Many vendors backport the patches to packages based on earlier versions of openssh. The following packages have been reported to address this issue:
Solaris 9 SPARC: patch 113273-04 or later
Solaris 9 x86: patch 114858-03 or later
AIX-5.2 opensshi-aix52 3.6.1p2_52
AIX-5.1 opensshi-aix51 3.6.1p2_51
HP-UX B.11.22 T1471AA_A.03.61.002_HP-UX_B.11.22_IA.depot
HP-UX B.11.11 T1471AA_A.03.61.002_HP-UX_B.11.11_32+64.depot
HP-UX B.11.00 T1471AA_A.03.61.002_HP-UX_B.11.00_32+64.depot
redhat: openssh-3.1p1-14
fedora: openssh-3.6.1p2-19
mandrake: openssh-3.6.1p2-1.1
debian: openssh-krb5_3.4p1
suse-8.2: openssh-3.5p1-106
suse-8.1, 8-0: openssh-3.4p1-214
Mac OS X 10.2.8

As a workaround, configure OpenSSH to run with privilege separation. This configuration will reduce the impact of any latent vulnerabilities.

A vulnerability has been announced in some versions of OpenSSH. An off-by-one error exists in the channel code. It has been reported that a local user can exploit this vulnerability by connecting to a vulnerable server (valid credentials are required). Additionally, a malicious server may attack a vulnerable OpenSSH client.

diff -u -r1.170 -r1.171
--- channels.c 27 Feb 2002 21:23:13 -0000 1.170
+++ channels.c 4 Mar 2002 19:37:58 -0000 1.171
@@ -146,7 +146,7 @@<BR> {
Channel *c;

- if (id < 0 || id > channels_alloc) {
+ if (id < 0 || id >= channels_alloc) {
log("channel_lookup: %d: bad id", id);
return NULL;
}


Updated versions are available at the following web site : www.openssh.com

A vulnerability exists within the "challenge-response" authentication mechanism in the OpenSSH daemon (sshd). This mechanism, part of the SSH2 protocol, verifies a user's identity by generating a challenge and forcing the user to supply a number of responses.

OpenSSH supports the SKEY and BSD_AUTH authentication options. These are compile-time options. At least one of these options must be enabled before the OpenSSH binaries are compiled for the vulnerable condition to be present. OpenBSD 3.0 and later is distributed with BSD_AUTH enabled. The SKEY and BSD_AUTH options are not enabled by default in many distributions. However, if these options are explicitly enabled, that build of OpenSSH may be vulnerable.

Note: Systems running with 'ChallengeResponseAuthentication no' are not affected.

You should do something like the following to prepare the privsep preauth environment:

# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd sshd

Set the following in your '/etc/ssh/sshd_config' file:

UsePrivilegeSeparation yes

PHP does not perform proper bounds checking on functions related to Form-based File Uploads in HTML (RFC1867). Specifically, this problem occurs in the functions used to decode MIME encoded files.

PHP is invoked through Web servers remotely. It may be possible for remote attackers to exploit this vulnerability to gain access to target systems. A vulnerable PHP interpreter module, which is available for Apache servers, is often enabled by default.

It is reported that it's possible to bypass the PHP strip_tags() function. By including ' 0' (NULL character) characters in HTML tags, it is reported that the PHP strip_tags() function will improperly leave tags in place. Although these tags are invalid HTML and are normally ignored by browsers, it is reported that Microsoft Internet Explorer and Apple Safari both discard the ' 0' (NULL) characters and interpret the tags.

This vulnerability may mean that previously presumed-safe Web applications could contain multiple cross-site scripting and HTML injection vulnerabilities when viewed by Microsoft Internet Explorer or Apple Safari.

It is reported that "magic_quotes_gpc" must be off for PHP to be vulnerable to this issue.

Various errors within PHP's memory_limit request termination (for example, when allocating Zend HashTables before proper initialization) can be exploited to execute arbitrary code by corrupting the heap (for example, supplying arbitrary HashTable destructor pointers).

Successful exploitation requires that a resource limit has been set using the "memory_limit" configuration directive.

By exploiting "memory_limit", attackers may execute an arbitrary code.

PHP does not perform proper bounds checking on functions related to Form-based File Uploads in HTML (RFC1867). Specifically, this problem occurs in the functions used to decode MIME encoded files.

PHP is invoked through Web servers remotely. It may be possible for remote attackers to exploit this vulnerability to gain access to target systems. A vulnerable PHP interpreter module, which is available for Apache servers, is often enabled by default.

It is reported that it's possible to bypass the PHP strip_tags() function. By including ' 0' (NULL character) characters in HTML tags, it is reported that the PHP strip_tags() function will improperly leave tags in place. Although these tags are invalid HTML and are normally ignored by browsers, it is reported that Microsoft Internet Explorer and Apple Safari both discard the ' 0' (NULL) characters and interpret the tags.

This vulnerability may mean that previously presumed-safe Web applications could contain multiple cross-site scripting and HTML injection vulnerabilities when viewed by Microsoft Internet Explorer or Apple Safari.

It is reported that "magic_quotes_gpc" must be off for PHP to be vulnerable to this issue.

Various errors within PHP's memory_limit request termination (for example, when allocating Zend HashTables before proper initialization) can be exploited to execute arbitrary code by corrupting the heap (for example, supplying arbitrary HashTable destructor pointers).

Successful exploitation requires that a resource limit has been set using the "memory_limit" configuration directive.

By exploiting "memory_limit", attackers may execute an arbitrary code.

A side-channel attack in the OpenSSL implementation has been published in a recent paper that may ultimately result in an active adversary gaining the RSA private key of a target server. The attack involves analysis of the timing of certain operations during client-server session key negotiation.

Session negotiation occurs using the RSA PKCS 1 type public key cryptography standard. During the client-server negotiation, the client constructs a proto-session-key using PKCS 1 formatted random bytes and encrypts it with the RSA public key of the server. The client then transmits this value to the server, which uses it to compute the shared session key. The server will generate a session key on its own and send an alert message to the client if the client-supplied proto-key decrypted by the server using its RSA private key is not properly PKCS 1 formatted.

It is possible for an adversary, acting as a client, to obtain bits of information about the server RSA private key by observing the time elapsed between the transmission of an invalid proto-key value and reception of the alert message from the server that is sent in response. The information is leaked during the decryption process and may, through successive observations, reveal the factorization of the private key to the adversary. An attacker may perform this attack by repeatedly establishing sessions with invalid proto-key values.

This problem affects many applications using OpenSSL. In particular, almost all SSL-enabled Apaches. You should rebuild and reinstall OpenSSL, and all affected applications.

