The world is full of books on how to secure systems, how to write secure
code, and how to deal with breakins. There are rather fewer books that go
into details of how to compromise software and carry out breakins. That
gap has now been filled by Exploiting Software: How To Break Code by
Greg Hoglund and Gary McGraw. This book's purpose is not to help the
crackers; those people, according to the authors, already know about the
techniques described here. Instead, the authors wish to help programmers
and system administrators achieve better security through an understanding
of how security failures happen.
To that end, this book covers a number of ways of attacking software.
Direct reverse engineering gets a full chapter, much of which is dedicated
to things you can do with the Windows debugger. There is a chapter on
server attacks; it looks at carefully crafted input, configuration attacks,
filesystem browsing, poor authentication schemes, etc. The chapter on
client-side attacks covers cross-site scripting, embedded control
characters, and more. The creation of malicious input gets a chapter of
its own, where issues of how to track what a server does with input, tricks
with character encodings, and more are discussed; this chapter also looks
at how to get malicious input past intrusion detection systems. Buffer
overflows and format string vulnerabilities are discussed in detail;
interestingly, the authors claim that format string vulnerabilities were
known to the "black hats" for years before being more widely "discovered"
and, mostly, fixed. The book finishes with a discussion of root kits.
If you are a cracker wannabe looking to learn the trade, this book might
provide a good start - though you will still have to fill in a lot of the
details yourself. This book is not a simple cookbook for crackers, though
some of its advice ("Also, remember that a Web server will create log
files of all injection activity, which tends to stick out like a sore
thumb. If this pattern is used, clean the log files as soon as
possible.") is not necessarily useful for anybody else. The
coverage of the book is not entirely complete either; it has little space
for kernel attacks, SQL injection, or exploit generation tools, for
example. While Linux is often mentioned, the bulk of the discussion uses
Windows for its examples (though almost all of the concepts discussed apply
equally to either system). Even so, Exploiting Software is a
worthwhile addition to the bookshelf of anybody interested in security
issues - as most of us should be.
One other book that recently showed up in our mailbox is Secure
Architectures With OpenBSD by Brandon Palmer and Jose Nazario. This
book is, primarily, a system administration manual, but, since it's for
OpenBSD, it is strongly oriented toward running secure systems. It covers
all of the usual topics, though often a bit more superficially than one
might like. The range of topics is wide, however, extending into
firewalling, Kerberos, S/Key, IPSec, IPv6, intrusion detection, etc. If
you're looking for a pure BSD administration manual, you may want to
supplement this one with the Unix Administration Handbook or
something similar. This book, however, is a good, thorough overview of how
the OpenBSD variant of BSD is put together and how to keep it secure.
Jack <jack -AT- rapturesecurity.org> discovered a buffer overflow in
ident2, an implementation of the ident protocol (RFC1413), where a
buffer in the child_service function was slightly too small to hold
all of the data which could be written into it. This vulnerability
could be exploited by a remote attacker to execute arbitrary code with
the privileges of the ident2 daemon (by default, the "identd" user).
A locally exploitable integer overflow has been found the multicast code
of the Linux kernel versions 2.4.22 to 2.4.25 and 2.6.1 - 2.6.3. A
successful exploit could lead to full superuser privileges.
LCDproc: Buffer overflows and format string vulnerabilities
Package(s):
LCDproc
CVE #(s):
Created:
April 27, 2004
Updated:
April 28, 2004
Description:
Due to insufficient checking of client-supplied data, the LCDd server
is susceptible to two buffer overflows and one string buffer
vulnerability. If the server is configured to listen on all network
interfaces (see the Bind parameter in LCDproc configuration), these
vulnerabilities can be triggered remotely.
racoon does not check the length of ISAKMP headers. Attackers may be able
to craft an ISAKMP header of sufficient length to consume all available
system resources, causing a Denial of Service. This advisory contains additional
details.
XFree86 is an implementation of the X Window System, providing the core
graphical user interface and video drivers.
Flaws in XFree86 4.1.0 allow local or remote attackers who are able to
connect to the X server to cause a denial of service via an out-of-bounds
array index or integer signedness error when using the GLX extension and
Direct Rendering Infrastructure (DRI).
A memory leak has been discovered in mod_ssl that may be triggered by
sending normal HTTP requests to the Apache HTTPS port. An attacker can
exploit this vulnerability to consume all memory available in the server,
thus causing a denial of service condition. This problem has been fixed in
Apache 2.0.49.
