From mieko em ccuec.unicamp.br Mon Feb 3 10:23:50 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Mon, 03 Feb 2003 10:23:50 -0200
Subject: [SECURITY-L] The ten biggest digital threats to the country
Message-ID: <3E3E5F56.7DC75E@ccuec.unicamp.br>

-------------- next part --------------
An embedded message was scrubbed...
From: Caio Souza
Subject: The ten biggest digital threats to the country
Date: Fri, 31 Jan 2003 10:48:28 -0300 (ART)
Size: 13745
URL:

From mieko em ccuec.unicamp.br Mon Feb 3 10:27:03 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Mon, 03 Feb 2003 10:27:03 -0200
Subject: [SECURITY-L] Virus simulates the Big Brother game
Message-ID: <3E3E6017.49C8D68E@ccuec.unicamp.br>

-------------- next part --------------
An embedded message was scrubbed...
From: Caio Souza
Subject: Virus simulates the Big Brother game
Date: Fri, 31 Jan 2003 10:50:00 -0300 (ART)
Size: 8983
URL:

From mieko em ccuec.unicamp.br Tue Feb 4 15:43:55 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 4 Feb 2003 15:43:55 -0200
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030204174355.GA2285@ccuec.unicamp.br>

Dear Users,

We have updated the Unicamp Systems and Network Security Team (Equipe de Seguranca em Sistemas e Redes) website with the following vulnerability bulletins:

31/01/2003
----------
SCO Security Advisory (CSSA-2003-006.0)
Subject: Linux: CVS double free vulnerability
http://www.security.unicamp.br/docs/bugs/2003/01/v127.txt

Red Hat Security Advisory (RHSA-2003:020-10)
Subject: Updated kerberos packages fix vulnerability in ftp client
http://www.security.unicamp.br/docs/bugs/2003/01/v126.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Tue Feb 4 15:28:47 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 4 Feb 2003 15:28:47 -0200
Subject: [SECURITY-L] News Bulletins
Message-ID: <20030204172847.GA2263@ccuec.unicamp.br>

Dear Users,

We have updated the Unicamp Systems and Network Security Team website with the following news bulletins and/or electronic magazines:

29/01/2003
----------
SANS NewsBites Vol. 5 Num. 04
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/01/b17.txt

27/01/2003
----------
SecurityFocus Newsletter #181
Source: Security Focus
http://www.security.unicamp.br/docs/informativos/2003/01/b16.txt

Modulo Security News - No. 279
Source: Modulo
http://www.security.unicamp.br/docs/informativos/2003/01/b15.txt

SANS Critical Vulnerability Analysis Vol 2 No 03
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/01/b14.txt

25/01/2003
----------
Desperately Seeking Hackers (and other SANS News)
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/01/b13.txt

22/01/2003
----------
SANS NewsBites Vol. 5 Num. 03
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/01/b12.txt

21/01/2003
----------
Modulo Security News - No. 278
Source: Modulo
http://www.security.unicamp.br/docs/informativos/2003/01/b11.txt

20/01/2003
----------
SecurityFocus Newsletter #180
Source: Security Focus
http://www.security.unicamp.br/docs/informativos/2003/01/b10.txt

SANS Critical Vulnerability Analysis Vol 2 No 02
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/01/b9.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Tue Feb 4 17:05:42 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 04 Feb 2003 17:05:42 -0200
Subject: [SECURITY-L] Microsoft fix freezes Windows NT 4.0
Message-ID: <3E400F06.40CC752C@ccuec.unicamp.br>

-------------- next part --------------
An embedded message was scrubbed...
From: Caio Souza
Subject: Microsoft fix freezes Windows NT 4.0
Date: Tue, 4 Feb 2003 12:50:20 -0300 (ART)
Size: 5007
URL:

From mieko em ccuec.unicamp.br Tue Feb 4 17:04:46 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 04 Feb 2003 17:04:46 -0200
Subject: [SECURITY-L] Fighting viruses is a priority in 2003
Message-ID: <3E400ECD.E4C110F7@ccuec.unicamp.br>

-------------- next part --------------
An embedded message was scrubbed...
From: Caio Souza
Subject: Fighting viruses is a priority in 2003
Date: Tue, 4 Feb 2003 12:47:56 -0300 (ART)
Size: 6902
URL:

From mieko em ccuec.unicamp.br Tue Feb 4 17:05:11 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 04 Feb 2003 17:05:11 -0200
Subject: [SECURITY-L] Yet another virus for Kazaa
Message-ID: <3E400EE7.1C49D5AF@ccuec.unicamp.br>

-------------- next part --------------
An embedded message was scrubbed...
From: Caio Souza
Subject: Yet another virus for Kazaa
Date: Tue, 4 Feb 2003 12:49:28 -0300 (ART)
Size: 7541
URL:

From mieko em ccuec.unicamp.br Wed Feb 5 10:41:14 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Wed, 5 Feb 2003 10:41:14 -0200
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030205124114.GB3457@ccuec.unicamp.br>

Dear Users,

We have updated the Unicamp Systems and Network Security Team website with the following vulnerability bulletins:

04/02/2003
----------
FreeBSD Security Advisory (FreeBSD-SA-03:01)
Subject: remotely exploitable vulnerability in cvs server
http://www.security.unicamp.br/docs/bugs/2003/02/v7.txt

Red Hat Security Advisory (RHSA-2003:025-20)
Subject: Updated 2.4 kernel fixes various vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/02/v6.txt

Gentoo Linux Security Announcement (200302-03)
Subject: file leaking in qt-dcgui
http://www.security.unicamp.br/docs/bugs/2003/02/v5.txt

03/02/2003
----------
Mandrake Linux Security Update Advisory (MDKSA-2003:012)
Subject: Security vulnerability in the mysql package
http://www.security.unicamp.br/docs/bugs/2003/02/v4.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:012)
Subject: Security vulnerability in the vim package
http://www.security.unicamp.br/docs/bugs/2003/02/v3.txt

02/02/2003
----------
Gentoo Linux Security Announcement (200302-02)
Subject: buffer overflow in slocate
http://www.security.unicamp.br/docs/bugs/2003/02/v2.txt

Gentoo Linux Security Announcement (200302-01)
Subject: arbitrary code execution in Mail-SpamAssassin
http://www.security.unicamp.br/docs/bugs/2003/02/v1.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Wed Feb 5 10:40:28 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Wed, 5 Feb 2003 10:40:28 -0200
Subject: [SECURITY-L] News Bulletin
Message-ID: <20030205124028.GA3457@ccuec.unicamp.br>

Dear Users,

We have updated the Unicamp Systems and Network Security Team website with the following news bulletins and/or electronic magazines:

03/02/2003
----------
Eliminate the SANS/FBI Top 20 Internet Vulnerabilities - Free Webcasts
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/02/b4.txt

SecurityFocus Newsletter #182
Source: Security Focus
http://www.security.unicamp.br/docs/informativos/2003/02/b3.txt

Modulo Security News - No. 280
Source: Modulo
http://www.security.unicamp.br/docs/informativos/2003/02/b2.txt

SANS Critical Vulnerability Analysis Vol 2 No 04
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/02/b1.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Wed Feb 5 12:02:56 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Wed, 05 Feb 2003 12:02:56 -0200
Subject: [SECURITY-L] Majordomo info leakage, all versions
Message-ID: <3E411990.CF622E5B@ccuec.unicamp.br>

Subject: Majordomo info leakage, all versions
Date: Tue, 04 Feb 2003 03:30:54 +0100
From: Marco van Berkum
Organization: OBIT
To: bugtraq em securityfocus.com

-------------------------------------------------------------------------------
Title           : Majordomo info leakage (all versions)
Date            : 03/02/2003
Article by      : Marco van Berkum (m.v.berkum em obit.nl)
Bug finder      : Jakub Klausa (jacke em bofh.pl)
Investigated by : Jakub Klausa and Marco van Berkum
-------------------------------------------------------------------------------

Introduction:
-------------
Some while ago Jakub Klausa mailed me about a problem regarding the Majordomo mailing list program. At first we were not sure if it was a one-time problem or a common issue, so we checked several other servers and installed Majordomo ourselves, and found ALL Majordomo versions to be vulnerable, also the latest Majordomo 2 (alpha).

The problem:
------------
All email addresses can be extracted from mailing lists for which 'which_access' is set to "open" in the configuration file; which_access is set to "open" by default!!

Majordomo 1.94.5 documentation quote:

"8. By default, anyone (even non-subscribers) can use the commands "who", "which", "index", and "get" on a list. If you create an empty file named "listname.private" in the $listdir directory, only members of the list can use those commands."

Typical case of RTFDOC of course, but still, why isn't the private configuration file the default one (?!); now people actually have to read the documentation to protect their lists against evil spammers. We all know that admins do not always read the docs (uhuh).

So this bug can be exploited without being subscribed to any mailing list on that server when "which_access" is set to open.

This bug can be exploited by sending:

  which @

or

  which .

to the Majordomo daemon. Majordomo will then match "@" (or ".") on all the mailing lists that have 'which_access' set to "open". This then matches all email addresses that are subscribed to that list.
There is a slight difference between the new Majordomo 2 (alpha) and the current Majordomo 1.94.x branch.

Majordomo 1.94.x gives output such as this:

>>>> which @
The string '@' appears in the following entries in lists served by majordomo em somedomain.com:

List           Address
====           =======
test-list      user em somedomain.com
test-list      anotheruser em anotherdomain.com
another-list   satan em evilmajordomodomain.net
another-list   bush em sopranos.org
etc...

Majordomo 2 also has the bug, not as much as the 1.94.x though:

>>>> which @
The pattern "/\@/i" matched the following subscriptions.

Matches for the devils mailing list:
  satan em majordomo.org
  -- Match limit of 1 for devils exceeded.

Matches for the britney mailing list:
  eminem em spears.net
  -- Match limit of 1 for britney exceeded.

Impact:
-------
High. Not only privacy is the issue here; this bug could be used by evil spammers to fill their databases. And the users did much of their work for them already, as the victims are usually well targeted (subject-specific mailing lists come to mind).

Solution:
---------
General:
Read the documentation regarding $listname.private and set all which_access to "closed", or update to Majordomo 2 alpha, which still requires the same attention.

Majordomo 1.94.5 and earlier:
As mentioned by the documentation that comes with Majordomo 1.94.5, create an empty file named "$listname.private" in the $listdir. It will only reduce the group of people being able to pick up all the addresses to the ones subscribed to the list. Check your current configurations for open which_access, and close them.

Majordomo 2:
The authors responded quickly and changed the default configuration settings to be "closed". Get the latest CVS version, and check your current configurations for open which_access; which_access should be closed at any time.

Jakub made a patch for Majordomo 1.94.5.
[Patch]

This is a patch for Majordomo 1.94.5, which makes Majordomo ignore the 'which' request if it doesn't contain an e-mail-address-like string as a parameter (roughly).

--- majordomo.orig	Mon Feb  3 13:23:45 2003
+++ majordomo	Mon Feb  3 13:23:23 2003
@@ -624,6 +624,11 @@
 sub do_which {
     local($subscriber) = join(" ", @_) || &valid_addr($reply_to);
+    if ($subscriber !~ /^[0-9a-zA-Z\.\-\_]+\@[0-9a-zA-Z\.\-]+\.[a-zA-Z]{2,3}$/) {
+
+        &log("which abuse -> $subscriber passed as an argument.");
+        exit(0);
+    };
     local($count, $per_list_hits) = 0;
     # Tell the requestor which lists they are on by reading through all
     # the lists, comparing their address to each address from each list

Cheers

Marco van Berkum / http://ws.obit.nl / m.v.berkum em obit.nl
Jakub Klausa / jacke em bofh.pl

--
find / -user your -name base -exec chown us:us {}\;

----------------------------------------
| Marco van Berkum / MB17300-RIPE        |
| m.v.berkum em obit.nl / http://ws.obit.nl |
----------------------------------------

From mieko em ccuec.unicamp.br Thu Feb 6 09:13:21 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 06 Feb 2003 09:13:21 -0200
Subject: [SECURITY-L] Microsoft Security Bulletin MS03-005: Unchecked Buffer in Windows Redirector Could Allow Privilege Elevation (810577)
Message-ID: <3E424351.D42B9C52@ccuec.unicamp.br>

-------------- next part --------------
An embedded message was scrubbed...
From: "Microsoft" <0_43921_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com>
Subject: Microsoft Security Bulletin MS03-005: Unchecked Buffer in Windows Redirector Could Allow Privilege Elevation (810577)
Date: Wed, 5 Feb 2003 21:00:25 -0800
Size: 6913
URL:
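Review bot: in the do_which hunk of the Majordomo 1.94.5 patch posted above, the added guard ends in `exit(0);` inside the subroutine, so a rejected `which` argument terminates the majordomo process for that message instead of returning to the command loop; any commands that follow the rejected `which` in the same message are never processed, and the requester gets no indication why. A `return;` after the `&log(...)` call (or an error line written back to the requester) would keep the rest of the request working, and the `};` closing the block carries a stray statement terminator. The address pattern `^[0-9a-zA-Z\.\-\_]+\@[0-9a-zA-Z\.\-]+\.[a-zA-Z]{2,3}$` also rejects legitimate subscribers: the local part cannot contain `+`, and the last domain label is capped at three letters, so any address under a longer top-level domain is logged as "which abuse" and never looked up.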
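The advisory's solution section names two things an administrator has to check per list: the `which_access` value in the list's configuration file and the presence of an empty `$listname.private` in `$listdir`. The script below is an added, defender-side audit for exactly that; it is not code from the advisory's authors, from the Jakub Klausa patch, or from the Majordomo project. It assumes the `key = value` layout of Majordomo 1.94 per-list config files (`listname.config`) and the documented meaning of `listname.private`; the function names (`parse_config`, `audit_listdir`, `exposed_lists`) are this example's own, and the sample list directory it builds is constructed for the demonstration.

```python
"""Audit a Majordomo 1.94.x list directory for lists whose 'which' command is
still open to non-subscribers.

Added example for this advisory; not code from the advisory's authors or from
the Majordomo project. Assumes the 'key = value' layout of Majordomo 1.94
per-list config files (listname.config) and the documented effect of an empty
listname.private file, as described in the advisory. The sample list
directory in build_sample_listdir() is constructed for this demonstration.
"""
import os
import re
import tempfile

# One single-line setting: key, optional spaces, '=', value. Multi-line
# (<< END) values exist in Majordomo configs, but which_access is never one.
CONFIG_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_config(path):
    """Return {key: value} for a Majordomo-style config file.
    Comment and blank lines are skipped; a repeated key keeps its last value."""
    values = {}
    with open(path, encoding="latin-1") as fh:
        for line in fh:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            m = CONFIG_LINE.match(line)
            if m:
                values[m.group(1)] = m.group(2)
    return values


def audit_listdir(listdir):
    """Return sorted (listname, which_access, has_private, exposed) tuples.

    A list is 'exposed' when which_access is 'open' (the default the advisory
    complains about) and no listname.private file exists: anyone, subscribed
    or not, can then dump every address with a 'which @' request."""
    report = []
    for entry in sorted(os.listdir(listdir)):
        if not entry.endswith(".config"):
            continue
        name = entry[: -len(".config")]
        cfg = parse_config(os.path.join(listdir, entry))
        # A missing key falls back to the default, which the advisory says is open.
        which_access = cfg.get("which_access", "open").lower()
        has_private = os.path.exists(os.path.join(listdir, name + ".private"))
        exposed = which_access == "open" and not has_private
        report.append((name, which_access, has_private, exposed))
    return report


def exposed_lists(listdir):
    """Names of lists that leak their membership to unauthenticated 'which'."""
    return [name for name, _, _, exposed in audit_listdir(listdir) if exposed]


def build_sample_listdir():
    """Constructed sample: three lists in the states the advisory discusses."""
    listdir = tempfile.mkdtemp(prefix="majordomo-lists-")
    samples = {
        "test-list": "# untouched default install\nwhich_access = open\n",
        "devils": "which_access = closed\n",
        "britney": "# admin relied on the .private file instead\nwhich_access = open\n",
    }
    for name, body in samples.items():
        with open(os.path.join(listdir, name + ".config"), "w") as fh:
            fh.write(body)
    # Empty marker file: per the 1.94.5 docs, restricts 'which' to members.
    open(os.path.join(listdir, "britney.private"), "w").close()
    return listdir


if __name__ == "__main__":
    for name, access, private, exposed in audit_listdir(build_sample_listdir()):
        print(f"{name:10} which_access={access:7} private={str(private):5} "
              f"{'EXPOSED' if exposed else 'ok'}")
```

On a real server, point `audit_listdir` at the `$listdir` configured in majordomo.cf and run it from cron; the value `list` (subscribers only) is deliberately not flagged, since the advisory's concern is disclosure to non-subscribers, so only `open` without a `.private` marker is reported. Closing `which_access` on every list, as the advisory recommends, makes the report empty regardless of the marker files.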
From mieko em ccuec.unicamp.br Thu Feb 6 09:13:49 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 06 Feb 2003 09:13:49 -0200
Subject: [SECURITY-L] Microsoft Security Bulletin MS03-004: Cumulative Patch for Internet Explorer (810847)
Message-ID: <3E42436D.3A03ACC6@ccuec.unicamp.br>

-------------- next part --------------
An embedded message was scrubbed...
From: "Microsoft" <0_43923_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com>
Subject: Microsoft Security Bulletin MS03-004: Cumulative Patch for Internet Explorer (810847)
Date: Wed, 5 Feb 2003 22:11:01 -0800
Size: 9582
URL:

From mieko em ccuec.unicamp.br Thu Feb 6 09:16:33 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 06 Feb 2003 09:16:33 -0200
Subject: [SECURITY-L] Fortnight virus uses a website to infect machines
Message-ID: <3E424411.A9281223@ccuec.unicamp.br>

-------------- next part --------------
An embedded message was scrubbed...
From: Caio Souza
Subject: Fortnight virus uses a website to infect machines
Date: Wed, 5 Feb 2003 14:28:57 -0300 (ART)
Size: 11828
URL:

From mieko em unicamp.br Thu Feb 6 11:35:55 2003
From: mieko em unicamp.br (Silvana Mieko Misuta)
Date: Thu, 06 Feb 2003 11:35:55 -0200
Subject: [SECURITY-L] End of Daylight Saving Time 2002/2003
Message-ID: <3E4264BB.F16D875E@unicamp.br>

-------------- next part --------------
An embedded message was scrubbed...
From: Centro de Atendimento a Incidentes de Seguranca
Subject: End of Daylight Saving Time 2002/2003
Date: Thu, 6 Feb 2003 11:31:00 -0200 (BRST)
Size: 3762
URL:

From mieko em unicamp.br Thu Feb 6 13:58:49 2003
From: mieko em unicamp.br (Silvana Mieko Misuta)
Date: Thu, 06 Feb 2003 13:58:49 -0200
Subject: [SECURITY-L] Microsoft reveals new flaws in IE and XP
Message-ID: <3E428639.20778055@unicamp.br>

-------------- next part --------------
An embedded message was scrubbed...
From: Caio Souza
Subject: Microsoft reveals new flaws in IE and XP
Date: Thu, 6 Feb 2003 12:27:33 -0300 (ART)
Size: 8584
URL:

From mieko em unicamp.br Thu Feb 6 14:46:25 2003
From: mieko em unicamp.br (Silvana Mieko Misuta)
Date: Thu, 06 Feb 2003 14:46:25 -0200
Subject: [SECURITY-L] Errata: End of Daylight Saving Time 2002/2003
Message-ID: <3E429161.6C41946E@unicamp.br>

-------------- next part --------------
An embedded message was scrubbed...
From: Centro de Atendimento a Incidentes de Seguranca
Subject: Errata: End of Daylight Saving Time 2002/2003
Date: Thu, 6 Feb 2003 14:30:25 -0200 (BRST)
Size: 5193
URL:

From mieko em ccuec.unicamp.br Fri Feb 7 09:41:42 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 07 Feb 2003 09:41:42 -0200
Subject: [SECURITY-L] MS releases anti-bug package for SQL Server
Message-ID: <3E439B76.E4EF2860@ccuec.unicamp.br>

-------------- next part --------------
An embedded message was scrubbed...
From: Caio Souza
Subject: MS releases anti-bug package for SQL Server
Date: Thu, 6 Feb 2003 18:16:47 -0300 (ART)
Size: 4154
URL:

From mieko em ccuec.unicamp.br Fri Feb 7 09:42:15 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 07 Feb 2003 09:42:15 -0200
Subject: [SECURITY-L] Microsoft reveals new flaws in IE and XP
Message-ID: <3E439B97.BEECBC12@ccuec.unicamp.br>

-------------- next part --------------
An embedded message was scrubbed...
From: Caio Souza
Subject: Microsoft reveals new flaws in IE and XP
Date: Thu, 6 Feb 2003 12:27:33 -0300 (ART)
Size: 8584
URL:

From mieko em ccuec.unicamp.br Fri Feb 7 11:00:24 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 7 Feb 2003 11:00:24 -0200
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030207130023.GA6532@ccuec.unicamp.br>

Dear Users,

We have updated the Unicamp Systems and Network Security Team website with the following vulnerability bulletins:

06/02/2003
----------
Red Hat Security Advisory (RHSA-2003:037-09)
Subject: Updated Xpdf packages fix security vulnerability
http://www.security.unicamp.br/docs/bugs/2003/02/v23.txt

Centro de Atendimento a Incidentes de Seguranca - CAIS
Subject: Errata: End of Daylight Saving Time 2002/2003
http://www.security.unicamp.br/docs/bugs/2003/02/v22.txt

Centro de Atendimento a Incidentes de Seguranca - CAIS
Subject: End of Daylight Saving Time 2002/2003
http://www.security.unicamp.br/docs/bugs/2003/02/v21.txt

Centro de Atendimento a Incidentes de Seguranca - CAIS-Alerta
Subject: Vulnerability in the Windows Redirector (810577)
http://www.security.unicamp.br/docs/bugs/2003/02/v20.txt

Centro de Atendimento a Incidentes de Seguranca - CAIS-Alerta
Subject: Cumulative Patch for Internet Explorer (810847)
http://www.security.unicamp.br/docs/bugs/2003/02/v19.txt

05/02/2003
----------
Red Hat Security Advisory (RHSA-2003:043-12)
Subject: Updated WindowMaker packages fix vulnerability in theme-loading
http://www.security.unicamp.br/docs/bugs/2003/02/v18.txt

Red Hat Security Advisory (RHSA-2003:040-07)
Subject: openldap setuid .ldaprc buffer overflow
http://www.security.unicamp.br/docs/bugs/2003/02/v17.txt

Microsoft Security Bulletin (MS03-004)
Subject: Cumulative Patch for Internet Explorer (810847)
http://www.security.unicamp.br/docs/bugs/2003/02/v16.txt

Microsoft Security Bulletin (MS03-005)
Subject: Unchecked Buffer in Windows Redirector Could Allow Privilege Elevation (810577)
http://www.security.unicamp.br/docs/bugs/2003/02/v15.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:015)
Subject: Security vulnerability in the slocate package
http://www.security.unicamp.br/docs/bugs/2003/02/v14.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:014)
Subject: Security vulnerability in the kernel
http://www.security.unicamp.br/docs/bugs/2003/02/v13.txt

Conectiva Linux Security Announcement (CLA-2003:567)
Subject: Buffer overflow and memory leak vulnerabilities in mcrypt
http://www.security.unicamp.br/docs/bugs/2003/02/v12.txt

Conectiva Linux Security Announcement (CLA-2003:567, Portuguese edition)
Subject: Buffer overflow and memory leak in the mcrypt package
http://www.security.unicamp.br/docs/bugs/2003/02/v11.txt

04/02/2003
----------
Majordomo
Subject: Majordomo info leakage, all versions
http://www.security.unicamp.br/docs/bugs/2003/02/v10.txt

Gentoo Linux Security Announcement (200302-04)
Subject: arbitrary code execution in bladeenc
http://www.security.unicamp.br/docs/bugs/2003/02/v9.txt

Red Hat Security Advisory (RHSA-2003:017-06 - PHP)
Subject: Updated PHP packages available
http://www.security.unicamp.br/docs/bugs/2003/02/v8.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Fri Feb 7 11:12:18 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 7 Feb 2003 11:12:18 -0200
Subject: [SECURITY-L] News Bulletin
Message-ID: <20030207131218.GA6557@ccuec.unicamp.br>

Dear Users,

We have updated the Unicamp Systems and Network Security Team website with the following news bulletin and/or electronic magazine:

SANS NewsBites (Vol. 5 Num. 05)
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/02/b5.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Mon Feb 10 08:23:57 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Mon, 10 Feb 2003 07:23:57 -0300
Subject: [SECURITY-L] Microsoft Security Bulletin MS02-071: Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation (328310)
Message-ID: <3E477DBD.F3452D5E@ccuec.unicamp.br>

-------------- next part --------------
An embedded message was scrubbed...
From: "Microsoft" <0_44009_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com>
Subject: Microsoft Security Bulletin MS02-071: Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation (328310)
Date: Fri, 7 Feb 2003 19:31:23 -0800
Size: 8003
URL:

From mieko em ccuec.unicamp.br Tue Feb 11 10:40:58 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 11 Feb 2003 09:40:58 -0300
Subject: [SECURITY-L] Microsoft corrects its fix for NT 4.0
Message-ID: <3E48EF5A.BDCC2C56@ccuec.unicamp.br>

-------------- next part --------------
An embedded message was scrubbed...
From: Caio Souza
Subject: Microsoft corrects its fix for NT 4.0
Date: Mon, 10 Feb 2003 17:30:56 -0300 (ART)
Size: 6444
URL:

From mieko em ccuec.unicamp.br Tue Feb 11 15:35:39 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 11 Feb 2003 15:35:39 -0200
Subject: [SECURITY-L] News Bulletins
Message-ID: <20030211173538.GA2260@ccuec.unicamp.br>

Dear Users,

We have updated the Unicamp Systems and Network Security Team website with the following news bulletins and/or electronic magazines:

10/02/2003
----------
Update to CVA Vol. 2 No. 05 Opera Web Browser Alert
Source: SANS Institute
http://www.security.unicamp.br/docs/informativos/2003/02/b9.txt

SecurityFocus Newsletter (#183)
Source: SecurityFocus
http://www.security.unicamp.br/docs/informativos/2003/02/b8.txt

SANS Critical Vulnerability Analysis (Vol 2 No 05)
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/02/b7.txt

Modulo Security News (No 281)
Source: Modulo
http://www.security.unicamp.br/docs/informativos/2003/02/b6.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Tue Feb 11 15:11:06 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 11 Feb 2003 15:11:06 -0200
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030211171105.GA2231@ccuec.unicamp.br>

Dear Users,

We have updated the Unicamp Systems and Network Security Team website with the following vulnerability bulletins:

11/02/2003
----------
Debian Security Advisory (DSA 249-1)
Subject: missing HTML quoting in w3mmee
http://www.security.unicamp.br/docs/bugs/2003/02/v30.txt

CISCO (23074)
Subject: IOS Accepts ICMP Redirects in Non-default Configuration Settings
http://www.security.unicamp.br/docs/bugs/2003/02/v29.txt

10/02/2003
----------
NII Advisory
Subject: Buffer Overflow in SQLBase 8.1.0
http://www.security.unicamp.br/docs/bugs/2003/02/v28.txt

iDEFENSE Security Advisory (02.10.03)
Subject: Buffer Overflow In NOD32 Antivirus Software for Unix
http://www.security.unicamp.br/docs/bugs/2003/02/v27.txt

07/02/2003
----------
Microsoft Security Bulletin (MS02-071)
Subject: Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation (328310)
http://www.security.unicamp.br/docs/bugs/2003/02/v26.txt

Red Hat Security Advisory (RHSA-2003:056-08)
Subject: Updated kernel-utils packages fix setuid vulnerability
http://www.security.unicamp.br/docs/bugs/2003/02/v25.txt

Red Hat Security Advisory (RHSA-2003:044-20)
Subject: w3m frame html tag flaw:css
http://www.security.unicamp.br/docs/bugs/2003/02/v24.txt

31/01/2003
----------
Debian Security Advisory (DSA 248-1)
Subject: buffer overflows in hypermail
http://www.security.unicamp.br/docs/bugs/2003/01/v128.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Wed Feb 12 10:41:00 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Wed, 12 Feb 2003 09:41:00 -0300
Subject: [SECURITY-L] JS/Seeker-C virus changes Internet Explorer settings
Message-ID: <3E4A40DC.9FFC76EA@ccuec.unicamp.br>

-------------- next part --------------
An embedded message was scrubbed...
From: Caio Souza
Subject: JS/Seeker-C virus changes Internet Explorer settings
Date: Tue, 11 Feb 2003 18:32:20 -0300 (ART)
Size: 4371
URL:

From mieko em ccuec.unicamp.br Wed Feb 12 10:46:42 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Wed, 12 Feb 2003 09:46:42 -0300
Subject: [SECURITY-L] New virus takes over computer
Message-ID: <3E4A4232.D239F3F7@ccuec.unicamp.br>

-------------- next part --------------
An embedded message was scrubbed...
From: Caio Souza
Subject: New virus takes over computer
Date: Tue, 11 Feb 2003 20:22:36 -0300 (ART)
Size: 7668
URL:

From mieko em ccuec.unicamp.br Thu Feb 13 10:11:25 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 13 Feb 2003 09:11:25 -0300
Subject: [SECURITY-L] Microsoft Security Bulletin MS03-004: Cumulative Patch for Internet Explorer (810847)
Message-ID: <3E4B8B6D.9F9E9F75@ccuec.unicamp.br>

-------------- next part --------------
An embedded message was scrubbed...
From: "Microsoft" <0_44244_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com>
Subject: Microsoft Security Bulletin MS03-004: Cumulative Patch for Internet Explorer (810847)
Date: Thu, 13 Feb 2003 02:50:27 -0800
Size: 10372
URL:

From mieko em ccuec.unicamp.br Thu Feb 13 17:20:47 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 13 Feb 2003 16:20:47 -0300
Subject: [SECURITY-L] Microsoft offers security bulletin by e-mail
Message-ID: <3E4BF00F.58DFB327@ccuec.unicamp.br>

Subject: Microsoft offers security bulletin by e-mail
Date: Thu, 13 Feb 2003 10:45:55 -0300 (ART)
From: Caio Souza

Microsoft offers security bulletin by e-mail
Wednesday, February 12, 2003, 17:13

Microsoft will begin sending bulletins on computer security topics by e-mail, in an attempt to improve its users' awareness of the subject, after a virus attacked the Internet at the end of January.

Microsoft said in a statement sent yesterday that it will offer a monthly security bulletin to "help users protect their computers".

The SQL Slammer virus, which hit the Internet at the end of January, attacked corporate network servers that use Microsoft's SQL database system. The company has made security one of its main priorities within the initiative called "Trustworthy Computing", launched a year ago.

According to Microsoft, the global SQL Slammer attack could have been avoided if users had installed a security fix that had been available since the middle of last year.

Microsoft said that users can sign up to receive the bulletin at: http://www.microsoft.com/security/security_bulletins/decision.asp.

http://www.terra.com.br/informatica/

From mieko em ccuec.unicamp.br Fri Feb 14 09:17:40 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 14 Feb 2003 08:17:40 -0300
Subject: [SECURITY-L] Microsoft fix blocks access to websites
Message-ID: <3E4CD054.DB4B0CC7@ccuec.unicamp.br>

Subject: Microsoft fix blocks access to websites
Date: Thu, 13 Feb 2003 17:42:28 -0300 (ART)
From: Caio Souza
To: mieko em ccuec.unicamp.br

Microsoft fix blocks access to websites

A security fix for a critical flaw in Internet Explorer can block access to certain websites, including MSN's own e-mail service.

Joris Evers, IDG News Service
13/02/2003 15:30:25

A recently released security fix for Internet Explorer can block access to certain websites, including Microsoft's own MSN e-mail service, the company said.

The problem affects the cumulative patch for IE versions 5.01, 5.5 and 6.0, released on the 5th and rated "critical" by Microsoft. In a revised security bulletin on the flaws (MS03-004), the vendor released a new fix for the bug, which left users, mainly home users, without access to certain sites that requested user authentication after the patch was installed.

This does not, however, create a new security vulnerability, since the fix really does close all the holes, Microsoft said. Only users with authentication problems on sites, or accessing MSN e-mail, need to install the new fix, which is available on Microsoft's security site.

The fix package announced in bulletin MS03-004 includes all previous "band-aids" for Internet Explorer and fixes two other recently discovered vulnerabilities involving IE that could, in the worst case, allow a website operator to load and run malicious code on other people's computers.

http://pcworld.terra.com.br/pcw/update/8549.html

From mieko em ccuec.unicamp.br Fri Feb 14 09:19:44 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 14 Feb 2003 08:19:44 -0300
Subject: [SECURITY-L] Igloo virus arrives via Kazaa and opens the victim's PC to hackers
Message-ID: <3E4CD0CF.95CFA61B@ccuec.unicamp.br>

Subject: Igloo virus arrives via Kazaa and opens the victim's PC to hackers
Date: Thu, 13 Feb 2003 19:32:44 -0300 (ART)
From: Caio Souza

13/02/2003 - 17:33
Igloo virus arrives via Kazaa and opens the victim's PC to hackers
from Folha Online

A new Internet pest called W32/Igloo-15 spreads through IRC chat channels and through file sharing on Kazaa networks.

The virus is a Trojan horse and, when run, copies itself into the Windows System folder under the names Explorer.exe and RealWayToHack.exe. These executables open a port on the computer, giving a remote user full control of the PC.

In addition, Igloo installs another program that infects the mIRC startup file. Thus, every time the user starts a new chat session, the pest is loaded and sends itself to the users connected to the channel.

Special: Defend yourself against viruses with Dicas & Truques (Tips & Tricks)
http://www1.folha.uol.com.br/folha/informatica/ult124u12273.shtml

From mieko em ccuec.unicamp.br Mon Feb 17 13:23:22 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Mon, 17 Feb 2003 13:23:22 -0300
Subject: [SECURITY-L] Microsoft warns about fake e-mails
Message-ID: <3E510C7A.3175A64F@ccuec.unicamp.br>

Subject: Microsoft warns about fake e-mails
Date: Fri, 14 Feb 2003 17:50:23 -0300 (ART)
From: Caio Souza

News
São Paulo, February 14, 2003

Microsoft warns about fake e-mails
CSO Online

In an official statement released today (14/02), Microsoft is warning consumers about fake e-mails in circulation that talk about flaws in its systems and software giveaways. Read the full statement:

Official Statement: Microsoft warns consumers about fake e-mails on the Internet

False messages, with completely untrue content, are circulating on the Internet. These messages refer to supposed flaws in Microsoft products, suggesting updates to the Windows operating system, as well as software giveaways held by the company. Given the topics involved, and to clarify matters for its customers, Microsoft would like to state:

1 - Microsoft's customer communication policy does not include sending unsolicited e-mail messages, much less for the installation of a program or fix. Each and every update to Microsoft's operating systems is made through Windows Update (www.windowsupdate.com), a worldwide service that centralizes and speeds up the updates released by the company. This is the only official source for the user.

2 - The first message mentions supposed flaws in the Windows operating system (no version is referenced) and says that, to fix them, the user must download the file www.microsoftbrazil.org/windowsupdate.exe, available on the Internet. The fake text has the following sender: suporte em microsoftbrazil.org. It is strongly recommended not to install the file described in the body of the e-mail, since it may contain a virus.

3 - The second message is even more serious. The author says the company is holding product giveaways and that, to enter, the user must send his or her bank account number to the e-mail address harryadans10 em netscap.net.
The company denies holding any contest and does not recommend sending personal information to the sender, who uses SPAM to spread the message.

4 - According to Abranet, the Brazilian Association of Internet Providers, the e-mails in circulation are absolutely fake and can cause serious harm to users who install the supposed fix. Abranet has already alerted all its member providers about the messages.

5 - The company also recommends that computer users always keep their operating systems up to date, as well as the antivirus products available on the market. The more up to date they are, the smaller the chances of being infected by a virus or suffering any other damage to their computers.

http://www.csoonline.com.br/adCmsDocumentoShow.aspx?documento=22342&Area=2

From mieko em ccuec.unicamp.br Mon Feb 17 13:21:10 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Mon, 17 Feb 2003 13:21:10 -0300
Subject: [SECURITY-L] News Bulletins
Message-ID: <20030217162110.GA442@ccuec.unicamp.br>

Dear Users,

We have updated the site of the Unicamp Systems and Network Security Team with the following news bulletins and/or electronic magazines:

17/02/2003
----------
SANS Critical Vulnerability Analysis (Vol 2 No 06)
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/02/b12.txt

14/02/2003
----------
LinuxSecurity Brasil Special Weekly Edition (14/02/03)
Source: LinuxSecurity Brasil
http://www.security.unicamp.br/docs/informativos/2003/02/b11.txt

11/02/2003
----------
SANS NewsBites Vol. 5 Num. 06
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/02/b10.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Mon Feb 17 12:10:13 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Mon, 17 Feb 2003 12:10:13 -0300
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030217151013.GA375@ccuec.unicamp.br>

Dear Users,

We have updated the site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

14/02/2003
----------
@stake Advisory
Subject: MacOS X TruBlueEnvironment Privilege Escalation Attack
http://www.security.unicamp.br/docs/bugs/2003/02/v43.txt

Hewlett-Packard Company Security Bulletin (HPSBUX0208-213)
Subject: Potential buffer overflows in lp subsystem
http://www.security.unicamp.br/docs/bugs/2003/02/v42.txt

Debian Security Advisory (DSA 251-1)
Subject: missing HTML quoting in w3m, w3m-ssl
http://www.security.unicamp.br/docs/bugs/2003/02/v41.txt

13/02/2003
----------
Mandrake Linux Security Update Advisory (MDKSA-2003:016)
Subject: Security vulnerabilities in the util-linux package
http://www.security.unicamp.br/docs/bugs/2003/02/v40.txt

Conectiva Linux Security Announcement (CLA-2003:568)
Subject: Several vulnerabilities in mozilla
http://www.security.unicamp.br/docs/bugs/2003/02/v39.txt

Conectiva Linux Security Announcement (CLA-2003:568) [Portuguese-language edition]
Subject: Several vulnerabilities in mozilla
http://www.security.unicamp.br/docs/bugs/2003/02/v38.txt

Red Hat Security Advisory (RHSA-2003:035-10)
Subject: Updated PAM packages fix bug in pam_xauth module
http://www.security.unicamp.br/docs/bugs/2003/02/v34.txt

12/02/2003
----------
Debian Security Advisory (DSA 250-1)
Subject: missing HTML quoting in w3mmee-ssl
http://www.security.unicamp.br/docs/bugs/2003/02/v37.txt

Microsoft Security Bulletin (MS03-004)
Subject: Cumulative Patch for Internet Explorer (810847)
http://www.security.unicamp.br/docs/bugs/2003/02/v36.txt

Red Hat Security Advisory (RHSA-2003:015-05)
Subject: Updated fileutils package fixes race condition in recursive operations
http://www.security.unicamp.br/docs/bugs/2003/02/v35.txt

Red Hat Security Advisory (RHSA-2003:029-06)
Subject: Updated lynx packages fix CRLF injection vulnerability
http://www.security.unicamp.br/docs/bugs/2003/02/v33.txt

SGI Security Advisory (20030201-01-P)
Subject: IP denial-of-service fixes and tunings
http://www.security.unicamp.br/docs/bugs/2003/02/v32.txt

11/02/2003
----------
Mandrake Linux Security Update Advisory (MDKSA-2002:062-1)
Subject: Security vulnerability in the postgresql package
http://www.security.unicamp.br/docs/bugs/2003/02/v31.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Tue Feb 18 10:22:50 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 18 Feb 2003 10:22:50 -0300
Subject: [SECURITY-L] Virus steals victim's passwords
Message-ID: <3E5233AA.C0B6AC78@ccuec.unicamp.br>

Subject: Virus steals victim's passwords
Date: Mon, 17 Feb 2003 20:39:59 -0300 (ART)
From: Caio Souza

News
São Paulo, 17 February 2003

Virus steals victim's passwords
CSO Online

Gone are the days when viruses were only interested in damaging systems, freezing computers or defacing web pages. McAfee Security is warning about the appearance of new threats: PWS/Aileen, Tellafriend, W32/Proget.worm.b and IRC/Yoink.

PWS/Aileen

This Trojan horse of unknown origin tries to recover passwords stored in the local machine's cache and then sends them to its author. When executed, a registry key is created so that it is loaded at system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dancingBaby = %TEMP%\dancingBaby.exe

PWS/Aileen tries to create and load an HTML document called strTempHtm.htm. This document contains commands that point to a remote script on the trellix.com page, which in turn results in passwords being stored in the machine's cache.

Tellafriend

Another Trojan horse that arrives as a SPAM message. The threat spreads to every e-mail address found in the Windows address book (WAB) and in the Eudora address book, using the SMTP server. A link to the page containing the threat's installer may arrive in an e-mail message with the following format:

Subject: Hi, i think you need this;

Message body: Do you hate POPUPS ?? well i just installed this free Zero POPUP toolbar on my browser, it kills ALL popup ads and best of all it's FREE ! Download it from here http://www.zeropopup.com (its a 10 seconds download with a 56k modem) I hope you'll like it alot, it also has good rating on CNET download.com. Bye :)

Finally, when the user follows the link, they reach a page containing an ActiveX control, which is loaded at system startup, producing an immediate prompt, but with an invalid signature. If the user clicks the YES button, the installation runs.
W32/Proget.worm.b

Proget creates thousands of 10-byte files on the local system. When executed, the virus copies itself to the Windows System directory, keeping its original name. There is also a registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "%FileName%" = %WormPath%

The virus carries a payload that creates a 10-byte file in every directory of the local system, using 8 random characters followed by the extension aaa. This happens every time the system is restarted, filling up the disk. In addition, every minute a copy of the virus is copied to drive A:\.

IRC/Yoink

Of North American origin, Yoink is a Trojan horse that can connect to IRC servers. The threat has a backdoor function that can "listen" on ports and inspect information travelling over ports 1-65535. In addition, remote attacks can capture the victim's passwords and logins, among other actions it performs. Once it goes into action, countless messages are displayed on the user's screen, such as: "You're infected with the xxxxhead virus".

At the moment, all the threats are considered Low Risk because of the small number of cases recorded.

http://www.csoonline.com.br/adCmsDocumentoShow.aspx?documento=22350&Area=2

From mieko em ccuec.unicamp.br Tue Feb 18 10:24:40 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 18 Feb 2003 10:24:40 -0300
Subject: [SECURITY-L] MS fixes its IE 6.0 fix
Message-ID: <3E523418.CC83CE57@ccuec.unicamp.br>

Subject: MS fixes its IE 6.0 fix
Date: Mon, 17 Feb 2003 18:17:18 -0300 (ART)
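The Igloo report and the McAfee threat summary above describe two persistence habits a defender can look for on a host: an autorun value under HKEY_LOCAL_MACHINE\...\CurrentVersion\Run pointing into %TEMP% (PWS/Aileen's dancingBaby.exe), and trojan binaries dropped into the Windows System folder under names such as RealWayToHack.exe or a misplaced Explorer.exe (W32/Igloo-15). The Python below is an added example, not code from the articles, Folha, CSO Online or McAfee: it parses a constructed .reg export of the Run key and a constructed System-folder listing and flags entries matching those patterns. The drive letters, the ENV map, the assumed System32 location and the sample entries are constructed; only the file names come from the articles. It goes slightly beyond the text by flagging any Run target under %TEMP%, not just dancingBaby.exe.

```python
r"""Added example (not from the CSO Online / Folha articles or McAfee):
look for the persistence and masquerading patterns those articles describe.

Indicators taken from the articles:
  * a Run value pointing into %TEMP%  (PWS/Aileen: dancingBaby = %TEMP%\dancingBaby.exe)
  * Explorer.exe or RealWayToHack.exe dropped in the Windows System folder
    (W32/Igloo-15); the real Explorer.exe lives in %SystemRoot%, not there.
Everything else below (paths, ENV map, .reg text, directory listing) is constructed.
"""
import re
from pathlib import PureWindowsPath

# Constructed stand-in for the inspected machine's environment.
ENV = {"TEMP": r"C:\Documents and Settings\user\Local Settings\Temp",
       "SYSTEMROOT": r"C:\Windows"}
SYSTEM_DIR = r"C:\Windows\System32"          # assumed System folder location

# File names reported in the articles (page indicators, lower-cased for matching).
KNOWN_NAMES = {"dancingbaby.exe", "realwaytohack.exe"}
# Binaries whose legitimate home is %SystemRoot% itself (assumption used by the check).
MASQUERADE_TARGETS = {"explorer.exe": r"C:\Windows\explorer.exe"}

_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def expand_env(path, env=ENV):
    """Expand %VAR% references using the constructed ENV map."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def parse_reg_export(text):
    """Return {value_name: data} for the CurrentVersion/Run section of a .reg export."""
    values, in_run = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith(r"\currentversion\run")
            continue
        m = _REG_VALUE.match(line)
        if in_run and m:
            # .reg files escape a backslash as two backslashes
            values[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return values

def is_under(path, directory):
    """True when path lies anywhere below directory (Windows semantics, case-insensitive)."""
    return PureWindowsPath(directory.lower()) in PureWindowsPath(path.lower()).parents

def check_run_values(values):
    """Flag autorun entries: known names, anything launched from %TEMP%, misplaced system binaries."""
    findings = []
    for name, data in values.items():
        exe = expand_env(data)
        base = PureWindowsPath(exe).name.lower()
        if base in KNOWN_NAMES:
            findings.append((name, exe, "file name reported as malware"))
        elif is_under(exe, ENV["TEMP"]):
            findings.append((name, exe, "autorun target lives in %TEMP%"))
        elif base in MASQUERADE_TARGETS and exe.lower() != MASQUERADE_TARGETS[base].lower():
            findings.append((name, exe, "system binary name outside its normal location"))
    return findings

def check_system_dir(listing, system_dir=SYSTEM_DIR):
    """Flag System-folder files matching the Igloo indicators or masquerading a %SystemRoot% binary."""
    findings = []
    for fname in listing:
        full = str(PureWindowsPath(system_dir) / fname)
        if fname.lower() in KNOWN_NAMES:
            findings.append((full, "file name reported as malware"))
        elif fname.lower() in MASQUERADE_TARGETS:
            findings.append((full, "system binary name outside its normal location"))
    return findings

# Constructed sample input: one benign entry plus the three patterns above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\Windows\\SOUNDMAN.EXE"
"dancingBaby"="%TEMP%\\dancingBaby.exe"
"Updater"="%TEMP%\\update.exe"
"Explorer"="C:\\Windows\\System32\\Explorer.exe"
'''
SAMPLE_SYSTEM_LISTING = ["kernel32.dll", "Explorer.exe", "RealWayToHack.exe", "notepad.exe"]

def run_example():
    """Run both checks over the constructed samples."""
    return check_run_values(parse_reg_export(SAMPLE_REG)), check_system_dir(SAMPLE_SYSTEM_LISTING)

if __name__ == "__main__":
    reg_findings, file_findings = run_example()
    for finding in reg_findings + file_findings:
        print(" | ".join(finding))
```

The benign SoundMan entry passes untouched; the value named dancingBaby is caught by name, the Updater entry by its %TEMP% location, and the Explorer entry because the name belongs in %SystemRoot% rather than System32. On a real host the inputs would come from a registry export and a directory listing taken during triage.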
From: Caio Souza

MS fixes its IE 6.0 fix
Monday, 17 February 2003 - 17h32

SÃO PAULO - If you use Internet Explorer 6.0, installed the 5 February bug-fix package and started having trouble logging in to web sites, there is a fix for a bug in that fix. According to a Microsoft document, installing the package may cause some users to lose the ability to log in to their MSN account, or to run into identical authentication problems with various sites. In that case the user may type the correct name and password and still be denied access. The solution is to install fix 813951, which can be obtained at www.infoexame.com.br/aberto/download/3127.shl. So far, this patch is not available in Portuguese.

Carlos Machado, of INFO
http://info.abril.com.br/aberto/infonews/022003/17022003-5.shl

From mieko em ccuec.unicamp.br Tue Feb 18 10:51:25 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 18 Feb 2003 10:51:25 -0300
Subject: [SECURITY-L] WHAT CHANGES ON THE INTERNET WITH THE NEW CODE
Message-ID: <3E523A5D.4AD975D2@ccuec.unicamp.br>

The Fundação Getúlio Vargas and the Berkman Center for Internet & Society at Harvard Law School, with the support of Grupo Catho, will hold the Internet Law seminar from 24 to 28 March 2003 at the Hotel Le Meridien Copacabana, Rio de Janeiro - RJ.

The lectures, which will be given in English with simultaneous translation into Portuguese and Spanish, will cover topics such as spam, provider liability, intellectual property, privacy, network security, domain names, open software, electronic crime and digital exclusion, among others.

The core of the event is the in-person seminar, at which several lectures will be given. Participants will also have a site designed for the event, where they can obtain complete information about the topics to be covered during the five days of the seminar. Besides being able to choose materials on specific topics, participants will also be able to take part in a discussion forum that allows the debates to continue after the lectures.
During the meeting, participants will have the opportunity to:

* understand the legal environment that regulates online activities, including the main legal models in the world, regulations and international agreements
* broaden their understanding of the constantly evolving character of the Internet (how it evolves, how this evolution is affected by law, and what the future of the network is)
* explore the implications of public policy and legislative proposals for the Internet (how political changes define Internet law and affect the public interest in the network)
* learn to make the most of legal information tools and communication technologies in the practice of law
* learn the main doctrines of Private Law and Public Law on which Internet Law is structured
* interact with the speakers as well as with colleagues in a rich environment of intellectual engagement, also using the most advanced computer-based education tools

For more information, visit www.fgv.br or cyber.law.harvard.edu/ilaw

WHAT CHANGES ON THE INTERNET WITH THE NEW CIVIL CODE

Since the new Civil Code came into force on 11 January 2003, the lives of people and companies have undergone several changes, in some cases making everyone's daily life easier. And the virtual world of the Internet was not left out of these changes. Site intrusions and the sending of unsolicited messages, for example, have gained more room and more force within the new Code to be curbed.

The security of operations carried out over the Internet is now covered by articles 1.011 and 1.016. In addition, under the new Code the managers of .com companies must start acting preventively with regard to the security of their operations, and become obliged to take action when problems such as intrusions, failures and fraud are found in the system.
When the subject is invasion of privacy, article 187 is clear in stating that "the holder of a right commits an unlawful act when, in exercising it, he manifestly exceeds the limits imposed by its economic or social purpose, by good faith or by bad customs".

Another novelty brought by the code concerns purchase agreements made through chats, e-mails or telephone, which are now treated as negotiations made in person. This means that the person or company that sends unsolicited messages, the well-known spam, is now covered by the new Code and is subject to lawsuits for moral or financial damages. And this also applies to providers that allow this kind of action by their users.

"The new Code broadens the possibility that judges will have grounds to hold access and service providers liable for the acts of their users. With this, the provider's legal risk increases, driving away investors and harming the development of new business. A rational regulation, from the economic point of view, must establish a clear definition of when and how providers are liable for the acts of their users, thereby creating well-defined safeguards for them", says Ronaldo Lemos, a specialist in Technology Law.

As for spam, the new Code does not contemplate more modern means of dealing with the issue, such as self-regulation backed by law, or the creation of non-governmental oversight bodies responsible for building a register of spammer addresses, just as registers of defaulting debtors exist. According to Lemos, since on the Internet it is hard to go after those actually responsible, the tendency is to go after whoever is easy to find, whoever has a physical address, such as access providers and companies providing online services.

"Instead of seeking to hold the agent liable, one seeks to hold the intermediary liable. This is completely mistaken."

MORE ATTENTION

How can companies and individuals make virtual relationships more trustworthy? In the opinion of some specialists, both are increasingly forced to resort to contractual mechanisms to try to obtain a minimum of legal certainty and risk control. "An example of this are 'click' contracts, mass contracting mechanisms that aim to control at least part of the uncertainties surrounding the subject", says Lemos.

In this case, the contractual solution is also limited. First, because this type of contract allows everything. Since it is most often drafted unilaterally, several of its provisions may become ineffective for being contrary to other legal precepts. The other reason, according to Lemos, is that the contractual solution only postpones the problem. Since contracts generally create effects only between the parties, the big questions that need answers from the law remain open. "That is why, at the moment, the contract is the best way to control risks and uncertainties, but it is not the most adequate in terms of costs and public policy", the specialist says.

Lemos suggests that people who are used to making virtual transactions first check whether the site offers an effective security system. To do so, just check whether the "http" that appears in the address bar appears as "https", which indicates that the site is protected by encryption. "Also, never send your credit card number by e-mail."

For companies that disrespect the consumer, the new Code provides for compensation and enforcement measures such as court orders to cease a given activity. However, Lemos points out that the Code's language is quite abstract and open, making it hard to define what "disrespecting rights on the Internet" means.
As a result, legal risk increases, scaring off investors and new business and raising costs. But Lemos does not believe the new Code will serve as a mechanism to curb abuses. In the specialist's opinion, everything will depend on how the judiciary adopts it and on the kind of decisions that will be based on its provisions. "There can be good and bad decisions, but the best path would really be to adopt precise legislation that defines clearly, and not abstractly, the balance of liability among the various agents and intermediaries on the Internet", he concludes.

Article originally published in the newspaper Estilo & Gestão RH Catho, written by Cristina Balerini, assistant editor of the newspaper.

CARREIRA & SUCESSO
http://www.catho.com.br/jcs/

From mieko em ccuec.unicamp.br Tue Feb 18 12:19:27 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 18 Feb 2003 12:19:27 -0300
Subject: [SECURITY-L] PHP Security Advisory: CGI vulnerability in PHP version 4.3.0
Message-ID: <3E524EFF.E8FB3D70@ccuec.unicamp.br>

Subject: [Fwd: PHP Security Advisory: CGI vulnerability in PHP version 4.3.0]
Date: Tue, 18 Feb 2003 11:55:37 -0300
From: Renato Murilo Langona
Organization: LinuxSecurity Brasil Solutions (http://www.linuxsecurity.com.br)

Jani Taskinen wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PHP Security Advisory: CGI vulnerability in PHP version 4.3.0

Issued on: February 17, 2003
Software: PHP/CGI version 4.3.0
Platforms: All

The PHP Group has learned of a serious security vulnerability in the CGI SAPI of PHP version 4.3.0.

Description

PHP contains code for preventing direct access to the CGI binary with configure option "--enable-force-cgi-redirect" and php.ini option "cgi.force_redirect". In PHP 4.3.0 there is a bug which renders these options useless.

NOTE: This bug does NOT affect any of the other SAPI modules (such as the Apache or ISAPI modules, etc.).

Impact

Anyone with access to websites hosted on a web server which employs the CGI module may exploit this vulnerability to gain access to any file readable by the user under which the webserver runs. A remote attacker could also trick PHP into executing arbitrary PHP code if the attacker is able to inject the code into files accessible by the CGI. This could be for example the web server access-logs.

Solution

The PHP Group has released a new PHP version, 4.3.1, which incorporates a fix for the vulnerability. All users of affected PHP versions are encouraged to upgrade to this latest version. The downloads web site at http://www.php.net/downloads.php has the new 4.3.1 source tarballs, Windows binaries and source patch from 4.3.0 available for download.

You will only need to upgrade if you're using the CGI module of PHP 4.3.0. There are no other bugfixes contained in this release.

Workaround

None.

Credits

The PHP Group would like to thank Kosmas Skiadopoulos for discovering this vulnerability.

Copyright (c) 2003 The PHP Group.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+USOr/HlsOzK2WlERAtLKAJ9GPbPt6Vg77zIcPTGKh78WofmmeACgneDV
tUERfwp/RXtcH13vdv0CGGY=
=rYm5
-----END PGP SIGNATURE-----

--
[Renato Murilo Langona] - LinuxSecurity Brasil Solutions S/C Ltda.

From mieko em ccuec.unicamp.br Tue Feb 18 12:20:45 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 18 Feb 2003 12:20:45 -0300
Subject: [SECURITY-L] PHP flaw can compromise the system
Message-ID: <3E524F4D.22E17644@ccuec.unicamp.br>

Subject: PHP flaw can compromise the system
Date: Tue, 18 Feb 2003 12:06:39 -0300 (ART)
From: Caio Souza

News :: PHP flaw can compromise the system :: 18/02/2003 @ 12:19:25

A vulnerability has been discovered in PHP that can allow an attacker to gain access to files on the system or even insert malicious PHP code.

PHP contains code that prevents direct access to the CGI binary via the "--enable-force-cgi-redirect" option and the php.ini option "cgi.force_redirect". In PHP 4.3.0 there is a vulnerability that can render this function inactive.

Anyone with access to websites hosted on a web server that uses the CGI module can exploit this vulnerability to gain access to every file readable by the user the web server runs as. A remote attacker can also "trick" PHP into executing arbitrary code if the attacker can insert code into files accessible by the CGI.

The PHP development group has already released a new version, 4.3.1, which fixes the problem. More information can be obtained at the addresses below.

[PHP Security Advisory: CGI vulnerability in PHP version 4.3.0]
http://www.php.net/release_4_3_1.php

[Download PHP 4.3.1]
http://www.php.net/downloads.php

http://www.telsincsecurity.com.br/?menu=noticia&notid=261

From mieko em ccuec.unicamp.br Wed Feb 19 08:47:04 2003
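Both PHP messages above turn on the same mechanism: cgi.force_redirect (compiled in with --enable-force-cgi-redirect) is meant to stop the CGI binary from being invoked directly instead of through the web server's handler redirect. The Python below is an added example, not PHP's code and not part of the advisory or the news item: a simplified model of the rule that option enforces (the CGI proceeds only when the server set REDIRECT_STATUS, or the variable named by the php.ini setting cgi.redirect_status_env), alongside a small inventory check that picks out the affected 4.3.0 CGI build from constructed `php -v` banners. Host names, banners and CGI environments are constructed; the model shows the intended behaviour, not the 4.3.0 bug the advisory reports, and the advisory's answer remains the upgrade to 4.3.1.

```python
"""Added example (not PHP's code and not from the advisory): a simplified
model of the rule cgi.force_redirect enforces, plus a small inventory check
for the affected build.

With cgi.force_redirect on, the PHP CGI binary is meant to run only when the
web server reached it through a handler redirect (Apache sets REDIRECT_STATUS
in that case) and to refuse a direct request for the binary.  The 4.3.0 bug the
advisory describes made that check ineffective; this model shows the intended
behaviour, not the bug.  Host names and `php -v` banners below are constructed.
"""
import re

def cgi_request_allowed(env, force_redirect=True, redirect_status_env=None):
    """Decide whether a CGI invocation should proceed (simplified model).

    force_redirect      -> the php.ini setting cgi.force_redirect (on by default)
    redirect_status_env -> the php.ini setting cgi.redirect_status_env, an
                           alternative variable name for servers that do not
                           set REDIRECT_STATUS
    """
    if not force_redirect:          # cgi.force_redirect = 0: the weak setting, nothing is checked
        return True
    names = ["REDIRECT_STATUS"]
    if redirect_status_env:
        names.append(redirect_status_env)
    return any(env.get(name) for name in names)

# Constructed CGI environments: one reached through the server's handler redirect, one direct.
ENV_VIA_HANDLER = {"REDIRECT_STATUS": "200", "SCRIPT_FILENAME": "/var/www/html/index.php"}
ENV_DIRECT = {"SCRIPT_FILENAME": "/var/www/html/index.php"}

# First line of `php -v`: "PHP <version> (<sapi>) (built: ...)".
_BANNER = re.compile(r"^PHP (?P<version>\d+\.\d+\.\d+)\S* \((?P<sapi>[\w-]+)\)")

def affected_by_advisory(php_v_first_line):
    """True when a `php -v` banner shows the 4.3.0 CGI build the advisory covers.

    The advisory limits the bug to the CGI SAPI of exactly 4.3.0; the Apache,
    ISAPI and other SAPIs are explicitly not affected, and 4.3.1 carries the fix.
    """
    m = _BANNER.match(php_v_first_line.strip())
    if not m:
        raise ValueError("unrecognised php -v banner: %r" % php_v_first_line)
    return m.group("version") == "4.3.0" and m.group("sapi").startswith("cgi")

# Constructed inventory: host -> first banner line printed by the binary the web
# server runs.  Query that binary (php-cgi); a CLI banner on the same host says
# nothing about the CGI build.
SAMPLE_BANNERS = {
    "web1": "PHP 4.3.0 (cgi) (built: Dec 27 2002 22:43:21)",
    "web2": "PHP 4.3.1 (cgi) (built: Feb 17 2003 10:00:00)",
    "web3": "PHP 4.3.0 (cli) (built: Dec 27 2002 22:43:21)",
    "web4": "PHP 4.2.3 (cgi) (built: Sep  6 2002 14:00:00)",
}

def hosts_needing_upgrade(banners=SAMPLE_BANNERS):
    """Hosts whose CGI banner matches the affected build."""
    return sorted(host for host, banner in banners.items() if affected_by_advisory(banner))

if __name__ == "__main__":
    print("via handler redirect:", cgi_request_allowed(ENV_VIA_HANDLER))
    print("direct request      :", cgi_request_allowed(ENV_DIRECT))
    print("upgrade needed on   :", hosts_needing_upgrade())
```

The point of the model is the asymmetry: the same script path is accepted when the server's redirect left REDIRECT_STATUS behind and refused when it did not, and turning cgi.force_redirect off removes the distinction entirely. The inventory check is deliberately narrow, matching only what the advisory names (version 4.3.0, CGI SAPI), so a CLI build of 4.3.0 on the same host is not reported.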
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Wed, 19 Feb 2003 08:47:04 -0300
Subject: [SECURITY-L] Multiple vulnerabilities in Oracle 8 and 9
Message-ID: <3E536EB8.C3622DE8@ccuec.unicamp.br>

Subject: Multiple vulnerabilities in Oracle 8 and 9
Date: Tue, 18 Feb 2003 18:45:09 -0300 (ART)
From: Caio Souza

News :: Multiple vulnerabilities in Oracle 8 and 9 :: 18/02/2003 @ 18:56:01

Multiple vulnerabilities have been announced in Oracle Database Server 8i and 9i, through which an attacker can execute arbitrary commands on the server.

The vulnerabilities found in Oracle are of the buffer overflow type, through which an attacker can execute arbitrary commands on the server. The other is of the Denial-of-Service type, which allows a malicious user to deny access to the service. The flaws discovered in Oracle are in the TO_TIMESTAMP_TZ and TZ_OFFSET functions, in the ORACLE.EXE binary, in the DAV_PUBLIC directory and its parameters, and also in the MOD_ORADAV module. Four flaws are of the buffer overflow type and two of the Denial-of-Service (DoS) type.

Oracle has already released fixes for all the problems. More information can be obtained at the addresses below.

[Oracle Security Alert #48]
http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf

[Oracle Security Alert #49]
http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf

[Oracle Security Alert #50]
http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf

[Oracle Security Alert #51]
http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf

[Oracle Security Alert #52]
http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf

http://www.telsincsecurity.com.br/?menu=noticia&notid=262

From mieko em ccuec.unicamp.br Thu Feb 20 09:00:15 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 20 Feb 2003 09:00:15 -0300
Subject: [SECURITY-L] CERT Advisory CA-2003-05 Multiple Vulnerabilities in Oracle Servers
Message-ID: <3E54C34E.7A9E2D2A@ccuec.unicamp.br>

----- Forwarded message from CERT Coordination Center -----

Date: Wed, 19 Feb 2003 15:12:35 -0500
From: CERT Coordination Center
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2003-05 Multiple Vulnerabilities in Oracle Servers

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-05 Multiple Vulnerabilities in Oracle Servers

Original release date: February 19, 2003
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Systems running Oracle9i Database (Release 1 and 2)
* Systems running Oracle8i Database v 8.1.7
* Systems running Oracle8 Database v 8.0.6
* Systems running Oracle9i Application Server (Release 9.0.2 and 9.0.3)

Overview

Multiple vulnerabilities exist in Oracle software that may lead to execution of arbitrary code; the ability to read, modify, or delete information stored in underlying Oracle databases; or denial of service. All of these vulnerabilities were discovered by Next Generation Security Software Ltd.

I. Description

Multiple vulnerabilities exist in Oracle9i Application Server, Oracle9i Database, and Oracle8i Database. The majority of these vulnerabilities are buffer overflows. Oracle has published Security Alerts describing these vulnerabilities.
If you use Oracle products listed in the "Systems Affected" section of this document, we strongly encourage you to review the following Oracle Security Alerts and apply patches as appropriate:

* Buffer Overflow in DIRECTORY parameter of Oracle9i Database Server
  http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf
* Buffer Overflow in TZ_OFFSET function of Oracle9i Database Server
  http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf
* Buffer Overflow in TO_TIMESTAMP_TZ function of Oracle9i Database Server
  http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf
* Buffer Overflow in ORACLE.EXE binary of Oracle9i Database Server
  http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf
* Two Vulnerabilities in Oracle9i Application Server
  http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf

NGSSoftware Insight Security Research Advisories describing these issues are listed below:

* Oracle9i Application Server Format String Vulnerability
  http://www.nextgenss.com/advisories/ora-appservfmtst.txt
* Oracle TO_TIMESTAMP_TZ Remote System Buffer Overrun
  http://www.nextgenss.com/advisories/ora-tmstmpbo.txt
* ORACLE bfilename function buffer overflow vulnerability
  http://www.nextgenss.com/advisories/ora-bfilebo.txt
* Oracle TZ_OFFSET Remote System Buffer Overrun
  http://www.nextgenss.com/advisories/ora-tzofstbo.txt
* Oracle unauthenticated remote system compromise
  http://www.nextgenss.com/advisories/ora-unauthrm.txt

The CERT/CC has published vulnerability notes for each of these issues as well. The vulnerability in Oracle's mod_dav module (VU#849993) has been assigned CVE ID CAN-2002-0842.

II. Impact

Depending on the vulnerability being exploited, an attacker may be able to execute arbitrary code; read, modify, or delete information stored in underlying Oracle databases; or cause a denial of service. The vulnerabilities in "ORACLE.EXE" (VU#953746) and the WebDAV modules (VU#849993, VU#511194) may be exploited prior to authentication.

III. Solution

Apply a patch

Solutions for specific vulnerabilities can be found in the above referenced Oracle Security Alerts, NGSSoftware Insight Security Research Advisories, and individual CERT/CC Vulnerability Notes.

Mitigation Strategies

Until a patch can be applied, the CERT/CC recommends that vulnerable sites

* disable unnecessary Oracle services
* run Oracle services with the least privilege
* restrict network access to Oracle services

Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.

Oracle Corporation

Please see the following Oracle Security Alerts:

* http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf
* http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf
* http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf
* http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf
* http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf

Appendix B. References

* http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf
* http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf
* http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf
* http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf
* http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf
* http://www.nextgenss.com/advisories/ora-appservfmtst.txt
* http://www.nextgenss.com/advisories/ora-tmstmpbo.txt
* http://www.nextgenss.com/advisories/ora-bfilebo.txt
* http://www.nextgenss.com/advisories/ora-tzofstbo.txt
* http://www.nextgenss.com/advisories/ora-unauthrm.txt
* http://www.kb.cert.org/vuls/id/743954
* http://www.kb.cert.org/vuls/id/953746
* http://www.kb.cert.org/vuls/id/663786
* http://www.kb.cert.org/vuls/id/840666
* http://www.kb.cert.org/vuls/id/511194
* http://www.kb.cert.org/vuls/id/849993
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0842

_________________________________________________________________

The CERT/CC acknowledges both Next Generation Security Software Ltd. and Oracle for providing information upon which this document is based.
_________________________________________________________________

Feedback can be directed to the author: Ian A. Finlay.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-04.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert em cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo em cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.

Revision History

February 19, 2003: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPlPkcmjtSoHZUTs5AQGFkAQAmTTDL3Tyn818VW59c0Ec5Tt+N78TKs8y
h6Mnp4gkZuFLaPXju8zw1oNat4HoR7JWefBo7Lj6QFMf9HANlg7NexYmmQZSupL/
TZrFF6Nisfg/jQ7H6hPH/kajm/siJO6BuPgQIyEWtHkrJ6ce4jgcPGmuJsLzuUW3
N4QKY3gFD2A=
=nkbt
-----END PGP SIGNATURE-----

----- End forwarded message -----

From mieko em ccuec.unicamp.br Thu Feb 20 11:56:05 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 20 Feb 2003 11:56:05 -0300
Subject: [SECURITY-L] CAIS Alert: Multiple Vulnerabilities in Oracle Servers
Message-ID: <3E54EC85.BB15B0DC@ccuec.unicamp.br>

Subject: CAIS Alert: Multiple Vulnerabilities in Oracle Servers
Date: Thu, 20 Feb 2003 11:00:21 -0300 (BRT)
From: Centro de Atendimento a Incidentes de Seguranca
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the alert published by CERT/CC, CERT Advisory CA-2003-05 Multiple Vulnerabilities in Oracle Servers, which covers the identification of several vulnerabilities in Oracle servers, most of them buffer overflows.

Exploitation of these vulnerabilities may allow an attacker to: execute arbitrary code on the system; read, modify or delete information stored in Oracle databases; or cause a denial of service.

Affected systems:

Systems running the following software are affected by the vulnerabilities described in this alert:

. Oracle9i Database (Release 1 and 2)
. Oracle8i Database v 8.1.7
. Oracle8 Database v 8.0.6
. Oracle9i Application Server (Release 9.0.2 and 9.0.3)

Available fixes:

To correct the problem, apply the recommended patches according to the vendor's instructions. Specific solutions for each of the vulnerabilities listed can be found in the security alerts published by Oracle, by NGSSoftware and in the CERT Vulnerability Notes. All references are listed below.

More information:

. http://www.cert.org/advisories/CA-2003-05.html
. http://www.kb.cert.org/vuls/id/849993
. http://www.kb.cert.org/vuls/id/743954
. http://www.kb.cert.org/vuls/id/953746
. http://www.kb.cert.org/vuls/id/663786
. http://www.kb.cert.org/vuls/id/840666
. http://www.kb.cert.org/vuls/id/511194
. http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf
. http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf
. http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf
. http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf
. http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf
. http://www.nextgenss.com/advisories/ora-appservfmtst.txt
. http://www.nextgenss.com/advisories/ora-tmstmpbo.txt
. http://www.nextgenss.com/advisories/ora-bfilebo.txt
. http://www.nextgenss.com/advisories/ora-tzofstbo.txt
. http://www.nextgenss.com/advisories/ora-unauthrm.txt

CVE identifier: CAN-2002-0842 (http://cve.mitre.org)

CAIS recommends that administrators update their Oracle systems, following the recommendations described in this alert.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br        http://www.cais.rnp.br            #
# Tel. 019-37873300          Fax. 019-37873301                 #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

CERT Advisory CA-2003-05 Multiple Vulnerabilities in Oracle Servers

Original release date: February 19, 2003
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Systems running Oracle9i Database (Release 1 and 2)
* Systems running Oracle8i Database v 8.1.7
* Systems running Oracle8 Database v 8.0.6
* Systems running Oracle9i Application Server (Release 9.0.2 and 9.0.3)

Overview

Multiple vulnerabilities exist in Oracle software that may lead to execution of arbitrary code; the ability to read, modify, or delete information stored in underlying Oracle databases; or denial of service. All of these vulnerabilities were discovered by Next Generation Security Software Ltd.

I. Description

Multiple vulnerabilities exist in Oracle9i Application Server, Oracle9i Database, and Oracle8i Database. The majority of these vulnerabilities are buffer overflows. Oracle has published Security Alerts describing these vulnerabilities.
If you use Oracle products listed in the "Systems Affected" section of this document, we strongly encourage you to review the following Oracle Security Alerts and apply patches as appropriate:

* Buffer Overflow in DIRECTORY parameter of Oracle9i Database Server
  http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf
* Buffer Overflow in TZ_OFFSET function of Oracle9i Database Server
  http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf
* Buffer Overflow in TO_TIMESTAMP_TZ function of Oracle9i Database Server
  http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf
* Buffer Overflow in ORACLE.EXE binary of Oracle9i Database Server
  http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf
* Two Vulnerabilities in Oracle9i Application Server
  http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf

NGSSoftware Insight Security Research Advisories describing these issues are listed below:

* Oracle9i Application Server Format String Vulnerability
  http://www.nextgenss.com/advisories/ora-appservfmtst.txt
* Oracle TO_TIMESTAMP_TZ Remote System Buffer Overrun
  http://www.nextgenss.com/advisories/ora-tmstmpbo.txt
* ORACLE bfilename function buffer overflow vulnerability
  http://www.nextgenss.com/advisories/ora-bfilebo.txt
* Oracle TZ_OFFSET Remote System Buffer Overrun
  http://www.nextgenss.com/advisories/ora-tzofstbo.txt
* Oracle unauthenticated remote system compromise
  http://www.nextgenss.com/advisories/ora-unauthrm.txt

The CERT/CC has published vulnerability notes for each of these issues as well. The vulnerability in Oracle's mod_dav module (VU#849993) has been assigned CVE ID CAN-2002-0842.

II. Impact

Depending on the vulnerability being exploited, an attacker may be able to execute arbitrary code; read, modify, or delete information stored in underlying Oracle databases; or cause a denial of service. The vulnerabilities in "ORACLE.EXE" (VU#953746) and the WebDAV modules (VU#849993, VU#511194) may be exploited prior to authentication.

III. Solution

Apply a patch

Solutions for specific vulnerabilities can be found in the above referenced Oracle Security Alerts, NGSSoftware Insight Security Research Advisories, and individual CERT/CC Vulnerability Notes.

Mitigation Strategies

Until a patch can be applied, the CERT/CC recommends that vulnerable sites

* disable unnecessary Oracle services
* run Oracle services with the least privilege
* restrict network access to Oracle services

Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.

Oracle Corporation

Please see the following Oracle Security Alerts:

* http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf
* http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf
* http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf
* http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf
* http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf

Appendix B. References

* http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf
* http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf
* http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf
* http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf
* http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf
* http://www.nextgenss.com/advisories/ora-appservfmtst.txt
* http://www.nextgenss.com/advisories/ora-tmstmpbo.txt
* http://www.nextgenss.com/advisories/ora-bfilebo.txt
* http://www.nextgenss.com/advisories/ora-tzofstbo.txt
* http://www.nextgenss.com/advisories/ora-unauthrm.txt
* http://www.kb.cert.org/vuls/id/743954
* http://www.kb.cert.org/vuls/id/953746
* http://www.kb.cert.org/vuls/id/663786
* http://www.kb.cert.org/vuls/id/840666
* http://www.kb.cert.org/vuls/id/511194
* http://www.kb.cert.org/vuls/id/849993
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0842

_________________________________________________________________

The CERT/CC acknowledges both Next Generation Security Software Ltd. and Oracle for providing information upon which this document is based.
_________________________________________________________________

Feedback can be directed to the author: Ian A. Finlay.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-04.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert em cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
  CERT Coordination Center
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh PA 15213-3890
  U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo em cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.

Revision History

February 19, 2003: Initial release

From mieko em ccuec.unicamp.br Fri Feb 21 15:51:46 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 21 Feb 2003 15:51:46 -0300
Subject: [SECURITY-L] Fwd: CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP)
Message-ID: <3E567542.3B950779@ccuec.unicamp.br>

Subject: CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP)
Date: Fri, 21 Feb 2003 10:25:11 -0500
From: CERT Advisory
Organization: CERT(R) Coordination Center - +1 412-268-7090
To: cert-advisory em cert.org

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP)

Original release date: February 21, 2003
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

SIP-enabled products from a wide variety of vendors are affected. Other systems making use of SIP may also be vulnerable but were not specifically tested. Not all SIP implementations are affected. See Vendor Information for details from vendors who have provided feedback for this advisory. In addition to the vendors who provided feedback for this advisory, a list of vendors whom CERT/CC contacted regarding these problems is available from VU#528719.

Overview

Numerous vulnerabilities have been reported in multiple vendors' implementations of the Session Initiation Protocol. These vulnerabilities may allow an attacker to gain unauthorized privileged access, cause denial-of-service attacks, or cause unstable system behavior. If your site uses SIP-enabled products in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below.

I. Description

The Session Initiation Protocol (SIP) is a developing and newly deployed protocol that is commonly used in Voice over IP (VoIP), Internet telephony, instant messaging, and various other applications. SIP is a text-based protocol for initiating communication and data sessions between users.

The Oulu University Secure Programming Group (OUSPG) previously conducted research into vulnerabilities in LDAP, culminating in CERT Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03. OUSPG's most recent research focused on a subset of SIP related to the INVITE message, which SIP agents and proxies are required to accept in order to set up sessions. By applying the PROTOS c07-sip test suite to a variety of popular SIP-enabled products, the OUSPG discovered impacts ranging from unexpected system behavior and denial of services to remote code execution. Note that "throttling" is an expected behavior.

Specifications for the Session Initiation Protocol are available in RFC3261:
http://www.ietf.org/rfc/rfc3261.txt

OUSPG has established the following site with detailed documentation regarding SIP and the implementation test results from the test suite:
http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/

The IETF Charter page for SIP is available at
http://www.ietf.org/html.charters/sip-charter.html

II. Impact

Exploitation of these vulnerabilities may result in denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain unauthorized access to the affected device. Specific impacts will vary from product to product.

III. Solution

Many of the mitigation steps recommended below may have significant impact on your everyday network operations and/or network architecture. Ensure that any changes made based on the following recommendations will not unacceptably affect your ongoing network operations capability.

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. Please consult this appendix and VU#528719 to determine if your product is vulnerable. If a statement is unavailable, you may need to contact your vendor directly.

Disable the SIP-enabled devices and services

As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Some of the affected products may rely on SIP to be functional. You should carefully consider the impact of blocking services that you may be using.

Ingress filtering

As a temporary measure, it may be possible to limit the scope of these vulnerabilities by blocking access to SIP devices and services at the network perimeter.
Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound traffic from the public Internet. Note that most SIP User Agents (including IP phones or "client" software) consist of a User Agent Client and a User Agent Server. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services.

For SIP, ingress filtering of the following ports can prevent attackers outside of your network from accessing vulnerable devices in the local network that are not explicitly authorized to provide public SIP services:

sip  5060/udp  # Session Initiation Protocol (SIP)
sip  5060/tcp  # Session Initiation Protocol (SIP)
sip  5061/tcp  # Session Initiation Protocol (SIP) over TLS

Careful consideration should be given to addresses of the types mentioned above by sites planning for packet filtering as part of their mitigation strategy for these vulnerabilities. Please note that this workaround may not protect vulnerable devices from internal attacks.

Egress filtering

Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound traffic to the Internet. In the case of the SIP vulnerabilities, employing egress filtering on the ports listed above at your network border may prevent your network from being used as a source for attacks on other sites.

Block SIP requests directed to broadcast addresses at your router.

Since SIP requests can be transmitted via UDP, broadcast attacks are possible. One solution to prevent your site from being used as an intermediary in an attack is to block SIP requests directed to broadcast addresses at your router.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

America Online Inc

Not vulnerable.

Apple Computer Inc.

There are currently no applications shipped by Apple with Mac OS X or Mac OS X Server which make use of the Session Initiation Protocol.

Borderware

No BorderWare products make use of SIP and thus no BorderWare products are affected by this vulnerability.

Clavister

No Clavister products currently incorporate support for the SIP protocol suite, and as such, are not vulnerable.

We would however like to extend our thanks to the OUSPG for their work as well as for the responsible manner in which they handle their discoveries. Their detailed reports and test suites are certainly well-received.

We would also like to reiterate the fact that SIP has yet to mature, protocol-wise as well as implementation-wise. We do not recommend that our customers set up SIP relays in parallel to our firewall products to pass SIP-based applications in or out of networks where security is a concern of note.

F5 Networks

F5 Networks does not have a SIP server product, and is therefore not affected by this vulnerability.

Fujitsu

With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable because the relevant function is not supported under UXP/V.

IBM

SIP is not implemented as part of the AIX operating system.

IP Filter

IPFilter does not do any SIP specific protocol handling and is therefore not affected by the issues mentioned in the paper cited.

IPTel

All versions of SIP Express Router up to 0.8.9 are sadly vulnerable to the OUSPG test suite.
We strongly advise to upgrade to version 0.8.10. Please also apply the patch to version 0.8.10 from http://www.iptel.org/ser/security/ before installation and keep on watching this site in the future. We apologize to our users for the trouble.

Hewlett-Packard Company

Source: Hewlett-Packard Company Software Security Response Team
cross reference id: SSRT2402

HP-UX              - not vulnerable
HP-MPE/ix          - not vulnerable
HP Tru64 UNIX      - not vulnerable
HP OpenVMS         - not vulnerable
HP NonStop Servers - not vulnerable

To report potential security vulnerabilities in HP software, send an E-mail message to: mailto:security-alert em hp.com

Lucent

No Lucent products are known to be affected by this vulnerability, however we are still researching the issue and will update this statement as needed.

Microsoft Corporation

Microsoft has investigated these issues. The Microsoft SIP client implementation is not affected.

NEC Corporation

===================================================================
NEC vendor statement for VU#528719
===================================================================
sent on February 13, 2002

Server Products
* EWS/UP 48 Series operating system
  - is NOT vulnerable, because it does not support SIP.

Router Products
* IX 1000 / 2000 / 5000 Series
  - is NOT vulnerable, because it does not support SIP.

Other Network products
* We continue to check our products which support SIP protocol.
===================================================================

NETBSD

NetBSD does not ship any implementation of SIP.

NETfilter.org

As the linux 2.4/2.5 netfilter implementation currently doesn't support connection tracking or NAT for the SIP protocol suite, we are not vulnerable to this bug.

NetScreen

NetScreen is not vulnerable to this issue.

Network Appliance

NetApp products are not affected by this vulnerability.

Nokia

Nokia IP Security Platforms based on IPSO, Nokia Small Office Solution platforms, Nokia VPN products and Nokia Message Protector platform do not initiate or terminate SIP based sessions. The mentioned Nokia products are not susceptible to this vulnerability.

Nortel Networks

Nortel Networks is cooperating to the fullest extent with the CERT Coordination Center. All Nortel Networks products that use Session Initiation Protocol (SIP) have been tested and all generally available products, with the following exceptions, have passed the test suite: Succession Communication Server 2000 and Succession Communication Server 2000 - Compact are impacted by the test suite only in configurations where SIP-T has been provisioned within the Communication Server; a software patch is expected to be available by the end of February.

For further information about Nortel Networks products please contact Nortel Networks Global Network Support.

North America: 1-800-4-NORTEL, or (1-800-466-7835)
Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907 9009

Contacts for other regions available at the Global Contact web page.

Novell

Novell has no products implementing SIP.

Secure Computing Corporation

Neither Sidewinder nor Gauntlet implements SIP, so we do not need to be on the vendor list for this vulnerability.

SecureWorx

We hereby attest that SecureWorx Basilisk Gateway Security product suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the Session Initiation Protocol (SIP) Vulnerability VU#528719 as described in the OUSPG announcement (OUSPG#0106) received on Fri, 8 Nov 2002 10:17:11 -0500.

Stonesoft

Stonesoft's StoneGate high availability firewall and VPN product does not contain any code that handles SIP protocol. No versions of StoneGate are vulnerable.

Symantec

Symantec Corporation products are not vulnerable to this issue. Symantec does not implement the Session Initiation Protocol (SIP) in any of our products.
Xerox

Xerox is aware of this vulnerability and is currently assessing all products. This statement will be updated as new information becomes available.

Appendix B. - References

1. http://www.ee.oulu.fi/research/ouspg/protos/
2. http://www.kb.cert.org/vuls/id/528719
3. http://www.cert.org/tech_tips/denial_of_service.html
4. http://www.ietf.org/html.charters/sip-charter.html
5. RFC3261 - SIP: Session Initiation Protocol
6. RFC2327 - SDP: Session Description Protocol
7. RFC2279 - UTF-8, a transformation format of ISO 10646
8. Session Initiation Protocol Basic Call Flow Examples
9. Session Initiation Protocol Torture Test Messages, Draft

_________________________________________________________________

The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities to us, for providing detailed technical analysis, and for assisting us in preparing this advisory. We would also like to acknowledge the "RedSkins" project of "MediaTeam Oulu" for their support of this research.
_________________________________________________________________

Feedback on this document can be directed to the authors, Jason A. Rafail and Ian A. Finlay.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-06.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert em cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
  CERT Coordination Center
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh PA 15213-3890
  U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo em cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.

Revision History

Feb 21, 2003: Initial release

From mieko em ccuec.unicamp.br Fri Feb 21 15:52:39 2003
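The three perimeter mitigations in the Solution section of CA-2003-06 above (ingress filtering of 5060/udp, 5060/tcp and 5061/tcp to everything except authorized public SIP servers, egress filtering on the same ports, and dropping SIP requests sent to broadcast addresses) written out as iptables rules. This is an added example, not part of the CERT/CC advisory or any vendor statement; it assumes a Linux border router, takes the WAN interface name and the authorized server addresses as arguments (the values used below are constructed), and only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the CERT/CC advisory): generate iptables rules
# for the SIP perimeter filtering recommended in CA-2003-06.
# Assumptions: the router forwards traffic between the site and the Internet
# through one WAN interface, and only the hosts named on the command line are
# authorized to offer public SIP service.  Rules are printed, not applied.

# The three ports named in the advisory (proto:port).
SIP_PORTS="udp:5060 tcp:5060 tcp:5061"

# sip_ingress_rules IFACE SERVER...
# Rules for traffic entering through IFACE (ingress filtering).
sip_ingress_rules() {
    iface=$1; shift
    for pp in $SIP_PORTS; do
        proto=${pp%%:*}; port=${pp##*:}
        # SIP to a broadcast destination is never legitimate and is the vector
        # for using the site as an intermediary: drop it before anything else.
        echo "iptables -A FORWARD -i $iface -p $proto --dport $port -m addrtype --dst-type BROADCAST -j DROP"
        # Only the explicitly authorized public SIP servers may be reached.
        for srv in "$@"; do
            echo "iptables -A FORWARD -i $iface -p $proto -d $srv --dport $port -j ACCEPT"
        done
        # Every other internal device (phones, soft clients, untested gear)
        # is unreachable from outside on the SIP ports.
        echo "iptables -A FORWARD -i $iface -p $proto --dport $port -j DROP"
    done
}

# sip_egress_rules IFACE SERVER...
# Rules for traffic leaving through IFACE (egress filtering), so that a
# compromised internal device cannot be used to attack other sites.
sip_egress_rules() {
    iface=$1; shift
    for pp in $SIP_PORTS; do
        proto=${pp%%:*}; port=${pp##*:}
        for srv in "$@"; do
            echo "iptables -A FORWARD -o $iface -p $proto -s $srv --dport $port -j ACCEPT"
        done
        echo "iptables -A FORWARD -o $iface -p $proto --dport $port -j DROP"
    done
}

# sip_filter_rules IFACE SERVER...  -> complete rule set, ingress then egress
sip_filter_rules() {
    sip_ingress_rules "$@"
    sip_egress_rules "$@"
}

# Constructed example: WAN interface eth0, two authorized SIP servers using
# RFC 5737 documentation addresses.  Pipe the output to sh to apply it.
sip_filter_rules eth0 192.0.2.10 192.0.2.11
```

Internal phones that register with an external provider would be cut off by the egress rules, which is the "significant impact on your everyday network operations" the advisory warns about; such hosts need their own ACCEPT entries before the final DROP.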
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 21 Feb 2003 15:52:39 -0300
Subject: [SECURITY-L] CAIS Alert: Multiple Vulnerabilities in SIP Implementations
Message-ID: <3E567577.DBA789AA@ccuec.unicamp.br>

Subject: CAIS Alert: Multiple Vulnerabilities in SIP Implementations
Date: Fri, 21 Feb 2003 15:32:33 -0300 (BRT)
From: Centro de Atendimento a Incidentes de Seguranca
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the alert published by CERT/CC, CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP), which covers the identification of vulnerabilities in implementations of SIP, the Session Initiation Protocol.

Exploitation of these vulnerabilities may allow an attacker to: execute arbitrary code, cause instability, or cause a denial of service on the system.

The Session Initiation Protocol (SIP) is a protocol used in Voice over IP (VoIP), Internet telephony and instant messaging applications, among others. More information about SIP can be found at:

. http://www.ietf.org/rfc/rfc3261.txt
. http://www.ietf.org/html.charters/sip-charter.html

Affected systems:

A large proportion of SIP-enabled products are affected, but not all implementations of the protocol are. A list of affected systems can be found in Appendix A of the attached alert.

Available fixes:

To correct the problem, apply the recommended patches according to the vendor's instructions, as stated in Appendix A of the attached alert.

More information:

. http://www.cert.org/advisories/CA-2003-06.html
. http://www.kb.cert.org/vuls/id/528719
. http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/

CAIS recommends that administrators check whether their systems are vulnerable and proceed with the updates according to the vendor's guidance.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br        http://www.cais.rnp.br            #
# Tel. 019-37873300          Fax. 019-37873301                 #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP)

Original release date: February 21, 2003
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

SIP-enabled products from a wide variety of vendors are affected. Other systems making use of SIP may also be vulnerable but were not specifically tested. Not all SIP implementations are affected. See Vendor Information for details from vendors who have provided feedback for this advisory. In addition to the vendors who provided feedback for this advisory, a list of vendors whom CERT/CC contacted regarding these problems is available from VU#528719.

Overview

Numerous vulnerabilities have been reported in multiple vendors' implementations of the Session Initiation Protocol. These vulnerabilities may allow an attacker to gain unauthorized privileged access, cause denial-of-service attacks, or cause unstable system behavior. If your site uses SIP-enabled products in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below.

I. Description

The Session Initiation Protocol (SIP) is a developing and newly deployed protocol that is commonly used in Voice over IP (VoIP), Internet telephony, instant messaging, and various other applications. SIP is a text-based protocol for initiating communication and data sessions between users.

The Oulu University Secure Programming Group (OUSPG) previously conducted research into vulnerabilities in LDAP, culminating in CERT Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03. OUSPG's most recent research focused on a subset of SIP related to the INVITE message, which SIP agents and proxies are required to accept in order to set up sessions.
By applying the PROTOS c07-sip test suite to a variety of popular SIP-enabled products, the OUSPG discovered impacts ranging from unexpected system behavior and denial of services to remote code execution. Note that "throttling" is an expected behavior.

Specifications for the Session Initiation Protocol are available in RFC3261:
http://www.ietf.org/rfc/rfc3261.txt

OUSPG has established the following site with detailed documentation regarding SIP and the implementation test results from the test suite:
http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/

The IETF Charter page for SIP is available at
http://www.ietf.org/html.charters/sip-charter.html

II. Impact

Exploitation of these vulnerabilities may result in denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain unauthorized access to the affected device. Specific impacts will vary from product to product.

III. Solution

Many of the mitigation steps recommended below may have significant impact on your everyday network operations and/or network architecture. Ensure that any changes made based on the following recommendations will not unacceptably affect your ongoing network operations capability.

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. Please consult this appendix and VU#528719 to determine if your product is vulnerable. If a statement is unavailable, you may need to contact your vendor directly.

Disable the SIP-enabled devices and services

As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Some of the affected products may rely on SIP to be functional. You should carefully consider the impact of blocking services that you may be using.

Ingress filtering

As a temporary measure, it may be possible to limit the scope of these vulnerabilities by blocking access to SIP devices and services at the network perimeter.
Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound traffic from the public Internet. Note that most SIP User Agents (including IP phones or "clien"t software) consist of a User Agent Client and a User Agent Server. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services. For SIP, ingress filtering of the following ports can prevent attackers outside of your network from accessing vulnerable devices in the local network that are not explicitly authorized to provide public SIP services: sip 5060/udp # Session Initiation Protocol (SIP) sip 5060/tcp # Session Initiation Protocol (SIP) sip 5061/tcp # Session Initiation Protocol (SIP) over TLS Careful consideration should be given to addresses of the types mentioned above by sites planning for packet filtering as part of their mitigation strategy for these vulnerabilities. Please note that this workaround may not protect vulnerable devices from internal attacks. Egress filtering Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound traffic to the Internet. In the case of the SIP vulnerabilities, employing egress filtering on the ports listed above at your network border may prevent your network from being used as a source for attacks on other sites. Block SIP requests directed to broadcast addresses at your router. Since SIP requests can be transmitted via UDP, broadcast attacks are possible. 
One solution to prevent your site from being used as an intermediary in an attack is to block SIP requests directed to broadcast addresses at your router.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

America Online Inc

Not vulnerable.

Apple Computer Inc.

There are currently no applications shipped by Apple with Mac OS X or Mac OS X Server which make use of the Session Initiation Protocol.

Borderware

No BorderWare products make use of SIP and thus no BorderWare products are affected by this vulnerability.

Clavister

No Clavister products currently incorporate support for the SIP protocol suite, and as such, are not vulnerable. We would however like to extend our thanks to the OUSPG for their work as well as for the responsible manner in which they handle their discoveries. Their detailed reports and test suites are certainly well-received. We would also like to reiterate the fact that SIP has yet to mature, protocol-wise as well as implementation-wise. We do not recommend that our customers set up SIP relays in parallel to our firewall products to pass SIP-based applications in or out of networks where security is a concern of note.

F5 Networks

F5 Networks does not have a SIP server product, and is therefore not affected by this vulnerability.

Fujitsu

With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable because the relevant function is not supported under UXP/V.

IBM

SIP is not implemented as part of the AIX operating system.

IP Filter

IPFilter does not do any SIP specific protocol handling and is therefore not affected by the issues mentioned in the paper cited.

IPTel

All versions of SIP Express Router up to 0.8.9 are sadly vulnerable to the OUSPG test suite.
We strongly advise upgrading to version 0.8.10. Please also apply the patch to version 0.8.10 from http://www.iptel.org/ser/security/ before installation and keep on watching this site in the future. We apologize to our users for the trouble.

Hewlett-Packard Company

Source: Hewlett-Packard Company Software Security Response Team
cross reference id: SSRT2402

HP-UX - not vulnerable
HP-MPE/ix - not vulnerable
HP Tru64 UNIX - not vulnerable
HP OpenVMS - not vulnerable
HP NonStop Servers - not vulnerable

To report potential security vulnerabilities in HP software, send an E-mail message to: mailto:security-alert em hp.com

Lucent

No Lucent products are known to be affected by this vulnerability, however we are still researching the issue and will update this statement as needed.

Microsoft Corporation

Microsoft has investigated these issues. The Microsoft SIP client implementation is not affected.

NEC Corporation

===================================================================
NEC vendor statement for VU#528719
===================================================================
sent on February 13, 2002

Server Products
* EWS/UP 48 Series operating system
* - is NOT vulnerable, because it does not support SIP.

Router Products
* IX 1000 / 2000 / 5000 Series
* - is NOT vulnerable, because it does not support SIP.

Other Network products
* We continue to check our products which support SIP protocol.
===================================================================

NETBSD

NetBSD does not ship any implementation of SIP.

NETfilter.org

As the linux 2.4/2.5 netfilter implementation currently doesn't support connection tracking or NAT for the SIP protocol suite, we are not vulnerable to this bug.

NetScreen

NetScreen is not vulnerable to this issue.

Network Appliance

NetApp products are not affected by this vulnerability.
Nokia

Nokia IP Security Platforms based on IPSO, Nokia Small Office Solution platforms, Nokia VPN products and Nokia Message Protector platform do not initiate or terminate SIP based sessions. The mentioned Nokia products are not susceptible to this vulnerability.

Nortel Networks

Nortel Networks is cooperating to the fullest extent with the CERT Coordination Center. All Nortel Networks products that use Session Initiation Protocol (SIP) have been tested and all generally available products, with the following exceptions, have passed the test suite:

Succession Communication Server 2000 and Succession Communication Server 2000 - Compact are impacted by the test suite only in configurations where SIP-T has been provisioned within the Communication Server; a software patch is expected to be available by the end of February.

For further information about Nortel Networks products please contact Nortel Networks Global Network Support.

North America: 1-800-4-NORTEL, or (1-800-466-7835)
Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907 9009
Contacts for other regions available at the Global Contact web page.

Novell

Novell has no products implementing SIP.

Secure Computing Corporation

Neither Sidewinder nor Gauntlet implements SIP, so we do not need to be on the vendor list for this vulnerability.

SecureWorx

We hereby attest that SecureWorx Basilisk Gateway Security product suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the Session Initiation Protocol (SIP) Vulnerability VU#528719 as described in the OUSPG announcement (OUSPG#0106) received on Fri, 8 Nov 2002 10:17:11 -0500.

Stonesoft

Stonesoft's StoneGate high availability firewall and VPN product does not contain any code that handles SIP protocol. No versions of StoneGate are vulnerable.

Symantec

Symantec Corporation products are not vulnerable to this issue. Symantec does not implement the Session Initiation Protocol (SIP) in any of our products.
Xerox

Xerox is aware of this vulnerability and is currently assessing all products. This statement will be updated as new information becomes available.

Appendix B. - References

1. http://www.ee.oulu.fi/research/ouspg/protos/
2. http://www.kb.cert.org/vuls/id/528719
3. http://www.cert.org/tech_tips/denial_of_service.html
4. http://www.ietf.org/html.charters/sip-charter.html
5. RFC3261 - SIP: Session Initiation Protocol
6. RFC2327 - SDP: Session Description Protocol
7. RFC2279 - UTF-8, a transformation format of ISO 10646
8. Session Initiation Protocol Basic Call Flow Examples
9. Session Initiation Protocol Torture Test Messages, Draft

_________________________________________________________________

The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities to us, for providing detailed technical analysis, and for assisting us in preparing this advisory. We would also like to acknowledge the "RedSkins" project of "MediaTeam Oulu" for their support of this research.

_________________________________________________________________

Feedback on this document can be directed to the authors, Jason A. Rafail and Ian A. Finlay.

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-06.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert em cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo em cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.

Revision History

Feb 21, 2003: Initial release

From mieko em ccuec.unicamp.br Fri Feb 21 17:20:30 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 21 Feb 2003 17:20:30 -0300
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030221202029.GA1244@ccuec.unicamp.br>

Dear users,

We have updated the site of Unicamp's Systems and Network Security Team with the following vulnerability bulletins:

21/02/2003
----------
CAIS-Alerta
Subject: Multiple Vulnerabilities in SIP Implementations
http://www.security.unicamp.br/docs/bugs/2003/02/v77.txt

CERT Advisory (CA-2003-06)
Subject: Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP)
http://www.security.unicamp.br/docs/bugs/2003/02/v76.txt

20/02/2003
----------
RHN Errata Alert (RHSA-2003:057-06)
Subject: Updated shadow-utils packages fix exposure
http://www.security.unicamp.br/docs/bugs/2003/02/v74.txt

RHN Errata Alert (RHSA-2003:006-10)
Subject: Updated libpng packages fix buffer overflow
http://www.security.unicamp.br/docs/bugs/2003/02/v73.txt

Conectiva Linux Security Announcement (CLA-2003:569)
Subject: Multiple vulnerabilities in KDE
http://www.security.unicamp.br/docs/bugs/2003/02/v72.txt

Conectiva Linux Security Announcement (CLA-2003:569)
Subject: Multiple vulnerabilities in KDE
http://www.security.unicamp.br/docs/bugs/2003/02/v71.txt

RHN Errata Alert (RHSA-2003:057-06)
Subject: Updated shadow-utils packages fix exposure
http://www.security.unicamp.br/docs/bugs/2003/02/v70.txt

Gentoo Linux Security Announcement (200302-11)
Subject: denial of service in bitchx
http://www.security.unicamp.br/docs/bugs/2003/02/v69.txt

Gentoo Linux Security Announcement (200302-10)
Subject: timing based attack in openssl
http://www.security.unicamp.br/docs/bugs/2003/02/v68.txt

EnGarde Secure Linux Security Advisory (ESA-20030220-005)
Subject: OpenSSL timing-based attack vulnerability
http://www.security.unicamp.br/docs/bugs/2003/02/v67.txt

EnGarde Secure Linux Security Advisory (ESA-20030220-004)
Subject: Security vulnerabilities in the MySQL, MySQL-client and MySQL-shared packages
http://www.security.unicamp.br/docs/bugs/2003/02/v66.txt

CAIS-Alerta
Subject: Multiple Vulnerabilities in Oracle Servers
http://www.security.unicamp.br/docs/bugs/2003/02/v65.txt

RHN Errata Alert (RHSA-2003:037-09)
Subject: Updated Xpdf packages fix security vulnerability
http://www.security.unicamp.br/docs/bugs/2003/02/v64.txt

Debian Security Advisory (DSA 232-2)
Subject: Security vulnerabilities in the cupsys package
http://www.security.unicamp.br/docs/bugs/2003/02/v45.txt

19/02/2003
----------
CERT Advisory (CA-2003-05)
Subject: Multiple Vulnerabilities in Oracle Servers
http://www.security.unicamp.br/docs/bugs/2003/02/v75.txt

RHN Errata Alert (RHSA-2003:043-12)
Subject: Updated WindowMaker packages fix vulnerability in theme-loading
http://www.security.unicamp.br/docs/bugs/2003/02/v63.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:019)
Subject: Security vulnerability in the php package
http://www.security.unicamp.br/docs/bugs/2003/02/v62.txt

OpenPKG Security Advisory (OpenPKG-SA-2003.013)
Subject: obtain plaintext of SSL/TLS communication in openssl
http://www.security.unicamp.br/docs/bugs/2003/02/v61.txt

EnGarde Secure Linux Security Advisory (ESA-20030219-003)
Subject: Several PHP vulnerabilities in php and mod_php
http://www.security.unicamp.br/docs/bugs/2003/02/v60.txt

Gentoo Linux Security Announcement (200302-09.1)
Subject: arbitrary code execution in mod_php
http://www.security.unicamp.br/docs/bugs/2003/02/v59.txt

OpenPKG Security Advisory (OpenPKG-SA-2003.012)
Subject: denial of service (packet storm) in dhcpd
http://www.security.unicamp.br/docs/bugs/2003/02/v58.txt

Gentoo Linux Security Announcement (200302-09)
Subject: arbitrary code execution in mod_php and php
http://www.security.unicamp.br/docs/bugs/2003/02/v57.txt

18/02/2003
----------
Mandrake Linux Security Update Advisory (MDKSA-2003:018)
Subject: Security vulnerability in the apcupsd package
http://www.security.unicamp.br/docs/bugs/2003/02/v56.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:017)
Subject: Security vulnerability in the pam package
http://www.security.unicamp.br/docs/bugs/2003/02/v55.txt

SuSE Security Announcement (SuSE-SA:2003:0009)
Subject: remote system compromise in mod_php4
http://www.security.unicamp.br/docs/bugs/2003/02/v54.txt

SuSE Security Announcement (SuSE-SA:2003:0008)
Subject: remote system compromise in imp
http://www.security.unicamp.br/docs/bugs/2003/02/v53.txt

OpenPKG Security Advisory (OpenPKG-SA-2003.011)
Subject: CRLF injection vulnerability in lynx
http://www.security.unicamp.br/docs/bugs/2003/02/v52.txt

OpenPKG Security Advisory (OpenPKG-SA-2003.010)
Subject: arbitrary file access and code execution in php, apache
http://www.security.unicamp.br/docs/bugs/2003/02/v51.txt

OpenPKG Security Advisory (OpenPKG-SA-2003.009)
Subject: cookie information leak in w3m
http://www.security.unicamp.br/docs/bugs/2003/02/v50.txt

Gentoo Linux Security Announcement (200302-08)
Subject: buffer overflow in nethack
http://www.security.unicamp.br/docs/bugs/2003/02/v49.txt

17/02/2003
----------
PHP Security Advisory
Subject: CGI vulnerability in PHP version 4.3.0
http://www.security.unicamp.br/docs/bugs/2003/02/v48.txt

Gentoo Linux Security Announcement (200302-07)
Subject: missing HTML quoting in w3m
http://www.security.unicamp.br/docs/bugs/2003/02/v47.txt

Gentoo Linux Security Announcement (200302-06)
Subject: security issues in installer in syslinux
http://www.security.unicamp.br/docs/bugs/2003/02/v46.txt

Gentoo Linux Security Announcement (200302-05)
Subject: cross site scripting in mailman
http://www.security.unicamp.br/docs/bugs/2003/02/v44.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Mon Feb 24 11:33:27 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Mon, 24 Feb 2003 11:33:27 -0300
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030224143327.GA307@ccuec.unicamp.br>

Dear users,

We have updated the site of Unicamp's Systems and Network Security Team with the following vulnerability bulletins:

24/02/2003
----------
Red Hat Network (RHN) - Errata Alert (RHSA-2003:012-07)
Subject: Updated CVS packages available
http://www.security.unicamp.br/docs/bugs/2003/02/v88.txt

23/02/2003
----------
Red Hat Network (RHN) - Errata Alert (RHSA-2003:041-12)
Subject: Updated VNC packages fix replay and cookie vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/02/v87.txt

Red Hat Network (RHN) - Errata Alert (RHSA-2003:011-07)
Subject: Updated dhcp packages fix security vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/02/v86.txt

22/02/2003
----------
Gentoo Linux Security Announcement (200302-12)
Subject: Security vulnerability in the webmin package
http://www.security.unicamp.br/docs/bugs/2003/02/v85.txt

21/02/2003
----------
Red Hat Network (RHN) - Errata Alert (RHSA-2003:025-20)
Subject: Updated 2.4 kernel fixes various vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/02/v84.txt

Cisco Security Advisory
Subject: Multiple Product Vulnerabilities found by PROTOS SIP Test Suite
http://www.security.unicamp.br/docs/bugs/2003/02/v83.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:021)
Subject: Security vulnerability in the krb5 package
http://www.security.unicamp.br/docs/bugs/2003/02/v82.txt

Debian Security Advisory (DSA 252-1)
Subject: buffer overflow in slocate
http://www.security.unicamp.br/docs/bugs/2003/02/v79.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:020)
Subject: Security vulnerability in the openssl package
http://www.security.unicamp.br/docs/bugs/2003/02/v81.txt

20/02/2003
----------
Trustix Secure Linux Security Advisory (#2003-0005)
Subject: Security vulnerability in the openssl package
http://www.security.unicamp.br/docs/bugs/2003/02/v80.txt

Red Hat Security Advisory (RHSA-2003:041-12)
Subject: Updated VNC packages fix replay and cookie vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/02/v78.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Tue Feb 25 08:41:14 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 25 Feb 2003 08:41:14 -0300
Subject: [SECURITY-L] Cisco warns of flaws in routers
Message-ID: <3E5B565A.11A75E@ccuec.unicamp.br>

Subject: Cisco warns of flaws in routers
Date: Mon, 24 Feb 2003 18:32:50 -0300 (ART)
From: Caio Souza

Cisco warns of flaws in routers
Monday, 24 February 2003 - 16:17

SÃO PAULO - Cisco has published an alert on its site reporting that several of its routers, firewalls and phones have security flaws that can be exploited to cause a denial of service on the systems. The vulnerability manifests when the products run the SIP protocol (Session Initiation Protocol, a standard for multimedia conferencing over IP) or provide address translation (NAT) services for that protocol.

The affected products are Cisco IOS 12.2T and 12.2 'X' routers; Cisco PIX firewalls with SIP support, versions 5.2 and later, except 6.2(2), 6.1(4), 6.0(4) and 5.2(9); and, finally, Cisco IP Phone models 7940/7960 with SIP images earlier than version 4.2.

For more technical information, see the Cisco alert at this address.

Carlos Machado, INFO
http://info.abril.com.br/aberto/infonews/022003/24022003-6.shl

From mieko em ccuec.unicamp.br Tue Feb 25 08:46:22 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 25 Feb 2003 08:46:22 -0300
Subject: [SECURITY-L] Symantec Norton AntiVirus 2002 Buffer Overflow Vulnerability
Message-ID: <3E5B578E.4F2CC314@ccuec.unicamp.br>

Subject: Symantec Norton AntiVirus 2002 Buffer Overflow Vulnerability
Date: Fri, 21 Feb 2003 22:46:55 -0300 (ART)
From: Caio Souza
To: mieko em ccuec.unicamp.br

To: BugTraq
Subject: [SNS Advisory No.61] Symantec Norton AntiVirus 2002 Buffer Overflow Vulnerability
Date: Feb 19 2003 5:00AM
Author: snsadv em lac.co.jp
Message-ID: <20030219135621.B7E1.SNSADV em lac.co.jp>

[Moderator note: This post was withheld, with permission from SNS, to ensure that the issue was resolved completely. ]

----------------------------------------------------------------------
SNS Advisory No.61
Symantec Norton AntiVirus 2002 Buffer Overflow Vulnerability

Problem first discovered: Thu, 26 Dec 2002
Published: Wed, 19 Feb 2003
Reference: http://www.lac.co.jp/security/english/snsadv_e/61_e.html
----------------------------------------------------------------------

Overview:
---------
The e-mail scanning function in Symantec Norton AntiVirus 2002 may cause a Buffer Overflow.

Problem Description:
--------------------
The e-mail scanning function in Symantec Norton AntiVirus 2002 will cause a Buffer Overflow when it receives an e-mail message with a compressed file which includes a file with an unusually long filename. An attacker could exploit this problem to execute arbitrary code with the privilege of the currently logged on user.

Tested Versions:
----------------
Symantec Norton AntiVirus 2002 (version 8.07.17C)

Tested OS:
----------
Windows 2000 Professional Japanese Edition + Windows 2000 Service Pack 3

Solution:
---------
Update AntiVirus 2002 by using LiveUpdate.

Discovered by:
--------------
ARAI Yuu y.arai em lac.co.jp

Acknowledgements:
-----------------
Thanks to: Symantec Security Response

Disclaimer:
-----------
All information in these advisories is subject to change without any advance notice or mutual consensus, and each of them is released as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences caused by applying this information.
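A gateway-side check for the condition the advisory describes, written as an added example rather than LAC's or Symantec's code: it walks the ZIP central directory with explicit bounds checks and quarantines attachments that carry an overlong member name before any scanner copies that name into a fixed-size buffer. The 255-byte limit and the constructed sample archives are assumptions; the advisory itself states no threshold.

```python
"""Pre-scan check for the failure mode in SNS Advisory No.61.

Added example, not LAC's or Symantec's code: a mail gateway can refuse an
attachment whose ZIP central directory carries an overlong member name
before the archive reaches a scanner that copies names into fixed buffers.
The 255-byte limit and the sample archives below are assumptions.
"""
import io
import struct
import zipfile

MAX_NAME_LEN = 255          # assumed policy limit; the advisory states no threshold
EOCD_SIG = b"PK\x05\x06"    # end of central directory record
CDIR_SIG = b"PK\x01\x02"    # central directory file header
# EOCD: sig, disk, cd disk, entries here, entries total, cd size, cd offset, comment len
EOCD_FMT = "<4sHHHHIIH"
# 46-byte central directory header; fields 10..12 are name/extra/comment lengths
CDIR_FMT = "<4sHHHHHHIIIHHHHHII"


def member_names(data):
    """Yield (name_length, raw_name) for each central directory entry.

    Every length field is checked against the buffer before use, and a
    corrupt structure raises ValueError instead of reading out of bounds.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + struct.calcsize(EOCD_FMT) > len(data):
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, cd_size, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd)
    end = cd_offset + cd_size
    if end > len(data):
        raise ValueError("central directory extends past end of file")
    pos = cd_offset
    hdr = struct.calcsize(CDIR_FMT)
    for _ in range(total):
        if pos + hdr > end or data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("truncated or corrupt central directory header")
        fields = struct.unpack_from(CDIR_FMT, data, pos)
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        name_start = pos + hdr
        next_pos = name_start + name_len + extra_len + comment_len
        if next_pos > end:
            raise ValueError("member name/extra/comment exceeds central directory")
        yield name_len, data[name_start:name_start + name_len]
        pos = next_pos


def overlong_members(data, limit=MAX_NAME_LEN):
    """Return [(name_length, preview)] for members whose name exceeds limit."""
    return [(n, raw[:32].decode("ascii", "replace") + ("..." if n > 32 else ""))
            for n, raw in member_names(data) if n > limit]


def should_quarantine(data, limit=MAX_NAME_LEN):
    """Gateway decision: quarantine on overlong names or on an unparseable archive."""
    try:
        return bool(overlong_members(data, limit))
    except ValueError:
        return True


def build_sample(name_len):
    """Constructed test archive: one ordinary member plus one of the given name length."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless text")
        zf.writestr("A" * name_len, "placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    for n in (20, 1000):
        sample = build_sample(n)
        verdict = "quarantine" if should_quarantine(sample) else "pass"
        print(f"member name length {n}: {verdict} {overlong_members(sample)}")
```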
------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory
Computer Security Laboratory, LAC
http://www.lac.co.jp/security/

From mieko em ccuec.unicamp.br Tue Feb 25 08:53:26 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 25 Feb 2003 08:53:26 -0300
Subject: [SECURITY-L] Nessus 2.0 is out
Message-ID: <3E5B5936.A5881253@ccuec.unicamp.br>

Subject: Nessus 2.0 is out
Date: Mon, 24 Feb 2003 20:45:46 +0100
From: Renaud Deraison
To: bugtraq em securityfocus.com

I'm pleased to announce the availability of Nessus 2.0.

What is Nessus
--------------

Nessus is a vulnerability assessment tool available under the GNU General Public Licence (GPL). It runs on many Unix-like systems (Linux/FreeBSD/OpenBSD/Solaris/IRIX/MacOSX and probably others) but can audit a wide range of hosts, ranging from HP printers to Windows XP.

Its complete list of features is available at http://www.nessus.org/features.html

What is new in Nessus 2.0
-------------------------

The focus of Nessus 2.0 was to clean up the code and greatly improve the speed of nessusd. As a result, the major changes are:

- Brand new NASL interpreter, totally re-written from scratch
- Extended the NASL language to support new operators and functions
- Smarter plugin scheduling algorithms, for better parallelism
- New ways to perform service detection - each plugin which positively identifies a service registers it in the knowledge base. At the end of the scan, services which have not been recognized are flagged and appear in the report
- Greatly reduced memory usage
- Support for multiple CVE ids per plugin
- Support for Bugtraq IDs in the plugins
- New port scanner (synscan.nes) which computes the round trip time to the remote host. As a result, scanning firewalled hosts is faster
- Slightly improved the HTML reporting

What is *not* new in Nessus 2.0
--------------------------------

We did not change the GUI, so if you expect shiny new buttons, they're not there. We preferred to focus on the engine for this release; the rest will follow during the 2.1.x development cycle.
Availability
------------

Nessus 2.0 is available at http://www.nessus.org/download.html

Talk
----

I will briefly present the speed improvements of Nessus 2.0 during the talk Ron Gula and I will do about distributed scanning and IDS correlation at CanSecWest (www.cansecwest.com)

Release notes
-------------

These are platform-specific release notes:

o Linux

synscan.nes does not work against localhost, because of the way the libpcap-0.4.x performs packet capture on the loopback interface.

o FreeBSD / OpenBSD / NetBSD

Be sure to create a lot of /dev/bpf on your system before installing Nessus. You may want to check http://cvs.nessus.org/cgi-bin/cvsweb.cgi/~checkout~/nessus-libraries/README.BPF before installing Nessus

o Mac OS X

MacOS X is supported, provided you installed the developer tools, Apple's X11 server and optionally GTK. Because of the very limited number of BPFs, you may want to disable the 'ping host' plugin and use the tcp connect() port scanner, as there is no easy way to increase those. Nessus includes a workaround but we suggest you avoid using it at this time.

o Solaris

Be sure to use Bison 1.75 and gnu M4 when compiling Nessus

o IRIX

Packet capture does not work, so the 'ping host' plugin will always return every host as being dead. Disable it, and use the tcp connect() port scanner.

Thanks
------

I would like to thank everyone who took part in the development process of Nessus 2.0, and in particular:

Michel Arboi (who did the NASL rewriting)
Javier Fernandez-Sanguino
Jay(@kinetic.org)
Erik Anderson
Michael Scheidell

and to everyone who reported bugs, made suggestions, and sent feedback during the whole 1.3.x development cycle.

--
Renaud Deraison
Director of Research
Tenable Network Security
http://www.tenablesecurity.com

From mieko em ccuec.unicamp.br Tue Feb 25 11:07:42 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 25 Feb 2003 11:07:42 -0300
Subject: [SECURITY-L] Securing Windows 2000 Server Documentation
Message-ID: <3E5B78AE.E0C48F16@ccuec.unicamp.br>

Subject: Securing Windows 2000 Server Documentation
Date: Mon, 24 Feb 2003 11:12:20 -0800
From: "Michael Howard"
To:

The Microsoft Solutions for Security team has released 'Securing Windows 2000 Server'. This is the first of several prescriptive security solutions planned for release this year. These new security solutions are designed to provide customers with authoritative, proven, and tested solutions that address today's security challenges and business requirements.

The contents include:

Chapter 1: Introduction to Securing Windows 2000 Server

This chapter introduces the Securing Windows 2000 Server guide. It includes a brief overview of each of the other chapters.

Chapter 2: Defining the Security Landscape

This chapter focuses on defining security components that need to be understood to perform a security analysis of your organization. General guidance on how to perform a preliminary asset analysis for your organization is offered. The relationship between threats, exposures, vulnerabilities, and countermeasures is also explained.

Chapter 3: Understanding the Security Risk Management Discipline

Proven practices are drawn upon in this chapter, from security analysis methodologies in use today that leverage the MSF and MOF. The SRMD also is defined in detail in this chapter, which provides learning that can be applied to assess and determine the level of risk in your own environment.

Chapter 4: Applying the Security Risk Management Discipline

The SRMD is put into practice throughout this chapter to determine which threats and vulnerabilities have the most potential impact on a particular organization. This chapter applies this process to a generic scenario in which a fictitious company is used to illustrate how a set of common implementation decisions, and, therefore, a significant number of real-world vulnerabilities, should be determined. At the conclusion of this chapter, the specific risks addressed are fully defined, described, and analyzed.
Chapter 5: Securing the Domain Infrastructure

Determining the criteria on which to base decisions that impact the organization at a domain level is the focus of this chapter. A high level overview of the Microsoft(r) Active Directory(r) service design, the organizational unit (OU) design, and domain policy is provided. In addition, specific domain policies that are implemented at Contoso, the fictional customer scenario used in this guide, are discussed in detail.

Chapter 6: Hardening the Base Windows 2000 Server

The base settings applied to the member servers at Contoso are explained in this chapter. Group Policy was used to apply as many of the changes to the default Windows 2000 Server configuration as possible. For the member servers in this scenario, the Group Policy settings described are stored in the security template, MSS Baseline.inf. This template was imported into the Member Server Baseline Policy group policy, which is linked to the Member Server OU.

Chapter 7: Hardening Specific Server Roles

The domain controllers, file servers, network infrastructure servers, and Web servers in any organization require different settings to maximize their security. This chapter focuses on the domain controllers and the other primary member server roles to show the steps that you should take to ensure that each of these roles is as secure as possible.

Chapter 8: Patch Management

This chapter shows how to ensure that an environment is kept up to date with all the necessary security patches; how to find out about new patches in a timely manner, how to implement them quickly and reliably, and how to monitor to ensure that they are deployed consistently.

Chapter 9: Auditing and Intrusion Detection

This chapter shows how to audit an environment to provide the best chances of spotting attacks. It also looks at intrusion detection systems - software that is specifically designed to detect behavior that indicates an attack is occurring.
Chapter 10: Responding to Incidents

This chapter covers the best ways to respond to different types of attack and includes the steps that you should take to report the incidents effectively. It also includes a case study to illustrate a typical response to an incident.

Chapter 11: Conclusion

This chapter closes out the solution guide by providing a brief overview of everything that has been discussed.

The guides are available at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/Windows/SecWin2k/Default.asp

PDF versions of the guides as well as the scripts, security templates, and job aids can be downloaded at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9964cf42-e236-4d73-aef4-7b4fdc0a25f6&DisplayLang=en

Cheers,
Michael
Secure Windows Initiative
Writing Secure Code 2nd Edition
http://www.microsoft.com/mspress/books/5957.asp

From mieko em ccuec.unicamp.br Tue Feb 25 10:31:58 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 25 Feb 2003 10:31:58 -0300
Subject: [SECURITY-L] News Bulletins
Message-ID: <20030225133157.GA2098@ccuec.unicamp.br>

Dear users,

We have updated the site of Unicamp's Systems and Network Security Team with the following news bulletins and/or electronic magazines:

24/02/2003
----------
SANS Free Webcast - Legal Liability for Security Breaches
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/02/b21.txt

SecurityFocus Newsletter #185
Source: SecurityFocus
http://www.security.unicamp.br/docs/informativos/2003/02/b20.txt

No.283: Security and the new Civil Code
Source: Modulo
http://www.security.unicamp.br/docs/informativos/2003/02/b19.txt

SANS Critical Vulnerability Analysis Vol 2 No 07
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/02/b18.txt

22/02/2003
----------
SANS/GIAC Update Version 9
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/02/b17.txt

21/02/2003
----------
LinuxSecurity Brasil Weekly Special Edition (21/02/03)
Source: LinuxSecurity Brasil
http://www.security.unicamp.br/docs/informativos/2003/02/b16.txt

19/02/2003
----------
SANS NewsBites Vol. 5 Num. 07
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/02/b15.txt

17/02/2003
----------
SecurityFocus Newsletter #184
Source: SecurityFocus
http://www.security.unicamp.br/docs/informativos/2003/02/b14.txt

No.282: Security and the new Civil Code
Source: Modulo
http://www.security.unicamp.br/docs/informativos/2003/02/b13.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Tue Feb 25 11:20:02 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 25 Feb 2003 11:20:02 -0300
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030225142002.GA2147@ccuec.unicamp.br>

Dear Users,

We have updated the website of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

24/02/2003
----------
Red Hat Network (RHN) - Errata Alert (RHSA-2003:053-10)
Subject: Updated vte packages fix gnome-terminal vulnerability
http://www.security.unicamp.br/docs/bugs/2003/02/v99.txt

Conectiva Linux Security Announcement (CLA-2003:570)
Subject: Information leak in encrypted connections in openssl
http://www.security.unicamp.br/docs/bugs/2003/02/v98.txt

Conectiva Linux Security Announcement (CLA-2003:570), Portuguese-language version
Subject: Information leak in encrypted connections in the openssl package
http://www.security.unicamp.br/docs/bugs/2003/02/v97.txt

Secure Windows Initiative
Subject: Securing Windows 2000 Server Documentation
http://www.security.unicamp.br/docs/bugs/2003/02/v96.txt

Debian Security Advisory (DSA 253-1)
Subject: information leak in openssl
http://www.security.unicamp.br/docs/bugs/2003/02/v95.txt

FreeBSD Security Advisory (FreeBSD-SA-03:03)
Subject: Brute force attack on SYN cookies
http://www.security.unicamp.br/docs/bugs/2003/02/v94.txt

Gentoo Linux Security Announcement (200302-16)
Subject: insecure cookie generation in vnc
http://www.security.unicamp.br/docs/bugs/2003/02/v93.txt

Gentoo Linux Security Announcement (200302-15)
Subject: insecure cookie generation in tightvnc
http://www.security.unicamp.br/docs/bugs/2003/02/v92.txt

Gentoo Linux Security Announcement (200302-14)
Subject: unauthorized access in usermin
http://www.security.unicamp.br/docs/bugs/2003/02/v91.txt

Gentoo Linux Security Announcement (200302-13)
Subject: remote root vulnerability and buffer overflows
http://www.security.unicamp.br/docs/bugs/2003/02/v90.txt

SNS Advisory (No.62)
Subject: Webmin/Usermin Session ID Spoofing Vulnerability "Episode 2"
http://www.security.unicamp.br/docs/bugs/2003/02/v89.txt

--
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Wed Feb 26 10:17:41 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Wed, 26 Feb 2003 10:17:41 -0300
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030226131741.GA3812@ccuec.unicamp.br>

Dear Users,

We have updated the website of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

25/02/2003
----------
EnGarde Secure Linux Security Advisory (ESA-20030225-006)
Subject: WebTool session ID spoofing vulnerability.
http://www.security.unicamp.br/docs/bugs/2003/02/v103.txt

24/02/2003
----------
Red Hat Security Advisory (RHSA-2003:053-10)
Subject: Updated vte packages fix gnome-terminal vulnerability
http://www.security.unicamp.br/docs/bugs/2003/02/v102.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:023)
Subject: Security vulnerability in the lynx package
http://www.security.unicamp.br/docs/bugs/2003/02/v101.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:022)
Subject: Security vulnerabilities in the vnc package
http://www.security.unicamp.br/docs/bugs/2003/02/v100.txt

--
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Thu Feb 27 09:01:27 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 27 Feb 2003 09:01:27 -0300
Subject: [SECURITY-L] Microsoft Security Bulletin MS03-006: Flaw in Windows Me Help and Support Center Could Enable Code Execution (812709)
Message-ID: <3E5DFE17.EE4A21EF@ccuec.unicamp.br>

Subject: Microsoft Security Bulletin MS03-006: Flaw in Windows Me Help and Support Center Could Enable Code Execution (812709)
Date: Wed, 26 Feb 2003 13:08:03 -0800
From: "Microsoft" <0_44819_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com>
Reply-To: <3_44819_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com>
To:

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------
Title:      Flaw in Windows Me Help and Support Center Could Enable Code Execution (812709)
Date:       26 February, 2003
Software:   Microsoft Windows Me
Impact:     Run Code of Attacker's Choice
Max Risk:   Critical
Bulletin:   MS03-006

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-006.asp
http://www.microsoft.com/security/security_bulletins/ms03-006.asp
- -----------------------------------------------------------------

Issue:
======
Help and Support Center provides a centralized facility through which users can obtain assistance on a variety of topics. For instance, it provides product documentation, assistance in determining hardware compatibility, access to Windows Update, online help from Microsoft, and other assistance. Users and programs can execute URL links to Help and Support Center by using the "hcp://" prefix in a URL link instead of "http://".

A security vulnerability is present in the Windows Me version of Help and Support Center, and results because the URL Handler for the "hcp://" prefix contains an unchecked buffer. An attacker could exploit the vulnerability by constructing a URL that, when clicked on by the user, would execute code of the attacker's choice in the Local Computer security context. The URL could be hosted on a web page, or sent directly to the user in email.

In the web-based scenario, where a user then clicked on the URL hosted on a website, an attacker could have the ability to read or launch files already present on the local machine.
In the case of an e-mail borne attack, if the user was using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, then an attack could not be automated and the user would still need to click on a URL sent in e-mail. However, if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, the attacker could cause an attack to trigger automatically without the user having to click on a URL contained in an e-mail.

Mitigating Factors:
====================
- The Help and Support Center function could not be started automatically in Outlook Express or Outlook if the user is running Internet Explorer 6.0 Service Pack 1.
- For an attack to be successful, the user would need to visit a website under the attacker's control or receive an HTML e-mail from the attacker.
- Automatic exploitation of the vulnerability by an HTML email would be blocked by Outlook Express 6.0 and Outlook 2002 in their default configurations, and by Outlook 98 and 2000 if used in conjunction with the Outlook Email Security Update.

Risk Rating:
============
- Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
  http://www.microsoft.com/technet/security/bulletin/ms03-006.asp
  http://www.microsoft.com/security/security_bulletins/ms03-006.asp
  for information on obtaining this patch.
- -----------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPl0MJo0ZSRQxA/UrAQGXswgAg+ZZ1oCiFD6ktITFi7Q3Oc44txdU927I
MRwZq6y6HHAD+hjcAbDyT5X9Djc36tYEB5CaDbq/qCWgSUJa6qopf11PCuxd9XS7
7XoI73ofAoVSnRB9x9wknRAoTRtffNwmyW8ILuVVCK3y0JP+ThgYS6DinY9OCY5Q
Fa7X4aojh5kwV5nQt4cyPKk7C9arVLJ0ww6c66J8XdF+/p7kILItrSqsqUDe1gz1
ES4ib7MnAnGPNlB/elSRuDYU4YkgBEEVgC5od28VcaBAq+GHn4KEYWDkpRNQozQj
azo+D8/Y+v3zdFau9oTrqV6MgKR2yULCeKQidcOrU2QLxmWW5cw/bA==
=jA6C
-----END PGP SIGNATURE-----

*******************************************************************
You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp

If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below: Reply to this message with the word UNSUBSCRIBE in the Subject line.

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.

From mieko em ccuec.unicamp.br Thu Feb 27 09:21:06 2003
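The MS03-006 bulletin above describes a URL handler reached through the "hcp://" scheme from a web page or an HTML e-mail, and notes that in some mail client configurations the link fires without a click. From the defender's side the observable is the link itself, so a mail gateway or client hook can refuse to deliver HTML mail that carries such links, which covers both the automatic case and the click-through case. The following Python filter is an added example written for this archive; it is not Microsoft's code and not from the SECURITY-L list. The sample message is constructed, and the hook that would hand the filter the decoded HTML part of a message is assumed.

```python
"""Flag "hcp://" links in the HTML part of an e-mail.

Added example, not Microsoft's code and not from the SECURITY-L list.
It assumes a mail gateway or client hook that hands find_flagged_links()
the decoded HTML body; SAMPLE_HTML below is constructed for this example.
"""
from html.parser import HTMLParser

# URL schemes whose presence in mail is treated as a block indicator.  The
# bulletin concerns "hcp://"; a tuple keeps the list easy to extend.
FLAGGED_SCHEMES = ("hcp:",)

# Attributes that make a mail client or browser resolve a URL.
URL_ATTRIBUTES = {"href", "src", "action", "data", "background"}

# C0 control characters and space, which the URL standard strips from the
# ends of a URL before parsing it.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def scheme_of(url: str) -> str:
    """Return the lower-cased scheme of a URL (e.g. "hcp:"), or "" if none.

    Leading/trailing controls and embedded tab/newline are removed first,
    the way URL parsers do, so "\\tHcP://x" and "h\\tcp://x" both resolve
    to the hcp scheme rather than slipping past a naive prefix check.
    """
    cleaned = url.strip(_C0_AND_SPACE)
    cleaned = "".join(ch for ch in cleaned if ch not in "\t\n\r")
    head, sep, _ = cleaned.partition(":")
    if not sep or any(c in head for c in "/?#"):
        return ""                    # relative URL, or ":" inside the path
    return head.lower() + ":"


class _LinkCollector(HTMLParser):
    """Collect (tag, attribute, url) for every URL-bearing attribute.

    HTMLParser decodes character references in attribute values, so an
    obfuscated "&#104;cp://..." reaches us already as "hcp://...".
    """

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is not None and name.lower() in URL_ATTRIBUTES:
                self.links.append((tag, name.lower(), value))


def find_flagged_links(html: str) -> list:
    """Return [(tag, attribute, url), ...] whose scheme is in FLAGGED_SCHEMES."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    return [(tag, attr, url) for tag, attr, url in collector.links
            if scheme_of(url) in FLAGGED_SCHEMES]


def classify(html: str) -> str:
    """Gateway verdict: "quarantine" if any flagged link is present, else "deliver"."""
    return "quarantine" if find_flagged_links(html) else "deliver"


# Constructed sample: one ordinary link, one hcp:// link hidden behind mixed
# case and a leading tab, and a 1x1 iframe whose src spells "h" as "&#104;".
SAMPLE_HTML = """\
<html><body>
<p>Monthly newsletter: <a href="http://example.invalid/news">read online</a></p>
<p>Need help? <a href="\tHcP://placeholder-topic">Open the Help and Support Center</a></p>
<iframe src="&#104;cp://placeholder-topic" width="1" height="1"></iframe>
</body></html>
"""


if __name__ == "__main__":
    for tag, attr, url in find_flagged_links(SAMPLE_HTML):
        print(f"flagged <{tag} {attr}> -> {url!r}")
    print(classify(SAMPLE_HTML))
```

The scheme check normalises the value the way a URL parser would rather than testing for a literal `hcp://` prefix, because case, leading whitespace and embedded tabs are all tolerated by HTML clients and would otherwise let a link through. Once the patch from the bulletin is applied the handler itself is fixed; the filter is the compensating control for hosts that have not yet been updated.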
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 27 Feb 2003 09:21:06 -0300
Subject: [SECURITY-L] Vulnerability in Windows Me Help opens PC to intruders
Message-ID: <3E5E02B2.6B84E8FE@ccuec.unicamp.br>

Subject: Vulnerability in Windows Me Help opens PC to intruders
Date: Wed, 26 Feb 2003 19:14:15 -0300 (ART)
From: Caio Souza

26/02/2003 - 17h51
Vulnerability in Windows Me Help opens PC to intruders
from Folha Online

In a new security bulletin issued today, Microsoft warns users of its Windows Me (Millennium) operating system about a vulnerability that exposes the computer to hackers.

According to the software giant, the security hole is in the Help (Help and Support Center) of Windows Me. Help is a kind of database that centralizes information on a range of topics. For example, there the user can find product documentation, help on the compatibility of a given piece of hardware, access to Windows Update, online assistance and other kinds of help.

In addition, users can run URL links that lead to the Help and Support Center. To do so, they have to replace "http://" with "hcp://". This is exactly where the vulnerability lies. The bug occurs because of an unchecked buffer in the "hcp://" prefix.

An attacker can exploit the vulnerability by building a URL that, when clicked by the user, runs whatever code the attacker has chosen. The URL can be hosted on a web page or sent directly to the user by e-mail. Once the user has clicked the malicious URL, the hacker gains access to all the documents on the victim's PC.

Microsoft provides a fix for the vulnerability on its website. To learn more about the bug or to download the fix, click here.
http://www1.folha.uol.com.br/folha/informatica/ult124u12376.shtml

From mieko em ccuec.unicamp.br Thu Feb 27 09:26:58 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 27 Feb 2003 09:26:58 -0300
Subject: [SECURITY-L] Windows Update captures personal data
Message-ID: <3E5E0412.769EE44A@ccuec.unicamp.br>

Subject: Windows Update captures personal data
Date: Wed, 26 Feb 2003 19:17:29 -0300 (ART)
From: Caio Souza

Windows Update captures personal data
Wednesday, 26 February 2003 - 12h31
IDG Now!

The Windows Update privacy policy used to boil down to a large banner stating that software updates were performed "without sending information to Microsoft", assuring the user's privacy in the event of suspicious activity on the network. Times have changed, however. New versions of Windows Update send a significant amount of data to Microsoft's update server. Unfortunately, the exact content transmitted (over an SSL (Secure Sockets Layer) encrypted connection) and its relevance to user privacy have not been disclosed so far.

Windows Update consists of a few HTML pages with a large amount of embedded JavaScript code and a component called COM. These "blocks" are downloaded when the user opens the Windows Update page (http://v4.windowsupdate.microsoft.com/default.asp) in Internet Explorer. The main task of the JavaScript code, which is easy to analyze since the Java source code can be examined, is to interact with the user. The most interesting functionality, however, is hidden in the COM component.

Using a tool called tecDump it is possible to find out that Windows Update uses POST requests to transmit SOAP (Simple Object Access Protocol) messages to Microsoft's server. SOAP is the standard protocol on which the XML (eXtensible Markup Language) language relies for Web services communication, the elementary building block of Microsoft's .Net platform.

The most worrying factor regarding privacy involves Windows Update's ability to enumerate the components of the user's machine. This list, transferred to Microsoft's server, can reveal the manufacturer and model of every PCI card installed in the computer, as well as of storage devices and hardware components.

The approach of older versions of Windows Update was to download a complete list of updates and then filter the relevant data on the user's computer, without transferring any significant information to Microsoft.

The problem does not apply only to driver updates. The server-side filtering system could also determine which software is installed on the user's machine. Imagine that Microsoft could find out whether you use a Mozilla 1.0 browser: create a product category called mo10, add a rule to determine whether Mozilla 1.0 is installed, and then return this product category when Windows Update sends a request to Microsoft's server.

Newer product categories could also be used for nobler purposes, making it technically simple to open Windows Update to other software vendors, relying on the COM component's ability to list the vendors of all the software packages installed on users' machines. This practice is not in use at present, but it may become a major privacy problem in the future.

To read the full version of this article, in English, click here.

[ Mike Hartmann - tecChannel, Germany ]

Related news:
· Microsoft develops technology to strengthen security
· Microsoft brings Windows closer to the Macintosh
· Office 2003 beta leaks on the Web

From mieko em ccuec.unicamp.br Thu Feb 27 09:29:48 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 27 Feb 2003 09:29:48 -0300
Subject: [SECURITY-L] AQL virus opens up computer commands
Message-ID: <3E5E04BC.C6234F0C@ccuec.unicamp.br>

Subject: AQL virus opens up computer commands
Date: Wed, 26 Feb 2003 19:18:34 -0300 (ART)
From: Caio Souza
To: mieko em ccuec.unicamp.br

News
São Paulo, 26 February 2003
AQL virus opens up computer commands
CSO Online

Information from McAfee warns of the discovery of the Backdoor-AQL Trojan horse, whose origin is still unknown. The remote-access threat contains two components: a server and a client. Once the server component is run on the machine, the hacker (client) is able to connect to and administer the victim's computer.

Technically, AQL establishes TCP communication so that it receives the commands sent by the client component through port 2003. Unlike other remote-access Trojan horses, the threat does not copy itself to system folders nor add registry entries.

Among the functions sent by the hacker are: sending messages; running any commands in the DOS environment; opening, closing and playing a CD, if there is one in the CD-ROM drive; disabling the "double-click" function on the victim's machine; and opening specific websites.

AQL can reach the victim through chat channels and newsgroups. For now, it is considered low risk because of the small number of recorded cases.
http://www.csoonline.com.br/adCmsDocumentoShow.aspx?documento=22389&Area=2

From mieko em ccuec.unicamp.br Thu Feb 27 11:43:36 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 27 Feb 2003 11:43:36 -0300
Subject: [SECURITY-L] News Bulletin
Message-ID: <20030227144335.GA5670@ccuec.unicamp.br>

Dear Users,

We have updated the website of the Unicamp Systems and Network Security Team with the following news bulletin and/or electronic magazine:

26/02/2003
----------
SANS NewsBites Vol. 5 Num. 08
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/02/b22.txt

--
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Thu Feb 27 11:44:24 2003
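The McAfee note relayed above says the Backdoor-AQL server component takes commands over TCP port 2003 and neither copies itself into system folders nor adds registry entries. That last detail matters for detection: an audit of autostart locations will not see it, but the listening socket will, and the image behind that socket is what distinguishes a dropped executable from a legitimate service. The following Python check is an added example written for this archive, not McAfee's or CSO Online's code; it parses constructed lines in the layout of a modern Windows "netstat -ano" listing together with an assumed PID-to-image mapping, both of which a real check would read live from the host.

```python
"""Flag TCP sockets bound to port 2003, the Backdoor-AQL control port.

Added example, not McAfee's or CSO Online's code.  SAMPLE_NETSTAT and
SAMPLE_PROCESSES are constructed for this example; a real check would read
the live socket table and process list of the host instead.
"""
import re
from dataclasses import dataclass

# Port reported for the trojan's server component in the McAfee note.
AQL_CONTROL_PORT = 2003

# Socket states in which the port is actually reachable by a client.
ACTIVE_STATES = {"LISTENING", "ESTABLISHED"}

# One line of a Windows "netstat -ano" listing (assumed layout):
#   proto  local-address:port  remote-address:port  [state]  pid
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"      # UDP rows carry no state column
    r"(?P<pid>\d+)\s*$"
)


@dataclass(frozen=True)
class Socket:
    proto: str
    local_addr: str
    local_port: int
    remote: str      # "addr:port", or "*:*" for UDP
    state: str       # "" when the listing has no state column
    pid: int


def parse_netstat(text: str) -> list:
    """Parse netstat-style lines; header, blank and unknown lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m is None:
            continue
        sockets.append(Socket(
            proto=m["proto"],
            local_addr=m["laddr"],
            local_port=int(m["lport"]),
            remote=m["raddr"],
            state=m["state"] or "",
            pid=int(m["pid"]),
        ))
    return sockets


def find_aql_indicators(sockets: list, pid_to_image: dict) -> list:
    """Return [(socket, image_path)] for active TCP sockets on the AQL port.

    The image path is the analyst's next step: a trojan that does not persist
    in system folders runs from wherever it was dropped, so the path is the
    quickest way to tell it apart from a legitimate service on the same port.
    """
    hits = []
    for sock in sockets:
        if sock.proto != "TCP" or sock.state not in ACTIVE_STATES:
            continue
        if sock.local_port == AQL_CONTROL_PORT:
            hits.append((sock, pid_to_image.get(sock.pid, "<unknown pid>")))
    return hits


# Constructed sample listing: a web server, a NetBIOS UDP socket, the AQL-style
# listener, and an established connection into it from a remote client.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1120
  TCP    0.0.0.0:2003           0.0.0.0:0              LISTENING       1780
  TCP    192.0.2.10:2003        198.51.100.7:41022     ESTABLISHED     1780
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID-to-image mapping (what a task list would return).
SAMPLE_PROCESSES = {
    1120: r"C:\Program Files\WebServer\httpd.exe",
    1780: r"C:\Users\alice\Downloads\game.exe",
    4: "System",
}


if __name__ == "__main__":
    for sock, image in find_aql_indicators(parse_netstat(SAMPLE_NETSTAT),
                                           SAMPLE_PROCESSES):
        print(f"{sock.state:<12} {sock.local_addr}:{sock.local_port} "
              f"<- {sock.remote}  pid {sock.pid}  {image}")
```

A port match on its own is weak evidence, since any program may bind 2003, which is why the check reports the owning process rather than just the socket; the established connection in the sample also gives the remote address to look up in gateway logs. The mapping from PID to image is assumed here and would come from the host's process list in practice.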
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 27 Feb 2003 11:44:24 -0300
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030227144423.GB5670@ccuec.unicamp.br>

Dear Users,

We have updated the website of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

26/02/2003
----------
Microsoft Security Bulletin (MS03-006)
Subject: Flaw in Windows Me Help and Support Center Could Enable Code Execution (812709)
http://www.security.unicamp.br/docs/bugs/2003/02/v107.txt

SuSE Security Announcement (SuSE-SA:2003:011)
Subject: remote attack on encryption in openssl
http://www.security.unicamp.br/docs/bugs/2003/02/v106.txt

Secunia Research (26/02/2003)
Subject: Opera browser Cross Site Scripting
http://www.security.unicamp.br/docs/bugs/2003/02/v105.txt

SuSE Security Announcement (SuSE-SA:2003:0010)
Subject: Security vulnerability in the libmcrypt package
http://www.security.unicamp.br/docs/bugs/2003/02/v104.txt

--
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Thu Feb 27 14:57:20 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 27 Feb 2003 14:57:20 -0300
Subject: [SECURITY-L] CAIS-Alerta: Vulnerability in Windows Me Help (812709)
Message-ID: <3E5E5180.318395E9@ccuec.unicamp.br>

Subject: CAIS-Alerta: Vulnerability in Windows Me Help (812709)
Date: Thu, 27 Feb 2003 14:50:19 -0300 (BRT)
From: Centro de Atendimento a Incidentes de Seguranca
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is relaying the alert published by Microsoft, Microsoft Security Bulletin MS03-006: Flaw in Windows Me Help and Support Center Could Enable Code Execution (812709), which concerns a vulnerability in the implementation of the Windows Me Help and Support Center that may allow a remote attacker to execute arbitrary code.

Affected systems:
. Microsoft Windows Me

Available fixes:
The fix consists of applying the patch recommended by Microsoft and available at the URL listed below.
. Windows Me
http://windowsupdate.microsoft.com

More information:
http://www.microsoft.com/technet/security/bulletin/ms03-006.asp

CVE identifier: CAN-2003-0009 (http://cve.mitre.org)

CAIS recommends that administrators of Microsoft platforms keep their systems and applications up to date at all times.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br      http://www.cais.rnp.br              #
# Tel. 019-37873300       Fax. 019-37873301                    #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPl5P4+kli63F4U8VAQG8ygQAjcFMIqLAn9/iSvLsJEwtP7CS0UYT+i3Y
eULGBmzDlpySofBIkjWCbmJCtOw3R74kiitlS6HBwIlnriaESQ63UJUmpdWNLXkv
t8xSL/g5AhEvuyr5tgc4ZcjEqAr1PJ9dJ7WrGbL8DK8UGbvaJhBPn+z5dldDH/dX
wvqcraigP1c=
=gjgO
-----END PGP SIGNATURE-----

From mieko em ccuec.unicamp.br Fri Feb 28 11:26:49 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 28 Feb 2003 11:26:49 -0300
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030228142649.GA7270@ccuec.unicamp.br>

Dear Users,

We have updated the website of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

27/02/2003
----------
NGSSoftware Insight Security Research Advisory (#NISR27022003)
Subject: Remote Buffer Overrun in ISMAIL
http://www.security.unicamp.br/docs/bugs/2003/02/v116.txt

Debian Security Advisory (DSA 255-1)
Subject: infinite loop in tcpdump
http://www.security.unicamp.br/docs/bugs/2003/02/v115.txt

iDEFENSE Security Advisory (02.27.03)
Subject: TCPDUMP Denial of Service Vulnerability in ISAKMP Packet Parsing
http://www.security.unicamp.br/docs/bugs/2003/02/v114.txt

SuSE Security Announcement (SuSE-SA:2003:0012)
Subject: remote system compromise in hypermail
http://www.security.unicamp.br/docs/bugs/2003/02/v113.txt

CAIS-Alerta
Subject: Vulnerability in Windows Me Help (812709)
http://www.security.unicamp.br/docs/bugs/2003/02/v112.txt

Debian Security Advisory (DSA 254-1)
Subject: buffer overflow in traceroute-nanog
http://www.security.unicamp.br/docs/bugs/2003/02/v111.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:026)
Subject: Security vulnerability in the shadow-utils package
http://www.security.unicamp.br/docs/bugs/2003/02/v110.txt

26/02/2003
----------
SGI Security Advisory (20030202-01-I)
Subject: Buffer Overrun Vulnerability in /sbin/ps
http://www.security.unicamp.br/docs/bugs/2003/02/v109.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:025)
Subject: Security vulnerability in the webmin package
http://www.security.unicamp.br/docs/bugs/2003/02/v108.txt

--
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em unicamp.br Fri Feb 28 14:06:12 2003
From: mieko em unicamp.br (Silvana Mieko Misuta)
Date: Fri, 28 Feb 2003 14:06:12 -0300
Subject: [SECURITY-L] WindowsUpdate V4 leaks private information to MS
Message-ID: <3E5F9704.1CF06C7E@unicamp.br>

Subject: WindowsUpdate V4 leaks private information to MS
Date: Fri, 28 Feb 2003 11:39:32 -0300
From: Andre Aparecido Nogueira

For a change, Microsoft always wants to know a little more about Windows users. According to this article from TechChannel.de, since version 4 the WindowsUpdate program has started sending private information about what is installed on Windows computers. Earlier versions promised this would not happen, but after having convinced so many unsuspecting people to use Windows Update, supposedly to fix security problems, Microsoft's intention of learning more about what each person has on their computer, for who knows what purpose, has finally been revealed.

The truth is that most people who use WindowsUpdate regularly have probably already updated to version 4 and have probably been giving private information to Microsoft for some time without realizing that it is happening.

The most curious thing about this story is the potential of this "trap" for obtaining evidence of the use of pirated versions of Windows and of other Microsoft software. I think the information passed along could not serve as proof of a piracy offence, but it could certainly give much better indications about companies or institutions that are using a large number of pirated copies.

Source: GilDot

--
Andre Aparecido Nogueira
Faculdade de Eng. Agricola/UNICAMP          °v°
E-mail: mailto:andre em agr.unicamp.br      /(_)\
Be free, use Linux!                         ^ ^