
Behavioral Analysis

iDefense Security Advisory 05.12.09: Microsoft PowerPoint 4.2 Conversion Filter Stack Overflow

Use the cacls program to deny access to the DLL containing the
vulnerable code, PP4X32.DLL. This will prevent the vulnerable DLL from
loading in PowerPoint, which will also prevent users from importing
PowerPoint 4.0 files. If Office 2003 SP3 is being used, then the
default behavior is to block the opening of PowerPoint 4.0 files. If
the default behavior has been changed, restoring it is an effective
workaround.
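
The cacls workaround spelled out, as an added example that is not part of the iDefense advisory: searching under %ProgramFiles% for the DLL and using Everyone as the denied principal are assumptions; the advisory names only the program and the DLL.

```batch
@echo off
rem Added example, not from the advisory. Deny every principal access to the
rem PowerPoint 4.0 conversion filter so PowerPoint cannot load it.
rem Assumption: the DLL lives somewhere under %ProgramFiles% (Office 2003
rem installs to "%ProgramFiles%\Microsoft Office\OFFICE11" by default).
setlocal
set "DLL="
for /f "delims=" %%F in ('dir /s /b "%ProgramFiles%\PP4X32.DLL" 2^>nul') do set "DLL=%%F"
if not defined DLL (
    echo PP4X32.DLL not found under "%ProgramFiles%"
    exit /b 1
)

rem /E edits the existing ACL instead of replacing it (without /E, cacls /P
rem wipes every other entry); /P Everyone:N adds a "no access" entry, and an
rem explicit deny wins over any allow entry, administrators included.
cacls "%DLL%" /E /P Everyone:N
if errorlevel 1 (
    echo cacls failed; run from an elevated prompt as an administrator
    exit /b 1
)

rem Verify: the ACL listing must now contain an Everyone:N entry.
cacls "%DLL%" | findstr /i /c:"Everyone:N" >nul && (
    echo PP4X32.DLL blocked: %DLL%
) || (
    echo deny entry missing on %DLL%
    exit /b 1
)
endlocal
```

To undo, `cacls "%DLL%" /E /R Everyone` removes the entry again. "Everyone" is the English group name; on a localized Windows use the local name, or on Vista and later use icacls, which accepts the SID form: `icacls "%DLL%" /deny *S-1-1-0:F`.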

VI. VENDOR RESPONSE


Re: Insufficient Authentication vulnerability in Acer notebooks

installation the default Administrator account's password was always set 
equal to first admin's password.

I used a lot of different Windows XP (XP Professional and also XP Home on my
two notebooks). And in all versions from original (Gold) to SP1 and SP2
(didn't work with XP's installations with SP3) it was the same behavior
(except these two notebooks with XP Home). So normal behavior for Windows XP
is to set default admin's password equal to first admin's password.

> With any installation of it you have to boot in safe mode and manually set 
> a password on the hidden admin account.

Apache directory traversal on shared hosting environment.

cPanel developers were notified of this vulnerability and given time to hotfix the issue.

Their response was:

After thoroughly investigating your report, we have come to the conclusion that this does not represent any deviation from the intended and documented behavior of Apache. As noted in your report, Apache's behavior with regard to symlinks is easily configurable via the FollowSymlinks and SymLinksIfOwnerMatch options. These settings can be changed inside WHM via Service Configuration -> Apache Configuration -> Global Configuration.  Simply uncheck "FollowSymLinks" in the "Directory / Options" section, save your settings and rebuild the configuration and restart Apache. Disabling "Options" overrides can be done via the Apache include editor by specifying an AllowOverride setting for the /home directory.

While this is true, it should be noted that the default configuration in cPanel is readily exploitable after installation and that toggling these settings will ultimately cause issues with several large, popular blog and CMS-type applications. We feel this does not properly address the vulnerability in terms of a shared hosting environment.

The patch is provided by David Collins (CTO, Hostgator.com) and Ray Carro (Developer, Hostgator.com).
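
As an added illustration, which is neither the Hostgator patch mentioned above nor cPanel's own configuration, the permissive directory block beside the tightened one that the cPanel response describes. The /home path follows cPanel's layout; the rest is an assumption about a typical setup.

```apache
# Permissive: what the post describes as the post-install default.
# A customer runs  ln -s /home/victim/public_html/wp-config.php ~/public_html/x.txt
# and Apache, which reads files as its own user, serves the target through the
# link, because nothing ties the link's owner to the target's owner.
<Directory "/home">
    Options FollowSymLinks
    # .htaccess may set any Options, so a site can re-enable FollowSymLinks itself
    AllowOverride All
</Directory>

# Tightened, as cPanel suggests: follow a link only when link and target share
# an owner, and withhold "Options" from .htaccess so no site can turn it back on.
<Directory "/home">
    Options SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Indexes Limit
</Directory>
```

Run `apachectl configtest` before restarting. Sites whose .htaccess contains `Options +FollowSymLinks` (many CMS rewrite rule sets ship with it) will start returning 500 once `Options` is withheld from `AllowOverride`; that is the breakage the post warns about, and the fix on the site side is `Options +SymLinksIfOwnerMatch`, which mod_rewrite accepts in per-directory context. Apache's own documentation notes that the owner check is done with separate stat calls and is therefore subject to a race between the check and the open, so it narrows the window rather than closing it.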


Cisco Security Advisory: Cisco 10000, uBR10012, uBR7200 Series Devices IPC Vulnerability

Cisco 10000, uBR10012 and uBR7200 series devices use a UDP-based IPC
channel. This channel uses addresses from the 127.0.0.0/8 range and
UDP port 1975. Cisco 10000, uBR10012 and uBR7200 series devices that
are running an affected version of Cisco IOS will process IPC
messages that are sent to UDP port 1975 from outside of the device.
This behavior may be exploited by an attacker to cause a reload of
the device, linecards, or both, resulting in a DoS condition.

Filtering unauthorized traffic destined to 127.0.0.0/8 or UDP port
1975 will mitigate this vulnerability.
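
An inbound infrastructure ACL expressing the filtering the advisory recommends, as an added example that is not part of Cisco's text; the management host 192.0.2.10 and the interface name are placeholders.

```cisco
! Added example, not the advisory's workaround. Inbound infrastructure ACL,
! applied to every interface that receives traffic from outside the device.
! 192.0.2.10 (management host) and GigabitEthernet1/0/0 are placeholders.
ip access-list extended IPC-GUARD-IN
! Nothing legitimate arriving on a wire is addressed to loopback space.
 deny   ip any 127.0.0.0 0.255.255.255 log
! Drop the IPC port itself. This also drops transit UDP/1975 through the
! box; restrict the destination to the device's own addresses if that matters.
 deny   udp any any eq 1975 log
! Management access, then normal transit (tighten to the real policy).
 permit tcp host 192.0.2.10 any eq 22
 permit ip any any
!
interface GigabitEthernet1/0/0
 ip access-group IPC-GUARD-IN in
!
! Checks after applying:
!   show ip access-lists IPC-GUARD-IN        (deny counters climb only on probes)
!   show ip interface GigabitEthernet1/0/0 | include access list
```

The `log` keyword on the deny lines is there to confirm that probes actually arrive; under a flood it costs CPU on the same route processor the attack is aimed at, so remove it or rate-limit ACL logging once the filter is in place. An existing anti-spoofing or bogon ACL that already denies 127.0.0.0/8 inbound covers the first deny line.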


Re: Sun M-class hardware denial of service

| those situations, XSCF uses configurations or configuration policies
| supplied by the domain administrator to eliminate hardware from the
| domain configuration in an attempt to get a stable domain environment
| running.

The final paragraph suggests that the behavior is configurable, but
according to
<http://docs.sun.com/source/819-6202-13/21ch4p.html#0_pgfId-146307>,
it's not:

| 4.6.2 Clearing the Fault/Degradation Information

Re: Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

re: "set 403 page's charset in the server side by writing it in your server code"

Apache *does* set the charset in the HTTP header.  It is set to iso-8859-1 by default.

Adding a <meta http-equiv> tag with the iso-8859-1 charset does not change the browser behavior.  See below for the captured response from a test with this change.

The user can still manually override the charset to UTF-7 via the browser menu, regardless of anything the Apache server sends.

re: "There is no problem to trick the victim and force him to change the encoding of his browser by little social engineering"
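
The charset dependence the reply describes, as an added example that is not part of the thread. The payload and the small UTF-7 encoder are constructed for illustration; Python's own utf-7 codec is used only on the decoding side, standing in for a browser that has been switched to UTF-7.

```python
import base64
import html

# Added example (not from the thread). Constructed payload: the markup the
# attacker wants the browser to interpret.
PAYLOAD = "<script>alert(1)</script>"

# Characters written as-is; everything else is hidden in a UTF-7 base64 run.
# RFC 2152 lets an encoder base64-encode any character, so the attacker
# chooses to hide exactly the ones an HTML filter keys on (< > " ' &).
DIRECT = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ()/.,:;")


def utf7_hide(text: str) -> str:
    """Encode `text` as UTF-7, base64-encoding every character not in DIRECT.

    A run is the UTF-16BE bytes of the hidden characters, base64 without '='
    padding, wrapped as '+...-'.
    """
    out, run = [], []

    def flush():
        if run:
            raw = "".join(run).encode("utf-16-be")
            b64 = base64.b64encode(raw).decode("ascii").rstrip("=")
            out.append("+" + b64 + "-")
            run.clear()

    for ch in text:
        if ch in DIRECT:
            flush()
            out.append(ch)
        else:
            run.append(ch)
    flush()
    return "".join(out)


def escape_filter_is_blind(text: str) -> bool:
    """True when HTML escaping leaves `text` untouched: the filter saw nothing."""
    return html.escape(text, quote=True) == text


def render_as(wire: str, charset: str) -> str:
    """What a browser makes of the ASCII bytes under the charset it ends up using."""
    return wire.encode("ascii").decode(charset)


if __name__ == "__main__":
    wire = utf7_hide(PAYLOAD)
    print("on the wire:        ", wire)
    print("escaping changes it:", not escape_filter_is_blind(wire))
    print("as iso-8859-1:      ", render_as(wire, "iso-8859-1"))
    print("as utf-7:           ", render_as(wire, "utf-7"))
```

Under the server's declared iso-8859-1 the injected text is inert ASCII; only a UTF-7 interpretation, whether guessed by the browser or chosen by the user from the encoding menu, turns it back into markup. That is why the charset has to be pinned in the HTTP header and why the user-side override the reply mentions is outside the server's control.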


Re: PIX Privilege Escalation Vulnerability

> 515E running version 7.2 of Finesse. I will be posting all updates
> regarding this exploit as they come, and I apologize for it taking so
> long to release this information.

Dumb question: can you reproduce this issue when you have a non-blank
enable password? I can see this behavior when a blank enable password is
set, but if I have a non-blank enable password I don't see the behavior
- I get dropped back into unprivileged EXEC after using the backspace
key.

When the enable password is blank you still get prompted for a password

AW: MS Office 2007: Digital Signature does not protect Meta-Data

Dear Mr. Poehls,

yes, I can see your point and I agree that there's a risk for an inexperienced user to be spoofed by being shown an author, time stamps and state that could have been tampered with after the original owner signed the document.
But in my opinion this again emphasizes the need for users to know enough about the way applications may change the appearance of signed documents in ways not intended by the author at the time of signing, and that's a question far beyond considerations concerning the behavior of individual applications like MS Office.

In fact the visual clue you gave for a signed document in Word 2007 shows that in the context of those document properties there are also attributes like keywords, category and comments, which make it less tempting to assume those properties could be part of the signed document. So, for example, users of SharePoint Office Server are acquainted with the behavior of showing data that is managed and shown on the server side in that area above the document. You should also mention that the label on the menu for showing this area reads "Prepare Document for Publishing", which in my opinion also gives a clue that this data is not part of the signed document.

Although I would appreciate it if Word 2007 gave more of a visual clue that this data isn't part of the signed document, I still believe that this is not a major security issue.

Regards,

[TZO-05-2009] Clamav 0.94 and below - Evasion /bypass

the end-user is affected. For example, fileservers, databases,
etc. Over the years I saw the strangest environments that
were affected by this type of "bug". My position is that customers
deserve better security than this.

- Will behavioral analysis catch this?
No. The content is unreadable to the AV engine, so no inspection
whatsoever is possible.

- Evasions are the cross-site scripting of file-format bugs
Yes.

[TZO-07-2009] F-PROT ZIP Method evasion

Some bypasses required modifications in the AV "kernel" and cannot be
fixed with a signature update. As such it would not only take longer
but, for those customers that do not push binary updates immediately
(or not at all), it would increase the window of exposure.

- Will behavioral analysis catch this?
No. The content is unreadable to the AV engine, so no inspection
whatsoever is possible.

- Evasions are the cross-site scripting of file-format bugs
Yes.

IE7 Script

secondary hostile page until after rendering was complete. AV client
involved was outdated engine with current definitions, and not worth
maligning. Not tested with modern AV.

Not sure what if anything is new about this, but the obfuscation and the
client behavior suggest something of interest. The point seems to be to
render known bad code from a page that robot testers will find to be
clean, and possibly to bypass AV auto-protection.

The exploit was obfuscated javascript. VirusTotal had no complaints
about the script below, whether obfuscated or not.

[USN-930-2] apturl, Epiphany, gecko-sharp, gnome-python-extras, liferea, rhythmbox, totem, ubufox, yelp update

 Martin Barbella discovered an integer overflow in an XSLT node sorting
 routine. An attacker could exploit this to overflow a buffer and cause a
 denial of service or possibly execute arbitrary code with the privileges of
 the user invoking the program. (CVE-2010-1199)
 
 Michal Zalewski discovered that the focus behavior of Firefox could be
 subverted. If a user were tricked into viewing a malicious site, a remote
 attacker could use this to capture keystrokes. (CVE-2010-1125)
 
 Ilja van Sprundel discovered that the 'Content-Disposition: attachment'
 HTTP header was ignored when 'Content-Type: multipart' was also present.

Cisco Security Advisory: Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability

contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.


Re: [Webappsec] Paper: Weaning the Web off of Session Cookies

It may not be a simple fix, but the first steps shouldn't have much
resistance.  While digest authentication isn't the best password
protocol out there, it's almost usable right now and provides tangible
security benefits for those adventurous developers who are willing to
work around browser limitations.  With some very small changes in
browser behavior, form-based HTTP authentication becomes truly
possible without ugly hacks.  From there, I think it can gain some
real traction under its own merits.

Of course some apps will always use cookies for flexibility or
backward compatibility, but I don't see cookies *advancing* the safety

Cisco Security Advisory: Multiple vulnerabilities in Cisco PGW Softswitch

should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.


Re: Windows XP TCP/IP Stack Security Issue (ARP for non RFC 1918 addresses)

>From: wborskey@gmail.com
>To: bugtraq@securityfocus.com
>Subject: Windows XP TCP/IP Stack Security Issue (ARP for non RFC 1918 addresses)
>Sent: Apr 24, 2010 9:15 PM
>
>After putting the port my WAP is plugged into in a bridge group--cisco 2600--and rejecting traffic at layer two from an XP machine, I noticed some odd and insecure behavior. At this point I can only assume what is causing it. 
>
>After adding the MAC of a machine with active TCP/IP sockets to public IP addresses, an odd thing happened. Instead of sending out DNS requests to resolve the hosts, the XP machine started sending ARP requests, but ARP requests for public IP addresses! For example it sent out ARP requests like "Who has 74.125.159.103". But not just once!
>
>The XP machine was using a self-assigned 169.254.
>Because the bridge group discard rule was discarding its traffic at layer 2. But somehow, I guess because it had open sockets to public IP addresses, it tried to ARP for those addresses to discover what network it was on and where to send the packets.

[USN-930-1] Firefox and Xulrunner vulnerabilities

Martin Barbella discovered an integer overflow in an XSLT node sorting
routine. An attacker could exploit this to overflow a buffer and cause a
denial of service or possibly execute arbitrary code with the privileges of
the user invoking the program. (CVE-2010-1199)

Michal Zalewski discovered that the focus behavior of Firefox could be
subverted. If a user were tricked into viewing a malicious site, a remote
attacker could use this to capture keystrokes. (CVE-2010-1125)

Ilja van Sprundel discovered that the 'Content-Disposition: attachment'
HTTP header was ignored when 'Content-Type: multipart' was also present.

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.


Re: /proc filesystem allows bypassing directory permissions on Linux

The idea of /proc is to refer to files being opened by the process,
while RETAINING the original INODE attributes, regardless of the fact
that this particular process accessed the file via read-only access.

You are expecting transactional behavior in /proc, where /proc only
registers object information.

I think this discussion would never have existed if they had used another
name for the 'fd' placeholder in /proc... Because then you wouldn't have
linked the /proc fd to the fd being used within the actual process space.

[ADVISORY] NetCache URL DoS - Argentinian ISP

proxies unable to go out with their own IPs, the prefetch couldn't
work anymore and the NetCache proxies seem not to spoof the clients'
IP addresses for that URL until the prefetch is done (never).

Here is a PoC using one of Google's IPs for testing purposes, but the
same behavior would be exhibited by the victim proxy with host names:

// Let's check that our target IP is handled by a NetCache:
$ printf "TRACE / HTTP/1.1\r\nHost: 74.125.65.106\r\nMax-Forwards: 0\r\nConnection: Close\r\n\r\n" | nc 74.125.65.106 80
HTTP/1.1 200 OK

Cisco Security Advisory: Cisco IOS XR Software SSH Denial of Service Vulnerability

contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.


Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection

Cherokee issued a public patch that resolved the issue but caused some
problems (http://svn.cherokee-project.com/changeset/3944); it was later
replaced (http://svn.cherokee-project.com/changeset/3977) by a better
fix that both resolves the issue and does not affect normal webserver
behavior. Use the second patch or a safe release such as 0.99.34 or
above. If you are using Cherokee 0.99.32, note that your build uses
the first patch.

WEBrick (Ruby) sent us the following patch and issued a release
that fixes the issues. Detailed information is available at the
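
What a log-escape-sequence injection looks like and what a fix has to do, as an added example that is neither the Cherokee nor the WEBrick patch: a minimal log formatter in its vulnerable and hardened forms, plus a detector run over a constructed sample of a log written by an unpatched server. The log format and sample lines are made up for the illustration.

```python
import re

# Added example (not a patch from the advisory). Characters a terminal will
# interpret: C0 controls (ESC 0x1b, CR, LF, BEL, ...), DEL, and the C1 range,
# where 0x9b is a single-byte CSI that starts an escape sequence on its own.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def contains_control(s: str) -> bool:
    """True when the string carries any raw control character."""
    return CONTROL_RE.search(s) is not None


def sanitize_field(s: str) -> str:
    """Escape control characters as \\xNN, and backslash itself so an escaped
    form cannot be confused with a literal one."""
    out = []
    for ch in s:
        code = ord(ch)
        if code < 0x20 or 0x7f <= code <= 0x9f:
            out.append(f"\\x{code:02x}")
        elif ch == "\\":
            out.append("\\\\")
        else:
            out.append(ch)
    return "".join(out)


def format_log_vulnerable(remote: str, request: str, status: int, ua: str) -> str:
    """Client-controlled fields written verbatim: whoever tails this file in a
    terminal runs the client's escape sequences."""
    return f'{remote} "{request}" {status} "{ua}"'


def format_log_hardened(remote: str, request: str, status: int, ua: str) -> str:
    """Same line, every client-controlled field escaped before it is written."""
    return (f'{sanitize_field(remote)} "{sanitize_field(request)}" '
            f'{status} "{sanitize_field(ua)}"')


# Constructed sample of a log written by an unpatched server.
SAMPLE_LOG = [
    '198.51.100.7 "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    # ESC[2J ESC[H: clears the screen of an admin who is tailing the log
    '198.51.100.9 "GET /\x1b[2J\x1b[H HTTP/1.1" 404 "curl/7.19"',
    # ESC]0;...BEL: rewrites the xterm window title
    '198.51.100.9 "GET / HTTP/1.1" 200 "\x1b]0;owned\x07Mozilla/5.0"',
    # bare CR: the text after it overwrites the visible line, forging an entry
    '198.51.100.9 "GET /?x=1\r203.0.113.1 "GET /login HTTP/1.1" 200 "-"',
]


def audit_log(lines):
    """Indices of lines that carry raw control characters."""
    return [i for i, line in enumerate(lines) if contains_control(line)]


if __name__ == "__main__":
    print("suspicious lines:", audit_log(SAMPLE_LOG))
    print(format_log_hardened("203.0.113.5", "GET / HTTP/1.1", 200, "\x1b[2JMozilla"))
```

`audit_log` is the check to run over existing logs before believing them: a server that has been patched stops writing raw controls, but anything already on disk is still live when it is displayed. Escaping to `\xNN` rather than stripping keeps the evidence of what was sent.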

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

> even happier.

Susan, you are welcome.

I would be happy to wait for patches from browser vendors, but as I already
told you in detail, it's not possible due to the behavior of browser vendors.
They mostly ignore such holes; they don't count DoS as vulnerabilities, they
call them "stability issues" and so don't attend to them seriously (not fixing
them, or fixing them slowly). I don't respect such a statement as "stability
issues" for DoS holes, and during 2008-2010 I worked hard to change vendors'
minds on this issue, but they still ignore it.

Cisco Security Advisory: Cisco Application Extension Platform Privilege Escalation Vulnerability

Partners, authorized resellers, or service providers should contact that
support organization for guidance and assistance with the appropriate course of
action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer
situations, such as product mix, network topology, traffic behavior, and
organizational mission. Due to the variety of affected products and releases,
customers should consult with their service provider or support organization to
ensure any applied workaround or fix is the most appropriate for use in the
intended network before it is deployed.


Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.


Cisco Security Advisory: Multiple Vulnerabilities in Cisco Security Agent

should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.


...because you can't get enough of clickjacking

WebKit-based browsers only):

http://lcamtuf.coredump.cx/focus-webkit/

It's not very serious, but cuter than clickjacking proper. WebKit
focus behavior on Windows makes this particular PoC easier there, but
I believe that no browser is designed to counter this general attack
pattern in any particular way. The usual opt-in mitigations
(X-Frame-Options, frame busting) should offer a reasonable degree of
protection already.



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
