Categories
Lotus Domino

Disable Lotus Domino/Notes HTTP TRACE / TRACK Methods

Disable Lotus Domino/Notes HTTP TRACE / TRACK Methods

HTTP TRACE / TRACK Methods
Synopsis : Debugging functions are enabled on the remote web server.

Description :

The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.

In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
“Cross-Site Tracing”, when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users to give him their credentials.

 

See also :

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593

Solution : Disable these methods.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin output : Nessus sent the following TRACE request :

—————————— snip ——————————
TRACE /Nessus2072953470.html HTTP/1.1
Connection: Close
Host: 192.168.1.61
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

—————————— snip ——————————

and received the following response from the remote server :

—————————— snip ——————————
HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Fri, 11 Sep 2009 17:13:13 GMT
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Expires: Fri, 11 Sep 2009 17:13:13 GMT
Content-Type: message/http
Content-Length: 294

TRACE /Nessus2072953470.html HTTP/1.1
Connection: Close
Host: 192.168.1.61
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
—————————— snip ——————————

CVE : CVE-2003-1567, CVE-2004-2320
BID : 9506, 9561, 11604, 33374
Other references : OSVDB:877, OSVDB:3726, OSVDB:5648, OSVDB:50485

Nessus ID : 11213

How to Disable HTTP TRACE/TRACK for IBM Lotus Domino Server

Option 1:

If you are using Internet Sites, you have to edit Web Site document.

1. Go to Web Site document – Configuration tab

2. Un-check TRACE and OPTIONS

Option 2:

If you are using the Web Configuration view instead of Internet Site, you can disable HTTP methods by using the notes.ini variable HTTPDisableMethods with a value of the method name. 

Append the command below in to Notes.ini for LotusDomino Server

HTTPDisableMethods=TRACE

Restart HTTP Service:

Restart your HTTP service for the setting to take effect by the running the command below in Domino console:

Tell http restart

Option 3:

Run the following command from the Domino Console:

set configuration HTTPDisableMethods=TRACE

tell http restart

Remark: Do not disable CONNECT and OPTIONS method because it will be used by Lotus Traveler

Resouce and Reference: 

http://www-01.ibm.com/support/docview.wss?uid=swg21201202

Categories
Windows

AutoEnrollment Problem

AutoEnrollment Problem

Event Viewer show error below after activated/installed Ceritifcate Authority service:

Event ID: 13
Source: AutoEnrollment
Type: Error
Description: Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

EventID 13

Solution:

1
Run the below command from command prompt:
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc
2 Add “Domain Controllers” as the member for CERTSVC_DCOM_ACCESS under the Users OU in your Active Directory

Reference and Resouce:

http://support.microsoft.com/kb/903220

http://technet.microsoft.com/en-us/library/cc700804.aspx

Categories
Apache

Disable HTTP TRACE / TRACK Methods for Oracle-HTTP-Server (Apache)

Disable HTTP TRACE / TRACK Methods for Oracle-HTTP-Server (Apache)

HTTP TRACE / TRACK Methods
Synopsis :

Debugging functions are enabled on the remote web server.

Description :

The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.

In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
“Cross-Site Tracing”, when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users to give him their credentials.

See also :

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593

Solution :

Disable these methods.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Nessus sent the following TRACE request :

—————————— snip ——————————
TRACE /Nessus1594872495.html HTTP/1.1
Connection: Close
Host: 192.168.1.1
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

—————————— snip ——————————

and received the following response from the remote server :

—————————— snip ——————————
HTTP/1.1 200 OK
Date: Fri, 04 Sep 2009 06:27:29 GMT
Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus1594872495.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Charset: iso-8859-1,*,utf-8
Accept-Language: en
Connection: Close
Host: 10.118.1.39
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

—————————— snip ——————————

CVE : CVE-2003-1567, CVE-2004-2320
BID : 9506, 9561, 11604, 33374
Other references : OSVDB:877, OSVDB:3726, OSVDB:5648, OSVDB:50485

How to disable HTTP TRACE / TRACK Methods

1. Modify C:\oracle\10gappr2\Apache\Apache\conf\httpd.conf (your installation location might be different) with the follow configuration.

