>
> *****************************
> Widely Deployed Software
> *****************************
>
> (1) HIGH: Apple QuickTime Multiple Vulnerabilities
> Affected:
> Apple QuickTime versions prior to 7.1.6 for Apple Mac OS X
> and Microsoft Windows
>
> Description: Apple Quicktime, Apple's cross-platform streaming media
> layer, contains a flaw in its interaction with Sun's Java Runtime
> Environment. A specially-crafted web page that instantiates QuickTime
> for Java objects could exploit this vulnerability and potentially
> corrupt memory in such a way that an attacker could execute arbitrary
> code with the privileges of the current user. Depending on
> configuration, no user interaction other than viewing a malicious web
> page would be necessary for exploitation. Note that QuickTime is
> installed by default on Mac OS X and is installed as part of Apple's
> iTunes for Windows. This vulnerability is distinct from the
> vulnerability discussed in the previous issues of @RISK.
>
> Status: Apple confirmed, updates available.
>
> Council Site Actions: Most of the reporting council sites are
> responding. At most sites the Quicktime users have
> auto-update enabled.
> Other sites plan to push the updates during the next
> regularly scheduled
> system maintenance.
>
> References:
> Apple Security Advisory
>
> SecurityFocus BID
>
>
> **************************************************************
> ***********
> (3) HIGH: Multiple F-Secure Products LHA Archive Processing
> Buffer Overflow
> Affected:
> F-Secure Antivirus Products for Microsoft Windows and Linux
>
> Description: Multiple products based on the F-Secure antivirus engine
> for Microsoft Windows and Linux contain a flaw in their processing of
> LHA archives. LHA is a popular archive format similar to ZIP or RAR. A
> specially-crafted LHA archive file could trigger this flaw,
> and exploit
> a buffer overflow to execute arbitrary code with the privileges of the
> scanning process. Note that, since some products using the vulnerable
> engine scan large amounts of traffic (including email),
> simply having a
> specially-crafted email transit a vulnerable server would be
> sufficient
> to trigger this vulnerability. In many cases, the vulnerable software
> may run with elevated (root or SYSTEM) privileges.
>
> Status: F-Secure confirmed, updates available.
>
> Council Site Actions: The affected software and/or
> configuration are not
> in production or widespread use, or are not officially
> supported at any
> of the responding council sites. They reported that no action was
> necessary.
>
> References:
> F-Secure Security Bulletin
>
> Wikipedia Article on LHA
>
> SecurityFocus BID
>
>
> **************************************************************
> ***********
>
> (4) MODERATE: Apache Web Server Multiple Vulnerabilities
> Affected:
> Apache versions 1.3.x, 2.0.x, and 2.2.x
>
> Description: According to a PNSC security advisory, the Apache web
> server contains multiple vulnerabilities. Flaws in processing requests
> could lead to multiple denial-of-service conditions. By sending a
> specially-crafted request, an attacker could cause a denial-of-service
> condition in the Apache process or related processes. Depending on
> configuration, an attacker may be able to exhaust processor resources,
> leading to a system-wide denial-of-service attack, or be able
> to send a
> POSIX "SIGUSR1" signal to an arbitrary process, leading to a
> denial-of-service condition in an arbitrary process on the vulnerable
> system. Note that, because Apache is open source, technical
> details for
> these flaws are available via source code analysis.
>
> Status: Apache has not confirmed, no updates available.
>
> Council Site Actions: All of the reporting council sites are using the
> affected software and plan to distribute patches once they are
> available.
>
> References:
> PSNC Security Advisory
>
> Wikipedia Article on the POSIX "SIGUSR1" signal
>
> Wikipedia Article on POSIX-style Signals
>
> SecurityFocus BID
>
>
> **************************************************************
> ***********
> (5) MODERATE: Mozilla-Based Browsers Multiple Vulnerabilities
> Affected:
> Mozilla Firefox versions prior to 2.0.4 and 1.5.12
> Mozilla SeaMonkey versions prior to 1.1.2 and 1.0.9
> Mozilla Thunderbird versions prior to 2.0.4 and 1.5.12
>
> Description: Applications based on the Mozilla framework contain
> multiple vulnerabilities. The most serious of these is a vulnerability
> that leads to memory corruption; it is believed that this may be
> exploitable for remote code execution, though this has not been proven
> yet. Additionally, an attacker may be able to exploit other
> denial-of-service, cross-site scripting, resource denial, or
> information
> disclosure vulnerabilities. The technical details can be obtained via
> source code analysis.
