Michal Zalewski recently decided to look for exploitable vulnerabilities in
web browsers. So he write a little CGI script which generates random HTML
and feeds it to the browser; a refresh tag is used so that the browser will
repeatedly request new pages - until things come to a crashing halt.
Mr. Zalewski reported his results on
Bugtraq as "a mini-farce." It seems that most of the browsers he tested
fared rather poorly.
The key word here is "most." One browser was able to absorb noisy input
indefinitely without crashing; that browser was Internet Explorer.
There has been quite a bit of talk recently about Internet Explorer's
security problems, and how the alternatives - both free and proprietary -
are more secure. So this kind of result is somewhat embarrassing. As
Mr. Zalewski put it:
It appears that the overall quality of code, and more importantly,
the amount of QA, on various browsers touted as "secure", is not up
to par with MSIE; the type of a test I performed requires no human
interaction and involves nearly no effort. Only MSIE appears to be
able to consistently handle malformed input well, suggesting
this is the only program that underwent rudimentary security QA
testing with a similar fuzz utility.
So what sort of HTML turned out to be problematic? A few examples have
been posted - but all you smug, free-software-using folks might want to
think twice before clicking on them. Use of a tool like wget is
probably more appropriate. One of the examples, which, as your smug,
free-software-using editor can attest, kills Firefox is, in its entirety:
<HTML><INPUT
The post notes that this bug is probably exploitable, and that many others
certainly exist. The tester also does nothing involving either cascading
style sheets or JavaScript - one suspect that those areas might, just
maybe, be the source of a bug or two themselves.
The Mozilla project has been quick to capitalize on the recent bout of
Internet Explorer security problems. This incident demonstrates, however,
that the free software community can, at times, be a little too quick to
claim better security. Testing against malformed input has been a standard
quality assurance technique for decades; the fact that Mozilla, seemingly,
has not done this testing is a little discouraging. Security can be a
winning point for free software, but it doesn't happen automatically. If
we're going to claim to have a more secure product, we should be sure we've
done the homework first. Meanwhile, expect a new set of Mozilla patches
sometime soon.
Alan Cox has sent out an announcement regarding a couple of tty-related
security fixes which were included in the 2.6.9 kernel release. One of
them is, conceivably, remotely exploitable, though it appears to be
impossible to exploit in most cases. 2.4 and 2.2 kernels are also
vulnerable; expect distributor updates shortly. Click below for the details.
CVS (prior to version 1.1.17) contains an undocumented switch which may be used by an attacker to verify the existence of files and whether the CVS process can access them.
A new set of integer overflows has been found in the libpng library; these overflows could perhaps be exploited (by way of a malicious image file) to execute arbitrary code.
phpMyAdmin: Vulnerability in MIME-based transformation
Package(s):
phpMyAdmin
CVE #(s):
Created:
October 18, 2004
Updated:
October 19, 2004
Description:
A defect was found in phpMyAdmin's MIME-based transformation system,
when used with "external" transformations. A remote attacker could exploit
this vulnerability to execute arbitrary commands on the server with the
rights of the HTTP server user.
The make_oidjoins_check script insecurely creates temporary files in
world-writeable directories with predictable names. A local attacker could
create symbolic links in the temporary files directory, pointing to a valid
file somewhere on the filesystem. When make_oidjoins_check is called, this
would result in file overwrite with the rights of the user running the
utility, which could be the root user.
WordPress: HTTP response splitting and XSS vulnerabilities
Package(s):
wordpress
CVE #(s):
Created:
October 14, 2004
Updated:
December 20, 2004
Description:
WordPress is vulnerable to HTTP response splitting and cross-site scripting
attacks, due to the lack of input validation in the administration panel
scripts. A malicious user could inject arbitrary response data, leading to
content spoofing, web cache poisoning and other cross-site scripting or
HTTP response splitting attacks. This could result in compromising the
victim's data or browser.
A stack-based buffer overflow exists in the ssl_util_uuencode_binary
function in ssl_util.c in Apache. When mod_ssl is configured to trust the
issuing CA, a remote attacker may be able to execute arbitrary code via a
client certificate with a long subject DN.
Aspell's word-list-compress utility fails to properly check bounds
when dealing with words that are more than 256 bytes long.
This can lead to arbitrary code execution by an attacker.
compress and uncompress do not properly check bounds on command line
options, including the filename. Large parameters would trigger a buffer
overflow. By supplying a carefully crafted filename or other option, an
attacker could execute arbitrary code on the system. A local attacker could
only execute code with his own rights, but since compress and uncompress
are called by various daemon programs, this might also allow a remote
attacker to execute code with the rights of the daemon making use of
ncompress.