### Add to under “Dynamic Shared Object (DSO) Support” ###

LoadModule rewrite_module modules/ApacheModuleRewrite.dll
AddModule mod_rewrite.c

### Append to end of the file ###

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* – [F]

2. Restart the Oracle10GAPPR2ProcessManager service or server

 

Categories
Windows

Windows Server 2008 Foundation Edition

Windows Server 2008 Foundation Edition

Microsoft Windows Server 2008 Foundation is a new operating system edition to be released by Microsoft that is targeted at SOHO,Micro Businesses and Small Businesses. It’s a Linux-Replacement that fit to small business IT budget . Below are the features and limitation you might need to consider before purchase this edition:

  • Cheap (You don’t need CALs to connect to Foundation except for Terminal Service and Windows Right Management)
  • Subset of the Windows Server 2008 roles and features
  • OEM license (pre-installed on new server)
  • 15 User Limit
  • 50 TS Connections
  • 50 RRAS Connections
  • 10 TAS Connections
  • 30 SMB Connections
  • 1 socket systems only
  • 8GB maximum memory support
  • No virtualization use rights

For more detail:

http://www.microsoft.com/windowsserver2008/en/us/foundation.aspx
http://windowsitpro.com/mobile/pda/Article.cfm?ArticleID=101841&FAQ=1

Categories
Antivirus

Trojan: winntR1.exe, winntR2.exe, winnt2.exe, winnt3.exe, winnt4.exe, winnt5.exe, winnt.6.exe

 

Virus/Trojan Summary

Name: Generic.dx!zi!1958aa4e01e3 (McAfee), Trojan-Downloader.Win32.Banload [Ikarus]

Type: Trojan virus

 

Infection Method: Email

User received email from his friend or colleague with various subject (e.g. Fotos Data: 17/06) with then content similar to below:

Imagens anexadas: DSC_252.jpg DSC_326.jpg DSC_417.jpg

User clicked and open the Hyperlink because they thought it just a photo from his/her friend.

Note: Please do not click on the jpg link above because it lead you to the actual trojan location

User just ignore the warning prompt:

2009-07-17_150349.jpg

User clicked on “Run”

Windows shown below with “Arquivo Corrompido!” mean you are infected by trojan.

Background Process after Infection:

You would notice the processes below in task manager:

  • winntR1.exe
  • winntR2.exe
  • winnt2.exe
  • winnt3.exe
  • winnt4.exe
  • winnt5.exe
  • winnt.6.exe

Network Activity after Infection:

The infected system will try spread out by sending smtp and http mail as shown below:

200.226.249.3:80

201.76.62.3:25

According to the user experience, the Trojan/Virus will try to spead out by sending email using user’s hotmail account with the contact list in user’s hotmail.

Registry Modification

The following Registry Key was created:

    • HKEY_CURRENT_USER\dark
  • The newly created Registry Value in either location below is:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      • winntR1 = “C:\winnt_\winntR1.exe”
      • winntR2 = “C:\winnt_\winntR2.exe”
      • winnt2 = “C:\winnt_\winnt2.exe”
      • winnt3 = “C:\winnt_\winnt3.exe”
      • winnt4 = “C:\winnt_\winnt4.exe”
      • winnt5 = “C:\winnt_\winnt5.exe”
      • winnt6 = “C:\winnt_\winnt6.exe”

File System Modifications:

The following directory was created:

c:\winnt_

Removal Method:

Note: The trojan might affected to the particular user only

  1. Login as the user name that infected by the Trojan
  2. Kill (End Task) all the process start with winnt*.exe in task manager
  3. Empty Internet Temporary files.
  4. Delete all the winnt* entries in the registry key below: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  5. Delete HKEY_CURRENT_USER\dark in the registry
  6. Restart the computer
  7. Login in as administrator
  8. Delete “c:\winnt_” folder
  9. Download and run the removal tool from http://normanasa.vo.llnwd.net/o29/public/Norman_Malware_Cleaner.exe (This tools only able to remove certain infected files only. That’s the reason we have to do some manual clean up before running this tool.)

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by Brain-Cluster.com.
Please contact us should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.