Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-06-30 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

OpenOffice.org Vulnerabilities

Published: 2006-06-30
Last Updated: 2006-06-30 21:17:36 UTC
by David Goldsmith (Version: 1)
0 comment(s)
OpenOffice.org released a security bulletin today that addresses three security issues in the OpenOffice.org software which were discovered during an internal code audit.  The vulnerabilities affect both the older 1.1.x and the newer 2.0.x releases.  OpenOffice.org has released version 2.0.3 which resolves the issues.  A patch for version 1.1.5 will be available soon.  Without the patch, one of the issues has a possible workaround to alleviate the issue; the other two do not.

OpenOffice.org has additional security notes on their site that address the three specific issues:

  • Java Applets

    It is possible for some Java applets to break out of the secure "sandbox" in which they are normally constrained.  The  applet code could potentially have access to the entire system with whatever privileges the current user has.

    A workaround is provided to temporarily disable support for Java applets.  Instructions are provided for both 1.1.x and 2.0.x.
  • Macros

    A flaw with the macro mechanism could allow an attacker to include certain macros that would be executed even if the user has disabled document macros.  Such macros could potentially have access to the entire system with whatever privileges the current user has.

    There is no workaround for this issue
  • File Format

    A flaw in the parsing of the XML file formats allows for possible buffer overflows in specially malformed documents.  The buffer overflow can crash the OpenOffice.org application and might be exploitable for arbitrary code-execution.

    There is no workaround for this issue.

Thanks to Juha-Matti for the heads-up.

Keywords:
0 comment(s)

Root-Level Exploit for OSX LaunchD Service

Published: 2006-06-30
Last Updated: 2006-06-30 20:21:20 UTC
by David Goldsmith (Version: 1)
0 comment(s)
The diary entry from June 28th covered the release of the new version of OS X 10.4.7 which addressed various security issues.  There is now a publicly available exploit taking advantage of the format string vulnerability with the LaunchD daemon in versions of OS X up to and including 10.4.6 which can result in an attacker gaining root access on the system.

You can get more information about the vulnerability and exploit from Security Focus.

If you haven't already installed the update, time to get moving.

Thanks to Juha-Matti for the information.

Keywords:
0 comment(s)

Two new Internet Explorer vulnerabilities disclosed including PoC

Published: 2006-06-30
Last Updated: 2006-06-30 07:28:33 UTC
by Bojan Zdrnja (Version: 3)
0 comment(s)
Two vulnerabilities in Internet Explorer were published yesterday to the Full-Disclosure mailing list along with their associated PoC code.

A critically rated IE vulnerability in the use of HTA applications (CLSID 3050f4d8-98B5-11CF-BB82-00AA00BDCE0B) to trick a user into opening a file by double clicking it. The file has to be accessible through either SMB or, according to the advisory, WebDAV, and can be located on a remote site.  The currently available version of PoC that was published is limited in that it requires the user to double click on an icon to execute a potentially malicious payload, but we can expect to find creative use of this exploit in the wild very soon.  The workaround for this appears to be disabling active scripting.

The second vulnerability is related to the handling of the object.documentElement.outerHTML property. The abuse of this property will allow an attacker to retrieve remote content in the context of the web page which is being currently viewed by the user. This vulnerability can be potentially nasty as attackers can use it to retrieve data from other web sites user is logged into (for example, webmail) and harvest user credentials.  Several handlers have spent a little more time validating this particular issue and while it is a subtle exploit and rated a lower level risk, this issue has raised some of our neck hairs.

Microsoft is investigating both issues and Secunia posted a PoC web page for the second vulnerability that you can find at http://secunia.com/internet_explorer_information_disclosure_vulnerability_test.

Regarding the second vulnerability, what's interesting is that we were able to reproduce this even when using Mozilla FireFox.

We have not received any reports of these vulnerabilities being actively exploited in the wild. Please let us know if you have more information and we'll update the diary accordingly.

** As another worthy 'Handler tools' mention that is applicable as a general protection tool which has been gaining increased use in the testing of malicious code and reviewing potentially malicious websites is the SandboxIE tool.  Browse safely over to http://www.sandboxie.com.

06/28/06
We have been getting comments about the statement of Firefox being vulnerable. After repeated testing, one of the handlers has confirmed that it is definitely vulnerable. The code found at Secunia will not catch vulnerable versions of Firefox but the original PoC found on FullDisclosure will work on Firefox.

UPDATE 06/30/06
After doing more research on this vulnerability and with great help from our readers (thanks to Dan and another reader) it seems that Mozilla Firefox is not affected by this vulnerability.

The (obvious) reason for this is that Firefox doesn't support the outerHTML property at all (innerHTML property is supported). As this property is not supported, the original context can't get any data from the HTML that was loaded into the <object> tag.

If you test this with the original PoC posted on Full Disclosure, you can notice that Firefox will load the target web page into the object tag, but the alert call (which is in the original context) will not be able to get any data. If you use Internet Explorer 6 this is not the case as the original context script can access data that was loaded into the object tag.

The fact that Firefox displays the target web page has nothing to do with this vulnerability (apart from the fact that it can confuse the user, but that's another story); so in this context it's no different than using an iframe.

Internet Explorer 7 is also not affected by this vulnerability.

--
Bojan Zdrnja
William Salusky
Toby Kohlenberg

Keywords:
0 comment(s)
Diary Archives