A handful of bugs, a fix, and some good reading

Published: 2004-12-06. Last Updated: 2004-12-07 02:50:36 UTC
by Cory Altheide (Version: 1)
0 comment(s)
CA Unicenter Remote Control Authentication Bypass

Computer Associates has announced an authentication bypass in their Unicenter Remote Control product. From the horse's mouth: "A Unicenter Remote Control (URC) Management Console version 6.0 SP1 may allow any user that has been authenticated by the underlying Operating System to connect to another URC 6.0 Management Server. This may allow unauthorized users to administer and configure the Remote Control Enterprise managed by this management server."

But we all trust our users, right? :-)

For more details and fixes go to CA support:
http://esupport.ca.com/index.html?/public/rco_controlit/infodocs/securitynotice.asp

RSSH/scponly security circumvention

Jason Wies recently discovered weaknesses in the operation of rssh and scponly. Both programs are restricted shells designed to afford secure transfer capabilities to end users without allowing them full shell access. However, end users may pass arguments to several of the programs these shells allow to be executed that will execute any program on the target system.

This problem is fixed in the latest version of scponly. No official fix for rssh is available or expected, as the author has ceased work on the program.

More details are available at Secunia -

For rssh: http://secunia.com/advisories/13363/

For scponly: http://secunia.com/advisories/13364/



Nicholas Gregoire of Exaprobe published a report today which detailed vulnerabilities in "w3who.dll," an IIS ISAPI extension which was until recently available from Microsoft and can reportedly be found in the Windows 2000/XP Resource Kits. I'm not aware of how widely deployed, but it's used to "display the browser client context" and "list security identifiers, privileges, env variables." If you're the person using this DLL, you should probably stop, since one of the vulnerabilities is a buffer overflow.

Exaprobe's advisory: http://www.exaprobe.com/labs/advisories/esa-2004-1206.html

Winamp Fix

A new version of Winamp is available which fixes the vulnerability described in the 11/24 Diary ( http://isc.sans.org/diary.php?date=2004-11-24 ). There is working exploit code circulating for this, so if you're a Winamp user it's recommended that you update.

Changelog available here: http://winamp.com/player/version_history.php

Defeating Encryption

The ISC's very own John Bambenek has authored a paper demonstrating the risks involved with placing blind faith in the security of strong network encryption.*

<i>"There is no dispute about the need for strong encryption, particularly for privileged communications. There is no way to have a high level of assurance that the entire path between endpoints of a message is secure, so the message has to be hidden in transit. While brute-force decryption is possible, modern forms of encryption have made this process too long to be valuable.

However, there is still risk if the endpoints of the communication are vulnerable. Eventually the encrypted message needs to be decrypted in order to be useful, and that process happens at the endpoints of the communication. The problem is, if the endpoints are compromised, the entire message can be stolen even if the plaintext message is not stored on a file on the system."</i>

The (very good) paper can be accessed here: http://www.infosecwriters.com/text_resources/pdf/Defeating_Encryption.pdf

***********************

Cory Altheide

Handler-at-Large

caltheide@isc.sans.org

***********************


*I don't want cryptogeeks jumping on me for being a cryptobigot. I love crypto, but I realize that it's only one cog in the beastly infosec machine.
Keywords:
0 comment(s)

Comments


Diary Archives