÷ ËÏÎÃÅ ÅÓÔØ ÉÎÔÅÒÅÓÎÏÅ ÏÂÓÕÖÄÅÎÉÅ ÒÅÁËÃÉÉ ÐÒÏÉÚ×ÏÄÉÔÅÌÅÊ ÎÁ ÍÅÓÑà ÂÁÇÏ× PHP.
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> "A really bad week." That's what the @RISK editor and Tippingpoint
> vulnerability researcher, Rohit Dhamankar wrote to us this
> morning. And
> the director of the Internet Storm Center, Johannes Ullrich readily
> agreed. Why?
>
> Two zero-day vulnerabilities. Active exploits. No effective defenses.
> Windows had a zero-day that affects Vista as well as older
> versions. So
> important that Microsoft is issuing a special patch tomorrow
> and leaked
> it to a few folks today. The other zero-day hit CA's
> BrightStor. Holes
> in backup software may be more damaging than holes in
> operating systems
> because the vendors of backup software don't have the same level of
> automating patching that the operating system vendors have, and many
> users have *never* patched their backup software. And Lotus Domino
> users also had multiple vulnerabilities, some critical.
> Alan
>
> *****************************
> Widely-Deployed Software
> *****************************
>
> (1) CRITICAL: Microsoft Windows ANI File Format Vulnerability (0-day)
> Affected:
> Microsoft Windows XP
> Microsoft Windows 2000
> Microsoft Windows Server 2003
> Microsoft Windows Vista
>
> Description: Microsoft Windows contains a buffer overflow
> vulnerability
> that can be triggered by specially crafted "animated cursor"
> files. The
> animated cursor files (".ani" file extension) are used to
> store animated
> cursors and icon graphics. A malicious ANI file could exploit
> the buffer
> overflow to execute arbitrary code with the privileges of the current
> user. To exploit the flaw, an attacker can take any of the following
> actions: (a) Create a webpage containing a malicious .ani file and
> entice an attacker to visit his webpage. (b) Send an HTML email
> containing the malicious .ani file. (c) Create a shared folder
> containing the malicious .ani file and entice a user to browse his
> shared folder.
>
> This flaw is being exploited in the wild by a number of malicious
> websites. Please note that the overflow can be exploited by
> spoofing the
> file extension for other image formats such as JPEG. Windows
> will invoke
> the vulnerable component upon inspecting the file header.
>
> Status: Microsoft confirmed. Due to widespread exploitation, Microsoft
> is planning to release an emergency patch tomorrow. SANS
> Internet Storm
> Center maintains a list of domains that are distributing the exploit
> code. Please block any access to the domains listed here:
>
>
> Council Site Actions: All of the reporting council sites are waiting
> for the Microsoft patch.
>
> References:
> Microsoft Security Advisory
>
> Microsoft Security Blog Posting
>
urity-update-for-microsoft-security-advisory-935423.aspx
> McAfee Avert Labs Blog Posting
>
> SANS Handler's Diary
>
> Exploit Code
>
> MSDN Article on Cursors
>
> SecurityFocus BID
>
>
> ****************************************************************
>
> (2) CRITICAL: Computer Associates BrightStor "mediasrvr.exe"
> Buffer Overflow (0-day)
> Affected:
> CA ARCserv Backup products
>
> Description: Computer Associates BrightStor ARCserve Backup products
> provide backup services for Microsoft Windows, Novell NetWare, Linux,
> and UNIX. The "mediasrvr.exe" process contains a buffer overflow
> vulnerability in the handling of RPC requests. A specially-crafted
> request to procedure 191 could trigger this buffer overflow.
> Successfully exploiting this buffer overflow would allow an
> attacker to
> execute arbitrary code with the privileges of the "mediaserv.exe"
> process, usually "SYSTEM/root". Note that a working exploit
> is publicly
> available for this vulnerability.
>
> Status: Computer Associates confirmed, no updates available. Users may
> be able to mitigate the impact of this vulnerability by renaming the
> "mediasvr.exe" file to another name (e.g. "mediasvr.disabled") and
> restarting the BrightStor Tape Engine service.
