
Top Ten Vulnerabilities of 1st Quarter 2002

by Nikola Strahija on May 12th, 2002

SecurityFocus research released a document called Top Ten Vulnerabilities of 1st Quarter 2002. First place was reserved for Multiple Vendor SNMP Implementation Vulnerabilities.


1. SNMP requests are messages sent from manager to agent systems. They typically poll the agent for current performance or configuration information, ask for the next SNMP object in a Management Information Base (MIB), or modify the configuration settings of the agent.

Multiple vulnerabilities have been discovered in a number of SNMP implementations. The vulnerabilities are known to exist in the process of decoding and interpreting SNMP request messages.

Among the possible consequences are denial of service and allowing attackers to compromise target systems. These depend on the individual vulnerabilities in each affected product. There are approximately 300 vulnerable networking devices and networking software products.
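The decoding step described above is where a declared length has to be checked against the bytes actually received. The following is an added example, not code from the SecurityFocus document or from any vendor's agent: a minimal BER header reader that extracts the community string from an SNMPv1/v2c message and rejects lengths that overrun the packet or the output buffer. The function names and the sample byte strings are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read one BER tag/length header at *pos within buf[0..len). Returns 0 and
 * advances *pos to the content, or -1 if the header or content would overrun. */
static int ber_header(const uint8_t *buf, size_t len, size_t *pos,
                      uint8_t *tag, size_t *clen)
{
    uint8_t b;
    size_t n;
    if (len - *pos < 2) return -1;          /* need tag + first length byte */
    *tag = buf[(*pos)++];
    b = buf[(*pos)++];
    n = b;
    if (b & 0x80) {                         /* long form: low bits = byte count */
        size_t k = b & 0x7f;
        if (k == 0 || k > 2 || len - *pos < k) return -1; /* no indefinite form */
        n = 0;
        while (k--) n = (n << 8) | buf[(*pos)++];
    }
    if (n > len - *pos) return -1;          /* content must fit in what remains */
    *clen = n;
    return 0;
}

/* Copy the community string into out (NUL-terminated). Returns its length,
 * or -1 if the message is malformed or the string does not fit in out. */
int snmp_community(const uint8_t *msg, size_t len, char *out, size_t outsz)
{
    size_t pos = 0, n;
    uint8_t tag;
    if (ber_header(msg, len, &pos, &tag, &n) || tag != 0x30) return -1; /* SEQUENCE */
    len = pos + n;                          /* confine parsing to the SEQUENCE */
    if (ber_header(msg, len, &pos, &tag, &n) || tag != 0x02) return -1; /* version */
    pos += n;
    if (ber_header(msg, len, &pos, &tag, &n) || tag != 0x04) return -1; /* community */
    if (n >= outsz) return -1;              /* leave room for the terminator */
    memcpy(out, msg + pos, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed samples (header fields only, no PDU): valid, and length inflated. */
static const uint8_t sample_ok[]  = {0x30,0x0b, 0x02,0x01,0x00, 0x04,0x06,'p','u','b','l','i','c'};
static const uint8_t sample_bad[] = {0x30,0x0b, 0x02,0x01,0x00, 0x04,0x7f,'p','u','b','l','i','c'};

int main(void) { char c[32];
    printf("%d %d\n", snmp_community(sample_ok, sizeof sample_ok, c, sizeof c),
           snmp_community(sample_bad, sizeof sample_bad, c, sizeof c)); return 0; }
```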

2. PHP is a widely deployed scripting language, designed for web based development and CGI programming. PHP does not perform proper bounds checking on functions related to Form-based File Uploads in HTML (RFC1867). Specifically, these problems occur in the functions which are used to decode MIME encoded files. There are numerous stack overflows, heap overflows, and off-by-one conditions.

Each of these conditions may be exploitable by remote attackers to execute arbitrary code on target systems with the privileges of the webserver process. Successful exploitation may result in the remote attackers gaining local access to the target webserver.

PHP is invoked through webservers remotely. It may be possible for remote attackers to exploit this vulnerability to gain access to target systems. A vulnerable PHP interpreter module is available for Apache servers that is often enabled by default.

The attacker identifies a host which is running vulnerable versions of PHP, then executes a custom exploit against the host, causing locations in memory to be overwritten with attacker-supplied instructions. As a result, the attacker gains local access to the host running the vulnerable software.

3. OpenSSH is a suite implementing the SSH protocol. It includes client and server software, and supports ssh and sftp. It was initially developed for OpenBSD, but is also widely used for Linux, Solaris and other Unix operating systems.

A vulnerability has been found in some versions of OpenSSH, manifesting itself as an off-by-one error in the channel code.

A malicious client may exploit this vulnerability by connecting to a vulnerable server. Valid credentials are believed to be required, as the exploitable condition reportedly occurs after successful authentication. Exploitation of the condition may allow for the execution of arbitrary instructions.

If a client program is exploited, the code will run with the privileges of the client process (typically those of the user invoking it). This will provide local access for the attacker in control of the malicious server. If the server process is subverted, code will run as the root user. Because valid credentials are believed to be required, this may allow for an escalation of privileges.

4. Multiple vulnerabilities (21) exist in Oracle 9i products, affecting many of the Oracle 9i products and support services. They include buffer overflow, denial of service, permissions, administrator, user, and information disclosure vulnerabilities.

5. Java virtual machine implementations contain a vulnerability that may allow for malicious Java applets to escape the security sandbox. The vulnerability is due to a data casting error. It is possible for an applet constructed at the bytecode-level to perform an illegal casting operation. By doing so, the security sandbox intended to limit the operations that can be performed by an applet may be escaped. This can result in the unrestricted execution of system-level code with the privileges of the user running the virtual machine (possibly through a browser).

6. In modern browsers, script code executing in the context of one website should not be able to access the properties of another. This is a security feature known as the 'same origin policy', and it is put in place to prevent malicious websites from interacting with and possibly stealing sensitive information from others in different windows.

Microsoft Internet Explorer contains a vulnerability related to this protection in its implementation of the VBScript scripting language.

It is possible for malicious VBScript code in one frame to access the properties of another frame in a different domain. The condition is due to a flaw in the calculation of domain boundaries, which attempts to group content from common domains across different frames together.

Exploitation of this vulnerability may result in disclosure of sensitive information from other domains to remote attackers. Attackers may be able to obtain sensitive information from content belonging to other websites (such as usernames, passwords, etc). It is also possible for attackers to read the contents of files on client systems if the complete path to the file is known.

7. Gator is a software package for Windows computers designed to automatically populate web based forms. It is installed through an ActiveX control, which downloads and executes an installation program from the Gator web site. This ActiveX control remains installed after the Gator installation is complete.

The ActiveX control may be passed a URL to any file named 'setup.ex_', and may be called by arbitrary web pages. A malicious web page may use this control to download and execute arbitrary code on a vulnerable client machine. User interaction is not required.

Exploitation of this vulnerability can immediately lead to local access on the vulnerable machine, from which point further elevation of privileges may be possible.

8. The zlib compression library is reportedly vulnerable to a heap corruption vulnerability. Under some circumstances, a block of dynamically allocated memory may have the 'free()' routine called on it twice. This may occur during decompression.

An exploitable condition may result if the 'free()' function is used on memory that has already been freed. Under some circumstances, it is possible for an attacker to manipulate data layout in the heap so that an arbitrary word in memory is overwritten with a custom value when 'free()' is called for the second time.

Arbitrary code may be executed if critical values such as function return addresses, GOT entries, etc., are overwritten. Several programs use zlib or vulnerable code borrowed from the library, including: SSH / OpenSSH, OpenPKG, rsync, popt / rpm, the Linux Kernel.
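The usual defence against this class of bug is to make release idempotent, so that an error path and the normal teardown cannot both free the same block. The following is an added example, not zlib's code: the `decoder` structure, its functions and the "stream must start with 0x78" rule are hypothetical stand-ins for a decompressor whose error path frees its window before teardown runs.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical decompressor state; names are illustrative, not zlib's. */
struct decoder { unsigned char *window; };

static int live_blocks; /* allocations not yet released */

/* Free *pp at most once: clearing the pointer makes repeat calls no-ops. */
static void release(unsigned char **pp)
{
    if (*pp == NULL) return;
    free(*pp);
    *pp = NULL;
    live_blocks--;
}

int decoder_init(struct decoder *d, size_t wsize)
{
    d->window = malloc(wsize);
    if (d->window == NULL) return -1;
    live_blocks++;
    return 0;
}

/* Constructed validity rule: a stream must start with byte 0x78.
 * On bad input the error path releases the window early. */
int decoder_feed(struct decoder *d, const unsigned char *in, size_t n)
{
    if (d->window == NULL) return -1;
    if (n == 0 || in[0] != 0x78) { release(&d->window); return -1; }
    return 0;
}

/* Normal teardown; runs after the error path too, so it must be idempotent. */
void decoder_end(struct decoder *d) { release(&d->window); }

/* Bad stream, then teardown twice: returns blocks still live (0 if balanced). */
int demo_bad_stream(void)
{
    static const unsigned char bad[] = {0x00, 0x01};
    struct decoder d;
    if (decoder_init(&d, 1024) != 0) return -2;
    decoder_feed(&d, bad, sizeof bad);
    decoder_end(&d);
    decoder_end(&d);
    return live_blocks;
}

int main(void) { printf("live blocks: %d\n", demo_bad_stream()); return 0; }
```

A plain `free(d->window)` in both `decoder_feed` and `decoder_end` would reproduce the condition described above; routing every release through one function that clears the pointer removes it.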

9. Microsoft Commerce Server 2000 is a web server geared towards building e-commerce websites. It uses Microsoft Internet Information Server to provide basic web server functionality, but also includes additional features and functions.

AuthFilter is an ISAPI filter used by Commerce Server to support various methods of user authentication. It has been found to contain an unchecked buffer which could be exploited to cause a failure of the Commerce Server or execution of arbitrary code.

10. A kernel stack overflow condition reportedly exists in the packet filtering module included with BlackIce and RealSecure Server Sensor.

When a small number of large (fragmented) ICMP echo request packets are received, a data handling error may result in the corruption of the kernel stack and it may be possible to execute arbitrary code within kernel memory by replacing a return address with a pointer to instructions.

- Full article available at securityfocus.com



