April 1, 1999

The Happy99 Worm

Have you received an e-mail from someone with a file “happy99.exe” as an attachment? And have
you run that file to see the fireworks display? Well then, brace yourself for the bad
news: your system is infected by the Happy99 worm, and you are unknowingly passing the
infection on to everyone you send e-mail to.

How do you find out if your system is infected?

Recently updated virus scanners should be able to detect and remove
the Happy99 worm. However, if you don’t have access to one, or are not sure,
here’s a brute-force method for detection and cure.

Before that, let’s find out how Happy99 works. When you run
happy99.exe, it replaces your wsock32.dll file (the Winsock DLL) with one of its own. The
next time you send an e-mail, Happy99 sends itself along to the recipient as an
attachment in a separate e-mail. Your system will not get infected just by reading the
e-mail; you have to run the exe file for that.

Go to your windows\system directory and run dir ska*

If you see two files, ska.exe and ska.dll, then you are infected. To
be sure, you can also run dir wsock*: two of the files listed will be wsock32.dll and
wsock32.ska.

To remove the infection, first boot to the DOS prompt. Go to the
windows\system directory and delete the ska.exe and ska.dll files. Now delete the file
wsock32.dll and rename wsock32.ska to wsock32.dll (ren wsock32.ska wsock32.dll).
Finally, delete the file liste.ska. Before deleting it, run type liste.ska to see
the e-mail addresses to which Happy99 has sent itself.

Now reboot the system, and you are done. The next time you get an
e-mail with the happy99 attachment, delete it immediately and empty the trash folder. And
do the sender a favor: tell them about the infection and how to clean the system.
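The detection and cleanup steps above, as an added example script that is not part of the original article. It checks a given system directory for the ska.exe/ska.dll indicators, restores wsock32.dll from the wsock32.ska copy, and returns the addresses recorded in liste.ska so the user can warn the recipients. The file names are the ones the article lists; the directory contents in demo() are constructed placeholders in a temporary folder, not real worm files.

```python
"""Indicator check and cleanup for the Happy99 (ska) worm, following the
manual steps in the article. Added example, not from the original page."""
import os
import shutil
import tempfile

# File names the article lists as indicators of infection (in windows\system).
WORM_FILES = ("ska.exe", "ska.dll")
SAVED_WINSOCK = "wsock32.ska"   # the original Winsock DLL, renamed by the worm
WINSOCK = "wsock32.dll"         # the worm's replacement DLL
ADDRESS_LIST = "liste.ska"      # addresses the worm has already mailed itself to


def is_infected(system_dir):
    """True if ska.exe and ska.dll are both present (the article's 'dir ska*' check)."""
    return all(os.path.exists(os.path.join(system_dir, f)) for f in WORM_FILES)


def mailed_addresses(system_dir):
    """Recipients recorded in liste.ska (one per line), or [] if the file is absent."""
    path = os.path.join(system_dir, ADDRESS_LIST)
    if not os.path.exists(path):
        return []
    with open(path, "r", errors="replace") as fh:
        return [line.strip() for line in fh if line.strip()]


def clean(system_dir):
    """Remove ska.exe/ska.dll, restore wsock32.dll from wsock32.ska, delete
    liste.ska. Returns the addresses found in liste.ska. Refuses to touch
    wsock32.dll if the saved copy is missing, since deleting the only Winsock
    DLL would break networking instead of repairing it."""
    saved = os.path.join(system_dir, SAVED_WINSOCK)
    if not os.path.exists(saved):
        raise FileNotFoundError("wsock32.ska not found; refusing to delete wsock32.dll")
    addresses = mailed_addresses(system_dir)  # read before the file is deleted
    for name in WORM_FILES:
        path = os.path.join(system_dir, name)
        if os.path.exists(path):
            os.remove(path)
    current = os.path.join(system_dir, WINSOCK)
    if os.path.exists(current):
        os.remove(current)
    os.rename(saved, current)                  # ren wsock32.ska wsock32.dll
    list_path = os.path.join(system_dir, ADDRESS_LIST)
    if os.path.exists(list_path):
        os.remove(list_path)
    return addresses


def demo():
    """Build a constructed 'infected' directory in a temp folder and clean it.
    Returns (infected before, addresses found, infected after, dll restored)."""
    d = tempfile.mkdtemp()
    try:
        for name in WORM_FILES + (WINSOCK,):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"constructed placeholder")
        with open(os.path.join(d, SAVED_WINSOCK), "wb") as fh:
            fh.write(b"constructed original winsock")
        with open(os.path.join(d, ADDRESS_LIST), "w") as fh:
            fh.write("alice@example.com\nbob@example.com\n")
        before = is_infected(d)
        addrs = clean(d)
        after = is_infected(d)
        with open(os.path.join(d, WINSOCK), "rb") as fh:
            restored = fh.read() == b"constructed original winsock"
        return before, addrs, after, restored
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run it against the real windows\system directory only from a clean boot, as the article says, since the replaced wsock32.dll is in use while Windows is running.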

 

Authentication processing error in Win NT 4 Service Pack 4

Problem: There is a logic error in Service Pack 4 for Win NT 4, which
under certain conditions allows a user to log on interactively and connect to network
shares using a blank password.

Who’s affected: This vulnerability primarily affects
Win NT Server 4 using Service Pack 4 (SP 4) that serves as a domain controller with
DOS, Win 3.1, Windows for Workgroups, OS/2 or Macintosh clients. However, this problem
doesn’t affect user accounts where the password change is initiated from Win 95/98/NT
systems. Also, only the user who knows the current password for the account can initiate
user account password changes.

Impact and solution: The Win NT Security Account Manager
(SAM) database stores the hashed password for each user account in two forms:

1. An “NT hash” form that’s used to authenticate
users on Win NT clients.

2. An “LM hash” form that’s used to authenticate
users on Win 3.1/95/98, DOS, OS/2, and Macintosh.

When a user changes his password via a Win NT/95/98 client,
both the “NT hash” and “LM hash” forms of the password are updated in
the SAM. However, when the user changes his password via a down-level client, only the
“LM hash” form of the password is stored; a null value is stored in the “NT
hash” field.

When a user attempts an interactive logon or a network share
connection from a Win NT system, the Win NT authentication process uses the
“NT hash” form of the password. If the “NT hash” is null, the “LM
hash” of the password is used for verification. The logic error in SP 4 incorrectly
allows a null “NT hash” value to be used for authentication from Win NT
systems. The result is that if a user account’s password was last changed from a DOS,
Win 3.1, Windows for Workgroups, OS/2 or Macintosh client, a user can log into that
account from a Win NT system using a blank password.
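A simplified model of the logic error described above, placed beside the corrected logic. This is an added example, not Microsoft’s code: the real NT hash is MD4 over the UTF-16LE password and the real LM hash is DES-based, but SHA-256 stand-ins are used here so it runs on any Python, and a blank password is modeled as a null response (empty bytes), mirroring the null stored field. Account names and passwords are constructed.

```python
"""Model of the SP4 null-'NT hash' logic error and its fix. Added example;
simplified stand-in hashes, not Windows NT's authentication code."""
import hashlib
import hmac

NULL_HASH = b""  # model's representation of a null SAM field or blank-password response

# Clients that update only the LM hash on a password change (per the advisory).
DOWN_LEVEL_CLIENTS = {"DOS", "Win3.1", "WfW", "OS/2", "Macintosh"}


def nt_hash(password):
    """Stand-in for the NT hash (really MD4 over UTF-16LE). Blank -> null response."""
    if password == "":
        return NULL_HASH
    return hashlib.sha256(b"NT:" + password.encode("utf-16-le")).digest()


def lm_hash(password):
    """Stand-in for the LM hash (really DES-based over the upper-cased password)."""
    if password == "":
        return NULL_HASH
    return hashlib.sha256(b"LM:" + password.upper().encode("utf-8")).digest()


class SamRecord:
    """One account's two stored password hashes."""
    def __init__(self, name):
        self.name = name
        self.nt = NULL_HASH
        self.lm = NULL_HASH


def change_password(record, new_password, client):
    """NT/95/98 clients update both hashes; down-level clients store only the
    LM hash and leave a null in the NT hash field."""
    record.lm = lm_hash(new_password)
    record.nt = NULL_HASH if client in DOWN_LEVEL_CLIENTS else nt_hash(new_password)


def authenticate_sp4(record, password):
    """Flawed logic as the advisory describes it: the stored NT hash is compared
    even when it is null, so a null response (blank password) matches an
    account whose NT hash field is null."""
    if hmac.compare_digest(nt_hash(password), record.nt):
        return True
    if record.nt == NULL_HASH:            # the intended LM fallback, reached too late
        return hmac.compare_digest(lm_hash(password), record.lm)
    return False


def authenticate_fixed(record, password):
    """Corrected logic: a null NT hash is never compared; verification falls
    through to the LM hash, and a null LM hash never matches either."""
    if record.nt != NULL_HASH:
        return hmac.compare_digest(nt_hash(password), record.nt)
    if record.lm == NULL_HASH:
        return False
    return hmac.compare_digest(lm_hash(password), record.lm)


def accounts_at_risk(records):
    """Accounts whose last password change came from a down-level client
    (null NT hash, non-null LM hash): the population the advisory says is exposed."""
    return sorted(r.name for r in records if r.nt == NULL_HASH and r.lm != NULL_HASH)


def outcomes():
    """Constructed SAM: 'alice' changed her password from NT, 'bob' from DOS."""
    nt_acct = SamRecord("alice")
    change_password(nt_acct, "S3cret!", "NT")
    dos_acct = SamRecord("bob")
    change_password(dos_acct, "S3cret!", "DOS")
    return {
        "at_risk": accounts_at_risk([nt_acct, dos_acct]),
        "sp4_nt_blank": authenticate_sp4(nt_acct, ""),
        "sp4_nt_correct": authenticate_sp4(nt_acct, "S3cret!"),
        "sp4_dos_blank": authenticate_sp4(dos_acct, ""),       # the logic error
        "sp4_dos_correct": authenticate_sp4(dos_acct, "S3cret!"),
        "fixed_nt_blank": authenticate_fixed(nt_acct, ""),
        "fixed_dos_blank": authenticate_fixed(dos_acct, ""),
        "fixed_dos_correct": authenticate_fixed(dos_acct, "S3cret!"),
    }


if __name__ == "__main__":
    for key, value in outcomes().items():
        print(f"{key}: {value}")
```

The accounts_at_risk() check is the practical takeaway: until the hotfix is applied, any account with a null NT hash is exposed, and a password change from a Win 95/98/NT client closes the gap for that account.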

Any server or workstation running Win NT 4 SP 4 that contains a
SAM database with active users who communicate from down-level clients is vulnerable to
this problem. However, even on a vulnerable network, if a user changes the password
via Win 95/98/NT, that account will have a non-null “NT hash” value, and hence
will not be at risk.

Microsoft has posted patches for this vulnerability on x86 and Alpha
architectures on ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP4/Msv1-fix.
The files are called msv-fixi.exe and msv-fixa.exe respectively.

Vulnerability in BackOffice
Server 4 installer

Problem: There’s a vulnerability in the installer for BackOffice Server
4. The installer asks the user to provide the account user ID and password for selected
services and writes these to a file to automate the installation process. However, the
file is not deleted when the installation process is completed.

Who’s affected: Microsoft BackOffice Server version 4.

Impact and solution: When a user chooses to install SQL
server, Exchange server or Microsoft Transaction server as part of a BackOffice 4
installation, the BackOffice installer program requests the name and password for the
accounts associated with these services. Specifically, it asks for the account name and
password for the SQL Executive logon account, the Exchange services account, and the MTS
remote administration account. This information is stored in the file \Program
Files\Microsoft Backoffice\Reboot.ini to automate the installation process.

BackOffice server does not erase this file when the installation
process is completed. By default, the Microsoft BackOffice folder is not shared, so
network access doesn’t pose a risk. However, users who can log onto the server
locally are able to access the file.

The fix for this problem is to delete the file
\Program Files\Microsoft Backoffice\Reboot.ini after each BackOffice 4
installation, whether successful or not.

Remote buffer overflows in
FTP servers

Problem: A remote buffer-overflow in an FTP server allows intruders to get
root privileges.

Who’s affected: Any server running the latest version of
ProFTPD (1.2.0pre1) or the latest version of Wuarchive ftpd (2.4.2-academ [BETA-18]) is
affected. wu-ftpd is installed and enabled by default on most Linux variants such as Red
Hat and Slackware.

Impact and solution: Software that implements FTP is called
an “ftp server”, “ftp daemon”, or “ftpd”. On most vulnerable
systems, the ftpd software is enabled and installed by default.

There’s a general class of vulnerability that exists in several
FTP servers. Due to insufficient bounds checking, it’s possible to subvert an FTP
server by corrupting its internal stack space. By supplying carefully designed commands to
the FTP server, intruders can force the server to execute arbitrary commands with root
privilege.

Intruders who are able to exploit this vulnerability can ultimately
gain interactive access to the remote FTP server with root privilege.

A temporary workaround is to make read-only any world-writable
directories the FTP user can reach. This prevents an attacker from building the
unusually large path that these particular attacks require. The following patches are
available for the various “ftpd” software and platforms:

ProFTPD: All versions prior to 1.2.0pre1 are vulnerable. A
user can apply the version 1.2.0pre1 patch found at ftp://ftp.proftpd.org/patches/proftpd-1.2.0pre1-path_exploit2.patch.

wu-ftpd: All versions through 2.4.2 (beta 18) are vulnerable.
The vulnerability depends upon the target platform. At present no patches are available
for this vulnerability. The currently recommended action is to upgrade to wu-ftpd VR
series.

wu-ftpd VR series: All versions prior to 2.4.2 (beta 18) VR10
are vulnerable. Fix for this vulnerability is available at ftp://ftp.vr.net/pub/wu-ftpd/.

The following files have to be downloaded:

  • wu-ftpd-2.4.2-beta-18-vr13.tar.Z
  • wu-ftpd-2.4.2-beta-18-vr13.tar.gz

BeroFTPD 1.3.3 and NcFTPd 2.4.0 are not vulnerable.

Red Hat Linux: Version 5.2 and versions prior to it are
vulnerable. Updates are available from ftp://updates.redhat.com/5.2/.

You have to download the file
“wu-ftpd-2.4.2b18-2.1..rpm”.

Slackware Linux: All the versions are vulnerable. Updates are
available at:

Files are “tcpip1.tgz (3.6)” and “tcpip1.tgz
(current)”.

Caldera OpenLinux: The latest version is vulnerable. Updates
are available at ftp://ftp.calderasystems.com/pub/OpenLinux/updates/.

SCO: UnixWare ver 7.0.1 and earlier (except 2.1.x), and
OpenServer Ver 5.0.5 and earlier are vulnerable. CMW+ ver 3.0 and Open Desktop/Server ver
3.0 are not vulnerable.

Binary versions of ftpd are available from the SCO ftp site:

IBM AIX ver 4.x.x, HPUX ver 10.x and 11.x, SunOS, Sun Solaris, MS
IIS ver 3.0 and 4.0, Digital Unix v40b-v40e, OpenVMS v4.1-v5.0, and NetBSD are not
vulnerable.
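The temporary workaround for the ftpd overflows above (making world-writable directories read-only until a patched ftpd is installed), as an added example that is not part of the original article or of any ftpd project. It walks an FTP tree, reports every directory whose POSIX mode grants write access to “other”, and can clear that bit. It assumes a POSIX host; the directory layout in demo() is constructed in a temporary folder.

```python
"""Find and harden world-writable directories under an FTP root, the interim
workaround described in the article. Added example, not project code."""
import os
import shutil
import stat
import tempfile


def world_writable_dirs(root):
    """Directories under root (root included) whose mode has the other-write bit."""
    found = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            found.append(dirpath)
    return sorted(found)


def harden(root, dry_run=True):
    """Clear the other-write bit (chmod o-w) on each world-writable directory,
    keeping the remaining mode bits (including the sticky bit) unchanged.
    With dry_run=True only reports what would change. Returns the paths touched."""
    changed = []
    for d in world_writable_dirs(root):
        if not dry_run:
            mode = os.lstat(d).st_mode
            os.chmod(d, stat.S_IMODE(mode) & ~stat.S_IWOTH)
        changed.append(d)
    return changed


def demo():
    """Constructed FTP tree: a 1777 'incoming' drop box and a 755 read-only dir.
    Returns the world-writable directories (relative to root) before and after."""
    root = tempfile.mkdtemp()
    try:
        incoming = os.path.join(root, "pub", "incoming")
        readonly = os.path.join(root, "pub", "readonly")
        os.makedirs(incoming)
        os.makedirs(readonly)
        os.chmod(incoming, 0o1777)   # typical anonymous upload directory
        os.chmod(readonly, 0o755)
        rel = lambda d: os.path.relpath(d, root).replace(os.sep, "/")
        before = [rel(d) for d in world_writable_dirs(root)]
        harden(root, dry_run=False)
        after = [rel(d) for d in world_writable_dirs(root)]
        return before, after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run harden() with dry_run=True first and review the list: anonymous upload areas lose their purpose once write access is removed, so this is a stopgap to hold until the vendor patch above is applied, not a replacement for it.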
