
SANS ISC: InfoSec Handlers Diary Blog



Pirates and Patches; BlackHat censorship?; IPsec vulnerabilities adding up; Ethereal vulnerabilities; Who's SAPing you

Published: 2005-07-27
Last Updated: 2005-07-28 17:41:29 UTC
by donald smith (Version: 1)

Microsoft no longer providing patches to pirates




If you visit Windows Update today you will probably be invited to install the
Windows Genuine Advantage Validation Tool (KB892130).
From the Microsoft website:

"The Windows Genuine Advantage Validation Tool enables you to
verify that your copy of Microsoft Windows is genuine. The tool validates
your Windows installation by checking Windows Product Identification and
Product Activation status. After you install this item, you may have to restart your computer.
Once you have installed this item, it cannot be removed."

"Concerned about privacy? When you check for updates, basic information about your computer,
not you, is used to determine which updates your programs need.
To learn more, see our privacy statement."



This last statement is intended to address privacy issues. While a "nice" statement, many of us
would like to know EXACTLY what is collected and transmitted to Microsoft by this license tool.
In my opinion Microsoft is well within its rights to require proof of license before providing patches.

Ethereal vulnerabilities



Upgrade to 0.10.12. Right now! Or at least before you need to use Ethereal again.
Due to the severity and scope of the defects
that have been discovered, no workaround is available.


Who's SAPing you


A vulnerability was announced for SAP R/3.

The vulnerability is caused due to an input validation error in the
Internet Graphics Server (IGS) subcomponent when processing document paths.
This can be exploited to access arbitrary files on the system outside the
web root by supplying a document path containing a directory traversal sequence (../).
The vulnerability has been reported in SAP prior to version 6.40 Patch 11.
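The advisory text above describes the classic shape of the bug: a client-supplied document path is joined onto the web root and served, so "../" components walk out of the root. The following is an added example written for this diary, not SAP's code and not the IGS implementation; the web root and the request strings are constructed for illustration. It shows the naive resolver beside a hardened one whose containment check is performed on the normalised path, which is what catches plain, nested and percent-encoded traversal alike.

```python
import posixpath
from urllib.parse import unquote

# Constructed web root for this example; the real IGS document root is not
# named in the advisory.
WEB_ROOT = "/srv/igs/docs"


def naive_resolve(root: str, document_path: str) -> str:
    """The pattern the advisory describes: the client-supplied document path
    is joined onto the web root and served as-is. '../' components in the
    request walk straight out of the root."""
    return posixpath.normpath(posixpath.join(root, unquote(document_path)))


def safe_resolve(root: str, document_path: str) -> str:
    """Hardened version: decode, normalise, then check that the result is
    still inside root. Raises ValueError on any escape attempt."""
    decoded = unquote(document_path)  # single decode, as the server would do
    if "\x00" in decoded:
        raise ValueError("NUL byte in document path")
    # A leading '/' would make join() discard root, so every request is
    # treated as relative to the document root.
    relative = decoded.lstrip("/")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, relative))
    # Containment check on the *normalised* path: this is what catches
    # '../', 'a/../../' and percent-encoded variants alike. (On a Windows
    # host a real server would also have to treat '\\' as a separator.)
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise ValueError("document path escapes web root: %r" % document_path)
    return candidate


def escapes_root(root: str, document_path: str) -> bool:
    """Predicate for log review or a filter rule: True when the request
    would have been served from outside root by the naive resolver."""
    try:
        safe_resolve(root, document_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for req in ("reports/q3.pdf", "../../../etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(req, "->", naive_resolve(WEB_ROOT, req),
              "| rejected by safe_resolve:", escapes_root(WEB_ROOT, req))
```

The check is deliberately done after normalisation rather than by searching the raw request for "../": a request of "reports/../q3.pdf" stays inside the root and is legitimately served, while "%2e%2e/%2e%2e/etc/passwd" contains no literal "../" yet lands in /etc after decoding.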

BlackHat censoring?




This comes from a blog so take it for what it is worth.


The first "scandal" to emerge from Black Hat 2005 (so far, at least)
is the omission of some 30 pages of text from the 1,000-page-plus conference
presentation materials, which were handed out to conference attendees when
they registered on Tuesday. The missing pages -- literally ripped from the
massive handout -- apparently detailed the specifics of a serious security flaw
present in Cisco Systems routers, devices
that route the majority of Internet traffic on the Web today.


The only "official" comment on the missing pages on the Cisco flaw
was a photographed copy of a notice distributed with each bundle of
conference materials. The notice states:
"Due to some last minute changes beyond Black Hat's control, and
at the request of the presenter, Michael Lynn,
the included materials aren't up to the standards Black Hat tries to meet.
Black Hat will be the first to apologize. We hope the vendors involved will follow suit."


Who is Mike Lynn?
Mr. Lynn is a well-known vulnerability researcher at Internet Security Systems.
He is credited with finding several vulnerabilities in Cisco products.

He is quoted here on router worm potential.




Our own Joshua Wright states:
Note that Mike Lynn was going to present on exploiting IOS to use vulnerabilities in code
to run arbitrary code of the attacker's choosing. This is a huge deal, since a problem
with IOS that was formerly limited to a DoS could be leveraged to add configuration
commands to the IOS configuration, or other nasty things.



UPDATE!


Mike resigned from ISS and gave his talk.

"Cisco respects and encourages the work of independent research scientists;
however, we follow an industry established disclosure process for communicating
to our customers and partners," the company said in a statement released Wednesday.
"It is especially regretful, and indefensible, that the Black Hat Conference organizers
have given Mr. Lynn a platform to publicly disseminate the information he illegally obtained."

Further Update


Based on what I have read this is basically adding a whole new dimension to the router exploit field:
remote code execution via buffer overflow. That in general has not existed in the Cisco world because no one had developed it. In the past most router vulnerabilities were denial of service vulnerabilities.
See

for additional details on this event.

AH MAC vulnerability in FreeBSD





II. Problem Description
A programming error in the implementation of the AES-XCBC-MAC algorithm
for authentication resulted in a constant key being used instead of the
key specified by the system administrator.

III. Impact
If the AES-XCBC-MAC algorithm is used for authentication in the absence
of any encryption, then an attacker may be able to forge packets which
appear to originate from a different system and thereby succeed in
establishing an IPsec session. If access to sensitive information or
systems is controlled based on the identity of the source system, this
may result in information disclosure or privilege escalation.

Patches available here:


Combined with the ESP IPsec vulnerability NISCC announced, this negates
their recommended mitigation (adding AH to ESP): an AH whose MAC key is a constant
authenticates nothing.
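To make the "constant key" failure concrete, here is an added example written for this diary; it is not FreeBSD's code and does not reproduce the actual defect line. It implements the XCBC-MAC construction of RFC 3566 (the three subkeys K1, K2, K3 are all derived from the session key; K2 or K3 is mixed into the final block depending on whether it needed padding) on top of a pluggable block cipher. AES is not in the Python standard library, so a constructed SHA-256-based Feistel toy stands in for it; HARDCODED_KEY is a hypothetical stand-in for whatever constant the buggy code used, and both keys below are constructed. The point it demonstrates is the one in the Impact section: once the administrator's key never reaches the key schedule, a tag computed by anyone with any key verifies at the receiver.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES: a 4-round Feistel permutation on 16-byte blocks
    with a SHA-256 round function. Constructed for this example only; it
    is NOT a secure cipher, it just lets the XCBC construction run offline."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def xcbc_mac(key: bytes, msg: bytes, cipher=toy_block_cipher, tag_len=12) -> bytes:
    """XCBC-MAC per RFC 3566 (AES-XCBC-MAC-96 when cipher is AES and
    tag_len is 12). Every subkey comes from `key`, so the wrong `key` here
    means every tag is wrong."""
    k1 = cipher(key, bytes([0x01]) * BLOCK)
    k2 = cipher(key, bytes([0x02]) * BLOCK)
    k3 = cipher(key, bytes([0x03]) * BLOCK)
    # An empty message is treated as a single incomplete (padded) block.
    blocks = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)] or [b""]
    e = bytes(BLOCK)
    for m in blocks[:-1]:                       # CBC chain over full blocks
        e = cipher(k1, xor(e, m))
    last = blocks[-1]
    if len(last) == BLOCK:                      # complete final block: mix in K2
        e = cipher(k1, xor(xor(e, last), k2))
    else:                                       # 10* padding, then mix in K3
        padded = last + b"\x80" + bytes(BLOCK - len(last) - 1)
        e = cipher(k1, xor(xor(e, padded), k3))
    return e[:tag_len]


# Hypothetical stand-in for the constant the buggy code used in place of the
# SA key; the advisory does not give the real value.
HARDCODED_KEY = bytes(BLOCK)


def xcbc_mac_buggy(key: bytes, msg: bytes) -> bytes:
    """The class of bug in the advisory: the administrator's key is accepted
    by the API but never reaches the key schedule."""
    return xcbc_mac(HARDCODED_KEY, msg)


def verify(mac_fn, key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_fn(key, msg), tag)


# Constructed keys for the demonstration; the attacker never learns VICTIM_KEY.
VICTIM_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
ATTACKER_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def forgery_outcome(msg: bytes) -> dict:
    """The attacker tags `msg` with a key of their own choosing and sends it
    to a receiver holding VICTIM_KEY. Reports whether each implementation
    accepts the forged tag."""
    forged_tag = xcbc_mac_buggy(ATTACKER_KEY, msg)
    return {
        "buggy_accepts": verify(xcbc_mac_buggy, VICTIM_KEY, msg, forged_tag),
        "fixed_accepts": verify(xcbc_mac, VICTIM_KEY, msg, forged_tag),
    }


if __name__ == "__main__":
    print(forgery_outcome(b"AH-protected packet payload (constructed)"))
```

Because the forged tag is accepted regardless of what key the receiver was configured with, the "add AH to your ESP-only SAs" advice buys nothing on an affected system: the attacker's rewritten packets carry a valid AH ICV just as the legitimate ones do, so the ESP attack proceeds unchanged. Check your FreeBSD hosts for the patched version rather than relying on the AH layer.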