>
> References:
> Posting by Shirk (includes working exploit)
>
> Computer Associates Posting
>
> SecurityFocus BID
>
>
> *********************************************************************
> **************************************************************
> ***************
>
> Part II - Comprehensive List of Newly Discovered Vulnerabilities from
> Qualys (www.qualys.com)
>
> Week 14, 2007
>
> This list is compiled by Qualys ( www.qualys.com ) as part of that
> company's ongoing effort to ensure its vulnerability management web
> service tests for all known vulnerabilities that can be scanned. As of
> this week Qualys scans for 5411 unique vulnerabilities. For
> this special
> SANS community listing, Qualys also includes vulnerabilities
> that cannot
> be scanned remotely.
>
> 07.14.1 CVE: Not Available
> Platform: Windows
> Title: Microsoft Windows Cursor And Icon ANI Format Handling Remote
> Code Execution
> Description: Microsoft Windows is exposed to an issue which can result
> in the execution of arbitrary code remotely. This issue
> occurs due to a
> memory corruption error caused when handling malformed ANI cursor or
> icon files. Windows XP SP2 and Windows Server 2003 SP1 when running
> Internet Explorer versions 6 and 7 are affected.
> Ref:
> ______________________________________________________________________
>
> 07.14.2 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Microsoft Internet Explorer HTML Denial of Service
> Description: Microsoft Internet Explorer is exposed to a denial of
> service issue because it fails to handle a malformed web page
> properly. The issue occurs when the application processes a malicious
> page containing an excessive amount of "0x90" instructions in between
> the "HTML", "HEAD" and "TITLE" HTML tags. Microsoft Internet Explorer
> version 7 is affected.
> Ref:
> ______________________________________________________________________
>
> 07.14.3 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Computer Associates BrightStor ARCserve Backup Buffer Overflow
> Description: Computer Associates BrightStor ARCserve Backup products
> provide backup and restore protection for Windows, NetWare, Linux, and
> UNIX servers as well as Windows, Mac OS X, Linux, UNIX, AS/400, and
> VMS clients. The application is affected by a remote buffer overflow
> issue because the application fails to perform proper bounds checking
> on data supplied to the application. Computer Associates BrightStor
> ARCServe Backup for Windows 11.0, and Computer Associates BrightStor
> ARCServe Backup versions 11.5 and earlier are affected.
> Ref:
> ______________________________________________________________________
>
>
> 07.14.12 CVE: Not Available
> Platform: Linux
> Title: Linux Kernel IPV6_SockGlue.c NULL Pointer Dereference
> Description: The Linux kernel is exposed to a NULL pointer dereference
> issue in the "do_ipv6_setsockopt()" function of the
> "net/ipv6/ipv6_sockglue.c" file. Please refer to the advisory for
> further details.
> Ref:
> ______________________________________________________________________
>
> 07.14.18 CVE: Not Available
> Platform: Cross Platform
> Title: PHP Multiple Functions Reference Parameter Information
> Disclosure
> Description: PHP is exposed to an information disclosure vulnerability
> due to a design error. PHP versions 4 through 4.4.6 and 5
> through 5.2.1
> are affected.
> Ref:
> ______________________________________________________________________
>
> 07.14.20 CVE: Not Available
> Platform: Cross Platform
> Title: Cisco Unified CallManager And Unified Server Multiple Remote
> Denial Of Service Vulnerabilities
> Description: Cisco Unified CallManager (CUCM) is the call processing
> component for the CiscO IP telephony solution. Cisco Unified Presence
> Server (CUPS) is an indentity tracking component of the Cisco IP
> telephony solution. The application is exposed to multiple remote
> denial of service issues because the devices fail to handle certain
> network packets or network requests. Please refer to the advisory for
> further details.
> Ref:
>
> 09186a008080f17b.shtml
> ______________________________________________________________________
>
> 07.14.22 CVE: Not Available
> Platform: Cross Platform
> Title: PHP Session.Save_Path() TMPDIR Open_Basedir Restriction Bypass
> Description: PHP is a general purpose scripting language that is
> especially suited for web development and can be embedded into HTML.
