[This article was contributed by LWN reader Tom
Owen]
Last week, this
Extremetech
article
was the first press coverage of
Whitehat Security'swhitepaper
on a new type of cross site scripting attack.
Whitehat has called it "cross site tracing", or XST.
Cross-site scripting (XSS) is a simple idea at heart:
the attacker loads exploitative HTML, including a client-side script, into
a web site,
typically one which allows public submissions and which does not properly
quote HTML tags.
Any user of the site who reads the story loads the exploit into their browser.
The script uses the client browser's rights to cause mischief -- typically to
access information and send it to the attacker.
Recent XSS
vulnerability reports
focus on exposing cookie contents -- perhaps including session and
authentication details --
to the attacker.
Browser domain restrictions are supposed to stop clients from sending
cookie contents anywhere except back to the server that issued them,
but it's hard to enforce this restriction if scripts are allowed to access
those contents,
and many browsers have faults which allow scripts to bypass domain
restrictions.
Enter cross-site tracing, which is a new variety of XSS attack.
It uses the TRACE command, which is an obscure part of the
HTTP 1.1 protocol.
It substitutes for GET, except that instead of replying to the request
the server echoes it -- the TRACE string and the subsequent headers -- back to
the client
with a content type of message/http.
It's intended as a debugging aid.
Most web servers implement TRACE as part of the standard,
and, as it's never been implicated in security problems,
most sites leave it enabled.
In essence, Whitehat report that some browsers
can be scripted to send TRACE requests and return the echoed headers to the
script.
The report lists Mozilla (using XMLDOM) and IE (using XMLHTTP) as vulnerable.
HTTP headers seem like they would be innocous, but unfortunately
they carry cookies and HTTP authorization strings to the server.
With the aid of one of the available domain restriction breaches,
these data can be taken from the trace and sent to the attacker.
Whitehat was obviously pleased with this discovery.
The
press
release
uses words like "pandemic" and refers to
"a serious security flaw affecting all web server[s] world
wide."
The whitepaper is more tempered, but it implies
that the TRACE method has a defect
which compromises every web server.
Opinion on
Bugtraq (discussions
here
and
here)
and
Slashdot
ranges from
"hyped,
sensationalised snakeoil"
to
"a terrible
security hole."
The critics point out that there's no fault in TRACE,
and client domain restriction breaches already offer scripted ways ways to
read cookies.
On the whole they seem to have won the argument
as there's been little press coverage and no rebuttal from Whitehat.
There have been some more positive responses noting that script access
to the Authorization: header containing the HTTP Basic
authentication is new
and disturbing,
and that client problems are sometimes best fixed at the server.
Nobody is claiming that TRACE is needed on a production server --
it's as vestigial as HELP in Sendmail SMTP.
So, as it's certain that a server that can't do TRACE
won't ever allow its clients to be subverted through it,
removing it may be the way to go.
The Apache Limit directive can't suppress TRACE, so Whitehat and
Apacheweek
both suggest using mod_rewrite to force a forbidden (403) error in Apache:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteEngine On needs to be repeated in every
<VirtualHost> block.
Experiment suggests that there's more to it than this,
(no, I can't make it work ...)
but it has to be easier than iPlanet/Netscape,
which requires a binary edit.
Security consultants feel pressure to find and publicise security holes, and it's
inevitable that some of them will be less serious than the spin suggests. The
community's loud and direct quality control is necessary to keep the numbers
within limits.
However, even snake oil may have something to teach us, and at least one
Apache admin
will be spending a few hours this week figuring out just what secures the
DELETE method.
Recommended reading: this
posting by Karsten Self on the MS-SQL (aka "Sapphire" or "Slammer")
worm and why Linux users shouldn't be overly smug about this episode.
"This means that the infected hosts were on the order of 1% of all
potential hosts. That is, Microsoft users were attaining a 99%
patch and/or secure rate of systems publicly visible to the worm.
This is a pretty good compliance rate. It was also wholly
inadequate in preventing this attack."
Florian Lohoff discovered a bug in the dhcrelay causing it to send a
continuing packet storm towards the configured DHCP server(s) in case
of a malicious BOOTP packet, such as sent from buggy Cisco switches.
When the dhcp-relay receives a BOOTP request it forwards the request
to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff
which causes the network interface to reflect the packet back into the
socket. To prevent loops the dhcrelay checks whether the
relay-address is its own, in which case the packet would be dropped.
In combination with a missing upper boundary for the hop counter an
attacker can force the dhcp-relay to send a continuing packet storm
towards the configured dhcp server(s).
