
July 8, 2009

1.0  Introduction

On June 29, 2009, at 3:01 PM, a heavy vulnerability assessment was conducted using the SAINT® 7.0 vulnerability scanner. The scan discovered a total of five live hosts, and detected 42 critical problems, 94 areas of concern, and 110 potential problems. The hosts and problems detected are discussed in greater detail in the following sections.

2.0  Summary

The following vulnerability severity levels are used to categorize the vulnerabilities:

CRITICAL PROBLEMS
Vulnerabilities which pose an immediate threat to the network by allowing a remote attacker to directly gain read or write access, execute commands on the target, or cause a denial of service.

AREAS OF CONCERN
Vulnerabilities which do not directly allow remote access, but do allow privilege elevation attacks, attacks on other targets using the vulnerable host as an intermediary, or gathering of passwords or configuration information which could be used to plan an attack.

POTENTIAL PROBLEMS
Warnings which may or may not be vulnerabilities, depending upon the patch level or configuration of the target. Further investigation on the part of the system administrator may be necessary.

SERVICES
Network services which accept client connections on a given TCP or UDP port. This is simply a count of network services, and does not imply that the service is or is not vulnerable.

The sections below summarize the results of the scan.

2.1  Vulnerabilities by Severity

This section shows the overall number of vulnerabilities and services detected at each severity level.

2.2  Hosts by Severity

This section shows the overall number of hosts detected at each severity level. The severity level of a host is defined as the highest vulnerability severity level detected on that host.

2.3  Vulnerabilities by Class

This section shows the number of vulnerabilities detected in each of the following classes.


Class             Description
Web               Vulnerabilities in web servers, CGI programs, and any other software offering an HTTP interface
Mail              Vulnerabilities in SMTP, IMAP, POP, or web-based mail services
File Transfer     Vulnerabilities in FTP and TFTP services
Login/Shell       Vulnerabilities in ssh, telnet, rlogin, rsh, or rexec services
Print Services    Vulnerabilities in lpd and other print daemons
RPC               Vulnerabilities in Remote Procedure Call services
DNS               Vulnerabilities in Domain Name Services
Databases         Vulnerabilities in database services
Networking/SNMP   Vulnerabilities in routers, switches, firewalls, or any SNMP service
Windows OS        Missing hotfixes or vulnerabilities in the registry or SMB shares
Passwords         Missing or easily guessed user passwords
Other             Any vulnerability which does not fit into one of the above classes


2.4  Vulnerabilities by Subnet

This section shows the number of vulnerabilities detected at each severity level for each subnet that was scanned.




2.5  Hosts by Subnet

This section shows the overall number of hosts detected at each severity level for each subnet that was scanned. The severity level of a host is defined as the highest vulnerability severity level detected on that host.




2.6  Vulnerabilities per Class by Subnet

This section shows the overall number of vulnerabilities detected in each vulnerability class for each subnet that was scanned.

Subnets charted: 172.16.0 and 172.16.1

3.0  Overview

The following tables present an overview of the hosts discovered on the network and the vulnerabilities contained therein.

3.1  Host List

This table presents an overview of the hosts discovered on the network.


Host Name         NetBIOS Name  IP Address  Host Type                          Critical Problems  Areas of Concern  Potential Problems
host1.domain.com  HOST1         172.16.0.1  Windows 2000 Service Pack 1        21                 30                36
host2.domain.com  HOST2         172.16.1.2  Windows Server 2003                8                  29                31
host3.domain.com  -             172.16.1.3  Sun Solaris 2.5.1 - 9 (SunOS 5.9)  11                 4                 17
host4.domain.com  HOST4         172.16.1.4  Windows XP Service Pack 2          0                  20                19
host5.domain.com  -             172.16.1.5  Linux 2.4.20-28.7 - Red Hat        2                  11                7

3.2  Vulnerability List

This table presents an overview of the vulnerabilities detected on the network.


Host Name Severity Vulnerability / Service Class CVE Exploit Available?
host1.domain.com critical Download.Ject detected on web server Other   no
host1.domain.com critical Guessed password to windows account (foobar:foobar) Passwords   no
host1.domain.com critical MS FrontPage Server Extension Vulnerability: /_vti_bin/shtml.dll Web CVE-2003-0824 no
host1.domain.com critical MS FrontPage Server Extension Vulnerability: remote debug Web CVE-2003-0822 yes
host1.domain.com critical Folder traversal in IIS (Double Decoding) Web CVE-2001-0333 yes
host1.domain.com critical Folder traversal in IIS (Unicode Translation) Web CVE-2000-0884 yes
host1.domain.com critical vulnerabilities in IIS 5 Web CVE-2000-0770 CVE-2001-0151 CVE-2001-0241 CVE-2001-0500 CVE-2001-0507 CVE-2002-0869 CVE-2002-1180 CVE-2002-1181 CVE-2002-1182 CVE-2003-0223 CVE-2003-0224 CVE-2003-0225 CVE-2003-0226 yes
host1.domain.com critical MailEnable HTTPMail vulnerability Mail CVE-2005-1348 CVE-2005-2222 CVE-2006-1338 yes
host1.domain.com critical MS Site Server default account Other CVE-2002-1769 CVE-2002-2073 CVE-2002-2081 no
host1.domain.com critical vulnerability in Windows Media Services (nsiislog.dll) Web CVE-2003-0227 CVE-2003-0349 no
host1.domain.com critical Windows Plug and Play vulnerability Windows OS CVE-2005-1983 yes
host1.domain.com critical RPC runtime library vulnerability Windows OS CVE-2003-0807 CVE-2003-0813 CVE-2004-0116 CVE-2004-0124 no
host1.domain.com critical Windows 2000 ASN1 buffer overflow Windows OS CVE-2003-0818 no
host1.domain.com critical Windows 2000 RPC buffer overflow Windows OS CVE-2003-0352 yes
host1.domain.com critical Windows COM+ command execution vulnerability Windows OS CVE-2005-1978 CVE-2005-1979 CVE-2005-1980 CVE-2005-2119 no
host1.domain.com critical Windows SMB Transaction response buffer overflow Windows OS CVE-2005-0045 no
host1.domain.com critical Windows SMB input validation vulnerability Windows OS CVE-2005-1206 no
host1.domain.com critical Windows TCP/IP vulnerabilities Windows OS CVE-2004-0230 CVE-2004-0790 CVE-2004-1060 CVE-2005-0048 CVE-2005-0688 no
host1.domain.com critical Windows WMF gdi32.dll vulnerability Windows OS CVE-2005-4560 yes
host1.domain.com critical pointer corruption vulnerability in WINS replication service Windows OS CVE-2004-0567 CVE-2004-1080 yes
host1.domain.com critical Worm detected (Code Red II) Other   no
host1.domain.com concern Web server allows cross-site tracing Web   no
host1.domain.com concern Windows DNS server allows cache poisoning DNS CVE-2001-1452 no
host1.domain.com concern Internet Explorer COM object memory corruption Windows OS CVE-2005-2127 no
host1.domain.com concern Internet Explorer Create Text Range code injection Windows OS CVE-2006-1185 CVE-2006-1186 CVE-2006-1188 CVE-2006-1189 CVE-2006-1190 CVE-2006-1191 CVE-2006-1192 CVE-2006-1245 CVE-2006-1359 CVE-2006-1388 yes
host1.domain.com concern Internet Explorer JPEG buffer overflow Windows OS CVE-2005-1988 CVE-2005-1989 CVE-2005-1990 yes
host1.domain.com concern Internet Explorer JS stack overflow Windows OS CVE-2006-0753 CVE-2006-0830 no
host1.domain.com concern Internet Explorer JavaScript vulnerability Windows OS CVE-2005-1790 CVE-2005-2829 CVE-2005-2830 CVE-2005-2831 yes
host1.domain.com concern Internet Explorer PNG buffer overflow Windows OS CVE-2002-0648 CVE-2005-1211 no
host1.domain.com concern Internet Explorer URL parsing buffer overflow Windows OS CVE-2005-0553 CVE-2005-0554 CVE-2005-0555 yes
host1.domain.com concern Internet Explorer WMF handling vulnerability Windows OS CVE-2006-0020 no
host1.domain.com concern vulnerability in License Logging Service Windows OS CVE-2005-0050 no
host1.domain.com concern AxWebRemoveCtrl ActiveX control enabled Web CVE-2005-3693 no
host1.domain.com concern CodeSupport ActiveX control enabled Web CVE-2005-3650 no
host1.domain.com concern null session access using alternate pipes Windows OS CVE-2005-2150 no
host1.domain.com concern Windows Plug and Play privilege elevation Windows OS CVE-2005-2120 no
host1.domain.com concern Run key allows write access Windows OS CVE-1999-0589 no
host1.domain.com concern Uninstall key allows write access Windows OS CVE-1999-0589 no
host1.domain.com concern Windows telephony service vulnerability Windows OS CVE-2005-0058 yes
host1.domain.com concern DirectShow buffer overflow Windows OS CVE-2005-2128 no
host1.domain.com concern HTML Application Host vulnerability in Windows shell Windows OS CVE-2005-0063 no
host1.domain.com concern Microsoft Color Management Module buffer overflow Windows OS CVE-2005-1219 yes
host1.domain.com concern Microsoft Data Access Component vulnerability Windows OS CVE-2006-0003 yes
host1.domain.com concern Windows DHTML Editing Component vulnerability Windows OS CVE-2004-1319 no
host1.domain.com concern Windows Explorer COM object command execution Windows OS CVE-2004-2289 CVE-2006-0012 no
host1.domain.com concern Windows Hyperlink Object Library buffer overflow Windows OS CVE-2005-0057 no
host1.domain.com concern Windows Kernel privilege elevation vulnerability Windows OS CVE-2005-2827 no
host1.domain.com concern Windows Media Player plug-in EMBED vulnerability Windows OS CVE-2006-0005 yes
host1.domain.com concern Windows Web Fonts vulnerability Windows OS CVE-2006-0010 no
host1.domain.com concern Windows shortcut file command execution Windows OS CVE-2005-2117 CVE-2005-2118 CVE-2005-2122 no
host1.domain.com concern vulnerable WinZip version: 8.0 Other CVE-2001-0449 CVE-2004-1465 no
host1.domain.com potential guessable read community string Networking/SNMP CVE-1999-0516 CVE-1999-0517 no
host1.domain.com potential Internet Explorer Shell.Explorer object enabled Windows OS CVE-2004-0985 no
host1.domain.com potential Javaprxy.dll access through Internet Explorer Windows OS CVE-2005-2087 yes
host1.domain.com potential last user name shown in login box Windows OS CVE-1999-0592 no
host1.domain.com potential MailEnable Enterprise 1.04 may be vulnerable Mail CVE-2005-1013 CVE-2005-1781 CVE-2005-2223 yes
host1.domain.com potential possible vulnerability in MailEnable Enterprise IMAP 1.04 Mail CVE-2005-1014 CVE-2005-1015 CVE-2005-2278 CVE-2005-3155 CVE-2005-3690 CVE-2005-3691 CVE-2005-3813 CVE-2005-3993 CVE-2005-4402 CVE-2005-4456 CVE-2005-4457 CVE-2006-0504 yes
host1.domain.com potential possible vulnerability in MailEnable Enterprise POP3 1.04 Mail CVE-2006-1337 no
host1.domain.com potential possible vulnerability in MailEnable POP3 0 Mail   no
host1.domain.com potential excessive null session access Windows OS CVE-2000-1200 no
host1.domain.com potential Possible ODBC RDS Vulnerability Web CVE-1999-1011 CVE-2002-1142 no
host1.domain.com potential chargen could be used in UDP bomb Networking/SNMP CVE-1999-0103 no
host1.domain.com potential pop receives password in clear Mail   no
host1.domain.com potential possible vulnerability in PPTP service Other CVE-2002-1214 no
host1.domain.com potential SNMP is enabled and may be vulnerable Networking/SNMP CVE-1999-0615 CVE-2002-0012 CVE-2002-0013 CVE-2002-0053 CVE-2002-0796 CVE-2002-0797 no
host1.domain.com potential TCP reset using approximate sequence number Other CVE-2004-0230 no
host1.domain.com potential password complexity policy disabled Windows OS CVE-1999-0535 no
host1.domain.com potential weak account lockout policy (0) Windows OS CVE-1999-0582 no
host1.domain.com potential weak minimum password age policy (0 days) Windows OS CVE-1999-0535 no
host1.domain.com potential weak minimum password length policy (0) Windows OS CVE-1999-0535 no
host1.domain.com potential weak password history policy (0) Windows OS CVE-1999-0535 no
host1.domain.com potential non-administrative users can act as part of the operating system Windows OS CVE-1999-0534 no
host1.domain.com potential non-administrative users can bypass traverse checking Windows OS CVE-1999-0534 no
host1.domain.com potential non-administrative users can create token object Windows OS CVE-1999-0534 no
host1.domain.com potential auditing is disabled Windows OS CVE-1999-0575 no
host1.domain.com potential Password never expires for user LDAP_Anonymous Windows OS   no
host1.domain.com potential Password never expires for user foobar Windows OS   no
host1.domain.com potential Client Service for Netware vulnerability Windows OS CVE-2005-1985 no
host1.domain.com potential Collaboration Data Objects vulnerability Windows OS CVE-2005-1987 no
host1.domain.com potential FTP Client vulnerability Windows OS CVE-2005-2126 no
host1.domain.com potential Jet Database Engine input validation problems Windows OS CVE-2005-0944 yes
host1.domain.com potential Microsoft Agent spoofing vulnerability Windows OS CVE-2005-1214 no
host1.domain.com potential Network Connection Manager vulnerability Windows OS CVE-2005-2307 no
host1.domain.com potential Win2000 SP2 Security Rollup 1 not installed Windows OS CVE-1999-0662 no
host1.domain.com potential Windows 2000 SP4 Update Rollup 1 not applied Windows OS CVE-2005-3168 CVE-2005-3169 CVE-2005-3170 CVE-2005-3171 CVE-2005-3172 CVE-2005-3173 CVE-2005-3174 CVE-2005-3175 CVE-2005-3176 CVE-2005-3177 no
host1.domain.com potential Windows Media Player URL script execution Windows OS CVE-2003-1107 no
host1.domain.com potential potential vulnerability in WINS Windows OS CVE-2003-0825 no
host2.domain.com critical Guessed password to windows account (foobar:foobar) Passwords   no
host2.domain.com critical Windows print spooler vulnerability Print Services CVE-2005-1984 no
host2.domain.com critical RPC runtime library vulnerability Windows OS CVE-2003-0807 CVE-2003-0813 CVE-2004-0116 CVE-2004-0124 no
host2.domain.com critical Win2003 RPC buffer overflow Windows OS CVE-2003-0352 yes
host2.domain.com critical Windows SMB Transaction response buffer overflow Windows OS CVE-2005-0045 no
host2.domain.com critical Windows SMB input validation vulnerability Windows OS CVE-2005-1206 no
host2.domain.com critical Windows TCP/IP vulnerabilities Windows OS CVE-2004-0230 CVE-2004-0790 CVE-2004-1060 CVE-2005-0048 CVE-2005-0688 no
host2.domain.com critical Windows WMF gdi32.dll vulnerability Windows OS CVE-2005-4560 yes
host2.domain.com concern Internet Explorer COM object memory corruption Windows OS CVE-2005-2127 no
host2.domain.com concern Internet Explorer Create Text Range code injection Windows OS CVE-2006-1185 CVE-2006-1186 CVE-2006-1188 CVE-2006-1189 CVE-2006-1190 CVE-2006-1191 CVE-2006-1192 CVE-2006-1245 CVE-2006-1359 CVE-2006-1388 yes
host2.domain.com concern Internet Explorer JPEG buffer overflow Windows OS CVE-2005-1988 CVE-2005-1989 CVE-2005-1990 yes
host2.domain.com concern Internet Explorer JS stack overflow Windows OS CVE-2006-0753 CVE-2006-0830 no
host2.domain.com concern Internet Explorer JavaScript vulnerability Windows OS CVE-2005-1790 CVE-2005-2829 CVE-2005-2830 CVE-2005-2831 yes
host2.domain.com concern Internet Explorer PNG buffer overflow Windows OS CVE-2002-0648 CVE-2005-1211 no
host2.domain.com concern Internet Explorer URL parsing buffer overflow Windows OS CVE-2005-0553 CVE-2005-0554 CVE-2005-0555 yes
host2.domain.com concern Outlook Express Windows Address Book vulnerability Mail CVE-2006-0014 no
host2.domain.com concern CodeSupport ActiveX control enabled Web CVE-2005-3650 no
host2.domain.com concern Sunncomm ActiveX control enabled Web   no
host2.domain.com concern Windows Plug and Play vulnerability Windows OS CVE-2005-1983 yes
host2.domain.com concern Run key allows write access Windows OS CVE-1999-0589 no
host2.domain.com concern Uninstall key allows write access Windows OS CVE-1999-0589 no
host2.domain.com concern DACL privilege elevation Windows OS CVE-2006-0023 no
host2.domain.com concern DirectShow buffer overflow Windows OS CVE-2005-2128 no
host2.domain.com concern Microsoft Color Management Module buffer overflow Windows OS CVE-2005-1219 yes
host2.domain.com concern Microsoft Data Access Component vulnerability Windows OS CVE-2006-0003 yes
host2.domain.com concern Windows COM+ command execution vulnerability Windows OS CVE-2005-1978 CVE-2005-1979 CVE-2005-1980 CVE-2005-2119 no
host2.domain.com concern Windows EMF/WMF image file vulnerability Windows OS CVE-2005-0803 CVE-2005-2123 CVE-2005-2124 no
host2.domain.com concern Windows Explorer COM object command execution Windows OS CVE-2004-2289 CVE-2006-0012 no
host2.domain.com concern Windows HTML Help integer overflow Windows OS CVE-2005-1208 no
host2.domain.com concern Windows Hyperlink Object Library buffer overflow Windows OS CVE-2005-0057 no
host2.domain.com concern Windows Media Player PNG image vulnerability Windows OS CVE-2004-1244 no
host2.domain.com concern Windows Media Player bmp buffer overflow Windows OS CVE-2006-0006 no
host2.domain.com concern Windows Media Player plug-in EMBED vulnerability Windows OS CVE-2006-0005 yes
host2.domain.com concern Windows OLE input validation vulnerability Windows OS CVE-2005-0044 CVE-2005-0047 no
host2.domain.com concern Windows Web Fonts vulnerability Windows OS CVE-2006-0010 no
host2.domain.com concern Windows shortcut file command execution Windows OS CVE-2005-2117 CVE-2005-2118 CVE-2005-2122 no
host2.domain.com concern Windows telnet client session variable disclosure Windows OS CVE-2005-1205 no
host2.domain.com potential Internet Explorer ADODB.Stream object enabled Windows OS   no
host2.domain.com potential Internet Explorer Shell.Explorer object enabled Windows OS CVE-2004-0985 no
host2.domain.com potential Javaprxy.dll access through Internet Explorer Windows OS CVE-2005-2087 yes
host2.domain.com potential last user name shown in login box Windows OS CVE-1999-0592 no
host2.domain.com potential Outlook Express NNTP buffer overflow Mail CVE-2005-1213 yes
host2.domain.com potential User newuser has never logged in Windows OS   no
host2.domain.com potential password complexity policy disabled Windows OS CVE-1999-0535 no
host2.domain.com potential weak account lockout policy (0) Windows OS CVE-1999-0582 no
host2.domain.com potential weak minimum password age policy (0 days) Windows OS CVE-1999-0535 no
host2.domain.com potential weak minimum password length policy (0) Windows OS CVE-1999-0535 no
host2.domain.com potential weak password history policy (0) Windows OS CVE-1999-0535 no
host2.domain.com potential non-administrative users can bypass traverse checking Windows OS CVE-1999-0534 no
host2.domain.com potential non-administrative users can replace a process level token Windows OS CVE-1999-0534 no
host2.domain.com potential account management auditing disabled Windows OS CVE-1999-0575 no
host2.domain.com potential account management failure auditing disabled Windows OS CVE-1999-0575 no
host2.domain.com potential logon failure auditing disabled Windows OS CVE-1999-0575 no
host2.domain.com potential object access auditing disabled Windows OS CVE-1999-0575 no
host2.domain.com potential object access failure auditing disabled Windows OS CVE-1999-0575 no
host2.domain.com potential policy change auditing disabled Windows OS CVE-1999-0575 no
host2.domain.com potential policy change failure auditing disabled Windows OS CVE-1999-0575 no
host2.domain.com potential system event auditing disabled Windows OS CVE-1999-0575 no
host2.domain.com potential system event failure auditing disabled Windows OS CVE-1999-0575 no
host2.domain.com potential Password never expires for user foobar Windows OS   no
host2.domain.com potential Windows TCP/IP Stack not hardened Other CVE-2005-0688 CVE-2005-1649 no
host2.domain.com potential Client Service for Netware vulnerability Windows OS CVE-2005-1985 no
host2.domain.com potential Collaboration Data Objects vulnerability Windows OS CVE-2005-1987 no
host2.domain.com potential FTP Client vulnerability Windows OS CVE-2005-2126 no
host2.domain.com potential Jet Database Engine input validation problems Windows OS CVE-2005-0944 yes
host2.domain.com potential Microsoft Agent spoofing vulnerability Windows OS CVE-2005-1214 no
host2.domain.com potential Network Connection Manager vulnerability Windows OS CVE-2005-2307 no
host2.domain.com potential Windows Media Player URL script execution Windows OS CVE-2003-1107 no
host3.domain.com critical cachefsd may be vulnerable RPC CVE-2002-0033 CVE-2002-0084 yes
host3.domain.com critical Calendar Manager service may be vulnerable RPC CVE-1999-0320 CVE-1999-0696 no
host3.domain.com critical possible buffer overflow in dtspcd Other CVE-2001-0803 no
host3.domain.com critical rpc.walld service may be vulnerable RPC CVE-2002-0573 no
host3.domain.com critical sadmind may be vulnerable to buffer overflow RPC CVE-1999-0977 no
host3.domain.com critical Vulnerable Sendmail version: 8.6 Mail CVE-1999-0129 CVE-1999-0131 CVE-1999-0203 CVE-1999-0204 CVE-1999-1109 CVE-1999-1309 CVE-2000-0319 CVE-2002-1337 CVE-2003-0161 CVE-2003-0681 CVE-2003-0694 CVE-2006-0058 no
host3.domain.com critical SNMP to DMI mapper may be vulnerable Networking/SNMP CVE-2001-0236 yes
host3.domain.com critical possible vulnerability in Sun lpd Print Services CVE-2001-0353 no
host3.domain.com critical possible format string vulnerability in tooltalk RPC CVE-2001-0717 no
host3.domain.com critical possible input validation error in tooltalk RPC CVE-2002-0677 CVE-2002-0678 no
host3.domain.com critical tooltalk version may be vulnerable to buffer overflow RPC CVE-1999-0003 CVE-1999-0693 CVE-2002-0679 no
host3.domain.com concern Excessive finger information Other CVE-1999-0612 no
host3.domain.com concern Solaris fingerd user list disclosure Other CVE-2001-1503 no
host3.domain.com concern Information from rusersd could help hacker RPC CVE-1999-0626 no
host3.domain.com concern signal handling race condition in Sendmail Mail CVE-2001-1349 no
host3.domain.com potential possible vulnerability in dtlogin Other CVE-2004-0368 no
host3.domain.com potential Possible globbing vulnerability in SunOS ftpd File Transfer CVE-2001-0249 no
host3.domain.com potential KCMS server may be vulnerable RPC CVE-2003-0027 no
host3.domain.com potential possible vulnerability in login Login/Shell CVE-2001-0797 yes
host3.domain.com potential chargen could be used in UDP bomb Networking/SNMP CVE-1999-0103 no
host3.domain.com potential rlogin is enabled Login/Shell CVE-1999-0651 no
host3.domain.com potential rshd is enabled Login/Shell CVE-1999-0651 no
host3.domain.com potential rexec is enabled and could help attacker Login/Shell CVE-1999-0618 no
host3.domain.com potential rpc.statd is enabled and may be vulnerable RPC CVE-1999-0018 CVE-1999-0019 CVE-1999-0210 CVE-1999-0493 CVE-2000-0666 no
host3.domain.com potential Information from rstatd could help hacker RPC CVE-1999-0624 no
host3.domain.com potential Sendmail command EXPN is enabled Mail CVE-1999-0531 no
host3.domain.com potential Sendmail command VRFY is enabled Mail CVE-1999-0531 no
host3.domain.com potential SMTP may be a mail relay Mail CVE-1999-0512 no
host3.domain.com potential SNMP is enabled and may be vulnerable Networking/SNMP CVE-1999-0615 CVE-2002-0012 CVE-2002-0013 CVE-2002-0053 CVE-2002-0796 CVE-2002-0797 no
host3.domain.com potential sunrpc services may be vulnerable RPC CVE-2002-0391 CVE-2003-0028 no
host3.domain.com potential possible buffer overflow in telnetd telrcv Login/Shell CVE-2001-0554 no
host3.domain.com potential Possible vulnerability in X font server Other CVE-2002-1317 no
host4.domain.com concern vulnerable Eudora version: 6.2 Mail   no
host4.domain.com concern vulnerability in Macromedia Flash Player: 8.0.22.0 Other CVE-2006-0024 no
host4.domain.com concern Internet Explorer Create Text Range code injection Windows OS CVE-2006-1185 CVE-2006-1186 CVE-2006-1188 CVE-2006-1189 CVE-2006-1190 CVE-2006-1191 CVE-2006-1192 CVE-2006-1245 CVE-2006-1359 CVE-2006-1388 yes
host4.domain.com concern Internet Explorer JS stack overflow Windows OS CVE-2006-0753 CVE-2006-0830 no
host4.domain.com concern vulnerable iTunes version: 6 Other   no
host4.domain.com concern Microsoft Excel and Office routing slip vulnerabilities Windows OS CVE-2005-4131 CVE-2006-0009 CVE-2006-0028 CVE-2006-0029 CVE-2006-0030 CVE-2006-0031 no
host4.domain.com concern vulnerable Mozilla Thunderbird version: 0.7.2 Mail CVE-2004-0902 CVE-2004-0903 CVE-2004-0904 CVE-2004-0905 CVE-2004-0906 CVE-2004-0907 CVE-2004-0908 CVE-2004-0909 CVE-2004-1316 CVE-2005-0142 CVE-2005-0148 CVE-2005-0149 CVE-2005-0255 CVE-2005-0399 CVE-2005-0590 CVE-2005-0989 CVE-2005-1159 CVE-2005-1160 CVE-2005-1532 CVE-2005-2261 CVE-2005-2265 CVE-2005-2266 CVE-2005-2269 CVE-2005-2270 yes
host4.domain.com concern vulnerable Mozilla Firefox version: 1.0.3 Web CVE-2005-1476 CVE-2005-1477 CVE-2005-1531 CVE-2005-1532 CVE-2005-1937 CVE-2005-2260 CVE-2005-2261 CVE-2005-2262 CVE-2005-2263 CVE-2005-2264 CVE-2005-2265 CVE-2005-2266 CVE-2005-2267 CVE-2005-2268 CVE-2005-2269 CVE-2005-2270 CVE-2005-2701 CVE-2005-2702 CVE-2005-2703 CVE-2005-2704 CVE-2005-2705 CVE-2005-2706 CVE-2005-2707 CVE-2005-2871 CVE-2005-2968 CVE-2005-3089 no
host4.domain.com concern vulnerable Mozilla version: 1.7.7 Web CVE-2005-1476 CVE-2005-1531 CVE-2005-1532 CVE-2005-1937 CVE-2005-2260 CVE-2005-2261 CVE-2005-2263 CVE-2005-2265 CVE-2005-2266 CVE-2005-2268 CVE-2005-2269 CVE-2005-2270 CVE-2005-2701 CVE-2005-2702 CVE-2005-2703 CVE-2005-2704 CVE-2005-2705 CVE-2005-2706 CVE-2005-2707 CVE-2005-2871 CVE-2005-2968 CVE-2005-4134 CVE-2006-0292 no
host4.domain.com concern vulnerable Netscape Navigator version: 4.78 Web CVE-2004-0718 CVE-2004-0722 CVE-2004-1160 CVE-2005-0399 CVE-2005-0989 CVE-2005-1156 CVE-2005-1157 CVE-2005-1160 yes
host4.domain.com concern Outlook Express Windows Address Book vulnerability Mail CVE-2006-0014 no
host4.domain.com concern vulnerable QuickTime version: 7.0.3 Other CVE-2005-2340 CVE-2005-3707 CVE-2005-3708 CVE-2005-3709 CVE-2005-3710 CVE-2005-3711 CVE-2005-3713 CVE-2005-4092 CVE-2005-4128 yes
host4.domain.com concern Sunncomm ActiveX control enabled Web   no
host4.domain.com concern vulnerable Winamp version: 5.13 Other CVE-2006-0708 CVE-2006-0720 no
host4.domain.com concern Windows Plug and Play vulnerability Windows OS CVE-2005-1983 yes
host4.domain.com concern Run key allows write access Windows OS CVE-1999-0589 no
host4.domain.com concern Uninstall key allows write access Windows OS CVE-1999-0589 no
host4.domain.com concern HTML Help cross-domain vulnerability Windows OS CVE-2004-1043 no
host4.domain.com concern Microsoft Data Access Component vulnerability Windows OS CVE-2006-0003 yes
host4.domain.com concern Windows Explorer COM object command execution Windows OS CVE-2004-2289 CVE-2006-0012 no
host4.domain.com potential Internet Explorer Shell.Explorer object enabled Windows OS CVE-2004-0985 no
host4.domain.com potential last user name shown in login box Windows OS CVE-1999-0592 no
host4.domain.com potential application uses vulnerable libpng version: Thunderbird 0.7.2 Other CVE-2004-0597 CVE-2004-0598 CVE-2004-0599 no
host4.domain.com potential Possible vulnerability in Microsoft UPnP Windows OS CVE-2001-0876 CVE-2001-0877 no
host4.domain.com potential Outlook Express NNTP buffer overflow Mail CVE-2005-1213 yes
host4.domain.com potential Outlook Express default news server account disclosure Mail CVE-2005-2226 no
host4.domain.com potential User DoeJ has never logged in Windows OS   no
host4.domain.com potential User sainttest has never logged in Windows OS   no
host4.domain.com potential weak maximum password age policy (730 days) Windows OS CVE-1999-0535 no
host4.domain.com potential weak minimum password age policy (0 days) Windows OS CVE-1999-0535 no
host4.domain.com potential weak password history policy (3) Windows OS CVE-1999-0535 no
host4.domain.com potential non-administrative users can act as part of the operating system Windows OS CVE-1999-0534 no
host4.domain.com potential non-administrative users can bypass traverse checking Windows OS CVE-1999-0534 no
host4.domain.com potential non-administrative users can create token object Windows OS CVE-1999-0534 no
host4.domain.com potential non-administrative users can replace a process level token Windows OS CVE-1999-0534 no
host4.domain.com potential Password never expires for user DoeJ Windows OS   no
host4.domain.com potential Password never expires for user foobars Windows OS   no
host4.domain.com potential Windows TCP/IP Stack not hardened Other CVE-2005-0688 CVE-2005-1649 no
host4.domain.com potential Jet Database Engine input validation problems Windows OS CVE-2005-0944 yes
host5.domain.com critical Anthill 0.1.6.1 is vulnerable Web CVE-2002-0548 CVE-2002-0549 no
host5.domain.com critical OpenSSH 3.1p1 may be vulnerable Login/Shell CVE-2002-0575 CVE-2002-0639 CVE-2002-0640 CVE-2003-0190 CVE-2003-0682 CVE-2003-0693 CVE-2003-0695 CVE-2005-2798 no
host5.domain.com concern Web server allows cross-site tracing Web   no
host5.domain.com concern vulnerable Horde Accounts version: 2.1 Web CVE-2005-1316 no
host5.domain.com concern vulnerable Horde Forwards version: 2.2 Web CVE-2005-1318 no
host5.domain.com concern vulnerable Horde Kronolith version: 1.1 Web CVE-2005-1314 no
host5.domain.com concern vulnerable Horde Mnemo version: 1.1 Web CVE-2005-1320 no
host5.domain.com concern vulnerable Horde Nag version: 1.1 Web CVE-2005-1322 no
host5.domain.com concern vulnerable Horde Passwd version: 2.2 Web CVE-2005-1313 no
host5.domain.com concern vulnerable Horde Turba version: 1.2 Web CVE-2005-1315 no
host5.domain.com concern vulnerable Horde Vacation version: 2.2 Web CVE-2005-1321 no
host5.domain.com concern vulnerable Horde IMP version: 3.2.1 Mail CVE-2004-0584 CVE-2004-1443 CVE-2005-1319 CVE-2005-4080 no
host5.domain.com concern vulnerable Horde version: 2.2.3 Web CVE-2003-0728 CVE-2005-0378 CVE-2005-0961 CVE-2005-3570 no
host5.domain.com potential possible vulnerability in wu-ftpd 2.6.2 File Transfer CVE-2003-0466 CVE-2004-0185 no
host5.domain.com potential possible vulnerability in OpenSSL 0.9.7d Other CVE-2005-2969 no
host5.domain.com potential possible RSA SecurID Web Agent redirect buffer overflow Other   no
host5.domain.com potential possible heap overflow in RSA SecurID Web Agent Other CVE-2005-1471 CVE-2005-4734 yes
host5.domain.com potential SSL server accepts SSLv2 protocol Other   no
host5.domain.com potential SSL server accepts weak ciphers Other   no
host5.domain.com potential TCP reset using approximate sequence number Other CVE-2004-0230 no
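The table above is a flattened export of the scanner's output. The script below is an added example, not part of the SAINT report or of SAINT itself: it parses rows in exactly this layout (host, severity, free-text title, class, zero or more CVE identifiers, exploit flag) and recomputes the summaries of sections 2.1 through 2.5 from them: findings per severity and per class, each host's severity as its worst finding, and per-subnet totals using the address mapping from the host list in section 3.1. The embedded rows are copied from the table above as a constructed sample; the function names (parse_rows, host_severity and so on) are this example's own.

```python
import re
from collections import Counter

# Vulnerability classes exactly as the report defines them in section 2.3.
CLASSES = ["Web", "Mail", "File Transfer", "Login/Shell", "Print Services", "RPC",
           "DNS", "Databases", "Networking/SNMP", "Windows OS", "Passwords", "Other"]
# Severity order used in section 2.2: a host's severity is its worst finding.
SEVERITY_RANK = {"potential": 1, "concern": 2, "critical": 3}

# One row of the section 3.2 table. The title is matched lazily and the line is
# anchored at its end, so a class name appearing inside the title (for example
# "Web server allows cross-site tracing") cannot be mistaken for the class column.
ROW_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<severity>critical|concern|potential)\s+(?P<title>.+?)\s+"
    r"(?P<cls>" + "|".join(re.escape(c) for c in CLASSES) + r")"
    r"(?P<cves>(?:\s+CVE-\d{4}-\d{4,})*)\s+(?P<exploit>yes|no)$"
)

# Constructed sample: rows copied verbatim from the report's own table.
SAMPLE_ROWS = """\
host1.domain.com critical Download.Ject detected on web server Other   no
host1.domain.com critical MS FrontPage Server Extension Vulnerability: remote debug Web CVE-2003-0822 yes
host1.domain.com concern Windows DNS server allows cache poisoning DNS CVE-2001-1452 no
host1.domain.com potential guessable read community string Networking/SNMP CVE-1999-0516 CVE-1999-0517 no
host2.domain.com critical Win2003 RPC buffer overflow Windows OS CVE-2003-0352 yes
host3.domain.com critical possible buffer overflow in dtspcd Other CVE-2001-0803 no
host3.domain.com potential rlogin is enabled Login/Shell CVE-1999-0651 no
host4.domain.com concern vulnerable Winamp version: 5.13 Other CVE-2006-0708 CVE-2006-0720 no
host4.domain.com potential weak password history policy (3) Windows OS CVE-1999-0535 no
host5.domain.com critical OpenSSH 3.1p1 may be vulnerable Login/Shell CVE-2002-0575 CVE-2002-0639 CVE-2002-0640 CVE-2003-0190 CVE-2003-0682 CVE-2003-0693 CVE-2003-0695 CVE-2005-2798 no
host5.domain.com concern Web server allows cross-site tracing Web   no
"""

# Host-to-address mapping taken from the section 3.1 host list.
HOST_IPS = {"host1.domain.com": "172.16.0.1", "host2.domain.com": "172.16.1.2",
            "host3.domain.com": "172.16.1.3", "host4.domain.com": "172.16.1.4",
            "host5.domain.com": "172.16.1.5"}


def parse_rows(text):
    """Parse table rows into dicts; raise on any line that does not fit the format."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError("unparseable row: %r" % line)
        rows.append({"host": m.group("host"), "severity": m.group("severity"),
                     "title": m.group("title"), "cls": m.group("cls"),
                     "cves": m.group("cves").split(),
                     "exploit": m.group("exploit") == "yes"})
    return rows


def count_by_severity(rows):
    """Section 2.1: number of findings at each severity level."""
    return Counter(r["severity"] for r in rows)


def count_by_class(rows):
    """Section 2.3: number of findings in each class."""
    return Counter(r["cls"] for r in rows)


def host_severity(rows):
    """Section 2.2: a host's severity is the highest severity found on it."""
    worst = {}
    for r in rows:
        cur = worst.get(r["host"])
        if cur is None or SEVERITY_RANK[r["severity"]] > SEVERITY_RANK[cur]:
            worst[r["host"]] = r["severity"]
    return worst


def hosts_by_severity(rows):
    """Section 2.2: number of hosts at each (maximum) severity level."""
    return Counter(host_severity(rows).values())


def count_by_subnet(rows, host_ips):
    """Section 2.4: findings per severity for each scanned subnet (first three octets)."""
    per_subnet = {}
    for r in rows:
        subnet = host_ips[r["host"]].rsplit(".", 1)[0]
        per_subnet.setdefault(subnet, Counter())[r["severity"]] += 1
    return per_subnet


def exploitable(rows):
    """Findings the scanner flags as having a public exploit: the first fix queue."""
    return [r for r in rows if r["exploit"]]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print("by severity:", dict(count_by_severity(rows)))
    print("hosts by severity:", dict(hosts_by_severity(rows)))
    for subnet, counts in sorted(count_by_subnet(rows, HOST_IPS).items()):
        print("subnet %s:" % subnet, dict(counts))
    for r in exploitable(rows):
        print("exploit available:", r["host"], r["title"], " ".join(r["cves"]))
```

Run against the full table, the per-severity totals should reproduce the 42/94/110 figures in the introduction; a mismatch means a row was garbled in export, which parse_rows reports by raising rather than silently skipping the line.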

4.0  Details

The following sections provide details on the specific vulnerabilities detected on each host.

4.1  host1.domain.com

IP Address: 172.16.0.1 Host type: Windows 2000 Service Pack 1
Scan time: Jun 29 14:31:35 2009 Netbios Name: HOST1


Download.Ject detected on web server
Severity: Critical Problem

Impact

For web servers, a remote attacker has gained access to the server and added malicious content to the web site. For web clients, the web browser may have installed a keystroke logger when visiting a compromised web site. The keystroke logs are automatically sent to a remote web site.

Resolution

Run a virus scan and delete or repair any files infected with Download.Ject or JS.Scob. On IIS web servers, disable the document footer or ensure that the footer is valid in the Documents tab of the Web Site Properties.

To avoid becoming infected, install the fix for the Internet Explorer Modal Dialog Zone Bypass and ADODB.Stream Object File Installation vulnerabilities when available. Until the fix is installed, disable client-side scripting and active content in the Internet zone in Microsoft Internet Explorer.

Where can I read more about this?

For more information, see the Microsoft and Symantec write-ups on Download.Ject.

Technical Details

Service: http
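One way to check a web server for the footer tampering described above, as an added example that is not part of the report or of SAINT: the script looks at what the server appends after the closing </html> tag of each retrieved page, flags trailing content that carries active tags, and reports a blob that recurs across pages, which is the pattern an injected server-wide document footer produces and an ordinary copyright footer does not. The sample responses, the 203.0.113.10 address in them and the function names are constructed for illustration and are not the real Download.Ject payload.

```python
import re

# Constructed sample responses, as a crawler would retrieve them from an IIS
# server whose document footer has been tampered with. The appended script tag
# is invented for illustration; it is not the actual Download.Ject content.
SAMPLE_PAGES = {
    "/index.htm": "<html><body><h1>Welcome</h1></body></html>\n"
                  "<script src=\"http://203.0.113.10/x.js\"></script>\n",
    "/about.htm": "<html><body><p>About us</p></body></html>\n"
                  "<script src=\"http://203.0.113.10/x.js\"></script>\n",
    "/legal.htm": "<html><body><p>Legal</p></body></html>\n"
                  "<!-- (c) 2009 domain.com -->\n",
}

# Tags that should never appear after the document has ended.
ACTIVE_TAG_RE = re.compile(r"<\s*(script|iframe|object|embed)\b", re.IGNORECASE)
# Absolute URLs referenced from the footer, e.g. the script source to block at the proxy.
URL_RE = re.compile(r"""src=["']?(https?://[^"'\s>]+)""", re.IGNORECASE)


def trailing_content(html):
    """Return whatever follows the final </html> tag, stripped; '' if nothing does."""
    idx = html.lower().rfind("</html>")
    if idx == -1:
        return ""
    return html[idx + len("</html>"):].strip()


def suspicious_footers(pages):
    """Map each path to its trailing blob when that blob carries active content."""
    found = {}
    for path, html in pages.items():
        tail = trailing_content(html)
        if tail and ACTIVE_TAG_RE.search(tail):
            found[path] = tail
    return found


def shared_footer(pages):
    """A footer injected server-wide shows up identically on many pages.
    Return the most common suspicious trailing blob and the paths carrying it."""
    hits = suspicious_footers(pages)
    if not hits:
        return None, []
    by_blob = {}
    for path, blob in hits.items():
        by_blob.setdefault(blob, []).append(path)
    blob, paths = max(by_blob.items(), key=lambda kv: len(kv[1]))
    return blob, sorted(paths)


def external_sources(blob):
    """URLs the injected footer loads from; candidates for blocking and for IOC search."""
    return sorted(set(URL_RE.findall(blob or "")))


if __name__ == "__main__":
    blob, paths = shared_footer(SAMPLE_PAGES)
    if blob is None:
        print("no suspicious trailing content")
    else:
        print("shared trailing content on %s:\n%s" % (", ".join(paths), blob))
        print("loads from:", external_sources(blob))
```

On a real server the pages dict would be filled by fetching a sample of URLs; the check is cheap enough to run from a monitoring job so that a footer change is noticed before the scanner's next pass.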

Guessed password to windows account (foobar:foobar)
Severity: Critical Problem

Impact

An attacker who is able to guess the password to a user account could gain access to the system with the privileges of that user: on Windows through SMB shares and remote administration interfaces, on Unix through a login shell. From there it is often trivial to gain complete control of the system.

Resolution

Protect all accounts with a password that cannot be guessed. Require users to choose passwords which are at least eight characters long, include numeric and non-alphanumeric characters, and are not based on the login name or any other personal information about the user. Enforce this policy using a utility such as npasswd in place of the default UNIX passwd program. Check the strength of all account passwords periodically using a password cracking utility such as Crack for Unix.

For Cisco 2700 Series Wireless Location Appliance, change the password or mitigate as described in cisco-air-20061013-wla.

Where can I read more about this?

Walter Belgers' paper, UNIX password security, is a good reference on strengthening passwords.

The Cisco 2700 Series WLA default password was described in cisco-sa-2006-1012-wla and Bugtraq ID 20490.

The IBM Totalstorage DS400 default password was posted to Full Disclosure.

Technical Details

Service: netbios-ssn
foobar:foobar

MS FrontPage Server Extension Vulnerability: /_vti_bin/shtml.dll
Severity: Critical Problem CVE: CVE-2003-0824

Impact

A remote attacker could take control of the web site, and possibly the system as well.

Resolutions

To fix the FrontPage Server Extensions cross-site scripting vulnerability and the fp30reg.dll remote debug and SmartHTML buffer overflow vulnerabilities, apply the patch indicated in Microsoft Security Bulletin 06-017.

To fix the vulnerability in the Visual Studio RAD support, apply the patch indicated in Microsoft Security Bulletin 01-035.

To secure the FrontPage password file, set the permissions on the file(s) to be more restrictive. The exact permissions which should be used are not specified. Use the most restrictive permissions possible without denying access to legitimate users.

On Windows NT systems:

  1. Find the file in Windows Explorer.
  2. Click on the file with the right mouse button.
  3. Select Properties.
  4. Click on the Security tab.
  5. Click on the Permissions button.
  6. Change or remove permissions on the file as necessary.

On Unix systems:

Use the chmod command.

To fix the buffer overflow in fpcount.exe, upgrade to FrontPage Server Extensions 98 or higher.

Where can I read more about this?

For more information on the FrontPage Server Extensions cross-site scripting vulnerabilities, see Microsoft Security Bulletin 06-017 and Bugtraq ID 17452.

For more information on the fp30reg.dll remote debug and SmartHTML buffer overflow vulnerabilities, see Microsoft Security Bulletin 03-051 and Secunia Advisory SA10195.

For more information on the vulnerability in the Visual Studio RAD support, see Microsoft Security Bulletin 01-035 and NSFOCUS Security Advisory 2001-03.

See the Rhino 9 Advisory for more information about the password file vulnerability.

The fpcount.exe vulnerability was posted to Bugtraq archive 11943.

Technical Details

Service: http
Sent:
POST /_vti_bin/shtml.dll HTTP/1.0
Host: host1.domain.com:80


Received:
HTTP/1.1 200 OK
And:
<HTML><BODY>Cannot run the FrontPage Server Extensions' Smart HTML interpreter on this non-HTML page: &quot;&quot;</BODY></HTML>

MS FrontPage Server Extension Vulnerability: remote debug
Severity: Critical Problem CVE: CVE-2003-0822

Impact

A remote attacker could take control of the web site, and possibly the system as well.

Resolutions

To fix the FrontPage Server Extensions cross-site scripting vulnerability and the fp30reg.dll remote debug and SmartHTML buffer overflow vulnerabilities, apply the patch indicated in Microsoft Security Bulletin 06-017.

To fix the vulnerability in the Visual Studio RAD support, apply the patch indicated in Microsoft Security Bulletin 01-035.

To secure the FrontPage password file, set the permissions on the file(s) to be more restrictive. The exact permissions which should be used are not specified. Use the most restrictive permissions possible without denying access to legitimate users.

On Windows NT systems:

  1. Find the file in Windows Explorer.
  2. Click on the file with the right mouse button.
  3. Select Properties.
  4. Click on the Security tab.
  5. Click on the Permissions button.
  6. Change or remove permissions on the file as necessary.

On Unix systems:

Use the chmod command.

To fix the buffer overflow in fpcount.exe, upgrade to FrontPage Server Extensions 98 or higher.

Where can I read more about this?

For more information on the FrontPage Server Extensions cross-site scripting vulnerabilities, see Microsoft Security Bulletin 06-017 and Bugtraq ID 17452.

For more information on the fp30reg.dll remote debug and SmartHTML buffer overflow vulnerabilities, see Microsoft Security Bulletin 03-051 and Secunia Advisory SA10195.

For more information on the vulnerability in the Visual Studio RAD support, see Microsoft Security Bulletin 01-035 and NSFOCUS Security Advisory 2001-03.

See the Rhino 9 Advisory for more information about the password file vulnerability.

The fpcount.exe vulnerability was posted to Bugtraq archive 11943.

Technical Details

Service: http
Sent:
POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.0
Host: host1.domain.com:80
Transfer-Encoding: chunked

1

X
0



Received:
HTTP/1.1 400 Bad Request

Folder traversal in IIS (Double Decoding)
Severity: Critical Problem CVE: CVE-2001-0333

Impact

An attacker could send a specially constructed request which crashes the server or executes arbitrary code with the privileges of the web server.

Resolutions

Install the patches referenced in Microsoft Security Bulletins 03-018, 06-034 (for Windows 2000), 08-006 (for Windows 2003 and XP), and 08-062.

For IIS 5.1, also install the patches referenced in 07-041. Note that the patch referenced in Microsoft Security Bulletin 02-050 must also be installed if client side certificates are to function.

IIS 4.0 users should also install the patch referenced in Microsoft Security Bulletin 04-021 or disable the permanent redirection option under the Home Directory tab in the web site properties.

Where can I read more about this?

More information on Integer Overflow in IPP Service is available at Microsoft Security Bulletin 08-062.

More information on the IIS ASP remote code execution in Windows 2003 and XP is available in Microsoft Security Bulletin 08-006.

More information on the remote code execution in IIS 5.1 is available at Microsoft Security Bulletin 07-041.

More information on the ASP upload vulnerability is available in Microsoft Security Bulletin 06-034.

The .dll request denial of service was reported in Secunia Advisory SA18106.

More information on the chunked .HTR processing vulnerability is available in Microsoft Security Bulletin 02-028 and eEye advisory 20020612.

The IIS 4.0 redirection buffer overflow was reported in Microsoft Security Bulletin 04-021.

More information on the multiple vulnerabilities in IIS 4.0 through 5.1 is available in CERT Advisory 2002-09, Microsoft Security Bulletin 02-018, Microsoft Security Bulletin 02-062, and Microsoft Security Bulletin 03-018.

More information on the buffer overflows in IIS 5.0 is available from Microsoft Security Bulletins 01-023 and 01-033, CERT advisories 2001-10 and 2001-13, and eEye advisories AD20010501 and AD20010618. General information on securing IIS 5.0 can be found in the IIS 5 security checklist.

More information on folder traversal using Unicode translation is available from Microsoft Security Bulletin 00-078 and a posting to Bugtraq. More information on folder traversal using double encoding is available from Microsoft Security Bulletin 01-026, NSFOCUS Security Advisory 2001-02, and CERT Advisory 2001-12.

More information on the buffer overflow vulnerability is available from Microsoft Security Bulletin 99-019 and from Microsoft Knowledge Base article Q234905.

More information on the filename inspection vulnerability can be found in Microsoft Security Bulletin 00-086 and NSFOCUS Security Advisory 2000-07.

The other vulnerabilities were reported in Microsoft Security Bulletins 00-057, 01-016, and 01-044.

Technical Details

Service: http
Sent:
GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
Host: host1.domain.com:80


Received:
HTTP/1.1 200 OK
And:
05/08/2001 04:52p <DIR> WINNT

Folder traversal in IIS (Unicode Translation)
Severity: Critical Problem CVE: CVE-2000-0884

Impact

An attacker could send a specially constructed request which crashes the server or executes arbitrary code with the privileges of the web server.

Resolutions

Install the patches referenced in Microsoft Security Bulletins 03-018, 06-034 (for Windows 2000), 08-006 (for Windows 2003 and XP), and 08-062.

For IIS 5.1, also install the patches referenced in 07-041. Note that the patch referenced in Microsoft Security Bulletin 02-050 must also be installed if client side certificates are to function.

IIS 4.0 users should also install the patch referenced in Microsoft Security Bulletin 04-021 or disable the permanent redirection option under the Home Directory tab in the web site properties.

Where can I read more about this?

More information on Integer Overflow in IPP Service is available at Microsoft Security Bulletin 08-062.

More information on the IIS ASP remote code execution in Windows 2003 and XP is available in Microsoft Security Bulletin 08-006.

More information on the remote code execution in IIS 5.1 is available at Microsoft Security Bulletin 07-041.

More information on the ASP upload vulnerability is available in Microsoft Security Bulletin 06-034.

The .dll request denial of service was reported in Secunia Advisory SA18106.

More information on the chunked .HTR processing vulnerability is available in Microsoft Security Bulletin 02-028 and eEye advisory 20020612.

The IIS 4.0 redirection buffer overflow was reported in Microsoft Security Bulletin 04-021.

More information on the multiple vulnerabilities in IIS 4.0 through 5.1 is available in CERT Advisory 2002-09, Microsoft Security Bulletin 02-018, Microsoft Security Bulletin 02-062, and Microsoft Security Bulletin 03-018.

More information on the buffer overflows in IIS 5.0 is available from Microsoft Security Bulletins 01-023 and 01-033, CERT advisories 2001-10 and 2001-13, and eEye advisories AD20010501 and AD20010618. General information on securing IIS 5.0 can be found in the IIS 5 security checklist.

More information on folder traversal using Unicode translation is available from Microsoft Security Bulletin 00-078 and a posting to Bugtraq. More information on folder traversal using double encoding is available from Microsoft Security Bulletin 01-026, NSFOCUS Security Advisory 2001-02, and CERT Advisory 2001-12.

More information on the buffer overflow vulnerability is available from Microsoft Security Bulletin 99-019 and from Microsoft Knowledge Base article Q234905.

More information on the filename inspection vulnerability can be found in Microsoft Security Bulletin 00-086 and NSFOCUS Security Advisory 2000-07.

The other vulnerabilities were reported in Microsoft Security Bulletins 00-057, 01-016, and 01-044.

Technical Details

Service: http
Sent:
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
Host: host1.domain.com:80


Received:
HTTP/1.1 200 OK
And:
05/08/2001 04:52p <DIR> WINNT

vulnerabilities in IIS 5
Severity: Critical Problem CVE: CVE-2000-0770 CVE-2001-0151 CVE-2001-0241 CVE-2001-0500 CVE-2001-0507 CVE-2002-0869 CVE-2002-1180 CVE-2002-1181 CVE-2002-1182 CVE-2003-0223 CVE-2003-0224 CVE-2003-0225 CVE-2003-0226

Impact

An attacker could send a specially constructed request which crashes the server or executes arbitrary code with the privileges of the web server.

Resolutions

Install the patches referenced in Microsoft Security Bulletins 03-018, 06-034 (for Windows 2000), 08-006 (for Windows 2003 and XP), and 08-062.

For IIS 5.1, also install the patches referenced in 07-041. Note that the patch referenced in Microsoft Security Bulletin 02-050 must also be installed if client side certificates are to function.

IIS 4.0 users should also install the patch referenced in Microsoft Security Bulletin 04-021 or disable the permanent redirection option under the Home Directory tab in the web site properties.

Where can I read more about this?

More information on Integer Overflow in IPP Service is available at Microsoft Security Bulletin 08-062.

More information on the IIS ASP remote code execution in Windows 2003 and XP is available in Microsoft Security Bulletin 08-006.

More information on the remote code execution in IIS 5.1 is available at Microsoft Security Bulletin 07-041.

More information on the ASP upload vulnerability is available in Microsoft Security Bulletin 06-034.

The .dll request denial of service was reported in Secunia Advisory SA18106.

More information on the chunked .HTR processing vulnerability is available in Microsoft Security Bulletin 02-028 and eEye advisory 20020612.

The IIS 4.0 redirection buffer overflow was reported in Microsoft Security Bulletin 04-021.

More information on the multiple vulnerabilities in IIS 4.0 through 5.1 is available in CERT Advisory 2002-09, Microsoft Security Bulletin 02-018, Microsoft Security Bulletin 02-062, and Microsoft Security Bulletin 03-018.

More information on the buffer overflows in IIS 5.0 is available from Microsoft Security Bulletins 01-023 and 01-033, CERT advisories 2001-10 and 2001-13, and eEye advisories AD20010501 and AD20010618. General information on securing IIS 5.0 can be found in the IIS 5 security checklist.

More information on folder traversal using Unicode translation is available from Microsoft Security Bulletin 00-078 and a posting to Bugtraq. More information on folder traversal using double encoding is available from Microsoft Security Bulletin 01-026, NSFOCUS Security Advisory 2001-02, and CERT Advisory 2001-12.

More information on the buffer overflow vulnerability is available from Microsoft Security Bulletin 99-019 and from Microsoft Knowledge Base article Q234905.

More information on the filename inspection vulnerability can be found in Microsoft Security Bulletin 00-086 and NSFOCUS Security Advisory 2000-07.

The other vulnerabilities were reported in Microsoft Security Bulletins 00-057, 01-016, and 01-044.

Technical Details

Service: http

MailEnable HTTPMail vulnerability
Severity: Critical Problem CVE: CVE-2005-1348 CVE-2005-2222 CVE-2006-1338

Impact

A remote attacker could create a denial of service, or possibly execute arbitrary commands with System privileges.

Resolution

Upgrade to MailEnable Professional 3.53 or higher, MailEnable Enterprise 3.53 or higher, or MailEnable Standard 1.98 when available, or apply all needed hotfixes.

Where can I read more about this?

Additional information can be located at the hotfixes page.

The MailEnable 3.52 IMAP Remote Denial of Service vulnerability was reported in Secunia Advisory SA31325.

The IMAP Service APPEND Command buffer overflow was reported in Secunia Advisory SA24361.

The NTLM denial of service was reported in Secunia Advisory SA24139.

The POP PASS vulnerability was reported in Secunia Advisory SA23127.

The pre-authentication buffer overflow vulnerability was reported at Bugtraq ID 21492.

The IMAP Buffer Overflow and Denial of Service vulnerabilities were reported in Secunia Advisory SA23080.

The invalid command buffer overflow was reported in Bugtraq ID 21252.

The NTLM signature field buffer overflow was reported in Bugtraq ID 20290.

The SPF lookup buffer overflow was reported in Bugtraq ID 20091.

The SMTP HELO denial of service was reported in Secunia Advisory SA20790.

The admin authentication bypass and WebMail vulnerabilities were reported in Secunia Advisory SA20556.

The quoted-printable denial of service vulnerability was reported in Enterprise History.

The unspecified POP authentication bypass was reported in Standard History.

The IMAP buffer overflow and denial-of-service vulnerabilities were reported in two Full Disclosure postings, Bugtraq archive 417589, and Secunia Research Advisory 2005-59.

The IMAP directory traversal vulnerability was reported in Secunia Research Advisory 2005-59.

The W3C logging overflow was reported in Secunia Advisory SA17010.

The IMAP STATUS command buffer overflow was reported in Secunia Advisory SA15986.

The SMTP Authentication denial of service (buffer overflow) vulnerability is described in Bugtraq ID 13772.

The HTTPMail Authorization buffer overflow was posted to Bugtraq archive 396826.

The mailto: format string vulnerability was posted to Bugtraq archive 393566.

The IMAP buffer overflows were reported in a Hat-Squad advisory and two Full Disclosure postings.

The EHLO denial of service was reported in Bugtraq ID 12994.

The DNS response and IMAP denial of service was reported by the vendor.

The Content-length buffer overflow was reported in Bugtraq ID 10838.

The heap overflow was reported in SecurityTracker alert 1010107.

Technical Details

Service: 8080
MailEnable HTTPMail enabled and either MailEnable Enterprise before version 1.21 or MailEnable Professional before version 1.73

MS Site Server default account
Severity: Critical Problem CVE: CVE-2002-1769 CVE-2002-2073 CVE-2002-2081

Impact

A remote attacker could view configuration information, create a denial of service, or upload and execute arbitrary ASP code.

Resolution

Get the latest version or service pack from Microsoft Commerce Server. Then apply or reapply Windows NT Service Pack 6a.

Where can I read more about this?

This vulnerability was reported in Rain Forest Puppy advisory RFP2201.

Technical Details

Service: netbios-ssn

vulnerability in Windows Media Services (nsiislog.dll)
Severity: Critical Problem CVE: CVE-2003-0227 CVE-2003-0349

Impact

A remote attacker could cause the web service to stop responding or execute arbitrary commands with the privileges of the IIS service.

Resolution

Install the patch referenced in Microsoft Security Bulletin 03-022 to correct both vulnerabilities.

Where can I read more about this?

The first vulnerability was reported in Microsoft Security Bulletin 03-019, the second in Microsoft Security Bulletin 03-022.

Technical Details

Service: http

Windows Plug and Play vulnerability
Severity: Critical Problem CVE: CVE-2005-1983

Impact

On Windows 2000, a remote anonymous user could execute arbitrary commands with administrative privileges. On Windows XP Service Pack 1, a remote authenticated user could execute arbitrary commands with administrative privileges. On Windows XP Service Pack 2 and Windows Server 2003, a user who is logged on locally could execute arbitrary commands with administrative privileges.

Resolution

Apply the patch referenced in Microsoft Security Bulletin 05-047.

Where can I read more about this?

These vulnerabilities were reported in Microsoft Security Bulletins 05-039 and 05-047.

Technical Details

Service: netbios
Plug and Play service running and KB899588 not installed

RPC runtime library vulnerability
Severity: Critical Problem CVE: CVE-2003-0807 CVE-2003-0813 CVE-2004-0116 CVE-2004-0124

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: RPC runtime library vulnerability
Description: Fixes a race condition which could allow an attacker to take control of a system, and fixes three other RPC vulnerabilities. (CVE 2003-0807 CVE 2003-0813 CVE 2004-0116 CVE 2004-0124)
Fix:
  NT: 828741
  2000: 828741 or SP4 Update Rollup 1
  XP: 828741 or SP2
  2003: 828741 or SP1
Bulletin: 04-012, TA04-104A

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB828741 not found

Windows 2000 ASN1 buffer overflow
Severity: Critical Problem CVE: CVE-2003-0818

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: ASN.1 buffer overflow
Description: Fixes a vulnerability in ASN.1 which could allow remote code execution. (CVE 2003-0818)
Fix:
  NT: 828028
  2000: 828028 or SP4 Update Rollup 1
  XP: 828028 or SP2
  2003: 828028 or SP1
Bulletin: 04-007

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB828028 not found

Windows 2000 RPC buffer overflow
Severity: Critical Problem CVE: CVE-2003-0352

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: RPC buffer overflow fix
Description: Fixes a buffer overflow in the DCOM interface to RPC which could allow a remote attacker to execute arbitrary commands. (CVE 2003-0352)
Fix:
  NT: 823980
  2000: 823980 or SP4 Update Rollup 1
  XP (32-bit): 823980 or SP2
  XP (64-bit): 823980 or SP2
  2003 (32-bit): 823980 or SP1
  2003 (64-bit): 823980 or SP1
Bulletin: 03-026, CA-2003-16

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823980 not found

Windows COM+ command execution vulnerability
Severity: Critical Problem CVE: CVE-2005-1978 CVE-2005-1979 CVE-2005-1980 CVE-2005-2119

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows COM+ command execution vulnerability
Description: Fixes vulnerabilities which could allow remote command execution on Windows 2000 and XP SP1, or privilege elevation on Windows XP SP2 and 2003. (CVE 2005-1978 CVE 2005-1979 CVE 2005-1980 CVE 2005-2119)
Fix:
  2000: 902400
  XP: 902400
  2003: 902400 or SP2
Bulletin: 05-051

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB902400 not found

Windows SMB Transaction response buffer overflow
Severity: Critical Problem CVE: CVE-2005-0045

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: SMB Transaction response buffer overflow
Description: Fixes a command execution vulnerability in the processing of responses to Transaction commands by the SMB client driver. (CVE 2005-0045)
Fix:
  2000: 885250 or SP4 Update Rollup 1
  XP: 885250
  2003: 885250 or SP1
Bulletin: 05-011

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB885250 not found

Windows SMB input validation vulnerability
Severity: Critical Problem CVE: CVE-2005-1206

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: SMB input validation vulnerability
Description: Fixes a vulnerability which could allow remote code execution. (CVE 2005-1206)
Fix:
  2000: 896422
  XP: 896422
  2003: 896422 or SP2
Bulletin: 05-027

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB896422 not found

Windows TCP/IP vulnerabilities
Severity: Critical Problem CVE: CVE-2004-0230 CVE-2004-0790 CVE-2004-1060 CVE-2005-0048 CVE-2005-0688

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows TCP/IP Vulnerabilities
Description: Fixes vulnerabilities which could allow a remote attacker to cause a denial of service, or possibly execute commands. (CVE 2004-0230 CVE 2004-0790 CVE 2004-1060 CVE 2005-0048 CVE 2005-0688)
Fix:
  2000: 893066 or SP4 Update Rollup 1
  XP: 893066
  2003: 893066 or SP1
Bulletin: 05-019

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB893066 not found

Windows WMF gdi32.dll vulnerability
Severity: Critical Problem CVE: CVE-2005-4560

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows WMF gdi32.dll vulnerability
Description: Fixes a remote code execution vulnerability which exists in the Graphics Rendering Engine because of the way that it handles Windows Metafile (WMF) images. An attacker could exploit the vulnerability to take complete control of the affected system by constructing a specially crafted WMF image which is read by a user on the system. (CVE 2005-4560)
Fix:
  2000: 912919
  XP: 912919
  2003: 912919 or SP2
Bulletin: 06-001

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
gdi32.dll older than 2005-12-25

pointer corruption vulnerability in WINS replication service
Severity: Critical Problem CVE: CVE-2004-0567 CVE-2004-1080

Impact

A remote attacker could execute arbitrary code on the WINS server.

Resolution

Install the fix referenced in Microsoft Security Bulletin 09-008.

It is also advisable to use IPsec, block port 42 at the firewall, or disable WINS if it is not needed. These workarounds are addressed in Microsoft Knowledge Base Article 890710.

Where can I read more about this?

The WPAD registration vulnerability was reported in Microsoft Security Bulletin 09-008.

The WINS local privilege elevation was reported in Microsoft Security Bulletin 08-034.

The pointer corruption vulnerability in WINS replication was reported in Secunia Advisory SA13328 and Microsoft Security Bulletin 04-045.

The name validation buffer overflow was reported in Microsoft Security Bulletin 04-045.

The stack buffer overflow was reported in Microsoft Security Bulletin 04-006.

Technical Details

Service: wins

Worm detected (Code Red II)
Severity: Critical Problem

Impact

There is evidence that the system has been penetrated by an Internet worm. Files or system information may have been transmitted to remote parties, unauthorized file modifications may have taken place, and backdoors allowing unauthorized access may be present. Furthermore, it is likely that the system is being used as a launching point for further propagation of the worm across the network.

Resolution

The paragraphs below explain how to remove a worm from an infected system. However, removal of the worm does not solve the problem at its roots. The presence of the worm is evidence that a critical vulnerability exists on the host. The system should be taken offline until it is certain that the vulnerable services are upgraded to the latest, patched versions.

To remove the Code Red worm, simply reboot the computer.

Unlike the Code Red worm, the Code Red II worm cannot be remedied simply by rebooting the computer. Although the worm itself is entirely memory-resident, the backdoors which it creates remain on the system after a reboot. To remove the backdoors, delete the root.exe files from both the \inetpub\scripts directory and the \progra~1\common~1\system\MSADC directory. Also delete the explorer.exe files from both C:\ and D:\ before rebooting the system, because those are Trojan Horse programs which run after a reboot. If the system has already been rebooted, remove the virtual roots /c and /d from your IIS web server configuration, and reset the affected registry keys as described in SecurityFocus Incidents.

Where can I read more about this?

More information about the Code Red worm is available in an alert from eEye and in CERT Advisories 2001-19 and 2001-23.

The Code Red II worm was analyzed by SecurityFocus ARIS.

For general information about worms and how they differ from viruses, see the Symantec AntiVirus Research Center.

Technical Details

Service: http
Sent:
GET /msadc/root.exe?/c+dir+\ HTTP/1.0
Host: host1.domain.com:80


Received:
HTTP/1.1 200 OK

Web server allows cross-site tracing
Severity: Area of Concern

Impact

A malicious web site could cause a user to reveal sensitive information through a specially crafted link to the vulnerable server.

Resolution

Cross-site tracing can be fixed by disabling the TRACE request method. If this is not an option for your web server, install a vendor fix or use one of the following workarounds:
  • Microsoft IIS: Use URL Scan to filter both TRACE and TRACK requests.
  • Apache: Enable the mod_rewrite module, and add the following lines to the configuration file:
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
  • iPlanet: Disabling the TRACE request method currently requires making a change to a shared object library. See the White Paper for details.
  • BEA WebLogic Server and Express: Upgrade and apply the appropriate patch described in the BEA Advisory BEA04-48.01.

Where can I read more about this?

Cross-site tracing was reported in a White Paper from White Hat Security.

Technical Details

Service: http
Sent:
TRACE /<SCRIPT>alert('SAINT')</SCRIPT> HTTP/1.0
Cookie: SAINTtest


Received:
TRACE /<SCRIPT>alert('SAINT')</SCRIPT> HTTP/1.0

Windows DNS server allows cache poisoning
Severity: Area of Concern CVE: CVE-2001-1452

Impact

An attacker could direct requests for a legitimate web site to his or her own server. This could be used to trick users into revealing sensitive personal information or installing malicious code on their computer.

Resolution

Upgrade to Windows 2000 service pack 3 or higher, or to Windows XP or Windows Server 2003. Alternatively, except on Windows NT prior to service pack 4, cache poisoning can be prevented with the following registry value:
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
Value Name: SecureResponses
Data Type: REG_DWORD
Value: 1

BIND forwarding servers should upgrade to BIND 9 or higher.

Where can I read more about this?

More information on DNS cache poisoning attacks is available from the Internet Storm Center.

The Windows registry fix was reported in Microsoft Knowledge Base Article 241352.

Technical Details

Service: domain
runs DNS and SYSTEM\CurrentControlSet\Services\DNS\Parameters\SecureResponses < 1

Internet Explorer COM object memory corruption
Severity: Area of Concern CVE: CVE-2005-2127

Impact

A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious web site hosted by the attacker.

Resolution

To use Internet Explorer securely, take the following steps:

(The vulnerabilities in IE 8, Beta 1 have not yet been patched)

(The response splitting and smuggling related to setRequestHeader() has not yet been patched)

(The file focus stealing vulnerability has not yet been patched)

(The stack overflow vulnerability has not yet been patched.)

(The document.open spoofing vulnerability has not yet been patched.)

Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article 870669. To disable the Shell.Explorer object, set the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}
Compatibility Flags = 400 (type dword, radix hex)
To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037.

To mitigate the impact of the ActiveX instantiation heap memory corruption, set the kill bit for the following CLSIDs:

  • 3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D
  • 4682C82A-B2FF-11D0-95A8-00A0C92B77A9
  • 8E71888A-423F-11D2-876E-00A0C9082467
  • E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29
  • 233A9694-667E-11D1-9DFB-006097D50408
  • BE4191FB-59EF-4825-AEFC-109727951E42
  • 6E3197A3-BBC3-11D4-84C0-00C04F7A06E5
  • 606EF130-9852-11D3-97C6-0060084856D4
  • F849164D-9863-11D3-97C6-0060084856D4

To fix the ADODB.connection vulnerability, install the fix at MS07-009, or mitigate the impact by setting the kill bit for the following CLSID: 00000514-0000-0010-8000-00AA006D2EA4.

Where can I read more about this?

For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page.

For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020, 03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052, 05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027, 07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045, 08-052, 08-058, 08-073, 08-078, 09-002, 09-014, and 09-019.

Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A, TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604.

The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581.

The setRequestHeader() related vulnerabilities were reported in Secunia Advisory SA29453.

The URL handling vulnerability in IE7 was reported in Microsoft Security Advisory 943521 and Secunia Advisory SA27007.

The document.open spoofing vulnerability was reported in Secunia Advisory SA26069.

The race condition building DOM objects vulnerability was reported in Secunia Advisory SA25564.

The WPAD proxy server interception vulnerability was reported in the NIST Vulnerability Database (CVE-2007-1692).

More information on the navcancl.htm cross-site scripting vulnerability may be found at Phishing using IE7 and Secunia Advisory SA24535.

More information on the Unload JavaScript vulnerabilities may be found at Bugtraq ID 22678 and Bugtraq ID 22680.

More information on the DirectAnimation ActiveX remote integer overflow may be found at XSec Security Advisory XSec-06-10.

More information on the ActiveX instantiation heap memory corruption may be found at XSec Security Advisories: XSec-06-02, XSec-06-03, XSec-06-04, XSec-06-06, XSec-06-08.

More information on the IsComponentInstalled buffer overflow may be found in Bugtraq ID 16870.

More information on the Stack overflow vulnerability may be found in Bugtraq ID 16687.

Information on the createTextRange vulnerability may be found in Bugtraq ID 17196.

More information on the object tag, modal dialog, and information disclosure vulnerabilities may be found in Bugtraq ID 17658, Bugtraq ID 17713, and Bugtraq ID 17717.

More information on the VML buffer overflow may be found in Bugtraq ID 20096.

The ADODB.Stream object vulnerability was reported in US-CERT alert 04-184A.

Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq and Full Disclosure.

The three vulnerabilities which are exploited by the Download.Ject trojan were reported in Bugtraq ID 10472, Bugtraq ID 10473, and Bugtraq ID 10514.

The memory overflow error on the window() function is reported in a Computer Terrorism article.

More information on the ADODB.connection vulnerability is available in US-CERT Vulnerability Note VU#589272 and Bugtraq ID 20704.

Technical Details

Service: netbios
mshtml.dll older than 2005-9-30

Internet Explorer Create Text Range code injection
Severity: Area of Concern CVE: CVE-2006-1185 CVE-2006-1186 CVE-2006-1188 CVE-2006-1189 CVE-2006-1190 CVE-2006-1191 CVE-2006-1192 CVE-2006-1245 CVE-2006-1359 CVE-2006-1388

Impact

A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious web site hosted by the attacker.

Resolution

To use Internet Explorer securely, take the following steps:

(The vulnerabilities in IE 8, Beta 1 have not yet been patched)

(The response splitting and smuggling related to setRequestHeader() has not yet been patched)

(The file focus stealing vulnerability has not yet been patched)

(The stack overflow vulnerability has not yet been patched.)

(The document.open spoofing vulnerability has not yet been patched.)

Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article 870669. To disable the Shell.Explorer object, set the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}
Compatibility Flags = 400 (type dword, radix hex)
To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037.

To mitigate the impact of the ActiveX instantiation heap memory corruption, set the kill bit for the following CLSIDs:

  • 3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D
  • 4682C82A-B2FF-11D0-95A8-00A0C92B77A9
  • 8E71888A-423F-11D2-876E-00A0C9082467
  • E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29
  • 233A9694-667E-11D1-9DFB-006097D50408
  • BE4191FB-59EF-4825-AEFC-109727951E42
  • 6E3197A3-BBC3-11D4-84C0-00C04F7A06E5
  • 606EF130-9852-11D3-97C6-0060084856D4
  • F849164D-9863-11D3-97C6-0060084856D4

To fix the ADODB.connection vulnerability, install the fix at MS07-009, or mitigate the impact by setting the kill bit for the following CLSID: 00000514-0000-0010-8000-00AA006D2EA4.

Where can I read more about this?

For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page.

For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020, 03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052, 05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027, 07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045, 08-052, 08-058, 08-073, 08-078, 09-002, 09-014, and 09-019.

Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A, TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604.

The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581.

The setRequestHeader() related vulnerabilities were reported in Secunia Advisory SA29453.

The URL handling vulnerability in IE7 was reported in Microsoft Security Advisory 943521 and Secunia Advisory SA27007.

The document.open spoofing vulnerability was reported in Secunia Advisory SA26069.

The race condition building DOM objects vulnerability was reported in Secunia Advisory SA25564.

The WPAD proxy server interception vulnerability was reported in the NIST Vulnerability Database (CVE-2007-1692).

More information on the navcancl.htm cross-site scripting vulnerability may be found at Phishing using IE7 and Secunia Advisory SA24535.

More information on the Unload JavaScript vulnerabilities may be found at Bugtraq ID 22678 and Bugtraq ID 22680.

More information on the DirectAnimation ActiveX remote integer overflow may be found at XSec Security Advisory XSec-06-10.

More information on the ActiveX instantiation heap memory corruption may be found at XSec Security Advisories: XSec-06-02, XSec-06-03, XSec-06-04, XSec-06-06, XSec-06-08.

More information on the IsComponentInstalled buffer overflow may be found in Bugtraq ID 16870.

More information on the Stack overflow vulnerability may be found in Bugtraq ID 16687.

Information on the createTextRange vulnerability may be found in Bugtraq ID 17196.

More information on the object tag, modal dialog, and information disclosure vulnerabilities may be found in Bugtraq ID 17658, Bugtraq ID 17713, and Bugtraq ID 17717.

More information on the VML buffer overflow may be found in Bugtraq ID 20096.

The ADODB.Stream object vulnerability was reported in US-CERT alert 04-184A.

Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq and Full Disclosure.

The three vulnerabilities which are exploited by the Download.Ject trojan were reported in Bugtraq ID 10472, Bugtraq ID 10473, and Bugtraq ID 10514.

The memory overflow error on the window() function is reported in a Computer Terrorism article.

More information on the ADODB.connection vulnerability is available in US-CERT Vulnerability Note VU#589272 and Bugtraq ID 20704.

Technical Details

Service: netbios
mshtml.dll older than 2006-3-17

Internet Explorer JPEG buffer overflow
Severity: Area of Concern CVE: CVE-2005-1988 CVE-2005-1989 CVE-2005-1990

Impact

A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious web site hosted by the attacker.

Resolution

To use Internet Explorer securely, take the following steps:

(The vulnerabilities in IE 8, Beta 1 have not yet been patched)

(The response splitting and smuggling related to setRequestHeader() has not yet been patched)

(The file focus stealing vulnerability has not yet been patched)

(The stack overflow vulnerability has not yet been patched.)

(The document.open spoofing vulnerability has not yet been patched.)

Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article 870669. To disable the Shell.Explorer object, set the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}
Compatibility Flags = 400 (type dword, radix hex)
To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037.

To mitigate the impact of the ActiveX instantiation heap memory corruption, set the kill bit for the following CLSIDs:

  • 3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D
  • 4682C82A-B2FF-11D0-95A8-00A0C92B77A9
  • 8E71888A-423F-11D2-876E-00A0C9082467
  • E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29
  • 233A9694-667E-11D1-9DFB-006097D50408
  • BE4191FB-59EF-4825-AEFC-109727951E42
  • 6E3197A3-BBC3-11D4-84C0-00C04F7A06E5
  • 606EF130-9852-11D3-97C6-0060084856D4
  • F849164D-9863-11D3-97C6-0060084856D4

To fix the ADODB.connection vulnerability, install the fix at MS07-009, or mitigate the impact by setting the kill bit for the following CLSID: 00000514-0000-0010-8000-00AA006D2EA4.

Where can I read more about this?

For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page.

For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020, 03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052, 05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027, 07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045, 08-052, 08-058, 08-073, 08-078, 09-002, 09-014, and 09-019.

Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A, TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604.

The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581.

The setRequestHeader() related vulnerabilities were reported in Secunia Advisory SA29453.

The URL handling vulnerability in IE7 was reported in Microsoft Security Advisory 943521 and Secunia Advisory SA27007.

The document.open spoofing vulnerability was reported in Secunia Advisory SA26069.

The race condition building DOM objects vulnerability was reported in Secunia Advisory SA25564.

The WPAD proxy server interception vulnerability was reported in the NIST Vulnerability Database (CVE-2007-1692).

More information on the navcancl.htm cross-site scripting vulnerability may be found at Phishing using IE7 and Secunia Advisory SA24535.

More information on the Unload JavaScript vulnerabilities may be found at Bugtraq ID 22678 and Bugtraq ID 22680.

More information on the DirectAnimation ActiveX remote integer overflow may be found at XSec Security Advisory XSec-06-10.

More information on the ActiveX instantiation heap memory corruption may be found at XSec Security Advisories: XSec-06-02, XSec-06-03, XSec-06-04, XSec-06-06, XSec-06-08.

More information on the IsComponentInstalled buffer overflow may be found in Bugtraq ID 16870.

More information on the Stack overflow vulnerability may be found in Bugtraq ID 16687.

Information on the createTextRange vulnerability may be found in Bugtraq ID 17196.

More information on the object tag, modal dialog, and information disclosure vulnerabilities may be found in Bugtraq ID 17658, Bugtraq ID 17713, and Bugtraq ID 17717.

More information on the VML buffer overflow may be found in Bugtraq ID 20096.

The ADODB.Stream object vulnerability was reported in US-CERT alert 04-184A.

Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq and Full Disclosure.

The three vulnerabilities which are exploited by the Download.Ject trojan were reported in Bugtraq ID 10472, Bugtraq ID 10473, and Bugtraq ID 10514.

The memory overflow error on the window() function is reported in a Computer Terrorism article.

More information on the ADODB.connection vulnerability is available in US-CERT Vulnerability Note VU#589272 and Bugtraq ID 20704.

Technical Details

Service: netbios
mshtml.dll older than 2005-7-17

Internet Explorer JS stack overflow
Severity: Area of Concern CVE: CVE-2006-0753 CVE-2006-0830

Impact

A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious web site hosted by the attacker.

Resolution

To use Internet Explorer securely, take the following steps:

(The vulnerabilities in IE 8, Beta 1 have not yet been patched)

(The response splitting and smuggling related to setRequestHeader() has not yet been patched)

(The file focus stealing vulnerability has not yet been patched)

(The stack overflow vulnerability has not yet been patched.)

(The document.open spoofing vulnerability has not yet been patched.)

Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article 870669. To disable the Shell.Explorer object, set the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}
Compatibility Flags = 400 (type dword, radix hex)
To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037.

To mitigate the impact of the ActiveX instantiation heap memory corruption, set the kill bit for the following CLSIDs:

  • 3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D
  • 4682C82A-B2FF-11D0-95A8-00A0C92B77A9
  • 8E71888A-423F-11D2-876E-00A0C9082467
  • E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29
  • 233A9694-667E-11D1-9DFB-006097D50408
  • BE4191FB-59EF-4825-AEFC-109727951E42
  • 6E3197A3-BBC3-11D4-84C0-00C04F7A06E5
  • 606EF130-9852-11D3-97C6-0060084856D4
  • F849164D-9863-11D3-97C6-0060084856D4

To fix the ADODB.connection vulnerability, install the fix at MS07-009, or mitigate the impact by setting the kill bit for the following CLSID: 00000514-0000-0010-8000-00AA006D2EA4.

Where can I read more about this?

For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page.

For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020, 03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052, 05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027, 07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045, 08-052, 08-058, 08-073, 08-078, 09-002, 09-014, and 09-019.

Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A, TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604.

The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581.

The setRequestHeader() related vulnerabilities were reported in Secunia Advisory SA29453.

The URL handling vulnerability in IE7 was reported in Microsoft Security Advisory 943521 and Secunia Advisory SA27007.

The document.open spoofing vulnerability was reported in Secunia Advisory SA26069.

The race condition building DOM objects vulnerability was reported in Secunia Advisory SA25564.

The WPAD proxy server interception vulnerability was reported in the NIST Vulnerability Database (CVE-2007-1692).

More information on the navcancl.htm cross-site scripting vulnerability may be found at Phishing using IE7 and Secunia Advisory SA24535.

More information on the Unload JavaScript vulnerabilities may be found at Bugtraq ID 22678 and Bugtraq ID 22680.

More information on the DirectAnimation ActiveX remote integer overflow may be found at XSec Security Advisory XSec-06-10.

More information on the ActiveX instantiation heap memory corruption may be found at XSec Security Advisories: XSec-06-02, XSec-06-03, XSec-06-04, XSec-06-06, XSec-06-08.

More information on the IsComponentInstalled buffer overflow may be found in Bugtraq ID 16870.

More information on the Stack overflow vulnerability may be found in Bugtraq ID 16687.

Information on the createTextRange vulnerability may be found in Bugtraq ID 17196.

More information on the object tag, modal dialog, and information disclosure vulnerabilities may be found in Bugtraq ID 17658, Bugtraq ID 17713, and Bugtraq ID 17717.

More information on the VML buffer overflow may be found in Bugtraq ID 20096.

The ADODB.Stream object vulnerability was reported in US-CERT alert 04-184A.

Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq and Full Disclosure.

The three vulnerabilities which are exploited by the Download.Ject trojan were reported in Bugtraq ID 10472, Bugtraq ID 10473, and Bugtraq ID 10514.

The memory overflow error on the window() function is reported in a Computer Terrorism article.

More information on the ADODB.connection vulnerability is available in US-CERT Vulnerability Note VU#589272 and Bugtraq ID 20704.

Technical Details

Service: netbios
jscript.dll older than 2005-1-1

Internet Explorer JavaScript vulnerability
Severity: Area of Concern CVE: CVE-2005-1790 CVE-2005-2829 CVE-2005-2830 CVE-2005-2831

Impact

A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious web site hosted by the attacker.

Resolution

To use Internet Explorer securely, take the following steps:

(The vulnerabilities in IE 8, Beta 1 have not yet been patched)

(The response splitting and smuggling related to setRequestHeader() has not yet been patched)

(The file focus stealing vulnerability has not yet been patched)

(The stack overflow vulnerability has not yet been patched.)

(The document.open spoofing vulnerability has not yet been patched.)

Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article 870669. To disable the Shell.Explorer object, set the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}
Compatibility Flags = 400 (type dword, radix hex)
To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037.

To mitigate the impact of the ActiveX instantiation heap memory corruption, set the kill bit for the following CLSIDs:

  • 3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D
  • 4682C82A-B2FF-11D0-95A8-00A0C92B77A9
  • 8E71888A-423F-11D2-876E-00A0C9082467
  • E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29
  • 233A9694-667E-11D1-9DFB-006097D50408
  • BE4191FB-59EF-4825-AEFC-109727951E42
  • 6E3197A3-BBC3-11D4-84C0-00C04F7A06E5
  • 606EF130-9852-11D3-97C6-0060084856D4
  • F849164D-9863-11D3-97C6-0060084856D4

To fix the ADODB.connection vulnerability, install the fix at MS07-009, or mitigate the impact by setting the kill bit for the following CLSID: 00000514-0000-0010-8000-00AA006D2EA4.

Where can I read more about this?

For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page.

For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020, 03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052, 05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027, 07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045, 08-052, 08-058, 08-073, 08-078, 09-002, 09-014, and 09-019.

Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A, TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604.

The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581.

The setRequestHeader() related vulnerabilities were reported in Secunia Advisory SA29453.

The URL handling vulnerability in IE7 was reported in Microsoft Security Advisory 943521 and Secunia Advisory SA27007.

The document.open spoofing vulnerability was reported in Secunia Advisory SA26069.

The race condition building DOM objects vulnerability was reported in Secunia Advisory SA25564.

The WPAD proxy server interception vulnerability was reported in the NIST Vulnerability Database (CVE-2007-1692).

More information on the navcancl.htm cross-site scripting vulnerability may be found at Phishing using IE7 and Secunia Advisory SA24535.

More information on the Unload JavaScript vulnerabilities may be found at Bugtraq ID 22678 and Bugtraq ID 22680.

More information on the DirectAnimation ActiveX remote integer overflow may be found at XSec Security Advisory XSec-06-10.

More information on the ActiveX instantiation heap memory corruption may be found at XSec Security Advisories: XSec-06-02, XSec-06-03, XSec-06-04, XSec-06-06, XSec-06-08.

More information on the IsComponentInstalled buffer overflow may be found in Bugtraq ID 16870.

More information on the Stack overflow vulnerability may be found in Bugtraq ID 16687.

Information on the createTextRange vulnerability may be found in Bugtraq ID 17196.

More information on the object tag, modal dialog, and information disclosure vulnerabilities may be found in Bugtraq ID 17658, Bugtraq ID 17713, and Bugtraq ID 17717.

More information on the VML buffer overflow may be found in Bugtraq ID 20096.

The ADODB.Stream object vulnerability was reported in US-CERT alert 04-184A.

Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq and Full Disclosure.

The three vulnerabilities which are exploited by the Download.Ject trojan were reported in Bugtraq ID 10472, Bugtraq ID 10473, and Bugtraq ID 10514.

The memory overflow error on the window() function is reported in a Computer Terrorism article.

More information on the ADODB.connection vulnerability is available in US-CERT Vulnerability Note VU#589272 and Bugtraq ID 20704.

Technical Details

Service: netbios
mshtml.dll older than 2005-11-22

Internet Explorer PNG buffer overflow
Severity: Area of Concern CVE: CVE-2002-0648 CVE-2005-1211

Impact

A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious web site hosted by the attacker.

Resolution

To use Internet Explorer securely, take the following steps:

(The vulnerabilities in IE 8, Beta 1 have not yet been patched)

(The response splitting and smuggling related to setRequestHeader() has not yet been patched)

(The file focus stealing vulnerability has not yet been patched)

(The stack overflow vulnerability has not yet been patched.)

(The document.open spoofing vulnerability has not yet been patched.)

Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article 870669. To disable the Shell.Explorer object, set the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}
Compatibility Flags = 400 (type dword, radix hex)
To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037.

To mitigate the impact of the ActiveX instantiation heap memory corruption, set the kill bit for the following CLSIDs:

  • 3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D
  • 4682C82A-B2FF-11D0-95A8-00A0C92B77A9
  • 8E71888A-423F-11D2-876E-00A0C9082467
  • E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29
  • 233A9694-667E-11D1-9DFB-006097D50408
  • BE4191FB-59EF-4825-AEFC-109727951E42
  • 6E3197A3-BBC3-11D4-84C0-00C04F7A06E5
  • 606EF130-9852-11D3-97C6-0060084856D4
  • F849164D-9863-11D3-97C6-0060084856D4

To fix the ADODB.connection vulnerability, install the fix referenced in MS07-009, or mitigate the impact by setting the kill bit for the following CLSID: 00000514-0000-0010-8000-00AA006D2EA4.

Where can I read more about this?

For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page.

For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020, 03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052, 05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027, 07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045, 08-052, 08-058, 08-073, 08-078, 09-002, 09-014, and 09-019.

Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A, TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604.

The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581.

The setRequestHeader() related vulnerabilities were reported in Secunia Advisory SA29453.

The URL handling vulnerability in IE7 was reported in Microsoft Security Advisory 943521 and Secunia Advisory SA27007.

The document.open spoofing vulnerability was reported in Secunia Advisory SA26069.

More information on the race condition building DOM objects vulnerability was reported in Secunia Advisory SA25564.

More information on the WPAD proxy server interception vulnerability was reported in NIST Vulnerability Database (CVE-2007-1692).

More information on the navcancl.htm cross-site scripting vulnerability may be found at Phishing using IE7 and Secunia Advisory SA24535.

More information on the Unload JavaScript vulnerabilities may be found at Bugtraq ID 22678 and Bugtraq ID 22680.

More information on the DirectAnimation ActiveX remote integer overflow may be found at XSec Security Advisory XSec-06-10.

More information on the ActiveX instantiation heap memory corruption may be found at XSec Security Advisories: XSec-06-02, XSec-06-03, XSec-06-04, XSec-06-06, XSec-06-08.

More information on the IsComponentInstalled buffer overflow may be found in Bugtraq ID 16870.

More information on the Stack overflow vulnerability may be found in Bugtraq ID 16687.

Information on the createTextRange vulnerability may be found in Bugtraq ID 17196.

More information on the object tag, modal dialog, and information disclosure vulnerabilities may be found in Bugtraq ID 17658, Bugtraq ID 17713, and Bugtraq ID 17717.

More information on the VML buffer overflow may be found in Bugtraq ID 20096.

The ADODB.Stream object vulnerability was reported in US-CERT alert 04-184A.

Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq and Full Disclosure.

The three vulnerabilities which are exploited by the Download.Ject trojan were reported in Bugtraq ID 10472, Bugtraq ID 10473, and Bugtraq ID 10514.

The memory overflow error on the window() function is reported in a Computer Terrorism article.

More information on the ADODB.connection vulnerability is reported in US-CERT Vulnerability Note VU#589272 and Bugtraq ID 20704.

Technical Details

Service: netbios
mshtml.dll older than 2005-4-26

Internet Explorer URL parsing buffer overflow
Severity: Area of Concern CVE: CVE-2005-0553 CVE-2005-0554 CVE-2005-0555

Impact

A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious web site hosted by the attacker.

Resolution

To use Internet Explorer securely, take the following steps:

(The vulnerabilities in IE 8, Beta 1 have not yet been patched)

(The response splitting and smuggling related to setRequestHeader() has not yet been patched)

(The file focus stealing vulnerability has not yet been patched)

(The stack overflow vulnerability has not yet been patched.)

(The document.open spoofing vulnerability has not yet been patched.)

Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article 870669. To disable the Shell.Explorer object, set the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}
Compatibility Flags = 400 (type dword, radix hex)
To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037.

To mitigate the impact of the ActiveX instantiation heap memory corruption, set the kill bit for the following CLSIDs:

  • 3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D
  • 4682C82A-B2FF-11D0-95A8-00A0C92B77A9
  • 8E71888A-423F-11D2-876E-00A0C9082467
  • E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29
  • 233A9694-667E-11D1-9DFB-006097D50408
  • BE4191FB-59EF-4825-AEFC-109727951E42
  • 6E3197A3-BBC3-11D4-84C0-00C04F7A06E5
  • 606EF130-9852-11D3-97C6-0060084856D4
  • F849164D-9863-11D3-97C6-0060084856D4

To fix the ADODB.connection vulnerability, install the fix referenced in MS07-009, or mitigate the impact by setting the kill bit for the following CLSID: 00000514-0000-0010-8000-00AA006D2EA4.

Where can I read more about this?

For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page.

For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020, 03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052, 05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027, 07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045, 08-052, 08-058, 08-073, 08-078, 09-002, 09-014, and 09-019.

Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A, TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604.

The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581.

The setRequestHeader() related vulnerabilities were reported in Secunia Advisory SA29453.

The URL handling vulnerability in IE7 was reported in Microsoft Security Advisory 943521 and Secunia Advisory SA27007.

The document.open spoofing vulnerability was reported in Secunia Advisory SA26069.

More information on the race condition building DOM objects vulnerability was reported in Secunia Advisory SA25564.

More information on the WPAD proxy server interception vulnerability was reported in NIST Vulnerability Database (CVE-2007-1692).

More information on the navcancl.htm cross-site scripting vulnerability may be found at Phishing using IE7 and Secunia Advisory SA24535.

More information on the Unload JavaScript vulnerabilities may be found at Bugtraq ID 22678 and Bugtraq ID 22680.

More information on the DirectAnimation ActiveX remote integer overflow may be found at XSec Security Advisory XSec-06-10.

More information on the ActiveX instantiation heap memory corruption may be found at XSec Security Advisories: XSec-06-02, XSec-06-03, XSec-06-04, XSec-06-06, XSec-06-08.

More information on the IsComponentInstalled buffer overflow may be found in Bugtraq ID 16870.

More information on the Stack overflow vulnerability may be found in Bugtraq ID 16687.

Information on the createTextRange vulnerability may be found in Bugtraq ID 17196.

More information on the object tag, modal dialog, and information disclosure vulnerabilities may be found in Bugtraq ID 17658, Bugtraq ID 17713, and Bugtraq ID 17717.

More information on the VML buffer overflow may be found in Bugtraq ID 20096.

The ADODB.Stream object vulnerability was reported in US-CERT alert 04-184A.

Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq and Full Disclosure.

The three vulnerabilities which are exploited by the Download.Ject trojan were reported in Bugtraq ID 10472, Bugtraq ID 10473, and Bugtraq ID 10514.

The memory overflow error on the window() function is reported in a Computer Terrorism article.

More information on the ADODB.connection vulnerability is reported in US-CERT Vulnerability Note VU#589272 and Bugtraq ID 20704.

Technical Details

Service: netbios
mshtml.dll older than 2005-2-23

Internet Explorer WMF handling vulnerability
Severity: Area of Concern CVE: CVE-2006-0020

Impact

A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious web site hosted by the attacker.

Resolution

To use Internet Explorer securely, take the following steps:

(The vulnerabilities in IE 8, Beta 1 have not yet been patched)

(The response splitting and smuggling related to setRequestHeader() has not yet been patched)

(The file focus stealing vulnerability has not yet been patched)

(The stack overflow vulnerability has not yet been patched.)

(The document.open spoofing vulnerability has not yet been patched.)

Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article 870669. To disable the Shell.Explorer object, set the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}
Compatibility Flags = 400 (type dword, radix hex)
To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037.

To mitigate the impact of the ActiveX instantiation heap memory corruption, set the kill bit for the following CLSIDs:

  • 3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D
  • 4682C82A-B2FF-11D0-95A8-00A0C92B77A9
  • 8E71888A-423F-11D2-876E-00A0C9082467
  • E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29
  • 233A9694-667E-11D1-9DFB-006097D50408
  • BE4191FB-59EF-4825-AEFC-109727951E42
  • 6E3197A3-BBC3-11D4-84C0-00C04F7A06E5
  • 606EF130-9852-11D3-97C6-0060084856D4
  • F849164D-9863-11D3-97C6-0060084856D4

To fix the ADODB.connection vulnerability, install the fix referenced in MS07-009, or mitigate the impact by setting the kill bit for the following CLSID: 00000514-0000-0010-8000-00AA006D2EA4.

Where can I read more about this?

For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page.

For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020, 03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052, 05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027, 07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045, 08-052, 08-058, 08-073, 08-078, 09-002, 09-014, and 09-019.

Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A, TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604.

The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581.

The setRequestHeader() related vulnerabilities were reported in Secunia Advisory SA29453.

The URL handling vulnerability in IE7 was reported in Microsoft Security Advisory 943521 and Secunia Advisory SA27007.

The document.open spoofing vulnerability was reported in Secunia Advisory SA26069.

More information on the race condition building DOM objects vulnerability was reported in Secunia Advisory SA25564.

More information on the WPAD proxy server interception vulnerability was reported in NIST Vulnerability Database (CVE-2007-1692).

More information on the navcancl.htm cross-site scripting vulnerability may be found at Phishing using IE7 and Secunia Advisory SA24535.

More information on the Unload JavaScript vulnerabilities may be found at Bugtraq ID 22678 and Bugtraq ID 22680.

More information on the DirectAnimation ActiveX remote integer overflow may be found at XSec Security Advisory XSec-06-10.

More information on the ActiveX instantiation heap memory corruption may be found at XSec Security Advisories: XSec-06-02, XSec-06-03, XSec-06-04, XSec-06-06, XSec-06-08.

More information on the IsComponentInstalled buffer overflow may be found in Bugtraq ID 16870.

More information on the Stack overflow vulnerability may be found in Bugtraq ID 16687.

Information on the createTextRange vulnerability may be found in Bugtraq ID 17196.

More information on the object tag, modal dialog, and information disclosure vulnerabilities may be found in Bugtraq ID 17658, Bugtraq ID 17713, and Bugtraq ID 17717.

More information on the VML buffer overflow may be found in Bugtraq ID 20096.

The ADODB.Stream object vulnerability was reported in US-CERT alert 04-184A.

Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq and Full Disclosure.

The three vulnerabilities which are exploited by the Download.Ject trojan were reported in Bugtraq ID 10472, Bugtraq ID 10473, and Bugtraq ID 10514.

The memory overflow error on the window() function is reported in a Computer Terrorism article.

More information on the ADODB.connection vulnerability is reported in US-CERT Vulnerability Note VU#589272 and Bugtraq ID 20704.

Technical Details

Service: netbios
Internet Explorer 5.00 detected and mshtml.dll older than 2006-01-12

Vulnerability in License Logging Service
Severity: Area of Concern CVE: CVE-2005-0050

Impact

On Windows Server 2003, a remote authenticated attacker could cause a denial of service. On Windows 2000, a remote authenticated attacker could take complete control of the server. On Windows NT, a remote unauthenticated attacker could take complete control of the server.

Resolution

Disable the License Logging service or apply the update referenced in Microsoft Security Bulletin 05-010.

Where can I read more about this?

This vulnerability was reported in Microsoft Security Bulletin 05-010.

Technical Details

Service: netbios
LicenseService running and KB885834 not applied

AxWebRemoveCtrl ActiveX control enabled
Severity: Area of Concern CVE: CVE-2005-3693

Impact

SONY/BMG has placed copy protection on many of its recent CDs. Both the copy protection and some of the software used to remove it have security issues.

Resolution

When an externally verified uninstall product becomes available, use it to remove the SONY/BMG software.

Where can I read more about this?

The XCP Copy Protection uninstall vulnerability was reported at US-CERT Vulnerability Note VU#312073 and expanded on at Freedom to Tinker article 927.

The SunnComm Copy Protection uninstall vulnerability was reported at Secunia Advisory SA17639 and expanded on at Freedom to Tinker article 931.

Technical Details

Service: netbios
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1F1EB85B-0FE9-401D-BC53-10803CF880A7}\Compatibility Flags is not 0x400

CodeSupport ActiveX control enabled
Severity: Area of Concern CVE: CVE-2005-3650

Impact

SONY/BMG has placed copy protection on many of its recent CDs. Both the copy protection and some of the software used to remove it have security issues.

Resolution

When an externally verified uninstall product becomes available, use it to remove the SONY/BMG software.

Where can I read more about this?

The XCP Copy Protection uninstall vulnerability was reported at US-CERT Vulnerability Note VU#312073 and expanded on at Freedom to Tinker article 927.

The SunnComm Copy Protection uninstall vulnerability was reported at Secunia Advisory SA17639 and expanded on at Freedom to Tinker article 931.

Technical Details

Service: netbios
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}\Compatibility Flags is not 0x400

Null session access using alternate pipes
Severity: Area of Concern CVE: CVE-2005-2150

Impact

A remote attacker could enumerate services or view the event logs.

Resolution

Apply Update Rollup 1 for Windows 2000 Service Pack 4.

Where can I read more about this?

This vulnerability was posted to Bugtraq.

Technical Details

Service: registry
got service list using \srvsvc pipe

Windows Plug and Play privilege elevation
Severity: Area of Concern CVE: CVE-2005-2120

Impact

On Windows 2000, a remote anonymous user could execute arbitrary commands with administrative privileges. On Windows XP Service Pack 1, a remote authenticated user could execute arbitrary commands with administrative privileges. On Windows XP Service Pack 2 and Windows Server 2003, a user who is logged on locally could execute arbitrary commands with administrative privileges.

Resolution

Apply the patch referenced in Microsoft Security Bulletin 05-047.

Where can I read more about this?

These vulnerabilities were reported in Microsoft Security Bulletins 05-039 and 05-047.

Technical Details

Service: netbios
Plug and Play service running and KB905749 not installed

Run key allows write access
Severity: Area of Concern CVE: CVE-1999-0589

Impact

A local attacker could cause arbitrary programs to run with elevated privileges.

Resolution

Deny all write permissions, including set value, create subkey, delete, write DAC, and write owner, on the following registry keys in HKEY_LOCAL_MACHINE:
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • SYSTEM\CurrentControlSet\Services\Schedule
Only Administrators, SYSTEM, and the CREATOR/OWNER should be allowed write access to these registry keys.

To make this change, follow these steps:

  1. Run regedt32
  2. Highlight the desired key
  3. Choose Security then Permissions from the menu bar
  4. Click on Advanced
  5. Highlight the desired user or group
  6. Click on View/Edit
  7. Check the box in the Deny column beside the desired permission

Where can I read more about this?

For more information see Microsoft Knowledge Base Article 126713.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Windows\CurrentVersion\Run is writable by non-administrator

Uninstall key allows write access
Severity: Area of Concern CVE: CVE-1999-0589

Impact

A local attacker could cause arbitrary programs to run with elevated privileges.

Resolution

Deny all write permissions, including set value, create subkey, delete, write DAC, and write owner, on the following registry keys in HKEY_LOCAL_MACHINE:
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • SYSTEM\CurrentControlSet\Services\Schedule
Only Administrators, SYSTEM, and the CREATOR/OWNER should be allowed write access to these registry keys.

To make this change, follow these steps:

  1. Run regedt32
  2. Highlight the desired key
  3. Choose Security then Permissions from the menu bar
  4. Click on Advanced
  5. Highlight the desired user or group
  6. Click on View/Edit
  7. Check the box in the Deny column beside the desired permission

Where can I read more about this?

For more information see Microsoft Knowledge Base Article 126713.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall is writable by non-administrator

Windows telephony service vulnerability
Severity: Area of Concern CVE: CVE-2005-0058

Impact

On Windows 2000 Server configured as a telephony server, a remote anonymous attacker could execute arbitrary commands with administrative privileges. On Windows Server 2003 configured as a telephony server, a user with a valid login and password could execute arbitrary commands with administrative privileges. On Windows 2000 Professional, Windows XP, and Windows servers which are not configured as telephony servers, a local user could gain elevated privileges.

Resolution

Apply the patch referenced in Microsoft Security Bulletin 05-040.

Where can I read more about this?

This vulnerability was reported in Microsoft Security Bulletin 05-040.

Technical Details

Service: netbios
telephony service running and KB893756 not installed

DirectShow buffer overflow
Severity: Area of Concern CVE: CVE-2005-2128

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: DirectShow Buffer Overflow
Description: Fixes a vulnerability in DirectX which could allow command execution by a specially crafted .avi file. (CVE 2005-2128)
Fix: 2000: 904706; XP: 904706; 2003: 904706 or SP2
Bulletin: 05-050

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB904706 not found

HTML Application Host vulnerability in Windows shell
Severity: Area of Concern CVE: CVE-2005-0063

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: HTML Application Host vulnerability in Windows shell
Description: Fixes a vulnerability which could allow an e-mail attachment of an unregistered type to execute code using HTML Application Host. (CVE 2005-0063)
Fix: 2000: 893086 or SP4 Update Rollup 1; XP: 893086; 2003: 893086 or SP1
Bulletin: 05-016

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB893086 not found

Microsoft Color Management Module buffer overflow
Severity: Area of Concern CVE: CVE-2005-1219

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Microsoft Color Management Module buffer overflow
Description: Fixes a vulnerability in ICC profile format tag validation which could allow command execution when a user views a malformed image. (CVE 2005-1219)
Fix: 2000: 901214; XP: 901214; 2003: 901214 or SP2
Bulletin: 05-036

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB901214 not found

Microsoft Data Access Component vulnerability
Severity: Area of Concern CVE: CVE-2006-0003

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Microsoft Data Access Component vulnerability
Description: A remote code execution vulnerability exists in the RDS.Dataspace ActiveX control in ADO distributed in MDAC. Opening a file provided by an attacker (by mail or web site) allows the attacker to execute code with the rights of that user. (CVE 2006-0003)
Fix: 2000: 911562; XP: 911562; 2003: 911562 or SP2
Bulletin: 06-014

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
msadco.dll older than 2006-2-15

Windows DHTML Editing Component vulnerability
Severity: Area of Concern CVE: CVE-2004-1319

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: DHTML Editing Component vulnerability
Description: Fixes a cross-domain vulnerability allowing information disclosure or command execution when a user visits a malicious web page. (CVE 2004-1319)
Fix: 2000: 891781 or SP4 Update Rollup 1; XP: 891781; 2003: 891781 or SP1
Bulletin: 05-013

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB891781 not found

Windows Explorer COM object command execution
Severity: Area of Concern CVE: CVE-2004-2289 CVE-2006-0012

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows Explorer COM object command execution
Description: Fixes a vulnerability which could allow command execution by a web site which forces a connection to a remote file server. (CVE 2004-2289, CVE 2006-0012)
Fix: 2000: 908531; XP: 908531; 2003: 908531 or SP2
Bulletin: 06-015

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB908531 not found

Windows Hyperlink Object Library buffer overflow
Severity: Area of Concern CVE: CVE-2005-0057

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Hyperlink Object Library buffer overflow
Description: Fixes a buffer overflow which could allow command execution when a user clicks on a specially crafted hyperlink. (CVE 2005-0057)
Fix: 2000: 888113 or SP4 Update Rollup 1; XP: 888113; 2003: 888113 or SP1
Bulletin: 05-015

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB888113 not found

Windows Kernel privilege elevation vulnerability
Severity: Area of Concern CVE: CVE-2005-2827

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows Kernel privilege elevation vulnerability
Description: Fixes a vulnerability in the Windows 2000 Kernel that allows an attacker who has successfully logged into the system to take control of a host. (CVE-2005-2827)
Fix: 2000: 908523
Bulletin: 05-055

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
mup.sys older than 2005-11-30

Windows Media Player plug-in EMBED vulnerability
Severity: Area of Concern CVE: CVE-2006-0005

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows Media Player plug-in EMBED vulnerability
Description: Fixes a buffer overflow which could allow command execution when a user plays media files through non-Microsoft browsers. (CVE-2006-0005)
Fix: 911564
Bulletin: 06-006

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
npdsplay.dll older than 2005-11-29

Windows Web Fonts vulnerability
Severity: Area of Concern CVE: CVE-2006-0010

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows web fonts vulnerability
Description: Fixes a vulnerability in embedded web fonts that could allow remote code execution. An attacker could exploit the vulnerability by having a user access a web page with the malformed web fonts in it. This would allow the attacker to execute commands with the authority of the user. (CVE-2006-0010)
Fix: 2000: 908519; XP: 908519; 2003: 908519 or SP2
Bulletin: 06-002

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB908519 not found

Windows shortcut file command execution
Severity: Area of Concern CVE: CVE-2005-2117 CVE-2005-2118 CVE-2005-2122

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows Shortcut File command execution
Description: Fixes three Windows shell vulnerabilities, the most critical of which could allow command execution when a .lnk file is opened. (CVE-2005-2117, CVE-2005-2118, CVE-2005-2122)
Fix: 2000: 900725; XP: 900725; 2003: 900725 or SP2
Bulletin: 05-049

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages, which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB900725 not found

vulnerable WinZip version: 8.0
Severity: Area of Concern CVE: CVE-2001-0449 CVE-2004-1465

Impact

Vulnerabilities in WinZip could allow attacker-supplied code to run on a user's computer when the user opens a malformed ZIP file.

Resolution

Upgrade to WinZip 10.0 Build 7245 or to WinZip 11.0.

Where can I read more about this?

The ActiveX control buffer overflow was reported in Bugtraq ID 21060.

The vulnerabilities in WinZip prior to 9.0 SR-1 were reported in Bugtraq ID 11092.

The /zipandemail vulnerability was reported in Defcom Labs Advisory 2001-09.

Technical Details

Service: netbios
README.txt contains: WinZip(R) Version 8.0

guessable read community string
Severity: Potential Problem