Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Update on Word 0-Day Issue

Published: 2006-05-23
Last Updated: 2006-05-25 14:36:34 UTC
by David Goldsmith (Version: 1)
0 comment(s)
Microsoft and eEye have each released advisories related to the issue this evening.

Microsoft's security advisory can be found here.

eEye's advisory can be found here.

The information about vulnerable exploits differs a little between the two advisories.

Microsoft says the vulnerability only affects Word 2002/XP and Word 2003 and that Word 2000 is not vulnerable. The Microsoft advisory contains information on workarounds including not using Word as the default mail editor in Outlook and running Word in 'Safe Mode' to disable the functionality that is affected by the vulnerability and exploit.

eEye says that the vulnerability affects Word 2000 as well.  The eEye advisory mentions that they believe there are two variants of this exploit.  Thus, it may be that the first variant only affects Word 2002/XP and 2003 and the second variant affects all three versions.

Update 25-May-2006:  eEye has removed Word 2000 from their list of vulnerable products.

0 comment(s)

Possible GNU Strings Denial Of Service Vulnerability

Published: 2006-05-23
Last Updated: 2006-05-24 18:12:26 UTC
by David Goldsmith (Version: 3)
0 comment(s)
SecurityFocus has a vulnerability advisory about an issue with the GNU strings command and a potential Denial of Service attack.  If a file contains certain character strings, the string command will crash due to a failure to properly handle unexpected user-supplied input.

The bugzilla entry 2584 authored by Jesus Olmos Gonzales, who discovered the issue, contains more information. It indicates the the issue actually lies within the bfd_hack_lookup() routine in the BFD library.

The results of initial testing done by several ISC Handlers made it appear that this was only affecting some Linux/Unix distributions and not others.  Further testing indicated that the "exploit" seems sensitive to the content of the triggering file.

If the file contained only the following line:


then running strings on the file would result in a segmentation fault.

If the file contained additional content, such as:

        This file will not crash

then running strings on the file did not result in a segmentation fault.

The potential security impact of this is an attacker might be able to include this character sequence in their executable thereby making it harder to do binary analysis with the strings command.

To test if you system is vulnerable to this issue, you can run the following commands:

       echo "%253Cc%253Cc%253Cc%253Cc%253Cc%253Cc%253Cc" > evil-file
       strings evil-file

If you get a segmentation fault, you are vulnerable.

Results for some tested operating systems [1]:

        CentOS 4.3 - vulnerable
        Fedora Core 4 - vulnerable
        Mac OS X 10.4.5 - NOT vulnerable
        OpenBSD 3.5 - vulnerable
        OpenBSD 3.9 - vulnerable

       Cygwin - vulnerable
Updates thanks to our readers (5/24/06):
       Gentoo (binutils 2.16.1-r2)
       Ubuntu Linux 5.10
       Ubuntu Linux 5.4
       Debian 3.1
       Gentoo 2006.0
       SuSE Enterprise 9 SP3
       FreeBSD 5.4 (-STABLE and -RELEASE-p10)
       FreeBSD 6.0
       Fedora Core 3
Note: Some systems have strings-GNU (vulnerable) and strings (BSD/not vulnerable)

Update 1:

Here is a workaround that may work for some folks.  Run the strings command with the "-a" option.  This says to scan the whole file instead of just the "initialized and loaded sections of object files".  When "strings -a evil-file" ran, it did not result in a segmentation fault.  (Thanks Swa)

[1] - "vulnerable" meaning that the included version of the "strings" command will segment fault.
0 comment(s)

Metasploit Framework 2.6 Released

Published: 2006-05-23
Last Updated: 2006-05-23 21:06:53 UTC
by David Goldsmith (Version: 1)
0 comment(s)
Version 2.6 of the Metasploit Framework was released today.  The Metasploit Framework is an open-source penetration-testing / vuln-assessment tool, similar to the commercial tools CANVAS and CORE IMPACT.  The latest version now has 3 user interfaces, 143 exploits and 75 payloads.

If you already have an older version of the Framework installed (version 2.2 or newer), you can simply run "msfupdate" to update to the latest and greatest parts and pieces.
0 comment(s)
Diary Archives