Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
Comments · 2,651
-
Yeah, like it's just windows
CERT Advisory CA-2002-01 Exploitation of Vulnerability in CDE Subprocess Control Service
Original release date: January 14, 2002 Last revised: -- Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
* Systems running CDE
Overview
The CERT/CC has received credible reports of scanning and exploitation of Solaris systems running the CDE Subprocess Control Service buffer overflow vulnerability identified in CA-2001-31 and discussed in VU#172583.
Reports from places like CERT and Bugtraq show that there are just as many exploits out there for *nix based systems.
Network security of this nature is clearly not working when being applied at the OS or software levels, and a more flexible solution than the standard firewall is needed.
What would your opinion be of a 'mini-firewall' included as standard on all new network cards. The firewall would have packet filtering rules filtering out 'generic suspicious traffic' (such as bar an IP address for a day if something containing default.ida and a hell of a lot of 'N's comes through). The rules would be held on a flash ROM, which could be updated when necessary with software from a trusted source such as CERT and digitally signed by a non-trusted one such as Verisign.
Software could also be written to instruct the card to open certain ports and update the rules so that safe traffic for that software can pass through.
Unfortunately, the extra $20-30(?) would probably sink it dead in the water, not to mention the hassle of having to reprogram all network software to work with it. How does the idea stand in theory, though?
-
This is Interesting, but I Still Ask Why...
-
This is Interesting, but I Ask Why...
-
Actually, it's not bugfixes
It's a release for security updates. This is very different from a bugfix release, which would generally be a much greater undertaking and require a lot more packages to be upgraded to newer versions. Think of it this way: a security update would be when Slash code allows users to gain the access levels of other users, including elevated privileges. A bugfix release would be an increment in the Slash code that fixes broken features that do not include security compromises. Makes sense? =)
-
I Ask Why......this didn't make front-page news on Slashdot?
----
I Am The Why Troll -
Exploit of the year, Slash style: http://www.securityfocus.com/archive/1/249355
If this was an MS exploit, we'd have 3 stories and 1000+ anti-MS "here we go again" comments already.
-
Another English News Story
SecurityFocus has another English-language story on this, which can be found at http://www.securityfocus.com/news/306.
jon -
Re:CISSP & GIAC
Yes, all CISSPs from 2002 and earlier will be grandfathered on the 3-4 year degree requirement.
I suspect that the prerequisite was added because of this.
-
focus, value, and experience
I have never heard of the SCP before, and a quick look at it didn't impress me.
There is an article in the September 2001 issue of Secure Computing Magazine. (a "trade rag" - so it never says anything bad about a potential advertiser)
Pay Your Dues by Jay Heiser in Information Security Magazine is also worth reading.
A small reader survey, May 2001 - Talkback.
Security Focus offers several mailing lists that you may wish to subscribe to, or at least read the archives about. In particular Security Certification, CISSP Study, and security-basics. One recent message is certainly worth reading. Similar questions have been also asked in cryptography and firewall wizards - Nov 2001 mailing lists, and I believe has come up several times before.
A review of one IS manager's experience from Computerworld's security column.
A so-so review of different security certificates from CertCities.
The main points I would make are: choose a certificate that has the right focus for your career. CISSP is the best known cert, but it is aimed at IT/IS Security Managers and Consultants, not at senior technologists / engineers / "in the trenches" types. The best features of this are requiring 3 years of computer / network / audit security experience and having a broad overview of computing security (the 10 common bodies of knowledge, CBK). This makes it out of reach for many people new to info sec, and that's okay; they likely should focus on another certification anyhow. Next are the SANS/GIAC certificates, which are more focused and hands on. The best feature is that they require a "practical" part to the certification, which is doubly good because it is not just exam cramming and lets the student practice her communication skills, which is important in the security field since you should be able to work in a team and with others (non-technical others) in an organization outside your team for the common benefit of the business.
Certifications tend to be expensive to get, and don't forget most of them have requirements for maintenance such as x number of continuing education credits, re-examinations, or conference attendance. This is a mixed bag: it is good that it justifies staying up to date, but it can also be very expensive for a member working as a new contractor or for a small company that isn't pre-IPO throwing money around.
-
More information.
