MalwareTeks Blog » Vulnerabilities

Posts tagged as ' Vulnerabilities ' ...

 18 Apr 2008 @ 6:13 AM 
 

Microsoft Security Advisory (951306)

 

Microsoft Security Advisory (951306)

Vulnerability in Windows Could Allow Elevation of Privilege

Published: April 17, 2008

Microsoft is investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008. Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory. Hosting providers may be at increased risk from this elevation of privilege vulnerability.

Currently, Microsoft is not aware of any attacks attempting to exploit the potential vulnerability. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

General Information

Overview

Purpose of Advisory: To provide customers with the initial notification and provide additional information regarding the impact to Windows service accounts. For more information, see the Workarounds and Suggested Actions sections of the security advisory.

Advisory Status: Advisory published.

Recommendation: Review the suggested actions and configure as appropriate.

References Identification

Microsoft Knowledge Base Article

951306

CVE Reference

CVE-2008-1436

This advisory discusses the following software.

Related Software

Windows XP Professional Service Pack 2

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium based Systems

Windows Vista and Windows Vista Service Pack 1

Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1

Windows Server 2008 for 32-bit Systems

Windows Server 2008 for x64-based Systems

Windows Server 2008 for Itanium-based Systems

Frequently Asked Questions

What is the scope of the advisory?
This advisory clarifies public reports of a potential vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2, Windows Server 2003, Windows Vista, and Windows Server 2008. The issue affects the software listed in the “Overview” section.

Is this a security vulnerability that requires Microsoft to issue a security update?
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our security update release process.

What causes this threat?
Specially crafted code running in the context of the NetworkService or LocalService accounts may gain access to resources in processes that are also running as NetworkService or LocalService. Some of these processes may have the ability to elevate their privileges to LocalSystem, allowing any NetworkService or LocalService processes to elevate their privileges to LocalSystem as well.

How is IIS affected?
User-provided code running in IIS, for example ISAPI filters and extensions, and ASP.NET code running in full trust may be affected by this vulnerability. IIS is not affected in the following scenarios:

Default Installations of IIS 5.1, IIS 6.0, and IIS 7.0
ASP.NET configured to run with a trust level lower than Full Trust.
Classic ASP code

How is SQL Server affected?
SQL Server is affected if a user is granted administrative privileges to load and run code. A user with administrative privileges could execute specially crafted code that could leverage the attack. However, this privilege is not granted by default.

Are there other vectors that an attacker could leverage?
Yes. On Windows Server 2003, an attacker can leverage the Microsoft Distributed Transaction Coordinator (MSDTC) service that runs as NetworkService to acquire a NetworkService token into a process that is running as an identity other than a service identity. An attacker can then use this NetworkService token to elevate to System if this process identity possesses the SeImpersonatePrivilege. This vector does not exist on Windows Server 2008 or Windows Vista.

What additional applications may be affected?
Any process with SeImpersonatePrivilege, as described in Microsoft Knowledge Base Article 821546, which loads and runs user-provided code may be susceptible to an elevation of privilege attack as described in this advisory.

What systems are primarily at risk from the vulnerability?
Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008 may be at risk if IIS is enabled or SQL Server is installed and configured or deployed in a vulnerable state as described by this advisory. IIS systems that allow users to upload code are at increased risk. SQL Server systems are at risk if untrusted users are granted privileged account access. This may include Web hosting providers or similar environments.

Suggested Actions

Workarounds

IIS 6.0 - Configure a Worker Process Identity (WPI) for an application pool in IIS to use a created account in IIS Manager and disable MSDTC

Perform the following steps:

1. In IIS Manager, expand the local computer, expand Application Pools, right-click the application pool and select Properties.
2. Click the Identity tab and click Configurable. In the User name and Password boxes, type the user name and password of the account under which you want the worker process to operate.
3. Add the chosen user account to the IIS_WPG group.

Disabling the Distributed Transaction Coordinator will help protect the affected system from attempts to exploit this vulnerability. To disable the Distributed Transaction Coordinator, perform these steps:

1. Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.
2. Double-click Administrative Tools. Alternatively, click Switch to Classic View and then double-click Administrative Tools.
3. Double-click Services.
4. Double-click Distributed Transaction Coordinator.
5. In the Startup type list, click Disabled.
6. Click Stop (if started), and then click OK.

You can also stop and disable the MSDTC service by using the following command at the command prompt:

sc stop MSDTC & sc config MSDTC start= disabled

Impact of Workaround: Managing the additional user accounts created in this workaround results in increased administrative overhead. Depending on the nature of applications running in this application pool, application functionality may be affected. Disabling MSDTC will prevent applications from using distributed transactions. Disabling MSDTC will prevent IIS 5.1 from running in Windows XP Professional Service Pack 2 and IIS 6.0 running in IIS 5.0 compatibility mode. Disabling MSDTC will prevent configuration as well as running of COM+ applications.

