
Advisory #234 - Samba, Multiple News

by Sunnet Beskerming Alert mailing list


Sûnnet Beskerming Alert List Advisory #234

You are receiving this message because you have subscribed to our  
Information Security Alert Mailing List, or have been selected for a  
specific one-off copy.  If you believe that you are receiving this  
message in error, please contact info@... to resolve the  
error.

Why not upgrade to get same day notification on security threats?  
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your  
company?
(http://www.beskerming.com/premium/focussed_advisory.html)


Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Samba
        - Remote Hacker Automatic Control
        - Time Since Discovery - 2 Days
=======================================
/*
        - Remote or Local - Can it be achieved through a network or does it  
require physical access?
        - Hacker - The bad guy
        - Manual or Automatic  - Does the vulnerability need to be manually  
performed, or can it be automated?
        - Control, Denial of Service or Data Theft - Will the hacker get  
control of your system / website, will they prevent you from using  
it, or will they steal data?
*/
--------------------------------------------------------------------
2.    NEWS
--------------------------------------------------------------------
2.1 .ANI Vulnerability Still Causing Problems
2.2 PirateBay Attacked
2.3 The Joy Of Variable-Width Encoding
=====================================

1. SECURITY

1.1 Samba - Remote Hacker Automatic Control

        -- Products Affected --
        Samba 3.0.24 and earlier

        -- Technical Description --
        Multiple vulnerabilities exist within the Samba networking tool,  
including remote code execution due to heap overflows, privilege  
escalation to root, and remote code execution through poor parameter  
handling.

        -- Description --
        The popular open source Samba networking tool (used to provide  
access to Windows SMB/CIFS network shares) has had a critical update  
released that addresses a number of vulnerabilities which could allow  
remote attackers to gain complete control over a vulnerable system.  
Because of the software's popularity, this is considered a serious  
threat with the potential to affect many end users and  
administrators.

        -- Recommended Action --
        Update to Samba 3.0.25 at the earliest opportunity.

        -- Source --
        (Paid subscription required to access)

        -- Updates Available --
        (Paid subscription required to access)

        -- External Tracking Data --
        (Paid subscription required to access)

        -- Threat Matrix --
                        U   O
        Home User       8   9  (Very High - Critical)
        Corporate       8   9  (Very High - Critical)

=======================================
/*
Threat Matrix:
        U - User
        O - Operator
        Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 .ANI Vulnerability Still Causing Problems

As reported by eWeek and a number of other sources, the .ANI  
vulnerability recently patched by Microsoft in an out-of-cycle update  
is still causing problems for Internet users. In this particular case  
the affected site was a major one: Tom's Hardware.

When the .wmf vulnerability was a major concern a couple of years  
ago, many feared that the greatest threat to Internet users would  
come from compromised advertising hosts, who then provided malicious  
images to legitimate sites as part of their advertising programs.  
This would have the effect of a trusted site infecting users, by way  
of their advertising provider.

With the infected image being provided to site visitors for 24 hours,  
at least 100,000 hits on the infected image are likely to have  
happened (based on 5 million hits per month).

Incidents such as this highlight the difficulties of identifying  
'good' from 'bad' sites, and the problems that applications such as  
SiteAdvisor face when trying to determine the difference (and also  
what happens when a 'good' site is 'bad', even if only for a very  
short period).


2.2 PirateBay Attacked

According to a recent post on the PirateBay blog, an attacker  
compromised the popular torrent site and made off with the complete  
list of user accounts and hashed passwords.

Although it would be very difficult to recover the passwords  
(especially if they have been salted and hashed using an effective  
algorithm), the site operators are encouraging users to update their  
account details and change their passwords used to access the site.

The site operators claim to already know who compromised the site,  
and how they achieved the attack (it helps that they left a fairly  
public calling card).

Due to the general illegality of the material linked to on the site  
(although the .torrent files are actually hosted there, a .torrent  
file only points to a number of systems that are actually hosting the  
desired content), it is unlikely that any formal investigation will  
be undertaken to recover any damages, or for compensation.


2.3 The Joy Of Variable-Width Encoding

One of the problems that web and application developers face is how  
to handle variable-width encoding, where a single character shown on  
the screen can take more than one byte of memory to store and display  
(the standard ASCII set uses exactly one byte per character).  
Probably the most common trouble occurs when sites written for ASCII  
encounter UTF-8, other Unicode encodings, or Asian character sets  
containing characters that need more than one byte.  If a developer  
has not allowed for the presence of these character sets, the  
application or site may fail to display the input properly, or fail  
to show the characters at all.  Back-end databases that are not  
prepared to receive Unicode input may also have problems handling  
this information (such as a MySQL table using the latin1 character  
set receiving UTF-8 input).

What is a multi-byte character?  The û in Sûnnet Beskerming is one:  
encoded in UTF-8 it occupies more than one byte, so website code must  
be aware of its presence in order to display it properly.  While it  
isn't present in the base ASCII set, it is in the extended ASCII set,  
and is present in many other sets, such as UTF-8.

Given this well-known issue, one would assume that defensive software  
knows how to handle data presented in a multi-byte character format.  
Unfortunately, this isn't the case.  It has been discovered that many  
HTTP content scanners cannot properly scan traffic encoded with  
half-width or full-width Unicode character sets (which suggests that  
they are only set up to process a fairly basic ASCII character set),  
so the traffic passes through without the malicious content being  
detected, even though the web application or server behind the  
scanner is quite likely to understand it.

To make matters worse, this is a method of attack that web attackers  
have known about for a very long time (based on how web applications  
handle odd input), and with the increasing use of HTTP content  
scanning, many sites and users will find that they are a lot less  
protected than they think.  The simplicity of launching an attack  
using one of these methods means that this oversight by security  
companies is much worse than it initially appears.

This is a case of unintentional snake oil - if the security vendors  
aren't aware of an attack vector (even if it is well known), then  
they can't be sure that they aren't selling snake oil.
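To show why a scanner that only understands ASCII misses full-width text, here is an added example (not from the advisory or any vendor's product) that compares a naive byte-substring check with one that decodes UTF-8 and folds compatibility characters with NFKC before matching. The request body, the signature string and the full-width mapping are constructed for illustration.

```python
import unicodedata

# Constructed sample request body (not taken from the advisory), first in
# plain ASCII and then with every printable ASCII character mapped to its
# Unicode full-width form (U+FF01..U+FF5E) and encoded as UTF-8.
ASCII_BODY = b"name=<script>alert(1)</script>"

# Illustrative signature a content scanner might look for.
SIGNATURE = "<script"


def to_fullwidth(text: str) -> str:
    """Map printable ASCII 0x21-0x7E to the Full-width Forms block (+0xFEE0)."""
    return "".join(
        chr(ord(c) + 0xFEE0) if 0x21 <= ord(c) <= 0x7E else c for c in text
    )


FULLWIDTH_BODY = to_fullwidth(ASCII_BODY.decode("ascii")).encode("utf-8")


def naive_scan(raw: bytes) -> bool:
    """ASCII-only scanner: case-folded byte substring match, no decoding.
    The full-width bytes (0xEF 0xBC ... ) never contain b'<script'."""
    return SIGNATURE.encode("ascii") in raw.lower()


def normalising_scan(raw: bytes) -> bool:
    """Decode as UTF-8 (replacing undecodable bytes rather than failing
    open) and apply NFKC so U+FF1C '＜' folds to '<' and U+FF53 'ｓ' to
    's' before the signature is matched."""
    text = raw.decode("utf-8", errors="replace")
    folded = unicodedata.normalize("NFKC", text).lower()
    return SIGNATURE in folded


def byte_and_char_length(s: str) -> tuple[int, int]:
    """UTF-8 byte count versus character count: 'û' is one character but
    two bytes, which is the multi-byte property discussed above."""
    return len(s.encode("utf-8")), len(s)


if __name__ == "__main__":
    for label, body in (("ascii", ASCII_BODY), ("fullwidth", FULLWIDTH_BODY)):
        print(label, "naive:", naive_scan(body), "normalised:", normalising_scan(body))
    print("Sûnnet bytes/chars:", byte_and_char_length("Sûnnet"))
```

Normalising before inspection is only half the job: the scanner must fold with the same rules the protected application applies, otherwise the two still disagree on what a request contains.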

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister  
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and  
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.  
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist  
and, in conjunction with the tools developed by Jongsma & Jongsma  
Pty. Ltd., provides total security solutions and services, from the  
perimeter to internal data stores, including web application security  
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com
