02.25.08
Posted in IT, Security, Vulnerabilities at 7:06 pm by Tyler Reguly
Virtualization. A technology that is supposed to save organizations money... take 10, 20 or even 50 physical servers and run them as virtual machines on a single physical host. The concept seems to make sense; after all, as someone recently pointed out to me... virtualization has existed in the mainframe world for quite some time. The problem today is that everyone is moving their servers to flawed virtualization software. Flawed software that poses a security risk... a risk that opens the door to 'hackers' and 'crackers'.
Even if we ignore some of the vulnerabilities that we've seen in the past 12 months, we can look at the ones that came out only a few days ago. Vulnerabilities in Samba, Python and a SCSI driver, all of which ship with VMware ESX Server, were published, and while VMware has issued patches, there was a period when these vulnerabilities introduced a new threat into any environment running the software.
Everyone (primarily the virtualization companies) keeps talking about how great virtualization is, but how many people are actually weighing the security risks? In every IT prediction blog for 2008 we saw mention of virtualization and virtualization security... this means the security people are thinking about it, but how about the enterprise world... are their IT staffs considering it?
I'm a big fan and I'm hoping we'll see VMware ESX 3i introduce a new level of security; being a 32MB hypervisor, we'll hopefully see limited vectors of attack. That doesn't mean that we won't see people continue to run ESX 2.x and ESX 3.x; after all, ESX 3.x can still be purchased.
I also have to wonder how people prioritize the installation of virtualization software patches. If the hardware is responsible for 20 virtual servers, how willing are people to risk applying a patch that might have issues? This is why enterprises have patch testing cycles before they implement them... Even if people are willing to install the patches, how often are they aware that their ESX server needs patches installed? Do they monitor the updates? Do they receive email notifications? Even when they do find out, do they act on the provided information? I've seen internet-facing Exchange servers more than 2 years behind on their patches, and I've seen Linux systems that have never been patched. Where do people place ESX? First? Second? Third? Does it depend on the systems hosted on the server? I honestly don't know the answers to these questions, but I'd be curious to find out.
Up until this point, I had written this post over the weekend, seeing as we'd seen a couple of ESX vulnerabilities that are somewhat serious. What made me revisit this post and continue it was the release of a VMware Workstation vulnerability by Core Technologies, a vulnerability that could have negative impacts on malware researchers that have shared folders enabled. This is another example of a negative impact that virtualization technology has that a physical installation wouldn't have.
We're rapidly pushing forward with virtualization, but how prepared are we for it? I've noticed there are a couple of VMware-related talks at CanSecWest this year... Yet is anyone outside of the research community seriously thinking about this? I guess we'll have to wait and see.
01.10.08
Posted in IT, Security, Vulnerabilities at 12:51 pm by Tyler Reguly
By now many people will have seen this, it appeared on Slashdot and Halvar posted it to his blog, but for those that haven't... this is a pretty cool flash to watch. MS08-001 Disassembly.
11.28.07
Posted in IT, Security, Vulnerabilities at 4:14 pm by Tyler Reguly
I'm not going to give an answer to that... but I want everyone to think about it. As most people have read by now, the SANS Top-20 2007 list has been published.
The list this year contains the following:
- C1. Web Browsers
- C2. Office Software
- C3. Email Clients
- C4. Media Players
- S1. Web Applications
- S2. Windows Services
- S3. UNIX and Mac OS Services
- S4. Backup Software
- S5. Anti-virus Software
- S6. Management Software
- S7. Database Software
- H1. Excessive User Rights and Unauthorized Devices
- H2. Phishing / Spear Phishing
- H3. Unencrypted Laptops and Removable Media
- A1. Instant Messaging
- A2. Peer-to-Peer Programs
- N1. VoIP Servers and Phones
- Z1. Zero Day Attacks
Now take a look at past years' lists [2000, 2001, 2002]. The lists were somewhat specific... they gave you specific pieces of software, or enterprise 'security issues' (failure to properly back up, failure to properly log) that were of concern. This year, we're presented with 18 categories (that's right... the top 20 contains 18 categories) that are almost as generic as you can get. This year's SANS Top-20 list contains 257 unique CVEs... and that doesn't include the fact that they have included configuration sections that don't include any CVEs. Someone made the comment that next year they will release the "SANS Number #1" and the single entry will be "Computer". They are starting to get pretty close. The fix will probably be "Unplug the computer".
So if you're in an enterprise... how can you find any meaning in the SANS Top 20? They've essentially told you that users are stupid and that every piece of software you have deployed is flawed. It seems to me that calc.exe is safe... and perhaps sol.exe, but nearly *everything* else fits into one of those categories. There are actually some well respected individuals on the team that composed the SANS Top 20... people that I would not normally associate with this sort of drivel... but really that's what this has become... I almost want to call it a 'FUD Missile'. It's telling me that all backup software is vulnerable, all AV software is vulnerable... my web browser is vulnerable... my IM and media players are vulnerable... Yet they somehow let network infrastructure off the list. DNS rebinding has been fairly popular this year, yet DNS isn't listed... it's mentioned twice in the entire report... once under phishing / spear phishing... and once under 0-days for the Windows DNS 0-day. They don't even mention DNS rebinding as an issue... the phishing section says, "While they leverage flaws in browsers, email systems, and DNS, they do so only to enhance the appearance of legitimacy".
So my question... Do people out there still find meaning in the SANS Top 20? Has it outlived its usefulness?
11.27.07
Posted in IT, Security, Vulnerabilities at 5:13 pm by Tyler Reguly
Yet another one of these exploits... I find this one to be somewhat humorous... if for no reason other than that I see it as a massive Apple failing... Apple has failed miserably. How did they fail? In two ways.
1. QuickTime was not compiled to take advantage of ASLR on Vista.
This is simple enough: you pass the /DYNAMICBASE switch to the linker (and keep the relocation section, i.e. don't link with /FIXED, or the loader has nothing to relocate), and Visual Studio 2005 SP1 will even let you set it up in the linker options. Without that flag the loader maps the image at its preferred base address every time, so Vista's ASLR does nothing for it.
2. Apple saw this issue, or a damn similar one, back in 2002.
Thanks go to Joel Esler for pointing this one out. CVE-2002-0252 describes a buffer overflow in the Content-Type header. The SecurityFocus description of this vulnerability reads:
Apple QuickTime For Windows does not perform sufficient bounds checking of the "Content-Type" header. This issue may be exploited if a server responds with a maliciously crafted "Content-Type" header to an HTTP request for a media file. A "Content-Type" header of 500+ characters is sufficient to trigger this condition, causing stack variables to be overwritten in the process.
With this new vulnerability, we see that the overflow is again in the Content-Type header, as one of the exploits on milw0rm makes evident:
header = (
'RTSP/1.0 200 OK\r\n'
'CSeq: 1\r\n'
'Date: 0x00 :P\r\n'
'Content-Base: rtsp://0.0.0.0/1.mp3/\r\n'
'Content-Type: %s\r\n' # <-- overflow
'Content-Length: %d\r\n'
'\r\n')
So I'm saying it.... Apple failed.
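For the first failing above, here is a check worth running on any shipped Windows binary. This is an added example (my code, not Apple's and not from the original post): it parses the PE optional header and reports whether the DllCharacteristics bits that /DYNAMICBASE and /NXCOMPAT set are present. The build_minimal_pe helper constructs header-only test images so the script runs offline; the script name and the QuickTime file name in the usage comment are assumptions.

```python
import struct
import sys

# DllCharacteristics bits from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated at load time (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP/NX compatible

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image given its raw bytes.

    Only the headers are parsed, so a truncated copy of the file is enough as
    long as it contains the full optional header.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    if size_of_optional < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    (dll_characteristics,) = struct.unpack_from("<H", data, opt + 70)
    return dll_characteristics


def aslr_report(data: bytes) -> dict:
    """Summarise the two mitigation opt-ins that /DYNAMICBASE and /NXCOMPAT set."""
    dc = pe_dll_characteristics(data)
    return {
        "dynamic_base": bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a header-only PE image for testing (constructed data, not a real binary)."""
    e_lfanew = 0x40
    dos_header = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    size_of_optional = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_of_optional, 0x0102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return dos_header + b"PE\0\0" + coff_header + bytes(optional)


if __name__ == "__main__":
    # Usage (assumed file names): python pe_aslr_check.py QuickTimePlayer.exe QuickTime.qts
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            report = aslr_report(fh.read())
        print("%s: ASLR=%s DEP=%s" % (path, report["dynamic_base"], report["nx_compat"]))
```

A module that reports ASLR=False is mapped at its preferred base on Vista no matter what the system policy says, so its addresses are predictable. Run the check over every DLL the player loads as well as the executable, since a single fixed-base module is enough to give an attacker stable addresses.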
11.24.07
Posted in IT, Security, Vulnerabilities at 8:10 pm by Tyler Reguly
I know it shouldn't surprise me anymore... but it still does. Every time I visit a site and see a massive, gaping hole in their web app security. I can get missing an XSS or some other input validation... it's not good, but it happens... what I don't get is shopping cart apps that allow the customer to change the purchase price.
I was visiting the online ordering system of a local pizza/pasta place and, for the first time, noticed the links I was clicking on. The query looked something like this:
'add=310,1,8.95,Sandwiches,veggie&returnto=/top.php'
This translates to: item number, quantity, price, category, description.
Now the first obvious problem is that we've got an open redirect via the 'returnto' field. The second problem is that we can modify the price (the third field), and we can inject text via the category, description or price fields, all of which are echoed back to the page. I did notice that the '<' character was stripped, but that's the only character I noticed being filtered.
As I said, this probably shouldn't surprise me anymore but it still does. The kicker... there's no administrative contact info on the website to point out these flaws to them.
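As an added example (my code, not the restaurant's, which I never saw), here is the add-to-cart handling as the observed link implies it works, next to a version that takes only the item number and quantity from the client. The MENU table, the HTML fragment and the _safe_local_path rules are assumptions; the query string format is the one quoted above.

```python
from decimal import Decimal
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the shop's menu table (assumption: the real app has some such
# catalog; only item 310 from the observed link is populated here)
MENU = {
    "310": {"price": Decimal("8.95"), "category": "Sandwiches", "description": "veggie"},
}

FIELDS = ("item", "qty", "price", "category", "description")


def _parse_add(add_value):
    """Split the 'add' parameter in the observed order: item, quantity, price, category, description."""
    parts = add_value.split(",", 4)
    if len(parts) != len(FIELDS):
        raise ValueError("malformed add parameter")
    return dict(zip(FIELDS, parts))


def _strip_lt(s):
    """The only filtering observed on the site: '<' is dropped, everything else passes."""
    return s.replace("<", "")


def vulnerable_add_to_cart(query_string):
    """Mirror the observed behaviour: every field is trusted and returnto is followed as given."""
    params = parse_qs(query_string)
    f = _parse_add(params["add"][0])
    total = Decimal(f["price"]) * int(f["qty"])  # price chosen by the client
    # description lands in an attribute, so a bare '"' is enough to inject without any '<'
    html = '<td title="%s">%s</td>' % (_strip_lt(f["description"]), _strip_lt(f["category"]))
    return {"total": total, "redirect": params.get("returnto", ["/"])[0], "html": html}


def _safe_local_path(target, default="/"):
    """Allow only same-site absolute paths; reject schemes, hosts and protocol-relative forms."""
    if not target:
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or not target.startswith("/") or target.startswith(("//", "/\\")):
        return default
    return target


def hardened_add_to_cart(query_string):
    """Take only the item number and quantity from the client; everything else comes from MENU."""
    params = parse_qs(query_string)
    f = _parse_add(params["add"][0])
    item = MENU.get(f["item"])
    if item is None:
        raise ValueError("unknown item %r" % f["item"])
    try:
        qty = int(f["qty"])
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    # Server-owned values are still escaped (quote=True covers attribute context) as defence in depth
    html = '<td title="%s">%s</td>' % (escape(item["description"], quote=True), escape(item["category"]))
    return {
        "total": item["price"] * qty,
        "redirect": _safe_local_path(params.get("returnto", [""])[0]),
        "html": html,
    }


if __name__ == "__main__":
    tampered = "add=310,1,0.01,Sandwiches,veggie&returnto=http://evil.example/"
    print("vulnerable:", vulnerable_add_to_cart(tampered))
    print("hardened:  ", hardened_add_to_cart(tampered))
```

The price and any other display values should be looked up by item number server-side; a client can only ever tell you what it wants, never what something costs. If a user-supplied string must be reflected, html.escape with quote=True covers both text and attribute contexts, which stripping one character never will.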
11.14.07
Posted in IT, Security, Vulnerabilities at 2:24 pm by Tyler Reguly
I got an early Christmas gift this year. My fiance bought me a subscription to Yahoo! Music Unlimited: 2 million songs that I can stream/download on demand (which is awesome, if anyone's been thinking about buying it). Now in order to use Yahoo! Music Unlimited, I had to install Yahoo! Music Jukebox. The program's search feature was obviously web based, so I became a little curious. I started testing various inputs in the search box. Basics like <script> were filtered out, but I wanted to see where I could take this. In my 30 minutes or so of searching, I found two issues.
- %00 was accepted into the search box and would cause early termination of the search page when it was loading.
- test%3Cimg%09src%3Djavascript%3Aalert(document.cookie)%3EFaith was a valid XSS. The 'Faith' had to be appended to the end because it would still attempt to search for an artist, and would actually find a match with the data provided prior to 'Faith' using some sort of guessing algorithm. 'Faith' caused the guessing algorithm to not match.
I reported these issues to Yahoo! Security on Nov. 9th and received a same day response. It didn't have the same personalized feel that a report to Microsoft has, but it was speedy. Yesterday (Nov. 13th), I received another email from Yahoo! Security telling me that a fix had been implemented and asking me to test it. I tested it and it was indeed fixed, I was rather impressed.
10.31.07
Posted in IT, Security, Vulnerabilities at 9:13 am by Tyler Reguly
While building a fully patched Windows XP VM the other day, I decided to also install IE7; however, for the sake of snapshotting, I performed a full update (via Windows Update) but unchecked IE7. After I rebooted and took a snapshot, I went back to install IE7. Windows Update downloads the file and kicks off the installer, but then you're left with the IE7 standalone installer. I start clicking through the various options and get to a screen: "Would you like to download the latest updates for Internet Explorer 7?" I want this VM fully patched, so I check the box, and the next screens I see say "Downloading Updates" and "Installing Updates". The install finishes (IE version: 7.0.5730.13) and I figure I'm good to go; however, I always do one last run of Windows Update to check the "Optional" updates to see if there's anything I need. I run Windows Update and, lo and behold, I have a new critical update waiting for me... it's the patch for MS07-050.
Apparently "download and install updates" doesn't mean all updates to Microsoft, just the ones they want to give you. This leaves me slightly concerned: if, as a regular user, I use Windows Update to obtain IE7, I could be vulnerable until I decide to visit the page again. So let's say I'm anti-Automatic Updates, but I still browse to Windows Update once a month; that's a potential 30-day window where the system is vulnerable. If I only check every couple of months, that window increases. Bottom line: if a piece of software tells you that it is checking for updates, it should obtain all updates, not a subset of them.
09.26.07
Posted in IT, Security, Vulnerabilities at 3:08 pm by Tyler Reguly
I'm not going to talk about this, just a link to Ryan's post on the subject.
07.24.07
Posted in IT, Security, Vulnerabilities at 11:01 pm by Tyler Reguly
I just wanted to share a great blog post I found over on the TippingPoint Blog. Cody Pierce does a walk-through on how he found a vulnerability in Borland Interbase 2007. He sums up the post by saying, "I hope this has shed some light on how we go from 0 to 0day in under 30 minutes."
Intro:
So one of our advisories, TPTI-07-013 went out today. The issue is a remote code execution in Borland Interbase 2007. This is an interesting target for us because we accidentally stumbled on it. The story goes like this...
I was up late on Wednesday night, as usual since we are all up late on Wednesday nights, and decided to take a look at BakBone NetVault. Upon installing NetVault, I noticed a process listening on TCP port 3050. This process turned out to be the "Firebird SQL Server". When I found a vulnerability in that process, TPTI-07-11, I did some research on what Firebird SQL is. It turns out that at one point Borland open sourced Interbase. This is when the guys at Firebird decided to branch that source tree and start a free, open source version under the Firebird SQL moniker. So hey, if one product has a vulnerability, and it was forked from another product's source, then maybe we should look at the other vendor. That's where Borland Interbase 2007 comes in. Since it has the same code base, I downloaded a trial and decided to play with it for a few minutes.
So what I'm trying to do in this blog post is go over how I found this bug. Hopefully some of this will serve as an "Auditing 101" how-to for network services. This bug was fairly easy to find, and should be good practice. Hey, maybe it will help you find other Interbase bugs.
Read The Rest
06.20.07
Posted in IT, Security, Vulnerabilities at 11:14 pm by Tyler Reguly
Anyone who's worked with CVSS knows that it has some serious flaws... Today we can change that statement to "had some serious flaws", at least until we find problems with CVSS v2, which was announced today (via SSAATY). The changes incorporated since v1 are fairly substantial and a huge step in the right direction.
They include:
- AccessComplexity changed from a high/low rating to a high/medium/low rating.
- ImpactBias dropped from the base metric; its role moves to the environmental metric as separate Confidentiality, Integrity and Availability Requirements.
- Vulnerabilities giving root (or equivalent) access mean each CIA component is set to 'complete', while user-level access is rated as 'partial'.
- AccessComplexity rewritten to indicate that it measures how difficult the vulnerability is to exploit once working exploit code exists, not how difficult it is to write that exploit code.
- In the environmental metric, TargetDistribution is rated none/low/medium/high.
- AccessVector has changed from Local/Remote to Local/Adjacent Network/Network.
- In the environmental metric, CollateralDamagePotential has changed to none/low/low-medium/medium-high/high.
- In the base metric, Authentication has changed from required/not required to No Auth/Single Auth/Multiple Auth.
- Wording changes to indicate that CVSS should always be applied to the service that is directly vulnerable and not to any secondary systems or indirectly affected users.
- Wording changes to indicate that CVSS should be scored against the configuration most likely in use ("most probable"), not against best practice. The example given is a web browser: more often than not browsers run with administrator rights, even though best practice says otherwise. If the most probable configuration can't be determined, the default configuration should be used.
- Explanation of the proper method of handling multiple ways of exploiting a vulnerability: the score should be calculated for each method and the highest score used.
- The environmental Confidentiality/Integrity/Availability Requirements that replace ImpactBias are rated Low/Medium/High.
- The Exploitability and Impact sub-equations are now combined with a weighting of 0.4 for Exploitability and 0.6 for Impact.
The detailed version change history can be found here.
Full CVSS v2 Documentation can be found here.