One would think that an organization would be grateful to someone who found
a vulnerability in their web application and provided them with the
information needed to fix it. A recent
episode where a
security researcher has been charged with breaching
the security of an online database makes it clear that this gratitude
cannot be counted upon, however.
Eric McCarty
found a flaw in the University of Southern California (USC) online application
system that would allow a
SQL injection attack
to extract the contents of a database which included some 275,000 records
of both current students and applicants.
According to the original SecurityFocus
article, the
researcher discovered the flaw when using the system to apply
to USC. The username and password text fields could be used to feed
SQL commands to the database, allowing the entire contents
to be read and/or modified. He then anonymously contacted
SecurityFocus to disclose the flaw.
Other than corresponding with SecurityFocus anonymously, McCarty did little,
if anything, to cover his tracks; believing he was acting in good
faith.
SecurityFocus contacted USC; the administrators of the web site claimed
that only two records could be accessed via the SQL injection. When
confronted with additional records, they admitted that the entire database
was vulnerable and shut down the site for ten days in order to fix it. In
addition, the administrators found the entries in the logfiles corresponding
to the 'attack' and provided the IP address to law enforcement.
The IP address allowed the FBI to determine his identity and to
execute a search warrant against him and his Gmail accounts. On his computer
they evidently found seven records from the USC database and his Gmail account
provided copies of the emails that he sent to SecurityFocus describing
the vulnerability. The charges do not claim that he did anything with
the seven records, just that he possessed them and had gotten them via 'misuse'.
The affidavit filed in the case claims that McCarty caused $140,000 in
damages by causing USC to shut down its system for 10 days. It is
somewhat difficult to see how telling someone about a flaw in their
system makes one responsible for the time it takes them to fix it. It
would seem that the original programmers of the system would be the ones
who are culpable here.
Computer misuse statutes are typically written in such a way that any
access, other than what is intended by the site owner, could be considered
a crime. The intent of the 'perpetrator' rarely seems to be examined
and this case is reminiscent of the
conviction of a
British security consultant last year. Daniel Cuthbert was concerned that
he had been phished at a tsunami relief website and he did two simple tests
to see if the site was for real. These tests set off alarms in an
Intrusion Detection System and ultimately led to his conviction. In addition,
his arrest caused him to lose his job as a security consultant.
It is very difficult to see how these kinds of prosecutions will lead to
a safer internet and, in fact, would seem likely to cause just the
opposite. Even checking for the existence of a flaw is criminal (at least
in some jurisdictions) and actually finding a flaw and disclosing it (not
in a public way, but privately to the affected organization) can lead
to charges in other jurisdictions.
Anyone who thinks they may have
spotted a potential problem area in a web application would be risking a
great deal by probing it further. In addition, administrators of these
sites are unlikely to even look at a flaw unless one can show them an exploit.
Even then, as the first USC response shows, they may be unwilling or unable
to see the implications of the flaw. The sad fact is that the best
response to the discovery of a web site vulnerability may be to keep it to
one's self.
[Editor's note: anybody who informs LWN of a vulnerability in the LWN.net
code will, assuming they have not exploited that vulnerability for their
own gain, be thanked, publicly if desired.]
There is a vulnerability in the X.Org
server; it is a buffer overflow which can enable local root access by
way of an X client. If you allow access to your X server from the net as a
whole, this could be a remote root vulnerability - but, presumably, nobody
has done that for years. As of this writing, updates are available from
Gentoo, Mandriva, and SUSE; see the LWN vulnerability entry for
the current list.
Note that this is not the vulnerability so loudly proclaimed recently by
Coverity. That is an older bug which LWN readers knew about last March.
Several problems have been discovered in Asterisk, an open source
private branch exchange (telephone control center).
Adam Pointon discovered that due to missing input sanitizing it is
possible to retrieve recorded phone messages for a different extension.
(CVE-2005-3559)
Emmanouel Kellinis discovered an integer signedness error that could
trigger a buffer overflow and hence allow the execution of arbitrary code.
(CVE-2006-1827)
A buffer overflow in the get_database function in the HTTP client in
Freshclam in ClamAV 0.80 to 0.88.1 might allow remote web servers sites to
execute arbitrary code via long HTTP headers.
Multiple vulnerabilities in libtiff before 3.8.1 allow context-dependent
attackers to cause a denial of service via a TIFF image that triggers
errors in (1) the TIFFFetchAnyArray function in (a) tif_dirread.c; (2)
certain "codec cleanup methods" in (b) tif_lzw.c, (c) tif_pixarlog.c, and
(d) tif_zip.c; (3) and improper restoration of setfield and getfield
methods in cleanup functions within (e) tif_jpeg.c, tif_pixarlog.c, (f)
tif_fax3.c, and tif_zip.c.
