Sunday, September 21, 2008

Vulnerability rediscovery, XSS and a WebEx bug

Every security researcher who is hunting for bugs hates this particular situation: a vulnerability that you have found and reported to the vendor gets rediscovered and publicly disclosed by someone else. This just happened to me again but this time I decided to also disclose an advisory for the vulnerability.

The vulnerability I'm talking about affects an ActiveX component of WebEx (CVE-2008-2737). See my advisory for a detailed technical description.

I found the vulnerability in April 2008 and Elazar Broad rediscovered it in June 2008. He also informed WebEx/Cisco about the vulnerability but then publicly disclosed it the full-disclosure way. In his advisory he states: "When I reported this issue to the vendor, they had stated that they were aware of it, but would not say whether it was the result of an internal audit or an independent researcher". Well, that independent researcher was me ...

Now to the vulnerability: it is a classic stack overflow that can be reliably exploited to execute arbitrary code in the browser of the victim. As WebEx is *the* web conferencing tool, there should be a lot of vulnerable browsers out there.

One interesting thing regarding the vulnerability is that while this control is marked as safe for scripting, it has been designed so that it can only be run from the "webex.com" domain. In practice this requirement can be bypassed through the use of any Cross-Site Scripting (XSS) vulnerability in the WebEx domain. Well, at least in this scenario reflected (non-persistent) XSS turns out to be a *real* security threat ;)
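To make the "only from the webex.com domain" restriction concrete, here is an added example of a site-lock check of the kind ActiveX controls implement: the control obtains the URL of the hosting page and refuses to run unless the scheme and host match an allow-list. This is example code written for this post, not code from WebEx/Cisco; the locked domain, the https-only rule, the URL parsing and the test URLs are all constructed for the illustration. The point of the post is visible in the check itself: it only decides *which origin* may script the control, so script injected into a page on the allowed origin via reflected XSS passes it exactly like legitimate site content, and the control's own parsing bugs remain reachable.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Locked domain (constructed for this example): the apex domain and any of
   its subdomains are allowed; everything else is rejected. */
static const char *const LOCKED_DOMAIN = "webex.com";

/* Case-insensitive prefix test, written out to avoid strncasecmp/_strnicmp
   portability differences between POSIX and MSVC. */
static bool has_prefix_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return false;
    }
    return true;
}

/* Copy the host of an https:// URL into `host`, lower-cased, without port.
   Returns false for non-https URLs, empty hosts, over-long hosts and URLs
   carrying userinfo ("https://webex.com@evil.example/" would otherwise be
   misread as webex.com by a naive parser). */
static bool extract_host(const char *url, char *host, size_t host_len) {
    const char *prefix = "https://";
    if (!has_prefix_ci(url, prefix)) return false;
    const char *p = url + strlen(prefix);

    size_t end = 0;                       /* end of the authority component */
    while (p[end] && p[end] != '/' && p[end] != '?' && p[end] != '#') {
        if (p[end] == '@') return false;  /* refuse userinfo outright */
        end++;
    }
    size_t n = end;                       /* strip an optional :port */
    for (size_t j = 0; j < end; j++) {
        if (p[j] == ':') { n = j; break; }
    }
    if (n == 0 || n >= host_len) return false;
    for (size_t j = 0; j < n; j++) host[j] = (char)tolower((unsigned char)p[j]);
    host[n] = '\0';
    return true;
}

/* Exact match on the locked domain, or a suffix match that requires the
   separating dot: "acme.webex.com" passes, "evilwebex.com" and
   "webex.com.evil.example" do not. A plain strstr() check would accept both. */
static bool host_allowed(const char *host) {
    size_t hl = strlen(host), ll = strlen(LOCKED_DOMAIN);
    if (hl == ll && strcmp(host, LOCKED_DOMAIN) == 0) return true;
    if (hl > ll && host[hl - ll - 1] == '.' && strcmp(host + hl - ll, LOCKED_DOMAIN) == 0) return true;
    return false;
}

/* The site-lock decision a control would make before exposing any method
   to the hosting page's script. */
bool site_lock_allows(const char *page_url) {
    char host[256];
    if (!extract_host(page_url, host, sizeof host)) return false;
    return host_allowed(host);
}

int main(void) {
    /* Constructed sample page URLs. */
    const char *urls[] = {
        "https://www.webex.com/meet",            /* allowed */
        "https://acme.webex.com:443/",           /* allowed: subdomain with port */
        "http://www.webex.com/",                 /* rejected: not https */
        "https://webex.com.evil.example/",       /* rejected: locked domain is not the suffix */
        "https://webex.com@evil.example/",       /* rejected: userinfo trick */
        "https://evilwebex.com/",                /* rejected: missing separating dot */
    };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        printf("%-40s -> %s\n", urls[i], site_lock_allows(urls[i]) ? "allowed" : "rejected");
    }
    return 0;
}
```

Note what this check cannot do: a URL such as https://www.webex.com/search?q=<injected script> is allowed, because the page really is served by the locked origin. That is precisely why a reflected XSS on the allowed domain turns a "site-locked" control into one reachable from anywhere, and why the memory-safety bug in the control itself needed fixing.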

Wednesday, September 17, 2008

Finally fixed ...

The vulnerability described in TKADV2008-008 can be exploited to get reliable code execution in kernel mode under all Windows versions supported by G DATA. See this fancy PoC Flash movie. The movie is from 2007, as G DATA needed 294 days (!) to provide a fixed version of their products.

The vulnerability is only fixed in the *new* G DATA 2009 products. As far as I know G DATA will *not* provide a fix for AntiVirus, InternetSecurity or TotalCare 2008.

Tuesday, September 09, 2008

Linux Kernel and silent fixes

The Linux Kernel 2.6.26.4 provides a patch called "sctp: fix potential panics in the SCTP-AUTH API" that fixes some NULL pointer dereferences and an information disclosure vulnerability I found in the SCTP-AUTH API.

The NULL pointer dereferences can be used to cause a kernel panic (denial of service) as an unprivileged user, but do not seem to be exploitable to execute code in the kernel context.

The information disclosure vulnerability - which, by the way, is mentioned neither in the patch nor in the kernel changelogs - can be reliably exploited to read arbitrary (kernel) memory as an unprivileged user.

It's quite disturbing to see that security vulnerabilities are indeed silently fixed by some Linux kernel developers / maintainers.