Saturday, December 24, 2011

Vulnerable Weekends #5

Introduction:
Report #5A analyzes the MIT Kerberos Telnet remote, privileged code execution vulnerability. This vulnerability has been identified within the MIT Kerberos based Telnet installations that are provided with FreeBSD, GNU inetutils, etc.

Report #5B analyzes the VLC TiVo file parser arbitrary code execution vulnerability.

Vulnerability Report #5A: MIT krb5-appl Telnet Client and Server encrypt_keyid() Remote Code Execution Vulnerability

Vulnerable Product: Installations of MIT krb5-appl derived telnet utilities prior to krb5-1.8

CVE ID: CVE-2011-4862

CVSS v2 Score:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Base Score: 10.0

Exploitability: FUNCTIONAL
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score: 8.3

Details:
MIT krb5-appl has been reported to contain a vulnerability that could be leveraged by a remote attacker to execute arbitrary code on the targeted system.  The vulnerability has been reported in the code responsible for handling Kerberos based authentication mechanism.

The vulnerability was introduced when BSD telnet daemon and client utilities included support for cryptographic security via MIT Kerberos based authentication mechanism. This code was further included within FreeBSD and GNU inetutils making these vulnerable as well.

The vulnerability allows a pre-authentication memory corruption error that could be triggered remotely by submitting an arbitrarily long encryption key to the target system. Specifically, the vulnerability exists within the encrypt_keyid() function of the encrypt.c source file of the affected software:

static void
encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len)
{
   ...
    } else if ((len != kp->keylen) || (memcmp(keyid,kp->keyid,len) != 0)) {
    /*
     * Length or contents are different
     */
    kp->keylen = len;
    memcpy(kp->keyid,keyid, len);
    if (ep->keyid)
        (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
    ...
}

The vulnerable source file defines the following structure to keep record of the encryption state:

#define   MAXKEYLEN 64

static struct key_info {
    unsigned char keyid[MAXKEYLEN];
    int keylen;
    int dir;
    int *modep;
    Encryptions *(*getcrypt)();
} ki[2] = {
    { { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
    { { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },
};

However, the vulnerable function fails to impose sufficient boundary restrictions on user-supplied encryption keys and copies those into keyinfo structure without honoring the MAXKEYLEN constant via a memcpy operation. This could cause a heap-based buffer overflow error, leading to the memory corruption error.

Successful exploitation could allow the attacker to leverage the memory corruption error to execute arbitrary code on the targeted system with the privileges of the affected software. Failed exploit attempts could result in a denial of service condition on the targeted system.

Vulnerability Sources:
http://www.securityfocus.com/bid/51182
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt
http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc
https://bugzilla.redhat.com/show_bug.cgi?id=770325
http://osvdb.org/78020


Vulnerability Report #5B: VLC .TY (TiVo) File Parser Arbitrary Code Execution Vulnerability

Vulnerable Product: Installations of VLC Media Player with versions 0.9.0 through 1.1.12

CVE ID: NA

CVSS v2 Score:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Base Score: 9.3

Exploitability: UNPROVEN
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score:6.9

Details:
VLC Media Player has been reported to contain a vulnerability that could allow a remote attacker to execute arbitrary code on the targeted system. The vulnerability is introduced by the libty_plugin that helps parsing of .ty files.

struct demux_sys_t
{
...
ty_rec_hdr_t    *rec_hdrs;          /* record headers array */
int             i_cur_rec;          /* current record in this chunk */
int             i_num_recs;         /* number of recs in this chunk */
...
};

The vulnerability exists due to an implementation flaw within the get_chunk_header() function of the ty.c source file of the vulnerable plugin. The vulnerable plugin improperly handles the record headers array, rec_hdrs, corrupting heap structures in the memory.

diff --git a/modules/demux/ty.c b/modules/demux/ty.c
index e916b41..b181a6a 100644 (file)

--- a/modules/demux/ty.c
+++ b/modules/demux/ty.c
@@ -1887,6 +1887,7 @@ static int get_chunk_header(demux_t *p_demux)
     /*msg_Dbg( p_demux, "chunk has %d records", i_num_recs );*/

     free(p_sys->rec_hdrs);
+    p_sys->rec_hdrs = NULL;
     /* skip past the 4 bytes we "peeked" earlier */
     stream_Read( p_demux->s, NULL, 4 );

Successful exploitation could allow the attacker to leverage the memory corruption error further and execute arbitrary code on the targeted system within the security context of the affected software.

