[Full-disclosure] iDefense Security Advisory 12.07.10: Apple QuickTime PICT Memory Corruption Vulnerability

2010-12-07 Thread labs-no-reply
iDefense Security Advisory 12.07.10
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 07, 2010

I. BACKGROUND

QuickTime is Apple's media player product used to render video and other
media. The PICT file format was developed by Apple Inc. in 1984. PICT
files can contain both object-oriented images and bitmaps. For more
information visit http://www.apple.com/quicktime/

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in Apple Inc.'s
QuickTime media player could allow attackers to execute arbitrary code
in the context of the targeted user.

The vulnerability specifically exists in the way specially crafted PICT
image files are handled by the QuickTime PictureViewer.

When processing a specially crafted PICT image file, QuickTime
PictureViewer uses a value read from the file to control the length of a
byte swap operation. The byte swap operation converts big-endian data to
little-endian data. QuickTime fails to validate this length value before
using it. When the length is larger than the buffer actually supplied,
the swap corrupts heap memory beyond the allocated buffer, which could
lead to an exploitable condition.
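
The following C model is an added example and is not iDefense's or Apple's code. It shows the pattern the paragraph describes using a hypothetical record layout (a 16-bit big-endian word count followed by the words): the unchecked path takes the swap length straight from the file, the checked path refuses any count that the allocation cannot cover. The record layout, the function names and the truncated sample record are assumptions; the real PICT opcode and buffer sizes are not given in the advisory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not iDefense's or Apple's code. It models the bug class the
 * advisory describes: a length read from the file drives an in-place
 * big-endian to little-endian swap over a heap buffer that was sized from
 * the bytes actually present. The record layout is hypothetical:
 *   [u16 count_be][payload of 16-bit big-endian words]
 * A truncated file can carry fewer payload bytes than `count` promises. */

typedef struct {
    uint8_t *data;   /* heap buffer holding exactly the payload bytes present */
    size_t   len;    /* bytes allocated */
} rec_t;

/* Swap `nwords` 16-bit values in place; trusts its caller completely. */
static void swap16_inplace(uint8_t *buf, size_t nwords)
{
    for (size_t i = 0; i < nwords; i++) {
        uint8_t t = buf[2 * i];
        buf[2 * i] = buf[2 * i + 1];
        buf[2 * i + 1] = t;
    }
}

/* Vulnerable length computation: the swap length is whatever the file says.
 * Returns the number of words the loop would process. When that exceeds
 * payload_len / 2 the swap writes past the end of the allocation. */
size_t swap_words_unchecked(uint16_t count_from_file, size_t payload_len)
{
    (void)payload_len;            /* never consulted: that is the bug */
    return count_from_file;
}

/* Hardened: the file's count must be covered by the bytes actually
 * allocated. Returns 0 and sets *words, or -1 for a malformed record. */
int swap_words_checked(uint16_t count_from_file, size_t payload_len,
                       size_t *words)
{
    if (payload_len % 2 != 0)
        return -1;                            /* odd payload cannot be words */
    if ((size_t)count_from_file * 2 > payload_len)
        return -1;                            /* count overruns the buffer */
    *words = count_from_file;
    return 0;
}

/* Parse one record from `file` of `file_len` bytes using the checked length.
 * On success returns 0 and the caller owns out->data; returns -1 otherwise. */
int parse_record(const uint8_t *file, size_t file_len, rec_t *out)
{
    if (file_len < 2)
        return -1;
    uint16_t count = (uint16_t)((file[0] << 8) | file[1]);
    size_t payload_len = file_len - 2;
    size_t words;
    if (swap_words_checked(count, payload_len, &words) != 0)
        return -1;
    out->data = malloc(payload_len ? payload_len : 1);
    if (out->data == NULL)
        return -1;
    memcpy(out->data, file + 2, payload_len);
    out->len = payload_len;
    swap16_inplace(out->data, words);         /* now provably in bounds */
    return 0;
}
```

With a record that advertises four words but carries only two, the unchecked computation hands the swap loop four words, so it touches eight bytes of a four-byte heap allocation; the checked computation rejects the record before any buffer is allocated. The check belongs where the length is consumed, not only where the header is read, because the allocation size and the header count come from different parts of the file.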

III. ANALYSIS

Successful exploitation could allow attackers to execute arbitrary code
in the context of the current user. To exploit this vulnerability, an
attacker must persuade a victim to open a specially crafted PICT file
with QuickTime. The file could be delivered as a direct link or
referenced from a Web page under the attacker's control; upon visiting
such a page, exploitation would occur and execution of arbitrary code
would be possible. Alternatively, a PICT file could be attached to an
e-mail.

IV. DETECTION

QuickTime Player versions prior to 7.6.9 are vulnerable.

V. WORKAROUND

iDefense recommends disabling the QuickTime Plugin and altering the
.pct, .pic and .pict filetype associations within the registry.
Disabling the plugin will prevent Web browsers from utilizing QuickTime
Player to view associated media files. Removing the filetype
associations within the registry will prevent QuickTime Player and
Picture Viewer from opening .pct, .pic and .pict files.

VI. VENDOR RESPONSE

Apple Inc. has released a patch that addresses this issue. For more
information, consult their advisory at the following URL:

http://support.apple.com/kb/HT4447

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-3800 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

03/31/2010  Initial Vendor Notification
03/31/2010  Initial Vendor Reply
12/07/2010  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Hossein Lotfi (s0lute).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2010 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] iDefense Security Advisory 11.11.10: Apple Mobile OfficeImport Framework Excel Parsing Memory Corruption Vulnerability

2010-11-11 Thread labs-no-reply
iDefense Security Advisory 11.11.10
http://labs.idefense.com/intelligence/vulnerabilities/
Nov 11, 2010

I. BACKGROUND

The OfficeImport framework is an API used by Apple's mobile devices,
including the iPod Touch, iPhone, and iPad. The framework is used to
parse and display Microsoft Office file formats, such as Excel, Word,
and PowerPoint. The OfficeImport framework is used by several
applications, including MobileMail and MobileSafari. Both of these
applications are attack vectors for this vulnerability. For more
information, see the vendor's site found at the following link.

http://www.apple.com/iphone/softwareupdate/

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in Apple Inc.'s
OfficeImport framework could allow an attacker to execute arbitrary code
with the privileges of the current user.

The vulnerability occurs when parsing an Excel file with a maliciously
constructed Excel record. Specific values within this record can
trigger a memory corruption vulnerability, and result in values from
the file being used as function pointers. This allows an attacker to
execute arbitrary code.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user opening the file. To exploit this
vulnerability, an attacker has several attack vectors. The most
dangerous vector is through MobileSafari, which will automatically open
and parse Office files embedded in web pages. This behavior is similar
to Microsoft Office 2000, in that it enables drive-by style attacks
without any user interaction beyond visiting a web page (no file open
dialog is displayed, the file is simply opened). Additionally, an
attacker can email a targeted user and attach a malicious file. The
user will then have to view the email and attachment with MobileMail to
trigger the vulnerability.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in the
OfficeImport framework running on the following devices:

iPod Touch, iOS 3.1.3
iPad, iOS 3.2.1

Apple has confirmed Mac OS X and Mac OS X Server v10.6 through v10.6.4
to be vulnerable.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue. There
is no configuration option to disable the parsing of Office files in
the browser. Additionally, due to a lack of control over file system
permissions on Apple devices (and the method of library loading) it is
not possible to remove or block access to the OfficeImport binary.

VI. VENDOR RESPONSE

Apple Inc. has released patches that address this issue. For more
information, consult their advisory at the following URL:

http://support.apple.com/kb/HT4435

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-3786 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/25/2010  Initial Vendor Notification
08/25/2010  Initial Vendor Reply
11/11/2010  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Tobias Klein.



[Full-disclosure] iDefense Security Advisory 11.09.10: Microsoft Word RTF File Parsing Stack Buffer Overflow Vulnerability

2010-11-09 Thread labs-no-reply
iDefense Security Advisory 11.09.10
http://labs.idefense.com/intelligence/vulnerabilities/
Nov 09, 2010

I. BACKGROUND

Microsoft Word is a word processing application from Microsoft Office.
For more information about Microsoft Word, see the following website:
http://office.microsoft.com/en-us/word/default.aspx

Rich-Text Format (RTF) is a document file format developed by Microsoft
for cross-platform document interchange.

II. DESCRIPTION

Remote exploitation of a stack buffer overflow vulnerability in
Microsoft Corp.'s Word could allow attackers to execute arbitrary code
under the privileges of the targeted user.

This vulnerability specifically exists in the handling of a specific
control word in an RTF document. Under certain circumstances, Word will
copy its property strings into a stack buffer without checking the
length, which causes a stack buffer overflow.
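
The C code below is an added example and is not Microsoft's code. It models the bug class this paragraph describes: the string attached to an RTF control word is copied into a fixed-size stack buffer without first comparing its length to that buffer, shown beside the bounded version. The control word \myprop, the 32-byte buffer, the rule that a property ends at ';', '}' or '\', and the two sample documents are all hypothetical; the advisory does not name the real control word or buffer size.

```c
#include <ctype.h>
#include <string.h>

/* Added example, not Microsoft's code. It models the bug class in the
 * advisory: the string attached to an RTF control word is copied into a
 * fixed-size stack buffer without comparing its length to the buffer. The
 * control word \myprop, the 32-byte buffer and the "property ends at ';',
 * '}' or '\'" rule are all hypothetical; the advisory names none of them. */

#define PROP_MAX 32

/* Constructed samples: one property that fits, one 40-byte property that
 * does not. */
static const char *const RTF_GOOD = "{\\rtf1\\myprop short;\\par}";
static const char *const RTF_BAD  = "{\\rtf1\\myprop "
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" ";\\par}";

/* Locate control word `name` and return a pointer to its property text
 * (the single delimiting space after the word is consumed), or NULL. */
static const char *find_control_word(const char *rtf, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = strchr(rtf, '\\'); p != NULL; p = strchr(p + 1, '\\')) {
        if (strncmp(p + 1, name, n) == 0 && !isalnum((unsigned char)p[1 + n])) {
            const char *q = p + 1 + n;
            return *q == ' ' ? q + 1 : q;
        }
    }
    return NULL;
}

/* Length of the property text starting at `s`. */
static size_t prop_len(const char *s)
{
    size_t i = 0;
    while (s[i] != '\0' && s[i] != ';' && s[i] != '}' && s[i] != '\\')
        i++;
    return i;
}

/* Length of \myprop's property in `rtf`, or 0 if the word is absent. */
size_t myprop_len(const char *rtf)
{
    const char *p = find_control_word(rtf, "myprop");
    return p ? prop_len(p) : 0;
}

/* Vulnerable shape: copies without comparing n to PROP_MAX. Calling it on
 * RTF_BAD would smash the caller's stack, so it is only ever fed RTF_GOOD. */
int read_myprop_unchecked(const char *rtf, char out[PROP_MAX])
{
    const char *p = find_control_word(rtf, "myprop");
    if (p == NULL)
        return -1;
    size_t n = prop_len(p);
    memcpy(out, p, n);              /* n can be anything the file says */
    out[n] = '\0';
    return (int)n;
}

/* Hardened: the property and its terminator must fit; over-long input is
 * rejected rather than silently truncated. */
int read_myprop_checked(const char *rtf, char out[PROP_MAX])
{
    const char *p = find_control_word(rtf, "myprop");
    if (p == NULL)
        return -1;
    size_t n = prop_len(p);
    if (n >= PROP_MAX)
        return -2;
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}
```

The two readers differ by one comparison. Rejecting rather than truncating is deliberate: a silently shortened property can still be parsed, so the caller never learns that the document was malformed, whereas an error return lets the application refuse the file.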

III. ANALYSIS

Exploitation allows remote attackers to execute arbitrary code on the
affected host under the context of the user who opened the malicious
RTF document with Microsoft Word.

Exploitation might require that the user open a specially crafted RTF
document with a vulnerable application. The most likely exploitation
vector involves convincing a user to open an RTF document sent to the
user via e-mail or linked on a website.

Since Outlook 2007 uses the Word engine to process e-mails, it is also
affected by this vulnerability. The attacker can send the user a
specially crafted RTF e-mail. When this e-mail is opened or displayed
in the preview pane using Outlook 2007, the vulnerability will be
triggered.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Microsoft
Word 2003, Microsoft Word 2007, and Microsoft Outlook 2007. The
following Microsoft products are vulnerable:

* Microsoft Office XP SP 3
* Microsoft Office 2003 SP 3
* Microsoft Office 2007 SP 2
* Microsoft Office 2010 (32-bit editions)
* Microsoft Office 2010 (64-bit editions)
* Microsoft Office for Mac 2011

V. WORKAROUND

Microsoft recommends reading e-mail in plain-text format as a
workaround.

VI. VENDOR RESPONSE

Microsoft Corp. has released patches which address this issue.
Information about downloadable vendor updates can be found by clicking
on the URLs shown.
http://www.microsoft.com/technet/security/bulletin/MS10-087.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010- to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/12/2009  Initial Vendor Notification
08/12/2009  Initial Vendor Reply
11/09/2010  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by wushi of team509.



[Full-disclosure] iDefense Security Advisory 02.13.07: Microsoft 'wininet.dll' FTP Reply Null Termination Heap Corruption Vulnerability

2007-02-13 Thread iDefense Labs NO-REPLY
Microsoft 'wininet.dll' FTP Reply Null Termination Heap Corruption
Vulnerability

iDefense Security Advisory 02.13.07
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 13, 2007

I. BACKGROUND

The WinInet module provides access to common Internet protocols, including
FTP and HTTP, allowing programmers to add this functionality to their
code without having to re-implement the details. As part of the base
operating system, it is used in many applications including Microsoft's
Internet Explorer. More information on the WinInet module is available at
the following link:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wininet/wininet/portal.asp

II. DESCRIPTION

Remote exploitation of a design error in Microsoft Corp.'s 'wininet.dll'
FTP client code could allow an attacker to execute arbitrary code.

The vulnerability specifically exists in the parsing of reply lines from
remote FTP servers. During an FTP session, the client makes requests for
the server to perform some operation and the server responds with a
numeric code, a human readable message and possibly some other
information. As there can be multiple lines in a reply, code in the client
breaks the reply up into lines, putting a null byte (character 0x00) after
any end of line character. In the case where a line ends exactly on the
last character of the reply buffer, the terminating null byte is written
outside of the allocated space, overwriting a byte of the heap management
structure. By sending a specially crafted series of replies to the client,
the heap may be corrupted in a controlled way to cause the execution of
arbitrary code.
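
The following C model is an added example and is not Microsoft's WinINet code. It reproduces the boundary condition this paragraph describes: the scan that writes a NUL after every end-of-line character places that NUL one byte past the allocation when the line ends exactly on the last byte of the buffer, and a checked scan that only writes the terminator when it fits. The buffer sizes, the reply texts and the function names are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not Microsoft's WinINet code. It models the reply handling
 * the advisory describes: the client scans its receive buffer for
 * end-of-line characters and writes a NUL after each one so the line can be
 * handled as a C string. With a line ending exactly on the last byte of the
 * allocation that NUL lands one byte past it, on the next heap chunk's
 * header. The buffer sizes and reply texts here are constructed. */

/* Number of NUL writes the unchecked scan would place outside a buffer of
 * `cap` bytes holding `len` bytes of reply. For a single reply this is 0 or
 * 1: the one-byte heap overwrite the advisory describes. */
size_t overflow_bytes_unchecked(const char *buf, size_t len, size_t cap)
{
    size_t outside = 0;
    for (size_t i = 0; i < len && i < cap; i++) {
        if (buf[i] == '\n' && i + 1 >= cap)   /* buf[i + 1] is buf[cap] */
            outside++;
    }
    return outside;
}

/* Checked scan: the NUL is only written when it fits. A line whose LF is the
 * final byte is still counted; its end is known from `len` instead of from
 * a terminator. Returns the number of lines. */
size_t split_lines_checked(char *buf, size_t len, size_t cap)
{
    size_t lines = 0;
    for (size_t i = 0; i < len && i < cap; i++) {
        if (buf[i] != '\n')
            continue;
        lines++;
        if (i + 1 < cap)
            buf[i + 1] = '\0';
    }
    return lines;
}

/* Receive `reply` into an allocation of exactly `cap` bytes and split it.
 * Returns the line count, or 0 if the reply does not fit. Building this
 * with -fsanitize=address and dropping the `i + 1 < cap` bound above
 * reproduces the off-by-one as a heap-buffer-overflow report. */
size_t receive_and_split(const char *reply, size_t len, size_t cap)
{
    if (len > cap || cap == 0)
        return 0;
    char *buf = malloc(cap);
    if (buf == NULL)
        return 0;
    memcpy(buf, reply, len);
    size_t n = split_lines_checked(buf, len, cap);
    free(buf);
    return n;
}
```

The model keeps the advisory's literal behaviour (the NUL goes after the terminator, not in place of it); how the real code then consumes each line is not described and is not modelled. The point of the checked version is that the terminator's position is derived from the allocation size, not from the position of the newline, so no reply length can push it outside the buffer.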

III. ANALYSIS

Successful remote exploitation of this vulnerability would allow an attacker
to execute arbitrary code in the context of the currently logged in
user.

In order to exploit this vulnerability, the attacker must convince the
target to follow a link in a program which uses the vulnerable functions,
such as Internet Explorer, Word, or Outlook. For any of these applications
it is sufficient to embed an image linked to a malicious ftp server, but
for modern versions of Outlook, the image will not render unless the user
allows it.

In testing by iDefense Labs, server responses were generated which put
controlled values into controlled memory locations in Internet Explorer,
with varying degrees of success on a system running Windows XP SP2.
Although methods applied during initial testing were unreliable, they did
indicate that it was possible to use this vulnerability to cause code
execution.

The portion of the heap management structure overwritten is used to
determine the length of the allocation it refers to. In combination with
another less severe vulnerability in the FTP code, which allows a remote
attacker to see a valid memory address, it may be possible to cause
reliable remote exploitation.

IV. DETECTION

iDefense has verified that Internet Explorer 6 on the following Microsoft
operating systems, with all security patches applied as of May 2006, is
affected:

  Windows 2000 Advanced Server SP4  
  Windows XP SP2  
  Windows Server 2003 Enterprise Edition SP1

This vulnerability appears to have existed from at least Internet Explorer
5.0. It is suspected that all versions of Internet Explorer on all
supported platforms are affected.

V. WORKAROUND

iDefense is unaware of any effective workarounds for this vulnerability.
Blocking outgoing port 21 (ftp) requests is not effective, as it is
possible to supply an ftp URL with an alternative port. It may be possible
to limit exposure to this vulnerability by configuring systems to use a
proxy server for all ftp requests and only allowing white-listed sites.

VI. VENDOR RESPONSE

Microsoft has addressed this vulnerability within MS07-016. For more
information, consult their bulletin at the following URL.

http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-0217 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/16/2006  Initial vendor notification
08/16/2006  Initial vendor response
10/05/2006  Second vendor notification
02/13/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Greg MacManus, iDefense Labs.


[Full-disclosure] iDefense Security Advisory 02.13.07: Hewlett-Packard HP-UX SLSd Arbitrary File Creation Vulnerability

2007-02-13 Thread iDefense Labs NO-REPLY
Hewlett-Packard HP-UX SLSd Arbitrary File Creation Vulnerability

iDefense Security Advisory 02.13.07
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 13, 2007

I. BACKGROUND

Hewlett-Packard's HP-UX introduced Single Logical Screen (SLS) in 1995 to
facilitate using multiple graphics devices on a single desktop. Distributed
SLS, or SLS/d, extends SLS to allow the utilization of graphics devices
within multiple computer systems. More information is available at the
following URL.

http://docs.hp.com/en/B2355-90142/ch05s03.html

II. DESCRIPTION

Remote exploitation of a design error within Hewlett-Packard's SLSd daemon
could allow an attacker to write arbitrary files as the superuser.

The problem specifically exists due to a design error within the
SLSd_daemon RPC daemon that provides connectivity between the
distributed systems. This daemon registers itself under the RPC PROGID of
536870913 or 351456, depending on the HP-UX version. By sending a
specially crafted request, the daemon will write attacker supplied data to
an arbitrary file as the superuser.

III. ANALYSIS

Exploitation allows an unauthenticated attacker to gain superuser
privileges by overwriting select files such as .rhosts, cron scripts, or
other files used for authentication.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability within the
SLSd_daemon binary as shipped with HP-UX 11.11i and 10.20. All versions
are suspected to be vulnerable.

V. WORKAROUND

Employ firewalls to limit access to the affected system to reduce exposure
to this vulnerability. If you are not using Distributed SLS, disable the
SLSd_daemon.

VI. VENDOR RESPONSE

Hewlett-Packard has addressed this vulnerability with HP Security Advisory
HPSBUX02191. More information is available at the following URL.

http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00862809

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

01/30/2007  Initial vendor notification
01/30/2007  Initial vendor response
02/13/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.



[Full-disclosure] iDefense Security Advisory 07.20.06: Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability

2006-07-21 Thread labs-no-reply

Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability

iDefense Security Advisory 07.20.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
July 20, 2006

I. BACKGROUND

Solaris is a UNIX operating system developed by Sun Microsystems.

II. DESCRIPTION

Local exploitation of an integer overflow vulnerability in Sun
Microsystems Inc. Solaris allows attackers to read kernel memory from a
non-privileged userspace process.

The vulnerability specifically exists due to an integer overflow in
/usr/src/uts/common/syscall/systeminfo.c. The vulnerable code is as
follows:

    if (kstr != NULL) {
        /* count is supplied by the caller; strcnt is the kernel string's length */
        if ((strcnt = strlen(kstr)) >= count) {
            getcnt = count - 1;                 /* becomes -1 when count == 0 */
            if (subyte(buf + count - 1, 0) < 0)
                return (set_errno(EFAULT));
        } else
            getcnt = strcnt + 1;
        if (copyout(kstr, buf, getcnt))         /* getcnt converted to an unsigned size */
            return (set_errno(EFAULT));
        return (strcnt + 1);
    }


If the variable count (which is a value provided by the user invoking
the function) is 0, the function will call the copyout function with a
length argument of -1. Because copyout interprets the length argument as
an unsigned integer, a large amount of data will be copied out to
userspace, well beyond the boundaries that are intended.
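
The C model below is an added example and is not Sun's kernel code. It is a userland rendering of the fragment quoted above with copyout() and subyte() replaced by stubs, so the length that copyout() would receive can be observed for each user-supplied count, and it adds a guard that rejects a non-positive count. The stub names, the model function and the EINVAL guard are this example's assumptions; Sun's actual fix is not reproduced here.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Added example, not Sun's kernel code. It is a userland model of the
 * systeminfo.c fragment quoted above: copyout() and subyte() are replaced by
 * stubs that record what the kernel would do, so the length handed to
 * copyout() can be observed for each user-supplied `count`. Types follow the
 * snippet's behaviour: count and getcnt are signed longs, copyout takes a
 * size_t. The EINVAL guard in the fixed path is this example's choice, not
 * Sun's published fix. */

size_t last_copyout_len;          /* length the last copyout() asked for */

static int copyout_stub(const char *kaddr, char *uaddr, size_t n)
{
    (void)kaddr; (void)uaddr;
    last_copyout_len = n;         /* a real copyout would copy n bytes */
    return 0;
}

/* Model of the quoted code path. Returns strcnt + 1 like the original, or
 * -EFAULT / -EINVAL where the kernel would set errno. `fixed` enables the
 * added guard. */
long sysinfo_model(const char *kstr, char *buf, long count, int fixed)
{
    long strcnt, getcnt;
    if (fixed && count <= 0)
        return -EINVAL;                          /* added guard */
    if ((strcnt = (long)strlen(kstr)) >= count) {
        getcnt = count - 1;                      /* -1 when count == 0 */
        if (count > 0)
            buf[count - 1] = '\0';               /* subyte(buf + count - 1, 0) */
        /* with count == 0 the real code targets buf - 1 in user space */
    } else {
        getcnt = strcnt + 1;
    }
    if (copyout_stub(kstr, buf, (size_t)getcnt))  /* -1 becomes SIZE_MAX */
        return -EFAULT;
    return strcnt + 1;
}
```

With a 64-byte user buffer the model asks copyout() for six bytes of "SunOS"; with count 3 it asks for two and NUL-terminates the user buffer; with count 0 the signed -1 converts to SIZE_MAX at the call, which is the kernel memory disclosure. The guard has to run before the subtraction, since by the time getcnt is compared with anything the sign has already been lost.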

III. ANALYSIS

Successful exploitation of this vulnerability allows attackers to read
sensitive kernel memory. This can lead to the compromise of passwords or
keys. It can also aid an attacker in gathering information for
exploitation of other kernel level vulnerabilities.

IV. DETECTION

iDefense has confirmed that Solaris 10 is vulnerable. Earlier versions
of Solaris are not affected.

V. WORKAROUND

iDefense is currently unaware of any workaround for this issue.

VI. VENDOR RESPONSE

Sun Alert ID 102343 addresses this issue and is available at:

    http://sunsolve.sun.com/search/document.do?assetkey=1-26-102343-1

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/15/2005  Initial vendor notification
12/15/2005  Initial vendor response
07/20/2006  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.



[Full-disclosure] iDefense Security Advisory 06.13.06: Windows Media Player PNG Chunk Decoding Stack-Based Buffer Overflow

2006-06-13 Thread labs-no-reply

Windows Media Player PNG Chunk Decoding Stack-Based Buffer Overflow

iDefense Security Advisory 06.13.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
June 13, 2006

I. BACKGROUND

Windows Media Player is a video and audio file player for Windows-based
systems. It supports multiple file formats and allows playing files from
either the local filesystem or the network. More information can be
found at:

    http://www.microsoft.com/windows/windowsmedia/mp10/default.aspx

II. DESCRIPTION

Remote exploitation of a stack-based buffer overflow in the handling of
PNG image file chunks by Microsoft Corp.'s Windows Media Player could
allow attackers to execute arbitrary code.

The Portable Network Graphics (PNG) specification defines an extensible,
portable image format that gives lossless compression and allows
transparency masking of various types. The format was developed as a
patent-free alternative to GIF and TIFF format images, and the official
specification is published on the W3C website. It should be noted that
Windows Media Player can be invoked as a 'helper application' by Internet
Explorer and Mozilla browsers, which increases the likelihood of
exploitation.

Windows Media Player uses a fixed-size buffer in a function that processes
certain chunk types, and no validation is performed on the length of the
chunks this function is passed. Therefore, a stack-based buffer overflow
can occur when WMP interprets a PNG file with an excessive chunk size.

III. ANALYSIS

Exploitation could allow a remote attacker to execute code in the
context of the currently logged in user. In order to exploit this
vulnerability, the victim must open a maliciously constructed file in
Windows Media Player or follow a link in their browser to a website
hosting such a file. No further user interaction is required for
exploitation.

In order to trigger this vulnerability, an attacker could construct a
maliciously formed PNG file and link to it via an OBJECT tag on a
website under their control.

iDefense Labs has constructed a proof of concept exploit which achieved
reliable code execution in both Internet Explorer and Mozilla Firefox.

IV. DETECTION

iDefense Labs has verified the existence of this vulnerability in
version 10 of Microsoft Windows Media Player on Windows XP
SP2 with all security patches installed as of May 23, 2006.

Microsoft has reported that the following versions are affected:

Windows Media Player 7.1
Windows Media Player for XP
Windows Media Player 9
Microsoft Windows Media Player 10


V. WORKAROUND
  
Any of the last three workarounds listed in the advisory for MS06-005
can be used to prevent exploitation.

  * Modify the Access Control List on the DirectX Filter Graph no
    thread registry key.
  * Backup and remove the DirectX Filter Graph no thread registry
    key.
  * Unregister Quartz.dll.

Implementing these workarounds might prevent applications that use
DirectX from functioning properly.

This vulnerability is not the same as MS06-005, and the MS06-005 patches
do not fix this vulnerability. The workarounds for that vulnerability
are applicable here only because the vulnerability is in the same
application and called in a similar manner.

VI. VENDOR RESPONSE

The vendor security advisory and appropriate patches are available at:

  http://www.microsoft.com/technet/security/Bulletin/MS06-024.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2006-0025 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/22/2006  Initial vendor notification
02/22/2006  Initial vendor response
06/13/2006  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Greg MacManus, iDefense Labs.


[Full-disclosure] iDefense Security Advisory 06.13.06: Microsoft Internet Explorer ART File Heap Corruption Vulnerability

2006-06-13 Thread labs-no-reply

Microsoft Internet Explorer ART File Heap Corruption Vulnerability

iDefense Security Advisory 06.13.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
June 13, 2006

I. BACKGROUND

Internet Explorer is the web browser included in Microsoft Corp.'s
Windows products.

II. DESCRIPTION

Remote exploitation of a heap corruption vulnerability in Microsoft
Corp.'s Internet Explorer allows attackers to execute arbitrary code.


Internet Explorer supports Johnson-Grace compressed images, or .art
files. Johnson-Grace developed this technology in 1991. In 1994,
America Online Inc. began using the technology and, in 1996, purchased
the company to secure rights to it. It is now licensed to Microsoft for
usage in Internet Explorer by way of the jgdw400.dll dynamically linked
library, which is copyrighted by AOL.

The vulnerability specifically exists due to improper parsing of a
malformed .art file during rendering. With a carefully crafted .art
file, it is possible to overwrite portions of the heap with static
values from a file independent table in memory. Although this typically
would be somewhat limiting from an exploitation standpoint, in this case
an attacker can utilize large images or JavaScript to fill the heap so
that these static values reliably point into controlled regions. Because
there are an abundance of function pointers on the heap that an attacker
may smash, heap integrity checks are not effective in preventing
exploitation.

III. ANALYSIS

Successful exploitation of this vulnerability allows attackers to
execute arbitrary code with the privileges of the currently logged-on
user. iDefense Labs analysis has shown that exploitation can be as
reliable as 75 percent with the current exploitation method. Upon failed
exploitation attempts, the system may become slow or unresponsive due to
the method employed by the exploit to fill memory in order to facilitate
an exploitable memory state.

It should be noted that hardware data execution prevention (DEP) will
prevent exploitation from occurring by the iDefense Labs-maintained
exploit code. This is a result of the payload executing on the heap,
which is marked writable and thus not executable.

It should also be noted that the file does NOT need to have an .art
extension to be rendered by the vulnerable library. Any extension can be
used, provided the image is loaded via an IMG SRC tag in an HTML
document in Internet Explorer.

IV. DETECTION

iDefense has confirmed that the following Microsoft products are
affected in default configurations:

   Windows XP
   Windows XP SP1
   Windows XP SP2
   Windows 2003
   Windows 2003 SP1

iDefense has confirmed that the following Microsoft products are
affected when recommended Windows feature updates have been installed:

   Windows 2000 SP4

To determine if a Windows 2000 system is affected, check for the
existence of the file jgdw400.dll on the system. If the file exists, the
system is affected.

V. WORKAROUND

iDefense has developed the following workaround, which has not
demonstrated any impairment to the system in testing. However, as this
is not a vendor-supplied workaround, it should be tested thoroughly
before being applied to a production environment. Remove the following
dynamically linked libraries (keep copies so the change can be reversed):

C:\windows\system32\jgpl400.dll
C:\windows\system32\jgdw400.dll
C:\windows\system32\jgaw400.dll
C:\windows\system32\jgsd400.dll
C:\windows\system32\jgmd400.dll
C:\windows\system32\jgsh400.dll

This will effectively disable the viewing of all .ART files on the system.

VI. VENDOR RESPONSE

The vendor security advisory and appropriate patches are available at:

  http://www.microsoft.com/technet/security/Bulletin/MS06-022.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2006-2378 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/07/2006  Initial vendor notification
02/07/2006  Initial vendor response
06/13/2006  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor 

[Full-disclosure] iDefense Security Advisory 06.13.06: Windows MRXSMB.SYS MrxSmbCscIoctlCloseForCopyChunk DoS

2006-06-13 Thread labs-no-reply

Windows MRXSMB.SYS MrxSmbCscIoctlCloseForCopyChunk DoS

iDefense Security Advisory 06.13.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
June 13, 2006

I. BACKGROUND

Microsoft Windows Operating System is system software for Intel-based
PCs. More information can be found at the vendor website:

  http://www.microsoft.com

II. DESCRIPTION

Local exploitation of an access validation error in Microsoft Corp.'s
Windows Operating System could allow attackers to cause a denial of
service (DoS) condition.

The vulnerability specifically exists due to a logic error in the
Microsoft Client Side Caching (CSCDLL.DLL) and Microsoft Server Message
Block Redirector Driver (MRXSMB.SYS) code. The Microsoft Client Side
Caching infrastructure provides the user-mode portion of the offline
files subsystem that allows interaction with network files while
offline and preserves file system permissions. The Microsoft Server
Message Block Redirector Driver is the kernel-mode file system driver
that provides the network redirector functionality utilized by CSC.

MRXSMB.SYS functions are exposed via IOCTL commands. An access
validation error exists in the MrxSmbCscIoctlCloseForCopyChunk()
function. In order to establish communication with the MRXSMB subsystem,
a file handle to a shadow device is created. If the
MrxSmbCscIoctlCloseForCopyChunk() function is passed the file handle to
the shadow device, a deadlock occurs, resulting in an unkillable
process.

III. ANALYSIS

Exploitation could result in the creation of unkillable processes. Such
a process cannot be terminated by anti-virus or other host-based
intrusion prevention systems, so malicious code could use this to
protect itself from removal.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Microsoft
Windows XP SP2. It is suspected that all versions of Microsoft Windows
are vulnerable.

V. WORKAROUND

iDefense is unaware of any effective workaround for this issue.

VI. VENDOR RESPONSE

The vendor security advisory and appropriate patches are available at:

  http://www.microsoft.com/technet/security/Bulletin/MS06-030.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2006-2374 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/07/2006  Initial vendor notification
02/07/2006  Initial vendor response
06/13/2006  Coordinated public disclosure

IX. CREDIT

iDefense credits Rubén Santamarta with the discovery of this
vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] iDefense Security Advisory 06.13.06: Windows MRXSMB.SYS MRxSmbCscIoctlOpenForCopyChunk Overflow

2006-06-13 Thread labs-no-reply

Windows MRXSMB.SYS MRxSmbCscIoctlOpenForCopyChunk Overflow

iDefense Security Advisory 06.13.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
June 13, 2006

I. BACKGROUND

Microsoft Windows Operating System is system software for Intel-based
PCs. More information can be found at the vendor website:

  http://www.microsoft.com

II. DESCRIPTION

Local exploitation of a buffer overflow vulnerability in Microsoft
Corp.'s Windows Operating System could allow attackers to gain SYSTEM
privileges.

The vulnerability specifically exists due to a logic error in the
Microsoft Client Side Caching (CSCDLL.DLL) and Microsoft Server Message
Block Redirector Driver (MRXSMB.SYS) code. The Microsoft Client Side
Caching infrastructure provides the user-mode portion of the offline
files subsystem, which allows interaction with network files while
offline and preserves file system permissions. The Microsoft Server
Message Block Redirector Driver is the kernel-mode file system driver
that provides the network redirector functionality utilized by CSC.

MRXSMB.SYS functions are exposed via IOCTL commands. An access
validation error exists in the MrxSmbCscIoctlOpenForCopyChunk()
function. In order to establish communication with the MRXSMB subsystem,
a file handle to a shadow device is created and DeviceIoControl() is
used to issue commands. If an attacker issues the request with the
METHOD_NEITHER buffering method, the user-supplied buffer address is
passed to the driver unchecked and written through, so arbitrary kernel
memory can be overwritten, resulting in ring0 code execution.

III. ANALYSIS

Successful exploitation of this vulnerability could result in elevation
to SYSTEM privileges.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Microsoft
Windows XP SP2. It is suspected that all versions of Microsoft Windows
are vulnerable.

V. WORKAROUND

iDefense is unaware of any effective workaround for this issue.

VI. VENDOR RESPONSE

The vendor security advisory and appropriate patches are available at:

  http://www.microsoft.com/technet/security/Bulletin/MS06-030.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2006-2373 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

12/09/2005  Initial vendor notification
12/13/2005  Initial vendor response
06/13/2006  Coordinated public disclosure

IX. CREDIT

iDefense credits Rubén Santamarta with the discovery of this
vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
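The check the advisory says is missing, as an added example that is not iDefense's or Microsoft's code: a model of a METHOD_NEITHER IOCTL handler in portable C, shown in the unchecked form the advisory describes and in a hardened form that validates the user buffer before touching it. The output structure, the handle value and the status codes are this example's own; USER_PROBE_ADDRESS is assumed to be the x64 Windows value of MmUserProbeAddress, and the probe mirrors the contract of ProbeForWrite() rather than calling it, so the code builds and runs outside a driver.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption of this model: the x64 Windows value of MmUserProbeAddress,
 * the lowest address a user-mode buffer is not allowed to reach. */
#define USER_PROBE_ADDRESS ((uintptr_t)0x00007FFFFFFF0000ULL)

#define STATUS_SUCCESS                0
#define STATUS_ACCESS_VIOLATION      (-1)
#define STATUS_DATATYPE_MISALIGNMENT (-2)
#define STATUS_BUFFER_TOO_SMALL      (-3)

/* Invented output structure for the open-for-copy-chunk request. */
struct copy_chunk_out {
    uint32_t shadow_handle;
    uint32_t status;
};

/* Mirrors the contract of ProbeForWrite(): a zero-length range is always
 * acceptable; otherwise the address must be aligned, the range must not
 * wrap, and it must end at or below the user/kernel boundary. With
 * METHOD_NEITHER the I/O manager does none of this for the driver. */
int probe_for_write(uintptr_t addr, size_t len, size_t align)
{
    uintptr_t end;

    if (len == 0)
        return STATUS_SUCCESS;
    if (align == 0 || (align & (align - 1)) != 0 || (addr & (align - 1)) != 0)
        return STATUS_DATATYPE_MISALIGNMENT;
    if (__builtin_add_overflow(addr, (uintptr_t)len, &end))
        return STATUS_ACCESS_VIOLATION;          /* range wraps around */
    if (end > USER_PROBE_ADDRESS)
        return STATUS_ACCESS_VIOLATION;          /* range reaches kernel space */
    return STATUS_SUCCESS;
}

/* The pattern the advisory describes: the pointer taken from the IRP is
 * trusted and written through. Pointed at a kernel address by a user-mode
 * caller, this is an arbitrary kernel write. */
int open_for_copy_chunk_unchecked(void *user_out, size_t out_len, uint32_t handle)
{
    struct copy_chunk_out *out = user_out;

    (void)out_len;                               /* length never consulted */
    out->shadow_handle = handle;
    out->status = 0;
    return STATUS_SUCCESS;
}

/* Hardened form: check the length, then probe the range, before any write.
 * A real driver would additionally wrap the write in __try/__except, since
 * another thread can unmap the page between the probe and the store. */
int open_for_copy_chunk_checked(void *user_out, size_t out_len, uint32_t handle)
{
    int st;

    if (out_len < sizeof(struct copy_chunk_out))
        return STATUS_BUFFER_TOO_SMALL;
    st = probe_for_write((uintptr_t)user_out, sizeof(struct copy_chunk_out),
                         _Alignof(struct copy_chunk_out));
    if (st != STATUS_SUCCESS)
        return st;                               /* nothing has been written */
    return open_for_copy_chunk_unchecked(user_out, out_len, handle);
}
```

In a real driver the probe is ProbeForWrite() inside __try/__except; the point of the model is that METHOD_NEITHER hands the driver the raw pointers from DeviceIoControl(), so every range must be validated by the driver itself before it is read or written.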


[Full-disclosure] iDefense Labs Releases COMRaider and HookExplorer

2006-03-29 Thread labs-no-reply

iDefense Labs is pleased to announce the public release of two new GPL
tools authored by David Zimmer.

COMRaider
-

COMRaider is a new GPL COM Object fuzzer that includes an integrated
registry scanner, type library viewer, debugger, API logger, and
includes a series of group audit capabilities.

 http://labs.idefense.com/labs-software.php?show=20

HookExplorer
-

HookExplorer is a small GPL utility designed to scan a target process
and identify any IAT or detours style hooks that may be installed
by unknown code.

Data is presented in an easy to digest format and
allows for custom filters to help trim results.

HookExplorer is available for download at:

 http://labs.idefense.com/labs-software.php?show=19

More information, screenshots, help files and source code for the tools
is available on the iDefense Labs Software page.

Michael Sutton
Director, iDefense Labs

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] iDefense Security Advisory 03.23.05: ISS Multiple Products Local Privilege Escalation Vulnerability

2006-03-23 Thread labs-no-reply

ISS Multiple Products Local Privilege Escalation Vulnerability

iDefense Security Advisory 03.23.05
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=403
March 23, 2006

I. BACKGROUND

Internet Security Systems (ISS) has developed a suite of tools aimed at
securing server and desktop systems. A flaw exists within a central
module to these components that can allow unprivileged users to obtain
complete control of the machine.

  http://www.iss.net/products_services/products.php

II. DESCRIPTION

Local exploitation of a design error in multiple Internet Security
Systems (ISS) products may allow a user to gain System level privileges.
Exploitation of this issue is trivial and can be done manually.

This exploit has been confirmed in ISS BlackIce 3.6 product and is
reportedly also found in the following products:

- BlackICE PC Protection (Consumer)
- BlackICE Server Protection (Consumer)
- BlackICE Agent for Server (Corporate)
- RealSecure Desktop 3.6 and 7.0 (Corporate)

To exploit this condition you must first trigger an action that would
cause the Application Protection Module to display a warning. For the
BlackIce product, this can be initiated by launching any executable
moved or installed after the product itself was first installed.

From the Application Protection dialog, press the More Info button,
which will bring up a secondary form. With this form active, pressing the
F1 key will bring up the standard Windows Open File dialog prompting the
user to manually locate the help file for the application.

The problem arises because the BlackIce process fails to drop
privileges before launching the help dialog. If a user resets the
dialog file mask by entering *.exe [enter], they can then launch any
executable on the system from the dialog by right-clicking on it and
choosing Open. Applications run in this manner will be executed with
System level rights.

III. ANALYSIS

Successful exploitation allows a local attacker to execute arbitrary
commands as the System Administrator user. This allows complete system
compromise including the installation and removal of applications, and
ability to read and write any file on the system.

IV. DETECTION

iDefense has confirmed this vulnerability exists in version 3.6 of ISS
BlackIce PC Desktop for Windows with all current updates applied.

V. WORKAROUND

There is currently no known work around for this issue.

VI. VENDOR RESPONSE

This issue does not affect Proventia Desktop, which is a replacement
product for and a free upgrade from RealSecure Desktop 3.6 and 7.0.  Nor
does this issue affect Proventia Server, which is a replacement product
for and a free upgrade from BlackICE Agent for Server.  There are no
other ISS products that use the components described.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-2711 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/23/2005  Initial vendor notification
08/24/2005  Initial vendor response
03/23/2006  Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] iDefense Security Advisory 03.23.06: RealNetworks RealPlayer and Helix Player Invalid Chunk Size Heap Overflow Vulnerability

2006-03-23 Thread labs-no-reply
RealNetworks RealPlayer and Helix Player Invalid Chunk Size Heap 
Overflow Vulnerability


iDefense Security Advisory 03.23.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=404
March 23, 2006

I. BACKGROUND

RealPlayer is an application for playing various media formats,
developed by RealNetworks Inc. For more information, visit
http://www.real.com/.

II. DESCRIPTION

Remote exploitation of a heap-based buffer overflow in RealNetworks Inc.'s
RealPlayer could allow the execution of arbitrary code in the context of
the currently logged in user.

The vulnerability specifically exists in the handling of the 'chunked'
Transfer-Encoding method. This method breaks the file the server is
sending into 'chunks'. For each chunk, the server first sends the
length of the chunk in hexadecimal, followed by the chunk data. This is
repeated until there are no more chunks. The server then sends a chunk
length of 0 indicating the end of the transfer.

There are multiple ways of triggering this vulnerability:

   * Sending a well-formed chunk header with a length of -1, followed by
     malicious data.
   * Sending a well-formed chunk header with a length that is less than
     the amount of data that will be sent, followed by malicious data.
   * Not sending a chunk header before sending malicious data.

Each of these cases results in a heap overflow. Depending on the version
used, some of these cases will not cause exploitable issues. However,
the last case appears to reliably trigger a crash.

III. ANALYSIS

Successful exploitation allows a remote attacker to execute arbitrary
code with the privileges of the currently logged in user. In order to
exploit this vulnerability, an attacker would need to entice a user to
follow a link to a malicious server. Once the user visits a website
under the control of an attacker, it is possible in a default install of
RealPlayer to force a web-browser to use RealPlayer to connect to an
arbitrary server, even when it is not the default application for
handling those types, by the use of embedded object tags in a webpage.
This may allow automated exploitation when the page is viewed.

As the client sends its version information as part of the request, it
would be possible for an attacker to create a malicious server which
uses the appropriate offsets and shellcode for each version and platform
of the client.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in RealPlayer
versions 10.4 and 10.5 for Windows and in both RealPlayer 10.4 and Helix
Player 1.4 for Linux.

The vendor has stated that the following versions are vulnerable:
* RealPlayer 10.5 (6.0.12.1040-1348)
* RealPlayer 10
* RealOne Player v2
* RealOne Player v1
* RealPlayer 8

It is suspected that previous versions of RealPlayer and Helix Player
are affected by this vulnerability.

V. WORKAROUND

Although there is no way to completely protect yourself from this
vulnerability, aside from removing the RealPlayer software, the
following actions may be taken to minimize the risk of automated
exploitation.

Disable ActiveX controls and plugins, if not necessary for daily
operations, using the following steps:

1. In IE, click on Tools and select Internet Options from the drop-down
   menu.
2. Click the Security tab and the Custom Level button.
3. Under ActiveX Controls and Plugins, then Run ActiveX Controls and
   Plugins, click the Disable radio button.

In general, exploitation requires that a targeted user be socially
engineered into visiting a link to a server controlled by an attacker.
As such, do not visit unknown or untrusted websites and do not follow
suspicious links.

When possible, run client software, especially applications such as IM
clients, web browsers and e-mail clients, from regular user accounts
with limited access to system resources. This may limit the immediate
consequences of client-side vulnerabilities such as this.

VI. VENDOR RESPONSE

Information from the vendor about this vulnerability is available at the
following URL:

   http://service.real.com/realplayer/security/03162006_player/en/

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-2922 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/08/2005  Initial vendor notification
09/09/2005  Initial vendor response
03/23/2006  Public disclosure

IX. CREDIT

This vulnerability was found internally by Greg MacManus of iDefense Labs.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the 

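A bounds-checked decoder for the chunked Transfer-Encoding described in the advisory above, as an added example that is not RealNetworks' or iDefense's code. It rejects each of the three malformed inputs the advisory lists (a length of -1, a length smaller than the data that follows, and data with no chunk header) before copying anything. It takes a complete body already in memory; the status names and the 16-digit size limit are this example's own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum chunk_status {
    CHUNK_OK = 0,
    CHUNK_BAD_HEADER,       /* no hex chunk-size where a header was expected */
    CHUNK_SIZE_TOO_LARGE,   /* size exceeds the input actually sent or the output buffer */
    CHUNK_TRUNCATED,        /* input ended inside a chunk or before the final 0 chunk */
    CHUNK_BAD_TRAILER       /* chunk data not followed by CRLF */
};

static int hexval(uint8_t c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse the chunk-size line at in[*pos] and advance *pos past its CRLF.
 * The size is parsed as an unsigned value, so "-1" is simply not a header,
 * and more than 16 hex digits are refused instead of silently wrapping. */
static enum chunk_status read_chunk_size(const uint8_t *in, size_t in_len,
                                         size_t *pos, size_t *size)
{
    size_t p = *pos, digits = 0;
    uint64_t v = 0;

    while (p < in_len && hexval(in[p]) >= 0) {
        if (++digits > 16)
            return CHUNK_SIZE_TOO_LARGE;
        v = (v << 4) | (uint64_t)hexval(in[p++]);
    }
    if (digits == 0)
        return CHUNK_BAD_HEADER;                 /* data with no header, "-1", ... */
    if (p < in_len && in[p] == ';')              /* skip chunk extensions */
        while (p < in_len && in[p] != '\r')
            p++;
    if (p + 1 >= in_len || in[p] != '\r' || in[p + 1] != '\n')
        return CHUNK_BAD_HEADER;
    if (v > (uint64_t)SIZE_MAX)
        return CHUNK_SIZE_TOO_LARGE;
    *size = (size_t)v;
    *pos = p + 2;
    return CHUNK_OK;
}

/* Decode a complete chunked body from in[] into out[]. The advertised size
 * is checked against the bytes remaining in the input and the space left in
 * the output before the copy; the vulnerable code trusted it for the copy
 * length. Returns CHUNK_OK and sets *out_len on success. */
enum chunk_status decode_chunked(const uint8_t *in, size_t in_len,
                                 uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t pos = 0, written = 0, size;
    enum chunk_status st;

    for (;;) {
        st = read_chunk_size(in, in_len, &pos, &size);
        if (st != CHUNK_OK)
            return st;
        if (size == 0)
            break;                               /* last-chunk */
        if (size > in_len - pos)
            return CHUNK_SIZE_TOO_LARGE;         /* header promises more than was sent */
        if (size > out_cap - written)
            return CHUNK_SIZE_TOO_LARGE;         /* would overflow our buffer */
        memcpy(out + written, in + pos, size);
        written += size;
        pos += size;
        if (pos + 2 > in_len)
            return CHUNK_TRUNCATED;
        if (in[pos] != '\r' || in[pos + 1] != '\n')
            return CHUNK_BAD_TRAILER;            /* sender lied about the length */
        pos += 2;
    }
    *out_len = written;
    return CHUNK_OK;
}
```

The checks that matter are the two comparisons before memcpy: the advertised size against the bytes actually received and against the space left in the destination. A decoder that sizes its copy from the advertised length alone is the heap overflow the advisory describes; CHUNK_BAD_TRAILER is what catches a sender whose length is smaller than the data it then sends.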
[Full-disclosure] iDefense Security Advisory 02.24.06: SCO Unixware Setuid ptrace Local Privilege Escalation Vulnerability

2006-02-24 Thread labs-no-reply

SCO Unixware Setuid ptrace Local Privilege Escalation Vulnerability

iDefense Security Advisory 02.24.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=395
February 24, 2006

I. BACKGROUND

SCO Unixware is a Unix operating system that runs on many OEM platforms.

More information about the product is available from:

 http://www.caldera.com/products/unixware714/

II. DESCRIPTION

Local exploitation of an access validation error in SCO Unixware allows
attackers to gain root privileges.

The vulnerability specifically exists due to a failure to check
permissions on traced executables. The ptrace() system call provides an
interface for debugging other processes on the system. SCO Unixware's
implementation of the ptrace system call fails to check for setuid
permissions on binaries before attaching to the process. This results
in the complete control of memory and execution for the traced process
with root privileges. Attackers can inject data into the running setuid
process and execute arbitrary code with root permissions.

III. ANALYSIS

Exploitation of this vulnerability is trivial. Simply placing shellcode
in the environment and changing the instruction pointer via ptrace() is
enough to elevate privileges.
   
IV. DETECTION

iDefense has confirmed the existence of this vulnerability in SCO
Unixware versions 7.1.3 and 7.1.4. All previous versions of SCO Unixware
are suspected to be vulnerable.

V. WORKAROUND

It is not possible to reduce the impact of this vulnerability other
than to restrict access to the affected systems.

VI. VENDOR RESPONSE

The vendor has released the following advisory to address this issue:

 ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.9/SCOSA-2006.9.txt

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-2934 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/15/2005  Initial vendor notification
10/13/2005  Initial vendor response
02/24/2006  Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
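The permission check the advisory says Unixware's ptrace() omitted, written as a stand-alone C predicate (added example, not SCO's or iDefense's code). The rule is modelled on the one Linux applies before PTRACE_ATTACH: the tracer must own every identity of the target and the target must still be dumpable, a flag the kernel clears when a process executes a set-id image; CAP_SYS_PTRACE bypasses the ownership test. The struct layouts and the exec model are this example's own simplification of what a kernel keeps.

```c
#include <stdbool.h>

/* Simplified credentials and task state; the real structures carry far more. */
struct cred {
    unsigned uid, euid, suid;       /* real, effective, saved user id */
    unsigned gid, egid, sgid;       /* real, effective, saved group id */
    bool cap_sys_ptrace;            /* may debug any process */
};

struct task {
    struct cred cred;
    bool dumpable;                  /* cleared once the image gained privilege */
};

/* Model of exec(): a set-id image changes the effective id, the saved id
 * follows the effective one, and the task stops being dumpable whenever its
 * effective ids differ from its real ids (simplification of the Linux rule). */
void exec_image(struct task *t, unsigned owner_uid, unsigned owner_gid,
                bool setuid_bit, bool setgid_bit)
{
    if (setuid_bit)
        t->cred.euid = owner_uid;
    if (setgid_bit)
        t->cred.egid = owner_gid;
    t->cred.suid = t->cred.euid;
    t->cred.sgid = t->cred.egid;
    t->dumpable = (t->cred.euid == t->cred.uid) && (t->cred.egid == t->cred.gid);
}

/* The attach-time check. A tracer may attach only if it owns every identity
 * of the target (so the target holds nothing the tracer does not already
 * have) and the target is still dumpable; CAP_SYS_PTRACE overrides both.
 * Unixware attached without this test, which is why an unprivileged user
 * could rewrite the registers and memory of a root-privileged setuid process. */
bool ptrace_may_attach(const struct cred *tracer, const struct task *target)
{
    const struct cred *t = &target->cred;

    if (tracer->cap_sys_ptrace)
        return true;
    if (tracer->uid != t->uid || tracer->uid != t->euid || tracer->uid != t->suid)
        return false;
    if (tracer->gid != t->gid || tracer->gid != t->egid || tracer->gid != t->sgid)
        return false;
    return target->dumpable;
}
```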


[Full-disclosure] iDEFENSE Security Advisory 10.11.05: Microsoft Distributed Transaction Controller TIP DoS Vulnerability

2005-10-12 Thread labs-no-reply
Microsoft Distributed Transaction Controller TIP DoS Vulnerability

iDEFENSE Security Advisory 10.11.05
www.idefense.com/application/poi/display?id=320&type=vulnerabilities
October 11, 2005

I. BACKGROUND

The Distributed Transaction Controller provides a method for disparate
processes to complete atomic transactions. The Transaction Internet
Protocol (TIP) is one of the ways that the DTC service can be accessed.
This service is part of a standard installation on Windows NT 4.0,
Windows 2000, Windows XP and Windows 2003.

II. DESCRIPTION

Remote exploitation of a denial of service vulnerability within various 
versions of Microsoft Corp.'s Windows operating system allows attackers
to cause the msdtc.exe process to crash.

The vulnerability specifically exists because of a flaw in processing 
responses from foreign servers. The DoS can be triggered by sending a 
command sequence that causes the DTC service to connect back to a
hostile server. If the hostile server sends an unexpected protocol
command during the reconnection request, the DTC service will throw an
exception and exit. This attack can be used to kill the DTC service and
prevent other applications from using the service to process
transactions.

The following commands can be sent over TCP port 3372 to force the DTC
service to connect to an arbitrary host and process commands, where
DST_IP:DST_PORT is the attacker-controlled host the service will connect
back to:

  IDENTIFY 3 3 DST_IP:DST_PORT/ANYID -
  PUSH SOMESTRING
  PREPARE
  RECONNECT

III. ANALYSIS

Successful exploitation of this vulnerability will cause applications 
requiring the MSDTC service to fail. One such service is Microsoft SQL 
Server. Any other applications that rely on clustering to be functional 
will also fail. This service should not be exposed to public networks, 
thus mitigating the risk of this vulnerability.

IV. DETECTION

iDEFENSE has confirmed the existence and exploitability of this 
vulnerability in Microsoft Windows 2000 SP4. All versions of Microsoft 
Windows with the vulnerable service running are suspected vulnerable.

V. WORKAROUND

iDEFENSE is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

The vendor security advisory and appropriate patches are available at:

   http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-1979 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

03/23/2005 Initial vendor notification
03/23/2005 Initial vendor response
10/11/2005 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
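A detector for the connect-back sequence shown in the MSDTC advisory above, as an added example that is not Microsoft's or iDefense's code. It walks the client side of a TCP/3372 session line by line, pulls the secondary transport address out of each IDENTIFY command using the format the advisory gives (IDENTIFY 3 3 DST_IP:DST_PORT/ANYID -), and counts RECONNECT commands issued while that address points outside an allowlist. The allowlist entries are an assumption of this example, and any session string fed to it is constructed input rather than captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumption: the only hosts this DTC should ever be told to reconnect to
 * (for instance, the other nodes of its own cluster). */
static const char *const ALLOWED_HOSTS[] = { "10.0.0.11", "10.0.0.12" };

/* Copy the host part of an IDENTIFY command's secondary transport address
 * ("IDENTIFY <lowest> <highest> <host>:<port>/<id> ...") into host[].
 * Returns false for anything that is not a well-formed IDENTIFY. */
bool tip_identify_host(const char *line, char *host, size_t host_cap)
{
    const char *p = line;
    size_t n;

    if (strncmp(p, "IDENTIFY ", 9) != 0)
        return false;
    p += 9;
    for (int i = 0; i < 2; i++) {                /* skip the two version fields */
        while (*p == ' ')
            p++;
        if (*p == '\0')
            return false;
        while (*p != '\0' && *p != ' ')
            p++;
    }
    while (*p == ' ')
        p++;
    n = strcspn(p, ":/ \r\n");                   /* host ends at port, path or space */
    if (n == 0 || n + 1 > host_cap)
        return false;
    memcpy(host, p, n);
    host[n] = '\0';
    return true;
}

static bool host_allowed(const char *host)
{
    for (size_t i = 0; i < sizeof ALLOWED_HOSTS / sizeof ALLOWED_HOSTS[0]; i++)
        if (strcmp(host, ALLOWED_HOSTS[i]) == 0)
            return true;
    return false;
}

/* Scan one client-side session (commands separated by CRLF or LF) and
 * count RECONNECT commands issued while the last IDENTIFY named a host
 * outside the allowlist: the sequence that makes msdtc.exe dial out to an
 * attacker's server and die on the unexpected reply. */
int tip_count_suspicious_reconnects(const char *session)
{
    char line[256], host[128];
    bool foreign = false;
    int hits = 0;
    const char *p = session;

    while (*p != '\0') {
        size_t n = strcspn(p, "\n");
        size_t c = n < sizeof line ? n : sizeof line - 1;

        memcpy(line, p, c);                      /* over-long lines are clipped, not skipped */
        line[c] = '\0';
        if (c > 0 && line[c - 1] == '\r')
            line[c - 1] = '\0';
        p += n;
        if (*p == '\n')
            p++;

        if (tip_identify_host(line, host, sizeof host))
            foreign = !host_allowed(host);
        else if (strcmp(line, "RECONNECT") == 0 && foreign)
            hits++;
    }
    return hits;
}
```

Run against a sensor feed for port 3372, this flags a DTC being told to dial an unknown host before the crash happens; the same IDENTIFY parsing can feed an egress rule, which fits the advisory's own mitigation that the service should not be exposed to public networks.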