Vulnerability Issues in ICMP packets with TCP payloads
Version Information
Advisory Reference: 841713/Hummingbird
Release Date:
Last Revision:
Version Number: 1.0
What is Affected?
These issues were found during testing of Hummingbird Connectivity 7.1 but have been
reproduced on version 9.0 (default install). The host operating systems were Windows
2000 Professional SP2 and Windows 2000 Advanced Server SP4 + all current HotFixes.
Severity
The issue with Hummingbird Inetd32 allows a user to run an application in the context
of the Local System user. The second issue, the buffer overflow in XCWD, is a
denial-of-service condition that requires valid user credentials to invoke.
Summary
Hummingbird Inetd32 provides a number of network services including FTP, TFTP and
Telnet. Any user can enable and disable services, and crucially, change the
executables that run when the service receives a connection. These applications run
in the security context of the Local System user.
Additionally, the FTP service contains a buffer overrun in the XCWD command handler.
NISCC/841713/Hummingbird/1
The Hummingbird Inetd32 administration tool allows a user to configure which services
under Inetd are enabled, which ports they listen on, and interestingly, which
executables run when a connection is received. By simply replacing the normal daemon
with a command of our choice, that command is run as Local System.
NISCC/841713/Hummingbird/2
The FTP service contains a buffer overrun in the XCWD command handler, which can be
triggered by a directory name of between 256 and 259 characters.
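For defenders who log or capture FTP control-channel traffic, the length condition described above can be checked for directly. The following is an added example, not part of the NISCC advisory or of Hummingbird's software. It assumes raw client-to-server control bytes as input, measures the argument in bytes, also watches CWD (XCWD is the older experimental form of that command), and flags anything of 256 bytes or more rather than only the 256 to 259 range the advisory names.

```python
import re

# Advisory range: directory names of 256-259 characters trigger the overrun.
# Flagging everything >= 256 bytes is an assumption made for this example so
# that longer arguments are surfaced too.
MIN_SUSPECT_LEN = 256
ADVISORY_RANGE = range(256, 260)

# FTP control command: verb, a single space, then the argument (RFC 959).
CMD_RE = re.compile(rb"^(?P<verb>[A-Za-z]{3,4})(?: (?P<arg>.*))?$")
# The advisory names XCWD; watching CWD as well is an assumption.
WATCHED = {b"CWD", b"XCWD"}


def scan_control_stream(data: bytes):
    """Return findings for CWD/XCWD commands with oversized arguments.

    Each finding is (line_number, verb, arg_length, in_advisory_range).
    """
    findings = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        m = CMD_RE.match(raw.rstrip(b"\r"))
        if not m:
            continue  # blank line or something that is not an FTP command
        verb = m.group("verb").upper()  # FTP verbs are case-insensitive
        arg = m.group("arg") or b""
        if verb in WATCHED and len(arg) >= MIN_SUSPECT_LEN:
            findings.append(
                (lineno, verb.decode(), len(arg), len(arg) in ADVISORY_RANGE)
            )
    return findings


# Constructed sample session (not captured traffic).
SAMPLE = b"\r\n".join([
    b"USER alice",
    b"PASS example",
    b"XCWD /pub/docs",
    b"xcwd " + b"A" * 257,   # inside the advisory's 256-259 range
    b"CWD " + b"B" * 255,    # just under the threshold, not flagged
    b"CWD " + b"C" * 300,    # oversized, outside the advisory's range
    b"QUIT",
]) + b"\r\n"

if __name__ == "__main__":
    for lineno, verb, length, in_range in scan_control_stream(SAMPLE):
        note = "within advisory range" if in_range else "oversized"
        print(f"line {lineno}: {verb} argument of {length} bytes ({note})")
```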
Or, customers who have a valid maintenance contract can register for web support and
download patches from there:
Hummingbird Ltd. was initially founded in 1984 as a consulting business. It is headquartered in Toronto, Canada, and operates from 40 offices in Canada, the United States, Australia, France, Germany, Italy, Japan, Korea, Netherlands, Singapore, Sweden, Switzerland, and the United Kingdom.
For more detail, please visit their website: http://www.hummingbird.com/index.html?cks=y.
Contact Information
The NISCC Vulnerability Management Team can be contacted as follows:
Email vulteam@niscc.gov.uk
Telephone +44 (0)870 487 0748 Extension 4511
Fax +44 (0)870 487 0749
Post Vulnerability Management Team
We encourage those who wish to communicate via email to make use of our PGP key.
This is available from http://www.uniras.gov.uk/UNIRAS.asc.
Please note that
If you wish to be added to our email distribution list, please email your
request to uniras@niscc.gov.uk.
What is NISCC?
For further information regarding the UK National Infrastructure Security
Co-Ordination Centre, please visit the NISCC web site at: http://www.niscc.gov.uk/aboutniscc/index.htm
Reference to any specific commercial product, process or service by trade name,
trademark, manufacturer or otherwise, does not constitute or imply its endorsement,
recommendation, or favouring by NISCC. The views and opinions of authors
expressed within this notice shall not be used for advertising or product
endorsement purposes.
Neither shall NISCC accept responsibility for any errors or omissions contained
within this advisory. In particular, they shall not be liable for any loss or
damage whatsoever, arising from or in connection with the usage of information
contained within this notice.
© 2004 Crown Copyright
Initial release (1.0)
Details
CVE number: No match
CVE number: No match
Mitigation
Hummingbird users are advised to apply the patches available from Hummingbird.
Solution
Hummingbird have produced patches to address the issues noted in this advisory.
Customers who require the patches should either contact their local Hummingbird
support centre, details available from
http://connectivity.hummingbird.com/support/nc/contact.html.
http://connectivity.hummingbird.com/support/nc/request.html.
Vendor Information
Acknowledgements
This issue was discovered by the CESG Network Defence Team, who reported the issue to NISCC. The NISCC vulnerability team would also like to thank Hummingbird for their
co-operation in handling this vulnerability.
(Please quote the advisory reference in the subject line.)
(Monday to Friday
NISCC
<End of NISCC Vulnerability Advisory>