A problem has been discovered in OpenSSH that could allow local users to gain elevated privileges. OpenSSH allows for certain environment variables to be set when users log in with specific keys. When the server is configured to use 'login' via the 'UseLogin' config flag, these environment variables are set for the 'login' process.

If the 'UseLogin' flag is set, local users can gain root privileges. UseLogin is not enabled by default.

Apache content negotiation functionality has been reported prone to a denial of service vulnerability. The issue may present itself, if an attacker has the ability to create a malicious type-map file. The attacker may craft the type-map file in a manner sufficient to cause the vulnerable server to fall into an infinite loop.

PHP released an upgrade to address multiple vulnerabilities, including integer overflow issues reported to affect PHP4 and bundled software. Vulnerable functions that were fixed include base64_encode(), bundled GD library functions, ibase_blob_get() etc. A complete list of security fixes can be found in the PHP4 ChangeLog for version 4.3.3. Exploitation of many of these issues may require third-party Web applications (that use the PHP4 web development suite) to directly accept input passed to internal functions in PHP.

Mod_SSL is an implementation of SSL (Secure Socket Layer) for the Apache Web server. Mod_SSL contains a buffer overflow vulnerability that could allow malicious users to execute arbitrary code. The overflow exists when Mod_SSL attempts to cache an SSL session. Vulnerable versions of Mod_SSL are incapable of handling large session representations.

To exploit this vulnerability, the malicious user must somehow increase the size of the data representing the session. This can be accomplished through the use of an extremely large client certificate. However, this is only possible if verification of client certificates is enabled, and if the certificates are verified by Certificate Authorities who are trusted by the Web server.

Mod_SSL Upgrade

Apache content negotiation functionality has been reported prone to a denial of service vulnerability. The issue may present itself, if an attacker has the ability to create a malicious type-map file. The attacker may craft the type-map file in a manner sufficient to cause the vulnerable server to fall into an infinite loop.

PHP released an upgrade to address multiple vulnerabilities, including integer overflow issues reported to affect PHP4 and bundled software. Vulnerable functions that were fixed include base64_encode(), bundled GD library functions, ibase_blob_get() etc. A complete list of security fixes can be found in the PHP4 ChangeLog for version 4.3.3. Exploitation of many of these issues may require third-party Web applications (that use the PHP4 web development suite) to directly accept input passed to internal functions in PHP.

A vulnerability has been reported for OpenSSH that may allow unauthorized access to an OpenSSH server's login mechanism. The vulnerability exists in the way OpenSSH restricts access. It's possible to configure OpenSSH to restrict access based on certain hostname or IP address patterns. When a connection is made to an OpenSSH server, a reverse DNS lookup is made to verify the hostname. Access to the login mechanism is then granted based on the lookup response.

An attacker who controls a malicious DNS server may be capable of spoofing a PTR record to mimic the hostname of an authorized user. Furthermore, by using a record containing an IP address of a trusted host, it may also be possible to bypass the access control.

• Enable "VerifyReverseMapping" on the sshd server. This is the vendor-recommended workaround. Note that this option may lead to slow logins when the client doesn't have a reverse DNS server.
• Consider using tcp-wrappers to restrict access by IP address.
• Consider using a packet filter or firewall in addition to the OpenSSH restrictions.

Apache HTTP Server Version 1.3.28 was released in response to multiple vulnerabilities. Apache is vulnerable to three potential security issues. The impact of these vulnerabilities includes denial of service, file descriptor leakage, and logging failures.

Attackers may also be able to send specially crafted requests that cause Apache to go into an internal loop and eventually crash.

Under certain circumstances, Apache may leak file descriptors from a parent process to a child process. This could result in varying degrees of unauthorized access.

Under Windows and OS/2 systems, it may be possible to cause Apache to send special control characters over a pipe. This could potentially cause Apache to cease logging and exit (CAN-2003-0460).

The vulnerability exists in the modules "mod_alias" and "mod_rewrite". These modules improperly handle regular expressions containing more than nine capturing parentheses. A local attacker could create a specially-crafted configuration file with such expressions to be used by the modules.

For Apache based IBM HTTP Servers, IBM has released a cumulative patch which fixes these issues as well as a few other issues. Please visit http://www-1.ibm.com/support/docview.wss?rs=177&context=SSEQTJ&uid=swg24006719 for information and the patch.

A potential buffer overflow with escaped characters in the SSI tag string is reported. The vulnerability is caused due to a boundary error in the "get_tag()" function of the "mod_include" module. This issue can be exploited to cause a buffer overflow when a specially crafted document with malformed server-side includes is requested through an HTTP session.

Heap-based buffer overflow in "proxy_util.c" for "mod_proxy" in Apache allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.

PHP4 and PHP5 are reported prone to multiple remotely exploitable vulnerabilities. These issue result from insufficient sanitization of user-supplied data. A remote attacker may carry out directory traversal attacks to disclose arbitrary files and upload files to arbitrary locations.

The following issues were identified:

PHP4 is reported prone to a directory traversal vulnerability. It is reported that this issue arises in the default configuration, which is shipped with the "magic_quotes_gpc" directive set to "On". This setting invokes the "addslashes()" function to sanitize all user-supplied input. The issue presents itself as a NULL byte is not properly sanitized by the "addslashes()" function. This allows an attacker to bypass input restrictions and carry out directory traversal attacks by appending a NULL byte to an HTTP GET request containing "../" type directory traversal sequences.

PHP4 and PHP5 are reported prone to a vulnerability that allows an attacker to upload a file to an arbitrary location. This issue also arises when the "magic_quotes_gpc" directive set to "On". Reportedly, an attacker can upload a file to an arbitrary location by including a single quote "'" in the file name preceded by ".." type directory traversal sequences. Apparently the "addslashes()" function replaces the single quote with a back slash resulting in the file being placed in a lower level of the directory tree.

If successfully exploited, the second issue may allow the attacker to place files in arbitrary locations. This can potentially replace existing files and lead to data corruption or other attacks.

An issue has been reported with the mod_python publisher, which may allow a malicious user to access any function in any module that has been included by a previously called script. This includes the standard Python libraries.

The mod_python publisher can be used to map URL information directly into a Python module and function. Path information is used to locate the appropriate module and directory, and CGI parameters are passed directly as function parameters.

At a minimum, default Python libraries will allow a malicious user to create directories on the host system. Greater risks may result from additional modules or third-party code, which may be called in an unintended manner. For example, a database wrapper module may not perform authentication checking on the assumption that it would not be called by an untrusted source.

Exploitation of this vulnerability requires that a script has been previously imported. Reportedly, this is done on a per child process basis under Apache. As a result, exploitation may be sensitive to the ability to access the same child process multiple times.

Workaround: Including the following line at the top of sensitive modules will prevent direct access:

__auth__ = {}

The problem presents itself when the affected application attempts to parse a maliciously crafted JPEG file. This occurs due to a failure to properly validate image header data in the "php_handle_jpeg()" function defined in "ext/standard/image.c" prior to using it to control loop iteration.

