For all of you smug Linux users out there who think that you need not worry
about the sorts of security issues that plague users of certain proprietary
operating systems: this eWeek
column seeks to bring you back to reality:
Of course, worms such as these don't exist for platforms other than
Windows, but why couldn't they? The executable attachments are
platform-specific and their authors don't write them for less
popular platforms because their comparative rarity makes it less
likely that a recipient will be able to become infected.
Talk about "security through obscurity"! The only thing keeping
these scourges off of Linux and the Mac OS is that it's not worth
the work to get such business. The exact same thing is true of
spyware and adware. Of course you could write such things for the
Mac and Linux and they would work.
So, it seems, the only reason that Linux does not suffer a constant series
of worms, and that Linux users are not continually trying to fight off
spyware and related nastiness, is that we are such a backwater that nobody
even feels a wish to attack us. We're not actually more secure; we're just
too boring to bother messing with.
We don't buy it. The "not popular enough" argument may help make victims
feel better and make them feel that they need not worry about perhaps
changing operating systems, but it does not stand up to scrutiny.
Attackers have numerous reasons for doing the things they do. One of them
is simply attracting attention and becoming in some way famous, even if
that fame, such as it is, only attaches to a pseudonym somewhere. If you
are trying to show your 31337 credentials by compromising Windows systems,
you'll find that the barriers to entry are fairly high: there are, shall we
say, a lot of people playing in that space. Certainly, one would think, at
least one malware author would be attracted by the relatively green,
uncrowded pastures of the Linux world? If nothing else, it would make a
nice break while somebody else's worm is ravishing corporate networks
worldwide.
Along these lines, it's worth noting that the white-hat security
researchers certainly do not find free software to be too obscure to merit
their attention. One need not read Bugtraq for long to see that there is a
steady stream of issues with free software being reported there.
Another reason to attack systems is monetary gain. Access to zombie
networks can now be bought and sold, as can information stolen by spyware
or advertisements delivered by adware. There are millions of Linux systems
attached to the net; many of them are in prominent locations with access to
high-bandwidth network connections. They would make delightful spam relays
or denial-of-service attackers. If an attacker could compromise 1000 of
those millions of systems, he or she would have a nice little corral full
of zombies which, one thinks, would be worth the trouble.
Spammers seem to think that getting around SpamAssassin's tests is worth
the extra effort. Certainly, one might think, being able to dump ads into
Linux browsers, or direct them to unwanted pages, would merit a few minutes
of somebody's time. The ultimate payoff might be smaller, but an
attacker could have the entire field to himself.
There are, in other words, incentives to compromise Linux systems on a wide
scale. Compromises do happen, but the sort of widespread trouble
experienced by others has, so far, been absent from the Linux world. The
idea that nobody with the requisite skills has even tried to create such an
incident is hard to believe. One can only assume that such attempts have
been made, but that they have not succeeded.
Linux systems are not immune from the ills of modern computing. There will
almost certainly be some unpleasant episodes in the future. Recent reports
have made it clear that Linux-based browsers are not free of exploitable
bugs. As the free mail clients become increasingly complex and powerful,
somebody will certainly find a way to compromise them. Last week's Red Hat security update phishing
attempt was clumsy in the extreme - social engineering attacks that
assume a victim simultaneously smart enough to untar and build an attack
program and dumb enough to actually do it are unlikely to go far. As long as our
mail clients do not allow programs in incoming mail to be run, these
attacks will be relatively hard - but somebody, somewhere will probably
figure out how to do it.
Third-party applications could turn out to be an area worthy of special
concern in the future. More home users could lead to more people who will,
without question, install that "cool music download utility" found, without
source, on some obscure web site. Eventually those users will learn the
error of their ways - through hard experience. In the mean time, this risk
can be mitigated by insisting on free applications, and by having the bulk
of interesting applications be available directly from the network of
distribution mirrors. There have been several attempts to put trojan
horses into programs downloaded by free software users, but these attempts
have always been detected quickly, and they have affected very few people.
Our security is insufficient, and, eventually, somebody is going to
demonstrate that to the world. There will, beyond doubt, be lots of snide
columns posted when that happens. We must continue to work to prevent this
occurrence, and to minimize the damage when it happens. In the mean time,
however, we need not accept claims that only obscurity keeps attackers away
from Linux.
According to an Apache
announcement, a vulnerability exists in the Apache HTTP server, version
1.3. The problem is a potential buffer overflow in the "get_tag" function
of Apache's SSI module "mod_include". It allows local users who can create
SSI documents to execute arbitrary code as the Apache run-time user via SSI
documents that trigger a content length calculation error.
Archive::Zip can be used by email scanning software (like amavisd-new) to
uncompress attachments before virus scanning. By modifying the
uncompressed size of archived files in the global header of the ZIP file,
it is possible to fool Archive::Zip into thinking some files inside the
archive have zero length.
An attacker could send a carefully crafted ZIP archive containing a virus
file and evade detection on some email virus-scanning software relying on
Archive::Zip for decompression.
