lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <.169.254.120.4.1060461855.squirrel@lupetto.mine.nu>
From: daniele at muscetta.com (Daniele Muscetta)
Subject: MS03-029 / Q823803 and not-only-RRAS Problems

>> Microsoft is aware of a problem with the recently released
>> security patch MS03-029 [...]
>> Specifically there is a problem with the patch when installed
>> on systems that are also running RRAS (Routing and Remote
>> Access Service) that causes the RRAS Service to fail when the
>> system is rebooted after applying the patch.



I have actually reported to Microsoft a similar flaw with the same
patch. In my case, tough, the service that does not start is the "Web
Proxy" component of Microsoft Proxy Server 2.0, when running in IIS3 (it
actually looks like the problem is indeed IIS3, which is not supported
anymore, while it does not happen with IIS4).

Microsoft Support gave me the hotfix released for the RRAS problem, and
that fixed this issue too. Thanks!

I would not be surprised of seeing them releasing an updated bullettin
stating that RRAS is not anymore the only service affected, but Proxy is
affected too. I actually hope they would do that soon, since I notified
them that the hotfix works.

Here is a description of the problem that was happening - AGAIN, the
hotfix released for the RRAS problem has fixed this problem too!


On a machine with Microsoft Proxy Server 2.0 running into IIS3, the "Web
Proxy" service would not start.
I am talking of NT Server 4.0 SP6a with most security hotfixes, and
Microsoft Proxy Server 2.0 SP1.

The "World Wide Web Publishing Service" starts, but from Internet
service manager the "Web Proxy" module appears as Not Running, and the
EventLog reports an Event ID 100 stating that it cannot logon user
"". I looked at the property of the WWW Service in Internet Service
Manager, where the field "User" (for Anonymous Authentication) is indeed
EMPTY, instead of containing the usual IUSR_SERVERNAME (here is the ""
user!). But, funny enough, the value with the correct user name IS
written in the registry
(HKLM/System/CurrentControlSet/Services/W3SVC/Parameters ....). It's
still IIS3, then it is in the registry, it does not have a
metabase. But this value DOES not get read !!
Uninstalling the original patch (as for the RRAS issue - btw there is no
need to manually replace the file, since there is an UNINSTALL
feature...), the service works again, and the user is correctly
displayed.

I KNOW that the vulnerability is considered "Moderate" since no native
service can expose it remotely.
On the other hand, on the very same machine a third-party SMTP
Virus-Scanning product is also installed, which MIGHT make use of the
"dangerous" API, and expose the flaw remotely.... very remote
possibility, but still I like to have my systems patched.... maybe a
maliciously crafted mail could trigger the vulnerability (?worst case
scenario?), like in a bug of sendmail of some time ago.....


Hope this might be interesting for you to know. Anyway, in my case the
hotfix from PSS solved the problem, and it looks stable, thus I am
expecting to see soon the "final" patch being released.

With Best Regards,

Daniele Muscetta




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