From: The SANS Institute (CriticalVulnerabilityAnalysis_at_sans.org)
Date: Mon Jan 13 2003 - 09:36:11 CST



                       SANS Critical Vulnerability Analysis
    January 12, 2003 Vol. 2. No. 1

    Summary: Every week, the CVA prioritizes and summarizes the most
    important vulnerabilities identified during the past week and provides
    data on actions taken by security and systems managers at fifteen
    very large organizations (the Council) to protect their computers
    and networks from exploits of the reported vulnerabilities.

    See "About the CVA Process and Council" at the end of this note for
    information on how the report is compiled.

    Table of Contents
    -------------------
    Widely Deployed Software
    (1) HIGH: CUPS (Common Unix Printing System) Multiple Vulnerabilities
    (2) HIGH: Cisco IOS SSH Denial of Service Vulnerability
    (3) MODERATE: Windows XP Shell Audio File Buffer Overflow

    Other Software
    (4) HIGH: TANne HTTP Session Management Package Format String

    Exploit Code Releases
    (5) zkfingerd Format String Exploit
    (6) Kerberos kadmind Buffer Overflow Exploit

    *********************** SPONSORED LINKS *******************************
    Privacy notice: These links redirect to non-SANS web pages.

    1. Can your network pass the SANS/FBI security test? Find out in
    minutes at http://www.sans.org/cgi-bin/sanspromo/CVA09

    2. Citadel's Hercules automatically remediates vulnerabilities
    identified by leading scanners. Download a FREE Hercules Evaluation:

    3. Anti-Vulnerability technology offers next generation
    security tools intelligence, accuracy, patching functions.
    Paper. http://www.sans.org/cgi-bin/sanspromo/CVA05

    4. ALERT! Outsmart Web Application Attackers - FREE 15 Day
    Product Trial, which delivers Comprehensive Vulnerability Report.

    5. ALERT: How a hacker launches a Web application attack step-by-step
    FREE white paper! http://www.sans.org/cgi-bin/sanspromo/CVA08


    Widely Deployed Software

    (1) HIGH: CUPS (Common Unix Printing System) Multiple Vulnerabilities

    Affected Products:
    CUPS prior to version 1.1.18

    The CUPS (Common Unix Printing System) contains multiple
    vulnerabilities, summarized below.
    - An integer overflow exists in the CUPS HTTP interface that
      allows a remote attacker to gain access as the 'lp' user.
    - A negative-length memcpy problem exists in the HTTP interface
      that allows a remote attacker to crash the CUPS daemon and
      potentially compromise the system.
    - A remote attacker can add printers to the system by sending a
      specially crafted UDP packet to CUPS. By then submitting a
      job to the added printer, the attacker may be able to execute
      programs with root privileges.
    - Image and PDF file handling problems allow attackers to gain
      'lp' privileges by submitting maliciously crafted files to CUPS.
    - Local users who can add printers and/or have 'lp' account
      privileges can escalate their status to root.

    Risk: Remote attack.
    Remote attackers can crash CUPS, add printers, gain 'lp' account
    privileges and, by exploiting multiple vulnerabilities, can execute
    arbitrary code as root.

    Deployment: Significant.
    CUPS is a widely used printing system for Unix-like operating systems.
    The software is included in several operating system distributions
    including Apple, Debian, FreeBSD, Mandrake, NetBSD, RedHat, Slackware,
    SuSE, SCO and Turbolinux.

    Ease of Exploitation: Varies.
    Exploit code has been posted for the integer overflow (said to provide
    an 'lp' user shell) and for the trivial negative-length memcpy DoS.
    Proof-of-concept exploits have been developed for several other issues
    as well, but have not been released to the public.

    Status: These vulnerabilities have been confirmed by the vendor,
    and are fixed in version 1.1.18.
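    An added C illustration of the negative-length memcpy class named above,
    written for this note and not taken from CUPS; BODY_MAX, the function
    names and the sample input are assumptions:

```c
/* Constructed illustration of the negative-length memcpy bug class
 * summarised under item (1). Not CUPS code: BODY_MAX and the helper
 * names are assumptions made for this example. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BODY_MAX 1024   /* assumed size of the receive buffer */
/* memcpy() takes size_t, so a signed -1 becomes SIZE_MAX and the copy
 * runs far past the buffer: the daemon crashes. */
size_t as_memcpy_size(int len)
{
    return (size_t)len;
}

/* The weak check behind the bug class: only the upper bound is tested,
 * so a negative length is accepted. Returns 1 if accepted, 0 if not. */
int weak_check_accepts(int len)
{
    return len <= BODY_MAX;
}

/* Hardened parse: strict conversion, then both bounds are enforced.
 * Returns 0 and stores the length on success, -1 on any defect. */
int parse_length_strict(const char *value, size_t *out)
{
    char *end; long n;
    if (value == NULL || *value == '\0')
        return -1;
    errno = 0;
    n = strtol(value, &end, 10);
    if (errno != 0 || end == value || *end != '\0')
        return -1;              /* overflow, no digits, or trailing junk */
    if (n < 0 || n > BODY_MAX)
        return -1;              /* negative, or larger than the buffer */
    *out = (size_t)n;
    return 0;
}

/* Copies only after the strict parse passed and the data really is that
 * long; dst must hold BODY_MAX + 1 bytes. Returns bytes copied or -1. */
int copy_body_safe(const char *src, const char *length_header, char *dst)
{
    size_t n;
    if (parse_length_strict(length_header, &n) != 0 || strlen(src) < n)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[BODY_MAX + 1];   /* constructed input */
    printf("weak check accepts -1: %d\n", weak_check_accepts(-1));
    printf("strict copy: %d bytes\n", copy_body_safe("constructed body", "11", buf));
    return 0;
}
```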

    iDefense Advisories:

    SuSE Advisory:

    SecurityFocus Vulnerability Information:
    BIDs 6433-6438,6440,6475 cover these vulnerabilities

    Exploit Code (Negative Length HTTP Content-Type DoS):

    Exploit Code (Integer Overflow):

    CUPS Vendor Site:

    Council Site Actions:
    Most of the Council Sites reported either that CUPS is not in use at
    their site or is used in a non-production manner. One of the sites
    with a limited production implementation reported they had vulnerable
    versions running on Mandrake Linux systems. They said there were no
    updated Mandrake Linux RPM files available at this time. They plan
    to delay notifying the owners of affected systems until Mandrake
    has the update available. At that point, they will notify affected
    parties that they must either complete the update, uninstall CUPS,
    or be disconnected from the network. If they hear that exploitation
    has started to occur, they will require that owners of the affected
    systems uninstall CUPS or reinstall from the patched source code,
    and if they do not, the systems will be disconnected from the network
    within a few days.

    Another Council Site has a small implementation of CUPS running on
    Linux RedHat systems. Their systems will be patched soon via the RedHat
    automated updates. Several other sites running the affected software
    notified the appropriate system support groups. All sites running the
    software stated the printer service ports are blocked at the security
    perimeters, which greatly reduces the threat of this problem.


    (2) HIGH: Cisco IOS SSH Denial of Service Vulnerability

    Affected Products:
    Cisco IOS versions 12.0S, 12.0ST, 12.1T, 12.1E, 12.1EA, 12.2, 12.2T,
    12.2S. All products running these versions of IOS are vulnerable if
    the SSH server feature is enabled.

    Cisco routers and Catalyst switches running affected versions of
    IOS will reboot upon receiving malicious traffic sent by Rapid7's
    SSHredder SSH test suite. Most Cisco devices will resume service
    following the reboot, but can be rendered unavailable for several
    minutes while the device reloads. The exception is the Cisco 3550,
    which requires a manual reset following a successful attack.

    Risk: Cisco routers and switches offering SSH services can be rebooted
    (repeatedly) by a remote unauthenticated attacker.

    Deployment: Significant.
    The affected IOS versions are widely deployed throughout the Internet.

    Ease of Exploitation: Trivial.
    Exploit code exists and is publicly available.

    Status: This vulnerability has been confirmed by Cisco. The Cisco
    advisory provides a patch release schedule for the various IOS

    Cisco Advisory:

    Rapid7 SSHredder Test Suite:

    Council Site Actions:
    The majority of the council sites do not use the SSH feature of Cisco
    IOS. Furthermore, many of these sites stated they block in-bound SSH
    connections at their security perimeters. The few sites that run SSH
    on affected devices plan to deploy the fixed version of the software
    when it becomes available later this month.

    One site has an extensive implementation of the SSH feature in IOS.
    They block in-bound SSH at the perimeters but are concerned that
    the vulnerability may be fodder for a new worm. Thus, they are
    investigating the likelihood and difficulty factor of such a worm.
    They do not have plans to turn off SSH or perform an immediate upgrade.
    However, they are prepared with scripts that will turn off SSH,
    if needed.


    (3) MODERATE: Windows XP Shell Audio File Buffer Overflow

    Affected Products:
    Windows XP

    The Windows Shell framework included with Windows XP contains a buffer
    overflow in the handling of large audio file attributes, allowing a
    malicious MP3 or WMA file to execute arbitrary code. Because Windows
    XP provides native support for parsing MP3 and WMA file attributes
    via Explorer, a malicious file would not need to be opened/played in
    order to exploit the vulnerability. If a user simply opens a folder
    containing the file, Explorer will read the file attributes and the
    buffer overflow will occur.

    Similarly, an XP user browsing a hostile website using Internet
    Explorer could be remotely compromised simply by hovering their mouse
    over an icon for a malicious file. Further, under some circumstances,
    an HTML email can launch the attack automatically when the XP recipient
    opens or previews the email.

    Risk: Compromise of Windows XP machines at the privilege level of
    the XP user encountering the hostile audio file.

    Deployment: Widely deployed.

    Ease of Exploitation: Unknown.
    An attacker must create an audio file which carries a large, corrupt
    custom attribute. Given that there are a limited number of ways to
    manipulate attributes, an attacker may be able to gain substantial
    information through experimentation.

    Status: Vendor confirmed, patches available.

    Microsoft Advisory:

    Foundstone Advisory:

    Council Site Actions:
    Only a few of the Council sites reported use of the XP O/S within
    their organizations, all of which are very limited deployments.
    Several of the sites have notified their desktop support groups. One
    site will be rolling out the patches (via SMS) during the next regular
    patch update cycle.

    Most of the council sites use automatic AV signature updating software
    and are actively blocking MP3s (and other file types) at the network
    perimeters via web proxies. These actions greatly reduce the risk
    created by this vulnerability.

    Other Software

    (4) HIGH: TANne HTTP Session Management Package Format String

    Affected Products:
    TANne version 0.6.17 and possibly earlier versions

    The TANne program used for secure HTTP session management contains two
    format string vulnerabilities in the handling of syslog() parameters.
    A remote attacker can exploit these vulnerabilities to execute
    arbitrary code as root.

    Risk: Remote root compromise of web servers running TANne.

    Deployment: Unknown.
    TANne is a secure HTTP session management solution developed
    specifically for high security web-based applications such as online
    banking. The software is distributed by the German company FluxNetz.

    Ease of Exploitation: Straightforward.
    Exploit code said to provide a root shell has been posted for TANne
    0.6.17 running on RedHat Linux 6.1, 7.0 and 8.0. The author of the
    exploit, You Dong-hun, is credited with discovering the vulnerability
    by the TANne developers.

    Status: Vendor confirmed. The problem is fixed in versions 0.6.19
    and greater.


    Exploit Code:

    TANne Project Pages:

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites.

    Exploit Code Releases

    (5) zkfingerd Format String Exploit

    This vulnerability was discussed in the December 22, 2002 CVA.
    The zkfingerd daemon contains multiple format string vulnerabilities
    in the handling of user-supplied data. Successful exploitation allows
    remote attackers to execute arbitrary code with the privileges of
    the daemon (typically 'nobody').


    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites. They reported that no action was necessary.


    (6) Kerberos kadmind Buffer Overflow Exploit

    This vulnerability was discussed in the November 4, 2002 CVA.
    The kadmind daemon shipped with multiple versions of KTH and MIT
    Kerberos contains a buffer overflow that can allow remote attackers
    to gain root access. kadmind provides remote administrative access to
    the Kerberos authentication database, and runs on the Key Distribution
    Center (KDC) server of a Kerberos realm. The problem lies in the code
    that provides legacy version 4 compatibility.


    The usage information given at the command line provides a list of
    potential targets:
    --------------
    [root@test exploits]# ./kadmin
     - usage: ./kadmin <target#[-]> <host> [port]
     - available targets:
       #0 default [heimdal 0.3a] & krb-4.1.2 kadmind OpenBSD 3.0
       #1 default kadmind OpenBSD 2.9
       #2 krb 4-1.2 kadmind Slackware Linux 8.0 & OpenWall 0.10
       #3 heimdal 0.4e & krb 4-1.2 kadmind SuSE 8.0
       #4 default kadmind FreeBSD 4.x
       #5 krb 4-1.2 kadmind BSD/OS 4.2
       #6 base target for brute-forcing Linux
       #7 base target for brute-forcing OpenBSD
       #8 base target for brute-forcing FreeBSD
       #9 base target for brute-forcing BSD/OS
    ------------

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites. They reported that no action was necessary.

    About the CVA Process and Council

    The CVA is produced in four phases:
    Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
    Forristal and the Neohapsis team scour all of the major vendor
    web sites as well as bugtraq and other sources of new vulnerability
    information and compile what they believe to be a complete list of all
    new vulnerabilities and major vulnerability announcements made during
    the week. The SANS Institute and Network Computing Magazine vet the
    list through the major system manufacturers and jointly publish it
    every week as the Security Alert Consensus (SAC). Anyone may subscribe
    to the SAC at http://www.sans.org/newlook/digests/SAC.htm

    Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
    vulnerabilities and announcements that demand immediate action. This
    reduces the list from 30-50 each week down to under 10. Vicki has been
    on the front lines of intrusion detection and vulnerability testing
    for nearly five years and her work in the field is legendary.

    Phase 3: Very technical security managers at fifteen of the largest
    user organizations in the United States each review the "immediate
    action" vulnerabilities and describe what they did or did not do
    to protect their organizations. Council members include banks and
    other financial organizations, government agencies, universities,
    major research laboratories, ISPs, health care, manufacturers,
    insurance companies and a couple more. The individual members have
    direct responsibility for security for their systems and networks. All
    were concerned that information about their security configuration
    would leak out, and agreed to serve only if their identities were
    not revealed.

    Phase 4: Michele Guel of Cisco compiles the responses and identifies
    the items on which the Council members took or are taking action,
    produces the weekly CVA, and then SANS distributes it via email to
    all eligible persons.

    Critical Vulnerability Analysis Scale Ratings

    In ranking vulnerabilities several factors are taken into account,
    such as:

    - Is this a server or client compromise? At what privilege level?
    - Is the affected product widely deployed?
    - Is the problem found in default configurations/installations?
    - Are the affected assets high value (e.g. databases, e-commerce
    - Is the network infrastructure affected (DNS, routers, firewalls)?
    - Is exploit code publicly available?
    - Are technical vulnerability details available?
    - How difficult is it to exploit the vulnerability?
    - Does the attacker need to lure victims to a hostile server?

    Based on the answers to these questions, vulnerabilities are ranked
    as Critical, High, Moderate, or Low.

    CRITICAL vulnerabilities are those where essentially all planets
    align in favor of the attacker. These vulnerabilities typically
    affect default installations of very widely deployed software, result
    in root compromise of servers or infrastructure devices, and the
    information required for exploitation (such as example exploit code)
    is widely available to attackers. Further, exploitation is usually
    straightforward, in the sense that the attacker does not need any
    special knowledge about individual victims, and does not need to lure
    a target user into performing any special functions.

    HIGH vulnerabilities are usually issues that have the potential to
    become CRITICAL, but have one or a few mitigating factors that make
    exploitation less attractive to attackers. For example, vulnerabilities
    that have many CRITICAL characteristics but are difficult to exploit,
    do not result in elevated privileges, or have a minimally sized victim
    pool are usually rated HIGH. Note that HIGH vulnerabilities where the
    mitigating factor arises from a lack of technical exploit details will
    become CRITICAL if these details are later made available. Thus, the
    paranoid administrator will want to treat such HIGH vulnerabilities as
    CRITICAL, if it is assumed that attackers always possess the necessary
    exploit information.

    MODERATE vulnerabilities are those where the scales are slightly tipped
    in favor of the potential victim. Denial of service vulnerabilities
    are typically rated MODERATE, since they do not result in compromise
    of a target. Exploits that require an attacker to reside on the same
    local network as a victim, only affect nonstandard configurations
    or obscure applications, require the attacker to social engineer
    individual victims, or where exploitation only provides very limited
    access are likely to be rated MODERATE.

    LOW vulnerabilities usually do not affect most administrators, and
    exploitation is largely unattractive to attackers. Often these issues
    require the attacker to already have some level of access to a target
    (e.g. be able to execute arbitrary SQL queries, or be able to pop mail
    from a mail server), require elaborate specialized attack scenarios,
    and only result in limited damage to a target. Alternatively, a LOW
    ranking may be applied when there is not enough information to fully
    assess the implications of a vulnerability. For example, vendors often
    imply that exploitation of a buffer overflow will only result in a
    denial of service. However, many times such flaws are later shown
    to allow for execution of attacker-supplied code. In these cases,
    the issues are reported in order to alert security professionals to
    the potential for deeper problems, but are ranked as LOW due to the
    element of speculation.

    Remediation Timescale
    A vulnerability rating corresponds to the "threat level" of a
    particular issue. Critical threats must be responded to most quickly,
    as the potential for exploitation is high. Recommended response times
    corresponding to each of the ratings is below. These recommendations
    should be tailored according to the level of deployment of the affected
    product at your organization.

    CRITICAL: 48 hours
    HIGH: 5 business days
    MODERATE: 15 business days
    LOW: At the administrator's discretion


    Subscriptions: The CVA is distributed free of charge to chief
    information security officers and technical security managers,
    to GIAC certified security professionals, and to recent alumni of
    SANS courses. Recipients may forward the CVA to other technical and
    managerial security staff in their organizations, but not to people
    outside their organizations.

    Copyright 2003. All rights reserved. No copying, forwarding, or reuse
    allowed, other than those listed in the preceding paragraph, without
    written permission from the SANS Institute. Email sansro@sans.org
    for permission.

    To subscribe, at no cost, go to https://www.sans.org/sansnews/
    where you may also request subscriptions to any of SANS other free

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number or email address
    (from the headers.) You will receive your personal URL via email.

