From: The SANS Institute (CriticalVulnerabilityAnalysis@sans.org)
Date: Mon Jan 13 2003 - 09:36:11 CST
***********************************************************************
SANS Critical Vulnerability Analysis
January 12, 2003 Vol. 2. No. 1
***********************************************************************
Summary: Every week, the CVA prioritizes and summarizes the most
important vulnerabilities identified during the past week and provides
data on actions taken by security and systems managers at fifteen
very large organizations (the Council) to protect their computers
and networks from exploits of the reported vulnerabilities.
See "About the CVA Process and Council" at the end of this note for
information on how the report is compiled.
***********************************************************************
Table of Contents
-------------------
Widely Deployed Software
(1) HIGH: CUPS (Common Unix Printing System) Multiple Vulnerabilities
(2) HIGH: Cisco IOS SSH Denial of Service Vulnerability
(3) MODERATE: Windows XP Shell Audio File Buffer Overflow
Other Software
(4) HIGH: TANne HTTP Session Management Package Format String
Vulnerability
Exploit Code Releases
(5) zkfingerd Format String Exploit
(6) Kerberos kadmind Buffer Overflow Exploit
*********************** SPONSORED LINKS *******************************
Privacy notice: These links redirect to non-SANS web pages.
1. Can your network pass the SANS/FBI security test? Find out in
minutes at http://www.sans.org/cgi-bin/sanspromo/CVA09
2. Citadel's Hercules automatically remediates vulnerabilities
identified by leading scanners. Download a FREE Hercules Evaluation:
http://www.sans.org/cgi-bin/sanspromo/CVA07
3. Anti-Vulnerability technology offers next generation
security tools intelligence, accuracy, patching functions.
Paper. http://www.sans.org/cgi-bin/sanspromo/CVA05
4. ALERT! Outsmart Web Application Attackers - FREE 15 Day
Product Trial, which delivers Comprehensive Vulnerability Report.
http://www.sans.org/cgi-bin/sanspromo/CVA06
5. ALERT: How a hacker launches a Web application attack step-by-step
FREE white paper! http://www.sans.org/cgi-bin/sanspromo/CVA08
***********************************************************************
*******************************************************
Widely Deployed Software
*******************************************************
(1) HIGH: CUPS (Common Unix Printing System) Multiple Vulnerabilities
Affected Products:
CUPS prior to version 1.1.18
Description:
The CUPS (Common Unix Printing System) contains multiple
vulnerabilities, summarized below.
- An integer overflow exists in the CUPS HTTP interface that allows a
remote attacker to gain access as the 'lp' user.
- A negative-length memcpy() problem exists in the HTTP interface that
allows a remote attacker to crash the CUPS daemon and potentially
compromise the system.
- A remote attacker can add printers to the system by sending a
specially crafted UDP packet to CUPS. By then submitting a job to the
added printer, the attacker may be able to execute programs with root
privileges.
- Image and PDF file handling problems allow attackers to gain 'lp'
privileges by submitting maliciously crafted files to CUPS.
- Local users who can add printers and/or have 'lp' account privileges
can escalate their status to root.
Risk: Remote attack.
Remote attackers can crash CUPS, add printers, gain 'lp' account
privileges and, by exploiting multiple vulnerabilities, can execute
arbitrary code as root.
Deployment: Significant.
CUPS is a widely used printing system for Unix-like operating systems.
The software is included in several operating system distributions
including Apple, Debian, FreeBSD, Mandrake, NetBSD, RedHat, Slackware,
SuSE, SCO and Turbolinux.
Ease of Exploitation: Varies.
Exploit code has been posted for the integer overflow (said to provide
an 'lp' user shell) and for the trivial negative-length memcpy DoS.
Proof-of-concept exploits have been developed for several other issues
as well, but have not been released to the public.
Status: These vulnerabilities have been confirmed by the vendor,
and are fixed in version 1.1.18.
References:
iDefense Advisories:
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0117.html
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0122.html
SuSE Advisory:
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0001.html
SecurityFocus Vulnerability Information:
BIDs 6433-6438, 6440 and 6475 cover these vulnerabilities
Exploit Code (Negative Length HTTP Content-Type DoS):
http://www.packetstormsecurity.nl/0212-exploits/shutdown_Cups.c
Exploit Code (Integer Overflow):
http://www.packetstormsecurity.nl/filedesc/sigcups.c.html
CUPS Vendor Site:
http://www.cups.org/
Council Site Actions:
Most of the Council Sites reported either that CUPS is not in use at
their site or is used in a non-production manner. One of the sites
with a limited production implementation reported they had vulnerable
versions running on Mandrake Linux systems. They said there were no
updated Mandrake Linux RPM files available at this time. They plan
to delay notifying the owners of affected systems until Mandrake
has the update available. At that point, they will notify affected
parties that they must either complete the update, uninstall CUPS,
or be disconnected from the network. If they hear that exploitation
has started to occur, they will require that owners of the affected
systems uninstall CUPS or reinstall from the patched source code,
and if they do not, the systems will be disconnected from the network
within a few days.
Another Council Site has a small implementation of CUPS running on
Linux RedHat systems. Their systems will be patched soon via the RedHat
automated updates. Several other sites running the affected software
notified the appropriate system support groups. All sites running the
software stated the printer service ports (IPP on TCP and UDP port 631)
are blocked at the security perimeters, which greatly reduces the threat
of remote exploitation. Perimeter filtering does not address the local
'lp'-to-root escalation, which still requires the 1.1.18 update.
*********************************************************
(2) HIGH: Cisco IOS SSH Denial of Service Vulnerability
Affected Products:
Cisco IOS versions 12.0S, 12.0ST, 12.1T, 12.1E, 12.1EA, 12.2, 12.2T,
12.2S. All products running these versions of IOS are vulnerable if
the SSH server feature is enabled.
Description:
Cisco routers and Catalyst switches running affected versions of
IOS will reboot upon receiving malicious traffic sent by Rapid7's
SSHredder SSH test suite. Most Cisco devices will resume service
following the reboot, but can be rendered unavailable for several
minutes while the device reloads. The exception is the Cisco 3550,
which requires a manual reset following a successful attack.
Risk: Cisco routers and switches offering SSH services can be rebooted
(repeatedly) by a remote unauthenticated attacker. The malformed packets
are processed before any authentication takes place, so until fixed code
is installed the only defences are to disable the SSH server or to
restrict which source addresses can reach it (for example, with an
access-class on the vty lines).
Deployment: Significant.
The affected IOS versions are widely deployed throughout the Internet
infrastructure.
Ease of Exploitation: Trivial.
Exploit code exists and is publicly available.
Status: This vulnerability has been confirmed by Cisco. The Cisco
advisory provides a patch release schedule for the various IOS
versions.
References:
Cisco Advisory:
http://www.cisco.com/warp/public/707/ssh-packet-suite-vuln.shtml
Rapid7 SSHredder Test Suite:
http://www.rapid7.com/perl/DownloadRequest.pl?PackageChoice=666
Council Site Actions:
The majority of the council sites do not use the SSH feature of Cisco
IOS. Furthermore, many of these sites stated they block in-bound SSH
connections at their security perimeters. The few sites that run SSH
on affected devices plan to deploy the fixed version of the software
when it becomes available later this month.
One site has an extensive implementation of the SSH feature in IOS.
They block in-bound SSH at the perimeters but are concerned that
the vulnerability may be fodder for a new worm. Thus, they are
investigating the likelihood and difficulty factor of such a worm.
They do not have plans to turn off SSH or perform an immediate upgrade.
However, they are prepared with scripts that will turn off SSH,
if needed.
*********************************************************
(3) MODERATE: Windows XP Shell Audio File Buffer Overflow
Affected Products:
Windows XP
Description:
The Windows Shell framework included with Windows XP contains a buffer
overflow in the handling of large audio file attributes, allowing a
malicious MP3 or WMA file to execute arbitrary code. Because Windows
XP provides native support for parsing MP3 and WMA file attributes
via Explorer, a malicious file would not need to be opened/played in
order to exploit the vulnerability. If a user simply opens a folder
containing the file, Explorer will read the file attributes and the
buffer overflow will occur.
Similarly, a Windows XP user browsing a hostile website with Internet
Explorer could be compromised simply by hovering the mouse over the
icon of a malicious file. Further, under some circumstances, an HTML
email can launch the attack automatically when the XP recipient opens
or previews the message.
Risk: Compromise of Windows XP machines at the privilege level of
the XP user encountering the hostile audio file.
Deployment: Widely deployed.
Ease of Exploitation: Unknown.
An attacker must create an audio file that carries a large, corrupt
custom attribute. The attribute format offers only a limited number of
ways to vary the data, so an attacker can probably learn what is needed
to trigger and control the overflow through experimentation.
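Because Explorer parses the file's metadata without the user opening it,
the practical control point is wherever the file enters the network. The
following added example (illustrative code, not Microsoft's or
Foundstone's) is a bounds-checking walk over the ID3v2 tag at the front
of an MP3 file, the kind of check a proxy or mail gateway can apply
before a client parses the file. It assumes that the attributes
Explorer reads live in ID3v2 frames, and that a frame whose declared
size runs past the tag, or past a sane per-attribute limit, is the
"large, corrupt custom attribute" described above and should be dropped.

```c
/*
 * Added example (illustrative code, not Microsoft's or Foundstone's): a
 * bounds-checking walk over the ID3v2 tag at the front of an MP3 file.
 * Assumption: the attributes Explorer reads live in ID3v2 frames, and a
 * frame whose declared size runs past the tag or past a per-attribute
 * policy limit is the "large, corrupt attribute" to reject at the gateway.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
    ID3_OK = 0,
    ID3_NO_TAG,          /* not an ID3v2 file (nothing for the shell to parse) */
    ID3_UNSUPPORTED,     /* v2.2 uses 3-byte frame ids; not handled here */
    ID3_TRUNCATED,       /* header claims a tag longer than the data */
    ID3_FRAME_OVERRUN,   /* a frame size points past the end of the tag */
    ID3_FRAME_TOO_BIG    /* a frame exceeds the per-attribute policy limit */
};

/* ID3v2 tag sizes are "syncsafe": four bytes, seven bits each, MSB clear. */
static uint32_t syncsafe(const uint8_t *p)
{
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14)
         | ((uint32_t)(p[2] & 0x7f) << 7)  |  (uint32_t)(p[3] & 0x7f);
}

/* v2.3 frame sizes are plain big-endian; v2.4 made them syncsafe too. */
static uint32_t frame_size(const uint8_t *p, int ver)
{
    if (ver == 4)
        return syncsafe(p);
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk every frame; fail closed on anything a naive parser would read past.
 * max_frame is the per-attribute policy limit (a constructed value). */
int scan_id3v2(const uint8_t *buf, size_t len, uint32_t max_frame)
{
    if (len < 10 || memcmp(buf, "ID3", 3) != 0)
        return ID3_NO_TAG;
    int ver = buf[3];
    if (ver < 3 || ver > 4)
        return ID3_UNSUPPORTED;
    uint32_t tag_size = syncsafe(buf + 6);       /* excludes the 10-byte header */
    if (tag_size > len - 10)
        return ID3_TRUNCATED;

    size_t pos = 10, end = 10 + tag_size;
    while (pos + 10 <= end) {                    /* room for a frame header */
        if (buf[pos] == 0)                       /* padding: no more frames */
            break;
        uint32_t fsize = frame_size(buf + pos + 4, ver);
        if (fsize > end - (pos + 10))
            return ID3_FRAME_OVERRUN;            /* would read outside the tag */
        if (fsize > max_frame)
            return ID3_FRAME_TOO_BIG;            /* oversized attribute */
        pos += 10 + fsize;
    }
    return ID3_OK;
}

/* Constructed samples: a benign v2.3 tag with one 7-byte TIT2 (title) frame,
 * the same tag with its frame claiming ~2 GB, and a header with no body. */
static const uint8_t SAMPLE_BENIGN[] = {
    'I','D','3', 0x03,0x00, 0x00, 0x00,0x00,0x00,0x11,  /* v2.3, tag size 17 */
    'T','I','T','2', 0x00,0x00,0x00,0x07, 0x00,0x00,    /* frame size 7 */
    0x00, 'h','e','l','l','o','!'                       /* encoding byte + text */
};
static const uint8_t SAMPLE_HOSTILE[] = {
    'I','D','3', 0x03,0x00, 0x00, 0x00,0x00,0x00,0x11,
    'T','X','X','X', 0x7f,0xff,0xff,0xff, 0x00,0x00,    /* frame size 0x7fffffff */
    0x00, 'h','e','l','l','o','!'
};
static const uint8_t SAMPLE_TRUNCATED[] = {
    'I','D','3', 0x03,0x00, 0x00, 0x00,0x00,0x00,0x7f   /* claims 127 bytes, has 0 */
};

int main(void)
{
    printf("benign:    %d\n", scan_id3v2(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN, 4096));
    printf("hostile:   %d\n", scan_id3v2(SAMPLE_HOSTILE, sizeof SAMPLE_HOSTILE, 4096));
    printf("truncated: %d\n", scan_id3v2(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, 4096));
    printf("policy 4:  %d\n", scan_id3v2(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN, 4));
    return 0;
}
```

The walker never trusts a frame's own size field: it is checked against
the tag boundary first and against policy second, and the tag boundary
is itself checked against the bytes on hand. That is the discipline the
vulnerable shell code lacked, and it is what any file filter sitting in
front of Windows clients should enforce for every length field it reads.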
Status: Vendor confirmed, patches available.
References:
Microsoft Advisory:
http://www.microsoft.com/technet/security/bulletin/MS02-072.asp
Foundstone Advisory:
http://www.foundstone.com/knowledge/randd-advisories-display.html?id=339
Council Site Actions:
Only a few of the Council sites reported use of Windows XP within
their organizations, all of which are very limited deployments.
Several of the sites have notified their desktop support groups. One
site will be rolling out the patches (via SMS) during the next regular
patch update cycle.
Most of the council sites use automatic AV signature updating software
and actively block MP3s (and other file types) at the network
perimeters via web proxies. These actions greatly reduce the risk
created by this vulnerability, although proxy filtering does not cover
files arriving by other routes (such as the HTML email vector noted
above), so the patch remains the only complete fix.
*********************************************************
Other Software
*********************************************************
(4) HIGH: TANne HTTP Session Management Package Format String
Vulnerability
Affected Products:
TANne version 0.6.17 and possibly earlier versions
Description:
The TANne program, used for secure HTTP session management, contains two
format string vulnerabilities: user-supplied data reaches syslog() in
the format-string position. A remote attacker can exploit either of
them to execute arbitrary code as root.
Risk: Remote root compromise of web servers running TANne.
Deployment: Unknown.
TANne is a secure HTTP session management solution developed
specifically for high security web-based applications such as online
banking. The software is distributed by the German company FluxNetz.
Ease of Exploitation: Straightforward.
Exploit code said to provide a root shell has been posted for TANne
0.6.17 running on RedHat Linux 6.1, 7.0 and 8.0. The author of the
exploit, You Dong-hun, is credited with discovering the vulnerability
by the TANne developers.
Status: Vendor confirmed. The problem is fixed in versions 0.6.19
and greater.
References:
Advisory:
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0011.html
Exploit Code:
http://www.packetstormsecurity.nl/filedesc/0x82-Remote.tannehehe.xpl.c.html
TANne Project Pages:
http://tanne.fluxnetz.de/
http://freshmeat.net/projects/tanne/?topic_id=90
Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites.
*********************************************************
Exploit Code Releases
*********************************************************
(5) zkfingerd Format String Exploit
This vulnerability was discussed in the December 22, 2002 CVA.
The zkfingerd daemon contains multiple format string vulnerabilities
in the handling of user-supplied data. Successful exploitation allows
remote attackers to execute arbitrary code with the privileges of
the daemon (typically 'nobody').
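Items (4) and (5) are the same mistake in two daemons: client-supplied
text is handed to syslog() (or a printf-family wrapper around it) as the
format argument. The following added example (illustrative code, not
TANne or zkfingerd source) shows that mistake beside the one-token fix.
The two log helpers render through a vsnprintf() wrapper so the effect is
visible without a syslog daemon; syslog() consumes its format argument
the same way. The triage helpers and the sample inputs are constructed.

```c
/*
 * Added example (illustrative code, not TANne or zkfingerd source): the
 * format-string mistake both advisories describe, user-controlled text
 * reaching syslog() as the format argument, beside the one-token fix.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define LINE_LEN 256
static char g_line[LINE_LEN];

/* A logging wrapper of the kind both daemons have: it forwards whatever it
 * is given to the printf family, so a caller's bug becomes a format-string
 * bug here. */
static void render(char *dst, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(dst, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable: the remote user's string *is* the format. "%x" pulls stack
 * words into the log, "%s" dereferences them (crash), and "%n" writes the
 * count of bytes emitted so far to an address the attacker placed on the
 * stack; that write is what turns the bug into a root shell. */
const char *log_vulnerable(const char *user)
{
    render(g_line, sizeof g_line, user);         /* same bug as: syslog(LOG_INFO, user); */
    return g_line;
}

/* Fixed: a literal format string; user text is only ever a %s argument. */
const char *log_safe(const char *user)
{
    render(g_line, sizeof g_line, "%s", user);   /* fix: syslog(LOG_INFO, "%s", user); */
    return g_line;
}

/* Triage helpers (what did the wire input contain?). Not a substitute for
 * the fix: filtering "%n" still leaves "%s" crashes and "%x" leaks. */
static int scan_conversions(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {                       /* "%%" is a literal percent */
            p++;
            continue;
        }
        count++;
        const char *q = p + 1;                   /* skip flags, width, precision, length */
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q))
            q++;
        if (*q == 'n')
            *has_n = 1;
        if (*q)
            p = q;                               /* resume after the conversion char */
    }
    return count;
}

int count_conversions(const char *s) { int n; return scan_conversions(s, &n); }
int has_percent_n(const char *s)     { int n; scan_conversions(s, &n); return n; }

int main(void)
{
    const char *benign  = "user bob logged in from 10.0.0.5";   /* constructed */
    const char *hostile = "%08x.%08x.%08x.%n";                  /* constructed attacker input */

    printf("safe:   %s\n", log_safe(hostile));        /* logged verbatim, harmless */
    printf("vuln:   %s\n", log_vulnerable(benign));   /* only safe because input is benign */
    printf("hostile input: %d conversions, %%n present: %d\n",
           count_conversions(hostile), has_percent_n(hostile));

    /* The actual fix in a daemon that logs client-supplied strings: */
    openlog("fmtdemo", LOG_PID, LOG_DAEMON);
    syslog(LOG_INFO, "%s", hostile);
    closelog();
    return 0;
}
```

When auditing a code base for this class, build with gcc's
-Wformat=2 (which turns on -Wformat-nonliteral and -Wformat-security)
and treat every non-literal format reaching syslog(), printf() or a
vsnprintf() wrapper like render() above as a finding; the wrapper hides
the call from the compiler's own check, which is exactly why such bugs
survive in daemons that otherwise compile cleanly.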
Exploit:
http://www.securiteam.com/exploits/6A00P1F6AI.html
Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites. They reported that no action was necessary.
*********************************************************
(6) Kerberos kadmind Buffer Overflow Exploit
This vulnerability was discussed in the November 4, 2002 CVA.
The kadmind daemon shipped with multiple versions of KTH and MIT
Kerberos contains a buffer overflow that can allow remote attackers
to gain root access. kadmind provides remote administrative access to
the Kerberos authentication database, and runs on the Key Distribution
Center (KDC) server of a Kerberos realm. The problem lies in the code
that provides legacy version 4 compatibility.
Exploit:
http://www.packetstormsecurity.nl/filedesc/kadmin.html
The usage information given at the command line provides a list of
potential targets:
--------------
[root@test exploits]# ./kadmin
usage: ./kadmin <target#[-]> <host> [port]
available targets:
  #0 default [heimdal 0.3a] & krb-4.1.2 kadmind
     OpenBSD 3.0
  #1 default kadmind
     OpenBSD 2.9
  #2 krb 4-1.2 kadmind
     Slackware Linux 8.0 & OpenWall 0.10
  #3 heimdal 0.4e & krb 4-1.2 kadmind
     SuSE 8.0
  #4 default kadmind
     FreeBSD 4.x
  #5 krb 4-1.2 kadmind
     BSD/OS 4.2
  #6 base target for brute-forcing Linux
  #7 base target for brute-forcing OpenBSD
  #8 base target for brute-forcing FreeBSD
  #9 base target for brute-forcing BSD/OS
------------
Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites. They reported that no action was necessary.
*********************************************************
About the CVA Process and Council
The CVA is produced in four phases:
Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
Forristal and the Neohapsis team scour all of the major vendor
web sites as well as bugtraq and other sources of new vulnerability
information and compile what they believe to be a complete list of all
new vulnerabilities and major vulnerability announcements made during
the week. The SANS Institute and Network Computing Magazine vet the
list through the major system manufacturers and jointly publish it
every week as the Security Alert Consensus (SAC). Anyone may subscribe
to the SAC at http://www.sans.org/newlook/digests/SAC.htm
Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
vulnerabilities and announcements that demand immediate action. This
reduces the list from 30-50 each week down to under 10. Vicki has been
on the front lines of intrusion detection and vulnerability testing
for nearly five years and her work in the field is legendary.
Phase 3: Very technical security managers at fifteen of the largest
user organizations in the United States each review the "immediate
action" vulnerabilities and describe what they did or did not do
to protect their organizations. Council members include banks and
other financial organizations, government agencies, universities,
major research laboratories, ISPs, health care, manufacturers,
insurance companies and a couple more. The individual members have
direct responsibility for security for their systems and networks. All
were concerned that information about their security configuration
would leak out, and agreed to serve only if their identities were
not revealed.
Phase 4: Michele Guel of Cisco compiles the responses and identifies
the items on which the Council members took or are taking action,
produces the weekly CVA, and then SANS distributes it via email to
all eligible persons.
**********************************************************************
Critical Vulnerability Analysis Scale Ratings
In ranking vulnerabilities several factors are taken into account,
such as:
- Is this a server or client compromise? At what privilege level?
- Is the affected product widely deployed?
- Is the problem found in default configurations/installations?
- Are the affected assets high value (e.g. databases, e-commerce
servers)?
- Is the network infrastructure affected (DNS, routers, firewalls)?
- Is exploit code publicly available?
- Are technical vulnerability details available?
- How difficult is it to exploit the vulnerability?
- Does the attacker need to lure victims to a hostile server?
Based on the answers to these questions, vulnerabilities are ranked
as Critical, High, Moderate, or Low.
CRITICAL vulnerabilities are those where essentially all planets
align in favor of the attacker. These vulnerabilities typically
affect default installations of very widely deployed software, result
in root compromise of servers or infrastructure devices, and the
information required for exploitation (such as example exploit code)
is widely available to attackers. Further, exploitation is usually
straightforward, in the sense that the attacker does not need any
special knowledge about individual victims, and does not need to lure
a target user into performing any special functions.
HIGH vulnerabilities are usually issues that have the potential to
become CRITICAL, but have one or a few mitigating factors that make
exploitation less attractive to attackers. For example, vulnerabilities
that have many CRITICAL characteristics but are difficult to exploit,
do not result in elevated privileges, or have a minimally sized victim
pool are usually rated HIGH. Note that HIGH vulnerabilities where the
mitigating factor arises from a lack of technical exploit details will
become CRITICAL if these details are later made available. Thus, the
paranoid administrator will want to treat such HIGH vulnerabilities as
CRITICAL, if it is assumed that attackers always possess the necessary
exploit information.
MODERATE vulnerabilities are those where the scales are slightly tipped
in favor of the potential victim. Denial of service vulnerabilities
are typically rated MODERATE, since they do not result in compromise
of a target. Exploits that require an attacker to reside on the same
local network as a victim, only affect nonstandard configurations
or obscure applications, require the attacker to social engineer
individual victims, or where exploitation only provides very limited
access are likely to be rated MODERATE.
LOW vulnerabilities usually do not affect most administrators, and
exploitation is largely unattractive to attackers. Often these issues
require the attacker to already have some level of access to a target
(e.g. be able to execute arbitrary SQL queries, or be able to pop mail
from a mail server), require elaborate specialized attack scenarios,
and only result in limited damage to a target. Alternatively, a LOW
ranking may be applied when there is not enough information to fully
assess the implications of a vulnerability. For example, vendors often
imply that exploitation of a buffer overflow will only result in a
denial of service. However, many times such flaws are later shown
to allow for execution of attacker-supplied code. In these cases,
the issues are reported in order to alert security professionals to
the potential for deeper problems, but are ranked as LOW due to the
element of speculation.
Remediation Timescale
===================================
A vulnerability rating corresponds to the "threat level" of a
particular issue. Critical threats must be responded to most quickly,
as the potential for exploitation is high. Recommended response times
for each rating are listed below. These recommendations should be
tailored to the level of deployment of the affected product at your
organization.
CRITICAL: 48 hours
HIGH: 5 business days
MODERATE: 15 business days
LOW: At the administrator's discretion
******************************************************************
Subscriptions: The CVA is distributed free of charge to chief
information security officers and technical security managers,
to GIAC certified security professionals, and to recent alumni of
SANS courses. Recipients may forward the CVA to other technical and
managerial security staff in their organizations, but not to people
outside their organizations.
Copyright 2003. All rights reserved. No copying, forwarding, or reuse
allowed, other than those listed in the preceding paragraph, without
written permission from the SANS Institute. Email sansro@sans.org
for permission.
To subscribe, at no cost, go to https://www.sans.org/sansnews/
where you may also request subscriptions to any of SANS other free
newsletters.
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number or email address
(from the headers.) You will receive your personal URL via email.
==end==