Scott Crosby and Dan Wallach have announced
a paper describing a new class of security problem that they call
"algorithmic complexity attacks." The basic idea is simple: predictable
behavior in certain application algorithms can be exploited by attackers to
create denial of service problems; these attacks can be easy to mount and
require very low amounts of bandwidth. The full
paper describes this sort of attack in detail, with a strong emphasis
on hash tables. The authors promote a particular class of hashing
algorithm ("universal hash") as a way of fixing the problem.
The networking hash
vulnerability described here two weeks ago clearly falls into this
category of problem. (This vulnerability, incidentally, is still unfixed
by any distributors beyond Red Hat and EnGarde). Mr. Crosby has also found
a similar problem in the Linux kernel
directory entry cache code; an attacker who has control over file names can
force behavior which slows the system to a crawl.
The interesting thing is that, once one starts looking, this sort of
vulnerability is widespread. For example:
Languages like Perl and Python provide hashed data structures
(associative arrays and dictionaries). If an application uses user
input as a key for such a structure, that application can be
vulnerable to attack. The paper demonstrates the degree to which Perl
arrays can degrade with carefully chosen input.
Regular expressions are widely used in applications. Anybody who
has programmed with non-trivial regular expressions knows that they
can be hard to get right in the first place. But writing regular
expressions which do not bring the application down in flames when
confronted with the wrong input is even harder.
Chances are many applications suffer from this sort of vulnerability. It
may soon be that distributed denial of service attacks pass out of favor;
if an algorithmic complexity attack is available, there is no real point in
going to the effort of assembling the attack network.
Sadly, it may well turn out that free software applications are uniquely
vulnerable to algorithmic complexity attacks - at least, in the short term.
Mounting such an attack requires a reasonably well advanced understanding
of which algorithms an application is using, and how it is using them.
Closed-source applications will certainly have (at least) as many
algorithmic complexity vulnerabilities as free applications, but the lack
of source will make those vulnerabilities hard to exploit. In the longer
term, of course, the situation may reverse itself; the vulnerabilities in
free programs will have been found and fixed, while those in proprietary
code lurk on, waiting for an exploit to be developed.
gPS is a graphical application to watch system processes. In release
1.1.0 of the gps package, several security vulnerabilities were fixed,
including several buffer overflows and a problem where any host could
connect to the server.
KON is a Kanji emulator for the console. There is a buffer overflow
vulnerability in the command line parsing code portion of the kon program
up to and including version 0.3.9b. This vulnerability, if appropriately
exploited, can lead to local users being able to gain elevated (root)
privileges.
uw-imapd: vulnerabilities in IMAP clients written with C and C++
Package(s):
uw-imapd
CVE #(s):
Created:
June 2, 2003
Updated:
June 3, 2003
Description:
There are two common vulnerabilities in IMAP clients written with C and
C++:
1. Handling huge literal sizes. Many clients do malloc(literal_size+1) and
then read the literal into it. Problem is that if literal_size is
UINT_MAX-1, the +1 overflows it into malloc(0) but server is still allowed
to write UINT_MAX-1 bytes of data there. There may also be similiar
problems if literal size is read into signed integer which causes it to
become negative. Some clients use atoi(), so giving -1 as literal size is
equilevant to giving UINT_MAX-1.
IMAP servers can also be vulnerable to this one if they're not careful.
2. Handling huge mailbox sizes (ie. huge value in EXISTS reply). Many
clients do malloc(messages_count * sizeof(struct message)) and read data
into it.
A new set of denial of service vulnerabilities has been found in Apache versions 2.0 through 2.0.45. The potential for a remote code exploit apparently exists as well. See the Apache 2.0.46 announcement for more information.
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Firch's fixes,
is in the glibc getnetbyXXX functions.
These functions are described in the SuSE alert as
"
used by very few applications only, such as ifconfig and ifuser,
which makes exploits less likely."
CERT Advisory: CA-2002-19
Buffer Overflow in Multiple DNS Resolver Libraries
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
Phil D'Amore of Red Hat discovered a vulnerability in the CUPS IPP
(Internet Printing Protocol) implementation. The IPP implementation is
single-threaded, which means only one request can be serviced at a time.