Apparently, when a file contains an invalid marker value the process can be forced into an infinite loop. The application will read an invalid marker, determine that it is invalid, and call the "php_skip_variable()" function to bypass it. If the marker causes the "php_skip_variable()" function to read to the end of the JPEG file, flawed file stream pointer manipulation will cause the file stream pointer to be placed two bytes from the end of the file. When the application attempts to read the next marker, it finds it to be invalid, and the process repeats, triggering an infinite loop. Note that this vulnerability can only be exploited remotely if a Web-based PHP application allows user-supplied images to be processed by the "getimagesize()" function. This function is commonly implemented in PHP Web applications that allow the display of images.

Apache HTTP Server Version 1.3.28 was released in response to multiple vulnerabilities. Apache is vulnerable to three potential security issues. The impact of these vulnerabilities includes denial of service, file descriptor leakage, and logging failures.

Attackers may also be able to send specially crafted requests that cause Apache to go into an internal loop and eventually crash.

Under certain circumstances, Apache may leak file descriptors from a parent process to a child process. This could result in varying degrees of unauthorized access.

Under Windows and OS/2 systems, it may be possible to cause Apache to send special control characters over a pipe. This could potentially cause Apache to cease logging and exit (CAN-2003-0460).

The vulnerability exists in the modules "mod_alias" and "mod_rewrite". These modules improperly handle regular expressions containing more than nine capturing parentheses. A local attacker could create a specially-crafted configuration file with such expressions to be used by the modules.

For Apache based IBM HTTP Servers, IBM has released a cumulative patch which fixes these issues as well as a few other issues. Please visit http://www-1.ibm.com/support/docview.wss?rs=177&context=SSEQTJ&uid=swg24006719 for information and the patch.

A potential buffer overflow with escaped characters in the SSI tag string is reported. The vulnerability is caused due to a boundary error in the "get_tag()" function of the "mod_include" module. This issue can be exploited to cause a buffer overflow when a specially crafted document with malformed server-side includes is requested through an HTTP session.

Heap-based buffer overflow in "proxy_util.c" for "mod_proxy" in Apache allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.

mod_ssl is affected by a format string vulnerability within its logging function. This issue is due to a failure of the application to properly implement a formatted string function. The problem is reported to present itself due to an improperly implemented call to the "ssl_log()" function. Apparently, user input is provided as the format string to the affected function, facilitating attacker control of format specifiers. The offending call is located within the "mod_proxy" hook functions. It is currently not known where the user input is derived.

PHP4 and PHP5 are reported prone to multiple remotely exploitable vulnerabilities. These issue result from insufficient sanitization of user-supplied data. A remote attacker may carry out directory traversal attacks to disclose arbitrary files and upload files to arbitrary locations.

The following issues were identified:

PHP4 is reported prone to a directory traversal vulnerability. It is reported that this issue arises in the default configuration, which is shipped with the "magic_quotes_gpc" directive set to "On". This setting invokes the "addslashes()" function to sanitize all user-supplied input. The issue presents itself as a NULL byte is not properly sanitized by the "addslashes()" function. This allows an attacker to bypass input restrictions and carry out directory traversal attacks by appending a NULL byte to an HTTP GET request containing "../" type directory traversal sequences.

PHP4 and PHP5 are reported prone to a vulnerability that allows an attacker to upload a file to an arbitrary location. This issue also arises when the "magic_quotes_gpc" directive set to "On". Reportedly, an attacker can upload a file to an arbitrary location by including a single quote "'" in the file name preceded by ".." type directory traversal sequences. Apparently the "addslashes()" function replaces the single quote with a back slash resulting in the file being placed in a lower level of the directory tree.

If successfully exploited, the second issue may allow the attacker to place files in arbitrary locations. This can potentially replace existing files and lead to data corruption or other attacks.

An issue has been reported with the mod_python publisher, which may allow a malicious user to access any function in any module that has been included by a previously called script. This includes the standard Python libraries.

The mod_python publisher can be used to map URL information directly into a Python module and function. Path information is used to locate the appropriate module and directory, and CGI parameters are passed directly as function parameters.

At a minimum, default Python libraries will allow a malicious user to create directories on the host system. Greater risks may result from additional modules or third-party code, which may be called in an unintended manner. For example, a database wrapper module may not perform authentication checking on the assumption that it would not be called by an untrusted source.

Exploitation of this vulnerability requires that a script has been previously imported. Reportedly, this is done on a per child process basis under Apache. As a result, exploitation may be sensitive to the ability to access the same child process multiple times.

Workaround: Including the following line at the top of sensitive modules will prevent direct access:

__auth__ = {}

The problem presents itself when the affected application attempts to parse a maliciously crafted JPEG file. This occurs due to a failure to properly validate image header data in the "php_handle_jpeg()" function defined in "ext/standard/image.c" prior to using it to control loop iteration.

Apparently, when a file contains an invalid marker value the process can be forced into an infinite loop. The application will read an invalid marker, determine that it is invalid, and call the "php_skip_variable()" function to bypass it. If the marker causes the "php_skip_variable()" function to read to the end of the JPEG file, flawed file stream pointer manipulation will cause the file stream pointer to be placed two bytes from the end of the file. When the application attempts to read the next marker, it finds it to be invalid, and the process repeats, triggering an infinite loop. Note that this vulnerability can only be exploited remotely if a Web-based PHP application allows user-supplied images to be processed by the "getimagesize()" function. This function is commonly implemented in PHP Web applications that allow the display of images.

A side-channel attack against some implementations of SSL exists that, through analysis of the timing of certain operations, can reveal sensitive information to an active adversary.

The weakness in the OpenSSL implementation is that it did not compute message authentication codes for packets with invalid block cipher padding. By analyzing the time it takes for the server to transmit an error response to ciphertext blocks injected into a session by an attacker, adversaries could feasibly infer whether the block error is due to invalid block cipher padding or invalid MAC.

The OpenSSL development team has reduced the information leakage by calculating MACs for packets with invalid block cipher padding in Version 0.9.6i and 0.9.7a. It is not known if other implementations are vulnerable to this or similar weaknesses.

This vulnerability was addressed in OpenSSL Versions 0.9.6d and 0.9.7.

Any application dynamically linked to OpenSSL libraries should be restarted after applying fixes. Applications that are statically linked to OpenSSL libraries should be recompiled after upgrading OpenSSL.

A buffer overflow vulnerability exists in the "htdigest" utility included with Apache. The vulnerability is due to improper bounds checking when copying user-supplied realm data into local buffers.

By supplying an overly long realm value to command line options of "htdigest", it's possible to trigger an overflow condition. This may cause memory to be corrupted with attacker-specified values.

