Application Security Inc. - Database Security, Monitoring, Assessment, Auditing, Encryption, and Regulatory Compliance.
 
 
 
home client login partner login purchasing info contact us
search:
Solutions Products Partners Support News & Events About Us
add this
AppSec Inc Support

Security Updates - ASAP™ Updates
(Application Security Automatic Protection)

AppDetective™ Update 2.5.59 - 29 July 2002

NEW CHECKS

Lotus Domino Groupware Server

Title: Easily-guessable Internet password
Description: Attempt to guess the password used to authenticate to the web server by comparing the hash against the hashes of words in a dictionary.

Summary: Providing credentials to a Lotus Domino web server is accomplished using single sign-on or basic HTTP authentication. When access to a secured page is attempted, the web server requests a username and password from the client. If a weak password is being used, an attacker could guess the credentials of the user and connect to the server. Passwords found in a dictionary are considered weak and are susceptible to being cracked.

Microsoft SQL Server

Title: Default password for well-known login
Description: Determines if any well-known logins has a default password.

Summary: A default password for a well-known login creates a security hole in SQL Server. If a default password is left, an attacker can gain access to the database as the login with the default password.

Title: DBCC INDEXDEFRAG buffer overflow
Description: Determines if the server contains a buffer overflow in the DBCC INDEXDEFRAG function.

Summary: The built-in function DBCC INDEXDEFRAG contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the function does not properly handle a long string. NOTE: Team HATTER Security Alert

Tile: DBCC SHOWCONTIG buffer overflow
Description: Determines if the server contains a buffer overflow in the DBCC SHOWCONTIG function.

Summary: The built-in function DBCC SHOWCONTIG contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the function does not properly handle a long string. NOTE: Team HATTER Security Alert

Title: DBCC addextendedproc buffer overflow
Description: Determines if the server contains a buffer overflow in the DBCC addextendedproc function.

Summary: The built-in function DBCC addextendedproc contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the function does not properly handle a long string. NOTE: Team SHATTER Security Alert

Title: DBCC CHECKCONSTRAINTS buffer overflow
Description: Determines if the server contains a buffer overflow in the DBCC CHECKCONSTRAINTS function.

Summary: The built-in function DBCC CHECKCONSTRAINTS contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the function does not properly handle a long string. NOTE: Team SHATTER Security Alert

Title: DBCC CLEANTABLE buffer overflow
Description: Determines if the server contains a buffer overflow in the DBCC CLEANTABLE function.

Summary: The built-in function DBCC CLEANTABLE contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The second parameter of the function does not properly handle a long string. NOTE: Team SHATTER Security Alert

Title: DBCC UPDATEUSAGE buffer overflow
Description: Determines if the server contains a buffer overflow in the DBCC UPDATEUSAGE function.

Summary: The built-in function DBCC UPDATEUSAGE contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The second parameter of the function does not properly handle a long string. NOTE: Team SHATTER Security Alert

Title: Resolution service DoS
Description: Checks if the server is vulnerable to a network denial of service by spoofing a SQL Server UDP packet.

Summary: The SQL Server resolution service accepts packets on UDP port 1434. This service supports an echo capability that can be used to flood an network with traffic. If an attacker is able to send a UDP packet to a SQL Server spoofed from another SQL Server, the two SQL Servers will be placed in an endless loop of echo the packet back and forth.

Title: Resolution service heap overflow
Description: Checks if the server is vulnerable to a heap-based buffer overflow in the resolution service.

Summary: The SQL Server resolution service accepts packets on UDP port 1434. A buffer overflow occurs on the heap area of memory when a maliciously-crafted packet is sent to the port. This allows an attacker to inject arbitrary code onto the heap. The malicious code would then be executed under the security context of the SQL Server service.

Title: Resolution service stack overflow
Description: Checks if the server is vulnerable to a stack-based buffer overflow in the resolution service.

Summary: The SQL Server resolution service accepts packets on UDP port 1434. A buffer overflow occurs on the stack area of memory when a maliciously-crafted packet is sent to the port. This allows an attacker to inject arbitrary code onto the heap. The malicious code would then be executed under the security context of the SQL Server service.

NEW FEATURE

Task Scheduler
Description: Functionality added to schedule tasks using Microsoft Windows Scheduler Service "at"

Return to ASAP™ Updates Listing
 
Contact Us | Privacy | Sitemap | Legal
sales@appsecinc.com | support@appsecinc.com 		Call us toll free at: 1-866-927-7732 | FAX: 1-212-947-8788
. Application Security, Inc. All Rights Reserved