February 2006

Reports say OS X 10.4.5 cracked for non-Apple Intel PCs

According to a new RealTechNews article:

“… today a hacker named Maxxuss released a patch which updates MacOS to 10.4.5 and enables it to run on non-Apple Intel-based PCs.”

This hasn’t been covered in the news at all, in fact.

The article links to the Maxxuss Release Announcements page, which shows ‘Last Updated: 23-Feb-2006‘.

The weblog of Maxxuss, announcing ‘non-official information on Mac OS X for the x86 platform’, is located at maxxuss.theblog.cc.

This comes only a week after the news about the Don’t-Steal-Mac-OS-X poem embedded in OS X.

Bypassing SSL in Phishing

here is a bit of “new stuff” (now old) that now becomes partially public from our friends at f-secure, and is very disturbing.

rootkits, ssl and phishing:

haxdoor is one of the most advanced rootkit malware out there. it is a kernel-mode rootkit, but most of its hooks are in user-mode. it actually injects its hooks into user mode from the kernel — which is really unique and kind of bizarre.

so, why doesn’t haxdoor just hook system calls in the kernel? a recent secure science paper has a good explanation for this. haxdoor is used for phishing and pharming attacks against online banks. pharming, according to anti-phishing working group (apwg), is an attack that misdirects users to fraudulent sites or proxy servers, typically through dns hijacking or poisoning.

we took a careful look at backdoor.win32.haxdoor.gh (detection added 31 jan, 2006). it hooks http functionality, redirects traffic, steals private information, and transmits the stolen data to a web-server controlled by the attacker. most (all?) online banks use ssl encrypted connections to protect transmissions. if haxdoor hooked networking functionality in the kernel, it would have a hard time phishing since the data would be encrypted. by hooking at a high-enough api level it is able to grab the data before it gets encrypted. apparently haxdoor is designed to steal data especially from ie users, and not all tricks it plays work against, for example, firefox.
http://www.f-secure.com/weblog/archives/archive-022006.html#00000821

financial organizations that rely on encryption for security of web transactions can contact me for details on who to actually contact on answers if they haven’t been contacted by now, as this is the least of their worries.

gadi evron,
ge@beyondsecurity.com.

[corrected the title from: bypassing ssh in phishing]
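The defender's counterpart to the F-Secure observation above is to look for exactly those user-mode hooks: a patch on an HTTP-level export is visible as a mismatch between the function's first bytes in the module file on disk and the same bytes inside the browser process. The following is an added example, not code from F-Secure, Gadi Evron or this site. It assumes the two byte strings have already been harvested (on a live Windows host they would come from the PE export table and a read of process memory; that harvesting is not part of the block) and operates on constructed sample bytes; the export name, addresses and module range are hypothetical and the page does not say which exports haxdoor hooks.

```python
import struct

# Constructed sample data (not taken from any real binary): the first 16 bytes of a
# hypothetical HTTP-level export as stored in the module file, a hypothetical load
# address for that export, the module's address range and an injected code page.
EXPORT_NAME = "HttpSendRequestA"          # illustrative choice of export to inspect
EXPORT_ADDR = 0x77130000                  # hypothetical address of the export
MODULE_RANGE = (0x77100000, 0x77200000)   # hypothetical module bounds [start, end)
TRAMPOLINE = 0x00401000                   # hypothetical injected code outside the module

# mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10; push ebx; push esi; push edi;
# mov edi,[ebp+8]; xor ebx,ebx  (a typical Win32 prologue, constructed for the sample)
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec83ec105356578b7d0833db")


def simulate_inline_patch(prologue, addr, target):
    """Builds the constructed 'after' image for the test: the first five bytes of the
    prologue replaced by a jmp rel32 to `target`. Only touches the byte string."""
    rel = target - (addr + 5)                      # rel32 is relative to the next instruction
    return b"\xE9" + struct.pack("<i", rel) + prologue[5:]


HOOKED_PROLOGUE = simulate_inline_patch(CLEAN_PROLOGUE, EXPORT_ADDR, TRAMPOLINE)


def classify_patch(addr, mem):
    """Recognise the common inline-hook trampolines found at a patched function entry
    and decode where control is diverted to. Returns (kind, target) with target=None
    when the bytes differ but no known trampoline shape is present."""
    if len(mem) >= 5 and mem[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        return "jmp rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(mem) >= 6 and mem[0:2] == b"\xFF\x25":              # jmp dword ptr [abs32]
        return "jmp [mem32]", struct.unpack_from("<I", mem, 2)[0]
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:    # push imm32; ret
        return "push/ret", struct.unpack_from("<I", mem, 1)[0]
    if len(mem) >= 7 and mem[0] == 0xB8 and mem[5:7] == b"\xFF\xE0":  # mov eax,imm32; jmp eax
        return "mov eax/jmp eax", struct.unpack_from("<I", mem, 1)[0]
    return "unknown patch", None


def check_export(name, addr, disk_bytes, mem_bytes, module_range):
    """Compare the on-disk and in-memory entry bytes of one export. Returns None when
    they match, otherwise a finding describing the patch. A target outside the owning
    module is the strongest signal; a mismatch alone can also come from legitimate
    hot-patching or relocation fixups, so the finding carries that distinction."""
    if disk_bytes == mem_bytes:
        return None
    kind, target = classify_patch(addr, mem_bytes)
    outside = target is not None and not (module_range[0] <= target < module_range[1])
    return {"export": name, "kind": kind, "target": target, "outside_module": outside}


def scan_exports(entries, module_range):
    """entries: iterable of (name, addr, disk_bytes, mem_bytes). Returns the findings."""
    findings = []
    for name, addr, disk_bytes, mem_bytes in entries:
        finding = check_export(name, addr, disk_bytes, mem_bytes, module_range)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    sample = [
        (EXPORT_NAME, EXPORT_ADDR, CLEAN_PROLOGUE, CLEAN_PROLOGUE),   # untouched export
        (EXPORT_NAME, EXPORT_ADDR, CLEAN_PROLOGUE, HOOKED_PROLOGUE),  # patched export
    ]
    for f in scan_exports(sample, MODULE_RANGE):
        print(f"{f['export']}: {f['kind']} -> {f['target']:#010x} "
              f"(outside module: {f['outside_module']})")
```

The comparison is deliberately done on the first bytes only: the common hooking technique overwrites the function entry, so that is where the on-disk image and the process image diverge, and a jump target that lands outside the module's own range is what separates an injected hook from a vendor's own hot-patch stub.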

Several bugs fixed in Bugzilla

Several security advisories have been released about three fixed security issues in the Bugzilla bug-tracking system. Even systems developed for tracking software bugs have bugs of their own. 😉

More details about these issues are available in Secunia’s new SA18979 advisory (all issues described), BID16738 (the Whinedays parameter issue) and BID16745 (the user credential redirect issue). There is no separate Bugtraq ID for the RSS reader title encoding issue (this is more an XSS issue in RSS readers than a bug in Bugzilla itself). A more detailed description of the SQL injection type ‘Whinedays’ issue is in the Bugzilla Bug #312498 entry. Secunia’s severity level is Moderately Critical, 3/5. It seems that this vulnerability report is the first rated Moderately Critical since December 2003 (Secunia’s Product database has more details if you are interested). FrSIRT rated these issues as Moderate Risk.

From the SA18979 advisory:

#1: Input passed to the “whinedays” parameter in “editparams.cgi” isn’t properly sanitised before being used in a SQL query.

What are the risks of this vulnerability?
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

#2: The problem is that some RSS readers decode encoded HTML in feed titles.

What are the risks of this vulnerability?
This can be exploited to inject arbitrary HTML and script code, which will be executed in a user’s RSS reader session in the context of an affected site when the malicious user data is viewed.

#3: The problem is that users may send login requests to an incorrect web site when the URL contains a double slash in the path name.

And what are the risks?
Successful exploitation requires that the login page is a subdirectory of the web root and that the subdirectory is a resolvable address on the user’s network.

The original Bugzilla Security Advisory is located at www.bugzilla.org/security/2.18.4. Because of the range of these issues, all Bugzilla installations are reportedly advised to upgrade to the latest stable version, 2.20.1. The Bugzilla advisory lists the old Bugzilla 2.16.x versions as immune, however.
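The three advisory items above each boil down to one input-handling rule, and the following added example shows them side by side: the unsafe and the hardened way of handling the whinedays value (#1), stripping markup from feed titles so an entity-decoding reader has nothing to render (#2), and what a browser does with a form action that starts with a double slash (#3). This is illustration code written for this page in Python, not Bugzilla's own Perl; the exact Bugzilla code paths are not on the page, so the mechanism for #3 (the login form posting back to the path the request arrived on) is an assumption consistent with the advisory text, and the params table, host names and paths are constructed.

```python
import re
import sqlite3
from urllib.parse import urljoin

# --- #1: the "whinedays" parameter --------------------------------------------
# whinedays is a day count, so anything but a small non-negative integer is either
# a bug or an attack. Validate first, then bind the value as a query parameter.

WHINEDAYS_RE = re.compile(r"[0-9]{1,5}")


def unsafe_whinedays_sql(raw):
    """The defect class the advisory describes: the raw request value becomes part
    of the statement text, so the value can rewrite the query. Shown for contrast
    only; it is never executed in this example."""
    return f"UPDATE params SET value = {raw} WHERE name = 'whinedays'"


def validate_whinedays(raw):
    """Accept only a short non-negative integer string; reject everything else."""
    if raw is None or not WHINEDAYS_RE.fullmatch(raw):
        raise ValueError(f"whinedays must be a non-negative integer, got {raw!r}")
    return int(raw)


def make_params_db():
    """Constructed stand-in for the parameter storage (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE params (name TEXT PRIMARY KEY, value INTEGER)")
    conn.execute("INSERT INTO params VALUES ('whinedays', 7)")
    return conn


def set_whinedays(conn, raw):
    """Hardened form: validated value bound with a placeholder, never interpolated."""
    days = validate_whinedays(raw)
    conn.execute("UPDATE params SET value = ? WHERE name = 'whinedays'", (days,))
    return conn.execute("SELECT value FROM params WHERE name = 'whinedays'").fetchone()[0]


# --- #2: feed titles ------------------------------------------------------------
# Entity-encoding a title is not enough for a reader that decodes entities and then
# renders the result as HTML, so remove the markup characters from the text itself.

def feed_title_text(title):
    return re.sub(r"[<>]", "", title)


# --- #3: double slash in the request path --------------------------------------

def login_form_action(request_path, collapse_slashes):
    """Models the assumed defect: the login form posts back to the path the request
    arrived on. A leading '//' survives into the action attribute unless repeated
    slashes are collapsed first (collapse_slashes=True is the hardened variant)."""
    return re.sub(r"/{2,}", "/", request_path) if collapse_slashes else request_path


def resolve_login_target(page_url, form_action):
    """Where a browser actually sends the credentials. An action of '//host/...' is
    a scheme-relative URL, so the first path segment becomes the target host."""
    return urljoin(page_url, form_action)


if __name__ == "__main__":
    db = make_params_db()
    print("hardened #1:", set_whinedays(db, "14"))
    print("unsafe #1 statement text:", unsafe_whinedays_sql("7 OR 1=1"))
    try:
        validate_whinedays("7 OR 1=1")
    except ValueError as err:
        print("hardened #1 rejects it:", err)
    print("#2:", feed_title_text("Bug 1: <b>title</b>"))
    page = "https://bugs.example.com//bugzilla/index.cgi"     # constructed URL
    for collapse in (False, True):
        action = login_form_action("//bugzilla/index.cgi", collapse)
        print(f"#3 collapse={collapse}: action {action!r} -> {resolve_login_target(page, action)}")
```

The #3 half is the one worth running: with the raw path, the credentials are resolved to `https://bugzilla/index.cgi`, a host that only needs to exist on the victim's network for the POST to land there, which is exactly the precondition the advisory states; collapsing the slashes keeps the form on the page's own host.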

This is interesting:
Regarding the RSS reader encoding issue, Bugzilla “prefers to shift to Atom feeds, where the RFC is unambiguous about HTML markup in feed titles”.

The reporters of these vulnerabilities come from several countries, reflecting the worldwide Bugzilla community; Teemu Mannermaa, for example, is from Finland. Mr. Mannermaa has discovered other Bugzilla issues before, e.g. those fixed in version 2.16.11. Additionally, Myk Melez was also listed in SA17030, published in October.
Mozilla’s own Bugzilla runs the recent version 2.20. The Linux kernel project uses version 2.16.10, in turn. Red Hat Bugzilla is another popular Bugzilla site; according to their Web site, version 2.18-rh is in use.

The Bugzilla team didn’t only fix security issues; the detailed Release Notes pages are located here.