This was originally noted on the vuln-dev list in late December. For your amusement here are some links:
-
Re:How to NOT protect yourself
AIM Filter being the program that, if not a trojan, at least has various remote access abilities. See the Bugtraq archive for more information.
Amusing that its use is recommended in the security advisory.
-
Re:Complete security
The SecurID tokens work pretty well; they represent a nice balance of security and ease of use for the inexperienced user. The server software is a hulking piece of difficult-to-manage bloatware (it was when I last used it two years ago, in any case), but it's generally being installed and used by experienced folks.
The cards themselves have some tamperproofing that protects them from casual disassembly, but it doesn't look like something that's designed to withstand a determined attack. I think it'd be much harder, though, to access the internals of the card in a way that wouldn't leave obvious visible evidence of tampering--I'm guessing this was the design goal, not total tamperproofing.
The algorithm used by the cards isn't something that RSA publishes, but it's been out in the open for a while now.
The cards are each preloaded with a secret key, which is also loaded onto the SecurID server that does the authentication. Without the secret key, the algorithm doesn't do you that much good so long as it isn't easily possible to derive the secret key from a sequence of the displayed number. The jury is still out as to whether this is possible. But assuming there aren't obvious holes in the algorithm, one has to obtain the keying material from the server (where it's presumably closely guarded) or from the physical token itself. Doing the latter would require theft of the token or tampering in a way that would be obvious to the user. -
Where "news" is not "new"......
/.'s secret motto. See: www.securityfocus.com/news/282
-
"Researchers Probe Dark and Murky Net
Study finds hackers and military sites lurking in the Internet's phantom zones
By Kevin Poulsen
Nov 12 2001 3:59PM PT
Lessee..
November 12...
That's over a month ago.
The Reg® carried this story about then, too..
t_t_b
-
Re:UPNP is all about handling NATed devices
Basically, it's trusting the client for security.
Microsoft has sort of a history of this. With Terminal Services, they log the IP address the client gives the server, instead of doing a getpeername() or something. (See this Bugtraq post.)
You've got to wonder what they are smoking. Maybe they're stuck back in the DTP/FTP days (1970s and '80s), but the nature of networking sure has changed since then, and wise programmers learn from the mistakes of the past.
Anyway, if you want to talk protocols that break horribly with NAT, let's talk IPSec's out-of-band key-exchange mechanism. Grrrrr.
Am I the only one that thinks that long before IPv6 becomes common, everyone + dog will be behind NAT? Even when IPv6 becomes common, will the ISPs really give home users the 48 bits they're supposed to? Making protocols that work with NAT is not that hard, and as you point out, is better for security than some of the alternatives.
Grrrr. Thanks for reminding me of all this suppressed anger regarding stupid protocols. :P -
Re:did anybody notice this....
"Microsoft explained that a new feature of Windows XP can automatically download the free fix, which takes several minutes, and prompt consumers to install it. "
That's really messed up and scary.
Yeah, scary like apt-get.
Then again, at least MS patches are signed, which makes things not quite so easy to trojan. (Yeah, signatures aren't everything, I know.) Unless, of course, you don't trust MS not to trojan their software, in which case why are you running it?
Auto-update systems are good, so long as they prompt the user, which it appears XP's does. -
Re:Bug counter on the web
Traditionally, Linux's bug-count has always been much higher. You can check out the counts at Security Focus, if you want. Most people attribute this to the open-versus-closed nature of Linux and Microsoft, though it's impossible to say for certain why. Maybe Linux is buggier. Maybe Microsoft just hides their bugs.
-
Re:not as easy as you might think
And remember
... Netscape engineers are weenies!
I'm sure that would never pass quality control and would be stopped really really fast.
(Oh yeah, and who was the clown that removed the strncpy calls from IIS and changed them to strcpy?
;-) -
MSIE Patch is Ineffective
She and her beta team forgot about *the* most important Content-Type: The MSIE 'Patch' does little but obscure the problem - which was accurately described in the original Slashdot Rant as a natural consequence of Windows treating the browser as a shell extension.
There is a thread on BugTraq which explores this issue in depth:
http-equiv@excite.com is quoted:
Clearly what this so-called "patch" does is convert all embedded file types in MHTML documents viewed in patched Internet Explorer 6 into *.TMP files. Previously all file types and file names were retained and if accepted would run. -
Re:Sounds REALLY fishy...
