SWF Whitepaper and VoIP Vulns

Posted on January 3, 2008 by Nathan Grandbois

There is a guide available from Adobe on creating secure Flash applications. In the wake of the mid December Adobe Shockwave Flash vulnerabilities, Adobe has released a white paper on “Creating more secure SWF web applications”. This, combined with flash data validation libraries available from Google, allow for a complete solution to any potential vulnerabilities. Developers of Flash animations/movies/applications should take the time to read over this document and see where they could use the data validation libraries within their environment. Security teams should be testing all of their environments Flash applications for any vulnerabilities and coordinate to get these resolved. From what I’ve read, when Adobe makes the second update for these issues available early 2008, the issues will not be completely resolved in already developed Flash applications.

Here’s a link to the article http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html and the validation libraries http://code.google.com/p/flash-validators/

Also, it appears a few SIP vendors have had vulnerabilities reported in them today. Avaya is affected by two issues, one in pam and the other in OpenSSH. The issue in pam could allow for the disclosure of sensitive data, or allow the injection of characters into log entries. The issue with OpenSSH could allow arbitrary code execution (race condition) and the discovery of valid usernames. Here’s the original Avaya advisories: http://support.avaya.com/elmodocs2/security/ASA-2007-526.htm and http://support.avaya.com/elmodocs2/security/ASA-2007-527.htm

Asterisk is vulnerable to a Denial of Service when handling the “BYE/Also” transfer method. Exploitation requires that a dialog already be established between the two parties. Asterisk versions prior to 1.4.17 are vulnerable. The issue is fixed in version 1.4.17.

RealPlayer, ClamAV, Nugache

Posted on January 2, 2008 by Nathan Grandbois

There’s a buffer overflow in RealPlayer 11. We don’t have much detail at this time, however it is reported that this can be exploited with a maliciously crafted file opened with a vulnerable version. Opening a malicious file will result in the execution of code under the context of the user running the application. The issue is reported in RealPlayer 11, other untested version may be vulnerable.

ClamAV version 0.92 contains multiple vulnerabilities. The first vulnerability is a race condition, where an attacker could generate a file with a specific name that would be called by a ClamAV function. This could allow the attacker to overwrite arbitrary files. The next issue is in the handling Base64-UUEncoded files. Attackers can create certain packed files that can bypass the scanner itself. The consequences of this should be self evident, and the possibility to occur is very real, due to the success rate of socially engineered emails and links.

More articles are emerging on the Nugache Trojan. Briefly, the Nugache Trojan is a very sophisticated piece of P2P controlled malware. Using decentralized management, nodes that can attach/detach, and encryption, this malware is a professional job. The authors of these articles seem to feel that the Storm and Nugache authors are the same, or share similar tactics. Once we see a full write up, we’ll post the details.

Research, NIST Speaks

Posted on December 31, 2007 by Nathan Grandbois

Over the past week some researchers have published new methods and tools for embedded device hacking and ways to improve blind SQL injection. It will be interesting to see the scope of where embedded device hacking goes, as more devices are getting additional capabilities, that may be coming in exchange for security. Also, the NIST says the feds are keeping up on their own penetration testing and will release new guidelines in March required third party testing for federally controlled facilities.

A new version of Nipper has been released. This handy tool performs configuration auditing for various network devices and can make limited security recommendations. When was the last time you went through your firewall rules? This should be happening at some regular occurrence, however dull it may be.

Another worm, Nugache, has recently been covered in an article by Bruce Schneier, where he talks about some interesting stuff. No direct C&C server, encrypted packets all around, and the ability for any node to become the “leader”. Bot development is becoming more sophisticated, and funded. Expect to see some serious Trojans in the coming future.

MS07-065 PoC, Scam Warning

Posted on December 28, 2007 by Nathan Grandbois

A proof of concept has been released for one of the vulnerabilities announced in Decembers Microsoft Update. The vulnerability in Message Queuing Service (ms07-065) now has a working proof of concept exploit available to the public. If you have not updated, or do not have automatic updates enabled, please do so.

