“A format for honest dialogue between political leaders and security experts is long overdue but I’m glad to be invited to participate in Spain’s initiative to break the silence.” Nuwere said. “Combating terrorism in the digital age requires a different thought process- one that political outsiders can best contribute to.”

The conference is organized on the one year anniversary of the terrorist attacks in Madrid which killed 190 people and injured more then 2,200. The Summit will bring together the world’s leading experts and most influential policymakers to develop “The Madrid Agenda” a set of guidelines and principles to help political leaders confront terrorism. The conference includes leaders from more then 52 countries.

What: International Summit on Democracy, Terrorism and Security
When: March 10th, Terrorism, Democracy and the Open Internet
Where: Madrid SPAIN - Palacio Municipal de Congresos, Avenida Capital de Españs/n, 28042

Boston, MA–November 10, 2004: SecurityLab Technologies Inc, provider of enterprise security training products and consulting services, today announced that CTO, Ejovi Nuwere, will present the findings from his audit of Japan.s National ID system Juki-Net at the PacSec Security Conference in Tokyo, Japan. During Nuwere.s audit, from September to November 2003, his identity was kept secret from the media during a heated political battle in Japan. For the first time, Nuwere is revealing his identity as the only foreign member of the original three-man audit team and will present his findings and personal opinion of the state of Japan.s computerized National ID system.

“The greatest concern was if the Juki network could be successfully hacked, therefore, compromising the identity of residents. Our comprehensive test proved that the system could be compromised but the media did not cover how” said Ejovi Nuwere, SecurityLab’s founder and CTO. “The fact that a nefarious person could walk out of a government office with the personal identity of anyone within the prefecture was obscured by the highly politicized test environment. In simple terms, I will present the findings and threats to citizens in Japan”

The audit was conducted to access the vulnerability of the National ID system to outside hackers and potentially corrupt employees. During testing Nuwere was able to successfully compromised servers that maintain National ID information. The audit team.s detailed report raised concerns about Juki-Net implementation and setup, showing the network could be easily compromised at multiple points. Though the findings were relevant to prefectures across the country, it was mostly ignored. Since the test, at least three prefectures have suffered security compromises and numerous privacy related lawsuits.

“Nuwere’s efforts are indicative of a new and important trend in awareness of security for the design of the information system of Japan, that will hopefully lead to better and more reliable systems”, said Dragos Ruiu, CEO of PacSec Japan. With first hand knowledge of the need for security awareness SecurityLab Technologies Inc. provides security training products and consulting services, as well as on-line courses making it convenient for customers to reach and gain knowledge of computer security from comfort of there home or office. Unconventional on-line security courses provide a variety of programs from security basics to more advanced penetration and audit techniques.

Advisory Name: NetBSD / OpenBSD kernfs_xread patch evasion
Release Date: February 02, 2006
Application: kernfs
Platform: NetBSD / OpenBSD
Severity: Severe
Author: SLAB Research
Vendor Status: Patched
Reference: http://www.securitylab.net/research/

Overview:

Due to a flaw in the original patch implemented by the NetBSD team in
release 2.0.3 the kernfs_xread function was still vulnerable to
exploitation. The original patch failed to manage the truncation of
64bit integers. Prior to the 2.0.3 patch kernfs_read neglected to test
for a negative file offset value. The 2.0.3 patch enforced the testing
of negative offsets but failed to test for negative 32bit values. Since
the kernfs_xread function truncates the 64bit offset to a 32bit value it
was possible to have a negative 32bit offset bypass the security
employed. This negative offset flaw made continued disclosure of kernel
memory possibly.

OpenBSD’s 3.8 kernel release contained the same vulnerability and the
same type of patch as NetBSD 2.0.3. It checked for the negative value in
a 64bit read offset. However, kernfs is no longer included in the
current OpenBSD generic kernel.

Vendor response:

OpenBSD:
OpenBSD believes this issue is not a vulnerability, because kernfs was
not linked into the GENERIC kernel by default. The OpenBSD team has
chosen to remove the kernfs tree from the current kernel code, rather
than implementing a patch.

NetBSD:
In response to this advisory the NetBSD team patched kernfs_vnops.c
version 1.114. The fix is available in the current source tree. NetBSD
3.0 recently released is not affected by this flaw. The NetBSD team has
issued an advisory:

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2006-001.txt.asc

Site of the day:
FON http://www.fon.com
A wireless movement

Copyright 2006 SecurityLab Technologies, Inc. You may distribute freely
without modification.