>
> Status: Mozilla confirmed, updates available.
>
> Council Site Actions: All reporting council sites are
> responding to this
> issue. Although this application is not officially supported
> at most of
> the council sites, each site said that their user based
> either has they
> auto-update feature enabled, or they will work with the users
> to update
> as appropriate.
>
> References:
> Mozilla Foundation Security Advisories
>
>
>
>
>
> SecurityFocus BID
>
>
> **************************************************************
> ***********
>
> ****************
> Other Software
> ****************
>
> (6) HIGH: Avira Antivir Antivirus Multiple Vulnerabilities
> Affected:
> Applications using the Avira Antivir antivirus engine
> versions prior to 7.4.24
> Known applications include:
> Avira Antivir Workstation Professional
> Avira Antivir Personal Edition Premium
> Avira Antivir Personal Edition Classic
>
> Description: The Avira Antivir antivirus engine, a popular antivirus
> engine, contains multiple vulnerabilities:
> (1) A flaw in the parsing of LZH formatted archives can lead to
> arbitrary code execution with the privileges of the
> vulnerable process.
> LZH is an archive file format, similar to ZIP or RAR, and is
> related to
> the LHA archive file format.
> (2) Flaws in the handling of UPX-compressed executables and
> tar archives
> can lead to multiple denial-of-service conditions.
> Note that, because the antivirus engine may be running on
> mail or other
> servers, simply sending a specially crafted email that transits a
> vulnerable system may be sufficient to exploit one of these
> conditions.
>
> Status: Avira confirmed, updates available.
>
> Council Site Actions: The affected software and/or
> configuration are not
> in production or widespread use, or are not officially
> supported at any
> of the responding council sites. They reported that no action was
> necessary.
>
> References:
> n.runs Security Advisories
>
>
>
> Wikipedia Article on LHA
>
> Vendor Home Page
>
> SecurityFocus BIDs
>
>
>
> **************************************************************
> ********************
>
> (7) HIGH: Avast! Antivirus SIS File Parsing Integer Overflow
> Affected:
> Avast! Antivirus versions prior to 4.7.700
>
> Description: Avast! antivirus, a popular antivirus engine, contains an
> integer overflow flaw in the parsing of Symbian Installation Source
> (SIS) files. This file format is used to package applications for
> various mobile devices utilizing the Symbian operating system. A
> specially crafted SIS file could trigger this vulnerability, and
> potentially execute arbitrary code with the privileges of the
> vulnerable
> process. Note that, because the vulnerable software may be
> running in a
> mode that results in the automatic scanning of files, simply
> sending an
> email to a vulnerable user may be sufficient to trigger this
> vulnerability.
>
> Status: Vendor confirmed, updates available.
>
> Council Site Actions: The affected software and/or
> configuration are not
> in production or widespread use, or are not officially
> supported at any
> of the responding council sites. They reported that no action was
> necessary.
>
> References:
> n.runs Security Advisory
>
> Avast! Changelog
>
> Vendor Home Page
>
> SecurityFocus BID
>
>
> ********************************************************************
>
> Part II - Comprehensive List of Newly Discovered Vulnerabilities from
> Qualys (www.qualys.com)
> Week 23, 2007
>
> This list is compiled by Qualys ( www.qualys.com ) as part of that
> company's ongoing effort to ensure its vulnerability management web
> service tests for all known vulnerabilities that can be scanned. As of
> this week Qualys scans for 5465 unique vulnerabilities. For this
> special SANS community listing, Qualys also includes vulnerabilities
> that cannot be scanned remotely.
