12:24 CET, 3rd November 2008 By Carsten Eiram.
With my arm twisted in a tight lock, I was kindly asked to write a blog today about this month's analyses issued via our Secunia Binary Analysis (BA) service.
Secunia Binary Analysis
Many are already quite familiar with this service, but for the uninitiated, I can inform that it is a service that we've been providing for about two years to certain players in the security industry, larger organisations, and government institutions responsible for developing IDS/IPS signatures.
Basically, it builds on our advisory service, but just takes it a step further by providing very detailed reports about selected critical vulnerabilities in high-profile products, how the vulnerabilities can be exploited, and (more importantly) how to reliably detect attacks.
More information about the service is available at:
Exciting Vulnerabilities This Month
This month has been quite interesting for the Secunia BA team with a Microsoft Tuesday weighing in at the heavy end of the scale, nicely accompanied by other critical vulnerabilities in e.g. Sun Java System Web Proxy Server, CUPS, Trend Micro OfficeScan, Adobe PageMaker, and OpenOffice to name a few.
In total, my team managed to issue 28 analyses this month, which is almost one analysis per day; a number I'm quite satisfied with and that is a bit higher than our average (but still very decent) output of about 20 analyses/month.
If someone told me (and they did) to highlight one or two BA reports my team and I really enjoyed doing this month, I would have to mention the following:
* Microsoft Windows Path Canonicalisation Vulnerability (SA32326 / CVE-2008-4250)
With 12,017 views of the Secunia Advisory at the time of writing, this vulnerability has received a lot of attention and rightly so as it was reported as a 0-day.
Knowing that a vulnerability is currently being actively exploited always makes it a bit more interesting to analyse it. Particularly entertaining is it that someone most likely found this vulnerability by chance when fuzzing the vulnerable interface for directory traversal vulnerabilities and instead ended up with a memory corruption vulnerability dropping straight into their lap.
* Sun Java System Web Proxy Server "Vary" Header Buffer Overflow (SA32227#2 / CVE-NO-MATCH)
This one was noticed while analysing another vulnerability fix (SA32227#1 / CVE-2008-4541). Apparently, Sun decided to mention only one vulnerability in their Sun Alert and instead silently fixed this one with a vague "Proxy 4.0: improper handling of 'Vary' header" comment casually included in the list of problems fixed by the patch.
However, they were definitely correct that the handling of the "Vary" header indeed was improper, causing a heap-based buffer overflow.
The two mentioned vulnerabilities are both exploitable and customers, who haven't already enjoyed these analyses and created signatures from them, are highly encouraged to do so. Most of the other issued analyses also cover vulnerabilities proven to be exploitable, though. It's therefore highly recommended that IDS/IPS vendors are on top of these as well.
For readers without access to our BA service, I've allowed myself to upload another interesting analysis ("Trend Micro OfficeScan CGI Parsing Buffer Overflow") to the sample page:
As the eagle-eyed reader may have noticed, then the title of this blog reads: "Monthly Binary Analysis Update", which means that I'll be back at the end of next month with another update on the most exciting vulnerabilities of the month.
Until then - Stay Secure
Chief Security Specialist