Vulnerability Sources:
http://www.securityfocus.com/bid/51147
http://www.videolan.org/security/sa1108.html
http://git.videolan.org/?p=vlc.git;a=blobdiff;f=modules/demux/


Generic Sources:
http://cve.mitre.org
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
Posted by at No comments:
Labels: , , , , , , ,

Sunday, December 18, 2011

Vulnerable Weekends #4

Introduction:
Report #4A analyzes the Microsoft Windows True-Type fonts handling vulnerability that the W32.Duqu malware leverages to install itself on vulnerable systems. Once installed, it could then leverage its elevated privileges to execute arbitrary code.

Report #4B analyzes the Microsoft Windows DVR-MS media files processing vulnerability that could also be leveraged to execute arbitrary code on the targeted system.

Vulnerability Report #4A: Microsoft Windows Kernel-Mode Drivers True-Type Font Handling Remote Code Execution Vulnerability

Vulnerable Product: Installations of Microsoft Windows XP, Server 2003, Vista, Server 2008, and 7

CVE ID: CVE-2011-3402

CVSS v2 Score:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Base Score:9.3

Exploitability: FUNCTIONAL
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score:7.7

Details:
Microsoft Windows has been reported to contain a vulnerability that could be leveraged to execute arbitrary code on the targeted system. The vulnerability has been reported within the Kernel-Mode driver, Win32k.sys, that provides rendering support for True-Type fonts.

The vulnerability is due to the fact that the vulnerable font processing engine fails to perform mandatory boundary checks on user-supplied input received via crafted True-Type fonts embedded within a Microsoft Office .doc file. An attacker who could convince a remote user to open a malicious .doc file, containing the specially crafted content, could exploit this vulnerability to cause a memory corruption error within kernel space. Further, the attacker could leverage such memory corruption errors to inject arbitrary shellcode within system memory and execute it with SYSTEM privileges on the targeted system.

Public sources confirm that the W32.Duqu malware, assumed to be a variant of W32/Stuxnet-B, leverages this vulnerability to infect vulnerable systems.

The vendor, Microsoft, has released a security bulletin to confirm this vulnerability and provided official patches for its mitigation. Users are requested to keep their systems updated with the latest available patches.

Vulnerability Sources:
http://www.securityfocus.com/bid/50462
http://tools.cisco.com/security/center/viewAlert.x?alertId=24500
http://www.symantec.com/security_response/writeup.jsp?docid=2011-101814-1119-99


Vulnerability Report #4B: Microsoft Windows Media Player DVR-MS Files Processing Remote Code Execution Vulnerability

Vulnerable Product: Installations of Microsoft Windows XP, Vista, and 7

CVE ID: CVE-2011-3401

CVSS v2 Score:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Base Score: 9.3

Exploitability: UNPROVEN
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score: 6.9

Details:
Microsoft Windows Media Player has been reported to contain a vulnerability that could be leveraged to execute arbitrary code on the targeted system. The vulnerability exists within the encdec.dll library used by the vulnerable platforms.

The vulnerability is introduced while the affected software tries to process Microsoft Digital Video Recording (DVR-MS) media files. The affected software fails to perform sufficient security checks on user-supplied input received via such files, leading to a memory corruption error within kernel space. An attacker who could convince a targeted user to open a malicious .dvr-ms file, could exploit this vulnerability and leverage the memory corruption error to execute arbitrary code with SYSTEM privileges.

The vendor, Microsoft, has released a security bulletin to confirm this vulnerability and provided official patches for its mitigation. Users are requested to keep their systems updated with the latest available patches.