>
> 07.23.1 CVE: Not Available
> Platform: Windows
> Title: Microsoft Active Directory Logon Hours Username Enumeration
> Weakness
> Description: Microsoft Active Directory is an LDAP implementation used
> on the Microsoft Windows operating system. The application is exposed
> to a username enumeration weakness because of a design error in the
> application when verifying user-supplied input. Microsoft Active
> Directory on Microsoft Windows Server 2003 Standard Edition is
> affected.
> Ref:
> ______________________________________________________________________
>
>
> 07.23.5 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: F-Secure Policy Manager FSMSH.DLL Remote Denial of Service
> Description: F-Secure Policy Manager is a management application
> designed to handle security application installation and policy
> enforcement for company networks. The application is exposed to a
> remote denial of service issue due to a failure of the application to
> properly handle unexpected conditions. F-Secure Policy Manager
> versions prior to 7.01 are affected.
> Ref:
> ______________________________________________________________________
>
> 07.23.17 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Avast! Managed Client SIS File Handling Remote Heap Overflow
> Description: Avast! Managed Client is used with Avast! Distributed
> Network Manager to deploy and manage Avast! antivirus software over
> the network. The application is exposed to a heap overflow issue in
> its SIS-processing routines. Avast! Managed Client versions earlier
> than 4.7.700 are affected.
> Ref:
>
> 0Avast!%20Antivirus%20SIS%20parsing%20Arbitrary%20Code%20Execu
> tion%20Advisory.pdf
> ______________________________________________________________________
>
> 07.23.21 CVE: Not Available
> Platform: Linux
> Title: PHP Realpath() Safe_Mode and Open_Basedir Restriction Bypass
> Description: PHP is a general purpose scripting language that is
> especially suited for web development and can be embedded into HTML.
> The application is exposed to a "safe_mode" and "open_basedir"
> restriction bypass issue. PHP versions prior to 5.2.3 are affected.
> Ref:
> ______________________________________________________________________
>
> 07.23.27 CVE: CVE-2007-2452
> Platform: Unix
> Title: GNU Locate Old Format Locate Database Local Buffer Overflow
> Description: GNU locate is included as part of GNU findutils. It is a
> utility to list files in a database matching certain criteria. The
> application is exposed to a local heap-based buffer overflow issue
> because it fails to properly bounds check user-supplied input before
> using it in a memory copy operation. GNU locate versions as found in
> GNU findutils versions prior to 4.2.31 are affected.
> Ref:
> ______________________________________________________________________
>
> 07.23.29 CVE: CVE-2007-2872
> Platform: Cross Platform
> Title: PHP Chunk_Split() Unspecified Integer Overflow
> Description: PHP is a general purpose scripting language that is
> especially suited for web development and can be embedded into HTML.
> The application is exposed to an integer overflow issue because it
> fails to ensure that integer values aren't overrun. PHP versions prior
> to 5.2.3 are affected.
> Ref:
> ______________________________________________________________________
>
> 07.23.33 CVE: CVE-2007-2917
> Platform: Cross Platform
> Title: Authentium Command Antivirus ActiveX Control ODAPI.DLL Multiple
> Buffer Overflow Vulnerabilities
> Description: Authentium Command Antivirus is an antivirus application
> for multiple platforms. The application is exposed to multiple buffer
> overflow issues because it fails to bounds check user-supplied data
> before copying it into an insufficiently sized buffer. Command
> Antivirus versions 4.93.7 and earlier are affected.
> Ref:
> ______________________________________________________________________
>
> 07.23.34 CVE: Not Available
> Platform: Cross Platform
> Title: Multiple F-Secure Products Packed Executables and Archives
> Denial of Service
> Description: F-Secure Anti-Virus and Internet Gatekeeper are
> antivirus applications developed by F-Secure. Multiple F-Secure
> products are exposed to a denial of service issue because the
> application fails to handle exceptional conditions.
> Ref:
> ______________________________________________________________________
>
> 07.23.35 CVE: Not Available
> Platform: Cross Platform
> Title: F-Secure Anti-Virus LHA Processing Buffer Overflow
> Description: F-Secure Anti-Virus is antivirus software available for
> Microsoft Windows and Linux. Multiple F-Secure Anti-Virus applications
> are exposed to a buffer overflow issue when they process malicious LHA
> archive files because the applications fail to properly check
> boundaries on user-supplied data before copying it to an
> insufficiently sized memory buffer.
