November 11, 2009
This article was contributed by Nathan Willis
Word spread quickly earlier this week when the first known worms
targeting the Apple iPhone surfaced days apart in Australia and the
Netherlands. Neither inflicts serious harm on devices — though
perhaps the Australian "Ikee" worm is guilty of crimes against good taste,
as it swaps out the iPhone's wallpaper for a vintage photo of Rick Astley.
The events are notable, however, because they only affect jailbroken
iPhones, raising questions over whether the iPhone jailbreaking community
behaves responsibly when it frees the devices from Apple's factory
restrictions.
Ikee was created on November 4 by Ashley Towns, a programmer from
Wollongong, Australia. The worm propagates by scanning IP ranges in the
blocks used by the iPhone's Australian carrier, checking for iPhone OS
fingerprints, and looking for a running SSH daemon on any iPhones it finds.
Because all iPhones ship from the factory with the same default root
password, "alpine", the worm can connect, copy itself over to the new
device, install its signature wallpaper, and repeat. Ikee also deactivates
SSHd on the host phone as part of its payload, but it does not change the
root password. Thus, restarting SSH makes the phone vulnerable to
reinfection.
It attracted considerably less public attention than Ikee, but on
November 2, a worm surfaced in the Netherlands using the exact same attack
vector: IP range scanning of the approved 3G carrier, OS fingerprinting,
and connecting via SSH using the default password. The Dutch worm lacked
the campy sensibility of Ikee; rather than Rickrolling the
iPhone's wallpaper, it popped up a message telling the user that the iPhone
was insecure and asking €4.95 for instructions on how to secure it.
That same day, however, the author changed his mind and posted both an
apology and free instructions for
securing the phone on the web site to which the worm pointed its
victims.
Jailbreaks are risky. Much like in real life.
"Jailbreaking" refers to hacks that enable full access to the iPhone's
operating system, and is distinct from SIM unlocking, which removes
carrier restrictions that limit the device to registering on only approved
3G networks. The iPhone has multiple layers of security built into the
OS, including everything from boot loader restrictions to application code
signing. The term "jailbreak" originates from the fact that all iPhone
applications run inside a chroot jail; when connecting the iPhone to a Mac
or PC only the contents of the chroot jail are accessed by the iTunes
application for installing and removing media content and applications.
Consequently, breaking out of the chroot jail is required to perform any
real OS customization, and the popular jailbreaking utilities set up
niceties that most hackers will expect on a Unix-like system like OS X.
That includes SSH, which obviates the need to keep the phone attached to a
PC by cable while working on it.
It is Apple's decision to ship all models of its iPhone with the same
root password — a tactic common to embedded device makers, if not
particularly secure. The point of debate is whether the security hole left
open by the combination of a default root password and a running SSH daemon
is Apple's fault, the jailbreaking tool authors', or simply the users'.
Searching for solutions
Changing the password is simple enough; should PwnageTool, PurpleRa1n, and the other jailbreak
utilities do so upon installation, either by automatically generating a new
password or by prompting the user? An Australian blogger who interviewed
Towns about Ikee thinks so; he posted
an opinion piece following up on the interview in which he asks the
jailbreaking tool developers to do just that.
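As an added example (not code from the article, nor from PwnageTool, PurpleRa1n or any other jailbreak utility), here is the audit and hardening step that the Ikee description and the paragraph above call for: scan a BSD master.passwd-style file for accounts still carrying the factory default "alpine" hash, and generate a replacement password a tool could set automatically. It assumes the master.passwd layout and that the DES-crypt hash value shown is the one shipped on the device; both are assumptions to confirm on your own phone.

```python
import secrets
import string

# DES-crypt("alpine") with salt "/s", the root and mobile hash that shipped in
# iPhone OS /etc/master.passwd (assumed value; confirm on your own device).
DEFAULT_ALPINE_HASH = "/smx7MYTQIi2M"

# Constructed sample in BSD master.passwd format, not copied from a device.
SAMPLE_MASTER_PASSWD = """\
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501::0:0:Mobile User:/var/mobile:/bin/sh
_sshd:*:75:75::0:0:sshd Privilege separation:/var/empty:/usr/bin/false
"""

def parse_master_passwd(text):
    """Yield (account, password_hash) for each real entry in the file."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        yield fields[0], fields[1]

def find_weak_accounts(text, default_hash=DEFAULT_ALPINE_HASH):
    """Map account -> reason for every account a worm could log into the way
    Ikee did: factory default password, or no password at all.
    A '*' or '!' hash means the account is locked and is not reported."""
    weak = {}
    for account, pw_hash in parse_master_passwd(text):
        if pw_hash == default_hash:
            weak[account] = "factory default password"
        elif pw_hash == "":
            weak[account] = "empty password"
    return weak

def generate_password(length=16):
    """Random replacement a jailbreak tool could set automatically instead
    of prompting; letters and digits only so it is easy to type on a phone."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def hardening_plan(text):
    """New password per weak account; a tool would hand each one to passwd(1)
    on the device (the plan is returned here, not applied)."""
    return {account: generate_password() for account in find_weak_accounts(text)}
```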
From reading the various news sites' discussions, it is clear that
plenty of others disagree, noting that the responsibility for securing the
device stops with the end user. But is there any substantial risk to
changing the root password on the device, when measured against the risks
of a default password exploit? Default password exploits are well-known
enough that most end-user applications have moved away from them; other
than the fact that the iPhone is an embedded system, why should it be
measured by different standards than a desktop or server, or for that
matter, a PayPal account?
For comparison's sake, Android phones do not include a
password-enabled root account, and although changing this is
well-documented, it is a complicated process even for the comparatively
unlocked Android Dev Phone 1.
Similarly, installing a working
SSH daemon is not a straightforward process even on a rooted phone.
On the other hand, Maemo offers OpenSSH (both client and server) as a
one-click install,
but installing it automatically prompts the user to change the root
password from its default.
ComputerWorld's Robert McMillan speculates
that Apple cares little about the issue — jailbroken phones are not
covered by warranty, so there is no incentive for the company to close its
part of the security hole by changing its root password policy. In fact,
it may tacitly approve of the negative press generated around
jailbreaking.
On the other hand, as the author of the Dutch worm put it,
"the way I got access to your iPhone can be used by thousands of
others. And they can send text messages from your number (like I did..),
use it to call (or record your calls), and actually whatever they want
[...]" The next exploit taking advantage of the iPhone's default root
password may not require a jailbroken device. Apple will surely sit up and
take notice then. In the meantime, though, the question remains: should
the people who care about freeing a device from the factory's proprietary
lock-downs also care about putting it into a secure state once it is
free?
While some FOSS-based phones may not require jailbreaking — or
not enable SSHd as part of the process — there are warnings here for Google,
Nokia, Palm, and others. By forcing users to perform dodgy operations on
their phones, in order to enable the functionality they want, phone
makers may very well be putting those users at risk. Whether the
underlying code is open source or proprietary doesn't alter that risk.
Brief items
Over at the ACM Queue, Paul Vixie writes about what he calls "stupid DNS
tricks". These include various schemes by ISPs and others to "monetize" DNS
traffic in some way. "Not all misuses of DNS take the form of lying. Another
frequently seen abuse is to treat DNS as a directory system, which it is not.
In a directory system one can ask approximate questions and get approximate
answers. Think of a printed telephone white pages directory here: users often
find what they want in the printed directory not by knowing exactly what the
listing is but by starting with a guess or a general idea. DNS has nothing like
that: all questions and all answers are exact. But DNS has at least two
mechanisms that can be misused to support approximate matching at some
considerable cost to everybody else, and a lot of that goes on."
(thanks to Jay R. Ashworth).
New vulnerabilities
alienarena: buffer overflow
| Package(s): | alienarena |
| CVE #(s): | CVE-2009-3637 |
| Created: | November 6, 2009 |
| Updated: | November 11, 2009 |
| Description: | From the Red Hat bugzilla: |
A buffer overflow flaw was found in the way used to validate remote game servers
to be added into the server list. A remote attacker sending a specially-crafted
UDP reply from a game server could execute arbitrary code on the side
and with the privileges of the alienarena game client.
| Alerts: | |
apache: man-in-the-middle/SSL injection
| Package(s): | apache |
| CVE #(s): | CVE-2009-3555 |
| Created: | November 9, 2009 |
| Updated: | March 8, 2013 |
| Description: | From the Mandriva advisory: |
Apache is affected by SSL injection or man-in-the-middle attacks
due to a design flaw in the SSL and/or TLS protocols. A short term
solution was released Sat Nov 07 2009 by the ASF team to mitigate
these problems. Apache will now reject in-session renegotiation
(CVE-2009-3555).
| Alerts: | |
cups: cross-site scripting
| Package(s): | cups |
| CVE #(s): | CVE-2009-2820 |
| Created: | November 10, 2009 |
| Updated: | April 14, 2010 |
| Description: | From the Debian advisory: |
Aaron Siegel discovered that the web interface of cups, the Common UNIX
Printing System, is prone to cross-site scripting attacks.
| Alerts: | |
drupal6: multiple vulnerabilities
| Package(s): | drupal6 |
| CVE #(s): | CVE-2009-2372, CVE-2009-2373, CVE-2009-2374 |
| Created: | November 9, 2009 |
| Updated: | November 11, 2009 |
| Description: | From the Debian advisory: |
CVE-2009-2372:
Gerhard Killesreiter discovered a flaw in the way user signatures are
handled. It is possible for a user to inject arbitrary code via a
crafted user signature. (SA-CORE-2009-007)
CVE-2009-2373:
Mark Piper, Sven Herrmann and Brandon Knight discovered a cross-site
scripting issue in the forum module, which could be exploited via the
tid parameter. (SA-CORE-2009-007)
CVE-2009-2374:
Sumit Datta discovered that certain drupal6 pages leak sensible
information such as user credentials. (SA-CORE-2009-007)
Several design flaws in the OpenID module have been fixed, which could
lead to cross-site request forgeries or privilege escalations. Also, the
file upload function does not process all extensions properly leading
to the possible execution of arbitrary code. (SA-CORE-2009-008)
| Alerts: | |
horde: cross-site scripting
| Package(s): | horde |
| CVE #(s): | CVE-2009-3237 |
| Created: | November 6, 2009 |
| Updated: | April 1, 2010 |
| Description: | From the Gentoo advisory: |
Martin Geisler and David Wharton reported that an error exists in
the MIME viewer library when viewing unknown text parts and the
preferences system in services/prefs.php when handling number
preferences.
| Alerts: | |
java: multiple vulnerabilities
| Package(s): | java-1.6.0-sun |
| CVE #(s): | CVE-2009-3728, CVE-2009-3729, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3886 |
| Created: | November 9, 2009 |
| Updated: | April 28, 2010 |
| Description: | From the Red Hat advisory (starting with bugzilla bug numbers): |
530053 - CVE-2009-3873 OpenJDK JPEG Image Writer quantization problem (6862968)
530057 - CVE-2009-3875 OpenJDK MessageDigest.isEqual introduces timing attack vulnerabilities (6863503)
530061 - CVE-2009-3876 CVE-2009-3877 OpenJDK ASN.1/DER input stream parser denial of service (6864911)
530062 - CVE-2009-3869 OpenJDK JRE AWT setDifflCM stack overflow (6872357)
530063 - CVE-2009-3871 OpenJDK JRE AWT setBytePixels heap overflow (6872358)
530067 - CVE-2009-3874 OpenJDK ImageI/O JPEG heap overflow (6874643)
530098 - CVE-2009-3728 OpenJDK ICC_Profile file existence detection information leak (6631533)
530173 - CVE-2009-3881 OpenJDK resurrected classloaders can still have children (6636650)
530175 - CVE-2009-3882 CVE-2009-3883 OpenJDK information leaks in mutable variables (6657026,6657138)
530296 - CVE-2009-3880 OpenJDK UI logging information leakage (6664512)
530297 - CVE-2009-3879 OpenJDK GraphicsConfiguration information leak (6822057)
530300 - CVE-2009-3884 OpenJDK zoneinfo file existence information leak (6824265)
532904 - CVE-2009-3729 JRE TrueType font parsing crash (6815780)
532906 - CVE-2009-3872 JRE JPEG JFIF Decoder issue (6862969)
532914 - CVE-2009-3886 JRE REGRESSION: have problem to run JNLP app and applets with signed Jar files (6870531)
533211 - CVE-2009-3865 java-1.6.0-sun: ACE in JRE Deployment Toolkit (6869752)
533212 - CVE-2009-3866 java-1.6.0-sun: Privilege escalation in the Java Web Start Installer (6872824)
533214 - CVE-2009-3867 java-1.5.0-sun, java-1.6.0-sun: Stack-based buffer overflow via a long file: URL argument (6854303)
533215 - CVE-2009-3868 java-1.5.0-sun, java-1.6.0-sun: Privilege escalation via crafted image file due to improper color profiles parsing (6862970)
| Alerts: | |
kernel: integer overflow
| Package(s): | linux-2.6 |
| CVE #(s): | CVE-2009-3638 |
| Created: | November 6, 2009 |
| Updated: | December 23, 2009 |
| Description: | From the Debian advisory: |
David Wagner reported an overflow in the KVM subsystem on i386
systems. This issue is exploitable by local users with access to
the /dev/kvm device file.
| Alerts: | |
libvorbis: arbitrary code execution
| Package(s): | libvorbis |
| CVE #(s): | CVE-2009-3379 |
| Created: | November 9, 2009 |
| Updated: | April 3, 2012 |
| Description: | From the Red Hat advisory: |
Multiple flaws were found in the libvorbis library. A specially-crafted Ogg
Vorbis media format file (Ogg) could cause an application using libvorbis
to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3379)
| Alerts: | |
qtwebkit: arbitrary local file access
| Package(s): | qtwebkit |
| CVE #(s): | CVE-2009-1699, CVE-2009-1713 |
| Created: | November 10, 2009 |
| Updated: | January 25, 2011 |
| Description: | From the Ubuntu advisory: |
It was discovered that QtWebKit did not properly handle certain XSL
stylesheets. If a user were tricked into viewing a malicious website,
an attacker could exploit this to read arbitrary local files, and possibly
files from different security zones. (CVE-2009-1699, CVE-2009-1713)
| Alerts: | |
typo3: multiple vulnerabilities
| Package(s): | typo3 |
| CVE #(s): | CVE-2009-3628, CVE-2009-3629, CVE-2009-3630, CVE-2009-3631, CVE-2009-3632, CVE-2009-3633, CVE-2009-3634, CVE-2009-3635, CVE-2009-3636 |
| Created: | November 5, 2009 |
| Updated: | November 11, 2009 |
| Description: | From the Debian alert: |
Several remote vulnerabilities have been discovered in the TYPO3 web
content management framework. The Common Vulnerabilities and Exposures
project identifies the following problems:
CVE-2009-3628:
The Backend subcomponent allows remote authenticated users to
determine an encryption key via crafted input to a form field.
CVE-2009-3629:
Multiple cross-site scripting (XSS) vulnerabilities in the
Backend subcomponent allow remote authenticated users to inject
arbitrary web script or HTML.
CVE-2009-3630:
The Backend subcomponent allows remote authenticated users to
place arbitrary web sites in TYPO3 backend framesets via
crafted parameters.
CVE-2009-3631:
The Backend subcomponent, when the DAM extension or ftp upload
is enabled, allows remote authenticated users to execute
arbitrary commands via shell metacharacters in a filename.
CVE-2009-3632:
SQL injection vulnerability in the traditional frontend editing
feature in the Frontend Editing subcomponent allows remote
authenticated users to execute arbitrary SQL commands.
CVE-2009-3633:
Cross-site scripting (XSS) vulnerability in allows remote
attackers to inject arbitrary web script.
CVE-2009-3634:
Cross-site scripting (XSS) vulnerability in the Frontend Login Box
(aka felogin) subcomponent allows remote attackers to inject
arbitrary web script or HTML.
CVE-2009-3635:
The Install Tool subcomponent allows remote attackers to gain access
by using only the password's md5 hash as a credential.
CVE-2009-3636:
Cross-site scripting (XSS) vulnerability in the Install Tool
subcomponent allows remote attackers to inject arbitrary web script
or HTML.
| Alerts: | |
wordpress-mu: denial of service
| Package(s): | wordpress-mu |
| CVE #(s): | |
| Created: | November 10, 2009 |
| Updated: | November 11, 2009 |
| Description: | From the Red Hat bugzilla: |
A denial of service (resource exhaustion) flaw was found
in the way WordPress used to handle HTTP headers, contained in the
"trackback" message, sent to WordPress. A local, unprivileged user could
send a specially-crafted trackback message to a running instance of
WordPress, leading to its crash.
| Alerts: | |
Page editor: Jake Edge