From: The SANS Institute (CriticalVulnerabilityAnalysis_at_sans.org)
Date: Mon Nov 25 2002 - 08:01:34 CST


    ***********************************************************************
                       SANS Critical Vulnerability Analysis
    November 25, 2002 Vol. 1. No. 18
    ***********************************************************************

    Summary: Every week, the CVA prioritizes and summarizes the most
    important vulnerabilities identified during the past week and provides
    data on actions taken by security and systems managers at fifteen
    very large organizations (the Council) to protect their computers
    and networks from exploits of the reported vulnerabilities.

    See "About the CVA Process and Council" at the end of this note for
    more data on how the report is compiled.
    ***********************************************************************

    ***NOTE*** The ranking scale has been updated to provide
    additional information and a proposed timetable for addressing the
    vulnerabilities.

    Table of Contents:
    ------------------
    Widely Deployed Software
    (1) CRITICAL: IE/IIS Microsoft Data Access Components (MDAC) Buffer
        Overflow
    (2) HIGH: iPlanet Compromise via Cross-Site Scripting in Admin
        Log Files
    (3) HIGH: IE "Shortcut" ActiveX Control Restriction Bypass
    (4) MODERATE: Cisco PIX HTTP Authentication Buffer Overflow

    Other Software
    (5) HIGH: LibHTTPD Malformed POST Buffer Overflow
    (6) HIGH: Light HTTPd Malformed URI Buffer Overflow
    (7) HIGH: Zeroo HTTP Server Malformed URI Buffer Overflow
    (8) HIGH: TFTPD32 TFTP Server for Windows Multiple Vulnerabilities

    Exploit Code Releases
    (9) Linux Rsync Signed Array Index Vulnerability


    *******************************
       Widely Deployed Software
    *******************************

    (1) CRITICAL: IE/IIS Microsoft Data Access Components (MDAC) Buffer
        Overflow

    Affected Products:
    MDAC 2.1, 2.5, 2.6 (virtually all versions of Windows except XP)
    IIS servers allowing remote access to vulnerable MDAC services
    Internet Explorer 5.01, 5.5, 6.0 (except for Windows XP)

    Description:
    MDAC is a technology present in nearly all Windows installations.
    Vulnerable versions contain a buffer overflow that can be remotely
    exploited to execute arbitrary code in two different ways. First,
    an attacker can compromise an IIS server by sending a malicious HTTP
    request. Second, a hostile web server can compromise a web client
    running Internet Explorer by sending a malicious HTTP response.
    Successful exploitation of IIS provides attackers with SYSTEM
    privileges by default. Web clients are compromised at the privilege
    level of the user running Internet Explorer.

    Risk: Remote Compromise.
    Remote SYSTEM-level compromise of IIS servers, or remote compromise
    of web client machines running Internet Explorer.

    Deployment: Huge.
    The vulnerable software is present in nearly all versions of Windows.

    Ease of Exploitation: Unknown.
    Foundstone's advisory provides some technical detail about how to
    trigger the heap overflow on IIS servers. Fewer details are available
    concerning how to exploit an IE client. Note that an attacker must
    entice an IE victim to visit a hostile webserver.

    Status: Vendor confirmed, patches available.

    References:
    Foundstone Advisory:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html

    Microsoft Advisory and KnowledgeBase Article:
    http://www.microsoft.com/technet/security/bulletin/ms02-065.asp
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329414

    Council Site Actions:
    All council sites reported action taken. They identified vulnerable
    Internet-facing servers and have either already patched them or
    have scheduled the patch to take place as soon as possible. One site
    reported a large number of vulnerable Internet-facing systems to which
    they have no access. They are prepared to take these systems
    offline if patches are not available and/or the appropriate support
    groups cannot be identified.

    All council sites plan to patch internally facing machines during
    the next regular patch cycle.

    **************************************************************

    (2) HIGH: iPlanet Compromise via Cross-Site Scripting in Admin
        Log Files

    Affected Products:
    Sun Microsystems' iPlanet Webserver version 4.x SP11 and prior

    Description:
    iPlanet WebServer version 4.x SP11 and prior contain two
    vulnerabilities which could be used together to cause an unsuspecting
    admin to execute attacker-supplied commands. The two vulnerabilities
    are a logfile cross-site scripting bug, and insecure use of Perl open()
    calls in the Administrative Server CGIs.

    Risk: Remote Compromise.
    Remote root compromise of systems running the iPlanet web server.

    Deployment: Significant.
    Netcraft lists iPlanet as one of the four most widely deployed web
    servers, with over 200,000 installations worldwide.

    Ease of Exploitation: Straightforward.
    An example exploit was distributed with the advisory. An attacker
    must send a malicious HTTP request to the webserver that causes active
    web content (script) to be written to the server log. Later, when an
    administrator uses iPlanet's Admin Server tool (a web-based interface)
    to view the log file, the script content is executed. If the script is
    crafted to take advantage of the additional perl open() vulnerability,
    arbitrary shell commands can be executed with the privileges of the
    Admin Server, typically root.

    Status: No patch is currently available. Upgrade to iPlanet version
    6.x, or do not use the Admin Server web-based interface to view
    log files.

    References:
    --------------
    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0078.html

    Exploit Code:
    http://www.ngsec.com/ngresearch/ngadvisories/
    http://www.packetstormsecurity.nl/filedesc/iplanet-ngxss.sh.html

    Council Site Actions:
    Only a few council sites reported iPlanet installations. These sites
    plan to roll out the patches (along with other iPlanet patches)
    as soon as they are available.

    The other council sites report the affected software is not in
    production or widespread use.

    ****************************************************************

    (3) HIGH: IE "Shortcut" ActiveX Control Restriction Bypass

    Affected Products:
    Microsoft Internet Explorer 5.5 and 6.0 (fully patched)

    Description:
    -------------
    Andreas Sandblad has published an advisory showing how a new
    technique may be combined with an exploit for any of the unpatched
    Internet Explorer "Cross-Zone Scripting" vulnerabilities to allow a
    hostile website to execute arbitrary commands, including arguments,
    on a victim web client machine. "Cross-Zone Scripting" refers to any
    technique that allows active web content (script) supplied by a website
    to break out of IE's restrictive "Internet Zone" and execute in the
    much more permissive "Local Computer Zone" context. Over the past
    year, many Cross-Zone Scripting vulnerabilities have been disclosed,
    and several remain unpatched.

    Mr. Sandblad's advisory addresses the case where an attacking website
    has already gained access to the "Local Computer Zone", and shows how
    the webserver may leverage this position to take complete, unrestricted
    control over the victim client. The advisory provides sample code
    showing how malicious script can invoke the "Shortcut" ActiveX control,
    which is only supposed to be available to compiled help (.chm) files.
    "Shortcut" allows the caller to invoke any program on the client system
    with arguments. For example, code has been posted that demonstrates
    how a web server can use the technique to issue the command "format
    a:", which formats any media residing on the client's local a: drive.
    Similarly, a website can execute any arbitrary command on the victim
    machine.

    Risk: Web client compromise.
    Compromise of a web client running Internet Explorer when visiting
    a hostile web site.

    Deployment: Huge.
    The vulnerabilities affect all current versions of Internet Explorer.

    Ease of Exploitation: Trivial.
    Example exploits have been posted. The attacker must lure the victim
    to visit the malicious site. The attack could be executed as soon as
    the victim clicks on a hyperlink, for example.

    Status: Vendor contacted but no patches available. Users must disable
    active scripting in Internet Explorer to be protected.

    References:
    Andreas Sandblad Bugtraq Postings:
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0041.html
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0114.html

    Additional Demonstration Exploit (format a:):
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0209.html
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0219.html

    Liu Die Yu Cross-Zone Scripting Vulnerabilities:
    http://online.securityfocus.com/bid/5841 (method used by Sandblad)
    http://online.securityfocus.com/bid/6205

    Grey Magic Cross-Zone Scripting Vulnerabilities:
    http://sec.greymagic.com/adv/gm012-ie/

    SecurityFocus Commentary:
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0254.html

    Shortcut ActiveX Control Reference:
    http://msdn.microsoft.com/library/en-us/htmlhelp/html/vsconocxshortcut.asp

    Related Yahoo News Article:
    http://story.news.yahoo.com/news?tmpl=story&u=/nf/20021120/bs_nf/20035

    Council Site Actions:
    This item was a late addition. Only a few council sites have reported
    their actions. One site does not plan to take any action. They rely
    on their defense-in-depth strategy to mitigate this vulnerability.
    The second site will roll out patches as soon as they are available.
    They also rely on their defense-in-depth strategy to mitigate this
    vulnerability.

    ******************************************************************

    (4) MODERATE: Cisco PIX HTTP Authentication Buffer Overflow and
        Man-In-The-Middle attack for VPN sessions.

    Affected Products:
    Cisco PIX 5.2.8, 6.0.3, 6.1.3, 6.2.1

    Description:
    Two vulnerabilities have been discovered and fixed in the PIX firewall.
    For the first vulnerability, RADIUS and TACACS+ authentication
    may be performed for FTP, Telnet, and HTTP connections through the
    PIX firewall. Due to a buffer overflow vulnerability in the PIX,
    malicious HTTP requests for TACACS+ or RADIUS authentication can
    cause the firewall to crash and reload.

    The second vulnerability involves the ISAKMP negotiation for a
    VPN connection. If an attacker is able to block the logged-in
    user's connection and establish a connection to the PIX using the
    same IP address as that of the user, he will be able to establish a
    VPN session with the PIX using only peer authentication, provided
    he already has access to the peer authentication key, also known as
    the group pre-shared key (PSK) or group password key.

    Risk: Remote Compromise.
    Remotely reboot the PIX (denial of service).
    Man-In-The-Middle attack to gain access to the PIX via a VPN session.

    Deployment: Significant.
    Cisco's PIX firewall is one of the leaders in the firewall industry.

    Ease of Exploitation: Unknown.
    Few technical details were provided. The overflow is evidently
    triggered in processing an authentication request containing a username
    and password provided by an attacker.

    Status: Vendor confirmed, patch available.

    References:
    -------------
    Cisco Security Advisory:
    http://www.cisco.com/warp/public/707/pix-multiple-vuln-pub.shtml

    Cisco background information on the authentication process:
    http://www.cisco.com/warp/public/110/atp52.html

    Council Site Actions:
    Only two of the reporting council sites were affected by this
    vulnerability. Both plan to roll out patches at the next scheduled
    network outage or patch cycle. One of the sites said that due to the
    large number of PIX devices at their site, they plan to monitor for
    potential denial of service attacks and will move the patch cycle
    date sooner if necessary.

    ***************************
         Other Software
    ***************************

    (5) HIGH: LibHTTPD Malformed POST Buffer Overflow

    Affected Products:
    LibHTTPD 1.2

    Description: LibHTTPD is a library used to add HTTP server
    functionality to embedded devices and standalone applications. The
    library has been reported to contain a buffer overflow vulnerability
    in processing malicious POST requests. Successful exploitation allows
    a remote attacker to execute arbitrary code with the privileges of
    the server process.

    Risk: Remote Compromise.
    Remote compromise of systems running LibHTTPD-based web servers.

    Deployment: Small.
    LibHTTPD is a relatively new offering, first released in March 2002.
    Source code is available for download.

    Ease of Exploitation: Trivial.
    An example exploit was distributed with the advisory. The exploit
    binds a shell to an externally accessible TCP port.

    Status: Vendor has not confirmed. The advisory contains a source
    code patch.

    References:
    Advisory and Exploit code:
    http://www.securiteam.com/unixfocus/6H00I2060I.html

    SecurityFocus Vulnerability Information:
    http://online.securityfocus.com/bid/6172

    LibHTTPD Home Page:
    http://www.hughes.com.au/products/libhttpd/

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites. They reported that no action was necessary.

    ***************************************************************

    (6) HIGH: Light HTTPd Malformed URI Buffer Overflow

    Affected Products:
    Light HTTPd (lhttpd) 0.1

    Description:
    Light HTTPd has been reported to contain a buffer overflow in handling
    malformed HTTP requests, allowing remote attacker-supplied code
    execution with the privileges of the web server process, typically
    "nobody".

    Risk: Remote Compromise.
    Remote compromise of systems running the Light HTTPD web server.

    Deployment: Small.
    Light HTTPd is a free open source web server and content management
    system.

    Ease of Exploitation: Trivial.
    An example exploit for lhttpd running on Red Hat Linux was posted with
    the advisory. The exploit binds a shell to an externally accessible
    TCP port.

    Status: Vendor has not confirmed; the advisory contains a source
    code patch.

    References:
    Advisory and Exploit Code:
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0138.html

    SecurityFocus Vulnerability Information:
    http://online.securityfocus.com/bid/6162

    Light HTTPD Home Page:
    http://lhttpd.sourceforge.net/

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites.

    **************************************************************

    (7) HIGH: Zeroo HTTP Server Malformed URI Buffer Overflow

    Affected Products:
    Zeroo HTTP server version 1.5

    Description:
    The Zeroo HTTP server has been reported to contain a buffer overflow
    in handling malformed HTTP requests, allowing remote attacker-supplied
    code execution with the privileges of the web server process, typically
    "nobody".

    Risk: Remote Compromise.
    Remote compromise of systems running the Zeroo web server.

    Deployment: Small.
    Zeroo is a small, fast open source webserver that runs on Windows
    and Linux.

    Ease of Exploitation: Trivial.
    An example exploit for Zeroo running on Linux was distributed with
    the advisory. The exploit binds a shell to an externally accessible
    TCP port.

    Status: Vendor has not confirmed; the advisory contains a source
    code patch.

    References:
    Advisory and Exploit Code:
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0226.html
    http://www.packetstormsecurity.nl/filedesc/zeroobug.txt.html

    Vendor Home Page:
    http://lonerunner.cfxweb.net/

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites.

    **************************************************************

    (8) HIGH: TFTPD32 TFTP Server for Windows Multiple Vulnerabilities

    Affected Products:
    TFTPD32 versions 2.21 and prior (buffer overflow)
    TFTPD32 versions 2.50.2 and prior (file read/write)

    Description:
    The TFTPD32 TFTP server contains a buffer overflow in the handling of
    large filenames, allowing remote execution of attacker-supplied code.
    Further, the server contains another vulnerability that allows remote
    attackers to read or write any file on the system. TFTPD32 runs with
    the privileges of the user that launches the server executable.

    Risk: Remote system compromise.

    Deployment: Small.
    TFTPD32 is a freeware TFTP server for Windows 9x/ME/NT/2000/XP
    (executable only).

    Ease of Exploitation: Straightforward.
    The advisory contains example exploit code that causes the server to
    launch "notepad.exe" if successful.

    Status: Vendor confirmed, updated software available.

    References:
    Buffer Overflow Vulnerability:
    http://www.securiteam.com/windowsntfocus/6C00C2061A.html
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0077.html

    Arbitrary File Read/Write Vulnerability:
    http://www.securiteam.com/windowsntfocus/6D00D2061G.html
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0076.html

    Vendor Home Page:
    http://tftpd32.jounin.net/

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites. They reported that no action was necessary.

    ***************************
       Exploit Code Release
    ***************************

    (9) Linux Rsync Signed Array Index Vulnerability

    "Sorbo" has publicly released exploit code for a vulnerability in Linux
    rsync discovered by SuSE's security audit team around January 2002.
    Rsync is typically used to synchronize files and directory structures
    on different machines, and listens on port 873/tcp by default. The
    published exploit binds a shell to port 30464/tcp, potentially
    providing a remote attacker with root privileges depending on how
    the server is configured (rsync runs as root to bind port 873, but
    may drop privileges later). Patches have been available for months
    from many Linux vendors. This is believed to be the first published
    exploit for the vulnerability.

    SecurityFocus Vulnerability Information:
    http://online.securityfocus.com/bid/3958/info/

    Exploit Code:
    http://www.securiteam.com/exploits/6A00A2061O.html
    http://www.packetstormsecurity.nl/filedesc/sorsync.c.html
    http://www.securitybugware.org/mUNIXes/5034.html

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites. They reported that no action was necessary.
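    As an added illustration of the bug class item (9) names (this is not code from the bulletin or from rsync), a simplified C model of a signed index read from the wire: the flawed check tests only the upper bound, so a 32-bit field of 0xFFFFFFFF, which decodes to -1, is accepted, while the fixed check rejects negatives first. The table size, field layout and function names are assumptions, not rsync's.

```c
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 16   /* hypothetical fixed-size table */

/* Decode a 4-byte little-endian wire field into a signed 32-bit value.
 * The cast relies on two's complement, so 0xFFFFFFFF comes back as -1. */
int32_t read_int32_le(const uint8_t *p)
{
    uint32_t u = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)u;
}

/* Flawed validation: only the upper bound is checked. A negative index
 * satisfies idx < TABLE_LEN and would reach memory before the table.
 * Returns 1 if the index would be accepted; it dereferences nothing. */
int index_accepted_flawed(int32_t idx)
{
    return idx < TABLE_LEN;
}

/* Correct validation: reject negatives explicitly before the upper
 * bound check (comparing as uint32_t against TABLE_LEN is equivalent). */
int index_accepted_fixed(int32_t idx)
{
    return idx >= 0 && idx < TABLE_LEN;
}

/* Safe lookup: validate the wire-supplied index before touching the
 * table. Returns the element, or -1 when the index is out of range. */
int table_lookup(const int *table, const uint8_t *wire)
{
    int32_t idx = read_int32_le(wire);
    if (!index_accepted_fixed(idx))
        return -1;
    return table[idx];
}

/* Runs table_lookup against a constructed table where entry i holds
 * i * 10, so valid results are never negative and -1 means "rejected". */
int demo_lookup(const uint8_t *wire)
{
    int table[TABLE_LEN];
    for (int i = 0; i < TABLE_LEN; i++)
        table[i] = i * 10;
    return table_lookup(table, wire);
}

int main(void)
{
    /* Constructed sample fields: index 3, index 16 (one past the end),
     * and 0xFFFFFFFF, which decodes to -1. */
    const uint8_t ok[4]   = {0x03, 0x00, 0x00, 0x00};
    const uint8_t high[4] = {0x10, 0x00, 0x00, 0x00};
    const uint8_t neg[4]  = {0xFF, 0xFF, 0xFF, 0xFF};

    printf("index -1: flawed check accepts=%d, fixed check accepts=%d\n",
           index_accepted_flawed(read_int32_le(neg)),
           index_accepted_fixed(read_int32_le(neg)));
    printf("lookup 3 -> %d, lookup 16 -> %d, lookup -1 -> %d\n",
           demo_lookup(ok), demo_lookup(high), demo_lookup(neg));
    return 0;
}
```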

    *******************************************************************

    About the CVA Process and Council
    =================================
    The CVA is produced in four phases:

    Phase 1: Neohapsis (www.neohapsis.com) director of research Jeff
    Forristal and the Neohapsis team scour all of the major vendor web
    sites as well as bugtraq and other sources of new vulnerability
    information and compile what they believe to be a complete list of
    all new vulnerabilities and major vulnerability announcements made
    during the week. The SANS Institute and Network Computing Magazine vet
    the list through the major system manufacturers and jointly publish
    it every week as the Security Alert Consensus (SAC). Anyone may
    subscribe to the SAC at http://www.sans.org/newlook/digests/SAC.htm

    Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
    vulnerabilities and announcements that demand immediate action. This
    reduces the list from 30-50 each week down to under 10. Vicki has been
    on the front lines of intrusion detection and vulnerability testing
    for nearly five years and her work in the field is legendary.

    Phase 3: Very technical security managers at fifteen of the largest
    user organizations in the United States each review the "immediate
    action" vulnerabilities and describe what they did or did not do
    to protect their organizations. Council members include banks and
    other financial organizations, government agencies, universities,
    major research laboratories, ISPs, health care, manufacturers,
    insurance companies and a couple more. The individual members have
    direct responsibility for security for their systems and networks. All
    were concerned that information about their security configuration
    would leak out, and agreed to serve only if their identities were
    not revealed.

    Phase 4: SANS compiles the responses and identifies the items on which
    the Council members took or are taking action, produces the weekly CVA,
    and distributes it via email to all eligible persons.

    **********************************************************************
    Critical Vulnerability Analysis Scale Ratings

    In ranking vulnerabilities several factors are taken into account,
    such as:

    - Is this a server or client compromise? At what privilege level?
    - Is the affected product widely deployed?
    - Is the problem found in default configurations/installations?
    - Are the affected assets high value (e.g. databases, e-commerce
      servers)?
    - Is the network infrastructure affected (DNS, routers, firewalls)?
    - Is exploit code publicly available?
    - Are technical vulnerability details available?
    - How difficult is it to exploit the vulnerability?
    - Does the attacker need to lure victims to a hostile server?

    Based on the answers to these questions, vulnerabilities are ranked
    as Critical, High, Moderate, or Low.

    CRITICAL vulnerabilities are those where essentially all planets
    align in favor of the attacker. These vulnerabilities typically
    affect default installations of very widely deployed software, result
    in root compromise of servers or infrastructure devices, and the
    information required for exploitation (such as example exploit code)
    is widely available to attackers. Further, exploitation is usually
    straightforward, in the sense that the attacker does not need any
    special knowledge about individual victims, and does not need to lure
    a target user into performing any special functions.

    HIGH vulnerabilities are usually issues that have the potential to
    become CRITICAL, but have one or a few mitigating factors that make
    exploitation less attractive to attackers. For example, vulnerabilities
    that have many CRITICAL characteristics but are difficult to exploit,
    do not result in elevated privileges, or have a minimally sized victim
    pool are usually rated HIGH. Note that HIGH vulnerabilities where the
    mitigating factor arises from a lack of technical exploit details will
    become CRITICAL if these details are later made available. Thus, the
    paranoid administrator will want to treat such HIGH vulnerabilities as
    CRITICAL, if it is assumed that attackers always possess the necessary
    exploit information.

    MODERATE vulnerabilities are those where the scales are slightly tipped
    in favor of the potential victim. Denial of service vulnerabilities
    are typically rated MODERATE, since they do not result in compromise
    of a target. Exploits that require an attacker to reside on the same
    local network as a victim, only affect nonstandard configurations
    or obscure applications, require the attacker to social engineer
    individual victims, or where exploitation only provides very limited
    access are likely to be rated MODERATE.

    LOW vulnerabilities usually do not affect most administrators, and
    exploitation is largely unattractive to attackers. Often these issues
    require the attacker to already have some level of access to a target
    (e.g. be able to execute arbitrary SQL queries, or be able to pop mail
    from a mail server), require elaborate specialized attack scenarios,
    and only result in limited damage to a target. Alternatively, a LOW
    ranking may be applied when there is not enough information to fully
    assess the implications of a vulnerability. For example, vendors often
    imply that exploitation of a buffer overflow will only result in a
    denial of service. However, many times such flaws are later shown
    to allow for execution of attacker-supplied code. In these cases,
    the issues are reported in order to alert security professionals to
    the potential for deeper problems, but are ranked as LOW due to the
    element of speculation.

    Remediation Timescale
    =====================
    A vulnerability rating corresponds to the "threat level" of a
    particular issue. Critical threats must be responded to most quickly,
    as the potential for exploitation is high. Recommended response times
    corresponding to each of the ratings are listed below. These recommendations
    should be tailored according to the level of deployment of the affected
    product at your organization.

    CRITICAL: 48 hours
    HIGH: 5 business days
    MODERATE: 15 business days
    LOW: At the administrator's discretion

    ******************************************************************
    Subscriptions: The CVA is distributed free of charge to chief
    information security officers and technical security managers, to
    GIAC certified security professionals, and to recent alumni of SANS
    courses. Eligible recipients may register all other technical and
    managerial security staff in their organizations, or may forward it
    to any such persons in their organizations, but not to people outside
    their organizations.

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the
    headers). You will receive your personal URL via email.

    Copyright 2002. No copying or forwarding allowed except by registered
    subscribers.
                             ==end==