An attacker could make a partial request that does not time out and
therefore creates a denial of service. In order to exploit this bug, an
attacker must have the ability to make a TCP connection to the IPP port (by
default 631).
The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system.
The SOCKS dissector in Ethereal 0.9.9 is susceptible to a format string
overflow. This vulnerability has been present in Ethereal since the SOCKS
dissector was introduced in version 0.8.7. It was discovered by Georgi
Guninski. Additionally, the NTLMSSP code is susceptible to a heap
overflow. All users of Ethereal 0.9.9 and below are encouraged to upgrade.
See the full
advisory for additional information.
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Jeff Johnson found a memory allocation problem and David Endler found a
stack overflow corruption problem in the file "Automatic File Content
Type Recognition Tool" version 3.41. Nalin Dahyabhai improved ELF section
and program header handling in file version 3.40. The folks at OpenPKG
believe that file versions without those modifications are vulnerable to
memory allocation and stack overflow problems which put security at risk.
Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library which is used in glibc.This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
A key validation bug was discovered in the GNU Privacy Guard (GPG) which
would cause keys with more then one user ID to trust all user ID's with the
amount of trust given to the most-valid user ID.
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL
injection; see this advisory for details.
Version 3.x is not vulnerable to this problem.
The KDE Security team has issued an advisory
on a vulnerability present in all versions of KDE that allow a remote
attacker to execute arbitrary commands under your account. KDE 3.0.5b and
KDE 3.1.1a have been released to address this problem. For KDE 2.2.2
patches to the KDE 2.2.2 sources have been made available.
KDE uses Ghostscript software for processing of PostScript (PS) and PDF
files in a way that allows for the execution of arbitrary commands that can
be contained in such files.
An attacker can prepare a malicious PostScript or PDF file which will
provide the attacker with access to the victim's account and privileges
when the victim opens this malicious file for viewing or when the victim
browses a directory containing such malicious file and has file previews
enabled.
An attacker can provide malicious files remotely to a victim in an e-mail,
as part of a webpage, via an ftp server and possible other means.
Versions 2.2.x and 2.4.x of the Linux kernel contain a vulnerability in
ptrace() which may be exploited by a local user to obtain root
access. This announcement contains the
details and a patch for 2.4.20. For 2.2 users, 2.2.25 has been released
which contains the fix.
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
A vulnerability was discovered in versions of kopete
prior to 0.6.2. Kopete is a KDE instant messenger client. This
vulnerabiliy is in the GnuPG plugin that allows for users to send each
other GPG-encrypted instant messages. The plugin passes encrypted messages
to gpg, but does no checking to sanitize the commandline passed to gpg.
This can allow remote users to execute arbitrary code, with the permissions
of the user running kopete, on the local system.
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer.
Karol Lewandowski discovered that psbanner, a printer filter that
creates a PostScript format banner and is part of LPRng, insecurely
creates a temporary file for debugging purpose when it is configured
as filter. The program does not check whether this file already
exists or is linked to another place writes its current environment
and called arguments to the file unconditionally with the user id
daemon.
The lprm command of the printing package lprold contains a buffer
overflow. This buffer overflow can be exploited by a local user, if the
printer system is set up correctly, to gain root privileges.
Leonard Stiles discovered that lv, a multilingual file viewer, would
read options from a configuration file in the current directory.
Because such a file could be placed there by a malicious user, and lv
configuration options can be used to execute commands, this
represented a security vulnerability. An attacker could gain the
privileges of the user invoking lv, including root.
If lynx is given a url with some special characters on the command line, it
will include faked headers in the HTTP query. This feature can be used to
force scripts (that use Lynx for downloading files) to access the wrong
site on a web server with multiple virtual hosts.
The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.
Some some vulnerabilities exsist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins in the Nessus
server (this option is disabled by default) or he/she would need to trick a
user somehow into running a specially crafted nasl script. Read the full
advisory for additional information.
Potentially exploitable buffer overflows exist in the Macromedia Flash
Player. The full advisory is here.
"The cumulative security patch is available today and addresses the
potential for exploits surrounding buffer overflows (read/write) and
sandbox integrity within the player, which might allow malicious users to
gain access to a user's computer. The possibility of running native code on
a users machine is a theoretical exploit, and extremely difficult to
execute in practice. There are no known examples of running such native
code from Macromedia Flash movies; however, even though this issue is
difficult and theoretical in nature only, we are encouraging users to
upgrade."
