[Sunnet Alert] Advisory #209 - PHP (Multiple), Multiple News

Security and IT News Alerts alertmailinglist at skiifwrald.com
Fri Mar 9 16:06:20 EST 2007


Sûnnet Beskerming Alert List Advisory #209

You are receiving this message because you have subscribed to our  
Information Security Alert Mailing List, or have been selected for a  
specific one-off copy.  If you believe that you are receiving this  
message in error, please contact info at beskerming.com to resolve the  
error.

Why not upgrade to get same day notification on security threats?   
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your  
company?
(http://www.beskerming.com/premium/focussed_advisory.html)


Contents
--------------------------------------------------------------------
1.	SECURITY
--------------------------------------------------------------------
1.1	PHP (Multiple)
	- Remote Hacker Automatic Data Theft
	- Time Since Discovery - 1 Day
=======================================
/*
	- Remote or Local - Can it be achieved through a network or does it  
require physical access?
	- Hacker - The bad guy
	- Manual or Automatic  - Does the vulnerability need to be manually  
performed, or can it be automated?
	- Control, Denial of Service or Data Theft - Will the hacker get  
control of your system / website, will they prevent you from using  
it, or will they steal data.
*/
--------------------------------------------------------------------
2.    NEWS
--------------------------------------------------------------------
2.1	Pay For Disclosure
2.2	Political Candidates And Weak Security
2.3	New Exploit Samples
=======================================

1.	SECURITY

1.1	PHP (Multiple) - Remote Hacker Automatic Data Theft

	-- Products Affected --
	PHP 5.2.1 and earlier

	-- Technical Description --
	MOPB-14-2007 - Information leak associated with substr_compare() in  
PHP 5.2.1 and earlier.
	MOPB-15-2007 - Information leak associated with the shared memory  
functions in PHP versions before 5.2.1 and 4.4.5.

	-- Description --
	The most recent vulnerabilities identified by the MOPB project deal  
with information leakage from various PHP components, which could  
allow remote attackers to read potentially sensitive data passing  
through the PHP server.  In practice the affected functions have to be  
reached with attacker-influenced arguments, so the exposure is greatest  
on shared hosts and in applications that pass user input into these  
calls.  The MOPB disclosure also notes that the MOPB-14-2007 leak can  
be used to make arbitrary code execution attempts much simpler (a  
memory disclosure reveals the addresses that other exploits need),  
hence the High to Very High threat rating.

	-- Recommended Action --
	Update to PHP 4.4.6 or 5.2.2 or later.

	-- Source --
	http://www.php-security.org

	-- Threat Matrix --
			U	O
	Home User	6	7 (High - Very High)
	Corporate	6	7 (High - Very High)

=======================================
/*
Threat Matrix:
	U - User
	O - Operator
	Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
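
As an added worked check (editor's example, not part of the original  
alert), the script below turns the affected ranges and the recommended  
action above into a version audit that can be run over a host  
inventory.  Only the version ranges come from the advisory; the  
function names, parsing rules and the sample inventory are constructed  
for this example.

```python
import re

# Version ranges are taken from the advisory text above. The parsing rules, function
# names and the sample inventory below are the editor's own constructions for this
# example, not part of the original alert.

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings such as '5.2.1' or '5.2.1-0.dotdeb.1'.

    Distribution suffixes after the third component are ignored. Caveat: distributions
    sometimes backport fixes without bumping the upstream number, so a hit here is a
    prompt to check the package changelog, not proof of exposure.
    """
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError("not a PHP version string: %r" % text)
    return tuple(int(part) for part in match.groups())


def applicable_advisories(version):
    """List the MOPB identifiers from this alert that apply to the given PHP version.

    MOPB-14-2007: PHP 5.2.1 and earlier. substr_compare() only exists on the 5.x
    branch, so 4.x is not checked for it (editor's reading of '5.2.1 and earlier').
    MOPB-15-2007: before 5.2.1 on the 5.x branch, before 4.4.5 on the 4.x branch.
    """
    v = parse_version(version)
    major = v[0]
    hits = []
    if major == 5 and v <= (5, 2, 1):
        hits.append("MOPB-14-2007")
    if (major == 5 and v < (5, 2, 1)) or (major == 4 and v < (4, 4, 5)):
        hits.append("MOPB-15-2007")
    return hits


def meets_recommended_action(version):
    """True when the version satisfies 'update to PHP 4.4.6 or 5.2.2 or later'."""
    v = parse_version(version)
    if v[0] == 4:
        return v >= (4, 4, 6)
    return v >= (5, 2, 2)


def audit(inventory):
    """Map host -> (version, advisories, ok) for 'host version' lines.

    Malformed lines are reported rather than silently skipped, so that an unparseable
    version (e.g. a host that only answers 'PHP/5') still shows up for manual review.
    """
    report = {}
    for line in inventory.strip().splitlines():
        host, _, version = line.partition(" ")
        try:
            report[host] = (version, applicable_advisories(version),
                            meets_recommended_action(version))
        except ValueError as exc:
            report[host] = (version, ["UNPARSED: %s" % exc], False)
    return report


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = """\
web01 5.2.1
web02 5.2.0-8+etch
web03 4.4.4
web04 4.4.5
web05 5.2.2
legacy 5
"""

if __name__ == "__main__":
    for host, (version, advisories, ok) in sorted(audit(SAMPLE_INVENTORY).items()):
        status = "ok" if ok else "UPDATE"
        print("%-8s %-14s %-7s %s" % (host, version, status, ", ".join(advisories) or "-"))
```

Note that on the 4.x branch the advisory's remediation bar (4.4.6) is  
stricter than its listed affected range (before 4.4.5): a host on 4.4.5  
matches neither MOPB entry but still fails the recommended action, so  
the audit keys the "ok" column off the remediation bar rather than off  
the affected ranges.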

2.	NEWS

2.1	Pay For Disclosure

Once again the issue of payment for vulnerability disclosure has been  
raised.  This time, the discussion has been prodded into life by a  
posting to the sla.ckers.org forum by Microsoft requesting that  
researchers continue to use the 'Responsible Disclosure' methods that  
Microsoft supports and recommends (which are subtly different from  
other responsible disclosure methods).

There is a strong case for seeking compensation for what is  
essentially unpaid work done on behalf of a company or group of  
developers: the 'free market' value of a vulnerability on the black  
market can be upwards of $10,000 USD, and the cost to a researcher  
(software and hardware for research, along with hours of work) can run  
to thousands of dollars.  There is a real cost to investigating and  
reporting the issue, and companies pay their own employees for exactly  
this kind of work.

Countering this argument is the observation that 'selling'  
vulnerability data makes the researcher no better than the 'black  
hat' hackers who are busy exploiting the vulnerability for their own  
profit.  There are companies and groups that specialise in the trade  
of vulnerabilities, though the ethical grounds for doing so are  
somewhat murky.  Holding a vulnerability at 'ransom' until a company  
pays for the release of the information is also ethically corrupt.

Perhaps a good middle ground will be companies compensating  
researchers out of gratitude, rather than out of necessity.  Rather  
than cash payment, software or hardware gifts could be seen as more  
appropriate (and researchers could then be encouraged to continue  
their work on the new gifts).  Under this approach, companies are out  
of pocket only what the software costs them to produce (which, in the  
case of Microsoft, is close to zero for an additional copy), whilst the  
researcher receives compensation that could be worth hundreds or  
thousands of dollars at market value.  Recognition that freelance  
Information Security research is not an evil line of work will also go  
a long way to ensuring a professional and respectable working  
relationship.


2.2	Political Candidates And Weak Security

Political candidates and serving politicians are always in the public  
eye and, more often than not, a target of spite for at least some  
disgruntled constituents and special interest groups.  In Australia  
there have been numerous cases where sitting state and federal  
politicians have had their web presence attacked and defaced,  
including some of the major Federal political groups, though this is  
normally the limit of visible attack against political interests.

As the race for the US Presidential nomination heats up within the  
Democratic and Republican parties, interested observers have looked  
at the Internet presence for most of the primary candidates in the  
nomination race and have found that many of their sites fail the US  
Federal ADA (access for disabled users) guidelines, and many have  
interesting weaknesses in the software that has been used to develop  
and present the site for online visitors.  While these sites are more  
than likely going to be closely monitored by dedicated IT security  
staff, they will make tantalising targets as the race for the  
Presidency heats up.

In the race for the French Presidency, the far right candidate, Jean- 
Marie Le Pen, has come under attack from external sources, when an  
attacker managed to gain access to a list of officials who had  
tentatively agreed to support him.  While the initial suspicion was  
that an internal mole had leaked the data, it is now suspected that  
an external attacker gained access to one of the systems within the  
National Front, the party Le Pen leads.


2.3	New Exploit Samples

A number of new detailed exploit samples have been released over the  
last few days targeting a range of well known (and not so well known)  
vulnerabilities.

An exploit for a Winamp playlist UNC Path Computer Name overflow,  
which results in complete control over a vulnerable system, has been  
released.  This particular vulnerability affects version 5.12 of Winamp.

An exploit targeting PHP, but unrelated to the Month of PHP Bugs  
project, has been released.  This particular exploit targets  
inconsistencies in the way that PHP on Windows handles 'safe_mode'.   
Through the use of the COM extension, it is possible to pass  
arbitrary commands to the Win32 shell, even though PHP's safe_mode is  
enabled.  The exploit is reported to be unreliable, but the technique  
is the point: because the COM extension acts outside the checks that  
safe_mode applies to PHP's own functions, safe_mode should not be  
treated as a security boundary on Windows hosts where COM is  
available.  Affected PHP versions have not been identified.

An updated WinZip exploit has been released, which can be executed  
via a web page, and which provides a different method of exploitation  
to previous versions.  If users have not already updated their WinZip  
versions (which should have been updated through the Microsoft  
updates), it is important to update as soon as possible.

Finally, a corrupted Word document has been released which  
demonstrates a Denial of Service attack against Word (application  
crash).  The underlying flaw is a malformed pointer in the ole32.dll  
library, and it can be triggered by mouse movement over the document.  
Although the demonstration is for Denial of Service only, memory  
locations can reportedly be overwritten reliably, so there is a risk  
that this could be extended into arbitrary code execution, delivered  
remotely through a crafted document.

Details to exploit some of the vulnerabilities patched by the recent  
QuickTime update have also been made public.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister  
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and  
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..  
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist  
and, in conjunction with the tools developed by Jongsma & Jongsma  
Pty. Ltd., provides total security solutions and services, from the  
perimeter to internal data stores, including web application security  
and security testing and analysis.