> The application is exposed to an "open_basedir" restriction
> bypass issue.
> PHP 4 up to and including 4.4.6, and PHP 5 up to and including 5.2.1
> are affected.
> Ref:
> ______________________________________________________________________
>
> 07.14.23 CVE: Not Available
> Platform: Cross Platform
> Title: IBM Lotus Domino Web Access Unspecified Cross-Site Scripting
> Description: IBM Lotus Domino Web Access is a messaging and personal
> information manager available for Linux, UNIX, and Microsoft Windows.
> The application is exposed to cross-site scripting attacks because it
> fails to sufficiently sanitize user-supplied input before
> displaying it
> in dynamically generated content. IBM Lotus Domino versions 7.0.2 and
> earlier are affected.
> Ref:
> .
> php?id=493
> ______________________________________________________________________
>
> 07.14.24 CVE: CVE-2007-1675
> Platform: Cross Platform
> Title: IBM Lotus Domino IMAP Unspecified Buffer Overflow
> Description: IBM Lotus Domino is a client/server product designed for
> collaborative working environments. Domino is designed for email,
> scheduling, instant messaging and data-driven applications. The
> application is exposed to a remote buffer overflow issue because it
> fails to properly bounds check user-supplied data before copying it to
> an insufficiently sized memory buffer.
> Ref:
> ______________________________________________________________________
>
> 07.14.25 CVE: Not Available
> Platform: Cross Platform
> Title: IBM Lotus Domino LDAP Server Task Unspecified Buffer Overflow
> Description: IBM Lotus Domino is a client/server product designed for
> collaborative working environments. Domino is designed for email,
> scheduling, instant messaging, and data-driven applications. The
> application is exposed to a remote buffer overflow vulnerability
> because it fails to properly bounds check user-supplied data before
> copying it to an insufficiently sized memory buffer. IBM Lotus Domino
> 7.0.2 and earlier versions are affected.
> Ref:
> .
> php?id=494
> ______________________________________________________________________
>
> 07.14.27 CVE: Not Available
> Platform: Cross Platform
> Title: PHP Zip_Entry_Read() Integer Overflow
> Description: PHP is a general purpose scripting language that is
> especially suited for web development and can be embedded into HTML.
> The application is exposed to an integer overflow issue because it
> fails to ensure that integer values aren't overrun. PHP versions prior
> to 4.4.5 are affected.
> Ref:
> ______________________________________________________________________
>
> 07.14.28 CVE: Not Available
> Platform: Cross Platform
> Title: HP OpenView Network Node Manager Unspecified Remote
> Unauthorized Access
> Description: HP OpenView Network Node Manager is a network management
> application. It is exposed to an unspecified, unauthorized access
> issue. HP OpenView versions 6.20, 7.01, 7.50, 7.51 and versions in the
> 6.40 branch are affected. Please refer to the advisory for further
> details.
> Ref:
> ______________________________________________________________________
>
> 07.14.29 CVE: Not Available
> Platform: Cross Platform
> Title: HP Jetdirect FTP Print Server RERT Command Denial of Service
> Description: HP JetDirect FTP Print Server provides network
> connectivity between printers and computers. The application is
> exposed to a remote denial of service issue which occurs when the
> "RERT" command is passed a filename consisting of 271 to 277
> characters. FTP Print Server 2.4 and prior versions are affected.
> Ref:
>
> 07.14.31 CVE: Not Available
> Platform: Cross Platform
> Title: Asterisk PBX_AEL.C Switch Blocks Security Bypass
> Description: Asterisk is an open source PBX application available for
> multiple operating platforms. The Asterisk Extension Language (AEL) is
> a programming language designed for use with Asterisk PBX systems. The
> application is exposed to a security bypass issue because the AEL
> fails to securely generate extensions when compiling arbitrary labels.
> Asterisk affects versions in the 1.2.0 and 1.4.0 branches.