However, this may be an issue if "htdigest" is called from a CGI script. An attacker may be able to supply malformed data to the program which will cause the overflow to occur.

Workaround:
Exposure to this and other security issues may be reduced if administrators avoid situations that require "htdigest" to be called from a CGI script.

A weakness has been reported to exist in the Apache mod_php module that may allow remote attackers to disclose sensitive information by influencing global variables. The issue reportedly presents itself when the php.ini configuration file has the parameter setting "register_globals = on".

emerge sync
emerge -pv ">=dev-php/mod_php-4.3.4-r4"
emerge ">=dev-php/mod_php-4.3.4-r4"

A buffer overflow vulnerability exists in the "htdigest" utility included with Apache. The vulnerability is due to improper bounds checking when copying user-supplied realm data into local buffers.

By supplying an overly long realm value to command line options of "htdigest", it's possible to trigger an overflow condition. This may cause memory to be corrupted with attacker-specified values.

However, this may be an issue if "htdigest" is called from a CGI script. An attacker may be able to supply malformed data to the program which will cause the overflow to occur.

Workaround:
Exposure to this and other security issues may be reduced if administrators avoid situations that require "htdigest" to be called from a CGI script.

A weakness has been reported to exist in the Apache mod_php module that may allow remote attackers to disclose sensitive information by influencing global variables. The issue reportedly presents itself when the php.ini configuration file has the parameter setting "register_globals = on".

emerge sync
emerge -pv ">=dev-php/mod_php-4.3.4-r4"
emerge ">=dev-php/mod_php-4.3.4-r4"

1) TCP/IP Fingerprint: The operating system of a host can be identified from a remote system using TCP/IP fingerprinting. All underlying operating system TCP/IP stacks have subtle differences that can be seen in their responses to specially-crafted TCP packets. According to the results of this "fingerprinting" technique, the OS version is among those listed below.

Note that if one or more of these subtle differences are modified by a firewall or a packet filtering device between the scanner and the host, the fingerprinting technique may fail. Consequently, the version of the OS may not be detected correctly. If the host is behind a proxy-type firewall, the version of the operating system detected may be that for the firewall instead of for the host being scanned.

2) NetBIOS: Short for Network Basic Input Output System, an application programming interface (API) that augments the DOS BIOS by adding special functions for local-area networks (LANs). Almost all LANs for PCs are based on the NetBIOS. Some LAN manufacturers have even extended it, adding additional network capabilities. NetBIOS relies on a message format called Server Message Block (SMB).

3) PHP Info: PHP is a hypertext pre-processor, an open-source, server-side, HTML-embedded scripting language used to create dynamic Web pages. Under some configurations it is possible to call PHP functions like phpinfo() and obtain operating system information.

4) SNMP: The Simple Network Monitoring Protocol is used to monitor hosts, routers, and the networks to which they attach. The SNMP service maintains Management Information Base (MIB), a set of variables (database) that can be fetched by Managers. These include "MIB_II.system.sysDescr" for the operating system.

Some operating systems (e.g., MacOS, OpenBSD) use a non-zero, probably random, initial value for the timestamp. For these operating systems, the uptime obtained does not reflect the actual uptime of the host; the former is always larger than the latter.

Per this paper by Daniel Roelker that was presented at Defcon 11, popular Web servers like Microsoft IIS support a variety of encoding schemes for the URLs. These include Percent-escaped Hex Encoding, Double-percent Escaped Hex Encoding, Microsoft's %U Encoding, Percent-escaped 2-Byte UTF-8 Encoding, and Raw 2-Byte UTF-8 Encoding.

For a sample HTTP GET request, GET /. HTTP/1.0, the following illustrates the encoded URI under these schemes:

Percent-escaped Hex Encoding: GET /%2e HTTP/1.0
Double-percent Escaped Hex Encoding: GET /%252e HTTP/1.0
Percent-escaped 2-Byte UTF-8 Encoding: GET /%C0%AE HTTP/1.0
Raw 2-Byte UTF-8 Encoding: GET /\xC0\xAE HTTP/1.0 (Actual raw 0xC0 and 0xAE bytes)
Microsoft's %U Encoding: GET /%u002e HTTP/1.0

The supported encoding schemes are listed in the Results section.

URI encoding is relevant to Web server security since, as mentioned in the paper above, attackers could launch HTTP attacks while at the same time obfuscating the URIs to evade detection by Intrusion Detection Systems that are not capable of decoding the URIs.

Per this paper by Daniel Roelker that was presented at Defcon 11, popular Web servers like Microsoft IIS support a variety of encoding schemes for the URLs. These include Percent-escaped Hex Encoding, Double-percent Escaped Hex Encoding, Microsoft's %U Encoding, Percent-escaped 2-Byte UTF-8 Encoding, and Raw 2-Byte UTF-8 Encoding.

For a sample HTTP GET request, GET /. HTTP/1.0, the following illustrates the encoded URI under these schemes:

Percent-escaped Hex Encoding: GET /%2e HTTP/1.0
Double-percent Escaped Hex Encoding: GET /%252e HTTP/1.0
Percent-escaped 2-Byte UTF-8 Encoding: GET /%C0%AE HTTP/1.0
Raw 2-Byte UTF-8 Encoding: GET /\xC0\xAE HTTP/1.0 (Actual raw 0xC0 and 0xAE bytes)
Microsoft's %U Encoding: GET /%u002e HTTP/1.0

The supported encoding schemes are listed in the Results section.

URI encoding is relevant to Web server security since, as mentioned in the paper above, attackers could launch HTTP attacks while at the same time obfuscating the URIs to evade detection by Intrusion Detection Systems that are not capable of decoding the URIs.

We have sent the following types of packets to trigger the host to send us ICMP replies:

Echo Request (to trigger Echo Reply)
Timestamp Request (to trigger Timestamp Reply)
Address Mask Request (to trigger Address Mask Reply)
UDP Packet (to trigger Port Unreachable Reply)
IP Packet with Protocol >= 250 (to trigger Protocol Unreachable Reply)

Listed in the "Result" section are the ICMP replies that we have received.

The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.

Note that if the host is behind a firewall, there is a small chance that the list includes a few ports that are filtered or blocked by the firewall but are not actually open on the target host. This (false positive on UDP open ports) may happen when the firewall is configured to reject UDP packets for most (but not all) ports with an ICMP Port Unreachable packet. This may also happen when the firewall is configured to allow UDP packets for most (but not all) ports through and filter/block/drop UDP packets for only a few ports. Both cases are uncommon.

The following is a list of supported SSL ciphers. Note: If a cipher is included in this list it means that it was possible to establish a SSL connection using that cipher. There are some web servers setups that allow connections to be established using a LOW grade cipher, only to provide a web page stating that the URL is accessible only through a non-LOW grade cipher. In this case even though LOW grade cipher will be listed here QID 38140 will not be reported.

