Published:
05 September 1999
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AUSCERT External Security Bulletin Redistribution

                        ESB-1999.130 -- CERT Summary CS-99-03
                                  CERT Summary
                                6 September 1999
===========================================================================

The CERT Coordination Centre has released the following summary concerning
types of attacks currently being reported. AusCERT has noted similar trends
reported within Australia and New Zealand.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

CERT Summary CS-99-03

   August 31, 1999

   Each quarter, the CERT® Coordination Center (CERT/CC) issues the CERT
   summary to draw attention to the types of attacks reported to our
   incident response team, as well as other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.

   Past CERT summaries are available from

      http://www.cert.org/summaries/

______________________________________________________________________

New CERT/CC PGP Key

   On October 4, 1999, the current PGP key for the CERT/CC will be replaced
   with a new PGP key. For more information, see

      http://www.cert.org/pgp/newpgp.html

______________________________________________________________________

New "CERT/CC Current Activity" Web Page

   The CERT/CC Current Activity web page is a regularly updated summary of
   the most frequent, high-impact types of security incidents and
   vulnerabilities currently being reported to the CERT/CC. It is available
   from

      http://www.cert.org/current/current_activity.html

   The information on the Current Activity page will be reviewed and
   updated as reporting trends change.
______________________________________________________________________

Recent Activity

   Since the last CERT summary, issued in May 1999 (CS-99-02), we have noted
   several vulnerabilities in RPC services, and we have analyzed and
   published information regarding the ExploreZip worm. We also continue to
   see widespread scans for known vulnerabilities.

   Protect your systems. Use current software versions, install patches as
   they become available, and update your scanning tools and anti-virus
   software with the latest virus signatures or definitions. Be cautious of
   unsolicited documents or executable programs received in electronic
   mail. Be wary of software that comes from untrusted sources.

   1. RPC Vulnerabilities

   We have received many reports of exploitations involving three RPC
   vulnerabilities. Such exploitations can lead to root compromise on
   systems that implement these RPC services. Analysis has shown that
   similar artifacts have been found on compromised systems. The vulnerable
   services are

   rpc.cmsd

      Remote and local users can execute arbitrary code with the privileges
      of the rpc.cmsd daemon, typically root. This vulnerability is being
      exploited in a significant number of incidents reported to the
      CERT/CC. For more information see

         CERT Incident Note 99-04
         http://www.cert.org/incident_notes/IN-99-04.html

         CERT Advisory CA-99-08
         http://www.cert.org/advisories/CA-99-08-cmsd.html

   statd and automountd

      Vulnerabilities in these two services are being used together by
      intruders to gain access to vulnerable systems. The first
      vulnerability is in rpc.statd, a program used to communicate state
      changes among NFS clients and servers. The second vulnerability is in
      automountd, a program used to automatically mount certain types of
      file systems.

      The vulnerability in rpc.statd may allow a remote intruder to call
      arbitrary RPC services with the privileges of the rpc.statd process,
      typically root.
      The vulnerability in automountd may allow a local intruder to execute
      arbitrary commands with the privileges of the automountd service. By
      combining attacks exploiting these two vulnerabilities, a remote
      intruder is able to execute arbitrary commands with the privileges of
      the automountd service. For more information see

         CERT Incident Note 99-04
         http://www.cert.org/incident_notes/IN-99-04.html

         CERT Advisory CA-99-05
         http://www.cert.org/advisories/CA-99-05-statd-automountd.html

   ttdbserverd

      The ToolTalk database server (rpc.ttdbserverd) is an ONC RPC service
      that manages objects needed for the operation of the ToolTalk
      service. ToolTalk-enabled processes communicate with each other using
      RPC calls to this program, which runs on each ToolTalk-enabled host.
      This program is a standard component of CDE (Common Desktop
      Environment), which is a standard component of many commercial Unix
      operating systems.

      Due to an implementation fault in rpc.ttdbserverd, it is possible for
      a malicious remote client to formulate an RPC message that can lead
      to a buffer overflow. This buffer overflow can result in an attacker
      gaining total control of the ttdbserver process. An intruder may be
      able to use this control to gain root-level privileges.

         CERT Incident Note 99-04
         http://www.cert.org/incident_notes/IN-99-04.html

         CERT Advisory CA-98-11
         http://www.cert.org/advisories/CA-98.11.tooltalk.html

   2. Virus and Trojan Horse Activity

   We continue to see reports of virus activity. Current versions of
   anti-virus software can help to protect your systems from these viruses.
   It is important to take great caution with any email or Usenet
   attachments that contain executable content. If you receive a message
   containing attachments, scan the message file with anti-virus software
   before you open or run the file. Doing this does not guarantee that the
   contents of the file are safe, but it lowers your risk of virus
   infection by checking for viruses and Trojan horses that your scanning
   software can detect.
   ExploreZip.exe

      The ExploreZip program is a Trojan horse affecting Windows 95/98/NT
      systems. It modifies system files and destroys files. For ExploreZip
      to work, a person must open or run an infected email attachment,
      which allows the program to install a copy of itself on the victim's
      computer and enables further propagation. ExploreZip may also behave
      as a worm, propagating to other network machines without human
      interaction.

      For more information see

         CERT Advisory CA-99-06 ExploreZip Trojan Horse Program
         http://www.cert.org/advisories/CA-99-06-explorezip.html

         CERT Advisory CA-99-02 Trojan Horses
         http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html

   3. Continued Widespread Scans

   We are still receiving daily reports of intruders using tools to scan
   networks for multiple vulnerabilities. Intruder scanning tools continue
   to become more sophisticated, varying from scripted tools and stealth
   scanning techniques to a tool that incorporates probes for known
   vulnerabilities, remote operating system identification, and automated
   exploitation attempts.

   For more information, see

      "sscan" Scanning Tool
      http://www.cert.org/incident_notes/IN-99-01.html

      Automated Scanning and Exploitation
      http://www.cert.org/incident_notes/IN-98-06.html

      Probes with Spoofed IP Addresses
      http://www.cert.org/incident_notes/IN-98-05.html

      Advanced Scanning
      http://www.cert.org/incident_notes/IN-98.04.html

      New Tools Used for Widespread Scans
      http://www.cert.org/incident_notes/IN-98.02.html

   The most frequent reports involve well-known vulnerabilities in mountd,
   IMAP, POP3, and several RPC services. These services are installed and
   enabled by default in some operating systems.
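The two checks a site administrator would most want after reading sections 1 and 3 are an inventory of which of the named RPC services a host still registers with its portmapper, and a way to spot a single source probing several of the scanned services at once. The script below is an added example; it is not part of the CERT summary or the AusCERT bulletin. It assumes the standard /etc/rpc program numbers for statd, cmsd, ttdbserverd and automountd (the numbers are not given on this page), and both the rpcinfo -p output and the firewall log lines it works on are constructed samples in a made-up deny-log format, so it runs offline.

```python
"""Added example (not from the CERT/AusCERT bulletin): two defender-side
checks built from the services and ports this summary names."""
import re
from collections import defaultdict

# RPC program numbers for the section 1 services. These are the standard
# /etc/rpc assignments and are an assumption of this example, not taken
# from the bulletin text.
FLAGGED_RPC_PROGRAMS = {
    100024: "rpc.statd (CA-99-05)",
    100068: "rpc.cmsd (CA-99-08)",
    100083: "rpc.ttdbserverd (CA-98.11)",
    100099: "automountd (CA-99-05)",
}


def flagged_rpc_services(rpcinfo_output):
    """Parse `rpcinfo -p` style output (program vers proto port service)
    and return the registrations that belong to the flagged programs as
    (program, version, proto, port, label) tuples. Every registration is
    reported, so a service reachable over both tcp and udp shows twice."""
    found = []
    for line in rpcinfo_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # header or blank line
        prog, vers, proto, port = int(parts[0]), int(parts[1]), parts[2], int(parts[3])
        if prog in FLAGGED_RPC_PROGRAMS:
            found.append((prog, vers, proto, port, FLAGGED_RPC_PROGRAMS[prog]))
    return found


# Ports the summary's section 3 lists as the most frequently scanned services.
SCANNED_PORTS = {111: "sunrpc", 635: "mountd", 143: "IMAP", 110: "POP3", 53: "DNS"}

# Constructed deny-log line shape: "... tcp SRC:SPORT -> DST:DPORT"
LOG_RE = re.compile(r"\btcp (\S+):\d+ -> (\S+):(\d+)")


def multi_service_scanners(log_lines, min_services=2):
    """Return {source: sorted service names} for every source that probed at
    least `min_services` of the listed services across all logged hosts.
    Counting distinct services rather than raw hits separates a sweep from
    a single misconfigured client retrying one port."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dport = m.group(1), int(m.group(3))
        if dport in SCANNED_PORTS:
            hits[src].add(SCANNED_PORTS[dport])
    return {src: sorted(s) for src, s in hits.items() if len(s) >= min_services}


# Constructed sample: what `rpcinfo -p` might print on an unpatched CDE host.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1025  status
    100024    1   tcp   1026  status
    100003    2   udp   2049  nfs
    100068    2   tcp  32771  cmsd
    100068    5   tcp  32771  cmsd
    100083    1   tcp  32772  ttdbserverd
"""

# Constructed sample firewall log (documentation address ranges).
SAMPLE_LOG = [
    "Sep  1 02:14:05 fw deny tcp 192.0.2.10:40211 -> 203.0.113.5:111",
    "Sep  1 02:14:05 fw deny tcp 192.0.2.10:40212 -> 203.0.113.5:635",
    "Sep  1 02:14:06 fw deny tcp 192.0.2.10:40213 -> 203.0.113.6:143",
    "Sep  1 02:14:06 fw deny tcp 192.0.2.10:40214 -> 203.0.113.6:110",
    "Sep  1 02:15:30 fw deny tcp 192.0.2.44:51000 -> 203.0.113.5:53",
    "Sep  1 02:16:01 fw allow tcp 198.51.100.7:33000 -> 203.0.113.9:25",
]

if __name__ == "__main__":
    for prog, vers, proto, port, label in flagged_rpc_services(SAMPLE_RPCINFO):
        print(f"registered: {label} program {prog} v{vers} {proto}/{port}")
    for src, services in multi_service_scanners(SAMPLE_LOG).items():
        print(f"sweep from {src}: {', '.join(services)}")
```

On a real host the first function is fed the output of rpcinfo -p and any flagged registration means the corresponding advisory above applies until the patch is on; the second is run over the day's deny log, with min_services raised on busy perimeters to keep the list short.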
   See the following advisories for more information:

      sunrpc (TCP port 111) and mountd (635)
      http://www.cert.org/advisories/CA-98.12.mountd.html
      http://www.cert.org/incident_notes/IN-99-04.html

      IMAP (TCP port 143)
      http://www.cert.org/advisories/CA-98.09.imapd.html

      POP3 (TCP port 110)
      http://www.cert.org/advisories/CA-98.08.qpopper_vul.html

      DNS (TCP port 53 [domain])
      http://www.cert.org/advisories/CA-98.05.bind_problems.html
      http://www.cert.org/advisories/CA-97.22.bind.html

   These scans involve known vulnerabilities for which patches are
   available. Protect your systems by making sure that they are properly
   secured.

______________________________________________________________________

What's New and Updated

   Since the last CERT summary, we have developed new and updated

      * Advisories
      * Courses
      * Incident notes
      * Security improvement modules
      * Technical reports
      * Tech tips
      * Virus resources

   There are descriptions of these documents and links to them on our
   "What's New" web page at

      http://www.cert.org/nav/whatsnew.html

______________________________________________________________________

This document is available from:
http://www.cert.org/summaries/CS-99-03.html

______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
          CERT® Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

   Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

      http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.
   Getting security information

   CERT publications and other security information are available from
   our web site

      http://www.cert.org/

   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.

   Copyright 1999 Carnegie Mellon University.
   Conditions for use, disclaimers, and sponsorship information can be
   found in

      http://www.cert.org/legal_stuff.html

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
     Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
   University makes no warranties of any kind, either expressed or implied
   as to any matter including, but not limited to, warranty of fitness for
   a particular purpose or merchantability, exclusivity or results obtained
   from use of the material. Carnegie Mellon University does not make any
   warranty of any kind with respect to freedom from patent, trademark, or
   copyright infringement.

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBN8w6BnVP+x0t4w7BAQGylgP/ctRDVTvhzO4AFMuUwsENOrCfUh1iYVq8
UBRRtXhuDbnqxt/cTctDG2Z9OplV2ZIx/i7X05rKDiP2PxVd1xR6/kZVNPvCUSnQ
79NFdXb4lWC8QXVaIFyDHX25BBxkcsWKUnMN18mgcWyuft8Bdb4lr02eK4Q4CKX0
85nNFQHbLPA=
=4dqM
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to use any or all of this
information is the responsibility of each user or organisation, and
should be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It will
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the original authors to ensure that the
information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for
                emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBN+dwDih9+71yA2DNAQEw2gP/ZDIQWEs0UETHE3fYCdsYXactNE29OLwu
FESFZJKMksa+Z2FEB0aqYkAZrHHWN+V8bDwg3Xn3rDSNXng0OzTpIHivpKp3UHo9
VBIGpgv75HyjZN0UJzpJxWlF6Ll/Yi6JCZ8l5a5/40FyWK/ZYt7RU5nhpEgLw3U8
lmJhsVitZag=
=+nZd
-----END PGP SIGNATURE-----