Many people interested in security issues fear the first big security
breach which
affects mobile wireless devices. A large, destructive cell phone worm would
make for a bad day in many quarters. The "Mosquitos" trojan does not quite
live up to those fears, but there are lessons to be learned from it anyway.
Mosquitos is a game for Symbian-based wireless handsets. According to
early reports, a version of the game had been "cracked" and circulated
through the usual channels. Users who picked it up and ran it found out,
sooner or later, that it had a bad habit of sending text messages to
expensive, premium phone numbers. That was almost certainly not the
experience the users had in mind when they loaded the game.
While many outlets reported the existence of a Symbian trojan, rather fewer
followed up with the truth of the matter became clear: the "trojan"
functionality was an intentional feature added by the manufacturer of the
game. It is, in essence, an attempt at a copy protection mechanism; if the
game finds itself running outside of its intended geographical area, it
sends a bunch of expensive messages in retaliation. This behavior is a
feature, not a trojan.
Then again, that might depend on your definition of "trojan." It is an
undocumented behavior hidden within a program; certainly nobody who bought
this game intended to purchase a function which sends unwanted messages if
it decides things are not right. Most users might be forgiven for feeling
that they had, indeed, been trojaned after all.
It would be out of character for us to fail to point out that this sort of
behavior is almost exclusively associated with closed-source, proprietary
software. The author of a free software program is certainly capable of
inserting trojan-like behavior; consider the
mICQ incident from February, 2003. But it would be surprising indeed
for any such code to last for long. Free software means that hostile code
can be found and ripped out in a hurry. Now if we only had mobile phones built with
free software...
News.com reports from Crypto 2004, where researchers are presenting findings on weaknesses in secure hash algorithms.
"Biham's presentation was very preliminary, but it could call into question the long-term future of the wildly popular SHA-1 algorithm and spur researchers to identify alternatives.
Currently considered the gold standard of its class of algorithms, SHA-1 is embedded in popular programs like PGP and SSL. It is certified by the National Institute of Standards and Technology and is the only signing algorithm approved for use in the U.S. government's Digital Signature Standard."
acroread contains two errors in the handling of UUEncoded filenames.
First, it fails to check the length of a filename before copying it
into a fixed size buffer and, secondly, it fails to check for the
backtick shell metacharacter in the filename before executing a command
with a shell. By enticing a user to open a PDF with a specially crafted
filename, an attacker could execute arbitrary code or programs with the
permissions of the user running acroread.
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation.
gv (prior to version 3.5.8-r4) has a buffer overflow vulnerability involving the sscanf()
function. An attacker can execute arbitrary code with the
permission of the user running gv.
Three separate vulnerabilities have been identified in the KDE 3.2
"kdebase" package; see this advisory for
details. These problems include two temporary file vulnerabilities and a
"frame injection" problem in konqueror which could help with phishing
attacks. In a fourth vulnerability, described here, Konqueror allows websites to set cookies
for certain country specific secondary top level domains.
The nessus security scanner has a temporary file vulnerability that allows a
user to perform a privilege escalation attack by way of an adduser
race condition.
This August 2004 rsync
advisory reports that there is a path-sanitizing bug that affects
daemon mode in all recent rsync versions (including 2.6.2) but only if
chroot is disabled. It does NOT affect the normal send/receive filenames
that specify what files should be transferred (this is because these names
happen to get sanitized twice, and thus the second call removes any
lingering leading slash(es) that the first call left behind). It does
affect certain option paths that cause auxilliary files to be read or
written.
Andres Salomon noticed a problem in the CGI session management of Ruby, an
object-oriented scripting language. CGI::Session's FileStore (and
presumably PStore, but not in Debian woody) implementations store session
information insecurely. They simply create files, ignoring permission
issues. This can lead an attacker who has also shell access to the
webserver to take over a session.
xine-lib contains a bug where it is possible to overflow the vcd:// input
source identifier management buffer through carefully crafted playlists.
An attacker may construct a carefully-crafted playlist file which will
cause xine-lib to execute arbitrary code with the permissions of the
user. In order to conform with the generic naming standards of most
Unix-like systems, playlists can have extensions other than .asx (the
standard xine playlist format), and made to look like another file
(MP3, AVI, or MPEG for example). If an attacker crafts a playlist with
a valid header, they can insert a VCD playlist line that can cause a
buffer overflow and possible shellcode execution.
A stack-based buffer overflow exists in the ssl_util_uuencode_binary
function in ssl_util.c in Apache. When mod_ssl is configured to trust the
issuing CA, a remote attacker may be able to execute arbitrary code via a
client certificate with a long subject DN.
Aspell's word-list-compress utility fails to properly check bounds
when dealing with words that are more than 256 bytes long.
This can lead to arbitrary code execution by an attacker.
Two vulnerabilities have been found in cfservd. One is a buffer overflow in
the AuthenticationDialogue function and the other is a failure to check the
proper return value of the ReceiveTransaction function. An attacker could
use the buffer overflow to execute arbitrary code with the permissions of
the user running cfservd, which is usually the root user. However, before
such an attack could be mounted, the IP-based ACL would have to be
bypassed. With the second vulnerability, an attacker could cause a denial
of service attack.
