Holes and Security

 
 

Mishka

moderator
★★★
So I decided to start a topic. I don't know whether everyone keeps track of this. I'll post here about the most notable holes that open your systems up to hackers. Today:

(1) CRITICAL: IE/IIS Microsoft Data Access Components (MDAC) Buffer
Overflow

Affected Products:
MDAC 2.1, 2.5, 2.6 (virtually all versions of Windows except XP)
IIS servers allowing remote access to vulnerable MDAC services
Internet Explorer 5.01, 5.5, 6.0 (except for Windows XP)

Description:
MDAC is a technology present in nearly all Windows installations.
Vulnerable versions contain a buffer overflow that can be remotely
exploited to execute arbitrary code in two different ways. First,
an attacker can compromise an IIS server by sending a malicious HTTP
request. Second, a hostile web server can compromise a web client
running Internet Explorer by sending a malicious HTTP response.
Successful exploitation of IIS provides attackers with SYSTEM
privileges by default. Web clients are compromised at the privilege
level of the user running Internet Explorer.

Risk: Remote Compromise.
Remote SYSTEM-level compromise of IIS servers, or remote compromise
of web client machines running Internet Explorer.

Deployment: Huge.
The vulnerable software is present in nearly all versions of Windows.

Ease of Exploitation: Unknown.
Foundstone's advisory provides some technical detail about how to
trigger the heap overflow on IIS servers. Fewer details are available
concerning how to exploit an IE client. Note that an attacker must
entice an IE victim to visit a hostile webserver.

Status: Vendor confirmed, patches available.

References:
Foundstone Advisory:


Microsoft Advisory and KnowledgeBase Article:

Microsoft Security Bulletin MS02-065 : Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414)

// www.microsoft.com
 

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329414

Council Site Actions:
All council sites reported action taken. They identified vulnerable
Internet-facing servers and have either already patched them or
have scheduled the patch to take place as soon as possible. One site
reported a large number of vulnerable Internet-facing systems which
they have no access to. They are prepared to take these systems
offline if patches are not available and/or the appropriate support
groups cannot be identified.

All council sites plan to patch internally facing machines during
the next regular patch cycle.

**************************************************************
 
 

Mishka

moderator
★★★
(1) HIGH: Simultaneous Queries DNS Spoofing Vulnerability

Affected Products:
ISC BIND 4.9.11 and prior
ISC BIND 8.2.7 and prior, and 8.3.4 and prior
Other DNS server implementations may also be vulnerable

Description:
A remote attacker can use an adaptation of the probabilistic "birthday
attack" to trick a DNS server into accepting a spoofed name query
response with far fewer packets than a brute force attack requires. If
the attacker generates multiple spoofed DNS queries for the same
resource record sourced from different IP addresses, a vulnerable
server will forward all of the queries, thus entering a state where
there are multiple open server requests for the same record. At this
point the attacker can send many spoofed DNS replies to the server,
and has a surprisingly good chance of successfully causing the server
to accept a fake response.

Risk: Remote attackers can cause DNS servers to accept, and possibly
cache, false DNS record information. By controlling the mapping between
hostnames and IP addresses in this manner, attackers can masquerade
as any desired Internet server.

Deployment: Huge. Some experts estimate that 60% of currently deployed
DNS servers are vulnerable.

Ease of Exploitation: Straightforward. This attack has been reasonably
well known in the DNS developer community for some time, thus it is
likely that attackers were also aware of the vulnerability prior to
the public announcement. Some reports indicate that the vulnerability
is being actively exploited.

Status: Vendor confirmed. The recommended action is to upgrade to BIND
9.2.1. Administrators can also reduce risk by limiting a server's
use of recursion, as non-recursive name servers are more resistant
to exploitation.

References:

CERT Vulnerability Note:

US-CERT Vulnerability Note VU#457875 - Various DNS service implementations generate multiple simultaneous queries for the same resource record

Various implementations of DNS services may allow multiple simultaneous queries for the same resource record, allowing an attacker to apply probabilistic techniques to improve their odds of successful DNS spoofing.

// www.kb.cert.org
 


CAIS/RNP (Brazilian Research Network PSIRT) Security Advisory:


Bugtraq Discussions:

NEOHAPSIS - Peace of Mind Through Integrity and Insight

Council Site Actions:
Some council members are treating the issue as already well-known and
are taking no immediate action to upgrade servers, but are watching for
signs of exploitation and taking other actions to mitigate risk. Other
sites are either already running BIND 9 or have recommended that
administrators upgrade to BIND 9.


***********************************************************************
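
Added example, not part of the original post or of the CERT note: the arithmetic behind the claim above that many simultaneous open queries let a spoofed reply succeed "with far fewer packets than a brute force attack requires". It assumes 16-bit transaction IDs chosen uniformly at random, distinct IDs among the open queries and among the spoofed replies, and that every other field the server checks already matches; the function names are illustrative.

```python
from math import expm1, log1p

TXID_SPACE = 2 ** 16  # DNS transaction IDs are 16 bits wide


def spoof_success_probability(open_queries, spoofed_replies, id_space=TXID_SPACE):
    """Chance that at least one spoofed reply carries the ID of an open query.

    Assumed model: the server's open queries for the record have distinct,
    uniformly random IDs; the spoofed replies carry distinct IDs; every other
    field the server checks (addresses, ports, question) already matches.
    """
    if open_queries < 0 or spoofed_replies < 0:
        raise ValueError("counts must be non-negative")
    if open_queries == 0 or spoofed_replies == 0:
        return 0.0
    if open_queries + spoofed_replies > id_space:
        return 1.0  # pigeonhole: some reply must hit an open ID
    # P(miss) = prod_{i=0}^{m-1} (1 - n / (N - i)), summed in log space
    log_miss = sum(log1p(-open_queries / (id_space - i))
                   for i in range(spoofed_replies))
    return -expm1(log_miss)


def packets_for_target(target, id_space=TXID_SPACE):
    """Smallest n such that n open queries plus n spoofed replies reach `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    n = 1
    while spoof_success_probability(n, n, id_space) < target:
        n += 1
    return n


def exposure_by_query_cap(spoofed_replies, caps=(1, 10, 100, 700)):
    """Success probability when the server allows at most `cap` simultaneous
    open queries for one record. cap=1 models a server that keeps a single
    open query per record (a hypothetical setting used for comparison)."""
    return {cap: spoof_success_probability(cap, spoofed_replies) for cap in caps}


if __name__ == "__main__":
    half = packets_for_target(0.5)
    print("50% point with n open queries and n spoofed replies: n =", half)
    print("same number of replies against one open query: P = %.4f"
          % spoof_success_probability(1, half))
    for cap, p in exposure_by_query_cap(700).items():
        print("cap=%4d open queries, 700 spoofed replies -> P = %.4f" % (cap, p))
```

With a single open query, 700 spoofed replies succeed about 1% of the time; with 700 open queries the same 700 replies succeed more than 99.9% of the time, which is the gap the advisory describes.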
 
 

Mishka

moderator
★★★
If you still have this, patch urgently!

--19 & 20 November 2002 Study Shows Many Haven't Patched OpenSSH
Vulnerability
A recent study showed that 30% of systems running OpenSSH remained
unpatched even after the Slapper worm illuminated the OpenSSH
vulnerability. Speculations about why the problem has not been fixed:
(1) lack of full time administrators, (2) stringent deadlines that
don't allow time for installing patches and (3) server maintenance
responsibility being given to people who have little security training.
It is also possible that some systems weren't patched because of
fears the patch might have an adverse effect on the system.

Study: System admins slow to zap bugs - CNET News

New research on the Slapper worm finds that many systems administrators still aren't patching security holes as fast--or as frequently--as they should to lock out attacks. A CNET article by Robert Lemos, Staff Writer, CNET News. Published on November 19, 2002 12:01 PM PST.

// news.com.com
 

The World's No.1 Science and Technology News Service - New Scientist - New Scientist
[Editor's Note (Murray): This report is exceptionally well done.
An ounce of it is worth a pound of intuition or two pounds of good
intentions.]
 
 

=KRoN=
Balancer

administrator
★★★★★

Thanks. Ripped OpenSSH out, to hell with it.
 
 

Mishka

moderator
★★★
Aha, so Microsoft has raised the severity level for the Explorer hole found last week:

Microsoft upgrades IE flaw to 'critical' after criticism

The company initially said the Web browser flaw was only a moderate risk to
users.

// computerworld.com
 


And this is about the hole itself:

http://www.microsoft.com/technet/treeview/.../bulletin/MS02-068.asp
 
 

Mishka

moderator
★★★
Posting this in full, since it may affect many people.



***********************************************************************
SANS Critical Vulnerability Analysis
December 8, 2002 Vol. 1. No. 20
***********************************************************************
Summary: Every week, the CVA prioritizes and summarizes the most
important vulnerabilities identified during the past week and provides
data on actions taken by security and systems managers at fifteen
very large organizations (the Council) to protect their computers
and networks from exploits of the reported vulnerabilities.

See "About the CVA Process and Council" for more data on how the
report is compiled.

For a free subscription, go to https://www.sans.org/sansnews/
***********************************************************************

Table of Contents:

Widely Deployed Software
(1) HIGH: Sybase Adaptive Server Multiple Buffer Overflows
(2) HIGH: Cyrus IMAP Server Remote Buffer Overflow
(3) HIGH: Samba Encrypted Password Change Request Buffer Overflow
(4) HIGH: Linksys Wireless Router Multiple Vulnerabilities

Other Software
(5) HIGH: Pico HTTP Server (pServ) Multiple Buffer Overflows

    ************************
    Widely Deployed Software
    ************************

    (1) HIGH: Sybase Adaptive Server Multiple Buffer Overflows


    Affected Products:
    Sybase Adaptive Server versions 12.0 and 12.5

    Description:
    Sybase Adaptive Server contains three stack-based buffer overflow
    vulnerabilities that allow an attacker with non-privileged login
    credentials to gain complete control of the server. The affected
    software is very widely deployed in the securities, banking, and
    healthcare industries, and in government and e-commerce environments.

    Risk: Non-privileged users can execute arbitrary code under the
    security context of the server, database, or extended stored procedure
    server.

    Deployment: Widely deployed, mission critical. According to the vendor
    website, Sybase's installed base spans 90% of the world's securities
    firms and 60% of its banks. The affected product is also widely used
    by the US government and in the telecommunications, pharmaceuticals,
    and healthcare industries. The Adaptive Server Enterprise product is
    a data management platform for mission-critical, transaction-intensive
    enterprise applications.

    Ease of Exploitation: Straightforward. The security advisories include
    technical details showing how to trigger the overrun conditions.

    Status: Vendor confirmed, patches available. Users should apply
    patches 12.5.0.2 and 12.0.0.6 ESD#1.

    Severity: High (vulnerability details available, server root
    compromise, widely deployed, high value assets, attacker must have
    limited user privileges)

    Council Actions: Sybase is widely used among Council sites. Those
    using it in mission critical applications implemented the patches
    immediately. The other Council members felt their perimeter
    protection, based on port blocking, allowed them to tell the Sybase
    administrators about the problem and have it corrected in the next
    regular patch cycle.

    References:
    Application Security Inc. Advisories:

    NEOHAPSIS - Peace of Mind Through Integrity and Insight


    Sybase Adaptive Server Product Information:

    Adaptive Server Enterprise Relational Database Management System (RDBMS) Software Solution - Sybase Inc

    // www.sybase.com
     

    http://www.sybase.com/sb_content/1019280/aseIndustrySolutions.swf

    Sybase patches are available at:



    (2) HIGH: Cyrus IMAP Server Remote Buffer Overflow


    Affected Products:
    Cyrus IMAP Server version 2.1.10 and prior

    Description:
    The Cyrus IMAP server for Unix contains a remotely exploitable buffer
    overflow that allows non-authenticated attackers to execute arbitrary
    code with the privileges of the server process (typically not root).

    Risk: Remote server compromise with the privileges of the Cyrus
    IMAP daemon. Since Cyrus stores all email under a single user ID,
    a successful attacker would be able to read all messages stored on
    the compromised system.

    Deployment: Significant. The Cyrus IMAP server project was started by
    the Carnegie Mellon University in 1994. The software is especially
    popular with Linux and Solaris users, and is included with some
    Linux distributions.

    Ease of Exploitation: Straightforward. This is a heap-based buffer
    overflow. The Bugtraq advisory contains many technical exploitation
    details and a source code patch showing the location of the flawed
    server code.

    Status: Vendor confirmed. Users should upgrade to version 2.0.17 or
    2.1.11 to fix the problem.

    Severity: High (server non-root compromise, many vulnerability details,
    significant deployment)

    Council Actions: One Council site reported using Cyrus IMAP server
    for email for more than 10,000 users. A close analysis of the
    background information on the vulnerability led that site to conclude
    that exploitation depends on certain properties of the malloc/free
    implementation which were not present in the malloc/free implementation
    in the operating system used at that site. Nevertheless, they plan
    to schedule an e-mail system outage to install a new version of the
    Cyrus software.

    References:
    Bugtraq Posting by Timo Sirainen:


    CERT Vulnerability Note VU #740169:
    Vendor Announcement:
    http://asg.web.cmu.edu/archive/...


    (3) HIGH: Samba Encrypted Password Change Request Buffer Overflow


    Affected Products:
    Samba versions 2.2.2 through 2.2.6

    Description:
    Samba contains a buffer overflow in code that handles password change
    requests from clients. A malicious client can send an encrypted
    password that, when decrypted by the smbd server, causes a stack-based
    buffer overrun. Theoretically, the vulnerability could be exploited
    by an unauthenticated remote attacker to execute arbitrary code with
    root privileges.

    Risk: Remote root compromise.

    Deployment: Significant. Samba is the Unix server standard for
    providing SMB/CIFS-based file and print services, and is included in
    many Linux distributions.

    Ease of Exploitation: Difficult. No exploits are known to exist,
    and the Samba team states that they were unable to craft one
    themselves. According to the Samba announcement, the attack would
    have to be crafted such that converting a DOS codepage string to
    little endian UCS2 unicode results in an executable block of code.

    Status: Vendor confirmed, fixed software available. Users are advised
    to upgrade to Samba version 2.2.7.

    Severity: High (server root compromise, significant deployment,
    unusually difficult exploit)

    Council Actions: SAMBA was in use at nearly all of the Council sites.
    Because exploitation is difficult, and they found no exploit in the
    wild, all Council sites, even those with Samba systems accessible from
    the Internet, decided to update centrally managed sites on the next
    regularly planned update cycle. For systems managed by end users,
    most sites block access at the perimeter and plan to tell the users
    to patch the vulnerability on their next update cycle. One site
    plans to do a version survey of all Samba systems in January 2003,
    and then force updates to vulnerable systems.

    References:
    Samba Announcement:


    Vendor Announcements:
    SuSE, RedHat, Mandrake, Conectiva, Debian, Trustix

    NEOHAPSIS - Peace of Mind Through Integrity and Insight



    (4) HIGH: Linksys Wireless Router Multiple Vulnerabilities


    Affected Products:
    Linksys BEFW11S4 v2. Firmware versions 1.42.7, 1.43, 1.43.3
    Linksys BEFSR41/BEFSR11/BEFSRU31. Firmware versions 1.42.7, 1.43,
    1.43.3
    Linksys BEFSR81. Firmware version 2.42.7.1
    Linksys BEFN2PS4. Firmware version 1.42.7
    Linksys BEFSX41. Firmware versions 1.43, 1.43.3, 1.43.4
    Linksys BEFVP41. Firmware versions 1.40.2, 1.40.3
    Linksys HPRO200
    Linksys BEFN2PS4

    Description:
    Multiple remotely-exploitable vulnerabilities have been found in
    Linksys wireless routers, allowing an attacker to gain complete
    control of a vulnerable device. The flaws allow an attacker to
    bypass authentication requirements and execute arbitrary code on the
    device via a buffer overflow. For the most part, the flaws affect
    the embedded HTTP server that is typically only enabled on the LAN
    interface. However, CORE has demonstrated that a malicious HTML page
    can be constructed that will, when loaded in a browser by a user
    on the LAN network, contact the Linksys, bypass authentication, and
    reconfigure the device to allow remote management from the Internet. At
    that point the attacker is free to control the device remotely, and
    exploit the buffer overflow to execute code. A user could encounter a
    hostile web page while browsing the Internet, or receive it in an email
    message. Most exploit attempts would be successful since all devices
    use the same IP address (192.168.1.1) for the LAN interface by default.

    Risk: Remote attackers can gain complete control of the device.

    Deployment: Widely deployed. The affected products are used in many
    small business and home office environments, and have won several
    industry awards.

    Ease of Exploitation: Straightforward/Trivial. The CORE advisory
    contains examples and low-level technical details about how to exploit
    the vulnerabilities.

    Status: Vendor confirmed, firmware upgrades are available for some
    products, others are still under development.

    Severity: High (exploit code, server root compromise, significant
    deployment, attacker must entice victim, mostly home user issue).

    References:
    CORE Security Technologies Advisory:

    Core Security

    // www.corest.com
     


    Linksys Firmware Upgrades:
    http://www.linksys.com/download/


    **************
    Other Software
    **************

    (5) HIGH: Pico HTTP Server (pServ) Multiple Buffer Overflows


    Affected Products:
    pServ version 2.0b5 and possibly other versions

    Description:
    Pico HTTP server contains multiple remotely exploitable buffer
    overflows that allow attackers to execute arbitrary code with the
    privileges of the server process, typically root.

    Risk: Remote root compromise.

    Deployment: Small. Pico server is a freeware, open source HTTP server
    for Unix designed to be small and easily portable.

    Ease of Exploitation: Straightforward. The security advisory discusses
    several stack-based buffer overrun vulnerabilities in detail, providing
    sufficient information for an attacker to begin crafting an exploit.

    Status: Vendor has not confirmed, no patch currently available.

    Severity: High (server root compromise, vulnerability details
    available, small deployment)

    References:
    Bugtraq Posting by Matthew Murphy:


    pServe SourceForge Project Page:
    pServ | Free software downloads at SourceForge.net
    ************************************************************

    About the CVA Process and Council

    The CVA is produced in four phases:
    Phase 1: Neohapsis director of research, Jeff
    Forristal and the Neohapsis team scour all of the major vendor web
    sites as well as bugtraq and other sources of new vulnerability
    information and compile what they believe to be a complete list of
    all new vulnerabilities and major vulnerability announcements made
    during the week. The SANS Institute and Network Computing Magazine vet
    the complete list through the major system manufacturers and jointly
    publish it every week as the Security Alert Consensus (SAC). You may
    subscribe to the SAC at http://www.sans.org/newlook/digests/SAC.htm

    Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
    vulnerabilities and announcements that demand immediate action. This
    reduces the list from 30-50 each week down under 10. Vicki has been
    on the front lines of intrusion detection and vulnerability testing
    for nearly five years and her work in the field is legendary.

    Phase 3: Very technical and highly skilled security managers at fifteen
    of the largest user organizations in the United States each review the
    "immediate action" vulnerabilities and describe what they did or did
    not do to protect their organizations. Council members include banks
    and other financial organizations, government agencies, universities,
    major research laboratories, ISPs, health care, manufacturers,
    insurance companies and a couple more. The individual members have
    direct responsibility for security for their systems and networks. All
    were concerned that information about their security configuration
    would leak out, and agreed to serve only if their identities were
    not revealed. The Council also includes representatives from the
    National Infrastructure Protection Center and the White House Office
    of Cyber Security.

    Phase 4: SANS compiles the responses and identifies the items on which
    the Council members took or are taking action, produces the weekly CVA,
    and distributes it via email to all subscribers.

    **********************************************************************
    Critical Vulnerability Analysis Scale Ratings

    In ranking vulnerabilities several factors are taken into account,
    such as:

    - Is this a server or client compromise? At what privilege level?
    - Is the affected product widely deployed?
    - Is the problem found in default configurations/installations?
    - Are the affected assets high value (e.g. databases, e-commerce
      servers)?
    - Is the network infrastructure affected (DNS, routers, firewalls)?
    - Is exploit code publicly available?
    - Are technical vulnerability details available?
    - How difficult is it to exploit the vulnerability?
    - Does the attacker need to lure victims to a hostile server?

    Based on the answers to these questions, vulnerabilities are ranked
    as Critical, High, Moderate, or Low.

    CRITICAL vulnerabilities are those where essentially all planets
    align in favor of the attacker. These vulnerabilities typically
    affect default installations of very widely deployed software, result
    in root compromise of servers or infrastructure devices, and the
    information required for exploitation (such as example exploit code)
    is widely available to attackers. Further, exploitation is usually
    straightforward, in the sense that the attacker does not need any
    special knowledge about individual victims, and does not need to lure
    a target user into performing any special functions.

    HIGH vulnerabilities are usually issues that have the potential to
    become CRITICAL, but have one or a few mitigating factors that make
    exploitation less attractive to attackers. For example, vulnerabilities
    that have many CRITICAL characteristics but are difficult to exploit,
    do not result in elevated privileges, or have a minimally sized victim
    pool are usually rated HIGH. Note that HIGH vulnerabilities where the
    mitigating factor arises from a lack of technical exploit details will
    become CRITICAL if these details are later made available. Thus, the
    paranoid administrator will want to treat such HIGH vulnerabilities as
    CRITICAL, if it is assumed that attackers always possess the necessary
    exploit information.

    MODERATE vulnerabilities are those where the scales are slightly tipped
    in favor of the potential victim. Denial of service vulnerabilities
    are typically rated MODERATE, since they do not result in compromise
    of a target. Exploits that require an attacker to reside on the same
    local network as a victim, only affect nonstandard configurations
    or obscure applications, require the attacker to social engineer
    individual victims, or where exploitation only provides very limited
    access are likely to be rated MODERATE.

    LOW vulnerabilities usually do not affect most administrators, and
    exploitation is largely unattractive to attackers. Often these issues
    require the attacker to already have some level of access to a target
    (e.g. be able to execute arbitrary SQL queries, or be able to pop mail
    from a mail server), require elaborate specialized attack scenarios,
    and only result in limited damage to a target. Alternatively, a LOW
    ranking may be applied when there is not enough information to fully
    assess the implications of a vulnerability. For example, vendors often
    imply that exploitation of a buffer overflow will only result in a
    denial of service. However, many times such flaws are later shown
    to allow for execution of attacker-supplied code. In these cases,
    the issues are reported in order to alert security professionals to
    the potential for deeper problems, but are ranked as LOW due to the
    element of speculation.

    Remediation Timescale


    A vulnerability rating corresponds to the "threat level" of a
    particular issue. Critical threats must be responded to most quickly,
    as the potential for exploitation is high. Recommended response times
    corresponding to each of the ratings are below. These recommendations
    should be tailored according to the level of deployment of the affected
    product at your organization.

    CRITICAL: 48 hours
    HIGH: 5 business days
    MODERATE: 15 business days
    LOW: At the administrator's discretion


    ******************************************************************
    Please feel free to share this issue with interested parties via
    email, but no posting is allowed on internal or external web sites.
    To subscribe, at no cost, go to https://www.sans.org/sansnews/
    where you may also request subscriptions to any of SANS other free
    newsletters.

    To change your subscription, address, or other information, visit
    SANS Institute and enter your SD number (from the
    headers.) You will receive your personal URL via email.

    Copyright 2002, SANS Institute
    ==end==

     
     

    Mishka

    moderator
    ★★★
    --- Windows News -------------------------------------------------------
  • {02.49.018} Win - Enceladus FTP server CD overflow
  • The Enceladus Server Suite version 3.9 reportedly contains a buffer
    overflow in the handling of the 'CD' FTP command, thereby allowing
    a remote attacker to execute arbitrary code on the system.

    This vulnerability is not confirmed.

    Source: VulnWatch
  • {02.49.021} Win - MS02-067: Outlook 2000 e-mail header DoS
  • Microsoft released MS02-067 ("Outlook 2000 e-mail header DoS"). The
    Outlook 2000 (only) client crashes when it receives a particular type
    of e-mail with a malformed header. The client will continue to crash
    whenever it encounters the particular e-mail. Other Outlook versions
    are not affected.

    FAQ and patch:


    Source: Microsoft
  • {02.49.022} Win - MS02-068: IE cumulative patch 12/2002
  • Microsoft released MS02-068 ("IE cumulative patch 12/2002"). This
    patch contains all prior Internet Explorer patches as well as a fix
    for a critical new vulnerability, which lets a malicious e-mail or
    Web site execute arbitrary command-line commands on a user's system.

    FAQ and patch:


    Source: Microsoft
     
     

    Mishka

    moderator
    ★★★
  • {02.49.008} Cross - OpenLDAP2 multiple vulnerabilities
  • The SuSE security team found multiple remote and local buffer overflows
    in the OpenLDAP2 package, which allow the execution of arbitrary code.

    SuSE confirmed these and released updated RPMs, listed at the reference
    URL below.

    Source: SuSE
     
     

    Mishka

    moderator
    ★★★

     

    Microsoft warns of Java VM flaws
    Microsoft late Wednesday issued a "critical" security alert for a series of Java Virtual Machine bugs, one of which could allow a hacker to steal information or reformat the hard drives of compromised computers.

    And it looks bad.
     
     

    =KRoN=
    Balancer

    administrator
    ★★★★★

    Mishka>Microsoft warns of Java VM flaws

    I wonder, is that what the patch that just downloaded for me via auto-update is for? It was for "Microsoft VM".
     
     

    Mishka

    moderator
    ★★★
    --16 December 2002 MySQL Vulnerabilities
    A number of vulnerabilities have been found in the MySQL database
    system and client libraries. The flaws could allow attackers to
    cause denial of service, execute arbitrary code and bypass password
    checking. Versions up to 3.23.53a and 4.0.5a are affected; an updated
    version, 3.23.54, is not vulnerable to the flaws.
