mirror of
https://github.com/opsxcq/mirror-textfiles.com.git
synced 2025-08-24 18:32:49 +02:00
286 lines
13 KiB
Plaintext
286 lines
13 KiB
Plaintext
Date: Thu, 18 Feb 1999 14:44:48 -0800 (PST)
|
|
From: CIAC Mail User <ciac@rumpole.llnl.gov>
|
|
To: ciac-bulletin@rumpole.llnl.gov
|
|
Subject: CIAC Bulletin J-030: Microsoft BackOffice Vulnerability
|
|
|
|
[ For Public Release ]
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
__________________________________________________________
|
|
|
|
The U.S. Department of Energy
|
|
Computer Incident Advisory Capability
|
|
___ __ __ _ ___
|
|
/ | /_\ /
|
|
\___ __|__ / \ \___
|
|
__________________________________________________________
|
|
|
|
INFORMATION BULLETIN
|
|
|
|
Microsoft BackOffice Vulnerability
|
|
|
|
February 16, 1999 19:00 GMT Number J-030
|
|
______________________________________________________________________________
|
|
PROBLEM: Microsoft has identified a vulnerability in the installer for
|
|
BackOffice Server (R) 4.0.
|
|
PLATFORM: Microsoft BackOffice Server 4.0
|
|
DAMAGE: Users who can log into the server locally would be able to
|
|
access name and password for the accounts associated with the
|
|
services which are part of a BackOffice 4.0 installation.
|
|
SOLUTION: The fix for this problem is to delete the file \Program
|
|
Files\Microsoft Backoffice\Reboot.ini after each BackOffice 4.0
|
|
installation, whether successful or not.
|
|
______________________________________________________________________________
|
|
VULNERABILITY Risk is low. In most cases, the ability to access this file
|
|
ASSESSMENT: would be granted to selected users such as administrators.
|
|
______________________________________________________________________________
|
|
|
|
[ Start Microsoft Advisory ]
|
|
|
|
|
|
Microsoft Security Bulletin (MS99-005)
|
|
- --------------------------------------
|
|
|
|
BackOffice Server 4.0 Does Not Delete Installation Setup File
|
|
|
|
Originally Posted: February 12, 1999
|
|
|
|
Summary
|
|
=======
|
|
Microsoft (R) has learned of a potential vulnerability in the installer for
|
|
BackOffice Server (R) 4.0. The installer asks the user to provide the
|
|
account userid and password for selected services and writes these to a file
|
|
in order to automate the installation process. However, the file is not
|
|
deleted when the installation process completes. As detailed below,
|
|
Microsoft recommends that BackOffice 4.0 customers delete this file.
|
|
|
|
Microsoft has received no reports of customers being adversely affected by
|
|
this problem. However, it is releasing this security bulletin in order to
|
|
proactively provide customers with information about the problem in order to
|
|
allow them to take steps to ensure their safe computing.
|
|
|
|
Issue
|
|
=====
|
|
When a user chooses to install SQL Server (R), Exchange Server (R) or
|
|
Microsoft Transaction Server (R) as part of a BackOffice 4.0 installation,
|
|
the BackOffice installer program requests the name and password for the
|
|
accounts associated with these services. Specifically, it asks for the
|
|
account name and password for the SQL Executive Logon account, the Exchange
|
|
Services Account, and the MTS Remote Administration Account. These values
|
|
are stored in <systemdrive>\Program Files\Microsoft Backoffice\Reboot.ini,
|
|
and used to install the associated services.
|
|
|
|
BackOffice Server does not erase this file when the installation process is
|
|
completed. This is true regardless of whether the installation process
|
|
completes successfully or unsuccessfully. By default, the Microsoft
|
|
BackOffice folder is not shared, so network access to reboot.ini generally
|
|
does not pose a risk. Users who can log onto the server locally would be
|
|
able to access the file, but in most cases this ability is granted only to
|
|
selected users such as administrators.
|
|
|
|
The fix for this problem is to delete the file <systemdrive>\Program
|
|
Files\Microsoft Backoffice\Reboot.ini after each BackOffice 4.0
|
|
installation, whether successful or not. The file is created only by the
|
|
installer, and, once deleted, will not be re-created unless BackOffice 4.0
|
|
is re-installed.
