Subject: eSecurityOnline Security Advisory 2408 - CIDER SHADOW CGI - msg#00408
List: security.bugtraq
eSO Security Advisory: 2408
Discovery Date: April 3, 2000
ID: eSO:2408
Title: CIDER SHADOW CGI arbitrary command execution vulnerabilities
Impact: Remote attackers can execute commands with the privileges of the running web server process
Affected Technology: CIDER SHADOW 1.5, 1.6
Vendor Status: Vendor informed
Discovered By: Kevin Kotas of the eSecurityOnline Research and Development Team
CVE Reference: CAN-2002-0091
Advisory Location:
http://www.eSecurityOnline.com/advisories/eSO2408.asp
Description:
The CIDER Project's SHADOW intrusion detection utility is vulnerable to
CGI implementation flaws that allow a remote attacker to run arbitrary
commands on the analyzer host. The problem is insufficient validation of
the characters in variables submitted to the CGI scripts. For multiple
CGI scripts, an attacker can send a specially crafted URL and execute
commands with the privileges of the web server process.
Technical Recommendation:
By design, the analyzer web interface should only be reachable through
an internal network and with password authentication. Since the
possibility remains that an attacker can reach the analyzer, disable
network access to the web interface and only view the web pages
locally.
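As an added illustration (not code from the advisory or from the SHADOW project), the flaw class described above and its mitigation in Python: the parameter names, their patterns and the log directory are assumptions, since the advisory names no specific scripts or variables.

```python
import re
import subprocess

# Hypothetical parameter names and allowlist patterns for an analyzer CGI
# page (constructed for illustration; the advisory names none).
PARAM_PATTERNS = {
    "date": re.compile(r"[0-9]{8}"),             # e.g. 20000403
    "site": re.compile(r"[A-Za-z0-9_-]{1,32}"),  # sensor/site label
}
LOG_DIR = "/var/log/shadow"  # constructed path, not from the advisory


def unsafe_shell_line(params):
    """The pattern the advisory describes: query-string values are pasted
    into a shell command line with no character checks, so a value such
    as '20000403;id' turns one command into two."""
    return "grep %s %s/%s.txt" % (params["site"], LOG_DIR, params["date"])


def validate(params):
    """Allowlist validation: each expected parameter must match its
    pattern in full (fullmatch anchors both ends, so a trailing newline
    or any shell metacharacter is rejected)."""
    clean = {}
    for name, pattern in PARAM_PATTERNS.items():
        value = params.get(name, "")
        if not pattern.fullmatch(value):
            raise ValueError("rejected value for %s" % name)
        clean[name] = value
    return clean


def safe_argv(params):
    """Second layer: run the tool as an argv list so no shell ever parses
    user data, even after validation."""
    clean = validate(params)
    return ["grep", clean["site"], "%s/%s.txt" % (LOG_DIR, clean["date"])]


def run_query(params):
    # shell=False is the subprocess default; the argv list is passed as-is.
    return subprocess.run(safe_argv(params), capture_output=True, text=True).stdout


def is_injection_attempt(params):
    """Detection hook: True when validation rejects the request, so a CGI
    wrapper or proxy can log the attempt instead of executing anything."""
    try:
        validate(params)
        return False
    except ValueError:
        return True
```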
Copyright 2002 eSecurityOnline LLC. All rights reserved.
THE INFORMATION IN THIS VULNERABILITY ALERT IS PROVIDED BY
ESECURITYONLINE LLC "AS IS", "WHERE IS", WITH NO WARRANTY OF ANY KIND,
AND ESECURITYONLINE LLC HEREBY DISCLAIMS THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. ESECURITYONLINE LLC SHALL HAVE NO LIABILITY FOR ANY DAMAGE,
CLAIM OR LOSS RESULTING FROM YOUR USE OF THE INFORMATION CONTAINED IN
THIS VULNERABILITY ALERT.
Thread at a glance:
Previous Message by Date:
Re: CORE-20020409: Multiple vulnerabilities in stack smashing protection technologies
On Tue, 23 Apr 2002, Iván Arce wrote:
> 1) Control of function's arguments
>
> In [8] and [9] a method to exploit stack based buffer overflows on stack
> protected programs is presented. In the example, a local pointer is used
> to write to arbitrary memory locations within the program's memory space.
> This technique can be extended to exploit the fact that in standard C
> compiled programs, function arguments are located in the stack at "higher"
> addresses than the return address:
>
The above technique (extended) WAS described in [8]
(http://www.phrack.org/show.php?p=56&a=5):
"In this example we have our pointer (dst) on the stack beyond the canary
and RET value, so we cannot change it without killing the canary and
without being caught...
Or can we?
Both StackGuard and StackShield check whether RET was altered before the
function returns to its caller (this done at the very end of function).
In most cases we have enough time here to do something to take control of
a vulnerable program.
We can do it by overwriting the GOT entry of the next library function
called.
We don't have to worry about the order of local variables and since we
don't care if canary is alive or not, we can play!"
> 2) Returning with an altered frame pointer
It WAS described in [8] also:
"StackShield protection can be bypassed by overwriting the saved %ebp
which is not protected. One way of exploiting it (under the worst
conditions) was described in >>The Frame Pointer Overwrite<< by klog in
Phrack 55 [4]."
"[4] klog. The Frame Pointer Overwrite
http://www.phrack.com/search.phtml?view&article=p55-8"
> 4) Pointing the caller's frame to the Global Offset Table (GOT)
VERY interesting approach! :)
All I wanted to say is that most of the above was described (clearly? ;) in
the fall of 1999 and published in May 2000.
Anyway: THX for credits.
--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners
Next Message by Date:
eSecurityOnline Security Advisory 2397 - Sun Solaris admintool -d and PRODVERS buffer overflow vulnerabilities
eSO Security Advisory: 2397
Discovery Date: March 28, 2000
ID: eSO:2397
Title: Sun Solaris admintool -d and PRODVERS buffer overflow vulnerabilities
Impact: Local attackers can gain root privileges
Affected Technology: Solaris 2.5, 2.5.1, 2.6, 7, 8 SPARC and x86
Vendor Status: Patches are available
Discovered By: Kevin Kotas of the eSecurityOnline Research and Development Team
CVE Reference: CAN-2002-0089
Advisory Location:
http://www.eSecurityOnline.com/advisories/eSO2397.asp
Description:
The Sun Solaris admintool utility is vulnerable to multiple buffer
overflow conditions that allow a local attacker to gain root access.
The problems are due to insufficient bounds checking on command line
options and on a configuration file variable. An attacker can use a
carefully constructed string with the -d command line option or with
the PRODVERS .cdtoc file variable to gain root privileges.
The first buffer overflow is related to command line execution of
admintool with the -d switch, when a long string is used with
"/Solaris" present.
The second buffer overflow occurs due to a lack of bounds checking
for the PRODVERS argument in the .cdtoc file. The .cdtoc file is used
to specify variables for installation media. Through the
software/edit/add feature, a local directory can be specified that
contains a .cdtoc file. The file can contain a string of data for
the PRODVERS variable that will cause the program to crash or execute
code when processed.
Technical Recommendation:
Apply the following patches.
Solaris 2.5:        103247-16
Solaris 2.5_x86:    103245-16
Solaris 2.5.1:      103558-16
Solaris 2.5.1_x86:  103559-16
Solaris 2.6:        105800-07
Solaris 2.6_x86:    105801-07
Solaris 7:          108721-02
Solaris 7_x86:      108722-02
Solaris 8:          10453-01
Solaris 8_x86:      110454-01
As a workaround solution, remove the setuid permissions with the following:
chmod -s /usr/bin/admintool
Vendor site:
http://sunsolve.sun.com
Acknowledgements:
eSecurityOnline would like to thank Sun Microsystems and the Sun security
team for their cooperation in resolving the issue.
Copyright 2002 eSecurityOnline LLC. All rights reserved.
THE INFORMATION IN THIS VULNERABILITY ALERT IS PROVIDED BY
ESECURITYONLINE LLC "AS IS", "WHERE IS", WITH NO WARRANTY OF ANY KIND,
AND ESECURITYONLINE LLC HEREBY DISCLAIMS THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. ESECURITYONLINE LLC SHALL HAVE NO LIABILITY FOR ANY DAMAGE,
CLAIM OR LOSS RESULTING FROM YOUR USE OF THE INFORMATION CONTAINED IN
THIS VULNERABILITY ALERT.
Previous Message by Thread:
ITCP Advisory 13: Bypassing of ATGuard Firewall possible
------------------------------------------------------------
itcp advisory 13 advisories@xxxxxxxxxxxxxxxxx
http://www.it-checkpoint.net/advisory/12.html
April 29th, 2002
------------------------------------------------------------
ITCP Advisory 13: Bypassing of ATGuard Firewall possible
-------------------------
Affected programs: ATGuard Personal Firewall (at least version 3.2, probably others)
URL: Not existent any more; the software is still widespread
Vendor: The ATGuard technology was bought by Norton and included in its Norton Personal Firewall
Vulnerability-Class: Bypassing of a personal firewall (desktop firewall)
OS specific: Windows
Problem-Type: local and remote
SUMMARY
ATGuard is a very good personal desktop firewall, which comes with a wide
range of possibilities:
- Firewall functions
- Webfilter functions
- Privacy protection functions
It is also possible to allow specific connections bound to applications (for
example, you can allow all connections to port 80 on any host for Internet
Explorer).
Further, it is possible to protect the firewall configuration (and start &
stop of it) with a password. This could be a great possibility to control
the activities of children and youths on the internet.
DETAILS
As mentioned before, it is possible to allow specific applications specific
connections. For example, most users use Internet Explorer to browse the
internet. It is a logical assumption that people using Internet Explorer to
browse the WWW allow outbound connections to all hosts at least to the
destination port 80.
Sadly, ATGuard doesn't save the file paths / doesn't use checksums (which
would be much better) to determine whether the executed program is really
the one that is allowed to connect to all hosts on port 80.
It just uses the filename (in this case "IEXPLORE.EXE").
IMPACT
ATGuard can be fooled into thinking that a disallowed program is allowed to
connect to the internet. Trojan horses which use outbound connections, or
HTTP tunneling software used to tunnel unwanted connections (like ICQ), are
not blocked.
EXPLOIT
There are many different possibilities to exploit this. This is a sample of
how to get ICQ working on a computer on which only Internet Explorer is
allowed to connect to port 80. All other outbound connections are blocked by
ATGuard.
Download the HTTP-Tunnel client from www.HTTP-Tunnel.com. Install it on your
computer. When you try to configure it, it will tell you that it can't find
the HTTP-Tunnel server.
Now just rename / copy the file "HTTP-Tunnel Client.exe" to "IEXPLORE.EXE".
Fire it up again using the IEXPLORE.EXE filename. After a short time it
should tell you that it is working correctly.
As said before, it is possible to use trojan horses to fool badly configured
firewalls, etc...
SOLUTION
There doesn't exist a solution, since ATGuard is not developed anymore. We
were not able to test the Norton Personal Firewall for this problem, since
none of us owns it. We are contacting Norton directly with this advisory.
ADDITIONAL INFORMATION
Vendor has not been contacted (since he doesn't exist anymore).
Since there exist more personal firewalls like ATGuard, we will have a look
at the free ones and try the same.
Bugs discovered and published by Florian "BlueScreen" Hobelsberger
(BlueScreen@xxxxxxxxxxxxxxxxx) from www.IT-Checkpoint.net
-----------------------
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.