Security Incidents mailing list archives
RE: WINS CLient Service
From: "Gilmore, Corey (DPC)" <Corey_Gilmore () dpc senate gov>
Date: Mon, 8 Dec 2003 14:41:39 -0500
If you're asking about the files in %system%\wins, they're installed by Welchia/Nachia. You'll find them on any infected PC, workstation or server.

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html#technicaldetails

You can remove them with the removal tool, http://www.symantec.com/avcenter/FixWelch.exe
-----Original Message-----
From: Ziots, Edward [mailto:EZiots () Lifespan org]
Sent: Monday, December 08, 2003 9:17 AM
To: 'incidents () securityfocus com'
Subject: RE: WINS CLient Service

Has anyone seen a virus/worm or misconfiguration load the WINS Client Service on a Win2k Server? In all the servers I have built I have never seen this service. It basically had a dllhost.exe and svchost.exe copy in the c:\winnt\system32\wins directory, and svchost.exe was a renamed copy of tftp.exe, and dllhost.exe had an alternative stream of nc.exe in it. If anyone has run into this before, let me know what solutions you might have found.

Edward Ziots
Windows NT/Citrix Administrator
Lifespan Network Services
MCSE, MCSA, MCP+I, M.E, CCA, Security+, Network+
eziots () lifespan org
Cell: 401-639-3505
Pager: 401-350-5284

********************** Confidentiality Notice **********************
The information transmitted in this e-mail is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged information. Any review, retransmission, dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this e-mail in error, please contact the sender and delete the e-mail and any attached material immediately. Thank you.

-----Original Message-----
From: David Ahmad [mailto:da () securityfocus com]
Sent: Friday, December 05, 2003 5:05 PM
To: Ziots, Edward
Subject: Re: WINS CLient Service

Please post this to the INCIDENTS mailing list <incidents () securityfocus com>.

On Fri, Dec 05, 2003 at 05:19:59PM -0500, Ziots, Edward wrote:

Has anyone seen a virus/worm or misconfiguration load the WINS Client Service on a Win2k Server? In all the servers I have built I have never seen this service. It basically had a dllhost.exe and svchost.exe copy in the c:\winnt\system32\wins directory, and svchost.exe was a renamed copy of tftp.exe, and dllhost.exe had an alternative stream of nc.exe in it. If anyone has run into this before, let me know what solutions you might have found.

Edward Ziots
Windows NT/Citrix Administrator
Lifespan Network Services

-----Original Message-----
From: Greg Meehan [mailto:GMeehan () LifeTimeFitness com]
Sent: Friday, December 05, 2003 3:05 PM
To: 3APA3A; Mr. P.Taylor
Cc: aleph1 () securityfocus com; bugtraq () securityfocus com
Subject: RE: Websense Blocked Sites XSS

FYI: You can use a customized block page in /custom that does not display the URL, such as creating a "Sorry, This URL is Blocked" page with your company's logo. Heck, you can also just edit the "master.html" block page in the /default dir to remove the URL displayed field.

-Greg

-----Original Message-----
From: 3APA3A [mailto:3APA3A () SECURITY NNOV RU]
Sent: Friday, December 05, 2003 7:09 AM
To: Mr. P.Taylor
Cc: aleph1 () securityfocus com; bugtraq () securityfocus com
Subject: Re: Websense Blocked Sites XSS

Dear Mr. P.Taylor,

It runs the error message in the context of the blocked site. Now let's try to find out the possible impacts:

1. It's possible to run javascript on the user's host in the context of the blocked site. But most likely the blocked site is not in the list of trusted web sites on the user's host, so it's impossible to get something different from running the same script on another webpage.

2. It's possible to steal a cookie, submit some forms, etc, on the blocked site. But the site is blocked. So, it's impossible to steal something or submit something to this site.

Conclusion: there is no security impact.

Post Conclusion: Guys, it's perfect you can find all these XSS/CSS bugs in John Doe's guest books, Read-Doc-from-CDRom servers, etc. But please think about _security_ impact before submitting this to _security_ related lists.

--Wednesday, December 3, 2003, 7:35:39 PM, you wrote to dhubbard () websense com:

MPT> Websense Blocked Sites XSS
MPT> Risk: High
MPT> Product: Websense Enterprise v4.3.0 - v5.1 (Maybe others, we only tested this version)
MPT> Product URL: http://www.websense.com
MPT> Found By: PeterT - petert () imagine-sw com
MPT>
MPT> Problem:
MPT> When Websense blocks a web site, it returns a web page to the browser stating that the site has been blocked. This error message contains the URL which was requested. Websense does not do any validation or encoding of the URL before returning it in the error message. This allows an attacker to supply a URL that contains script (JavaScript, ActiveX, VB). This script will run in the context of a server in the trusted domain and combined with other IE flaws can have serious consequences.
MPT> We have marked this as a High risk because we believe that allowing attackers to run arbitrary programs on your desktop at will, is a serious problem.
MPT>
MPT> Proof of Concept:
MPT> A URL like http://BlockedSite?<SCRIPT>alert('hello')</SCRIPT> will run script.
MPT>
MPT> Resolution:
MPT> The vendor has come out with a patch. Notified on Nov 29, 2003. Thanks to Websense for fixing this issue.
MPT>
MPT> Disclaimer:
MPT> Standard disclaimer applies. The opinions expressed in this advisory are our own and not of any company. The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

--
~/ZARAZA

--
David Mirza Ahmad
Symantec
PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12

--
The battle for the past is for the future. We must be the winners of the memory war.
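A defender-side triage script for the artifacts Edward describes (files dropped in system32\wins, an svchost.exe that is really tftp.exe, an alternate data stream on dllhost.exe, and a service pointing into that directory), added here as an example and not part of the original thread or of any Symantec tool. It assumes Windows PowerShell 4 or later (for Get-FileHash and the -Stream parameter) and that the host's legitimate tftp.exe sits at %SystemRoot%\system32\tftp.exe.

```powershell
# Added triage check, not from the original thread. Assumes PowerShell 4+ and that the
# legitimate tftp.exe lives in %SystemRoot%\system32 (both are assumptions, not page facts).
$winsDir  = Join-Path $env:SystemRoot 'system32\wins'
$realTftp = Join-Path $env:SystemRoot 'system32\tftp.exe'

if (-not (Test-Path $winsDir)) {
    Write-Output "No $winsDir directory present; nothing to check."
    return
}

# 1. On a host that is not a WINS server, any file in this directory deserves a look.
Get-ChildItem -Path $winsDir -File -Force | ForEach-Object {
    $f    = $_
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    Write-Output ("{0}  {1,10} bytes  SHA256={2}" -f $f.Name, $f.Length, $hash)

    # 2. The dropped svchost.exe was a renamed tftp.exe: a matching hash confirms it
    #    without trusting the file name.
    if ($f.Name -ieq 'svchost.exe' -and (Test-Path $realTftp)) {
        $tftpHash = (Get-FileHash -Path $realTftp -Algorithm SHA256).Hash
        if ($hash -eq $tftpHash) {
            Write-Output "  -> $($f.Name) is byte-identical to $realTftp (renamed tftp.exe)"
        }
    }

    # 3. Alternate data streams other than the default :$DATA stream, where nc.exe was
    #    hidden inside dllhost.exe. Explorer and plain dir do not show these.
    Get-Item -Path $f.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            Write-Output ("  -> alternate data stream {0} ({1} bytes)" -f $_.Stream, $_.Length)
        }
}

# 4. The "WINS Client" service Edward saw is the persistence: list any service whose
#    binary path points into the wins directory, with its start mode.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*\wins\*' } |
    Select-Object Name, DisplayName, State, StartMode, PathName
```

Run it from an elevated prompt on the suspect host; a clean workstation prints only the "nothing to check" line, since the wins directory normally exists only on WINS servers.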
Current thread:
- RE: WINS CLient Service Ziots, Edward (Dec 08)
- <Possible follow-ups>
- RE: WINS CLient Service Gilmore, Corey (DPC) (Dec 08)
- RE: WINS CLient Service Ziots, Edward (Dec 08)
- RE: WINS CLient Service wyldchilde (Dec 12)