Briefs: Vulnerabilities in CPanel, ISS products, Symantec Internet Security

New warnings about Web hosting control panel protection, ISS server-response processing, and Symantec's security software

CPanel Vulnerability Could Allow Command Execution

A vulnerability in all versions of CPanel—5.x through 9.x, including 9.1.0 build 34—could allow an attacker “to execute certain system commands on a vulnerable system,” according to security information provider Secunia, which rated the vulnerability as “highly critical.”

CPanel is part of a widely used Web hosting control panel system. It allows hosted or shared server end users to self-administer their Web presence, including adding or removing e-mail accounts, filtering spam, and administering MySQL databases.

“The problem is that user input passed to the ‘user’ parameter in the ‘resetpass’ section isn't properly verified before being used. This can be exploited to inject various commands by supplying shell meta characters,” notes Secunia.

The solution is to upgrade to CPanel version 9.1.0 build 41. As an interim mitigation, a CPanel user can disable the “allow CPanel users to reset their password via e-mail” feature in WebHostManager.

For more information:
http://www.CPanel.net/
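
The root cause Secunia describes, a ‘user’ value reaching a shell without verification, is closed by allowlisting the value and passing it to the child process as a single argument. The Python below is an added example, not CPanel's code; the account-name pattern, the stand-in helper, and the sample values are assumptions made for illustration.

```python
import re
import subprocess
import sys

# Assumed account-name policy: a lowercase letter, then up to 15 more
# lowercase letters or digits. Anything else never reaches a command.
ACCOUNT_NAME = re.compile(r"[a-z][a-z0-9]{0,15}")

# Hypothetical stand-in for the password-reset mail helper: a child process
# that writes back the one argument it received, so the example runs offline.
HELPER = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]


class InvalidAccountName(ValueError):
    """Raised when the 'user' parameter fails the allowlist."""


def validate_user(raw):
    # fullmatch (not match with '$') also rejects a trailing newline.
    if not isinstance(raw, str) or not ACCOUNT_NAME.fullmatch(raw):
        raise InvalidAccountName("rejected 'user' value: %r" % (raw,))
    return raw


def run_helper(user):
    # List argv with the default shell=False: no shell parses the value, so
    # metacharacters would arrive as literal text in a single argument.
    done = subprocess.run(HELPER + [user], capture_output=True, text=True,
                          check=True, timeout=10)
    return done.stdout


def handle_resetpass(params):
    """Validate first, then hand the value to the helper as data."""
    return run_helper(validate_user(params.get("user", "")))


def audit(samples):
    """Return {sample: 'accepted' | 'rejected'} for constructed inputs."""
    result = {}
    for s in samples:
        try:
            validate_user(s)
            result[s] = "accepted"
        except InvalidAccountName:
            result[s] = "rejected"
    return result


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    for value, verdict in audit(["alice", "alice;id", "$(id)", "alice\n"]).items():
        print("%r -> %s" % (value, verdict))
    print(handle_resetpass({"user": "alice"}))
```

The two controls are independent: validation rejects unexpected characters before any process starts, and the argv list keeps the value as data even if a validation rule is later loosened.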

===

ISS Server Response Processing Vulnerability

eEye Digital Security warns of a new vulnerability affecting multiple Internet Security Systems products. Successful exploitation would compromise a system.

Affected products include ISS Proventia A, G, and M Series operating systems; and such software as BlackICE Server Protection 3.x, RealSecure Desktop Protector 3.x and 7.x, Server Sensor 6.x and 7.x, and BlackICE Agent for Server 3.x.

Secunia rates the vulnerability as “highly critical,” noting it’s a boundary error stemming from a Protocol Analysis Module that monitors ICQ server responses. “This can be exploited to cause a buffer overflow by sending a specially crafted response packet with a source port of 4000/UDP to the broadcast address of a network with vulnerable systems.”

“The vulnerability is caused by insufficient size checks on certain protocol fields in ICQ response data,” notes ISS X-Force. The data, however, doesn’t have to be legitimate. “It would not be necessary for ICQ response data to be part of a legitimate ICQ session to trigger this issue.”

If successful, attackers could execute arbitrary code with system-level privileges.

ISS X-Force advisory:
http://xforce.iss.net/xforce/alerts/id/166

===

Symantec Internet Security 2004 Vulnerable

Symantec Internet Security 2004 and Internet Security 2004 Professional are vulnerable to arbitrary file execution through an ActiveX component.

Secunia rates the vulnerability as “highly critical.” A successful attacker could compromise a system and gain access remotely.

The Internet Security product includes such features as anti-virus, firewall, personal information protection, and anti-spam.

The problem is due to the WrapUM.dll ActiveX component, which launches URLs. According to Mark Litchfield of NGSSoftware, who discovered the problem, “Using the LaunchURL method, an attacker has the ability to force the browser to run arbitrary executables on the target.” In essence, the attacker can trick the target computer into either browsing to a site with malicious code or opening an HTML e-mail containing malicious code.

The attack could even take place through corporate firewalls if the WebDAV redirector file system is installed, says Litchfield. “If the UNC path cannot be reached over TCP port 139 or 445 it will switch to TCP port 80 (http).”

Norton has patched this vulnerability via its “live update” feature.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and its Security Strategies column, as well as a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.