SANS Critical Vulnerability Analysis Vol 2 No 12

From: The SANS Institute (CriticalVulnerabilityAnalysissans.org)
Date: Mon Mar 31 2003 - 07:33:46 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

***********************************************************************
                  SANS Critical Vulnerability Analysis
March 31, 2003 Vol. 2. No. 12
***********************************************************************

The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week and
provides guidance on appropriate actions to protect your systems.

***********************************************************************

TABLE OF CONTENTS:

Widely Deployed Software
(Flash) CRITICAL: Sendmail Parseaddr Buffer Overflow

Moderately Deployed Software:
(1) MODERATE: Ximian Evolution Mail Client Multiple Vulnerabilities
(2) MODERATE: Mozilla Bonsai CGI Suite Command Execution Vulnerability
(3) LOW: Mutt IMAP Client Folder Buffer Overflow

Updates:
(4) Windows 2000 ntdll.dll Exploit Codes (Code Released)
(5) Windows SvcHost DoS (MS Patch Released)


**************************************************************
Widely Deployed Software
**************************************************************

(Flash) CRITICAL: Sendmail Parseaddr Buffer Overflow
[This vulnerability was discovered after the Council members provided
input, so no Council assessments or actions are available.]

=====================================================
Affected Products:
Sendmail open source versions prior to 8.12.9
Sendmail Pro (all versions)
Sendmail Switch 2.1 prior to 2.1.6
Sendmail 2.2 prior to 2.2.6
Sendmail Switch 3.0 prior to 3.0.4
Sendmail for NT 2.x prior to 2.6.3
Sendmail for NT 3.0 prior to 3.0.4

Description:
Michal Zalewski has discovered a remotely exploitable buffer overflow
in all current versions of Sendmail. The prescan() function in
parseaddr.c reads address bytes through a char and holds them in an
int; on platforms where char is signed (Intel among them) the byte
0xFF sign-extends to -1, which is also the value of sendmail's NOCHAR
sentinel. By crafting a malicious email message containing addresses
built from 0xFF bytes it is possible to (repeatedly) bypass the check
for overlong addresses, overflow stack variables and seize control of
program execution, allowing attackers to execute arbitrary code with
root privileges. Local exploitation of the vulnerability has been
demonstrated; remote exploitation is believed to be possible and
straightforward, especially on little-endian (Intel-based) platforms.
Note that this vulnerability is message-based rather than
connection-based: a malicious message relayed through an
Internet-facing MTA can reach, and thus compromise, internal mail
handlers that never accept outside connections.

Risk: Remote root compromise of systems running Sendmail.

Deployment: Widely deployed. Sendmail has been documented to handle
between 50% and 75% of all email traffic, and is the most common mail
transfer agent (MTA) used on the Internet.

Ease of Exploitation: Straightforward. Remote exploitation has not yet
been demonstrated, but the discoverer of the bug believes it would
be relatively easy to do so on little-endian platforms such as x86.
Big-endian platforms (SPARC, PowerPC and mainframes, for example)
are believed to be more difficult, but not impossible, to exploit.
Attackers can compare the patched and unpatched Sendmail source to
locate the flaw precisely. Expect that a remote exploit will be
forthcoming.

Status: Vendor confirmed, patches and upgrades available from the
Sendmail Consortium.

Severity: CRITICAL (remote root server compromise, widely deployed,
vulnerability details available)

References:
- -------------
CERT Advisory and Vulnerability Note
http://www.cert.org/advisories/CA-2003-12.html
http://www.kb.cert.org/vuls/id/897604

Vendor Announcement
http://archives.neohapsis.com/archives/bugtraq/2003-03/0451.html
http://www.sendmail.org/8.12.9.html

Posting by Michal Zalewski
http://lists.netsys.com/pipermail/full-disclosure/2003-March/008973.html

Earlier Postings about Vulnerability Rumors
http://lists.netsys.com/pipermail/full-disclosure/2003-March/008972.html
http://lists.netsys.com/pipermail/full-disclosure/2003-March/008971.html
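As an added illustration (not code from this newsletter, from Zalewski's posting or from sendmail itself), the C model below reproduces the shape of the prescan() bug described above: an int lookahead fed from a signed char, a negative NOCHAR sentinel, and an "address too long" guard that covers only one of two stores into the token buffer. The function names, the 16-byte buffer and the constructed "\<0xFF>" input are assumptions chosen for the demo; the hardened version shows the principle behind the fix (read bytes as unsigned so nothing collides with the sentinel, and guard every store), not the text of the 8.12.9 patch. Both loops write into an oversized scratch buffer and return how many bytes they wrote, so the overflow is reported rather than triggered.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NOCHAR   (-1)   /* sendmail's sentinel: "no lookahead character pending" */
#define PVPBSIZE 16     /* declared token buffer size in this model (assumption) */

/* Vulnerable pattern, modelled on the shape of prescan(); not sendmail's code.
 * The length guard sits only in the branch that stores the lookahead
 * character; the backslash branch stores a byte on its own, unguarded.
 * Input is read through signed char (what plain char is on x86), so 0xFF
 * sign-extends to -1 == NOCHAR: after a backslash it takes the unguarded
 * store, then the guarded store is skipped because c "is" NOCHAR.  Every
 * "\<0xFF>" pair therefore writes one byte past the guard.  'out' must be
 * larger than PVPBSIZE; the return value is the byte count written, so
 * anything above PVPBSIZE-1 is what a real PVPBSIZE buffer would overflow by. */
static size_t prescan_model_vuln(const char *addr, char *out)
{
    const signed char *p = (const signed char *)addr;
    char *q = out;
    int c = NOCHAR;
    int bslashmode = 0;

    for (;;) {
        /* store away any old lookahead character: the only guarded store */
        if (c != NOCHAR && !bslashmode) {
            if (q >= &out[PVPBSIZE - 1])
                break;                      /* "553 Address too long" */
            *q++ = (char)c;
        }
        c = *p++;                           /* 0xFF becomes -1 here */
        if (c == '\0')
            break;
        if (bslashmode) {
            bslashmode = 0;
            *q++ = '\\';                    /* UNGUARDED store */
            continue;                       /* c == NOCHAR skips the guard above */
        }
        if (c == '\\') {
            bslashmode = 1;
            c = NOCHAR;
        }
    }
    *q = '\0';
    return (size_t)(q - out);
}

/* Hardened form: read through unsigned char so no byte can equal the
 * negative sentinel, and apply the bound to every store, not just one. */
static size_t prescan_model_fixed(const char *addr, char *out)
{
    const unsigned char *p = (const unsigned char *)addr;
    char *q = out;
    int c = NOCHAR;
    int bslashmode = 0;

    for (;;) {
        if (c != NOCHAR && !bslashmode) {
            if (q >= &out[PVPBSIZE - 1])
                break;
            *q++ = (char)c;
        }
        c = *p++;                           /* always 0..255, never NOCHAR */
        if (c == '\0')
            break;
        if (bslashmode) {
            bslashmode = 0;
            if (q >= &out[PVPBSIZE - 1])    /* guard this store too */
                break;
            *q++ = '\\';
            continue;
        }
        if (c == '\\') {
            bslashmode = 1;
            c = NOCHAR;
        }
    }
    *q = '\0';
    return (size_t)(q - out);
}

/* Constructed attack input: "\<0xFF>" repeated 'pairs' times; returns its length. */
static size_t build_ff_payload(char *buf, size_t pairs)
{
    size_t i;
    for (i = 0; i < pairs; i++) {
        buf[2 * i]     = '\\';
        buf[2 * i + 1] = (char)0xFF;
    }
    buf[2 * pairs] = '\0';
    return 2 * pairs;
}

int main(void)
{
    char payload[128], out[256];
    build_ff_payload(payload, 40);
    printf("declared buffer holds %d bytes\n", PVPBSIZE - 1);
    printf("vulnerable loop wrote %zu bytes\n", prescan_model_vuln(payload, out));
    printf("fixed loop wrote      %zu bytes\n", prescan_model_fixed(payload, out));
    return 0;
}
```

Run as-is, the vulnerable loop reports 40 bytes written against a declared 16-byte buffer while the fixed loop stops at 15. The same collision appears anywhere a negative int sentinel is compared against a value loaded from plain char; the review-time check is whether every path that stores into the buffer is covered by the same bound.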

**************************************************************
Moderately Deployed Software
**************************************************************

(1) MODERATE: Ximian Evolution Mail Client Multiple Vulnerabilities

Affected Products:
Ximian Evolution version 1.2.2 and prior

Description:
Ximian Evolution is an integrated workgroup and personal information
management application for Unix/Linux systems. Researchers have
discovered multiple vulnerabilities in Evolution's mail user agent
that allow a malicious email message to bypass security restrictions,
crash the application or potentially execute arbitrary code. The CORE
advisory contains several example emails that can be used to trigger
the various flaws.

Risk: A specially crafted email message could execute arbitrary code
on the system running Evolution, with the privileges of the user
running the program.

Deployment: Moderate.
Evolution is a popular GNOME-based software package for Unix/Linux
that has won multiple industry awards.

Ease of Exploitation: Unknown.
The CORE research team has provided several example email messages that
can be used to crash or destabilize Evolution, or cause the application
to ignore configuration settings. The team states that further research
is required to demonstrate the execution of arbitrary code.

Status: Vendor confirmed, Evolution version 1.2.3 contains the fixes.

References:
Red Hat Advisory
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0079.html

CORE Security Technologies Advisory
http://www.securityfocus.com/advisories/5134

SecurityFocus BIDs
http://www.securityfocus.com/bid/7117/discussion/
http://www.securityfocus.com/bid/7118/discussion/
http://www.securityfocus.com/bid/7119/discussion/

Vendor Homepage
http://ximian.com/products/evolution/

Council Site Actions:
Three council sites are using the affected software.
The first site has a large deployment (several thousand users). They
are treating this as a low priority problem and plan to update the
software within a few months. The second site has recently started to
use Evolution as an alternate client for their Exchange Users. Their
Open Source support group will either be upgrading the older versions
of the affected software or they will strongly recommend that the
users upgrade themselves. The third site has a pilot project underway
for Ximian with a site-specific build. They have contacted the Ximian
developers and requested them to change this build to 1.2.3.

**************************************************************

(2) MODERATE: Mozilla Bonsai CGI Suite Command Execution Vulnerability

Affected Products:
Mozilla Bonsai 1.3

Description:
The Bonsai CGI suite provides a web-based query interface to a CVS
source code repository. Debian has reported that Bonsai contains
multiple vulnerabilities; the most severe problem allows remote
attackers to execute arbitrary commands on the server running Bonsai
with the privileges of the www-data user. Specific technical details
have not been released.

Risk: Remote compromise of web servers running Mozilla Bonsai with
the privileges of the www-data user.

Deployment: Moderate.
Bonsai is open-source Mozilla software written in Perl. The program is
deployed by organizations to provide web-based access to CVS resources.
Debian GNU/Linux is known to include the vulnerable software.

Ease of Exploitation: Unknown.
No technical details have been released. However, an attacker can
inspect the Bonsai source code changes to gain information that may
be useful in crafting an exploit.

Status: Vendor confirmed, Debian has released updated packages.

References:
Debian Advisory
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0893.html

SecurityFocus BID (Command Execution Vulnerability)
http://www.securityfocus.com/bid/7162

CVE Information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0152

Bonsai Website
http://www.mozilla.org/bonsai.html

Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites.

**************************************************************

(3) LOW: Mutt IMAP Client Folder Buffer Overflow

Affected Products:
Mutt versions up to and including 1.4.0 (stable)
Mutt versions up to and including 1.5.3 (unstable)

Description:
The Mutt mail client contains a buffer overflow in an internal function
used to convert between UTF-8 and the modified UTF-7 encoding that IMAP
uses for mailbox (folder) names. A malicious IMAP server can exploit
the flaw by returning a specially crafted folder name that the client
then converts. Researchers have demonstrated that the vulnerability
can be used to crash a Mutt client, and believe that the flaw can be
exploited to execute arbitrary code.

Risk: A malicious IMAP server can execute arbitrary code on a client
system with the privileges of the user running Mutt.

Deployment: Moderate.
Mutt is a popular open source mail client for Unix/Linux systems,
providing support for IMAP and POP3 with a number of user-friendly
features. SuSE, Debian and Conectiva Linux are known to include the
vulnerable software.

Ease of Exploitation: Unknown.
CORE has provided an example of how to trigger the flaw to crash
Mutt, but states that further research is required to find a reliable
exploitation method that can be used to execute attacker-supplied code.

Status: Vendor confirmed, fixed packages available.

References:
CORE Security Technologies Advisory
http://www1.corest.com/common/showdoc.php?idx=310&idxseccion=10

Vendor Statement
http://archives.neohapsis.com/archives/bugtraq/2003-03/0293.html

Vendor Website
http://www.mutt.org/

SecurityFocus BID
http://www.securityfocus.com/bid/7120

Council Site Actions:
Only two of the reporting council sites are using the affected
software. One site does not officially support the software, but
they have a few hundred users who use it as their primary e-mail
client. For most of those users, Mutt is installed on a Red Hat Linux
or Debian GNU/Linux system that receives updated packages frequently.
The second site determined the vulnerability was not important enough
to deserve special attention; they feel it is unlikely that users will
connect to an unknown mail server.

*************************************************************
Updates
*************************************************************

(4) Windows 2000 ntdll.dll Exploit Codes (Code Released)

Multiple exploit codes have been released for the Windows 2000
ntdll.dll vulnerability reported in last week's newsletter (item #2).
To date, all published exploits use the IIS WebDAV attack vector: an
HTTP request using the SEARCH method with a very long URL is sent to
a vulnerable server. The vulnerability allows remote attackers to
execute arbitrary code with SYSTEM privileges on vulnerable Windows
2000 systems.

Previous CVA Report (item #2):
http://www.sans.org/newsletters/cva/vol2_11.php

Exploit Code by Roman Medina (provides remote shell):
http://archives.neohapsis.com/archives/bugtraq/2003-03/0372.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0405.html

FateLabs Analysis of Roman Medina's Exploit:
http://www.fatelabs.com/library/fatelabs-ntdll-analysis.pdf

Additional Exploit Codes by kralor and Matrix:
http://www.packetstormsecurity.nl/filedesc/wb.c.html
http://www.securiteam.com/exploits/5SP0L159FC.html

Council Site Actions:
Several council sites reported they have been using the exploit
code to test for potentially vulnerable systems at their sites. In
some cases, the exploit code helped identify additional vulnerable
systems. Several sites also updated their IDS signatures to include
this exploit signature.

In terms of response to the initial vulnerability, the council sites
didn't report any new actions. However, several sites said they will
escalate the process of patching internal servers now that exploit
code has been released.
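As an added example that is not part of this newsletter or of any of the exploit codes listed above, the C routine below is the kind of check the council sites' IDS signatures encode: it parses the request line of a raw HTTP request and flags a SEARCH method carrying an oversized request-URI. The MAX_URI_LEN threshold, the sample requests and the function names are assumptions for the demo; the text says only that the published exploits send "a very long URL".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Threshold for an "overlong" request-URI.  Assumed for this demo: real
 * WebDAV clients send URIs of a few hundred bytes, while the published
 * ntdll.dll exploits send tens of kilobytes. */
#define MAX_URI_LEN 1024

enum verdict {
    REQ_OK = 0,             /* nothing suspicious */
    REQ_MALFORMED,          /* no parsable "METHOD URI" request line */
    REQ_OVERLONG,           /* any method with an overlong URI */
    REQ_SEARCH_OVERLONG     /* SEARCH + overlong URI: the exploit pattern */
};

/* Classify one raw HTTP request (request line first).  If uri_len is
 * non-NULL it receives the length of the request-URI. */
static enum verdict classify_request(const char *req, size_t *uri_len)
{
    const char *sp = strchr(req, ' ');
    if (sp == NULL || sp == req)
        return REQ_MALFORMED;

    size_t mlen = (size_t)(sp - req);
    const char *uri = sp + 1;
    size_t ulen = strcspn(uri, " \r\n");    /* URI ends at SP or end of line */
    if (ulen == 0)
        return REQ_MALFORMED;
    if (uri_len != NULL)
        *uri_len = ulen;

    int is_search = (mlen == 6 && memcmp(req, "SEARCH", 6) == 0);
    if (ulen > MAX_URI_LEN)
        return is_search ? REQ_SEARCH_OVERLONG : REQ_OVERLONG;
    return REQ_OK;
}

/* Constructed sample: a SEARCH request whose request-URI is exactly n bytes
 * ("/" followed by n-1 'A's).  Returns the total request length, or 0 if
 * the buffer is too small. */
static size_t build_search_request(char *buf, size_t bufsz, size_t n)
{
    const char *head = "SEARCH /";
    const char *tail = " HTTP/1.1\r\nHost: www.example.com\r\n\r\n";
    size_t hl = strlen(head), tl = strlen(tail);
    if (n == 0 || hl + (n - 1) + tl + 1 > bufsz)
        return 0;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', n - 1);
    memcpy(buf + hl + (n - 1), tail, tl + 1);   /* copies the NUL too */
    return hl + (n - 1) + tl;
}

int main(void)
{
    static char big[80000];
    const char *samples[] = {
        "GET /index.html HTTP/1.0\r\n\r\n",                     /* constructed */
        "PROPFIND /docs/ HTTP/1.1\r\nDepth: 1\r\n\r\n",          /* constructed */
        "SEARCH /docs/ HTTP/1.1\r\nContent-Length: 0\r\n\r\n",   /* constructed, benign */
        big,                                                   /* constructed, 70000-byte URI */
    };
    size_t i, len = 0;

    build_search_request(big, sizeof big, 70000);
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum verdict v = classify_request(samples[i], &len);
        printf("%-9.8s uri_len=%-6zu verdict=%d\n", samples[i], len, (int)v);
    }
    return 0;
}
```

Run this over the reassembled HTTP stream, not over individual packets, or a long URI split across segments will never reach the length test. The server-side counterpart is to cap the URL length IIS will accept (URLScan's MaxUrl setting) and to disable WebDAV where it is not needed.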

**************************************************************

(5) Windows SvcHost DoS (MS Patch Released)

Microsoft has released an advisory and a patch for the Windows SvcHost
DoS discovered by Immunity Security last October. Malformed RPC
requests sent to port 135/tcp can crash svchost.exe on vulnerable
Windows NT/2000/XP systems. The crash takes down the Windows RPC
service, and with it every program that depends on RPC. Typically
the victim system must be rebooted to be restored to a usable state.
Note that the Microsoft patches cover Windows 2000 and XP only;
Windows NT 4.0 is affected but receives no patch.

Microsoft Bulletin and Patches for Win 2000/XP
http://www.microsoft.com/technet/security/bulletin/MS03-010.asp

Immunity Security Advisory
http://www.immunitysec.com/vulnerabilities/Immunity_svchost_DoS.txt

Exploit Codes for Windows 2000:
- ---------------------------------
Running SPIKE 2.7's msrpcfuzz program triggers the flaw.
A standalone linux binary is also available (derived from SPIKE):
http://www.immunitysec.com/vulnerabilities/Immunity_scvhostkill.tar.gz

Another exploit by lion is posted to SecuriTeam:
http://www.securiteam.com/exploits/6V00P0K5SE.html

Council Site Actions:
Several council sites reported plans to patch this vulnerability now
that an exploit program has been released. Most sites are not treating
this as an urgent problem and plan to roll out the patches during the
next regularly scheduled system update. Several sites said they have
been blocking, or plan to block, port 135 at their security perimeters.
One site is discussing whether to recommend that every Windows NT
4.0 user obtain a personal-firewall program and configure it to block
port 135/tcp from all, or nearly all, source IP addresses.

************************************************************

About the CVA Process and Council

The CVA is produced in four phases:
Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
web sites as well as bugtraq and other sources of new vulnerability
information and compile what they believe to be a complete list of all
new vulnerabilities and major vulnerability announcements made during
the week. The SANS Institute and Network Computing Magazine vet the
list through the major system manufacturers and jointly publish it
every week as the Security Alert Consensus (SAC). Anyone may subscribe
to the SAC at http://www.sans.org/newlook/digests/SAC.htm

Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
vulnerabilities and announcements that demand immediate action. This
reduces the list from 30-50 each week down to under 10. Vicki has been
on the front lines of intrusion detection and vulnerability testing
for nearly six years and her work in the field is legendary.

Phase 3: Very technical security managers at fifteen of the largest
user organizations in the United States each review the "immediate
action" vulnerabilities and describe what they did or did not do
to protect their organizations. Council members include banks and
other financial organizations, government agencies, universities,
major research laboratories, ISPs, health care, manufacturers,
insurance companies and a couple more. The individual members have
direct responsibility for security for their systems and networks. All
were concerned that information about their security configuration
would leak out, and agreed to serve only if their identities were
not revealed.

Phase 4: SANS compiles the responses and identifies the items on which
the Council members took or are taking action, produces the weekly CVA,
and distributes it via email to all eligible persons.

**********************************************************************
Critical Vulnerability Analysis Scale Ratings

In ranking vulnerabilities several factors are taken into account,
such as:
   
- - Is this a server or client compromise? At what privilege level?
- - Is the affected product widely deployed?
- - Is the problem found in default configurations/installations?
- - Are the affected assets high value (e.g. databases, e-commerce
  servers)?
- - Is the network infrastructure affected (DNS, routers, firewalls)?
- - Is exploit code publicly available?
- - Are technical vulnerability details available?
- - How difficult is it to exploit the vulnerability?
- - Does the attacker need to lure victims to a hostile server?

Based on the answers to these questions, vulnerabilities are ranked
as Critical, High, Moderate, or Low.

CRITICAL vulnerabilities are those where essentially all planets
align in favor of the attacker. These vulnerabilities typically
affect default installations of very widely deployed software, result
in root compromise of servers or infrastructure devices, and the
information required for exploitation (such as example exploit code)
is widely available to attackers. Further, exploitation is usually
straightforward, in the sense that the attacker does not need any
special knowledge about individual victims, and does not need to lure
a target user into performing any special functions.

HIGH vulnerabilities are usually issues that have the potential to
become CRITICAL, but have one or a few mitigating factors that make
exploitation less attractive to attackers. For example, vulnerabilities
that have many CRITICAL characteristics but are difficult to exploit,
do not result in elevated privileges, or have a minimally sized victim
pool are usually rated HIGH. Note that HIGH vulnerabilities where the
mitigating factor arises from a lack of technical exploit details will
become CRITICAL if these details are later made available. Thus, the
paranoid administrator will want to treat such HIGH vulnerabilities as
CRITICAL, if it is assumed that attackers always possess the necessary
exploit information.

MODERATE vulnerabilities are those where the scales are slightly tipped
in favor of the potential victim. Denial of service vulnerabilities
are typically rated MODERATE, since they do not result in compromise
of a target. Exploits that require an attacker to reside on the same
local network as a victim, only affect nonstandard configurations
or obscure applications, require the attacker to social engineer
individual victims, or where exploitation only provides very limited
access are likely to be rated MODERATE.

LOW vulnerabilities usually do not affect most administrators, and
exploitation is largely unattractive to attackers. Often these issues
require the attacker to already have some level of access to a target
(e.g. be able to execute arbitrary SQL queries, or be able to pop mail
from a mail server), require elaborate specialized attack scenarios,
and only result in limited damage to a target. Alternatively, a LOW
ranking may be applied when there is not enough information to fully
assess the implications of a vulnerability. For example, vendors often
imply that exploitation of a buffer overflow will only result in a
denial of service. However, many times such flaws are later shown
to allow for execution of attacker-supplied code. In these cases,
the issues are reported in order to alert security professionals to
the potential for deeper problems, but are ranked as LOW due to the
element of speculation.

Remediation Timescale
===================================
A vulnerability rating corresponds to the "threat level" of a
particular issue. Critical threats must be responded to most quickly,
as the potential for exploitation is high. Recommended response times
for each rating are listed below. These recommendations should be
tailored to the level of deployment of the affected product at your
organization.

CRITICAL: 48 hours
HIGH: 5 business days
MODERATE: 15 business days
LOW: At the administrator's discretion

******************************************************************
Subscriptions: The CVA is distributed free of charge to people
responsible for securing information systems and networks. You may
forward this newsletter to any people with such responsibility inside
or outside your organization.

To subscribe, at no cost, go to https://www.sans.org/sansnews/
where you may also request subscriptions to any of SANS other free
newsletters.

To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number or email address
(from the headers.) You will receive your personal URL via email.

Copyright 2003. All rights reserved. No copying, forwarding, or reuse
allowed, other than those listed in the preceding paragraph, without
written permission from the SANS Institute. Email sansrosans.org for
permission.
                         ==end==

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+iCpr+LUG5KFpTkYRAjkTAJ96UZddA0hi0mNnwPs8gwIylQHCxgCfVhCu
DLEWsKazXQSRQOt49IsfRdI=
=xY7e
-----END PGP SIGNATURE-----