Richard Ngo
reported on BugTraq that a vulnerability has been discovered in the CVS
repository web browsing tool CVSTrac. If properly exploited an
attacker can execute arbitrary code on the CVSTrac host with the privileges
of the associated web server.
There are multiple vulnerabilities in versions of Ethereal earlier than
0.10.5, including:
* In some cases the iSNS dissector could cause Ethereal to abort.
* If there was no policy name for a handle for SMB SID snooping it
could cause a crash.
* A malformed or missing community string could cause the SNMP
dissector to crash.
See this
advisory for more information.
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
During an audit of the Linux kernel, SUSE discovered a flaw that allowed
a user to make unauthorized changes to the group ID of files in certain
circumstances - such as when the files are exported via NFS.
Paul Starzetz discovered
flaws in the Linux kernel when handling file
offset pointers. These consist of invalid conversions of 64 to 32-bit file
offset pointers and possible race conditions. A local unprivileged user
could make use of these flaws to access large portions of kernel memory.
Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability, however, because the
vulnerability has not been fully fixed, version 2.7.10 has been released.
Users of mod_python 3.0.4 are not affected by this vulnerability.
MoinMoin contains a flaw that may allow a malicious user to gain access to
unauthorized privileges. The issue is triggered when an attacker creates a
user with the same name as an administrative group. This flaw may lead to a
loss of integrity. See this osvdb
entry for additional information.
Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Some some vulnerabilities exsist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins in the Nessus
server (this option is disabled by default) or he/she would need to trick a
user somehow into running a specially crafted nasl script. Read the full
advisory for additional information.
netpbm is graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Stefan Esser has issued an advisory regarding a
remotely exploitable hole in PHP (through version 4.3.7). If the
memory_limit feature is in use (as it should be, to prevent denial
of service attacks), allocation failures can be forced at highly
inopportune times, and those failures can be exploited to execute arbitrary
code. The exploit is described as "quite easy," and it can be done
regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the
problem; yesterday's PHP 5.0 release also contains the fix (but the
final release candidate did not).
According to this Samba advisory, Evgeny
Demidov discovered that the Samba SMB/CIFS server has a buffer overflow bug
in the Samba Web Administration Tool (SWAT) on decoding Base64 data during
HTTP Basic Authentication. Samba versions between 3.0.2 through 3.0.4 are
affected. (CAN-2004-0600)
Another buffer overflow bug has been located in the Samba code used to
support the "mangling method = hash" functionality. The default setting for
this parameter is "mangling method = hash2" and therefore Samba is not
vulnerable by default. Samba versions between 2.2.0 through 2.2.9 and 3.0.0
through 3.0.4 are affected. (CAN-2004-0686)
Javier Fernández-Sanguino Peña has discovered an exploitable
vulnerability in the way that Shorewall handles temporary files and
directories. The vulnerability can allow a non-root user to cause
arbitrary files on the system to be overwritten. LEAF Bering and Bering
uClibc users are generally not at risk due to the fact that LEAF boxes
do not typically allow logins by non-root users. The complete advisory is
here.
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service.
The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable.
Several unspecified cross-site scripting (XSS) vulnerabilities and a well
hidden SQL injection vulnerability were found in SquirrelMail versions
1.4.2 and lower. An XSS attack allows an attacker to insert malicious code
into a web-based application. SquirrelMail does not check for code when
parsing variables received via the URL query string.
Subversion has a remote Denial of Service vulnerability
that may allow a server that runs svnserve to execute
arbitrary code. See this advisory for more information.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet
display functions for the ISAKMP protocol. Upon receiving specially
crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the
packet capture buffer and crash. More information is available in this Rapid7 advisory.
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
The August issue of CRYPTO-GRAM is out; this months topics include another
stupid aviation security story, alibi networks, GHB, and phishing attacks.
"Computer security is an arms race, and money creates
very motivated attackers. Unsolved, this type of security problem can
change the way people interact with the Internet. It'll prove that the
naysayers were right all along, that the Internet isn't safe for
electronic commerce."
Version 2.2 of the Metasploit Framework is out; click below for the details. This release contains a set of new exploits, PPC and Sparc exploit support, and much more.
vnunet has interviewed Robert Clyde, CTO at Symantec. "With open source, if an individual cares about a code flaw they'll fix it fast; if it's an obscure piece of code it could languish for years untouched. Commercial companies will try and fix all problems within a fixed timescale. Most commercial vendors are really behind reporting problems honestly and trying to fix them. I don't know of a single vendor who will sit on a vulnerability - maybe five years ago but not now."
Compare that with this eWeek article on Oracle's security performance. "It's been a good seven or eight months since the vulnerabilities were discovered. Sure, eight months seems like it would be 'as quickly as possible.' For a roomful of monkeys arbitrarily hitting keys to come up with a security fix. On broken keyboards."
