IDGNet Virus & Security Watch Friday 15 March 2002

This issue's topics:

Introduction:

* Windows SQL Server, mod_ssl, zlib and a worm (of course!)

Virus News:

* Bounding to a screen near you...

Security News:

* Multiple Microsoft SQL Server 7.0 and 2000 buffer overflows

* Two vulnerabilities in various RADIUS implementations

* zlib bug affects many Linux, Unix and other OS applications

* Security patch for mod_ssl

Introduction:

A relatively quiet week on the virus front and for Windows administrators, but several pressing matters for Linux and Unix admins. Windows SQL Server administrators should check their possible exposure to remote buffer overflow exploits via the extended stored procedures installed by default with the server software, and some Windows software is potentially affected by the zlib bug, which may keep some Linux and Unix administrators particularly busy for some days to come. Apache users with mod_ssl installed should also be checking for an update to that important crypto software. Users of any equipment running RADIUS should check the CERT/CC advisory mentioned below, and with their vendor if it is not mentioned in the advisory.

Although quiet, the virus scene was not quite dead this week, with another trivial mass mailer gaining enough momentum overnight last night to stir things up.

Virus News:

* Bounding to a screen near you...

Late yesterday and overnight, a new mass mailing worm has spread quickly around the world. Those behind corporate mail servers with content management gateways should have been well protected because this worm is very simple and depends on no new tricks to sneak past wary system administrators.

Known as Win32/Fbound.C by most antivirus developers (but also as Impo and Zircon), this worm arrives as the attachment patch.exe. The message body is blank and the Subject: line depends on the final domain of the recipient's e-mail address. If their address ends with '.jp' one of seventeen Japanese language Subject: lines is used, otherwise the Subject: line is 'Important'. If run, Fbound simply mass mails itself to all addresses found in the Windows Address Book, using its own SMTP client code. Its messages are sent via the default SMTP server recorded in the victim's registry.

Fbound's Base64 encoding algorithm is buggy, resulting in the whole attachment being sent as a single, invalid, very long line. This has led some mail servers and e-mail clients to truncate the attachment, leaving a copy that will not load and execute should the recipient try to run it. Unfortunately, most popular SMTP mail server software seems quite happy to process this invalid message, allowing the worm to spread far and wide.
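The point above, that a malformed Base64 body with one enormous line still passes through most SMTP servers, is easy to check for at a content gateway. The following is an added example, not code from the newsletter or from any antivirus vendor: it parses a message with Python's standard email module and reports every base64-encoded part whose transfer-encoded body has a line longer than the 76 characters RFC 2045 permits. The message, the attachment bytes and the part names are constructed for the example; the attachment is a harmless stand-in, not a sample of the worm.

```python
import base64
from email import message_from_string

# RFC 2045 section 6.8: base64 transfer-encoded lines are at most 76 characters.
MAX_B64_LINE = 76


def oversized_base64_parts(raw_message: str) -> list:
    """Return (part_index, filename, longest_line_length) for each base64
    part whose transfer-encoded body contains a line longer than RFC 2045
    allows. Such messages are malformed; a gateway can flag or reject them."""
    msg = message_from_string(raw_message)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte != "base64":
            continue
        # decode=False gives the raw base64 text as transmitted, not the decoded bytes
        encoded = part.get_payload(decode=False)
        longest = max((len(line) for line in encoded.splitlines()), default=0)
        if longest > MAX_B64_LINE:
            findings.append((idx, part.get_filename(), longest))
    return findings


def build_message(attachment: bytes, wrap_lines: bool) -> str:
    """Constructed sample message with one executable attachment.
    wrap_lines=True encodes with base64.encodebytes, which emits 76-column
    lines; wrap_lines=False emits the whole attachment as one line, which is
    the shape of output a broken encoder produces."""
    if wrap_lines:
        body = base64.encodebytes(attachment).decode("ascii")
    else:
        body = base64.b64encode(attachment).decode("ascii") + "\n"
    return (
        "From: sender@example.invalid\n"
        "To: recipient@example.invalid\n"
        "Subject: Important\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="sample-boundary"\n'
        "\n"
        "--sample-boundary\n"
        "Content-Type: text/plain\n"
        "\n"
        "\n"
        "--sample-boundary\n"
        'Content-Type: application/octet-stream; name="patch.exe"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="patch.exe"\n'
        "\n"
        + body
        + "--sample-boundary--\n"
    )


# Constructed stand-in for an attachment body (not real malware): 1026 bytes,
# which base64-encodes to exactly 1368 characters (18 lines of 76 when wrapped).
SAMPLE_ATTACHMENT = b"MZ" + bytes(range(256)) * 4

if __name__ == "__main__":
    for wrap in (True, False):
        label = "wrapped at 76 columns" if wrap else "single long line"
        print(label, oversized_base64_parts(build_message(SAMPLE_ATTACHMENT, wrap)))
```

Run stand-alone, the wrapped message produces no findings and the single-line message reports part 2, patch.exe, with a 1368-character line. A gateway that enforces this limit would have rejected the worm's messages outright instead of relying on downstream truncation, which is exactly the behaviour the paragraph notes that most SMTP servers lack.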

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* Multiple Microsoft SQL Server 7.0 and 2000 buffer overflows

Cesar Cerrudo has uncovered multiple remotely exploitable buffer overflows in Microsoft SQL Server 7.0 and 2000. The overflows occur in several of the extended stored procedures included in default installations of SQL Server. As Cerrudo went public with his findings before sending them to Microsoft, there has been no public response from Microsoft yet. Cerrudo recommends that affected users disable the extended stored procedures; his full security bulletin is linked below.

Buffer Overflows in extended stored procedures - Application Security Inc.

* Two vulnerabilities in various RADIUS implementations

CERT/CC has posted an advisory concerning two vulnerabilities common to many implementations of the Remote Authentication Dial In User Service (RADIUS). Both are remotely exploitable and can be used to perpetrate denials of service against vulnerable devices. Further, at least in some implementations, one of these vulnerabilities may allow arbitrary code injection and execution.

The CERT/CC advisory, linked below, should be checked for vendor details as to which products supporting RADIUS are affected and for the availability of patches or updates.

CERT/CC Advisory CA-2002-06

* zlib bug affects many Linux, Unix and other OS applications

Although not the algorithm with the best lossless compression ratio, the deflate algorithm has been very popular in many applications across many OSes. There are several reasons for this, not least the availability of high-quality, time-tested implementations of its compression and decompression in 'free' source form (no copyright limitations), and because the algorithm itself is free of any software patent or other possibly limiting factors governing its use. Apart from being the core algorithm in the popular Zip archiving products, deflate is used extensively in Unix and Linux applications where compression is useful or advantageous.

These latter uses in particular have benefited from a standard library implementation of the compression and decompression routines known as zlib. Thus, it should come as no surprise to learn that innumerable hours have been spent in the last week or so checking, double-checking and rebuilding great volumes of code following the recent discovery and patching of a double-free error in zlib that may leave some affected programs open to arbitrary code execution attacks.

Although the most common use of zlib is through dynamic linking, where the fix is simply to install a new copy of the library file built from the patched code, many core uses of the code involve static linking, where every affected program must be rebuilt. The range and number of affected products is huge, so we will not attempt to enumerate them. The zlib home page, linked below, is obviously a good place to start your search for solutions.

Aside from providing the latest release of the library's code, v1.1.4, the zlib home page has links to the zlib security advisory describing the bug and a link to a list of over 500 applications known to be affected by this bug. That list has links to a handy Perl script, find-zlib, that searches binaries for the signature of some static tables used in zlib or in general inflate/deflate code.

Aside from searching out possibly affected programs on your own systems, you should check with the vendors of systems and applications, as there has been a huge amount of system and application updating and package rebuilding in the last few days. CERT/CC has also released an advisory which acts as a partial listing of vendor exposures to this bug and availability of fixes.
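The find-zlib script mentioned above looks for static tables that inflate/deflate code carries. The following is an added example of the same idea, not the find-zlib script and not code from the zlib project: it sweeps a directory tree for a different signature, the copyright strings that zlib 1.1.x compiles into deflate.c and inflate.c (for example " inflate 1.1.3 Copyright 1995-1998 Mark Adler "), which survive in statically linked binaries and carry the version number. The choice of signature and the cut-off version are assumptions drawn from zlib's sources and the advisory; the sample "binaries" are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Assumption based on zlib 1.1.x sources: deflate.c and inflate.c each embed a
# string of the form " inflate 1.1.3 Copyright ... ". A statically linked copy
# of the library keeps the string, so it doubles as a version marker.
ZLIB_MARK = re.compile(rb"(deflate|inflate) (\d+)\.(\d+)\.(\d+) Copyright")

# First release carrying the double-free fix, per the zlib advisory.
FIXED_IN = (1, 1, 4)


def scan_bytes(data: bytes) -> list:
    """Return distinct (routine, version) markers found in data, sorted,
    e.g. [("inflate", (1, 1, 3))]."""
    found = set()
    for m in ZLIB_MARK.finditer(data):
        routine = m.group(1).decode("ascii")
        version = tuple(int(x) for x in m.groups()[1:])
        found.add((routine, version))
    return sorted(found)


def is_vulnerable(version: tuple) -> bool:
    """True for any embedded zlib older than the fixed release."""
    return version < FIXED_IN


def scan_tree(root) -> dict:
    """Walk a directory and map each file path (as str) to the vulnerable
    zlib markers embedded in it; files with no old marker are omitted."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        bad = [(r, v) for r, v in scan_bytes(data) if is_vulnerable(v)]
        if bad:
            report[str(path)] = bad
    return report


# Constructed sample "binaries": one statically linked against zlib 1.1.3,
# one rebuilt against 1.1.4, and one unrelated file.
OLD_BINARY = (b"\x7fELF" + b"\x00" * 28
              + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler "
              + b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly "
              + b"\x00" * 32)
NEW_BINARY = (b"\x7fELF" + b"\x00" * 28
              + b" inflate 1.1.4 Copyright 1995-2002 Mark Adler "
              + b"\x00" * 32)
OTHER_FILE = b"#!/bin/sh\necho hello\n"


def demo() -> dict:
    """Write the constructed samples to a temporary directory, scan it, and
    return the report keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "oldprog").write_bytes(OLD_BINARY)
        (root / "newprog").write_bytes(NEW_BINARY)
        (root / "script.sh").write_bytes(OTHER_FILE)
        return {Path(p).name: v for p, v in scan_tree(root).items()}


if __name__ == "__main__":
    for name, markers in demo().items():
        print(name, markers)
```

Run as is, the sweep reports only oldprog, with both its 1.1.3 markers. Two caveats apply to any signature-based sweep of this kind: a stripped or unusual build may not carry the string, so a clean result is not proof of absence, and programs that link zlib dynamically show nothing here and are fixed by updating the shared library instead, as the previous paragraph notes.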

zlib home page and security advisory

CERT/CC Advisory CA-2002-07

* Security patch for mod_ssl

The mod_ssl module which supplies encrypted HTTP connections for the popular Apache web server has been found vulnerable to a remote buffer overflow. Overflowing this buffer to exploit the vulnerability would be quite involved, as the affected buffer is reached via the client certificate after it has been checked by the server. Thus, an attacker would have to get a specially formed certificate signed by a CA acceptable to the server(s) to be attacked.

Version 2.8.7 of mod_ssl was released late in February to fix this flaw, and most vendors now have updated packages available. Although mod_ssl is not part of the Apache web server software, it is very commonly shipped with packaged Linux distributions that include Apache. Either check with your distributor or visit the mod_ssl site, linked below, get the source for the latest version or the patches, and rebuild.

mod_ssl home page
