Brought to our organization by our friends at the SANS Institute.
***********************************************************************
SANS Critical Vulnerability Analysis
January 27, 2003 Vol. 2. No. 3

The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week and
provides data on appropriate actions to protect your systems.


Table of Contents

Special report:
(0) MS-SQL Server Worm (SQL

Vulnerabilities With Significant Deployment
(1) HIGH: Windows RPC Locator Service Buffer Overflow
(2) MODERATE: CVS Directory Double-Free Vulnerability
(3) MODERATE: PeopleSoft XXE Information Disclosure Vulnerability
(4) LOW: CuteFTP Large LIST Response Buffer Overflow
(5) LOW: Cross-Site Tracing Vulnerability

Exploit Code Releases:
(6) ISC DHCPv3 nsupdate Exploit

*********** Sponsored by SANS 2003 and the NIAL Conference
If your boss won't let you come to SANS2003 in San Diego (and wants
you to attend one closer to home), tell her about the special NIAL
(National Information Assurance Leadership) Conference held the two
days before the SANS2003 training tracks start. You can attend NIAL and
bring your boss along, too. NIAL has the amazing SANS Internet Threat
Briefing - updated, How to Give A Winning Security Presentation, The
Future of Security, CyberWarfare, Choosing the Right Security Tools,
and a full slate of other sessions you cannot find at any other
conference. It is different from every other security conference
because it uses only the people who have been rated "best speaker"
at the other conferences. So you don't have to worry about sitting
through marketing pitches or listening to weak speakers. And if you
are concerned that SANS courses are too technical for you, either
select Track 9 (Basic ISO plus Security + certification) or come to
NIAL. You'll find it stays at the management level, and San Diego is
great in March.
SANS 2003:

(0) MS-SQL Server Worm (also called Sapphire, SQL Slammer, SQL Hell)

A worm launched Saturday morning January 25, about 12:30 AM (EST),
takes advantage of a buffer overflow vulnerability in Microsoft SQL
Server 2000. The SQL vulnerability was initially reported in July
of 2002. The worm is also being called Sapphire, SQL Slammer, and
SQL Hell.

Microsoft reports that the worm also infects MSDE 2000 systems,
typically used by software developers.

The worm attempts to infect systems at (approximately) randomly
generated IP addresses. The worm has no back doors or code for
flooding like other worms (Code Red). However, by using UDP packets
for infection, the worm allows infected machines to generate huge
amounts of traffic - even greater than that produced by most code
written specifically for flooding. Thus, in attempting to infect
other systems, the worm has powerful denial of service capabilities.

The worm resides in memory, and not on disk, so it can be eliminated
using a system reboot. However, if the defensive perimeter is not
upgraded to block the offending UDP packets or the system is not patched,
it will be quickly reinfected.

The worm uses UDP port 1434, so the impact of the worm can be
reduced by blocking inbound and outbound traffic destined for UDP port
1434. Sites should use caution when blocking all traffic to this port,
since it is legitimately used by Microsoft SQL services. Some sites
have reported high levels of UDP traffic to port 1433 as well.
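One way to spot infected hosts in flow or firewall logs, as an added example that is not part of the SANS newsletter: a host that sends UDP/1434 datagrams to many distinct addresses within a short window is behaving like the worm's random-address scanner, whereas a legitimate SQL client talks to one or a few servers. The log format, addresses, timestamps and thresholds are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow-record format: "<ISO timestamp> <src> <dst> <proto> <dport>"
def parse_flow(line):
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)

def find_slammer_scanners(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {src: distinct_dsts} for hosts that reach >= threshold distinct
    destinations on UDP/1434 inside any interval of length `window`."""
    per_src = defaultdict(list)                # src -> [(timestamp, dst), ...]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, proto, dport = parse_flow(line)
        if proto == "udp" and dport == 1434:   # the worm's only transport
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()                          # sliding window over time-ordered events
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = len(distinct)
                break                          # one hit per source is enough
    return flagged

def constructed_sample():
    """Constructed flows: one host spraying random addresses, one legitimate
    client repeatedly querying a single SQL Server, plus unrelated TCP."""
    base = datetime(2003, 1, 25, 5, 30, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.1.2.3 198.51.100.{i + 1} udp 1434")   # scanner
        lines.append(f"{ts} 10.1.7.9 10.1.0.5 udp 1434")              # normal client
    lines.append(f"{base.isoformat()} 10.1.7.9 10.1.0.5 tcp 1433")   # ignored: not UDP/1434
    return lines

if __name__ == "__main__":
    for host, n in find_slammer_scanners(constructed_sample()).items():
        print(f"{host}: {n} distinct UDP/1434 targets within 60s -> likely infected")
```

Hosts whose legitimate SQL traffic is confined to a few known servers can be exempted by checking the destination against an allowlist before counting.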

A CERT Advisory said the worm has caused various levels of network
degradation across the Internet. One news story reported that
ATMs of Bank of America were impacted by the worm. According to the
various reports, about 35,000 hosts had been infected as of Saturday.
Incidents.Org reports 120,000 IP addresses infected by Sunday at 10 AM
(EST).

Preliminary analysis of the worm (includes a packet trace):

Original Vulnerability Analysis by David Litchfield:

CERT Advisory:

Microsoft Advisory:

Cisco Security Notice (Recommendations):

Cisco Security Advisory:

Microsoft Security Bulletin (originally posted July 24, 2002):

Council Site Actions:
Due to the late-breaking nature of this item, we were unable to solicit
input specifically from the Council Sites, but most sites patched
their systems and filtered traffic to and from the affected ports.

Widely Deployed Software

(1) HIGH: Windows RPC Locator Service Buffer Overflow

Affected Products:
Windows NT 4.0
Windows NT 4.0 Terminal Server
Windows 2000
Windows XP

The RPC Locator service, enabled by default in Windows NT4/2000 domain
controllers, contains an exploitable buffer overflow in the handling
of malformed RPC calls. Unauthenticated remote attackers can exploit
the flaw to execute arbitrary code with SYSTEM privileges.

Risk: Remote SYSTEM-level compromise of Windows hosts offering the
RPC Locator service.

Deployment: Significant.
Only domain controllers have the RPC Locator service enabled by
default, but the service can be enabled on any Windows NT4/2000/XP
system.

Ease of Exploitation: Unknown.
Few technical details were provided. The overflow can be triggered by
making an RPC call to the Locator service with a specially malformed
request.

Status: Vendor confirmed, patches available. Firewalls can be
configured to block access to the NetBIOS ports (135/tcp, 139/tcp,
445/tcp) on affected systems to provide protection.

Microsoft Security Bulletin MS03-001:

CERT Advisory:

SecurityFocus Vulnerability Information:

Council Site Actions:
Due to the late-breaking nature of this item, we were unable to solicit
input from the Council Sites.


(2) MODERATE: CVS Directory Double-Free Vulnerability

Affected Products:
CVS version 1.11.4 and earlier

CVS contains a "double-free" vulnerability in the handling of
malformed directory names. A remote attacker with read-only access
to CVS resources can exploit the flaw to execute arbitrary code with
root privileges on the CVS server.

Risk: Remote root compromise of CVS servers.

Deployment: Significant.
Many companies use CVS to manage proprietary source code. Open-source
projects that allow anonymous read-only access from the Internet are
especially at risk.

Ease of Exploitation: Challenging.
This is a heap corruption vulnerability that arises due to the CVS
server attempting to free the same memory reference more than once.
Exploits are known to exist but have not been released to the public.

Status: Vendor confirmed, patches available.

e-matters Vulnerability Advisory:

CERT Advisory:

Patch from e-matters:

Vendor Patches (RedHat, Mandrake, Debian, Conectiva, OpenBSD):

Council Site Actions:
Several of the council sites reported limited deployments of CVS. These
sites plan to upgrade to a non-vulnerable version of the software
during their next regularly scheduled patch cycle. Several sites have
CVS deployed on Internet-facing systems. One site patched their system
the day the vulnerability announcement came out. The other sites plan
to accelerate the upgrades on their Internet-facing systems as well.


(3) MODERATE: PeopleSoft XXE Information Disclosure Vulnerability

Affected Products:
PeopleSoft PeopleTools versions 8.1x prior to 8.19 (included with
most PeopleSoft installations)

An XML external entities (XXE) vulnerability exists in the PeopleSoft
Application Messaging Gateway. A remote attacker can exploit the
flaw to gain unauthorized access to arbitrary files on the PeopleSoft
server, potentially exposing highly sensitive information.

Risk: Remote attackers can access arbitrary files readable by the
PeopleSoft server.

Deployment: Significant.
PeopleSoft enterprise software is used by many organizations to manage
sensitive information related to all aspects of business operation.
Affected products include PeopleSoft packages to manage human
resources, supply chains, customer relationships, and finance.

Ease of Exploitation: Straightforward.
The attacker must be able to access the Gateway Administration
Servlet (accessible to all by default) in order to enable the
SimpleFileHandler. Then the attacker can submit XML documents to the
web interface via a POST request. If the XML is written to include
external entity references to files the attacker wishes to view,
the server returns the unauthorized files in its response to the POST.
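A defensive pre-parse check of the kind a gateway that accepts POSTed XML needs, as an added example that is not PeopleSoft's code: it uses Python's expat parser to record every entity or DTD that points outside the document and refuses to fetch any of them, so a message carrying an external entity reference is rejected instead of having the referenced file read into the response. The sample messages and the file path are constructed.

```python
import xml.parsers.expat as expat

def find_external_references(xml_bytes):
    """Return a list of (kind, name, location) for every external DTD or
    entity the document declares. Nothing is ever fetched: the external
    entity handler refuses, which makes expat abort the parse."""
    found = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:            # external DTD subset
            found.append(("doctype", name, system_id or public_id))

    def on_entity_decl(name, is_pe, value, base, system_id, public_id, notation):
        if system_id or public_id:            # <!ENTITY x SYSTEM "..."> or PUBLIC
            found.append(("entity", name, system_id or public_id))

    def on_external_ref(context, base, system_id, public_id):
        return 0                              # refuse: expat raises ExpatError

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        # Either the document is malformed or we aborted on an external
        # reference; in both cases the message must not be processed.
        if not found:
            found.append(("malformed", None, None))
    return found

def gateway_accepts(xml_bytes):
    """Policy for the inbound message handler: accept only documents with
    no external references and no parse error."""
    return not find_external_references(xml_bytes)

# Constructed inbound messages: an ordinary one and one carrying an external entity.
BENIGN_MESSAGE = b'<?xml version="1.0"?><msg><to>HR</to><body>hello</body></msg>'
XXE_MESSAGE = (b'<?xml version="1.0"?>\n'
               b'<!DOCTYPE msg [ <!ENTITY ext SYSTEM "file:///example/secret.txt"> ]>\n'
               b'<msg>&ext;</msg>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_MESSAGE), ("xxe", XXE_MESSAGE)):
        print(label, "accepted" if gateway_accepts(doc) else "rejected", find_external_references(doc))
```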

ISS Vulnerability Advisory:

Background on XXE Attacks:

Vendor Home Page:

Council Site Actions:
The vulnerable PeopleSoft software is only in use at two of the
Council Sites. One site already has a plan to patch during the next
regularly scheduled patch update cycle. The second site is still
investigating whether it is vulnerable, but stated it will most likely
upgrade the software during the next patch update cycle.


(4) LOW: CuteFTP Large LIST Response Buffer Overflow

Affected Products:
CuteFTP client 5.0 XP, build and possibly earlier

The CuteFTP client for Windows contains a buffer overflow in the
handling of large LIST responses. A malicious FTP server can exploit
the flaw to execute arbitrary code on the client system.

Risk: FTP client compromise with the privileges of the user running
the client.

Deployment: Widely deployed.
According to the CuteFTP home page, the vulnerable software has
millions of users worldwide. Published download statistics show that
the package has been downloaded more than 12 million times.

Ease of Exploitation: Straightforward.
The overflow appears to be stack-based and easily exploitable. However,
the attacker must entice a victim to visit a malicious FTP server.

Status: The advisory indicates vendor confirmation, and states that
a fixed software release was planned for January 20th. However,
the vendor web page makes no reference to the vulnerability.

Bugtraq Posting by Lance Fitz-Herbert:

Vendor Home Page:

CuteFTP Download Page:

Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites. They reported that no action was necessary.


(5) LOW: Cross-Site Tracing Vulnerability

Affected Products:
Any web server supporting the TRACE or TRACK method.

Researchers from WhiteHat Security have demonstrated a technique that
enables an attacker to use a web server in a cross-site scripting
(XSS) attack, even if the server does not have an XSS vulnerability. An
attacker can craft a malicious HTML page that, when rendered by a
victim's browser, sends a TRACE/TRACK request to the server. If the
server supports TRACE/TRACK, it will echo the potentially sensitive or
malicious information contained in the request back to the client. Note
that, if the attacker wishes to utilize a server outside the domain
hosting the malicious web page (e.g. to steal cookies), additional
domain restriction bypass vulnerabilities must be exploited in the
browser. However, because nearly all web servers support TRACE/TRACK,
and because several suitable IE vulnerabilities remain unpatched,
this attack is generally more viable than traditional XSS.

Risk: Cross-site scripting attacks using any web server supporting
the TRACE or TRACK methods.

Deployment: Huge.
Nearly all web servers support TRACE/TRACK by default, and some have
no mechanism to disable it.

Ease of Exploitation: Straightforward.
Crafting a malicious web page that takes advantage of the problem is
trivial; example code was included in the WhiteHat paper. However,
the attacker must still trick the victim into loading the page, and
the most serious attack scenarios rely on the presence of additional
browser vulnerabilities.

Status: Confirmed by several security researchers, but opinions
regarding the severity of the problem differ widely. The attack will
be thwarted if the server does not respond to TRACE/TRACK requests.
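An administrator can verify that mitigation on their own servers with a check like the following, an added example that is not from the WhiteHat paper or the newsletter: it sends a TRACE and a TRACK request carrying a harmless marker header and reports whether the server reflects it back in a 200 message/http body, which is exactly what would happen to a victim browser's Cookie header. The host names, marker and canned responses are constructed.

```python
import socket

PROBE_MARKER = "xst-probe-constructed-7f3a"   # harmless marker standing in for a Cookie

def build_probe(method, host, path="/"):
    """A TRACE or TRACK request with a marker header; a server that echoes
    the marker would equally echo a victim's Cookie or Authorization header."""
    return (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"X-Probe: {PROBE_MARKER}\r\nConnection: close\r\n\r\n").encode()

def parse_response(raw):
    """Split a raw HTTP response into (status or None, lowercase headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None, {}, body                   # not an HTTP status line
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body

def method_echoed(raw_response):
    """True when the server answered 200 with a message/http body containing
    our marker, i.e. it reflects request headers back to the caller."""
    status, headers, body = parse_response(raw_response)
    return (status == 200
            and headers.get(b"content-type", b"").lower().startswith(b"message/http")
            and PROBE_MARKER.encode() in body)

def check_server(host, port=80, timeout=5.0):
    """Send both probes over a plain socket; returns {method: echoed?}."""
    results = {}
    for method in ("TRACE", "TRACK"):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_probe(method, host))
            chunks = []
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        results[method] = method_echoed(b"".join(chunks))
    return results

# Constructed responses: one server that reflects the request, one that refuses.
ECHOING = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nConnection: close\r\n\r\n"
           + build_probe("TRACE", "www.example.com"))
REFUSING = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n"
```

A server is only fixed when both methods come back as not echoed (a 405, 501 or closed connection); a 200 with a body that omits the marker still means the method is enabled and should be disabled at the server or front-end proxy.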

WhiteHat Security Announcement:

WhiteHat Press Release:

Commentary posted to Bugtraq and VulnWatch:

News Article:

Unpatched Internet Explorer Vulnerabilities:

Council Site Actions:
Most of the council sites have chosen to monitor this vulnerability at
the current time, rather than take action. They based this decision on
the low rating of the vulnerability and the effort required to take
advantage of it. Several sites are still investigating the impact
on their web sites and reported they will most likely turn off the
TRACE/TRACK options.

Exploit Code Releases

(6) ISC DHCPv3 nsupdate Exploit

As reported in last week's newsletter, ISC DHCPd contains multiple
vulnerabilities that allow a remote attacker to execute arbitrary code
with root privileges. A proof of concept exploit has been released. In
fact, the exploit code was sent to Bugtraq prior to the release of
the CERT advisory.

Exploit code:

CERT advisory:

Council Site Actions:
As reported last week, several of the council sites are using this
software to provide their site-wide DHCP service. However, in all
cases, they do not have the 'nsupdate' feature enabled. Several other
sites have already upgraded to the corrected version.


About the CVA Process and Council

The CVA is produced in four phases:
Phase 1: Neohapsis director of research Jeff Forristal and the
Neohapsis team scour all of the major vendor web sites as well as
bugtraq and other sources of new vulnerability information and compile
what they believe to be a complete list of all new vulnerabilities
and major vulnerability announcements made during the week. The SANS
Institute and Network Computing Magazine vet the list through the
major system manufacturers and jointly publish it every week as the
Security Alert Consensus (SAC). Anyone may subscribe to the SAC at

Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
vulnerabilities and announcements that demand immediate action. This
reduces the list from 30-50 each week down to under 10. Vicki has been
on the front lines of intrusion detection and vulnerability testing
for nearly five years and her work in the field is legendary.

Phase 3: Very technical security managers at fifteen of the largest
user organizations in the United States each review the "immediate
action" vulnerabilities and describe what they did or did not do
to protect their organizations. Council members include banks and
other financial organizations, government agencies, universities,
major research laboratories, ISPs, health care, manufacturers,
insurance companies and a couple more. The individual members have
direct responsibility for security for their systems and networks. All
were concerned that information about their security configuration
would leak out, and agreed to serve only if their identities were
not revealed.

Phase 4: SANS compiles the responses and identifies the items on which
the Council members took or are taking action, produces the weekly CVA,
and distributes it via email to all eligible persons.

Critical Vulnerability Analysis Scale Ratings

In ranking vulnerabilities several factors are taken into account,
such as:

- Is this a server or client compromise? At what privilege level?
- Is the affected product widely deployed?
- Is the problem found in default configurations/installations?
- Are the affected assets high value (e.g. databases, e-commerce servers)?
- Is the network infrastructure affected (DNS, routers, firewalls)?
- Is exploit code publicly available?
- Are technical vulnerability details available?
- How difficult is it to exploit the vulnerability?
- Does the attacker need to lure victims to a hostile server?

Based on the answers to these questions, vulnerabilities are ranked as
Critical, High, Moderate, or Low.

CRITICAL vulnerabilities are those where essentially all planets
align in favor of the attacker. These vulnerabilities typically
affect default installations of very widely deployed software, result
in root compromise of servers or infrastructure devices, and the
information required for exploitation (such as example exploit code)
is widely available to attackers. Further, exploitation is usually
straightforward, in the sense that the attacker does not need any
special knowledge about individual victims, and does not need to lure
a target user into performing any special functions.

HIGH vulnerabilities are usually issues that have the potential to
become CRITICAL, but have one or a few mitigating factors that make
exploitation less attractive to attackers. For example, vulnerabilities
that have many CRITICAL characteristics but are difficult to exploit,
do not result in elevated privileges, or have a minimally sized victim
pool are usually rated HIGH. Note that HIGH vulnerabilities where the
mitigating factor arises from a lack of technical exploit details will
become CRITICAL if these details are later made available. Thus, the
paranoid administrator will want to treat such HIGH vulnerabilities as
CRITICAL, if it is assumed that attackers always possess the necessary
exploit information.

MODERATE vulnerabilities are those where the scales are slightly tipped
in favor of the potential victim. Denial of service vulnerabilities
are typically rated MODERATE, since they do not result in compromise
of a target. Exploits that require an attacker to reside on the same
local network as a victim, only affect nonstandard configurations
or obscure applications, require the attacker to social engineer
individual victims, or where exploitation only provides very limited
access are likely to be rated MODERATE.

LOW vulnerabilities usually do not affect most administrators, and
exploitation is largely unattractive to attackers. Often these issues
require the attacker to already have some level of access to a target
(e.g. be able to execute arbitrary SQL queries, or be able to pop mail
from a mail server), require elaborate specialized attack scenarios,
and only result in limited damage to a target. Alternatively, a LOW
ranking may be applied when there is not enough information to fully
assess the implications of a vulnerability. For example, vendors often
imply that exploitation of a buffer overflow will only result in a
denial of service. However, many times such flaws are later shown
to allow for execution of attacker-supplied code. In these cases,
the issues are reported in order to alert security professionals to
the potential for deeper problems, but are ranked as LOW due to the
element of speculation.

Remediation Timescale
A vulnerability rating corresponds to the "threat level" of a
particular issue. Critical threats must be responded to most quickly,
as the potential for exploitation is high. Recommended response times
corresponding to each of the ratings are below. These recommendations
should be tailored according to the level of deployment of the affected
product at your organization.

CRITICAL: 48 hours
HIGH: 5 business days
MODERATE: 15 business days
LOW: At the administrator's discretion