This test determines if SSL session caching is enabled on the host.

The exact method(s) used are shown in the Results section.

The exact method(s) used are shown in the Results section.

Microsoft SMB request handler has been reported prone to a buffer overflow vulnerability. It's possible to craft a malicious SMB request packet containing parameters that will trigger the assignment of an insufficient buffer in memory. A remote authenticated attacker may create an insufficient bounds checking condition in the affected handler. In this way, an attacker may corrupt memory adjacent to the affected buffer with excessive attacker-supplied data.

Note that the attacker must be authenticated by the target SMB server to successfully exploit this vulnerability.

This capability is implemented as an Internet Services Application Programming Interface (ISAPI) extension nsiislog.dll. When Windows Media Services are installed in Windows NT 4.0 Server or added through add/remove programs to Windows 2000, nsiislog.dll is installed to the Internet Information Services (IIS) Scripts directory on the server.

There is a flaw in the way in which nsiislog.dll processes incoming requests. A vulnerability exists because an attacker may send specially formed communications to the server. This may cause IIS to stop responding to Internet requests or execute attacker's code on the host.

When executables run 'in-process', they run as part of the main IIS process. It's important to restrict which executables can run 'in-process' because as part of the main IIS process, they execute in the Local System security context.

IIS Version 5.0 ships with a table of executables that will run 'in-process' when requested remotely by a Web client. Even though all of these binaries are shipped with IIS, they are listed in the table using relative paths. A user who can create files on an IIS server can place an executable on the Web root filesystem with a relative path and filename that matches an entry in the table. When the executable is requested, the path and filename match causes it to be executed 'in-process'. The executable may provide administrative access to the unprivileged user.

By default, unprivileged users do not have permission to upload content to an IIS server.

This bug may also be exploited remotely in the unlikely event that a remote user has managed to get write access to the Web site. Note, however, that such a remote user would already (and without this bug) be able to change the Web site content, leading to a possible defacement of the site, or be able to place custom CGI scripts on the site, leading to arbitrary code execution on the server.

Note: As with any local security hole, TreutlerGuard cannot perform active testing to determine whether or not your machine is vulnerable. Therefore, if you have already applied the appropriate patch, you can safely ignore this warning.

When executables run 'in-process', they run as part of the main IIS process. It's important to restrict which executables can run 'in-process' because as part of the main IIS process, they execute in the Local System security context.

IIS Version 5.0 ships with a table of executables that will run 'in-process' when requested remotely by a Web client. Even though all of these binaries are shipped with IIS, they are listed in the table using relative paths. A user who can create files on an IIS server can place an executable on the Web root filesystem with a relative path and filename that matches an entry in the table. When the executable is requested, the path and filename match causes it to be executed 'in-process'. The executable may provide administrative access to the unprivileged user.

By default, unprivileged users do not have permission to upload content to an IIS server.

This bug may also be exploited remotely in the unlikely event that a remote user has managed to get write access to the Web site. Note, however, that such a remote user would already (and without this bug) be able to change the Web site content, leading to a possible defacement of the site, or be able to place custom CGI scripts on the site, leading to arbitrary code execution on the server.

Note: As with any local security hole, TreutlerGuard cannot perform active testing to determine whether or not your machine is vulnerable. Therefore, if you have already applied the appropriate patch, you can safely ignore this warning.

To exploit this vulnerability, a remote malicious able to connect to a vulnerable system could send a specially constructed SMB request packet. It may be possible to corrupt sensitive process memory to cause the underlying system to crash. If this occurs, then a reboot is required in order to regain normal functionality.

This vulnerability may be exploited both as an authenticated user, and with anonymous access to the service.

A flaw exists in the way that the Windows 2000 SMTP service and Microsoft Exchange Server 5.5 interact with the NTLM authentication layer. Due to a failure of these services to perform adequate checks, it may be possible for a user who has authenticated via the NTLM authentication layer to gain unauthorized access to the SMTP service itself with the privileges of a non-administrative user.

The expected behavior is that users can only access the SMTP service if privileges were explicitly given to them.

If you are running Microsoft Windows 2000 Advanced Server 0.0SP2, Microsoft Windows 2000 Server 0.0SP2, or Microsoft Windows 2000 Professional 0.0SP2, then apply the following patch:
Microsoft Patch Q313450_W2K_SP3_X86_EN.exe

If you are running Microsoft Exchange Server 5.5 Service Pack 4, then apply the following patch:
Microsoft Patch Q289258engi386.EXE

Specifically, when the WebDAV "PROPFIND" and "SEARCH" methods receive a request containing more than 49,153 bytes, the IIS service will fail. This occurs because the unusually long request causes the error handling for XML requests to occur out of sequence.

This patch also addresses these vulnerabilities:
- Redirection Cross Site Scripting (CAN-2003-0223)
- Server Side Include Web Pages Buffer Overrun (CAN-2003-0224)
- ASP Headers Denial of Service (CAN-2003-0225)

Important note: Apply the patch for MS03-018 after applying the patch for Microsoft Security Bulletin MS02-050. If you do not apply the patch for MS02-050 first, the patch for MS03-018 will cause client-side certificates to be rejected.

Workaround:

1. Completely disable WebDAV by setting the value of the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW3SVCParametersDisableWebDAV registry key to 1.

2. Limit the length of requests (the url and any headers) by setting the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesw3svcparameters MaxClientRequestBuffer to something like 16k.

3. Block the following WebDAV HTTP verbs using URLScan (either by specifically blocking them or by not listing them as allowed): OPTIONS, PROPFIND, PROPPATCH, MKCOL, DELETE, PUT, COPY, MOVE, LOCK, UNLOCK, OPTIONS, and SEARCH. Note that FrontPage does require the OPTIONS method to work properly.

4. Block the following WebDAV-related headers using the [DenyHeaders] section of URLScan.ini:
[DenyHeaders]
DAV:
Depth:
Destination:
If:
Label:
Lock-Token:
Overwrite:
TimeOut:
TimeType:
DAVTimeOutVal:
Other:
Translate:

5. If you require WebDAV, you can limit the length of each individual header with these entries in the [RequestLimits] section (the exact values are obviously pretty generic and may need to be increased or decreased based on your particular configuration):
[RequestLimits]
Max-DAV=250
Max-Depth=250
Max-Destination=250
Max-If=250
Max-Label=250
Max-Lock-Token=250
Max-Overwrite=250
Max-TimeOut=250
Max-TimeType=250
Max-DAVTimeOutVal=250
Max-Other=250
Max-Translate=250

This condition is due to an unchecked buffer, which is dynamically allocated by the ISAPI extension that implements HTR. HTR scripting has largely been abandoned in favor of ASP (Active Server Pages). This vulnerability is only a problem on systems that have the HTR ISAPI filter enabled.