IIS 7.0 - Specify a WPI for an application pool in IIS Manager

1. In IIS Manager, expand the server node, click Application Pools, right-click the application pool, and then click Advanced Settings…
2. .Find the Identity entry, and click the button to open the Application Pool Identity dialog box.
3. Select the Custom account option and click Set to open the Set Credentials dialog box. Type in the selected Account name and Password in the user name and password text boxes. Retype the Password in the Confirm password text box, then click OK.

Note Application pool identities are dynamically added to IIS_WPG group in IIS7 and don’t need to be manually added.

Impact of Workaround: Managing the additional user accounts created in this workaround results in increased administrative overhead. Depending on the nature of applications running in this application pool, application functionality may be affected.

IIS 7.0 - Specify a WPI for an application pool using the Command Line utility APPCMD.exe

1. From a command prompt, change to the %systemroot%\system32\inetsrv directory.
2. Execute the APPCMD.exe command using the following syntax: string is the name of the application pool; Username string is the user name of the account assigned to the application pool; Password string is the password for the account.

appcmd set config /section:applicationPools /
[name='string'].processModel.identityType:SpecificUser  /
[name='string'].processModel.userName:string /
[name='string'].processModel.password:string

Note Application pool identities are dynamically added to IIS_WPG group in IIS 7.0 and don’t need to be manually added.

Impact of Workaround: Managing the additional user accounts created in this workaround results in increased administrative overhead. Depending on the nature of applications running in this application pool, application functionality may be affected.

Resources:

You can provide feedback by completing the form by visiting Microsoft Help and Support: Contact Us.
Customers in the United States and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see Microsoft Help and Support.
International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
Microsoft TechNet Security provides additional information about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

April 17, 2008: Advisory published
Tags Tags: , , , ,
Categories: Security Posted By: ShadowPuterDude
Last Edit: 18 Apr 2008 @ 06 13 AM

E-mailPermalinkComments (0)
 14 Apr 2008 @ 8:26 PM 
 

SecurityFocus SQL Injection Bogus

 

Originally posted at Photo Matt

Since people are asking, this so-called alert on Security Focus appears to be completely false and has no information that an attacker or the WordPress developers could use. It is completely content-free, except for making claims that every version of WP since 2.0 is vulnerable.

Online, apparently, it’s fine for someone to run into a crowded theatre and yell “fire” and the less basis there is in fact the more people link to them. It’s not uncommon to see crying-wolf reports like the above several times in a week, and a big part of what the WP security team is sifting through things to see what’s valid or not.  [More ...]

Tags Tags: , , ,
Categories: Security Posted By: ShadowPuterDude
Last Edit: 14 Apr 2008 @ 08 26 PM

E-mailPermalinkComments (0)
 27 Mar 2008 @ 6:53 AM 
 

Mozilla Firefox Multiple Vulnerabilities

 

Secunia Advisory: SA29526
Release Date: 2008-03-26
Critical: Highly critical

Description:
Some vulnerabilities and weaknesses have been reported in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, conduct cross-site scripting and phishing attacks, and potentially compromise a user’s system.

1. An unspecified error in the handling of “XPCNativeWrappers” can lead to the execution of arbitrary Javascript code with the user’s privileges via “setTimeout()” calls.

2. Various errors in the handling of Javascript code can be exploited to conduct cross-site scripting attacks or execute arbitrary code.

3. Various errors in the layout engine can be exploited to cause a memory corruption.

4. Various errors in the Javascript engine can be exploited to cause a memory corruption.

Successful exploitation of these vulnerabilities may allow execution of arbitrary code.

5. An error within the handling of HTTP “Referer:” headers sent with requests to URLs containing “Basic Authentication” credentials having an empty username can be exploited to bypass cross-site request forgery protections.

6. The problem is that Firefox offers a previously configured private SSL certificate when establishing connections to webservers requesting SSL Client Authentication. This can potentially be exploited to disclose sensitive information via a malicious webserver.

7. An error in the handling of the “jar:” protocol can be exploited to establish connections to arbitrary ports on the local machine.

8. An error when displaying XUL pop-up windows can be exploited to hide the window’s borders and facilitate phishing attacks.

The vulnerabilities are reported in versions prior to 2.0.0.13.

Solution:
Update to version 2.0.0.13.

