Buffer Overflow Flaws Aplenty -- Microsoft Certified Professional Magazine Online

Buffer Overflow Flaws Aplenty

BOF rears its ugly head in Sun Java VM, Qualcomm Eudora and Symantec Discover, among others. Also: Using IPv6? Just ditch those Type 0 routing headers.

By Russ Cooper
06/25/2007

Secunia has released a few bulletins having to do with the easily exploited buffer overflow flaw in several products. First, there's Sun Java VM, which can be exploited to run code of a criminal’s choice if the victim can be convinced to parse a criminally crafted Jpeg or bitmapped image. The vulnerability results from improper handling of parameters within the ICC Profile of the image. Patches are not yet available.

Considering that jpegs were first noted as being able to cause criminal code execution more than two years ago, it's a surprise to find yet another product still vulnerable to image parsing errors.

Next, Qualcomm's Eudora client could be exploited to run code of a criminal’s choice if the victim could be convinced to connect their client to a criminally prepared SMTP server. If the Eudora client connected to such a server, a reply from that server to the client could result in exploitation in the security context of the victim.

Consider what a criminal would have to do to pull this off, though. The most likely attack scenario is for a victim’s normal SMTP server to become compromised and reconfigured to issue the criminal response upon connection. Otherwise, the criminal would have to convince the victim to change their default SMTP server in their Eudora configuration.

Finally, a slew of products -- Symantec Discovery, Centennial Discovery and Numara Asset Manager -- are mentioned on this Secunia bulletin because all can be exploited by an unauthenticated criminal who can send criminally crafted, unauthenticated TCP packets to a vulnerable system. Patches are unavailable.

The component typically runs in the context of SYSTEM, the most highly privileged user on a victim’s system.

Yet another example of products intended to connect with only one, or at least a very few, systems. A server would typically send out the probes to all IP devices to receive responses. If effective security management were built into these products, then they could only respond to requests from the legitimate servers within the victim’s organization. Unfortunately, the software will respond to any IP address which attempts to connect to it, thereby allowing for the possibility that criminally crafted packets can be sent and processed, resulting in exploitation.

This vulnerability certainly could result in a wide-spread problem within an organization that uses these unrepaired products; however, some other compromise is likely required before a machine in such an environment could be used to launch an attack against this vulnerability.

Want More Security?

This column was originally published in our weekly Security Watch newsletter. To subscribe, click here.

Just Say No to Type 0 Router Headers
After being reminded of the problems with Type 0 Routing Headers via a presentation at CanSecWest, the IETF has received two proposals regarding it; that's according to this article in CSO Magazine Online. The first suggests it become disabled by default; the second suggests it be removed from IPv6 entirely.

While it may be easier to turn it off by default, the more sensible solution is to simply remove it entirely. Let’s hope they move quickly, and, that implementers move equally quickly to address already deployed environments...such as Windows Vista!

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.