BadBunny? Only if you invite it in

There has been a lot of press, over the last several weeks, about the "BadBunny" worm, which infects OpenOffice.org (OO.o) files. Most of the buzz seems to be about the multi-platform nature of the worm, which is interesting, but the mainstream technical press seems to miss the fact that, without a number of bad user decisions, the worm would not do anything at all. There was a lot of noise about OO.o macros and security last summer, but the situation is the same as when we last reported on OO.o security: if one is going to use an office suite with a macro language, one must be careful about which macros are run.

The infected file itself is a graphics document file called badbunny.odg which contains macro definitions that can be executed when the file is loaded into OO.o. If the macro is run, it does different things depending on the platform, but attempting to infect either the mIRC or XChat Internet Relay Chat (IRC) clients is the first step. If those clients are run after the infection, BadBunny will try to propagate by offering the document file to other connected users.
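As an added defender-side check (not code from the article, from Sophos or from the OO.o project), the following Python script lists the macro-bearing members of an ODF package: ODF documents are zip archives, and embedded macros are stored under the Basic/ and Scripts/ directories. The sample packages it builds are constructed stand-ins, not the real badbunny.odg.

```python
import io
import zipfile

# Directories inside an ODF package (a zip archive) that hold embedded macros:
# OpenOffice.org Basic libraries live under Basic/, and scripts in other
# languages (Python, JavaScript, BeanShell) under Scripts/.
MACRO_PREFIXES = ("Basic/", "Scripts/")


def embedded_macros(odf_bytes):
    """Return the archive members of an ODF document that contain macro code.

    An empty list means the document carries no embedded macros; a non-empty
    list is a signal to treat the file with care before opening it with
    macros enabled. Raises zipfile.BadZipFile for data that is not a zip.
    """
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        return [name for name in zf.namelist()
                if name.startswith(MACRO_PREFIXES) and not name.endswith("/")]


def build_sample_odg(with_macro):
    """Construct a minimal, in-memory .odg-like package for demonstration.

    This is a constructed stand-in, not the real badbunny.odg; the macro body
    is an inert placeholder that does nothing.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # ODF requires the mimetype entry first and stored uncompressed.
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.graphics",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", "<office:document-content/>")
        if with_macro:
            zf.writestr("Basic/script-lc.xml", "<library:libraries/>")
            zf.writestr("Basic/Standard/Module1.xml",
                        "<script:module>Sub Main\nEnd Sub</script:module>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_odg(False)),
                       ("macro-bearing", build_sample_odg(True))):
        hits = embedded_macros(doc)
        print(f"{label}: {hits or 'no embedded macros'}")
```

To scan a real file, pass the result of `open(path, "rb").read()` to `embedded_macros()`; any hit under Basic/ or Scripts/ means the document will ask to run code when opened.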

As a secondary payload, BadBunny stores and runs a script file that tries to infect other files in the directory where the document file is stored. For reasons unknown, each operating system gets a script written in a different language: for Linux it is Perl, for Mac OS X Ruby, and for Windows JavaScript. BadBunny also attempts a "ping of death" denial of service attack against multiple anti-virus sites.

The worm was first reported by the anti-virus company Sophos back in May and was described as a "proof of concept" that was emailed to their researchers. The name, BadBunny, comes from the names of various files that get installed as well as a pornographic image of a man in a bunny suit that may be displayed. More recently, anti-virus vendor Symantec has reported BadBunny "in the wild", but it is not very widespread.

There are some pretty good reasons this worm has not spread widely. Users are becoming more aware of these kinds of problems and many already know to be "cautious when handling OpenOffice files from unknown sources" as Symantec suggests in their announcement. This is not, of course, an OO.o-specific problem. All files from unknown sources should be treated with care. In order to be affected by BadBunny, users will also have to enable the macros to run. As reported by Malte Timmermann, Sun's OO.o Technical Architect, the worm does not bypass the OO.o security checks and the user will be prompted before the macros are run. One can certainly imagine that there are users who will receive a file of unknown provenance, perhaps by email or over IRC, open it and run its macros, but they are, hopefully, few and far between; this is certainly not the infection vector of an attacker's dreams.

Like it or not, macro languages in office suites are here to stay. They have their uses (and abuses). For the most part, users will not even consider using an office suite that does not offer a scripting language. As Timmermann puts it: "OO.o has a macro language with access to local resources. Of course this macro language can be used for performing any kind of task; that's the intention of it! Users shouldn't run macros from unknown sources, just as they shouldn't run any programs or other scripts from unknown sources."

It could be argued that the OO.o macro language should be simplified in ways that might help cut down the potential for abuse. It is difficult to see how that can be done when the major competitor, at least in the Windows world, has a "full featured" macro language. The balance between security and new features is always tricky, but when trying to compete against an established market leader, sometimes the features have to win.

If you believe that an office suite requires a sophisticated macro language, these kinds of problems cannot be considered security holes in the program; it is doing exactly as the user instructed it to. Individuals or organizations that want to use tools with these capabilities have to be security conscious. In the end, if users are going to blindly click through any kind of warning, any reasonable level of security is impossible. This is true no matter what operating system, web browser or office suite is used.

New vulnerabilities

kdebase: information leak

Package(s): kdebase    CVE #(s): CVE-2007-2022
Created: June 13, 2007    Updated: September 19, 2007
Description: A problem with the interaction between the Flash Player and the Konqueror web browser was found. The problem could lead to key presses leaking to the Flash Player applet instead of the browser. NOTE: CVE number may be incorrect, see CVE entry
rPath rPSA-2007-0190-1 kdebase 2007-09-18
Mandriva MDKSA-2007:138 kdebase 2007-07-03
Red Hat RHSA-2007:0494-01 kdebase 2007-06-13

kernel: several vulnerabilities

Package(s): kernel    CVE #(s): CVE-2007-1353 CVE-2007-2451 CVE-2007-2453
Created: June 11, 2007    Updated: March 6, 2008
Description: Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak kernel memory contents via an uninitialized stack buffer. A local attacker could exploit this flaw to view sensitive kernel information. (CVE-2007-1353)

The GEODE-AES driver did not correctly initialize its encryption key. Any data encrypted using this type of device would be easily compromised. (CVE-2007-2451)

The random number generator was hashing a subset of the available entropy, leading to slightly less random numbers. Additionally, systems without an entropy source would be seeded with the same inputs at boot time, leading to a repeatable series of random numbers. (CVE-2007-2453)

Debian DSA-1504 kernel-source-2.6.8 2008-02-22
Debian DSA-1503-2 kernel-source-2.4.27 2008-03-06
Debian DSA-1503 kernel-source-2.4.27 2008-02-22
Red Hat RHSA-2007:0488-01 kernel 2007-06-25
Debian DSA-1356-1 linux-2.6 2007-08-15
SuSE SUSE-SA:2007:051 kernel 2007-09-06
Mandriva MDKSA-2007:216 kernel 2007-11-13
Mandriva MDKSA-2007:171 kernel 2007-08-28
Red Hat RHSA-2007:0671-01 kernel 2007-08-16
Red Hat RHSA-2007:0673-01 kernel 2007-08-08
Red Hat RHSA-2007:0672-01 kernel 2007-08-08
Ubuntu USN-489-1 linux-source-2.6.15 2007-07-19
Ubuntu USN-486-1 linux-source-2.6.17 2007-07-17
Fedora FEDORA-2007-600 kernel 2007-06-25
Fedora FEDORA-2007-599 kernel 2007-06-21
SuSE SUSE-SA:2007:035 kernel 2007-06-14
Red Hat RHSA-2007:0376-01 kernel 2007-06-14
Fedora FEDORA-2007-0409 kernel 2007-06-13
Ubuntu USN-470-1 linux-source-2.6.20 2007-06-08

kernel: several vulnerabilities

Package(s): kernel    CVE #(s): CVE-2006-5823 CVE-2006-6054 CVE-2007-1592
Created: June 12, 2007    Updated: March 21, 2011
Description: A flaw in the cramfs file system allows invalid compressed data to cause memory corruption. (CVE-2006-5823)

A flaw in the ext2 file system allows an invalid inode size to cause a denial of service (system hang). (CVE-2006-6054)

A flaw in IPv6 flow label handling allows a local user to cause a denial of service (crash). (CVE-2007-1592)

Mandriva MDVSA-2011:051 kernel 2011-03-18
Debian DSA-1503-2 kernel-source-2.4.27 2008-03-06
Debian DSA-1504 kernel-source-2.6.8 2008-02-22
Debian DSA-1503 kernel-source-2.4.27 2008-02-22
Red Hat RHSA-2007:0673-01 kernel 2007-08-08
Red Hat RHSA-2007:0672-01 kernel 2007-08-08
SuSE SUSE-SA:2007:035 kernel 2007-06-14
Red Hat RHSA-2007:0347-01 kernel 2007-05-16
SuSE SUSE-SA:2007:043 kernel 2007-07-09
Debian DSA-1304-1 kernel-source-2.6.8 2007-06-16
rPath rPSA-2007-0124-1 kernel xen 2007-06-14
Red Hat RHSA-2007:0436-01 kernel 2007-06-11

madwifi-ng: multiple vulnerabilities

Package(s): madwifi-ng    CVE #(s): CVE-2007-2830 CVE-2007-2829 CVE-2007-2831
Created: June 12, 2007    Updated: June 29, 2007
Description: Md Sohail Ahmad from AirTight Networks has discovered a division by zero in the ath_beacon_config() function (CVE-2007-2830). The vendor has corrected an input validation error in the ieee80211_ioctl_getwmmparams() and ieee80211_ioctl_setwmmparams() functions (CVE-2007-2831), and an input sanitization error when parsing nested 802.3 Ethernet frame lengths (CVE-2007-2829).
Ubuntu USN-479-1 linux-restricted-modules-2.6.15/.17/.20 2007-06-28
Mandriva MDKSA-2007:132 madwifi-source 2007-06-21
Gentoo 200706-04 madwifi-ng 2007-06-11

mecab: buffer overflow

Package(s): mecab    CVE #(s): none
Created: June 12, 2007    Updated: June 13, 2007
Description: MeCab 0.96 fixes several bugs and security issues.
Fedora FEDORA-2007-0379 ruby-mecab 2007-06-11
Fedora FEDORA-2007-0368 perl-mecab 2007-06-11
Fedora FEDORA-2007-0367 python-mecab 2007-06-11
Fedora FEDORA-2007-0366 mecab 2007-06-11

openoffice.org: arbitrary code execution

Package(s): openoffice.org    CVE #(s): CVE-2007-0245
Created: June 13, 2007    Updated: June 12, 2008
Description: A specially crafted RTF file could cause the filter to overwrite data on the heap, which may lead to the execution of arbitrary code.
Fedora FEDORA-2008-5239 2008-06-11
Fedora FEDORA-2008-4104 2008-05-17
rPath rPSA-2007-0160-1 2007-08-14
Ubuntu USN-482-1 2007-07-10
Mandriva MDKSA-2007:144 2007-07-10
Gentoo 200707-02 openoffice 2007-07-02
SuSE SUSE-SA:2007:037 OpenOffice_org 2007-06-28
Fedora FEDORA-2007-606 2007-06-25
Fedora FEDORA-2007-0410 2007-06-13
Fedora FEDORA-2007-572 2007-06-12
Red Hat RHSA-2007:0406-01 2007-06-13
Debian DSA-1307-1 2007-06-12

pam: privilege escalation

Package(s): pam    CVE #(s): CVE-2007-1716
Created: June 12, 2007    Updated: November 15, 2007
Description: A flaw was found in the way pam_console set console device permissions. It was possible for various console devices to retain ownership of the console user after logging out, possibly leaking information to an unauthorized user.
Red Hat RHSA-2007:0737-02 pam 2007-11-15
Red Hat RHSA-2007:0555-04 pam 2007-11-07
Fedora FEDORA-2007-546 pam 2007-06-11
Red Hat RHSA-2007:0465-01 pam 2007-06-11

spamassassin: local denial of service

Package(s): spamassassin    CVE #(s): CVE-2007-2873
Created: June 13, 2007    Updated: June 15, 2007
Description: The effect of the exploit is to allow overwriting of arbitrary files that are accessible by the spamd process (running as root), with data that is not under the control of the attacker.
Mandriva MDKSA-2007:125 spamassassin 2007-06-14
rPath rPSA-2007-0119-1 spamassassin 2007-06-13
Fedora FEDORA-2007-582 spamassassin 2007-06-12
Fedora FEDORA-2007-584 spamassassin 2007-06-12
Red Hat RHSA-2007:0492-01 spamassassin 2007-06-13
Fedora FEDORA-2007-0390 spamassassin 2007-06-12

wordpress: SQL injection

Package(s): wordpress    CVE #(s): none
Created: June 8, 2007    Updated: June 13, 2007
Description: A lack of proper input filtering in wp_suggestCategories() of the WordPress XML-RPC API will allow SQL injection.
OpenPKG OpenPKG-SA-2007.021 wordpress 2007-06-08

Page editor: Jake Edge

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds