Example Sins

The following entries in Common Vulnerabilities and Exposures (CVE) at http://cve.mitre.org are examples of Trusting Network Name Resolution.

CVE-2002-0676

From the CVE description:

SoftwareUpdate for MacOS 10.1.x does not use authentication when downloading a software update, which could allow remote attackers to execute arbitrary code by posing as the Apple update server via techniques such as DNS spoofing or cache poisoning and supplying Trojan Horse updates.

More information about this problem can be found at the following web site: www.cunap.com/~hardingr/projects/osx/exploit.html. Let's take a look at a quote from the web page; normal operation of this service is as follows:

When SoftwareUpdate runs (weekly by default), it connects via HTTP to swscan.apple.com and sends a simple GET request for /scanningpoints/scanningpointX.xml. This returns a list of software and current versions for OS X to check. After the check, OS X sends a list of its currently installed software to /WebObjects/SoftwareUpdatesServer at swquery.apple.com via an HTTP POST. If new software is available, the SoftwareUpdatesServer responds with the location of the software, size, and a brief description. If not, the server sends a blank page with the comment "No Updates."

A little ad-hoc threat modeling shows the folly of this approach. The first problem is that the list of things to check for isn't authenticated. An attacker could, whether by intercepting the response or by merely spoofing the server, tell the client anything it wants about what to check for. It could intentionally tell it not to check for something known to be vulnerable, or it could potentially tell it to replace something that isn't vulnerable with something that is.
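As an added example (not Apple's code and not from the book), here is the shape of an update check that does not depend on name resolution: the update list carries an authentication tag the client verifies before acting on it, and each download is bound to that verified list by hash, so a spoofed swscan.apple.com or swquery.apple.com gains an attacker nothing. The pre-shared VENDOR_KEY and the HMAC are assumptions standing in for a vendor public key and a real signature, chosen to keep the example standard-library only.

```python
import hashlib
import hmac
import json

# Assumption: a pre-shared key stands in for the vendor's public key so the
# example stays stdlib-only. A shipping updater would verify a public-key
# signature (e.g. Ed25519) so the client holds no secret at all.
VENDOR_KEY = b"constructed-demo-key"

def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so vendor and client sign/verify identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: the update list travels with a tag over its exact bytes."""
    body = canonical(manifest)
    return {"manifest": body.decode(), "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_manifest(signed: dict, key: bytes = VENDOR_KEY) -> dict:
    """Client side: trust the list only if the tag verifies. Which host the
    name resolved to, and whether plain HTTP was used, play no part here."""
    body = signed["manifest"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(signed.get("sig", ""))):
        raise ValueError("manifest tag invalid: ignoring update list")
    return json.loads(body)

def verify_download(manifest: dict, name: str, payload: bytes) -> bool:
    """Bind the downloaded bytes to the verified manifest by SHA-256 before
    anything is installed; a substituted package fails this check."""
    want = manifest["packages"][name]["sha256"]
    return hmac.compare_digest(hashlib.sha256(payload).hexdigest(), want)

# Constructed sample update: the genuine package bytes and a substitute that a
# spoofed download server could serve instead.
GOOD_PAYLOAD = b"constructed genuine package bytes"
SWAPPED_PAYLOAD = b"constructed substituted package bytes"
MANIFEST = {"packages": {"SecurityUpdate": {
    "version": "10.1.5", "sha256": hashlib.sha256(GOOD_PAYLOAD).hexdigest()}}}
SIGNED = sign_manifest(MANIFEST)

def forged_no_updates(signed: dict) -> dict:
    """Constructed response from a spoofed scan server: the body now claims
    there is nothing to install, but the tag still covers the original body."""
    return {"manifest": json.dumps({"packages": {}}), "sig": signed["sig"]}
```

The forged "No Updates" reply fails verification, and a package whose bytes differ from the hash in the verified list is refused even when it was fetched from the expected host name.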

CVE-1999-0024

From the CVE description: DNS cache poisoning via BIND, by predictable query IDs.

More information can be found at www.securityfocus.com/bid/678/discussion. Essentially, predictable DNS sequence numbers can lead to attackers being able to insert incorrect information into DNS replies. Substantially more background can be found at www.cert.org/advisories/CA-1997-22.html. Before you start thinking that this is old news, take a good look at a BugTraq post entitled "The Impact of RFC Guidelines on DNS Spoofing Attacks" (July 12, 2004) located at www.securityfocus.com/archive/1/368975. Even though the problems have been known for years, many operating systems continue to repeat these mistakes. It is worth noting that most of the problems reported were not present in Windows 2003 Server when it shipped, and they were also corrected in Windows XP Service Pack 2.

19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them
Writing Secure Code
ISBN: 71626751
Year: 2003
Pages: 239