Vulnerability Sources:
http://www.securityfocus.com/bid/50957
http://secunia.com/advisories/cve_reference/CVE-2011-3401/

Generic Sources:
http://cve.mitre.org
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
Posted by at No comments:
Labels: , , , , , , , , , , ,

Saturday, December 10, 2011

Vulnerable Weekends #3

Introduction:
Report #3A analyzes the Cisco WebEx Player remote code execution vulnerability. The vendor states that a functional exploit for this vulnerability exists, however no public sources confirm its availability.

Report #3B analyzes the ISC DHCP denial of service vulnerability. Although, DHCP requests will only be received from local clients, attackers could also exploit this vulnerability from an adjacent network using a relay agent that comes bundled with the vulnerable product suite.

Vulnerability Report #3A: Cisco WebEx Player WRF Files Processing Remote Code Execution Vulnerability

Vulnerable Product: Installations of Cisco WebEx Player with versions T26 prior to SP49 EP40 and T27 prior to SP28

CVE ID: CVE-2011-3319

CVSS v2 Score:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Base Score: 9.3

Exploitability: FUNCTIONAL
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score: 7.7

Details:
Cisco WebEx Player is an application that helps to playback or edit WebEx meetings recording, WebEx Recording Format (WRF) files.

The vulnerable software fails to perform sufficient sanitization on user-supplied input received via a malicious .wrf file. A shared library, atdl2006.dll, has been identified as the source of this vulnerability. The vulnerable library uses an unsanitized, user-supplied size parameter to allocate a dynamic buffer via the memcpy() function. However, due to insufficient checks on this parameter, a heap-based buffer overflow could be triggered.

Attackers who can successfully lure a targeted user to open a malicious .wrf file or visit a crafted webpage, could exploit this vulnerability. Once exploited, the attacker could execute arbitrary code on the targeted system with the privileges of the user.

The vendor, Cisco, has confirmed this vulnerability and provided official fixes to mitigate it. Users are requested to refer to the vendor advisory for further details.

Vulnerability Sources:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex
http://www.zerodayinitiative.com/advisories/ZDI-11-341/
http://www.securityfocus.com/bid/50373


Vulnerability Report #3B: ISC DHCP Incorrect Extended Regular Expressions Processing Denial of Service Vulnerability

Vulnerable Product: Installations of ISC DHCP server with versions prior to 4.2.3-P1 and 4.1-ESV-R4

CVE ID: CVE-2011-4539

CVSS v2 Score:
Access Vector: ADJACENT NETWORK
Access Complexity: MEDIUM
Authentication: NONE

Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Base Score: 2.9

Exploitability: UNPROVEN
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score: 2.1

Details:
Internet Systems Consortium (ISC) provides an open source, reference implementation for Dynamic Host Configuration Protocol (DHCP) which includes components such as a server, a client and a relay agent.

The vulnerability exists within the server component which is responsible for handling DHCP requests received from local clients or from adjacent clients via a relay agent.

The vulnerable component incorrectly evaluates an extended regular expression consisting of a comparison operator such as ~= or ~~. While processing a DHCP request, if such operators are encountered within its configuration file, dhcpd.conf, the vulnerable component could terminate abnormally, leading to a denial of service (DoS) condition.

The vulnerability, however, could only be triggered if the targeted server has been configured to parse extended regular expressions. As such, only those installations where an administrator has manually configured the vulnerable component to use such operators, are exposed to this vulnerability.

The vendor, ISC, has confirmed this vulnerability and released patches for its mitigation. Users are requested to refer to the vendor advisory for further details.

Vulnerability Sources:
https://www.isc.org/software/dhcp/advisories/cve-2011-4539
http://www.securityfocus.com/bid/50971

Generic Sources:
http://cve.mitre.org
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
Posted by at 2 comments:
Labels: , , , , , , , ,

Saturday, December 3, 2011

Vulnerable Weekends #2

Introduction:
Report #2A analyzes the GNU GDB code execution vulnerability. Although online reports indicate that various vendors were aware of this vulnerability as early as April 2011 and are still involved in its resolution, there has been no official confirmation.