This vulnerability affects IIS 4.0 and IIS 5.0. Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host. An attacker can possibly initiate a malicious session capable of overwriting static global variables, stored function pointers, process management structures, memory management structures, and other data types with attacker-supplied instructions.

On IIS 4.0, arbitrary code execution may result in a full compromise. On IIS 5.0, this issue may allow an attacker to gain fewer yet still significant privileges.

This vulnerability is similar to the issue described in Bugtraq ID 4485 and Microsoft Security Bulletin MS02-018. The difference is that this issue specifically affects the HTR ISAPI extension.

The following threats are present in Microsoft SQL Server 8 (MS-SQL-8):

1) Microsoft SQL Server/Data Engine various xp_ Buffer Overflow Vulnerabilities. The API Srv_paraminfo() function is implemented by Extended Stored Procedures (XPs). XPs are DLL files that perform high-level functions. When called, they invoke a function called Srv_paraminfo(), which parses the input parameters. Srv_paraminfo() does not check the length of the parameter string that an XP passes to it. The following XPs are affected: xp_displayparamstmt, xp_enumresultset, xp_showcolv, xp_updatecolvbm, xp_peekqueue, xp_printstatements, xp_proxiedmetadata and xp_SetSQLSecurity.

2) Microsoft SQL Server Multiple Overflow and Format String Vulnerabilities. SQL Server provides built-in functions for the formatting of error messages based on C-style format specifiers. These built-in functions are accessible to all users. Providing specially-crafted input to these functions results in exploitable error conditions in the SQL Server process. To mount this attack, the malicious user must have permission to execute SQL queries either directly or by leveraging SQL Command Injection flaws.

3) Microsoft SQL Server Provider Name Buffer Overflow Vulnerability . SQL Server does not perform proper bounds checking of the provider arguments to the OpenDataSource and OpenRowset functions. These functions may be used by an ordinary user to reference OLE DB data sources. As a result, it's possible to cause a buffer overflow condition to occur by providing an excessively long string as a provider name in a query.

4) Microsoft SQL Server xp_dirtree Buffer Overflow Vulnerability . A vulnerability has been reported in the xp_dirtree function. If an extremely large parameter is passed to the stored procedure xp_dirtree, a buffer overflow condition will occur. This issue may be related to an older known problem with unsafe usage of the Srv_paraminfo() function call. This issue is discussed in BIDs 2030, 2031, 2038, 2039, 2040, 2041, 2042, and 2043. This relationship has not been confirmed.

5) Microsoft SQL Server Administrator Cached Connection Vulnerability. Query methods are SQL Server commands used to request information from the database. A flaw exists in the handling of specially-structured ad hoc queries, which could enable a normal user to gain administrative privileges. In order to gain access to information in the database, a user must make a connection to the server. Once access to the database is no longer required, the user logging off will terminate the connection. However, by design SQL Server will store the connection used by the user in cache for a certain amount of time. This is done to improve the server's performance. Next time that particular user logs in, SQL Server can reinstate the cached connection rather than creating a new one.

6) Microsoft SQL Server SQLXML Script Injection Vulnerability. SQLXML is a component that enables SQL servers to receive and send database queries via XML format. Such queries can be sent using various methods of communication, one of which is via HTTP. SQLXML HTTP components reside in a virtual directory on a Web server and are not enabled by default. It is possible to include script code in an XML database request via the Root parameter, and as a result SQLXML would include the attacker's script in the response. When the response is rendered by a Web browser, the attacker's script will execute.

2) By exploiting this vulnerability, it may be possible for malicious users to execute arbitrary code on a host running a vulnerable version of Microsoft's SQL Server.

3) Successful exploitation of this vulnerability could allow a malicious user to execute arbitrary code with the privileges of the database. There is a possibility that this issue may be exploited remotely, either via distributed SQL queries or potentially via an SQL injection attack.

4) If an extremely large parameter is passed to a vulnerable stored procedure, a buffer overflow condition will occur. Depending on the data supplied, this could cause a denial of service condition, or result in the execution of arbitrary code as the SQL Server process.

5) By exploiting this vulnerability, logged-in users can gain administrative privileges to the database.

6) It's possible, under some circumstances, to inject arbitrary script code via XML tags. This may allow an attacker to execute script code in the context of the Internet Explorer Security Zone associated with the IIS server running the vulnerable components. This may result in a malicious script running with a higher privilege, such as in the context of the Intranet Zone.

2) Microsoft released the following fix for SQL Server 2000 SP2: Microsoft Patch Q316333.

3) Microsoft released the following fix for SQL Server 2000 SP2: Microsoft Patch Q316333.

4) Microsoft released the following fix for SQL Server 2000 SP1, and SQL Server 2000: Microsoft Patch Q299717.

5) Microsoft released patches to fix this issue. Download a patch from the Microsoft SQL Web site.

If you are using Veritas' BackUp Exec, follow these recommandations.

We recommend upgrading to the latest SQL Server Service Pack which is SP4. Please refer the Microsoft SQL Server Product Page for more details and instructions on downloading and installing the latest Service Pack.

The following threats are present in MS-SQL-8:

1) Microsoft SQL Server SQLXML Buffer Overflow Vulnerability. SQLXML is a component that enables SQL servers to receive and send database queries via XML format. Such queries can be sent using various methods of communication, one of which is via HTTP. SQLXML HTTP components reside in a virtual directory on a Web server and are not enabled by default. SQLXML ISAPI extensions run with LocalSystem privileges. It is possible for a user to initiate the overflow by connecting to a host via HTTP and submitting malformed data directly to the SQLXML HTTP component.

2) Microsoft SQL Server 2000 PWDEncrypt Buffer Overflow Vulnerability. This vulnerability is due to insufficient bounds checking of data supplied to the built-in pwdencrypt() hashing function. The attacker must be able to execute a database query using the pwdencrypt() function to exploit this vulnerability, which implies that the attacker must either have legitimate access to the database server or obtain unauthorized access through some other means. For example, it may be possible to exploit this issue via an SQL injection attack in another application.

3) Multiple Microsoft SQLServer 2000 Vulnerabilities. The first buffer overrun condition exists in the procedure used to encrypt SQL Server credential information. If a parameter passed to the procedure from within a query is of excessive length, the overrun occurs.

The second buffer overrun condition is related to the "bulk-input" feature. This feature allows administrators to import data into a database table or view directly from data files with a custom format. Attackers may exploit this vulnerability by invoking a bulk input procedure with maliciously constructed arguments.

By default, the permissions of the registry key used to specify the account used by the SQL server process are insecure. Through SQL queries, the key may be modified without administrative privileges.

