Advisory #234 - Samba, Multiple News

Sûnnet Beskerming Alert List Advisory #234

You are receiving this message because you have subscribed to our  
Information Security Alert Mailing List, or have been selected for a  
specific one-off copy.  If you believe that you are receiving this  
message in error, please contact info@... to resolve the  
error.

Why not upgrade to get same day notification on security threats?  
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your  
company?
(http://www.beskerming.com/premium/focussed_advisory.html)


Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Samba
        - Remote Hacker Automatic Control
        - Time Since Discovery - 2 Days
=======================================
/*
        - Remote or Local - Can it be achieved through a network or does it  
require physical access?
        - Hacker - The bad guy
        - Manual or Automatic  - Does the vulnerability need to be manually  
performed, or can it be automated?
        - Control, Denial of Service or Data Theft - Will the hacker get  
control of your system / website, will they prevent you from using  
it, or will they steal data.
*/
--------------------------------------------------------------------
2.    NEWS
--------------------------------------------------------------------
2.1 .ANI Vulnerability Still Causing Problems
2.2 PirateBay Attacked
2.3 The Joy Of Variable-Width Encoding
=====================================

1. SECURITY

1.1 Samba - Remote Hacker Automatic Control

        -- Products Affected --
        Samba 3.0.24 and earlier

        -- Technical Description --
        Multiple vulnerabilities exist within the Samba networking tool,  
including remote code execution due to heap overflows, privilege  
escalation to root, and remote code execution through poor parameter  
handling.

        -- Description --
        The popular open source Samba networking tool (used to provide  
connection to Windows SMB/CIFS networking shares) has had a critical  
update released which addresses a number of vulnerabilities that  
could lead to remote attackers gaining complete control over a  
vulnerable system.  Because of the popularity of the software, it is  
considered a serious threat that has the potential to affect many end  
users and administrators.

        -- Recommended Action --
        Update to Samba 3.0.25 at the earliest opportunity.

        -- Source --
        (Paid subscription required to access)

        -- Updates Available --
        (Paid subscription required to access)

        -- External Tracking Data --
        (Paid subscription required to access)

        -- Threat Matrix --
                        U O
        Home User 8 9  (Very High - Critical)
        Corporate 8 9  (Very High - Critical)

=======================================
/*
Threat Matrix:
        U - User
        O - Operator
        Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 .ANI Vulnerability Still Causing Problems

As reported by eWeek and a number of other sources, it appears that  
the .ANI vulnerability recently patched by Microsoft in an out-of-
cycle patch is still causing problems for Internet users. In this  
particular case, it was a major website that was affected - Tom's  
Hardware.

When the .wmf vulnerability was a major concern a couple of years  
ago, many feared that the greatest threat to Internet users would  
come from compromised advertising hosts, who then provided malicious  
images to legitimate sites as part of their advertising programs.  
This would have the effect of a trusted site infecting users, by way  
of their advertising provider.

With the infected image being provided to site visitors for 24 hours,  
at least 100,000 hits on the infected image are likely to have  
happened (based on 5 million hits per month).

Incidents such as this highlight the difficulties of identifying  
'good' from 'bad' sites, and the problems that applications such as  
SiteAdvisor face when trying to determine the difference (and also  
what happens when a 'good' site is 'bad', even if only for a very  
short period).


2.2 PirateBay Attacked

According to a recent post on the PirateBay blog, an attacker was  
able to successfully attack and compromise the popular Torrent site,  
making off with the complete list of user accounts and hashed passwords.

Although it would be very difficult to recover the passwords  
(especially if they have been salted and hashed using an effective  
algorithm), the site operators are encouraging users to update their  
account details and change their passwords used to access the site.

The site operators claim to already know who compromised the site,  
and how they achieved the attack (it helps that they left a fairly  
public calling card).

Due to the general illegality of the material linked to on the site  
(although the .torrent files are actually hosted there, a .torrent  
file only points to a number of systems that are actually hosting the  
desired content), it is unlikely that any formal investigation will  
be undertaken to recover any damages, or for compensation.


2.3 The Joy Of Variable-Width Encoding

One of the problems that web and application developers face is how  
to handle variable-width encoding, where each character represented  
on the screen can take more than one byte of memory to store and  
display (the standard ASCII set only uses one byte per character).  
Probably the most common trouble encountered is when sites encoded in  
ASCII encounter utf-8, unicode, or asian character sets that contain  
characters which require more than one byte to display.  If a  
developer has not factored for the presence of these sort of  
character sets, their application or site may end up failing to  
properly display the desired input, or completely fail to show the  
characters.  Back end databases that are not prepared to receive  
unicode-type input may also cause problems when handling this  
information (such as MySQL's latin encoding versus utf-8 input).

What is a multi-byte character?  The û in Sûnnet Beskerming is a  
multi-byte character, which requires website code to be aware of its  
presence in order to display properly.  While it isn't present in the  
base ASCII set, it is in the extended ASCII set, and is present in  
many other sets, such as utf-8.

With this known issue, it would be assumed that defensive software  
would be aware of how to handle data that is presented in a multi-
byte character format.  Unfortunately, this isn't the case.  It has  
been discovered that many HTTP content scanners can not properly scan  
traffic that is encoded with half or full-width unicode character  
sets (which suggests that they are only set up to process a fairly  
basic ASCII character set), thus allowing the traffic to pass through  
without being able to detect malicious content (which the web  
application or server is more likely to understand).

To make matters worse, this is a method of attack that web attackers  
have known about for a very long time (based on how web applications  
handle odd input), and with the increasing use of HTTP content  
scanning many sites and users will find that they are a lot less  
protected than they think.  The simpleness of launching an attack  
using one of these methods means that this oversight by security  
companies is much worse than it initially appears.

This is a case of unintentional snake oil - if the security vendors  
aren't aware of an attack vector (even if it is well known), then  
they can't be sure that they aren't selling snake oil.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister  
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and  
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..  
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist  
and, in conjunction with the tools developed by Jongsma & Jongsma  
Pty. Ltd., provides total security solutions and services, from the  
perimeter to internal data stores, including web application security  
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com