IDGNet Virus & Security Watch Friday 23 May 2003


This issue's topics:

Introduction:

* Linux kernel patch, IMAP client flaws, LSF patch and Sobig.B virus

Virus News:

* New virus not so Palyh; perhaps Sobig

Security News:

* Another Linux kernel patch to watch for

* Multiple IMAP client buffer overflows

* Local root exploit in Platform LSF patched

* Ozzie hacker sentenced on appeal

* Shining a light on new hacking techniques

Introduction:

A quiet week on the security scene this week, apart from another Linux kernel patch. Though not part of an official kernel release, EnGarde (and possibly other distributors by now) have shipped a kernel package patching a problem in the 'ioperm' function code. Users of IMAP e-mail servers may also want to check a recent advisory pointing out various exploitable flaws in several popular IMAP clients. Although few of these flaws represent serious security concerns for a typical IMAP user, the advisory itself is yet a further indication of the increasing popularity of auditing code, and then testing, for integer handling errors.

On the virus front, the appearance of Sobig.B (initially dubbed Palyh by most antivirus vendors) last weekend gave us the second notable virus outbreak in a week. Following so close on the heels of Fizzer (reported in last week's newsletter), it is nowadays unusual to see two large outbreaks so closely spaced.

And, from the 'that's very interesting' department, we link to a new research paper suggesting the humble light bulb may become an indispensable hacking tool...

Virus News:

* New virus not so Palyh; perhaps Sobig

Groan... The puns are getting worse, but honestly, it's the material we have to work with!

Anyway, fresh on the heels of Fizzer last week, Win32/Palyh whipped up a small storm early this week. Also dubbed Mankx, it was reported under that and the Palyh family names before the sharper-eyed virus analysts noticed that, internally, its code bore quite a resemblance to Sobig, and it was agreed to name it Sobig.B. Like the original Sobig, this variant is a mass-mailer that also spreads through network shares and checks for updates from some hard-coded websites. Those websites (all based at Geocities) were quickly closed so as to prevent the subsequent release of further Trojans and the installation of WinGate proxies, or whatever other actions the virus's writer imagined, as was seen with the original Sobig.A variant. Also like its forebear, and somewhat out of keeping with most other recent, 'successful' mass-mailers, messages from this variant always appear to be from the same e-mail address. In this case that address is 'support@microsoft.com', and its messages all consist of the very short 'All information is in the attached file' message body and presumably enticing combinations of Subject: line and attachment name to lure unwary recipients into running the attachment.

MessageLabs' detection statistics show that Sobig.B did not quite reach the same peak daily rates as Fizzer and that the tail-off since that peak day has been somewhat steeper. Still, in the first five days since Sobig.B's release, the UK-based e-mail service provider has detected nearly 200,000 messages carrying the virus - about half the total number of Fizzer e-mails detected since its release a week earlier.

MessageLabs' Threat List - messagelabs.com

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* Another Linux kernel patch to watch for

Further to last week's route cache table DoS, EnGarde has reported a locally exploitable privilege escalation through a flaw in the 'ioperm' function. Although not surrendering root directly, this vulnerability allows unprivileged users read and write access to I/O ports that they would normally be expected to have no access to. EnGarde has released a fixed kernel build for this (the fix was included in their RPM covering the route cache table bug) and other Linux distributions may similarly release their own fixes, so check with your distributors.

These two recent security flaws, plus the earlier ptrace vulnerability, have raised questions as to why a new official kernel has not been released. It is very unusual for the Linux kernel to go this long without an official release, particularly when there are known serious, remotely exploitable security flaws in the current kernel.

Archived linux-kernel mailing list message - theaimsgroup.com

* Multiple IMAP client buffer overflows

Security researcher Timo Sirainen has discovered buffer overflows in multiple IMAP clients due to errors in handling huge integer sizes and/or signedness. When oversize and/or overlong responses to IMAP requests are sent from the IMAP server to affected clients, various crashes and lock-ups were observed, often with the clear potential for exploitation by running arbitrary, remotely supplied code. Sirainen tested Pine, UW-imapd (this server can also act as an IMAP client), Evolution, kmail, Mozilla, mutt, Sylpheed, OE 6.0 and Eudora and found problems of varying severity with all except kmail.

Updates for most vulnerable clients are available, and in many cases the result of exploitation is simply a DoS. More details of the specific tests and results, and of the affected and patched versions are available in Sirainen's advisory, an archived copy of which (from the Bugtraq mailing list) is linked below.
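The integer-handling errors behind this advisory follow a recognisable pattern: an IMAP literal marker such as `{N}` announces how many bytes follow, and a client that parses N into a signed int and trusts it will, on a negative or over-large value, hand an enormous length to a buffer copy. The following is an added illustration written for this newsletter, not code from Sirainen's advisory or from any of the clients named above. It puts the trusting parse beside a hardened one and a bounded copy; the function names, the `MAX_LITERAL` policy cap and the server responses are all constructed for the example, which also assumes the literal marker is the first brace pair on the line.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-client policy: the largest literal we will ever buffer. */
#define MAX_LITERAL (1024u * 1024u)

/* The classic pattern behind signedness bugs: the "{N}" literal size is parsed
 * into a plain int and trusted.  A server-supplied "{-1}" (or a value that no
 * longer fits in int) comes back negative; the moment such a value is used as
 * a buffer or read length it is converted to size_t and becomes enormous.
 * Returns the int the trusting code would have used. */
int naive_literal_size(const char *resp)
{
    const char *open = strchr(resp, '{');
    if (open == NULL)
        return -1;          /* indistinguishable from a real "{-1}": part of the problem */
    return (int)strtol(open + 1, NULL, 10);
}

/* Hardened parse: digits only, no sign, no overflow, capped by policy before
 * anything is allocated.  Returns 0 and sets *out on success, -1 otherwise. */
int safe_literal_size(const char *resp, size_t *out)
{
    const char *open = strchr(resp, '{');
    if (open == NULL)
        return -1;
    const char *p = open + 1;
    if (*p < '0' || *p > '9')
        return -1;          /* rejects "-", "+" and whitespace that strtoull would accept */
    errno = 0;
    char *end;
    unsigned long long v = strtoull(p, &end, 10);
    if (errno == ERANGE)
        return -1;          /* too big for the parse type itself */
    if (*end != '}')
        return -1;          /* must be exactly "{digits}" */
    if (v > MAX_LITERAL)
        return -1;          /* policy cap, checked before the value is ever used as a length */
    *out = (size_t)v;
    return 0;
}

/* Copy the announced literal body into a caller-owned buffer.  The copy is
 * bounded by the destination size and by the bytes actually present, never
 * by the number the server announced.  Returns 0 on success, -1 otherwise. */
int copy_literal(const char *resp, char *buf, size_t buflen, size_t *copied)
{
    size_t n;
    if (safe_literal_size(resp, &n) != 0)
        return -1;
    if (n > buflen)
        return -1;          /* would not fit: refuse rather than truncate silently */
    const char *body = strchr(resp, '}') + 1;   /* first '}' follows the digits (see lead-in) */
    if (*body == '\r') body++;                  /* skip the CRLF that ends the literal marker */
    if (*body == '\n') body++;
    if (strlen(body) < n)
        return -1;          /* server announced more bytes than it actually sent */
    memcpy(buf, body, n);
    *copied = n;
    return 0;
}

int main(void)
{
    /* Constructed server responses (not captured from any real server). */
    const char *good = "* 1 FETCH (BODY[] {5}\r\nhello";
    const char *neg  = "* 1 FETCH (BODY[] {-1}\r\n";
    const char *huge = "* 1 FETCH (BODY[] {4294967295}\r\n";
    char buf[16];
    size_t n = 0;

    printf("naive {-1} -> %d (as a size_t length: %zu)\n",
           naive_literal_size(neg), (size_t)naive_literal_size(neg));
    printf("safe  {-1} -> %s\n", safe_literal_size(neg, &n) == 0 ? "accepted" : "rejected");
    printf("safe  huge -> %s\n", safe_literal_size(huge, &n) == 0 ? "accepted" : "rejected");
    if (copy_literal(good, buf, sizeof buf, &n) == 0)
        printf("copied %zu bytes: %.*s\n", n, (int)n, buf);
    return 0;
}
```

The point to take from the hardened version is the order of checks: sign and character class first, then parse-type overflow, then the application's own cap, and only then a copy that is limited by the destination and the bytes on hand. A client that does any of these after the allocation or the copy has already lost.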

Archived Bugtraq list message 321528 - securityfocus.com

* Local root exploit in Platform LSF patched

Platform's LSF (Load Sharing Facility) v5.1 has a local root privilege escalation through the 'ckconfig' option of the 'lsadmin' program. Details of a simple exploit of this are available in the advisory linked below. Registered Platform LSF users can obtain a patch from the Platform FTP site, as detailed in the advisory.

Archived Bugtraq list message 322242 - securityfocus.com

* Ozzie hacker sentenced on appeal

Stephen Dendtler pleaded guilty to charges of unauthorized modification of computer data belonging to Australian ISP OptusNet earlier this year. Much to the chagrin of various legal and computer security professionals (and no doubt the police involved in the case), his conviction was set aside by the judge hearing his case, meaning that no official record of his offence or conviction would exist.

The prosecution appealed this sentence on the grounds that it was too lenient and would set a poor precedent for future cases. Others were also concerned that such lenient treatment may give others considering such illegal actions the wrong message about the seriousness of such acts. The appeal judge concurred with the prosecution's view and fined Dendtler AU$4000 and put him on a two-year good behaviour bond.

OptusNet cracker is fined on appeal - the register.co.uk

* Shining a light on new hacking techniques

Although direct practical applications are still unclear, two Princeton University security researchers have shown that something as simple as a light bulb hooked to a dimming control may be useful as a 'hacking tool'. The techniques the pair described in a paper recently presented to the IEEE Symposium on Security and Privacy rely on inducing 'soft' memory errors in the RAM holding running virtual machines (such as Java and .NET). In turn, such errors can cause type-checking (the main protective mechanism used in such virtual machine technologies) and other failures in the VM, surrendering control to specially crafted programs loaded into the VM.

The demonstration 'attack' involved removing the cover from a standard PC and experimenting with the lamp as a heat source likely to increase the rate of soft memory errors. Clearly this is impractical as a real-world attack scenario - if an attacker has physical access to the computer many more practical and direct attacks are possible. However, the researchers speculate about the possibility that external sources of heat may be applied in similar fashion to 'credit card' and handheld devices to produce similar failure modes. In turn this raises the prospect of such attacks against certain 'tamper proof' devices, such as smart cards. The full research report, in a half-megabyte PDF, is linked below. If this sounds interesting, persist with (or skip over) the more technical mathematical calculations in the middle of the paper, as the really interesting results are toward the end of the paper.

Using Memory Errors to Attack a Virtual Machine - princeton.edu (PDF)
