RE: WINS CLient Service

["Ziots, Edward" <EZiots () Lifespan org>]

Has anyone seen a virus/worm or misconfiguration load the WINS Client
> Service on a Win2k Server? In all the servers I have built I have never
seen
> this service, it basically had a dllhost.exe and svchost.exe copy in the
> c:\winnt\system32\wins directory, and svchost.exe was a renamed copy of
> tftp.exe, and dllhost.exe had a alternative stream of nc.exe in it. 
>
> If anyone has run into this before let me know what solutions you might
have
> found, 
>
>
> Edward Ziots
> Windows NT/Citrix Administrator
> Lifespan Network Services
> MCSE,MCSA,MCP+I,M.E,CCA,Security +, Network +
> eziots () lifespan org
> Cell:401-639-3505
> Pager:401-350-5284

Edward Ziots
Windows NT/Citrix Administrator
Lifespan Network Services
MCSE,MCSA,MCP+I,M.E,CCA,Security +, Network +
eziots () lifespan org
Cell:401-639-3505
Pager:401-350-5284

********************** 
Confidentiality Notice 
**********************
The information transmitted in this e-mail is intended only for the person
or entity to which it is addressed and may contain confidential and/or
privileged information. Any review, retransmission, dissemination or other
use of or taking of any action in reliance upon this information by persons
or entities other than the intended recipient is prohibited. 
If you received this e-mail in error, please contact the sender and delete
the e-mail and any attached material immediately. Thank you.





-----Original Message-----
From: David Ahmad [mailto:da () securityfocus com]
Sent: Friday, December 05, 2003 5:05 PM
To: Ziots, Edward
Subject: Re: WINS CLient Service



Please post this to the INCIDENTS mailing list
<incidents () securityfocus com>.

On Fri, Dec 05, 2003 at 05:19:59PM -0500, Ziots, Edward wrote:
> Has anyone seen a virus/worm or misconfiguration load the WINS Client
> Service on a Win2k Server? In all the servers I have built I have never
seen
> this service, it basically had a dllhost.exe and svchost.exe copy in the
> c:\winnt\system32\wins directory, and svchost.exe was a renamed copy of
> tftp.exe, and dllhost.exe had a alternative stream of nc.exe in it. 
>
> If anyone has run into this before let me know what solutions you might
have
> found, 
>
>
> Edward Ziots
> Windows NT/Citrix Administrator
> Lifespan Network Services
> MCSE,MCSA,MCP+I,M.E,CCA,Security +, Network +
> eziots () lifespan org
> Cell:401-639-3505
> Pager:401-350-5284
>
> ********************** 
> Confidentiality Notice 
> **********************
> The information transmitted in this e-mail is intended only for the person
> or entity to which it is addressed and may contain confidential and/or
> privileged information. Any review, retransmission, dissemination or other
> use of or taking of any action in reliance upon this information by
persons
> or entities other than the intended recipient is prohibited. 
> If you received this e-mail in error, please contact the sender and delete
> the e-mail and any attached material immediately. Thank you.
>
>
>
>
>
> -----Original Message-----
> From: Greg Meehan [mailto:GMeehan () LifeTimeFitness com]
> Sent: Friday, December 05, 2003 3:05 PM
> To: 3APA3A; Mr. P.Taylor
> Cc: aleph1 () securityfocus com; bugtraq () securityfocus com
> Subject: RE: Websense Blocked Sites XSS
>
>
>
> FYI: You can use a customized block page in /custom that does not display
> the URL, such as creating a "Sorry, This URL is Blocked" page with your
> company's logo. Heck, you can also just edit the "master.html" block page
in
> the /default dir to remove the URL displayed field.
>
> -Greg
>
> -----Original Message-----
> From: 3APA3A [mailto:3APA3A () SECURITY NNOV RU]
> Sent: Friday, December 05, 2003 7:09 AM
> To: Mr. P.Taylor
> Cc: aleph1 () securityfocus com; bugtraq () securityfocus com
> Subject: Re: Websense Blocked Sites XSS
>
>
> Dear Mr. P.Taylor,
>
> It  runs  error message in context of blocked site. Now lets try to find
> out possible impacts:
>
> 1.  It's  possible  to  run  javascript  on  the user host in context of
> blocked  site.  But  it's  most  likely  blocked  site is not in list of
> trusted  web  sites  on user's host, so it's impossible to get something
> different from running same script on another webpage.
>
> 2. It possible to steal cookie, submit some forms, etc, on blocked site.
> But  site  is  blocked. So, it's impossible to steal something or submit
> something to this site.
>
> Conclusion: there is no security impact
>
> Post  Conclusion: Guys, it's perfect you can find all these XSS/CSS bugs
> in  John Doe's guest books, Read-Doc-from-CDRom servers, etc. But please
> think  about  _security_  impact  before  submitting  this to _security_
> related lists.
>
> --Wednesday, December 3, 2003, 7:35:39 PM, you wrote to
> dhubbard () websense com:
>
>
> MPT> Websense Blocked Sites XSS
>
> MPT> Risk: High
>
> MPT> Product: Websense Enterprise v4.3.0 - v5.1 (Maybe others we only
> MPT> tested this version)
>
> MPT> Product URL: http://www.websense.com
>
> MPT> Found By: PeterT - petert () imagine-sw com
>
> MPT> Problem:
> MPT> When Websense blocks a web site, it returns a web page to the browser
> MPT> stating
> MPT> that the site has been blocked. This error message contains the URL
> which
> MPT> was
> MPT> requested. Websense does not do any validation or encoding of the URL
> before
> MPT> returning it in the error message. This allows an attacker to supply
a
> URL
> MPT> that
> MPT> contains script <JavaScript, ActiveX, VB). This script will run in
the
> MPT> context
> MPT> of a server in the trusted domain and combined with other IE flaws
can
> have
> MPT> serious consequences.
>
> MPT> We have marked this as a High risk because we believe that allowing
> MPT> attackers
> MPT> to run arbitrary programs on your desktop at will, is a serious
> problem.
>
>
> MPT> Proof of Concept:
> MPT> A URL like
> MPT> http://BlockedSite?<SCRIPT>alert('hello')</SCRIPT> will run script.
>
> MPT> Resolution:
> MPT> The vendor has come out with a patch. Notified on Nov 29, 2003.
>
> MPT> Thanks to Websense for fixing this issue.
>
> MPT> Disclaimer:
> MPT> Standard disclaimer applies. The opinions expressed in this advisory
> are
> MPT> our own and not of any company. The information within this advisory
> may
> MPT> change without notice. Use of this information constitutes acceptance
> for
> MPT> use in an AS IS condition. There are no warranties with regard to
this
> MPT> information. In no event shall the author be liable for any damages
> MPT> whatsoever arising out of or in connection with the use or spread of
> this
> MPT> information. Any use of this information is at the user's own risk.
>
>
>
> -- 
> ~/ZARAZA
> ??? ????? ???? ?????, ? ???????? ??? ???? ??? ????, ????? ?? ?????? ? ?
???
> ????????. (????)

-- 
David Mirza Ahmad
Symantec 

PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
--
The battle for the past is for the future.
We must be the winners of the memory war.

---------------------------------------------------------------------------
----------------------------------------------------------------------------