UNIRAS Brief - 538/04 - 2 iDEFENSE Security Bulletins - Sophos Small Business Suite Reserved Device Name Handling Vulnerability/IBM AIX ctstrtcasd Local File Corruption Vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
- ----------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Briefing Notice - 538/04 dated 28.09.04 Time: 14:50
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ----------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------
Title
=====
iDEFENSE Security Bulletins:
1. Sophos Small Business Suite Reserved Device Name Handling Vulnerability.
2. IBM AIX ctstrtcasd Local File Corruption Vulnerability.
Detail
======
1. Remote exploitation of a design vulnerability in version 1.00 of Sophos Plc.'s Small
Business Suite allows malicious code to evade detection.
2. Local exploitation of an input validation vulnerability in the ctstrtcasd command
included by default in multiple versions of IBM Corp. AIX could allow for the
corruption or creation of arbitrary files anywhere on the system.
- -----------------------------------------------------------------------------------
1.
Sophos Small Business Suite Reserved Device Name Handling Vulnerability
iDEFENSE Security Advisory 09.22.04
www.idefense.com/application/poi/display?id=143&type=vulnerabilities
September 22, 2004
I. BACKGROUND
Sophos Small Business Suite includes the Sophos PureMessage Small Business Edition,
combining virus and spam protection for the email gateway, and Sophos Anti-Virus Small
Business Edition, which offers desktop and server defense against the virus threat.
II. DESCRIPTION
Remote exploitation of a design vulnerability in version 1.00 of Sophos Plc.'s Small
Business Suite allows malicious code to evade detection.
The problem specifically exists in the handling of files and directories that carry reserved
MS-DOS device names. These names denote devices such as the first printer port (LPT1) and the
first serial port (COM1); the reserved names include AUX, CON, PRN, NUL, COM1 and LPT1.
If malicious code embeds itself in a file or directory with a reserved device name, it avoids detection
by Small Business Suite when the system is scanned. Malicious code can also potentially use reserved
device names to bypass e-mail scanning, thereby delivering hostile payloads to users.
Small Business Suite will scan the files and folders containing the virus yet fail to detect or
report them. Real-time (on-access) protection is affected as well: if malicious code is copied from
a file with a reserved MS-DOS device name to another file with a reserved MS-DOS device name,
Small Business Suite does not detect it.
It may also be possible for malicious code to execute undetected from files named using reserved
MS-DOS device names. Such files can be created with standard Windows utilities by prefixing the full
path with \\.\ (the Win32 device namespace prefix, often loosely described as a UNC path), which
bypasses the Win32 name parsing that would otherwise redirect the name to the device. The following
command copies a file to a file named 'aux' in the root of the C: drive:
copy source \\.\C:\aux
III. ANALYSIS
Exploitation allows remote attackers to deliver malicious code that evades detection: an otherwise
detected payload can be unpacked or decoded under a reserved device name without triggering the scanner.
Exploitation may also allow attackers to bypass e-mail filters, increasing the likelihood that a target
user executes a malicious attachment.
Files and directories with reserved MS-DOS device names can be removed by specifying the full path
with the same \\.\ prefix. The following command removes a file named 'aux' stored in the root of
the C: drive:
del \\.\C:\aux
IV. DETECTION
Sophos Small Business Suite 1.00 is confirmed affected. Earlier versions reportedly crash upon the
parsing of files or directories employing reserved MS-DOS device names.
V. WORKAROUND
Explicitly block file attachments whose names are reserved MS-DOS device names. Ensure that no local
files or directories with reserved MS-DOS device names exist; on most modern Windows systems none
should be present. The Windows search utility can locate offending files and directories, but removing
them requires either a separate tool or the \\.\ path prefix, because ordinary commands treat the
name as the device rather than the file.
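The attachment filter the workaround calls for, as an added example that is not code from the advisory or from Sophos: a C function deciding whether a name would be treated by Win32 as a reserved device, plus a small gateway-side wrapper that flags attachment names. It applies the Win32 matching rules the evasion relies on: the comparison is case-insensitive, any extension is ignored ("aux.txt" still resolves to AUX) and trailing spaces are stripped; NUL and COM2-COM9/LPT2-LPT9 are included beyond the names the advisory quotes. The function names and the sample attachment list are constructed for this demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Reserved MS-DOS device names as Win32 recognises them. The advisory quotes
 * AUX, CON, PRN, COM1 and LPT1; NUL and the remaining COM/LPT ports complete
 * the classic list. */
static const char *const RESERVED[] = {
    "CON", "PRN", "AUX", "NUL",
    "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
    "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9",
};

/* Returns 1 if the final component of 'name' (a bare file name or a
 * Windows/UNIX-style path) would be interpreted by Win32 as a device rather
 * than a file, 0 otherwise. Win32 rules: case-insensitive, the extension is
 * ignored ("aux.txt" -> AUX), trailing spaces are dropped ("lpt1 ." -> LPT1). */
int is_reserved_device_name(const char *name)
{
    const char *base = name;
    for (const char *p = name; *p != '\0'; p++)
        if (*p == '\\' || *p == '/')
            base = p + 1;

    size_t len = strcspn(base, ".");            /* stem before any extension */
    while (len > 0 && base[len - 1] == ' ')     /* Win32 drops trailing spaces */
        len--;

    for (size_t i = 0; i < sizeof RESERVED / sizeof RESERVED[0]; i++) {
        if (strlen(RESERVED[i]) != len)
            continue;
        size_t j = 0;
        while (j < len && toupper((unsigned char)base[j]) == RESERVED[i][j])
            j++;
        if (j == len)
            return 1;
    }
    return 0;
}

/* Gateway-side use (assumed interface): flags each attachment name that a
 * Windows client would open as a device. Returns the number flagged; if
 * 'blocked' is non-NULL it receives a 1/0 verdict per name. */
int filter_attachment_names(const char *const *names, size_t count, int *blocked)
{
    int flagged = 0;
    for (size_t i = 0; i < count; i++) {
        int hit = is_reserved_device_name(names[i]);
        if (blocked)
            blocked[i] = hit;
        flagged += hit;
    }
    return flagged;
}

int main(void)
{
    /* Constructed sample attachment names, not taken from a real message. */
    const char *const sample[] = {
        "invoice.pdf", "aux", "AUX.txt", "com1 .", "com10", "auxiliary.doc",
    };
    size_t n = sizeof sample / sizeof sample[0];
    int blocked[6];
    int flagged = filter_attachment_names(sample, n, blocked);
    for (size_t i = 0; i < n; i++)
        printf("%-16s %s\n", sample[i], blocked[i] ? "BLOCK" : "allow");
    printf("%d of %zu attachment names blocked\n", flagged, n);
    return 0;
}
```

Note that "com10" and "auxiliary.doc" are not flagged: only the exact stem matches, so the filter does not reject ordinary names that merely start with a device name.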
VI. VENDOR RESPONSE
"LPT1, LPT2, COM1 etc are reserved by the operating system for devices. Despite this, Windows will
allow these strings to be used as file names and when such files are accessed, the operating system
attempts to treat them as devices rather than files except under the circumstances you have outlined.
Although this vulnerability has never been exploited by a virus it could theoretically be used to
contain viral code. Sophos has improved its code within both its on-access and on-demand scanners to
deal with these improperly named files as files and not devices.
This improvement to Sophos Anti-Virus will be included in version 3.86 (available 22/09/04)."
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0552 to this
issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
VIII. DISCLOSURE TIMELINE
08/06/2004 Initial vendor notification
08/06/2004 iDEFENSE clients notified
08/09/2004 Initial vendor response
09/22/2004 Coordinated public disclosure
IX. CREDIT
Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.
Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp
X. LEGAL NOTICES
Copyright (c) 2004 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in
any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part
of this alert in any other medium other than electronically, please email customerservice@xxxxxxxxxxxx
for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based
on currently available information. Use of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information. Neither the author nor the publisher
accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
- ----------------------------------------------------------------------------------
2.
IBM AIX ctstrtcasd Local File Corruption Vulnerability
iDEFENSE Security Advisory 09.27.04
http://www.idefense.com/application/poi/display?type=vulnerabilities
September 27, 2004
I. BACKGROUND
The ctstrtcasd program is a setuid root application, installed by
default under newer versions of IBM AIX. It is part of the Reliable
Scalable Cluster Technology (RSCT) system. It is also installed with
multiple IBM products under Linux, including IBM Tivoli System
Automation, IBM Cluster Systems Management, IBM Hardware Management
Console, and IBM General Parallel File System.
II. DESCRIPTION
Local exploitation of an input validation vulnerability in the ctstrtcasd command, installed by
default in multiple versions of IBM Corp. AIX, allows the corruption or creation of arbitrary files
anywhere on the system.
If a user specifies a file with the -f option, the contents of that file are overwritten with
65,535 bytes of application trace data; if the file does not exist, it is created. Because
ctstrtcasd is setuid root, the create/overwrite is performed with root privileges regardless of the
invoking user's permissions on the target path. The attacker does not control the trace contents, so
the impact is denial of service: corrupting files the system depends on, or filling the drive with
65,535-byte files.
III. ANALYSIS
All that is required to exploit this vulnerability is a local account.
Exploitation does not require any knowledge of application internals, making exploitation trivial,
even for unskilled attackers. It is not evident that privilege escalation is possible through
abuse of this issue, since the attacker chooses only the path, not the data written.
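The vulnerable pattern described above beside a hardened form, as an added example: this is not IBM's code and not the fix IBM shipped, which the advisory does not describe. The point is that a setuid-root program must not open a caller-chosen path with its effective privileges; it should perform the open with the caller's real uid so the kernel enforces the caller's own permissions, refuse to follow symbolic links, and only then regain privileges. The demonstration writes a 65,535-byte dump (the size the advisory cites) into a private temporary directory and shows a planted symlink being refused; the function names, the temporary-directory layout and the all-zero dummy trace contents are assumptions made for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { TRACE_BYTES = 65535 };   /* size of the dump the advisory describes */

/* Vulnerable pattern (a reconstruction of the behaviour the advisory
 * describes, not IBM's code): a setuid-root process opens whatever path the
 * caller passed with -f, so root's permissions apply and any file on the
 * system can be created or truncated. */
int open_trace_file_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened form: make the effective uid equal to the real (invoking) uid for
 * the duration of the open, so the kernel applies the caller's own
 * permissions; refuse symlinks with O_NOFOLLOW; then restore the saved
 * effective uid. If the program is not setuid, real and effective uid are
 * equal and the seteuid calls change nothing. */
int open_trace_file_safe(const char *path)
{
    uid_t real_uid = getuid();
    uid_t priv_uid = geteuid();
    int fd, saved_errno;

    if (seteuid(real_uid) != 0)
        return -1;
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    saved_errno = errno;
    if (seteuid(priv_uid) != 0) {   /* cannot regain privileges: bail out */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Demonstration in a private temporary directory (assumed layout):
 *   (a) a regular path receives the TRACE_BYTES-byte dump,
 *   (b) a symlink planted at the -f path is refused with ELOOP.
 * Returns 0 when both hold, a negative step number otherwise. */
int demo_hardened_open(void)
{
    const char *tmp = getenv("TMPDIR");
    char dir[256], target[320], lnk[320];
    static char dump[TRACE_BYTES];   /* dummy trace contents: all zeros */
    struct stat st;
    size_t done = 0;
    int fd, rc = 0;

    snprintf(dir, sizeof dir, "%s/ctstrtcasd-demo-XXXXXX", tmp ? tmp : "/tmp");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/trace.out", dir);
    snprintf(lnk, sizeof lnk, "%s/trace.lnk", dir);

    /* (a) ordinary file: the open succeeds and the dump lands in it */
    fd = open_trace_file_safe(target);
    if (fd < 0) { rc = -2; goto cleanup; }
    while (done < TRACE_BYTES) {
        ssize_t n = write(fd, dump + done, TRACE_BYTES - done);
        if (n <= 0) { close(fd); rc = -3; goto cleanup; }
        done += (size_t)n;
    }
    close(fd);
    if (stat(target, &st) != 0 || st.st_size != TRACE_BYTES) { rc = -4; goto cleanup; }

    /* (b) attacker-planted symlink at the -f path: O_NOFOLLOW rejects it */
    if (symlink("/nonexistent/elsewhere", lnk) != 0) { rc = -5; goto cleanup; }
    fd = open_trace_file_safe(lnk);
    if (fd >= 0) { close(fd); rc = -6; goto cleanup; }
    if (errno != ELOOP) { rc = -7; goto cleanup; }

cleanup:
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_hardened_open();
    printf("hardened open demo: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

Run as an unprivileged user the two functions behave identically, which is exactly the point: the difference only appears when the binary is setuid root, where open_trace_file_unsafe() will happily truncate a file the caller could not otherwise touch and open_trace_file_safe() fails with EACCES.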
IV. DETECTION
iDEFENSE has confirmed the existence of this vulnerability in IBM AIX
5.2. IBM has reported that RSCT versions 2.3.0.0 and greater are
affected, for AIX 5.2 and 5.3 on pSeries; AIX on i5/OS (iSeries); RSCT
on Linux (pSeries, xSeries, zSeries), and the pSeries Hardware
Management Console. Products shipping and installing these affected versions of RSCT as reported
by IBM are as follows:
IBM AIX 5L Version 5.2 on pSeries
IBM AIX 5L Version 5.3 on pSeries
IBM AIX 5L Version 5.2, 5.3 on an i5/OS (iSeries) partition
IBM Tivoli System Automation (TSA) for Linux 1.1
IBM Tivoli System Automation (TSA) for Multiplatforms 1.2
IBM Cluster Systems Management (CSM) for Linux Version 1.4 and greater
IBM Hardware Management Console (HMC) for pSeries Version 3
IBM Hardware Management Console (HMC) for pSeries Version 4
IBM General Parallel File System (GPFS) Version 2 Release 2
on Linux for xSeries and Linux for pSeries
V. WORKAROUND
Only allow trusted users local access to security-critical systems. Alternatively, remove the setuid
bit from ctstrtcasd, for example with chmod 555 /usr/sbin/rsct/bin/ctstrtcasd; expect the command to
work only when run as root afterwards, so verify that nothing relies on unprivileged users invoking it.
VI. VENDOR RESPONSE
"Apply the workarounds or APARs as described [in the associated IBM Security Alert].
If you would like to receive AIX Security Advisories via email, please
visit:
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs"
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0828 to this
issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
VIII. DISCLOSURE TIMELINE
08/11/2004 Initial vendor notification
08/25/2004 Secondary vendor notification
08/26/2004 Vendor response
09/27/2004 Coordinated public disclosure
IX. CREDIT
iDEFENSE Labs is credited with this discovery.
Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp
X. LEGAL NOTICES
Copyright (c) 2004 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any
way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of
this alert in any other medium other than electronically, please email customerservice@xxxxxxxxxxxx
for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based
on currently available information. Use of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information. Neither the author nor the publisher
accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
- ----------------------------------------------------------------------------------
For additional information or assistance, please contact the HELP Desk by
telephone; Not Protectively Marked information may also be sent via
EMail to: uniras@xxxxxxxxxxxx
Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749
Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts
- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of iDEFENSE for the information
contained in this Briefing.
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.
Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.
Neither UNIRAS nor NISCC accepts responsibility for any errors or omissions
contained within this briefing notice. In particular, they shall not be liable
for any loss or damage whatsoever arising from or in connection with the use
of information contained within this notice.
UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQCVAwUBQVlv6Ypao72zK539AQG/EgP+PU60nSMBMQe7lFyzKw6aOjqznNPuQ+BL
4b3A8NKCyTTUHjBVcknAhqvdD65tu7b2dhz6nv+qpbkCPcElncMSHVafbbvzlckY
VLMtDQt2f8n45W2LzVQtEWbrxf4uXdKjimKPhwR4TXLZFJXO1IMNVFhrxY5HbnuQ
t9v4jvBSXtU=
=IVEV
-----END PGP SIGNATURE-----