4) Microsoft SQL Server Installation Password Caching Vulnerability. During the initial installation of SQL Server 2000, or the installation of service packs, information is gathered and stored in a special file, setup.iss, which may contain passwords supplied during the installation process. The log file documenting the installation process will also contain passwords entered. The passwords are first encrypted and then stored. A Microsoft released bulletin notes that the encryption may be weak. During the installation process, passwords may be stored in either of the following two cases:

• If the SQL Server is being set up in "Mixed Mode", a password for the SQL Server administrator (the ?sa? account) must be supplied.
• Whether in Mixed Mode or Windows Authentication Mode, a User ID and password can optionally be supplied for the purpose of starting up SQL Server service accounts.

5) Microsoft SQL Server 2000 Database Consistency Checkers Buffer Overflow Vulnerability. SQL Server and Microsoft Desktop Engine ship with Database Consistency Checkers (DBCCs). Several of the DBCCs contain identical buffer overflow vulnerabilities in areas of the code that handle user input. Most DBCCs can only be executed by database administrator users, however, users who have been assigned either the 'db_owners' or 'db_ddladmin' fixed server roles can also execute one or more of these DBCCs.

2) This vulnerability may be exploited to execute arbitrary instructions as the SQL Server.

3) Two of the vulnerabilities are buffer overrun conditions that may result in the execution of code supplied by remote attackers. The buffer overrun condition related to the "bulk-input" feature is mitigated by the default access restrictions on the bulk input procedure. Only members of the "Bulk Administrators" group may run the vulnerable procedure. The final vulnerability is due to a weak default configuration that could allow attackers to change the user account of the SQL Server process. If the server has been configured to run with non-administrative privileges, an attacker may exploit this vulnerability to configure the server so that it runs with higher privileges when it is next started.

4) If exploited by a malicious user, passwords stored in setup.iss, which are supplied during the installation process, may be stolen.

5) Successfully exploiting this vulnerability could lead to arbitrary code execution with the privilege level of the SQL Server service account.

2) Read Microsoft Security Bulletin MS02-034 for more information about these vulnerabilities and for instructions for obtaining a patch.

3) Microsoft has stated that SQL Server 7.0 is not affected by any of the reported vulnerabilities. Microsoft has released a patch for SQL Server 2000 SP2. It will be included in SP3. Check Microsoft's Download site for updates.

4) Microsoft has provided a utility, killpwd.exe, which will remove the passwords from any accessible directories. Check Microsoft's Download site for updates.

5) Microsoft has released a patch to address this vulnerability. Check Microsoft's Download site for updates.

We recommend upgrading to the latest SQL Server Service Pack which is SP4. Please refer the Microsoft SQL Server Product Page for more details and instructions on downloading and installing the latest Service Pack.

The following threats are present in MS-SQL-8:

1) Microsoft SQL Server 2000 Replication Stored Procedures Injection Vulnerability. It's possible to inject operating system commands into the SQL Server database due to a vulnerability in two stored procedures used during replication. These stored procedures do not validate input passed to them, thus allowing a user to inject custom SQL and potentially operating system commands.

2) Microsoft SQL Server 2000 Resolution Service Denial of Service Vulnerability. SQL Server 2000 uses a keep-alive mechanism that operates through the Resolution Service. If the keep-alive function receives a specially-crafted data packet, it will reply with an identical packet. Therefore, if one SQL Server sends a data packet that was specially crafted to another SQL Server's keep-alive function, the second SQL Server would respond with an identical packet, causing the two servers to enter an endless loop.

3) Microsoft SQL Server 2000 Resolution Service Stack Overflow and Heap Overflow Vulnerability. A stack-based and heap-based overflow in the resolution service could be exploited by a malicious user by sending specially-crafted UDP packets to port 1434. If the packet consists of data not specifically designed to cause code execution, a denial of service may result.

4) Microsoft SQL Server Remote Buffer Overflow Vulnerability. This vulnerability allegedly occurs even before authentication can proceed. Reportedly, this is due to a default system configuration. Microsoft SQL Server listens for connections on TCP port 1433. An attacker can exploit this vulnerability by sending specially crafted packets to TCP port 1433 which causes SQL Server to crash and possibly execute attacker supplied code.

5) Microsoft SQL MS Jet Engine Unicode Buffer Overflow Vulnerability. This condition occurs when the OpenDataSource function is used with MS Jet Engine. The OpenDataSource function is used for referencing heterogeneous OLE DB data sources in Transact-SQL statements. Microsoft Jet Engine is the database engine for Microsoft SQL Server. This condition may be triggered if an overly long string is passed to the Microsoft Jet Engine component via the OpenDataSource function.

6) Microsoft SQL Agent Jobs Privilege Elevation Vulnerability. SQL Server 2000 uses an Agent, which is responsible for restarting the SQL Server service, replication, and running scheduled jobs. Some of the jobs supplied by Microsoft as stored procedures on the SQL Server contain weak permissions. The following procedures are affected: sp_add_job, sp_add_jobstep, sp_add_jobserver, and sp_start_job.

The Agent typically runs in the security context of the SQL Server Service Account. Under normal circumstances, when a T-SQL job is submitted to the Agent, it will drop its privilege level by performing the following command: SETUSER N'guest' WITH NORESET. This can be bypassed by causing the Agent to reconnect after it has performed the privilege lowering command.

7) Microsoft SQL Server Extended Stored Procedure Privilege Elevation Vulnerability. Some of the extended stored procedures contain weak permissions. The extended stored procedures typically connect to the database in the security context of the SQL Server Service Account. A user with low privileges could pass certain arguments to the vulnerable extended stored procedures, allowing them to perform actions on the database in the security context of the SQL Server Service Account.

2) When this vulnerability is exploited, both servers will eventually consume all available resources, resulting in a denial of service condition. It is important to note that an SQL Server will never send the particular packet needed to exploit this vulnerability to another SQL Server under normal operating conditions. An attacker would have to send one SQL Server the packet with a spoofed source address belonging to a second SQL Server.

3) It may be possible to craft the exploit code to execute arbitrary instructions in the security context of the SQL server. This may provide a remote malicious user with local access to the underlying host.

4) The nature of these issues suggests that memory corruption may be occurring. If that is the case, it is possible that these issues may be remotely exploitable to execute arbitrary code as a system process, possibly leading to local access to the vulnerable system.

5) This issue may be exploited to execute attacker-supplied instructions with the privileges of the SQL Server process. If the SQL Server process is running in the SYSTEM context, this may lead to a full compromise. This issue requires that the attacker is capable of passing maliciously crafted data to the OpenDataSource function. Under normal circumstances, this would require the attacker to have access to the database server. However, this may be exploitable remotely via SQL injection vulnerabilities in any Web-based software that accesses a vulnerable database. Due to this being an issue in the MS Jet Engine component itself, other products that rely on Jet Engine may also be affected by this vulnerability.

