Archive :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 6 No. 23



> 
> *****************************
> Widely Deployed Software
> *****************************
> 
> (1) HIGH: Apple QuickTime Multiple Vulnerabilities
> Affected:
> Apple QuickTime versions prior to 7.1.6 for Apple Mac OS X and Microsoft Windows
> 
> Description: Apple Quicktime, Apple's cross-platform streaming media
> layer, contains a flaw in its interaction with Sun's Java Runtime
> Environment. A specially-crafted web page that instantiates QuickTime
> for Java objects could exploit this vulnerability and potentially
> corrupt memory in such a way that an attacker could execute arbitrary
> code with the privileges of the current user. Depending on
> configuration, no user interaction other than viewing a malicious web
> page would be necessary for exploitation. Note that QuickTime is
> installed by default on Mac OS X and is installed as part of Apple's
> iTunes for Windows. This vulnerability is distinct from the
> vulnerability discussed in the previous issues of @RISK.
> 
> Status: Apple confirmed, updates available.
> 
> Council Site Actions: Most of the reporting council sites are
> responding. At most sites the Quicktime users have auto-update enabled.
> Other sites plan to push the updates during the next regularly scheduled
> system maintenance.
> 
> References:
> Apple Security Advisory
> http://docs.info.apple.com/article.html?artnum=305531 
> SecurityFocus BID
> http://www.securityfocus.com/bid/24221 
> 
> *************************************************************************
> (3) HIGH: Multiple F-Secure Products LHA Archive Processing 
> Buffer Overflow
> Affected:
> F-Secure Antivirus Products for Microsoft Windows and Linux
> 
> Description: Multiple products based on the F-Secure antivirus engine
> for Microsoft Windows and Linux contain a flaw in their processing of
> LHA archives. LHA is a popular archive format similar to ZIP or RAR. A
> specially-crafted LHA archive file could trigger this flaw, and exploit
> a buffer overflow to execute arbitrary code with the privileges of the
> scanning process. Note that, since some products using the vulnerable
> engine scan large amounts of traffic (including email), simply having a
> specially-crafted email transit a vulnerable server would be sufficient
> to trigger this vulnerability. In many cases, the vulnerable software
> may run with elevated (root or SYSTEM) privileges.
> 
> Status: F-Secure confirmed, updates available.
> 
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the responding council sites. They reported that no action was
> necessary.
> 
> References:
> F-Secure Security Bulletin
> http://www.f-secure.com/security/fsc-2007-1.shtml 
> Wikipedia Article on LHA
> http://en.wikipedia.org/wiki/LHA_%28file_format%29 
> SecurityFocus BID
> http://www.securityfocus.com/bid/24235 
> 
> *************************************************************************
> 
> (4) MODERATE: Apache Web Server Multiple Vulnerabilities
> Affected:
> Apache versions 1.3.x, 2.0.x, and 2.2.x
> 
> Description: According to a PSNC security advisory, the Apache web
> server contains multiple vulnerabilities. Flaws in processing requests
> could lead to multiple denial-of-service conditions. By sending a
> specially-crafted request, an attacker could cause a denial-of-service
> condition in the Apache process or related processes. Depending on
> configuration, an attacker may be able to exhaust processor resources,
> leading to a system-wide denial-of-service attack, or be able to send a
> POSIX "SIGUSR1" signal to an arbitrary process, leading to a
> denial-of-service condition in an arbitrary process on the vulnerable
> system. Note that, because Apache is open source, technical details for
> these flaws are available via source code analysis.
> 
> Status: Apache has not confirmed, no updates available.
> 
> Council Site Actions: All of the reporting council sites are using the
> affected software and plan to distribute patches once they are
> available.
> 
> References:
> PSNC Security Advisory
> http://archives.neohapsis.com/archives/bugtraq/2007-05/0415.html 
> Wikipedia Article on the POSIX "SIGUSR1" signal
> http://en.wikipedia.org/wiki/SIGUSR1 
> Wikipedia Article on POSIX-style Signals
> http://en.wikipedia.org/wiki/Signal_%28computing%29 
> SecurityFocus BID
> http://www.securityfocus.com/bid/24215 
> 
> *************************************************************************
> (5) MODERATE: Mozilla-Based Browsers Multiple Vulnerabilities
> Affected:
> Mozilla Firefox versions prior to 2.0.4 and 1.5.12
> Mozilla SeaMonkey versions prior to 1.1.2 and 1.0.9
> Mozilla Thunderbird versions prior to 2.0.4 and 1.5.12
> 
> Description: Applications based on the Mozilla framework contain
> multiple vulnerabilities. The most serious of these is a vulnerability
> that leads to memory corruption; it is believed that this may be
> exploitable for remote code execution, though this has not been proven
> yet. Additionally, an attacker may be able to exploit other
> denial-of-service, cross-site scripting, resource denial, or information
> disclosure vulnerabilities. The technical details can be obtained via
> source code analysis.
> 
> Status: Mozilla confirmed, updates available.
> 
> Council Site Actions: All reporting council sites are responding to this
> issue. Although this application is not officially supported at most of
> the council sites, each site said that their user base either has the
> auto-update feature enabled, or they will work with the users to update
> as appropriate.
> 
> References:
> Mozilla Foundation Security Advisories
> http://www.mozilla.org/security/announce/2007/mfsa2007-17.html 
> http://www.mozilla.org/security/announce/2007/mfsa2007-16.html 
> http://www.mozilla.org/security/announce/2007/mfsa2007-13.html 
> http://www.mozilla.org/security/announce/2007/mfsa2007-14.html 
> http://www.mozilla.org/security/announce/2007/mfsa2007-12.html 
> SecurityFocus BID
> http://www.securityfocus.com/bid/24242 
> 
> *************************************************************************
> 
> ****************
> Other Software
> ****************
> 
> (6) HIGH: Avira Antivir Antivirus Multiple Vulnerabilities
> Affected:
> Applications using the Avira Antivir antivirus engine versions prior to 7.4.24
> Known applications include:
> Avira Antivir Workstation Professional
> Avira Antivir Personal Edition Premium
> Avira Antivir Personal Edition Classic
> 
> Description: The Avira Antivir antivirus engine, a popular antivirus
> engine, contains multiple vulnerabilities:
> (1) A flaw in the parsing of LZH formatted archives can lead to
> arbitrary code execution with the privileges of the vulnerable process.
> LZH is an archive file format, similar to ZIP or RAR, and is related to
> the LHA archive file format.
> (2) Flaws in the handling of UPX-compressed executables and tar archives
> can lead to multiple denial-of-service conditions.
> Note that, because the antivirus engine may be running on mail or other
> servers, simply sending a specially crafted email that transits a
> vulnerable system may be sufficient to exploit one of these conditions.
> 
> Status: Avira confirmed, updates available.
> 
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the responding council sites. They reported that no action was
> necessary.
> 
> References:
> n.runs Security Advisories
> http://www.securityfocus.com/archive/1/469805 
> http://archives.neohapsis.com/archives/bugtraq/2007-05/0412.html 
> http://www.securityfocus.com/archive/1/470042  
> Wikipedia Article on LHA
> http://en.wikipedia.org/wiki/LHA_%28file_format%29 
> Vendor Home Page
> http://www.avira.com 
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/24187 
> http://www.securityfocus.com/bid/24239
> 
> **********************************************************************************
> 
> (7) HIGH: Avast! Antivirus SIS File Parsing Integer Overflow
> Affected:
> Avast! Antivirus versions prior to 4.7.700
> 
> Description: Avast! antivirus, a popular antivirus engine, contains an
> integer overflow flaw in the parsing of Symbian Installation Source
> (SIS) files. This file format is used to package applications for
> various mobile devices utilizing the Symbian operating system. A
> specially crafted SIS file could trigger this vulnerability, and
> potentially execute arbitrary code with the privileges of the vulnerable
> process. Note that, because the vulnerable software may be running in a
> mode that results in the automatic scanning of files, simply sending an
> email to a vulnerable user may be sufficient to trigger this
> vulnerability.
> 
> Status: Vendor confirmed, updates available.
> 
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the responding council sites. They reported that no action was
> necessary.
> 
> References:
> n.runs Security Advisory
> http://archives.neohapsis.com/archives/bugtraq/2007-05/0380.html 
> Avast! Changelog
> http://www.avast.com/eng/adnm-management-client-revision-history.html 
> Vendor Home Page
> http://www.avast.com 
> SecurityFocus BID
> http://www.securityfocus.com/bid/24155 
> 
> ********************************************************************
> 
> Part II - Comprehensive List of Newly Discovered Vulnerabilities from
> Qualys (www.qualys.com)
> Week 23, 2007
> 
> This list is compiled by Qualys ( www.qualys.com ) as part of that
> company's ongoing effort to ensure its vulnerability management web
> service tests for all known vulnerabilities that can be scanned. As of
> this week Qualys scans for 5465 unique vulnerabilities. For this
> special SANS community listing, Qualys also includes vulnerabilities
> that cannot be scanned remotely.
> 
> 07.23.1 CVE: Not Available
> Platform: Windows
> Title: Microsoft Active Directory Logon Hours Username Enumeration
> Weakness
> Description: Microsoft Active Directory is an LDAP implementation used
> on the Microsoft Windows operating system. The application is exposed
> to a username enumeration weakness because of a design error in the
> application when verifying user-supplied input. Microsoft Active
> Directory on Microsoft Windows Server 2003 Standard Edition is
> affected.
> Ref: http://www.securityfocus.com/bid/24248
> ______________________________________________________________________
> 
> 
> 07.23.5 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: F-Secure Policy Manager FSMSH.DLL Remote Denial of Service
> Description: F-Secure Policy Manager is a management application
> designed to handle security application installation and policy
> enforcement for company networks. The application is exposed to a
> remote denial of service issue due to a failure of the application to
> properly handle unexpected conditions. F-Secure Policy Manager
> versions prior to 7.01 are affected.
> Ref: http://www.f-secure.com/security/fsc-2007-4.shtml
> ______________________________________________________________________
> 
> 07.23.17 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Avast! Managed Client SIS File Handling Remote Heap Overflow
> Description: Avast! Managed Client is used with Avast! Distributed
> Network Manager to deploy and manage Avast! antivirus software over
> the network. The application is exposed to a heap overflow issue in
> its SIS-processing routines. Avast! Managed Client versions earlier
> than 4.7.700 are affected.
> Ref: http://www.nruns.com/advisories/%5Bn.runs-SA-2007.009%5D%20-%20Avast!%20Antivirus%20SIS%20parsing%20Arbitrary%20Code%20Execution%20Advisory.pdf
> ______________________________________________________________________
> 
> 07.23.21 CVE: Not Available
> Platform: Linux
> Title: PHP Realpath() Safe_Mode and Open_Basedir Restriction Bypass
> Description: PHP is a general purpose scripting language that is
> especially suited for web development and can be embedded into HTML.
> The application is exposed to a "safe_mode" and "open_basedir"
> restriction bypass issue. PHP versions prior to 5.2.3 are affected.
> Ref: http://www.securityfocus.com/bid/24259
> ______________________________________________________________________
> 
> 07.23.27 CVE: CVE-2007-2452
> Platform: Unix
> Title: GNU Locate Old Format Locate Database Local Buffer Overflow
> Description: GNU locate is included as part of GNU findutils. It is a
> utility to list files in a database matching certain criteria. The
> application is exposed to a local heap-based buffer overflow issue
> because it fails to properly bounds check user-supplied input before
> using it in a memory copy operation. GNU locate versions as found in
> GNU findutils versions prior to 4.2.31 are affected.
> Ref: http://www.securityfocus.com/archive/1/470108
> ______________________________________________________________________
> 
> 07.23.29 CVE: CVE-2007-2872
> Platform: Cross Platform
> Title: PHP Chunk_Split() Unspecified Integer Overflow
> Description: PHP is a general purpose scripting language that is
> especially suited for web development and can be embedded into HTML.
> The application is exposed to an integer overflow issue because it
> fails to ensure that integer values aren't overrun. PHP versions prior
> to 5.2.3 are affected.
> Ref: http://www.securityfocus.com/bid/24261
> ______________________________________________________________________
> 
> 07.23.33 CVE: CVE-2007-2917
> Platform: Cross Platform
> Title: Authentium Command Antivirus ActiveX Control ODAPI.DLL Multiple
> Buffer Overflow Vulnerabilities
> Description: Authentium Command Antivirus is an antivirus application
> for multiple platforms. The application is exposed to multiple buffer
> overflow issues because it fails to bounds check user-supplied data
> before copying it into an insufficiently sized buffer. Command
> Antivirus versions 4.93.7 and earlier are affected.
> Ref: http://www.kb.cert.org/vuls/id/563401
> ______________________________________________________________________
> 
> 07.23.34 CVE: Not Available
> Platform: Cross Platform
> Title: Multiple F-Secure Products Packed Executables and Archives
> Denial of Service
> Description: F-Secure Anti-Virus and Internet Gatekeeper are
> antivirus applications developed by F-Secure. Multiple F-Secure
> products are exposed to a denial of service issue because the
> application fails to handle exceptional conditions.
> Ref: http://www.f-secure.com/security/fsc-2007-3.shtml
> ______________________________________________________________________
> 
> 07.23.35 CVE: Not Available
> Platform: Cross Platform
> Title: F-Secure Anti-Virus LHA Processing Buffer Overflow
> Description: F-Secure Anti-Virus is antivirus software available for
> Microsoft Windows and Linux. Multiple F-Secure Anti-Virus applications
> are exposed to a buffer overflow issue when they process malicious LHA
> archive files because the applications fail to properly check
> boundaries on user-supplied data before copying it to an
> insufficiently sized memory buffer.
> Ref: http://www.f-secure.com/security/fsc-2007-1.shtml
> ______________________________________________________________________
> 
> 07.23.36 CVE: Not Available
> Platform: Cross Platform
> Title: F-Secure Multiple Products Real-time Scanning Component Local
> Privilege Escalation
> Description: F-Secure provides multiple antivirus and internet
> security applications for the Microsoft Windows and Linux operating
> systems. Multiple F-Secure workstation and file server products are
> exposed to a local privilege escalation issue due to an improper
> access validation of the address space used by the affected component.
> Ref: http://www.f-secure.com/security/fsc-2007-2.shtml
> ______________________________________________________________________
> 
> 07.23.37 CVE: Not Available
> Platform: Cross Platform
> Title: Avira Antivir Tar Archive Handling Remote Denial of Service
> Description: Avira Antivir Antivirus is an antivirus
> application available for Microsoft Windows, Linux, FreeBSD, OpenBSD,
> and Sun Solaris. The application is exposed to a denial of service
> issue because the application fails to handle certain TAR archives. 
> Avira Antivir version 6.35.0 is affected.
> Ref: http://www.securityfocus.com/archive/1/470042
> ______________________________________________________________________
> 
> 07.23.38 CVE: CVE-2007-2388
> Platform: Cross Platform
> Title: Apple QuickTime for Java Unspecified Remote Heap Buffer
> Overflow
> Description: Apple QuickTime for Java is exposed to a remote
> heap-based buffer overflow issue because it fails to properly bounds
> check user-supplied input prior to copying it to an insufficiently
> sized buffer. Apple QuickTime Player version 7.1.6 is affected.
> Ref: http://www.securityfocus.com/bid/24221
> ______________________________________________________________________
> 
> 07.23.39 CVE: CVE-2007-2389
> Platform: Cross Platform
> Title: Apple Quicktime For Java Variant Information Disclosure
> Description: Apple QuickTime for Java is exposed to an
> information disclosure issue which convinces victims to visit a
> malicious web site. Please refer to the advisory for further details.
> Ref: http://www.securityfocus.com/bid/24222
> ______________________________________________________________________
> 
> 07.23.40 CVE: Not Available
> Platform: Cross Platform
> Title: Apache HTTP Server Worker Process Multiple Denial of Service
> Vulnerabilities
> Description: Apache is exposed to multiple denial of service issues
> due to a failure in the application to properly handle malformed or
> malicious worker processes. Apache Software Foundation Apache versions
> 2.2.4, 2.0.59 and 1.3.37 are affected.
> Ref: http://www.securityfocus.com/archive/1/469899
> ______________________________________________________________________
> 
> 07.23.44 CVE: CVE-2007-2446
> Platform: Cross Platform
> Title: Samba NDR RPC Request DFSEnum Heap-Based Buffer Overflow
> Description: Samba is a suite of software that provides file and print
> services for "SMB/CIFS" clients. Samba is exposed to a remote
> heap-based buffer overflow issue because it fails to properly bounds
> check user-supplied data before copying it to an insufficiently sized
> memory buffer. Samba versions 3.0.25rc3 and earlier are affected.
> Ref: http://www.kb.cert.org/vuls/id/773720
> ______________________________________________________________________
> 
> 07.23.45 CVE: Not Available
> Platform: Cross Platform
> Title: Mozilla Firefox Resource Directory Traversal
> Description: Mozilla Firefox is a web browser available for multiple
> operating platforms. The application is exposed to a directory
> traversal issue because it fails to adequately sanitize user-supplied
> data. Mozilla Firefox versions 2.0.0.3 and earlier are affected.
> Ref: http://www.securityfocus.com/bid/24191
> ______________________________________________________________________
> 
> 07.23.46 CVE: CVE-2007-2446
> Platform: Cross Platform
> Title: Samba NDR RPC Request LsarLookupSids/LsarLookupSids2 Heap-Based
> Buffer Overflow
> Description: Samba is a suite of software that provides file and print
> services for "SMB/CIFS" clients. Samba is exposed to a remote heap
> based buffer overflow issue because it fails to properly bounds check
> user-supplied data before copying it to an insufficiently sized memory
> buffer. Samba versions 3.0.25rc3 and earlier are affected.
> Ref: http://www.kb.cert.org/vuls/id/773720
> ______________________________________________________________________
> 
> 07.23.47 CVE: CVE-2007-2446
> Platform: Cross Platform
> Title: Samba NDR RPC Request NetSetFileSecurity Heap-Based Buffer
> Overflow
> Description: Samba is a suite of software that provides file and print
> services for "SMB/CIFS" clients. Samba is exposed to a remote
> heap-based buffer overflow issue because it fails to properly bounds
> check user-supplied data before copying it to an insufficiently sized
> memory buffer. Samba versions 3.0.25rc3 and earlier are affected.
> Ref: http://www.kb.cert.org/vuls/id/773720
> ______________________________________________________________________
> 
> 07.23.48 CVE: CVE-2007-2446
> Platform: Cross Platform
> Title: Samba NDR RPC Request RFNPCNEX Heap-Based Buffer Overflow
> Description: Samba is a suite of software that provides file and print
> services for "SMB/CIFS" clients. Samba is exposed to a remote
> heap-based buffer overflow issue because it fails to properly bounds
> check user-supplied data before copying it to an insufficiently sized
> memory buffer. Samba versions 3.0.25rc3 and earlier are affected.
> Ref: http://www.kb.cert.org/vuls/id/773720
> 
> 07.23.50 CVE: Not Available
> Platform: Cross Platform
> Title: Avira Antivir Antivirus Multiple Remote Vulnerabilities
> Description: Avira Antivir Antivirus is a multi-platform antivirus
> application. The application is exposed to a buffer overflow issue
> when processing specially crafted LZH archive files due to an integer
> handling flaw and an infinite loop denial of service issue when
> processing TAR archives. Avira Antivir AVPack versions prior to
> 7.03.00.09 and Engine versions prior to 7.04.00.24 are affected.
> Ref: http://www.securityfocus.com/bid/24187
> ______________________________________________________________________
> 
> (c) 2007.  All rights reserved.  The information contained in this
> newsletter, including any external links, is provided "AS IS," with no
> express or implied warranty, for informational purposes only.  In some
> cases, copyright for material in this newsletter may be held by a party
> other than Qualys (as indicated herein) and permission to use such
> material must be requested from the copyright owner.
> 
> 
> =========================================================================
>      SANS Software Security @RISK: Secure Coding Error of the Month
> Vol. 1, Num. 1                                               June 3, 2007
> =========================================================================
> 
> Millions of problems from one coding error. 
> 
> The apache.org foundation reports that more than 10 million copies of its
> Apache Tomcat package have been downloaded, providing Java servlet
> functionality for web servers throughout the world. Moreover, Tomcat is
> frequently used as a standalone web server in high-traffic and
> high-availability environments where sensitive and valuable information
> is stored.
> 
> So a programming error by one of the Tomcat developers is a BIG error.
> If it opens a security hole, millions of people now need to patch their
> systems. It is an even bigger problem because, sadly, thousands or tens
> of thousands of sites will not install the patch, possibly because no
> one will tell them about the need to do so, and will become victims of
> data theft, extortion, and other cyber crimes.
> 
> As you read this first edition of SANS Software Security @RISK
> newsletter, note how little effort would have been needed to avoid the
> problem.
> 
> *****************************************************
> Apache Tomcat JK Web Server Connector Buffer Overflow
> *****************************************************
> 
> What kind of error is it?  A buffer overflow.
> - -------------
> 
> Buffer overflow is one of the oldest types of security vulnerabilities,
> discovered as early as the mid-sixties. As the name suggests, the
> vulnerability arises when a programmer allows more data to be crammed
> into a storage area than the programmer had originally set aside. When
> the data overflows the reserved area, bad things often happen.
> 
> In early March, a critical buffer overflow was disclosed in versions of
> Apache Tomcat JK Web Server Connector.
> 
> This vulnerability is a stack-based buffer overflow. The flaw can be
> triggered by a long URI input to the mod_jk module. An unauthenticated
> user can exploit this overflow by sending a large URI to execute
> arbitrary code of his choice on the server.
> 
> Information about the problem of interest to security professionals --
> the vulnerable versions of Tomcat, damage that can be done, and exploits
> in the wild -- has all been well covered in the SANS weekly @RISK
> newsletter and elsewhere (and is referenced at the end of this issue).
> Here we focus instead on the aspect of the problem relevant to
> programmers: the programming error that led to this huge problem.
> 
> 
> What coding error was responsible for this vulnerability?
> - ------------------------------------------------------------------------
> 
> Buffer overflows arise because programmers forget to check that the
> length of data being copied into a buffer is less than or equal to the
> buffer size.
> 
> Let us now look at the vulnerable function that led to the Tomcat
> overflow.
> 
> The buffer overflow was found in the map_uri_to_worker() function that
> is defined in native/common/jk_uri_worker_map.c file.
> 
> #define JK_MAX_URI_LEN              4095    /* from jk_uri_worker_map.h */
> 
> *************
> Function code
> *************
> const char *map_uri_to_worker(jk_uri_worker_map_t *uw_map,
>                               const char *uri, jk_logger_t *l)
> {
>     unsigned int i;
>     char *url_rewrite;
>     const char *rv = NULL;
>     char  url[JK_MAX_URI_LEN+1];
> 
>     JK_TRACE_ENTER(l);
> 
>     if (!uw_map || !uri) {
>         JK_LOG_NULL_PARAMS(l);
>         JK_TRACE_EXIT(l);
>         return NULL;
>     }
>     if (*uri != '/') {
>         jk_log(l, JK_LOG_WARNING,
>                 "Uri %s is invalid. Uri must start with /", uri);
>         JK_TRACE_EXIT(l);
>         return NULL;
>     }
> 
> ###############################
> Erroneous Code in this function
> ###############################
> 
>     for (i = 0; i < strlen(uri); i++)
>         if (uri[i] == ';')
>             break;
>         else
>             url[i] = uri[i];
>     url[i] = '\0';
> 
> 
> What is wrong with this function?
> - ---------------------------------
> 
> Notice that "uri" is an input to the function. It is being copied into
> a locally declared variable url. url is a buffer of size 4096. However,
> the copy operation depends on the size of the input uri. There is no
> check in the function to stop copying if the length of uri is greater
> than the maximum length of url buffer i.e. 4096. This results in a
> stack-based buffer overflow, which is usually the simplest buffer
> overflow to exploit.
> 
> What did it take to fix the vulnerable function?
> - ------------------------------------------------
> 
> Introduce a check for the length of the uri that is copied into the url
> variable.
> 
> **********
> Fixed Code
> **********
> 
>     for (i = 0; i < strlen(uri); i++) {
>         if (i == JK_MAX_URI_LEN) {
>             jk_log(l, JK_LOG_WARNING,
>                    "Uri %s is invalid. Uri must be smaller then %d chars",
>                    uri, JK_MAX_URI_LEN);
>             JK_TRACE_EXIT(l);
>             return NULL;
>         }
>         if (uri[i] == ';')
>             break;
>         else
>             url[i] = uri[i];
>     }
> 
> As you can see, once the length of uri reaches the max length of 4096,
> the copy operation is terminated.
> 
> Take Away: 
> Programmers who want to avoid this kind of error should follow SANS
> Secure Programming Rule 01.1.1:
> - -------------------------------------------------------------------------
> 
> Input Validation - The programmer must securely process inputs from all
> aspects of the environment, then correctly decode, canonicalize, and
> validate those inputs.
> 
> Source: SANS Secure Coding in C Examination Blueprint,
> (www.sans-ssi.org/ (rest of url))) More granular rules can be found at
> that url, as well.
> 
> References:
> - ----------------
> 
> Zero Day Initiative Advisory
> http://www.zerodayinitiative.com/advisories/ZDI-07-008.html 
> 
> SANS @RISK Posting
> http://www.sans.org/newsletters/risk/display.php?v=6&i=10#widely1 
> 
> Apache Tomcat Homepage
> http://tomcat.apache.org/ 
> 
> Apache Tomcat Code
> http://svn.apache.org/viewvc/tomcat/connectors/tags/jk1.2.x/JK_1_2_20/jk/native/common/jk_uri_worker_map.c?revision=513250&view=markup
> 
> Secunia Advisory
> http://secunia.com/advisories/24398/ 
> CVE 2007-0774
> 
> The National Vulnerability Database:
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0774 
> 
> ============================================================
> Copyright 2007, The SANS Institute
> You may distribute copies of Software Security @RISK to anyone within
> your own organization but you may not post it.
> 
> ______________________________________________________________________
> 
> Subscriptions: @RISK is distributed free of charge to people 
> responsible
> for managing and securing information systems and networks. You may
> forward this newsletter to others with such responsibility inside or
> outside your organization.
> 
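The mod_jk prefix copy discussed in the forwarded "Secure Coding Error of the Month", as an added example that is not part of the newsletter, of the forwarded message, or of the Tomcat connector source: a stand-alone C reimplementation of the `url` copy in map_uri_to_worker(), with the unchecked loop (the shape of the erroneous code quoted above) beside a hardened version that carries the destination size with the pointer, measures the prefix once, and refuses the copy when the prefix plus its NUL does not fit. The function names (unchecked_copy_uri, safe_copy_uri, check_uri, make_uri, uri_would_overflow), the return codes and the 16 KiB constructed-input buffer are this example's own; the 4095 limit is the JK_MAX_URI_LEN value quoted in the newsletter, and the inputs are constructed, not captured requests.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Same limit as mod_jk's jk_uri_worker_map.h; the value is the one quoted above. */
#define JK_MAX_URI_LEN 4095

enum { URI_OK = 0, URI_INVALID = -1, URI_TOO_LONG = -2 };

/*
 * The "before" shape, kept for contrast only: copies uri up to the first ';'
 * into a caller-supplied JK_MAX_URI_LEN+1 byte buffer with no bound on i.
 * More than JK_MAX_URI_LEN bytes before the first ';' write past the end of
 * url (a stack overflow when url is a local array, as in mod_jk). Nothing in
 * this file calls it; never call it on untrusted input.
 */
void unchecked_copy_uri(const char *uri, char *url)
{
    size_t i;
    for (i = 0; i < strlen(uri); i++) {    /* strlen() re-evaluated every pass */
        if (uri[i] == ';')
            break;
        url[i] = uri[i];                    /* no check that i <= JK_MAX_URI_LEN */
    }
    url[i] = '\0';
}

/*
 * Hardened version: the destination size travels with the pointer, the prefix
 * length is measured once with strcspn(), and the copy is refused unless the
 * prefix plus its terminating NUL fits. Refusing (not truncating) is the right
 * answer here: a silently shortened URI could be mapped to the wrong worker.
 */
int safe_copy_uri(const char *uri, char *url, size_t url_size)
{
    size_t prefix;

    if (uri == NULL || url == NULL || url_size == 0)
        return URI_INVALID;
    if (uri[0] != '/')                 /* same rule as map_uri_to_worker() */
        return URI_INVALID;

    prefix = strcspn(uri, ";");        /* bytes before the first ';', or all of uri */
    if (prefix >= url_size)            /* room for the prefix AND the NUL */
        return URI_TOO_LONG;

    memcpy(url, uri, prefix);
    url[prefix] = '\0';
    return URI_OK;
}

/* 1 if the unchecked loop would write past a JK_MAX_URI_LEN+1 byte buffer. */
int uri_would_overflow(const char *uri)
{
    return strcspn(uri, ";") > JK_MAX_URI_LEN;
}

/* Wrappers over a file-scope buffer so results can be inspected without
 * handing out a stack array. */
static char g_url[JK_MAX_URI_LEN + 1];
int check_uri(const char *uri) { return safe_copy_uri(uri, g_url, sizeof g_url); }
const char *last_url(void) { return g_url; }

/* Constructed input (hypothetical, not a captured request): '/' followed by
 * prefix_len-1 'A's, then optionally ';' and tail_len 'B's (the part the
 * connector never copies). */
static char g_uri[16384];
const char *make_uri(size_t prefix_len, size_t tail_len)
{
    size_t pos = 0;
    if (prefix_len == 0 || prefix_len + tail_len + 2 > sizeof g_uri)
        return NULL;
    g_uri[pos++] = '/';
    memset(g_uri + pos, 'A', prefix_len - 1);
    pos += prefix_len - 1;
    if (tail_len > 0) {
        g_uri[pos++] = ';';
        memset(g_uri + pos, 'B', tail_len);
        pos += tail_len;
    }
    g_uri[pos] = '\0';
    return g_uri;
}

int main(void)
{
    printf("/app;jsessionid=abc  -> rc=%d url=%s\n",
           check_uri("/app;jsessionid=abc"), last_url());
    printf("4095 bytes, no ';'   -> rc=%d (fits: the NUL lands in slot 4095)\n",
           check_uri(make_uri(4095, 0)));
    printf("4096 bytes, no ';'   -> rc=%d, unchecked loop would overflow: %d\n",
           check_uri(make_uri(4096, 0)), uri_would_overflow(make_uri(4096, 0)));
    printf("4 bytes + ';' + 6000 -> rc=%d url=%s\n",
           check_uri(make_uri(4, 6000)), last_url());
    return 0;
}
```

Two things differ from the patch quoted in the newsletter, on purpose. The patched loop checks `i == JK_MAX_URI_LEN` before it looks for `';'`, so it also rejects a 4095-byte prefix followed by `;`; this version accepts any prefix that fits together with its NUL, which is the exact bound the buffer imposes. And the patched loop still calls strlen(uri) on every iteration, so a long request costs quadratic time; measuring the prefix once with strcspn() removes that. The last case in main() is the one worth remembering when reviewing fixes of this kind: a URI many kilobytes long is harmless as long as the first `;` comes early, so the bound must be on the bytes actually copied, not on the length of the whole input.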



 




Copyright © Lexa Software, 1996-2009.