Security Watch

MS05-048 Proof of Concept Code Released

Overflow in the "content-type" field of the message header seems to be the culprit of the CDO vulnerability.

Proof of concept code for the CDO vulnerability patched by MS05-048 is publicly available, although there are still no reports of any actual attacks or attempts to exploit. The code indicates the overflow is in the "content-type" field of the message header. In CDO Schema parlance, as it applies to Exchange, is "urn:schemas:mailheader:Content-Type."

It’s important to remember that the overflow occurs when the field is populated from a stream, so you cannot test the length of the content-type field ahead of time via CDO.

According to RFC-2045, no maximum length is specified for the content-type header field. So we reviewed a considerable number of "real-world" e-mail messages to determine a reasonable content-type field length. All but 30 of the 100,000+ messages we reviewed had a content-type length of less than 270 characters. The smallest length of the other 30 was 604 characters, and ranged as high as 1,012 characters. None of those with larger lengths were "valid" e-mails -- they were all spam or malformed messages from spam mailers. None contained shell code.

-- Snort Back Orifice preprocessor vulnerability and Snort Back Orifice preprocessor buffer overflow exploit code has been released.

Our assessment of the exploit code announcements was that risk was unchanged and is not likely to change. Australia's AUSCERT Incident Response Team issued an alert to its constituency claiming multiple exploits exist. However, it referenced only one third-hand report of a single “semi-functional” exploit that we were already aware of. We have not yet tracked a fully functional, system-compromise exploit.

All affected versions of Snort run the Back Orifice preprocessor by default. Disabling the preprocessor mitigates the vulnerability.

-- According to a study conducted by The Measurement Factory on behalf of network appliance vendor Infoblox, the vast majority of DNS servers available to the Internet are not employing best practices with respect to security. The company queried approximately 1.3 million DNS servers and found that 75 percent accepted recursive queries. Accepting and processing a recursive query from an untrusted system is a significant component in cache poisoning attacks, or could lead to a denial of service.

The survey made no attempt to determine whether or not the DNS queried was, in fact, vulnerable to a particular attack; it merely looked at whether or not it might be possible to launch such an attack against it. Given that the survey results indicated that 57 percent were running the latest secure versions of BIND, chances are they are not vulnerable. In addition to accepting recursive queries, the software must also allow non-authoritative responses to be placed in its cache to actually become poisoned. However, that still leaves more than 500,000 DNS servers in the sample set likely vulnerable. Since The Measurement Factory estimates the total number of DNS servers at 7.5 million, as many as 2.4 million may be susceptible to cache poisoning attacks.

Unfortunately, we must always restate the obvious: Basic security measures are more effective than patches. While you may eliminate a vulnerable DNS server by keeping it up-to-date, disabling its ability to perform recursive queries from addresses outside of your private address space is equally as important, if not more so.

Malicious Code
Two separate spam e-mail runs have been sent which do not contain any malware but include links to Web sites which contain malware.

The first spoofs a message from Symantec for users to download a security update for a non-existent Trojan. If downloaded and executed, the resulting malware is a variant of Rbot, aka SDbot, aka Spybot, depending on your vendor.

The other spoofs a billing-error message with links to either or domains. Victims who follow the link will have a variant of the Inor spyware automatically installed on vulnerable Internet Explorer platforms.

Human Factors
Jupiter Research predicts that 20.4 million U.S. households will be using voice over IP by 2010, primarily because VoIP costs less than traditional telephone services. Jupiter estimates the number of VoIP subscribers in 2004 was 1.2 million.

According to an Inpulse Research survey of 1,000 U.S. IT professionals, all indicated they were expecting to move to voice over IP within a year because of an expected cost savings of 40 percent.

According to messages on CypherPunks, the Electronic Freedom Foundation (EFF) is looking for a squeaky clean test case for the onion router situation versus RIAA.

Onion routing is a privacy mechanism that is jointly supported by the department of the Navy, EFF and others. It's a set of proxy systems located in different places. If you want to connect to something and not be seen connecting to it, you connect to some node in this cloud and various twisted algorithms connect you to on opaque stream that defies traffic analysis.

I remember a system called “CROWDS” back in 1996 that sounds very similar to this.

The Voice over IP Security Alliance (VoIPSA) announced it has launched the VoIP Security Threat Taxonomy, a classification and description of the types of security threats that affect IP telephony. The list appears to be more attacks than threats, making it more of a tool list than taxonomy.

The Department of Justice, FBI and SEC are in discussions to formulate a plan to extend the Communications Assistance to Law Enforcement Act (CALEA) to the Internet using VoIP as the rationale for establishing their jurisdiction.

Want More Security?

This column was originally published in our weekly Security Watch newsletter. To subscribe, click here.

Currently, it seems that they are focusing their attention on having all ISPs compliant with CALEA for VoIP. However, reports suggest that if the provider is incapable of isolating VoIP traffic from other traffic or one VoIP subscriber from another, then the “full pipe” would have to be turned over to the authorities. They, the authorities, would then whittle out that traffic they are interested in.

Clearly, this level of supervision invites abuse. It’s also the cause of concern that all Internet traffic is being sought. How could it be determined that other VoIP subscriber calls weren’t listened to, or that other traffic from the desired VoIP subscriber IP address wasn’t also analyzed?

Further, there is the question of cost. While the original CALEA law allocated $500 million to reimburse providers with the costs of complying, suggestions in 2004 were that VoIP compliance would fall on the providers themselves. Should this be the case, it could considerably increase the cost of VoIP.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq,, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

comments powered by Disqus

SharePoint Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.