|
|
|
|
Affected Software Versions
|
|
==========================
|
|
The following software versions are affected:
|
|
- Microsoft BackOffice Server 4.0
|
|
|
|
What Microsoft is Doing
|
|
=======================
|
|
On February 12th, Microsoft sent this security
|
|
bulletin to customers subscribing to the Microsoft
|
|
Product Security Notification Service
|
|
(see http://www.microsoft.com/security/services/bulletin.asp
|
|
for more information about this free customer service).
|
|
|
|
Microsoft has published the following Knowledge Base (KB) article on this
|
|
issue:
|
|
- Microsoft Knowledge Base (KB) article Q217004,
|
|
BackOffice Installer Tool Does Not Delete Password Cache File.
|
|
http://support.microsoft.com/support/kb/articles/q217/0/04.asp
|
|
(Note: It might take 24 hours from the original posting of this
|
|
bulletin for the KB article to be visible in the Web-based
|
|
Knowledge Base.)
|
|
|
|
What customers Should Do
|
|
========================
|
|
Microsoft recommends that customers ensure that they delete the file
|
|
<systemdrive>\Program Files\Microsoft Backoffice\Reboot.ini after the
|
|
installation program for BackOffice 4.0 completes
|
|
|
|
More Information
|
|
================
|
|
Please see the following references for more information related to this
|
|
issue.
|
|
- Microsoft Security Bulletin MS99-005,
|
|
BackOffice 4.0 Does Not Delete Installation Setup File
|
|
(the Web-posted version of this bulletin),
|
|
http://www.microsoft.com/security/bulletins/ms99-005.asp.
|
|
- Microsoft Knowledge Base (KB) article Q217004,
|
|
BackOffice Installer Tool Does Not Delete Password Cache File.
|
|
http://support.microsoft.com/support/kb/articles/q217/0/04.asp
|
|
(Note: It might take 24 hours from the original posting of this
|
|
bulletin for the KB article to be visible in the Web-based
|
|
Knowledge Base.)
|
|
|
|
Obtaining Support on this Issue
|
|
===============================
|
|
If you require technical assistance with this issue, please contact
|
|
Microsoft Technical Support. For information on contacting Microsoft
|
|
Technical Support, please see
|
|
http://support.microsoft.com/support/contact/default.asp.
|
|
|
|
Revisions
|
|
=========
|
|
- February 12, 1999: Bulletin Created
|
|
|
|
|
|
For additional security-related information about Microsoft products, please
|
|
visit http://www.microsoft.com/security
|
|
|
|
|
|
- ----------------------------------------------------------------------------
|
|
- ----
|
|
|
|
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
|
|
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
|
|
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
|
|
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
|
|
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
|
|
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
|
|
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
|
|
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
|
|
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
|
|
FOREGOING LIMITATION MAY NOT APPLY.
|
|
|
|
(C) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
|
|
|
|
|
|
[ End Microsoft Advisory ]
|
|
______________________________________________________________________________
|
|
|
|
CIAC wishes to acknowledge the contributions of Microsoft for the
|
|
information contained in this bulletin.
|
|
______________________________________________________________________________
|
|
|
|
|
|
CIAC, the Computer Incident Advisory Capability, is the computer
|
|
security incident response team for the U.S. Department of Energy
|
|
(DOE) and the emergency backup response team for the National
|
|
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
|
|
National Laboratory in Livermore, California. CIAC is also a founding
|
|
member of FIRST, the Forum of Incident Response and Security Teams, a
|
|
global organization established to foster cooperation and coordination
|
|
among computer security teams worldwide.
|
|
|
|
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
|
|
can be contacted at:
|
|
Voice: +1 925-422-8193
|
|
FAX: +1 925-423-8002
|
|
STU-III: +1 925-423-2604
|
|
E-mail: ciac@llnl.gov
|
|
|
|
For emergencies and off-hour assistance, DOE, DOE contractor sites,
|
|
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
|
|
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
|
|
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
|
|
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
|
|
duty person, and the secondary PIN number, 8550074 is for the CIAC
|
|
Project Leader.
|
|
|
|
Previous CIAC notices, anti-virus software, and other information are
|
|
available from the CIAC Computer Security Archive.
