[Following reprinted with permission from SANS Network Security Digest, Vol. 1, No. 6., August 10, 1997. For subscription information, send e-mail to: sans@clark.net ]
NT/WIN95 SECURITY PROBLEMS AND BUG FIXES
The Microsoft Security page is located at: http://www.microsoft.com/security/
Additional NT Security Related web pages may be found at: http://ntbugtraq.rc.on.ca/index.html and http://www.ntsecurity.net/
A) Denial of Service Attack in Microsoft IIS for NT 4.0 - (6/30)
By sending a request with a URL of a certain length (typically between 4 and 8K), you can cause an access violation in the server which requires a reboot to fix. Unsaved data may be lost. Microsoft has provided a patch for this problem. Exploits for this problem have been published on the Internet.
This problem affects IIS versions 2.0 and 3.0 on systems running NT 4.0.
For more information see the CIAC bulletin at: http://ciac.llnl.gov/ciac/bulletins/h-77.shtml
This problem is similar to the Ping of Death attacks discussed earlier this year. By sending a corrupt ICMP packet you can cause a Windows/NT system to freeze and require a reboot.
Patches are available at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/icmp-fix
For more information see the CIAC bulletin at: http://ciac.llnl.gov/ciac/bulletins/h-78.shtml
Patches fix two known security problems (Q143474 - Anonymous login user ("Red Button"), and Q161372 - SMB signing to prevent "man in the middle" attacks). Fixes are available at: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT351/hotfixes-postSP5/sec-fix
A program called getadmin.exe, which has been distributed on the Internet, grants administrative privileges to normal users. The program takes advantage of a bug in a low-level kernel routine.
Microsoft has published a fix for this problem: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/getadmin-fix
Later discussions on bugtraq revealed this patch did not fix the problem entirely. Additional information on the vulnerability can be found at:
E) Yet Another Netscape Communicator Bug (7/25)
The latest version of Communicator (4.0.1a) was supposed to correct a security bug discovered in June. However, there is a flaw in the way LiveConnect has been implemented in 4.0.1a. The end result is similar to the situation with the previous bug: a malicious user can monitor all of your web activity. For more information, see the article at: http://www5.zdnet.com/zdnn/content/zdnn/0725/zdnn0005.html
F) A New Fragmentation Attack (Win NT)
When reassembling a fragmented IP packet, the Microsoft implementation does not require the first fragment to have an offset value of zero. It merely checks whether the sum of the lengths of the collected fragments equals the total length of the original unfragmented IP packet. If enough fragments have been received so that this condition holds, the NT stack will happily reassemble what it has accumulated so far. This problem has been fixed with Service Pack 3. For more information see: http://www.dataprotect.com/ntfrag/
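To make the flawed reassembly check concrete, here is an added Python model (not Microsoft's code and not part of the digest) of the lenient length-sum rule beside a stricter rule that also rejects overlapping fragments, a case the text does not mention. Offsets are in bytes rather than the 8-byte units of the real IP header, and the fragment sets are constructed samples.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's payload in the original datagram
    length: int   # number of payload bytes this fragment carries
    more: bool    # the IP "More Fragments" (MF) flag


def lenient_complete(frags, total_len):
    """The rule the text describes: reassemble as soon as the collected
    payload lengths add up to the original datagram's length."""
    return sum(f.length for f in frags) == total_len


def strict_complete(frags, total_len):
    """Stricter rule: a fragment at offset 0, contiguous and non-overlapping
    coverage, and a final fragment with MF clear that ends at total_len."""
    if not frags:
        return False
    ordered = sorted(frags, key=lambda f: f.offset)
    if ordered[0].offset != 0:
        return False                      # no first fragment was ever seen
    expected = 0
    for f in ordered:
        if f.offset != expected:
            return False                  # gap or overlap between fragments
        expected += f.length
    return (not ordered[-1].more) and expected == total_len


# Constructed samples for a 2000-byte datagram (not captured traffic).
TOTAL = 2000
LEGIT = [Fragment(0, 1480, True), Fragment(1480, 520, False)]
NO_FIRST = [Fragment(8, 1480, True), Fragment(1488, 520, False)]  # sums to 2000, never starts at 0
OVERLAP = [Fragment(0, 1000, True), Fragment(500, 1000, False)]   # sums to 2000, bytes 500-999 twice


def compare(frags, total_len=TOTAL):
    """Return (lenient verdict, strict verdict) for one fragment set."""
    return lenient_complete(frags, total_len), strict_complete(frags, total_len)


if __name__ == "__main__":
    for name, frags in (("legit", LEGIT), ("no_first", NO_FIRST), ("overlap", OVERLAP)):
        print(name, compare(frags))
```

The lenient rule accepts all three sets; only the legitimate split passes the strict rule.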