Security Watch

Inside Jobs

BIG-IP, BEA WebLogic threats require insider knowledge; Veritas, Sybase BOVs; more

• By Russ Cooper
• 03/31/2008

Cross-Site Traffic Flaw Requires Insider Knowledge To Exploit
The BIG-IP management interface does not distinguish between traffic sent intentionally by a user and traffic that originates from a user's computer, but from an application other than that being used to perform management tasks. Therefore, criminals, who already have a way to cause an administrator's system to send traffic, can interact with the Big-IP management interface without having to obtain appropriate credentials. Patches are not yet available.
http://www.securityfocus.com/archive/1/487863

Insider threats are much talked about these days, but there really hasn't been any change in the fact that you face threats from your own employees. Vulnerability announcements often refer to an insider threat, but often it's really just a way to justify publishing an announcement.

If a criminal can get past your perimeter defenses and attack an insider vulnerability, he likely already has much more access than you've planned for. Further, a criminal would typically have to have considerable insider knowledge in order to execute such attacks.

BEA WebLogic Under Multiple Attacks
Three vulnerabilities have been patched in BEA WebLogic products.

BEA WebLogic Portal Administration Console should be accessed via an HTTPS session. However, once initiated, the console incorrectly redirects further traffic via HTTP. As such, it is possible for others to interject HTTP transactions into an administrator session without said administrator's knowledge.

The second vulnerability involves JMS messages. WebLogic applications should require the "receive" permission in order to receive JMS, but under undisclosed circumstances, an application without this permission could subscribe to Topic destinations and receive messages they would otherwise not be able to see.

The third vulnerability involves the ability for an unauthorized person to send messages to a protected distribution queue. Patches are available for all three vulnerabilities.
http://dev2dev.bea.com/pub/advisory/264
http://dev2dev.bea.com/pub/advisory/267
http://dev2dev.bea.com/pub/advisory/268

Classify these under "yet some more insider-only vulnerabilities." Consider carefully how you're using your insider-only tools. If you allow use of the Administration Console from the Web server employing the WebLogic applications, and one of those servers is compromised, the criminal now has access from the outside.

Veritas Security, Sybase MobiLink Rebuffed by BOVs
Symantec Veritas Storage Foundation Administrative GUI component contains a vulnerability that can be exploited by a criminal who could send packets to the system's UDP port 3207. Authentication is not required, and the port is typically accessible from inside a corporate network. Access from the Internet should be blocked by best practices. A patch is available.
http://www.symantec.com/avcenter/security/Content/2008.02.20a.html
http://www.zerodayinitiative.com/advisories/ZDI-08-007/

Vulnerabilities in backup systems have been at the heart of many an exploit in the past. In this case, though, we're talking about an administrative interface and not something that should be available to untrusted users.

Now, how about this one: Three fields used in authenticating remote clients to a Sybase MobiLink system can cause a buffer overflow when the client connects. A criminal's code could execute on the MobiLink server in the context of the service, typically highly privileged to allow it to impersonate any of the users who may connect to it. MobiLink is a database-to-client interface service that functions over TCP, HTTP, Hotsynch, and other connection methods. Proof-of-concept code has been published and it uses TCP 2439, the default port for the service. There are no updates available and Sybase has, as yet, not acknowledged the vulnerability.
http://www.securiteam.com/windowsntfocus/5SP0P1PNFM.html

MobiLink is used by companies to develop their own solutions to mobile device database connectivity, so the code used should have been vetted through an audit process. Had this been done, then validating parameters supplied by users should also have been done, in which case it is unlikely that criminals could pass overly long values to the authentication process. If, however, the solution was developed without adequate auditing or consideration of parsing user supplied information, your environment may be at risk. Despite this, the service should only be accessible to known clients or via clients who have already authenticated to a VPN service.

Bad Security News: Neosploit Upgraded
According to former Cybertrust malcode guru Roger Thompson, the criminal developers of Neosploit have issued a new version. This latest one includes two new exploits: one targeting the MS07-033 vulnerability in the ActiveVoice ActiveX control, and the other against Yahoo Music Jukebox. The Jukebox vulnerability was only announced earlier this month.
http://explabs.blogspot.com/2008/02/new-neo-now.html

It should come as no surprise to anyone that criminals maintain their malware to provide new exploits for more recent vulnerabilities, in the hopes of catching people who aren't using Automatic Updates, or who use barnacleware that doesn't update itself.