MS05-048 Proof of Concept Code Released
Overflow in the "content-type" field of the message header seems to be the culprit of the CDO vulnerability.
Proof of concept code for the CDO vulnerability
patched by MS05-048
is publicly available, although there are still no reports of any actual attacks
or attempts to exploit. The code indicates the overflow is in the "content-type"
field of the message header. In CDO Schema parlance, as it applies to Exchange,
It’s important to remember that the overflow occurs when the field is
populated from a stream, so you cannot test the length of the content-type field
ahead of time via CDO.
According to RFC-2045,
no maximum length is specified for the content-type header field. So we reviewed
a considerable number of "real-world" e-mail messages to determine
a reasonable content-type field length. All but 30 of the 100,000+ messages
we reviewed had a content-type length of less than 270 characters. The smallest
length of the other 30 was 604 characters, and ranged as high as 1,012 characters.
None of those with larger lengths were "valid" e-mails -- they were
all spam or malformed messages from spam mailers. None contained shell code.
-- Snort Back Orifice preprocessor vulnerability and Snort Back Orifice
preprocessor buffer overflow exploit code has been released.
Our assessment of the exploit code announcements was that risk was unchanged
and is not likely to change. Australia's AUSCERT Incident Response Team
issued an alert to its constituency claiming multiple exploits exist. However,
it referenced only one third-hand report of a single “semi-functional”
exploit that we were already aware of. We have not yet tracked a fully functional,
All affected versions of Snort run the Back Orifice preprocessor by default.
Disabling the preprocessor mitigates the vulnerability.
-- According to a study conducted by The Measurement Factory on behalf
of network appliance vendor Infoblox, the vast majority of DNS servers
available to the Internet are not employing best practices with respect to security.
The company queried approximately 1.3 million DNS servers and found that 75
percent accepted recursive queries. Accepting and processing a recursive query
from an untrusted system is a significant component in cache poisoning attacks,
or could lead to a denial of service.
The survey made no attempt to determine whether or not the DNS queried was,
in fact, vulnerable to a particular attack; it merely looked at whether or not
it might be possible to launch such an attack against it. Given that the survey
results indicated that 57 percent were running the latest secure versions of
BIND, chances are they are not vulnerable. In addition to accepting recursive
queries, the software must also allow non-authoritative responses to be placed
in its cache to actually become poisoned. However, that still leaves more than
500,000 DNS servers in the sample set likely vulnerable. Since The Measurement
Factory estimates the total number of DNS servers at 7.5 million, as many as
2.4 million may be susceptible to cache poisoning attacks.
Unfortunately, we must always restate the obvious: Basic security measures
are more effective than patches. While you may eliminate a vulnerable DNS server
by keeping it up-to-date, disabling its ability to perform recursive queries
from addresses outside of your private address space is equally as important,
if not more so.
Two separate spam e-mail runs have been sent which do not contain any
malware but include links to Web sites which contain malware.
The first spoofs a message from Symantec for users to download a security update
for a non-existent Trojan. If downloaded and executed, the resulting malware
is a variant of Rbot, aka SDbot, aka Spybot, depending on your vendor.
The other spoofs a billing-error message with links to either nlpshoping.com
or site.com domains. Victims who follow the link will have a variant of the
Inor spyware automatically installed on vulnerable Internet Explorer platforms.
Jupiter Research predicts that 20.4 million U.S. households will be using
voice over IP by 2010, primarily because VoIP costs less than traditional
telephone services. Jupiter estimates the number of VoIP subscribers in 2004
was 1.2 million.
According to an Inpulse Research survey of 1,000 U.S. IT professionals,
all indicated they were expecting to move to voice over IP within a year because
of an expected cost savings of 40 percent.
According to messages on CypherPunks, the Electronic Freedom
Foundation (EFF) is looking for a squeaky clean test case for the onion
router situation versus RIAA.
Onion routing is a privacy mechanism that is jointly supported by the department
of the Navy, EFF and others. It's a set of proxy systems located in different
places. If you want to connect to something and not be seen connecting to it,
you connect to some node in this cloud and various twisted algorithms connect
you to on opaque stream that defies traffic analysis.
I remember a system called “CROWDS” back in 1996 that sounds very
similar to this.
The Voice over IP Security Alliance (VoIPSA) announced it has
launched the VoIP Security Threat Taxonomy, a classification and description
of the types of security threats that affect IP telephony. The list appears
to be more attacks than threats, making it more of a tool list than taxonomy.
The Department of Justice, FBI and SEC are in discussions to formulate a plan
to extend the Communications Assistance to Law Enforcement Act (CALEA)
to the Internet using VoIP as the rationale for establishing their jurisdiction.
column was originally published in our weekly Security Watch
newsletter. To subscribe, click here.
Currently, it seems that they are focusing their attention on having all ISPs
compliant with CALEA for VoIP. However, reports suggest that if the provider
is incapable of isolating VoIP traffic from other traffic or one VoIP subscriber
from another, then the “full pipe” would have to be turned over
to the authorities. They, the authorities, would then whittle out that traffic
they are interested in.
Clearly, this level of supervision invites abuse. It’s also the cause
of concern that all Internet traffic is being sought. How could it be determined
that other VoIP subscriber calls weren’t listened to, or that other traffic
from the desired VoIP subscriber IP address wasn’t also analyzed?
Further, there is the question of cost. While the original CALEA law allocated
$500 million to reimburse providers with the costs of complying, suggestions
in 2004 were that VoIP compliance would fall on the providers themselves. Should
this be the case, it could considerably increase the cost of VoIP.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.