IDGNet Virus & Security Watch Friday 29 August 2003


This issue's topics:

Introduction:

* Dreamweaver, sendmail, Oracle 9i, Helix/Real servers, RealOne, pam_smb patches

Virus News:

* Major antivirus conference in Sydney, November 2003

* More virus e-mail, by George...

Security News:

* Fix for cross-site scripting flaw in Dreamweaver

* Yet another sendmail vulnerability

* Yet another Oracle9i vulnerability

* Remote root exploit in Helix Universal, other Real servers patched

* Real also fixes cross-zone/domain flaw in RealOne Player for Windows

* Update fixes remote root vulnerability in pam_smb

* Directory traversal fixed in 'unofficial' UnZip update

* Worm nukes power plant?

Introduction:

Ongoing effects from the Sobig, and to a lesser extent Blaster, events of the last couple of weeks continue, but there is little truly newsworthy to report this late in the second and third weeks of these worms' respective runs. Of interest to those especially charged with antivirus responsibilities may be the AVAR conference in Sydney in early November. This is the annual conference of the Association of anti-Virus Asia Researchers, but despite the name it draws top AV researchers from around the world, with speakers from Ireland, Finland and the US among those confirmed so far. It is also probably the best chance yet (or for the foreseeable future) of visiting such a conference so close to New Zealand and, with recent trans-Tasman fare reductions, may be the only affordable international antivirus conference in reach of NZ IT staff.

On the security front there are many moderately to severely critical vulnerabilities that need patching, perhaps of most note (for endurance) being sendmail and, for severity, the Helix and related RealNetworks server updates. The final story in the security section is a 'must read'...

Virus News:

* Major antivirus conference in Sydney, November 2003

Leading antivirus industry figures from around the globe are speaking at the Association of anti-Virus Asia Researchers (AVAR) annual conference. For the first time the AVAR conference is being held in Australia, presenting perhaps the best opportunity so close to home for New Zealand IT folk to attend such a conference and meet some of the industry's key players.

The conference runs from 5 - 7 November at the Westin Sydney hotel. More details are available from the AVAR conference page linked below. (In the interest of fairness, it should be noted that your newsletter compiler is co-presenting a paper, but would have included this item if he was only planning on attending as a delegate.)

AVAR 2003 in Sydney - aavar.org

* More virus e-mail, by George...

We have recommended the dry, sardonic wit of long-time virus and antivirus scene-watcher George Smith before. His latest observations about some of the fallout from recent worms du jour - Blaster and, particularly, Sobig - seem worthy of your attention. Surely Smith has captured the exasperation, if not frustration, of many newsletter readers at the barrage of bounce messages from e-mail gateway virus scanners incorrectly informing them 'you are infected with Sobig'. Is this aspect of the solution worse than the problem?

Viral Opportunity - securityfocus.com

Security News:

* Fix for cross-site scripting flaw in Dreamweaver

Macromedia has released fixes and/or workarounds for some cross-site scripting (XSS) flaws in Dreamweaver MX, all versions of UltraDev, and two extensions included as part of volumes 2 and 4 of the DRK (Developer's Resource Kit). If exploited, such XSS flaws may allow unsanctioned access to site-specific cookie and/or session information from the browsers of visitors to sites authored with Dreamweaver. The problem is due to a common cause of XSS problems - direct use of a variable supplied by the visitor's browser that is not URL encoded before it is used on the server or echoed into pages subsequently presented to (another) browser visiting the site. This allows an attacker to write script which may ultimately be executed in a user's browser.

Patches for Dreamweaver MX and the faulty DRK Extensions are available from the Macromedia pages linked below, as are more details of the issues.

Security Issue and Patch for Dreamweaver/DRK Server - macromedia.com

Security Issue and workaround for Dreamweaver UltraDev - macromedia.com

* Yet another sendmail vulnerability

All standard releases of sendmail 8.12.x prior to version 8.12.9 are potentially vulnerable to an exploitable flaw in the DNS map code introduced in the 8.12 tree. It is unknown whether the vulnerability is remotely exploitable, but given sendmail's huge userbase, it is likely that if it is exploitable someone with something to gain by exploiting it will find a way. Sites that do not have DNS maps enabled are immune to (theoretical) exploitation of this flaw, but sendmail sites with the DNS maps option enabled and handling large volumes of e-mail are likely to see sendmail processes crashing due to this bug.

Administrators of vulnerable sendmail sites are strongly recommended to update to 8.12.9, or at least to apply the simple source patch included in the sendmail.org advisory on this issue (linked below) and to rebuild. Alternately, the distributors of most popular OSes that ship sendmail have produced updated or patched versions and made these available via the usual channels. Sites running commercial versions of sendmail should check the Sendmail Inc. download pages for the latest versions.

DNS map problem in 8.12.x before 8.12.9 sendmail.org

Sendmail Security Patch Information - sendmail.com

* Yet another Oracle9i vulnerability

Oracle has released an update for Oracle9i Database Release 2 to fix a buffer overflow vulnerability in the XML Database (XDB) component of the product. To exploit this vulnerability and either effect a denial of service against the database server or possibly run arbitrary code of the attacker's choice, one of two conditions must be met - either the attacker must have an authenticated database session or the FTP and HTTP servers in the XML Database must be enabled.

Patches are available from Metalink and some more details of the vulnerability are available in the Oracle security advisory linked below.

Buffer Overflow in XML Database of Oracle9i Server - oracle.com (PDF)

* Remote root exploit in Helix Universal, other Real servers patched

RealNetworks has posted patches for x86 Linux and Windows versions of its Helix Universal Server 9, RealSystem Server 8, 7 and RealServer G2 products. All products have a remotely exploitable buffer overflow triggered by carefully formed URLs directed to the servers.

Server Exploit Vulnerability - real.com

* Real also fixes cross-zone/domain flaw in RealOne Player for Windows

The delightfully named 'DigitalPranksters' have released a security advisory describing a cross-zone and cross-domain security flaw in the popular RealOne Player software. The flaw is in Real's SMIL protocol and is such that successive requests for resources specified by URL are incorrectly executed in the security context of the previous resource. Thus, for example, if a local resource were accessed then a remotely sourced JavaScript, the script would run in the 'My Computer' security zone (which has almost no restrictions under default installations).

According to Real, RealOne Player (English only), RealOne Player v2 for Windows (all languages), and RealOne Enterprise Desktop (all versions, standalone and RealOne Desktop Manager) are vulnerable. Patches or updates fixing this problem are available from the Real security advisory linked below.

Update to Address RealOne Player Security Vulnerabilities - real.com

RealOne Player Allows Cross Zone and Domain Access - digitalpranksters.com

* Update fixes remote root vulnerability in pam_smb

pam_smb is a pluggable authentication module that allows PAM to authenticate against Server Message Block (SMB) servers such as those running NT or Samba. The pam_smb developers have released an update, pam_smb 1.1.7, that fixes a remotely exploitable buffer overflow vulnerability in 1.1.6 and earlier versions. The 'CHANGES' file for the 1.1.7 release notes simply (and rather cryptically) 'Looks like another buffer overflow potential'. In fact, the only code modification between 1.1.6 and 1.1.7 involves an unsafe (no length check) string copy of the (user-supplied) password.

As an exploit for the vulnerability has already been publicly posted, sites using pam_smb are advised to obtain and build the 1.1.7 release from the pam_smb home page on SourceForge (linked below) or to obtain update packages from their OS distributors as these become available. Note that all pam_smb 2.0.0 pre-release versions prior to 2.0.0-rc5 are also vulnerable (not that you would be running them in a production environment, but...).

pam_smb home page - sourceforge.net

* Directory traversal fixed in 'unofficial' UnZip update

Several Linux distributors have released update packages for their ports of the Info-ZIP group's UnZip utility. Earlier in the year a directory traversal bug in UnZip, where the utility would honour '..' directory names in paths inside a zip archive, was patched.

More recently that patch was found to be flawed. If certain characters that are invalid in filenames were interspersed between the two dot characters of a directory traversing path in a zip archive file, the directory traversal patch would not consider the path problematic, but later processing in the UnZip code would strip (perhaps rather than replace) the invalid character, meaning that the actual unpacking code would still perform a directory traversal. The UnZip maintainer in the Info-ZIP group is believed to still be working on a comprehensive patch for this problem, but several Linux distributors have released their own patched versions (the UnZip code for most other OSes is still likely to be vulnerable to embedded invalid characters defeating its directory traversal prevention mechanisms).
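The ordering problem described above, modelled in Python as an added example (this is not Info-ZIP's code, and the set of 'invalid' characters is a constructed stand-in for UnZip's platform-dependent list): the flawed fix checks for '..' components before the later clean-up step strips invalid characters, so a name such as '.\x01./etc/passwd' passes the check and becomes '../etc/passwd' afterwards. The corrected version sanitises first (replacing rather than stripping), then normalises the final path and confirms it stays inside the extraction directory.

```python
import posixpath

# Constructed stand-in for characters a filesystem will not accept in names.
INVALID_CHARS = set('\x00\x01"<>|*?')

DEST = "/tmp/out"  # extraction directory used for the demonstration


def flawed_is_safe(member_name: str) -> bool:
    """Models the original fix: reject '..' components *before* clean-up."""
    return all(part != ".." for part in member_name.split("/"))


def strip_invalid(member_name: str) -> str:
    """Models the later clean-up that removes (rather than replaces)
    invalid characters, turning '.\\x01.' back into '..'."""
    return "".join(ch for ch in member_name if ch not in INVALID_CHARS)


def flawed_extract_path(member_name: str, dest: str = DEST):
    """Flawed order: check, then strip, then join. Returns None if rejected."""
    if not flawed_is_safe(member_name):
        return None
    cleaned = strip_invalid(member_name)
    return posixpath.normpath(posixpath.join(dest, cleaned))


def safe_extract_path(member_name: str, dest: str = DEST):
    """Correct order: sanitise first (replace, never strip), normalise the
    joined path, and only then verify it is still inside dest."""
    cleaned = "".join("_" if ch in INVALID_CHARS else ch for ch in member_name)
    cleaned = cleaned.lstrip("/")  # absolute member names are relative to dest
    target = posixpath.normpath(posixpath.join(dest, cleaned))
    if target != dest and not target.startswith(dest + "/"):
        return None  # escaped the extraction directory
    return target


if __name__ == "__main__":
    tricky = ".\x01./.\x01./etc/passwd"  # constructed archive member name
    print("flawed:", flawed_extract_path(tricky))   # escapes to /etc/passwd
    print("safe:  ", safe_extract_path(tricky))     # stays under /tmp/out
    print("safe:  ", safe_extract_path("../etc/passwd"))  # None (rejected)
```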

As there is no official public patch for this issue, we have just linked to the UnZip home page, where there is a brief announcement that the developers are aware of this, and another closely related, issue.

Info-ZIP UnZip home page - info-zip.org

* Worm nukes power plant?

An interesting article by SecurityFocus' Kevin Poulsen late last week pointed out the apparent (to some experts) dangers of allowing what are supposed to be isolated, specialist monitoring and critical-system control computers and networks to interconnect with other networks of a (potentially) lesser security level.

Poulsen's article explains how the Slammer worm from earlier this year effectively disabled a "Safety Parameter Display System" - something as critical as its name suggests - at a nuclear power plant. Slammer entered the plant's network by first accessing the corporate network of the plant's owner/operator via unprotected partner contractors' network connections, and then found its way into the power plant control network. Fortunately the specific plant was offline and a redundant, manual system covers for failures in the computerized control and monitoring system.

The plant concerned is owned and operated by Ohio utility FirstEnergy Corp., another of whose operations is now under investigation as the possible initial source of the problems that triggered the recent massive electricity blackout in the North-Eastern US and parts of Canada. Suggestions that the height of Blaster's rampage and the electricity blackout may not have been entirely coincidental have already arisen, and Poulsen addresses these, and other issues of malware and network problems that may affect aspects of US 'critical infrastructure' in this fascinating article.

Slammer worm crashed Ohio nuke plant network - securityfocus.com
