Saturday, December 24, 2011

Vulnerable Weekends #5

Introduction:
Report #5A analyzes the MIT Kerberos telnet remote code execution vulnerability. The flaw lies in encryption-option code that the BSD-derived telnet programs share, so the Kerberos-enabled telnet client and daemon shipped with FreeBSD, GNU inetutils and others are affected alongside MIT's own krb5-appl. telnetd negotiates this option before login, so the daemon is exploitable without credentials and with its privileges (root).

Report #5B analyzes the VLC TiVo file parser arbitrary code execution vulnerability.

Vulnerability Report #5A: MIT krb5-appl Telnet Client and Server encrypt_keyid() Remote Code Execution Vulnerability

Vulnerable Product: MIT krb5 releases prior to 1.8, which still bundled the telnet programs, and the krb5-appl releases that later carried them up to and including 1.0.2 (fixed in krb5-appl 1.0.3); the BSD-derived telnet code in FreeBSD, GNU inetutils and other products is affected as well

CVE ID: CVE-2011-4862

CVSS v2 Score:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Base Score: 10.0

Exploitability: FUNCTIONAL
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score: 8.3

Details:
MIT krb5-appl has been reported to contain a vulnerability that a remote attacker could leverage to execute arbitrary code on the targeted system. The flaw is in libtelnet's handling of the TELNET ENCRYPT option (encrypt.c), the code that negotiates session encryption keys once Kerberos authentication is in use, not in the authentication exchange itself.

The vulnerability was introduced when the BSD telnet daemon and client gained support for session encryption alongside MIT Kerberos based authentication. That code was carried into FreeBSD, GNU inetutils and Heimdal, making their telnet programs vulnerable as well.

The vulnerability is a pre-authentication memory corruption that can be triggered remotely by sending an over-long key id in an ENCRYPT suboption (ENC_KEYID). Because encrypt.c is shared by the client and the server, a malicious server can attack a connecting client just as a client can attack telnetd. Specifically, the vulnerability exists within the encrypt_keyid() function of the encrypt.c source file of the affected software:

static void
encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len)
{
    /* ... elided prologue; it sets the two locals used below:
     *     ep  = (*kp->getcrypt)(*kp->modep);   (the function pointer stored in ki[])
     *     dir = kp->dir;
     */
    ...
    } else if ((len != kp->keylen) || (memcmp(keyid,kp->keyid,len) != 0)) {
        /*
         * Length or contents are different
         */
        kp->keylen = len;
        memcpy(kp->keyid,keyid, len);   /* len is never compared with MAXKEYLEN */
        if (ep->keyid)
            (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
    ...
}

The vulnerable source file defines the following structure to keep record of the encryption state:

#define   MAXKEYLEN 64

static struct key_info {
    unsigned char keyid[MAXKEYLEN];
    int keylen;
    int dir;
    int *modep;
    Encryptions *(*getcrypt)();   /* function pointer, called on every key id suboption */
} ki[2] = {
    { { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
    { { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },
};

However, the vulnerable function never compares len with MAXKEYLEN before the memcpy() into the key_info structure. Note that ki[] is a static array, so this is not a heap overflow: the bytes beyond keyid[64] run into the following fields of the same key_info, first keylen and dir, then modep, and finally the getcrypt function pointer that encrypt_keyid() calls on the next key id suboption. Overwriting that pointer hands control of execution to the attacker.

Successful exploitation allows the attacker to execute arbitrary code with the privileges of the affected program, which for telnetd means root before any login has taken place. Failed exploit attempts crash the process, resulting in a denial of service condition.
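The copy above, as an added example that is not krb5-appl's code: it rebuilds the key_info layout from the page, parses the ENC_KEYID suboption that carries the key id, runs an over-long id through the unbounded copy and through a bounded replacement, and reports which fields the overflow reaches. The telnet constants are from RFC 854 and RFC 2946; the suboption bytes are constructed here, and every name other than key_info and MAXKEYLEN is this example's own.

```c
/* Added example, not krb5-appl code: a model of the key_info layout shown
 * above, a parser for the ENC_KEYID suboption that carries the key id, the
 * unbounded copy from encrypt_keyid(), and a bounded replacement for it.
 * The sample bytes are constructed here; every name other than key_info,
 * MAXKEYLEN and the telnet constants belongs to this example. */
#include <stddef.h>
#include <string.h>

#define MAXKEYLEN 64

struct key_info {                      /* same field order as the page's struct */
    unsigned char keyid[MAXKEYLEN];
    int keylen;
    int dir;
    int *modep;
    void *(*getcrypt)(int);            /* stands in for Encryptions *(*getcrypt)() */
};

union key_slot {                       /* byte view of one ki[] slot, so the overflow */
    struct key_info ki;                /* is observed without leaving a real object */
    unsigned char raw[sizeof(struct key_info)];
};

enum { IAC = 255, SB = 250, SE = 240, TELOPT_ENCRYPT = 38, ENC_KEYID = 7 };

/* Parse "IAC SB ENCRYPT ENC_KEYID <id bytes> IAC SE" (RFC 2946), pointing *id
 * at the key id. Returns its length, or -1 if malformed. A 0xFF inside the id
 * is doubled on the wire (IAC IAC); this parser rejects it rather than unescape. */
int parse_enc_keyid(const unsigned char *buf, size_t n, const unsigned char **id)
{
    size_t i;
    if (n < 6 || buf[0] != IAC || buf[1] != SB || buf[2] != TELOPT_ENCRYPT ||
        buf[3] != ENC_KEYID || buf[n - 2] != IAC || buf[n - 1] != SE)
        return -1;
    for (i = 4; i < n - 2; i++)
        if (buf[i] == IAC)
            return -1;
    *id = buf + 4;
    return (int)(n - 6);
}

/* Bytes an id of 'len' writes past keyid[]: they land on keylen, dir, modep
 * and finally on the getcrypt function pointer. */
int overflow_bytes(int len)
{
    return len > MAXKEYLEN ? len - MAXKEYLEN : 0;
}

/* Vulnerable shape: the copy in encrypt_keyid(), with no bound on len. */
static void keyid_unbounded(union key_slot *s, const unsigned char *id, int len)
{
    s->ki.keylen = len;
    memcpy(s->raw + offsetof(struct key_info, keyid), id, (size_t)len);
}

/* Hardened shape: refuse an id that does not fit and leave the state as it
 * was. Returns 0 when stored, -1 when rejected. */
int keyid_bounded(struct key_info *kp, const unsigned char *id, int len)
{
    if (len < 0 || len > MAXKEYLEN)
        return -1;
    kp->keylen = len;
    memcpy(kp->keyid, id, (size_t)len);
    return 0;
}

/* Constructed sample: a suboption whose id is 'len' bytes of 'A' (len <= 128). */
static size_t build_keyid_packet(unsigned char *pkt, int len)
{
    pkt[0] = IAC; pkt[1] = SB; pkt[2] = TELOPT_ENCRYPT; pkt[3] = ENC_KEYID;
    memset(pkt + 4, 'A', (size_t)len);
    pkt[4 + len] = IAC; pkt[5 + len] = SE;
    return (size_t)len + 6;
}

/* Feed an id as long as the whole structure through both handlers. Stores
 * keyid_bounded()'s result in *bounded_rc, sets *getcrypt_hit when the
 * unbounded copy reached the function pointer, and returns the keylen field
 * as that copy left it: 0x41414141 for an all-'A' id. */
int demo(int *bounded_rc, int *getcrypt_hit)
{
    unsigned char pkt[4 + 128 + 2], all_a[sizeof(void *)];
    const unsigned char *id;
    union key_slot slot;
    struct key_info safe;
    size_t n = build_keyid_packet(pkt, (int)sizeof(struct key_info));
    int len = parse_enc_keyid(pkt, n, &id);

    memset(&slot, 0, sizeof slot);
    memset(&safe, 0, sizeof safe);
    memset(all_a, 'A', sizeof all_a);
    *bounded_rc = keyid_bounded(&safe, id, len);              /* -1: rejected */
    keyid_unbounded(&slot, id, len);                          /* runs over the fields */
    *getcrypt_hit = memcmp(slot.raw + offsetof(struct key_info, getcrypt),
                           all_a, sizeof all_a) == 0;
    return slot.ki.keylen;
}
```

demo() feeds an id as long as the whole structure (88 bytes on LP64 platforms): the bounded handler rejects it, while the unbounded copy leaves keylen holding 0x41414141 and the getcrypt pointer entirely attacker-controlled. The vendor fix takes the same shape, a length check before the copy; keyid_bounded() is this example's version of it, not the vendor's patch.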

Vulnerability Sources:
http://www.securityfocus.com/bid/51182
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt
http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc
https://bugzilla.redhat.com/show_bug.cgi?id=770325
http://osvdb.org/78020


Vulnerability Report #5B: VLC .TY (TiVo) File Parser Arbitrary Code Execution Vulnerability

Vulnerable Product: Installations of VLC Media Player with versions 0.9.0 through 1.1.12

CVE ID: NA

CVSS v2 Score:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Base Score: 9.3

Exploitability: UNPROVEN
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score:6.9

Details:
VLC Media Player has been reported to contain a vulnerability that could allow a remote attacker to execute arbitrary code on the targeted system. The vulnerability lies in the TiVo demuxer (libty_plugin), the module that parses .ty files. The relevant part of its state is:

struct demux_sys_t
{
...
ty_rec_hdr_t    *rec_hdrs;          /* record headers array */
int             i_cur_rec;          /* current record in this chunk */
int             i_num_recs;         /* number of recs in this chunk */
...
};

The vulnerability exists in the get_chunk_header() function of the ty.c source file. When a new chunk header is read, the function frees the record headers array, rec_hdrs, but leaves the pointer set; if the chunk then turns out to be malformed and the array is not reallocated, the stale pointer is later freed again or used, operating on freed heap memory and corrupting heap structures. The fix simply clears the pointer at the point of the free:

diff --git a/modules/demux/ty.c b/modules/demux/ty.c
index e916b41..b181a6a 100644 (file)

--- a/modules/demux/ty.c
+++ b/modules/demux/ty.c
@@ -1887,6 +1887,7 @@ static int get_chunk_header(demux_t *p_demux)
     /*msg_Dbg( p_demux, "chunk has %d records", i_num_recs );*/

     free(p_sys->rec_hdrs);
+    p_sys->rec_hdrs = NULL;
     /* skip past the 4 bytes we "peeked" earlier */
     stream_Read( p_demux->s, NULL, 4 );
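
Review bot: nulling rec_hdrs right after the free() is the right fix for the dangling pointer, but the counts that describe the array are left as they were: if get_chunk_header() fails between this point and the reallocation (a short read or an implausible record count), p_sys->i_num_recs and p_sys->i_cur_rec still describe the old array, so a caller that indexes rec_hdrs[i_cur_rec] on that error path now dereferences NULL instead of freed memory. Suggest resetting both in the same place, e.g. `p_sys->i_num_recs = 0;` and `p_sys->i_cur_rec = 0;` directly after `p_sys->rec_hdrs = NULL;`. Separately, the return value of `stream_Read( p_demux->s, NULL, 4 );` is discarded; a short read here leaves the stream positioned before the record headers that are parsed next, so it should be checked and the chunk rejected on failure.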

Successful exploitation could allow the attacker to turn the heap corruption into arbitrary code execution on the targeted system, within the security context of the user running VLC.
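The lifecycle behind the hunk, as an added example that is not VLC's code: a miniature get_chunk_header() that frees rec_hdrs, reads a record count from the chunk and reallocates, followed by a close routine that frees the array once more. A tracking allocator replaces malloc/free so the double free is counted instead of performed; the chunk layout, MAX_RECS and every name other than rec_hdrs, i_num_recs and i_cur_rec are this example's own.

```c
/* Added example, not VLC code. It models the rec_hdrs lifecycle behind the
 * ty.c hunk above: the headers array is freed when a new chunk header is
 * read, a record count is taken from the chunk, and the demuxer's close
 * routine frees the array once more. A small tracking allocator replaces
 * malloc/free so that a double free is counted instead of performed. The
 * chunk layout (little-endian u32 record count first), MAX_RECS and every
 * name except rec_hdrs, i_cur_rec and i_num_recs are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RECS 64                   /* plausibility bound on records per chunk */

typedef struct { uint32_t l_rec_size; uint8_t rec_type; } ty_rec_hdr_t;

typedef struct {
    ty_rec_hdr_t *rec_hdrs;           /* record headers array */
    int           i_cur_rec;          /* current record in this chunk */
    int           i_num_recs;         /* number of recs in this chunk */
} demux_sys_t;

/* Tracking allocator: a block may be freed once; freeing a pointer that is
 * not live is a double free and is counted rather than passed to free(). */
static void *live[16];
static int n_live, double_frees;

static void *t_malloc(size_t n)
{
    void *p = malloc(n);
    if (p && n_live < 16) live[n_live++] = p;
    return p;
}

static void t_free(void *p)
{
    int i;
    if (!p) return;                   /* free(NULL) is a no-op */
    for (i = 0; i < n_live; i++)
        if (live[i] == p) { live[i] = live[--n_live]; free(p); return; }
    double_frees++;
}

/* Read one chunk header. With null_after_free == 0 this follows the code
 * before the patch: on either error path rec_hdrs still points at freed
 * memory. With 1 it follows the patch, and also resets the counts so the
 * empty state is consistent. Returns 0 on success, -1 on a bad chunk. */
int get_chunk_header(demux_sys_t *sys, const uint8_t *chunk, size_t n,
                     int null_after_free)
{
    uint32_t count;
    t_free(sys->rec_hdrs);
    if (null_after_free) {
        sys->rec_hdrs = NULL;
        sys->i_num_recs = sys->i_cur_rec = 0;
    }
    if (n < 4) return -1;                          /* truncated chunk */
    count = chunk[0] | chunk[1] << 8 | chunk[2] << 16 | (uint32_t)chunk[3] << 24;
    if (count == 0 || count > MAX_RECS) return -1; /* implausible count */
    sys->rec_hdrs = t_malloc(count * sizeof *sys->rec_hdrs);
    if (!sys->rec_hdrs) return -1;
    memset(sys->rec_hdrs, 0, count * sizeof *sys->rec_hdrs);
    sys->i_num_recs = (int)count;
    sys->i_cur_rec = 0;
    return 0;
}

/* The demuxer's close routine frees whatever rec_hdrs points at. */
void close_demux(demux_sys_t *sys)
{
    t_free(sys->rec_hdrs);
    sys->rec_hdrs = NULL;
}

/* One valid chunk, then a truncated one, then close. Returns how many
 * double frees the tracking allocator caught for the chosen variant. */
int run_variant(int null_after_free)
{
    demux_sys_t sys;
    const uint8_t good[4] = { 3, 0, 0, 0 };       /* 3 records */
    const uint8_t bad[2]  = { 9, 9 };             /* too short to hold a count */

    memset(&sys, 0, sizeof sys);
    double_frees = 0;
    get_chunk_header(&sys, good, sizeof good, null_after_free);  /* allocates */
    get_chunk_header(&sys, bad, sizeof bad, null_after_free);    /* frees, fails */
    close_demux(&sys);                                           /* frees again? */
    return double_frees;
}

int main(void)
{
    printf("double frees before patch: %d, after patch: %d\n",
           run_variant(0), run_variant(1));
    return 0;
}
```

run_variant(0) reports one double free: after the truncated chunk the stale pointer is freed a second time at close. run_variant(1), which follows the patch, reports none; it also zeroes i_num_recs and i_cur_rec at the same point, so nothing indexes a NULL array on the error path.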

Vulnerability Sources:
http://www.securityfocus.com/bid/51147
http://www.videolan.org/security/sa1108.html
http://git.videolan.org/?p=vlc.git;a=blobdiff;f=modules/demux/


Generic Sources:
http://cve.mitre.org
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Sunday, December 18, 2011

Vulnerable Weekends #4

Introduction:
Report #4A analyzes the Microsoft Windows TrueType font handling vulnerability that the W32.Duqu malware uses to install itself on vulnerable systems. Because the flaw sits in a kernel-mode driver, a successful exploit runs attacker code in the kernel directly.

Report #4B analyzes the Microsoft Windows DVR-MS media file processing vulnerability, which can likewise be leveraged to execute arbitrary code on the targeted system.

Vulnerability Report #4A: Microsoft Windows Kernel-Mode Drivers True-Type Font Handling Remote Code Execution Vulnerability

Vulnerable Product: Installations of Microsoft Windows XP, Server 2003, Vista, Server 2008, and 7

CVE ID: CVE-2011-3402

CVSS v2 Score:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Base Score:9.3

Exploitability: FUNCTIONAL
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score:7.7

Details:
Microsoft Windows has been reported to contain a vulnerability that could be leveraged to execute arbitrary code on the targeted system. The vulnerability has been reported within the Kernel-Mode driver, Win32k.sys, that provides rendering support for True-Type fonts.

The vulnerability is due to insufficient validation of the TrueType font data that win32k.sys parses. In the observed attack the crafted font is embedded in a Microsoft Office .doc file: an attacker who convinces a user to open it causes the kernel-mode driver to parse the font and corrupt kernel memory. Because the parsing runs in kernel mode, an attacker who controls that corruption can execute arbitrary code in the kernel, bypassing user-mode privilege boundaries entirely.

Public sources confirm that the W32.Duqu malware, which shares a large amount of code with W32.Stuxnet, uses this vulnerability (through its Word document dropper) to infect vulnerable systems.

The vendor, Microsoft, has confirmed this vulnerability in security bulletin MS11-087 and provided official patches for its mitigation. Users are requested to keep their systems updated with the latest available patches.

Vulnerability Sources:
http://www.securityfocus.com/bid/50462
http://tools.cisco.com/security/center/viewAlert.x?alertId=24500
http://www.symantec.com/security_response/writeup.jsp?docid=2011-101814-1119-99


Vulnerability Report #4B: Microsoft Windows Media Player DVR-MS Files Processing Remote Code Execution Vulnerability

Vulnerable Product: Installations of Microsoft Windows XP, Vista, and 7

CVE ID: CVE-2011-3401

CVSS v2 Score:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Base Score: 9.3

Exploitability: UNPROVEN
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score: 6.9

Details:
Microsoft Windows Media Player has been reported to contain a vulnerability that could be leveraged to execute arbitrary code on the targeted system. The vulnerability exists within encdec.dll, the user-mode filter library that the affected platforms use to process Microsoft Digital Video Recording (DVR-MS) media files.

The affected software fails to perform sufficient checks on data read from such files, leading to memory corruption in the player process (the library runs in user mode, so this is not a kernel-space flaw). An attacker who could convince a targeted user to open a malicious .dvr-ms file could leverage the memory corruption to execute arbitrary code with the privileges of that user.

The vendor, Microsoft, has confirmed this vulnerability in security bulletin MS11-092 and provided official patches for its mitigation. Users are requested to keep their systems updated with the latest available patches.

Vulnerability Sources:
http://www.securityfocus.com/bid/50957
http://secunia.com/advisories/cve_reference/CVE-2011-3401/

Generic Sources:
http://cve.mitre.org
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Saturday, December 10, 2011

Vulnerable Weekends #3

Introduction:
Report #3A analyzes the Cisco WebEx Player remote code execution vulnerability. The vendor states that a functional exploit for this vulnerability exists; however, no public sources confirm its availability.

Report #3B analyzes the ISC DHCP denial of service vulnerability. Although a DHCP server normally receives requests only from clients on the local network, a relay agent (one ships with the same product suite) forwards requests from adjacent networks, so an attacker on an adjacent network can reach the vulnerable server as well.

Vulnerability Report #3A: Cisco WebEx Player WRF Files Processing Remote Code Execution Vulnerability

Vulnerable Product: Installations of Cisco WebEx Player with versions T26 prior to SP49 EP40 and T27 prior to SP28

CVE ID: CVE-2011-3319

CVSS v2 Score:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Base Score: 9.3

Exploitability: FUNCTIONAL
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score: 7.7

Details:
Cisco WebEx Player is an application for playing back and editing WebEx meeting recordings stored in the WebEx Recording Format (WRF).

The vulnerable software fails to perform sufficient sanitization on user-supplied input received via a malicious .wrf file. The flaw has been traced to the shared library atdl2006.dll, which trusts a size value taken from the file when copying data with memcpy() into a heap buffer; because the value is not checked against the size of the destination, a heap-based buffer overflow can be triggered.

An attacker who can lure a targeted user into opening a malicious .wrf file, or into visiting a crafted web page that serves one, could exploit this vulnerability. Once exploited, the attacker could execute arbitrary code on the targeted system with the privileges of the user.

The vendor, Cisco, has confirmed this vulnerability and provided official fixes to mitigate it. Users are requested to refer to the vendor advisory for further details.

Vulnerability Sources:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex
http://www.zerodayinitiative.com/advisories/ZDI-11-341/
http://www.securityfocus.com/bid/50373


Vulnerability Report #3B: ISC DHCP Incorrect Extended Regular Expressions Processing Denial of Service Vulnerability

Vulnerable Product: Installations of ISC DHCP server with versions prior to 4.2.3-P1 and 4.1-ESV-R4

CVE ID: CVE-2011-4539

CVSS v2 Score:
Access Vector: ADJACENT NETWORK
Access Complexity: MEDIUM
Authentication: NONE

Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Base Score: 2.9

Exploitability: UNPROVEN
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score: 2.1

Details:
Internet Systems Consortium (ISC) provides an open source reference implementation of the Dynamic Host Configuration Protocol (DHCP), comprising a server, a client and a relay agent.

The vulnerability exists within the server component, which handles DHCP requests received from local clients or, via a relay agent, from clients on adjacent networks.

The server mishandles the extended regular expression operators ~= (regular-expression match) and ~~ (case-insensitive regular-expression match) that may appear in its configuration file, dhcpd.conf. When a DHCP request is evaluated against an expression using such an operator, the server can terminate abnormally, leading to a denial of service (DoS) condition.

The vulnerability can only be triggered if the targeted server has been configured to evaluate extended regular expressions. As such, only installations where an administrator has manually configured the server to use these operators are exposed.

The vendor, ISC, has confirmed this vulnerability and released patches for its mitigation. Users are requested to refer to the vendor advisory for further details.

Vulnerability Sources:
https://www.isc.org/software/dhcp/advisories/cve-2011-4539
http://www.securityfocus.com/bid/50971

Generic Sources:
http://cve.mitre.org
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Saturday, December 3, 2011

Vulnerable Weekends #2

Introduction:
Report #2A analyzes the GNU GDB code execution vulnerability. Online reports indicate that various vendors have been aware of this issue since April 2011 and are still discussing its resolution, but there has been no official confirmation.

Report #2B analyzes the widely reported Intel VT-d privilege escalation vulnerability. Xen has confirmed the vulnerability and released two patches: one refuses to boot a virtual machine that uses the vulnerable configuration, the other narrows the impact of the vulnerability to a denial of service.

Vulnerability Report #2A: GNU GDB Insecure Scripts Processing Arbitrary Code Execution Vulnerability

Vulnerable Product: Installations of GDB with versions 7.3.1 and prior.

CVE ID: CVE-2011-4355

CVSS V2 Score:
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: SINGLE

Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Base Score: 4.1 

Exploitability: UNPROVEN
Remediation Level: UNAVAILABLE
Report Confidence: UNCORROBORATED
Temporal Score: 3.3

Details:
GDB, the GNU Project debugger, is one of the most valuable tools available for understanding the internals of a program. The debugger provides a wide array of features for its users to explore. One such feature, however, could allow an attacker to execute arbitrary code on the system of a user who debugs a crafted file.

The debugger does not validate the auto-load information it reads from Executable and Linkable Format (ELF) or Common Object File Format (COFF) object files.

The debugger looks for a special .debug_gdb_scripts section in such object files; each entry in the section names a script that is to be loaded when the file is debugged. The named script is searched for in the current directory and then in the directories on gdb's source search path.

Because the scripts are executed without any check on their origin, an attacker who can place both a crafted object file and a script where the target user will debug the file (an untrusted binary handed over together with its script, or a script dropped into a directory on the search path) can execute arbitrary code. When the debugger loads such an object file, it finds the entry and runs the script with the privileges of the user running gdb.

The vendor, GNU, has not yet confirmed this vulnerability, and as such there are no official patches or updates available for it. Users are requested to get in touch with the vendor to obtain patches/updates for their installations.
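As an added example, not GDB's code: the check a practitioner wants before debugging an untrusted binary is to see which scripts its .debug_gdb_scripts section would make gdb load. The lister below parses that section from an in-memory ELF64 image (section layout per the ELF specification, entry format per the GDB manual's description of the section) and returns the referenced file names. The sample image, its two script names and every function name are constructed for the example.

```c
/* Added example, not GDB code: a checker that lists the script names an
 * object file would make gdb auto-load, so an untrusted binary can be looked
 * at before it is debugged. It reads .debug_gdb_scripts from a little-endian
 * ELF64 image in memory; each entry there is a kind byte (1 = Python file
 * name) followed by a NUL-terminated name. The sample image and its script
 * names are constructed by build_sample_elf(); that builder and every
 * function name here are this example's own. */
#include <stdint.h>
#include <string.h>

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t get32(const uint8_t *p) { return get16(p) | (uint32_t)get16(p + 2) << 16; }
static uint64_t get64(const uint8_t *p) { return get32(p) | (uint64_t)get32(p + 4) << 32; }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
static void put64(uint8_t *p, uint64_t v) { put32(p, (uint32_t)v); put32(p + 4, (uint32_t)(v >> 32)); }

/* Locate a named section; every offset read from the file is checked against
 * the image size. Returns 1 with *off/*size set, or 0 if the image is not
 * ELF64 LE, is truncated, or has no such section. */
int find_section(const uint8_t *elf, size_t n, const char *name, size_t *off, size_t *size)
{
    uint64_t shoff, stroff, strsize;
    uint16_t shnum, shstrndx, i;
    if (n < 64 || memcmp(elf, "\x7f" "ELF", 4) != 0 || elf[4] != 2 || elf[5] != 1)
        return 0;
    shoff = get64(elf + 40); shnum = get16(elf + 60); shstrndx = get16(elf + 62);
    if (get16(elf + 58) != 64 || shoff > n || shnum > (n - shoff) / 64 || shstrndx >= shnum)
        return 0;
    stroff = get64(elf + shoff + shstrndx * 64 + 24);
    strsize = get64(elf + shoff + shstrndx * 64 + 32);
    if (stroff > n || strsize > n - stroff)
        return 0;
    for (i = 0; i < shnum; i++) {
        const uint8_t *sh = elf + shoff + (size_t)i * 64;
        uint32_t nm = get32(sh);
        uint64_t o = get64(sh + 24), s = get64(sh + 32);
        if (nm >= strsize || !memchr(elf + stroff + nm, 0, strsize - nm) ||
            strcmp((const char *)elf + stroff + nm, name) != 0)
            continue;                           /* not this one, or unterminated name */
        if (o > n || s > n - o)
            return 0;                           /* section body outside the image */
        *off = (size_t)o; *size = (size_t)s;
        return 1;
    }
    return 0;
}

/* Walk the section payload, collecting kind-1 (Python file) names into
 * names[]. Returns the count, or -1 if an entry runs past the section end. */
int parse_gdb_scripts(const uint8_t *p, size_t n, const char **names, int max)
{
    size_t i = 0; int cnt = 0;
    while (i < n) {
        uint8_t kind = p[i++];
        const uint8_t *end = memchr(p + i, 0, n - i);
        if (!end) return -1;
        if (kind == 1 && cnt < max) names[cnt++] = (const char *)(p + i);
        i = (size_t)(end - p) + 1;
    }
    return cnt;
}

/* Scripts an ELF image would auto-load: count, 0 without the section, -1 if malformed. */
int list_gdb_scripts(const uint8_t *elf, size_t n, const char **names, int max)
{
    size_t off, size;
    if (!find_section(elf, n, ".debug_gdb_scripts", &off, &size)) return 0;
    return parse_gdb_scripts(elf + off, size, names, max);
}

/* Constructed sample: a minimal ELF64 LE image with three section headers
 * (null, .debug_gdb_scripts holding 'payload', .shstrtab). Returns its size. */
size_t build_sample_elf(uint8_t *img, const uint8_t *payload, size_t plen)
{
    static const char strtab[] = "\0.debug_gdb_scripts\0.shstrtab";   /* 30 bytes */
    size_t poff = 64, soff = poff + plen, shoff = soff + sizeof strtab;
    memset(img, 0, shoff + 3 * 64);
    memcpy(img, "\x7f" "ELF\x02\x01\x01", 7);                  /* ELF64, little-endian */
    put16(img + 16, 1); put16(img + 18, 62); put32(img + 20, 1);  /* ET_REL, x86-64 */
    put64(img + 40, shoff); put16(img + 52, 64); put16(img + 58, 64);
    put16(img + 60, 3); put16(img + 62, 2);
    memcpy(img + poff, payload, plen);
    memcpy(img + soff, strtab, sizeof strtab);
    put32(img + shoff + 64, 1);  put32(img + shoff + 68, 1);       /* SHT_PROGBITS */
    put64(img + shoff + 88, poff); put64(img + shoff + 96, plen);
    put32(img + shoff + 128, 20); put32(img + shoff + 132, 3);     /* SHT_STRTAB */
    put64(img + shoff + 152, soff); put64(img + shoff + 160, sizeof strtab);
    return shoff + 3 * 64;
}

/* Build the sample with two script entries (made-up names) and list them. */
int demo(const char **names, int max)
{
    static uint8_t img[512];
    static const uint8_t payload[] = "\x01my-app.py\0\x01" "tools/init.py";
    return list_gdb_scripts(img, build_sample_elf(img, payload, sizeof payload), names, max);
}
```

The names it returns are exactly the files gdb would look for in the current directory and on its source search path; an unexpected entry in a binary received from outside is the signal to read that script, or to debug from a directory that contains no such file, before starting gdb. Later GDB releases (7.5 and newer) added the auto-load safe-path setting to refuse scripts outside trusted directories; at the time of this report no such control existed.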

Vulnerability Sources:


Vulnerability Report #2B: Intel VT-d MSI Traps Injection Using PCI Passthrough Privilege Escalation Vulnerability

Vulnerable Product: Installations of Xen with versions 4.1.2 and prior.

CVE ID: CVE-2011-1898

CVSS v2 Score:
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: SINGLE

Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Base Score: 6.6

Exploitability: UNPROVEN
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score: 4.9

Details:
Xen, a Virtual Machine Monitor (VMM), contains a vulnerability which an attacker who controls a guest virtual machine could leverage to gain elevated privileges on the host.

The hypervisor does not prevent a guest that owns a passed-through PCI device from using that device's DMA to write to the processor's MSI address range (the local APIC window at 0xFEExxxxx). Without interrupt remapping the chipset delivers such writes as Message Signaled Interrupts (MSIs) carrying whatever vector the guest chose, so the guest can inject arbitrary interrupts and traps into the hypervisor and, from there, gain privileged access to the host system.

Platforms that use PCI passthrough to give guest virtual machines direct access to PCI devices, and that have the Interrupt Remapping feature either disabled or unsupported, are exposed to this vulnerability.

An authenticated attacker who is able to run a virtual machine that has been given access to such a PCI device could exploit this vulnerability. Newer Intel chipsets support Interrupt Remapping, and with it enabled the IOMMU validates the source and vector of each MSI, so those platforms are not affected. A large installed base of older hardware lacks the feature, which is what makes this vulnerability critical.

The vendor, Xen, has confirmed this vulnerability and provided official patches to mitigate it. Users should note that with the patches applied the attacker can still cause a denial of service condition on the targeted system; the only complete remedy is to enable the Interrupt Remapping feature or to upgrade to a hardware platform that supports it.

Vulnerability Sources:

Generic Sources:

Sunday, November 20, 2011

Vulnerable Weekends #1

Introduction:
Last week Mozilla raised the major version number of its popular web browser, Firefox, to 8.0. Hardly a few days after Firefox 8.0 became publicly available, reports of a denial of service (DoS) vulnerability affecting it and prior releases started to make news. I have tried to analyze this vulnerability, and #1A is the report for it.

Report #1B covers another interesting update: a remote code execution (RCE) vulnerability confirmed in ProFTPD.

Vulnerability Report #1A: Mozilla Firefox OnStartRequest() Function XPCOM Object Processing Denial of Service Vulnerability

Vulnerable Product: Installations of Mozilla Firefox with versions 8.0 and prior.

CVE ID: Not available

CVSS v2 Score:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Base Score: 4.3

Exploitability: PROOF-OF-CONCEPT
Remediation Level: UNAVAILABLE
Report Confidence: UNCORROBORATED
Temporal Score: 3.7

Details:
Mozilla Firefox, the popular open source web browser, reportedly contains a vulnerability which an attacker could leverage to cause a denial of service (DoS) condition on the targeted system.

The browser performs insufficient validation of input encountered while processing crafted web pages.

Online reports place the vulnerability in the OnStartRequest() function defined in the nsObjectLoadingContent.cpp source file of the affected software. The function compares a Cross Platform Component Object Model (XPCOM) object against a NULL value received as input without guarding against that case; the comparison causes NS_BINDING_ABORTED to be returned to the caller, after which the browser terminates abnormally.

An attacker who can lure a targeted user into visiting a malicious web page that carries crafted input for the vulnerable function, or who can persuade the user to open such a page received as an e-mail attachment, could trigger this vulnerability. When the browser processes the crafted page the flaw described above is triggered, leading to the DoS condition on the targeted system.

Proof-of-concept (PoC) code demonstrating the vulnerability and the impact of a successful exploit attempt has been made available on public sources such as Exploit-DB.

The vendor, Mozilla, has not yet confirmed this vulnerability, and as such there are no official patches or updates available for it. Users are requested to get in touch with the vendor's support services to obtain updates for their installations.

Vulnerability Sources:


Vulnerability Report #1B: ProFTPd pr_cmd_dispatch_phase() Function Response Code Handling Arbitrary Code Execution Vulnerability

Vulnerable Product: Installations of ProFTPD with versions 1.3.3f and prior (fixed in 1.3.3g)

CVE ID: CVE-2011-4130

CVSS v2 Score:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE

Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Base Score: 9.0

Exploitability: UNPROVEN
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score: 6.7

Details:
ProFTPD, the popular FTP daemon, reportedly contains a vulnerability which an attacker could leverage to execute arbitrary code on the targeted system.

The daemon mismanages the memory pool used for client responses. Before dispatching a command to a module, it saves the current response pool pointer (resp_pool) and points it at the command's pool; on the normal return path the saved pointer is put back. If the module's handler exits through the exceptional path instead, the saved pointer is never restored, so resp_pool keeps referring to a pool that is subsequently freed. The next response is then built from freed memory, a use-after-free that an attacker can turn into controlled memory corruption.

Online reports place the flaw in the pr_cmd_dispatch_phase() function defined in the main.c source file, the function that hands commands to the registered ProFTPD modules and performs the save and restore described above.

An attacker who has completed the authentication phase (any valid account) could trigger this vulnerability by provoking the exceptional path in a command handler. When the daemon then builds its response from the stale pool, the resulting corruption could allow arbitrary code execution on the targeted system with the privileges of the daemon.

The vendor, ProFTPD.org, has confirmed this vulnerability and provided official updates to mitigate it. Users are requested to apply the latest updates to their vulnerable installations immediately.
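The save and restore described above, as an added example that is not ProFTPD's code: a miniature dispatcher that points resp_pool at the command's pool, calls a handler, and restores the previous pool either only on the normal path (the flaw) or on the error path as well (the fix). Pools are entries in a small table with a liveness flag, so using a freed pool is detected rather than performed; the handler's exceptional exit is modelled with longjmp, which is this example's device and not how ProFTPD implements its error path. Every name except resp_pool and pr_cmd_dispatch_phase is this example's own.

```c
/* Added example, not ProFTPD code. It models the bookkeeping described
 * above: the dispatcher points resp_pool at the command's pool before
 * calling a module handler and must put the previous pool back afterwards.
 * Pools are entries in a small table with a liveness flag, so a use of a
 * freed pool is detected rather than performed; a handler's exceptional
 * exit is modelled with longjmp. Both are this example's devices, as are
 * all names other than resp_pool and pr_cmd_dispatch_phase. */
#include <setjmp.h>
#include <stdio.h>
#include <string.h>

typedef struct { int alive; char name[16]; } pool_t;
static pool_t pools[4];               /* pools[0] is the long-lived session pool */
static pool_t *resp_pool;             /* pool the next response is built from */
static jmp_buf error_env;

static pool_t *make_pool(int slot, const char *name)
{
    pools[slot].alive = 1;
    strncpy(pools[slot].name, name, sizeof pools[slot].name - 1);
    pools[slot].name[sizeof pools[slot].name - 1] = '\0';
    return &pools[slot];
}

static void destroy_pool(pool_t *p) { p->alive = 0; }

/* Two module handlers: one returns normally, one bails out through the
 * dispatcher's error exit part-way through. */
static int ok_handler(void) { return 0; }
static int failing_handler(void) { longjmp(error_env, 1); return -1; }

/* pr_cmd_dispatch_phase() in miniature. With restore_on_error == 0 the saved
 * pool is only put back on the normal return path, which is the flaw; with 1
 * the error exit restores it too. Returns 0 normally, -1 after an error. */
int dispatch(int (*handler)(void), int restore_on_error)
{
    pool_t *saved = resp_pool;
    pool_t *cmd_pool = make_pool(1, "cmd");
    volatile int rc = 0;

    resp_pool = cmd_pool;                 /* responses go into the command's pool */
    if (setjmp(error_env) == 0) {
        rc = handler();
        resp_pool = saved;                /* normal path: previous pool restored */
    } else {
        rc = -1;
        if (restore_on_error)
            resp_pool = saved;            /* fixed: restored on the error path too */
    }
    destroy_pool(cmd_pool);               /* the command's pool dies either way */
    return rc;
}

/* Build the next reply from resp_pool. Returns -1 if that pool is already
 * gone, i.e. the caller is about to write into freed memory. */
int send_response(const char *msg)
{
    if (!resp_pool || !resp_pool->alive)
        return -1;
    printf("[%s] %s\n", resp_pool->name, msg);
    return 0;
}

/* Session: one command whose handler fails, then the error reply. Returns
 * send_response()'s result: -1 for the flawed dispatcher, 0 for the fixed one. */
int session(int restore_on_error)
{
    resp_pool = make_pool(0, "session");
    dispatch(failing_handler, restore_on_error);
    return send_response("500 command failed");
}

int main(void)
{
    printf("flawed dispatcher: %d, fixed dispatcher: %d\n", session(0), session(1));
    return 0;
}
```

session(0) shows the flaw: after the handler's exceptional exit the reply is built from the command's pool, which has already been destroyed. session(1) restores the previous pool on that path as well, so the reply lands in the still-live session pool. The real daemon allocates responses from the stale pool rather than checking a flag, which is why the bug is a use-after-free rather than a clean error.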

Vulnerability Sources:

Generic Sources:

Wednesday, November 16, 2011

Vulnerable Weekends - Introduction

Starting this week, I will be posting regular updates on the latest vulnerability reports submitted in the wild. Using this blog, I will try to analyse and post updates for around one or two vulnerability reports each weekend, prioritizing those that carry the highest security risk.

Vulnerability analysis and reporting has many facets, most of which are very well documented online. As such, I mostly aim to cover the most important information in the vulnerability reports published here, and I will include the necessary references wherever applicable.

Readers are kindly requested to leave their comments. Whether you like or dislike the analysis, want me to change the report format, or need additional details, let me know via the comments section or reach out by mail.

Have a secure weekend!

Tuesday, October 18, 2011

GPG Key

Use the fingerprint below to verify my GPG public key, which can be obtained from the following link:

Key fingerprint:
AF83 AF3D 9F76 8303 7F0C C9F6 C7F0 58C4 E073 8139

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC7F058C4E0738139

If you have any concerns regarding the content included on this blog, or you just want to reach out, shoot a signed mail. If anything is confidential, use the above key to encrypt it. Just make sure to include the signature. I will try to reply at the earliest.