This patch introduces a new commandline switch ``-c maxcount'' and
people are advised to start the dhcp-relay with ``dhcrelay -c 10''
or a smaller number, which will only create that many packets.
The dhcrelay program from the ``dhcp'' package does not seem to be
affected since DHCP packets are dropped if they were apparently
relayed already.
MySQL 3.23.55 fixes a double-free vulnerability which allows a hostile
client to crash the server process. Logging into the server is necessary
before this vulnerability can be exploited.
Dan Jacobson noticed a problem in noffle, an offline news server, that
leads to a segmentation fault. It is not yet clear whether this
problem is exploitable. However, if it is, a remote attacker could
trigger arbitrary code execution under the user that calls noffle,
probably news.
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Firch's fixes,
is in the glibc getnetbyXXX functions.
These functions are described in the SuSE alert as
"
used by very few applications only, such as ifconfig and ifuser,
which makes exploits less likely."
CERT Advisory: CA-2002-19
Buffer Overflow in Multiple DNS Resolver Libraries
Two vulnerabilities have been discovered in Bugzilla, a web-based bug
tracking system, by its authors. The Common Vulnerabilities and
Exposures Project identifies the following vulnerabilities:
CAN-2003-0012 (BugTraq ID 6502): The provided data collection
script intended to be run as a nightly cron job changes the
permissions of the data/mining directory to be world-writable every
time it runs. This would enable local users to alter or delete the
collected data.
CAN-2003-0013 (BugTraq ID 6501): The default .htaccess scripts
provided by checksetup.pl do not block access to backups of the
localconfig file that might be created by editors such as vi or
emacs (typically these will have a .swp or ~ suffix). This allows
an end user to download one of the backup copies and potentially
obtain your database password.
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
Exploitation of multiple CUPS vulnerabilities allow local and remote
attackers in the worst of the scenarios to gain root privileges. See the
iDEFENSE
advisory for more information.
CVS is a version control system frequently used to manage source code
repositories. During an audit of the CVS sources, Stefan Esser
discovered an exploitable double-free bug in the CVS server.
On servers which are configured to allow anonymous read-only access, this
bug could be used by anonymous users to gain write privileges. Users with
CVS write privileges can then use the Update-prog and Checkin-prog features
to execute arbitrary commands on the server.
All users of CVS are advised to upgrade to erratum packages which contain
patches to correct the double-free bug.
The Internet Software Consortium (ISC) has discovered several buffer
overflow vulnerabilities in their implementation of DHCP (ISC DHCPD).
These vulnerabilities may allow remote attackers to execute arbitrary code
on affected systems. There are no known exploits at this time.
The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system.
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
A race
condition in rm may cause the root user to delete the whole filesystem.
The problem exists in the version of rm in
fileutils
4.1 stable and 4.1.6 development version. A patch
is available.
(First LWN
report: May 2).
Ralf Wildenhues has discovered a buffer overrun in the CGI code in fnord
1.6. This function does not return, so this does not appear to be
exploitable. fnord - yet another small
httpd has an update to fix the problem in any case.
Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library which is used in glibc.This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
Tatsuya Kinoshita discovered that IM, which contains interface
commands and Perl libraries for E-mail and NetNews, creates temporary
files insecurely.
The impwagent program creates a temporary directory in an insecure
manner in /tmp using predictable directory names without checking
the return code of mkdir, so it's possible to seize a permission
of the temporary directory by local access as another user.
The immknmz program creates a temporary file in an insecure manner
in /tmp using a predictable filename, so an attacker with local
access can easily create and overwrite files as another user.
The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL
injection; see this advisory for details.
Version 3.x is not vulnerable to this problem.
In some instances, KDE (versions 2 and 3) fails to properly quote parameters of instructions
passed to a command shell for execution.
These parameters may incorporate data such as URLs, filenames and e-mail
addresses, and this data may be provided remotely to a victim in an e-mail,
a webpage or files on a network filesystem or other untrusted source.
By carefully crafting such data an attacker might be able to execute
arbitary commands on a vulnerable sytem using the victim's account and
privileges.
Vulnerabilities were discovered in the KIO subsystem support for various
network protocols. The implementation of the rlogin protocol affects all
KDE versions from 2.1 up to 3.0.4, while the flawed implementation of the
telnet protocol only affects KDE 2.x. They allow a carefully crafted URL
in an HTML page, HTML email, or other KIO-enabled application to execute
arbitrary commands as the victim with their privilege.