I am talking about the same system of quality control here, but let's be realistic...we're talking about actual EXECUTABLE PROCESSES (since that's what trojans are) that are slipping through here. Not some obscure, nearly impossible-to-find directory traversal hack. Believe me, something like this would have been found.
and yes, that concern HAS been addressed already. Repeatedly. Too many times in too many discussions. We're all well aware of the blunders from Redmond. We don't need you to keep telling us how bad they suck. Besides, everybody makes mistakes sometimes. So please spare us the typical zealotry. -
Re:woah! 3 days?
Not exactly...one thing fixed in this patch is a content-type/file extension spoof issue where an open/save to file/cancel dialog is displayed indicating a file of one type (say an innocent wav) when in fact it is an executable. So, if the user chose open it would open...but as an executable, not as a wav. If they had chosen save to file, and then opened it from Explorer, it would just not open (or in the case of a spoofed wav it would be noise, if it played at all). Jouko Pynnonen (the guy thanked in MS's release note), who reported it on BugTraq, says in his summary post that this issue (he calls it file extension spoofing) was reported Nov. 19th. The issue with automatic execution of some content (no confirmation dialogs!) was apparently reported Nov. 27th to MS.
-
The exploit is worse than previously thought.
Pynnonen (the guy who found the exploit) has posted a new message to Bugtraq. If the server's reply is crafted correctly it can cause the program to be downloaded and executed with *no* dialogs. See the posting for more details. Still no exploit given though.
-K -
Proof positive that everyone makes crap!
That's all, not proof positive that Microsoft (not MicroSoft, by the way) make quality products.
I wouldn't call this a level playing field either. Why not? Because of differences in the vendors' attitudes to the discovery of these problems.
Microsoft wants to sweep these problems under the rug; keep them as secret as possible and even criminalize those who discover them and make them known. They have a poor track record when it comes to timely releases for patches, and alerting their user base.
Do you, for instance, remember this slashdot story?
What about this?
-
Re:Saw this thread on bugtraq
The article in question is available here:
SecurityFocus Mail List Archive - File Extensions Spoofable in MSIE download dialog -
Re:Who pays for P2P?
Consider DNS, a distributed database.
OK. -
Re:TigerDirect security issues
I've sent them several emails regarding this security issue, and they've ignored me
Have you considered posting a bulletin to one of the security mailing lists, such as Bugtraq? Several websites that have ignored private notification have fixed holes after the holes were posted on Bugtraq. -
Re:Recent articles
Yes, I'm replying to my own post. SF is back up, and here's the index of IDS stuff, including the LIDS articles.
-
Recent articles
There was a series of articles on Security Focus (which seems to be down ATM) recently on LIDS. Although it isn't really a comparison with anything else, it might give you an idea of what it can and can't do.
-
Large scale correlation
I wonder if the author would credit things like my NetWatchman or Security Focus's Aris as large scale correlation efforts? I know it would probably be tough to get much more specific, as you could generate a huge amount of traffic trying to correlate every weird package that hit many boxes.
-
Re:Completely Down in Seattle
-
Re:Further proof that the MacOS is the friendliest
They even succeeded in providing a point & click local root exploit (for details take a look at Bugtraq).
I don't know if they are the first to offer this feature, but it's definitely nice.
-
Ooops...I do see where you read that..
I wrote/spoke too soon I believe, here's the post:
Brad's link at Bugtraq -
Re:Ok - What does this attack LOOK like?
Look at the BUGTRAQ advisory.
;-) http://aris.securityfocus.com/alerts/wuftpd/ is quite useful. It looks like it's a run-of-the-mill buffer overflow. There are currently no IDS sigs that can detect it (but I'm sure that will change as soon as I post this.) If you can, disable anonftp access. If not, look through the log files for an extremely long command. (The description shows 60+ 'a' in a row.)
This is very similar to an exploit discovered about 4 months ago. Why didn't the Wu-FTP people check to see if they were vulnerable? -
Re:Microsoft?
I hardly call an article being posted in a public forum last week "shushing"...
-
Regarding disclosure...