> Ref:
> ______________________________________________________________________
>
> 07.23.36 CVE: Not Available
> Platform: Cross Platform
> Title: F-Secure Multiple Products Real-time Scanning Component Local
> Privilege Escalation
> Description: F-Secure provides multiple antivirus and internet
> security applications for the Microsoft Windows and Linux operating
> systems. Multiple F-Secure workstation and file server products are
> exposed to a local privilege escalation issue due to an improper
> access validation of the address space used by the affected component.
> Ref:
> ______________________________________________________________________
>
> 07.23.37 CVE: Not Available
> Platform: Cross Platform
> Title: Avira Antivir Tar Archive Handling Remote Denial of Service
> Description: Avira Antivir Antivirus is an antivirus
> application available for Microsoft Windows, Linux, FreeBSD, OpenBSD,
> and Sun Solaris. The application is exposed to a denial of service
> issue because the application fails to handle certain TAR archives.
> Avira Antivir version 6.35.0 is affected.
> Ref:
> ______________________________________________________________________
>
> 07.23.38 CVE: CVE-2007-2388
> Platform: Cross Platform
> Title: Apple QuickTime for Java Unspecified Remote Heap Buffer
> Overflow
> Description: Apple QuickTime for Java is exposed to a remote
> heap-based buffer overflow issue because it fails to properly bounds
> check user-supplied input prior to copying it to an insufficiently
> sized buffer. Apple QuickTime Player version 7.1.6 is affected.
> Ref:
> ______________________________________________________________________
>
> 07.23.39 CVE: CVE-2007-2389
> Platform: Cross Platform
> Title: Apple Quicktime For Java Variant Information Disclosure
> Description: Apple QuickTime for Java is exposed to an
> information disclosure issue which convinces victims to visit a
> malicious web site. Please refer to the advisory for further details.
> Ref:
> ______________________________________________________________________
>
> 07.23.40 CVE: Not Available
> Platform: Cross Platform
> Title: Apache HTTP Server Worker Process Multiple Denial of Service
> Vulnerabilities
> Description: Apache is exposed to multiple denial of service issues
> due to a failure in the application to properly handle malformed or
> malicious worker processes. Apache Software Foundation Apache versions
> 2.2.4, 2.0.59 and 1.3.37 are affected.
> Ref:
> ______________________________________________________________________
>
> 07.23.44 CVE: CVE-2007-2446
> Platform: Cross Platform
> Title: Samba NDR RPC Request DFSEnum Heap-Based Buffer Overflow
> Description: Samba is a suite of software that provides file and print
> services for "SMB/CIFS" clients. Samba is exposed to a remote
> heap-based buffer overflow issue because it fails to properly bounds
> check user-supplied data before copying it to an insufficiently sized
> memory buffer. Samba versions 3.0.25rc3 and earlier are affected.
> Ref:
> ______________________________________________________________________
>
> 07.23.45 CVE: Not Available
> Platform: Cross Platform
> Title: Mozilla Firefox Resource Directory Traversal
> Description: Mozilla Firefox is a web browser available for multiple
> operating platforms. The application is exposed to a directory
> traversal issue because it fails to adequately sanitize user-supplied
> data. Mozilla Firefox versions 2.0.0.3 and earlier are affected.
> Ref:
> ______________________________________________________________________
>
> 07.23.46 CVE: CVE-2007-2446
> Platform: Cross Platform
> Title: Samba NDR RPC Request LsarLookupSids/LsarLookupSids2 Heap-Based
> Buffer Overflow
> Description: Samba is a suite of software that provides file and print
> services for "SMB/CIFS" clients. Samba is exposed to a remote heap
> based buffer overflow issue because it fails to properly bounds check
> user-supplied data before copying it to an insufficiently sized memory
> buffer. Samba versions 3.0.25rc3 and earlier are affected.
