
Security

A report from the Black Hat Briefings

August 7, 2006

This article was contributed by Jake Edge.

Last week's Black Hat Briefings had little of the drama of last year's conference, but did provide some interesting presentations on security vulnerabilities and on techniques to detect and avoid them. There was little in the way of full disclosure this year at Black Hat; most presentations obscured the specific sites or vendors affected and instead concentrated on the underlying technology and how it could be exploited. Most of the presenters represented companies engaged in security research and penetration testing for their clients, and seemed to want to protect those clients and/or bring in new ones by their 'responsible' disclosure. How exactly that helps the users of vulnerable software is, of course, the obvious question.

The purported 'main event' of the conference was the presentation on device drivers by David Maynor and johnny cache. LWN reported on this wireless vulnerability several weeks ago and looked forward to more details being released. Unfortunately, the session was rather anticlimactic; the 'demo' was a video and the details were still obscured. Maynor and cache were concerned that attendees with wireless cards would packet capture the demo and decided to use video instead. The only new information released about the vulnerability was that it was against a third party wireless adapter for MacOS X. It is a shame that the session was over-hyped because the rest of the information presented, fingerprinting wireless cards based on their 802.11 behavior, was quite interesting.

Two major themes were evident, at least in the talks the author attended: Asynchronous Javascript and XML (AJAX) security and automated fuzzing approaches. Fuzzing is the process of modifying data in a file format or protocol in an attempt to subvert the program that consumes it, and it comes in (at least) two flavors: dumb and targeted. Dumb fuzzing just randomly changes values within the format or protocol to elicit unexpected behavior. Targeted fuzzing is, as the name implies, more focused on the details of the format or protocol and tries to change things that logically fit within the structure but may be corner cases that the implementer did not expect. Several tools and techniques to automate fuzzing of both varieties were presented in different sessions.
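As an added illustration (not code from any of the presentations), the following C harness shows both flavors against a constructed toy record format: a tag byte, a 16-bit big-endian length and a payload. The record layout, the two parsers and the PRNG are all assumptions made for this example; the "naive" parser stands in for the kind of code fuzzing is meant to catch, and the oracle counts how often a parser accepts a declared length it has no data for.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy record format used as the fuzz target:
 *   byte 0     : tag
 *   bytes 1..2 : big-endian payload length
 *   bytes 3..  : payload
 * Each parser returns 0 and the payload length it would go on to use, or -1. */
typedef int (*parser_fn)(const uint8_t *buf, size_t len, uint16_t *plen);

/* Trusts the length field: the kind of code fuzzing is meant to catch. */
int parse_naive(const uint8_t *buf, size_t len, uint16_t *plen)
{
    if (len < 3) return -1;
    *plen = (uint16_t)((buf[1] << 8) | buf[2]);
    return 0;
}

/* Hardened: the declared length must fit in the bytes actually supplied. */
int parse_checked(const uint8_t *buf, size_t len, uint16_t *plen)
{
    if (len < 3) return -1;
    uint16_t l = (uint16_t)((buf[1] << 8) | buf[2]);
    if ((size_t)l > len - 3) return -1;
    *plen = l;
    return 0;
}

/* Oracle: did the parser accept a length it cannot back with data? */
static int unsafe_accept(parser_fn p, const uint8_t *buf, size_t len)
{
    uint16_t plen = 0;
    return p(buf, len, &plen) == 0 && (size_t)plen > len - 3;
}

/* Tiny deterministic PRNG so a run can be reproduced from its seed. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Dumb fuzzing: overwrite nflips random bytes with random values, ignoring the
 * structure entirely. Returns how many of iters mutants were accepted unsafely. */
int fuzz_dumb(parser_fn p, const uint8_t *seed_input, size_t len,
              int iters, int nflips, uint32_t seed)
{
    uint8_t buf[64];
    int hits = 0;
    if (len < 3 || len > sizeof buf || seed == 0) return -1;
    for (int i = 0; i < iters; i++) {
        memcpy(buf, seed_input, len);
        for (int f = 0; f < nflips; f++) {
            size_t pos = xorshift32(&seed) % len;
            buf[pos] = (uint8_t)xorshift32(&seed);
        }
        hits += unsafe_accept(p, buf, len);
    }
    return hits;
}

/* Targeted fuzzing: keep the record well-formed but drive the length field
 * through the boundary values an implementer tends to forget. */
static const uint16_t boundary_lengths[] = { 0, 1, 0x7fff, 0x8000, 0xfffe, 0xffff };

int fuzz_targeted(parser_fn p, const uint8_t *seed_input, size_t len)
{
    uint8_t buf[64];
    int hits = 0;
    if (len < 3 || len > sizeof buf) return -1;
    for (size_t i = 0; i < sizeof boundary_lengths / sizeof boundary_lengths[0]; i++) {
        memcpy(buf, seed_input, len);
        buf[1] = (uint8_t)(boundary_lengths[i] >> 8);
        buf[2] = (uint8_t)(boundary_lengths[i] & 0xff);
        hits += unsafe_accept(p, buf, len);
    }
    return hits;
}

/* Constructed seed input: tag 0x01, declared length 5, five payload bytes. */
const uint8_t sample_record[8] = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };

int main(void)
{
    printf("targeted: naive=%d checked=%d\n",
           fuzz_targeted(parse_naive, sample_record, sizeof sample_record),
           fuzz_targeted(parse_checked, sample_record, sizeof sample_record));
    printf("dumb:     naive=%d checked=%d\n",
           fuzz_dumb(parse_naive, sample_record, sizeof sample_record, 500, 2, 0x1234u),
           fuzz_dumb(parse_checked, sample_record, sizeof sample_record, 500, 2, 0x1234u));
    return 0;
}
```

The targeted pass needs only six inputs to hit the naive parser four times, while the dumb pass burns hundreds of iterations to find the same bug by accident; that difference in cost per finding is the argument for structure-aware fuzzers. A real harness would run the target in a separate process and treat a crash, not just a bad return value, as the oracle.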

AJAX is, of course, the 'Web 2.0' technology that is becoming the buzzword of choice for startup companies. It is also a way to increase the risk of web application vulnerabilities if implemented poorly. AJAX increases the attack surface of an application by exposing more interfaces that can potentially be exploited. It is also a relatively immature technique, and much of the instructional material, particularly the tutorials available on the web, does not even bring up the topic of security. Several sessions were devoted to discussing areas of concern in AJAX and how combining it with other techniques (such as cross-site scripting) can lead to web worms and viruses.

LWN will be covering both of these topics in more detail over the coming weeks.

More than 3000 people attended this year - a 30% increase over last year; this increase was very evident when trying to maneuver through the hallways or attend a popular talk in a smaller room. Several comments were heard about Black Hat outgrowing Caesar's Palace and potentially moving elsewhere sometime in the future. Even with the unexpected level of attendance, the show was very well run and provided many interesting sessions; it is certainly worth a look as a security conference to attend in the future.

[ The author wishes to thank his employer, Privacy Networks, for financial support for his trip to Las Vegas for Black Hat.]


New vulnerabilities

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 apache2,apache 2008-04-04
Ubuntu USN-575-1 apache2 2008-02-04
SuSE SUSE-SA:2006:051 apache2 2006-09-08
Debian DSA-1167-1 apache 2006-09-04
Red Hat RHSA-2006:0619-01 httpd 2006-08-10
Red Hat RHSA-2006:0618-01 apache 2006-08-08
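The bug class here is reflection of a client-controlled header into an HTML error body without escaping. As an added example (not Apache code; the function names, page template and buffer sizes are assumptions made for this illustration), the C sketch below shows the vulnerable shape beside a fixed one that escapes the value first and refuses to emit a truncated page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape the five characters that matter in HTML text and attribute context.
 * Writes a NUL-terminated string to out (cap bytes) and returns the length the
 * escaped form needs, snprintf-style, so a caller can detect truncation. */
size_t html_escape(const char *in, char *out, size_t cap)
{
    size_t need = 0, written = 0;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, 0 };
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (written + rl < cap) {          /* keep one byte for the terminator */
            memcpy(out + written, rep, rl);
            written += rl;
        }
        need += rl;
    }
    if (cap) out[written] = '\0';
    return need;
}

/* Vulnerable shape: the client-supplied header value is formatted straight into
 * the error body, so "<script>..." sent in the Expect: header becomes live markup. */
int error_page_unescaped(const char *expect_value, char *out, size_t cap)
{
    return snprintf(out, cap, "<html><body>Expectation Failed: %s</body></html>", expect_value);
}

/* Fixed shape: escape before interpolation. Returns the page length, or -1 if
 * the escaped value or the page would not fit (never serve a truncated page). */
int error_page_escaped(const char *expect_value, char *out, size_t cap)
{
    char esc[512];
    if (html_escape(expect_value, esc, sizeof esc) >= sizeof esc) return -1;
    int n = snprintf(out, cap, "<html><body>Expectation Failed: %s</body></html>", esc);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* The check a regression test would run over the generated page. */
int contains_raw_tag(const char *page)
{
    return strstr(page, "<script") != NULL;
}

int main(void)
{
    /* Constructed attacker value, as it would arrive in an Expect: header. */
    const char *hostile = "<script>alert(1)</script>";
    char page[600];
    error_page_unescaped(hostile, page, sizeof page);
    printf("unescaped: raw tag present = %d\n", contains_raw_tag(page));
    error_page_escaped(hostile, page, sizeof page);
    printf("escaped:   raw tag present = %d\n%s\n", contains_raw_tag(page), page);
    return 0;
}
```

Escaping at the point of output is the fix; rejecting "bad" characters on input is not, because the same value may legitimately need to appear in a log or a plain-text error. Note that this reflected XSS needs the victim's browser to send the crafted header, which is why the advisory speaks of the victim being tricked into connecting.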


cfs: denial of service

Package(s):cfs CVE #(s):CVE-2006-3123
Created:August 3, 2006 Updated:August 9, 2006
Description: The cryptographic filesystem has an integer overflow that can be used by local users to crash the encryption daemon and cause a denial of service.
Alerts:
Debian DSA-1138-1 cfs 2006-08-02


chmlib: missing input sanitizing

Package(s):chmlib CVE #(s):CVE-2006-3178
Created:August 7, 2006 Updated:August 9, 2006
Description: It was discovered that one of the utilities shipped with chmlib, a library for dealing with Microsoft CHM files, performs insufficient sanitizing of filenames, which might lead to directory traversal.
Alerts:
Debian DSA-1144-1 chmlib 2006-08-07
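The check such an extraction utility needs, as an added example rather than chmlib's own code: a path-joining routine that refuses any archive member name able to climb out of the extraction directory. The function name, the treatment of leading slashes as "rooted at the extraction directory", and the decision to treat backslash as a separator (the format is Microsoft's) are this example's assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Build "<base>/<cleaned name>" for an archive member, or return -1 if the
 * name could escape base. Leading separators are dropped (archive names are
 * taken as rooted at the extraction directory), "." and empty components are
 * skipped, and any ".." component is rejected outright rather than resolved,
 * since resolving it is exactly how traversal bugs are born. Both '/' and '\\'
 * count as separators. Returns the result length on success. */
int safe_extract_path(const char *base, const char *name, char *out, size_t cap)
{
    char tmp[1024];
    size_t tlen = 0;
    const char *p = name;

    if (strlen(name) >= sizeof tmp) return -1;
    while (*p) {
        size_t clen = strcspn(p, "/\\");                      /* next component */
        if (clen == 2 && p[0] == '.' && p[1] == '.') return -1;   /* traversal */
        if (clen > 0 && !(clen == 1 && p[0] == '.')) {
            if (tlen) tmp[tlen++] = '/';
            memcpy(tmp + tlen, p, clen);
            tlen += clen;
        }
        p += clen;
        if (*p) p++;                                          /* skip separator */
    }
    tmp[tlen] = '\0';
    if (tlen == 0) return -1;                                 /* nothing left to name */

    int n = snprintf(out, cap, "%s/%s", base, tmp);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    /* Constructed member names of the kind a hostile archive might carry. */
    const char *names[] = { "index.html", "/images/logo.png", "../../etc/passwd",
                            "docs\\..\\..\\evil.exe", "a/./b//c.htm" };
    char out[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (safe_extract_path("/tmp/out", names[i], out, sizeof out) < 0)
            printf("%-24s -> rejected\n", names[i]);
        else
            printf("%-24s -> %s\n", names[i], out);
    }
    return 0;
}
```

This validates the name syntactically; it does not defend against a symbolic link already present under the extraction directory, which is a separate problem and, for an extractor, is usually handled by refusing to follow links when creating files.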


clamav: remote code execution

Package(s):clamav CVE #(s):CVE-2006-4018
Created:August 9, 2006 Updated:August 18, 2006
Description: There is a boundary error in the clamav code used to unpack Windows PE executable files; the result could potentially allow a remote attacker to execute code on the system running clamav.
Alerts:
Debian DSA-1153-1 clamav 2006-08-18
Trustix TSLSA-2006-0046 clamav, kernel 2006-08-11
SuSE SUSE-SA:2006:046 clamav 2006-08-09
Mandriva MDKSA-2006:138 clamav 2006-08-08
Gentoo 200608-13 clamav 2006-08-08


dhcp: programming error

Package(s):dhcp CVE #(s):CVE-2006-3122
Created:August 4, 2006 Updated:August 9, 2006
Description: Justin Winschief and Andrew Steets discovered a bug in dhcp, the DHCP server for automatic IP address assignment, which causes the server to unexpectedly exit.
Alerts:
Debian DSA-1143-1 dhcp 2006-08-04


freeradius: several vulnerabilities

Package(s):freeradius CVE #(s):CVE-2005-4745 CVE-2005-4746
Created:August 8, 2006 Updated:April 24, 2007
Description: Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service.
Alerts:
Mandriva MDKSA-2007:092 freeradius 2007-04-23
Debian DSA-1145-1 freeradius 2006-08-08


gnupg: integer overflow

Package(s):gnupg CVE #(s):CVE-2006-3746
Created:August 3, 2006 Updated:August 15, 2006
Description: GnuPG has an integer overflow vulnerability. An attacker can craft an overly long packet that causes GnuPG to crash or possibly overwrite memory, leading to a denial of service or possible code execution.
Alerts:
Mandriva MDKSA-2006:141 gnupg 2006-08-14
SuSE SUSE-SR:2006:020 gpg, krb5, ncompress, ethereal 2006-08-14
Gentoo 200608-08:02 gnupg 2006-08-05
Gentoo 200608-08 gnupg 2006-08-05
Trustix TSLSA-2006-0044 apache, gnupg, libtiff 2006-08-04
Debian DSA-1141-1 gnupg2 2006-08-04
Fedora FEDORA-2006-868 gnupg 2006-08-04
Fedora FEDORA-2006-867 gnupg 2006-08-04
Debian DSA-1140-1 gnupg 2006-08-03
Ubuntu USN-332-1 gnupg 2006-08-03
Slackware SSA:2006-215-01 gnupg 2006-08-03
rPath rPSA-2006-0143-1 gnupg 2006-08-02
Red Hat RHSA-2006:0615-01 GnuPG 2006-08-02
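Both this GnuPG bug and the cfs one above are integer overflows in length handling. The following added C example (not GnuPG or cfs code, and using a constructed framing of a tag byte plus a 4-byte big-endian body length rather than OpenPGP's real length encoding) shows how a bounds check written as an addition wraps in 32-bit arithmetic and lets an "overly long packet" through, and the subtraction-based form that cannot wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy framing: [tag][len:4 BE][body]. Each parser reads the packet
 * at *off, returns its body length and advances *off past it, or returns -1. */
typedef int (*packet_fn)(const uint8_t *, uint32_t, uint32_t *, uint32_t *);

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Buggy: "start + header + body <= len" computed in 32 bits. A body length
 * near 0xFFFFFFFF wraps the sum to a small value, the check passes, and the
 * caller goes on to read, or allocate and copy, far beyond the buffer. */
int next_packet_buggy(const uint8_t *buf, uint32_t len, uint32_t *off, uint32_t *body_len)
{
    if (*off + 5 > len) return -1;
    uint32_t body = be32(buf + *off + 1);
    uint32_t end = *off + 5 + body;                 /* may wrap */
    if (end > len) return -1;
    *body_len = body;
    *off = end;
    return 0;
}

/* Fixed: never form a sum that can wrap; compare against the space remaining. */
int next_packet_checked(const uint8_t *buf, uint32_t len, uint32_t *off, uint32_t *body_len)
{
    if (*off > len || len - *off < 5) return -1;    /* no room for a header */
    uint32_t body = be32(buf + *off + 1);
    if (body > len - *off - 5) return -1;           /* body must fit in what remains */
    *body_len = body;
    *off += 5 + body;                               /* bounded by len, cannot wrap */
    return 0;
}

/* Walk the buffer; return how many packets the parser accepted and the largest
 * body length it reported. A reported body larger than len is the bug firing. */
int walk(packet_fn p, const uint8_t *buf, uint32_t len, uint32_t *max_body)
{
    uint32_t off = 0, body = 0, n = 0;
    *max_body = 0;
    while (n < 1000 && p(buf, len, &off, &body) == 0) {
        n++;
        if (body > *max_body) *max_body = body;
    }
    return (int)n;
}

/* Constructed input: one well-formed 3-byte packet, then a header claiming a
 * 0xFFFFFFFE-byte body with only two bytes actually behind it. */
const uint8_t sample_packets[] = {
    0x01, 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c',
    0x02, 0xff, 0xff, 0xff, 0xfe, 0x00, 0x00
};

int main(void)
{
    uint32_t mb;
    int n = walk(next_packet_buggy, sample_packets, sizeof sample_packets, &mb);
    printf("buggy:   accepted %d packets, largest body %u (buffer is %zu bytes)\n",
           n, mb, sizeof sample_packets);
    n = walk(next_packet_checked, sample_packets, sizeof sample_packets, &mb);
    printf("checked: accepted %d packets, largest body %u\n", n, mb);
    return 0;
}
```

The same wrap bites the allocation step: computing "header + body" as the size passed to malloc() can produce a tiny allocation that the subsequent copy overruns, which is how a length-field overflow turns from a crash into memory corruption. The rule is to validate the untrusted length against the remaining input before doing any arithmetic with it.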


krb5: local privilege escalation

Package(s):krb5 CVE #(s):CVE-2006-3083
Created:August 9, 2006 Updated:July 7, 2010
Description: Some Kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they continue to execute as root while believing they have switched to an unprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges.
Alerts:
Mandriva MDVSA-2010:129 heimdal 2010-07-07
SuSE SUSE-SR:2006:022 heimdal, xsp 2006-09-08
Gentoo 200608-21 heimdal 2006-08-23
Ubuntu USN-334-1 krb5 2006-08-16
Fedora FEDORA-2006-905 krb5 2006-08-09
Mandriva MDKSA-2006:139 krb5 2006-08-09
Gentoo 200608-15 mit-krb5 2006-08-10
rPath rPSA-2006-0150-1 krb5 2006-08-09
Red Hat RHSA-2006:0612-01 krb5 2006-08-08
Debian DSA-1146-1 krb5 2006-08-09
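An added C example, not taken from any Kerberos implementation, of the pattern behind this bug and of a privilege drop that checks every call and then verifies the outcome independently of the return codes. One well-known way setuid() can fail on Linux is with EAGAIN when the target user is already at its RLIMIT_NPROC process limit, which is the sort of resource exhaustion the description alludes to. The function names and the use of a setuid(0) probe as the final check are this example's choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototype so the example builds even under strict feature macros
 * that hide setgroups() in <grp.h>; it matches the glibc/musl declaration. */
int setgroups(size_t n, const gid_t *groups);

/* The shape of the bug: return values thrown away. If setuid() fails, for
 * example with EAGAIN because the target uid is at its process limit, execution
 * simply continues with euid 0 and everything that follows runs as root. */
void drop_privileges_buggy(uid_t uid, gid_t gid)
{
    setgid(gid);
    setuid(uid);
    /* ... carries on doing work "as the user" ... */
}

/* Every step checked, then the result verified. Returns 0 only if the process
 * really is uid/gid and cannot get root back; otherwise -1 with errno set.
 * Order matters: supplementary groups and gid first, uid last, because once the
 * uid is non-zero the group calls are no longer permitted. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify: real and effective ids are what was asked for... */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* ...and, when dropping to a non-root user, that root cannot be regained
     * (catches a saved set-user-id left at 0 by a seteuid()-style drop). */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Dropping to one's own ids is always permitted, so this runs unprivileged too. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid=%d euid=%d gid=%d\n", (int)getuid(), (int)geteuid(), (int)getgid());
    return 0;
}
```

The probe at the end is the part most drops omit: a successful setuid() return says the call did what the kernel was asked, not that the process is now unable to become root again, and for a daemon that is the property that matters.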


libvncserver: authentication bypass

Package(s):libvncserver CVE #(s):CVE-2006-2450
Created:August 4, 2006 Updated:March 19, 2007
Description: LibVNCServer fails to validate the security type chosen by the client, effectively letting the client decide which authentication method is used, including "Type 1 - None". LibVNCServer will accept this security type even if the server did not offer it.
Alerts:
Gentoo 200703-19 ltsp 2007-03-18
Gentoo 200608-12 x11vnc 2006-08-07
Gentoo 200608-05 libvncserver 2006-08-04
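The RFB 3.7 security handshake is two short messages (the server lists the security types it offers, the client answers with one byte naming its choice), so the mistake and its fix are easy to show. As an added example, not LibVNCServer code (the function names are this example's), both sides' messages are built as byte strings and the server's acceptance logic is shown the vulnerable way and the correct way.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Security type codes from the RFB protocol (version 3.7 and later). */
enum { RFB_SEC_INVALID = 0, RFB_SEC_NONE = 1, RFB_SEC_VNCAUTH = 2 };

/* Server -> client: [count][type...]. Returns message length, 0 if it won't fit. */
size_t rfb_build_offer(const uint8_t *types, uint8_t count, uint8_t *msg, size_t cap)
{
    if (count == 0 || (size_t)count + 1 > cap) return 0;
    msg[0] = count;
    memcpy(msg + 1, types, count);
    return (size_t)count + 1;
}

/* Client -> server: the single byte naming the chosen type. */
size_t rfb_build_choice(uint8_t chosen, uint8_t *msg, size_t cap)
{
    if (cap < 1) return 0;
    msg[0] = chosen;
    return 1;
}

/* Vulnerable shape: any type the server *implements* is accepted, whether or
 * not it was offered, so a client may answer "None" to a password-only server. */
int rfb_server_accept_buggy(const uint8_t *choice, size_t choice_len)
{
    if (choice_len != 1) return 0;
    return choice[0] == RFB_SEC_NONE || choice[0] == RFB_SEC_VNCAUTH;
}

/* Fixed shape: the choice must appear in the offer this server actually sent. */
int rfb_server_accept(const uint8_t *offer, size_t offer_len,
                      const uint8_t *choice, size_t choice_len)
{
    if (choice_len != 1 || offer_len < 2 || offer[0] != offer_len - 1) return 0;
    if (choice[0] == RFB_SEC_INVALID) return 0;
    for (size_t i = 1; i < offer_len; i++)
        if (offer[i] == choice[0]) return 1;
    return 0;
}

/* One full exchange with the fixed server: offer `types`, client answers
 * `chosen`; returns 1 if the session is allowed to continue. */
int rfb_negotiate(const uint8_t *types, uint8_t count, uint8_t chosen)
{
    uint8_t offer[32], choice[1];
    size_t ol = rfb_build_offer(types, count, offer, sizeof offer);
    size_t cl = rfb_build_choice(chosen, choice, sizeof choice);
    return ol && cl && rfb_server_accept(offer, ol, choice, cl);
}

int main(void)
{
    /* Constructed scenario: a server configured for password auth only. */
    const uint8_t only_auth[1] = { RFB_SEC_VNCAUTH };
    uint8_t none_choice[1] = { RFB_SEC_NONE };
    printf("client picks None, buggy server: %s\n",
           rfb_server_accept_buggy(none_choice, 1) ? "accepted (bypass)" : "rejected");
    printf("client picks None, fixed server: %s\n",
           rfb_negotiate(only_auth, 1, RFB_SEC_NONE) ? "accepted" : "rejected");
    printf("client picks VNC auth, fixed server: %s\n",
           rfb_negotiate(only_auth, 1, RFB_SEC_VNCAUTH) ? "accepted" : "rejected");
    return 0;
}
```

The general rule: whenever a protocol lets the peer choose among options, validate the choice against the list this side sent, not against the list of everything this side can do.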


pike: SQL injection

Package(s):pike CVE #(s):
Created:August 7, 2006 Updated:August 9, 2006
Description: Some input is not properly sanitized before being used in a SQL statement in the underlying PostgreSQL database. A remote attacker could provide malicious input to a pike program, which might result in the execution of arbitrary SQL statements.
Alerts:
Gentoo 200608-10 pike 2006-08-06


Page editor: Jonathan Corbet
Copyright © 2006, Eklektix, Inc.