IDGNet Virus & Security Watch Friday 2 May 2003

Introduction:

* BizTalk, Oracle, Acrobat, Snort, OpenSSH/PAM patches; PDF-infecting virus

Virus News:

* Another 'proof of concept' PDF infector

Security News:

* Two new fixes in cumulative patch for BizTalk Server 2000 & 2002

* MS03-013 updated - XP SP1 slowed by security patch

* MS02-071 updated - only affects Japanese language NT 4.0 TSE

* Adobe Acrobat patch fixes JavaScript vulnerability

* Hacking SQL Server explained...

* IIS security and programming guide released

* Remotely exploitable buffer overflow fixed in Oracle database server

* Portable OpenSSH/PAM timing attack divulges user names

* OpenSSH local privilege escalation on AIX

* Another preprocessor overflow in Snort

* Integer overflows (and relatives) explained

* Virginia enacts tough anti-spam law

Introduction:

There are many items in the Security section this week, but several of them are news or informational rather than important patches. Microsoft BizTalk Server and Oracle administrators are likely to be busiest this weekend or early next week, as there are patches for both and the Oracle one is critical. Users of Snort who have not already done so should consider upgrading to Snort 2.0 to fix another remotely exploitable integer overflow in a preprocessor, and users of OpenSSH with PAM support enabled should look into the item about a newly discovered timing attack against that configuration. Other than that we have linked to several interesting papers (and a book manuscript) discussing such things as wreaking havoc among SQL Servers, the increasingly popular integer overflows, and protecting IIS. We also mention some new anti-spam legislation in the state of Virginia that may produce some interesting test cases if it is ever used in anger.

It has been another quiet week on the virus front, but a new proof of concept PDF infector popped up. This exploits a newly announced vulnerability in the full Adobe Acrobat product. A description of, and patch for, this vulnerability is linked from another item in the Security section. The patch is important but the virus seems unlikely to travel far.

Virus News:

* Another 'proof of concept' PDF infector

Win32/Yourde will not set the world on fire. In fact, it may never be seen or heard of again, but as the world's media haven't had a chance to sink their teeth into it yet, it may still get its fifteen minutes of fame...

Yourde is a 'proof of concept' showing that a vulnerability in the Adobe Acrobat JavaScript parser can be exploited to write a virus. The Acrobat scripting vulnerability (see the appropriate entry in the Security section of the newsletter for a patch) allows scripts in PDF files to write code to the Acrobat plug-ins directory. The next time Acrobat is started, the dropped plug-in is loaded and can perform various actions, including infecting further PDF files with the JavaScript dropper code. This is what Win32/Yourde does.

Note that the Acrobat Reader version of the product used on most client computers to read PDF files is _not_ affected by this as only the full PDF-writing version of Acrobat supports the plug-in features.

Computer Associates Virus Information Center

Network Associates Virus Information Library

Symantec Security Response

Security News:

* Two new fixes in cumulative patch for BizTalk Server 2000 & 2002

Microsoft has released a 'cumulative patch' for BizTalk Server 2000 and 2002. Cynics may query the term, since this is the first hotfix released for BizTalk Server and thus there are no predecessor patches to accumulate, but let's not quibble over such linguistic niceties.

Overall Microsoft rates the severity of the cumulative patch as 'moderate' for BizTalk Server 2000 and 'important' for BizTalk Server 2002. The more serious of the two vulnerabilities fixed by this patch is only present in BizTalk Server 2002, as it affects the 'HTTP receiver' option which is not available in the earlier version. Exploiting the HTTP receiver buffer overflow can allow an attacker to run arbitrary code in the security context of the IIS server account. Depending on your setup this may warrant a rating above 'important', but as Microsoft points out, the option is not enabled by default, so it may not affect many installations.

The second vulnerability, present in both versions, is actually a set of SQL injection flaws in the web pages that provide the interface to the Document Tracking and Administration (DTA) component. DTA is enabled by default, but default DTA users are not highly privileged, so exploiting these flaws should not enable significant privilege elevation.

Microsoft Security Bulletin MS03-016

* MS03-013 updated - XP SP1 slowed by security patch

Last Friday Microsoft revised MS03-013 to acknowledge that many Windows XP systems with SP1 installed were significantly slowed by installing the patch accompanying that security bulletin. As this issue of the newsletter goes to press, there is still no further change in the status of the promised revised MS03-013 patch for XP users: 'Microsoft is actively working on a revised patch for Windows XP Service Pack 1 and will re-issue that patch when it has been completed and fully tested'.

If your XP SP1 systems have been grinding since installing this patch, keep checking the security bulletin for the announcement of the updated patch for XP.

Microsoft Security Bulletin MS03-013

* MS02-071 updated - only affects Japanese language NT 4.0 TSE

There are probably extremely few Japanese language NT 4.0 Terminal Server Edition machines in New Zealand. However, if you happen to have one and it failed after installing the MS02-071 hotfix, the re-released patch should allow you to properly install MS02-071 now.

The revised security bulletin explains that in some (unexplained) circumstances the patch installer copies the wrong binaries to NT 4.0 TSE Japanese Language machines if they are multi-processor systems. The patch installer apparently correctly copies the multi-processor version of the necessary file(s) to non-Japanese NT 4.0 multi-processor machines.

In short, only Japanese-language, multi-processor NT 4.0 TSE machines are affected by the re-issued patch; everything else is unaffected.

Microsoft Security Bulletin MS02-071

* Adobe Acrobat patch fixes JavaScript vulnerability

Although Adobe has described the problem in only the most general of terms, all users of the full version of Adobe Acrobat 5.0 for Windows are strongly recommended to obtain the latest update. It includes a security patch that fixes the JavaScript vulnerability exploited by Win32/Yourde (see the Virus section of the newsletter) plus several other functionality patches.

Note that this only applies to the full version of Adobe Acrobat (the PDF authoring package) and _not_ the widely used and free Acrobat Reader version of the product.

Adobe Acrobat 5.0.5 Security, Accessibility, and Forms patch - adobe.com

* Hacking SQL Server explained...

Cesar Cerrudo, who has found several security flaws in Microsoft SQL Server and related products (including the SQL injection flaws in the DTA component of BizTalk Server, which are fixed in the cumulative patch announced elsewhere in this newsletter), has posted two papers on the Application Security Inc website. The first describes how he found several SQL Server security flaws and the second is a fairly detailed guide to hacking SQL Server-driven web sites using SQL injection techniques. The latter paper should be especially useful reading for administrators of sites with SQL Server 'exposed' to the Internet through a web application interface, even if they think they have it well secured.

Hunting Flaws in Microsoft SQL Server - appsecinc.com (PDF)

Manipulating Microsoft SQL Server Using SQL Injection - appsecinc.com (PDF)

* IIS security and programming guide released

Security researcher and author, Jason Coombs, has decided to release the manuscript of his latest book electronically. Coombs reports that although he originally had interest from Microsoft Press in publishing the work, the publisher later withdrew, 'perhaps fearing that acknowledging flaws and pointing out weaknesses in their own products would undermine their position with respect to prosecuting DMCA violators'.

In the hope that the research that went into preparing the book may be of use to IIS administrators and programmers, he has made it available for free download. Note - particularly if you are on a slow link - the ZIP file linked below is approximately 4 MB.

(Interestingly, if you search for the author or title at Amazon, you can still find evidence of Microsoft Press' intention to publish the book and even see the cover design...)

IIS Security and Programming Countermeasures - forensics.org (ZIP)

* Remotely exploitable buffer overflow fixed in Oracle database server

David Litchfield of Next Generation Security Software has found another remotely exploitable security flaw in Oracle database products. This one is a buffer overflow in the database links functionality that allows Oracle database servers to query each other. Specifically, an overlong parameter passed to a 'CREATE DATABASE LINK' statement can be used to gain the privileges of the Oracle database server process. On Unix-like OSes that means an attacker can run arbitrary code that could compromise the entire database server and all data stored in its databases. Under Windows the Oracle server runs as LocalSystem, so an attack based on this vulnerability would compromise the entire operating system.

In any case this is a very high severity threat as the database privilege needed to execute the vulnerable command is assigned to the 'CONNECT' role, membership in which is extended to most users. Oracle has also released an advisory on this vulnerability which contains directions for obtaining the necessary updates. Oracle 7.3.x, all 8.0.x, all 8.1.x, 9i release 1, and 9i release 2 are all affected.

Oracle Database Link Buffer Overflow - nextgenss.com

Buffer Overflow in Oracle Net Services for Oracle Database - oracle.com (PDF)

* Portable OpenSSH/PAM timing attack divulges user names

Marco Ivaldi of the Data Security Division of MediaServices has described a trivial timing attack that allows reliable remote detection of valid user names on machines running portable OpenSSH with PAM support: an attempt to authenticate a non-existent user name is answered measurably faster than an attempt against a valid one. A patch has been released that introduces a compensatory delay, so that the response times for invalid and valid names can no longer be told apart.

Archived Bugtraq list message 320031 - securityfocus.com
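The following is an added example written for this newsletter item; it is not code from OpenSSH, PAM or Ivaldi's advisory. It models the shape of the flaw: a server that rejects an unknown user before doing any password work answers faster than one that has to run the expensive hash for a known user, and an attacker with a stopwatch can tell the two apart. The hardened version does the same amount of work on both paths. The OpenSSH patch took the other route (padding the fast path with a delay); equalising the work avoids having to guess how long that delay should be. The user names, passwords, the iterated FNV-1a 'slow hash' and the work counter (used instead of wall-clock time so the comparison is deterministic) are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_ROUNDS 20000UL

/* Work counter standing in for wall-clock time: every hash round adds one
   unit, so the cost of each code path can be compared deterministically. */
static unsigned long work_units;

/* Deliberately slow iterated FNV-1a hash, a stand-in for crypt()/PAM work. */
static uint32_t slow_hash(const char *s)
{
    uint32_t h = 2166136261u;
    for (unsigned long r = 0; r < HASH_ROUNDS; r++) {
        for (const char *p = s; *p; p++) {
            h ^= (uint8_t)*p;
            h *= 16777619u;
        }
        work_units++;
    }
    return h;
}

/* Constructed account table (hypothetical users and passwords). */
struct account { const char *name; uint32_t pw_hash; };
static struct account accounts[2];
static bool accounts_ready;

static void ensure_accounts(void)
{
    if (accounts_ready)
        return;
    accounts[0] = (struct account){ "alice", slow_hash("correct horse") };
    accounts[1] = (struct account){ "bob",   slow_hash("hunter2") };
    accounts_ready = true;
}

static const struct account *lookup(const char *name)
{
    ensure_accounts();
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0)
            return &accounts[i];
    return NULL;
}

/* Vulnerable shape: an unknown name is rejected before any password work
   is done, so it answers much faster than a known name with a bad password. */
bool vuln_auth(const char *name, const char *pw)
{
    const struct account *a = lookup(name);
    if (a == NULL)
        return false;                 /* early exit leaks "no such user" */
    return slow_hash(pw) == a->pw_hash;
}

/* Hardened: always hash the supplied password, then decide. Both paths now
   cost the same, so response time no longer reveals whether the name exists. */
bool safe_auth(const char *name, const char *pw)
{
    const struct account *a = lookup(name);
    uint32_t computed = slow_hash(pw);
    return a != NULL && computed == a->pw_hash;
}

/* Cost of one authentication attempt in work units (the attacker's stopwatch). */
unsigned long cost_of(bool (*auth)(const char *, const char *),
                      const char *name, const char *pw)
{
    ensure_accounts();                /* keep setup cost out of the measurement */
    work_units = 0;
    (void)auth(name, pw);
    return work_units;
}

int main(void)
{
    printf("vuln_auth  unknown user: %lu units, known user: %lu units\n",
           cost_of(vuln_auth, "nobody", "x"), cost_of(vuln_auth, "alice", "x"));
    printf("safe_auth  unknown user: %lu units, known user: %lu units\n",
           cost_of(safe_auth, "nobody", "x"), cost_of(safe_auth, "alice", "x"));
    return 0;
}
```

Against a real sshd the 'work counter' is replaced by many timed connection attempts per candidate name and a comparison of the medians; the point of the hardened version is that those medians become indistinguishable.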

* OpenSSH local privilege escalation on AIX

Damien Miller has reported that OpenSSH versions before 3.6.1p2, when built on AIX with a non-AIX compiler (for example, gcc), are (probably) vulnerable to local privilege escalation through injection of 'fake' libraries into the binary's library search path. The OpenSSH build script for AIX has logic to deal with the AIX linker's behaviour, but not that of other linkers that may be used on AIX. The gory details are available in the archived Bugtraq message linked below and the ensuing discussion thread.

Those who don't build their own binaries but download them instead should note what two sources of AIX OpenSSH binaries have said about this matter. Darren Tucker, who maintains OpenSSH binaries for AIX on zip.com.au, has warned that all the packages available from his site were affected. He has removed all affected packages and replaced just the latest 3.6.1p1-1 package with freshly built binaries using suitable linker switches. The OpenSSH on AIX Project, hosted at ibm.com, claims that none of its packages have ever been affected by this problem (a statement to this effect is linked below, as are Tucker's and IBM's OpenSSH for AIX download pages).

Archived Bugtraq list message 320038 - securityfocus.com

Darren Tucker's OpenSSH Page - zip.com.au

Portable OpenSSH: Dangerous AIX linker Behavior - NOT! - ibm.com

OpenSSH on AIX Images Project - ibm.com

* Another preprocessor overflow in Snort

The Stream4 preprocessor in all versions of Snort from 1.8 onward, prior to the 2.0 release, has an exploitable integer overflow. Snort requires Stream4 preprocessing to perform stateful inspection and stream reassembly, so disabling the Stream4 preprocessor as a workaround will disable those functions and leave a system monitored by Snort blind to attacks obfuscated via stream fragmentation. Upgrading is the real fix: most distributors shipping Snort now have updated packages built from the Snort 2.0 release, which does not have this flaw.

Snort Advisory: Integer Overflow in Stream4 - snort.org

Stream4 Integer Overflow - sourcefire.org

* Integer overflows (and relatives) explained

A few years back, buffer overflows became the vulnerability of choice. Once the basics of pulling off a buffer overflow attack were understood, more and more security researchers found ways to poke an 'unexpected' amount of data into applications that would erroneously try to process it, overwriting critical internal program control data (usually the return address used on exiting a function) and thus surrendering control to code included in the overflowing data. The commonest targets of such attacks were fixed-size buffers used with string manipulation functions that did not check source and destination buffer sizes. Of course, malicious uses of such methods also escalated rapidly...

Although such classic buffer overflows are still with us and still popular, several developments in compiler design and in mechanisms for hardening programs, and whole OSes, against such attacks are appearing. As so often happens in security, this has prompted other 'advances' in finding common flaws. Of late, much interest has turned to integer overflows and related integer manipulation errors, with several recent major security flaws being based on these techniques.

The rise of buffer overflow attacks saw developers code reviewing and switching, wherever possible, to 'safe' string manipulation functions. Likewise, the rise of integer manipulation attacks should see developers checking for such flaws in their code. To spot such flaws you have to understand them though, and to address a relative dearth of explanatory material about this class of attacks as a whole, Microsoft has posted a good introductory article describing the basics of integer overflows and related integer abuse security flaws. The article - by Michael Howard, the Senior Security Program Manager of Microsoft's Secure Windows Initiative group and co-author of the well-received book 'Writing Secure Code' - is clearly written and a good read for anyone unsure of what integer overflows are or why one should make sure there are none in their code.

Reviewing Code for Integer Manipulation Vulnerabilities - microsoft.com
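The following added example is written for this newsletter and is not code from Howard's article, from Snort, or from any other product mentioned here. It shows, beside their hardened forms, the three integer manipulation patterns a reviewer is hunting for when reading parsing code such as a preprocessor like Snort's Stream4: a multiplication that wraps when computing an allocation size, a signed length that passes a 'less than the limit' check because it is negative, and a length silently truncated into a narrower field. Lengths are kept in explicit 32-bit types, as they would arrive in a protocol header, so the wrap-around behaves the same on 32- and 64-bit hosts; the limit, the field widths and the sample values are constructed for the example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RECORD 256u   /* constructed limit for one parsed record */

/* 1. Multiplication wrap in an allocation size. count * elem_size is
   computed in 32 bits and silently wraps, so malloc() gets a tiny request
   while the loop that later fills the table still trusts count. */
uint32_t vuln_table_bytes(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Hardened: refuse any product that would not fit before computing it. */
bool safe_table_bytes(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size == 0 || count > UINT32_MAX / elem_size)
        return false;
    *out = count * elem_size;
    return true;
}

/* 2. Signed length compared against a limit, then used as a size_t.
   -1 <= 256 is true, and (size_t)-1 handed to memcpy() is enormous. */
bool vuln_length_ok(int32_t len)
{
    return len <= (int32_t)MAX_RECORD;
}

/* Hardened: reject negatives first, then compare as unsigned. */
bool safe_length_ok(int32_t len)
{
    return len >= 0 && (uint32_t)len <= MAX_RECORD;
}

/* 3. Truncation: a 32-bit length stored in a 16-bit field loses its high
   bits, so a later check against the short field passes a long payload. */
uint16_t vuln_truncated_len(uint32_t len)
{
    return (uint16_t)len;
}

/* The copy a parser performs after validation. Returns bytes copied, or -1
   if the hardened validator rejects the length (dst holds MAX_RECORD bytes). */
int parse_record(uint8_t *dst, const uint8_t *src, int32_t len)
{
    if (!safe_length_ok(len))
        return -1;
    memcpy(dst, src, (size_t)len);
    return (int)len;
}

int main(void)
{
    uint32_t bytes;
    printf("vuln : 0x40000001 * 4 = %" PRIu32 " bytes\n",
           vuln_table_bytes(0x40000001u, 4));
    printf("safe : 0x40000001 * 4 accepted = %d\n",
           safe_table_bytes(0x40000001u, 4, &bytes));
    printf("vuln : len -1 passes limit check = %d\n", vuln_length_ok(-1));
    printf("safe : len -1 passes limit check = %d\n", safe_length_ok(-1));
    printf("trunc: 0x10010 stored in 16 bits = 0x%04" PRIx16 "\n",
           vuln_truncated_len(0x10010u));
    return 0;
}
```

When reviewing, look for every arithmetic expression whose operands come from input and ask what happens at the boundaries: wrap on multiply or add, sign flip on compare, and narrowing on assignment are the three questions the hardened functions above answer explicitly.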

* Virginia enacts tough anti-spam law

Although not strictly a security topic, systems administrators and others charged with maintaining the security of computer systems are often asked about spam, and particularly spam-prevention. Many computer industry pundits are of the opinion that spam is a massive problem and the various measures of its volume clearly show that spam has been increasing at an outstanding rate for the last few years. This growth has been especially marked in the last six to twelve months with many spam monitoring measures now showing at least 35%, and some as high as or slightly over 50%, of all e-mail messages being classified as spam.

In light of this huge, and most argue entirely wasteful, growth there have been increased calls for legislative measures, as the technical solutions suggested to date have clearly not worked. Several countries and many of the individual states within the US have introduced various legislative restrictions on spam, or more correctly, unsolicited commercial e-mail (UCE). Of particular interest among all this law-making are the just-enacted statutes in the state of Virginia.

Although Virginia's anti-spam laws are notable for the very high penalties they allow to be imposed, including asset seizure and up to five years in jail, the most interesting aspect of the legislation is the extent of coverage it claims. Neither senders nor recipients need to live in Virginia - the traffic from the spamming merely has to flow through Internet networking in the state.

And why is that such a big deal? Well, several of the largest Internet and telecoms companies are based in Virginia and many of the rest have major routing hubs in the state. Despite the decentralization that is the heart of the Internet's design and implementation success, a large proportion of the network's traffic is routed through a virtual 'corridor' in Virginia, which is also adjacent to the major federal hub of Washington D.C. (it should not be surprising that CIA and NSA headquarters, and what is probably the planet's largest communications monitoring operation, are handily located nearby...).

Aside from linking to a news article covering the details of the new Virginia law, we have also linked to a recent report from the Center for Democracy & Technology (CDT). The CDT report outlines the findings of a six-month study of which sources of e-mail addresses are most used by spammers, how much spam one is likely to receive depending on various forms of online participation, the reliability of 'opt-out' mechanisms supplied by various sites as part of their privacy policies and so on.

Perhaps the most important practical finding of this study was that the simple act of HTML entity-encoding characters in an e-mail address allowed it to be displayed naturally on a web page in a browser but attracted _no_ spam. The report's authors concluded from this result of their research that the address-trawling robots spammers obviously use to harvest addresses are (at least for now) blind to entity-encoding.

Va. Has Nation's Toughest Anti-Spam Law - seattlepi.com

Why Am I Getting All This Spam? - cdt.org