> Ref:
> ______________________________________________________________________
>
> 07.23.47 CVE: CVE-2007-2446
> Platform: Cross Platform
> Title: Samba NDR RPC Request NetSetFileSecurity Heap-Based Buffer
> Overflow
> Description: Samba is a suite of software that provides file and print
> services for "SMB/CIFS" clients. Samba is exposed to a remote
> heap-based buffer overflow issue because it fails to properly bounds
> check user-supplied data before copying it to an insufficiently sized
> memory buffer. Samba versions 3.0.25rc3 and earlier are affected.
> Ref:
> ______________________________________________________________________
>
> 07.23.48 CVE: CVE-2007-2446
> Platform: Cross Platform
> Title: Samba NDR RPC Request RFNPCNEX Heap-Based Buffer Overflow
> Description: Samba is a suite of software that provides file and print
> services for "SMB/CIFS" clients. Samba is exposed to a remote
> heap-based buffer overflow issue because it fails to properly bounds
> check user-supplied data before copying it to an insufficiently sized
> memory buffer. Samba versions 3.0.25rc3 and earlier are affected.
> Ref:
>
> 07.23.50 CVE: Not Available
> Platform: Cross Platform
> Title: Avira Antivir Antivirus Multiple Remote Vulnerabilities
> Description: Avira Antivir Antivirus is a multi-platform antivirus
> application. The application is exposed to a buffer overflow issue
> when processing specially crafted LZH archive files due to an integer
> handling flaw and an infinite loop denial of service issue when
> processing TAR archives. Avira Antivir AVPack versions prior to
> 7.03.00.09 and Engine versions prior to 7.04.00.24 are affected.
> Ref:
> ______________________________________________________________________
>
> (c) 2007. All rights reserved. The information contained in this
> newsletter, including any external links, is provided "AS IS," with no
> express or implied warranty, for informational purposes only. In some
> cases, copyright for material in this newsletter may be held
> by a party
> other than Qualys (as indicated herein) and permission to use such
> material must be requested from the copyright owner.
>
>
> ==============================================================
> ===========
> SANS Software Security @RISK: Secure Coding Error of the Month
> Vol. 1, Num. 1
> June 3, 2007
> ==============================================================
> ===========
>
> Millions of problems from one coding error.
>
> The apache.org foundation reports that more than 10 million copies its
> Apache Tomcat package have been downloaded, providing Java servlet
> functionality for web servers throughout the world. Moreover,
> Tomcat is
> frequently used as a standalone web server in high-traffic and
> high-availability environments where sensitive and valuable
> information
> are stored.
>
> So a programming error by one of the Tomcat developers is a BIG error.
> If it opens a security hole, millions of people now need to
> patch their
> systems. It is an even bigger problem because, sadly,
> thousands or tens
> of thousands of sites will not install the patch, possibly because no
> one will tell them about the need to do so, and will become victims of
> data theft, extortion, and other cyber crimes.
>
> As you read this first edition of SANS Software Security @RISK
> newsletter, note how little effort would have been needed to avoid the
> problem.
>
> *****************************************************
> Apache Tomcat JK Web Server Connector Buffer Overflow
> *****************************************************
>
> What kind of error is it? A buffer overflow.
> - -------------
>
> Buffer overflow is one of the oldest types of security vulnerabilities
> discovered as early as mid sixties. As the name suggests, the
> vulnerability arises when a programmer allows more data to be crammed
> into a storage area than the programmer had originally set aside. When
> the data overflows the reserved area, bad things often happen.
>
> In early March, a critical buffer overflow was disclosed in
> versions of
> Apache Tomcat JK Web Server Connector.
>
> This vulnerability is a stack-based buffer overflow. The flaw can be
> triggered by a long URI input to the mod_jk module. An unauthenticated
> user can exploit this overflow by sending a large URI to execute
> arbitrary code of his choice on the server.
>
> Information about the problem of interest to security professionals --
> the vulnerable versions of Tomcat, damage that can be done,
> and exploits
> in the wild -- have all been well covered in SANS weekly @RISK
> newsletter and elsewhere (and are referenced at the end of
> this issue).