|
|
|
|
World Wide Web: http://www.ciac.org/
|
|
(or http://ciac.llnl.gov -- they're the same machine)
|
|
Anonymous FTP: ftp.ciac.org
|
|
(or ciac.llnl.gov -- they're the same machine)
|
|
Modem access: +1 (925) 423-4753 (28.8K baud)
|
|
+1 (925) 423-3331 (28.8K baud)
|
|
|
|
CIAC has several self-subscribing mailing lists for electronic
|
|
publications:
|
|
1. CIAC-BULLETIN for Advisories, highest priority - time critical
|
|
information and Bulletins, important computer security information;
|
|
2. SPI-ANNOUNCE for official news about Security Profile Inspector
|
|
(SPI) software updates, new features, distribution and
|
|
availability;
|
|
3. SPI-NOTES, for discussion of problems and solutions regarding the
|
|
use of SPI products.
|
|
|
|
Our mailing lists are managed by a public domain software package
|
|
called Majordomo, which ignores E-mail header subject lines. To
|
|
subscribe (add yourself) to one of our mailing lists, send the
|
|
following request as the E-mail message body, substituting
|
|
ciac-bulletin, spi-announce OR spi-notes for list-name:
|
|
|
|
E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
|
|
subscribe list-name
|
|
e.g., subscribe ciac-bulletin
|
|
|
|
You will receive an acknowledgment email immediately with a confirmation
|
|
that you will need to mail back to the addresses above, as per the
|
|
instructions in the email. This is a partial protection to make sure
|
|
you are really the one who asked to be signed up for the list in question.
|
|
|
|
If you include the word 'help' in the body of an email to the above address,
|
|
it will also send back an information file on how to subscribe/unsubscribe,
|
|
get past issues of CIAC bulletins via email, etc.
|
|
|
|
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
|
|
communities receive CIAC bulletins. If you are not part of these
|
|
communities, please contact your agency's response team to report
|
|
incidents. Your agency's team will coordinate with CIAC. The Forum of
|
|
Incident Response and Security Teams (FIRST) is a world-wide
|
|
organization. A list of FIRST member organizations and their
|
|
constituencies can be obtained via WWW at http://www.first.org/.
|
|
|
|
This document was prepared as an account of work sponsored by an
|
|
agency of the United States Government. Neither the United States
|
|
Government nor the University of California nor any of their
|
|
employees, makes any warranty, express or implied, or assumes any
|
|
legal liability or responsibility for the accuracy, completeness, or
|
|
usefulness of any information, apparatus, product, or process
|
|
disclosed, or represents that its use would not infringe privately
|
|
owned rights. Reference herein to any specific commercial products,
|
|
process, or service by trade name, trademark, manufacturer, or
|
|
otherwise, does not necessarily constitute or imply its endorsement,
|
|
recommendation or favoring by the United States Government or the
|
|
University of California. The views and opinions of authors expressed
|
|
herein do not necessarily state or reflect those of the United States
|
|
Government or the University of California, and shall not be used for
|
|
advertising or product endorsement purposes.
|
|
|
|
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
|
|
|
|
J-020: SGI IRIX fcagent daemon Vulnerability
|
|
J-021: Sun Solaris Vulnerabilities ( dtmail, passwd )
|
|
J-022: HP-UX Vulnerabilities ( snmp, sendmail, remote network command )
|
|
J-023: Cisco IOS Syslog Denial-of-Service Vulnerability
|
|
J-024: Windows NT Remote Explorer
|
|
J-025: W97M.Footprint Macro Virus Detected
|
|
J-026: HP-UX rpc.pcnfsd Vulnerability
|
|
J-027: Digital Unix Vulnerabilities ( at , inc )
|
|
J-028: Sun Solaris Vulnerabilities (sdtcm_convert, man/catman, CDE)
|
|
J-029: Buffer Overflows in Various FTP Servers
|
|
|
|
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 4.0 Business Edition
|
|
|
|
iQCVAwUBNsntTbnzJzdsy3QZAQFF4QQAlcsUV0UfKVWCUu2mMgw099LyDg6hM28D
|
|
NeME8HPjwTzSxOuIyLBt2ipLZwEAN/m7CskA8L+XY1FlNK+745Y8qK+++XdDPH80
|
|
V8GPduOpaDP6lLFE1z6jjbl4CVzx7Nu+hKIjwgG61rtsMWa3MwFG9FuVPSReSkfM
|
|
YLUSBofBqOQ=
|
|
=yXG3
|
|
-----END PGP SIGNATURE-----
|
|
|
|
|
|
|