SANS Critical Vulnerability Analysis Vol 2 No 13

From: The SANS Institute (CriticalVulnerabilityAnalysissans.org)
Date: Mon Apr 07 2003 - 10:30:54 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

***********************************************************************
                  SANS Critical Vulnerability Analysis
April 7, 2003 Vol. 2. No. 13
***********************************************************************

The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week and
provides guidance on appropriate actions to protect your systems.

***********************************************************************

Table of Contents:

Widely Deployed Software
(1) MODERATE: RealPlayer PNG Image Decompression Buffer Overflow
(2) MODERATE: Quicktime Player quicktime:// URL Buffer Overflow
(3) MODERATE: SETIhome Client Buffer Overflow

Other Software
(4) HIGH: Passlogd Remote Buffer Overflow

************************* Sponsored Links ***************************
Privacy notice: These links redirect to non-SANS web pages.

(1) Do you have 128-bit SSL encryption? Get VeriSign's FREE Guide
http://www.sans.org/cgi-bin/sanspromo/CVA35
----------------------------------------------
(2) Instantly stop DDoS attacks and port scans.
Hands-on, online demo--launch and mitigate live attacks.
http://www.sans.org/cgi-bin/sanspromo/CVA36
-----------------------------------------------
(3) Simplifying security for your network, while cutting costs and
improving management flexibility. **FREE WHITEPAPER**
http://www.sans.org/cgi-bin/sanspromo/CVA37
***********************************************************************

************************************
Widely Deployed Software
************************************
(1) MODERATE: RealPlayer PNG Image Decompression Buffer Overflow

Affected Products:
RealOne Player and RealOne Player v2 for Windows (all languages)
RealOne Player for Mac OS X
RealOne Enterprise Desktop Manager
RealOne Enterprise Desktop (all versions)
RealPlayer 8 for Windows (all languages)
RealPlayer 8 for Mac OS 9
Possibly RealPlayer 8 for Unix (reported by SecurityFocus only)

Description:
Various versions of RealPlayer and RealOne Player are vulnerable to a
heap-based buffer overflow when decompressing PNG graphics. A malicious
PNG image supplied by an email or web server can exploit the flaw to
execute arbitrary code on the system running RealPlayer/RealOne.

Risk: Remote client compromise at the privilege level of the user
running RealPlayer/RealOne.

Deployment: Widely Deployed.
According to the RealNetworks web site, RealPlayer is the second most
widely used Internet-based software application in the world, and the
RealOne user base grows by hundreds of thousands of new users per day.

Ease of Exploitation: Unknown.
Core has crafted a working exploit and is providing an associated
module for the Core Impact penetration testing product. Some technical
vulnerability details have been posted.

Status: Vendor confirmed, fixed software is available for Windows
and Mac OS platforms.

References:
Core Security Advisory
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0156.html

SecurityFocus BID
http://www.securityfocus.com/bid/7177

Vendor Security Update
http://service.real.com/help/faq/security/securityupdate_march2003.html

Background Info About Real Software Deployment
http://www.realnetworks.com/company/index.html

Council Site Actions:
All council sites reported that while this software is not officially
supported or distributed by any of their central support groups, they
are aware of potentially widespread use within their organizations.
Most council sites have notified their desktop support groups of the
vulnerability, but several said that it is unlikely the support groups
will take any action. For most sites, the basic stance is that if
the support groups don't distribute and support the software, they
won't patch the software. One council site did state that a number
of systems had already been patched at their sites.

Some council sites view this as a low risk problem since the user
must be enticed to visit a malicious website before the attack can
take place. A few other council sites are continuing to watch activity
regarding these vulnerabilities.

***************************************************************

(2) MODERATE: Quicktime Player URL Buffer Overflow

Affected Products:
Apple QuickTime Player 6 for Windows
Apple QuickTime Player 5.x for Windows
Possibly QuickTime for Mac OS (reported by SecurityFocus only)

Description:
Apple's Quicktime player contains a remotely exploitable buffer
overflow in the handling of malformed quicktime:// URLs. A malicious
web page or email could trick a user into loading a specially crafted
URL, and thereby exploit the vulnerability to execute arbitrary code
on the user's system.

Risk: Remote client compromise at the privilege level of the user
running QuickTime.

Deployment: Widely deployed.
According to the Apple website, QuickTime has over 100 million users
worldwide, and the application is downloaded more than 300,000 times
per day.

Ease of Exploitation: Straightforward.
This is a stack-based buffer overflow that can be triggered by a very
long quicktime URL. Example: quicktime://127.0.0.1/AAAAA...[400 chars]

Status: Vendor confirmed, fixed in QuickTime version 6.1.

References:
iDefense Security Advisory
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0166.html

SecurityFocus BID
http://www.securityfocus.com/bid/7247

Vendor Security Update
http://docs.info.apple.com/article.html?artnum=61798

Background Info About QuickTime Deployment
http://www.apple.com/quicktime/whyqt/

Council Site Actions:
All council sites reported that their action for this item was the
same as item (1) above.

***************************************************************

(3) MODERATE: SETIhome Client Buffer Overflow

Affected Products:
SETIhome screensaver versions prior to 3.08
                                                 
Description:
SETIhome is a popular screen saver that uses a computer's idle time
to process radio telescope data collected by the Search for
Extraterrestrial Intelligence (SETI) project at UC Berkeley. The screen
saver communicates with the Berkeley data servers to fetch new data and
perform various maintenance tasks, and will only communicate with the
specific server hostnames hard-coded into the screen saver application.

A buffer overflow vulnerability has been found in the client code used
to process server responses, making clients vulnerable to attack by
malicious servers. An attacker could exploit the hole if they could
spoof or compromise a SETIhome data server. Under such circumstances
the attacking server could execute arbitrary code on the client with
the privileges of the user running the screen saver. It is worthwhile
to note that a similar overflow bug may exist in the SETIhome server
code, and an attacker able to compromise a server would be able to
leverage the position to compromise all SETIhome clients.

Risk: Remote compromise of systems running the SETIhome client,
with the privileges of the user running the vulnerable program.

Deployment: Widely deployed. According to the project's website,
there are currently over 4 million SETIhome users.

Ease of Exploitation: Straightforward, but the attacker must find
some way to direct the client traffic that is meant for the SETIhome
server to a hostile server under the attacker's control. A server that
sends a very long newline-terminated string will trigger the overflow
on the client. An example exploit for SETIhome Linux clients has
been published.

Status: Vendor confirmed, the problems are fixed in version 3.08.

References:
Vendor Website and Software Fixes
http://setiathome.ssl.berkeley.edu/
http://setiathome.ssl.berkeley.edu/version308.html

Security Advisory and Exploit by Berend-Jan Wever
http://spoor12.edup.tudelft.nl/

Council Site Actions:
Due to the late breaking nature of this vulnerability, we were unable
to solicit input from the council sites.
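
Items (2) and (3) share one bug class: attacker-controlled data (a long
quicktime:// URL, a long newline-terminated server response) lands in a
fixed-size buffer with no length check. The following is an added
illustration written for this edition of the CVA; it is not code from
Apple, from the SETI@home project, or from the advisories cited, and the
buffer sizes, limits and function names are constructed.

```c
/* Added illustration, not vendor code: the unchecked-copy pattern behind
 * items (2) and (3), beside a bounded version. RESP_MAX, URL_MAX and all
 * function names are constructed for this example. */
#include <stdio.h>
#include <string.h>

#define RESP_MAX 64     /* constructed: the client's fixed response buffer */
#define URL_MAX  256    /* constructed: longest URL the handler will accept */
#define HOST_MAX 253    /* longest fully qualified DNS hostname */

/* Vulnerable pattern (shown for contrast, only ever called on a benign
 * string here): everything up to the newline is copied into a RESP_MAX
 * buffer, so a 400-byte line from a hostile server overruns it. */
static int parse_response_unsafe(const char *line, char buf[RESP_MAX])
{
    const char *nl = strchr(line, '\n');
    size_t n = nl ? (size_t)(nl - line) : strlen(line);
    memcpy(buf, line, n);             /* no comparison against RESP_MAX */
    buf[n] = '\0';
    return (int)n;
}

/* Bounded: the field is copied only if its terminator lies within the bytes
 * actually received and the field fits with its NUL. Returns the field
 * length, or -1 when the input must be rejected (drop the session rather
 * than truncating, since a truncated protocol field is itself untrustworthy). */
static int parse_response_bounded(const char *data, size_t len,
                                  char *buf, size_t cap)
{
    const char *nl = memchr(data, '\n', len);
    if (nl == NULL)
        return -1;                    /* no terminator in what was received */
    size_t n = (size_t)(nl - data);
    if (n >= cap)
        return -1;                    /* would not fit, including the NUL */
    memcpy(buf, data, n);
    buf[n] = '\0';
    return (int)n;
}

/* Bounded custom-scheme URL handler: limits the whole URL, checks the
 * scheme, then copies only a host of sane length. Returns 0 on success. */
static int parse_quicktime_url(const char *url, char *host, size_t cap)
{
    static const char scheme[] = "quicktime://";
    const size_t slen = sizeof scheme - 1;
    if (strlen(url) > URL_MAX || strncmp(url, scheme, slen) != 0)
        return -1;
    const char *p = url + slen;
    size_t n = strcspn(p, "/?#");     /* host ends at path, query or fragment */
    if (n == 0 || n > HOST_MAX || n >= cap)
        return -1;
    memcpy(host, p, n);
    host[n] = '\0';
    return 0;
}

/* Constructed inputs: a benign response and URL, then a 400-byte response
 * and a 400-byte URL of the shape the newsletter describes. */
static int demo_short_response(void)
{
    char buf[RESP_MAX];
    const char msg[] = "OK 42\n";
    return parse_response_bounded(msg, sizeof msg - 1, buf, sizeof buf);  /* 5 */
}

static int demo_long_response(void)
{
    char buf[RESP_MAX], line[402];
    memset(line, 'A', 400);
    line[400] = '\n';
    line[401] = '\0';
    return parse_response_bounded(line, 401, buf, sizeof buf);            /* -1 */
}

static int demo_good_url(void)
{
    char host[HOST_MAX + 1];
    return parse_quicktime_url("quicktime://127.0.0.1/movie.mov",
                               host, sizeof host);                        /* 0 */
}

static int demo_long_url(void)
{
    static const char prefix[] = "quicktime://127.0.0.1/";
    const size_t pl = sizeof prefix - 1;
    char host[HOST_MAX + 1], url[sizeof prefix + 400];
    memcpy(url, prefix, pl);
    memset(url + pl, 'A', 400);
    url[pl + 400] = '\0';
    return parse_quicktime_url(url, host, sizeof host);                   /* -1 */
}

int main(void)
{
    char tmp[RESP_MAX];
    printf("unsafe parser on a benign line: %d\n", parse_response_unsafe("OK 42\n", tmp));
    printf("bounded parser, short response: %d\n", demo_short_response());
    printf("bounded parser, 400-byte response: %d\n", demo_long_response());
    printf("url handler, good url: %d\n", demo_good_url());
    printf("url handler, 400-byte url: %d\n", demo_long_url());
    return 0;
}
```

The point of the bounded variants is that the length decision is made
before any copy, against the number of bytes actually received rather than
against a terminator the peer controls, and that an overlong field is a
reason to abort the session, not to truncate and continue.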

**********************************************************
Other Software
**********************************************************

(4) HIGH: Passlogd Remote Buffer Overflow

Affected Products:
passlogd (Passive Syslog Capture Daemon) versions prior to 0.1e

Description:
Passlogd is a libpcap-based sniffer program that passively monitors
syslog messages sent across the network. This scheme allows backup
logging to be performed by a machine that has no open ports and
possibly no IP address. The daemon contains a remotely exploitable
buffer overflow that allows attackers to execute arbitrary code on
the host running passlogd with root privileges. The vulnerability can
be exploited by placing a malicious packet on the wire that passlogd
will attempt to parse.

Risk: Remote root compromise of systems running passlogd.

Deployment: Small.
Passlogd is specifically deployed as a backup logger in environments
where syslog audit trails are carefully monitored. The software is
typically run on Linux and OpenBSD systems, and is said to be in the
alpha development stage.

Ease of Exploitation: Exploit available.
The attacker must be able to send a packet that passlogd will attempt
to log. The published exploit requires that the vulnerable system
have a known IP address. The exploit works by sending a packet to
port 514/udp carrying a very long string including shellcode. If
successful, the exploit binds a root shell to port 36864/tcp on the
host running passlogd.

Status: Vendor confirmed, fixed software available from the vendor's
website.

References:
INetCop Advisory
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0001.html

Exploit by Xpl017Elz
http://www.packetstormsecurity.nl/filedesc/0x82-Remote.passlogd_sniff.xpl.c.html

Vendor Website
http://www.morphine.com/src/passlogd.html

Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites.
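
Because passlogd is a passive sniffer, nothing on the host itself filters
the packet before it is parsed; the fix is the vendor's 0.1e release. What
a network sensor can do in the meantime is flag syslog datagrams that do
not look like syslog. The following heuristic is an added example for this
edition, not code from passlogd, INetCop or SANS: RFC 3164 limits a syslog
packet to 1024 bytes, expects a leading `<PRI>` field and printable
US-ASCII content, and a 514/udp payload that breaks all of those is the
shape of the attack described above. The sample datagrams and function
names are constructed.

```c
/* Added example, not passlogd or advisory code: an IDS-style sanity check
 * for one 514/udp payload against the RFC 3164 packet rules. Samples below
 * are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define SYSLOG_MAX_LEN 1024            /* RFC 3164 section 4.1 */

enum syslog_flag {
    SYSLOG_OK       = 0,
    SYSLOG_TOO_LONG = 1,               /* payload exceeds 1024 bytes */
    SYSLOG_BAD_PRI  = 2,               /* no "<digits>" priority prefix */
    SYSLOG_NONPRINT = 4                /* bytes outside printable ASCII */
};

/* Returns a bitmask of the flags above for one UDP payload. */
static int check_syslog_datagram(const unsigned char *p, size_t len)
{
    int flags = SYSLOG_OK;
    size_t i;

    if (len > SYSLOG_MAX_LEN)
        flags |= SYSLOG_TOO_LONG;

    /* PRI is '<', one to three digits, '>' at the very start of the packet. */
    if (len >= 3 && p[0] == '<') {
        i = 1;
        while (i < len && i <= 3 && p[i] >= '0' && p[i] <= '9')
            i++;
        if (i == 1 || i >= len || p[i] != '>')
            flags |= SYSLOG_BAD_PRI;
    } else {
        flags |= SYSLOG_BAD_PRI;
    }

    /* Content is printable US-ASCII; tolerate TAB and one trailing LF. */
    for (i = 0; i < len; i++) {
        unsigned char c = p[i];
        if (c == '\t' || (c == '\n' && i + 1 == len))
            continue;
        if (c < 0x20 || c > 0x7e) {
            flags |= SYSLOG_NONPRINT;
            break;
        }
    }
    return flags;
}

/* Constructed sample 1: an ordinary message as sshd would emit it. */
static int demo_normal(void)
{
    static const char m[] =
        "<38>Apr  7 10:30:54 loghost sshd[4123]: Accepted publickey for ops from 10.0.0.5";
    return check_syslog_datagram((const unsigned char *)m, sizeof m - 1);   /* 0 */
}

/* Constructed sample 2: a relay that forgot the PRI field. */
static int demo_no_pri(void)
{
    static const char m[] =
        "Apr  7 10:31:02 loghost cron[77]: (root) CMD (run-parts /etc/cron.hourly)";
    return check_syslog_datagram((const unsigned char *)m, sizeof m - 1);   /* 2 */
}

/* Constructed sample 3: 1500 bytes of filler with a control byte embedded,
 * the shape of an overflow attempt rather than of a log line. */
static int demo_oversized(void)
{
    unsigned char m[1500];
    memcpy(m, "<38>", 4);
    memset(m + 4, 'A', sizeof m - 4);
    m[100] = 0x01;
    return check_syslog_datagram(m, sizeof m);                              /* 5 */
}

int main(void)
{
    printf("normal message:   flags=%d\n", demo_normal());
    printf("missing PRI:      flags=%d\n", demo_no_pri());
    printf("1500-byte packet: flags=%d\n", demo_oversized());
    return 0;
}
```

A sensor would raise an alert whenever `SYSLOG_TOO_LONG` or
`SYSLOG_NONPRINT` is set; a missing PRI on its own is common enough in
misconfigured senders that it is better logged than alerted.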

**********************************************************

About the CVA Process and Council

The CVA is produced in four phases:
Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
web sites as well as bugtraq and other sources of new vulnerability
information and compile what they believe to be a complete list of all
new vulnerabilities and major vulnerability announcements made during
the week. The SANS Institute and Network Computing Magazine vet the
list through the major system manufacturers and jointly publish it
every week as the Security Alert Consensus (SAC). Anyone may subscribe
to the SAC at http://www.sans.org/newlook/digests/SAC.htm

Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
vulnerabilities and announcements that demand immediate action. This
reduces the list from 30-50 each week down to under 10. Vicki has been
on the front lines of intrusion detection and vulnerability testing
for nearly six years and her work in the field is legendary.

Phase 3: Very technical security managers at fifteen of the largest
user organizations in the United States each review the "immediate
action" vulnerabilities and describe what they did or did not do
to protect their organizations. Council members include banks and
other financial organizations, government agencies, universities,
major research laboratories, ISPs, health care, manufacturers,
insurance companies and a couple more. The individual members have
direct responsibility for security for their systems and networks. All
were concerned that information about their security configuration
would leak out, and agreed to serve only if their identities were
not revealed.

Phase 4: SANS compiles the responses and identifies the items on which
the Council members took or are taking action, produces the weekly CVA,
and distributes it via email to all eligible persons.

**********************************************************************
Critical Vulnerability Analysis Scale Ratings

In ranking vulnerabilities several factors are taken into account,
such as:
   
- Is this a server or client compromise? At what privilege level?
- Is the affected product widely deployed?
- Is the problem found in default configurations/installations?
- Are the affected assets high value (e.g. databases, e-commerce
  servers)?
- Is the network infrastructure affected (DNS, routers, firewalls)?
- Is exploit code publicly available?
- Are technical vulnerability details available?
- How difficult is it to exploit the vulnerability?
- Does the attacker need to lure victims to a hostile server?

Based on the answers to these questions, vulnerabilities are ranked
as Critical, High, Moderate, or Low.

CRITICAL vulnerabilities are those where essentially all planets
align in favor of the attacker. These vulnerabilities typically
affect default installations of very widely deployed software, result
in root compromise of servers or infrastructure devices, and the
information required for exploitation (such as example exploit code)
is widely available to attackers. Further, exploitation is usually
straightforward, in the sense that the attacker does not need any
special knowledge about individual victims, and does not need to lure
a target user into performing any special functions.

HIGH vulnerabilities are usually issues that have the potential to
become CRITICAL, but have one or a few mitigating factors that make
exploitation less attractive to attackers. For example, vulnerabilities
that have many CRITICAL characteristics but are difficult to exploit,
do not result in elevated privileges, or have a minimally sized victim
pool are usually rated HIGH. Note that HIGH vulnerabilities where the
mitigating factor arises from a lack of technical exploit details will
become CRITICAL if these details are later made available. Thus, the
paranoid administrator will want to treat such HIGH vulnerabilities as
CRITICAL, if it is assumed that attackers always possess the necessary
exploit information.

MODERATE vulnerabilities are those where the scales are slightly tipped
in favor of the potential victim. Denial of service vulnerabilities
are typically rated MODERATE, since they do not result in compromise
of a target. Exploits that require an attacker to reside on the same
local network as a victim, only affect nonstandard configurations
or obscure applications, require the attacker to social engineer
individual victims, or where exploitation only provides very limited
access are likely to be rated MODERATE.

LOW vulnerabilities usually do not affect most administrators, and
exploitation is largely unattractive to attackers. Often these issues
require the attacker to already have some level of access to a target
(e.g. be able to execute arbitrary SQL queries, or be able to pop mail
from a mail server), require elaborate specialized attack scenarios,
and only result in limited damage to a target. Alternatively, a LOW
ranking may be applied when there is not enough information to fully
assess the implications of a vulnerability. For example, vendors often
imply that exploitation of a buffer overflow will only result in a
denial of service. However, many times such flaws are later shown
to allow for execution of attacker-supplied code. In these cases,
the issues are reported in order to alert security professionals to
the potential for deeper problems, but are ranked as LOW due to the
element of speculation.

Remediation Timescale
===================================
A vulnerability rating corresponds to the "threat level" of a
particular issue. Critical threats must be responded to most quickly,
as the potential for exploitation is high. The recommended response time
for each rating is given below. These recommendations
should be tailored according to the level of deployment of the affected
product at your organization.

CRITICAL: 48 hours
HIGH: 5 business days
MODERATE: 15 business days
LOW: At the administrator's discretion
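
The rating factors and the remediation timescale above can be turned into a
small triage helper, which is what the following added example does. It is
this editor's encoding of the four rating definitions, not a formula SANS
publishes: the decision order (LOW tests first, then the MODERATE
conditions, then a count of mitigating factors against a CRITICAL-shaped
issue) and the field names are assumptions, and the deadline arithmetic
takes the advisory's weekday and skips weekends when counting business days.

```c
/* Added example, not SANS code: the CVA rating definitions and response
 * deadlines as a triage helper. The decision order and field names are
 * this editor's reading of the definitions above, not a published formula. */
#include <stdio.h>

enum cva_rating { CVA_LOW, CVA_MODERATE, CVA_HIGH, CVA_CRITICAL };

struct cva_factors {
    int widely_deployed;        /* affected product in broad use */
    int default_config;         /* reachable in a default install/config */
    int root_or_infrastructure; /* server/infrastructure compromise at high privilege */
    int exploit_public;         /* working exploit code circulating */
    int details_public;         /* technical details published */
    int hard_to_exploit;
    int needs_lure_or_position; /* victim must be lured, or attacker must sit on the LAN / spoof a server */
    int nonstandard_only;       /* only obscure or non-default setups affected */
    int limited_access;         /* exploitation yields very limited access */
    int dos_only;               /* denial of service, no code execution */
    int needs_prior_access;     /* attacker already needs an account or privilege */
    int insufficient_info;      /* impact cannot be assessed yet */
};

static enum cva_rating cva_rate(const struct cva_factors *f)
{
    /* LOW: attacker already needs access, or the impact is speculative. */
    if (f->needs_prior_access || f->insufficient_info)
        return CVA_LOW;
    /* MODERATE: the scales are tipped toward the victim. */
    if (f->dos_only || f->needs_lure_or_position ||
        f->nonstandard_only || f->limited_access)
        return CVA_MODERATE;
    /* Otherwise count mitigating factors against a CRITICAL-shaped issue. */
    int mitigating = !f->widely_deployed + !f->default_config
                   + !f->root_or_infrastructure + !f->exploit_public
                   + !f->details_public + !!f->hard_to_exploit;
    if (mitigating == 0)
        return CVA_CRITICAL;
    if (mitigating <= 2)
        return CVA_HIGH;
    return CVA_MODERATE;
}

/* The "paranoid administrator" reading from the HIGH definition: assume
 * attackers already hold exploit code and details, then re-rate. */
static enum cva_rating cva_rate_paranoid(struct cva_factors f)
{
    f.exploit_public = 1;
    f.details_public = 1;
    f.hard_to_exploit = 0;
    return cva_rate(&f);
}

/* Calendar days until the recommended response deadline, given the weekday
 * of the advisory (0 = Monday ... 6 = Sunday). Business days skip Saturday
 * and Sunday; CRITICAL is a flat 48 hours; LOW returns -1 (discretion). */
static int response_calendar_days(enum cva_rating r, int weekday)
{
    int business_days, days = 0;
    switch (r) {
    case CVA_CRITICAL: return 2;
    case CVA_HIGH:     business_days = 5;  break;
    case CVA_MODERATE: business_days = 15; break;
    default:           return -1;
    }
    while (business_days > 0) {
        weekday = (weekday + 1) % 7;
        days++;
        if (weekday < 5)
            business_days--;
    }
    return days;
}

/* Item (4) as reported above: root compromise of a daemon, exploit and
 * details public, but a small install base. */
static enum cva_rating demo_passlogd(void)
{
    struct cva_factors f = {0};
    f.default_config = 1; f.root_or_infrastructure = 1;
    f.exploit_public = 1; f.details_public = 1;
    return cva_rate(&f);                       /* CVA_HIGH */
}

/* Item (1) as reported above: widely deployed client, working exploit, but
 * the victim must be enticed to a hostile site. */
static enum cva_rating demo_realplayer(void)
{
    struct cva_factors f = {0};
    f.widely_deployed = 1; f.default_config = 1; f.exploit_public = 1;
    f.needs_lure_or_position = 1;
    return cva_rate(&f);                       /* CVA_MODERATE */
}

/* Hypothetical: a widely deployed server root hole with no exploit or
 * details yet. Rates HIGH today, CRITICAL under the paranoid reading. */
static enum cva_rating demo_server_hole(int paranoid)
{
    struct cva_factors f = {0};
    f.widely_deployed = 1; f.default_config = 1; f.root_or_infrastructure = 1;
    return paranoid ? cva_rate_paranoid(f) : cva_rate(&f);
}

int main(void)
{
    /* This issue is dated Monday, April 7 2003, so weekday 0. */
    printf("passlogd rating %d, deadline in %d days\n",
           demo_passlogd(), response_calendar_days(demo_passlogd(), 0));
    printf("RealPlayer rating %d, deadline in %d days\n",
           demo_realplayer(), response_calendar_days(demo_realplayer(), 0));
    printf("server hole: %d now, %d assuming attackers have details\n",
           demo_server_hole(0), demo_server_hole(1));
    return 0;
}
```

For this issue's Monday date the helper gives passlogd a deadline of the
following Monday (5 business days, 7 calendar days) and the three MODERATE
items three weeks (15 business days, 21 calendar days); tailoring for local
deployment, as the text asks, is a matter of overriding the factor fields.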

******************************************************************
Subscriptions: The CVA is distributed free of charge to people
responsible for securing information systems and networks. You may
forward this newsletter to any people with such responsibility inside
or outside your organization.

To subscribe, at no cost, go to https://www.sans.org/sansnews/
where you may also request subscriptions to any of SANS' other free
newsletters.

To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number or email address
(from the headers). You will receive your personal URL via email.

Copyright 2003. All rights reserved. No copying, forwarding, or reuse
allowed, other than those listed in the preceding paragraph, without
written permission from the SANS Institute. Email sansrosans.org
for permission.
                         ==end==

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+kYGp+LUG5KFpTkYRAjwzAJ4xfNByvzi35FFaQ3gJGQs45UQVbgCfY8e4
cFelXU0AKzFPehMRuoUoz0E=
=8sXy
-----END PGP SIGNATURE-----