Saturday, January 26. 2013
Barracuda Networks Confirms Exploitable Backdoors in its Appliances
/*
Oooooooooh, Barracuda!
*/
Barracuda Networks has released firmware updates that remove SSH backdoors in a number of their products and resolve a vulnerability in Barracuda SSL VPN that allows attackers to bypass access restrictions to download potentially insecure files, set new admin passwords, or even shut down the device.
The backdoor accounts are present in all available versions of Barracuda Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN appliances.
"Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-privileged account on the appliance from a small set of IP addresses. The vulnerabilities are the result of the default firewall configuration and default user accounts on the unit," Barracuda explained via a tech alert published on Wednesday.
/*
As usual, emphasis is my own. This appears to be entirely due to factory-default settings and lazy administrators who do not change/disable such defaults.
*/
Monday, May 17. 2010
GNU libnss_db Local Information Disclosure Vulnerability
/*
According to the "Discussion" tab:
*/
The GNU 'libnss_db' library is prone to a local information-disclosure vulnerability.
Local attackers can exploit this issue to read the first line of arbitrary local files. This may lead to further attacks.
libnss_db 2.2.3 is vulnerable; other versions may also be affected.
/*
I was not able to reproduce this on my machine as I did not already have the libnss-db package installed, and the package for my distro has already been fixed, so it does no good to install it.
The discussion shows this as an example:
$ sudo apt-get install libnss-db
$ sudo /etc/init.d/nscd stop      # in case nscd is installed
$ sudo ln -s /etc/shadow DB_CONFIG
$ sudo
line 1: root:*:14553:0:99999:7:::: incorrect name-value pair
Now if you already have sudo(8) privs to stop/start init.d services and use ln(1), I'm guessing there are probably easier ways of obtaining root. Every attack vector should be corrected, but this just seems like shooting fish in a barrel with sudo privs as such.
*/
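The mechanism behind that output is worth seeing on its own: the library opens a file named DB_CONFIG relative to the current directory of whatever process is calling it, and when a line does not parse it copies that line into the error text. Any set-uid program that touches NSS therefore becomes a read primitive for line 1 of any file the attacker can symlink to. The Python below is an added example, not libnss_db's or Berkeley DB's code and not the vendor's fix; it shows the leaky pattern next to a hardened loader that reads only from a fixed directory, refuses symlinks with O_NOFOLLOW, and reports a line number without the line. The "shadow" line and the DB_CONFIG symlink are constructed in a scratch directory.

```python
import os
import tempfile

CONFIG_NAME = "DB_CONFIG"
# Constructed stand-in for the first line of /etc/shadow; no real data.
SECRET_LINE = "root:*:14553:0:99999:7:::"


def parse_name_value(text, echo_offending_line):
    """Parse 'name value' lines into a dict.

    echo_offending_line=True reproduces the leaky behaviour: the raw line is
    copied into the exception text, so whoever sees the error sees the file.
    """
    settings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            if echo_offending_line:
                raise ValueError("line %d: %s: incorrect name-value pair" % (lineno, line))
            raise ValueError("line %d: incorrect name-value pair" % lineno)
        settings[parts[0]] = parts[1]
    return settings


def load_config_vulnerable(cwd):
    """The pattern behind the advisory: a relative open() of DB_CONFIG, so the
    unprivileged caller picks the file (cwd plus a symlink), and the parse
    error echoes the offending line. Inside a set-uid program that is a
    file-read primitive for line 1 of any file."""
    path = os.path.join(cwd, CONFIG_NAME)  # stands in for open("DB_CONFIG")
    try:
        with open(path) as f:
            return parse_name_value(f.read(), echo_offending_line=True)
    except FileNotFoundError:
        return {}


def load_config_hardened(config_dir):
    """Open only from a fixed, administrator-controlled directory, refuse
    symlinks and world-writable files, and never echo file content."""
    path = os.path.join(config_dir, CONFIG_NAME)
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except FileNotFoundError:
        return {}
    except OSError as exc:  # ELOOP: DB_CONFIG is a symlink
        raise ValueError("refusing %s: %s" % (CONFIG_NAME, exc.strerror))
    with os.fdopen(fd) as f:
        if os.fstat(f.fileno()).st_mode & 0o002:
            raise ValueError("refusing %s: world-writable" % CONFIG_NAME)
        return parse_name_value(f.read(), echo_offending_line=False)


def demo():
    """Rebuild the setup from the page in a scratch directory (a fake 'shadow'
    file plus DB_CONFIG -> shadow symlink) and return the error text each
    loader produces. An empty string means the loader raised nothing."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "shadow")
        with open(secret, "w") as f:
            f.write(SECRET_LINE + "\nuser:*:14553:0:99999:7:::\n")
        os.symlink(secret, os.path.join(d, CONFIG_NAME))
        for name, loader in (("vulnerable", load_config_vulnerable),
                             ("hardened", load_config_hardened)):
            try:
                loader(d)
                results[name] = ""
            except ValueError as exc:
                results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, msg in demo().items():
        print("%-10s %s" % (name, msg or "(no error)"))
```

The vulnerable loader prints the constructed shadow line inside its error; the hardened one refuses the symlink before reading a byte. The sudo lines in the transcript above are only needed to install the package and stop nscd; the leak itself needs nothing more than a set-uid binary that resolves a user name, which is why the fix belongs in the library, not in sudoers.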
Tuesday, December 8. 2009
ldd Arbitrary Code Execution
/*
This article explores a documented, though largely unknown, feature of the Linux dynamic linker. It also appears that BSD, Solaris, and HP-UX might also fall victim to this "trick."
I'm hesitant to call it a vulnerability since it's a documented feature, and requires some social engineering to succeed. It is, however, behavior that many experienced Unix admins may not be familiar with.
*/
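The "documented feature" is that glibc's ldd does not parse the file; it ends up executing it with LD_TRACE_LOADED_OBJECTS=1 set, so control goes to whatever program interpreter the binary's PT_INTERP header names. A binary linked with an attacker-supplied interpreter path therefore runs attacker code the moment an admin types ldd on it. The safe habit is to read the headers without executing anything (readelf -l / readelf -d do this), and the Python below, added here as an example rather than code from the linked article, does the same for ELF64 little-endian files: it extracts PT_INTERP and the DT_NEEDED list, and flags an interpreter that is not one of the system loaders. The trusted-loader list, the /tmp/evil/ld.so path and the library names are assumptions; build_sample_elf constructs a header-only image for the parser to chew on.

```python
import struct
import sys

# ELF constants (only those this example needs)
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10

# Loaders a stock toolchain emits. Assumed list for this example; a real
# deployment would generate it from the packages actually installed.
TRUSTED_INTERPS = {
    "/lib64/ld-linux-x86-64.so.2",
    "/lib/ld-linux.so.2",
    "/lib/ld-linux-aarch64.so.1",
    "/lib/ld-musl-x86_64.so.1",
}


def _vaddr_to_offset(loads, vaddr):
    """Translate a virtual address to a file offset via the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError("0x%x is not backed by any PT_LOAD segment" % vaddr)


def parse_elf(data):
    """Return {'interp': str or None, 'needed': [str]} for an ELF64 LE image.
    Only headers are read; unlike ldd, nothing from the file is executed."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles ELFCLASS64 little-endian only")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    loads, interp, dynamic = [], None, None
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_INTERP:  # NUL-terminated loader path
            interp = data[p_offset:p_offset + p_filesz].split(b"\0", 1)[0].decode()
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    needed = []
    if dynamic is not None:
        d_off, d_size = dynamic
        strtab = strsz = None
        name_offsets = []
        for off in range(d_off, d_off + d_size, 16):  # Elf64_Dyn is 16 bytes
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                name_offsets.append(d_val)
            elif d_tag == DT_STRTAB:
                strtab = d_val
            elif d_tag == DT_STRSZ:
                strsz = d_val
        if name_offsets:
            if strtab is None or strsz is None:
                raise ValueError("DT_NEEDED present without DT_STRTAB/DT_STRSZ")
            base = _vaddr_to_offset(loads, strtab)
            table = data[base:base + strsz]
            needed = [table[o:].split(b"\0", 1)[0].decode() for o in name_offsets]
    return {"interp": interp, "needed": needed}


def interp_is_trusted(info):
    """A static binary (no PT_INTERP) or a known system loader is acceptable;
    anything else is what ldd would execute, so do not run ldd on it."""
    return info["interp"] is None or info["interp"] in TRUSTED_INTERPS


def build_sample_elf(interp=b"/tmp/evil/ld.so", needed=(b"libc.so.6", b"libevil.so")):
    """Construct a header-only ELF64 image as parser test data (not runnable).
    The interpreter path and library names are made up for the example."""
    base, ph_off, phnum = 0x400000, 64, 3
    interp_blob = interp + b"\0"
    strtab_blob = b"\0" + b"".join(n + b"\0" for n in needed)
    interp_off = ph_off + phnum * 56
    strtab_off = interp_off + len(interp_blob)
    dyn_off = (strtab_off + len(strtab_blob) + 7) & ~7
    dyn, pos = b"", 1
    for n in needed:
        dyn += struct.pack("<qQ", DT_NEEDED, pos)
        pos += len(n) + 1
    dyn += struct.pack("<qQ", DT_STRTAB, base + strtab_off)
    dyn += struct.pack("<qQ", DT_STRSZ, len(strtab_blob))
    dyn += struct.pack("<qQ", DT_NULL, 0)
    total = dyn_off + len(dyn)

    def phdr(p_type, off, size, flags):
        return struct.pack("<IIQQQQQQ", p_type, flags, off, base + off, base + off, size, size, 8)

    img = bytearray(total)
    img[0:16] = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LE, v1
    img[16:64] = struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, base, ph_off, 0, 0, 64, 56, phnum, 0, 0, 0)
    img[ph_off:interp_off] = (phdr(PT_LOAD, 0, total, 5) + phdr(PT_INTERP, interp_off, len(interp_blob), 4)
                              + phdr(PT_DYNAMIC, dyn_off, len(dyn), 6))
    img[interp_off:strtab_off] = interp_blob
    img[strtab_off:strtab_off + len(strtab_blob)] = strtab_blob
    img[dyn_off:total] = dyn
    return bytes(img)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    info = parse_elf(data)
    print("PT_INTERP:", info["interp"], "(trusted)" if interp_is_trusted(info) else "(UNTRUSTED: do not run ldd)")
    for lib in info["needed"]:
        print("NEEDED:", lib)
```

Run it with a path argument to inspect a real file. It answers the question ldd answers (which libraries, which loader) without giving the file a chance to run; the interpreter check is the one to apply before any tool that executes the binary, ldd included.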
Wednesday, July 16. 2008
Open Security Foundation To Maintain Attrition.org's Data Loss Database - Open Source
The Open Security Foundation (OSF) is pleased to announce that the DataLossDB (also known as the Data Loss Database - Open Source (DLDOS) currently run by Attrition.org) will be formally maintained as an ongoing project under the OSF umbrella organization as of July 15, 2008.
Attrition.org's Data Loss project, which was originally conceptualized in 2001 and has been maintained since July 2005, introduced DLDOS to the public in September of 2006. The project's core mission is to track the loss or theft of personally identifying information not just from the United States, but across the world. As of June 4, 2008, DataLossDB contains information on over 1,000 breaches of personal identifying information covering over 330 million records.
DataLossDB has become a recognized leader in the categorization of dataloss incidents over the past several years. In an effort to build off the current success and further enhance the project, the new relationship with OSF provides opportunities for growth, an improved data set, and expanded community involvement. "We've worked hard to research, gather, and make this data open to the public," says Kelly Todd, one of the project leaders for DataLossDB. "Hopefully, the migration to OSF will lead to more community participation, public awareness, and consumer advocacy by providing an open forum for submitting information."
The Open Security Foundation's DataLossDB will be free for download and use in non-profit work and research. The new website launch ( http://www.datalossdb.org/) builds off of the current data set and provides an extensive list of new features. DataLossDB has attained rapid success due to a core group of volunteers who have populated and maintained the database. However, the new system will provide an open framework that allows the community to get involved and enhance the project. "For a data set as dynamic as this, it made sense to build it into a more user-driven format.", states David Shettler, the lead developer for the Open Security Foundation. "With the release of this new site, the project can now be fed by anyone, from data loss victims to researchers".
/*
This site is actually pretty neat. Not only does it have a searchable index, it also provides quick links to things like the latest incidents, largest incidents, most discussed incidents; and even breaks it down by type of loss ( credit card numbers, social security numbers, and even medical records!).
This site manages to index so much information in so many useful ways, it's certainly worth supporting!
*/
Tuesday, October 30. 2007
Germany Seeks Expansion of Computer Spying
The laptop of one of the suspects in last year's bungled bombings contained plans, sketches and maps -- a virtual road map to an attack that could have killed dozens.
What if law enforcement agents had been able to secretly scan the contents of the computer before the attempted attack was carried out?
To the unease of many in a country with a history of government spying through the era of the Gestapo and communist rule in East Germany, law enforcement authorities are using the suitcase bomb case to argue for measures that would significantly expand their ability to spy on the once-private realm of My Documents.
/*
Makes me glad I don't run that OS with "My Documents". At least in Germany, the government is openly acknowledging their spying; that's more than we get here in the States.
*/
And in today's high-tech world, the proposed measure causes a chill to those who see hard drives as the new window to the soul.
"Back in the '80s when people were fighting the census, it was because they feared the state could find out that they were not honest toward the tax authorities or something like that," said Sven Lueders, head of the Humanist Union of Berlin, which helped organize a recent protest against the so-called Bundestrojaner, or federal Trojans. "Now what people fear is that the state can actually look into your computer. Because almost everybody has something on his computer that he doesn't want somebody else to see."
Sunday, May 20. 2007
Microsoft Excel Remote Code Execution Vulnerabilities
Microsoft Excel Filter Records Remote Code Execution Vulnerability
/*
No exploit as of yet...
*/
Microsoft Excel BIFF Record Remote Code Execution Vulnerability
/*
No sploit for this one, either. With all the fuzzers out there, and knowing what part of the process the vulnerability deals with, I'm sure it won't be long before there are exploits in the wild.
*/
Microsoft Excel Set Font Remote Code Execution Vulnerability
/*
Same type of vulnerability, and no exploit.
*/
Monday, May 7. 2007
Suhosin - Hardened PHP
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against buffer overflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.
/*
This looks like a pretty nice way of securing PHP-based app servers. The FAQ details some things that might just surprise you if you think your PHP installation is secure.
This comes following the Month of PHP Bugs.
*/
Monday, April 16. 2007
Microsoft’s Advisories Giving Clues to Hackers
The latest zero-day flaw in the Windows DNS Server RPC interface implementation is a perfect example of the tug-o-war within the MSRC (Microsoft Security Response Center) about how much information should be included in the pre-patch advisory.
Using clues in the workarounds section of the advisory, Errata Security researcher David Maynor said he was able to pinpoint the source of the vulnerability without much trouble.
...
In the wake of Maynor's comments above, I asked the MSRC if there's a legitimate gripe about the level of detail included in its advisories and was told that it's a "delicate balancing act" to avoid giving too many clues while ensuring customers have adequate pre-patch protections.
/*
It really must be a delicate balance. Usually within 24 hours of a patch being posted, the fix has been reverse-engineered and there is at least one underground exploit floating around for it. How many admins do you know that patch all of their servers within 24 hours of a show-stopper like this? Not many.
This does bring up an interesting point, though. How much can you give customers to protect themselves without giving the blackhats enough to start circulating exploits?
*/
Saturday, April 14. 2007
Microsoft Windows Domain Name Server Service Remote Procedure Call Interface Vulnerability
"Microsoft Windows Domain Name System (DNS) Server Service is prone to a stack-based buffer-overflow vulnerability in its Remote Procedure Call (RPC) interface.
A remote attacker may exploit this issue to run arbitrary code in the context of the DNS Server Service. The DNS service runs in the 'SYSTEM' context.
Successfully exploiting this issue allows attackers to execute arbitrary code, facilitating the remote compromise of affected computers."
/*
Yet another brand new vulnerability in a Microsoft service; this one yielding SYSTEM privileges. While SecurityFocus doesn't have a proof-of-concept exploit, they do have a module for Metasploit that will aid in the creation of working exploits.
*/
Saturday, April 14. 2007
Microsoft Windows Help File Unspecified Heap Overflow Vulnerability
"This vulnerability presents itself when the application handles a specially crafted Windows Help ('.hlp') file.
A successful attack may facilitate arbitrary code execution in the context of a vulnerable user who opens a malicious file. Failed exploit attempts will likely result in denial-of-service conditions."
/*
It looks like there's a proof-of-concept in the wild for this one, too. This is a specially crafted .hlp file. I advise against trying to open it until you know what it does.
*/
Saturday, April 14. 2007
Microsoft Word 2007 WWLib.DLL Buffer Overflow Vulnerability
"Microsoft Word is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.
An attacker can exploit this issue by enticing a victim to open a malicious Word file.
Successful exploits may allow an attacker to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions."
/*
Yet another vulnerability in Microsoft Office, this time using Microsoft Word as the attack vector. Apparently there's already a proof-of-concept exploit. Didn't cause my OpenOffice 2.0 to crash, though. With that being said, I still wouldn't attempt to open this document with a Microsoft application as I am not sure what the PoC might be capable of doing.
*/
Thursday, August 10. 2006
Homeland Security: Apply MS06-040 Patch
Less than 24 hours after Microsoft shipped a dozen bulletins with security fixes for 23 serious software vulnerabilities, the U.S. government's Department of Homeland Security issued a firm notice to Windows users: immediately apply the patches in the MS06-040 bulletin.
In a somewhat unusual move, the DHS warned that the patches cover a remote code execution vulnerability that could be used in a network worm attack similar to Blaster, Slammer or Sasser.
"Windows users are encouraged to avoid delay in applying this security patch. Attempts to exploit vulnerabilities in operating systems routinely occur within 24 hours of the release of a security patch," the agency said in a public advisory.
/*
Why is it the same thing over and over again? If you're running Windows, you absolutely must enable automatic updates. There are just far too many patches to try to keep track of them manually.
What puzzles me is what interest the DHS has in protecting the end-user PCs of millions of average people. Sure, an advisory to all DHS and government employees would be routine, but a public advisory? They need to find better ways of spending their time. If they decide to start "reminding" everyone to update their Windows machines every time a new vulnerability is found, they'll not have the resources left to track the turrrists.
*/
Sunday, July 16. 2006
Linux Kernel PROC Filesystem Local Privilege Escalation Vulnerability
/*
Requirements:
Kernel version <= 2.6.17.4
/proc must be mounted suid. On my Fedora Core 6-test1 (x86_64) it is not mounted suid.
public PoC requires kernel configuration option CONFIG_BINFMT_AOUT, vulnerability can be exploited without this option, although
This exploit appears to take advantage of a race-condition within the Linux kernel.
This comes just days after the prctl(2) vulnerability.
*/
Sunday, July 16. 2006
Unpatched Powerpoint Flaw Exploited
Online criminals are taking advantage of an unpatched security hole in Microsoft's Office products again. Security experts say they've spotted a flaw in the Powerpoint slide-presentation program being exploited in the wild.
/*
This has really been a bad month or so for Microsoft. First Word, then Excel, now PowerPoint? It just goes to show that you shouldn't open attachments from non-trusted sources. I recommend GnuPG for verifying authenticity.
The author of this article apparently doesn't know much about Microsoft's security track-record. It leads you to the conclusion that due to "some of the work Microsoft has done in hardening the security of the Windows operating system" vulnerability researchers have been forced to "look for lower-hanging fruit in applications that run on top of Windows." Searching for bugs in Microsoft software has always been like shooting fish in a barrel. Nothing has changed, just a few researchers shooting into a different barrel lately.
*/
0-day Exploit for Microsoft PowerPoint
Three (!!!) PoCs for this vulnerability(ies) have just been publicly posted.
From what we can tell at the moment, they all just crash PowerPoint, but they show where the vulnerabilities are, so a full exploit can be written.
This is a first step to remote exploitation so we can unfortunately expect to see some malware using this very soon (and we thought it would be another quiet weekend).
Again, stress to users how important it is to be very careful when opening PowerPoint files (and if possible, don't open them at all until the patch is out). Otherwise you'll have to rely on your desktop anti-virus product to catch the dropped component, and we all know how (un)reliable this can be.
/*
This is an update from the Internet Storm Center's handler's diary. They also link to a FAQ. Thanks to PacketStormSecurity for linking to PoC's 1, 2, and 3.
*/
Wednesday, July 5. 2006
/*
It looks like there were several Linux kernel-level vulnerabilities released yesterday and today.
Let's take a look...
*/
Linux Kernel PTraced Child Auto-Reap Local Denial of Service
/*
According to the discussion, it looks like this boils down to a simple NULL pointer dereference. Kernels < 2.6.15 are vulnerable.
*/
Linux Kernel ATM Module Inconsistent Reference Counts Denial of Service
/*
Since this only affects users using the ATM code, it appears to be fairly limited. Kernels < 2.6.14 are vulnerable.
*/
Linux Kernel IP6_Input_Finish Remote Denial Of Service
/*
This one can cause the kernel to leak memory, eventually leading to a panic. Affected kernels are 2.6 kernels <= 2.6.12.5.
*/
Linux Kernel Sysctl_String Local Buffer Overflow
/*
An off-by-one buffer-overflow with potential to execute arbitrary code in the context of the local kernel (ring0). Affected kernels are 2.6 kernels < 2.6.15.
*/
Linux Kernel IP_ROUTE_INPUT Local Denial of Service
/*
Local denial of service due to bug in the 'ip_route_input()' function. Kernels affected are 2.6 kernels < 2.6.16.8.
*/
Linux Kernel SG Driver Direct IO Local Denial of Service
/*
A design error in the sg driver leads to an ability to cause a kernel panic. Kernel versions < 2.6.13 are affected.
*/
Linux Kernel SDLA IOCTL Unauthorized Local Firmware Access:
This issue allows local users with the 'CAP_NET_ADMIN' capability, but without the 'CAP_SYS_RAWIO' capability, to read and write to the SDLA device firmware. This may cause a denial-of-service issue if attackers write an invalid firmware. Other attacks may also be possible by writing modified firmware files.
/*
It would appear that all kernel versions previous to 2.6.11 are vulnerable, although this is not stated in the article.
*/
Linux Kernel NFS Client Denial of Service
/*
Kernels < 2.6.15.5 are susceptible to non-privileged users being able to cause the kernel to panic via userland NFS utilities.
*/
Linux Kernel Choose_New_Parent Local Denial of Service
/*
Allows local users to cause kernel panic on kernels < 2.6.11.12.
*/
Linux Kernel SNMP NAT Helper Remote Denial of Service
/*
A bug in the SNMP NAT helper functionality, part of netfilter, can lead to memory corruption and a denial of service. Affected versions are < 2.6.16.18.
*/
Linux Kernel Shared Memory Security Restriction Bypass
/*
Potential to gain read/write access to shared memory, and write access to tmpfs mounted directories. It doesn't take a lot of imagination to come up with a handful of scenarios where you could turn write access to shared memory into a rootshell. Kernel versions < 2.6.16.7 are vulnerable.
*/
Linux Kernel IP ID Information Disclosure Weakness
/*
This is nothing new. The weakness is a predictable, globally incrementing IP ID counter (it is the IP header's identification field, not the TCP initial sequence number), and that counter is exactly what nmap's "Idle Scan" depends on: the zombie's IP ID reveals whether it sent an extra packet in reaction to the target. Typically you'll want to use a low-load Windows computer as your zombie, but Linux is also vulnerable. 2.6 versions prior to 2.6.16.1 are vulnerable. Some 2.4 kernels are also vulnerable, but the article does not disclose which ones.
*/
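To make the idle-scan dependence concrete, here is an added Python example (mine, not nmap's code and not from the advisory) that does two things an idle scanner must do: decide from a few observed IP IDs whether a host is usable as a zombie at all (global incrementing counter, byte-swapped incrementing counter, all zeros, or random), and then read the verdict for one target port from the counter change across a spoofed SYN. The exchange is simulated in-process with a modelled zombie; no packets are sent, and the max_step threshold is this example's own choice rather than a documented nmap value.

```python
IPID_MODULUS = 1 << 16  # the IP ID field is 16 bits, so the counter wraps


def _deltas(samples):
    return [(b - a) % IPID_MODULUS for a, b in zip(samples, samples[1:])]


def _swap16(v):
    return ((v & 0xFF) << 8) | (v >> 8)


def classify_ipid_sequence(samples, max_step=5):
    """Classify IP IDs seen in consecutive replies from a candidate zombie.

    'incremental'    usable: one global counter stepping by a small amount
    'incremental-le' usable after byte-swapping: the stack increments a
                     little-endian counter but puts it on the wire unswapped
    'zeros'          unusable: the host always sends IP ID 0
    'random'         unusable: no predictable counter
    max_step is an assumed threshold for this example.
    """
    if len(samples) < 3:
        raise ValueError("need at least three samples")
    if all(s == 0 for s in samples):
        return "zeros"
    if all(1 <= d <= max_step for d in _deltas(samples)):
        return "incremental"
    if all(1 <= d <= max_step for d in _deltas([_swap16(s) for s in samples])):
        return "incremental-le"
    return "random"


def idle_scan_verdict(ipid_before, ipid_after, probes=1):
    """Interpret the zombie's counter change across `probes` spoofed SYNs to
    one target port. Only packets the zombie itself sends consume IP IDs: our
    follow-up probe always costs one; a SYN/ACK from an open port makes the
    zombie answer with a RST, costing one more per probe."""
    delta = (ipid_after - ipid_before) % IPID_MODULUS
    if delta == probes:
        return "closed|filtered"
    if delta == 2 * probes:
        return "open"
    return "inconclusive"  # zombie is talking to someone else; pick another


def simulate_idle_scan(target_port_open, zombie_ipid=1000, noise_packets=0):
    """Walk the exchange against a modelled zombie with an incrementing IP ID.
    Everything is simulated in-process. noise_packets models traffic the
    zombie sends on its own during the probe window (a zombie that is not
    idle). Returns (ipid_before, ipid_after, verdict)."""
    state = {"ipid": zombie_ipid}

    def zombie_emits():  # each datagram the zombie sends uses one IP ID
        state["ipid"] += 1
        return state["ipid"]

    # 1. attacker -> zombie: unsolicited SYN/ACK; zombie -> attacker: RST (IP ID noted)
    before = zombie_emits()
    # 2. attacker -> target: SYN with the source address forged as the zombie
    if target_port_open:
        zombie_emits()  # target -> zombie: SYN/ACK; zombie -> target: RST
    # else: target -> zombie: RST (or nothing if filtered); the zombie stays silent
    for _ in range(noise_packets):
        zombie_emits()
    # 3. attacker -> zombie: SYN/ACK again; zombie -> attacker: RST (IP ID noted)
    after = zombie_emits()
    return before, after, idle_scan_verdict(before, after)


if __name__ == "__main__":
    print("zombie check:", classify_ipid_sequence([1000, 1001, 1002, 1003]))
    for state in (True, False):
        print("port open=%s ->" % state, simulate_idle_scan(state))
```

The noise_packets knob is the caveat a practitioner cares about: a zombie that sends one unrelated packet during the window turns a closed port into a false "open", which is why a zombie must be verified idle and why real scanners repeat the probe and look for consistent increments rather than trusting a single delta.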
Linux Kernel Multiple SCTP Remote Denial of Service
/*
It appears that some fairly specific circumstances need to be met for this to be valid, but results in a kernel panic. Kernels < 2.6.16 are vulnerable.
*/
Linux Kernel LSM ReadV/WriteV Security Restriction Bypass
/*
This vulnerability requires very specific and direct timing. It requires that you already have a file opened for read or write before the LSM change is made revoking that access. Upon calling open(2), the LSM configuration is properly enforced, thus the requirement of the file already being opened by the process. Kernels < 2.6.16.12 are vulnerable.
*/