The cvs client is vulnerable to a pathname vulnerability which can allow a hostile server to overwrite files on the local system. The cvs server is subject to a similar vulnerability which allows the checkout of RCS archives anywhere on the server system. Versions 1.11.15 and 1.12.7 fix the problem.
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
KDE has issued a security advisory for all
versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4
inclusive. A carefully crafted .VCF file potentially enables local
attackers to compromise the privacy of a victim's data or execute arbitrary
commands with the victim's privileges. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to
this issue.
The 2.4 and 2.6 kernels contain a
vulnerability in the iso9660 (CDROM) filesystem which can be used by a
local attacker to obtain root privileges. The exploit requires creating a
specially-crafted filesystem and getting the kernel to mount it. Many
systems are configured to automatically mount CDs on insertion, however, so
the possibility of this vulnerability being exploited by users with
physical access to the system is real. The 2.4.26 kernel contains the fix,
which will also be merged into the upcoming 2.6.6 release.
Solar Designer turned up a bug in the ext3 filesystem where blocks allocated to the journal file are not properly cleaned prior to use. This failure could expose some (random) kernel memory to an attacker, but only if that attacker can perform raw I/O to the device.
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
Matthew Galgoci of Red Hat discovered a Denial of Service (DoS)
vulnerability in versions of Mailman prior to 2.1. An attacker could send
a carefully-crafted message causing mailman to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0991 to this issue.
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability, however, because the
vulnerability has not been fully fixed, version 2.7.10 has been released.
Users of mod_python 3.0.4 are not affected by this vulnerability.
Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
The neon WebDAV library contains format string vulnerabilities which may be exploited by a hostile DAV server. This vulnerability exists in utilities which use neon, including cadaver and OpenOffice.org.
Some some vulnerabilities exsist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins in the Nessus
server (this option is disabled by default) or he/she would need to trick a
user somehow into running a specially crafted nasl script. Read the full
advisory for additional information.
netpbm is graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Paul Szabo discovered a number of bugs in suidperl, a helper
program to run perl scripts with setuid privileges. By exploiting
these bugs, an attacker could abuse suidperl to discover information
about files (such as testing for their existence and some of their
permissions) that should not be accessible to unprivileged users.
The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Max Vozeler discovered two format string vulnerabilities in ssmtp, a
simple mail transport agent. Untrusted values in the functions die()
and log_event() were passed to printf-like functions as format
strings. These vulnerabilities could potentially be exploited by a
remote mail relay to gain the privileges of the ssmtp process
(including potentially root).
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet
display functions for the ISAKMP protocol. Upon receiving specially
crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the
packet capture buffer and crash. More information is available in this Rapid7 advisory.
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
Steve Grubb discovered two potential issues in the utempter program:
If the path to the device contained /../ or /./ or //, the program
was not exiting as it should. It would be possible to use something like
/dev/../tmp/tty0, and then if /tmp/tty0 were deleted and symlinked to
another important file, programs that have root privileges that do no
further validation can then overwrite whatever the symlink pointed to.
Several calls to strncpy without a manual termination of the string.
This would most likely crash utempter.
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
Steve Kemp discovered a vulnerability in xonix, a game, where an
external program was invoked while retaining setgid privileges. A
local attacker could exploit this vulnerability to gain gid "games".
![[Cover]](/images/ns/exploiting-software.png)
The world is full of books on how to secure systems, how to write secure
code, and how to deal with breakins. There are rather fewer books that go
into details of how to compromise software and carry out breakins. That
gap has now been filled by Exploiting Software: How To Break Code by
Greg Hoglund and Gary McGraw. This book's purpose is not to help the
crackers; those people, according to the authors, already know about the
techniques described here. Instead, the authors wish to help programmers
and system administrators achieve better security through an understanding
of how security failures happen.
![[Cover]](/images/ns/openbsd-cover.png)
Architectures With OpenBSD by Brandon Palmer and Jose Nazario. This
book is, primarily, a system administration manual, but, since it's for
OpenBSD, it is strongly oriented toward running secure systems. It covers
all of the usual topics, though often a bit more superficially than one
might like. The range of topics is wide, however, extending into
firewalling, Kerberos, S/Key, IPSec, IPv6, intrusion detection, etc. If
you're looking for a pure BSD administration manual, you may want to
supplement this one with the Unix Administration Handbook or
something similar. This book, however, is a good, thorough overview of how
the OpenBSD variant of BSD is put together and how to keep it secure.