Security
Authentication bypass in routers
An authentication bypass vulnerability is one of the more dangerous problems that a web application can have. It allows the attacker to perform some action that the application designer saw fit to restrict to authenticated users without providing said authentication. Using these techniques, an attacker can control a targeted web application from afar without even wasting time cracking bad passwords—a dream scenario for such people.
If an authentication bypass is found in the latest social networking site, the flaw could cause embarrassment, but if that bypass is in your home router, much worse things could result. A series of articles over at GNUCITIZEN highlights quite a variety of authentication bypass flaws in various embedded devices including routers. The flaws come from their research and recent router hacking challenge, which challenged readers to find holes in their routers. (There is no table of contents for the series, so here are links to the four installments: 1, 2, 3, and 4).
Most authentication bypass flaws are caused by a conceptual mistake made by web programmers: believing that the "normal" way of accessing the site is the only way to access it. This manifests itself as applications that check for particular URLs to see if they require credentials without considering the possibility of aliasing. For example, web servers will generally ignore double-slashes in a URL, but if the application checks for /privileged/page and gets /privileged//page it may very well fall prey to an authentication bypass. Other similar schemes can be used to make the URL look different, but arrive at the same place.
A far uglier possibility is applications that believe you can only get to a particular URL via a page that enforces authentication. This is a belief in "security through obscurity"; that attackers won't be able to guess the URLs for the pages "behind" the authentication screen. This is almost comical in that there are many ways to find out what those URLs are, not least by buying the device and accessing them yourself. Pages that require authentication need to check that the credentials have been provided whenever the page is accessed—without regard for what URL got them there.
Some applications do all of the checking correctly on the pages that show various settings in a form allowing them to be changed, but the action of the form submits it to a different program. Inexplicably, sometimes that program does not check for credentials. Perhaps the programmer believes that web forms can only be submitted from the page that they have created, but it is trivially easy to generate an HTTP POST with the appropriate parameters. It certainly does no good to protect the current value of settings from non-authenticated users if they can easily change them to any values they want.
In terms of web security, authentication bypass is usually quite easy to avoid: it is a matter of ensuring valid credentials anywhere they are required. Before performing any action that requires a logged-in user, check the cookie (or other persistent authentication mechanism) for validity, then perform the action requested. For people using routers at home, perhaps the best advice is to make sure the administrative interface is not internet facing. Routers have a pretty bad track record of getting this right so far, as the hacking challenge and other research has shown.
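The two mistakes described above (matching the raw URL string instead of the path the server will actually resolve, and forgetting the program a form submits to), side by side with the deny-by-default dispatcher the article recommends. This is an added illustration, not code from the article or from any router firmware; the handler names, `/apply.cgi`, and the session value are constructed for the example.

```python
import posixpath

# Constructed stand-in for a valid admin session cookie (example only).
VALID_SESSION = "session-constructed-for-example"

# Constructed handlers standing in for a router's admin pages: the settings
# form, the program its action submits to, and the login page.
def login_page(_params):     return "login form"
def settings_page(_params):  return "current settings"
def apply_settings(_params): return "applied"

PUBLIC = {"/login": login_page}
PROTECTED = {"/privileged/page": settings_page, "/apply.cgi": apply_settings}

# The naive app's idea of which URLs need a login: the page it wrote, and only
# as spelled there. The form action /apply.cgi was forgotten entirely.
NAIVE_LOGIN_REQUIRED = {"/privileged/page"}

def canonical_path(raw_url):
    """Resolve the path the way the server will before choosing a handler:
    drop the query string, collapse repeated slashes and '.'/'..' segments."""
    path = raw_url.split("?", 1)[0]
    return posixpath.normpath("/" + path.lstrip("/"))

def find_handler(path):
    return PUBLIC.get(path) or PROTECTED.get(path)

def dispatch_naive(raw_url, cookie, params=None):
    """Vulnerable pattern from the article: the credential check keys on the raw
    URL string, while the server resolves aliases only afterwards."""
    if raw_url in NAIVE_LOGIN_REQUIRED and cookie != VALID_SESSION:
        return "401"
    handler = find_handler(canonical_path(raw_url))
    return handler(params) if handler else "404"

def dispatch_hardened(raw_url, cookie, params=None):
    """Normalize first, then deny by default: anything outside the explicit
    public set needs a valid session, whatever URL spelling reached it."""
    path = canonical_path(raw_url)
    if path in PUBLIC:
        return PUBLIC[path](params)
    if cookie != VALID_SESSION:
        return "401"
    handler = PROTECTED.get(path)
    return handler(params) if handler else "404"
```

With `dispatch_naive`, `/privileged//page`, `/privileged/../privileged/page` and a bare submission to `/apply.cgi` all succeed without a session; `dispatch_hardened` refuses every one of them and still serves the same pages to a valid session.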
Brief items
A set of Android vulnerabilities
Core Security has sent out a lengthy security advisory about Google's Android platform. It seems that, in their hurry to get something out there, the developers at Google used some old image processing libraries with a number of old, well-known vulnerabilities. This release was not meant for deployment anywhere, so there should have been no harm done. Given the stakes, though, one can only assume that future releases will be made with more care.
New vulnerabilities
am-utils: overwrite arbitrary files
| Package(s): | am-utils |
| CVE #(s): | |
| Created: | February 29, 2008 |
| Updated: | March 5, 2008 |
| Description: | The am-utils package could be vulnerable to an attack in which one local user can modify the contents of arbitrary files to which other local users running expn have write access. |
audacity: insecure tmpfile handling
| Package(s): | audacity |
| CVE #(s): | CVE-2007-6061 |
| Created: | March 3, 2008 |
| Updated: | May 12, 2008 |
| Description: | From the Gentoo advisory: Viktor Griph reported that the "AudacityApp::OnInit()" method in file src/AudacityApp.cpp does not handle temporary files properly. A local attacker could exploit this vulnerability to conduct symlink attacks to delete arbitrary files and directories with the privileges of the user running Audacity. |
cacti: multiple vulnerabilities
| Package(s): | cacti |
| CVE #(s): | CVE-2008-0783 CVE-2008-0784 CVE-2008-0785 CVE-2008-0786 |
| Created: | February 28, 2008 |
| Updated: | July 16, 2008 |
| Description: | From the Mandriva alert: A number of vulnerabilities were found in the Cacti program, including XSS vulnerabilities, SQL injection vulnerabilities, CRLF injection vulnerabilities, and information disclosure vulnerabilities. |
dbus: privilege escalation
| Package(s): | dbus |
| CVE #(s): | CVE-2008-0595 |
| Created: | February 28, 2008 |
| Updated: | October 14, 2008 |
| Description: | From the Red Hat alert: Havoc Pennington discovered a flaw in the way the dbus-daemon applies its security policy. A user with the ability to connect to the dbus-daemon may be able to execute certain method calls they should normally not have permission to access. |
evolution: format string vulnerability
| Package(s): | evolution |
| CVE #(s): | CVE-2008-0072 |
| Created: | March 5, 2008 |
| Updated: | May 28, 2008 |
| Description: | The encrypted mail display code in evolution suffers from a format string vulnerability which could be exploited by way of a specially crafted email message. |
firebird: multiple vulnerabilities
| Package(s): | firebird |
| CVE #(s): | CVE-2008-0387 CVE-2008-0467 |
| Created: | March 3, 2008 |
| Updated: | March 27, 2008 |
| Description: | From the Gentoo advisory: Firebird does not properly handle certain types of XDR requests, resulting in an integer overflow (CVE-2008-0387). Furthermore, it is vulnerable to a buffer overflow when processing usernames (CVE-2008-0467). A remote attacker could send specially crafted XDR requests or an overly long username to the vulnerable server, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application. |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2007-3731 |
| Created: | March 3, 2008 |
| Updated: | March 5, 2008 |
| Description: | From the rPath advisory: Previous versions of the Linux kernel package contain a vulnerability in the ptrace system call which allows local users to cause a Denial of Service. |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-6921 |
| Created: | March 5, 2008 |
| Updated: | March 5, 2008 |
| Description: | From the Red Hat advisory: a flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped, possibly causing a denial of service. |
kernel: information disclosure
| Package(s): | kernel |
| CVE #(s): | CVE-2007-6207 |
| Created: | March 5, 2008 |
| Updated: | March 5, 2008 |
| Description: | From the Red Hat advisory: a flaw in the hypervisor for hosts running on Itanium architectures allowed an Intel VTi domain to read arbitrary physical memory from other Intel VTi domains, which could make information available to unauthorized users. |
lighttpd: denial of service
| Package(s): | lighttpd |
| CVE #(s): | CVE-2008-0983 |
| Created: | February 29, 2008 |
| Updated: | July 15, 2008 |
| Description: | From the CVE entry: lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access. |
opera: several vulnerabilities
| Package(s): | opera |
| CVE #(s): | CVE-2008-1080 CVE-2008-1081 CVE-2008-1082 |
| Created: | February 29, 2008 |
| Updated: | March 5, 2008 |
| Description: | Opera version 9.26 fixes: an issue where simulated text inputs could trick users into uploading arbitrary files; image properties can no longer be used to execute scripts; and an issue where the representation of DOM attribute values could allow cross site scripting. |
qemu: insufficient block device address range checking
| Package(s): | qemu, xen |
| CVE #(s): | CVE-2008-0928 |
| Created: | February 29, 2008 |
| Updated: | October 7, 2009 |
| Description: | From Debian Security: Ian Jackson discovered that accesses beyond the end of qemu emulated disk devices can result in accesses to the emulator's virtual memory space and thus can allow a user with sufficient privilege in the guest (root, as this would need modification to the kernel's driver) to break out of the VM. |
thunderbird: heap overflow
| Package(s): | thunderbird, seamonkey |
| CVE #(s): | CVE-2008-0304 |
| Created: | February 29, 2008 |
| Updated: | January 8, 2009 |
| Description: | Security research firm iDefense reported that researcher regenrecht discovered a heap-based buffer overflow vulnerability in Mozilla mail code which could potentially allow an attacker to run arbitrary code. The vulnerability is caused by allocating a buffer that can be three bytes too small in certain cases when viewing an email message with an external MIME body. |
tshark, wireshark: multiple vulnerabilities
| Package(s): | tshark, wireshark |
| CVE #(s): | CVE-2008-1070 CVE-2008-1071 CVE-2008-1072 |
| Created: | March 3, 2008 |
| Updated: | October 2, 2008 |
| Description: | From the rPath advisory: Previous versions of the wireshark package are vulnerable to multiple types of Denial of Service attacks, including crashes and excessive memory consumption. It has not been determined that these vulnerabilities can be exploited to execute malicious code. |
viewvc: multiple access violations
| Package(s): | viewvc |
| CVE #(s): | |
| Created: | March 3, 2008 |
| Updated: | March 5, 2008 |
| Description: | From the Fedora advisory: These security issues have been fixed: omit commits of all-forbidden files from query results; disallow direct URL navigation to hidden CVSROOT folder; strip forbidden paths from revision view; don't traverse log history through forbidden locations; honor forbiddenness via diff view path parameters. |
Page editor: Jake Edge