Vulnerability Analysis
Thomas Kristensen, CTO, Secunia

Yet again we have seen mechanisms put in place to help the user abused by a hacker to compromise a system.
Microsoft

This vulnerability arises in the way Microsoft Internet Explorer handles the so-called "Friendly Error Pages". The Israel-based company GreyMagic discovered a method to inject scripts into the Local Security Zone using a "Friendly Error Page". The problem stems from the fact that Microsoft failed to take into account the attack technique called Cross Site Scripting. It is possible for an intruder to craft a request which loads the "Friendly Error Page" with malicious script code that is activated when the user clicks on a link — just as Microsoft's "Friendly Error Page" encourages the user to do. The problem with script code in the Local Security Zone is that it is executed with the same privileges as any other program the user has launched.
http://secunia.com/advisories/9056/
Adobe Acrobat

Our faith in "secure" documents has also been challenged during the last month. A vulnerability was identified in Adobe Acrobat Reader and Xpdf allowing a malicious PDF document to execute arbitrary commands when a user clicks a link which spawns an external application; such a link could be an email address or a link to a Web page. The problem is that Adobe Acrobat Reader and Xpdf fail to recognise and neutralise certain shell metacharacters in the link. These metacharacters can be used to spawn applications other than the email program or browser which was intended. So far this vulnerability has only been confirmed to work on Unix platforms.
http://secunia.com/advisories/9037/
The Xpdf and Adobe Acrobat Reader vulnerability also tells another story. Normally, when a security researcher finds a vulnerability, he discloses this information to the vendor, CERT or a similar body. This was also the case with these vulnerabilities. However, a blackhat known as Hack4Life managed to get hold of this advisory from some unknown source. Once he had obtained the information, he rapidly released it to the Full-Disclosure list before the vendor and CERT had managed to get a patch or an updated version ready. This is rather interesting and proves the need to keep track of vulnerabilities from a myriad of sources, to ensure that you get the information relevant to your systems just as fast as the underground does.
Linux

Last month we examined a vulnerability which could cause a denial-of-service in the Linux Kernel due to hash table collisions. Since that vulnerability was initially discovered, further research has been carried out. The flaw is rooted in the fact that programmers need to find ways to optimise and increase speed in various applications. One brilliant way to do this is to create hash tables, where entries are stored in a "compressed" format (indexed by a short hash value), allowing faster lookups. This does, however, cause a problem, because it limits the number of unique hash values, so distinct entries must share buckets. Thus, if someone is able to make multiple requests which all produce the same hashed value when inserted into the table, it causes collisions which have to be handled in a more complex way. This requires relatively large amounts of CPU power compared to normal operations. There is a simple solution to this, but most programmers did not know about this problem until recently, which makes it very likely that many other programs are vulnerable too. This includes the handling of fragmented TCP packets in the Linux Kernel, which caused Linux distributors to issue another upgrade of the kernel.
http://secunia.com/advisories/8936/
http://secunia.com/advisories/8786/

The solution is to use a randomly generated key when calculating the hashes. This makes it difficult for intruders to predict or guess the values that cause the collisions. Furthermore, this random value could be changed at certain time intervals.
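As an added illustration, not code from the column or from the Linux kernel, the C program below models the attack and the fix described above: a chained hash table receives attacker-chosen ids that all collide under a predictable hash, and the comparisons spent walking the chain are counted; the same ids are then hashed with a secret key. The table size, the ids and the keyed hash (a simple universal family h_a(x) = ((a * x) mod p) mod m, chosen here for the demonstration rather than the kernel's own function) are all constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#define NBUCKETS 256    /* constructed: a small table, like a fragment reassembly hash */
#define PRIME    65537u /* 2^16 + 1, larger than any 16-bit IP id; modulus of the hash family */

struct node  { uint32_t id; struct node *next; };
struct table { struct node *bucket[NBUCKETS]; uint32_t key; unsigned long compares; };

/* Unkeyed hash: fully predictable, so an attacker can send only ids equal mod NBUCKETS. */
static unsigned hash_unkeyed(uint32_t id, uint32_t key) { (void)key; return id % NBUCKETS; }

/* Keyed hash h_a(x) = ((a * x) mod p) mod m with secret a in [1, p-1]; without a, the attacker
 * cannot pick ids that collide better than chance. */
static unsigned hash_keyed(uint32_t id, uint32_t key) {
    return (unsigned)(((uint64_t)key * id) % PRIME) % NBUCKETS;
}

/* Insert an id, walking the chain to reject duplicates; every comparison is CPU work the
 * attacker forces on the host, which is what the collision attack inflates. */
static void table_insert(struct table *t, unsigned (*h)(uint32_t, uint32_t), uint32_t id) {
    unsigned b = h(id, t->key);
    for (struct node *n = t->bucket[b]; n; n = n->next) {
        t->compares++;
        if (n->id == id) return;
    }
    struct node *n = malloc(sizeof *n);
    n->id = id; n->next = t->bucket[b]; t->bucket[b] = n;
}

static void table_free(struct table *t) {
    for (unsigned b = 0; b < NBUCKETS; b++)
        while (t->bucket[b]) { struct node *n = t->bucket[b]; t->bucket[b] = n->next; free(n); }
}

/* Feed n attacker-chosen ids (all multiples of NBUCKETS) and return the comparisons spent. */
unsigned long attack_cost(unsigned (*h)(uint32_t, uint32_t), uint32_t key, unsigned n) {
    struct table t; memset(&t, 0, sizeof t); t.key = key;
    for (unsigned i = 0; i < n; i++) table_insert(&t, h, i * NBUCKETS);
    unsigned long c = t.compares;
    table_free(&t);
    return c;
}

int main(void) {
    uint32_t key = (uint32_t)(rand() % (PRIME - 1)) + 1; /* a kernel would draw this from its CSPRNG and rotate it */
    printf("unkeyed: %lu comparisons\n", attack_cost(hash_unkeyed, 0, 64)); /* 0+1+...+63 = 2016 */
    printf("keyed:   %lu comparisons\n", attack_cost(hash_keyed, key, 64));
    return 0;
}
```

With the predictable hash, 64 colliding ids cost 2016 comparisons, quadratic in the number of fragments; with a key the attacker does not know, the same ids spread across buckets, and rotating the key as the column suggests limits how long a lucky guess stays useful.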
Others

In May we also saw vulnerabilities in Apache 2.0, Internet Information Services and Windows Media Services. The Apache vulnerabilities could be exploited to cause a denial-of-service and potentially allow a system compromise; the vulnerability was identified in a module called "mod_dav". At the same time we saw two advisories from Microsoft. At first Microsoft claimed that the "worst" of the flaws could only be exploited to cause a denial-of-service, while the other vulnerabilities could be used to conduct Cross Site Scripting or by local users to escalate their privileges. Microsoft's conclusions on the denial-of-service in Windows Media Services, however, were wrong. Multiple independent security researchers provided evidence which proved that the flaw could indeed be exploited to compromise a vulnerable system.
http://secunia.com/advisories/8881/
http://secunia.com/advisories/8883/
http://secunia.com/advisories/8884/