Versions of cups prior to 1.1.21 contain a denial of service vulnerability in their IPP implementation. A malicious UDP packet can cause cups to stop listening to the IPP port.
cyrus-sasl has a vulnerability involving a buffer overflow
in the digestmda5.c file. A remote attacker may be able
to compromise the system. Also, a local user may be able to
exploit a vulnerability by using the SASL_PATH environment
variable.
ed insecurely creates temporary files in world-writeable directories with
predictable names. Given that ed is used in various system shell scripts,
they are by extension affected by the same vulnerability. A local attacker
could create symbolic links in the temporary files directory, pointing to a
valid file somewhere on the filesystem. When ed is called, this would
result in file access with the rights of the user running the utility,
which could be the root user.
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler.
The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user.
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation.
Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
The ImageMagick graphics library has several buffer overflow
vulnerabilities that allow an attacker to crash the reading process
by creating mal-formed video or image files in the AVI, BMP, or DIB format.
Paul Starzetz discovered
flaws in the Linux kernel when handling file
offset pointers. These consist of invalid conversions of 64 to 32-bit file
offset pointers and possible race conditions. A local unprivileged user
could make use of these flaws to access large portions of kernel memory.
Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
The lha archiving and compression utility has a
stack-based buffer overflow vulnerability. A modified
archive could allow an attacker to execute code when a victim
extracts or test the archive.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
Several vulnerabilities exist in the Mozilla web browser and derived
products, the most serious of which could allow a remote attacker to
execute arbitrary code on an affected system. See the CERT advisory for details.
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
Several problems have been discovered in MySQL. Oleksandr Byelkin noticed
that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table
instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer
overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis
noticed that multiple threads ALTERing the same (or different) MERGE tables
to change the UNION can cause the server to crash or stall. (CAN-2004-0837)
Michal Zalewski discovered a bug in the netkit-telnet server (telnetd)
whereby a remote attacker could cause the telnetd process to free an
invalid pointer. This causes the telnet server process to crash, leading
to a straightforward denial of service (inetd will disable the service if
telnetd is crashed repeatedly), or possibly the execution of arbitrary code
with the privileges of the telnetd process (by default, the 'telnetd'
user).
netpbm is graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Stefan Esser has issued an advisory regarding a
remotely exploitable hole in PHP (through version 4.3.7). If the
memory_limit feature is in use (as it should be, to prevent denial
of service attacks), allocation failures can be forced at highly
inopportune times, and those failures can be exploited to execute arbitrary
code. The exploit is described as "quite easy," and it can be done
regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the
problem; yesterday's PHP 5.0 release also contains the fix (but the
final release candidate did not).
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system.
This August 2004 rsync
advisory reports that there is a path-sanitizing bug that affects
daemon mode in all recent rsync versions (including 2.6.2) but only if
chroot is disabled. It does NOT affect the normal send/receive filenames
that specify what files should be transferred (this is because these names
happen to get sanitized twice, and thus the second call removes any
lingering leading slash(es) that the first call left behind). It does
affect certain option paths that cause auxilliary files to be read or
written.
Andres Salomon noticed a problem in the CGI session management of Ruby, an
object-oriented scripting language. CGI::Session's FileStore (and
presumably PStore, but not in Debian woody) implementations store session
information insecurely. They simply create files, ignoring permission
issues. This can lead an attacker who has also shell access to the
webserver to take over a session.
A security vulnerability has been located in Samba 2.2.x <= 2.2.11 and
Samba 3.0.x <= 3.0.5. A remote attacker may be able to gain access to files
which exist outside of the share's defined path. Such files must still be
readable by the account used for the connection.
According to this errata only Samba 3.0.x
<= 3.0.2a contains the exploitable code.
sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer
overflow in shar.c, where the length of data returned by the wc command is
not checked. Florian Schilhabel discovered another buffer overflow in
unshar.c. An attacker could exploit these vulnerabilities to execute
arbitrary code as the user running one of the sharutils programs.
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service.
Subversion has a remote Denial of Service vulnerability
that may allow a server that runs svnserve to execute
arbitrary code. See this advisory for more information.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
The tiff library contains several buffer overflows which may be exploited
by way of maliciously-crafted image files. See this advisory for more information.
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
Bruce Schneier's CRYPTO-GRAM newsletter for October is out, with articles
on disclosing network outage information, license plate scanners, academic
freedom, and RFID passports. "Normally I am very careful before I ascribe such sinister motives to a
government agency. Incompetence is the norm, and malevolence is much
rarer. But this seems like a clear case of the government putting its
own interests above the security and privacy of its citizens, and then
lying about it."