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
The pam_xauth module is used to forward xauth information from user to user
in applications such as 'su'.
Andreas Beck discovered that versions of pam_xauth supplied with Red Hat
Linux since version 7.1 would forward authorization information from the
root account to unprivileged users. This could be used by a local attacker
to gain access to an administrator's X session. In order to exploit this
vulnerability, the attacker would have to get the administrator, as root,
to use su to the account belonging to the attacker.
Two vulnerabilities exists in the mail() PHP function. The first one allows
the execution of any program/script bypassing safe_mode restriction, the
second one may give an open-relay script if the mail() function is not
carefully used in PHP scripts. See this Bugtraq
report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.
A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Zack Weinberg discovered that
os._execvpe from os.py uses a predictable name which could lead
to execution of arbitrary code. According to the Debian
advisory, the problem
was present in Python versions 1.5, 2.1 and 2.2.
usePerl has a
description of a vulnerability in the Safe.pm Perl module. It seems
that if a Safe compartment is used more than once, it ceases to be safe.
The problem is fixed in Safe 2.08.
SquirrelMail is a webmail package written in PHP. Multiple vulnerabilities
have been found which affect versions of SquirrelMail shipped with Red Hat
Linux 8.0 and Red Hat Linux 9.
Cross-site scripting vulnerabilities in SquirrelMail version 1.2.10 and
earlier allow remote attackers to execute script as other Web users via
mailbox displays, message displays, or search results displays. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0160 to these issues.
All users are advised to upgrade to these errata packages containing
SquirrelMail version 1.2.11, which is not vulnerable to these issues.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
A problem has been discovered in the typespeed, a game that lets you
measure your typematic speed. By overflowing a buffer a local
attacker could execute arbitrary commands under the group id games.
VIM allows a user to set the modeline differently for each edited text file
by placing special comments in the files. Georgi Guninski found that these
comments can be carefully crafted in order to call external programs. This
could allow an attacker to create a text file such that when it is opened
arbitrary commands are executed.
From the ISS
advisory:
"Vixie Cron is a scheduling daemon that ships with several Linux
distributions. Vixie Cron version 3.0pl1 could allow a local attacker to
gain root privileges. Crontab fails to properly drop privileges in certain
cases after a crontab modification operation. A local attacker could
exploit this vulnerability to gain root privileges on the system since
crontab is installed setuid root."
Note: this vulnerability is dated May 07 2001, and was first mentioned in
LWN on the May 10,
2001 security page.
Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious
FTP server to create or overwrite files anywhere on the local file system.
FTP clients must check to see if an FTP server's response to the NLST
command includes any directory information along with the list of filenames
required by the FTP protocol (RFC 959, section 4.1.3).
If the FTP client fails to do so, a malicious FTP server can send filenames
beginning with '/' or containing '/../' which can be used to direct a
vulnerable FTP client to write files (such as .forward, .rhosts, .shosts,
etc.) that can then be used for later attacks against the client machine.
The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests
with negative Content Length values.
"It is believed
that an attacker could exploit this bug to gain remote wwwrun access
to the system wwwoffled is running on."
Xinetd is a 'master server' that is used to to accept service connection
requests and start the appropriate servers.
Because of a programming error, memory was allocated and never freed if a
connection was refused for any reason. An attacker could exploit this flaw
to crash the xinetd server, rendering all services it controls unavailable.
In addition, other flaws in xinetd could cause incorrect operation in
certain unusual server configurations.
All users of xinetd are advised to update to xinetd-2.3.11 which is not
vulnerable to these issues.
The CERT Summary for June, 2003 is out; problems highlighted this time
include the XDR integer overflow, the sendmail buffer overflow, and the
snort vulnerabilities.
A group called the Organization for Internet Safety has surfaced with a
draft proposal describing a process for reporting (and responding to)
vulnerabilities. It is a
lengthy and detailed document which attempts to program what should happen
at every stage of the vulnerability resolution process. Public comments
are being accepted on the draft through July 7.
The call for papers for PHRACK #61 has gone out; submissions are due by
July 18. "Dont bother us with
lame articles -- only the elite papers will make it."