The KDE team provided a patch for KDE3 which has been applied in these
packages. No patch was provided for KDE2, however the KDE team recommends
disabling both the rlogin and telnet KIO protocols. This can be
accomplished by removing, as root, the following files:
/usr/share/services/telnet.protocol and
/usr/share/services/rlogin.protocol.
If either file also exists in a user's ~/.kde/share/services directory,
they should likewise be removed.
See also:
http://www.kde.org/info/security/advisory-20021111-1.txt
All versions of the Linux kernel from (at least) 2.2.x through 2.4.19 and
2.5.47 contain a vulnerability which allows any local user to crash the
system. This LWN article describes how the
exploit works in detail. The vulnerability affects only x86 systems.
libmcrypt versions prior to 2.5.5 contain a number of buffer overflow
vulnerabilities that stem from improper or lacking input validation. By
passing a longer than expected input to a number of functions (multiple
functions are affected) the user can successful make libmcrypt crash.
Another vulnerability is due to the way libmcrypt loads algorithms via
libtool. When the algorithms are loaded dynamically the each time the
algorithm is loaded a small (few kilobytes) of memory are leaked. In a
persistant enviroment (web server) this could lead to a memory exhaustion
attack that will exhaust all avaliable memory by launching repeated
requests at an application utilizing the mcrypt library.
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer.
If lynx is given a url with some special characters on the command line, it
will include faked headers in the HTTP query. This feature can be used to
force scripts (that use Lynx for downloading files) to access the wrong
site on a web server with multiple virtual hosts.
The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.
RĂ¼diger Kuhlmann, upstream developer of mICQ, a text based ICQ client,
discovered a problem in mICQ. Receiving certain ICQ message types
that do not contain the required 0xFE seperator causes all versions to
crash.
PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which
can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.
According to the CERT Advisory,
almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP.
Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP
4.2.0 or 4.2.1 installed,
is to upgrade to PHP 4.2.2.
For more information see the alert from
the discover of the vulnerability, Stefan Esser of e-matters GmbH,
or the security
advisory from the php team.
The wordwrap() function on user-supplied input may allow a
specially-crafted input to overflow the allocated buffer and overwrite the
heap. There are no known exploits, but an exploit is theoretically possible.
Mozilla 1.1 and earlier, and Mozilla-based browsers such as Netscape and
Galeon, set the document referrer too quickly in certain situations when a
new page is being loaded, which allows web pages to determine the next page
that is being visited, including manually entered URLs.
Netscape 6.2.3 and earlier, and Mozilla 1.0.1, allow remote attackers to
corrupt heap memory and execute arbitrary code via a GIF image with a zero
width.
The MySQL database server has several buffer overflow and integer bounds checking vulnerabilities which can lead to denial of service attacks, and, possibily, remote code execution. See this e-matters advisory for details. Version 3.23.54 fixes the problems.
OpenLDAP is the Open Source implementation of the Lightweight Directory
Access Protocol (LDAP) and is used in network environments for distributing
certain information such as X.509 certificates or login information.
The SuSE Security Team reviewed critical parts of that package and found
several buffer overflows and other bugs remote attackers could exploit to
gain access on systems running vulnerable LDAP servers. In addition to
these bugs, various local exploitable bugs within the OpenLDAP2 libraries
(openldap2-devel package) have been fixed.
Since there is no workaround possible except shutting down the LDAP server,
an update is strongly recommended.
Two vulnerabilities exists in the mail() PHP function. The first one allows
the execution of any program/script bypassing safe_mode restriction, the
second one may give an open-relay script if the mail() function is not
carefully used in PHP scripts. See this Bugtraq
report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.
PostgreSQL 7.2.2 has been released in response to a number of buffer
overrun vulnerabilities which have been identified recently. "...it
should be noted that these vulnerabilities are only critical on 'open' or
'shared' systems, as they require the ability to be able to connect to the
database before they can be exploited."
Buffer overflow vulnerabilities fixed include those reported by
"Sir Mordred The Traitor" in the cash_words,
repeat, and lpad
and rpad functions.
Karol Wiesek and iDefense disovered three vulnerabilities in the
printer-drivers package and tools it installs. These vulnerabilities
allow a local attacker to empty or create any file on the filesystem.
The first vulnerability is in the mtink binary, which has a buffer
overflow in its handling of the HOME environment variable.
The second vulnerability is in the escputil binary, which has a buffer
overflow in the parsing of the --printer-name command line argument.
This is only possible when esputil is suid or sgid; in Mandrake Linux
9.0 it was sgid "sys". Successful exploitation will provide the
attacker with the privilege of the group "sys".