Security Advisory
Advisory Name: Buffer Overflow in MultiTech VoIP Implementations
Release Date: December 05, 2005
Application: MultiVoIP Gateway
Platform: Multiple
Severity: Moderate
Author: Ejovi Nuwere
Vendor Status: Patched in Version x.08
Reference: http://www.securitylab.net/research/

Overview:
The MultiVOIP voice over IP gateway provides toll-free voice and fax communications over the Internet or Intranet. Occasionally MultiTech develops and licenses their VoIP Gateways and VoIP related stacks for inclusion in third party platforms. Therefore, this bug may affect products outside of the MultiTech line.

SecurityLab technologies has discovered a remote buffer overflow in MultiTech’s MultiVOIP product line that may lead to remote code
execution.

Details:
The buffer overflow occurs in the SIP packet INVITE field with a string greater than 60 characters. Testing was performed on an embedded device with limited debug environment. Source code was not avaible for further analysys.

Vendor Response:
Patched. Version x.08

Recommendation:
Contact vendor for current release.

Site of the day:
InfoSecDaily http://www.infosecdaily.net
security news for security professionals

Copyright 2005 SecurityLab Technologies, Inc. You may distribute freely without modification.

Presentation file (PDF) from our presentation at Blackhat.

BlackHat Briefings USA 2005 - The Art of SIP Fuzzing and vulnerabilities found in VoIP.

Example test cases for applying different types of anomalies to SIP
messages. Use at your own risk. In many ways these messages are
similar to those presented in SIP torture tests draft. These test
cases are released to be public domain.

For the test cases to be usable beyond example, it is expected that
the e.g. request line, From, To, Via, Contacr and optionally SDP
portion are modified according to your setup.

Test cases are as follows:
—————————————————————————-
0000.txt - SIP specific token anomaly ‘;’ applied to SIP request line
0001.txt - SIP header parameter underflow in Contact header
0002.txt - Integer anomaly in CSeq header
0003.txt - Integer anomaly in CSeq header
0004.txt - Integer anomaly in CSeq header
0005.txt - ASCII overflow in CSeq header
0006.txt - C-Style formar string in CSeq header
0007.txt - Control characterls (bell / 0×07) in CSeq header
0008.txt - ANSI Control characters in CSeq header
0009.txt - UTF8 overflow in CSeq header
0010.txt - Basic value repetition in CSeq header
0011.txt - Basic CSeq Header repetition in OPTIONS message
0012.txt - C-Formats string in Date header with SIP line continuation
0013.txt - Unexpected scheme in SIP URI in Route header
0014.txt - Underflow of SIP message
0015.txt - Unexpected requets method in what looks like an INVITE message
0016.txt - Unexpected short header (m:)
0017.txt - Repetition of ‘@’ inside a SIP URI in Contact header
0018.txt - ANSI Control characters inside SIP URI in Contact header
0019.txt - Invalid port value in hostport component of Contact Headers SIP URI
0020.txt - Repetition of ‘>’ after a SIP URI
0021.txt - Repetition of values in Require header
0022.txt - URI escape in user component of SIP request line
0023.txt - Overflow inside BASE64 encoding in Authorization header

—————————————————————————–

Overview:

Ethereal is a popular open source network sniffer. It has the ability to inspect and dissect more then 600 protocols. Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It runs on all popular computing platforms, including Unix, Linux, and Windows.

SecurityLab Technologies has discovered a exploitable overflow in Ethereal’s SIP dissector resulting from the strcpy() of a overly long string into a fixed buffer.

To exploit this vulnerability an attacker does not need to know the location of the sniffing Ethereal. As long as the hostile packet is directed at the network being observed by the victim.

Successful exploitation of this vulnerability will lead to execution of arbitrary commands on a system running the sniffer with the privileges of the user running Ethereal.

Details:

The overflow occurs while parsing the value of cseq_method, the guilty code can be found in Packet-sip.c

/* Extract method name from value */
for (value_offset = 0; value_offset < (gint)strlen(value); value_offset++)
{
if (isalpha((guchar)value[value_offset]))
{
strcpy(cseq_method,value+value_offset);
break;
}

value is controlled by the attacker and cseq_method is a fixed
buffer:
char cseq_method[16] = “”;

Vendor Status:

The Ethereal development team has released a patched version of Ethereal (0.10.11) which can be downloaded from: http://ethereal.com/download.html

Special thanks:
Tim Newsham for:
1) Being one of the smartest people we know.
2) His assistance in debugging this vulnerability.

Disclamer:

The contents of this advisory are copyright (c) 2005 SecurityLab Technologies and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

About SecurityLab
SecurityLab Technologies Inc. provides security services for government agencies and corporations requiring expert assistance with technology threat management. The company is headquartered in Boston, MA, more information about SecurityLab is available at, www.securitylab.net