> Ref:
> ______________________________________________________________________
>
> 07.14.35 CVE: CVE-2006-4175
> Platform: Cross Platform
> Title: Sun Java System Directory Server Uninitialized Pointer Remote
> Memory Corruption
> Description: Sun Java System Directory Server is an LDAP (Lightweight
> Directory Access Protocol) server distributed with multiple Sun
> products. The issue exists in the "ns-slapd" daemon/server when
> processing clean up code after certain failed queries. Sun Java System
> Directory Server versions prior to 5.2 Patch5 are affected.
> Ref:
>
3-1&searchclause=
> ______________________________________________________________________
>
> 07.14.36 CVE: Not Available
> Platform: Cross Platform
> Title: PHP Hash Table Overwrite Arbitrary Code Execution
> Description: PHP is a general purpose scripting language that is
> especially suited for web development and can be embedded into HTML.
> The application is exposed to an arbitrary code execution issue which
> occurs because the session extension does not set a proper value for
> the reference count for session variables. PHP 4 versions prior to
> 4.4.5, and PHP 5 versions prior to 5.2.1 are affected.
> Ref:
> ______________________________________________________________________
>
> 07.14.37 CVE: Not Available
> Platform: Cross Platform
> Title: PHP Session Data Deserialization Arbitrary Code Execution
> Description: PHP is a general purpose scripting language that is
> especially suited for web development and can be embedded into HTML.
> The application is exposed to an arbitrary code execution issue when
> "register_globals" is activated, and session data can be deserialized
> to overwrite the PHP "_SESSION" array. PHP 4 versions prior to 4.4.5,
> and PHP 5 versions prior to 5.2.1 are affected.
> Ref:
> ______________________________________________________________________
>
> 07.14.38 CVE: Not Available
> Platform: Cross Platform
> Title: PHP Session_Decode Double Free Memory Corruption
> Description: PHP is exposed to a double free memory corruption issue.
> PHP versions 4.4.5 and 4.4.6 are affected. Please refer to the
> advisory for further details.
> Ref:
> ______________________________________________________________________
>
> THE MONTH OF PHP BUGS
>
> The month of March brought us the Month of PHP Bugs (MOPB), a
> full-disclosure campaign aimed at improving the overall
> security in the
> popular PHP application server platform. Like previous Month of Bugs
> initiatives (Month of Brower Bugs, Month of Apple Bugs), the MOPB
> coordinators are releasing a new bug every day for the entire month of
> March. One of the heavy-hitters behind MOPB is Stefan Esser, a former
> member of the PHP security response team. Stefan left the
> PHP security
> team due to a lack of momentum and various impasses in fixing the
> security bugs he found.
>
> Politics aside, the MOPB effort has lived up to its promise.
> We've seen
> a new bug every day. But should PHP users be worried? At the middle
> of the month, we performed a 'mid-month' analysis of the bugs released
> so far. The analysis reviewed the overall impact of the bugs, their
> applicability to common deployments, and how they were being fixed by
> the PHP developers. The mid-month analysis is available at:
>
> nth-of-PHP-Bugs_3A00_-Mid_2D00_month-analysis.aspx
>
> The biggest conclusion of the mid-month analysis was that
> typical users
> of the latest versions of PHP (5.2.1 and 4.4.5) only needed to worry
> about two bugs (MOPB #1 and #2). Those two bugs allow a
> remote attacker
> to perform a denial of service attack on the server. The
> remaining bugs
> were either fixed in the last released version of PHP, or require a
> local user/malicious PHP script executed on the system to exploit the
> bug. We also reviewed the bugs released after the mid-month analysis;
> our general conclusion is that the analysis results/conclusions are
> unaffected, as the newer bugs didn't change the overall
> dynamics of what
> was already released.
>
> This brings up two important points: if you're not running the latest
> version of PHP (specifically 5.2.1 and 4.4.5), you should strongly
> investigate upgrading immediately. Many of the MOPB releases
> highlight
> bugs fixed in those releases, and some of them can be considered quite
> serious. Also, if you happen to be a web hosting provider or
> otherwise
> allow arbitrary users to upload and execute PHP scripts, you are in a
> very serious predicament: most of the MOPB bugs require local
> access to
> exploit, and once exploited, allow the arbitrary execution of
> code which
> can circumvent PHP's built-in safemode and other security
> restrictions.
