[ISN] Hacker tips CERT's hand on Linux/PDF flaw

From: InfoSec News (isnat_private)
Date: Tue Jun 17 2003 - 00:13:56 PDT


    Forwarded from: William Knowles <wkat_private>
    
    http://www.infoworld.com/article/03/06/16/HNhackertip_1.html
    
    By Paul Roberts
    IDG News Service
    June 16, 2003    
     
    Confidential vulnerability information managed by the CERT
    Coordination Center has again been leaked to the public, following a
    flurry of such leaks in March.
    
    The latest information concerns a flaw in PDF (Portable Document 
    Format) readers for Unix and could allow a remote attacker to trick 
    users into executing malicious code on their machines, according to a 
    copy of the leaked vulnerability report. 
    
    As with confidential CERT information that was leaked in March, the 
    latest report was posted to a vulnerability discussion list by an 
    individual using the name "hack4life." 
    
    The leaked information was taken from communication sent from CERT to 
    software vendors affected by the PDF problem, according to Jeffrey 
    Carpenter, manager of the CERT Coordination Center. The information 
    appears to be from a vulnerability report submitted to CERT by a 
    Cincinnati security researcher by the name of Martyn Gilmore. 
    
    Gilmore did not respond to requests for comment and CERT would not 
    comment on how it obtained the PDF vulnerability information or on 
    Gilmore's relationship with the Pittsburgh-based software 
    vulnerability monitoring organization. 
    
    In the report, Gilmore describes a problem in the way that PDF viewing 
    programs for the Unix platform process hyperlinks within otherwise valid 
    PDF documents. To follow a hyperlink, common PDF readers build a command 
    line containing the link target and hand it to the Unix shell (sh -c) to 
    launch an external program; clicking on a hyperlink to a Web page, for 
    example, would launch the associated Web browser, according to the report. 
    
    However, Gilmore found that these programs do not check or escape the 
    link target before embedding it in the shell command line, so a link 
    containing shell metacharacters causes arbitrary shell commands to be 
    executed on the vulnerable machine. 
    
    While attackers are limited by the privilege level of the user 
    clicking the malicious link, the vulnerability could enable a remote 
    attacker to use shell commands to delete files from the user's hard 
    drive or perform other actions without the knowledge of the victim, 
    the report said. 
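    The pattern described above, as an added illustration that is not part of 
    the article and is not code from Xpdf or Acrobat Reader: a launcher that 
    splices the hyperlink target into a command string destined for sh -c, 
    beside a hardened launcher that validates the target and execs the browser 
    with an argv array so no shell ever parses it. The template 
    netscape -remote 'openURL(%s)' and the sample link targets are assumptions 
    constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical launcher template. It mirrors the pattern the article
 * describes (link target spliced into a command line handed to "sh -c");
 * the exact template any real reader used is an assumption. */
static const char *BROWSER_TEMPLATE = "netscape -remote 'openURL(%s)'";

/* VULNERABLE: the hyperlink target from the PDF is pasted straight into the
 * command string. A single quote inside the URL closes the quoted argument
 * and everything after it is parsed by the shell as further commands.
 * Returns the command line sh -c would receive, or NULL if it does not fit
 * (a static buffer keeps the demo simple; not thread-safe). */
const char *build_command_vulnerable(const char *url)
{
    static char cmd[1024];
    int n = snprintf(cmd, sizeof cmd, BROWSER_TEMPLATE, url);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return NULL;
    return cmd;
}

/* Allowlist check for a link target: http or https scheme only, printable
 * ASCII only (no control characters, spaces or high bytes), bounded length.
 * It does not try to neutralise shell metacharacters, because the hardened
 * launcher below never invokes a shell. */
int url_is_safe(const char *url)
{
    size_t len = strlen(url);
    if (len == 0 || len > 2048)
        return 0;
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)url; *p; p++) {
        if (*p <= 0x20 || *p >= 0x7f)
            return 0;
    }
    return 1;
}

/* HARDENED: validate, then exec the browser directly with an argv array.
 * The URL travels as a single argument; no shell parses it, so no character
 * in it can terminate the command or start another one. Returns -1 (without
 * spawning anything) if the URL is rejected or fork/exec/wait fails,
 * otherwise the browser's exit status. */
int launch_browser(const char *browser, const char *url)
{
    if (!url_is_safe(url))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)browser, (char *)url, NULL };
        execvp(browser, argv);
        _exit(127); /* exec failed: do not fall back to a shell */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample link targets (not taken from any real PDF). The
     * first breaks out of the quoted openURL(...) argument and appends a
     * ';'-separated command; the second does the same with no spaces, so a
     * naive whitespace filter would miss it. */
    const char *evil_spaced  = "http://example.com/'; touch /tmp/owned; echo '";
    const char *evil_nospace = "http://example.com/';touch${IFS}/tmp/owned;'";

    printf("sh -c would receive: %s\n", build_command_vulnerable(evil_spaced));
    printf("sh -c would receive: %s\n", build_command_vulnerable(evil_nospace));
    printf("url_is_safe(evil_spaced)  = %d\n", url_is_safe(evil_spaced));
    printf("url_is_safe(evil_nospace) = %d\n", url_is_safe(evil_nospace));
    /* evil_nospace passes the allowlist, but launch_browser() hands it to
     * execvp() as one argv element, so the shell injection is gone. */
    return 0;
}
```

    The second sample is the reason the fix is "remove the shell", not "filter 
    the URL": any allowlist wide enough to admit real-world query strings will 
    admit some shell metacharacters, and only an exec with an argv array makes 
    them inert.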
    
    Adobe Systems Inc.'s Acrobat Reader 5.06 is affected by the problem in 
    addition to the open-source reader Xpdf 1.01, according to the report. 
    
    CERT declined to discuss the details of the vulnerability.
    
    The vulnerability information was scheduled to be released by CERT on 
    June 23, according to an e-mail message purporting to be from 
    hack4life that prefaced the leaked report. 
    
    The release date was obtained from CERT communications with its 
    vendors, as well, but CERT declined to comment on whether it would be 
    releasing an advisory regarding the PDF problem on June 23, according 
    to Carpenter. 
    
    Hack4life cited "college and exams" for the lull in leaked CERT 
    information in recent months and hinted at the likelihood of more 
    disclosures in the future. 
    
    "I'll have plenty of time to keep you all up to date with what those 
    fools at CERT are up to once college is finished," hack4life wrote. 
    
    In March, someone using the same name posted information on four 
    vulnerabilities that CERT was investigating to the vulnerability 
    discussion list Full-Disclosure. Those posts included sensitive 
    information on a vulnerability in the Kerberos Version 4 protocol and 
    a problem reported by Microsoft Corp. regarding spammers' abuse of Web 
    redirectors, which forward users of Web portals such as MSN to IP 
    (Internet Protocol) addresses close to their geographic location. 
    
    The PDF information was disclosed to CERT after the vulnerabilities 
    were leaked in March, Carpenter said.
    
    Contacted by e-mail in March, hack4life denied any affiliation with 
    CERT and said that the reports were "stolen in a recent computer 
    intrusion." 
    
    "Fun and amusement" was the primary motivation hack4life gave for 
    stealing and leaking the vulnerability reports. A secondary motivation 
    cited in e-mail by hack4life was anger over CERT's perceived failure to 
    publish vulnerability information in a timely manner. 
    
    At the time, CERT officials cast doubt on hack4life's assertion that 
    the reports were hacked, saying that the information was most likely 
    leaked by a member of one of the development teams CERT works with to 
    evaluate vulnerabilities. 
    
    The latest incident reaffirms CERT's belief that the problem lies with 
    its vendors rather than with its own systems, Carpenter said. While 
    CERT does not yet know which vendor is responsible for the leak, the 
    organization is confident that an insider threat or compromise at one 
    of the companies it deals with is responsible for the leaks, he said. 
    
    CERT is communicating with vendors about the problem, but Carpenter 
    would not comment on whether CERT is working with law enforcement to 
    catch the person responsible for the leaks. 
    
    "I'm not going to get into those specifics at this point," he said.
    
    CERT plans to consult with affected vendors and discuss how to proceed 
    now that the information is public, he said.
     
     
    
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ================================================================
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    *==============================================================*
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Jun 17 2003 - 02:26:26 PDT