The third vulnerability is in the ml85p binary which contains a race
condition in the opening of a temporary file. By default this file is
installed suid root so it can be used to gain root privilege. The only
caveat is that this file is not executable by other, only by root or
group "sys". Using either of the two previous vulnerabilities, an
attacker can exploit one of them to obtain "sys" privilege" and then
use that to exploit this vulnerability to gain root privilege.
Zack Weinberg discovered that
os._execvpe from os.py uses a predictable name which could lead
to execution of arbitrary code. According to the Debian
advisory, the problem
was present in Python versions 1.5, 2.1 and 2.2.
usePerl has a
description of a vulnerability in the Safe.pm Perl module. It seems
that if a Safe compartment is used more than once, it ceases to be safe.
The problem is fixed in Safe 2.08.
During a code review of the susehelp package the SuSE Security Team
recognized that the security checks done by the susehelp CGI scripts are
insufficient. Remote attackers can insert certain characters in CGI
queries to the susehelp system tricking it into executing arbitrary code as
the "wwwrun" user. Please note that this is only a vulnerability if you
have a web server running and configured to allow access to the susehelp
system by remote sites.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
Rossen Raykov reports that Tomcat 4.0.5 and 4.1.12 fix a JSP source code exposure vulnerability
in "Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also).".
The current version of Tomcat is available here.
Tomcat is the servlet container that is used in the official
Reference Implementation for the
Java Servlet and JavaServer Pages technologies.
The Java Servlet and JavaServer Pages specifications are developed by Sun
under the Java
Community Process.
traceroute-nanog: buffer overflow and root exploit
Package(s):
traceroute-nanog/nkitb
CVE #(s):
Created:
November 12, 2002
Updated:
February 27, 2003
Description:
Traceroute is a tool that can be used to track packets in a TCP/IP network
to determine it's route or to find out about not working routers.
Traceroute-nanog requires root privilege to open a raw socket. It does not
relinquish these privileges after doing so. This allows a malicious user to
gain root access by exploiting a buffer overflow at a later point.
A problem has been discovered in the typespeed, a game that lets you
measure your typematic speed. By overflowing a buffer a local
attacker could execute arbitrary commands under the group id games.
VIM allows a user to set the modeline differently for each edited text file
by placing special comments in the files. Georgi Guninski found that these
comments can be carefully crafted in order to call external programs. This
could allow an attacker to create a text file such that when it is opened
arbitrary commands are executed.
webalizer: reverse DNS buffer overflow vulnerability
Package(s):
webalizer
CVE #(s):
Created:
May 21, 2002
Updated:
January 27, 2003
Description:
The cause is a buffer overflow bug.
This one sounds nasty.
If reverse DNS lookups are enabled in webalizer,
"an attacker with control over the victims DNS may spoof responses thus
triggering a buffer overflow, potentially leading to a root compromise."
Webalizer 2.01-10 "fixes this and a few
other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002).
Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious
FTP server to create or overwrite files anywhere on the local file system.
FTP clients must check to see if an FTP server's response to the NLST
command includes any directory information along with the list of filenames
required by the FTP protocol (RFC 959, section 4.1.3).
If the FTP client fails to do so, a malicious FTP server can send filenames
beginning with '/' or containing '/../' which can be used to direct a
vulnerable FTP client to write files (such as .forward, .rhosts, .shosts,
etc.) that can then be used for later attacks against the client machine.
Al Viro found a problem in the image handling code used in Window Maker,
a popular NEXTSTEP like window manager. When creating an image it would
allocate a buffer by multiplying the image width and height, but did not
check for an overflow. This makes it possible to overflow the buffer.
This could be exploited by using specially crafted image files (for
example when previewing themes).
The "wordtrans" interface to multilingual dictionaries suffers from input validation and cross-site scripting vulnerabilities; versions through 1.1pre8 are vulnerable. See this Guardent advisory for details.
The libgtop_daemon package is a GNOME
program which makes system information available remotely.
LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package
on December 6th.
On November 28th
disabling the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run
libgtop by default, but applying the update is a good idea anyway.
The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests
with negative Content Length values.
"It is believed
that an attacker could exploit this bug to gain remote wwwrun access
to the system wwwoffled is running on."
- From iDEFENSE advisory:
The pdftops filter in the Xpdf and CUPS packages contains an integer
overflow that can be exploited to gain the privileges of the target user
or in some cases the increased privileges of the 'lp' user if installed
setuid. There are multiple ways of exploiting this vulnerability.
