Re: [Full-disclosure] Forticlient VPN client credential interception vulnerability

2013-05-01 Thread Thierry Zoller



You've got to be kidding me...


FORTICLIENT VPN CLIENT CREDENTIAL INTERCEPTION VULNERABILITY



When the FortiClient VPN client is tricked into connecting to a proxy
server rather than to the original firewall (e.g. through ARP or DNS
spoofing), it detects the wrong SSL certificate but it only warns the
user _AFTER_ it has already sent the password to the proxy.




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
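The ordering bug described above, as an added example (this is not FortiClient code and not from the advisory): a client that lets the TLS handshake fail on a certificate or host name mismatch before any credential leaves the machine, next to the flawed order of operations. The login protocol ("user:password\n" over TLS), host name, port, CA file and pinned fingerprint are assumptions for illustration.

```python
"""Added example: authenticate the SERVER before sending any credential.
The hypothetical VPN login endpoint accepts "user:password\\n" over TLS;
host, port, CA file and fingerprint are placeholders."""
import hashlib
import socket
import ssl


def strict_context(ca_file=None):
    """TLS context that refuses to complete the handshake unless the server
    certificate chains to a trusted CA and matches the host name.  With this
    context a spoofed proxy (ARP/DNS) never gets past wrap_socket(), so the
    application layer never gets the chance to send the password to it."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # assumption: no legacy peers
    return ctx


def cert_fingerprint(der_cert):
    """SHA-256 over the DER certificate, for an optional pin on top of CA
    validation (pinning the SubjectPublicKeyInfo instead survives renewals)."""
    return hashlib.sha256(der_cert).hexdigest()


def login_secure(host, port, user, password, expected_fp=None, ca_file=None):
    ctx = strict_context(ca_file)
    with socket.create_connection((host, port)) as raw:
        # Chain and host name validation happen inside wrap_socket(); on a
        # mismatch it raises and the sendall() below is never reached.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if expected_fp is not None:
                fp = cert_fingerprint(tls.getpeercert(binary_form=True))
                if fp != expected_fp:
                    raise ssl.SSLError("certificate pin mismatch: %s" % fp)
            tls.sendall(("%s:%s\n" % (user, password)).encode())
            return tls.recv(4096)


def login_insecure(host, port, user, password):
    """The anti-pattern the advisory describes, kept only as a contrast:
    connect without verification, send the credential, and only THEN look at
    the certificate.  By the time a warning could be shown, the password is
    already in the proxy's hands."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw) as tls:
            tls.sendall(("%s:%s\n" % (user, password)).encode())   # too early
            cert = tls.getpeercert(binary_form=True)               # too late
            return cert_fingerprint(cert)
```

The check a practitioner wants is the one in strict_context(): verification is a property of the handshake, not a warning bolted on after the credential has been transmitted.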


Re: [Full-disclosure] [Security-news] SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities

2012-12-19 Thread Thierry Zoller

After reading through such an extensive credit list in the form of
"Reported by", "Fixed by", "Coordinated by", one wonders when we'll see
the "Introduced by" in the Drupal patch announcements?

http://blog.zoller.lu

>  REPORTED BY
> --
>  FIXED BY
> --
>  COORDINATED BY
> --




[Full-disclosure] GOOD for Enterprise (GMA) below 2.0.2 vulnerable to MITM

2012-11-13 Thread Thierry Zoller

RANT

The world of mobile applications appears to have become one where
vulnerability disclosure and awareness are not necessary. Until there
are fully automated updates and refusal of service for outdated
applications I see the need for disclosure.

Who will start monitoring "Appstore" updates for signs of vulnerabilities?

Note to vulnerability researchers: GMA appears to be a nice fuzzing target
and in general for browser security assessments (see below for rationale).

Description
---
GMA is known as "Good™ Mobile Access" and part of "Good for Enterprise"
"The secure browser is integrated into the Good for Enterprise application, 
delivering a safe,
intelligent user experience. Employees can launch Good’s browser directly from 
the Good launcher bar,
as well as through links included in emails. Links to public websites will 
automatically launch
the native browser."

Title : GOOD for Enterprise GMA below 2.0.2 vulnerable to MITM
URL : http://www-staging.good.com/products/good-mobile-access.php
Root Cause: GMA failed to validate server authenticity when connecting through 
HTTPS

I  spotted  what  appears  to  be  an  undisclosed vulnerability in an
enterprise mobile device management system.

https://itunes.apple.com/us/app/good-for-enterprise/id333202351?mt=8

Excerpt from above :

What's New in Version 2.0.2
This release addresses the following
[..]- GMA now validates server authenticity when connecting through HTTPS.
[..]

This would imply that GMA was vulnerable to MITM prior to version 2.0.2

Disclosure Timeline :
=
- GOOD disclosed over iTunes on the 02.08.2012

-- 
http://blog.zoller.lu
Thierry Zoller



[Full-disclosure] TLS/SSL Compatibility Report 2011

2011-09-22 Thread Thierry Zoller

Hey,
I thought it would be worthwhile to let you know about my recent
updates to the "TLS/SSL Compatibility Report", a document that tries to
give a complete overview of what TLS/SSL protocols and what ciphers
are available on different platforms and browsers.

The 2011 version was updated notably with the following items :

* Chrome moved away from SCHANNEL to NSS, offering better
crypto on lower end systems (XP, 2003), losing however the
TLS 1.1 and TLS 1.2 capability of the latest Microsoft Operating
Systems.

Especially with the release of the BEAST we might want to know what
platforms actually support TLS 1.1 (or 1.2).

The blog post and document is available here:
http://blog.g-sec.lu/2011/09/ssltls-hardening-and-compatibility.html

Should you be aware of any missing or wrong information, drop me a
mail.

Regards,
Thierry

-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] Binary Planting Goes "Any File Type"

2011-07-10 Thread Thierry Zoller

10 year old bug classes are indeed fun to read, though the fun might
be directed at someone as opposed to something.

Even giving it a cool name doesn't make that one a new weakness.

-- 
http://blog.zoller.lu
Thierry Zoller




[Full-disclosure] ISS Proventia Desktop

2010-08-09 Thread Thierry Zoller

Hi FD,

I'd need help confirming a specific vulnerability. If you happen to
have ISS Proventia Desktop installed, please get in touch with me. You
don't need to expose anything - I will provide more information.


Regards,
Thierry





Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Thierry Zoller
Hi Roland,

Was not aware of the acronym - "BCP" is generally used for "Business
continuity plan" in the industry.



DR> On Jul 2, 2010, at 5:59 PM, Thierry Zoller wrote:

>> There it is again, BCP. Is this the new "IDS" ?


DR> BCP = Best Current Practice = iACLs, CoPP, et. al.

DR> ---
DR> Roland Dobbins  // <http://www.arbornetworks.com>

DR> Injustice is relatively easy to bear; what stings is justice.

DR> -- H.L. Mencken







-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Thierry Zoller


Slippery Slopes everywhere :

DR> Again, causing the RP CPU to go to 100% due to punted
DR> management-plane traffic isn't a new phenomenon
1. Nobody claimed it to be a new phenomenon
2. He is not saturating anything.

DR> Of course PSIRT will ask for details, as they should; my point is
DR> that there's likely nothing new to see here,
Oh, that's the point now? I thought your point was that it is not a security
"bug". I agree on the "nothing new" here; "new" however is not a relevant
attribute to decide on whether it is a vulnerability or not.

DR> Even if there is something new, here - which I doubt - it's
DR> important that folks understand that there are BCPs they can
We heard your BCPs and XYZ clearly; it doesn't make it less of a
vulnerability.

DR> The original poster asked if this were a configuration issue -
DR> and the answer is, yes
Interesting, how do you know?
1. you do not know what caused the problem
2. you obviously do not know what packets caused the problems

If it is a default configuration and you can remotely cause a
denial of service condition: it is a vulnerability.

If it is a non standard configuration and you can remotely cause a
denial of service condition: it is a vulnerability.

DR> vulnerabilities - as opposed to merely saturating the RP of a
DR> given network device with management-plane traffic.  Some of them
Last time: he appears to not be saturating anything. nmap -sV does
surely not create saturation...

DR> And many of them could be mitigated via BCPs until such time as
DR> fixed code could be deployed, as well.
There it is again, BCP. Is this the new "IDS" ?





Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Thierry Zoller



>> Those bugs might not be security-relevant, but they can be very annoying
>> nevertheless.
Three letters, C I A - guess what property can be remotely triggered.
There is no discussion whether this is "security-relevant".






Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Thierry Zoller
Hi Roland,

>o - what he's found is a network in which common infrastructure self-protection
> BCPs haven't been deployed, that's all.

Please pass those standing in line at the Bullshit Bingo counter and
get in first place. How much does your "remote viewing" capability
cost per day?

If a device crashes when being scanned - it's a vulnerability.

Bye

-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Thierry Zoller
Hi Shang,

If this is possible you have found a vulnerability. Any way to
remotely cause DoS with special or harmless code is per se a
vulnerability.

Instead of telling somebody to not scan with -sV you are better off
reporting the vulnerability (ies)

Regards,
Thierry

coc> During my training classes I always tell the -sV switch is
coc> dangerous and known to (sometimes) crash the target.  

coc> Usually a better tool to test open udp ports is unicornscan, but
coc> that doesn't have a switch like -iL. Since you are testing your
coc> own devices and you know the community string, you could consider
coc> looping through the list of IPs and snmpget a value from the MIB.

coc> Cor

coc> sent from a mobile device 


coc> Origineel bericht
coc> Van: Shang Tsung
coc> Verzonden:  30-06-2010 13:03:32
coc> Onderw.:  Should nmap cause a DoS on cisco routers?

coc> Hello,

coc> Some days ago, I had the task to discover the SNMP version that our 
coc> servers and networking devices use. So I run nmap using the following 
coc> command:

coc> nmap -sU -sV -p 161-162 -iL target_file.txt

coc> This command was supposed to use UDP to probe ports 161 and 162, which
coc> are used for SNMP and SNMP Trap respectively, and return the SNMP 
coc> version.

coc> This "innocent" command caused most networking devices to crash and 
coc> reboot, causing a Denial of Service attack and bringing down the 
coc> network.

coc> Now my question is.. Should this had happened? Can nmap bring the whole
coc> network down from one single machine?

coc> Is this a configuration error of the networking devices?

coc> This is scary...

coc> Shang Tsung












-- 
http://blog.zoller.lu
Thierry Zoller




[Full-disclosure] Security contact Bluecoat

2010-05-07 Thread Thierry Zoller

Dear List,

Anybody aware of the security contact for Bluecoat?
secure@ bounces.

-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] Vuln Disclosure summarized (TTBOMA)

2010-04-29 Thread Thierry Zoller

Hello,

You're missing legislative circumstances in your thoughts:

>- Releasing at a conference => Probable court time.
Under what legislation would that potentially be the case ?

>- Keeping it to yourself => Working under the assumption that you're the
>only one that has found that same bug is still semi relevant due to
>the incredibly small size of the exploit dev community. However, as
>Dave said, they'll be toasting to their sleeping dead 0days some day.
Under the jurisdiction I personally am under I am responsible if I
DON'T disclose vulnerabilities (to the vendor) - this includes
potential damages should the vulnerability be used. This is the law
over here if you have the PSF statute.


-- 
http://blog.zoller.lu
Thierry Zoller




[Full-disclosure] TLS/SSL Hardening & Compatibility Report 2010

2010-02-18 Thread Thierry Zoller
Dear List,

At last. What started as an "I need an overview of best practice in
SSL/TLS configuration" type of idea ended in a 3 month code, reverse
engineering and writing effort. I really hope this comes in handy for you
and was worth the effort. This is the "Release candidate" version of
the paper; should no errors be found it will be the final version.

This paper aims at answering the following questions :

* What SSL/TLS configuration is state of the art and considered secure 
(enough) for the next years?
* What SSL/TLS ciphers do modern browsers support ?
* What SSL/TLS settings do server and common SSL providers support ? 
* What are the cipher suites offering most compatibility and security ?
* Should we really disable SSLv2 ? What about legacy browsers ?
* How long does RSA still stand a chance ?
* What are the recommended hashes,ciphers for the next years to come

The paper includes two tools :

* SSL Audit (alpha) :
SSL scanner scanning remote hosts for SSL/TLS support (Video)
* Harden SSL/TLS (beta) :
Windows server and client SSL/TLS hardening tool (Video)

Without further ado here is the complete package
http://blog.g-sec.lu/2010/02/new-paper-ssltls-hardening-and.html

Other Tools and Papers - http://www.g-sec.lu/products.html

PS: In order to know whether this type of publication is useful
to some and whether I should spend time on such publications in
the future, I would appreciate a heads-up if you find this to
be interesting. Thierry

Regards,
Thierry ZOLLER




[Full-disclosure] Harden TLS/SSL - Tool release

2010-02-17 Thread Thierry Zoller


TOOL: Harden SSL/TLS beta
OS: Windows (2000,XP,Seven,2003,2008,2008R2)
Requirement : .NET Framework 2.0
Author : Thierry Zoller for G-SEC Ltd.


Developed as part of G-SEC's investigation into the
"Secure SSL/TLS configuration Report 2010" (to be
published) we developed this little tool.

"Harden SSL/TLS" hardens the default SSL/TLS settings of
Windows 2000,2003,2008,2008R2, XP,Vista,7. It allows you to
remotely set SSL/TLS policies allowing or denying certain
ciphers/hashes or complete ciphersuites.

It took longer than I expected to create this tool; Windows
7 really strengthened the cryptosuites and introduced a new
way Windows handles SCHANNEL policies and required quite
some re-engineering. For instance, I had to create a mini
state engine just for the preferred cipher list.

Harden SSL/TLS allows setting policies with regards
to what ciphers and protocols are available to applications
that use SCHANNEL crypto interface. A lot of windows
applications do use this interface, for instance IIS, Google
Chrome as well as Apple Safari and many more.

By changing the settings you can indirectly control
what ciphers and protocols these applications are
allowed to use and stay compliant to whatever policies
you use.

Note: unfortunately neither chrome nor safari make use
of the new TLS 1.2 protocol that Windows 7 introduced
(hint hint). They both use SCHANNEL and just need to
add a parameter to the SCHANNEL initialization in
order to support it. (Let's see who is first)

It allows you to allow or deny:
·  Hashes
·  Keyexchange algorithms
·  Protocols
·  Ciphers & Ciphersuites
·  Priority of preferred Ciphersuites

Advanced mode
· Re-enable ECC P521 mode on Windows7 and 2008R2
  (P521 mode was available on Vista and 2008 but removed in
  Windows7 and 2008R2)
· Enable TLS 1.2 support on IIS 7.5 (off by default)
· Set TLS Cache size and timeout

Download and Information:
http://blog.g-sec.lu/2010/02/harden-ssltls-tool-release.html

Documentation :
http://www.g-sec.lu/sslharden/documentation.pdf

Video :
http://www.g-sec.lu/sslharden/harde_ssl.swf



-- 
http://www.g-sec.lu
Thierry Zoller




[Full-disclosure] Announce - SSL Audit (alpha) [G-SEC Ltd.]

2010-02-10 Thread Thierry Zoller

Developed as part of G-SEC's investigation for the
"Secure SSL/TLS configuration Report 2010" (to be published)
we developed this little tool called SSL Audit.

It is in alpha stage and though it has a little interesting
gimmick, don't expect too much.

It implements its own tiny SSL parsing engine and does not rely on
OpenSSL or any other SSL engine - this implies that it can detect
cipher suites not supported by OpenSSL and others.

Apart from scanning available ciphersuites it has an interesting tidbit
The Fingerprint mode (Experimental). Included is an experimental
fingerprint engine that tries to determine the SSL Engine used server
side. It does so by sending normal and malformed SSL packets that can
be interpreted in different ways.

SSL Audit is able to fingerprint :
· IIS7.5 (Schannel)
· IIS7.0 (Schannel)
· IIS 6.0 (Schannel)
· Apache (Openssl)
· Apache (NSS)
· Certicom
· RSA BSAFE

Blog Post :
http://blog.g-sec.lu/2010/02/ssltls-audit-alpha-tool-release.html

Documentation:
http://www.g-sec.lu/sslaudit/documentation.pdf

Regards,
Thierry Zoller
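An added example, not SSL Audit's or G-SEC's code, of the idea behind an OpenSSL-independent scanner, and of how the "which suites does this endpoint accept" question from the compatibility report above can be answered per suite: a hand-built TLS 1.0 ClientHello offering exactly the cipher suites you pass, and a parser for the ServerHello or Alert that comes back. The sample ServerHello and Alert bytes are constructed for offline use; probe() is the live variant and assumes a reachable host and port.

```python
"""Added example: minimal OpenSSL-free TLS cipher-suite probe.
Offering one suite per connection tells you whether the server accepts it,
independent of what the local crypto library supports."""
import os
import socket
import struct

TLS10 = b"\x03\x01"
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 1, 2


def build_client_hello(suites, version=TLS10, client_random=None):
    """TLS record carrying a ClientHello that offers only `suites` (16-bit
    IANA ids, e.g. 0x002f = TLS_RSA_WITH_AES_128_CBC_SHA).  No extensions,
    empty session id, null compression only."""
    client_random = client_random or os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    hello = (version + client_random
             + b"\x00"                                    # session id length 0
             + struct.pack("!H", len(suite_bytes)) + suite_bytes
             + b"\x01\x00")                               # compression: null
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(handshake)) + handshake


def offered_suites(client_hello):
    """Read the suite list back out of a ClientHello built above."""
    body = client_hello[5 + 4:]             # skip record and handshake headers
    pos = 35 + body[34]                     # version(2)+random(32)+sid_len(1)+sid
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    return [struct.unpack("!H", body[i:i + 2])[0]
            for i in range(pos + 2, pos + 2 + n, 2)]


def parse_server_reply(data):
    """Classify the first record: ('server_hello', version, suite) when the
    server accepted one of our suites, ('alert', level, description) when it
    refused (40 = handshake_failure, 70 = protocol_version)."""
    if len(data) < 5:
        raise ValueError("short record")
    ctype = data[0]
    rlen = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rlen]
    if ctype == ALERT and len(rec) >= 2:
        return ("alert", rec[0], rec[1])
    if ctype != HANDSHAKE or not rec or rec[0] != SERVER_HELLO:
        raise ValueError("unexpected record type %#x" % ctype)
    hlen = int.from_bytes(rec[1:4], "big")
    body = rec[4:4 + hlen]
    sid_len = body[34]
    suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
    return ("server_hello", body[0:2], suite)


def probe(host, port, suite, timeout=5.0):
    """Live check: does this server accept exactly `suite`?  Servers that
    insist on SNI may answer with an alert or simply close the connection."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(build_client_hello([suite]))
        return parse_server_reply(s.recv(4096))


# Constructed replies for offline use: a ServerHello choosing 0x002f with an
# all-zero random, and a fatal (2) handshake_failure (40) alert.
SAMPLE_SERVER_HELLO = (b"\x16\x03\x01\x00\x2a"
                       + b"\x02\x00\x00\x26" + TLS10 + b"\x00" * 32
                       + b"\x00" + b"\x00\x2f" + b"\x00")
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"
```

Looping probe() over the IANA suite list gives the server-side half of the compatibility matrix; the fingerprinting trick the post describes (sending malformed records and comparing how each stack reacts) builds on the same parser, since the alert level and description returned per malformation differ between SCHANNEL, OpenSSL and NSS.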






Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-06 Thread Thierry Zoller
Hi Paul,

Facts :
- Several distributions run with vulnerable settings per default;
  if there is a "misconfiguration" it is part of the vendor.
- You're not supposed to be able to traverse dirs.

Consequently it is a vulnerability; whether you can mitigate it is
a different piece of cake.

Next time somebody creates an IE8 0day that relies on javascript,
will you scream "misconfiguration!"? Of course you could disable
javascript but is it enabled by default? Yes.

The question for smb is who does restrict this setting?
My tests reveal - not many.

Congrats Kingcope, nice bug. Directory traversal in a major daemon in
2010.

Regards,
Thierry


pssea> Dear Kingcope,

pssea> The samba server follows symlinks by default. There are options
pssea> ("follow symlinks", "wide links") for turning it off:

pssea> 
http://www.samba.org/samba/docs/using_samba/ch08.html#samba2-CHP-8-SECT-1.2
pssea> 
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#FOLLOWSYMLINKS
pssea> http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#WIDELINKS

pssea> The "problem" at your installation seems to be a misconfiguration of
pssea> your server: please ask the admin to set "secure" options.
pssea> (Some samba installations, like mine, wish to allow same access as a
pssea> UNIX login would allow. Some shares like [home] are provided for ease
pssea> of use, users are encouraged to create symlinks to other "interesting"
pssea> places e.g. NFS-mounted directories.)

pssea> Cheers, Paul

pssea> Paul Szabo   p...@maths.usyd.edu.au  
pssea> http://www.maths.usyd.edu.au/u/psz/
pssea> School of Mathematics and Statistics   University of SydneyAustralia




-- 
http://blog.zoller.lu
Thierry Zoller
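The "who does restrict this setting?" question above, as an added example (not Samba's code and not part of the thread): a checker that reads an smb.conf and flags shares whose effective "follow symlinks" and "wide links" settings let a client follow a symlink out of the share tree, the condition the symlink traversal needs. The sample smb.conf is constructed. Defaults are taken from smb.conf(5) for the Samba 3.x releases of the time: "follow symlinks = yes", "unix extensions = yes", and "wide links = yes" (the assumption modelled here is the pre-fix default; later releases default "wide links" to no and refuse to combine it with unix extensions).

```python
"""Added example: flag smb.conf shares that follow symlinks outside the
share.  Sample configuration below is constructed for the demo."""
import configparser

SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   unix extensions = yes

[homes]
   path = /home/%S
   writeable = yes

[public]
   path = /srv/public
   wide links = no
   follow symlinks = no

[tmp]
   path = /tmp
   writeable = yes
   wide links = yes
"""

# Built-in defaults assumed for an unpatched 3.x server (see lead-in).
BOOL_DEFAULTS = {"follow symlinks": True, "unix extensions": True,
                 "wide links": True, "writeable": False, "writable": False}


def _parse(text):
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   inline_comment_prefixes=(";", "#"))
    cp.optionxform = str.lower              # smb.conf keys are case-insensitive
    cp.read_string(text)
    return cp


def _bool(cp, share, key):
    """Share-level value wins, then [global], then the built-in default."""
    for section in (share, "global"):
        if cp.has_option(section, key):
            return cp.get(section, key).strip().lower() in ("yes", "true", "1")
    return BOOL_DEFAULTS[key]


def unsafe_shares(conf_text):
    """Return [(share, reason)] for shares on which a symlink pointing
    outside the share tree will be followed.  'wide links = no' (or
    'follow symlinks = no') on the share or in [global] is the fix."""
    cp = _parse(conf_text)
    unix_ext = _bool(cp, "global", "unix extensions")
    findings = []
    for share in cp.sections():
        if share == "global":
            continue
        if not (_bool(cp, share, "follow symlinks") and _bool(cp, share, "wide links")):
            continue
        reason = "follows symlinks outside the share"
        writable = _bool(cp, share, "writeable") or _bool(cp, share, "writable")
        if unix_ext and writable:
            # With unix extensions a client can create the symlink itself
            # over SMB, so no pre-existing link is needed.
            reason += "; writable with unix extensions, client can plant the link"
        findings.append((share, reason))
    return findings
```

Run it against the real /etc/samba/smb.conf to answer the question for your own estate; every share it reports inherits the unsafe default rather than having been hardened by the admin.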




Re: [Full-disclosure] Samba Remote Zero-Day Exploit

2010-02-06 Thread Thierry Zoller

http://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.html

-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] iAWACS 2010 : Rules of the PWN2KILL contest

2010-01-11 Thread Thierry Zoller
> distributed.

AD> Any participant is free to communicate later on about his test/code/attack
AD> performed during the contest. In this case, iAWACS organizers are not
AD> responsible for that communication.




-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] TLS / SSLv3 vulnerability explained (New ways to leverage the vulnerability)

2009-12-11 Thread Thierry Zoller

BID 36935
ERRATA:  The  previous trace POC was renamed to 36935-3.c on securityfocus
and had a small error in it. It is now fixed and available here. I'd like
to ask repositories to update.

File available here:
http://www.g-sec.lu/ssl-trace-poc.c

Original Paper: http://www.g-sec.lu/practicaltls.pdf


Regards,
Thierry Zoller




[Full-disclosure] TLS / SSLv3 vulnerability explained (New ways to leverage the vulnerability)

2009-11-30 Thread Thierry Zoller

Dear List,

I updated the whitepaper with a lot of new information, some
leveraging the vulnerability in other ways that certainly increase
the effectiveness and impact of this vulnerability.

A brief warning to those that think they are safe because they
don't accept client-side renegotiations (server + openssl). I
came across major websites where the SSL load balancer in front of the HTTPS
servers was vulnerable. Although the servers were patched it still was
possible to perform the attacks (the load balancer merged both
sessions and handed them as one to the webserver).

Updates :

- Added a simple s_client testcase
- Analysis of FTPS (vendors are encouraged to assess)
- HTTPS : Injecting arbitrary _responses_ into the stream
- HTTPS : Downgrading HTTPS to HTTP and performing an active MITM
  (Discovered by Frank Heidt but details withheld,
  rediscovered by Thierry Zoller for this paper)

With this new information G-SEC encourages Vendors  and  customers
to reevaluate the impact of this vulnerability on their products.

Brief explanations :

HTTPS : Injecting arbitrary _responses_ into the stream
---
The attacker injects a TRACE command; by doing so the attacker can
indirectly control the content that is sent from the server to the
victim over HTTPS.

Downgrading HTTPS to HTTP and performing an active mitm
---
This attack leverages the known SSLStrip attack to also work on
established SSL connections. SSLstrip had the limitation that it
required a user to access over HTTP in order to rewrite the HTML code
to perform active MITM. This attack over the TLS renegotiation
vulnerability now allows (if certain conditions are met) downgrading
EXISTING SSL connections to perform an SSLstrip attack.


Proof of concept files
^^
G-SEC provides 2 proof of concept files  :
- ssl-trace.c : using TRACE to inject (partially) arbitrary content
  into the encrypted stream
- ssl-302.c : Injecting a GET command to a 302 page redirecting the
  client to HTTP

Whitepaper : 
http://blog.g-sec.lu/2009/11/tls-sslv3-renegotiation-vulnerability.html
POC files : http://www.g-sec.lu/tls-ssl-proof-of-concept.html



---


This paper explains the vulnerability for a broader audience and
summarizes the information that is currently available. The document
is prone to updates and is believed to be accurate by the time of
writing.

Post:
http://blog.g-sec.lu/2009/11/tls-sslv3-renegotiation-vulnerability.html

Direct Download
http://clicky.me/tlsvuln

Disclaimer
Information is believed to be accurate by the time of writing.
As this vulnerability has complex implications this document
is prone to revisions in the future.


Thierry ZOLLER - G-SEC
http://www.g-sec.lu
Principal Security Consultant
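The two techniques above (TRACE echo and the 302 downgrade) as an added example. G-SEC's proof-of-concept files are C programs that speak TLS; this is a simplified, self-contained Python model of the application-layer effect, not their code. It shows why the renegotiation flaw matters to HTTP: an unpatched server (or a load balancer that splices the two sessions) concatenates the attacker's plaintext sent before renegotiation with the victim's plaintext sent after it, so the first request it parses is the attacker's, with the victim's headers appended. The host name, paths and cookie value are constructed.

```python
"""Added example: HTTP-layer model of TLS renegotiation prefix injection.
All hosts, paths and cookie values are constructed for the demo."""

# Attacker plaintext, sent in the attacker's own TLS session before the
# renegotiation.  The unterminated X-Ignore header swallows the victim's
# request line so the victim's headers attach to the attacker's request.
ATTACKER_TRACE_PREFIX = (
    b"TRACE / HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Ignore: "                      # deliberately no CRLF
)
ATTACKER_302_PREFIX = (
    b"GET /attacker-controlled HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Ignore: "
)
# Victim plaintext, sent after the renegotiation in the victim's session.
VICTIM_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=deadbeefcafe\r\n"
    b"\r\n"
)


def merged_stream(prefix, victim):
    """What a vulnerable server sees: one continuous plaintext stream."""
    return prefix + victim


def _headers(lines):
    out = {}
    for line in lines:
        name, _, value = line.partition(b":")
        out[name.strip().lower()] = value.strip()
    return out


def parse_request(data):
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    return method, target, _headers(lines[1:]), body


def parse_response(data):
    head = data.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    return head[0], _headers(head[1:])


def origin_server(data):
    """Minimal origin with the two behaviours the paper leverages: TRACE
    enabled (echoes the request as message/http) and a page that redirects
    to plain HTTP."""
    method, target, _hdrs, _body = parse_request(data)
    if method == b"TRACE":
        return b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n" + data
    if target == b"/attacker-controlled":
        return b"HTTP/1.1 302 Found\r\nLocation: http://bank.example/\r\n\r\n"
    return b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\naccount page"


def run_trace_attack():
    """Response the VICTIM receives over HTTPS: the attacker's TRACE echo,
    carrying the victim's own cookie and attacker-chosen content."""
    response = origin_server(merged_stream(ATTACKER_TRACE_PREFIX, VICTIM_REQUEST))
    status, _ = parse_response(response)
    return status, b"session=deadbeefcafe" in response


def run_302_attack():
    """Response the VICTIM receives: a redirect to http://, which is where
    a classic SSLstrip proxy takes over."""
    response = origin_server(merged_stream(ATTACKER_302_PREFIX, VICTIM_REQUEST))
    status, hdrs = parse_response(response)
    return status, hdrs.get(b"location")
```

Note what the model makes visible: the attacker never decrypts anything. The victim's request line ends up as the value of a header the attacker chose, and the rest of the victim's request (Cookie included) is processed as part of the attacker's request, so disabling TRACE and avoiding HTTPS-to-HTTP redirects narrows the impact but does not remove the splice itself.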





Re: [Full-disclosure] New Paper: MitM Attacks against the chipTAN comfort Online Banking System

2009-11-24 Thread Thierry Zoller
Hi,

Thank you for the information.

MITM is used rather vaguely in this paper. Are the proposed
techniques working in an MITM situation - where an attacker is in the
middle of a network stream? Say on a network over ARP cache poisoning?

The paper afaik applies to systems that are already compromised
by an attacker, i.e. where malware has been installed.

If this is the case what rights (account ACL) does the malware require
in order to perform the mentioned attacks?

This brings me to an interesting, more general discussion:
can one define malware-infected workstations and the attacks they
perform locally as MITM? Technically they inject themselves between
the client and the server, however they need to be installed prior to
being able to do so. Furthermore they have access to a lot more
information and possibilities than an attacker that is, say, in the
middle of a network connection.

For the sake of allowing proper risk assessment by technically less
trained persons one should coin a better term than classical MITM -
but maybe I am mistaken? What about MITMa (man in the machine)?

All: What's your opinion ?

http://de.wikipedia.org/wiki/Man-in-the-middle-Angriff
http://technet.microsoft.com/en-us/library/cc722487.aspx#EJAA
#1 and #2

Regards,
Thierry

RPG> Abstract
RPG> 
RPG> ChipTAN comfort is a new system which is supposed to securely authorise 
online
RPG> banking transactions by means of a trusted device. It is assumed that 
chipTAN
RPG> comfort specifically protects against man-in-the-middle attacks. Such 
attacks are
RPG> currently putting bank customers who are using the iTAN system at risk. 
RedTeam
RPG> Pentesting examined chipTAN comfort and showed that even when using this 
sys-
RPG> tem, man-in-the-middle attacks can compromise online banking security.


RPG> The full paper is available in German and English at

RPG> http://www.redteam-pentesting.de/publications/MitM-chipTAN-comfort




-- 
http://blog.zoller.lu
Thierry Zoller




[Full-disclosure] TLS / SSLv3 vulnerability explained (DRAFT)

2009-11-18 Thread Thierry Zoller

Dear List,

This paper explains the vulnerability for a broader audience and
summarizes the information that is currently available. The document
is prone to updates and is believed to be accurate by the time of
writing.

Post:
http://blog.g-sec.lu/2009/11/tls-sslv3-renegotiation-vulnerability.html

Direct Download
http://clicky.me/tlsvuln

Disclaimer
Information is believed to be accurate by the time of writing.
As this vulnerability has complex implications this document
is prone to revisions in the future.


Thierry ZOLLER - G-SEC
http://www.g-sec.lu
Principal Security Consultant





[Full-disclosure] [G-SEC 49-2009] McAfee generic PDF detection bypass

2009-10-27 Thread Thierry Zoller


  McAfee multiple products - Generic PDF detection bypass


***
Cheap plug :
If you are interested in client side vulnerabilities visit HACK.LU 
starting tomorrow 28-30 Oct with :

Workshop:
* Bypassing the Perimeter: Client Side Exploitation - Nitesh Dhanjani, 
  Billy K Rios
Talks :
* New advances in Office Malware analysis - Frank Boldewin
* PDF Penetration Document Format - Didier Stevens
* Ownage 2.0 - Saumil Shah (who else)
* Malicious PDF origamis strike back - Guillaume Delugré
   Frederic Raynal
***


Release mode  : Coordinated
Reference : [GSEC-05-2009] - MCafee generic PDF bypass
WWW   : http://www.g-sec.lu/mcafee-pdf-bypass.html
Vendor: http://www.mcafee.com
Status: Patched
CVE   : none attributed yet
Credit: https://kc.mcafee.com/corporate/index?page=content&id=SB10003
   (We disagree with the CVSS rating)
Discovered by : Thierry Zoller (G-SEC)


Affected products : 
~~~
All McAfee software that uses DATs including:
- McAfee GroupShield
- McAfee LinuxShield
- McAfee NetShield for NetWare
- McAfee PortalShield
- McAfee Total Protection Service (SaaS)
- McAfee Virex
- McAfee Total Protection™ 2009
- McAfee Internet Security
- McAfee VirusScan USB
- McAfee VirusScan Enterprise
- McAfee VirusScan Enterprise Linux
- McAfee VirusScan Enterprise for SAP
- McAfee VirusScan Enterprise for Storage
- McAfee VirusScan Commandline
- Mcafee SecurityShield for Microsoft ISA Server
- Mcafee Security for Microsoft Sharepoint
- Mcafee Security for Email Servers
- McAfee Email Gateway
- McAfee Total Protection for Endpoint
- McAfee Active Virus Defense
- McAfee Active VirusScan

Patch availability :

Patches distributed through automatic updates

I. Background
~
Quote: "McAfee proactively secures systems and networks from known 
and as yet undiscovered threats worldwide. Home users, businesses, 
service providers, government agencies, and our partners all trust 
our unmatched security expertise and have confidence in our 
comprehensive and proven solutions to effectively block attacks
and prevent disruptions."

II. Description
~~~
Improper parsing of the PDF structure leads to evasion of detection of
malicious PDF documents at scan time and run time.
  
This has been tested with several malicious PDF files and represents
a generic evasion of all PDF signatures and heuristics.

General information about evasion/bypasses can be found at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

III. Impact
~~~
Known PDF exploits/malware may evade signature detection, 0day exploits
may evade heuristics.


IV. Disclosure timeline
~
DD.MM.
01.06.2009 - Reported 
20.10.2009 - McAfee informed us that they published the advisory on their 
website
< waiting for others vendors to patch >
27.10.2009 - G-SEC releases this advisory

About G-SEC
~~~
G-SEC™ is a vendor-independent, Luxembourgish-led IT security consulting
group. More information available at : http://www.g-sec.lu/



[Full-disclosure] [G-SEC 48-2009] F-SECURE - Generic PDF detection bypass

2009-10-27 Thread Thierry Zoller


  F-SECURE multiple products - Generic PDF detection bypass


***
Cheap plug :
If you are interested in client-side vulnerabilities visit HACK.LU 
starting tomorrow [28-30 Oct] with :

Workshop:
* Bypassing the Perimeter: Client Side Exploitation - Nitesh Dhanjani,
  Billy K Rios
Talks :
* New advances in Office Malware analysis - Frank Boldewin
* PDF Penetration Document Format - Didier Stevens
* Ownage 2.0 - Saumil Shah (who else)
* Malicious PDF origamis strike back - Guillaume Delugré
   Frederic Raynal
***

Release mode  : Coordinated
Reference : [GSEC-48-2009] - F-Secure generic PDF bypass
WWW   : http://www.g-sec.lu/fsecure-pdf-bypass.html
Vendor: http://www.f-secure.com
Status: Patched
CVE   : none attributed yet
Credit: tba (probably FSC-2009-3)
Discovered by : Thierry Zoller (G-SEC)


Affected products : 
~~~
- F-Secure Internet Security 2009 and earlier
- F-Secure Anti-Virus 2009 and earlier
- F-Secure Home Server Security 2009
- Solutions based on F-Secure Protection Service for Consumers version 8.00 and earlier
- Solutions based on F-Secure Protection Service for Business - Workstation security version 8.00 and earlier
- Solutions based on F-Secure Protection Service for Business - E-mail and Server security version 8.00 and earlier
- F-Secure Client Security 8.01 and earlier
- F-Secure Anti-Virus for Workstations 8.0 and earlier
- F-Secure Anti-Virus for Windows Servers 8.00 and earlier
- F-Secure Linux Security 7.02 and earlier
- F-Secure Anti-Virus Linux Client Security 5.54 and earlier
- F-Secure Anti-Virus Linux Server Security 5.54 and earlier
- F-Secure Anti-Virus for Linux Servers 4.65
- F-Secure Anti-Virus for Microsoft Exchange 8.00 and earlier
- F-Secure Internet Gatekeeper for Windows 6.61 and earlier
- F-Secure Internet Gatekeeper for Linux 3.02 and earlier
- F-Secure Internet Gatekeeper for Linux Japanese 2.37 and earlier
- F-Secure Anti-Virus for Citrix Servers 7.00 and earlier
- F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier


Patch availability :

Patches distributed through automatic updates

I. Background
~
Quote: "F-Secure offers a broad range of PC and internet security 
products made for your home or business, so you will 
always be protected. Our internet security, antivirus 
and anti-spyware software is trusted by more than 180
internet service providers around the world. Moreover, 
with 16 global offices and a presence within more than 
100 countries, F-Secure is sure to be there for you and
your security software needs."

II. Description
~~~
Improper parsing of the PDF structure leads to evasion of detection of 
malicious PDF documents at scantime and runtime.
  
This has been tested with several malicious PDF files and represents
a generic evasion of all PDF signatures and heuristics.

General information about evasion/bypasses can be found at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

III. Impact
~~~
Known PDF exploits/malware may evade signature detection, 0day exploits
may evade heuristics.


IV. Disclosure timeline
~
DD.MM.
15.05.2009 - Reported to F-Secure 
12.07.2009 - Patches deployed automatically, F-Secure waits to
 coordinate public disclosure
< waiting for others to patch >
27.10.2009 - G-SEC releases this advisory


About G-SEC
~~~
G-SEC™ is a vendor-independent, Luxembourgish-led IT security consulting
group. More information available at: http://www.g-sec.lu/


[Full-disclosure] [G-SEC 47-2009] Symantec generic PDF detection bypass

2009-10-27 Thread Thierry Zoller


 Symantec multiple products - Generic PDF bypass


***
Cheap plug :
Speaking of PDF - If you are interested in client-side vulnerabilities
visit HACK.LU starting tomorrow [28-30 Oct] with :

Workshop:
* Bypassing the Perimeter: Client Side Exploitation - Nitesh Dhanjani, 
  Billy K Rios
Talks :
* New advances in Office Malware analysis - Frank Boldewin
* PDF Penetration Document Format - Didier Stevens
* Ownage 2.0 - Saumil Shah (who else)
* Malicious PDF origamis strike back - Guillaume Delugré
   Frederic Raynal
***

Release mode: Coordinated
Reference   : [GSEC-47-2009] - Symantec generic PDF bypass
WWW : http://www.g-sec.lu/symantec-pdf-bypass.html
Vendor  : http://www.symantec.com
Status  : Patched
CVE : none attributed yet
Credit  : http://tinyurl.com/ygqnlhs
Discovered by : Thierry Zoller (G-SEC)


Affected products : 
~~~
- Symantec Mail Security for Domino
- Symantec Mail Security for Microsoft Exchange
- Symantec Mail Security for SMTP
- Symantec Brightmail Gateway
- Symantec AntiVirus for Network Attached Storage
- Symantec AntiVirus for Caching
- Symantec AntiVirus for Messaging
- Symantec Protection for SharePoint Servers
- Symantec Protection Suite
- Symantec Scan Engine
- Symantec Client Security
- Symantec Endpoint Protection
- Symantec AntiVirus Corporate Edition
- Norton Internet Security
- Norton 360
- Norton AntiVirus
- Norton Systemworks

Patch availability :

Patches distributed through automatic updates

I. Background
~
Quote: "Symantec helps consumers and organizations secure and 
manage their information-driven world. Our software and services 
protect against more risks at more points, more completely and 
efficiently, enabling confidence wherever information is used or stored."

II. Description
~~~
Improper parsing of the PDF structure leads to evasion of detection of 
malicious PDF documents at scantime and runtime.
  
This has been tested with several malicious PDF files and represents
a generic evasion of all PDF signatures and heuristics.

General information about evasion/bypasses can be found at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

III. Impact
~~~
Known PDF exploits/malware may evade signature and heuristic detection, 0day exploits
may evade heuristics.


IV. Disclosure timeline
~
DD.MM.
01.06.2009 - Reported 
12.06.2009 - "This will be posted to our Symantec Product Security Advisory page
 though we are not identifying these issues as vulnerabilities, it's just
 the best method to disseminate this type of product information"
< waiting for others to patch >
27.10.2009 - G-SEC releases this advisory


About G-SEC
~~~
G-SEC™ is a vendor-independent, Luxembourgish-led IT security consulting
group. More information available at: http://www.g-sec.lu/


[Full-disclosure] [G-SEC 46-2009] Computer Associates multiple products arbitrary code execution

2009-10-13 Thread Thierry Zoller


   Computer Associates (CA) Anti-Virus
  Multiple products - arbitrary code execution


Release mode  : Coordinated
Reference : [GSEC-46-2009] - Computer Associates multiple products RCE
WWW   : http://blog.g-sec.lu/2009/10/computer-associates-multiple-products.html
Vendor: http://www.ca.com
Status: Patched
CVE   : CVE-2009-3587 & CVE-2009-3588
Credit: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=218878
Discovered by : Thierry Zoller (G-SEC)
Vendor reaction rating : near perfect*
* Continuous feedback on progress - CVE numbers - In-depth investigation of the
issues at hand


Affected products : 
~~~
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.1
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8.1
CA Anti-Virus 2007 (v8)
CA Anti-Virus 2008
CA Anti-Virus 2009
CA Anti-Virus Plus 2009
eTrust EZ Antivirus r7.1
CA Internet Security Suite 2007 (v3)
CA Internet Security Suite 2008
CA Internet Security Suite Plus 2008
CA Internet Security Suite Plus 2009
CA Threat Manager for the Enterprise (formerly eTrust Integrated 
   Threat Management) r8
CA Threat Manager for the Enterprise (formerly eTrust Integrated 
   Threat Management) 8.1
CA Threat Manager Total Defense
CA Gateway Security r8.1
CA Protection Suites r2
CA Protection Suites r3
CA Protection Suites r3.1
CA Secure Content Manager (formerly eTrust Secure Content 
   Manager) 1.1
CA Secure Content Manager (formerly eTrust Secure Content 
   Manager) 8.0
CA Network and Systems Management (NSM) (formerly Unicenter 
   Network and Systems Management) r3.0
CA Network and Systems Management (NSM) (formerly Unicenter 
   Network and Systems Management) r3.1
CA Network and Systems Management (NSM) (formerly Unicenter 
   Network and Systems Management) r11
CA Network and Systems Management (NSM) (formerly Unicenter 
   Network and Systems Management) r11.1
CA ARCserve Backup r11.5 on Windows
CA ARCserve Backup r12 on Windows
CA ARCserve Backup r12.0 SP1 on Windows
CA ARCserve Backup r12.0 SP 2 on Windows
CA ARCserve Backup r12.5 on Windows
CA ARCserve Backup r11.1 Linux
CA ARCserve Backup r11.5 Linux
CA ARCserve for Windows Client Agent
CA ARCserve for Windows Server component
CA eTrust Intrusion Detection 2.0 SP1
CA eTrust Intrusion Detection 3.0
CA eTrust Intrusion Detection 3.0 SP1
CA Common Services (CCS) r3.1
CA Common Services (CCS) r11
CA Common Services (CCS) r11.1
CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)
CA Anti-Virus Gateway (formerly eTrust Antivirus Gateway) 7.1

Affected Platforms:
~~~
Windows
UNIX
Linux
Solaris
Mac OS X
Netware


Patch availability :

Patches have been available since the 09.10.2009 - Please follow the steps listed
here: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=218878


I. Background
~
Quote: 
"CA is one of the world's largest IT management software providers.
We serve more than 99% of Fortune 1000 companies, as well as government 
entities, educational institutions and thousands of other companies 
in diverse industries worldwide" 

"CA Anti-Virus for the Enterprise is the next generation in comprehensive 
anti-virus security for business PCs, servers and PDAs. It combines 
proactive protection against malware with new, powerful management 
features that stop and remove malicious code before it enters your 
network, reducing system downtime"


II. Description
~~~
Improper handling of a specially crafted RAR archive file by the CA 
Anti-Virus engine arclib component leads to heap corruption and 
allows the attacker to cause a denial of service or possibly 
further compromise the system.

Attacker has control over EBX :

Basic Block:
6e4305b0 mov cl,byte ptr [ebx]
   Tainted Input Operands: ebx
6e4305b2 add edi,28h
6e4305b5 push edi
6e4305b6 lea edx,[esp+14h]
6e4305ba mov byte ptr [esp+14h],cl
   Tainted Input Operands: cl
6e4305be inc ebx
   Tainted Input Operands: ebx
6e4305bf push edx
6e4305c0 mov ecx,esi
6e4305c2 mov dword ptr [esp+1ch],ebx
   Tainted Input Operands: ebx
6e4305c6 call arclib!arctkopenarchive+0x283a0 (6e42f9f0)



III. Impact
~~~
The impact ranges from Denial of Service to potential remote arbitrary code
execution.
Due to the nature of Anti-virus products, the attack vectors can be near
endless. An attack could be done by way of an E-mail message carrying a RAR
attachment (or a file recognised as being RAR), USB, CD, Network data etc.

Please note that this is a general problem and not exclusive to Computer
Associates.


IV. Disclosure timeline
~~~

Re: [Full-disclosure] [-SPAM-] Re: When is it valid to claim that a vulnerability leads to a remote attack?

2009-10-12 Thread Thierry Zoller
Hi James,

Well, that would explain why client side exploits are so fruitful these
days. Probably nobody invests in protection against them, as the
risk assessment team tells them it is a local issue only? Pun intended ;)

A  PDF/DOC exploit should be classified as remotely exploitable or else your
assessment suffers from lack of reality - sorry.

We have the following denominations in this thread, which
all mean different things, which doesn't really help us here:
* "a remote bug"
* "a remote attack"
* "remotely exploitable"

"A remote attack"
= An action

"Remotely exploitable"
= possibility that the vulnerability is exploited remotely

"A remote bug" =
a bug that is remotely triggerable (??); doesn't even imply it is exploitable.

I only perceive one of these denominations to be worth being used in
risk assessment - that being "remotely exploitable".


JM> If you classify a remote bug (anything that can be exploited remotely) then
JM> you are classifying all bugs (you can use a privilege escalation exploit
JM> remotely)
Yes, you actually should consider that you can use these types of attacks
remotely, but "normally" not without a "first degree remote
vulnerability" (add that to the list of denominations).

JM> I agree with Thor, anything that exploits a remote service
JM> (HTTP,FTP Etc..) without any user interaction.

JM> On Sun, Oct 11, 2009 at 12:54 AM, Thor (Hammer of God) > wrote:

>>
>>
>> > I  think we can agree that yes, it is remotely exploitable and as such
>> > should be categorized as "remote" in Risk/Impact scoring systems ?
>> >
>> > Does anybody disagree ? I'd be interested to hear your point of view.
>>
>> Hey Thierry - I hope all is well...
>>
>> I'm happy to include "user assisted remote exploitation" as a "remote"
>> vulnerability in academic conversations, but I don't categorize it as
>> "remote" when assessing overall risk to a particular threat in production
>> environments.  Like everyone else, my TMs include impact and skill required
>> to exploit a particular vulnerability; but they also include "likelihood of
>> exploitation."   While that may sound like a wildcard metric, I quantify it
>> by applying the internal controls in place that may mitigate a particular
>> attack.  In "my" networks (networks I control, design, or consult for) most
>> users couldn't execute [common] exploits even if they wanted to.  I won't
>> bore you with the controls I deploy as I'm confident you are well aware of
>> the options one has, but the fact they exist at all place "user assisted
>> remote exploits" in a different category for me when assessing risk.  When
>> the propensity for a vulnerability to be exploited lies in a particular
>> user's response to any given
>>  trigger, as opposed to any authoritative in-place controls to mitigate
>> exposure, then a model's relevant response options are greatly diminished
>> (IMO).
>>
>> As such, I choose to categorize "remote" exploits as those that may be
>> executed against a given host that is autonomously running a [vulnerable]
>> service that can be connected to by some (any) other network client, device,
>> or service for the purposes of ascertaining overall risk.
>>
>> t
>>
-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] When is it valid to claim that a vulnerability leads to a remote attack?

2009-10-10 Thread Thierry Zoller
Hi Dan,

DK> There are a substantial number of file formats that are code-execution
DK> equivalent with no exploits necessary -- .exe, .com, .bat, etc.  You thus
DK> can't say that an executed file must not execute code, because there's no
DK> way for the user to know whether a file on his desktop is an .exe or
DK> something else.

Maybe I misunderstand what you are saying, but - isn't the point in this
case that running binary files mapped as executables is not
exploiting a vulnerability in a third party application?

I understood that Jonathan was asking whether the exploitation of a file
format vulnerability in Product X can be categorized as remotely
exploitable - even though it is not exposed to the outside and one can only
reach arbitrary control by indirect means.

I  think we can agree that yes, it is remotely exploitable and as such
should be categorized as "remote" in Risk/Impact scoring systems ?

Does anybody disagree ? I'd be interested to hear your point of view.


DK> The key here is "escalation of privilege".  At the point you're launching
DK> formats, the privilege has already been granted.
If you could dive into this a bit more, as I can't follow you here. I
frankly don't know any access control logic where running a format leads
to the escalation of a privilege, per se.


-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] When is it valid to claim that a vulnerability leads to a remote attack?

2009-10-09 Thread Thierry Zoller
Hi Jonathan,

IMHO it generally is classified as remote. Some vendors call it
"user assisted remote arbitrary code execution" which, in my opinion,
is just downplaying the issue - there are virtually unlimited means to
get somebody or something to open such a file, some less assisted but
still exploiting the issue at hand.

If you want to find common ground with said person, propose the
denomination above.

This subject is indeed interesting and worth discussing, not sure
FD is the best place though.

Regards,
Thierry

JL> A reputable security defect reporting organization is claiming that a
JL> Windows program is subject to a remote attack because:

JL> * The vulnerable program (call it 'pqrminder') is registered as the
JL> 'handler' for files with a specific extension (call it '.pqr').
JL> * If the user downloads a '.pqr' file (or is sent one in the mail and clicks
JL> on it), then 'pqrminder' is invoked.
JL> * If the file is malformed, then arbitrary code can be executed (buffer
JL> overflow).

JL> While recognizing that there is a bug here, that does not strike me as
JL> being what is normally meant by a 'remote attack'.

JL> --
JL> Jonathan Leffler (jleff...@us.ibm.com)
JL> STSM, Informix Database Engineering, IBM Information Management
JL> 4400 N First St, San Jose, CA 95134-1257
JL> Tel: +1 408-956-2436 Tieline: 475-2436
JL> "I don't suffer from insanity; I enjoy every minute of it!"


-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] Source for USB stick with hardware write-protect?

2009-10-08 Thread Thierry Zoller


While probably not interesting for forensic usage and OS
dependent:
Windows offers a simple registry key to block write requests to
removable storage such as USB keys.

Wrote a small app that does exactly this; it's a nice gimmick to have
for various test cases.
http://blog.zoller.lu/2009/03/new-tool-usb-write-blocker.html

>> Meanwhile i'd like to enlarge the search - is there out any HDD sata
>> drive enclosures with hardware write protect switch?
>>   

MH> Google "Forensic write blocker". There's tons of products in a variety
MH> of interfaces designed to do this (for the forensics industry).

MH> Cheers,

MH> Michael Holstein
MH> Cleveland State University




-- 
http://blog.zoller.lu
Thierry Zoller
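The tool linked above is not reproduced on the page. As an added example (my own code, not Thierry's tool and not part of the original post), the policy the post alludes to can be set and checked from an elevated PowerShell session. The registry path and the `WriteProtect` DWORD under `StorageDevicePolicies` are the documented Windows removable-storage policy; the function names below are my own, and the script assumes it runs as Administrator.

```powershell
# Added example: toggle the Windows removable-storage write-protect policy.
# Assumes an elevated (Administrator) PowerShell session; the key may not
# exist on a fresh system, so it is created on first use.
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtect {
    # Returns $true when the policy blocks write requests to removable storage.
    $value = Get-ItemProperty -Path $policyKey -Name 'WriteProtect' -ErrorAction SilentlyContinue
    if ($null -eq $value) { return $false }
    return ($value.WriteProtect -eq 1)
}

function Set-UsbWriteProtect {
    param([Parameter(Mandatory)][bool]$Enabled)
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # DWORD 1 = writes blocked, 0 = writes allowed; -Force overwrites an existing value.
    New-ItemProperty -Path $policyKey -Name 'WriteProtect' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
}

# Usage: enable the policy before attaching the stick. Devices that are already
# mounted keep their current mode until they are re-attached.
Set-UsbWriteProtect -Enabled $true
if (Get-UsbWriteProtect) { 'Removable storage is now write-protected' }
```

This is an OS-level control, which is why the post rules it out for forensic work: it is enforced by the Windows storage stack of the machine you plug the device into, applies only to devices attached after the value is set, and is undone by anyone who can edit HKLM. For evidence handling the hardware write blockers mentioned later in the thread remain the appropriate tool.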




Re: [Full-disclosure] Source for USB stick with hardware write-protect?

2009-10-07 Thread Thierry Zoller
Hi K,

http://www.heise.de/ct/projekte/FAQ-406390.html#sticks


-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

2009-09-08 Thread Thierry Zoller
Hi Kingcope,

Thanks to a hint by "Petar" on the G-SEC blog [1] it  appears
that the  very same bug was present in IIS3 and IIS4 and discovered
by eeye in 1999 :
http://research.eeye.com/html/advisories/published/AD19990124.html

"Microsoft  IIS  (Internet  Information Server) FTP service contains a
buffer overflow in the NLST command. This could be used to DoS a remote
machine and in some cases execute code remotely."

Is this the same bug, and was the bug re-introduced? Has Microsoft
fixed LS but not NLST? "svn" mishap?

Maybe Mudge and/or Dildog can comment - it would certainly be interesting
to know whether and, if so, HOW this bug was reintroduced.

[1] http://blog.g-sec.lu/2009/09/iis-5-iis-6-ftp-vulnerability.html

Regards,
Thierry ZOLLER

--
http://blog.zoller.lu





Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

2009-08-31 Thread Thierry Zoller

Confirmed.

Ask yourselves why your fuzzers haven't found that one - a combination of
MKDIRs is required before reaching the vulnerable code?



-- 
http://blog.zoller.lu
Thierry Zoller




[Full-disclosure] Fwd: Re[2]: [Dailydave] Security people are leaches. [sic]

2009-08-11 Thread Thierry Zoller

As Dave seems to have his ongoing NZ filtering going on
again on the DailyDave list, I post it here..

Anybody want to create a list mirroring DD but letting replies through
even if those are against your views?

===8<=== Original message text ===
Hi Aaron,

>The 'shades of grey' only exist to security people.
Define "security people"? A complete branch of corporate risk
management is formed of "security people". So does this make it "less
of a problem"?

>To no one else is it important
>that a bug disclose information, allow invalid root access, or escalate 
>privileges.
You obviously have not worked with or within a company that has to
balance all sorts of risks. If a kernel bug is slipped upstream
because it was not properly marked as a security issue, it means
potential loss. So since when is losing money "only important" to
"security people"? Security = Risk of loss, and Sir, this is important
for everybody in the company.

I am astounded how narrow-minded some developers have become. Some
apparently never see the complete picture of how a business operates,
how potential risks/losses are mitigated and how this impacts the
developers. SDL training seems to need an introduction on the
fundamentals of security, operational and others. A bird's-eye view;
maybe if the interconnections are understood some will understand why
it is important.

It's not a technical issue - at all.

PS. Dave - I am not writing comments for you to send to /dev/null, I
consider my time more useful.

-- 
http://blog.zoller.lu
Thierry Zoller

===8<== End of original message text ===

Re: [Full-disclosure] IE8 crashes with simple HTML

2009-08-05 Thread Thierry Zoller


Could reproduce, unhandled second chance read access violation in
mshtml!Ptls5::FsUpdateBottomlessPel+0x41d (FPO: [7,45,4])


Faulting Instruction:40af4234 cmp ecx,dword ptr [eax+18h]

Basic Block:
40af4234 cmp ecx,dword ptr [eax+18h]
   Tainted Input Operands: eax, ecx
40af4237 jne mshtml!ptls5::fsupdatebottomlesspel+0x47c (40af6cf7)
   Tainted Input Operands: ZeroFlag

-- 
http://blog.zoller.lu
Thierry Zoller




[Full-disclosure] [GSEC-TZO-45-2009] iPhone remote code execution

2009-07-23 Thread Thierry Zoller

Fell quite behind on this one, here it is.
___

  iPhone & iPod Touch - Remote arbitrary code execution
___


Reference : [GSEC-TZO-45-2009] - iPhone remote arbitrary code execution
WWW   : http://www.g-sec.lu/iphone-remote-code-exec.html
CVE   : CVE-2009-1698
BID   : 35318
Credit: http://support.apple.com/kb/HT3639
Discovered by : Thierry Zoller

Affected products :
- iPhone OS 1.x through 2.2.1
- iPhone OS for iPod touch 1.x through 2.2.1

I. Background
¨¨
Wikipedia quote: "Apple Inc. (NASDAQ: AAPL) is an American multinational 
corporation which designs and manufactures consumer electronics and software 
products. The company's best-known hardware products include "

II. Description

Calling the CSS attr() attribute with a large number leads to memory 
corruption, heap spraying allows execution of code. 

III. Impact
¨¨¨
Arbitrary remote code execution can be achieved by creating a special website
and enticing the victim into visiting that site.

IV. Proof of concept

None will be released


VI. About
¨¨
G-SEC ltd. is an independent security consultancy group, founded to
address the growing need for all-round (effective) security consultancy
in Luxembourg.

By providing extensive security auditing, rigid policy design, and 
implementation of cutting-edge defensive/offensive systems, G-SEC 
ensures robust, thorough, and  uncompromising protection for 
organizations seeking enterprise wide data security.




Re: [Full-disclosure] Update: [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....

2009-07-22 Thread Thierry Zoller
Hi Steven,

[Removing   a   few  addresses  in CC that surely do not care too much
about this discussion]

SMC> I strongly suspect that as we collectively try to figure out how to solve
SMC> resource-consumption issues for all kinds of software, we will quickly run
SMC> into lots of complexity that may well enter the realm of undecidable
SMC> problems
First, nobody has to figure out how to "solve [all] resource
consumption issues". That would be effort spent on a stupid idea.
Design your software expecting it to run into these
kinds of problems and design proper generic mitigations, where
possible. You are set.

Has this been done before ? Yes, take google chrome as an example.

In Google Chrome, tabs are separated in such a way that, well, only
the affected tab closes, not the whole browser, not
the complete OS. So this is mitigating all these bugs by design and
reducing the impact to a minimum, to a degree where I agree that it
could be ignored and not called a "vulnerability".

If someone designs software and claims that these problems cannot be mitigated
and hence should be ignored or seen as "normal", in my personal
opinion, they should be looking for another job.

Secondly, I really can't find anything related to the advisory in your posting.
The bug at hand was an unclamped loop "within the browser code
itself", NOT a loop fed by an external source. Comparing it to downloading
huge files is comparing apples to oranges. Even the impact is a different
one, as that border case is accounted for.

SMC> Web browsers are basically mini-operating systems (which others may have
SMC> said before).
Surely product managers and marketing departments have said so; surely
it can be designed to look like an OS. However, comparing the currently
existing browsers to an operating system is ludicrous at best.

SMC> Since they are very closely attached to their underlying
SMC> operating system,
Since when are browsers running Ring 0 ?

SMC> But if you think of the infinite number of algorithms you could write in
SMC> Javascript, then it becomes a recipe for the death of a thousand cuts.
Infinite amounts of possibilities do not necessarily equal infinite
amounts of "defenses". - Browser detects a loop or script that doesn't exit,
asks the user if he wants to stop it. Been there, done that.

SMC> If you try to load the full XML downloads from cve.mitre.org into your
SMC> browser, good luck with that - you get CPU and memory consumption very
SMC> quickly (last time I checked).
Apples and Oranges, nobody said CPU consumption is a vulnerability per
se.  The possible impact is what makes it a vulnerability or not, such as
browser crashes, OS reboots, etc pp.

I  still  have trouble to understand why some are not using the impact
of  a  bug to rate it. The resulting impact (what can be done with it,
what consequences this problem has for a user/system) is what defines
the security aspect, not necessarily the root cause.

SMC> But is that a vulnerability per se?  It
SMC> almost becomes a "laws-of-physics" vulnerability - if you send too much
SMC> data to an underpowered system with a small pipe, then a DoS is going to
SMC> occur because you can't violate the laws of physics.
If you have not planned for that border case, for example the browser crashes
or the OS reboots and it creates "damage" as in data loss - yes, it is a
vulnerability.
Sorry, but stupidity or lack of effort has never protected somebody from
calling it what it is. Last time I checked, software code didn't respect the
laws of physics though. Pigs fly regularly in my "code".

SMC> At some point a line needs to be drawn, though I don't
SMC> know where that line is.  I agree with Michal that a holistic approach
SMC> could save a lot of people a lot of pain.
These are empty words to my ears. "holistic approach" sounds like "war
on terror". But maybe that's just me.

-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] Update: [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....

2009-07-21 Thread Thierry Zoller
Hi Michal,

MZ> That was DOM Level 1 (1999). Even level 2 (2000) has this as read-write:
MZ> http://www.w3.org/TR/DOM-Level-2-HTML/html.html#ID-94282980

Ah, now that makes sense. So my theory goes right down the drain =X

MZ> Also keep in mind that with relatively few exceptions, W3C simply
MZ> trailed and struggled to capture status quo (or some compromise
MZ> representation thereof) back then.

Thanks for your insight!


-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] Update: [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....

2009-07-21 Thread Thierry Zoller
Hi Michal,

Interesting,
http://www.w3.org/TR/REC-DOM-Level-1/level-one-html.html
--
 readonly attribute  long length;
--

MZ> Does not seem to be the case in HTML5 at least?
There must have been a change then between HTML4 and HTML5

MZ> It may or may not have any practical uses (dynamic resizing of SELECTs
MZ> without having to delete individual options).


-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] Update: [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....

2009-07-21 Thread Thierry Zoller
Hi Michal,

MZ>  which does not seem to be that far
MZ> from creating an overly nested DOM tree, or drawing an oversized

Interesting tidbit:
The W3C DOM specifies the select.length attribute to be *read only*.
Yet (all) browsers have implemented it so that it can be written to. I
am not sure what use that has (?) but one thing is sure: they failed
to add a limit. The W3C didn't either, but that's because it was never meant
to be written to in the first place.


-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] Update: [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....

2009-07-21 Thread Thierry Zoller
Hi Steven,
SMC>  we will quickly run
SMC> into lots of complexity that may well enter the realm of undecidable
SMC> problems,
Yeah, security is too complex. Dude, the fix was to LIMIT the
number of elements. This is not rocket science.

-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] Update: [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....

2009-07-21 Thread Thierry Zoller
Hi Michal,

Yes, we all know that. The flaw here was not looping on itself
thousands of times, wow. It was a DOM implementation flaw. That's
what made it interesting: a border case that was not accounted for.

That's all, still interesting. I don't see how JavaScript's endless
loops are similar at all - sorry.


MZ> There are literally thousands of HTML- and JavaScript-related denial
MZ> of service vectors in modern browsers. If you want a silly, ad hoc
MZ> example I just made up on the spot (and so could any reader of the
MZ> list), try:

MZ> foo = '';
MZ> for (i=0;i<7;i++) foo += foo;
MZ> for (i=0;i<1;i++) document.write(foo);





-- 
http://blog.zoller.lu
Thierry Zoller




[Full-disclosure] Update: [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....

2009-07-21 Thread Thierry Zoller


 One bug to rule them all
 IE5,IE6,IE7,IE8,Netscape,Firefox,Safari,Opera,Konqueror,
 Seamonkey,Wii,PS3,iPhone,iPod,Nokia,Siemens and more.



Update/Changes :


Background :
~~~
+ I failed to include details about the nature of the bug (DOM);
the root cause is a DOM flaw and not a Javascript flaw, as the
Background info might have led one to think.

Thanks James Schend for the heads up.

+ The bug was present in a 9 year old version of Netscape - draw your own 
conclusions.

Patch availability :

+ Seamonkey 1.1.17 and SeaMonkey 2 (soon to be Beta) have been patched

Affected Products :

+ Blackberry 8800/probably all (null ptr exception, browser crash)
Thanks to "528-0444" for the Report.
+ Google G1 latest (Firmware 1.5, Kernel: 2.6.27-00393-g6607056, Build: CRB43)
(Browser crash) 
Thanks Scott Fraser for the Report.






Re: [Full-disclosure] Update: [TZO-06-2009] IBM Proventia - Generic bypass (Limited disclosure - see details)

2009-07-16 Thread Thierry Zoller
 to my terms and policy to be able
TZ>> to  republish  mails  that  happen  during  notification  in  full  or
TZ>> partially"

TZ>> 24.04.2009 - IBM states that
TZ>>  "Thierry,
TZ>> Changes you make should be effective for new issues going forward.  
Period."

TZ>> "We have reported to you that your issues DO NOT EVADE PRODUCTS.   That is
TZ>> unequivocable.   You have not proven an evasion of a product. "

TZ>> "We
TZ>> have conducted that research and the report is negative, your issues do not
TZ>> evade the product.   [..] Further, we do
TZ>> not for obvious reasons ever provide architectural details except in cases
TZ>> of NIAP review under Common Criteria for EAL 2 or Higher, then in only
TZ>> certain aspects.Your research does not attain that benchmark."

TZ>> 08.05.2009 - Sending a new POC evading proventia (CAB)
TZ>> no reply

TZ>> 11.05.2009 - Re-sending asking for an acknowledgement

TZ>> 15.05.2009 -
TZ>> "We are in the final stages of completing the write up on our review of all
TZ>> your reports.   It may take until early AM US EDT to complete or possibly
TZ>> early AM Central European Time."

TZ>> 22.05.2009 - IBM sends in the results, and *surprise* it DID evade 
proventia.
TZ>> Quote:"
TZ>> IBM Proventia Desktop Endpoint Security - susceptible
TZ>> IBM Proventia Network Multi-Function Security (MFS) - susceptible

TZ>> Multiple engines are susceptible to this evasion. We are working internally
TZ>> and with third-party OEM vendors to create a fix for this evasion. For our
TZ>> own engine, we have placed a fix on our long-term development roadmap, but
TZ>> this is a low priority for us because this engine runs in a desktop
TZ>> environment where malicious code in these archives will be detected upon
TZ>> extraction or execution. If and when an update addressing this issue is
TZ>> delivered for our engine, we will credit you."

TZ>> Ignoring that the end-point argument doesn't hold true for the network
TZ>> device, isn't this incredible?

TZ>> 22.05.2009 - I respond that 
TZ>> "[..] The files
TZ>> bypass your protection - to argue with client-side protection (if any)
TZ>> is reserved for the clients that use your products. You should rate it
TZ>> as what it is. A bypass of your AV detection"


TZ>> Heard nothing back since the 23rd of May. I trust IBM to disclose and fix,
TZ>> and maybe credit, but I thought I'd let IBM customers know what your
TZ>> millions in license fees are spent on.









-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....

2009-07-15 Thread Thierry Zoller

Dear List,
To  all  those  sending in reports, thank you, *but* please read the patch
section.  It  is  normal  that  it doesn't work in Safari, Chrome, FF,
Opera any longer, they have been patched. Try IE for an example.

To stop the flood of mails, explaining that the POC doesn't work
on mozilla x.y, or safari x.y. Read the "PATCH" section. Please.


Regards,
Thierry





[Full-disclosure] Update: [TZO-06-2009] IBM Proventia - Generic bypass (Limited disclosure - see details)

2009-07-15 Thread Thierry Zoller


As I received a lot of feedback on this bug, I thought I'd update you. After
not replying to my notifications and the subsequent forced partial disclosure,
IBM stated officially on their website that they were not affected, and to my
surprise IBM got in contact immediately after disclosure to "coordinate".

If you read the timeline till the end, the story has a nice swing... Drama,
insults, everything. You could make a soap opera out of it. And you don't even
have all the mails.

What happened during this "coordination" even surprised me. I am used to
discussions, I am used to stupid answers. However, what happened here bears
no description.


Short Guerrilla Version of the Timeline  (complete timeline below):
---
- Hey Thierry sorry, we did not get your report, we'll keep you updated!
We have IBM written on the proventia boxes but don't send reports to IBM!!

- Post official statement to IBM website that IBM is NOT affected and 
forgetting to inform Thierry

- Thierry, You cannot evade proventia, because we use special proprietary
ingredients!

> What are these ingredients?

- We won't tell !! and by the way you suck! your test methods suck! You aren't
even EAL2 ! A test team costs too much to test your POCs! Your mails suck!
Learn from the big mighty IBM. 

> Sorry, the same poc evaded proventia last year! So you must be missing something!!

- Thierry, stop sending us POC files, YOU CANNOT EVADE PROVENTIA, IT is
IMPOSSIBLE, IRREVQUABLE, PERIOD 

>Silence

- Thierry here is our report, you DID evade all our proventia products, we will
credit you.



In the timeline below you find my summary
-
02.04.2009 - Forced partial disclosure
02.04.2009 - A known contact at IBM asks for the POC
02.04.2009 - POC is resent
02.04.2009 - A third person is added to the coordination "list"
04.04.2009 - Sending another POC file (RAR)
06.04.2009 - POC is acknowledged and promise is made to get back
 once the material has been analysed.
10.04.2009 - Sending another POC file (ZIP)
10.04.2009 - The third person, ergo the "Cyber
Incident & Vulnerability Handling PM", is taking over coordination

14.04.2009 - A comment was made to my blog that indicated IBM did
answer the Bugtraq posting and negate my findings; having 
received no response from them personally I ask
"Dear Peter, I was referred to this url in a comment posted to my blog:
http://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=5417
can you confirm this ?"

15.04.2009 -  IBM responds:
"[..] we
apologize that the path of communicating the disclosure was somewhat
confusing.  [..]  The IBM contact address in the
OSVDB is typically used for software products that are in another division
of IBM, and thus, your report was not routed to us in a timely manner.  In
the future, we'd prefer that you contact myself directly"

"We have now investigated the TZO-04-2009-IBM incident you reported and have
found that we are not susceptible to this evasion."
"[..]in  this  case,  there  are  other  components in our Proventia
products that prevent this evasion from occurring"
"Testing our production products, rather than testing this one
piece of our technology, then you would have been able to see the same
results"

16.04.2009 - As my tests indicate otherwise I ask "Could you please  
specify which >components< would prevent the evasion, as it is
hard  to see how to prevent it when the unarchiver code cannot extract
the code itself" and
"I  would  be  glad  to do so [Red:test production products] : 
Please send the respective appliances to "


16.04.2009 - IBM answers
[..] "We are not an open source company, so the internal workings of 
our proprietary software is not something we publicly disclose.  
We do not provide our products for free to all of the independent 
testers that might be interested in our product lines--the number 
of requests simply would not be scalable or manageable if
we did"

17.04.2009 - As I have no way to reproduce and IBM gives no details
about their OH-SO secret proprietary software I state that 
"I  cannot  verify  nor  reproduce your statements as such I will leave
this CVE entry as disputed." "Please provide tangible proof that 
you detect the samples. Screenshots, logs, outputs."
AND
"My  worktime  is not open source either[..] Yet I
am currently working for your interests and customers, for free. I can
stop reporting responsibly  if this is what you are trying to achieve."

21.04.2009 - As there was no reply, I resend the previous mail

22.04.2009 - IBM acks receipt and promises to reply soon.

==
In the meantime, as I thanked AV-TEST GmbH in my advisory, 
somebody complains directly to AV-TEST GmbH and forces them to 
no longer give me access to their test clusters. AV-TEST GmbH 
subsequently asks me to stop testing using their systems.
As a note: does anybody spot a parallel to the mob?
==

23.04.2009 - I inform IBM that 
"In

[Full-disclosure] [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....

2009-07-15 Thread Thierry Zoller


 One bug to rule them all
   IE5,IE6,IE7,IE8,Netscape,Firefox,Safari,Opera,Konqueror,
   Seamonkey,Wii,PS3,iPhone,iPod,Nokia,Siemens and more.
   Don't wet your pants - it's DoS only


Release mode: Tried hard to coordinate - gave up
Reference   : [GSEC-TZO-26-2009] - One bug to rule them all
WWW : http://www.g-sec.lu/one-bug-to-rule-them-all.html
Vendors : 
http://www.firefox.com   
http://www.apple.com
http://www.opera.com
http://www.sony.com
http://www.nintendo.com
http://www.nokia.com
http://www.siemens.com
others..
Status  : Varies
CVE : CVE-2009-1692 (created by Apple, same root cause)
Credit  : Except Apple - nobody

Affected products : 
~~~
- Internet Explorer 5, 6, 7, 8 (all versions)
- Chrome (limited)
- Opera 
- Seamonkey
- Midbrowser
- Netscape 6 & 8 (9 years ago)
- Konqueror (all versions)
- Apple iPhone + iPod 
- Apple Safari
- Thunderbird
- Nokia Phones : Nokia N95 (Symbian OS v.9.2),Nokia N82, Nokia N810 Internet 
Tablet
- Aigo P8860 (Browser hangs and cannot be restarted)  
- Siemens phones
- Google T-Mobile G1 TC4-RC30
- Ubuntu (Operating system sometimes reboots, memory management failure)
- possibly more devices and products that support Javascript,
try it yourselves. POC here : http://www.crashthisthing.com/select.html

Patch availability :

- Mozilla : Fixed in Firefox 3.0.5 and 2.0.0.19 
https://bugzilla.mozilla.org/show_bug.cgi?id=460713
- Apple iPhone&iPod : patched
- IE : No patch for IE5, IE6, IE7, IE8 until IE9
- Webkit : Patched in r41741 - https://bugs.webkit.org/show_bug.cgi?id=23319
- Chrome : Patched (unknown which version)
- Opera : Patched after version 9.64
- Thunderbird (unknown)
- Konqueror : unknown (did not respond)
- Nokia : unknown, opened a case but never came back
- Aigo P8860 : unknown
- Siemens : unknown
- Others ? Find out by visiting the POC at
http://crashthisthing.com/select.html


I. Background
~
Quoting Wikipedia "ECMAScript is a scripting language, standardized by Ecma 
International in the ECMA-262 specification and ISO/IEC 16262. The language 
is widely used on the web, especially in the form of its three best-known 
dialects, JavaScript, ActionScript, and JScript."


II. Description
~~~
Setting the length attribute of a select element to a large integer results
in continuous allocation of x+n bytes of memory, exhausting memory after a
while. The impact varies from a null pointer dereference (no more memory,
hence crashing the browser) to a reboot of the complete operating system
(Konqueror & Ubuntu).

No limit had ever been specified as to how many html elements the select
should handle; after the report of this bug, vendors apparently agreed on a
limit of 10,000 elements: "Talked to some Apple and Opera guys at the
WHATWG social, and we decided this was a good number"
III. Impact
~~~
The Impact varies from Browser to Browser and from OS to OS. 

Here is a small excerpt:
- Konqueror (Ubuntu) - allocates 2GB of memory then either crashes 
the browser or (most often) the OS reboots. Ubuntu's memory
management appears to be configured NOT to stop the process
that consumes too much memory, but a random process.
This sometimes leads to processes that are vital for the OS being
killed, hence the reboot. I am not kidding. Thanks to
'FX' for the memory management hint.

- Chrome :  allocates 2GB of memory then crashes tab with a null pointer

- Firefox : allocates 2GB of memory then the Browser crashes

- IE5,6,7,8 : allocates 2GB of memory then the Browser crashes

- Opera : Allocated and commits as much memory as available, 
will not crash but other applications will become unstable 

- Nintendo Wii (Opera) : Console hangs, needs hard reset
Video: http://vimeo.com/2937101 (Thanks to David Raison)

- Sony PS3 - Console hangs, needs hard reset 
Video: http://vimeo.com/2937101 (Thanks to Chris Gates)

- iPhone - iPhone hangs and needs hard reset
Video: http://vimeo.com/2873339 (Thanks to g0tcha)

- Aigo P8860 (Browser hangs and cannot be restarted)  


IV. Proof of concept 
~~~

function poc(o) {
    // A detached <select>; it never has to be inserted into the page.
    var e = document.createElement("select");
    // One assignment, no loop: the DOM length setter tries to append
    // 2^31-1 empty <option> elements.
    e.length = 2147483647;
}

function go() {
    poc(0);
}


URL: http://www.crashthisthing.com/select.html

Some have not understood what this code does: it does NOT loop, as some vendors
claimed, it just sets select.length ONCE to a huge integer. One might wonder
whether, over the 9 years this bug existed, nobody ever assigned a large
number to select.length.

V. Disclosure timeline
~
Nothing particular to note, except the usual discussion about availability being
a security issue.

VI. Thanks
~
Chris Gates, David Raison, Fahem A
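
The fix the author keeps pointing at (limit the number of elements) and the reason a single assignment is enough are easy to see in a small model of the DOM setter. The following is an added editorial example, not code from the advisory and not from any browser engine: the DOM is replaced by plain objects so it runs under Node, the 10,000 limit is the figure the advisory quotes, and the allocation `budget` of the unclamped model and the refuse-rather-than-truncate behaviour of the clamped one are assumptions of this model, not documented engine behaviour.

```javascript
// Added editorial example, not code from the advisory or from any browser.
// Models the HTMLSelectElement `length` setter with plain objects (no real
// DOM) and contrasts the unclamped behaviour the advisory describes with a
// clamped setter of the kind vendors agreed on.

// Limit the advisory reports vendors agreed on after the bug: 10,000.
// Assumption: real engines may use a different constant; here it is a parameter.
const MAX_SELECT_LENGTH = 10000;

// WebIDL `unsigned long` conversion for a non-[EnforceRange] attribute:
// ToNumber, then modulo 2^32. A script passing -1 therefore arrives as 4294967295.
const toUnsignedLong = (v) => Number(v) >>> 0;

// Stand-in for a <select>: `options` plays the live options collection.
function createSelect() {
  return { options: [] };
}

function appendEmptyOptions(select, count) {
  for (let i = 0; i < count; i++) select.options.push({ text: '', value: '' });
}

// Unclamped setter, modelling pre-patch behaviour: growing to n appends
// (n - current) empty <option> nodes, so e.length = 2147483647 is one
// request for ~2^31 allocations. `budget` is a hypothetical allocation cap
// used only so this model throws instead of exhausting memory the way the
// affected browsers did.
function setLengthUnclamped(select, value, budget) {
  const n = toUnsignedLong(value);
  const current = select.options.length;
  if (n <= current) {
    select.options.length = n;          // shrink: trailing options are dropped
    return select.options.length;
  }
  const toAdd = n - current;
  if (toAdd > budget) {
    throw new RangeError(`would allocate ${toAdd} option elements`);
  }
  appendEmptyOptions(select, toAdd);
  return select.options.length;
}

// Clamped setter: the shape of the fix. An oversized growth request is
// refused and the collection is left untouched. (Assumption: the page only
// says a limit was agreed; ignoring versus truncating an oversized request
// is a design choice of this model.)
function setLengthClamped(select, value, limit = MAX_SELECT_LENGTH) {
  const n = toUnsignedLong(value);
  const current = select.options.length;
  if (n <= current) {
    select.options.length = n;
    return select.options.length;
  }
  if (n - current > limit) return current;  // refuse: no allocation happens
  appendEmptyOptions(select, n - current);
  return select.options.length;
}

// Walk-through using the advisory's PoC value.
const sel = createSelect();
console.log('clamped, length=3          ->', setLengthClamped(sel, 3));
console.log('clamped, length=2147483647 ->', setLengthClamped(sel, 2147483647));
try {
  setLengthUnclamped(createSelect(), 2147483647, 1000000);
} catch (e) {
  console.log('unclamped, length=2147483647 ->', e.message);
}
```

Two details matter in practice. The setter's argument is a WebIDL unsigned long, so the check has to run after the ToUint32 coercion: a limit compared against the raw JavaScript value would let -1 through, and it arrives as 4294967295. And the request is a single assignment, so any defence that looks for scripts looping or for repeated DOM mutations (as some vendors apparently assumed) never fires; the cap has to live in the setter itself.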

[Full-disclosure] Update: [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)

2009-07-10 Thread Thierry Zoller

Update:
---
Patch was ineffective: Length2 was fixed, and both
SVGNumber and SVGNumber2, but not SVGLength.

Affected products :
- All firefox versions below 3.5





[Full-disclosure] Update: [TZO-27-2009] Firefox Denial of Service (Keygen)

2009-07-09 Thread Thierry Zoller

Update
--
Unfortunately the Denial of Service condition has not been fixed
with the new versions/builds and, according to tickets filed
under the bugzilla ID, the impact of this bug has changed since
version 3.5. [1]

Hence the list of affected products now is :
- All versions below Firefox 3.5

[1]
--- Comment #28 from PBForeman   2009-07-08 09:14:00 PDT ---
When FF3.5 is open, cpu eventually runs 99%, using over 100,000K of memory.
Closing FF does not stop the cpu or memory usage. Closing with Task Manager is
the only way to exit FF.  Previous versions of FF all ran stable, problem
started with 3.5.  Closing and restarting does not solve the problem. Removing
program and reinstalling clean does not solve anything. Same settings were used
from previous version to install FF3.5. Once cpu maxes out, FF ties up entire 
computer.






[Full-disclosure] [TZO-43-2009] - Clamav generic evasion (CAB)

2009-06-18 Thread Thierry Zoller


From the low-hanging-fruit-department
Clamav generic evasion (CAB)


Shameless plug :

You are invited to join the 2009 edition of HACK.LU, a small but 
concentrated Luxembourgish security conference.
More information : http://www.hack.lu - CFP is open, sponsorship is
still possible and warmly welcomed.


Release mode: Coordinated but limited disclosure.
Ref : [TZO-43-2009] - Clamav generic evasion (CAB)
WWW : 
http://blog.zoller.lu/2009/05/advisory-clamav-generic-evasion-cab.html 
Vendor  : http://www.clamav.net &
  http://www.sourcefire.com/products/clamav
Status  : Patched (in version 0.95.2)
CVE : none provided
Security notification reaction rating : good


Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- ClamAV below 0.96

Affected systems:
- MACOSX server,
- IBM Secure E-mail Express Solution for System
Others : http://www.clamav.net/about/who-use-clamav/

I. Background
~
Quote: "Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, 
designed especially for e-mail scanning on mail gateways. It provides 
a number of utilities including a flexible and scalable multi-threaded
daemon, a command line scanner and advanced tool for automatic 
database updates. The core of the package is an anti-virus engine 
available in a form of shared library. "

II. Description
~~~
The parsing engine can be bypassed by manipulating CAB archives (Filesize)
in a "certain way" such that the Clamav engine cannot extract the content but
the end user is able to. 

III. Impact
~~~
To know more about the impact and type of "evasion", I updated the 
description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Disclosure timeline
~
DD/MM/

Nothing particular to note.



[Full-disclosure] [TZO-34-2009] Frisk FPROT generic evasion (RAR, ARJ, LHA)

2009-06-18 Thread Thierry Zoller


From the low-hanging-fruit-department
 F-prot generic bypass (RAR,ARJ,LHA)


Shameless plug :

You are invited to join the 2009 edition of HACK.LU, a small but 
concentrated Luxembourgish security conference. 
More information : http://www.hack.lu - CFP is open, sponsorship is still 
possible and warmly welcomed.


Release mode: Coordinated but limited disclosure.
Ref : [TZO-34-2009] - F-prot RAR,ARJ,LHA bypass
WWW : 
http://blog.zoller.lu/2009/05/advisory-f-prot-generic-evasion-rar.html
Vendor  : http://www.f-prot.com
Status  : Current version not patched, next engine version will be patched
CVE : none provided
Credit  : Given in the history file
OSVDB vendor entry: none [1]
Security notification reaction rating : good
Notification to patch window : n+1 (no patch for current build)

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products (all versions below 4.5.0 ) 
- F-PROT AVES (High: complete bypass of engine)
- F-PROT Antivirus for Windows (unknown)
- F-PROT Antivirus for Windows on Mail Servers : (High: complete bypass of 
engine) 
- F-PROT Antivirus for Exchange (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 Mail Servers : (High: complete bypass of 
engine)
- F-PROT Antivirus for Linux x86 File Servers : (High: complete bypass of 
engine)
- F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers (High: complete 
bypass of engine)
- F-PROT Milter - for example sendmail (High: complete bypass of engine)
- F-PROT Antivirus for Linux on IBM zSeries (S/390) (High: complete bypass of 
engine)
- F-Prot Antivirus for Linux x86 Workstations (unknown)

OEM Partners affected :
- Authentium (all versions)

OEM Partners with unknown status :
- Sendmail, Inc.
- G-Data


I. Background
~
Quote: "FRISK Software International, established in 1993, is one of the 
world's leading companies in antivirus research and product development.

FRISK Software produces the hugely popular F-Prot Antivirus products range 
offering unrivalled heuristic detection capabilities. In addition to this, 
the F-Prot AVES managed online e-mail security service filters away the 
nuisance of spam e-mail as well as viruses, worms and other malware that 
increasingly clog up inboxes and threaten data security."


II. Description
~~~
The parsing engine can be bypassed by a specially crafted and formatted
RAR archive. 

III. Impact
~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within RAR archives. There is no inspection of the content
at all and hence the impossibility to detect malicious code.


IV. Disclosure timeline
~
DD/MM/
07/05/2009 : Send proof of concept, description the terms under which 
 I cooperate and the planned disclosure date.

 No reply

09/05/2009 : Resending PoC file asking to please acknowledge receipt

19/05/2009 : Frisk acks receipt and states that 
 "I have confirmed that this issue is indeed 
  present in F-Prot engine versions 4.4.4 and earlier.  It is not present
  in the 4.5.0 engine, which is the current development version, and is
  scheduled for release in the near future"
 
20/05/2009 : Ask for patch timeline

22/05/2009 : Frisk states that there will be no patch for versions below 4.5.0
 and that the next version 4.5.0 is not affected (dev build)
 
 "As a side note, F-PROT 4.4 and older also had a similar issue
 with ARJ and LHA/LZH files - failing to detect the archive if
 it was not at the beginning of the file"

10/06/2009 : Ask Frisk whether 4.5.0 has been released now
 
 no reply
 
18/06/2009 : Release of this advisory.

[1]
F-prot is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/Frisk%20Software%20International
to facilitate communication and reduce lost reports.






[Full-disclosure] [TZO-40-2009] Clamav generic bypass (RAR, CAB, ZIP)

2009-06-16 Thread Thierry Zoller


From the low-hanging-fruit-department
   Clamav generic evasion (RAR,CAB,ZIP)


Shameless plug :

You are invited to join the 2009 edition of HACK.LU, a small but 
concentrated Luxembourgish security conference. 
More information : http://www.hack.lu - CFP is open, sponsorship is still 
possible and warmly welcomed.


Release mode: Coordinated but limited disclosure.
Ref : [TZO-40-2009] - Clamav generic evasion (RAR,CAB,ZIP)
WWW : http://blog.zoller.lu/2009/05/advisory-clamav-generic-bypass.html
Vendor  : http://www.clamav.net &
  http://www.sourcefire.com/products/clamav
Status  : Patched (in version 0.95.2)
CVE : none provided
Credit  : Discovered - froggz 2005, Zoller 2007, ROGER Mickael 2009
Security notification reaction rating : good


Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- ClamAV below 0.95.2


Affected systems:
- MACOSX server,
- IBM Secure E-mail Express Solution for System
http://www.clamav.net/about/who-use-clamav/

I. Background
~
Quote: "Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, 
designed especially for e-mail scanning on mail gateways. It provides 
a number of utilities including a flexible and scalable multi-threaded
daemon, a command line scanner and advanced tool for automatic 
database updates. The core of the package is an anti-virus engine 
available in a form of shared library. "

II. Description
~~~
The parsing engine can be bypassed by manipulating RAR and ZIP archives 
in a "certain way" such that the Clamav engine cannot extract the content but
the end user is able to. 

III. Impact
~~~
To know more about the impact and type of "evasion", I updated the 
description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Disclosure timeline
~
DD/MM/

No timeline, nothing particular to note.







[Full-disclosure] [TZO-33-2009] Fprot generic bypass (TAR)

2009-06-16 Thread Thierry Zoller


From the low-hanging-fruit-department
 F-prot generic TAR bypass / evasion


Shameless plug :

You are invited to join the 2009 edition of HACK.LU, a small but 
concentrated Luxembourgish security conference. 
More information : http://www.hack.lu - CFP is open, sponsorship is still 
possible and warmly welcomed.


Release mode: Coordinated but limited disclosure.
Ref : [TZO-33-2009] - F-prot TAR bypass / evasion
WWW : 
http://blog.zoller.lu/2009/06/advisory-frisk-f-prot-evasion-tar.html
Vendor  : http://www.f-prot.com
Status  : Current version not patched, next engine version will be patched
  in version 4.5.0. Vendor didn't reply whether said version is
  now in circulation.
CVE : none provided
Credit  : Given in the History file 
OSVDB vendor entry: none [1]
Security notification reaction rating : better than last time
Notification to patch window : n+1 (no patch for current build)

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products (all versions up to 4.5.0 which is not released yet) 
- F-PROT AVES (High: complete bypass of engine)
- F-PROT Antivirus for Windows (unknown)
- F-PROT Antivirus for Windows on Mail Servers : (High: complete bypass of 
engine) 
- F-PROT Antivirus for Exchange (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 Mail Servers : (High: complete bypass of 
engine)
- F-PROT Antivirus for Linux x86 File Servers : (High: complete bypass of 
engine)
- F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers (High: complete 
bypass of engine)
- F-PROT Milter - for example sendmail (High: complete bypass of engine)
- F-PROT Antivirus for Linux on IBM zSeries (S/390) (High: complete bypass of 
engine)
- F-Prot Antivirus for Linux x86 Workstations (unknown)

OEM Partners affected :
- Authentium (all versions)

OEM Partners with unknown status :
- Sendmail, Inc.
- G-Data


I. Background
~
Quote: "FRISK Software International, established in 1993, is one of the 
world's leading companies in antivirus research and product development.

FRISK Software produces the hugely popular F-Prot Antivirus products range 
offering unrivalled heuristic detection capabilities. In addition to this, 
the F-Prot AVES managed online e-mail security service filters away the 
nuisance of spam e-mail as well as viruses, worms and other malware that 
increasingly clog up inboxes and threaten data security."


II. Description
~~~
The parsing engine can be bypassed by a specially crafted and formatted
TAR archive. 

III. Impact
~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within TAR archives. There is no inspection of the content
at all and hence the impossibility to detect malicious code.


IV. Disclosure timeline
~
DD/MM/
28/04/2009 : Send proof of concept, description the terms under which 
 I cooperate and the planned disclosure date.

 No reply
 
11/05/2009 : Resending PoC file asking to please reply

20/05/2009 : Frisk replies that it was unable to extract the PoC file with
 "tar" and hence sees no bypass.
 
20/05/2009 : Inform Frisk that the PoC extracts fine with Winzip
 

22/05/2009 : Frisk sends a lengthy e-mail re-discussing bypasses/evasions

22/05/2009 : I state that I will not discuss this topic any further, everything
 has been said and written multiple times. Either Frisk patches
 or they do not.
 
22/05/2009 : Frisk states that the changes to the parsing code are minor,
 i.e. not relying on the checksum. The patch will be included
 in the next release candidate 4.5.0 and credit will be given
 in the History file

Comment: I give 4.5.0 some time to be released.
 
10/06/2009 : Ask Frisk if 4.5.0 has been released now

 no reply
 
14/06/2009 : Release of this advisory

[1] F-prot is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/Frisk%20Software%20International
to facilitate communication and reduce lost reports.




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [TZO-37-2009] Apple Safari

2009-06-14 Thread Thierry Zoller


  Apple Safari Remote code execution (CSS:Attr)


Shameless plug :

You are invited to join the 2009 edition of HACK.LU, a small but
concentrated Luxembourgish security conference.
More information : http://www.hack.lu - CFP is open, sponsorship is still 
possible and warmly welcomed.


Release mode: ZDI (see previous timelines to know why this went to ZDI)
Ref : [TZO-37-2009] - Apple Safari Remote code execution (CSS)
Vendor  : http://www.apple.com
WWW : 
http://blog.zoller.lu/2009/05/advisory-apple-safari-remote-code.html
Status  : Patched (http://support.apple.com/kb/HT3613)
Credit  : http://support.apple.com/kb/HT3613
CVE : CVE-2009-1698

Affected products :
- Apple Safari versions prior to 4.0


I. Background
~
Wikipedia quote: "Apple Inc. (NASDAQ: AAPL) is an American multinational 
corporation which designs and manufactures consumer electronics and 
software products. The company's best-known hardware products include 
Macintosh computers, the iPod and the iPhone."

II. Description
~~~
Calling a CSS attr attribute with a large number leads to memory corruption.

III. Impact
~~~
Viewing a maliciously crafted web page may lead to an unexpected application 
termination or arbitrary code execution.

IV. Proof of concept 

You can build one with the above information.

V. Disclosure time-line
~
No time-line available




[Full-disclosure] [TZO-36-2009] Apple Safari & Quicktime Denial of Service

2009-06-14 Thread Thierry Zoller


   Apple Safari & Quicktime Denial of Service


Shameless plug :

You are invited to join the 2009 edition of HACK.LU, a small but
concentrated Luxembourgish security conference.
More information : http://www.hack.lu - CFP is open, sponsorship is still 
possible and warmly welcomed.


Release mode: Coordinated
Ref : [TZO-36-2009] - Apple Safari & Quicktime DoS
Vendor  : http://www.apple.com
WWW : 
http://blog.zoller.lu/2009/05/advisory-apple-safari-quicktime-dos.html
Status  : Not patched
Credit  : none given (Apple can't find a place to credit)
Discovered  : 18.11.2008 Zoller, 19.06.2009 Alexios Fakos (probably plenty
  of others)
Security notification reaction rating : good
Notification to patch window : n+1 

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products  
- Apple Safari (all)
- Quicktime (all)


I. Background
~
Wikipedia quote: "Apple Inc. (NASDAQ: AAPL) is an American multinational 
corporation which designs and manufactures consumer electronics and 
software products. The company's best-known hardware products include 
Macintosh computers, the iPod and the iPhone."

II. Description
~~~
A null pointer is dereferenced when CFRelease() is called on NULL.

III. Impact
~~~
The browser will crash, your data might be lost.

IV. Proof of concept (hold your breath)


Video


V. Disclosure timeline
~
DD/MM/
18/11/2008 : Send proof of concept file and a description that failed to
 give the correct impact.

25/11/2009 : Apple acknowledges receipt and reproducibility :
 "After investigating this issue further, we've determined 
 that the crash your test case triggers is caused by
 dereferencing a null pointer and not from a format string issue"
 
20/01/2009 : Ask for an update   
 
23/01/2009 : Apple sends an encrypted and signed PGP mail, fine, however the mail
 is encrypted with their own key

23/01/2009 : Ask for the mail to be resent as I don't have Apple's private key

24/01/2009 : Apple states that "Regarding the QuickTime null dereference you 
 reported, this bug is still being worked on by our engineers 
 and is not addressed in QuickTime 7.6"
 
26/01/2009 : Ask Apple for a fix timeline as this is a ridiculously easy-to-fix
 vulnerability
 
27/01/2009 : Apple states "Regarding the QuickTime null deref issue, it is 
 currently set to be part of the next QuickTime update.  [..] 
 Additionally, we do not intend to describe this crasher in our
 security advisory.
 
 Note: No Security advisory = no credit, should have published here.
 
28/01/2009: Apple states "Given that we are handling this as a crasher and 
not as a security exposure, it stands to reason that you may 
want to disclose it without waiting for the update that
addresses it and without further coordination with Apple.
We do appreciate the fact that you reported it to us and are
intending to address it in the next available update"

[..]
[Several discussions about CIA, why a DoS against the iPhone is worth a security
advisory, when it isn't against Safari.. etc. I spare you the details]

[..]

29/01/2009 : Ask why I should hold disclosure for a DoS in a particular
 portable Apple product but disclose DoS in other Apple products.
 Asked Apple to make a choice, either DoS is a security issue and
 I won't disclose or it isn't and I disclose all of them,
 including the one in the very portable Apple product
  
30/01/2009  : Apple answers that
 "Your QuickTime and Safari issues constitute denial of service.
 We consider any denial of service issue to be security related,
 and they are important to fix.  We plan to fix the ones you
 reported in the next available updates."

 "I believe we can put credit in an appropriate place for the
 WebKit/Safari change.  I was not able to locate a suitable place
 for crediting the QuickTime crasher"
  
Fast forward 5 months, and Apple releases a stream of code execution bug fixes
for Quicktime.

01/06/2009 : 

[Full-disclosure] [TZO-33-2009] Frisk F-prot evasion (TAR)

2009-06-14 Thread Thierry Zoller


  From the low-hanging-fruit-department
   F-prot generic evasion (TAR)


CHEAP Plug :

You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!


Release mode: Coordinated but limited disclosure.
Ref : [TZO-33-2009] - F-prot TAR bypass / evasion
WWW : 
http://blog.zoller.lu/2009/06/advisory-frisk-f-prot-evasion-tar.html
Vendor  : http://www.f-prot.com
Status  : Current version not patched, next engine version will be patched
CVE : none provided
Credit  : Given in the History file 
OSVDB vendor entry: none [1]
Security notification reaction rating : better than last time
Notification to patch window : n+1 (no patch for current build)

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products (all versions up to 4.5.0 which is not released yet) 
- F-PROT AVES (High: complete bypass of engine)
- F-PROT Antivirus for Windows (unknown)
- F-PROT Antivirus for Windows on Mail Servers (High: complete bypass of engine)
- F-PROT Antivirus for Exchange (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 Mail Servers (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 File Servers (High: complete bypass of engine)
- F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers (High: complete bypass of engine)
- F-PROT Milter - for example sendmail (High: complete bypass of engine)
- F-PROT Antivirus for Linux on IBM zSeries (S/390) (High: complete bypass of engine)
- F-Prot Antivirus for Linux x86 Workstations (unknown)

OEM Partners affected :
- Authentium  (all versions)

OEM Partners with unknown status :
- Sendmail, Inc.
- G-Data


I. Background
~
Quote: "FRISK Software International, established in 1993, is one of the 
world's leading companies in antivirus research and product development.

FRISK Software produces the hugely popular F-Prot Antivirus products range 
offering unrivalled heuristic detection capabilities. In addition to this, 
the F-Prot AVES managed online e-mail security service filters away the 
nuisance of spam e-mail as well as viruses, worms and other malware that 
increasingly clog up inboxes and threaten data security."


II. Description
~~~
The parsing engine can be bypassed by a specially crafted and formatted
TAR archive.

III. Impact
~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within TAR archives. There is no inspection of the content
at all and hence the impossibility to detect malicious code.


IV. Disclosure timeline
~
DD/MM/
28/04/2009 : Send proof of concept, description, the terms under which
 I cooperate and the planned disclosure date.

 No reply
 
11/05/2009 : Resending PoC file asking to please reply

20/05/2009 : Frisk replies that it was unable to extract the PoC file with
 "tar" and hence sees no bypass.
 
20/05/2009 : Inform Frisk that the PoC extracts fine with Winzip
 

22/05/2009 : Frisk sends a lengthy e-mail re-discussing bypasses/evasions

22/05/2009 : I state that I will not discuss this topic any further, everything
 has been said and written multiple times. Either Frisk patches
 or they do not.
 
22/05/2009 : Frisk states that the changes to the parsing code are minor,
 i.e. not relying on the checksum. The patch will be included
 in the next release candidate 4.5.0 and credit will be given
 in the History file.

 Comment: I give it some time for 4.5.0 to be released.
 
10/06/2009 : Ask Frisk if 4.5.0 has been released now

 no reply
 
14/06/2009 : Release of this advisory

[1] F-prot is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/Frisk%20Software%20International
to facilitate communication and reduce lost reports.




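
As an added illustration of the TZO-33 description above (example code written for this page, not the advisory's PoC and not Frisk's or F-Prot's code): the timeline says the fix consisted of no longer relying on the header checksum, so the example assumes a checksum mismatch as the crafted deviation; the advisory itself does not publish the PoC layout. The block builds a one-member tar with Python's standard library, overwrites the checksum, and compares a strict parser that gives up at the first bad header (the behaviour the advisory describes, and what "tar" did on the PoC) with a tolerant one that records the mismatch and keeps parsing, so the member data still reaches whatever inspects it. Names such as list_members and the marker content are constructed.

```python
import io
import tarfile

BLOCK = 512          # ustar header and data block size
CHKSUM_OFF = 148     # offset of the 8-byte checksum field inside the header


def _octal(field: bytes) -> int:
    """Decode a NUL/space terminated octal ustar field; an empty field is 0."""
    digits = field.split(b"\x00", 1)[0].strip()
    return int(digits, 8) if digits else 0


def header_checksum(hdr: bytes) -> int:
    """ustar checksum: sum of the 512 header bytes, with the checksum field
    itself counted as eight ASCII spaces."""
    return sum(hdr[:CHKSUM_OFF]) + 8 * 0x20 + sum(hdr[CHKSUM_OFF + 8:])


def list_members(archive: bytes, strict: bool):
    """Walk the archive header by header.

    strict=True mimics a parser that stops as soon as a header checksum does
    not match: everything after that point is never inspected.
    strict=False mimics an extractor that notes the mismatch but carries on,
    so the member content is still available for scanning.
    """
    members = []
    off = 0
    while off + BLOCK <= len(archive):
        hdr = archive[off:off + BLOCK]
        if hdr == b"\x00" * BLOCK:
            break                                   # end-of-archive marker
        checksum_ok = _octal(hdr[CHKSUM_OFF:CHKSUM_OFF + 8]) == header_checksum(hdr)
        if strict and not checksum_ok:
            break                                   # the weak behaviour: give up
        size = _octal(hdr[124:136])
        members.append({
            "name": hdr[:100].split(b"\x00", 1)[0].decode("utf-8", "replace"),
            "size": size,
            "checksum_ok": checksum_ok,
            "content": archive[off + BLOCK: off + BLOCK + size],
        })
        off += BLOCK + -(-size // BLOCK) * BLOCK    # member data is padded to whole blocks
    return members


def build_archive(name: str, payload: bytes) -> bytes:
    """Build a one-member ustar archive in memory (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def corrupt_checksum(archive: bytes) -> bytes:
    """Overwrite the first header's checksum with a well-formed but wrong value.
    Assumption: this stands in for the crafted header of the advisory, whose
    exact layout is not published."""
    return archive[:CHKSUM_OFF] + b"0000000\x00" + archive[CHKSUM_OFF + 8:]


# Constructed marker standing in for whatever content a scanner is meant to find.
MARKER = b"constructed test content for the example, not malware"


def demo():
    good = build_archive("payload.bin", MARKER)
    bad = corrupt_checksum(good)
    tolerant = list_members(bad, strict=False)
    return {
        "intact_strict": [m["name"] for m in list_members(good, strict=True)],
        "bad_strict": [m["name"] for m in list_members(bad, strict=True)],
        "bad_tolerant": [(m["name"], m["checksum_ok"]) for m in tolerant],
        "bad_tolerant_sees_marker": any(MARKER in m["content"] for m in tolerant),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is the same one the timeline records: an inspection engine must parse at least as leniently as the extractors its users run (here WinZip), and a header inconsistency is a reason to flag the archive, not a reason to stop looking inside it.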


[Full-disclosure] [TZO-32-2009] Norman generic bypass (RAR)

2009-06-14 Thread Thierry Zoller


 From the low-hanging-fruit-department
  Norman generic evasion (RAR)


CHEAP Plug :

You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed


Release mode: Coordinated but limited disclosure.
Ref : [TZO-32-2009] - Norman generic evasion (RAR)
WWW : 
http://blog.zoller.lu/2009/06/advisory-norman-generic-evasion-rar.html
Vendor  : http://www.norman.com
Status  : Patched (with decompression engine version 5.99.07)
CVE : none provided
Credit  : http://www.norman.com/support/security_bulletins/69333/en
OSVDB vendor entry: Norman is not listed as a vendor in OSVDB
Security notification reaction rating : ok
Notification to patch window : 77 days

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
The vulnerabilities have been fixed in Norman's compression library (NCL) 5.99.07,
released on Norman's Internet update servers as an automatic update 03 June 2009.
This solves the vulnerability for all updated Norman products except for
Norman Network Protection

 - Norman Virus Control single user and corporate versions
 - Norman Internet Control
 - Norman Virus Control E-mail plugins
 - Norman Endpoint Protection
 - Norman Security Suite
 - Norman Network Protection
 - Norman Virus Control for Lotus Domino
 - Norman Virus Control for Exchange
 - Norman Virus Control for Linux
 - Norman Virus Control for Novell Netware (FireBreak) 
 - Norman Email Protection
 - Norman Email Protection Appliance
 - Norman Online Protection
 - Norman Virus Control for AMaViS 
 - Norman Virus Control for MIMEsweeper  

 - Third party vendors that use the Engine 
 
 OEM vendors known to use the Norman engine :
 - eEye
 
 

I. Background
~
Quote: "Norman ASA is a world leading company within the field of data security,
internet protection and analysis tools. Through its SandBox technology
Norman offers a unique and proactive protection unlike any other
competitor"


II. Description
~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within the RAR archive. There is no inspection of the content
at all.

III. Impact
~~~
The bug results in denying the engine the possibility to inspect
code within the RAR archives. There is no inspection of content
at all.

A general description of the impact and nature of AV Bypasses/evasions
can be read at :  
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html


IV. Disclosure time-line
~
DD/MM/
05/03/2009 : Send proof of concept (RAR Size), description, the terms under which
 I cooperate and the planned disclosure date.
 
 No reply
 
13/03/2009 : Re-Send proof of concept (RAR Size), indicating this is the last attempt
 to responsibly disclose.
 
14/03/2009 : Norman acknowledges receipt

23/03/2009 : Send proof of concept (RAR Method)

23/03/2009 : Asking for an update for the RAR Size sample

02/04/2009 : Norman confirms reproduction of RAR Method PoC and that they will release
 the patch a.s.a.p.
 
02/04/2009 : Norman promises to get back with release dates/advisory information as soon
 as they have some firm dates
 
06/04/2009 : Norman confirms reproduction of RAR Headflags PoC  
 

20/04/2009 : Norman confirms reproduction of the CAB PoC and that all reported
 vulnerabilities have been patched internally.

22/04/2009 : Ask for a list of affected versions/products   
 
 no answer

27/04/2009 : Norman sends in the patched decompression DLL for me to verify that the patch
 is correct.

28/04/2009 : Send TAR PoC file
 
 no acknowledgement
 
07/05/2009 : Ask for an update to all reported bugs
  
 no reply

08/05/2009 : Inform Norman that as I no longer receive any replies I assume that
 the patch is deployed and set the final disclosure date to
 the 1.06.2009
 
09/05/2009 : Norman states they probably can't make the 1/06/2009

09/05/2009 : Propose to postpone disclosure upon request

28/05/2009 : Ask for an update as 01.06.2009 still is set   
 

30/05/2009 : Norman asks to postpone the disclosure by a week as they 
  

[Full-disclosure] [TZO-31-2009] Ikarus multiple generic evasions (CAB, ZIP, RAR)

2009-06-13 Thread Thierry Zoller


 From the low-hanging-fruit-department
 Ikarus multiple generic evasions (CAB,RAR,ZIP)


CHEAP Plug :

You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed


Release mode: Coordinated but limited disclosure.
Ref : [TZO-31-2009] - Ikarus multiple evasions through CAB,RAR,ZIP
WWW : 
http://blog.zoller.lu/2009/06/subscribe-to-rss-feed-in-case-you-are.html (sorry)
Vendor  : http://www.ikarus.at
Status  : Patched (after engine version 1.1.58)
CVE : none provided
Credit  : t.b.a
OSVDB vendor entry: Ikarus is not listed as a vendor in OSVDB
Security notification reaction rating : good
Notification to patch window : 77 days
Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html


Affected products : 
-  IKARUS virus utilities  (scan-time)
-  IKARUS m...@ilwall
-  IKARUS Content Wall
-  IKARUS security.proxy

I. Background
~
Ikarus Software GMBH is an Anti-virus company based in Austria.

II. Description
~~~
The parsing engine can be bypassed by specially crafted and formatted
RAR (Headflags and Packsize), ZIP (Filelength) and CAB (Filesize) archives.

III. Impact
~~~
The bug results in denying the engine the possibility to inspect
code within the CAB, RAR, ZIP archives. There is no inspection of content
at all.

A general description of the impact and nature of AV Bypasses/evasions
can be read at :  
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html


IV. Disclosure time-line
~
DD/MM/
23/03/2009 : Send proof of concept (ZIP), description, the terms under which
 I cooperate and the planned disclosure date.
 
04/04/2009 : Send proof of concept (RAR)
 
07/04/2009 : Ikarus acknowledges receipt, patching Dev builds has begun

10/04/2009 : Resending ZIP PoC

13/04/2009 : Submitting CAB PoC

17/04/2009 : Ikarus demands to delay disclosure

01/05/2009 : Ikarus states that it has started Q&A for the new builds

03/06/2009 : Ikarus informs me that they started deploying the patches/updates
 Credit will be given on a website to come.
 
09/06/2009 : Release of this advisory.




[Full-disclosure] [TZO-30-2009] Kaspersky and the silent patch that wasn't (PDF evasion, forced full disclosure)

2009-06-13 Thread Thierry Zoller


From the facepalm department
  Kaspersky and the silent fix that wasn't
PDF Evasion


Release mode: Forced disclosure
Ref : [TZO-30-2009] - Kaspersky PDF evasion (Forced disclosure)
WWW : 
http://blog.zoller.lu/2009/05/advisory-kaspersky-generic-pdf-evasion.html
Vendor  : http://www.kaspersky.com
Status  : Silent fix that doesn't work - No appropriate patch 
CVE : none provided
Credit  : none given
OSVDB vendor entry: No [1]

Security notification reaction rating : Catastrophic

Not only did the headquarters not answer, they (tried) to patch this
vulnerability silently, only to fail at it. See Timeline.

This is not the first time that Kaspersky did not answer but patched
bugs without credit, advisory or anything. This is however the last 
time I will not disclose, I am no longer part of an entity that tolerates
irresponsible non-disclosure. 

A professional reaction to a vulnerability notification is a way to measure
the maturity of a vendor in terms of security. Kaspersky is given a grace
period of two (2) weeks to reply to my notifications. Failure to do so will
result in details of all the other reported bugs being released in two (2) weeks.

Notification to patch window : x+n 
Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products (all versions) :
- Kaspersky Internet Security
- Kaspersky Anti-Virus
- Kaspersky Mobile Security
- Kaspersky Small Office Security
- Kaspersky Open Space Security
  - Kaspersky Business Space Security
  - Kaspersky Work Space Security
  - Kaspersky Enterprise Space Security
- Kaspersky Targeted Security
- Kaspersky® Anti-Virus for Microsoft ISA Server
- Kaspersky® Anti-Virus for Proxy Server
- Kaspersky® Anti-Virus for Check Point Firewall-1 
- Kaspersky® Anti-Virus for Windows Server
- Kaspersky® Anti-Virus for Windows Server Enterprise Edition
- Kaspersky® Anti-Virus for Novell NetWare
- Kaspersky® Anti-Virus for Linux File Server
- Kaspersky® Anti-Virus for Samba Server 
- Kaspersky® Security for Microsoft Exchange 2007
- Kaspersky® Security for Microsoft Exchange 2003
- Kaspersky® Anti-Virus for Lotus Notes/Domino 
- Kaspersky® Anti-Virus for Windows Workstation
- Kaspersky® Anti-Virus for Linux Workstation 
- Kaspersky® Anti-Virus for Linux Mail Server
- Kaspersky® Mail Gateway
- Kaspersky® Anti-virus for MIMEsweeper 

See notification and disclosure terms for details about this list.

I. Background
~
Quote: "We develop, produce and distribute information security solutions that 
protect our customers from IT threats and allow enterprises to manage risk. 
We provide products that protect information from viruses, hackers and spam 
for home users and enterprises and offer consulting services and technical 
support. "


II. Description
~~~
The PDF files are not parsed correctly. A PDF file starts with the magic
bytes "%PDF" and ends with the magic bytes "%%EOF"; everything in between
those markers is parsed and interpreted. Furthermore, PDF files are read from
the bottom to the top.

Neither Adobe Acrobat nor Foxit Reader cares too much about the data that
comes prior to the magic bytes; the Kaspersky engine does. Not only does
it care, it fails to detect the malware inside the PDF file.

I will spare you the details, a PDF file is basically a container that
starts with %PDF and ends with %%EOF.

What follows are the details of this evasion; note this one is generic
and the easiest one, there are plenty more. What you read below is true,
as amazing as it might seem, you can't have it more simple.

Example of a malicious PDF file [2]+[3] :

  %PDF
  Malicious content here
  %%EOF

Doing :

  Enter stuff here, like random text.
  %PDF
  Malicious content here
  %%EOF
  
This has the result that the malware is no longer being detected.
Note: Not a single byte of the malware itself has been altered, and strictly speaking
the content that represents a PDF file hasn't been changed at all.

This has been tested with several malicious PDF files and represents
a generic evasion of all PDF signatures and heuristics.

Kaspersky was given the PoC file directly through myself and F-Secure; they
went ahead and patched this by adding a signature for the PoC file. Adding
a PE header in front of a PDF file (with a PDF extension) still evades detection
and the exploit still triggers when opening the file with Adobe. Thus the
patch is flawed by design.

III. Impact
~~~
The heuristics can be bypassed by a specially formatted PDF "container"; this
leads to the bypass of malicious PDF files, old or new. This is not a
bypass that relies on archive structures but relies on evading certain
code paths in the AV engine "through various means".

A general description of the impact and nature
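
An added example for the PDF container evasion described in this advisory (written for this page; it is not Kaspersky's engine code nor the advisory's PoC). It contrasts a scanner that treats a file as a PDF only when byte 0 is "%PDF" with one that first locates the "%PDF ... %%EOF" container a reader would render and then applies its content rules to that span. The content rule, the PDF skeleton, the junk prefix quoted from the advisory and the "MZ" stub (a constructed DOS-header fragment, not a real executable) are all constructed for the example; a real engine uses far more specific signatures, but the ordering problem is identical.

```python
import re

# Constructed content rule: a catalog whose OpenAction runs JavaScript.
# Real signatures are more specific; what matters here is where the rule runs.
PDF_RULES = [
    re.compile(rb"/OpenAction\s*<<[^>]*?/S\s*/JavaScript"),
]


def scan_naive(data: bytes) -> bool:
    """Weak behaviour: only files beginning with '%PDF' are treated as PDFs.
    Anything else is skipped outright, so the content rules never run."""
    if not data.startswith(b"%PDF"):
        return False
    return any(rule.search(data) for rule in PDF_RULES)


def locate_pdf(data: bytes):
    """Return (start, end) of the %PDF ... %%EOF container wherever it sits
    in the file, or None when there is no such container."""
    start = data.find(b"%PDF")
    if start < 0:
        return None
    end = data.rfind(b"%%EOF")
    if end < start:
        return None
    return start, end + len(b"%%EOF")


def scan_robust(data: bytes) -> bool:
    """Hardened behaviour: apply the rules to the container a reader would
    actually render, regardless of what precedes it. The whole file is
    searched; bounding the search is only safe if the bound matches every
    consumer's tolerance for leading bytes."""
    span = locate_pdf(data)
    if span is None:
        return False
    start, end = span
    return any(rule.search(data, start, end) for rule in PDF_RULES)


# Constructed sample: a harmless PDF skeleton whose only "suspicious" trait is
# the OpenAction/JavaScript combination the rule above looks for.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n"
    b"<< /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\n"
    b"endobj\n"
    b"trailer\n<< /Root 1 0 R >>\n"
    b"%%EOF\n"
)
JUNK_PREFIX = b"Enter stuff here, like random text.\n"   # the advisory's own example
PE_PREFIX = b"MZ" + b"\x00" * 62                          # constructed DOS-header stub


def demo():
    """(naive verdict, robust verdict) for each variant of the same content."""
    return {
        "plain": (scan_naive(SAMPLE_PDF), scan_robust(SAMPLE_PDF)),
        "junk": (scan_naive(JUNK_PREFIX + SAMPLE_PDF), scan_robust(JUNK_PREFIX + SAMPLE_PDF)),
        "pe": (scan_naive(PE_PREFIX + SAMPLE_PDF), scan_robust(PE_PREFIX + SAMPLE_PDF)),
    }


if __name__ == "__main__":
    for variant, verdicts in demo().items():
        print(f"{variant}: naive={verdicts[0]} robust={verdicts[1]}")
```

The advisory's complaint about the vendor's fix maps directly onto this: adding a signature for one PoC file patches `scan_naive`'s rule list, while the flaw is that the rules are gated on byte 0 in the first place.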

Re: [Full-disclosure] [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass?

2009-06-05 Thread Thierry Zoller
Hi,

AJE> We have seen 44 sites in the last year at WhiteHat Security that were
AJE> vulnerable to Fullwidth unicode-encoded attacks. This one tends to be
AJE> more ubiquitous than others when you find it. In the applications weak
AJE> to this -- we found roughly 200 locations vulnerable to attack in
AJE> those 44 applications, and each location would have multiple inputs,
AJE> so you are probably talking 1,000+ inputs vulnerable to attack using
AJE> this encoding.

The discussion of how many inputs are vulnerable is kind of
ludicrous, isn't it? As it nearly always boils down to the same set of impacts
even if you have a trillion inputs vulnerable, per domain.

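
An added example for the fullwidth-encoded input the quoted WhiteHat text refers to (written for this page; not code from either poster). It shows the ordering bug behind this class of bypass: a filter that checks the raw input for dangerous characters and leaves Unicode normalisation to a later layer accepts a fullwidth "＜script＞", which NFKC then folds into plain ASCII. The hardened variant normalises first and validates the canonical form. It also shows the caveat that the double angle quotation marks in the thread subject are not compatibility variants of "<" and ">", so normalisation alone does not cover them. The blocklist and sample strings are constructed.

```python
import unicodedata

# Constructed blocklist standing in for whatever characters the filter rejects.
BLOCKLIST = ("<", ">", '"', "'")


def naive_filter(value: str) -> bool:
    """Weak ordering: check the raw input; normalisation happens somewhere later."""
    return not any(ch in value for ch in BLOCKLIST)


def normalise(value: str) -> str:
    """NFKC folds compatibility characters (fullwidth forms among them) into
    their canonical counterparts, e.g. U+FF1C FULLWIDTH LESS-THAN SIGN -> '<'."""
    return unicodedata.normalize("NFKC", value)


def hardened_filter(value: str) -> bool:
    """Validate the canonical form: normalise first, then apply the blocklist."""
    return naive_filter(normalise(value))


# Constructed sample inputs.
FULLWIDTH_TAG = "\uff1cscript\uff1e"      # fullwidth '<' and '>'
GUILLEMET_TAG = "\u00abscript\u00bb"      # the << >> marks from the thread subject


def demo():
    return {
        "naive_accepts_fullwidth": naive_filter(FULLWIDTH_TAG),
        "fullwidth_normalised": normalise(FULLWIDTH_TAG),
        "hardened_accepts_fullwidth": hardened_filter(FULLWIDTH_TAG),
        "hardened_accepts_plain_text": hardened_filter("hello, world"),
        # NFKC leaves the guillemets alone, so this case needs a rule of its own
        # if the consumer treats them as delimiters.
        "guillemets_unchanged_by_nfkc": normalise(GUILLEMET_TAG) == GUILLEMET_TAG,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Whether any given sink actually normalises is application-specific; the defensive rule is simply that validation must run on the same representation the sink consumes.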


Re: [Full-disclosure] TPTI-09-03: Apple iTunes Multiple Protocol Handler Buffer Overflow Vulnerabilities

2009-06-03 Thread Thierry Zoller
Hi Will,

WD> Here's the (mac) exploit module to go along with my simul-report to
WD> apple:  http://static.dataspill.org/releases/itunes/itms_overflow.rb

OMFG, you must be kidding, are we in 1999 again ?? Classical stack buffer
overflow in URL request ?! ..o m f g =) Nice find!

itms_base_url = "itms://:"
itms_base_url << "A"*268  # Fill up the real buffer
itms_base_url << ""  # $ebx, $esi, $edi, $ebp
itms_base_url << target['Addr']  # hullo there, jmp *%ecx!


-- 
http://blog.zoller.lu
Thierry Zoller



Re: [Full-disclosure] Is FFSpy a hoax?

2009-05-30 Thread Thierry Zoller

Relatively old discussion, log into bugzilla and search - or read :
http://lhs.loria.fr/index.php?option=com_content&view=article&id=62:malicious-firefox-extensions&catid=36:news&Itemid=54
http://indefinitestudies.files.wordpress.com/2008/08/beaucamps-reynaud-maliciousextensions-en.pdf



-- 
http://blog.zoller.lu
Thierry Zoller



Re: [Full-disclosure] [TZO-27-2009] Firefox Denial of Service (Keygen)

2009-05-28 Thread Thierry Zoller
Hi Travis,

With all due respect:

>A memory leak in an interactive program that requires you to view a hostile
>page for 9hours is clearly of negligible security impact.
Ok I will take the strawman :

The impact is Denial of Service.

Ignoring  that  this  discussion is of *any* interest to anybody
or even for this overly stupid problem :
- 9 hours for 300+ megabytes
- x minutes for x bytes

Only a few bytes of "k" lead to the compromise of the private key
(DSA). Does this matter? Not really. It's your key anyways. Does
something "leak" to somewhere where it's not supposed to be? No. Memory
is just not correctly freed.

---
I'm sure that if you were to familiarise yourself with the some of the
rudimentary concepts involved in dynamic memory allocation you will
understand their decision.
---
Yep, I am an ignorant idiot, can we move on now ? If *you* can't
imagine a setup or extreme border case where (as example) entropy that
is being collected is indirectly affected, be it in quality of entropy
or size, then clearly *I* must be the idiot that doesn't understand the
concept of memory allocations.

---
Rest assured, there is zero possibility that a memory leak can result in
"reduced entropy, weak key material etc" as you mentioned in email.

If you want to discuss further I'd recommend taking it off list.

General comment: I am interested to see the kind of feedback I
get when posting a Firefox bug as opposed to bugs of other vendors.
It's almost like you hit a little boy and everybody steps in for
his defence.

Anyways, too much noise for such a stupid, near irrelevant bug.



-- 
http://blog.zoller.lu
Thierry Zoller



[Full-disclosure] [TZO-27-2009] Firefox Denial of Service (Keygen)

2009-05-27 Thread Thierry Zoller


  From the very-low-hanging-fruit-department
   Firefox Denial of Service (KEYGEN)



Release mode: Forced release.
Ref : [TZO-27-2009] - Firefox Denial of Service (KEYGEN)
WWW : 
http://blog.zoller.lu/2009/04/advisory-firefox-denial-of-service.html
Vendor  : http://www.firefox.com
Status  : No patch
CVE : none provided
Credit  : none 
Bugzilla entry: https://bugzilla.mozilla.org/show_bug.cgi?id=469565

Security notification reaction rating : There wasn't any appropriate reaction. 
Notification to patch window : x+n

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Firefox 3.0.10 (Windows)
- Likely : All Firefox versions supporting the KEYGEN tag.

I. Background
~
Firefox is a popular Internet browser from the Mozilla Corporation. In 2007 the
Mozilla Corporation had a revenue of over 75 million dollars [1], out of
which 68 million were made with a search advertising deal, in other words with
the search box in Firefox that defaults to Google.

I envy the spirit of everyone that works on Firefox code in their spare time, 
for free. 

II. Description
~~~
This bug is a simple design bug that results in an endless loop (and interesting
memory leaks).

Once upon a time Netscape thought it would be a great idea to add the keygen tag
(<keygen>) as a feature to their browser. The keygen tag offers a simple way
of automatically generating key material using various algorithms. For instance
it is possible to generate RSA, DSA and EC key material.

"The public key and challenge string are DER encoded as PublicKeyAndChallenge and
then digitally signed with the private key to produce a SignedPublicKeyAndChallenge.
The SignedPublicKeyAndChallenge is base64 encoded, and the ASCII data is finally
submitted to the server as the value of a name-value pair, where the name is
specified by the NAME attribute of the KEYGEN tag."

More information: 
https://developer.mozilla.org/En/HTML/HTML_Extensions/KEYGEN_Tag

This feature includes the automatic submission of the public part to a script,
the crux. The Keygen tag reloads the document by submitting the public key as
an argument to the current URI. Combining this with a javascript body onload() call
(or meta refresh) results in a neat endless loop blocking access to the UI.

Furthermore memory is leaked during the process.
 
III. Impact
~~~
The browser doesn't respond any longer to any user input, tabs are no 
longer accessible, your work if any might be lost. Restarting the
Firefox process and restoring the previous Firefox session will
re-spawn the tab and start the loop again.

According to a Bugzilla entry memory is also leaked during the process.

So let's recap, we have a function that generates key material and looping
causes memory to leak. One might think this should be important enough 
to investigate, especially if you know that for DSA for instance, only
a few bits of k can reveal an entire private key. [3] 

Note: I am not saying the memory leaks include key material, seeing the lack
of interest this bugzilla ticket triggered, I have not considered investigating
further. What I am saying is that if security is taken seriously
memory leaks that directly or indirectly happen during key generation
need to be investigated thoroughly.


IV. Proof of concept (hold your breath)
~~~








Live : http://secdev.zoller.lu/ff_dos_keygen.html


V. Disclosure timeline
~
DD/MM/
14/12/2008 : Created bugzilla entry (security) with (the wrong) proof of concept
 file.

14/12/2008 : Attached the correct POC file (mea culpa) and a stack trace and details
 of memory corruption that repeatedly occurred during testing the POC

24/12/2008 : dved...@mozilla.com comments : "I can definitely confirm the denial
 of service aspect, and there's a very minor memory leak (after 9
 hours of CPU time memory use went from 60MB to 360MB). Haven't been
 able to reproduce a crash."

27/05/2009 : The 4 month grace period [2] given is reached. Release of this advisory.


[1] 
http://www.mozilla.org/foundation/documents/mf-2007-audited-financial-statement.pdf
http://www.guidestar.org/FinDocuments//2007/200/097/2007-200097189-047bbaa9-9.pdf
[2] http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
[3] http://rdist.root.org/?s=dsa



Re: [Full-disclosure] [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)

2009-05-27 Thread Thierry Zoller
Hi Michal,

Yep, positive, welcome to the world of rediscovery, sad that the bug seems
to have been known since 2007. Talk about Mozilla being the fastest to
patch. Ticket has now been marked as duplicate of that one.




-- 
http://blog.zoller.lu
Thierry Zoller



Re: [Full-disclosure] Addendum : [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)

2009-05-27 Thread Thierry Zoller
Hi Jim,

Read again:
Affected : All Firefox versions that support SVG.

Then think about what version of Firefox you are using.

JP> If I understand the process, saving the text at [IV. Proof of
JP> concept] (following the "~~~..." to an .XHTML file, and launch the
JP> file using Firefox, I should lose functionality ("Browser doesn't
JP> respond any longer to any user input, all tabs are no longer
JP> accessible, your work if any  (hail to the web 2.0) might be lost.")

JP> Using FF2.0.0.20 and the file does not result in loss of use. All
JP> tabs are functional. All JAVA links continue function.  Same
JP> result for naming the POC file to .HTML, .HTM.

>>>> Thierry Zoller  05/26/2009 13:13 >>>


JP> For  those that failed to reproduce, try naming the POC file with an XHTML
JP> extension.


JP> ___
JP> Full-Disclosure - We believe in it.
JP> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
JP> Hosted and sponsored by Secunia - http://secunia.com/



-- 
http://blog.zoller.lu
Thierry Zoller



[Full-disclosure] Addendum : [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)

2009-05-26 Thread Thierry Zoller


For  those that failed to reproduce, try naming the POC file with an XHTML
extension.



Re: [Full-disclosure] [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)

2009-05-26 Thread Thierry Zoller
Hi Sub,

S> does not work on firefox 3.0.10, tested
Reproduced the bug on 3.0.10 prior to posting.



-- 
http://blog.zoller.lu
Thierry Zoller



[Full-disclosure] [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)

2009-05-26 Thread Thierry Zoller


   From the low-hanging-fruit-department 
 Firefox et al. Denial of Service - All versions supporting SVG


CHEAP Plug :

You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!


Release mode: Forced release.
Ref : [TZO-26-2009] - Firefox DoS (unclamped loop) SVG
WWW : http://blog.zoller.lu/2009/04/advisory-firefox-dos-condition.html
Vendor  : http://www.firefox.com
Status  : No patch
CVE : none provided
Credit  : none 
Bugzilla entry: https://bugzilla.mozilla.org/show_bug.cgi?id=465615

Security notification reaction rating : There wasn't any reaction. OSS Security 
notification FTW
Notification to patch window : x+n

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Firefox all supporting SVG (didn't care to investigate which, task of the 
vendor)
- all software packages using mozilla engine and allowing SVG

I. Background
~
Firefox is a popular internet browser.

II. Description
~~~
This bug is a typical result of what we call an unclamped loop. An "attacker"
will give the Radius value of the Circle attribute a very big value. That
is leetness. 

Stack trace : 
ntkrnlpa.exe+0x6e9ab
ntkrnlpa.exe!MmIsDriverVerifying+0xbb0
hal.dll+0x2ef2
xul.dll!NS_InvokeByIndex_P+0x30c36
xul.dll!NS_InvokeByIndex_P+0x30e8a
xul.dll!NS_InvokeByIndex_P+0x30e02
xul.dll!NS_InvokeByIndex_P+0x30f5e
xul.dll!XRE_InitEmbedding+0x7858
xul.dll!XRE_InitEmbedding+0xf4ee
xul.dll!XRE_TermEmbedding+0x11411
xul.dll!gfxTextRun::Draw+0xdd4d
xul.dll!gfxTextRun::Draw+0xe1ca
xul.dll!gfxWindowsPlatform::PrefChangedCallback+0x1495
xul.dll!gfxTextRun::SetSpaceGlyph+0x2678
xul.dll!gfxFont::NotifyLineBreaksChanged+0xf1d3
xul.dll!gfxWindowsPlatform::RunLoader+0xa9f6
xul.dll!NS_StringCopy_P+0x9942
xul.dll!gfxImageSurface::gfxImageSurface+0x3188
xul.dll!gfxImageSurface::gfxImageSurface+0x2ed8


Also produces exceptions in MOZCRT19...
MOZCRT19!modf+0x2570:
600715e0 660f122550450960 movlpd  xmm4,qword ptr 
[MOZCRT19!exception::`vftable'+0x1a3d8 (60094550)] 
ds:0023:60094550=3fe62e42fefa39ef

III. Impact
~~~
Browser doesn't respond any longer to any user input, all tabs are no 
longer accessible, your work if any  (hail to the web 2.0) might be lost.

IV. Proof of concept (hold your breath)
~~~







IV. Disclosure timeline
~
DD/MM/
18/11/2008 : Created bugzilla entry (security) with proof of concept, 
 a description of the terms under which I cooperate and the planned 
disclosure date.

24/22/2008 : Daniel Veditz comments : "Might be a cairo bug rather than SVG 
 (seems to be looping in libthebes), but I can definitely confirm 
 the DoS."
  
14/12/2008 : Ask for any action plan and my assessment of considering it low 
risk

 No reply.

28/12/2008 : "Timeless" comments [..] personally, i intend to open this bug 
 to the public [..] a bug like this is more likely to be fixed 
 by being visible to more people than by leaving it in 
a closet.
 
26/05/2009 : In 2009 I agree; release of this advisory. 






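Added example, not part of the advisory above and not Mozilla's code. The
advisory attributes the hang to a <circle> radius large enough to drive an
unclamped rendering loop. The place to stop that on the server side is any
site that stores and re-serves SVG it did not author (avatars, diagrams,
badges): it can refuse such a document before any browser parses it. The
Python below parses the SVG with the standard library, checks a set of
length-type attributes and fails closed on anything unparseable or beyond a
bound. The bound (10^6 user units), the attribute list and the unit table are
assumptions chosen for this demo, not values from the advisory or from any
renderer.

```python
"""Geometry sanity check for user-supplied SVG.

Added example, not code from the advisory or from Mozilla. The limit, the
attribute list and the unit table are assumptions made for this demo.
"""
import re
import xml.etree.ElementTree as ET

MAX_LENGTH = 1_000_000.0   # assumed upper bound for any length, in user units
GEOMETRY_ATTRS = ("r", "rx", "ry", "width", "height", "stroke-width",
                  "x", "y", "cx", "cy", "x1", "y1", "x2", "y2")
KNOWN_UNITS = {"", "px", "em", "ex", "pt", "pc", "cm", "mm", "in", "%"}
_LENGTH = re.compile(r"^\s*([+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?)\s*([A-Za-z%]*)\s*$")


def svg_length(value):
    """Parse an SVG <length> into (magnitude, unit); None if it is not one.

    float() maps out-of-range literals such as "1e400" to inf, which is the
    case the caller wants to catch, so nothing is clamped here.
    """
    m = _LENGTH.match(value)
    if not m:
        return None
    unit = m.group(2).lower()
    if unit not in KNOWN_UNITS:
        return None
    return float(m.group(1)), unit


def audit_svg(doc, limit=MAX_LENGTH):
    """List (tag, attribute, raw value, reason) for every geometry attribute
    that is unparseable or whose magnitude exceeds `limit`; [] means clean.

    Malformed XML raises ET.ParseError. For untrusted input in production,
    parse with defusedxml instead of the stdlib parser.
    """
    findings = []
    root = ET.fromstring(doc)
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]          # drop the SVG namespace
        for attr in GEOMETRY_ATTRS:
            raw = elem.get(attr)
            if raw is None:
                continue
            parsed = svg_length(raw)
            if parsed is None:
                findings.append((tag, attr, raw, "unparseable"))
                continue
            magnitude, unit = parsed
            if unit == "%":
                continue   # percentages resolve against the viewport and stay bounded
            if abs(magnitude) > limit:
                findings.append((tag, attr, raw, "exceeds-limit"))
    return findings


def is_safe_svg(doc, limit=MAX_LENGTH):
    """Fail closed: malformed XML or any finding means the document is refused."""
    try:
        return not audit_svg(doc, limit)
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed samples: an ordinary circle and one with an absurd radius.
    benign = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="40"/></svg>'
    huge = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="9e99"/></svg>'
    print(audit_svg(benign))   # []
    print(audit_svg(huge))     # [('circle', 'r', '9e99', 'exceeds-limit')]
```

The check is deliberately a reject rather than a rewrite: clamping a radius
silently would change what the image shows, while refusing the upload keeps
the decision auditable. Percentages are skipped because they resolve against
the viewport; absolute lengths in any unit are compared against the same
bound, which is crude but errs on the side of refusing.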

Re: [Full-disclosure] PAPER: Generic Unpacking of Self-modifying, Aggressive, Packed Binary Programs

2009-05-25 Thread Thierry Zoller

Hi,

>> - RL!unpack
>>  http://ap0x.jezgra.net/unpackers.html
Second download entry on that page : RL!Unpack







-- 
http://blog.zoller.lu
Thierry Zoller



Re: [Full-disclosure] PAPER: Generic Unpacking of Self-modifying, Aggressive, Packed Binary Programs

2009-05-25 Thread Thierry Zoller
Hi Piotr,

Any information with regards to how MMMBoB performs when trying to
unpack a bit more obfuscated/aggressive packers like Themida / VMprotect ?



On a side note:
I  see  often that some generic unpackers are rarely cited/referenced,
although they are interesting and perform astonishingly well.

Here are two generic unpackers I think deserve some exposure too :

- RL!unpack
  http://ap0x.jezgra.net/unpackers.html
  (tested against 101+ packers/mods)

- Quickunpack
   http://rapidshare.com/files/104264619/qunpack21.zip







-- 
http://blog.zoller.lu
Thierry Zoller



[Full-disclosure] [TZO-25-2009] Panda generic evasion (TAR)

2009-05-22 Thread Thierry Zoller


  From the low-hanging-fruit-department
   Panda generic evasion (TAR)


Why are there two panda advisories instead of one ? See
http://blog.zoller.lu/2009/05/100th-post-what-about-big-guys.html


You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!


Release mode: Coordinated but limited disclosure.
Ref : TZO-25-2009 - Panda generic evasion (TAR)
WWW : 
http://blog.zoller.lu/2009/04/advisory-panda-generic-evasion-tar.html
Vendor  : http://www.pandasecurity.com
Status  : Patched (Through hotfix and automatic update)
CVE : none provided
OSVDB listing: No [1]
Credit :
http://www.pandasecurity.com/homeusers/support/card?id=80060&idIdioma=2
http://www.pandasecurity.com/homeusers/support/card?id=60039&idIdioma=2
http://www.pandasecurity.com/homeusers/support/card?id=70025&idIdioma=2

Security notification reaction rating : Good
Notification to patch window : +-22 days 

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Global Protection 2009 (Hotfix)
- Internet Security 2009 (Hotfix)
- Panda Antivirus Pro 2009 (Hotfix)
- Panda Security for Business with Exchange
- Panda Security for Business
- Panda Security for Enterprise
- Panda GateDefender Integra (patched through automatic updates)
- Panda GateDefender Performa (patched through automatic updates) 
- Panda AdminSecure (patched through automatic updates)

SaaS
- Panda Managed Office Protection
- TrustLayer Mail
Quote : "What virus protection guarantees does TrustLayer offer?
With respect to the antivirus filtering service, TrustLayer 
offers a 100% virus-free contractual guarantee."

I. Background
~
Quote: "Panda Security is one of the world's leading creators 
and developers of technologies, products and services for 
keeping clients' IT resources free from viruses and other 
computer threats at the lowest possible Total Cost of Ownership."

II. Description
~~~
The parsing engine can be bypassed by a specially crafted RAR
archive.

III. Impact
~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within TAR archives. There is no inspection of the content
at all and hence the impossibility to detect malicious code.

IV. Disclosure timeline
~
DD/MM/
28/04/2009 : Sent proof of concept TAR, a description of the terms under which 
 I cooperate and the planned disclosure date
 
07/05/2009 : Resent POC, description and terms

11/05/2009 : Inform Panda that this is my last attempt to contact them and
 that I will publish the information on the 20th of May.

11/05/2009 : Panda informs me that they are still evaluating and fixing
 release dates and asks for more time.

11/05/2009 : Panda states that they sent me a fix for the TAR bug in
 order to cross check it fixes the problem.
 
21/05/2009 : Panda informs me of the release of hotfixes and affected
 Products.
 
22/05/2009 : Ask for clarification on affected products

22/05/2009 : Release of this advisory.   
 

[1]
Panda is invited to leave their security contact e-mail address at
http://osvdb.org/vendor/1/Panda%20Software .





[Full-disclosure] [TZO-24-2009] Panda generic evasion (CAB)

2009-05-22 Thread Thierry Zoller


   From the low-hanging-fruit-department
   Panda generic evasion (CAB)


Why are there two panda advisories instead of one ? See
http://blog.zoller.lu/2009/05/100th-post-what-about-big-guys.html

CHEAP Plug :

You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!


Release mode: Coordinated but limited disclosure.
Ref : TZO-24-2009 - Panda generic evasion (CAB)
WWW : 
http://blog.zoller.lu/2009/04/why-are-there-two-panda-advisories.html
Vendor  : http://www.pandasecurity.com
Status  : Patched (Through hotfix and automatic update)
CVE : none provided
OSVDB listing: No [1]
Credit :
http://www.pandasecurity.com/homeusers/support/card?id=80060&idIdioma=2
http://www.pandasecurity.com/homeusers/support/card?id=60039&idIdioma=2
http://www.pandasecurity.com/homeusers/support/card?id=70025&idIdioma=2

Security notification reaction rating : Good
Notification to patch window : +-32 days

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Global Protection 2009 (Hotfix)
- Internet Security 2009 (Hotfix)
- Panda Antivirus Pro 2009 (Hotfix)
- Panda Security for Business with Exchange
- Panda Security for Business
- Panda Security for Enterprise
- Panda GateDefender Integra (patched through automatic updates)
- Panda GateDefender Performa (patched through automatic updates) 
- Panda AdminSecure (patched through automatic updates)

SaaS
- Panda Managed Office Protection
- TrustLayer Mail
Quote : "What virus protection guarantees does TrustLayer offer?
With respect to the antivirus filtering service, TrustLayer 
offers a 100% virus-free contractual guarantee."

I. Background
~
Quote: "Panda Security is one of the world's leading creators 
and developers of technologies, products and services for 
keeping clients' IT resources free from viruses and other 
computer threats at the lowest possible Total Cost of Ownership."

II. Description
~~~
The parsing engine can be bypassed by a specially crafted CAB
archive.

III. Impact
~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within CAB archives. There is no inspection of the content
at all and hence the impossibility to detect malicious code.

IV. Disclosure timeline
~
DD/MM/
13/04/2009 : Send proof of concept CAB, a description of the terms under which 
 I cooperate and the planned disclosure date
 
13/04/2009 : Panda acks receipt and starts investigating 
 
15/04/2009 : Panda denies DoS and bypass condition and considers the bug a 
 reporting issue as a MAX Size rule blocks the sample.
 
16/04/2009 : Ask if the Gatedefender product ranges, detects, flags or
 blocks the POC file. 

17/04/2009 : Provide a new POC file to Panda that aims at evading
 the Max Size rule and detection.
 
17/04/2009 : Panda acks receipt and will investigate.

20/04/2009 : Inform Panda that I sent the wrong POC on the 17/04/2009
 and attached the correct one.

28/04/2009 : Ping Panda for updates

28/04/2009 : Panda states that they are planning the patch timeline 
 and will inform me asap.

21/05/2009 : Panda informs me of the release of hotfixes and affected
 Products.
 
22/05/2009 : Ask for clarification on affected products

22/05/2009 : Release of this advisory.   
 


[1]
Panda is invited to leave their security contact e-mail address at
http://osvdb.org/vendor/1/Panda%20Software .






[Full-disclosure] [TZO-22-2009] Bitdefender generic evasion of heuristics (for PDF)

2009-05-18 Thread Thierry Zoller


 From the low-hanging-fruit-department
 Bitdefender generic evasion of heuristics (for PDF)


CHEAP Plug :

You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!


Release mode: Coordinated but limited disclosure.
Ref : [TZO-23-2009] - Bitdefender generic PDF evasion (heuristics)
WWW : 
http://blog.zoller.lu/2009/04/advisory-bitdefender-generic-evasion.html
Vendor  : http://www.bitdefender.com
Status  : Patched (with sig update after 13.05.2009)
CVE : none provided
Credit  : none 
OSVDB vendor entry: none [1]
Security notification reaction rating : good
Notification to patch window : 5 days

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Bitdefender Antivirus 2009 
- Bitdefender Internet Security 2009 
- Bitdefender Total Security 2009 
- Bitdefender Small Office Security 
- Bitdefender for Fileservers 
- Bitdefender for Samba
- Bitdefender for Sharepoint 
- Bitdefender Security for Exchange 
- Bitdefender Security for Mailservers 
- Bitdefender for ISA Servers 
- Bitdefender Client security 

Bundles:
- BitDefender Business Security 
- Bitdefender Antivirus for Unices 
- Bitdefender Corporate Security 
- Bitdefender SBS Security 

I. Background
~
Quote: "BitDefender™ provides security solutions to satisfy the protection 
requirements of today's computing environment, delivering effective threat 
management for over 41 million home and corporate users in more than 100 
countries. BitDefender, a division of SOFTWIN, is headquartered in Bucharest, 
Romania and has offices in Tettnang, Germany, Barcelona, United Kingdom, 
Denmark, Spain and Fort Lauderdale (FL), USA."


II. Description
~~~
The heuristics can be bypassed by a specially formatted PDF "container", this
leads to the bypass of malicious PDF files, old or new. This is not a 
bypass that relies on archive structures but relies on evading certain 
code paths in the AV engine "through various means".


III. Impact
~~~
To know more about the impact and type of "evasion", I updated the 
description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

Interestingly this opens the possibility to evade at scan time and
run-time.


IV. Disclosure timeline
~
DD/MM/
08/05/2009 : Send proof of concept, a description of the terms under which 
 I cooperate and the planned disclosure date.
 
13/05/2009 : Bitdefender notifies me that the patch was deployed.


[1]
Bitdefender is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/SOFTWIN to facilitate communication and reduce 
lost reports.





[Full-disclosure] [TZO-23-2009] Avira antivir generic evasion of heuristics (for PDF)

2009-05-18 Thread Thierry Zoller


   From the low-hanging-fruit-department 
Avira Antivir generic PDF evasion of heuristics


CHEAP Plug :

You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!


Release mode: Coordinated but limited disclosure.
Ref : [TZO-22-2009] - Avira Antivir generic PDF evasion (heuristics)
WWW : 
http://blog.zoller.lu/2009/04/advisory-avira-antivir-generic-evasion.html
Vendor  : http://www.avira.com
Status  : Patched (Engine-Version: AV7 7.9.0.168 / AV8/9: 8.2.0.168)
CVE : none provided
Credit  : t.b.a
OSVDB vendor entry: none [1]
Security notification reaction rating : good
Notification to patch window : 10 days

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Avira AntiVir Free 
- Avira AntiVir Premium 
- Avira AntiVir Premium Security Suite 
- Avira AntiVir Professional (Desktop)
- Avira AntiVir Server 
- Avira AntiVir Exchange 
- Avira AntiVir SharePoint
- Avira AntiVir ISA Server
- Avira AntiVir MIMEsweeper 
- Avira AntiVir for KEN! 4 
- Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
- Avira AntiVir Professional (Unix) 
- Avira AntiVir Server (Unix) 
- Avira AntiVir MailGate 
- Avira AntiVir WebGate 

I. Background
~
Quote: "Avira AntiVir is a reliable free antivirus solution, that constantly 
and rapidly scans your computer for malicious programs such as viruses, 
Trojans, backdoor programs, hoaxes, worms, dialers etc. Monitors 
every action executed by the user or the operating system and reacts 
promptly when a malicious program is detected.

The protection experts have numerous company locations throughout 
Germany and cultivate partnerships in Europe, Asia and America. 
Avira has more than 180 employees at their main office in Tettnang 
near Lake Constance and is one of the largest employers in the region. 

AV-Comparatives e.V. have chosen Avira AntiVir Premium as the 
best anti-virus solution of 2008"


II. Description
~~~
The heuristics can be bypassed by a specially formatted PDF "container", this
leads to the bypass of malicious PDF files, old or new. This is not a 
bypass that relies on archive structures but relies on evading certain 
code paths in the AV engine "through various means".


III. Impact
~~~

To know more about the impact and type of "evasion", I updated the 
description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

Interestingly this opens the possibility to evade at scan time and
run-time.


IV. Disclosure timeline
~
DD/MM/
08/05/2009 : Send proof of concept, a description of the terms under which 
 I cooperate and the planned disclosure date.
 
10/05/2009 : Avira acknowledges receipt.

11/05/2009 : Avira states that the internal development build has been
 patched and that the public updates are to be rolled out
 end of the week.

18/05/2009 : Avira informs me that "we already released the fixed engine 
 to the public on friday, 15th May, 17:59 pm CET: 
 Engine-Version: AV7 7.9.0.168 / AV8/9: 8.2.0.168
 
18/05/2009 : Release of this advisory.
 

[1]
Avira is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/AVIRA%20GmbH to facilitate communication and reduce 
lost reports.






Re: [Full-disclosure] IIS6 + webdav and unicode rides again in 2009

2009-05-15 Thread Thierry Zoller

FYI: IIS7 + Webdav seems not to be affected
I can't stress enough that this is not a simple auth bypass only -
You can _upload_ arbitrary data to the server.

http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html



-- 
http://blog.zoller.lu
Thierry Zoller



Re: [Full-disclosure] IIS6 + webdav and unicode rides again in 2009

2009-05-15 Thread Thierry Zoller
Hi,

PDF as image:
http://view.samurajdata.se/psview.php?id=023287d6&page=1


-- 
http://blog.zoller.lu
Thierry Zoller



[Full-disclosure] [TZO-21-2009] Fprot CAB bypass / evasion

2009-05-09 Thread Thierry Zoller


  From the low-hanging-fruit-department
  F-prot generic CAB bypass / evasion


CHEAP Plug :

You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!


Release mode: Coordinated but limited disclosure.
Ref : [TZO-21-2009] - F-prot CAB bypass / evasion
WWW : 
http://blog.zoller.lu/2009/04/advisory-f-prot-frisk-cab-bypass.html
Vendor  : http://www.f-prot.com
Status  : Current version not patched, next engine version patched
  Date unknown, vendor doesn't answer any longer.
CVE : none provided
Credit  : none provided
OSVDB vendor entry: none [1]
Security notification reaction rating : better than last time
Notification to patch window : n+1 (no patch for current build)

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
# F-PROT AVES (High: complete bypass of engine)
# F-PROT Antivirus for Windows (unknown)
# F-PROT Antivirus for Windows on Mail Servers : (High: complete bypass of 
engine) 
# F-PROT Antivirus for Exchange (High: complete bypass of engine)
# F-PROT Antivirus for Linux x86 Mail Servers : (High: complete bypass of 
engine)
# F-PROT Antivirus for Linux x86 File Servers : (High: complete bypass of 
engine)
# F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers (High: complete 
bypass of engine)
# F-PROT Milter - for example sendmail (High: complete bypass of engine)
# F-PROT Antivirus for Linux on IBM zSeries (S/390) (High: complete bypass of 
engine)
# F-Prot Antivirus for Linux x86 Workstations (unknown)

OEM Partners affected :
- Authentium  (all)
Command Software Systems, an Authentium company, has been developing and 
selling an antivirus solution utilizing the powerful F-PROT Antivirus 
engine since 1991. 

OEM Partner unknown status :
- Sendmail, Inc.
- G-Data
- 

I. Background
~
Quote: "FRISK Software International, established in 1993, is one of the 
world's leading companies in antivirus research and product development.

FRISK Software produces the hugely popular F-Prot Antivirus products range 
offering unrivalled heuristic detection capabilities. In addition to this, 
the F-Prot AVES managed online e-mail security service filters away the 
nuisance of spam e-mail as well as viruses, worms and other malware that 
increasingly clog up inboxes and threaten data security."


II. Description
~~~
The parsing engine can be bypassed by a specially crafted and formatted
CAB (Filesize) archive. 

III. Impact
~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within CAB archives. There is no inspection of the content
at all and hence the impossibility to detect malicious code.


IV. Disclosure timeline
~
DD/MM/
10/04/2009 : Send proof of concept, a description of the terms under which 
 I cooperate and the planned disclosure date.
 
15/04/2009 : FRISK responds that they were unable to find any archive 
 program that is able to extract the file and that some
 archive programs tested suffer from an integer overflow
 extracting the file.
 
15/04/2009 : Inform FRISK that the sample should extract fine.  
 
 
20/04/2009 : FRISK responds that they were unable to find any archive 
 program that is able to extract the file.
 
20/04/2009 : Inform FRISK that the sample should extract fine.

22/04/2009 : FRISK responds that they were unable to find any archive 
 program that is able to extract the file. However it will
 be patched nonetheless "being low-priority, it will not be
 added to the 4.4 branch. In other words, the fix will be
 included in the next engine released."

22/04/2009 : Sending FRISK a slightly modified POC (same field, different
 value) that extracts fine and still bypasses the engine. Ask
 vendor to confirm that the new engine catches the POC.
 
 No Reply
 
27/04/2009 : Resending previous mail asking to check whether the patch has
 been effectively closed
 
 No Reply
 
08/05/2009 : Release of this advisory.


[1]
F-prot is encouraged to leave their security contact details 

[Full-disclosure] [TZO-20-2009] AVG ZIP evasion / bypass

2009-05-09 Thread Thierry Zoller


From the low-hanging-fruit-department - AVG generic ZIP bypass / evasion


CHEAP Plug :

You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!


Release mode: Coordinated but limited disclosure.
Ref : [TZO-20-2009] - AVG generic ZIP bypass / evasion
WWW : http://blog.zoller.lu/2009/04/avg-zip-evasion-bypass.html
Vendor  : http://www.AVG.com
Status  : Patched (with engine build 8.5 323)
CVE : none provided
Credit  : t.b.a
OSVDB vendor entry: none [1]
Security notification reaction rating : good
Notification to patch window : +-28 days 

Comment:
Interestingly at AVG, the support department handles the security
notification response, which strangely seemed to work out this time. I guess
when procedures and awareness are in place it doesn't matter that much.
(You lose the "bouncer effect" for irrelevant reports though). I'd recommend
designating one person to be responsible for security related issues, and
"training" the others to forward to that person (even in case of doubt
whether it is security related or not) if you choose to have the support
department handle security notifications.



Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- AVG Anti-Virus Network Edition (prior to engine build 8.5 323)
- AVG Internet Security Network Edition (prior to engine build 8.5 323)
- AVG Server Edition for Linux/FreeBSD (prior to engine build 8.5 323)
- AVG eMail Server Edition (prior to engine build 8.5 323)
- AVG File Server Edition (prior to engine build 8.5 323)
- AVG Internet Security SBS Edition (prior to engine build 8.5 323)
- AVG Anti-Virus SBS Edition (prior to engine build 8.5 323)
- AVG Anti-Virus plus Firewall (prior to engine build 8.5 323)
- AVG Anti-Virus (prior to engine build 8.5 323)

I. Background
~
Quote: "Founded in 1991, with corporate offices in Europe, the US 
and the UK, AVG is focused on providing home and business computer
users with the most comprehensive and proactive protection against
computer security threats.

With more than 80 million active users around the world, the AVG 
family of security software products is distributed globally through 
resellers and through the Web and supports all major operating 
systems and platforms."


II. Description
~~~
The parsing engine can be bypassed by a specially crafted and formatted
ZIP (Filelength) archive.

III. Impact
~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within RAR and ZIP archives. There is no inspection of the content
at all and hence the impossibility to detect malicious code.


IV. Disclosure timeline
~
DD/MM/
10/04/2009 : Send proof of concept, a description of the terms under which 
 I cooperate and the planned disclosure date.
 
14/04/2009 : AVG acknowledges reproducibility 

14/04/2009 : I inform AVG that this is a security notification not a simple
 bug report.

15/04/2009 : AVG acknowledges through a second channel

15/04/2009 : AVG informs me that the fix has been made and the code is 
 currently being tested prior to being deployed. 

15/04/2009 : Ask second channel AVG contact what versions and products 
 are affected.   
 
 no reply
 
07/05/2009 : Ask AVG whether the patches have now been deployed

08/05/2009 : AVG answers that the patches have been deployed

08/05/2009 : Ask AVG what versions have been affected

08/05/2009 : AVG states that "[..]AVG 8.5 build 285 are affected by this 
 issue but the latest release of AVG 8.5 build 323 has 
 resolved the reported issue.[..]"   
 
08/05/2009 : Release of this advisory.


[1]
Grisoft (AVG) is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/Grisoft to facilitate communication and reduce
lost reports.





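Added example, not code from any of the advisories above or from AVG, FRISK
or Panda. The AVG advisory (ZIP, file-length field), the F-Prot advisory
(CAB, file-size field) and the two Panda advisories describe the same
failure mode: a size field in an archive header is inconsistent with the
bytes that follow, the engine stops inspecting, and an ordinary extractor
still unpacks the content. A gateway that wants to fail closed can run
header consistency checks of its own and quarantine whatever does not add
up, instead of passing the archive through unscanned. The Python below
does that for ZIP (local file header against central directory) and for the
CAB CFHEADER; the field layouts follow the PKWARE APPNOTE and Microsoft's
cabinet format, and the sample archives, the file name "payload.exe" and the
mangled values are constructed for this demo. Which header field any given
engine actually mis-handles is not stated on this page, so the checks are
generic rather than a reproduction of any vendor's bug.

```python
"""Archive header consistency checks for a scanning gateway.

Added example, not code from any of the advisories or vendors. Field layouts
follow the PKWARE APPNOTE (ZIP) and the Microsoft cabinet format (CAB); the
sample archives and the mangled values are constructed for this demo.
"""
import io
import struct
import zipfile

ZIP_LOCAL_SIG, ZIP_CENTRAL_SIG, ZIP_EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
FLAG_DATA_DESCRIPTOR = 0x0008   # sizes then live in a trailing descriptor, not the local header


def check_zip(data):
    """Cross-check each central directory entry against its local file header.
    Returns a list of problems; [] means the archive is self-consistent."""
    eocd = data.rfind(struct.pack("<I", ZIP_EOCD_SIG))
    if eocd < 0:
        return ["no end-of-central-directory record"]
    _, _, _, _, n_entries, cd_size, cd_off, _ = struct.unpack_from("<IHHHHIIH", data, eocd)
    if cd_off + cd_size > eocd:
        return ["central directory runs past its EOCD record"]
    problems, pos = [], cd_off
    for _ in range(n_entries):
        (sig, _, _, _, method, _, _, crc, csize, usize, nlen, elen, clen,
         _, _, _, lho) = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        if sig != ZIP_CENTRAL_SIG:
            problems.append(f"bad central header signature at {pos:#x}")
            break
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        pos += 46 + nlen + elen + clen
        if lho + 30 > len(data):
            problems.append(f"{name}: local header offset beyond end of file")
            continue
        (lsig, _, lflags, lmethod, _, _, lcrc, lcsize, lusize, lnlen,
         lelen) = struct.unpack_from("<IHHHHHIIIHH", data, lho)
        if lsig != ZIP_LOCAL_SIG:
            problems.append(f"{name}: no local header at {lho:#x}")
            continue
        if not lflags & FLAG_DATA_DESCRIPTOR:
            if lcsize != csize:
                problems.append(f"{name}: compressed size local={lcsize} central={csize}")
            if lusize != usize:
                problems.append(f"{name}: uncompressed size local={lusize} central={usize}")
        if lmethod != method or lcrc != crc:
            problems.append(f"{name}: method or CRC differs between headers")
        if lho + 30 + lnlen + lelen + csize > cd_off:
            problems.append(f"{name}: declared data runs into the central directory")
    return problems


def check_cab(data):
    """Validate the CFHEADER fields against the bytes actually present."""
    if len(data) < 36 or data[:4] != b"MSCF":
        return ["not a CAB file"]
    (_, cb_cabinet, _, coff_files, _, _, _, c_folders, c_files,
     _, _, _) = struct.unpack_from("<IIIIIBBHHHHH", data, 4)
    problems = []
    if cb_cabinet != len(data):
        problems.append(f"cbCabinet={cb_cabinet} but the file is {len(data)} bytes")
    if coff_files < 36 or coff_files >= len(data):
        problems.append(f"coffFiles={coff_files} points outside the file")
    if c_folders == 0 or c_files == 0:
        problems.append("cabinet declares no folders or no files")
    return problems


# ---- constructed samples ---------------------------------------------------
SAMPLE_CONTENT = b"MZ this stands in for an executable inside the archive"


def sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.exe", SAMPLE_CONTENT)
    return buf.getvalue()


def mangle_zip_local_size(data, new_csize):
    """Overwrite the compressed-size field (offset 18) of the first local header."""
    return data[:18] + struct.pack("<I", new_csize) + data[22:]


def sample_cab(total_len=64, cb_cabinet=None):
    """Header-only cabinet (format 1.3, one folder, one file) padded with zeros."""
    cb = total_len if cb_cabinet is None else cb_cabinet
    hdr = b"MSCF" + struct.pack("<IIIIIBBHHHHH", 0, cb, 0, 44, 0, 3, 1, 1, 1, 0, 0, 0)
    return hdr + b"\0" * (total_len - len(hdr))


if __name__ == "__main__":
    print(check_zip(sample_zip()))                                   # []
    print(check_zip(mangle_zip_local_size(sample_zip(), 0xFFFFFFFF)))
    print(check_cab(sample_cab()))                                   # []
    print(check_cab(sample_cab(cb_cabinet=0xFFFFFFFF)))
```

The checks report a mismatch rather than deciding which header is right,
because that decision is exactly where scanner and extractor disagree:
extractors, Python's own zipfile module included, take entry sizes from the
central directory and will unpack the mangled sample without complaint. The
gateway policy that follows from a non-empty result is quarantine, never
"could not parse, deliver anyway".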

[Full-disclosure] Changes : [TZO-17-2009]Trendmicro multiple bypass/evasions

2009-05-09 Thread Thierry Zoller
__

   UPDATE : Trendmicro RAR / CAB bypass evasion
__


CHANGES to original advisory [TZO-17-2009] Trendmicro : 
--

Status : RAR / CAB  issue WILL be patched on June 17

Quoting vendor : 
"This vulnerability is capable of allowing attackers to send RAR files 
with corrupted RAR headers through our gateway products, which bypass 
the compressed files without scanning them."


Comment:
This just goes to prove that publishing changes perception, as
customers read, react and complain. (Trend previously denied
patching.) In other words, always publish even if the vendor denies
patching.

In the name of all TrendMicro customers I would like to thank those
customers that reacted and complained. Without publication there is no
change, and without those reacting to advisories there is none either.

Proves #2 and #5 at 
http://blog.zoller.lu/2009/04/dear-thierry-why-are-you-such-arrogant.html
to be valid.

Regards,
Thierry Zoller






[Full-disclosure] Request : Microsoft Forefront (all) anybody?

2009-05-09 Thread Thierry Zoller

Hi,

If  you  are  running Microsoft Forefront (especially server side)
and are willing to help out, please get in touch with me.



-- 
http://blog.zoller.lu
Thierry Zoller



[Full-disclosure] Update: [TZO-15-2009] Aladdin eSafe generic bypass - Forced release

2009-05-07 Thread Thierry Zoller


Update:
Aladdin responded and posted a blog post, please read the timeline and
then the blog post.
http://www.aladdin.com/AircBlog/post/2009/05/Archive-Bypass-Issue-and-eSafe.aspx

It is said that :
-
"This means that in case a customer receives such a specially crafted
archive file, he will not be able to extract it."

This is wrong. WinRAR for example extracts the PoC files fine.

"We have acted on the issue after two days since its first coming
into view."
Please see the timeline below and draw your conclusions

"The eSafe products affected by this vulnerability are 7.1, 7.0, and
6."
I was not communicated this information and had to find a referer in
my log files in order to know.


Full update to be published after more discussions...

-

IV. Disclosure timeline
~
DD/MM/
04/04/2009 : Send proof of concept, description, the terms under which
 I cooperate and the planned disclosure date. There is
 no security address listed at [1] and hence took previously
 known security contacts that are known to exist.
 
 No reply.
 
13/04/2009 : Resending. Copied secur...@aladdin.de, secur...@aladdin.com
 sec...@aladdin.com, sec...@aladdin.de,supp...@aladdin.com,
 supp...@aladdin.de in CC.
 
 No reply.
 
16/04/2009 : Resending specifying this is the last attempt to disclose
 responsibly.

 No reply.
 
18/04/2009 : Online virus scan service offered to gap the bridge between
 vendors that don't reply and myself. Aladdin was contacted
 through third party.

 No reaction

19/04/2009 : Aladdin visited the blog entry that explains the bypasses
 and impacts. 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html 
 
 No reaction
 
27/04/2009 : Release of this limited advisory.   


[1] http://osvdb.org/vendor/1/Aladdin%20Knowledge%20Systems




[Full-disclosure] [TZO-18-2009] Mcafee multiple evasions/bypasses (RAR, ZIP)

2009-04-29 Thread Thierry Zoller


From the low-hanging-fruit-department - Mcafee multiple generic evasions


Release mode: Coordinated but limited disclosure.
Ref : TZO-182009 - Mcafee multiple generic evasions
WWW : 
http://blog.zoller.lu/2009/04/mcafee-multiple-bypassesevasions-ziprar.html
Vendor  : http://www.mcafee.com
Status  : Patched
CVE : CVE-2009-1348 (provided by mcafee)
https://kc.mcafee.com/corporate/index?page=content&id=SB10001&actp=LIST_RECENT

Security notification reaction rating : very good
Notification to patch window : +-27 days (Easter holidays in between)

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- McAfee VirusScan® Plus 2009
- McAfee Total Protection™ 2009
- McAfee Internet Security
- McAfee VirusScan USB
- McAfee VirusScan Enterprise
- McAfee VirusScan Enterprise Linux
- McAfee VirusScan Enterprise for SAP
- McAfee VirusScan Enterprise for Storage
- McAfee VirusScan Commandline
- Mcafee SecurityShield for Microsoft ISA Server
- Mcafee Security for Microsoft Sharepoint
- Mcafee Security for Email Servers
- McAfee Email Gateway
- McAfee Total Protection for Endpoint
- McAfee Active Virus Defense
- McAfee Active VirusScan
 
It is unknown whether the SaaS products were affected (though likely):
- McAfee Email Security Service
- McAfee Total Protection Service Advanced


I. Background
~
Quote: "McAfee proactively secures systems and networks from known 
and as yet undiscovered threats worldwide. Home users, businesses, 
service providers, government agencies, and our partners all trust 
our unmatched security expertise and have confidence in our 
comprehensive and proven solutions to effectively block attacks
and prevent disruptions."


II. Description
~~~
The parsing engine can be bypassed by a specially crafted and formatted
RAR (Headflags and Packsize) or ZIP (Filelength) archive.

III. Impact
~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within RAR and ZIP archives. There is no inspection of the content
at all and hence the impossibility to detect malicious code.


IV. Disclosure timeline
~
DD/MM/
04/04/2009 : Send proof of concept RAR I, description, the terms under which
 I cooperate and the planned disclosure date
 
06/04/2009 : Send proof of concept RAR II, description, the terms under which
 I cooperate and the planned disclosure date
 
06/04/2009 : Mcafee acknowledges receipt and reproduction of RAR I,
 acknowledges receipt of RAR II
 
10/04/2009 : Send proof of concept ZIP I, description, the terms under which
 I cooperate and the planned disclosure date

21/04/2009 : Mcafee provides CVE number CVE-2009-1348 
 
28/04/2009 : Mcafee informs me that the patch might be released on the 29th
29/04/2009 : Mcafee confirms patch release and provides URL
 
https://kc.mcafee.com/corporate/index?page=content&id=SB10001&actp=LIST_RECENT
 
29/04/2009 : Ask for affected versions

29/04/2009 : Mcafee replies "This issue does affect all vs engine products,
 including both gateway and endpoint"






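Added example (the editor's, not code from Thierry's advisory or from McAfee): the Description above says the engine gives up on a ZIP whose file-length field is inconsistent, and the Impact section notes that the result is no inspection of the content at all. The Python below parses the ZIP local file headers and central directory itself, cross-checks names, sizes and CRCs between the two, and fails closed: an archive that cannot be parsed or that is internally inconsistent is reported as suspicious so a gateway quarantines it rather than passing it through unscanned (the same stance as the quarantine-on-non-extractable settings described by other vendors in this thread). The two sample archives are constructed inline; the tampered one is a generic size mismatch written for the test, not a reproduction of the withheld PoC files. Function and field names are the example's own.

```python
"""Fail-closed structural consistency check for ZIP archives (added example)."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"          # local file header, 30 bytes
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"  # central directory header, 46 bytes
EOCD_FMT = "<4sHHHHIIH"              # end of central directory record, 22 bytes


def check_zip(data: bytes) -> dict:
    """Cross-check every central directory entry against its local header.

    Returns {"verdict": "ok" | "suspicious", "reasons": [...], "entries": n}.
    Anything that cannot be parsed is "suspicious", never silently "ok".
    """
    reasons = []
    eocd_at = data.rfind(EOCD_SIG)
    if eocd_at < 0 or eocd_at + struct.calcsize(EOCD_FMT) > len(data):
        return {"verdict": "suspicious",
                "reasons": ["no end-of-central-directory record"], "entries": 0}
    _, _, _, _, n_total, cd_size, cd_off, _ = struct.unpack_from(EOCD_FMT, data, eocd_at)
    if cd_off + cd_size > eocd_at:
        return {"verdict": "suspicious",
                "reasons": ["central directory overlaps EOCD or exceeds file"],
                "entries": n_total}

    pos = cd_off
    for i in range(n_total):
        if pos + 46 > eocd_at or data[pos:pos + 4] != CENTRAL_SIG:
            reasons.append(f"entry {i}: central directory header truncated or bad signature")
            break
        c = struct.unpack_from(CENTRAL_FMT, data, pos)
        c_crc, c_csize, c_usize = c[7], c[8], c[9]
        c_nlen, c_xlen, c_clen, local_off = c[10], c[11], c[12], c[16]
        c_name = data[pos + 46:pos + 46 + c_nlen]
        pos += 46 + c_nlen + c_xlen + c_clen

        # The local header must sit inside the data area, before the central directory.
        if local_off + 30 > cd_off or data[local_off:local_off + 4] != LOCAL_SIG:
            reasons.append(f"entry {i}: local header offset outside data area or bad signature")
            continue
        l = struct.unpack_from(LOCAL_FMT, data, local_off)
        l_flags, l_crc, l_csize, l_usize, l_nlen, l_xlen = l[2], l[6], l[7], l[8], l[9], l[10]
        l_name = data[local_off + 30:local_off + 30 + l_nlen]
        if l_name != c_name:
            reasons.append(f"entry {i}: name differs between local header and central directory")
        # Flag bit 3 means sizes/CRC live in a trailing data descriptor and may be 0 here.
        if not (l_flags & 0x08) and (l_crc, l_csize, l_usize) != (c_crc, c_csize, c_usize):
            reasons.append(f"entry {i}: crc/sizes differ: local={(l_crc, l_csize, l_usize)} "
                           f"central={(c_crc, c_csize, c_usize)}")
        data_start = local_off + 30 + l_nlen + l_xlen
        if data_start + max(c_csize, l_csize) > cd_off:
            reasons.append(f"entry {i}: declared data runs past the central directory")

    if pos != cd_off + cd_size:
        reasons.append("central directory size does not match its entries")
    return {"verdict": "ok" if not reasons else "suspicious",
            "reasons": reasons, "entries": n_total}


def gateway_decision(data: bytes) -> str:
    """Fail closed: only a structurally consistent archive goes on to the scanner."""
    return "scan" if check_zip(data)["verdict"] == "ok" else "quarantine"


def build_sample_zip() -> bytes:
    """Constructed sample: a well-formed two-member archive (harmless text)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "sample text, not malicious")
        zf.writestr("data/notes.txt", "second member")
    return buf.getvalue()


def tamper_local_size(data: bytes) -> bytes:
    """Constructed test fixture: overwrite the first local header's compressed-size
    field (offset 18) so it disagrees with the central directory. This is a
    generic mismatch for the unit test, not any vendor's withheld PoC."""
    off = data.find(LOCAL_SIG)
    out = bytearray(data)
    struct.pack_into("<I", out, off + 18, 0xFFFFFFFF)
    return bytes(out)


if __name__ == "__main__":
    samples = (("well-formed", build_sample_zip()),
               ("tampered", tamper_local_size(build_sample_zip())),
               ("not a zip", b"hello"))
    for label, blob in samples:
        print(f"{label:12s} -> {gateway_decision(blob):10s} {check_zip(blob)['reasons']}")
```

The point of the check is not that it finds malware (it reads no member content) but that it never returns "ok" for input it did not fully understand; a scanner that instead skips what it cannot parse is exactly the failure mode the Impact section describes.
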
[Full-disclosure] Addendum: [TZO-17-2009]Trendmicro multiple bypass/evasions

2009-04-29 Thread Thierry Zoller

[Snip]
I. Background
~
ESET develops software solutions that deliver instant, comprehensive protection 
against evolving computer security threats. ESET NOD32® Antivirus, is the 
flagship
product, consistently achieves the highest accolades in all types of 
comparative testing and is the foundational product that builds 
out the ESET product line to include ESET Smart Security.

http://www.eset.com/products/eset_performance_advantages.php

[Snip..]

I. Background
~
Quote:"Trend Micro Incorporated is a global leader in network antivirus and 
Internet content security software and services. Founded in 1988, Trend Micro 
was a pioneer in secure content and threat management, leading the migration of 
early virus protection from the desktop to the network server and the Internet 
gateway. Today, the company continues to advance its comprehensive approach to 
management of content security threats into the Internet cloud, encompassing 
information flow beyond the boundaries of the network. With its 24x7 global 
support operations and dedication to innovative technologies and methodologies, 
Trend Micro is well positioned to protect its customers against an expanding 
range of threats that silently endanger business operations, personal 
information, and property."





[Full-disclosure] [TZO-17-2009]Trendmicro multiple bypass/evasions

2009-04-29 Thread Thierry Zoller
__

   Trendmicro RAR,CAB,ZIP bypass/evasions
__

Release mode: Coordinated but limited disclosure.
Ref : TZO-172009 - Trendmicro RAR,CAB,ZIP bypass/evasion
WWW : 
http://blog.zoller.lu/2009/04/trendmicro-multiple-evasion-and-bypass.html
Status  : No patch, but mitigation recommendations for certain
  products (see below)
Vendor  : http://www.trendmicro.com/
Security notification reaction rating : Good
Notification to patch time window : n+1 days (no patch)

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 

Client-side products
-
These will not be patched; Trend's reason is that malware will be detected
upon extraction. While this is true for end-user setups this is not the
case if you use such products to scan file servers, database servers or any
server where an end user does not actively extract content. The detection
is still completely bypassed. In other words you can no longer assume that
RAR, ZIP, CAB (or any other archive) is safe/clean after a Trendmicro scan
with these products.

Hence I can no longer recommend these products for such uses, and hence my
recommendation to Trend to offer patches; if you use the products in such an
environment please contact Trend and ask for a patch.

I applaud Trend however for the time and effort spent with communicating 
with me and the transparency presented.

Client-side Impact : Low for usage in End-user scenarios
Client-side Impact : High for usage in fileserver, database scenarios.

1. OfficeScan product suites (All of OfficeScan products)
2. ServerProtect product suite (All products of Server protect)
   -ServerProtect for Microsoft Windows/Novell NetWare
   -ServerProtect for EMC Celerra
   -ServerProtect for NetApp
   -Server Protect for Linux
   -ServerProtect for Network Appliance Filers
   
3. Trend Micro Internet Security product suites 
   (Internet Security Pro, Internet Security, Antivirus+AntiSpyware)
4. Client / Server / Messaging Suite ( The OfficeScan component )
5. Worry Free Business Security - Standard 
6. Worry Free Business Security - Advanced ( The security agent component )
7. Worry Free Business Security Hosted 
8. Housecall

Gateway products
-
InterScan Web Security Suite product lines and 
InterScan Web Protect for ISA 
Impact: Detection is evaded but files are quarantined by default;
residual risk of an administrator deblocking a file as there is
no detection of malicious code.

InterScan Messaging Security Appliance  
Impact: Detection is evaded but files are quarantined by default;
residual risk of an administrator deblocking a file as there is
no detection of malicious code.

Neatsuite Advanced (combination of InterScan Messaging Security Suite,
InterScan Web Security Suite, ScanMail Suite for Domino or Exchange, and All)

   Please see, specific product recommendation

ScanMail for Exchange 
Impact: Protection is bypassed by default 
After mitigation: Residual risk of an administrator deblocking a
file as there is no detection of malicious code.

Mitigation recommendations from Trend:
1. Set the "Virus Scan > Action > Files outside of scan restriction
   Criteria" to any of the secured options. Quarantined entire message
   and set to Notify
2. The CAB file will be blocked and the Administrator will
receive the email notification.

ScanMail for Domino Suites
Impact: Protection is bypassed by default; detection is also bypassed after
mitigation but the file is quarantined as "non extractable".
After mitigation: Residual risk of an administrator deblocking a
file as there is no detection of malicious code.

Mitigation recommendations from Trend:
1. Open the ScanMail for Domino Configuration database
2. Go to Configurations > Policies
3. Double click on Default Mail Scan
4. Click on Scan Options Tab > Scan Restrictions
5. Put a mark on Exceed extracted file size and set this to either of the 
much secured action
a. Quarantine
b. Delete
6. Put any of the preferred value to maximum extracted file size
7. Click on Save & Closed

 

I. Background
~
ESET develops software solutions that deliver instant, comprehensive protection 
against evolving computer security threats. ESET NOD32® Antivirus, is the 
flagship
product, consistently achieves the highest accolades in all types of 
comparative testing and is the foundational product that builds 
out the ESET product line to include ESET Smart Security.

http://www.eset.com/products/eset_performance_advantages.php


II. Description
~~~
The parsing engine can be bypassed by a specially 

[Full-disclosure] [TZO-16-2009] Nod32 CAB bypass/evasion

2009-04-29 Thread Thierry Zoller
__

From the low-hanging-fruit-department - Nod32 CAB bypass/evasion
__

Release mode: Coordinated but limited disclosure.
Ref : TZO-162009 - Nod32 CAB bypass/evasion
WWW : 
http://blog.zoller.lu/2009/04/nod32-eset-cab-generic-evasion-limited.html
Status  : No patch, but mitigation recommendations (see below)
Vendor  : http://www.trendmicro.com/   
Security notification reaction rating : Good
Notification to patch time window : 14 days

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- ESET Smart Security 4 (update #4036)
- ESET NOD32 Antivirus 4 (update #4036)
- ESET Smart Security 4 Business Edition (update #4036)
- ESET NOD32 Antivirus 4 Business Edition (update #4036)
- ESET NOD32 Antivirus for Exchange Server (update #4036)
- ESET Mail Security  (update #4036)
- ESET NOD32 Antivirus for Lotus Domino Server (update #4036)
- ESET File Security (update #4036)
- ESET Novell Netware (update #4036)
- ESET DELL STORAGE SERVERS (update #4036)
- ESET NOD32 Antivirus for Linux gateway devices (update #4036)


I. Background
~
ESET develops software solutions that deliver instant, comprehensive protection 
against evolving computer security threats. ESET NOD32® Antivirus, is the 
flagship
product, consistently achieves the highest accolades in all types of 
comparative testing and is the foundational product that builds 
out the ESET product line to include ESET Smart Security.

http://www.eset.com/products/eset_performance_advantages.php


II. Description
~~~
The parsing engine can be bypassed by a specially crafted and formatted
CAB archive. Details are currently withheld due to other vendors that are
in the process of deploying patches.

III. Impact
~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within the CAB archive. There is no inspection of the content
at all.


IV. Disclosure timeline
~

13/04/2009 : Send proof of concept, description, the terms under which
 I cooperate and the planned disclosure date
 
 No reply
 
17/04/2009 : Resend notification with an indication this will be the last
 attempt to responsibly disclose.
 
 
17/04/2009 : Eset acknowledges receipt and previous receipt 

29/04/2009 : Eset informs me that the bug was fixed on the 27th of April
 through an automatic update (update #4036)
 
29/04/2009 : Release of this advisory









[Full-disclosure] Errata: [TZO-13-2009] Avira Antivir generic CAB evasion / bypass

2009-04-28 Thread Thierry Zoller

Errata:
BID/CVE : The issue was in ZIP and not CAB archive handling.

Thank you for your understanding.

Regards,
Thierry




[Full-disclosure] [TZO-15-2009] Aladdin eSafe generic bypass - Forced release

2009-04-27 Thread Thierry Zoller
__

  From the low-hanging-fruit-department - Aladdin eSafe bypass/evasion
__

Release mode: Forced release, vendor has not replied.
Ref : TZO-152009 - Aladdin eSafe Generic Evasion 
WWW : 
http://blog.zoller.lu/2009/04/aladdin-esafe-generic-evasion-bypass.html
Status  : Not patched
Vendor  : http://www.aladdin.com
Security notification reaction rating : Catastrophic
(vendor visited specific url at my website but has not reacted)

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

If you wonder about the reasons behind such forced releases please
visit:
http://blog.zoller.lu/2009/04/dear-thierry-why-are-you-such-arrogant.html

Affected products : 
- t.b.a (Vendor has not reacted, please see below)
- probably all versions including gateway solutions

As this bug has not been reproduced by the vendor, this limited advisory 
relies on the assumption that my tests were conclusive and that the test
environment mimics the production environment.

I. Background
~
Quote: "Aladdin is dedicated to being the leading provider of security 
services and solutions used to protect digital assets, enable secure 
business, and maximize the benefits from creating, selling, 
distributing and using digital content."


II. Description
~~~
The parsing engine can be bypassed by a specially crafted and formatted
archive file. Details are currently withheld due to other vendors that are
in the process of deploying patches.

A professional reaction to a vulnerability notification is a way to 
measure the maturity of a vendor in terms of security. Aladdin is given 
a grace period of two (2) weeks to reply to my notification. Failure 
to do so will result in POC being released in two (2) weeks. 

Aladdin is advised to leave a specific security contact
at [1] in order to simplify getting in contact with them.

As this bug has not been reproduced by the vendor, this limited advisory 
relies on the assumption that my tests were conclusive.

III. Impact
~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within the archive. There is no inspection of the content
at all.


IV. Disclosure timeline
~
DD/MM/
04/04/2009 : Send proof of concept, description, the terms under which
 I cooperate and the planned disclosure date. There is
 no security address listed at [1] and hence took previously
 known security contacts that are known to exist.
 
 No reply.
 
13/04/2009 : Resending. Copied secur...@aladdin.de, secur...@aladdin.com
 sec...@aladdin.com, sec...@aladdin.de,supp...@aladdin.com,
 supp...@aladdin.de in CC.
 
 No reply.
 
16/04/2009 : Resending specifying this is the last attempt to disclose
 responsibly.

 No reply.
 
18/04/2009 : Online virus scan service offered to gap the bridge between
 vendors that don't reply and myself. Aladdin was contacted
 through third party.

 No reaction

19/04/2009 : Aladdin visited the blog entry that explains the bypasses
 and impacts. 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html 
 
 No reaction
 
27/04/2009 : Release of this limited advisory.   


[1] http://osvdb.org/vendor/1/Aladdin%20Knowledge%20Systems




[Full-disclosure] [TZO-14-2009] Comodo Antivirus RAR evasion

2009-04-27 Thread Thierry Zoller
__

  From the low-hanging-fruit-department - Comodo antivir bypass/evasion
__

Release mode: Coordinated but limited disclosure.
Ref : TZO-142009 - Comodo evasion RAR
WWW : http://blog.zoller.lu/2009/04/comodo-antivirus-evasionbypass.html
Vendor  : http://www.comodo.com
Status  : Patched
Security notification reaction rating : Good 
Notification to patch window : 41 days

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Comodo Internet Security 3.5.x and 3.8.x (Impact low due to on access scan)
- Comodo Anti-Virus (Impact low due to on access scan)


I. Background
~
Quote: "Comodo's range of solutions gives businesses the ability 
to create online trust through proprietary technology that help 
e-businesses convert more customers, retain more customers and 
increase lifetime value."

II. Description
~~~
The parsing engine can be bypassed by a specially crafted and formatted
RAR archive. Details are currently withheld due to other vendors that are
in the process of deploying patches.

III. Impact
~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within the RAR archive. There is no inspection of the content
at all and hence the impossibility to detect malicious code.


IV. Disclosure timeline
~
DD/MM/
14/03/2009 : Send proof of concept, description, the terms under which
 I cooperate and the planned disclosure date
 
 No reply
 
16/03/2009 : Resend notification
 
23/03/2009 : Comodo answers that the bug has been fixed and will be deployed
 in version 3.9 due in end of April.

02/04/2009 : Ask for affected versions.
 
02/04/2009 : Comodo answers that the ranges 3.5.x and 3.8.x have been affected
 and that the scheduled release date is the 25th of April. Credit
 will be given in the release notes.

27/04/2009 : Notify comodo that I plan to release the advisory today and assume
 the production code has been released on the 25.04.2009

27/04/2009 : Release of this advisory







[Full-disclosure] [TZO-13-2009] Avira Antivir generic CAB evasion / bypass

2009-04-27 Thread Thierry Zoller
__

  From the low-hanging-fruit-department - Avira antivir bypass/evasion
__

Release mode: Coordinated but limited disclosure.
Ref : TZO-132009 - Avira Antivir evasion CAB
WWW : 
http://blog.zoller.lu/2009/04/avira-antivir-generic-cab-bypass.html
Vendor  : http://www.avira.com
Status  : Patched
Security notification reaction rating : Good
Notification to patch window : 7 days (Easter holidays in between)

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Avira AntiVir Free (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Premium (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Premium Security Suite (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Professional (Desktop) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Server (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Exchange (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir SharePoint (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir ISA Server (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir MIMEsweeper (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir for KEN! 4 (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
- Avira AntiVir Professional (Unix) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Server (Unix)  (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir MailGate (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir WebGate (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)

I. Background
~
Quote: "Avira AntiVir is a reliable free antivirus solution, that constantly 
and rapidly scans your computer for malicious programs such as viruses, 
Trojans, backdoor programs, hoaxes, worms, dialers etc. Monitors 
every action executed by the user or the operating system and reacts 
promptly when a malicious program is detected.

The protection experts have numerous company locations throughout 
Germany and cultivate partnerships in Europe, Asia and America. 
Avira has more than 180 employees at their main office in Tettnang 
near Lake Constance and is one of
the largest employers in the region. There are around 250 people 
employed worldwide whose commitment is continually being confirmed 
by awards. A significant contribution to protection is the Avira 
AntiVir Personal which is being used by private users a million 
times over.

AV-Comparatives e.V. have chosen Avira AntiVir Premium as the 
best anti-virus solution of 2008"


II. Description
~~~
The parsing engine can be bypassed by a specially crafted and formatted
CAB archive. Details are currently withheld due to other vendors that are
in the process of deploying patches.

III. Impact
~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within the CAB archive. There is no inspection of the content
at all and hence the impossibility to detect malicious code.


IV. Disclosure timeline
~
DD/MM/
10/04/2009 : Send proof of concept, description, the terms under which
 I cooperate and the planned disclosure date
 
10/04/2009 : Avira acknowledges receipt and informs me of the Easter
 holidays in Germany.
 
16/04/2009 : Asked for update  

17/04/2009 : Avira replies the problem is fixed in "AVPack >= 8.1.3.14
 7.6.1.19", changes have been made to the sdk in order to
 allow 3rd party AV vendors that use the engine to receive
 more details about the file.
 
18/04/2009 : Avira informs me that the patch is in production since the
 17th of April. AV7 7.9.0.148 / AV8/9: 8.2.0.148
 
18/04/2009 : Ask for more details about the impact of gateway appliances

23/04/2009 : Avira states that the archive effectively evades the default
 configuration of Avira AntiVir MailGate and
 Avira AntiVir WebGate (prior to patch). Future evasions
 can be blocked by setting "BlockSuspiciousArchive" to yes,
 however this is not enabled by default.

27/04/2009 : Release of this advisory







[Full-disclosure] [TZO-12-2009] SUN / Oracle JVM Remote code execution

2009-04-22 Thread Thierry Zoller
__

  SUN/ORACLE JAVA VM Remote code execution 
__

Release mode: Coordinated.
Ref : TZO-122009- SUN Java remote code execution
WWW : 
http://blog.zoller.lu/2009/04/sunoracle-java-vm-remote-code-execution.html
Vendor  : http://www.sun.com
Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html


Affected Products:
- JVM Version 6 Update 1
- JVM Version 6 Update 2

I. Background
~
Dictionary.com : "The Java Virtual Machine (JVM) is software that converts 
the Java intermediate language (bytecode) into machine language and executes it.
The original JVM came from the JavaSoft division of Sun. Subsequently,
other vendors developed their own; for example, the Microsoft Virtual 
Machine is Microsoft's Java interpreter. A JVM is incorporated into 
a Web browser in order to execute Java applets. A JVM is also installed in a 
Web server to execute server-side Java programs. A JVM can also be installed 
in a client machine to run stand-alone Java applications."

II. Description
~~~
Please understand that no details will be given, too many bad guys
would use it for drive-by attacks. At this point in time (old + 
fixed) there is really no need to.


III. Impact
~~~
Memory corruption due to a write attempt to a user controllable offset,
i.e. exploitable. The Java VM is reachable through every major browser.


IV. Disclosure timeline
~

19/11/2008 : Send proof of concept, description to Microsoft (sic), 
 as bug was triggered through IE. 

20/11/2008 : Microsoft asks for clarification 

21/11/2008 : Clarification sent.
 
12/12/2008 : Microsoft replicated the memory corruption in Version 6
 update 1 and recommends getting in contact with SUN 
 
12/12/2008 : Send proof of concept and description to SUN

16/12/2008 : Sun acknowledges receipt. PGP keys are exchanged.

13/01/2009 : Asked for update from SUN

17/01/2009 : Asked for update and indicate this is the last request 
 prior to release if no answer is given.
 
12/03/2009 : SUN asks for more specific details

12/03/2009 : Details given

24/04/2009 : Notify SUN that I am drafting the advisory and would
 require feedback and details

24/04/2009 : SUN asks for a copy of the advisory and explains the 
 engineering team is still working on the case

07/04/2009 : Asks SUN for an update

08/04/2009 : Sun responds that the team is still working on the case

20/04/2009 : Asking for an update and details

20/04/2009 : SUN responds that the engineers could not reproduce in 
 Update 11 and 12

20/04/2009 : I test the new updates and can no longer reproduce the 
 issue

22/04/2009 : Release of this advisory 






[Full-disclosure] Addendum :[TZO-09-2009] Avast bypass / evasion (Limited details)

2009-04-20 Thread Thierry Zoller

URL:
http://blog.zoller.lu/2009/04/release-mode-forced-release-vendor-has.html

Update : After the reaction from avast, it is now clear that all versions
and products are affected, however there is no plan to patch, the
patch will come or will not come - sometime in the future.

You are encouraged to read the time line and draw your own conclusions.

Desktop Protection

* avast! 4 Professional (impact low, reason real-time protection)
* avast! 4 Home Edition (impact low, reason real-time protection)
* avast! Pro Family pack (impact low, reason real-time protection)
* avast! WHS Edition (impact low, reason real-time protection)
* avast! Mac Edition (impact unknown)
* avast! Linux Home Edition (impact unknown)
* avast! U3 Edition (impact unknown)
* avast! 4 BART CD (impact unknown)
* avast! for PDA (impact unknown)

Corporate Protection

* avast! 4 Server Edition(impact high, complete bypass)
* avast! 4 Server Edition Plug-ins
* avast! 4 Exchange Server Edition (impact high, complete bypass)
* avast! 4 ISA Server Edition (impact high, complete bypass)
* avast! 4 SharePoint Server Edition (impact high, complete bypass)
* avast! 4 SMTP Server Edition (impact high, complete bypass)
* avast! 4 Lotus Domino Edition (impact high, complete bypass)
* avast! Distributed Network Manager (impact high, complete bypass)
* avast! 4 Professional (impact unknown)
* avast! 4 BART CD (impact unknown)
* avast! for Linux/Unix Server (impact high, complete bypass)
* avast! for PDA (impact unknown)
* Net.Purum (impact unknown)

OEM

* Copperfasten - Mail Firewall Appliance
* TN North Software - Internet Anywhere eMailServer
* IceWarp Software - Merak Email Server
* SmartMax Software, Inc. - MailMax Server
* NetWin Software - SurgeMail Email Server
* Hexamail Ltd. - Hexamail Guard - Antivirus option
* Bains Digital - Defender MX


Time line
''
* 14/03/2009 : Send proof of concept, description, the terms under which I
cooperate and the planned disclosure date. There is no security address listed
at [1] and hence took the industry standard security contact addresses secure@
and secur...@. sec...@avast.de, sec...@alwil.com, secur...@alwil.com
secur...@avast.de

  No reply.

* 10/04/2009 : Resending specifying this is the last attempt to disclose
responsibly. This time two known contact addresses that were previously used to
report vulnerabilities were used: secal...@avast.com, v...@avast.com

  No reply.

* 17/04/2009 : Release of this advisory and begin of grace period.

* 17/04/2009 : Avast replies quoting the mail sent on the 14/03/2009 and 
claims that this is a non issue because the POC would not correctly decompress.

* 17/04/2009: Reply that the POC works as expected and asked why there has 
been no reaction to previous notifications.

  No reply.

* 20/04/2009: Asked for patch timeline and affected version

* 20/04/2009: Avast replies that all versions and all product ranges are 
affected, however "There's currently no plan to release a special patch for 
this as our risk assessment makes it a very low priority issue."

* 20/04/2009: Replied that Avast can assess the risk to lose customers
and money; not the entire cumulated risk their customers run in specific
environments.





[Full-disclosure] [TZO-11-2009] Fortinet bypass / evasion (Limited details)

2009-04-17 Thread Thierry Zoller
__

  From the low-hanging-fruit-department - Fortinet bypass/evasion
__

Release mode: Forced release, vendor has not replied.
Ref : TZO-112009 - Fortinet Generic Evasion 
WWW : 
http://blog.zoller.lu/2005/04/fortinet-evasion-bypass-limited-details.html
Vendor  : http://www.fortinet.com
Security notification reaction rating : Catastrophic

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- t.b.a (Vendor has not reacted, please see below)

As this bug has not been reproduced by the vendor, this limited advisory 
relies on the assumption that my tests were conclusive and that the test
environment mimics the production environment.

I. Background
~
Quote: "Fortinet is a leading provider of network security appliances and the 
leader of the unified threat management (UTM) market worldwide. 
Fortinet's award-winning portfolio of security gateways, 
subscription services, and complementary products delivers 
the highest level of network, content, and application 
security for enterprises of all sizes, managed service providers, 
and telecommunications carriers, while reducing total cost of 
ownership and providing a flexible, scalable path for expansion.  "


II. Description
~~~
The parsing engine can be bypassed by a specially crafted and formatted
archive file. Details are currently withheld due to other vendors that are 
in the process of deploying patches.

A professional reaction to a vulnerability notification is a way to 
measure the maturity of a vendor in terms of security. Fortinet is given 
a grace period of two (2) weeks to reply to my notification. Failure 
to do so will result in POC being released in two (2) weeks. 

Fortinet (as well as others) is advised to leave a specific security contact
at [1] in order to simplify getting in contact with them.

As this bug has not been reproduced by the vendor, this limited advisory 
relies on the assumption that my tests were conclusive.

III. Impact
~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within the archive. There is no inspection of the content
at all.


IV. Disclosure timeline
~
09/03/2009 : Sent proof of concept, described the terms under which 
 I cooperate and the planned disclosure date. There is
 no security address listed at [1] and hence used the industry
 standard security contact addresses secure@ and secur...@.
 
 No reply.
 
14/03/2009 : Resent, specifying this is the last attempt to disclose
 responsibly.
 
 No reply.
 
15/04/2009 : Fortinet published advisories for third party vendors with
 the address dontreply-secresea...@fortinet.com; used 
 secresea...@fortinet.com to resend the advisory.

 No reply.
 
17/04/2009 : Last attempt to contact, information sent to i...@foritnet.com

 No reply, as of time of publishing.

17/04/2009 : Release of this advisory and begin of grace period.


[1] http://osvdb.org/vendor/1/Fortinet%20Inc_




[Full-disclosure] [TZO-09-2009] NOD32 (Eset) bypass / evasion (Limited details)

2009-04-17 Thread Thierry Zoller
__

From the low-hanging-fruit-department - Nod32 bypass/evasion
__

Release mode: Coordinated but limited disclosure.
Ref : TZO-092009 - Nod32 Evasion RAR
WWW : 
http://blog.zoller.lu/2005/04/nod32-eset-generic-evasion-limited.html
Vendor  : http://www.eset.com/
Security notification reaction rating : Good enough
Notification to patch window : 14 days

Interesting background statistics:
Time required to coordinate disclosure and write the advisory: 2,5 hours
Time required to find the bug : 25 minutes

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- ESET Smart Security 4 (before 15/04/2009)
- ESET NOD32 Antivirus 4 (before 15/04/2009)
- ESET Smart Security 4 Business Edition (before 15/04/2009)
- ESET NOD32 Antivirus 4 Business Edition (before 15/04/2009)
- ESET NOD32 Antivirus for Exchange Server (before 15/04/2009)
- ESET Mail Security  (before 15/04/2009)
- ESET NOD32 Antivirus for Lotus Domino Server (before 15/04/2009)
- ESET File Security (before 15/04/2009)
- ESET Novell Netware (before 15/04/2009)
- ESET DELL STORAGE SERVERS (before 15/04/2009)
- ESET NOD32 Antivirus for Linux gateway devices (before 15/04/2009)
- Command line version : NOD32 prior to 3.0.677


I. Background
~
ESET develops software solutions that deliver instant, comprehensive protection 
against evolving computer security threats. ESET NOD32® Antivirus, the flagship
product, consistently achieves the highest accolades in all types of 
comparative testing and is the foundational product that builds 
out the ESET product line to include ESET Smart Security.

http://www.eset.com/products/eset_performance_advantages.php


II. Description
~~~
The parsing engine can be bypassed by a specially crafted and formatted
RAR archive. Details are currently withheld due to other vendors that are 
in the process of deploying patches.

III. Impact
~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within the RAR archive. There is no inspection of the content
at all.


IV. Disclosure timeline
~

04/04/2009 : Sent proof of concept, described the terms under which 
 I cooperate and the planned disclosure date
 
 No reply
 
09/04/2009 : Resent notification with an indication this will be the last
 attempt to responsibly disclose.
 
09/04/2009 : Eset acknowledges receipt and previous receipt and apologises 
 for not being able to answer due to an internal
 miscommunication. Patch will be deployed on the 15th of April.

09/04/2009 : Asked where the changelog/advisory will be posted

09/04/2009 : Eset responds that credit will be included in changelogs
 http://www.eset.com/support/updates.php?pageno=3
 
17/04/2009 : Release of this advisory









[Full-disclosure] [TZO-08-2009] Bitdefender generic bypass/evasion

2009-04-17 Thread Thierry Zoller
__

  From the low-hanging-fruit-department - Bitdefender bypass/evasion
__

Release mode: Coordinated but limited disclosure.
Ref : TZO-082009 - Bitdefender Evasion CAB
WWW : 
http://blog.zoller.lu/2009/04/bitdefender-generic-bypassevasion-cab.html
Vendor  : http://www.bitdefender.com
Security notification reaction rating : Good
Notification to patch window : 1 day (!)

Interesting background statistics:
Time required to coordinate disclosure and write the advisory: 2 hours
Time required to find the bug : 10 minutes

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Bitdefender Antivirus 2009 (pre update 13/04/2009)
- Bitdefender Internet Security 2009 (pre update 13/04/2009)
- Bitdefender Total Security 2009 (pre update 13/04/2009)
- Bitdefender Small Office Security (pre update 13/04/2009)
- Bitdefender for Fileservers (pre update 13/04/2009)
- Bitdefender for Samba (pre update 13/04/2009)
- Bitdefender for Sharepoint (pre update 13/04/2009)
- Bitdefender Security for Exchange (pre update 13/04/2009)
- Bitdefender Security for Mailservers (pre update 13/04/2009)
- Bitdefender for ISA Servers (pre update 13/04/2009)
- Bitdefender Client security (pre update 13/04/2009)

Bundles:
- BitDefender Business Security (pre update 13/04/2009)
- Bitdefender Antivirus for Unices (pre update 13/04/2009)
- Bitdefender Corporate Security (pre update 13/04/2009)
- Bitdefender SBS Security (pre update 13/04/2009)

I. Background
~
BitDefender™ provides security solutions to satisfy the protection
requirements of today's computing environment, delivering effective
threat management for over 41 million home and corporate users in more
than 100 countries. BitDefender, a division of SOFTWIN, is headquartered
in Bucharest, Romania and has offices in Tettnang, Germany, Barcelona,
United Kingdom, Denmark, Spain and Fort Lauderdale (FL), USA.



II. Description
~~~
The parsing engine can be bypassed by a specially crafted and formatted
CAB archive. Details are currently withheld due to other vendors that are 
in the process of deploying patches.

III. Impact
~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within the CAB archive. There is no inspection of the content
at all.


IV. Disclosure timeline
~
13/04/2009 : Sent proof of concept, described the terms under which 
 I cooperate and the planned disclosure date
 
14/04/2009 : Bitdefender responds that the problem was fixed by an 
 automatic update on the 13/04/2009
 
16/04/2009 : Asked which product lines and versions have been affected and
 for a CVE number.

15/04/2009 : Bitdefender states that "All our products are affected 
 by this problem. We don't have a CVE number".

17/04/2009 : Release of this advisory


[Full-disclosure] [TZO-09-2009] Avast bypass / evasion (Limited details)

2009-04-17 Thread Thierry Zoller
__

From the low-hanging-fruit-department - AVAST bypass/evasion
__

Release mode: Forced release, vendor has not replied.
Ref : TZO-092009 - AVAST Generic Evasion 
WWW : 
http://blog.zoller.lu/2009/04/release-mode-forced-release-vendor-has.html
Vendor  : http://www.avast.com
Security notification reaction rating : Catastrophic

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- List t.b.a when vendor cooperates (probably all versions)
- Known engine version to be affected - prior and post VPS:090409-0  

As this bug has not been reproduced by the vendor, this limited advisory
relies on the assumption that my tests were conclusive and that the test
environment mimics the production environment.


I. Background
~
Quote: "Comprehensive network security solution for corporate customers 
certified and tested by ICSA and Checkmark. It provides complete 
server and desktop virus protection."

II. Description
~~~
The parsing engine can be bypassed by a specially crafted and formatted
RAR archive. Details are currently withheld:

A professional reaction to a vulnerability notification is a way to 
measure the maturity of a vendor in terms of security. AVAST is given 
a grace period of two (2) weeks to reply to my notification. Failure 
to do so will result in POC being released in two (2) weeks. 

AVAST (as well as others) is advised to leave a specific security contact
at [1] in order to simplify getting in contact with them.

III. Impact
~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within the RAR archive. There is no inspection of the content
at all.


IV. Disclosure timeline
~

14/03/2009 : Sent proof of concept, described the terms under which 
 I cooperate and the planned disclosure date. There is
 no security address listed at [1] and hence used the industry
 standard security contact addresses secure@ and secur...@:
 sec...@avast.de, sec...@alwil.com, secur...@alwil.com,
 secur...@avast.de

 No reply.
 
10/04/2009 : Resent, specifying this is the last attempt to disclose
 responsibly. This time two known contact addresses that were
 previously used to report vulnerabilities were used:
 secal...@avast.com, v...@avast.com
 
 No reply.
 
17/04/2009 : Release of this advisory and begin of grace period.


[1] http://osvdb.org/vendor/1/ALWIL%20Software








Re: [Full-disclosure] Linux Kernel CIFS Vulnerability

2009-04-10 Thread Thierry Zoller
Hi Marcus,

MM> I think we have brought this up to the kernel guys often already
MM> without much effect ...  and I am aware of above posts.
I am a bystander that is bewildered by the situation and have not been
following this "situation" from the beginning.

MM> This is Opensource, if the original authors don't provide security
MM> guidance,
You mean "this is anarchy" or Sparta? SCNR
There is no need for "security guidance", there is a need for a
simple FLAG [x] Might be security relevant or [X] is security relevant.
Others might then look into it a lot faster instead of triaging
through hundreds of irrelevant bugs.

MM>  someone else can easily step up and do it, like Brad, or Fefe,
MM> or whoever else.
Brad and Fefe certainly have other things to do than point out
the security intrinsics of bugs in OSS software. Setting the flags above
might help get others to look into it faster.

How about solving the problem by open sourcing the knowledge
required to attribute the security nature of a coding error, so as to help
those that simply ignore it? That could be a start too.

It's often plain easy and can be explained in IF ELSE kind of way.

MM> Even we as Linux distributors should probably set some people up to study the
MM> .stable releases for such things.
It would certainly help; what helps a lot more from my POV is creating
a website, a sort of hall of shame, that discloses silent security
fixes. It helps everybody, puts pressure on the "they are just normal
bugs" faction, helps those that ignore WHY a particular bug has
security implications and helps the overall perception of OSS software
in terms of security.


-- 
http://blog.zoller.lu
Thierry Zoller



Re: [Full-disclosure] Linux Kernel CIFS Vulnerability

2009-04-10 Thread Thierry Zoller

>The correct wording is "no advisory was released yet".
An exception to the rule? The question is why? If fefe hadn't
pointed it out there would have been no advisory,
like the 100 other silently fixed security bugs that even
those that backport don't catch.

There is a clear statement from the Kernelhacker groups on this
situation, and it is *not* positive, so why make it look like
those that complain just do it at the wrong point in time.

Again see:
http://lwn.net/Articles/285438/
http://lwn.net/Articles/286263/
http://lwn.net/Articles/287339/
http://lwn.net/Articles/288473/

and hundreds of others.

-- 
http://blog.zoller.lu
Thierry Zoller



Re: [Full-disclosure] Linux Kernel CIFS Vulnerability

2009-04-09 Thread Thierry Zoller

Addendum 2:
http://lwn.net/Articles/285438/
http://lwn.net/Articles/286263/
http://lwn.net/Articles/287339/
http://lwn.net/Articles/288473/


-- 
http://secdev.zoller.lu
Thierry Zoller


