
Full... errr... Irresponsible Disclosure: Hurting the community and the end user.

Once again full (read: irresponsible) disclosure rears its ugly head. Thursday night a PoC for remote file deletion found its way onto milw0rm. The vulnerability lies in the ScanCtrl ActiveX control installed by Nessus. The "reporter" (if he can be called that, given his disclosure methods) identified IE 6 on XP SP 2 (Polish) running the version of ScanCtrl shipped with Nessus 3.0.6 as vulnerable. I have also been able to confirm the vulnerability in Nessus 3.0.5 and on IE7 under XP SP 2. As an interesting side effect, the PoC will crash IE7 on Vista; however, I'm not sure that Nessus actually supports Vista.

Let's get right down to mitigation, since (to my knowledge) there is not yet a patch available. The easiest way is to use Firefox, since this is an ActiveX control and Firefox doesn't load ActiveX controls. You can also disable the ActiveX control in question by locating the ScanCtrl control in Tools --> Internet Options --> Programs --> Manage Add-ons and setting it to disabled. The last bit of advice is the standard one: don't visit websites you don't trust.

Now the exploit itself. The PoC takes advantage of a path traversal vulnerability that essentially provides access to the complete file system. In the PoC the deleteReport function is called and passed a single argument, the "report" to delete. This can be any file. There are other functions that can also take advantage of this; however, they don't appear to be as dangerous. One of these functions is importReport, which takes two arguments, 'target' and 'path'. The target associates the report with a known target in Nessus, and path is once again the path to the file. Given the nature of the exploit, it's important to note that this requires the attacker to have knowledge of your file system, or to target "standard" file locations. Additionally, the importReport function appears to limit the type of file that can be accessed to *.xml, *.nbe, and *.nsr.
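To make the path traversal concrete, here is an added example (not Nessus code, and not taken from the PoC) of a "delete report by name" routine in the shape the post describes, first as the unconfined version and then hardened so the name can no longer leave the report directory. The function names, the `reports_dir` layout and the sample files are assumptions constructed for the demo; the extension allow-list mirrors the *.xml / *.nbe / *.nsr limit the post attributes to importReport.

```python
"""
Added example: confining a report-by-name routine to its report directory.
Function names, directory layout and sample files are assumptions built for
this demo, not the ScanCtrl control's real internals.
"""
import os
import tempfile

# Extension allow-list, mirroring what the post says importReport enforces.
REPORT_EXTENSIONS = {".xml", ".nbe", ".nsr"}


def delete_report_unsafe(reports_dir: str, report: str) -> str:
    """'Before' behaviour: the caller-supplied name is joined straight onto the
    report directory. '..' segments walk out of it, and os.path.join discards
    reports_dir entirely when `report` is absolute, so any file the process
    can write to is reachable."""
    path = os.path.join(reports_dir, report)
    os.remove(path)
    return path


def resolve_report(reports_dir: str, report: str, check_extension: bool = True) -> str:
    """Hardened resolver: canonicalise, then require the result to stay inside
    reports_dir. Raises ValueError before touching the filesystem when the name
    escapes the directory or carries a disallowed extension."""
    base = os.path.realpath(reports_dir)
    candidate = os.path.realpath(os.path.join(base, report))
    # commonpath is the robust containment test; a plain startswith() would
    # accept "/srv/reports-evil" as lying under "/srv/reports".
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"report name escapes the report directory: {report!r}")
    if check_extension and os.path.splitext(candidate)[1].lower() not in REPORT_EXTENSIONS:
        raise ValueError(f"not a report file: {report!r}")
    return candidate


def delete_report_safe(reports_dir: str, report: str) -> str:
    """Same operation as delete_report_unsafe, but only after confinement."""
    path = resolve_report(reports_dir, report)
    os.remove(path)
    return path


def demo() -> dict:
    """Builds a throwaway layout (constructed sample data) and exercises both
    routines with a traversal name, an absolute path and a legitimate report.
    Returns what happened so the outcome can be checked."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        reports = os.path.join(root, "reports")
        os.mkdir(reports)
        victim = os.path.join(root, "unrelated.txt")   # outside the report dir
        legit = os.path.join(reports, "scan1.nbe")     # a genuine report
        for p in (victim, legit):
            with open(p, "w") as fh:
                fh.write("constructed sample\n")

        # Unsafe: traversal reaches and removes a file outside the report directory.
        delete_report_unsafe(reports, os.path.join("..", "unrelated.txt"))
        results["unsafe_deleted_outside"] = not os.path.exists(victim)

        # Safe: the same traversal is refused before any filesystem call.
        try:
            delete_report_safe(reports, os.path.join("..", "unrelated.txt"))
            results["safe_rejected_traversal"] = False
        except ValueError:
            results["safe_rejected_traversal"] = True

        # Safe: an absolute path is refused too.
        try:
            delete_report_safe(reports, os.path.abspath(root))
            results["safe_rejected_absolute"] = False
        except ValueError:
            results["safe_rejected_absolute"] = True

        # Safe: a real report inside the directory is still deleted normally.
        delete_report_safe(reports, "scan1.nbe")
        results["safe_deleted_legit"] = not os.path.exists(legit)
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the check runs on the canonicalised path (after `..` and symlinks are resolved) rather than on the raw string, and that the extension allow-list is applied on top of containment, not instead of it: a filter on *.xml / *.nbe / *.nsr alone still lets a traversal name reach report files anywhere on disk, which is exactly the residual risk the post notes for importReport.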

What I find more interesting than the PoC (since it's easily mitigated and limited in attack scope) is that a VM (vulnerability management) solution is being targeted; being in the VM space myself, this may interest me more than others. In the past couple of years, AV solutions have become a real target, generally the management software and AV proxies. However, you don't usually see vulnerabilities and exploits found in products in the VM space. Could it be that VM solutions are becoming a target as more and more companies employ them? After all, as these solutions are used more frequently, their customers become aware of vulnerabilities in their workstation and server software. This awareness ensures that patches are applied properly and promptly, cutting down on the number of machines that an attacker could target. Does that logic make VM the next popular target for malicious individuals? I guess we'll have to wait and see.

Now with regards to vulnerabilities and disclosure / discovery, there seem to be two schools of thought: i) vulnerabilities are better left undiscovered, and ii) vulnerabilities should be discovered and patched. I subscribe to the second school of thought. Why? If responsible disclosure is used, the vulnerability is reported and patched and the end user is never affected. Knowing that malicious individuals are out there searching for these vulnerabilities means it's only a matter of time before they find one in your product and take advantage of it. After all, vulnerabilities are flaws, flaws are mistakes, and mistakes are human.

I found some interesting things during my research which I have shared with the vendor. I'll post more details in the future once they have had a chance to address my findings internally. While not everyone believes in responsible disclosure anymore, I'm happy to say that I do. That being said, responsible disclosure isn't perfect and it does have its flaws. A major one is that companies can choose to ignore vulnerabilities that are responsibly disclosed. It's times like that when further action needs to be taken, and that's a flaw in responsible disclosure that still has to be worked out. Beyond that, though, there's never really a reason to *NOT* responsibly disclose discoveries to the vendor.

[Update]
I had originally written this Friday morning; however, I didn't get around to posting it. Between my initial write-up and the time of posting, it seems that a second PoC for Nessus has been posted on milw0rm, this time using the ScanCtrl control to execute code on the target PC. Again, because the ScanCtrl control must be installed and you must be using Internet Explorer, the attack scope is limited, but for those of you who are affected, I recommend you check out the mitigation techniques listed above.

[Update 2]
This has been patched in Nessus 3.0.6.1. You can get it from the Nessus download page.


About

This page contains a single entry from the blog posted on July 28, 2007 12:50 PM.