6) A malicious user can achieve this using the extended stored procedures discussed in the Microsoft SQL Server Extended Stored Procedure Privilege Elevation Vulnerability. By exploiting this vulnerability, a malicious user would be able to execute other extended stored procedures, such as xp_cmdshell, on the SQL Server with the security context of the SQL Server Service Account.

7) The vulnerability could also be exploited by an attacker visiting a Web site that uses one of these extended stored procedures as part of a search engine for the database. The database-driven Web application would need to be prone to existing input validation vulnerabilities for this type of exploitation to occur. If this vulnerability is exploited, a user with low privileges may perform actions on the database in the security context of the SQL Server Service Account.

4) No solution is available at this time. Check for upgrades at Microsoft's Download site.

5) Microsoft advises affected users to obtain the latest version of Microsoft Jet Engine from Microsoft Knowledge Base Article Q282010.

6) It is not currently clear if this issue was addressed in Microsoft Security Bulletin MS02-043. However, applying the patch for that issue will significantly mitigate potential exploitation of this vulnerability by preventing attackers from using the vulnerable extended stored procedures to cause the SQL Server Agent to reconnect to the database with a higher privilege level. The bulletin includes instructions for obtaining the patch. Check for upgrades at Microsoft's Download site.

7) Microsoft has released the following patch for SQL Server 2000: Patch Q316333

We recommend upgrading to the latest SQL Server Service Pack which is SP4. Please refer the Microsoft SQL Server Product Page for more details and instructions on downloading and installing the latest Service Pack.

Note: You are only vulnerable if you run Windows 2000 and didn't patch your server against this vulnerability.

Remote Desktop Protocol (RDP) enables remote users to communicate through applications over the network using keystrokes and mouse-clicks. Windows 2000 Server and Advanced Server are subject to a denial of service condition. Submitting multiple malformed packets to the RDP services port will cause the server to crash, and any unsaved data will be lost.

As a result of this vulnerability being exploited, the Terminal Server application will stop responding. Therefore, you must manually restart the server in order to regain normal functionality. Other processes running on the Windows 2000 Server will continue to work normally.

Malicious users could also use the denial of service condition to assist them in further attack against this host.

Microsoft Windows Terminal Server centralizes management of user applications for each client connected to the server. User applications and desktops are transmitted over the network and displayed via a terminal emulation program.

Due to a flaw in the Microsoft Terminal Server service, it's possible for a host to be led to consume all available memory resources. This behavior is the result of flaws in the server's memory management.

Malformed data packets submitted repeatedly to an affected host on port 3389 will result in the accumulation of allocated memory that is not freed after use. It's possible to exhaust the memory resources of the target system, potentially impacting the Terminal service, as well as other applications running on the affected host.

Note: Microsoft Windows Terminal Server contains another Denial of Service vulnerability. For information on this issue, read Microsoft Security Bulletin MS01-006.

Submitting malformed data to port 445 could cause the Lanman service to consume high CPU and Kernel mode memory usage.

IMPORTANT: The configuration in the first method may not be supported in an environment where programs that require NetBIOS support are being used.

Method 1: Disable NetBIOS over TCP/IP (which also disables port 445).

1. Go to Start-->Settings-->Network and Dial-up Connections.
2. Right-click Local Area Connection, and select Properties.
3. Select Internet Protocol (TCP/IP), and click Properties.
4. Click Advanced.
5. Under the WINS tab, select the Disable NetBIOS over TCP/IP check box, and then click OK.

Method 2: Create and then set the MaxWorkItems value in the registry to a value that the computer can support.

1. Start Registry Editor (Regedt32.exe).
2. Locate the Parameters value under the following key in the registry:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer
   
3. On the Edit menu, click Add Value, and type MaxWorkItems.
4. Click REG_DWORD, and then click OK.
5. Set the data to the one of the following:
   • 1024 for computers with a large amount of memory (greater than 2 gigabytes of memory)
   • 512 for computers with a medium amount of memory (512 megabytes to -2 gigabytes)
   • 256 for computers with a small amount of memory (less than 512 megabytes).
6. Quit Registry Editor.

The CIFS Browser Protocol generates a list of network resources and is used in services such as My Neighborhood or My Network Places. It also defines a number of Browse Frames encapsulated within a NetBIOS datagram. Information contained in a NetBIOS datagram is extracted and inserted into the NetBIOS cache when a Browse Frame request is received on UDP port 138. This information includes a source and destination NetBIOS name, second source IP address, and IP headers.

A remote malicious user can transmit unicast or broadcast UDP datagrams, which can result in the redirection of NetBIOS name resolution to IP address resolution forwarding to an arbitrary IP address under their control. Once the cache is corrupted with a UDP datagram, it is no longer a prerequisite to predict Transaction IDs (which is reportedly an easily predictable 16-bit ID to begin with).

To flush a dynamic entry in the cache, one can send a Postive Name Query response that provides a different IP address to NetBIOS name mapping.

Workarounds provided by COVERT Labs:

1. If running Windows 2000, disable NetBIOS over TCP/IP.
2. Block ports 135-139 and 445, both UDP and TCP, at your network perimeter to protect from external attackers.
3. Because NetBIOS name resolution (either through broadcast or WINS) is subject to this cache corruption attack, it should not be relied upon to perform hostname to IP address resolution.
4. Disable the "WINS Client" binding including the NetBIOS Interface, Server and Workstation services. It is important to disable all services that register a NetBIOS name as shown by nbtstat -n. Selectively unbinding the "NetBIOS interface" or other specific services such as Server or Workstation will still allow attackers to talk to a NetBIOS name and corrupt the NetBIOS cache.
5. It is important to note the Computer Browser Service is independent of Browse Frame processing and generation (at least within the bounds of this vulnerability). Disabling the service has no impact upon this vulnerability.

We do not perform active tests for this vulnerability; therefore, if you know that you've already applied the appropriate patch (see the Solution field below), you can safely disregard this notice.

Microsoft IIS Version 4.0 Update

Microsoft IIS Version 5.0 Update

Note: To avoid causing a denial of service on your server, we don't perform active tests for this vulnerability. Therefore, if you've already applied the appropriate patches, you can safely ignore this warning. (For information on patches, see the Solution field below.)

By sending multiple requests with a malformed URL (as described in the Description field), responsiveness of your Web server, and eventually other services on it, may decrease significantly.

For more information on this vulnerability, refer to Microsoft's Security Bulletin MS00-023.

A patch for Internet Information Server (IIS) Version 4.0 is available at the following location:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20292

A patch for Internet Information Server(IIS) Version 5.0 is available at the following location:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20286