Versions of phpWebSite prior to 0.10.2 have an input validation vulnerability which can enable the inclusion of (and execution of arbitrary code from) local files.
A problem has been discovered in resmgr, a resource manager library
daemon and PAM module, that allows local users to bypass access
control rules and open any USB device when access to one device was
granted.
xine-lib does an improper input data boundary check on
MPEG streams. A specially crafted MPEG file can be
created that can cause arbitrary code execution when the
file is accessed.
xine-ui has multiple format string vulnerabilities.
Remote attackers can maliciously create a playlist file
and execute arbitrary code with the privileges of the
user who is running xine.
There is a buffer overflow in the Xrender extension of the X.Org server; any process which is able to connect to the server may be able to exploit this overflow to run arbitrary code. Since the X server runs as root on most systems, this vulnerability could be exploited to gain root access. See the X.Org advisory for more information.
Erik Sjölund discovered that abc2ps, a translator for ABC music
description files into PostScript, does not check the boundaries when
reading in ABC music files resulting in buffer overflows.
The abcmidi-yaps utility suffers from similar problems.
Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details.
Chris Evans discovered that while indexing, Beagle will build certain
command lines in an insecure manner. When Beagle executes external
helper applications, it is possible to cause beagle to execute
arbitrary commands as the user running beagle.
Damian Put discovered that Blender did not properly validate a 'length'
value in .blend files. Negative values led to an insufficiently sized
memory allocation. By tricking a user into opening a specially crafted
.blend file, this could be exploited to execute arbitrary code with the
privileges of the Blender user.
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor.
From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H
Research Team discovered a buffer overflow in kkstrtext.h of the ktools
library, which is included in (at least) centericq and motor.
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system).
Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows
remote attackers to execute arbitrary commands via a TFTP URL (tftp://)
with a valid hostname and a long path.
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate.
Three buffer overflows were discovered in the Xfig file format importer.
By tricking a user into opening a specially crafted .fig file with dia, an
attacker could exploit this to execute arbitrary code with the user's
privileges.
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group.
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash.
There are multiple vulnerabilities in Ethereal version up to 0.10.14,
including various dissector crashes and an off-by-one error in the OID
printing routine.
The fbgs script in the fbi package 2.01-1.4, when the TMPDIR environment
variable is not defined, allows local users to overwrite arbitrary files
via a symlink attack on temporary files in /var/tmp/fbps-[PID].
Fetchmail contains a bug which allows a malicious mail server to crash the
client by sending a message without headers. This occurs when running in
multidrop mode.
There are multiple
vulnerabilities in Firefox and related products including Thunderbird,
SeaMonkey and the Mozilla Suite. This CERT
Advisory contains additional information.
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler.
An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote
attackers to bypass authentication or cause a denial of service (server
crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state
machine module.
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands.
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user.
Another vulnerability has been found in
GnuPG. "Signature verification of non-detached signatures may give a
positive result but when extracting the signed data, this data may be
prepended or appended with extra data not covered by the signature. Thus
it is possible for an attacker to take any signed message and inject extra
arbitrary data."
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names.
ipsec-tools has a remote
denial of service vulnerability in the racoon daemon.
If racoon is running in aggressive mode, it fails to check all peer
payloads during
When the daemon the IKE negotiation phase, allowing a malicious peer
to crash the daemon. One should always be careful around aggressive racoons.
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Multiple kernel vulnerabilities have been fixed, including
an x87 information leak between processes, an ip_route_input panic,
a MADV_REMOVE vulnerability, an mprotect write permission problem,
insecure MPBL0010 driver sysfs permissions, an x86_64 force IRET issue,
RCU signal handling, a key addition oops, a sysfs write buffer issue
and more.
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function.
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass.
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
An arbitrary command execute bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx.
Mailman 2.1.5 and below have a denial of service vulnerability
in the Scrubber.py script. If a maliciously created message
with a mime multi part format is received, mailman delivery
can be stopped.
Mozilla has three new vulnerabilities.
The Javascript interpreter has a problem with
dereferencing objects. A user can visit a specially crafted web page
which can crash the browser or cause it to execute arbitrary code.
The XULDocument.persist() function has a bug that can be triggered by
viewing specially crafted web sites, RDF data can be injected into the
localstore.rdf file, allowing arbitrary javascript code to be executed.
The Mozilla history saving mechanism is vulnerable to a denial of
service attack, visiting sites with extra-long titles can cause a
crash or very slow startup the next time the browser is run.
The WYSIWYG rendering engine in Mozilla Thunderbird 1.0.7 and earlier
allows user-complicit attackers to bypass javascript security settings and
obtain sensitive information or cause a crash via an e-mail containing a
javascript URI in the SRC attribute of an IFRAME tag, which is executed
when the user edits the e-mail.
