SANS Critical Vulnerability Analysis Vol 2 No 10

From: The SANS Institute (CriticalVulnerabilityAnalysis@sans.org)
Date: Mon Mar 17 2003 - 06:38:41 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

***********************************************************************
                  SANS Critical Vulnerability Analysis
March 17, 2003 Vol. 2. No. 10
***********************************************************************

The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week and
provides guidance on appropriate actions to protect your systems.

***********************************************************************

Table of Contents

Widely Deployed Software:
(1) MODERATE: IBM Lotus Notes NotesRPC Protocol Buffer Overflow
(2) MODERATE: PeopleSoft PeopleTools Remote Command Execution
(3) MODERATE: Qualcomm Qpopper Buffer Overflow
(4) MODERATE: ShopFactory CGI Price Manipulation Vulnerability
(5) MODERATE: PostNuke Multiple Vulnerabilities

Other Software:
(6) HIGH: Wordit Logbook CGI Remote Command Execution
(7) HIGH: Upload Lite CGI Remote Command Execution
(8) MODERATE: SunONE (iPlanet) Application Server Buffer Overflow
(9) MODERATE: Opera Browser Download Dialog Buffer Overflow

************************* Sponsored Links ***************************
Privacy notice: These links redirect to non-SANS web pages.

Stop attacks before the damage is done. ***FREE WHITEPAPER***
"The Foundation for Effective Incident Handling"
http://www.sans.org/cgi-bin/sanspromo/CVA26
----------------------------------------
Precise Bandwidth Management & Intrusion Prevention.
Predictable Network Availability with Automated, Real-time Control.
Live, hands-on demo: http://www.sans.org/cgi-bin/sanspromo/CVA27
--------------------------------------
ALERT: Stop Viruses & Worms Before They Enter Your Network
**Free Whitepaper**
http://www.sans.org/cgi-bin/sanspromo/CVA28
***********************************************************************

***********************************************************
Widely Deployed Software
***********************************************************

(1) MODERATE: IBM Lotus Notes NotesRPC Protocol Buffer Overflow

Affected Products:
Lotus Notes R4
Lotus Notes R5 up to and including R5.0.11
Lotus Notes R6 betas and pre-releases
Potentially Lotus Notes R3 and earlier (not tested)

Description:
Lotus Notes clients and servers support a proprietary protocol known
as NotesRPC, which typically runs on port 1352/tcp. This protocol
provides a means for two endpoints to mutually authenticate via a
series of challenge-response exchanges. A malicious unauthenticated
client can manipulate the challenge-response data to cause a buffer
overflow on the server, resulting in a denial of service or potentially
the execution of attacker-supplied code.

Additional note: Various Lotus Notes/Domino products have also been
found vulnerable to a denial of service in the Web Retriever program
(can be triggered by a malicious web server). And some Notes/Domino
versions still contain vulnerabilities revealed by the PROTOS LDAP
test suite in 2001.

Risk: Lotus Notes server remote compromise.

Deployment: Significant.
Lotus Notes is widely used in business environments worldwide. Netcraft
reports that nearly 80,000 servers were running Lotus Domino as of
February 2003.

Ease of Exploitation: Unknown.
This is a heap overflow and, at present, code execution is only a
theoretical possibility.

Status: Vendor confirmed, software upgrades provided.

References:
Rapid7 Advisories
http://www.rapid7.com/advisories/R7-0010-info.html
http://www.rapid7.com/advisories/R7-0010.html
http://www.rapid7.com/advisories/R7-0011.html
http://www.rapid7.com/advisories/R7-0012.html

News Articles
http://www.silicon.com/news/500013/1/3271.html
http://zdnet.com.com/2100-1104-992216.html

SecurityFocus BIDs 7037, 7038, 7039
http://www.securityfocus.com/bid/7037
http://www.securityfocus.com/bid/7038
http://www.securityfocus.com/bid/7039

Netcraft February 2003 Web Server Survey Results
http://www.netcraft.com/Survey/Reports/0302/

Council Site Actions:
The affected software is in use at six of the reporting council sites,
although some of these sites have very small installations. Most of
the sites block the affected ports at their perimeter security control
points. All sites have either upgraded to the corrected version or are
planning to upgrade during the next regularly scheduled update cycle.

**************************************************************

(2) MODERATE: PeopleSoft PeopleTools Remote Command Execution

Affected Products:
PeopleSoft PeopleTools Suite versions 8.10-8.18, 8.40, 8.41
(included with most PeopleSoft installations)

Description:
By default, the PeopleTools web server runs a Java servlet named
"SchedulerTransfer". This servlet is responsible for migrating reports
to and from the web server's report repository via HTTP/HTTPS. By
design, the servlet allows remote anonymous users to upload arbitrary
files to the server, but only to a specific designated directory.
ISS X-Force has discovered that a directory traversal vulnerability
in the servlet allows files to be uploaded to locations outside
the designated directory. Attackers can exploit the flaw to upload
malicious files and execute them with the privileges of the web
server process.

Risk: PeopleTools web server remote compromise.

Deployment: Significant.
PeopleSoft enterprise software is used by many organizations to manage
sensitive information related to all aspects of business operation.
Affected products include PeopleSoft packages to manage human
resources, supply chains, customer relationships, and finance.

Ease of Exploitation: Straightforward.
Attackers are likely to be able to build an exploit.

Status: Vendor confirmed, patches available for PeopleTools 8.18.06
and 8.41.05. The problem is fixed in PeopleTools 8.19 and 8.42.

References:

ISS Advisory
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21999
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0119.html

Vendor Website
http://www.peoplesoft.com/corp/en/public_index.asp

SecurityFocus BID 7053
http://www.securityfocus.com/bid/7053

Council Site Actions:
The affected software is in use at three of the reporting council
sites. All three sites have informed their database support groups
and have plans to upgrade to the corrected version of the software. One
site reported that it restricts access to the SchedulerTransfer servlet
from within the "Configure Application Security" menu in WebSphere.

**************************************************************

(3) MODERATE: Qualcomm Qpopper Buffer Overflow

Affected Products:
QPopper 4.0.x

Description:
The QPopper Qvsnprintf() function has been found to not properly
null terminate strings, leading to a remotely exploitable buffer
overflow vulnerability. Malicious users possessing valid POP3 account
credentials can exploit the flaw to execute arbitrary code with the
privileges of the QPopper process. This vulnerability is of greatest
concern to administrators providing POP, but not shell, access to
users. The advisory includes an example exploit.

Risk: Attackers possessing valid POP account credentials can gain
shell access on the system running QPopper.

Deployment: Significant.
According to the vendor website, QPopper is the most widely used POP3
server for Unix/Linux.

Ease of Exploitation: Simple.
The advisory includes an example exploit.

Status: The vendor has confirmed and has released version 4.0.5 in
response to this issue.

References:
Bugtraq Posting and Example Exploit by Florian Heinz
http://archives.neohapsis.com/archives/bugtraq/2003-03/0152.html
http://nstx.dereference.de/snippets/qex.c

Follow-up Third Party Confirmations
http://archives.neohapsis.com/archives/bugtraq/2003-03/0167.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0176.html

Vendor Statement
http://archives.neohapsis.com/archives/bugtraq/2003-03/0178.html

Vendor Website
http://www.eudora.com/qpopper/

QPopper 4.0.5 Download
ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper4.0.5.tar.gz

SecurityFocus BID 7068
http://www.securityfocus.com/bid/7058

Council Site actions:
Only one council site reported use (limited) of the affected software.
None of the installations are maintained by that site's central IT
support department. In the majority of the cases, the users who have
POP3 accounts also have shell accounts on the same machine, and thus
the vulnerability is not relevant. In other cases, some users with POP3
accounts do not have shell accounts, but it is not a major concern
if these users gain shell access. Nevertheless, most of the Qpopper
installations will probably be upgraded within the next few months.

*************************************************************

(4) MODERATE: ShopFactory CGI Price Manipulation Vulnerability

Affected Products:
3D3.com ShopFactory e-commerce CGI Suite version 5.8 and prior

Description:
ShopFactory is an online shopping cart solution that is deployed by
thousands of e-commerce sites worldwide. The software has been found
to be inherently insecure due to the fact that maintenance of critical
shopping cart data (such as price information for selected products)
is entrusted to the client. Malicious customers can manipulate the
client-side data to set arbitrary prices for products they wish
to purchase.
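The defensive principle behind this item is that the server, not the
client, is the authority on prices. The following is an added example
(not ShopFactory code, and not from the advisory) showing a server-side
pricing routine: the catalog, SKUs and prices are constructed for the
example, the client-supplied "price" field is ignored for the total and
only compared against the catalog so that tampering can be logged.

```python
from decimal import Decimal

# Constructed sample catalog: the server's own record of what each item
# costs. SKUs and prices are made up for this example.
CATALOG = {
    "SKU-1001": Decimal("49.95"),
    "SKU-1002": Decimal("12.50"),
}


class CartError(ValueError):
    """Raised when a submitted cart cannot be priced at all."""


def price_order(submitted_items, catalog=CATALOG):
    """Compute an order total from the server-side catalog only.

    submitted_items is what the client posted back: a list of dicts with
    "sku", "qty" and, as in the client-trusting design described above,
    a client-supplied "price". That price never contributes to the total;
    it is only compared with the catalog so a mismatch can be recorded.

    Returns (total, mismatches) where mismatches is a list of
    (sku, claimed_price, real_price) tuples for later alerting.
    """
    total = Decimal("0")
    mismatches = []
    for item in submitted_items:
        sku = item["sku"]
        if sku not in catalog:
            raise CartError("unknown product %r" % sku)
        qty = int(item["qty"])
        if qty < 1:
            raise CartError("invalid quantity for %r" % sku)
        real_price = catalog[sku]
        claimed = item.get("price")
        if claimed is not None and Decimal(str(claimed)) != real_price:
            mismatches.append((sku, Decimal(str(claimed)), real_price))
        total += real_price * qty
    return total, mismatches


if __name__ == "__main__":
    # Constructed request: the second line-item carries a tampered price.
    cart = [
        {"sku": "SKU-1001", "qty": 2, "price": "49.95"},
        {"sku": "SKU-1002", "qty": 1, "price": "0.01"},
    ]
    total, bad = price_order(cart)
    print("charged:", total)          # catalog total, not the client's
    for sku, claimed, real in bad:
        print("price mismatch on %s: claimed %s, catalog %s" % (sku, claimed, real))
```

The mismatch list is the detection hook: a shop that recomputes totals
this way is not exploitable by price edits, and each edit attempt still
shows up as an auditable event.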

Risk: E-commerce customers can pick arbitrary prices for items they
purchase from ShopFactory-based online shops.

Deployment: Significant.
According to the vendor web site, more than 100,000 online shops
worldwide have deployed the ShopFactory shopping cart software. Santu
is an "online mall" that links to thousands of shops using ShopFactory
software, providing one-stop-shopping for attackers.

Ease of Exploitation: Straightforward.
Attackers should have no problems building an exploit.

Status: The advisory indicates vendor confirmation, but no fix is
currently available.

References:
Advisory by Maarten Hartsuijker
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0109.html

Vendor Website
http://www.shopfactory.com

SecurityFocus BID
http://www.securityfocus.com/bid/6296

Santu Online Mall (linked from www.3D3.com)
http://www.santu.com/

Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites. They reported that no action was necessary.

*************************************************************

(5) MODERATE: PostNuke Multiple Vulnerabilities

Affected Products:
PostNuke version 0.723

Description:
PostNuke is a popular open source web content management system that
runs on a wide range of platforms, including Windows and Linux. The
program is written in PHP and uses a MySQL database backend. Two
vulnerabilities have been discovered that, taken together, allow a
remote attacker to execute arbitrary commands on the server running
PostNuke. First, an SQL injection vulnerability allows attackers to
write arbitrary data, such as PHP script, to the server filesystem.
Second, a directory traversal vulnerability can be exploited to make
the server execute the PHP script file written by the attacker. The
advisory provides precise exploit details.
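The first of the two PostNuke flaws is a textbook SQL injection: user
input is spliced into the query text, so a crafted value changes the
query's structure rather than just its data. The following is an added
example, not PostNuke code and not taken from the advisory, that puts
the string-concatenation pattern beside the parameterized form. It uses
an in-memory SQLite table with constructed sample rows so it runs
offline; PostNuke itself used MySQL, but the binding principle is the
same.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory table with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable form: the caller's value becomes part of the SQL grammar.

    A value containing a quote character terminates the literal early and
    whatever follows is parsed as SQL.
    """
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Hardened form: the value is bound as a parameter.

    The database driver sends the value separately from the statement, so
    it can never alter the query's structure, whatever characters it holds.
    """
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"       # constructed input that breaks out of the literal
    print("unsafe:", lookup_unsafe(conn, probe))   # every row comes back
    print("safe:  ", lookup_safe(conn, probe))     # no user is literally named that
```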

Risk: Remote compromise of web servers running PostNuke.

Deployment: Significant.
The PostNuke website claims 37,000+ users.

Ease of Exploitation: Trivial.
The advisory provides precise exploit details. However, an attacker
must be able to register a user account on the PostNuke server in
order to take advantage of the exploitation scenario described in
the advisory.

Status: Vendor confirmed, fixes available.

References:
Bugtraq Posting by Pokleyzz
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0117.html

Vendor Advisory
http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2378

SecurityFocus BIDs 7047 and 7048
http://www.securityfocus.com/bid/7047
http://www.securityfocus.com/bid/7048

Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites.

***********************************************************
Other Software
***********************************************************

(6) HIGH: Wordit Logbook CGI Remote Command Execution

Affected Products:
Wordit Logbook 0.98b3

Description:
The Wordit Logbook CGI script does not properly sanitize data
passed to the "file" parameter, allowing remote attackers to execute
arbitrary command-line commands on the hosting web server. The problem
arises due to an insecure call to the perl open() function, and the
advisory shows how the flaw can be trivially exploited. For example,
a web request for the following resource will display the logbook.pl
script source:
  /logbook.pl?file=../../../../../../../bin/cat%20logbook.pl%00|
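Items (2) and (6) above fail the same way: a user-supplied file name is
handed to a filesystem (or, in the Perl case, an open()) call without
first being confined to the directory the script is meant to use, and
in the Logbook case without rejecting the NUL and pipe metacharacters
that change how open() interprets the name. The following is an added
example, not code from either product or advisory, of a check that
covers both. The base directory is a constructed placeholder; the
function URL-decodes the value, rejects NUL and "|", and then verifies
that the resolved path is still inside the base directory.

```python
import os
from urllib.parse import unquote

# Constructed placeholder for the one directory a CGI script is allowed to
# read from or write to. Not a path from either advisory.
BASE_DIR = "/var/www/logbook/data"


def safe_path(user_value, base_dir=BASE_DIR):
    """Return an absolute path under base_dir for a user-supplied name,
    or None if the value must be rejected.

    Two classes of input are refused:
    - names that escape the designated directory ("../../", absolute paths,
      or symlinks resolving elsewhere), the PeopleTools upload problem;
    - names carrying NUL or "|", which a later open() or shell would treat
      as string terminators or commands, the Logbook open() problem.
    """
    # CGI values arrive URL-encoded, so decode before inspecting them;
    # otherwise "%00" would not be recognised as a NUL byte.
    name = unquote(user_value)
    if "\x00" in name or "|" in name:
        return None

    # Resolve both sides so ".." segments and symlinks are normalised,
    # then require the candidate to be strictly inside the base directory.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if not candidate.startswith(base + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    # The request shown in the Logbook advisory, and an ordinary file name.
    for value in ("../../../../../../../bin/cat%20logbook.pl%00|", "2003-03-17.log"):
        print(repr(value), "->", safe_path(value))
```

Accepting only what resolves under the base directory, rather than
trying to strip "../" sequences, also handles encodings and symlink
tricks that a pattern-based filter would miss.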

Risk: Remote compromise of web servers running Wordit Logbook.

Deployment: Small.
Logbook is an open source program deployed by a relatively small
group of users.

Ease of Exploitation: Trivial.
The advisory provides precise exploit details.

Status: The bug has been confirmed. No solution (other than custom
source code modification) is currently available.

References:
Bugtraq Posting by Aleksey Sintsov
http://archives.neohapsis.com/archives/bugtraq/2003-03/0123.html

Secunia Advisory
http://www.secunia.com/advisories/8255/

Vendor Website
http://scripts.wordit.com/ (taken offline 3/13/03)

SecurityFocus BID 7043
http://www.securityfocus.com/bid/7043

Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites.

*************************************************************

(7) HIGH: Upload Lite CGI Remote Command Execution

Affected Products:
PerlScriptsJavaScripts.com Upload Lite CGI v. 3.22 for Windows

Description:
The Upload Lite CGI program does not properly delete temporary files
when handling a client request to upload two files with the same name.
Remote attackers can exploit the flaw to upload an arbitrary file
(e.g. containing script) that will be created as a temporary file
but never deleted. The attacker can then execute the uploaded file
on the server by accessing it via HTTP.

Risk: Remote compromise of web servers running Upload Lite.

Deployment: Moderate.
According to the vendor website, Upload Lite has been downloaded more
than 9000 times.

Ease of Exploitation: Trivial.
The advisory provides precise exploit details.

Status: This vulnerability has not been confirmed. No solution is
currently available.

Severity: HIGH (server compromise, exploit available)

References:

Bugtraq Posting by Sil
http://archives.neohapsis.com/archives/bugtraq/2003-03/0141.html

Vendor Website
http://www.perlscriptsjavascripts.com/perl/upload_lite/

SecurityFocus BID 7051
http://www.securityfocus.com/bid/7051

Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites.

**************************************************************

(8) MODERATE: SunONE (iPlanet) Application Server Buffer Overflow

Affected Products:
SunONE (iPlanet) Application Server 6.x for Windows NT4/2000

Description:
The SunONE Application Server ships with an NSAPI "connector-module"
plugin (gxnsapi6.dll) that is vulnerable to a stack-based buffer
overflow when handling malformed HTTP requests. An attacker can send
an over-long request URI of the form:
    /[AppServerPrefix]/[long buffer]
to exploit the flaw and force the server to execute attacker-supplied
code.

Risk: SunONE Application Server remote compromise.

Deployment: Moderate.
The SunONE Application Server is designed to support rapid development
and delivery of Java web services.

Ease of Exploitation: Straightforward.
Attackers should be able to build an exploit.

Status: The vendor has supplied a fix for version 6.5 but not for
version 6.0. The @stake advisory suggests workaround options for
6.0 users.

References:
@stake Security Advisory
http://www.atstake.com/research/advisories/2003/a031303-1.txt
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0128.html

SunONE Application Server SP1 (includes fix for version 6.5)
http://wwws.sun.com/software/download/products/3e3afb89.html

Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites. A few of the sites sent a notification to the
appropriate support group to ensure awareness of the problem.

**************************************************************

(9) MODERATE: Opera Browser Download Dialog Buffer Overflow

Affected Products:
Opera versions 7.02, 7.01 and 6.05 for Windows 9x/2000/XP

Description:
The Opera browser contains a buffer overflow in the code responsible
for handling the file download dialog. The browser does not check the
length of the name of the file to be downloaded before writing the
name into a buffer on the stack. A malicious website can exploit the
vulnerability to execute arbitrary code on the system running Opera.
The advisory contains example exploit code.

Risk: Remote compromise of systems running Opera by malicious web
servers.

Deployment: Moderate.
The Opera browser is ranked third among browsers worldwide behind
Internet Explorer and Netscape. The software was designed to be
compact, making it a popular browser solution for embedded devices.
Opera runs on Windows, OS/2, Linux, BeOS, BeIA, Symbian OS, and QNX.

Ease of Exploitation: Straightforward.
The advisory contains example exploit code.

Status: The advisory indicates vendor confirmation and that a fix
will be forthcoming.

References:
Bugtraq Posting by nesumin:
http://archives.neohapsis.com/archives/bugtraq/2003-03/0173.html

SecurityFocus BID 7056
http://www.securityfocus.com/bid/7056

Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites.

************************************************************

About the CVA Process and Council

The CVA is produced in four phases:
Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
web sites as well as bugtraq and other sources of new vulnerability
information and compile what they believe to be a complete list of all
new vulnerabilities and major vulnerability announcements made during
the week. The SANS Institute and Network Computing Magazine vet the
list through the major system manufacturers and jointly publish it
every week as the Security Alert Consensus (SAC). Anyone may subscribe
to the SAC at http://www.sans.org/newlook/digests/SAC.htm

Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
vulnerabilities and announcements that demand immediate action. This
reduces the list from 30-50 each week down to under 10. Vicki has been
on the front lines of intrusion detection and vulnerability testing
for nearly six years and her work in the field is legendary.

Phase 3: Very technical security managers at fifteen of the largest
user organizations in the United States each review the "immediate
action" vulnerabilities and describe what they did or did not do
to protect their organizations. Council members include banks and
other financial organizations, government agencies, universities,
major research laboratories, ISPs, health care, manufacturers,
insurance companies and a couple more. The individual members have
direct responsibility for security for their systems and networks. All
were concerned that information about their security configuration
would leak out, and agreed to serve only if their identities were
not revealed.

Phase 4: SANS compiles the responses and identifies the items on which
the Council members took or are taking action, produces the weekly CVA,
and distributes it via email to all eligible persons.

**********************************************************************
Critical Vulnerability Analysis Scale Ratings

In ranking vulnerabilities several factors are taken into account,
such as:

- Is this a server or client compromise? At what privilege level?
- Is the affected product widely deployed?
- Is the problem found in default configurations/installations?
- Are the affected assets high value (e.g. databases, e-commerce
  servers)?
- Is the network infrastructure affected (DNS, routers, firewalls)?
- Is exploit code publicly available?
- Are technical vulnerability details available?
- How difficult is it to exploit the vulnerability?
- Does the attacker need to lure victims to a hostile server?

Based on the answers to these questions, vulnerabilities are ranked
as Critical, High, Moderate, or Low.

CRITICAL vulnerabilities are those where essentially all planets
align in favor of the attacker. These vulnerabilities typically
affect default installations of very widely deployed software, result
in root compromise of servers or infrastructure devices, and the
information required for exploitation (such as example exploit code)
is widely available to attackers. Further, exploitation is usually
straightforward, in the sense that the attacker does not need any
special knowledge about individual victims, and does not need to lure
a target user into performing any special functions.

HIGH vulnerabilities are usually issues that have the potential to
become CRITICAL, but have one or a few mitigating factors that make
exploitation less attractive to attackers. For example, vulnerabilities
that have many CRITICAL characteristics but are difficult to exploit,
do not result in elevated privileges, or have a minimally sized victim
pool are usually rated HIGH. Note that HIGH vulnerabilities where the
mitigating factor arises from a lack of technical exploit details will
become CRITICAL if these details are later made available. Thus, the
paranoid administrator will want to treat such HIGH vulnerabilities as
CRITICAL, if it is assumed that attackers always possess the necessary
exploit information.

MODERATE vulnerabilities are those where the scales are slightly tipped
in favor of the potential victim. Denial of service vulnerabilities
are typically rated MODERATE, since they do not result in compromise
of a target. Exploits that require an attacker to reside on the same
local network as a victim, only affect nonstandard configurations
or obscure applications, require the attacker to social engineer
individual victims, or where exploitation only provides very limited
access are likely to be rated MODERATE.

LOW vulnerabilities usually do not affect most administrators, and
exploitation is largely unattractive to attackers. Often these issues
require the attacker to already have some level of access to a target
(e.g. be able to execute arbitrary SQL queries, or be able to pop mail
from a mail server), require elaborate specialized attack scenarios,
and only result in limited damage to a target. Alternatively, a LOW
ranking may be applied when there is not enough information to fully
assess the implications of a vulnerability. For example, vendors often
imply that exploitation of a buffer overflow will only result in a
denial of service. However, many times such flaws are later shown
to allow for execution of attacker-supplied code. In these cases,
the issues are reported in order to alert security professionals to
the potential for deeper problems, but are ranked as LOW due to the
element of speculation.

Remediation Timescale
===================================
A vulnerability rating corresponds to the "threat level" of a
particular issue. Critical threats must be responded to most quickly,
as the potential for exploitation is high. The recommended response time
for each rating is listed below. These recommendations
should be tailored according to the level of deployment of the affected
product at your organization.

CRITICAL: 48 hours
HIGH: 5 business days
MODERATE: 15 business days
LOW: At the administrator's discretion

******************************************************************
Subscriptions: The CVA is distributed free of charge to people
responsible for securing information systems and networks. You may
forward this newsletter to any people with such responsibility inside
or outside your organization.

To subscribe, at no cost, go to https://www.sans.org/sansnews/
where you may also request subscriptions to any of SANS other free
newsletters.

To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number or email address
(from the headers). You will receive your personal URL via email.

Copyright 2003. All rights reserved. No copying, forwarding, or reuse
allowed, other than those listed in the preceding paragraph, without
written permission from the SANS Institute. Email sansro@sans.org
for permission.
                         ==end==

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+dUF++LUG5KFpTkYRAnvKAKCD1CAHlnMEHJTCuqxYxHXdinn30wCfbD7v
n6sk7yi6idVUjDNb5NruqEo=
=tQZZ
-----END PGP SIGNATURE-----