> You may consider looking to Esser et. al.'s excellent and free
> Hardened-PHP or Suhosin patches to proactively add additional security
> constraints to PHP (and help mitigate many of the MOPB bugs in the
> process).
>
> So far the PHP security team/developers have been making
> moderate fixes
> in response to the MOPB bugs. However, two things get called into
> question. First, just because the PHP team has committed a patch,
> doesn't mean the bug is fixed. We've witnessed a few
> occasions were the
> fix wasn't thorough enough or improperly applied. One of the
> MOPB bugs
> (#32) actually points to a new security problem introduced by
> the ad-hoc
> fix of MOPB bug #31. So while the speed of the PHP developers in
> committing patches is high, we can't necessarily say the same of the
> quality and thoroughness of the fixes. Second, even if all the fixes
> are committed to the development source code repository
> (CVS), we still
> have to wait for when the PHP team rolls the latest code into an
> official release. People generally don't deploy beta CVS snapshots of
> software on their production systems-so those fixes won't see
> widespread
> deployment an official release is tested and made. And right now,
> there's no telling when that will happen. We hope it will
> occur almost
> immediately after the MOPB ends, but ultimately we will have
> to wait and
> see.
>
> Even when there is an official PHP release, there can still be
> additional delay for various OS/package distributors (i.e. Linux, BSD)
> to turn the PHP release into a distribution package. For example, if
> you're a SuSE user, and you are using the SuSE RPM version of
> PHP, then
> after the PHP team releases the next version (i.e. 5.2.2
> and/or 4.4.6),
> you still have to wait until SuSE either makes a new PHP RPM or
> back-ports the fixes to whatever PHP version branch they are using.
>
> Curiosity got the better of us, so we decided to look at the various
> development mailing lists of many popular OS distributions (OpenBSD,
> FreeBSD, SuSE, Debian, and Fedora). We searched CVS commit lists,
> development discussion lists, and ports commit lists for any reference
> to PHP made on or after March 1st. We found OpenSuSE was the only one
> to have committed fixes for the MOPB bugs to their
> distribution package
> repository. SuSE also made a public statement in their
> latest Security
> Summary Report indicating they are watching the progress of the MOPB
> campaign and plan to act after it concludes. But aside from those two
> cases, our cursory look into the development efforts of some
> popular OS
> distros didn't turn up any current efforts to dealing with any of the
> problems uncovered by the MOPB effort. We do want to explicitly note
> that this isn't necessarily a bad thing-it is understandable to wait
> until the conclusion of the MOPB campaign before acting. Plus, this
> doesn't reflect any private development efforts that haven't been
> committed into CVS yet. Regardless, it's still an interesting
> observation.
>
> Overall this is an interesting time for PHP users. While
> there will be
> a little bit of turmoil in the release and deployment of the next PHP
> version, overall Esser and the MOPB crew have successfully
> bolstered the
> security of PHP. Combined with their ongoing efforts on the free
> Hardened-PHP and Suhosin security enhancements for PHP, I think one
> thing is clear: Esser and the MOPB crew truly are just trying to make
> the world a more secure place for PHP users. And for that, we should
> thank them.
>
> Resources:
> Month of PHP Bugs:
>
>
> Month of PHP Bugs: Mid-month analysis
>
> nth-of-PHP-Bugs_3A00_-Mid_2D00_month-analysis.aspx
>
> Hardened-PHP project:
>
>
> Suhosin PHP security extension:
>
>
> Questions:
>
> ______________________________________________________________________
>
> Subscriptions: @RISK is distributed free of charge to people
> responsible
> for managing and securing information systems and networks. You may
> forward this newsletter to others with such responsibility inside or
> outside your organization.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (Darwin)
>
> iD8DBQFGEYcV+LUG5KFpTkYRAq+iAJ9SNktkaIrE2ANTNvBneoHHaXFm1QCdFfdg
> 2VMGdMpohMDb+IeUmM7JZ94=
> =0HLL
> -----END PGP SIGNATURE-----
>
