Security Watch

Hacker's Delight

A sample of one week's newly discovered vulnerabilities can keep hackers busy and security experts on their toes.

While we tend to focus on the name brands, vulnerabilities in lesser-used utilities are continually uncovered and typically make up the vast majority of each year's vulnerability discoveries. Here's but a sample of one week's finds:

Info-ZIP Cleans Up Sloppily
So who here has heard of Info-ZIP? Probably not many, but the reality is that it may well be on your network in various forms, whether it's in Novell NetWare, SAP, PGP, Mozilla/Firefox, Linux, Windows or Java. In fact, it would probably be pretty near impossible to identify everything in your environment that includes it. A vulnerability in the way the UnZip utility frees its memory after an error could allow a criminally crafted zip file to run code of a criminal's choice. Updates are available from Info-ZIP, but may not be available for everything you use that embeds the vulnerable code.
http://www.securityfocus.com/bid/28288/
http://www.info-zip.org/

Luckily we don't, or shouldn't, trust zip files, given the amount of malware already circulating in that format. That said, this is a good example of just how much of a problem vulnerable code can create if you were to try to patch everything that might contain it.
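As an added illustration of the bug class, and not Info-ZIP's code: the column says only that UnZip mishandles its memory cleanup after an error, and the most common way a post-error cleanup goes wrong is freeing the same buffer twice, so that is what is shown here. The decoder, its one-byte length-prefixed "stream" and the tracking allocator are all constructed for the example; the allocator records a second free of a pointer instead of performing it, so the program runs without corrupting the heap.

```c
/* Added illustration, not Info-ZIP's code: an error-path cleanup that frees
 * the same buffer twice. The tracking allocator records a second free of a
 * pointer instead of performing it, so the example runs without heap damage. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 16
static void *live[MAX_TRACKED];   /* pointers currently allocated */
static int double_free_count;     /* frees of a pointer not in live[] */

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_TRACKED; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    free(p);                      /* table full (or malloc failed) */
    return NULL;
}

static void tracked_free(void *p) {
    if (p == NULL) return;        /* free(NULL) is always harmless */
    for (int i = 0; i < MAX_TRACKED; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_free_count++;          /* a real free() here would corrupt the heap */
}

static int live_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_TRACKED; i++) n += live[i] != NULL;
    return n;
}

struct decoder { unsigned char *out; size_t out_len; };

/* Constructed stand-in for a compressed stream: one length byte followed by
 * that many payload bytes. A length larger than the payload present is the
 * malformed input that sends the decoder down its error path. */
static int decode_buggy(struct decoder *d, const unsigned char *in, size_t in_len) {
    if (in_len < 1) return -1;
    size_t want = in[0];
    d->out = tracked_alloc(want);
    if (!d->out) return -1;
    if (in_len - 1 < want) {
        tracked_free(d->out);     /* BUG: the caller still holds d->out */
        return -1;
    }
    memcpy(d->out, in + 1, want);
    d->out_len = want;
    return 0;
}

static int decode_fixed(struct decoder *d, const unsigned char *in, size_t in_len) {
    if (in_len < 1) return -1;
    size_t want = in[0];
    d->out = tracked_alloc(want);
    if (!d->out) return -1;
    if (in_len - 1 < want) {
        tracked_free(d->out);
        d->out = NULL;            /* ownership released: caller's free is a no-op */
        return -1;
    }
    memcpy(d->out, in + 1, want);
    d->out_len = want;
    return 0;
}

typedef int (*decode_fn)(struct decoder *, const unsigned char *, size_t);

/* The caller pattern common to extractors: decode, then always release. */
static int run(decode_fn decode, const unsigned char *in, size_t in_len) {
    struct decoder d = { NULL, 0 };
    int rc = decode(&d, in, in_len);
    tracked_free(d.out);          /* routine cleanup, whatever the outcome */
    return rc;
}

/* Feeds one malformed input (claims 8 bytes, carries 2) to a decoder and
 * reports how many double frees the tracker caught. */
static int double_frees_for(decode_fn decode) {
    static const unsigned char bad[] = { 0x08, 'A', 'B' };
    double_free_count = 0;
    run(decode, bad, sizeof bad);
    return double_free_count;
}

/* Well-formed input: both decoders produce the same two payload bytes. */
static int decode_ok(decode_fn decode) {
    static const unsigned char good[] = { 0x02, 'A', 'B' };
    struct decoder d = { NULL, 0 };
    int rc = decode(&d, good, sizeof good);
    int ok = rc == 0 && d.out_len == 2 && memcmp(d.out, "AB", 2) == 0;
    tracked_free(d.out);
    return ok;
}

int main(void) {
    printf("buggy decoder: %d double free(s)\n", double_frees_for(decode_buggy));
    printf("fixed decoder: %d double free(s)\n", double_frees_for(decode_fixed));
    printf("leaked blocks: %d\n", live_count());
    return 0;
}
```

The fix is an ownership rule rather than an extra check: whoever frees a buffer clears the pointer the caller can see, so the routine cleanup finds NULL. Against a real allocator the second free corrupts heap metadata, which is what turns a crafted archive into a code-execution vector instead of a crash.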

MG-SOFT Net Inspector's BOV Problem
Yet another product that embeds an HTTP server to give clients access to its data. MG-SOFT Net Inspector is an SNMP and ICMP network monitoring tool that continually scans your network for devices. Among the several ways a client can access the information the Net Inspector server has collected is a Java Web Start application served by the integral HTTP server on TCP port 5228. When the server logs the client access, it does not properly validate the parameters the client sent, so a buffer can be overflowed, which could result in code of the criminal's choice executing in the context of the service, and that service is typically highly privileged. Patches are not yet available.
http://www.securiteam.com/securitynews/5QP0D1PNPW.html
http://www.mg-soft.si/netinsp.html

Clearly, this service should only be available internally, but given the heightened concern about internal criminals these days, it's yet one more way they might gather information they would not otherwise have at hand. Imagine being able to identify sensitive devices, potentially hosting PII, from a network topology diagram that lays everything out for them. They might discover back-door networks used for backup, for example, or learn more about devices' setup and functionality from their MIBs than they could with a protocol analyzer.

BOV Gives BootManage the Boot
Yet another logging vulnerability, this time in a TFTP server. Bootix BootManage TFTP Server serves up network installations and PXE boot images to your internal systems. TFTP runs over UDP with no authentication, so it shouldn't be reachable by external criminals; it is yet another avenue for internal criminals to attack you. A TFTP PUT request can contain an overly long file name which, despite being rejected by the TFTP server, is still written to the log. When that happens a buffer is overflowed, and the criminal can control the overflow to execute code on the TFTP server system. Patches are not yet available.
http://www.securityfocus.com/bid/28270/

Consider what could be done with such a vulnerability. If successful, the criminal could replace the boot images on the system with new images that include a rootkit, which is not a trivial compromise at all. A workaround would be a proxy that filters PUT requests and drops them. Since the protocol is UDP-based, source addresses can be spoofed, so filtering by client address is not enough; blocking PUTs outright is the only sensible solution. Files should be placed on the server via other protocols, such as SMB or authenticated HTTP, instead.
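An added example, not Bootix's or MG-SOFT's code, of the logging bug common to the Net Inspector and BootManage advisories above and of the block-PUTs workaround: a bounds-checked parser for the TFTP request layout from RFC 1350 (opcode, filename, NUL, mode, NUL), the unsafe copy-then-log shape beside a bounded one, and a handler that refuses every write request and logs the refusal safely. The filename limit, log buffer size and sample packets are all constructed for the example and are assumptions, not the products' values.

```c
/* Added example, not Bootix's or MG-SOFT's code; the limits below are assumed.
 * Packets follow the RFC 1350 request layout: opcode, filename, NUL, mode, NUL. */
#include <stdio.h>
#include <string.h>

#define TFTP_RRQ 1
#define TFTP_WRQ 2
#define MAX_NAME 64   /* assumed server filename limit */
#define LOG_LINE 80   /* fixed log buffer, as in the vulnerable pattern */
#define SHOWN    32   /* bytes of a refused name worth logging */

struct tftp_req {
    int opcode;
    const unsigned char *name;  /* points into the packet; NUL not guaranteed */
    size_t name_len;
};

/* 0 on a well-formed RRQ/WRQ, -1 otherwise; both strings are scanned against
 * the packet length instead of trusting a terminator to be present. */
static int tftp_parse(const unsigned char *pkt, size_t len, struct tftp_req *r) {
    if (len < 4) return -1;
    r->opcode = (pkt[0] << 8) | pkt[1];
    if (r->opcode != TFTP_RRQ && r->opcode != TFTP_WRQ) return -1;
    const unsigned char *p = pkt + 2, *end = pkt + len;
    const unsigned char *nul = memchr(p, 0, (size_t)(end - p));
    if (!nul) return -1;                      /* unterminated filename */
    r->name = p;
    r->name_len = (size_t)(nul - p);
    p = nul + 1;
    if (memchr(p, 0, (size_t)(end - p)) == NULL) return -1;  /* unterminated mode */
    return 0;
}

/* Vulnerable shape: a name already judged too long is still copied into a
 * MAX_NAME stack buffer unbounded. Never called here; > MAX_NAME smashes the stack. */
void log_refused_unsafe(char line[LOG_LINE], const struct tftp_req *r) {
    char name[MAX_NAME];
    memcpy(name, r->name, r->name_len);
    name[r->name_len] = '\0';
    sprintf(line, "refused WRQ for %s", name);
}

/* Hardened shape: bounded formatting, truncation marked, return value says
 * whether anything was cut. %.*s stops at SHOWN bytes, never past the packet. */
static int log_refused_safe(char line[LOG_LINE], const struct tftp_req *r) {
    int truncated = r->name_len > SHOWN;
    size_t shown = truncated ? SHOWN : r->name_len;
    int n = snprintf(line, LOG_LINE, "refused %s for %.*s%s",
                     r->opcode == TFTP_WRQ ? "WRQ" : "RRQ",
                     (int)shown, (const char *)r->name, truncated ? "..." : "");
    return truncated || n >= LOG_LINE;
}

/* Policy: writes refused outright (the workaround above), names over MAX_NAME
 * refused even on reads, refusals logged through the bounded path.
 * Returns 0 = serve, 1 = refused and logged, -1 = malformed. */
static int tftp_handle(const unsigned char *pkt, size_t len, char line[LOG_LINE]) {
    struct tftp_req r;
    line[0] = '\0';
    if (tftp_parse(pkt, len, &r) != 0) return -1;
    if (r.opcode == TFTP_WRQ || r.name_len > MAX_NAME) {
        log_refused_safe(line, &r);
        return 1;
    }
    return 0;
}

/* Constructed request with a filename of name_len 'A's; returns packet size. */
static size_t build_req(unsigned char *buf, size_t cap, int opcode, size_t name_len) {
    static const char mode[] = "octet";
    if (cap < 3 + name_len + sizeof mode) return 0;
    buf[0] = 0; buf[1] = (unsigned char)opcode;
    memset(buf + 2, 'A', name_len);
    buf[2 + name_len] = 0;
    memcpy(buf + 3 + name_len, mode, sizeof mode);   /* copies the NUL too */
    return 3 + name_len + sizeof mode;
}

struct outcome { int rc; size_t log_len; int marked; };

/* Runs one constructed request through the server policy. */
static struct outcome try_request(int opcode, size_t name_len) {
    unsigned char pkt[1024]; char line[LOG_LINE]; struct outcome o;
    size_t n = build_req(pkt, sizeof pkt, opcode, name_len);
    o.rc = tftp_handle(pkt, n, line);
    o.log_len = strlen(line);
    o.marked = strstr(line, "...") != NULL;
    return o;
}

/* A WRQ whose filename never terminates must be rejected as malformed. */
static int try_unterminated(void) {
    static const unsigned char pkt[] = { 0, TFTP_WRQ, 'A', 'A', 'A', 'A' };
    char line[LOG_LINE];
    return tftp_handle(pkt, sizeof pkt, line);
}

int main(void) {
    struct outcome o = try_request(TFTP_WRQ, 500);   /* 500-byte name, refused */
    printf("rc=%d log_len=%zu marked=%d unterminated=%d\n",
           o.rc, o.log_len, o.marked, try_unterminated());
    return 0;
}
```

The point of the bounded logger is that rejecting a request is not the same as discarding its data: the rejected field still flows into the log line, so the log path needs the same length discipline as the accept path. Truncating with a marker keeps the log useful for spotting the probe without ever letting the attacker choose how many bytes are written.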

SurgeMail's E-Mails Go Public
This is the type of vulnerability that has led to private e-mails and other content being stolen by criminals in the past. An authenticated user can send a criminally crafted LIST command via IMAP; if successful, code of the criminal's choice could execute on the e-mail server. NetWin SurgeMail may very well be used by your ISP without you ever knowing it. Updates are not available.
http://www.securiteam.com/exploits/5UP0G1PNQC.html

Certainly not the first vulnerability in SurgeMail, and the fact that it requires authentication before it can be exploited may reduce the likelihood of exploitation, despite proof-of-concept code being available. The most likely target would be a free mail service, where the criminal obtains a valid account and then leverages it to peruse the accounts of other users on the system.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
