Security Watch

Exchange Server Vulnerable to Buffer Exploit

An e-mail targeting the CDO buffer overflow can cripple a secured Exchange Server.

Hacking
Microsoft Security Bulletin MS05-048: Collaboration Data Objects (CDO/CDOEX): Of all of the recent Microsoft Security Bulletins, we here at Cybertrust believe this one has the greatest potential for abuse. Exchange Server uses CDO with Event Sinks in order to notify other software that some action should be taken. Some anti-virus and anti-spam software rely upon Event Sinks to determine when to process an e-mail. Prior to processing, the message is passed to CDO so its component parts can be handled. It is at this point that the buffer overflow can be exploited. As such, it is possible that an exploit e-mail could compromise a secured Exchange Server before the security software resident on the box ever detects the malicious e-mail.

Exchange Servers are not the only servers that rely on CDO -- IIS, SQL and many third-party products use it. Exchange Servers are, however, the most likely target.

The vulnerability exists in the parsing of the “Content-Type” value contained in the message header. The length of this field is not constrained by the e-mail RFCs. Cybertrust testing suggests that Content-Type values should not be longer than 512 bytes.

The vulnerability is similar to the ESMTP vulnerability patched by MS05-021. To date, no known attacks against that earlier vulnerability have occurred. This suggests that this one may not get attacked either, but its attractiveness coupled with the high value of the victim systems dictates prudence.

It’s reasonable to expect working exploits within 30 days. Proof of concept has already been published, although that code is benign.
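A gateway-side length check for the Content-Type header discussed above, added here as an example and not part of the original column: it unfolds the header before measuring so a value split across continuation lines is counted whole, uses the 512-byte figure from the Cybertrust testing quoted above as its limit, and runs against two constructed messages.

```python
"""Gateway-side check for oversized Content-Type headers (MS05-048 mitigation)."""

# Threshold taken from the column: Cybertrust testing suggests Content-Type
# values should not exceed 512 bytes. Treated here as a configurable limit.
MAX_CONTENT_TYPE_BYTES = 512


def unfolded_header_values(raw: bytes, name: str) -> list[bytes]:
    """Return every value of header `name` from a raw RFC 2822 message.

    Header folding (a line break followed by whitespace) is undone first, so a
    long value split across several physical lines is measured as one value.
    """
    head = raw.replace(b"\r\n", b"\n").partition(b"\n\n")[0]
    unfolded: list[bytes] = []
    for line in head.split(b"\n"):
        if line[:1] in (b" ", b"\t") and unfolded:      # continuation line
            unfolded[-1] += b" " + line.strip()
        else:
            unfolded.append(line)
    wanted = name.lower().encode()
    values = []
    for line in unfolded:
        field, sep, value = line.partition(b":")
        if sep and field.strip().lower() == wanted:
            values.append(value.strip())
    return values


def check_content_type(raw: bytes, limit: int = MAX_CONTENT_TYPE_BYTES) -> tuple[bool, str]:
    """Accept (True) or reject (False) a message based on Content-Type length."""
    values = unfolded_header_values(raw, "Content-Type")
    if not values:
        return True, "no Content-Type header"
    longest = max(len(v) for v in values)
    if longest > limit:
        return False, f"Content-Type value is {longest} bytes, limit is {limit}"
    return True, f"Content-Type value is {longest} bytes"


# Constructed sample messages (not real traffic).
BENIGN = (b"From: a@example.test\r\nTo: b@example.test\r\n"
          b"Content-Type: text/plain; charset=us-ascii\r\n\r\nhello\r\n")
# A folded Content-Type whose boundary parameter pushes the value past 512 bytes.
OVERSIZED = (b"From: a@example.test\r\nTo: b@example.test\r\n"
             b"Content-Type: multipart/mixed;\r\n\tboundary=\"" + b"A" * 600 + b"\"\r\n"
             b"\r\nbody\r\n")

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("oversized", OVERSIZED)):
        ok, reason = check_content_type(msg)
        print(f"{label}: {'accept' if ok else 'reject'} ({reason})")
```

Because the check runs at the gateway rather than in an Event Sink, it takes effect before CDO on the Exchange box parses the message.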

BEA recently released 24 patches for WebLogic Server and WebLogic Express. The patches cover vulnerabilities ranging from remote DoS, XSS, unauthorized access and admin lockout.

One has to wonder why BEA held so many of these patches to release them together. Although most of the vulnerabilities were low impact, BEA WebLogic administrators should certainly pay attention given that several involve the ability to modify or obtain the administrator password. So far, we haven’t seen any exploit code.

OpenSSL versions 0.9.7h and prior contain vulnerabilities that could allow a remote attacker to force an arbitrary connection to use a less secure OpenSSL version or forge valid certificates.

While the attack requires a lot of different issues to align properly, an attack against such a critical piece of security infrastructure should not be ignored. The current workaround is to simply disable SSL 2, which is pretty straightforward.

Denial of Service
For some unknown and unfathomable reason, Pennsylvania State University researchers not only decided to study but also publish "Exploiting Open Functionality in SMS-Capable Cellular Networks." The work outlines how many SMS messages it would take to overwhelm a cell-tower or SMS switch in order to prevent phone use.

What on earth were they thinking? All networks are funnels, so pour enough in and you can always find a way to overflow it. That should be a given, so the only real research was just how much must be sent to achieve the expected (and certain) result. Their findings were not, however, based on some fundamental flaw in the way SMS messages are formed, interpreted or even handled, but instead simply a demonstration of the capacity of the site being tested against. As with any attack that attempts to overwhelm resources, increase the available resources and you thwart the attack … until someone sends even more data at it. Gee, did we really need to see a study of that age-old theory!

Physical Security
Two biometric solution providers, Pay By Touch Solutions and BioPay, are convinced that retailers could save up to 75 percent in processing fees if fingerprints were used to identify accounts that transactions should be charged to. According to the companies, security concerns that their method of identifying the fingerprint could lead to that data being used to reconstitute an actual fingerprint are unfounded.

Were that the only concern, one might think this is a great idea. Sure, there’s no doubt that the ability to create an actual replica of someone’s fingerprint from data stored/received by a biometric device is a security concern. However, when such biometrics are being used to authenticate and authorize a transaction, the bigger concern should be whether or not the stored data can be replayed.

Marketing will have to overcome images like a stolen finger being pressed against glass, or the idea that a fingerprint may be as identifiable as your DNA. You must overcome the fear that the data will be abused for such a system to obtain widespread adoption, and this may be more difficult in the United States than most anywhere else given the population’s strong concerns over privacy.

Biometrics work best in places where you have someone watching you use the biometric device. This holds true for some point-of-sale transactions, but certainly not all. Further, should such devices become widely deployed, less and less scrutiny would be given to the people using the devices, opening the way for gummy bear attacks … not to mention dismemberment.

Privacy
Javelin Strategy & Research reported that, according to a study they conducted, only 2.2 percent of all bank-related fraud was due to computer viruses or hackers. Twenty-six percent of victims knew the person who had perpetrated the fraud, and 29 percent said their personal information was gleaned through a lost or stolen wallet, checkbook or credit card.

This is further evidence that crime is still more effective person-to-person rather than electronically. While reports of 40 million records being stolen by hackers get the headlines, if you have money stolen from your bank account, an acquaintance, friend or family member is more likely to be the culprit. No wonder “Law and Order” investigators always look at relatives and friends first!

This column was originally published in our weekly Security Watch newsletter.

Governance
Three men were recently arrested by police in the Netherlands and accused of using a botnet of more than 100,000 computers to blackmail companies in the U.S. with the threat of denial-of-service attacks. The three, ages 19, 22 and 27, allegedly used computers infected with W32.toxbot in the scheme.

Toxbot was never highlighted as a significant threat by any anti-virus company, demonstrating yet again that the slow-moving, under-the-radar attacks are extremely effective. Also, press releases don’t necessarily demonstrate threat or severity.

European Commission officials have warned that if the U.S. doesn't surrender some control of the Internet, countries such as China, Russia, Brazil and some Middle Eastern countries could set up their own nets. The Internet is currently controlled by the Internet Corporation for Assigned Names and Numbers under the authority of the U.S. Department of Commerce. The U.S. argues that control by other countries could result in net censorship. Gee, does that mean we won’t get spam, phishing attacks, spyware and other malware from these locations if they make this move?

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