Also, with the recent death of a foreign former prime minister, be on the lookout for emails or website attempting to lure you there as most of these will likely been social engineering/scam attempts.

Bricked HP Notebooks, IBM BoF, Cisco DoS

Posted on December 21, 2007 by Nathan Grandbois

IBM Lotus Domino Web Access is vulnerable to a buffer overflow. An ActiveX control (dwa7.dwa7.1) is responsible for this error. This can be exploited remotely and successful exploitation could result in the execution of arbitrary code. The vulnerability is reported in dwa7W.dll version 7.0.34.1. Users should set the kill bit for this ActiveX control until an update is made available.

More issues with HP notebooks. Another buffer overflow has been discovered in the HP Software Update that could result in the modification of system files resulting in a non bootable system. Every HP machine containing the HP Software Update is vulnerable. A working POC exploit has been released to the public. At this time there is no update available.

Finally, there is a Denial of Service in Cisco Firewall Services Module. This is a result of an error processing data with Layer 7 application inspections. The vulnerability is reported in FWSM System Software version 3.2(3). Cisco has made an update and workaround available at http://www.cisco.com/warp/public/707/cisco-sa-20071219-fwsm.shtml

HP InfoCenter POC, Adobe Flash Player

Posted on December 19, 2007 by Nathan Grandbois

On Wednesday, 12 December, we posted about a vulnerability in HP software installed on laptops. Well, we now have reports that a working POC exploit that grants remote access exists. HP has provided a workaround by disabling the HP Info Center. More information, including the workaround, can be found at the following URLs:

ftp://ftp.hp.com/pub/softpaq/sp38001-38500/
ftp://ftp.hp.com/pub/softpaq/sp38001-38500/sp38166.html

Clam AntiVirus is vulnerable to remote exploitation of an integer overflow. This error is in the processing of PE files packed with the MEW packer. Exploitation of this vulnerability can result in execution of code in the context of the application running libclamav. If the clamd process is exploited, code can be executed under the context of the clamav user. This vulnerability exists within ClamAV 0.91.2. There is a workaround available by setting –no-pe when starting the clamscan. There is also an update available, which is version 0.92.

Multiple vulnerabilities have been reported in Adobe’s Flash Player. These affect Adobe Flash CS3, Adobe Flash Player 9.x, Adobe Flex 2.x, Macromedia Flash 8.x, Macromedia Flash Player 7.x, and Macromedia Flash Player 8.x. The vulnerabilities can result in a variety of outcomes, including Denial of Service and compromising users systems. There are updates available for each of the Flash players affected. Note that this will be the last update for Adobe Flash Player 7.

Additionally, there is a vulnerability that could allow system compromise in AIX 5.2, 5.3, and 6.1. The vulnerability is related to Perl Regular Expressions Unicode Data Buffer Overflow. There are interim fixes available here ftp://aix.software.ibm.com/aix/efixes/security/perl_ifix.tar.

Citrix Web Interface is vulnerable to an unspecified cross site scripting attack. The cross site scripting is in the online help portion of the software. More information can be found in the original advisory http://support.citrix.com/article/CTX115283

Apple Security Update, Various Overflows

Posted on December 18, 2007 by Nathan Grandbois

Apple has released security update 2007-009. This update contains fixes for several critical vulnerabilities, plus fixes for other issues. Updates are available for 10.4.11 and 10.5.1. For a complete list of vulnerabilities fixed, please visit http://docs.info.apple.com/article.html?artnum=307179.

There is buffer overflow in HP-UX. The issue lies in a function call to sw_rpc_agent_init within swagentd that if given malformed arguments, could result in a buffer overflow. This could allow attackers to execute arbitrary code. Authentication is not required. Hewlett-Packard has released an update to address this vulnerability, available from HP document ID #SB2294r1.