> Here we focus instead on the aspect of the problem relevant to
> programmers: the programming error that led to this huge problem?
>
>
> What coding error was responsible for this vulnerability?
> -
> --------------------------------------------------------------
> ----------
>
> Buffer overflows arise because programmers forget to check that the
> length of data being copied into a buffer is less than or equal to the
> buffer size.
>
> Let us now look at the vulnerable function that led to the Tomcat
> overflow.
>
> The buffer overflow was found in the map_uri_to_worker() function that
> is defined in native/common/jk_uri_worker_map.c file.
>
> #define JK_MAX_URI_LEN 4095 (From jk_uri_worker_map.h)
>
> *************
> Function code
> *************
> const char *map_uri_to_worker(jk_uri_worker_map_t *uw_map,
> const char *uri, jk_logger_t *l)
> {
> unsigned int i;
> char *url_rewrite;
> const char *rv = NULL;
> char url[JK_MAX_URI_LEN+1];
>
> JK_TRACE_ENTER(l);
>
> if (!uw_map || !uri) {
> JK_LOG_NULL_PARAMS(l);
> JK_TRACE_EXIT(l);
> return NULL;
> }
> if (*uri != '/') {
> jk_log(l, JK_LOG_WARNING,
> "Uri %s is invalid. Uri must start with /", uri);
> JK_TRACE_EXIT(l);
> return NULL;
> }
>
> ###############################
> Erroneous Code in this function
> ###############################
>
> for (i = 0; i < strlen(uri); i++)
> if (uri[i] == ';')
> break;
> else
> url[i] = uri[i];
> url[i] = '\0';
>
>
> What is wrong with this function?
> - ---------------------------------
>
> Notice that "uri" is an input to the function. It is being copied into
> a locally declared variable url. url is a buffer of size
> 4096. However,
> the copy operation depends on the size of the input uri. There is no
> check in the function to stop copying if the length of uri is greater
> than the maximum length of url buffer i.e. 4096. This results in a
> stack-based buffer overflow, which is usually the simplest buffer
> overflow to exploit.
>
> What did it take to fix the vulnerable function?
> - ------------------------------------------------
>
> Introduce a check for the length of the uri that is copied
> into the url
> variable.
>
> **********
> Fixed Code
> **********
>
> for (i = 0; i < strlen(uri); i++) {
> if (i == JK_MAX_URI_LEN) {
> jk_log(l, JK_LOG_WARNING,
> "Uri %s is invalid. Uri must be smaller
> then %d chars",
> uri, JK_MAX_URI_LEN);
> JK_TRACE_EXIT(l);
> return NULL;
> }
> if (uri[i] == ';')
> break;
> else
> url[i] = uri[i];
> }
>
> As you can see, once the length of uri reaches the max length of 4096,
> the copy operation is terminated.
>
> Take Away:
> Programmers who want to avoid this kind of error should follow SANS
> Secure Programming Rule 01.1.1:
> -
> --------------------------------------------------------------
> -----------
>
> Input Validation - The programmer must securely process
> inputs from all
> aspects of the environment, then correctly decode, canonicalize, and
> validate those inputs.
>
> Source: SANS Secure Coding in C Examination Blueprint,
> (www.sans-ssi.org/ (rest of url))) More granular rules can be found at
> that url, as well.
>
> References:
> - ----------------
>
> Zero Day Initiative Advisory
>
>
> SANS @RISK Posting
>
>
> Apache Tomcat Homepage
>
>
> Apache Tomcat Code
>
> _1_2_20/jk/native/common/jk_uri_worker_map.c?revision=513250&v
> iew=markup
>
> Secunia Advisory
>
> CVE 2007-0774
>
> The National Vulnerability Database:
>
>
> ============================================================
> Copyright 2007, The SANS Institute
> You may distribute copies of Software Security @RISK to anyone within
> your own organization but you may not post it.
>
> ______________________________________________________________________
>
> Subscriptions: @RISK is distributed free of charge to people
> responsible
> for managing and securing information systems and networks. You may
> forward this newsletter to others with such responsibility inside or
> outside your organization.
>
