[7135] in SIPB bug reports
exmh bug
daemon@ATHENA.MIT.EDU (Kev)
Tue Jan 19 21:46:58 1999
To: bug-sipb@MIT.EDU
Date: Tue, 19 Jan 1999 21:46:52 EST
From: Kev <klmitch@MIT.EDU>
version 2.0.2 2/24/98
SunOS mary-kay-commandos.mit.edu 5.6 Generic_105181-05 sun4m sparc SUNW,SPARCstation-5
Tk 8.0 Tcl 8.0
`Enable MIME display' is off, but:
(application/pgp)
This is a application/pgp
It might be displayable with metamail. (Invoke menu with right button.)
format = text
x-action = sign
And of course, it's plain text; the message in question follows:
Received: from SOUTH-STATION-ANNEX.MIT.EDU by po9.MIT.EDU (5.61/4.7) id AA18026; Tue, 19 Jan 99 13:28:33 EST
Received: from brimstone.netspace.org by MIT.EDU with SMTP
id AA07273; Tue, 19 Jan 99 13:28:10 EST
Received: from netspace.org ([128.148.157.6]:59154 "EHLO netspace.org" ident: "TIMEDOUT2") by brimstone.netspace.org with ESMTP id <75452-11916>; Tue, 19 Jan 1999 12:43:59 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8d) with
spool id 184033 for BUGTRAQ@NETSPACE.ORG; Tue, 19 Jan 1999 17:34:33
+0000
Approved-By: aleph1@UNDERGROUND.ORG
Received: from underground.org (underground.org [209.179.181.153]) by
netspace.org (8.8.7/8.8.7) with SMTP id LAA14457 for
<bugtraq@netspace.org>; Tue, 19 Jan 1999 11:55:17 -0500
Received: (qmail 3580 invoked by uid 500); 19 Jan 1999 18:07:11 -0000
Received: (qmail 611 invoked by alias); 19 Jan 1999 06:45:36 -0000
Delivered-To: T@underground.org
Received: (qmail 605 invoked from network); 19 Jan 1999 06:45:35 -0000
Received: from phoenix.iss.net (HELO iss.net) (208.21.0.13) by underground.org
with SMTP; 19 Jan 1999 06:45:35 -0000
Received: (qmail 4154 invoked by alias); 18 Jan 1999 18:39:32 -0000
Delivered-To: alert-out-link@iss.net
Received: (qmail 4151 invoked by alias); 18 Jan 1999 18:39:32 -0000
Delivered-To: alert-out@iss.net
Received: (qmail 4146 invoked by uid 15); 18 Jan 1999 18:39:31 -0000
Mime-Version: 1.0
Old-Content-Type: TEXT/PLAIN; charset=US-ASCII
Precedence: bulk
Content-Type: application/pgp; format=text; x-action=sign
Message-Id: <19990119180711.3579.qmail@underground.org>
Date: Tue, 19 Jan 1999 10:07:11 -0800
Reply-To: X-Force <xforce@iss.net>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
Comments: Resent-From: aleph1@underground.org
Comments: Originally-From: X-Force <xforce@iss.net>
From: aleph1@UNDERGROUND.ORG
Subject: ISSalert: ISS Security Advisory: Vulnerability in the BackWeb
Polite Agent Protocol
X-Cc: X-Force <xforce@iss.net>
To: BUGTRAQ@NETSPACE.ORG
-----BEGIN PGP SIGNED MESSAGE-----
ISS Security Advisory
January 18, 1999
Vulnerability in the BackWeb Polite Agent Protocol
Synopsis:
Internet Security Systems (ISS) X-Force discovered a vulnerability in the
BackWeb Technologies (http://www.backweb.com/home.html) BackWeb Polite
Agent Protocol that allows a user on a local network on which BackWeb
clients operate to spoof a BackWeb server. Hardware and software vendors
often include BackWeb software in their distribution to facilitate remote
distribution of software updates.
Affected versions:
ISS X-Force has confirmed that this vulnerability exists on all versions
of the BackWeb client using the Polite Agent Protocol for communication
with BackWeb servers.
Fix Information:
Until a suitable security mechanism is made available by the vendor, ISS
recommends upgrading to BackWeb 5.0, which supports VeriSign digital
certificates for enhanced security.
Description:
The BackWeb Polite Agent Protocol is a UDP-based protocol that BackWeb
clients use to communicate with BackWeb servers. BackWeb's "anti-spoofing
mechanism" for delivery of UDP data to the client and server is the
exchange of a 32-bit integer, randomly generated by the client each time
it requests data from the server. This integer is appended to each packet
of a specific piece of BackWeb data (InfoPak). By examining these packets
in transport, an attacker may send false data to a BackWeb client, acting
as the real BackWeb server.
Exploit Information:
BackWeb uses a sequencing method to maintain packet data integrity. Any
attacker who can examine a local network can determine the 32-bit integer
and sequence numbers. A race condition exists where the attacker may
deliver a false response to the client 'match request,' which is the
first packet delivered by the client to determine whether or not the
server should send data to it. If this spoofed response reaches the
client before the real BackWeb server responds, the attacker may
continuously write realistic-looking BackWeb packets to the network in
response to the client request. These packets may direct the client to
update files on its drive, execute programs, or display messages on the
client screen. While client security settings may not be changed, other
client settings such as displayed data may be changed. Depending on the
client security settings, an attacker may send executable files to be
executed on the client machine. By default, BackWeb's security settings
disable automatic execution of downloaded files. BackWeb strongly
recommends that customers do not enable automatic execution of downloaded
files when using software prior to version 5.0 unless other security
mechanisms are implemented separate from the BackWeb system. Customers
using BackWeb client version 5.0 and above can enable automatic execution
of files that will only automatically execute a file after verifying that
the file is digitally signed and that the signing certificate is
approved.
__________
Copyright (c) 1999 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of X-Force. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.
Disclaimer:
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.
X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html,
as well as on MIT's PGP key server and PGP.com's key server.
X-Force Vulnerability and Threat Database: http://www.iss.net/xforce
Please send suggestions, updates, and comments to: X-Force
<xforce@iss.net> of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv
iQCVAwUBNqNr6TRfJiV99eG9AQEqqwP8DzeL1po1edkVYlAtbLEoGLGxqdHjJIam
LmbIL2Be0b2D09ovZXPc+r5muvs184kYAUbu1eDPS25W8ti9XFYW2VJIYEWHl6eB
qzCi/ZDr76szOQealai8q/RqtN6q9qVypVhAOgDsh/C/SUi2mEs1Z6gbXnsV73VT
DcF9EZ9C+Qo=
=cC4a
-----END PGP SIGNATURE-----
--
Kevin L. Mitchell <klmitch@mit.edu>
------------------------- -. .---- --.. ..- -..- --------------------------
http://web.mit.edu/klmitch/www/ (PGP keys availiable from here)
RSA AE87D37D/1024: DE EA 1E 99 3F 2B F9 23 A0 D8 05 E0 6F BA B9 D2
DSS ED0DB34E/1024: D9BF 0E74 FDCB 43F5 C597 878F 9455 EC24 ED0D B34E
DH 2A2C31D4/2048: 1A77 4BA5 9E32 14AE 87DA 9FEC 7106 FC62 2A2C 31D4