Trend Micro ServerProtect contains an insecure method exposure in the StRpcSrv.dll. The bug exists in the SpntSvc.exe daemon running on TCP port 5168. An attack against this vector could result in full file system access that could be leveraged to execute arbitrary code. An update to this issue has been release, and more information can be found at http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt.

The perl package Net::DNS is vulnerable to a denial of service. By sending a malformed DNS reply to a server or application running Net::DNS, it is possible to cause the package to crash. This would in turn crash any application running the Net::DNS module. Net::DNS version 0.60 build 654 is vulnerable. This issue has been assigned CVE-2007-6341.

St. Bernard Open File Manager is vulnerable to a heap-based buffer overflow. This is due to a boundary error in ofmnt.exe, in which an attacker can send a malicious packet to the service and cause the overflow. This could result in the execution of code as a SYSTEM user. Version 9.6 build 602 available to customers addresses this issue. Other vendors using this software may have made updates available as well.

Mac Java, JUNOS, and a Samba Exploit

Posted on December 17, 2007 by Nathan Grandbois

Mac OS X has multiple vulnerabilities in Java. An error in a Java access check could be exploited to add or remove items from a Keychain without prompting the user. This could be achieved by a specially crafted Java packet. This affects Mac OS X versions prior to 10.5. The next issue is in Java 1.4 and J2SE 5.0 that could allow for a denial of service, bypassing security mechanisms, or compromise a users system. Users of Mac OS X systems should update to Java release 6.

A vulnerability in Juniper JUNOS can be exploited to cause a denial of service. This can occur due to an error processing BGP UPDATE messages, and can be triggered by a specially crafted BGP message. Administrators of Juniper devices should apply the vender recommended updates, available at https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2007-12-008&viewMod%20e=view.

The samba_mailslot() vulnerability reported earlier this month now has public exploit code available. Samba 3.0.27a is vulnerable to stack-based buffer overflow when processing “SAMLOGON” domain logon packets. Code is now available to exploit this vulnerability, although it currently only causes a denial of service. Samba 3.0.28 is currently available.

Avaya PCRE, IBM AIX Multiple Vulns

Posted on December 13, 2007 by Nathan Grandbois

Certain Avaya products are affected by a vulnerability in PCRE (perl compatible regular expressions). This could cause a denial of service on the Avaya system, or lead to compromise using the affected library. The following applications are affected:

* Avaya Communication Manager (CM 3.x and 4.x)
* Avaya CCS/SES (3.1.1, 3.1.2 and 4.0)
* Avaya AES (4.0.1, 4.1)
* Avaya Intuity AUDIX LX (2.0)
* Avaya Message Networking (3.1)
* Avaya Messaging Storage Server (MSS 3.x)

For more information, see the original advisory at http://support.avaya.com/elmodocs2/security/ASA-2007-505.htm.

IBM AIX 5.x contains multiple, unspecified vulnerabilities. There are too many to list here, so if you are a user of AIX 5.x, please visit IBM support and obtain the latest updates for your specific version.

VMWare ESX Update, XSS Testing for Webmail Systems

Posted on December 10, 2007 by Nathan Grandbois

A recent update of VMWare ESX server contains many fixes, but a few of them are critical to the security of the application. Now should be the time to look in to updating VMWare on you computers.

A new XSS testing tool has been released. XSS testing tools are nothing new, however this is the first dedicated solely to testing XSS in webmail applications. Written in perl, it tests XSS in mail messages sent to an account you specify. It’s called Excess, and can be found at http://www.scanit.be/excess.html

Also, striking similarities between the Quicktime bug found in 2002 and the recent RTSP bug have been noticed. CVE 2002-0252 and 2007-6166 are very much alike each other. Has Apple reintroduced the same bug from 2002?

MSI :: State of Security

Insight from the Information Security Experts

Author Archives: Nathan Grandbois