nCircle.com >> 360 Security >> VERT


July 2007 Archives

July 10, 2007

MS Tuesday - July

Another Patch Tuesday and another set of patches. This time we have 11 CVEs patched in 6 updates and we've got a couple of interesting ones.

The most interesting, to me, has to be the DoS / Remote Code Execution in Active Directory (MS07-039), especially since an anonymous user could take advantage of this on Windows 2000. In an enterprise environment, I'd say that Active Directory is God... and having control over God can't be good for anyone involved. People still running Windows 2000 Server may want to block access to their LDAP server (filtering TCP ports 389 and 3268) if they are unable to apply the patch in a reasonable time frame. The good news here is that, in most cases, your Domain Controllers aren't internet facing, which limits the risk to improperly configured networks and insider threats. Given the increase in insider threats, that may or may not help you sleep better at night. Another thing to consider is the effect this has on Small Business Server. Microsoft provides SBS as an all-in-one product that includes Exchange, and many small businesses place their SBS directly on their internet connection. Those small business users (who are generally more lax when it comes to applying patches) may feel a little extra pain from this vulnerability. More information on these vulns, including CVE-2007-3028, is available here.

The second one of interest, from a WebAppSec point of view, is the ASP.NET Null Byte Termination Vulnerability patched in MS07-040. This vulnerability could lead to information disclosure and, in the words of Microsoft, "An attacker who successfully exploited this vulnerability could gain unauthorized access to parts of a Web site." I see gaining access to unauthorized portions of a web site as more than information disclosure, but I suppose you could spin it either way. Given the number of ASP-powered web pages employed on the internet and the multiple versions of the .Net Framework that this affects, this could provide malicious individuals with access to plenty of private information. This information could include usernames and passwords, corporate secrets or even credit card and billing information. Those businesses applying for PCI certification may want to ensure that they have the proper patches in place. More information on this vuln, CVE-2007-0042, and the other two vulns patched by MS07-040, CVE-2007-0041 and CVE-2007-0043, can be found here.

Given the widespread use of "home routers" or NAT devices, I don't think that the remote code execution in MS07-041 will be overly popular or dangerous; however, there are a large number of home users that are running web servers from their Windows XP boxes. Information on this vuln, CVE-2005-4360, is available here. We're also seeing another Vista patch, an example of Microsoft's commitment to quickly patch Vista related problems. Since this issue affects the Teredo interface, I don't see it as being overly popular, and it is just an information disclosure... Again, information can be found on the advisory web page for this vuln, CVE-2007-3038. The last two patches cover a smattering of Office products; this time around it's Publisher and Excel (which has been coming up quite a bit lately).

That's all for now... enjoy your patching.

July 28, 2007

Full... errr... Irresponsible Disclosure: Hurting the community and the end user.

Once again full (read: irresponsible) disclosure rears its ugly head. Thursday night a PoC for remote file deletion found its way onto milw0rm. The vulnerability lies in the ScanCtrl ActiveX Control installed by Nessus. The "reporter" (if he can be called that, given his disclosure methods) identified IE 6 on XP SP 2 (Polish) running the version of ScanCtrl shipped with Nessus 3.0.6 as vulnerable. I have also been able to confirm the vulnerability in Nessus 3.0.5 and on IE7 under XP SP 2. As an interesting side effect, the PoC will crash IE7 on Vista; however, I'm not sure that Nessus actually supports Vista.

Let's get right down to mitigation, since (to my knowledge) there is not yet a patch available. The easiest way is to use Firefox, since this is an ActiveX control. You can also disable the ActiveX control in question by locating the ScanCtrl Control in Tools --> Internet Options --> Programs --> Manage Add-ons and setting it to disabled. The last bit of advice would be the standard "don't visit websites you don't trust."

Now the exploit itself. The PoC is taking advantage of a path traversal vulnerability that essentially provides access to the complete file system. In the PoC the deleteReport function is called and passed a single argument, the "report" to delete. This can be any file. There are other functions that can also take advantage of this; however, they don't appear to be as dangerous. One of these functions is importReport, which takes two arguments, 'target' and 'path'. The target relates to associating a report with a known target in Nessus, and path is once again the path to the file. Given the nature of the exploit, it's important to note that this requires the attacker to have knowledge of your file system, or to target "standard" file locations. Additionally, the importReport function appears to limit the type of file that can be accessed to *.xml, *.nbe, and *.nsr.
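The deleteReport and importReport calls described above take a caller-supplied "report" name and hand it straight to the file system, which is exactly what makes the traversal possible. What follows is an added example, not code from the VERT post or from Nessus, of the confinement check a report-handling control should apply before touching a file: it maps the untrusted name onto a fixed report directory, lexically collapses "." and ".." components, rejects anything that ends up outside that directory, and then applies an extension allowlist (the .xml, .nbe and .nsr types the post mentions for importReport). The report directory, the function names and the sample names are assumptions constructed for illustration.

```python
"""
Added example (not from the VERT post or from Nessus): confining an
untrusted report name to a fixed report directory and a file-type
allowlist, the check whose absence turns deleteReport/importReport
into a path traversal.
"""
import posixpath

# Assumed report directory (constructed value) and the report types the
# post says importReport accepts.  Using posixpath keeps the normalisation
# deterministic whatever platform the example is run on.
REPORT_DIR = "/opt/nessus/var/reports"
ALLOWED_SUFFIXES = frozenset({".xml", ".nbe", ".nsr"})


class ReportPathError(ValueError):
    """Raised when a caller-supplied name must not be used as a report path."""


def resolve_report_path(name, report_dir=REPORT_DIR, allowed=ALLOWED_SUFFIXES):
    """Map an untrusted report name onto a path inside report_dir.

    The check is purely lexical: it normalises the joined path and then
    requires the result to be a strict descendant of report_dir.  On a live
    system you would additionally resolve symlinks (os.path.realpath) and
    repeat the descendant check on the resolved path.
    """
    if not isinstance(name, str) or not name or "\x00" in name:
        raise ReportPathError("empty name or embedded NUL")
    # Windows separators and drive specifiers are normalised differently on
    # different platforms, so refuse them outright instead of guessing.
    if "\\" in name or ":" in name:
        raise ReportPathError("backslash or drive specifier in report name")
    if posixpath.isabs(name):
        raise ReportPathError("absolute path supplied")

    base = posixpath.normpath(report_dir)
    # normpath collapses '..', so '/base/../../etc/passwd' becomes '/etc/passwd'
    # and the descendant test below catches it.
    resolved = posixpath.normpath(posixpath.join(base, name))
    # The trailing '/' matters: '/base2/x.xml' must not pass as inside '/base'.
    if not resolved.startswith(base + "/"):
        raise ReportPathError("path escapes the report directory")

    if posixpath.splitext(resolved)[1].lower() not in allowed:
        raise ReportPathError("not an allowed report file type")
    return resolved


def is_safe_report_name(name):
    """Boolean form of resolve_report_path for callers that only need a verdict."""
    try:
        resolve_report_path(name)
        return True
    except ReportPathError:
        return False


if __name__ == "__main__":
    # Constructed sample names: two legitimate reports, the rest are the
    # kinds of input the check is there to refuse.
    SAMPLE_NAMES = [
        "scan1.xml",
        "2007/host.nbe",
        "../../../../boot.ini",
        "/etc/passwd",
        "..\\..\\windows\\system.ini",
        "notes.txt",
        "scan.xml\x00.txt",
    ]
    for n in SAMPLE_NAMES:
        try:
            print("allow  %r -> %s" % (n, resolve_report_path(n)))
        except ReportPathError as err:
            print("reject %r (%s)" % (n, err))
```

Note the design choice: a name such as "sub/../scan.nsr" is accepted because it still lands inside the report directory; a stricter policy would refuse any ".." component at all, which is simpler to reason about if the control never needs relative names.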

What I find more interesting than the PoC (since it's easily mitigated and limited in attack scope) is that a VM (vulnerability management) solution is being targeted; being in the VM space myself, this may interest me more than it does others. In the past couple of years, AV solutions have become a real target, generally the management software and AV proxies. However, you don't usually see vulnerabilities and exploits found in products in the VM space. Could it be that VM solutions are becoming a target as more and more companies employ them? After all, as these various solutions are used more frequently, their customers are aware of vulnerabilities in their workstation and server solutions. This awareness ensures that patches are applied properly and promptly, cutting down on the number of machines that an attacker could target. Does that logic make VM the next popular target for malicious individuals? I guess we'll have to wait and see.

Now with regards to vulnerabilities and disclosure / discovery, there seem to be two schools of thought: i) vulnerabilities are better left undiscovered and ii) vulnerabilities should be discovered and patched. I subscribe to the second school of thought. Why? If responsible disclosure is used, the vulnerability is reported and patched and the end user is never affected. Knowing that malicious individuals are out there searching for these vulnerabilities means it's only a matter of time before they find one in your product and take advantage of it. After all, vulnerabilities are flaws, flaws are mistakes, and mistakes are human.

I found some interesting things during my research which I have shared with the vendor. I'll post more details in the future as they have a chance to address my findings internally. While not everyone believes in responsible disclosure anymore, I'm happy to say that I do. That being said, responsible disclosure isn't perfect and it does have its flaws. A major one is that companies can choose to ignore vulnerabilities that are responsibly disclosed. It's times like that when further action needs to be taken, and that's a flaw in responsible disclosure that still has to be worked out. Beyond that, though, there's never really a reason to *NOT* responsibly disclose discoveries to the vendor.

[Update]
I had originally written this Friday morning, however I didn't get around to posting it. In between my initial write-up and the time of posting, it seems that a second PoC for Nessus has been posted on milw0rm, this time using the ScanCtrl Control to execute code on the target PC. Again, because the ScanCtrl control must be installed and you must be in Internet Explorer, the attack scope is limited, but for those of you that are affected, I recommend you check out the mitigation techniques I listed above.

[Update 2]
This has been patched in Nessus 3.0.6.1. You can get it from the Nessus download page.

About July 2007

This page contains all entries posted to VERT in July 2007. They are listed from oldest to newest.
