Monthly Binary Analysis Update (November)

By Carsten Eiram

Another month has passed and it's again time for our new initiative with me ranting a bit about the monthly achievements of the Secunia Binary Analysis team.

A Small Recap…
In my previous (and first) blog, I talked a bit about what the Secunia Binary Analysis Service actually is and the purpose of it. Should anyone have missed it and thus feel a bit less informed than the rest, then don't dispair – you can find the previous blog at:

Exciting Vulnerabilities This Month
Last month, we were extremely busy and cranked out 28 analyses, but this month it was fairly quiet on the Binary Analysis front. We issued only 15 analyses in total, which is probably (without checking) the most quiet month we've had ever since the service launch about two years ago.

However, that does not mean that I caught a lucky break and can stop writing after only three paragraphs and go back to finding a new vulnerability; there were still plenty of interesting vulnerabilities to analyse this month and thus blog about.

The analyses issued this month cover vulnerabilities in interesting products like OpenOffice, IBM Tivoli Storage Manager Client, Adobe Acrobat/Reader, Microsoft XML Core Services, Trend Micro ServerProtect, and Symantec Backup Exec for Windows Servers.

This month, I've chosen to highlight the following three:

* Adobe Acrobat/Reader "util.printf()" Buffer Overflow (SA29773 / CVE-2008-2992)
I'm actually cheating a bit when counting this one as a binary analysis done this month; we made it ready back in April when initially discovering the vulnerability and issued it in November when Adobe published their patches.

The vulnerability is very similar to a vulnerability also discovered by Secunia Research in Foxit Reader (SA29941 / CVE-2008-1104), published in May when patches were made quickly available by the vendor.

At that time, we also issued a binary analysis for Foxit Reader. Since the vulnerabilities in the two products are so similar, all Secunia Binary Analysis Service customers, who followed the detection guidelines in the analysis when creating signatures for the Foxit Reader vulnerability back in May, already had a solid signature in place for the Adobe Acrobat/Reader vulnerability as well. They could therefore sit back and relax while everyone else were scrambling to create signatures in November to detect the public exploits and malware targeting the Adobe Acrobat/Reader vulnerability.

Since this vulnerability is being actively exploited, it is naturally a must-have signature.

* Trend Micro ServerProtect Configuration Request Buffer Overflows (SA32618 / CVE-2008-0014)
These vulnerabilities were not that interesting from a technical point of view, but more due to the conflicting information made available by the reporter (IBM ISS X-Force) and the vendor (Trend Micro). IBM ISS X-Force claimed that the vulnerabilities were not fixed, but did not provide any details to back this up, while Trend Micro stated that they were fixed in a "satisfactory manner" (naturally, with the term "satisfactory" being very open to interpretation).

I already commented on this disagreement in a previous blog:

Even though we consider IBM ISS X-Force as a "trusted source" (i.e. a party considered as providing reliable vulnerability reports), we naturally still have to get to the bottom of issues like these when we have conflicting information. The Secunia BA (Binary Analysis) team was therefore tasked with figuring out what code changes the issued patches implemented as well as if these changes were actually done in a "satisfactory" (by our terms) manner.

We were quickly able to determine the changes implemented by the patches, locate the vulnerabilities, and bypass the protection added by the patches. After having verified the claims by IBM ISS X-Force and been in dialogue with them, both an advisory and binary analysis were issued. The vulnerabilities are still not fixed, but Trend Micro has indicated that they will take an extra look at this after having been in further dialogue with both IBM ISS X-Force and Secunia Research.

* Symantec Backup Exec for Windows Servers Authentication Bypass (SA32810)
The authentication bypass vulnerability reported in Symantec Backup Exec for Windows Servers was probably the most interesting vulnerability this month from a technical point of view. Most of the analysed vulnerabilities are fairly straight-forward to handle, but design problems like this vulnerability are sometimes a bit more challenging. However, eventually all the pieces to the puzzle fell into place nicely.

Basically, this design problem allows anonymous users to create a session, which incorrectly will be considered a properly authenticated session. This allows anyone to either run various administrative commands or exploit both patched and currently unpatched buffer overflows in the implementations of these commands.

That sums up this month's adventures of the Secunia BA team. I encourage security vendors and others, who don't already have signatures in place for these vulnerabilities, to implement these quickly. Naturally, there are many other relevant vulnerabilities for which signatures should also be developed – a complete list of this month's binary analyses is available at:

Before signing off I should treat you all to an early Xmas present. A binary analysis for "Foxit Reader "util.printf() Buffer Overflow" (SA29941 / CVE-2008-1104) has therefore been posted to our sample page for your viewing pleasure:

Stay secure,

Carsten Eiram
Chief Security Specialist