As a security bug hunter myself, I know that the sooner you disclose the sooner it gets fixed. The more serious the hole, the sooner it should get fixed. Period. 2 weeks ago, I published an alert on a bunch of website security holes, including microsoft.com. Knowing how MS reacts to disclosure, I didn't disclose the specifics on microsoft.com's site, but I did on the others. Guess what? The hole on microsoft.com is still not fixed, while most other sites have moved to fix their holes. Now, this hole also affects thousands (if not millions?) of sites, but it seems to require disclosure to get things moving.
Now, RedHat maybe shouldn't have ever made this "agreement" to postpone patches. Maybe they noticed that people were already making use of this not-so-secret-to-black-hats bug. Or, maybe it was just a mistake... I don't know. I'm just glad I don't have a public wu-ftp server to deal with.
-
more to the story
item: the version of wu-ftpd that rh released was a pre-release from cvs. they changed the version number. this bug was fixed in cvs months ago.
item: the securityfocus vuln-help people are supposed to help coordinate vendors & the software maintainers. they sent notification of the bug to the wrong address, so the wu-ftpd developers weren't even aware that there was a bug present until the day the rh advisory went out.
item: there was supposed to be a coordinated advisory put out on dec. 3rd. rh preempted that, causing this nasty confusion.
greg lundberg posted a big explanation of what went on to several mailing lists... it should be on the wuftpd-questions archive, but i don't see it there yet.
also, see the news item at securityfocus about this. -
Re:Actually, it's even simpler...
This is the collection of tools I would suggest, based on what is listed on Securityfocus, for Windows 95/98 machines. Look under Windows tools. If you can't find the software on the site given as its home, you can pick a copy up from Securityfocus.
These utilities, when used together, would offer a defence, using a slightly different technique. Here, you'd be warned the moment any intruder attempts to connect to your machine, OR your machine mysteriously attempts to connect to someone else. You also get a warning when a file is changed.
(By relying on only one verifier, you're not quite so secure, but it was the best I could find in a short time. Apologies for that.) -
Re:Probably more protection than WEP
Yup. Ian Goldberg gave a very interesting presentation on cracking WEP at BlackHat Vegas this year. None for me, thanks.
I'm inclined to agree with you that Disney couldn't possibly be dumb enough to rely on WEP alone, but then I wouldn't have thought ETrade was stupid enough to put their login credentials in a cookie vulnerable to cross-site scripting attacks either. -
My Bookshelf
In no particular order:
- Cyberpunk: Outlaws and Hackers on the Computer Frontier
- The Hacker Crackdown
- The Fugitive Game: Online With Kevin Mitnick
- The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen
- Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw-By the Man Who Did It
- Masters of Deception: The Gang That Ruled Cyberspace
- Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage
Since four of the books revolve around Mitnick and/or Poulsen, I would read them in this order: Cyberpunk, Takedown, Fugitive Game, Watchman. Cyberpunk precedes the Takedown/Fugitive Game by quite a while. Takedown and Fugitive Game cover nearly the same time period from different sides. Watchman takes place prior to Fugitive Game and isn't too closely related, but Justin Peterson (aka Eric) and Mark Tanner appear in both books.
You've got to be careful taking what's written in these books as 100% truth. For the most part they are based solely on interviews of hackers and their friends.
Littman's books (Fugitive Game and Watchman) in particular are nearly autobiographies of Mitnick and Poulsen. There is much criticism of Markoff's books (Cyberpunk and Takedown) and his articles about Kevin Mitnick. The main argument is that he glorified Mitnick and (with Shimomura's help) may have helped make him "America's Most Wanted Computer Outlaw".
As for ignoring the web, I think that's a mistake. For one, Justin Peterson's site has some of his rebuttals to Littman's books and other criticism he's received. Kevin Poulsen has his own site but it's getting a bit out of date now that he's busy with SecurityFocus.com. Mitnick probably won't have much to say online or in print until he completes his probation.
-
Re:How can this happen? Apache bug exploited...
This was also brought up on bugtraq a while back. I paid special attention because I had a text file on a web site that was indexed, but a google search of "link:<my text file>" produced no results.
On some servers, if you make a query for http://<server>/<path>/?M=A or http://<server>/<path>/?S=D you will get a directory listing instead of the default page. This is a result of FancyIndexing in Apache and can be disabled through methods detailed in the Bugtraq discussion.
