IDGNet Virus & Security Watch Friday 8 August 2003


This issue's topics:

Introduction:

* Mimail virus; Sun ONE App Server, WU-FTPD, *BSD, Postfix updates

Virus News:

* Is Mimail safe?

* DCOM worm expected...

* US court allows 'Trojan evidence'

Security News:

* Lotus SameTime protocol credential theft, weak message encryption

* Fix for Sun ONE Application Server disclosing JSP page contents

* Exploitable off-by-one bug in WU-FTPD patched

* Exploitable off-by-one bug in *BSD libc 'realpath(3)'

* Patch fixes remote DoS & DDoS/bounce scanning in Postfix

* Notepad popups in Internet Explorer

Introduction:

What big virus will break this afternoon or overnight tonight? I ask because, as seems so often the case of late, the 'big' virus story of the week broke a few hours after I filed copy for last week's newsletter... Win32/Mimail started making waves overnight Friday through Saturday morning New Zealand time, several hours too late to be included in last week's newsletter and reporting on a week old virus seems oh so passe. Aside from Mimail, everyone seems anxious for the appearance of a worm based on the Microsoft DCOM vulnerability, given the wide availability of several exploits for that bug and the US Appeals Court hands down an interesting ruling on the status of evidence gathered through hacking.

On the security front there are several quite important patches - the Sun ONE Application Server may expose .JSP file contents rather than rendering them, there is a remotely exploitable bug in WU-FTPD (the uncharitable may ask "what month isn't there?"), that bug turns out to be inherited from a common BSD library (though it is not known if any standard services or applications shipped with the various BSD flavours expose the vulnerability remotely), and the popular Postfix mail server - widely seen as a flexible and secure alternative to sendmail - has two security bugs. Also, the SameTime protocol underlying one of the reputedly secure corporate instant messaging products has been found to be seriously compromised.

Virus News:

* Is Mimail safe?

Win32/Mimail@mm made quite a splash late last week and has continued its march across the net all week. Mimail is a mass-mailer with a twist. Rather than including a copy of its binary executable (perhaps suitably renamed to seduce the naive into 'opening' it) in its outgoing e-mail messages, it attaches a specially packaged copy of itself. Recipients of Mimail messages see a short note, apparently from the 'admin' account of their e-mail domain, advising them their account is about to expire and exhorting them to read the attached message for the details.

That attached 'message' is actually a .ZIP file - a type that recent 'extra secure' versions of Outlook, Outlook Express and some non-Microsoft e-mail clients will still display to their users. If the recipient opens the .ZIP file they will see it contains a .HTML file, a type most users seem to assume is quite safe, perhaps because the world wide web is made up of such files and they are generally supposed to be 'just data'. Mimail's writer hoped - apparently correctly - that quite a few potential victims would feel safe enough 'opening' the .HTML file from inside the .ZIP.

Inside the .HTML file is a specially packaged copy of the virus' executable program file and some script code. In turn, that script hopes to take advantage of an old codebase vulnerability in Internet Explorer. That flaw was fixed sometime last year, except for pages running in the 'My Computer' security zone, where the bug was silently fixed in the latest IE cumulative patch.

The effect of all this is that, if the recipient of a Mimail message has some program (such as old favourite WinZip) associated with .ZIP files and they double-click on the .ZIP attachment and then double-click the .HTML file inside the .ZIP, the .HTML file will be extracted, normally to the system's 'temporary files' folder, and Internet Explorer launched to open the .HTML file. Unlike the 'temporary internet files' folder, the standard temporary files folder is not in the Internet security zone, but in the 'My Computer' security zone. Thus, when opening the .HTML file to display it, the script and codebase trick cause Internet Explorer to extract the .EXE file from the .HTML file and execute it, unless the machine happens to have been patched with the latest IE cumulative update.
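The delivery chain described above (a .ZIP attachment wrapping an .HTML file that carries script and a codebase trick) is something a mail gateway can flag before the message reaches a user. The following is an added example, not code from the newsletter or from any vendor: it builds a constructed Mimail-style message with an inert stand-in for the HTML payload, then scans every .ZIP attachment for HTML members and reports whether they contain script or an object codebase attribute.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage
# Constructed sample, not a real Mimail message: an 'admin' note whose .ZIP
# attachment wraps an .HTML file with script and an <object codebase=...> tag.
# The HTML below is an inert stand-in that only mimics the structure.
ACTIVE_HTML = b'<html><script>/* stand-in */</script><object codebase="x.exe"></object></html>'
HTML_EXT = (".htm", ".html")
ACTIVE_CONTENT = re.compile(rb"<script\b|<object\b[^>]*\bcodebase\s*=", re.IGNORECASE)

def build_sample(inner_html: bytes = ACTIVE_HTML) -> bytes:
    # Short note 'from admin' plus message.zip containing message.html
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.html", inner_html)
    msg = EmailMessage()
    msg["From"] = "admin@example.com"
    msg["Subject"] = "your account"
    msg.set_content("Your account is about to expire; see the attached message.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()

def scan_message(raw: bytes, max_bytes: int = 1 << 20) -> list:
    """Return (attachment, member, reason) for every HTML file inside a .ZIP attachment."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            findings.append((name, "", "unreadable zip"))
            continue
        for info in zf.infolist():
            if not info.filename.lower().endswith(HTML_EXT):
                continue
            # Read only a bounded prefix so a decompression bomb cannot exhaust memory
            with zf.open(info) as fh:
                body = fh.read(max_bytes)
            reason = "html inside zip"
            if ACTIVE_CONTENT.search(body):
                reason += " with script/codebase"
            findings.append((name, info.filename, reason))
    return findings
```

A gateway would normally quarantine on any HTML-inside-ZIP finding rather than only on the script/codebase match, since the attachment type itself has no legitimate reason to reach a user this way.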

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* DCOM worm expected...

There is much anticipation within the security community of the release of a worm based on the recent DCOM vulnerability described a few weeks back in the Security section of this newsletter. Several working exploits have been publicly released in the last two weeks, including at least one that uses 'universal offsets' for Windows 2000 and XP machines.

The nature of the DCOM flaw is that an attacker's overflow leaves their exploit code at an indeterminate memory address, but with control over a couple of crucial CPU registers. Thus exploiting the flaw requires knowledge of a suitable location to set the instruction pointer to (EIP is one of the registers the overflow can control). For the overflow to work and return control to the attacker's code in (or past) the overflowed buffer, the location EIP is set to must contain a specific instruction that jumps to the address held in one of the other registers the overflow controls.

Early sample exploits included memory offsets that were specific to particular operating system, service pack and language versions. With the discovery and publication of these universal offsets for Windows 2000 and XP, it is widely believed to be only a matter of time before some malcontent takes some of the existing exploit code and adds self-spreading functionality. There are already several clear instances of machines being manually compromised via DCOM exploits, with bot net agents, remote administration Trojans and other undesirable programs being installed via the backdoors introduced by the current crop of DCOM exploits.

* US court allows 'Trojan evidence'

SubSeven, the notorious remote access Trojan (or RAT), may have had its day in court - and it won, in a sense... A US federal Appeals Court has overturned an earlier District Court ruling from Virginia, thereby allowing the use of evidence given to police by a 'hacker'.

At the heart of the issue, which has now been deliberated over in several courts, is whether the evidence provided by the hacker should be admissible or even actionable. The hacker duped some of the readers of a child porn newsgroup into downloading and running a copy of the SubSeven RAT then monitored their activities and the contents of their computer's hard drives via the RAT. Material gained thus was then handed to police who made their own, further investigations. As you can probably imagine, the manner in which the initial evidence was obtained raised concerns over constitutional rights related to illegal search and seizure.

US court okays malware in hunt for Web paedos - theregister.co.uk

Judges OK evidence from hacker vigilante - zdnet.com

Security News:

* Lotus SameTime protocol credential theft, weak message encryption

Lotus SameTime, now known as Lotus Instant Messaging and Web Conferencing, is an 'instant messenger' (IM) type product that has been marketed particularly into the corporate sector. Much of that marketing effort plays on the quite reasonable concerns of corporate network administrators that the better known 'consumer level' IM products are very insecure, sending messages as clear text and so on - not the sort of medium over which you should encourage your staff to discuss possibly commercially sensitive matters.

An anonymous researcher has posted a description of several flaws in the encryption employed in the SameTime protocol which essentially expose users of SameTime protocol-based IM to just the weaknesses of the more popular IM products that SameTime has been sold as addressing. The full details can be read in the archived copy of the description posted to the Bugtraq security mailing list linked below, but in short it seems that both the user's encrypted password and the encryption key are included in the initial login sequence, so anyone who can eavesdrop on the network connection of a SameTime user can trivially recover their user details and password and thus easily spoof that person on the network. Further, the implementation of the encryption used for message packets suffers from a couple of serious weaknesses that greatly reduce the difficulty of brute-forcing message decryption.

Archived Bugtraq list message (332280) - securityfocus.com

* Fix for Sun ONE Application Server disclosing JSP page contents

Sun ONE Application Server 6.5 SP1 Maintenance Update 2 (MU2), and later, fixes an unspecified problem which can disclose the source code of Java Server Pages (JSP) applications hosted on the server. Sun ONE Application Server 6.0 and 7.0 and later platforms are not affected but all architectures supported by Sun ONE Application Server 6.5 are.

Aside from obtaining and installing the maintenance update (linked to from the page linked below), a workaround that Sun says will thwart attempts to exploit this flaw is also described in Sun's security alert.

Sun ONE Application Server May Disclose JSP Source

* Exploitable off-by-one bug in WU-FTPD patched

A couple of Polish security researchers have found an off-by-one bug in the WU-FTPD FTP server and shown that it is remotely exploitable. Most OS distributors that ship WU-FTPD have released update packages to install a fixed version of this rather benighted FTP daemon. Administrators of systems running WU-FTPD should check with their distributors for the availability of such packages.

This bug was subsequently discovered to have been inherited from some BSD libc code the WU-FTPD developers put to their own uses. The next item describes that situation.

wu-ftpd fb_realpath() off-by-one bug - isec.pl

* Exploitable off-by-one bug in *BSD libc 'realpath(3)'

As mentioned in the previous item, the root cause of the WU-FTPD bug was discovered to be code re-used from the BSD 'realpath(3)' function. FreeBSD, NetBSD and OpenBSD have all released patches to fix the bug in case any packaged or third party products expose the vulnerable function call.

NetBSD administrators should also look at the advisory describing a possible remotely invocable crash in OSI connected systems. NetBSD has an advisory for this immediately below the realpath advisory on the appropriate page linked below.

FreeBSD Security Advisories - freebsd.org

Security and NetBSD - netbsd.org

OpenBSD security page - openbsd.org

* Patch fixes remote DoS & DDoS/bounce scanning in Postfix

In a recent post to the security mailing list Bugtraq, Michal Zalewski described two security flaws in Postfix. Neither affects the latest releases (version 2.0) but both affect 1.1.11, which is widely shipped with several popular Linux distributions, perhaps because it is long-established code with no previously reported security issues. The first issue is a remote denial of service in versions up to and including 1.1.12 (1.1.9 and earlier versions are not vulnerable by default, but can be configured to become vulnerable). The second was fixed in 1.1.12 but the full significance of the issue was not realized at the time and thus it was not flagged as a security issue.

Full details are available in the archived copy of Zalewski's message linked below. Most major Linux distributors have or will soon release updated packages.

Archived Bugtraq list message (331713) - securityfocus.com

* Notepad popups in Internet Explorer

Privacy and security researcher Richard Smith has posted an interesting article to his rather appropriately named ComputerBytesMan.com web site. In it Smith describes an odd side-effect of Internet Explorer's handling of the 'view-source:' protocol. Aside from the user being able to manually enter a view-source: URL into IE's address bar, several types of links (if not all?) in a page's HTML mark-up can be specified with the view-source: protocol, which IE happily obliges by popping open in Notepad (under a default Windows configuration). Although perhaps not a yawning security threat per se, this certainly opens some interesting 'HTML spam' options. Sites that perform HTML filtering on incoming web pages, HTML e-mail, etc may now wish to also filter out view-source: URLs. The handling of such URLs in other browsers is less well defined and possibly less 'useful' to spammers.
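For sites that already filter incoming HTML, the extra check Smith's finding calls for is small. The following is an added example, not code from the article or from any product: an HTML pass that re-emits the markup but drops any URL-bearing attribute whose scheme normalises to view-source:, tolerating the mixed case, leading control characters and entity-encoded letters that browsers accept in a scheme. The set of attribute names treated as URLs is an assumption of this example, as is the decision to drop the attribute rather than the whole element.

```python
import html
import re
from html.parser import HTMLParser

# Assumed set of attributes that IE dereferences as URLs; extend for your own filter.
URL_ATTRS = {"href", "src", "action", "background", "codebase", "data"}
# Browsers ignore leading/embedded control characters and case when reading a scheme,
# so the filter strips them before comparing (assumption: mirror that tolerance).
_CONTROL = re.compile(r"[\x00-\x20]+")

def is_view_source(url) -> bool:
    """True if the URL resolves to the view-source: scheme after normalisation."""
    if not url:
        return False
    return _CONTROL.sub("", html.unescape(url)).lower().startswith("view-source:")

class ViewSourceFilter(HTMLParser):
    """Re-emits the markup, dropping only URL attributes that use view-source:."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.dropped = [], 0
    def _tag(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:  # HTMLParser has already lower-cased names and decoded entities
            if name in URL_ATTRS and is_view_source(value):
                self.dropped += 1
                continue  # drop the offending attribute, keep the element
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")
    def handle_starttag(self, tag, attrs):
        self.out.append(self._tag(tag, attrs, False))
    def handle_startendtag(self, tag, attrs):
        self.out.append(self._tag(tag, attrs, True))
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")
    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

def strip_view_source(fragment: str):
    """Return (filtered_html, number_of_attributes_dropped)."""
    f = ViewSourceFilter()
    f.feed(fragment)
    f.close()
    return "".join(f.out), f.dropped
```

Counting dropped attributes gives a cheap signal for logging which senders or pages are carrying such links.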

Notepad popups - computerbytesman.com
