0029)

   Researchers at CORE Security Technologies have discovered a remotely exploitable heap overflow in the Snort "stream4" preprocessor module. This module allows Snort to reassemble TCP packet fragments for further analysis. To exploit this vulnerability, an attacker must disrupt the state tracking mechanism of the preprocessor module by sending a series of packets with crafted sequence numbers. This causes the module to bypass a check for buffer overflow attempts and allows the attacker to insert arbitrary code into the heap.

   For additional information, please read the Core Security Technologies Advisory located at
   http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10

   This vulnerability affects Snort versions 1.8.x, 1.9.x, and 2.0 prior to RC1. Snort has published an advisory regarding this vulnerability; it is available at
   http://www.snort.org/advisories/snort-2003-04-16-1.txt.

   VU#916785 - Buffer overflow in Snort RPC preprocessor (CAN-2003-0033)

   Researchers at Internet Security Systems (ISS) have discovered a remotely exploitable buffer overflow in the Snort RPC preprocessor module. Martin Roesch, primary developer for Snort, described the vulnerability as follows:

     When the RPC decoder normalizes fragmented RPC records, it incorrectly checks the lengths of what is being normalized against the current packet size, leading to an overflow condition.

   The RPC preprocessor is enabled by default. For additional information, please read the ISS X-Force advisory located at
   http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951

   This vulnerability affects Snort versions 1.8.x through 1.9.1 and version 2.0 Beta.

II. Impact

   Both VU#139129 and VU#916785 allow remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root. In addition, it is not necessary for the attacker to know the IP address of the Snort device they wish to attack; merely sending malicious traffic where it can be observed by an affected Snort sensor is sufficient to exploit these vulnerabilities.

III. Solution

   Upgrade to Snort 2.0

   Both VU#139129 and VU#916785 are addressed in Snort version 2.0, which is available at
   http://www.snort.org/dl/snort-2.0.0.tar.gz

   Binary-only versions of Snort are available from
   http://www.snort.org/dl/binaries

   For information from other vendors that ship affected versions of Snort, please see Appendix A of this document.

   Disable affected preprocessor modules

   Sites that are unable to immediately upgrade affected Snort sensors may prevent exploitation of this vulnerability by commenting out the affected preprocessor modules in the "snort.conf" configuration file.

   To prevent exploitation of VU#139129, comment out the following line:

     preprocessor stream4_reassemble

   To prevent exploitation of VU#916785, comment out the following line:

     preprocessor rpc_decode: 111 32771

   After commenting out the affected modules, send a SIGHUP signal to the affected Snort process to update the configuration.

   Note that disabling these modules may have adverse effects on a sensor's ability to correctly process RPC record fragments and TCP packet fragments. In particular, disabling the "stream4" preprocessor module will prevent the Snort sensor from detecting a variety of IDS evasion attacks.

   Block outbound packets from Snort IDS systems

   You may be able to limit an attacker's capabilities if the system is compromised by blocking all outbound traffic from the Snort sensor. While this workaround will not prevent exploitation of the vulnerability, it may make it more difficult for the attacker to create a useful exploit.

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

   Apple Computer, Inc.

     Snort is not shipped with Mac OS X or Mac OS X Server.
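The "Disable affected preprocessor modules" workaround above, scripted as an added example that is not part of the CERT advisory or of Snort itself: it comments out the two directives named in the advisory in a copy of snort.conf, verifies that no vulnerable directive remains enabled, and offers a SIGHUP reload. The sample configuration is constructed, and the pidfile path is an assumption.

```shell
#!/bin/sh
# Added example (not from CA-2003-13 or the Snort project): apply the advisory's
# interim workaround to a snort.conf by commenting out the two affected
# preprocessor directives, confirm nothing vulnerable is left enabled, and
# signal the sensor to reload.  The pidfile path below is an assumption.

# Comment out "preprocessor stream4_reassemble" and "preprocessor rpc_decode"
# directives.  Leading whitespace is preserved, lines already commented out
# are left alone, and the separate "preprocessor stream4:" line (not named
# in the workaround) is not touched.  The original is kept as <conf>.bak.
disable_vulnerable_preprocessors() {
    conf="$1"
    cp "$conf" "$conf.bak" || return 1
    sed -e 's/^\([[:space:]]*\)\(preprocessor[[:space:]]\{1,\}stream4_reassemble\)/\1# \2/' \
        -e 's/^\([[:space:]]*\)\(preprocessor[[:space:]]\{1,\}rpc_decode\)/\1# \2/' \
        "$conf.bak" > "$conf"
}

# Succeed (exit 0) only if no active vulnerable preprocessor directive remains.
check_vulnerable_preprocessors() {
    conf="$1"
    if grep -Eq '^[[:space:]]*preprocessor[[:space:]]+(stream4_reassemble|rpc_decode)' "$conf"; then
        return 1
    fi
    return 0
}

# Ask the running sensor to reread its configuration, as the advisory
# describes, by sending SIGHUP to the pid recorded in the pidfile.
reload_snort() {
    pidfile="${1:-/var/run/snort_eth0.pid}"   # assumed location
    if [ -r "$pidfile" ]; then
        kill -HUP "$(cat "$pidfile")"
    else
        echo "pidfile $pidfile not found; skipping reload" >&2
        return 1
    fi
}

# Demonstration on a constructed snort.conf fragment (written to a temp file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample snort.conf fragment
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
    preprocessor rpc_decode: 111 32771
# preprocessor rpc_decode: 111 32771   (already disabled on this sensor)
preprocessor http_decode: 80 unicode iis_alt_unicode
EOF

if check_vulnerable_preprocessors "$SAMPLE_CONF"; then
    echo "no vulnerable preprocessors enabled in $SAMPLE_CONF"
else
    echo "vulnerable preprocessors enabled; applying workaround"
    disable_vulnerable_preprocessors "$SAMPLE_CONF"
    check_vulnerable_preprocessors "$SAMPLE_CONF" && echo "workaround applied:"
    grep -nE 'stream4_reassemble|rpc_decode' "$SAMPLE_CONF"
fi
# On a real sensor, follow up with: reload_snort /var/run/snort_eth0.pid
```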
   Ingrian Networks

     Ingrian Networks products are not susceptible to VU#139129 and VU#916785 since they do not use Snort. Ingrian customers who are using the IDS Extender Service Engine to mirror cleartext data to a Snort-based IDS should upgrade their IDS software.

   NetBSD

     NetBSD does not include snort in the base system. Snort is available from the 3rd party software system, pkgsrc. Users who have installed net/snort, net/snort-mysql or net/snort-pgsql should update to a fixed version. pkgsrc/security/audit-packages can be used to keep up to date with these types of issues.

   Red Hat Inc.

     Not vulnerable. Red Hat does not ship Snort in any of our supported products.

   SGI

     SGI does not ship snort as part of IRIX.

   Snort

     Snort 2.0 has undergone an external third party professional security audit funded by Sourcefire.
_________________________________________________________________

   The CERT/CC acknowledges Bruce Leidl, Juan Pablo Martinez Kuhn, and Alejandro David Weil of Core Security Technologies for their discovery of VU#139129. We also acknowledge Mark Dowd and Neel Mehta of ISS X-Force for their discovery of VU#916785.
_________________________________________________________________

   Authors: Jeffrey P. Lanza and Cory F. Cohen.
______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2003-13.html
______________________________________________________________________

CERT/CC Contact Information

   Email: cert em cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
     CERT Coordination Center
     Software Engineering Institute
     Carnegie Mellon University
     Pittsburgh PA 15213-3890
     U.S.A.

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

   CERT publications and other security information are available from our web site
   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo em cert.org. Please include in the body of your message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

   Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

   Revision History

   April 17, 2003: Initial release

----- End forwarded message -----

From mieko em ccuec.unicamp.br  Tue Apr 22 14:27:50 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 22 Apr 2003 14:27:50 -0300
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030422172750.GA540@ccuec.unicamp.br>

Dear Users,

We have updated the website of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

16/04/2003
----------
CONECTIVA LINUX SECURITY ANNOUNCEMENT (CLA-2003:627)
Subject: Several vulnerabilities in ethereal
http://www.security.unicamp.br/docs/bugs/2003/04/v123.txt

Conectiva Linux Security Announcement (CLA-2003:627), Portuguese version
Subject: Several vulnerabilities in the ethereal package
http://www.security.unicamp.br/docs/bugs/2003/04/v122.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:048)
Subject: Security vulnerability in the eog package
http://www.security.unicamp.br/docs/bugs/2003/04/v121.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:047)
Subject: Security vulnerability in the xfsdump package
http://www.security.unicamp.br/docs/bugs/2003/04/v120.txt

15/04/2003
----------
Core Security Technologies Advisory (CORE-2003-0307)
Subject: Snort TCP Stream Reassembly Integer Overflow Vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v119.txt

Immunix Secured OS Security Advisory (IMNX-2003-7+-009-01)
Subject: Security vulnerability in the glibc package
http://www.security.unicamp.br/docs/bugs/2003/04/v118.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:046)
Subject: Security vulnerability in the gtkhtml package
http://www.security.unicamp.br/docs/bugs/2003/04/v117.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:045)
Subject: Security vulnerability in the evolution package
http://www.security.unicamp.br/docs/bugs/2003/04/v116.txt

Debian Security Advisory (DSA 267-2)
Subject: buffer overflow in lpr
http://www.security.unicamp.br/docs/bugs/2003/04/v115.txt

Security Corporation Security Advisory (SCSA-016)
Subject: Multiple vulnerabilities in Ez publish
http://www.security.unicamp.br/docs/bugs/2003/04/v114.txt

14/04/2003
----------
Debian Security Advisory (DSA 287-1)
Subject: buffer overflows in epic
http://www.security.unicamp.br/docs/bugs/2003/04/v113.txt

Gentoo Linux Security Announcement (200304-04.1)
Subject: arbitrary code execution in kdegraphics-3.1.x
http://www.security.unicamp.br/docs/bugs/2003/04/v112.txt

CONECTIVA LINUX SECURITY ANNOUNCEMENT
Subject: Buffer overflow in IMAP code on mutt
http://www.security.unicamp.br/docs/bugs/2003/04/v111.txt

Conectiva Linux Security Announcement (CLA-2003:626), Portuguese version
Subject: Buffer overflow in the IMAP reader of the mutt package
http://www.security.unicamp.br/docs/bugs/2003/04/v110.txt

SGI Security Advisory (20030406-01-P)
Subject: Multiple Vulnerabilities in BSD LPR Subsystem
http://www.security.unicamp.br/docs/bugs/2003/04/v109.txt

Debian Security Advisory (DSA 286-1)
Subject: insecure temporary file in gs-common
http://www.security.unicamp.br/docs/bugs/2003/04/v108.txt

Debian Security Advisory (DSA 285-1)
Subject: insecure temporary file in lprng
http://www.security.unicamp.br/docs/bugs/2003/04/v107.txt

Red Hat Security Advisory (RHSA-2003:126-01)
Subject: Updated gtkhtml packages fix vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v106.txt

Gentoo Linux Security Announcement (200304-05)
Subject: arbitrary code execution in kde-2.x
http://www.security.unicamp.br/docs/bugs/2003/04/v105.txt

13/04/2003
----------
Beyond Security Ltd.
Subject: Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach
http://www.security.unicamp.br/docs/bugs/2003/04/v104.txt

12/04/2003
----------
Debian Security Advisory (DSA 284-1)
Subject: insecure execution in kdegraphics
http://www.security.unicamp.br/docs/bugs/2003/04/v103.txt

11/04/2003
----------
Rapid7, Inc. Security Advisory (R7-0013)
Subject: Heap Corruption in Gaim-Encryption Plugin
http://www.security.unicamp.br/docs/bugs/2003/04/v102.txt

SGI Security Advisory (20030405-01-I)
Subject: Brocade Firmware SNMP Vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v101.txt

SGI Security Advisory (20021102-03-P)
Subject: ToolTalk Vulnerabilities Update
http://www.security.unicamp.br/docs/bugs/2003/04/v100.txt

Gentoo Linux Security Announcement (200304-05)
Subject: arbitrary code execution in kde-2.x
http://www.security.unicamp.br/docs/bugs/2003/04/v99.txt

Debian Security Advisory (DSA 283-1)
Subject: insecure file creation in xfsdump
http://www.security.unicamp.br/docs/bugs/2003/04/v98.txt

10/04/2003
----------
@stake Security Advisory (a041003-1 -)
Subject: MacOS X DirectoryService Privilege Escalation and DoS Attack
http://www.security.unicamp.br/docs/bugs/2003/04/v97.txt

07/04/2003
----------
Debian Security Advisory (DSA 274-2)
Subject: buffer overflow in mutt
http://www.security.unicamp.br/docs/bugs/2003/04/v96.txt

--
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br  Thu Apr 24 10:13:35 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 24 Apr 2003 10:13:35 -0300
Subject: [SECURITY-L] [0_47099_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR@Newsletters.Microsoft.com: Revised: Microsoft Security Bulletin MS03-007: Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)]
Message-ID: <20030424131335.GA3472@ccuec.unicamp.br>

----- Forwarded message from Microsoft <0_47099_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com> -----

From: "Microsoft" <0_47099_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com>
Subject: Revised: Microsoft Security Bulletin MS03-007: Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)
To:
Date: Thu, 24 Apr 2003 05:59:45 -0700
X-Mailer: Microsoft CDO for Windows 2000

-----BEGIN PGP SIGNED MESSAGE-----

----------------------------------------------------------------------
Title:      Unchecked Buffer In Windows Component Could Cause Server
            Compromise (815021)
Released:   17 Mar 2003
Revised:    23 Apr 2003 (version 2.0)
Software:   Microsoft (r) Windows (r) NT 4.0 and Windows 2000
Impact:     Run code of attacker's choice
Max Risk:   Critical
Bulletin:   MS03-007

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
http://www.microsoft.com/security/security_bulletins/ms03-007.asp
----------------------------------------------------------------------

Reason for Revision:
====================
Microsoft originally released this security bulletin on March 17, 2003. At that time, Microsoft was aware of a publicly available exploit that was being used to attack Windows 2000 Servers running IIS 5.0. The attack vector in this case was WebDAV, although the underlying vulnerability was in a core operating system component, ntdll.dll. Microsoft issued a patch to protect Windows 2000 customers shortly afterwards, but also continued to investigate the underlying vulnerability.

Windows NT 4.0 also contains the underlying vulnerability in ntdll.dll; however, it does not support WebDAV and therefore the known exploit was not effective against Windows NT 4.0. Microsoft has now released a patch for Windows NT 4.0.

Issue:
======
Microsoft Windows 2000 supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. WebDAV, defined in RFC 2518, is a set of extensions to the Hyper Text Transfer Protocol (HTTP) that provide a standard for editing and file management between computers on the Internet.

A security vulnerability is present in a Windows component used by WebDAV and results because a core operating system component, ntdll.dll, contains an unchecked buffer. An attacker could exploit the vulnerability by sending a specially formed HTTP request to a machine running Internet Information Server (IIS). The request could cause the server to fail or to execute code of the attacker's choice. The code would run in the security context of the IIS service (which, by default, runs in the LocalSystem context).

Although Microsoft has supplied a patch for this vulnerability and recommends all affected customers install the patch immediately, additional tools and preventive measures have been provided that customers can use to block the exploitation of this vulnerability while they are assessing the impact and compatibility of the patch. These temporary workarounds and tools are discussed in the "Workarounds" section in the FAQ below.

Mitigating Factors:
====================
- URLScan, which is a part of the IIS Lockdown Tool, will block this attack in its default configuration.
- The vulnerability can only be exploited remotely if an attacker can establish a web session with an affected server.

Risk Rating:
============
- Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
  http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
  http://www.microsoft.com/security/security_bulletins/ms03-007.asp
  for information on obtaining this patch.

---------------------------------------------------------------------
----- End forwarded message ----- From mieko em ccuec.unicamp.br Thu Apr 24 13:36:57 2003 From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta) Date: Thu, 24 Apr 2003 13:36:57 -0300 Subject: [SECURITY-L] [0_47098_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR@Newsletters.Microsoft.com: Microsoft Security Bulletin MS03-014: Cumulative Patch for Outlook Express (330994)] Message-ID: <20030424163656.GA3631@ccuec.unicamp.br> ----- Forwarded message from Microsoft <0_47098_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com> ----- From: "Microsoft" <0_47098_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com> Subject: Microsoft Security Bulletin MS03-014: Cumulative Patch for Outlook Express (330994) To: Date: Thu, 24 Apr 2003 08:38:16 -0700 X-Mailer: Microsoft CDO for Windows 2000 -----BEGIN PGP SIGNED MESSAGE----- - ---------------------------------------------------------------------- Title: Cumulative Patch for Outlook Express (330994) Date: 23 April 2003 Software: Microsoft (c) Outlook Express Impact: Run code of the attacker's choice on a user's machine. Max Risk: Critical Bulletin: MS03-014 Microsoft encourages customers to review the Security Bulletins at: http://www.microsoft.com/technet/security/bulletin/MS03-014.asp http://www.microsoft.com/security/security_bulletins/ms03-014.asp - ---------------------------------------------------------------------- Issue: ====== MHTML stands for MIME Encapsulation of Aggregate HTML. MHTML is an Internet standard that defines the MIME (Multipurpose Internet Mail Extensions) structure used to send HTML content in e-mail message bodies. The MHTML URL Handler in Windows is part of Outlook Express and provides a URL type that can be used on the local machine. This URL type (MHTML://) allows MHTML documents to be launched from a command line, from Start/Run, using Windows Explorer or from within Internet Explorer. 
A vulnerability exists in the MHTML URL Handler that allows any file that can be rendered as text to be opened and rendered as part of a page in Internet Explorer. As a result, it would be possible to construct a URL that referred to a text file that was stored on the local computer and have that file render as HTML. If the text file contained script, that script would execute when the file was accessed. Since the file would reside on the local computer, it would be rendered in the Local Computer Security Zone. Files that are opened within the Local Computer Zone are subject to fewer restrictions than files opened in other security zones. Using this method, an attacker could attempt to construct a URL and either host it on a website or send it via email. In the web based scenario, where a user then clicked on a URL hosted on a website, an attacker could have the ability to read or launch files already present on the local machine. In the case of an e-mail borne attack, if the user was using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, then an attack could not be automated and the user would still need to click on a URL sent in the e-mail. However if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, the attacker could cause an attack to trigger automatically without the user having to click on a URL contained in an e-mail. In both the web based and e-mail based cases, any limitations on the user's privileges would also restrict the capabilities of the attacker's script. Applying the update listed in Microsoft Security Bulletin MS03-004 - -- Cumulative Patch for Internet Explorer-will help block an attacker from being able to load a file onto a user's computer and prevent the passing of parameters to an executable. 
This means that an attacker could only launch a program that already existed on the computer-provided the attacker was aware of the location of the program-and would not be able to pass parameters to the program for it to execute. MHTML is a standard for exchanging HTML content in e-mail and as a result the MHTML URL Handler function has been implemented in Outlook Express. Internet Explorer can also render MHTML content, however the MHTML function has not been implemented separately in Internet Explorer - it simply uses Outlook Express to render the MHTML content. Mitigating Factors: ==================== - -For the web-based scenario, the attacker would have to host a web site that contained a web page used to exploit this vulnerability and entice a user to visit it. An attacker would have no way to force a user to visit the site. Instead, the attacker would need to lure the user there, typically by getting the user to click on a link to the attacker's site. - -The HTML mail-based attack scenario would be blocked by Outlook Express 6.0 and Outlook 2002 in their default configurations, and by Outlook 98 and 2000 if used in conjunction with the Outlook Email Security Update. - -Exploiting the vulnerability would allow the attacker only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than ones who operate with administrative privileges. - -If the cumulative patch for Internet Explorer MS03-004 has been installed, known means by which an attacker may place a file onto a user's computer will be blocked. - -In order to invoke an executable already present on the local system, an attacker must know the path to that executable. Risk Rating: ============ - Critical Patch Availability: =================== - A patch is available to fix this vulnerability. 
Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-014.asp
http://www.microsoft.com/security/security_bulletins/ms03-014.asp
for information on obtaining this patch.

---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

*******************************************************************
You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp

If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below: Reply to this message with the word UNSUBSCRIBE in the Subject line.

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.

----- End forwarded message -----

From mieko em ccuec.unicamp.br Thu Apr 24 16:49:04 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 24 Apr 2003 16:49:04 -0300
Subject: [SECURITY-L] [cais@cais.rnp.br: CAIS-Alerta: Patch Acumulativo para o Internet Explorer (813489)]
Message-ID: <20030424194904.GA3782@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Patch Acumulativo para o Internet Explorer (813489)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Thu, 24 Apr 2003 16:39:44 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the alert issued by Microsoft, Microsoft Security Bulletin MS03-015: Cumulative Patch for Internet Explorer (813489), which covers the release of a cumulative patch for Microsoft Internet Explorer.

Affected systems:
. Microsoft Internet Explorer 5.01
. Microsoft Internet Explorer 5.5
. Microsoft Internet Explorer 6.0

Available fixes:
The fix consists of applying the patch recommended by Microsoft, available at:
http://www.microsoft.com/windows/ie/downloads/critical/813489/default.asp

More information:
http://www.microsoft.com/technet/security/bulletin/ms03-015.asp

CVE identifiers: CAN-2003-0113, CAN-2003-0114, CAN-2003-0115, CAN-2003-0116 (http://cve.mitre.org)

CAIS recommends that administrators of Microsoft platforms keep their systems and applications up to date at all times.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br                   http://www.cais.rnp.br #
# Tel. 019-37873300                     Fax. 019-37873301      #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

-------------------------------------------------------------------
Title:      Cumulative Patch for Internet Explorer (813489)
Date:       23 April 2003
Software:   Microsoft (c) Internet Explorer
Impact:     Run code of the attacker's choice on a user's machine.
Max Risk:   Critical
Bulletin:   MS03-015

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-015.asp
http://www.microsoft.com/security/security_bulletins/ms03-015.asp
-------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0. In addition, it eliminates the following four newly discovered vulnerabilities:

- A buffer overrun vulnerability in URLMON.DLL that occurs because Internet Explorer does not correctly check the parameters of information being received from a web server. It could be possible for an attacker to exploit this vulnerability to run arbitrary code on a user's system. A user simply visiting an attacker's website could allow the attacker to exploit the vulnerability without any other user action.

- A vulnerability in the Internet Explorer file upload control that allows input from a script to be passed to the upload control. This vulnerability could allow an attacker to supply a file name to the file upload control and automatically upload a file from the user's system to a web server.

- A flaw in the way Internet Explorer handles the rendering of third party files. The vulnerability results because the Internet Explorer method for rendering third party file types does not properly check parameters passed to it. An attacker could create a specially formed URL that would inject script during the rendering of a third party file format and cause the script to execute in the security context of the user.

- A flaw in the way modal dialogs are treated by Internet Explorer that occurs because an input parameter is not properly checked. This flaw could allow an attacker to use an injected script to provide access to files stored on a user's computer. Although a user who visited the attacker's website could allow the attacker to exploit the vulnerability without any other user action, an attacker would have no way to force the user to visit the website.

In addition to eliminating the above vulnerabilities, this patch also includes a fix for Internet Explorer 6.0 SP1 that corrects the method by which Internet Explorer displays help information in the local computer zone. While we are not aware of a method to exploit this vulnerability by itself, if it were possible to exploit it, it could allow an attacker to read local files on a visiting user's system.

This patch also sets the Kill Bit on the Plugin.ocx ActiveX control which has a security vulnerability. This killbit has been set in order to ensure that the vulnerable control cannot be reintroduced onto users' systems and to ensure that users who already have the vulnerable control on their system are protected. This issue is discussed further in Microsoft Knowledge Base Article 813489.

Like the previous Internet Explorer cumulative patch released with bulletin MS03-004, this cumulative patch will cause window.showHelp( ) to cease to function if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Knowledge Base article 811830, you will still be able to use HTML Help functionality after applying this patch.

Mitigating factors:
====================
There are common mitigating factors across all of the vulnerabilities:

- The attacker would have to host a web site that contained a web page used to exploit the particular vulnerability.

- By default, Outlook Express 6.0 and Outlook 2002 open HTML mails in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mails in the Restricted Sites Zone if the Outlook Email Security Update has been installed. Customers who use any of these products would be at no risk from an e-mail borne attack that attempted to automatically exploit these vulnerabilities.

- The attacker would have no way to force users to visit a malicious web site. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site.

In addition to the common factors, there are a number of individual mitigating factors:

URLMON.DLL Buffer Overrun:
- Code that executed on the system would only run under the privileges of the locally logged in user.

File Upload Control vulnerability:
- The attacker would have to know the explicit path and name of the file to be uploaded in advance.

Third Party plug-in rendering:
- The third party plugin would have to be present on the user's system in order for it to be exploited.

Risk Rating:
============
- Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-015.asp
http://www.microsoft.com/security/security_bulletins/ms03-015.asp
for information on obtaining this patch.

-----------------------------------------------------------------
----- End forwarded message -----

From mieko em ccuec.unicamp.br Thu Apr 24 16:49:26 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 24 Apr 2003 16:49:26 -0300
Subject: [SECURITY-L] [cais@cais.rnp.br: CAIS-Alerta: Patch Acumulativo para o Outlook Express (330994)]
Message-ID: <20030424194925.GB3782@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Patch Acumulativo para o Outlook Express (330994)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Thu, 24 Apr 2003 16:44:24 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the alert issued by Microsoft, Microsoft Security Bulletin MS03-014: Cumulative Patch for Outlook Express (330994), which covers the release of a cumulative patch for Microsoft Outlook Express.

Affected systems:
. Microsoft Outlook Express 5.5
. Microsoft Outlook Express 6.0

Available fixes:
The fix consists of applying the patch recommended by Microsoft, available at:
. Microsoft Outlook Express
  http://www.microsoft.com/windows/ie/downloads/critical/330994/default.asp

More information:
http://www.microsoft.com/technet/security/bulletin/ms03-014.asp

CVE identifier: CAN-2002-0980 (http://cve.mitre.org)

CAIS recommends that administrators of Microsoft platforms keep their systems and applications up to date at all times.
Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br                   http://www.cais.rnp.br #
# Tel. 019-37873300                     Fax. 019-37873301      #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

----------------------------------------------------------------------
Title:      Cumulative Patch for Outlook Express (330994)
Date:       23 April 2003
Software:   Microsoft (c) Outlook Express
Impact:     Run code of the attacker's choice on a user's machine.
Max Risk:   Critical
Bulletin:   MS03-014

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-014.asp
http://www.microsoft.com/security/security_bulletins/ms03-014.asp
----------------------------------------------------------------------

Issue:
======
MHTML stands for MIME Encapsulation of Aggregate HTML. MHTML is an Internet standard that defines the MIME (Multipurpose Internet Mail Extensions) structure used to send HTML content in e-mail message bodies. The MHTML URL Handler in Windows is part of Outlook Express and provides a URL type that can be used on the local machine. This URL type (MHTML://) allows MHTML documents to be launched from a command line, from Start/Run, using Windows Explorer or from within Internet Explorer.

A vulnerability exists in the MHTML URL Handler that allows any file that can be rendered as text to be opened and rendered as part of a page in Internet Explorer. As a result, it would be possible to construct a URL that referred to a text file that was stored on the local computer and have that file render as HTML. If the text file contained script, that script would execute when the file was accessed. Since the file would reside on the local computer, it would be rendered in the Local Computer Security Zone. Files that are opened within the Local Computer Zone are subject to fewer restrictions than files opened in other security zones.

Using this method, an attacker could attempt to construct a URL and either host it on a website or send it via email. In the web based scenario, where a user then clicked on a URL hosted on a website, an attacker could have the ability to read or launch files already present on the local machine. In the case of an e-mail borne attack, if the user was using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, then an attack could not be automated and the user would still need to click on a URL sent in the e-mail. However, if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, the attacker could cause an attack to trigger automatically without the user having to click on a URL contained in an e-mail. In both the web based and e-mail based cases, any limitations on the user's privileges would also restrict the capabilities of the attacker's script.

Applying the update listed in Microsoft Security Bulletin MS03-004 (Cumulative Patch for Internet Explorer) will help block an attacker from being able to load a file onto a user's computer and prevent the passing of parameters to an executable. This means that an attacker could only launch a program that already existed on the computer (provided the attacker was aware of the location of the program) and would not be able to pass parameters to the program for it to execute.

MHTML is a standard for exchanging HTML content in e-mail and as a result the MHTML URL Handler function has been implemented in Outlook Express. Internet Explorer can also render MHTML content; however, the MHTML function has not been implemented separately in Internet Explorer. It simply uses Outlook Express to render the MHTML content.

Mitigating Factors:
====================

- For the web-based scenario, the attacker would have to host a web site that contained a web page used to exploit this vulnerability and entice a user to visit it. An attacker would have no way to force a user to visit the site. Instead, the attacker would need to lure the user there, typically by getting the user to click on a link to the attacker's site.

- The HTML mail-based attack scenario would be blocked by Outlook Express 6.0 and Outlook 2002 in their default configurations, and by Outlook 98 and 2000 if used in conjunction with the Outlook Email Security Update.

- Exploiting the vulnerability would allow the attacker only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than ones who operate with administrative privileges.

- If the cumulative patch for Internet Explorer MS03-004 has been installed, known means by which an attacker may place a file onto a user's computer will be blocked.

- In order to invoke an executable already present on the local system, an attacker must know the path to that executable.

Risk Rating:
============
- Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-014.asp
http://www.microsoft.com/security/security_bulletins/ms03-014.asp
for information on obtaining this patch.

---------------------------------------------------------------------
----- End forwarded message -----

From mieko em ccuec.unicamp.br Thu Apr 24 16:58:21 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 24 Apr 2003 16:58:21 -0300
Subject: [SECURITY-L] Vulnerabilidades de Seguranca
Message-ID: <20030424195821.GA3807@ccuec.unicamp.br>

Dear Users,

We have updated the site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

22/04/2003
----------
Debian Security Advisory (DSA 292-2)
Subject: insecure temporary file creation in mime-support
http://www.security.unicamp.br/docs/bugs/2003/04/v143.txt

CONECTIVA LINUX SECURITY ANNOUNCEMENT (CLA-2003:630)
Subject: Buffer overflow in IMAP code and in libesmtp
http://www.security.unicamp.br/docs/bugs/2003/04/v142.txt

Anuncio de Seguranca do Conectiva Linux (CLA-2003:630)
Subject: Vulnerability in the IMAP reader and in the libesmtp library
http://www.security.unicamp.br/docs/bugs/2003/04/v141.txt

CONECTIVA LINUX SECURITY ANNOUNCEMENT (CLA-2003:629)
Subject: Several vulnerabilities tcpdump
http://www.security.unicamp.br/docs/bugs/2003/04/v140.txt

Anuncio de Seguranca do Conectiva Linux (CLA-2003:629)
Subject: Security vulnerability in tcpdump
http://www.security.unicamp.br/docs/bugs/2003/04/v139.txt

Debian Security Advisory (DSA 292-1)
Subject: insecure temporary file creation in mime-support
http://www.security.unicamp.br/docs/bugs/2003/04/v138.txt

Next Generation Security Technologies (NGSEC-2003-5)
Subject: YABB SE, remote command execution.
http://www.security.unicamp.br/docs/bugs/2003/04/v137.txt

Debian Security Advisory (DSA 291-1)
Subject: buffer overflows in ircii
http://www.security.unicamp.br/docs/bugs/2003/04/v136.txt

Gentoo Linux Security Announcement (200304-05)
Subject: Multiple Vulnerabilities in Snort Preprocessors
http://www.security.unicamp.br/docs/bugs/2003/04/v135.txt

17/04/2003
----------
Mandrake Linux Security Update Advisory (MDKSA-2003:049)
Subject: Security vulnerability in the kde3 package
http://www.security.unicamp.br/docs/bugs/2003/04/v134.txt

CONECTIVA LINUX SECURITY ANNOUNCEMENT (CLA-2003:628)
Subject: Local vulnerability in vixie-cron
http://www.security.unicamp.br/docs/bugs/2003/04/v133.txt

Anuncio de Seguranca do Conectiva Linux (CLA-2003:628)
Subject: Local vulnerability in the vixie-cron package
http://www.security.unicamp.br/docs/bugs/2003/04/v132.txt

Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: CERT Advisory CA-2003-13 - Multiple vulnerabilities in Snort
http://www.security.unicamp.br/docs/bugs/2003/04/v131.txt

CERT Advisory (CA-2003-13)
Subject: Multiple Vulnerabilities in Snort Preprocessors
http://www.security.unicamp.br/docs/bugs/2003/04/v130.txt

Debian Security Advisory (DSA 290-1)
Subject: security vulnerability in the sendmail-wide package
http://www.security.unicamp.br/docs/bugs/2003/04/v129.txt

Debian Security Advisory (DSA 289-1)
Subject: incorrect memory resizing in rinetd
http://www.security.unicamp.br/docs/bugs/2003/04/v128.txt

Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Vulnerability in the Windows Kernel (811493)
http://www.security.unicamp.br/docs/bugs/2003/04/v127.txt

Debian Security Advisory (DSA 288-1)
Subject: several vulnerabilities in openssl
http://www.security.unicamp.br/docs/bugs/2003/04/v126.txt

Security Corporation Security Advisory (SCSA-017)
Subject: Directory Traversal Vulnerability in EZ Server
http://www.security.unicamp.br/docs/bugs/2003/04/v125.txt

16/04/2003
----------
Microsoft Security Bulletin (MS03-013)
Subject: Buffer Overrun in Windows Kernel Message Handling could Lead to Elevated Privileges (811493)
http://www.security.unicamp.br/docs/bugs/2003/04/v124.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Fri Apr 25 11:38:16 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 25 Apr 2003 11:38:16 -0300
Subject: [SECURITY-L] [cais@cais.rnp.br: CAIS-Alerta: Exploracao da Vulnerailidade do WebDAV (IIS 5.0)]
Message-ID: <20030425143816.GA4947@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Exploracao da Vulnerailidade do WebDAV (IIS 5.0)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Fri, 25 Apr 2003 11:32:56 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS has become aware of the release of a hacker tool that exploits the vulnerability in the WebDAV component of Microsoft IIS 5.0. The tool, known as "KaHT", was made available in the hacker underground and can allow an attacker to obtain a reverse connection to the target machine or to execute arbitrary commands from a script that is sent to the attacked machine. On exploiting this vulnerability, the tool adds a user named "KaHT" to the Administrator group.

Use of the tool in a real attack results in multiple critical IIS failures, which cause the service to restart. The tool carries out the attack using different offsets 10 times in a row, resulting in 10 IIS failures.

More information on the vulnerability in question can be found at the URLs below:
. http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
. http://www.cert.org/advisories/CA-2003-09.html
. http://isc.incidents.org/analysis.html?id=183
. http://www.rnp.br/cais/alertas/2003/ca200309.html
. http://www.rnp.br/cais/alertas/2003/cais-alr-18032003.html

CAIS recommends that administrators of Microsoft platforms keep their systems and applications up to date at all times, and that they stay alert to any anomalous behaviour of their services.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br                   http://www.cais.rnp.br #
# Tel. 019-37873300                     Fax. 019-37873301      #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

----- End forwarded message -----

From mieko em ccuec.unicamp.br Mon Apr 28 17:15:56 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Mon, 28 Apr 2003 17:15:56 -0300
Subject: [SECURITY-L] Vulnerabilidades de Seguranca
Message-ID: <20030428201556.GA733@ccuec.unicamp.br>

Dear Users,

We have updated the site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

25/04/2003
----------
Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Exploitation of the WebDAV vulnerability (IIS 5.0)
http://www.security.unicamp.br/docs/bugs/2003/04/v163.txt

24/04/2003
----------
Mandrake Linux Security Update Advisory (MDKSA-2003:051)
Subject: Security vulnerability in the ethereal package
http://www.security.unicamp.br/docs/bugs/2003/04/v164.txt

Secure Network Operations (SRT2003-04-24-1532)
Subject: Options Parsing Tool library buffer overflows
http://www.security.unicamp.br/docs/bugs/2003/04/v162.txt

Red Hat Security Advisory (RHSA-2003:118-01)
Subject: Updated mICQ packages fix vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v161.txt

Red Hat Security Advisory (RHSA-2003:112-01)
Subject: Updated squirrelmail packages fix cross-site scripting vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/04/v160.txt

Red Hat Security Advisory (RHSA-2003:142-01)
Subject: Updated LPRng packages fix psbanner vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v159.txt

Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Cumulative Patch for Outlook Express (330994)
http://www.security.unicamp.br/docs/bugs/2003/04/v158.txt

Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Cumulative Patch for Internet Explorer (813489)
http://www.security.unicamp.br/docs/bugs/2003/04/v157.txt

Red Hat Network Alert (RHSA-2003:076-08)
Subject: Updated ethereal packages fix security vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/04/v156.txt

NSFOCUS Security Advisory (SA2003-04)
Subject: Remote Buffer Overflow Vulnerability in Web Management Interface of Cisco Secure ACS
http://www.security.unicamp.br/docs/bugs/2003/04/v155.txt

NGSSoftware Insight Security Research Advisory (#NISR24042003)
Subject: Internet Explorer ActiveX Control Heap Overflow
http://www.security.unicamp.br/docs/bugs/2003/04/v154.txt

SuSE Security Announcement (SuSE-SA:2003:026)
Subject: SuSE Security Announcement: KDE (SuSE-SA:2003:026)
http://www.security.unicamp.br/docs/bugs/2003/04/v153.txt

Microsoft Security Bulletin (MS03-014)
Subject: Cumulative Patch for Outlook Express (330994)
http://www.security.unicamp.br/docs/bugs/2003/04/v152.txt

Cisco Security Advisory (CSCea42030)
Subject: Cisco Catalyst Enable Password Bypass Vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v151.txt

Microsoft Security Bulletin (MS03-007)
Subject: Revised: Microsoft Security Bulletin MS03-007: Unchecked Buffer in Windows Component Could Cause Server Compromise (815021)
http://www.security.unicamp.br/docs/bugs/2003/04/v150.txt

23/04/2003
----------
Red Hat Network Alert (RHSA-2003:032-12)
Subject: Updated tcpdump packages fix various vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/04/v149.txt

Red Hat Security Advisory (RHSA-2003:076-01)
Subject: Updated ethereal packages fix security vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/04/v148.txt

Red Hat Security Advisory (RHSA-2003:032-01)
Subject: Updated tcpdump packages fix various vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/04/v147.txt

Debian Security Advisory (DSA 293-1)
Subject: insecure execution in kdelibs
http://www.security.unicamp.br/docs/bugs/2003/04/v146.txt

Cisco Security Advisory (CSCea51366)
Subject: Cisco Secure Access Control Server for Windows Admin Buffer Overflow Vulnerability
http://www.security.unicamp.br/docs/bugs/2003/04/v145.txt

Debian Security Advisory (DSA 294-1)
Subject: missing quoting, incomplete parser
http://www.security.unicamp.br/docs/bugs/2003/04/v144.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br
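The exploitation pattern described in the CAIS WebDAV alert above (ten IIS crashes in a row, then a "KaHT" account in the Administrators group) is something a defender can correlate from host logs. The following is an added example written for this archive, not code from CAIS, Microsoft or the list; it assumes a constructed, simplified "timestamp | source | message" log export whose wording is modelled on Windows 2000 Service Control Manager and Security log events, not real Event Log output.

```python
"""Correlate a burst of IIS crashes with a subsequent Administrators addition.

Added example, not part of the CAIS alert. The log layout
"<timestamp> | <source> | <message>" is a constructed simplification;
the message texts are assumptions modelled on Windows 2000 event wording.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| ([^|]+?) \| (.*)$")
MEMBER_RE = re.compile(r"Member Name:\s*(\S+)\s+Target Group:\s*(.+?)\s*$")
IIS_SERVICE = "World Wide Web Publishing Service"

# Constructed sample: ten W3SVC crashes 20 seconds apart (the alert says the
# tool tries 10 offsets in a row, crashing IIS each time), then a user named
# KaHT added to Administrators, then an unrelated group change hours later.
_BASE = datetime(2003, 4, 25, 10, 1, 0)
SAMPLE_EVENTS = [
    f"{_BASE + timedelta(seconds=20 * i):%Y-%m-%d %H:%M:%S} | Service Control Manager | "
    f"The {IIS_SERVICE} service terminated unexpectedly."
    for i in range(10)
] + [
    "2003-04-25 10:05:12 | Security | Security Enabled Local Group Member Added: "
    "Member Name: KaHT Target Group: Administrators",
    "2003-04-25 14:30:00 | Security | Security Enabled Local Group Member Added: "
    "Member Name: backupsvc Target Group: Backup Operators",
]


def parse_event(line):
    """Return (timestamp, source, message), or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def find_crash_bursts(events, threshold=5, max_gap=timedelta(minutes=2)):
    """Cluster IIS 'terminated unexpectedly' events: consecutive crashes closer
    than max_gap belong to one cluster. Returns (first, last, count) for every
    cluster that reaches threshold crashes."""
    crash_times = sorted(
        ts for ts, src, msg in events
        if src == "Service Control Manager"
        and IIS_SERVICE in msg and "terminated unexpectedly" in msg
    )
    bursts, cluster = [], []
    for ts in crash_times:
        if cluster and ts - cluster[-1] > max_gap:
            if len(cluster) >= threshold:
                bursts.append((cluster[0], cluster[-1], len(cluster)))
            cluster = []
        cluster.append(ts)
    if len(cluster) >= threshold:
        bursts.append((cluster[0], cluster[-1], len(cluster)))
    return bursts


def find_admin_additions(events):
    """Return (timestamp, member) for each addition to the local Administrators group."""
    hits = []
    for ts, src, msg in events:
        if src != "Security" or "Local Group Member Added" not in msg:
            continue
        m = MEMBER_RE.search(msg)
        if m and m.group(2) == "Administrators":
            hits.append((ts, m.group(1)))
    return hits


def correlate(lines, follow_window=timedelta(minutes=30)):
    """Flag an Administrators addition that lands within follow_window after
    the end of a crash burst. Returns (alerts, bursts)."""
    events = [e for e in map(parse_event, lines) if e is not None]
    bursts = find_crash_bursts(events)
    alerts = []
    for ts, member in find_admin_additions(events):
        for first, last, count in bursts:
            if last <= ts <= last + follow_window:
                alerts.append({"member": member, "added_at": ts,
                               "burst_start": first, "crashes": count})
    return alerts, bursts


if __name__ == "__main__":
    found, seen = correlate(SAMPLE_EVENTS)
    for first, last, count in seen:
        print(f"crash burst: {count} IIS crashes between {first} and {last}")
    for a in found:
        print(f"ALERT: '{a['member']}' added to Administrators at {a['added_at']}, "
              f"{a['crashes']} IIS crashes starting {a['burst_start']} just before")
```

The thresholds are tunable: a single crash is noise, but a run of them on a server exposed over WebDAV, followed by a privileged group change, is the sequence the alert describes.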