
UNIRAS Brief - 307/04 - Two iDEFENSE Security Advisories:



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 307/04 dated 17.06.04  Time: 15:55  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Two iDEFENSE Security Advisories:

1. PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation Vulnerability

2. Squid Web Proxy Cache NTLM Authentication Helper Buffer Overflow Vulnerability



Detail
====== 

1. Remote exploitation of an input validation vulnerability in The PHP Group's 
HTML-embedded scripting language PHP allows attackers to bypass security protections.

2. Remote exploitation of a buffer overflow vulnerability in Squid Web Proxy Cache 
could allow a remote attacker to execute arbitrary code. Squid Web Proxy Cache 
supports Basic, Digest and NTLM authentication. The vulnerability specifically 
exists within the NTLM authentication helper routine.


1.

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             

           ESB-2004.0418 -- iDEFENSE Security Advisory 06.07.04
     PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation
                               Vulnerability
                               17 June 2004

===========================================================================

        

Product:                PHP version 4.3.6
Publisher:              iDEFENSE
Operating System:       Windows
Impact:                 Increased Privileges
                        Execute Arbitrary Code/Commands
Access Required:        Remote

- - --------------------------BEGIN INCLUDED TEXT--------------------

PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation Vulnerability

iDEFENSE Security Advisory 06.07.04: www.idefense.com/application/poi/display?id=108&type=vulnerabilities
June 7, 2004

I. BACKGROUND

PHP is a widely-used general-purpose scripting language that is especially suited 
for Web development and can be embedded into HTML. More information is available at 
http://www.php.net.

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in The PHP Group's HTML-embedded 
scripting language PHP allows attackers to bypass security protections.

The problem specifically exists within the shell command escape routines
escapeshellcmd() and escapeshellarg(). These routines are intended for escaping shell 
metacharacters that may be present in user-supplied data prior to passing them to 
command execution routines such as system(), passthru(), popen(), exec() or the 
backtick operator. While both filter routines are functional on the Unix platform, 
they fail to filter all characters on the Windows platform. The escapeshellcmd() 
routine fails to filter the characters '%|>', allowing attackers to access environment 
variables, redirect output and execute arbitrary commands. The
escapeshellarg() routine fails to filter the character '%', allowing an attacker 
to access environment variables.

III. ANALYSIS

Exploitation allows attackers to compromise an affected system under the web server's 
privileges. Systems are not vulnerable by default, as a publicly accessible script 
must be present that utilizes one of the affected routines with user-supplied data.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in PHP version 4.3.6 
running on Microsoft Windows platforms. It is suspected that previous versions 
are also vulnerable.

V. WORKAROUND

Pass user-supplied data through custom character filters implemented with str_replace() 
or preg_replace(). Example:

    $user_supplied = preg_replace("/[>|%]/", "", $user_supplied);
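An added example, not code from the advisory or from PHP itself, that places the advisory's denylist workaround beside an allowlist check so the Win32 escaping gap can never be reached; the function names, the allowlisted character set and the sample inputs are assumptions made here:

```php
<?php
// Added example (not from the advisory or PHP). On Windows, PHP <= 4.3.6
// leaves '%' unescaped in escapeshellarg() and '%', '|' and '>' unescaped in
// escapeshellcmd(), so user data must be filtered before those calls.

// The characters the advisory reports as unfiltered by escapeshellcmd() on Win32.
define('WIN32_UNFILTERED_CMD', '/[>|%]/');

// Denylist workaround as given in the advisory: strip the characters before escaping.
function strip_win32_metachars($value) {
    return preg_replace(WIN32_UNFILTERED_CMD, '', $value);
}

// Allowlist alternative (assumed character set): accept only a conservative
// set of characters so no escaping gap on any platform is reachable.
// Returns the value unchanged when it passes, null when it is rejected.
function allowlisted_arg($value, $pattern = '/^[A-Za-z0-9._\\-]{1,64}$/') {
    return preg_match($pattern, $value) === 1 ? $value : null;
}

// Build a command line for a fixed program with one user-supplied argument.
// Returns null if the argument is rejected by the allowlist.
function build_safe_command($program, $user_arg) {
    $arg = allowlisted_arg($user_arg);
    if ($arg === null) {
        return null;
    }
    // escapeshellarg() is still applied; the allowlist guarantees there is
    // nothing left for the Win32 routine to miss.
    return $program . ' ' . escapeshellarg($arg);
}

// Constructed inputs: one benign filename and three carrying the unfiltered characters.
$inputs = array('report.txt', 'x%PATH%', 'a|dir', 'out>c:\\x');
foreach ($inputs as $in) {
    $stripped = strip_win32_metachars($in);
    $cmd = build_safe_command('type', $in);
    printf("%-12s stripped=%-12s command=%s\n",
           $in, $stripped, $cmd === null ? '(rejected)' : $cmd);
}
```

The denylist only removes the characters named in the advisory; the allowlist rejects the whole value, which is the safer default when the argument is a filename or identifier.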

VI. VENDOR RESPONSE

The input validation vulnerability inside escapeshellcmd() and 
escapeshellarg() on Win32 platform has been resolved. A new PHP version 
(4.3.7) immune to this vulnerability is due to be released on June 3rd, 2004.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

04/05/03   Vulnerability acquired by iDEFENSE
05/07/04   iDEFENSE clients notified
05/07/04   Initial vendor notification
05/17/04   Initial vendor response
06/07/04   Public disclosure

IX. CREDIT

3APA3A is credited with this discovery.

Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not 
be edited in any way without the express written consent of iDEFENSE. If you wish to 
reprint the whole or any part of this alert in any other medium other than electronically, 
please email customerservice@xxxxxxxxxxxx for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of 
publishing based on currently available information. Use of the information constitutes 
acceptance for use in an AS IS condition. There are no warranties with regard to this 
information. Neither the author nor the publisher accepts any liability for any direct, 
indirect, or consequential loss or damage arising from use of, or reliance on, this 
information.

- - --------------------------END INCLUDED TEXT--------------------


- -----END PGP SIGNATURE-----

2.

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
            
           ESB-2004.0419 -- iDEFENSE Security Advisory 06.08.04
     Squid Web Proxy Cache NTLM Authentication Helper Buffer Overflow
                               Vulnerability
                               17 June 2004

===========================================================================

        

Product:                Squid-Proxy 2.5.*-STABLE with NTLM helper enabled
                        Squid-Proxy 3.*-PRE with NTLM helper enabled
Publisher:              iDEFENSE
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote
CVE Names:              CAN-2004-0541

Ref:                    ESB-2004.0397

- - --------------------------BEGIN INCLUDED TEXT--------------------

Squid Web Proxy Cache NTLM Authentication Helper Buffer Overflow Vulnerability

iDEFENSE Security Advisory 06.08.04 www.idefense.com/application/poi/display?id=107&type=vulnerabilities
June 8, 2004

I. BACKGROUND

Squid is a fully-featured Web Proxy Cache designed to run on Unix systems and supports 
proxying and caching of HTTP, FTP, and other URLs, as well as SSL support, cache hierarchies, 
transparent caching, access control lists and many other features. More information is 
available at http://www.squid-cache.org.

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Squid Web Proxy Cache could 
allow a remote attacker to execute arbitrary code. Squid Web Proxy Cache supports Basic, 
Digest and NTLM authentication. The vulnerability specifically exists within the NTLM 
authentication helper routine, ntlm_check_auth(), located in
helpers/ntlm_auth/SMB/libntlmssp.c:

char *ntlm_check_auth(ntlm_authenticate * auth, int auth_length) {
    int rv;
    char pass[25] /*, encrypted_pass[40] */;   /* fixed 25-byte stack buffer */
    char *domain = credentials;
    ...
    memcpy(pass, tmp.str, tmp.l);   /* tmp.l is never compared against sizeof(pass) */
    ...

The function contains a buffer overflow vulnerability due to a lack of bounds checking 
on the values copied to the 'pass' variable. Both the 'tmp.str' and 'tmp.l' variables 
used in the memcpy() call contain user-supplied data.
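An added example, not Squid's own code, that models the unchecked copy above beside a bounds-checked version of the same step; the struct, function names and sample inputs are assumptions made here and do not reflect Squid's real types:

```c
/* Added example (not Squid's code). Models the copy into the 25-byte 'pass'
 * buffer from ntlm_check_auth() with the bounds check the advisory says is
 * missing. 'struct lstring' is an assumed stand-in for the helper's tmp.  */
#include <stdio.h>
#include <string.h>

#define PASS_BUF 25   /* size of 'pass' in the advisory's excerpt */

/* Length-prefixed string as the helper receives it: both the length (tmp.l)
 * and the bytes (tmp.str) come from the client's authenticate message. */
struct lstring {
    int l;
    const char *str;
};

/* Hardened copy: refuse anything that does not fit together with a NUL.
 * Returns 0 on success, -1 when the supplied length is invalid. */
int copy_password_checked(char *pass, size_t pass_size, const struct lstring *tmp) {
    if (tmp->str == NULL || tmp->l < 0 || (size_t)tmp->l >= pass_size) {
        return -1;   /* would overflow: reject the whole authenticate message */
    }
    memcpy(pass, tmp->str, (size_t)tmp->l);
    pass[tmp->l] = '\0';
    return 0;
}

/* Mirrors the helper's flow with a fixed-size stack buffer. Returns 1 when the
 * password was accepted into the buffer, 0 when it was rejected. The caller
 * must pass a claimed_len no larger than the bytes actually behind password. */
int check_auth_demo(const char *password, int claimed_len) {
    char pass[PASS_BUF];
    struct lstring tmp = { claimed_len, password };
    return copy_password_checked(pass, sizeof pass, &tmp) == 0;
}

int main(void) {
    /* Constructed inputs: a normal password and an over-long one. */
    const char *ok = "hunter2";
    char longpw[64];
    memset(longpw, 'A', sizeof longpw - 1);
    longpw[sizeof longpw - 1] = '\0';
    printf("normal password accepted:   %d\n", check_auth_demo(ok, (int)strlen(ok)));
    printf("63-byte password accepted:  %d\n", check_auth_demo(longpw, (int)strlen(longpw)));
    printf("negative length accepted:   %d\n", check_auth_demo(ok, -1));
    return 0;
}
```

The boundary matters: 24 bytes plus the terminator fill the buffer exactly, while a claimed length of 25 or more, or a negative length reinterpreted as a huge size_t, is refused before memcpy() runs.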

III. ANALYSIS

A remote attacker can compromise a target system if Squid Proxy is configured to use 
the NTLM authentication helper. The attacker can send an overly long password to 
overflow the buffer and execute arbitrary code.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Squid-Proxy 2.5.*-STABLE 
and 3.*-PRE when Squid-Proxy is compiled with the NTLM helper enabled.

V. WORKAROUNDS

Recompile Squid-Proxy with NTLM handlers disabled.

VI. VENDOR RESPONSE

A patch for this issue is available at:

http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name 
CAN-2004-0541 to this issue. This is a candidate for inclusion in the CVE list 
(http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

04/27/04  Exploit acquired by iDEFENSE
05/19/04  iDEFENSE Clients notified
05/20/04  Initial vendor notification
05/20/04  Initial vendor response
06/08/04  Public Disclosure

IX. CREDIT

The discoverer wishes to remain anonymous.

Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not 
be edited in any way without the express written consent of iDEFENSE. If you wish to 
reprint the whole or any part of this alert in any other medium other than electronically, 
please email customerservice@xxxxxxxxxxxx for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of 
publishing based on currently available information. Use of the information constitutes 
acceptance for use in an AS IS condition. There are no warranties with regard to this 
information. Neither the author nor the publisher accepts any liability for any direct, 
indirect, or consequential loss or damage arising from use of, or reliance on, this 
information.

- - --------------------------END INCLUDED TEXT--------------------


- -----END PGP SIGNATURE-----

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone; Not Protectively Marked information may also be sent by 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of iDEFENSE for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

-----END PGP SIGNATURE-----