The originator of the discussion pointed out that his log files had GET requests from Google that specifically looked for these directory listings, so it's pretty clear they were (are?) doing it intentionally.
-
Checklist for HTTP Distribution of Sensitive Data
First, determine if you really need to distribute this via HTTP. It is far easier to secure other protocols (eg scp), so if there's another way of doing this, do it.
Second, if the sensitive information is going to a select few people, consider PGP encrypting the data, and only putting the encrypted version online. Doing this makes many of the HTTP security issues less critical.
Assuming you still have to put something sensitive online, make sure of the following:
- Only use HTTPS, never use just plain HTTP.
- Use CGI, Java Servlets, or some other server-side program technology to password-protect the site. I will refer to the resulting program(s) as the security program.
- Never accept a password from a GET request, only accept them from POST requests.
- Never make the user list or password list visible from the internet, not even an encrypted password list.
- Never place the sensitive information in a directory the web server software knows how to access. Only the security program should know how to find the info.
- Review all documentation for your web server software and the platform used for the security program. Pay special attention to security issues, and make sure you aren't inadvertently opening up holes. Keep current; do this at minimum four times a year.
- Subscribe to any security mailing lists for your web server platform, operating system, web server software, and for the programming platform you used for the security program. If there is anything else running on this machine, subscribe to their security mailing lists too.
- Subscribe to cert-advisory and BugTraq. Read in detail all the messages that are relevant to your setup. Review your setup after each relevant message.
- Don't use IIS.
- Don't use Windows 95/98/Me. Don't use Windows XP Home Edition.
- Don't use any version of MacOS before OS X.
- Don't use website hosting services for sensitive information.
- Never connect to this webserver using telnet, ftp or FrontPage. SSH is your friend.
- Never have Front Page Extensions (or its clones or workalikes) installed on a webserver with sensitive data.
- If there is anything above that you don't understand, or if you can't afford the time for any of the above, hire a professional with security experience and recommendations from people you trust who have used his or her services. It's bad enough that amateurs are running webservers, much less running ecommerce sites and other sites with sensitive data.
-
Re:This is why I use FreeBSD
eh? It's been plenty stable for me. I've taken to accepting Red Hat's installation of 2.4.9 on the servers. It works fine for me... And the uptime keeps counting.
:-)
Well, I guess 2.4.9 is fine, as long as you don't care about local root holes. -
ATTN: Opera users
Cross-site scripting vulnerability
For those who don't want to read, here's the workaround:
Use the browser's features to disable the execution of JavaScript.
In addition, enable "Use cookies to trace password protected documents".
No patch currently available. Versions 5.02, 5.10, 5.11, 5.12 are affected on Win32 and version 5.00 is affected on Linux. -
Re:Grace Period
No. It means that if there is a known exploit in the wild then it is legitimate to post information about the vulnerability that it pertains to.
Let's say for a second that I'm a network administrator (which I have been) or in a related position. Would I want to know about how someone will be able to break into my network or servers? You bet I would. What if it was possible to avoid being affected by the exploit by changing default settings or shutting down services temporarily? I think whatever inconvenience that might cause would be outweighed by keeping my network secure.
Obviously you haven't had to deal with this sort of stuff before. I'd suggest you do a quick search through the Bugtraq archives for informed discussions on vulnerability disclosure. In the information security world it's a topic which has (almost) been flogged to death.
-
Re:Quote
Actually, in the security bulletin, the word "irresponsibly" is linked to a rather interesting article from Scott Culp, who is the Manager of the Microsoft Security Response Center. This seems like a source for Microsoft's position in the Security Focus story.
What they're complaining about is the bugfinder releasing the details to the public just "a few days" after giving it to them. I'm willing to agree that a few days is not enough time to publish and release a patch, but I'd take a guess that, if Microsoft had replied to the person who sent in the bug exploit with an informative response that provided information on their fix and how long it would take, and asking him to wait for a reasonable amount of time, then he wouldn't have released it to the public so soon. Most likely, he got a curt or no response from Microsoft, and felt like the only way he could get any response to such a major security flaw would be to publish it to a public forum. -
is everyone and their mother doing this?