MPlayer 1.0pre7try2 has multiple integer overflow vulnerabilities.
Remote attackers can maliciously craft an ASF file or an AVI file
in order to cause a denial of service.
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query.
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges.
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013).
When starting xntpd with the -u option and specifying the
group by using a string not a numeric gid the daemon uses
the gid of the user not the group. This problem is now fixed
by this update.
The libUil component of the OpenMotif toolkit has a pair of buffer
overflow vulnerabilities that can possibly be used for the execution
of arbitrary code.
OpenVPN 2.0 through 2.0.5 allows remote malicious servers to execute
arbitrary code on the client by using setenv with the LD_PRELOAD
environment variable.
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
There are several vulnerabilities in PHP v5.1.2 and earlier.
A cross-site scripting (XSS) vulnerability in phpinfo (info.c) allows
remote attackers to inject arbitrary web script or HTML via long array
variables. (CVE-2006-0996)
A directory traversal vulnerability in file.c allows local users to
bypass open_basedir restrictions and allows remote attackers to create
files in arbitrary directories via the tempnam function. (CVE-2006-1494)
The copy function in file.c allows local users to bypass safe mode and
read arbitrary files via a source argument containing a compress.zlib://
URI. (CVE-2006-1608)
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem.
Stefan Esser reported multiple vulnerabilities
found in phpMyAdmin. The $GLOBALS variable allows modifying the global
variable import_blacklist to open phpMyAdmin to local and remote file
inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9).
Furthermore, it is also possible to conduct an XSS attack via the
$HTTP_HOST variable and a local and remote file inclusion because the
contents of the variable are under total control of the attacker
(CVE-2005-3665, PMASA-2005-8).
HTTP requests with conflicting Content-Length and Transfer-Encoding headers
could lead to HTTP Request Smuggling Attack, which can be exploited to
bypass packet filters or poison web caches.
Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send
malicious Python pickles, resulting in the execution of arbitrary
Python code on the targeted game client.
The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, which
allows attackers to cause a denial of service (blocked connections) via a
large amount of data.
Luigi Auriemma discovered multiple flaws in the Scorched 3D game
server, including a format string vulnerability and several buffer
overflows. A remote attacker could exploit these vulnerabilities to crash
a game server or execute arbitrary code with the rights of the game server
user.
Webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to
inject arbitrary web pages into the right frame via a URL in the
right_frame parameter. NOTE: this has been called a cross-site scripting
(XSS) issue, but it is different than what is normally identified as
XSS. (CVE-2006-0188)
Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to
1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks
via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2)
a newline in a "url" specifier, which is processed by certain web browsers
including Internet Explorer. (CVE-2006-0195)
CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote
attackers to inject arbitrary IMAP commands via newline characters in the
mailbox parameter of the sqimap_mailbox_select command, aka "IMAP
injection." (CVE-2006-0377)
The teTeX PDF parsing library has an integer overflow vulnerability.
A carefully crafted PDF file can be used by an attacker to crash
teTeX and possibly execute arbitrary code.
A buffer overflow in UnZip 5.50 and earlier allows local users to execute
arbitrary code via a long filename command line argument. NOTE: since the
overflow occurs in a non-setuid program, there are not many scenarios under
which it poses a vulnerability, unless unzip is passed long arguments when
it is invoked from other programs.
xtensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c
The PHP-based webcalendar package suffers from three vulnerabilities: a set of SQL injection problems (CVE-2005-3949), an input sanitizing failure allowing local files to be overwritten (CVE-2005-3961), and a response splitting vulnerability (CVE-2005-3982).
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
Three buffer overflows were discovered in xloadimage when handling the image title name. A malicious user can construct a NIFF file that when viewed and processed (with either zoom, reduce or rotate) by xloadimage, will cause the program to overwrite the return address and execute arbitrary code.
A flaw was discovered in Xpdf in that could allow an attacker to construct
a carefully crafted PDF file that would cause Xpdf to consume all available
disk space in /tmp when opened.
xpdf has a number of integer overflows.
A remote attacker can trick a user into opening a maliciously
crafted pdf file, allowing the attacker to execute code with the
privileges of the local user.
This also affects the Poppler library, cupsys and tetex-bin.
In some cases, xscreensaver did not properly grab the keyboard when
reading the password for unlocking the screen, so that the password
was typed into the currently active application window. The only known
vulnerable case was when xscreensaver activated while an rdesktop session
was currently active.
Andrea Barisani of Gentoo Linux discovered xzgv and zgv allocate
insufficient memory when rendering images with more than 3 output
components, such as images using the YCCK or CMYK colour space. When
xzgv or zgv attempt to render the image, data from the image overruns a
heap allocated buffer.
