== DoS attacks on MIME-capable software via complex MIME emails ==
== Preface ==
At phneutral 0x7d8 and RSS 08 I gave short talks on a widely overlooked
problem with MIME software. Due to popular demand, I decided to publish a
short writeup of the talk.
== What is MIME? ==
MIME is the standard format for email messages. One could say MIME is to
email what HTML is to the web. The first RFC for MIME was published in
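The excerpt stops before the talk's details. As an added illustration of one kind of "complex" MIME message such software has to cope with (this is not code from the talk or its author), the block below builds a multipart/mixed body nested to an arbitrary depth without recursion, measures the nesting depth with an explicit stack, and hands only messages within a limit to Python's recursive stdlib parser. MAX_DEPTH is a policy value chosen here, not a number from any RFC; the message contents are constructed.

```python
import email
import re
from email.message import Message
from typing import Optional

MAX_DEPTH = 20  # assumed policy limit; not a value from any RFC

_BOUNDARY_RE = re.compile(rb'boundary="?([^";\r\n]+)"?', re.IGNORECASE)


def build_nested_multipart(depth: int) -> bytes:
    """Build a message whose body is `depth` nested multipart/mixed parts.

    Constructed sample. Built iteratively so the builder itself cannot be
    the thing that runs out of stack; the innermost part is one text line.
    """
    inner = b"Content-Type: text/plain\r\n\r\nhello\r\n"
    for level in range(depth, 0, -1):
        bnd = b"b%d" % level
        inner = (
            b'Content-Type: multipart/mixed; boundary="' + bnd + b'"\r\n\r\n'
            b"--" + bnd + b"\r\n" + inner + b"\r\n--" + bnd + b"--\r\n"
        )
    return b"From: a@example.invalid\r\nSubject: nested\r\n" + inner


def multipart_depth(raw: bytes) -> int:
    """Maximum multipart nesting depth of a raw message.

    Uses an explicit stack of open boundaries rather than recursion, so the
    check itself is safe on hostile input: a multipart Content-Type line
    pushes its boundary, the matching closing delimiter pops it.
    """
    stack, deepest = [], 0
    for line in raw.split(b"\r\n"):
        low = line.lower()
        if low.startswith(b"content-type:") and b"multipart/" in low:
            match = _BOUNDARY_RE.search(line)
            if match:
                stack.append(match.group(1))
                deepest = max(deepest, len(stack))
        elif stack and line == b"--" + stack[-1] + b"--":
            stack.pop()
    return deepest


def parse_if_sane(raw: bytes, limit: int = MAX_DEPTH) -> Optional[Message]:
    """Refuse over-nested input before it reaches the recursive parser."""
    if multipart_depth(raw) > limit:
        return None
    return email.message_from_bytes(raw)
```

The depth scan runs in one pass over the raw bytes with bounded memory, so it can sit in front of whatever parser the mail software actually uses.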
virtual. The chassis contains actual partitioning hardware which
routes the various CPUs to only see specific hardware devices. The
physical segmentation of the hardware obviously must be completely
secure and reliable to meet Sun's promises of high availability.
Sun's system partitioning domains are supposed to be the best of the
isolation schemes in the market. But perhaps even they have problems.
During the porting of OpenBSD/sparc64 to this family of machines it
was discovered that the OS kernel can trigger a fault. This fault is
caught by the systems management controller (the XSCF, Fujitsu's
version of LOM/RSC console) which then powers the domain down, marks
* Local Intranet Zone: For content located on an organization's
intranet.
* Trusted Sites Zone: For content located on Web sites that are
considered more reputable or trustworthy than other sites on the Internet.
* Restricted Sites Zone: For Web sites that contain content that
can cause (or have previously caused) problems when downloaded.
* Local Machine Zone: This is an implicit zone for content that
exists on the local computer and is not directly configurable through
Internet Explorer security options by the user.
Internet Explorer users or Administrators can assign specific websites
the user whenever potentially unsafe content is about to be downloaded.
Web sites that are not mapped into other zones automatically fall into
this zone.
* Restricted Sites Zone: used for Web sites that contain content that
can cause (or have previously caused) problems when downloaded. This
zone causes Internet Explorer to alert users when potentially-unsafe
content is about to be downloaded, or to prevent the content from
downloading. The user adds the URLs of these un-trusted Web sites to
this zone.
This is a writeup about a flaw that I found recently, and that
existed in multiple implementations of SMTP (Simple Mail Transfer
Protocol) over TLS (Transport Layer Security) including my Postfix
open source mailserver. I give an overview of the problem and its
impact, how to find out if a server is affected, fixes, and draw
lessons about where we can expect similar problems. A time line
is at the end.
For further reading:
http://www.kb.cert.org/vuls/id/555316
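The overview above does not name the flaw; the CERT note it links, VU#555316, is the STARTTLS plaintext command injection: a server that keeps bytes received in the same TCP segment as STARTTLS in its input buffer and then executes them inside the TLS session. The probe below is an added example, not code from the Postfix project or from the author. It sends STARTTLS and a RSET in a single write and reports whether the server answers the RSET after the handshake, although the client has sent nothing over TLS. Host, port and timeout are assumed arguments; certificate verification is disabled because the probe tests behaviour, not identity. It touches the network, so point it only at servers you are authorized to test.

```python
import socket
import ssl
from typing import Callable, List, Tuple

# STARTTLS and a trailing command delivered in one write: a vulnerable server
# keeps the bytes after STARTTLS in its input buffer and executes them once
# the TLS session is up.
PROBE = b"STARTTLS\r\nRSET\r\n"


def read_reply(recv: Callable[[int], bytes]) -> Tuple[int, List[str]]:
    """Read one SMTP reply, multi-line ('NNN-text') replies included, from a
    recv-like callable; returns (code, [text lines])."""
    buf = b""
    while True:
        chunk = recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
        lines = buf.split(b"\r\n")
        if len(lines) < 2:
            continue                       # no complete line yet
        last = lines[-2]                   # last complete line
        if len(last) == 3 or (len(last) > 3 and last[3:4] == b" "):
            break                          # 'NNN text' (or bare 'NNN') ends the reply
    return int(lines[0][:3]), [l[4:].decode("utf-8", "replace") for l in lines[:-1]]


def probe_starttls_injection(host: str, port: int = 25, timeout: float = 5.0) -> bool:
    """True if the server answers the injected RSET after the TLS handshake,
    i.e. it executed plaintext that arrived before encryption began."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        read_reply(sock.recv)                              # 220 greeting
        sock.sendall(b"EHLO probe.example.invalid\r\n")   # assumed client name
        code, caps = read_reply(sock.recv)
        if code != 250 or not any(c.upper().startswith("STARTTLS") for c in caps):
            raise RuntimeError("server does not offer STARTTLS")
        sock.sendall(PROBE)                                # one write, one segment
        code, _ = read_reply(sock.recv)                    # 220 Ready to start TLS
        if code != 220:
            raise RuntimeError(f"unexpected reply to STARTTLS: {code}")
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE                    # testing behaviour, not identity
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.settimeout(timeout)
            try:
                # Nothing has been sent inside TLS, so any reply here answers
                # the RSET that was queued in plaintext before the handshake.
                read_reply(tls.recv)
            except socket.timeout:
                return False               # fixed server discarded the pre-handshake plaintext
            return True
```

A fixed server empties its input buffer when it starts the TLS handshake, so the second read times out; a vulnerable one replies to the RSET, typically with a 250. The same idea applies to the other STARTTLS-style protocols the writeup mentions, with the protocol's own no-op command in place of RSET.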
6. *Vendor Information, Solutions and Workarounds*
This issue was reported to Microsoft in August 2009. The vendor has
acknowledged the report and after extensive analysis indicated that it
plans to solve the problem in future updates to the associated products.
We recommend that affected users run all mission-critical Windows
applications on non-virtualized systems or use virtualization
technologies that are not affected by this bug. Windows operating systems
and applications that must run virtualized using Virtual PC technologies
> it can potentially affect any web site including Google's various services
> (if Google would have used Debian systems to create their private keys).
>
>
> OpenID is "singled out" because I am not talking about a potential
> problem but an actual problem.
>
>
> Sorry Ben, but any web site or service (HTTP, SMTP, IMAP, SSH, VPN, etc.)
> which makes use of a compromised key has an actual problem and not a
> potential problem. Open ID as a standard isn't more affected than, let's say
Are all Application developers now required to work around obvious bugs
in the way Windows handles the mailto: handler ?
What you call for is in essence - mitigation, yes it's fine to mitigate
a "vulnerability". But shouldn't we be concentrating on finding and
fixing the root cause instead of trying to mitigate the problem in
(hundreds) of third-party applications?
RAG> How is that a Microsoft or Windows problem?
How is that _not_ a Windows Problem ?
January 31, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : git-core
Vulnerability : several
Problem type : remote
Debian-specific: no
Debian bug : 532935
CVE ID : CVE-2009-2108
A bug in git-core caused the security update in DSA 1841 to fail to
July 25th, 2009 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : git-core
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
Debian bug : 532935
CVE ID : CVE-2009-2108
It was discovered that git-daemon which is part of git-core, a popular
proxy to prevent access to web sites.
An attacker might add a very long string to the URL to access web
resources although access to them is forbidden.
This problem could be verified in all firmware versions up to v1.12.
A similar vulnerability was already detected years ago in a similar
device, the Netgear RP114. [1, 2]
III. EXPLOITATION
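The advisory states only the symptom: a URL padded with a very long string gets past the block list. The model below is an added illustration, not the device's firmware, and assumes one plausible mechanism, a filter that gives up (fails open) on requests longer than its working buffer. The buffer size, the block list and the URLs are constructed. The hardened version decides on the parsed host rather than a substring of the raw request line, and treats an over-long request as a reason to refuse it, not to skip the check.

```python
from urllib.parse import urlsplit

BLOCKLIST = ("blocked.example",)   # constructed block list
FILTER_BUF = 256                   # assumed working-buffer size; not from the advisory


def vulnerable_filter(url: str) -> bool:
    """Allow/deny decision modelled to fail open: a request line that does not
    fit the working buffer is forwarded without being matched at all."""
    if len(url) > FILTER_BUF:
        return True                # the bypass: "too big to check" becomes "allowed"
    return not any(blocked in url for blocked in BLOCKLIST)


def hardened_filter(url: str) -> bool:
    """Fail closed, and match the parsed host against the block list."""
    if len(url) > FILTER_BUF:
        return False               # refuse what cannot be inspected
    host = (urlsplit(url).hostname or "").rstrip(".")
    return not any(host == b or host.endswith("." + b) for b in BLOCKLIST)


def bypass_url(padding: int = 512) -> str:
    """The attack the advisory describes: a blocked host followed by a very
    long string (constructed)."""
    return "http://blocked.example/" + "A" * padding
```

The host-based match also removes a second weakness of the substring version: a query string that merely mentions a blocked name no longer triggers a deny.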
Hi,
I've found a few problems with the way DSL modems by a vendor Bharti and provided by Airtel (an Indian ISP) are setup. I've been talking
with Airtel on this over the past couple of months to try to get them to close the vulnerability. They feel that they have addressed the issue appropriately. Please find the details of the vulnerability below in the forwarded emails. The vulnerability can be verified by trying a telnet on any random Airtel IP (say 122.167.xx.xx).
Cheers,
Shishir
---------- Forwarded message ----------
From: Shishir Birmiwal <shr@birmiwal.net>
- -----------/
2) COMODO FIREWALL PRO (BID 28742, CVE-2008-1736)
In Comodo there are problems in the argument validation of the
'NtDeleteFile', 'NtCreateFile' and 'NtSetThreadContext' functions.
'NtDeleteFile' receives just one parameter, a pointer to an
'OBJECT_ATTRIBUTES' structure. These attributes would include the
'ObjectName' and the 'SECURITY_DESCRIPTOR', for example. This is the
hook placed by Comodo at 'NtDeleteFile'.
December 6th, 2007 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : wesnoth
Vulnerability : directory traversal
Problem type : remote
Debian-specific: no
CVE ID : CVE-2007-5742
A vulnerability has been discovered in Battle for Wesnoth that allows
remote attackers to read arbitrary files the user running the client
commands on vulnerable systems by attaching a specially crafted file that
triggers exploitation when unsuspecting users attempt to "View" the
attachment. Exploitation of these vulnerabilities requires user intervention.
Although these specific vulnerabilities exist in a third-party component,
the problem is compounded by the way Lotus Notes displays information about
attachments, which makes it easier to elicit unsuspecting assistance from
users to exploit them. Lotus Notes displays the file type and
corresponding icon based on the attached file's extension rather than the
MIME Content-Type header in the email, whereas the view functionality is
handled by the Verity KeyView component, which processes the attachment
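A check a mail gateway or an analyst can run for the mismatch the advisory describes, added here and not part of the advisory or of Lotus Notes: for each attachment, compare the type implied by the file name's extension with the declared Content-Type and with the type sniffed from the leading bytes, and flag any disagreement. The signature table covers only a few formats and the sample message is constructed.

```python
import mimetypes
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# A few content signatures of the kind a content-based viewer dispatches on.
MAGIC = (
    (b"%PDF-", "application/pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/msword"),  # OLE2 compound file
    (b"PK\x03\x04", "application/zip"),
)


def sniff(data: bytes) -> Optional[str]:
    """Type implied by the leading bytes, or None if unknown to this table."""
    for prefix, ctype in MAGIC:
        if data.startswith(prefix):
            return ctype
    return None


def attachment_findings(raw: bytes) -> List[Dict[str, object]]:
    """For every attachment, compare the extension-implied type with the
    declared Content-Type and with the sniffed content type."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        declared = part.get_content_type()
        by_ext = mimetypes.guess_type(name)[0]          # what the icon is chosen from
        sniffed = sniff(part.get_payload(decode=True) or b"")  # what a viewer acts on
        content_mismatch = sniffed is not None and sniffed != by_ext
        header_mismatch = by_ext is not None and by_ext != declared
        findings.append({
            "filename": name,
            "declared": declared,
            "by_extension": by_ext,
            "sniffed": sniffed,
            "suspicious": content_mismatch or header_mismatch,
        })
    return findings


def sample_message() -> bytes:
    """Constructed test mail: a PDF body carried under a .txt name, next to
    an honestly labelled PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    pdf_bytes = b"%PDF-1.4\n1 0 obj << >> endobj\n%%EOF\n"
    msg.add_attachment(pdf_bytes, maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()
```

The first attachment shows the case in the advisory: the extension (and here even the declared Content-Type) says plain text, so the client would show a text icon, while the bytes are something a content-based viewer would treat as a PDF.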
If I click on the test link in IE 7, by itself, it does not have the vulnerability.
The applications in question are accepting arbitrary input and not validating correctly.
How is that a Microsoft or Windows problem?
Don't get me wrong, I want to protect end-users as much as the next person (as does MS), but if it is the application not validating correctly, could there not be hundreds of potential characters and strings that cause input validation problems in particular circumstances, which will vary according to the application?
If Microsoft scrubs out every potential malicious character, it's bound to break lots of legitimate applications. That would make plenty of users and developers mad.
The error was introduced with the Postfix SASL patch, and is present
in all Postfix versions where the command "postconf mail_release_date"
reports a value of 20000314 (March 14, 2000) or greater.
This problem was discovered by Thomas Jarosch of Intra2net AG.
The memory corruption is known to result in a program crash (SIGSEGV).
Remote code execution cannot be excluded. Such code would execute
as the unprivileged "postfix" user. This user has no control over
processes that run with non-postfix privileges including Postfix
May 21, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : apr
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-0419 CVE-2011-1928
Debian bug : 627182
June 25, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : tiff
Vulnerability : several
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2011-0191 CVE-2011-0192 CVE-2011-1167
Debian Bug : 619614 630042
The recent tiff update DSA-2210-1 introduced a regression that could
Dec 20th, 2011 http://www.debian.org/security/faq
- ---------------------------------------------------------------------------
Package : lighttpd
Vulnerability : multiple
Problem type : remote
Debian-specific: no
Debian bug : 652726
CVE IDs : CVE-2011-4362 CVE-2011-3389
Several vulnerabilities have been discovered in lighttpd, a small and fast
April 15, 2012 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : apache2
Vulnerability : insecure default configuration
Problem type : local/remote
Debian-specific: yes
CVE ID : CVE-2012-0216
Niels Heinen noticed a security issue with the default Apache
configuration on Debian if certain scripting modules like mod_php or
April 02, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : netpbm-free
Vulnerability : stack-based buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE Id : CVE-2009-4274
Debian Bug : 569060
April 15th, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : ejabberd
Vulnerability : heap overflow
Problem type : remote
Debian-specific: no
CVE Id : CVE-2010-0305
Debian Bug : 568383
It was discovered that in ejabberd, a distributed XMPP/Jabber server
- ------------------------------------------------------------------------
Package : phpldapadmin
Vulnerability : missing input sanitising
Problem type : remote
Debian-specific: no
Debian bug : 561975
CVE Id : CVE-2009-4427
January 12, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : krb5
Vulnerability : integer underflow
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2009-4212
Debian Bug : none
It was discovered that krb5, a system for authenticating users and services on a
January 28, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : maildrop
Vulnerability : privilege escalation
Problem type : local
Debian-specific: no
CVE Id : CVE-2010-0301
Debian Bug : 564601
The latest DSA for maildrop introduced two regressions. The maildrop