
UNIRAS Brief - 593/04 - 26.10.04



 

----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 593/04 dated 26.10.04  Time: 12:00  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====

NISCC Vulnerability Advisory 841713/Hummingbird

Detail
====== 

The Hummingbird Inetd32 administration tool allows a user to configure which services 
under Inetd are enabled, which ports they listen on, and interestingly, which 
executables run when a connection is received. By simply replacing the normal daemon 
with a command of our choice, that command is run as Local System. 




NISCC Vulnerability Advisory 841713/Hummingbird
-----------------------------------------------

Vulnerability Issues in ICMP packets with TCP payloads

Version Information
-------------------
Advisory Reference	841713/Hummingbird   
Release Date		26 October 2004   
Last Revision		19 October 2004
Version Number		1.0	 

What is Affected?
-----------------
These issues were found during testing of Hummingbird Connectivity 7.1 but have been
reproduced on version 9.0 (default install). The host operating systems were Windows 
2000 Professional SP2 and Windows 2000 Advanced Server SP4 + all current HotFixes.

Severity
--------
The issue with Hummingbird Inetd32 allows a user to run an application in the context 
of the Local System user. The second issue, the buffer overflow in XCWD, is a 
denial-of-service condition that requires valid user credentials to invoke.

Summary
-------

Hummingbird Inetd32 provides a number of network services including FTP, TFTP and 
Telnet. Any user can enable and disable services, and crucially, change the 
executables that run when the service receives a connection. These applications run 
in the security context of the Local System user.

Additionally, the FTP service contains a buffer overrun in the XCWD command handler. 

Details
-------
NISCC/841713/Hummingbird/1
CVE number: No match

The Hummingbird Inetd32 administration tool allows a user to configure which services 
under Inetd are enabled, which ports they listen on, and interestingly, which 
executables run when a connection is received. By simply replacing the normal daemon 
with a command of our choice, that command is run as Local System. 

NISCC/841713/Hummingbird/2
CVE number: No match

The FTP service contains a buffer overrun in the XCWD command handler, which can be
triggered by a directory name of between 256 and 259 characters.
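
Added example (not part of the NISCC advisory and not Hummingbird code): a
detection check for the second issue that scans the client side of an FTP control
channel for XCWD commands whose argument falls in the 256 to 259 character range
stated above. It assumes the whole XCWD argument counts as the directory name and
also flags longer arguments as abnormal; the function names and the sample session
are constructed for illustration.

```python
import re

# Argument lengths the advisory gives for the XCWD overrun trigger.
TRIGGER_MIN, TRIGGER_MAX = 256, 259

# FTP verbs are case-insensitive (RFC 959); the argument runs to end of line.
_XCWD = re.compile(rb"^\s*XCWD[ \t]+(.*)$", re.IGNORECASE)

def split_commands(stream: bytes):
    """Yield non-empty command lines; accepts CRLF or bare LF terminators."""
    for line in stream.replace(b"\r\n", b"\n").split(b"\n"):
        if line:
            yield line

def classify(line: bytes):
    """Return None for non-XCWD lines, else (severity, argument_length)."""
    m = _XCWD.match(line)
    if not m:
        return None
    arg_len = len(m.group(1).rstrip(b"\r"))
    if TRIGGER_MIN <= arg_len <= TRIGGER_MAX:
        return ("advisory-range", arg_len)
    if arg_len > TRIGGER_MAX:
        return ("oversized", arg_len)  # beyond the stated range, still abnormal
    return ("ok", arg_len)

def scan(stream: bytes):
    """Return [(line_number, severity, length)] for XCWD lines worth an alert."""
    alerts = []
    for n, line in enumerate(split_commands(stream), start=1):
        result = classify(line)
        if result and result[0] != "ok":
            alerts.append((n, result[0], result[1]))
    return alerts

# Constructed sample session (not captured traffic).
SAMPLE = (
    b"USER alice\r\n"
    b"PASS secret\r\n"
    b"XCWD /pub/reports\r\n"
    b"xcwd " + b"A" * 257 + b"\r\n"
    b"XCWD " + b"B" * 300 + b"\n"
    b"QUIT\r\n"
)

if __name__ == "__main__":
    print(scan(SAMPLE))
```
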

Mitigation
----------
Hummingbird users are advised to apply the patches available from Hummingbird.

Solution
--------
Hummingbird have produced patches to address the issues noted in this advisory. 
Customers who require the patches should either contact their local Hummingbird 
support centre, details available from
http://connectivity.hummingbird.com/support/nc/contact.html
 
Or, customers who have a valid maintenance contract can register for web support and 
download patches from there:
http://connectivity.hummingbird.com/support/nc/request.html

Credits
-------
This issue was discovered by the CESG Network Defence Team, who reported the issue to NISCC. 
The NISCC vulnerability team would also like to thank Hummingbird for their co-operation in
handling this vulnerability.

Contact Information
-------------------
The NISCC Vulnerability Management Team can be contacted as follows:
 
Email		vulteam@xxxxxxxxxxxx 
		(Please quote the advisory reference in the subject line.)	   
Telephone	+44 (0)870 487 0748 Ext 4511 
		(Monday to Friday 08:30 - 17:00)	   
Fax		+44 (0)870 487 0749	   
Post		Vulnerability Management Team
		NISCC
		PO Box 832
		London
		SW1P 1BG	 

We encourage those who wish to communicate via email to make use of our PGP key. This
is available from http://www.uniras.gov.uk/UNIRAS.asc.

Please note that UK government protectively marked material should not be sent to the
email address above.

If you wish to be added to our email distribution list, please email your request to
uniras@xxxxxxxxxxxxx

What is NISCC?
--------------
For further information regarding the UK National Infrastructure Security 
Co-Ordination Centre, please visit the NISCC web site at: 
http://www.niscc.gov.uk/aboutniscc/index.htm

Reference to any specific commercial product, process or service by trade name, 
trademark, manufacturer or otherwise, does not constitute or imply its endorsement, 
recommendation, or favouring by NISCC. The views and opinions of authors expressed 
within this notice shall not be used for advertising or product endorsement purposes.

Neither shall NISCC accept responsibility for any errors or omissions contained 
within this advisory. In particular, they shall not be liable for any loss or damage 
whatsoever, arising from or in connection with the usage of information contained 
within this notice.

© 2004 Crown Copyright
 

<End of NISCC Vulnerability Advisory>


----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone. Not Protectively Marked information may be sent via 
email to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of NISCC & CESG for the information 
contained in this Briefing. 
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