Report #2B provides an analysis for the acclaimed Intel VT-d chipsets privilege escalation vulnerability. Xen has confirmed this vulnerability and has released two patches that either disallow the virtual machine to boot if its using the vulnerable configuration or narrows down the scope of this vulnerability to a denial of service.

Vulnerability Report #2A: GNU GDB Insecure Scripts Processing Arbitrary Code Execution Vulnerability

Vulnerable Product: Installations of GDB with versions 7.3.1 and prior.

CVE ID: CVE-2011-4355

CVSS V2 Score:
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: SINGLE

Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Base Score: 4.1 

Exploitability: UNPROVEN
Remediation Level: UNAVAILABLE
Report Confidence: UNCORROBORATED
Temporal Score: 3.3

Details:
GDB, the GNU Project debugger, is one of the most valuable tools available for understanding the internals of a program. The debugger provides a wide array of options for its users to explore. One such option, however, could allow an authenticated attacker to execute arbitrary code on the targeted system.

The vulnerable debugger fails to perform sufficient sanitization on user-supplied input received via malicious Executable and Linkable Format (ELF) or Common Object File Format (COFF) files.

The vulnerable debugger looks for a special .debug_gdb_scripts section within such object files to obtain a list of scripts that are to be executed. The standard local file lookup procedure, which includes searching for the specified filename within the current directory and then through each of the file locations specified within the system path, is used to search for the specified script.

Since, the validity of such user-specified scripts is not taken into account before executing them, this feature could allow an attacker who has obtained privileged access to an enterprise system to execute arbitrary code. The attacker could install malicious scripts within the current directory or within one of the standard file search paths and then reference them using the vulnerable option from a crafted object file. When the vulnerable debugger initiates a debug operation on such object files, it could encounter the option and execute the requested scripts with the privileges of the user.

The vendor, GNU, has not yet confirmed this vulnerability and as such there are no official patches or updates available for this vulnerability. Users are requested to get in touch with the vendor to obtain patches/updates for their installations.

Vulnerability Sources:


Vulnerability Report #2B: Intel VT-d MSI Traps Injection Using PCI Passthrough Privilege Escalation Vulnerability

Vulnerable Product: Installations of Xen with versions 4.1.2 and prior.

CVE ID: CVE-2011-1898

Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: SINGLE

Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Base Score: 6.6

Exploitability: UNPROVEN
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score: 4.9

Details:
Xen, a Virtual Machine Monitor (VMM), contains a vulnerability which an authenticated attacker could leverage to gain elevated privileges on the targeted system.

The vulnerable hypervisor fails to restrict a guest virtual machine, that has ownership of a PCI device, to edit the interrupt injection registers via Direct Memory Access (DMA) and trigger abrupt Message Signaled Interrupts (MSIs). This flaw could allow the attacker to inject arbitrary traps and gain privileged access on the host system.

Target platforms that support PCI passthrough to make certain PCI devices accessible within guest virtual machines and have the Interrupt Remapping feature either disabled or unsupported are exposed to this vulnerability.

An authenticated attacker who has sufficient privileges to execute a virtual machine, that has access to certain PCI devices, could exploit this vulnerability on the vulnerable platforms. Newer Intel chipsets include support for Interrupt Remapping and as such are immune to this vulnerability. However there is still a huge userbase for older, vulnerable hardware that makes this vulnerability critical.

The vendor, Xen, has confirmed this vulnerability and provided official patches to mitigate this vulnerability. Users are however informed that though official patches mitigate this vulnerability, the attacker could still cause a denial of service condition on the targeted system. The only available solution would be to either enable the Interrupt Remapping feature or upgrade to a hardware platform that supports it.

Vulnerability Sources:

Generic Sources:
Posted by at No comments:
Labels: , , , , ,
Subscribe to: Posts (Atom)