SANS Critical Vulnerability Analysis Vol 2 No 22
From: The SANS Institute (CriticalVulnerabilityAnalysis@sans.org)
Date: Mon Jun 09 2003 - 09:44:04 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
***********************************************************************
SANS Critical Vulnerability Analysis
June 9, 2003 Vol. 2. No. 22
***********************************************************************
The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week and provides
guidance on appropriate actions to protect your systems.
Details on the CVA process: http://www.sans.org/newsletters/cva/#process
***********************************************************************
Table of Contents:
Widely Deployed Software
(1) HIGH: Internet Explorer Object Type Property Overflow
(2) HIGH: Internet Explorer File Download Flood Vulnerability
(3) HIGH: Yahoo! Audio Conferencing ActiveX Control Buffer Overflow
(4) LOW: Sun Solaris 8 syslogd Buffer Overflow
Other Software
(5) HIGH: MERCUR Mail IMAP4 Server Multiple Buffer Overflows
(6) MODERATE: Apache mod_gzip Debug Mode Vulnerabilities
(7) LOW: JBoss JSP Source Code Disclosure
*************** Sponsored Links For This Week *************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Instantly stop DDoS attacks. Prevent worm propagation. Hands-on,
online demo--launch and mitigate live attacks.
http://www.sans.org/cgi-bin/sanspromo/CVA60
--------------------------------------------------------
(2) VeriSign's whitepaper shows you how to expose vulnerabilities and
identify weaknesses with state-of-the-art security testing.
http://www.sans.org/cgi-bin/sanspromo/CVA61
***********************************************************************
Three Highlighted Training Programs!
(1) London, June 23-28: Five of SANS most popular tracks right in London
at Hammersmith. Details: http://www.sans.org/hammersmith03
--------------------------------------------------------
(2) SANSFire 2003: The largest security training conference in Washington
this year. Nine great tracks, plus a major exposition, plus five extra
programs: Securing Apache, Honeypots, Business Law and Security,
Securing Windows With The Gold Standard, and Reverse Engineering
Malware, plus the National Information Assurance Leadership Conference,
focusing on new developments in security standards. Details:
http://www.sans.org/sansfire03/index.php
--------------------------------------------------------
(3) The Local Mentor program has been expanded. It now offers Track 2:
Firewalls, VPNs, and Perimeter Protection. Programs beginning in June
and July in twelve cities: Allentown, PA; Portland, OR; Boston, MA;
Sao Paulo, BR; Brisbane, AU; Scarsdale, NY; Harrisburg, PA; Singapore;
Lexington, KY; St. Louis, MO; North Ryde, AU; and Tulsa, OK.
Please contact Scott Weil, sweil@sans.org, for registration instructions
or more details on the course in your area.
***********************************************************************
****************************
Widely Deployed Software
****************************
(1) HIGH: Internet Explorer Object Type Property Overflow
Affected Products:
Microsoft Internet Explorer 5.01, 5.5, 6.0
Microsoft Internet Explorer 6.0 for Windows 2003
Description:
Microsoft Internet Explorer (IE) contains a buffer overflow
vulnerability in its handling of specially crafted HTML "object" tags.
IE expands a special character supplied in an object tag's "type"
property without checking the length of the expanded result against the
buffer that receives it. Specifically, each "/" character in the "type"
property value is rewritten as the three characters "_/_", so the
expanded string grows by two bytes per slash. A crafted page that
supplies enough "/" characters makes the expansion overrun a fixed-size
stack buffer. Malicious HTML content supplied by a website, email
message, or other source can exploit the vulnerability to execute
arbitrary code on a victim system running IE.
Council Site Actions:
All but one of the reporting council sites are responding to this
vulnerability. Several sites began the patch rollout over the weekend.
Other sites are rolling the patch into the normal system update cycle
either as a standalone patch or as part of the IE roll-up hot fix.
The site not taking any action is currently less affected by IE
vulnerabilities because their central IT department supports non-IE
browsers exclusively, and they have very widespread use of non-IE
browsers.
Risk: Remote compromise of systems running Internet Explorer with the
privileges of the currently logged in user.
Deployment: Very widely deployed.
This vulnerability affects the most widely deployed versions of Internet
Explorer. Users running IE under the Windows 2003 "Enhanced Security
Configuration" are not at risk unless the ability to view active content
has been re-enabled for untrusted pages.
Ease of Exploitation: Straightforward.
This is a stack-based buffer overflow, and many technical exploitation
details have been posted. The attacker must trick a victim into viewing
a malicious HTML page (could be supplied by a web server, delivered as
part of an email message, provided via file sharing, etc.), and the
attack would execute automatically without user intervention.
Status: Vendor confirmed, cumulative patch available.
References:
eEye Advisory
http://archives.neohapsis.com/archives/bugtraq/2003-06/0030.html
http://www.eeye.com/html/Research/Advisories/AD20030604.html
CERT Vulnerability Note
http://www.kb.cert.org/vuls/id/679556
Microsoft Advisory (Vulnerability #1)
http://www.microsoft.com/technet/security/bulletin/MS03-020.asp
Exploit Code by Sir Alumni
http://www.securityfocus.com/archive/1/324265/2003-06-05/2003-06-11/0
http://downloads.securityfocus.com/vulnerabilities/exploits/ie-object-ex.pl
SecurityFocus BID
http://www.securityfocus.com/bid/7806
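The expansion described above is the whole bug: the output length depends on the content of the input, not on its length, so a destination sized from strlen() of the property value is wrong whenever the value contains slashes. The C program below is an added example written for this page, not eEye's or Microsoft's code; IE's actual routine is not public. TYPE_BUF, the function names and the sample inputs are assumptions. It shows the unchecked expansion beside a version that computes the output length first and refuses input that will not fit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example modelling the "type" property expansion described in the
 * advisory: every '/' becomes "_/_", so output grows by two bytes per slash.
 * Not IE's code. TYPE_BUF is an assumed size for the fixed stack buffer. */
#define TYPE_BUF 64

/* Number of bytes the expansion writes, excluding the terminating NUL. */
size_t expanded_length(const char *type)
{
    size_t n = 0;
    for (; *type != '\0'; type++)
        n += (*type == '/') ? 3 : 1;
    return n;
}

/* Vulnerable pattern: writes whatever the expansion needs and trusts the
 * destination to be big enough. With a TYPE_BUF-sized stack buffer and an
 * attacker-chosen number of slashes this is the overflow. Only call it after
 * the bound has been checked, as expand_type_checked() does below. */
void expand_type_unchecked(const char *type, char *out)
{
    for (; *type != '\0'; type++) {
        if (*type == '/') {
            *out++ = '_'; *out++ = '/'; *out++ = '_';
        } else {
            *out++ = *type;
        }
    }
    *out = '\0';
}

/* Hardened form: derive the bound from the computed output length, not from
 * strlen(type). Returns 0 on success, -1 if the result would not fit. */
int expand_type_checked(const char *type, char *out, size_t outsz)
{
    if (expanded_length(type) + 1 > outsz)   /* +1 for the terminator */
        return -1;
    expand_type_unchecked(type, out);
    return 0;
}

/* Would this property value fit the fixed TYPE_BUF stack buffer? */
int fits_type_buf(const char *type)
{
    char buf[TYPE_BUF];
    return expand_type_checked(type, buf, sizeof buf) == 0;
}

int main(void)
{
    /* Constructed inputs: a normal MIME type and a slash-only payload. */
    const char *benign = "application/x-oleobject";
    char crafted[128];
    memset(crafted, '/', sizeof crafted - 1);
    crafted[sizeof crafted - 1] = '\0';

    printf("benign:  %zu in, %zu out, fits %d-byte buffer: %s\n",
           strlen(benign), expanded_length(benign), TYPE_BUF,
           fits_type_buf(benign) ? "yes" : "no");
    printf("crafted: %zu in, %zu out, fits %d-byte buffer: %s\n",
           strlen(crafted), expanded_length(crafted), TYPE_BUF,
           fits_type_buf(crafted) ? "yes" : "no");
    return 0;
}
```

The same discipline applies to the other fixed-buffer overflows in this issue (the syslogd, IMAP and mod_gzip items): the bound must come from what will actually be written, and the write must be refused, not merely truncated after the fact, when it does not fit.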
****************************************************************
(2) HIGH: Internet Explorer File Download Flood Vulnerability
Affected Products:
Microsoft Internet Explorer 5.01, 5.5, 6.0
Microsoft Internet Explorer 6.0 for Windows 2003
Description:
Microsoft Internet Explorer (IE) contains a vulnerability in handling
large numbers of file download requests received in rapid succession.
Each time IE encounters a request, a download confirmation dialog box
is presented to the user. In attacking the vulnerability, a malicious
HTML page attempts to open hundreds of executable files, causing
hundreds of dialog boxes to be presented to the user in rapid
succession. Eventually IE becomes overwhelmed and fails to adequately
screen the requests, and simply executes the requested file. Using this
attack, malicious HTML content supplied by a website, email, or other
source can execute arbitrary code on a victim system running IE.
Council Site Actions:
All but one of the reporting council sites are responding to this
problem. Several sites began the patch rollout over the weekend. Other
sites are rolling the patch into the normal system update cycle, either
as a standalone patch or as part of the IE roll-up hot fix. One site
commented that the risk is mitigated for their site since their Standard
Outlook Configuration is set to open email in the "Restricted Sites
Zone".
Risk: Remote compromise of systems running Internet Explorer with the
privileges of the currently logged in user.
Deployment: Very widely deployed.
Remote exploitation appears to be most effective against IE 6, but
affects IE 5.x versions as well. Users running IE under the Windows 2003
"Enhanced Security Configuration" are not at risk unless file downloads
have been re-enabled for untrusted pages.
Ease of Exploitation: Simple.
Sufficient details have been posted for an attacker to easily build a
working exploit. The attacker must trick a victim into viewing a
malicious HTML page (could be supplied by a web server, delivered as
part of an email message, provided via file sharing, etc.), and the
attack would execute automatically without user intervention. Mitigating
factor: the attack does not always work reliably and the victim user
will see hundreds of dialog boxes appearing, alerting them to a problem
and giving them a chance to intervene.
Status: Vendor confirmed, cumulative patch available. Risk can also be
mitigated by only opening email in the Restricted Sites Zone (file
downloads are disabled by default here) and disabling file downloads in
the security zone IE uses to browse untrusted sites on the Internet.
References:
Postings by Marek Bialoglowy (discovered the bug)
http://www.securityfocus.com/archive/1/320981/2003-05-06/2003-05-12/0
http://www.securityfocus.com/archive/1/321532/2003-05-13/2003-05-19/0
CERT Vulnerability Note
http://www.kb.cert.org/vuls/id/251788
Microsoft Advisory (Vulnerability #2)
http://www.microsoft.com/technet/security/bulletin/MS03-020.asp
Workaround Suggested by Pawel Golen
http://www.securityfocus.com/archive/1/321663
Secunia Advisory
http://www.secunia.com/advisories/8807/
SecurityFocus BID
http://www.securityfocus.com/bid/7539
****************************************************************
(3) HIGH: Yahoo! Audio Conferencing ActiveX Control Buffer Overflow
Affected Products:
Yahoo! Audio Conferencing ActiveX Control for Chat and Messenger
versions prior to 1,0,0,45
Description:
The Yahoo! Audio Conferencing ActiveX control included with Yahoo! Chat
and Yahoo! Messenger contains a buffer overflow vulnerability in
handling an over-long "hostname" property setting. Malicious HTML
content supplied by a website, email message, or other source can
exploit the vulnerability to execute arbitrary code on a victim system
running the affected Yahoo! software.
Council Site Actions:
Only two of the reporting council sites are responding to this problem.
They have notified the appropriate support group and the patch will be
rolled out during the next regularly scheduled system update. One of
these sites commented that they block ActiveX controls at the network
perimeter and thus the problem is somewhat mitigated.
The remaining council sites reported that they either prohibit the use
of this type of software, block ActiveX controls at the network
perimeter, or do not have the software in production or widespread use.
One of these sites commented that they use Yahoo's auto-update function
to update vulnerable systems.
Risk: Remote compromise of systems running Yahoo! Chat (a web-based
service) or Yahoo! Messenger (a Win32 client application). Attackers
gain the privileges of the currently logged in user.
Deployment: Widely deployed.
The ZDNet Downloads site reports over 38 million downloads for Yahoo
Messenger.
Ease of Exploitation: Straightforward.
This is a stack-based buffer overflow, and sufficient details have been
posted for an attacker to begin crafting an exploit. The attacker must
trick a victim into viewing a malicious HTML page (could be supplied by
a web server, delivered as part of an email message, provided via file
sharing, etc.), and the attack would execute automatically without user
intervention. Note that the affected ActiveX control is marked safe for
scripting, so any web page can instantiate it and set the "hostname"
property without a prompt.
Status: Vendor confirmed. Updated software is available. According to
the Yahoo advisory, Messenger users will be prompted to update their
software upon sign-in, and Chat users will be served the new ActiveX
control when entering a chat room.
References:
Advisory by Cesar Cerrudo
http://lists.netsys.com/pipermail/full-disclosure/2003-June/009944.html
Advisory by Yahoo!
http://archives.neohapsis.com/archives/bugtraq/2003-05/0353.html
Yahoo! Messenger ZDNet Download Page
http://downloads-zdnet.com.com/3000-2150-10029188.html
SecurityFocus BID
http://www.securityfocus.com/bid/7561
****************************************************************
(4) LOW: Sun Solaris 8 syslogd Buffer Overflow
Affected Products:
Solaris 8 running on x86 or SPARC
Description:
The Solaris 8 syslog daemon contains a buffer overflow vulnerability
that can be triggered by a UDP packet carrying more than 1024 bytes of
data. Attackers can exploit the flaw to crash syslogd (which an intruder
could use to suppress logging while attacking the system) and
potentially to execute arbitrary code (unconfirmed).
Council Site Actions:
Six of the reporting council sites are responding to this vulnerability.
Several sites do not have any Internet-facing systems running syslogd
and they block inbound syslog traffic at the network perimeter. These
sites plan to roll out the patches during the next regularly scheduled
system update.
The other sites do have Internet-facing systems with syslogd running.
One site commented that they have about 1000 systems that are directly
exposed. They will deploy the patch via their automated system update
process in one to two weeks. If exploit code is released, they will
deploy the updates within 24 hours. Another site disabled syslogd on
their Internet-facing (DMZ) systems until they are able to patch all
affected systems.
Risk: Remote attackers can crash syslogd and potentially compromise
systems running the vulnerable daemon. In the case of compromise,
attackers would gain the privileges of the syslogd process, which runs
as root on Solaris 8.
Deployment: Moderate.
Many networks running syslogd do not have the service exposed to the
Internet, but the daemon may be accessible to internal networks.
Ease of Exploitation:
DoS -- Simple.
An attacker can easily craft a long UDP packet and experiment with
causing the DoS.
Code Execution -- Unknown, likely to be difficult.
The discoverer of the bug states that he was unable to craft a working
code execution exploit.
Status: Vendor confirmed, patch available.
References:
Advisory by David Thiel
http://archives.neohapsis.com/archives/bugtraq/2003-06/0039.html
Patch from Sun
http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=110945&rev=08
SecurityFocus BID
http://www.securityfocus.com/bid/7820
****************************
Other Software
****************************
(5) HIGH: MERCUR Mail IMAP4 Server Multiple Buffer Overflows
Affected Products:
Atrium Software MERCUR Mailserver 4.2 (SP2), file version 4.2.14.0,
running on Windows NT4/2000/XP, and possibly earlier versions
Description:
The IMAP4 service provided by MERCUR Mailserver is vulnerable to buffer
overflow attacks in multiple IMAP commands, including commands that may
be issued prior to authentication. An overflow can be triggered by
supplying a large amount of data as a parameter to a vulnerable command.
Remote attackers can exploit the flaws to crash the IMAP server or to
execute arbitrary code with SYSTEM-level privileges.
Council Site Actions:
Due to the late-breaking nature of this issue, we were unable to solicit
input from the council members.
Risk: Remote SYSTEM-level compromise of Windows NT4/2000/XP machines
running the MERCUR Mail IMAP4 service.
Deployment: Moderate. The MERCUR Mailserver supports POP3, SMTP and
IMAP4, and provides a scalable solution that can be used by small
organizations and enterprise environments alike.
Ease of Exploitation: Straightforward.
Stack-based buffer overflow vulnerabilities are said to exist in the
following commands: EXAMINE, DELETE, SUBSCRIBE, RENAME, UNSUBSCRIBE,
LIST, LSUB, STATUS, LOGIN, CREATE, SELECT. The advisory indicates that
an exploit has been written, but has not yet been released to the
public. A remote attacker does not need to authenticate to the IMAP
server to exploit this hole.
Status: The advisory indicates vendor confirmation, and that the
problems are fixed in MERCUR Mailserver 4.2 (SP2) file version 4.2.15.0
and higher.
References:
Advisory by Dennis Rand
http://archives.neohapsis.com/archives/bugtraq/2003-06/0049.html
Vendor Web Page
http://www.atrium-softwareusa.com/EN/mercur_products.html
http://www.sav25.com/mercur/
SecurityFocus BID
Not yet available.
****************************************************************
(6) MODERATE: Apache mod_gzip Debug Mode Vulnerabilities
Affected Products:
mod_gzip 1.3.26.1a and prior compiled with debugging enabled
Description:
The mod_gzip Apache module version 1.3.26.1a contains multiple
vulnerabilities if the module is compiled with debugging enabled. The
most severe problem is a stack-based buffer overflow that can be
triggered by sending an HTTP request with an overlong filename that is
handled by the vulnerable module. Attackers can exploit the flaw to
execute arbitrary code on a server running Apache.
Council Site Actions:
None of the reporting council sites are responding to this
vulnerability. They are either not using the software/feature or the
debugging feature is not enabled. Several of the sites stated they did
notify their web support group per their standard operating procedure.
Risk: Remote compromise of Apache servers running mod_gzip, with the
privileges of the web server process (typically non-privileged user).
Deployment: Small.
This issue only affects a specific non-default configuration of Apache
that is unlikely to be implemented on production systems. The server
must be running a version of mod_gzip compiled with debugging enabled
to be vulnerable.
Ease of Exploitation: Straightforward.
This is a stack-based buffer overflow, and sufficient details have been
posted for an attacker to begin crafting an exploit.
Status: The advisory indicates vendor confirmation, but that mod_gzip
is currently not under development, and that the problems will not be
addressed until the next release of the module. Users should run a
version of mod_gzip that does not have debugging enabled.
References:
Advisory by Matthew Murphy
http://lists.netsys.com/pipermail/full-disclosure/2003-June/009943.html
SecurityFocus BID
http://www.securityfocus.com/bid/7769
****************************************************************
(7) LOW: JBoss JSP Source Code Disclosure
Affected Products:
JBoss version 3.2.1
Description:
JBoss is an open source, free J2EE server developed and fully supported
by the JBoss Group LLC. JBoss has been reported to contain a
vulnerability whereby a remote attacker can retrieve the source code to
JSP pages by appending '%00' to the end of the JSP filename in the
request URL. Attackers able to obtain source code can inspect the code
for more serious vulnerabilities that may be used to compromise the
system.
Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites.
Risk: Information exposure. Remote attackers can obtain JSP source code
and inspect the code for vulnerabilities that may be leveraged in
subsequent attacks.
Deployment: Moderate.
According to the vendor website, JBoss is downloaded more than 150,000
times per month.
Ease of Exploitation: Trivial.
Exploitation can be accomplished using only a web browser or a telnet
client. According to the advisory, requesting "filename.jsp%00" reveals
the source code of "filename.jsp".
Status: This vulnerability has not been confirmed.
References:
Advisory by Marc Schoenefeld
http://archives.neohapsis.com/archives/bugtraq/2003-05/0347.html
SecurityFocus BID
http://www.securityfocus.com/bid/7764
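Why "filename.jsp%00" works is the classic mismatch between length-counted and NUL-terminated strings: the Java side keeps the decoded NUL as an ordinary character, so the path no longer ends in ".jsp", fails the servlet mapping and falls through to the static file handler, while the operating system's file API stops reading the name at the NUL and opens filename.jsp. The advisory above does not describe JBoss internals; that mechanism is the usual one for this bug class and is an assumption here. The following C program is an added example, not JBoss code; url_decode, route and the sample paths are illustrative names, and the hardened branch shows the check a dispatcher should make.

```c
#include <stdio.h>
#include <string.h>

/* Added example: a model of an extension-mapped dispatcher, not JBoss code.
 * Decoded paths are kept as (pointer, length) pairs, as a Java String would
 * be, so an embedded NUL is an ordinary byte; native_visible_len() shows
 * what a NUL-terminated C API would see for the same bytes. */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes into out. Returns the decoded length, or -1 on a
 * malformed escape or if out is too small. Deliberately does not append a
 * NUL: the decoded bytes are length-counted. */
int url_decode(const char *in, unsigned char *out, size_t outsz)
{
    size_t n = 0;
    while (*in != '\0') {
        if (n >= outsz)
            return -1;
        if (*in == '%') {
            int hi = hexval((unsigned char)in[1]);
            int lo = (hi < 0) ? -1 : hexval((unsigned char)in[2]);
            if (lo < 0)
                return -1;
            out[n++] = (unsigned char)(hi * 16 + lo);
            in += 3;
        } else {
            out[n++] = (unsigned char)*in++;
        }
    }
    return (int)n;
}

/* Length-counted suffix test, as a Java String.endsWith() would behave. */
int ends_with_len(const unsigned char *s, size_t len, const char *suffix)
{
    size_t sl = strlen(suffix);
    return len >= sl && memcmp(s + len - sl, suffix, sl) == 0;
}

/* Length a NUL-terminated consumer (fopen, open) would see for these bytes. */
size_t native_visible_len(const unsigned char *s, size_t len)
{
    const unsigned char *nul = memchr(s, 0, len);
    return nul ? (size_t)(nul - s) : len;
}

/* Dispatch decision for a request path.
 *   1: matches *.jsp, goes to the JSP engine (source is compiled, not sent)
 *   0: no match, goes to the default file servlet (raw bytes are sent)
 *  -1: rejected (malformed, or, when hardened, an embedded NUL) */
int route(const char *raw_path, int hardened)
{
    unsigned char dec[256];
    int n = url_decode(raw_path, dec, sizeof dec);
    if (n < 0)
        return -1;
    if (hardened && memchr(dec, 0, (size_t)n) != NULL)
        return -1;                      /* no legitimate path contains NUL */
    return ends_with_len(dec, (size_t)n, ".jsp") ? 1 : 0;
}

int main(void)
{
    /* Constructed request paths. */
    const char *paths[] = { "/app/index.jsp", "/app/index.jsp%00" };
    for (int i = 0; i < 2; i++) {
        unsigned char dec[256];
        int n = url_decode(paths[i], dec, sizeof dec);
        printf("%-20s decoded len %d, native sees %zu bytes, "
               "route: unhardened=%d hardened=%d\n",
               paths[i], n, native_visible_len(dec, (size_t)n),
               route(paths[i], 0), route(paths[i], 1));
    }
    return 0;
}
```

The unhardened route() sends the %00 request to the file servlet, which would hand the truncated name to the native layer and return the raw JSP; the hardened version rejects any decoded path containing a NUL before routing, which is the check to look for when reviewing a dispatcher of this kind.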
******************************************************************
Subscriptions: The CVA is distributed free of charge to people
responsible for securing information systems and networks. You may
forward this newsletter to any people with such responsibility inside
or outside your organization.
To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.
To change your subscription, address, or other information, visit
http://portal.sans.org
Copyright 2003. All rights reserved. No copying, forwarding, or reuse
allowed, other than those listed in the preceding paragraph, without
written permission from the SANS Institute. Email sansro@sans.org for
permission.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)
iD8DBQE+5HzR+LUG5KFpTkYRAuoTAKCTYNnaZ/2iCA76JgLR1XZJEK9IAgCgl4Pz
ScWhgolPqnTb4yq20XPGRiY=
=A4p8
-----END PGP SIGNATURE-----