Provided and/or discovered by:
1. moz_bug_r_a4
2. moz_bug_r_a4, Boris Zbarsky, and Johnny Stenback
3. Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett, and Mats Palmgren
4. georgi, tgirmann, and Igor Bukanov
5, 7. Gregory Fleischer
6. Peter Brodersen and Alexander Klink
8. Chris Thomas

Original Advisory:
http://www.mozilla.org/security/announce/2008/mfsa2008-14.html
http://www.mozilla.org/security/announce/2008/mfsa2008-15.html
http://www.mozilla.org/security/announce/2008/mfsa2008-16.html
http://www.mozilla.org/security/announce/2008/mfsa2008-17.html
http://www.mozilla.org/security/announce/2008/mfsa2008-18.html
http://www.mozilla.org/security/announce/2008/mfsa2008-19.html

Other References:
SA27311: http://secunia.com/advisories/27311/

Tags Tags: , , ,
Categories: Firefox Posted By: ShadowPuterDude
Last Edit: 27 Mar 2008 @ 06 53 AM

E-mailPermalinkComments (0)
 18 Feb 2008 @ 9:29 PM 
 

Mozilla Firefox IFrame Recursion Remote Denial of Service Vulnerability

 

Bugtraq ID: 27812
Class: Design Error
Remote: Yes
Local: No
Published: Feb 15 2008 12:00AM
Updated: Feb 15 2008 11:05PM
Credit: carl hardwick is credited with the discovery of this issue.

Mozilla Firefox is prone to a remote denial-of-service vulnerability because of the way the browser handles IFrames.

Attackers can exploit this issue to make the browser unresponsive and cause denial-of-service conditions.

Firefox 2.0.0.12 is vulnerable; other versions may also be affected.

Tags Tags: , , , ,
Categories: Firefox Posted By: ShadowPuterDude
Last Edit: 17 Mar 2008 @ 10 32 PM

E-mailPermalinkComments (0)
 19 Oct 2007 @ 9:13 PM 
 

Bad day for Alternative Browsers

 

Bad day for Firefox, Opera, and SeaMonkey users. All three browsers received updates today to patch multiple vulnerabilities.

Some vulnerabilities have been reported in Opera, where one vulnerability has an unknown impact and others can be exploited by malicious people to conduct cross-site scripting attacks and to compromise a user’s system.

Opera may launch external email or newsgroup clients incorrectly. This can be exploited to execute arbitrary commands by e.g. visiting a malicious website.

Successful exploitation requires that the user has configured an external email or newsgroup client.

An error when processing frames from different websites can be exploited to bypass the same-origin policy. This allows to overwrite functions of those frames and to execute arbitrary HTML and script code in a user’s browser session in context of other sites.

An unspecified error exists in Opera in combination with Adobe Flash Player 9.0.47.0 and earlier on Mac OS X. No further information is currently available.

The vulnerabilities are reported in all versions of Opera for Desktop prior to version 9.24.

Opera users are urged to update to version 9.24 http://www.opera.com/download/

Some vulnerabilities and a weakness have been reported in Mozilla Firefox, which can be exploited by malicious people to disclose sensitive information, conduct phishing attacks, manipulate certain data, and potentially compromise a user’s system.

Various errors in the browser engine can be exploited to cause a memory corruption.

Various errors in the Javascript engine can be exploited to cause a memory corruption.

Successful exploitation of these vulnerabilities may allow execution of arbitrary code.

An error in the handling of onUnload events can be exploited to read and manipulate the document’s location of new pages.

Input passed to the user ID when making an HTTP request using Digest Authentication is not properly sanitised before being used in a request. This can be exploited to insert arbitrary HTTP headers into a user’s request when a proxy is used.

An error when displaying web pages written in the XUL markup language can be exploited to hide the window’s title bar and facilitate phishing attacks.

An error exists in the handling of “smb:” and “sftp:” URI schemes on Linux systems with gnome-vfs support. This can be exploited to read any file owned by the target user via a specially crafted page on the same server.

Successful exploitation requires that the attacker has write access to a mutually accessible location on the target server and the user is tricked into loading the malicious page.

An unspecified error in the handling of “XPCNativeWrappers” can lead to execution of arbitrary Javascript code with the user’s privileges via subsequent access by the browser chrome (e.g. when a user right-clicks to open a context menu).

Firefox users are urged to update to version 2.0.0.8.

SeaMonkey users are urged to update to version 1.1.5

NOTE: Additional fixes have been added to prevent the exploitation of a URI handling vulnerability in Microsoft Windows.

Thunderbird users are urged to update to version 2.0.0.8. Thunderbird uses the Firefox engine and is susceptible to the same exploits.

Note: (Saturday, 20 October, 2007) Thunderbird 2.0.0.8 has not yet been released.

Update: (Wednesday, 24 October, 2007) Thunderbird 2.0.0.8 release on hold. Possible forth coming release of Firefox 2.0.0.9 to fix bugs introduced in FF 2.0.0.8.

Tags Tags: , , , , , ,
Categories: Uncategorized Posted By: ShadowPuterDude
Last Edit: 24 Oct 2007 @ 08 06 PM

E-mailPermalinkComments (0)
\/ More Options ...
Last 50 Posts
Back
Register an account
Change Theme...
  • Users » 9
  • Posts/Pages » 187
  • Comments » 116
Change Theme...
  • VoidVoid « Default
  • LifeLife
  • EarthEarth
  • WindWind
  • WaterWater
  • FireFire
  • LiteLight
  • No Child Pages.
  • No Child Pages.
  • No Child Pages.
  • No Child Pages.
  • No Child Pages.
  • No Child Pages.