
UNIRAS Brief - 538/04 - 2 iDEFENSE Security Bulletins - Sophos Small Business Suite Reserved Device Name Handling Vulnerability/IBM AIX ctstrtcasd Local File Corruption Vulnerability.



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 538/04 dated 28.09.04  Time: 14:50  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

iDEFENSE Security Bulletins:

1.	Sophos Small Business Suite Reserved Device Name Handling Vulnerability.

2.	IBM AIX ctstrtcasd Local File Corruption Vulnerability.


Detail
====== 

1.	Remote exploitation of a design vulnerability in version 1.00 of Sophos Plc.'s Small 
	Business Suite allows malicious code to evade detection.

2.	Local exploitation of an input validation vulnerability in the ctstrtcasd command 
	included by default in multiple versions of IBM Corp. AIX could allow for the 
	corruption or creation of arbitrary files anywhere on the system.


- -----------------------------------------------------------------------------------



1.


Sophos Small Business Suite Reserved Device Name Handling Vulnerability

iDEFENSE Security Advisory 09.22.04 
www.idefense.com/application/poi/display?id=143&type=vulnerabilities
September 22, 2004

I. BACKGROUND

Sophos Small Business Suite includes the Sophos PureMessage Small Business Edition, 
combining virus and spam protection for the email gateway, and Sophos Anti-Virus Small 
Business Edition, which offers desktop and server defense against the virus threat.

II. DESCRIPTION

Remote exploitation of a design vulnerability in version 1.00 of Sophos Plc.'s Small 
Business Suite allows malicious code to evade detection.

The problem specifically exists in attempts to scan files and directories named as reserved 
MS-DOS devices. These represent devices such as the first printer port (LPT1) and the first 
serial communication port (COM1). Sample reserved MS-DOS device names include AUX, CON, PRN, 
COM1 and LPT1.

If malicious code embeds itself within a reserved device name, it can avoid detection by Small 
Business Suite when the system is scanned. Malicious code can also potentially use reserved 
device names to bypass e-mail scanning, thereby potentially delivering hostile payloads to users. 
Small Business Suite will scan the files and folders containing the virus and fail to detect or 
report them. Real-time protection against malicious code is also affected; if malicious code is 
copied from a file named using a reserved MS-DOS device name to another file also named using a 
reserved MS-DOS device name, Small Business Suite will not detect it.

It may also be possible for malicious code to execute without detection from files named using 
a reserved MS-DOS device name. Reserved device names can be created with standard Windows utilities 
by specifying the full Universal Naming Convention (UNC) path. The following command will successfully 
copy a file to the reserved device name 'aux' on the C:\drive:

copy source \\.\C:\aux

III. ANALYSIS

Exploitation allows remote attackers to launch malicious code that can evade detection. Remote 
attackers can unpack or decode an otherwise detected malicious payload in a stealth manner. 
Exploitation may allow attackers to bypass e-mail filters, thereby increasing the likelihood 
that a target user executes a malicious attachment.

Files and directories using reserved MS-DOS device names can be removed by specifying the full 
Universal Naming Convention (UNC) path. The following command will successfully remove a file 
stored on the C:\ drive named 'aux':

del \\.\C:\aux

IV. DETECTION

Sophos Small Business Suite 1.00 is confirmed affected. Earlier versions reportedly crash upon the 
parsing of files or directories employing reserved MS-DOS device names.

V. WORKAROUND

Explicitly block file attachments that use reserved MS-DOS device names. Ensure that no local files 
or directories using reserved MS-DOS device names exist. On most modern Windows systems, reserved 
MS-DOS device names should not be present. While the Windows search utility can be used to locate 
offending files and directories, either a separate tool or the specification of Universal Naming 
Convention (UNC) should be used to remove them.
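The workaround above asks for two checks: reject attachment names that are reserved MS-DOS device names at the gateway, and locate any such files or directories on disk so they can be removed through a UNC-style path. The following is an added example (not part of the iDEFENSE advisory and not Sophos code) that implements both checks. It assumes the standard Windows reserved set (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9) and the Windows rule that the extension and any trailing dots or spaces are ignored when the name is parsed; the advisory itself lists only AUX, CON, PRN, COM1 and LPT1 as examples. All function names and the sample tree are this example's own.

```python
r"""Reserved MS-DOS device-name checks for a mail gateway and a disk audit.

Added example, not the advisory's or Sophos' code.  The \\.\ prefix produced by
device_bypass_path() is the form the advisory shows for `copy` and `del`.
"""
import ntpath
import os
import tempfile

# Assumption: the standard Windows reserved set.  Windows reserves these base
# names in every directory, regardless of case or extension: "aux", "AUX.txt"
# and "Con.tar.gz" all resolve to a device.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {"COM%d" % i for i in range(1, 10)}
    | {"LPT%d" % i for i in range(1, 10)}
)


def is_reserved_device_name(name: str) -> bool:
    """True if a single path component would be parsed as a device by Windows."""
    base = name.rstrip(". ")          # Windows drops trailing dots and spaces
    stem = base.split(".", 1)[0]      # the extension does not matter: aux.txt is AUX
    return stem.upper() in RESERVED_DEVICE_NAMES


def filter_attachments(filenames):
    """Split attachment names into (accepted, rejected) for a gateway policy.

    Only the final component is checked, so a device name cannot be hidden
    behind a directory prefix such as "docs\\aux.doc".
    """
    accepted, rejected = [], []
    for f in filenames:
        leaf = ntpath.basename(f.replace("/", "\\"))
        (rejected if is_reserved_device_name(leaf) else accepted).append(f)
    return accepted, rejected


def find_reserved_entries(root):
    """Walk root and return every file or directory whose name is reserved."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for n in dirnames + filenames:
            if is_reserved_device_name(n):
                hits.append(os.path.join(dirpath, n))
    return sorted(hits)


def device_bypass_path(win_path: str) -> str:
    r"""Prefix a Windows path with \\.\ so the leaf is not parsed as a device,
    matching the advisory's `del \\.\C:\aux`."""
    if win_path.startswith("\\\\.\\") or win_path.startswith("\\\\?\\"):
        return win_path
    return "\\\\.\\" + ntpath.normpath(win_path)


def demo_scan():
    """Build a constructed tree in a temp dir and return the relative hits.

    This runs on any OS: POSIX creates files named "aux" or "con.txt" without
    complaint, which is exactly how such names reach a Windows share or mail store.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lpt1"))            # reserved directory name
        for name in ("aux", "con.txt", "COM1.log", "console.txt", "readme.txt"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("constructed sample\n")
        return [os.path.relpath(p, root) for p in find_reserved_entries(root)]


if __name__ == "__main__":
    print(filter_attachments(["report.pdf", "invoice\\aux.doc", "CON", "control.txt"]))
    print(demo_scan())
    for hit in ("C:\\aux", "C:\\temp\\lpt1"):
        print("del", device_bypass_path(hit))
```

The stem check (rather than an exact match on the whole name) is the part that matters for an attachment filter: a policy that only blocks names equal to "AUX" still lets "aux.doc" through, and Windows treats that name as the device too.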

VI. VENDOR RESPONSE

"LPT1, LPT2, COM1 etc are reserved by the operating system for devices. Despite this, Windows will 
allow these strings to be used as file names and when such files are accessed, the operating system 
attempts to treat them as devices rather than files except under the circumstances you have outlined.

Although this vulnerability has never been exploited by a virus, it could theoretically be used to 
contain viral code. Sophos has improved its code within both its on-access and on-demand scanners to 
deal with these improperly named files as files and not devices.

This improvement to Sophos Anti-Virus will be included in version 3.86 (available 22/09/04)."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0552 to this 
issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.

VIII. DISCLOSURE TIMELINE

08/06/2004   Initial vendor notification
08/06/2004   iDEFENSE clients notified
08/09/2004   Initial vendor response
09/22/2004   Coordinated public disclosure

IX. CREDIT

Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.

Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in 
any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part 
of this alert in any other medium other than electronically, please email customerservice@xxxxxxxxxxxx 
for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based 
on currently available information. Use of the information constitutes acceptance for use in an AS IS 
condition. There are no warranties with regard to this information. Neither the author nor the publisher 
accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or 
reliance on, this information.

- ----------------------------------------------------------------------------------


2.


IBM AIX ctstrtcasd Local File Corruption Vulnerability

iDEFENSE Security Advisory 09.27.04 
http://www.idefense.com/application/poi/display?type=vulnerabilities
September 27, 2004

I. BACKGROUND

The ctstrtcasd program is a setuid root application, installed by 
default under newer versions of IBM AIX. It is part of the Reliable 
Scalable Cluster Technology (RSCT) system.  It is also installed with 
multiple IBM products under Linux, including IBM Tivoli System 
Automation, IBM Cluster Systems Management, IBM Hardware Management 
Console, and IBM General Parallel File System.

II. DESCRIPTION

Local exploitation of an input validation vulnerability in the ctstrtcasd command included 
by default in multiple versions of IBM Corp. AIX could allow for the corruption or creation 
of arbitrary files anywhere on the system.

If a user specifies a file with the -f option, the contents of that file will be overwritten 
with 65,535 bytes of application trace data. If the file doesn't exist, it will be created. 
The file creation/overwrite is done with root privileges, thus allowing an attacker to cause 
a denial of service condition by damaging the file system or by filling the drive with 65,535 
byte files.

III. ANALYSIS

All that is required to exploit this vulnerability is a local account. 
Exploitation does not require any knowledge of application internals, making exploitation trivial, 
even for unskilled attackers. It is not evident that privilege escalation is possible through 
abuse of this.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in IBM AIX 
5.2. IBM has reported that RSCT versions 2.3.0.0 and greater are 
affected, for AIX 5.2 and 5.3 on pSeries; AIX on i5/OS (iSeries); RSCT 
on Linux (pSeries, xSeries, zSeries), and the pSeries Hardware 
Management Console. Products shipping and installing these affected versions of RSCT as reported 
by IBM are as follows:
 
  IBM AIX 5L Version 5.2 on pSeries
  IBM AIX 5L Version 5.3 on pSeries
  IBM AIX 5L Version 5.2, 5.3 on an i5/OS (iSeries) partition
  IBM Tivoli System Automation (TSA) for Linux 1.1
  IBM Tivoli System Automation (TSA) for Multiplatforms 1.2
  IBM Cluster Systems Management (CSM) for Linux Version 1.4
     (version 1.4 and greater)
  IBM Hardware Management Console (HMC) for pSeries Version 3
  IBM Hardware Management Console (HMC) for pSeries Version 4
  IBM General Parallel File System (GPFS) Version 2 Release 2
      on Linux for xSeries and Linux for pSeries 

V. WORKAROUND

Only allow trusted users local access to security critical systems. Alternatively, remove the setuid 
bit from ctstrtcasd using chmod 555 /usr/sbin/rsct/bin/ctstrtcasd.
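The following is an added example (not from the iDEFENSE advisory or IBM) of how an administrator might audit whether the setuid bit is still present on ctstrtcasd and emit the advisory's remediation. The path is the one the advisory gives; the function names, the report layout and the "as shipped" mode of 4755 used in the demonstration are this example's own assumptions. Because ctstrtcasd exists only on AIX and the RSCT-bundled Linux products, the demonstration exercises the audit on a constructed temporary file.

```python
"""Setuid audit for the ctstrtcasd workaround (added example, not vendor code)."""
import os
import stat
import tempfile

# Location given in the advisory's workaround section.
CTSTRTCASD = "/usr/sbin/rsct/bin/ctstrtcasd"


def audit_setuid(path: str) -> dict:
    """Report whether path exists, whether it carries the setuid bit, whether it
    is root-owned, and the fix the advisory recommends when the bit is set."""
    try:
        st = os.stat(path)
    except OSError:
        return {"path": path, "present": False, "setuid": False,
                "owner_root": False, "mode": None, "fix": None}
    is_setuid = bool(st.st_mode & stat.S_ISUID)
    return {
        "path": path,
        "present": True,
        "setuid": is_setuid,
        "owner_root": st.st_uid == 0,          # setuid root is the dangerous case
        "mode": "%o" % stat.S_IMODE(st.st_mode),
        "fix": "chmod 555 %s" % path if is_setuid else None,
    }


def demo_on_temp_file():
    """Run the audit on a constructed temp file: first with an assumed shipped
    mode of 4755, then after applying the advisory's chmod 555.  Returns
    (setuid before, setuid after, mode before, mode after)."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        path = fh.name
    try:
        os.chmod(path, 0o4755)
        before = audit_setuid(path)
        os.chmod(path, 0o555)
        after = audit_setuid(path)
    finally:
        os.chmod(path, 0o600)
        os.unlink(path)
    return before["setuid"], after["setuid"], before["mode"], after["mode"]


if __name__ == "__main__":
    report = audit_setuid(CTSTRTCASD)
    if not report["present"]:
        print("%s not installed on this host" % CTSTRTCASD)
    elif report["setuid"]:
        print("SETUID %s (mode %s); remediate with: %s"
              % (report["path"], report["mode"], report["fix"]))
    else:
        print("OK %s (mode %s)" % (report["path"], report["mode"]))
    print(demo_on_temp_file())
```

Removing the setuid bit closes the root-privileged write described in section II; the trade-off the advisory leaves to the administrator is that ctstrtcasd then runs with the caller's privileges, so the audit is best paired with applying the vendor APAR rather than used as a permanent fix.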

VI. VENDOR RESPONSE

"Apply the workarounds or APARs as described [in the associated IBM Security Alert].

If you would like to receive AIX Security Advisories via email, please
visit:

   https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs";

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0828 to this 
issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.
 
VIII. DISCLOSURE TIMELINE 
 
08/11/2004   Initial vendor notification
08/25/2004   Secondary vendor notification
08/26/2004   Vendor response 
09/27/2004   Coordinated public disclosure 
 
IX. CREDIT 
 
iDEFENSE Labs is credited with this discovery. 
 
Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any 
way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of 
this alert in any other medium other than electronically, please email customerservice@xxxxxxxxxxxx 
for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based 
on currently available information. Use of the information constitutes acceptance for use in an AS IS 
condition. There are no warranties with regard to this information. Neither the author nor the publisher 
accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or 
reliance on, this information.

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone; Not Protectively Marked information may also be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of iDEFENSE for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQVlv6Ypao72zK539AQG/EgP+PU60nSMBMQe7lFyzKw6aOjqznNPuQ+BL
4b3A8NKCyTTUHjBVcknAhqvdD65tu7b2dhz6nv+qpbkCPcElncMSHVafbbvzlckY
VLMtDQt2f8n45W2LzVQtEWbrxf4uXdKjimKPhwR4TXLZFJXO1IMNVFhrxY5HbnuQ
t9v4jvBSXtU=
=IVEV
-----END PGP SIGNATURE-----