The xlsview utility in catdoc has a vulnerability that
may allow local users to
overwrite arbitrary files using a
symlink attack on predictable temporary file names.
Florian Schilhabel from the Gentoo Linux Security Audit Team found a
format string vulnerability in the cherokee_logger_ncsa_write_string()
function. Using a specially crafted URL when authenticating via auth_pam,
a malicious user may be able to crash the server or execute arbitrary code
on the target machine with permissions of the user running Cherokee.
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program.
Faheem Mitha noticed that the iptables command, an administration tool for
IPv4 packet filtering and NAT, did not always load the required modules on
its own as it was supposed to. This could lead to firewall rules not being
loaded on system startup. This caused a failure in connection with rules
provided by lokkit at least.
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function.
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
Trustix Secure Linux discovered a vulnerability in a supplemental script of
the lvm10 package. The program "lvmcreate_initrd" created a temporary
directory in an insecure way, which could allow a symlink attack to create
or overwrite arbitrary files with the privileges of the user invoking the
program.
According to this RoaringPenguin advisory,
there's a bug in MIME-tools: It mis-parses things like boundary="" and
apparently there's a virus that uses an empty boundary.
Trustix Secure Linux has discovered some vulnerabilities in the perl
package. The utility "instmodsh", the Perl package "PPPort.pm", and several
test scripts (which are not shipped and only used during build) created
temporary files in an insecure way, which could allow a symlink attack to
create or overwrite arbitrary files with the privileges of the user
invoking the program, or building the perl package, respectively.
Improper verification of header fields lets an attacker make the pppd
server access memory it isn't allowed to, and crash the server. There is
no possibility of code execution, as there is no data being copied, just a
pointer dereferenced. It is not even entirely clear that this vulnerability can be exploited to deny service to anybody other than the attacker.
Versions of proxytunnel prior to 1.2.3 contain a format string vulnerability which could be exploited by a hostile remote server to execute arbitrary code.
Speedtouch USB driver: Privilege escalation vulnerability
Package(s):
Speedtouch USB driver
CVE #(s):
Created:
November 2, 2004
Updated:
November 11, 2004
Description:
The Speedtouch USB driver contains multiple format string vulnerabilities
in modem_run, pppoa2 and pppoa3. This flaw is due to an improperly made
syslog() system call. A malicious local user could exploit this
vulnerability by causing a buffer overflow, and potentially allowing the
execution of arbitrary code with escalated privileges.
Aspell's word-list-compress utility fails to properly check bounds
when dealing with words that are more than 256 bytes long.
This can lead to arbitrary code execution by an attacker.
compress and uncompress do not properly check bounds on command line
options, including the filename. Large parameters would trigger a buffer
overflow. By supplying a carefully crafted filename or other option, an
attacker could execute arbitrary code on the system. A local attacker could
only execute code with his own rights, but since compress and uncompress
are called by various daemon programs, this might also allow a remote
attacker to execute code with the rights of the daemon making use of
ncompress.
cyrus-sasl has a vulnerability involving a buffer overflow
in the digestmda5.c file. A remote attacker may be able
to compromise the system. Also, a local user may be able to
exploit a vulnerability by using the SASL_PATH environment
variable.
The ecartis mailing list manager has a vulnerability in which
an attacker in the same domain as the list admin can gain
administrator privileges and alter list settings.
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler.
A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows
remote attackers to cause a denial of service (application crash) and
possibly execute arbitrary code via an "unexpected sequence of MSNSLP
messages" that results in an unbounded copy operation that writes to the
wrong buffer.
The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user.
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation.
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script.
Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
The ImageMagick graphics library has several buffer overflow
vulnerabilities that allow an attacker to crash the reading process
by creating mal-formed video or image files in the AVI, BMP, or DIB format.
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
The send-pr.sh script creates temporary files in world-writeable
directories with predictable names. A local attacker could create symbolic
links in the temporary files directory, pointing to a valid file somewhere
on the filesystem. When send-pr.sh is called, this would result in the file
being overwritten with the rights of the user running the utility, which
could be the root user.
Several vulnerabilities exist in the Mozilla web browser and derived
products, the most serious of which could allow a remote attacker to
execute arbitrary code on an affected system. See the CERT advisory for details.
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
Several problems have been discovered in MySQL. Oleksandr Byelkin noticed
that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table
instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer
overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis
noticed that multiple threads ALTERing the same (or different) MERGE tables
to change the UNION can cause the server to crash or stall. (CAN-2004-0837)
The etc2ps.sh script creates temporary files in world-writeable
directories with predictable names. A local attacker could create symbolic
links in the temporary files directory, pointing to a valid file somewhere
on the filesystem. When etc2ps.sh is executed, this would result in the
file being overwritten with the rights of the user running the utility,
which could be the root user.
Michal Zalewski discovered a bug in the netkit-telnet server (telnetd)
whereby a remote attacker could cause the telnetd process to free an
invalid pointer. This causes the telnet server process to crash, leading
to a straightforward denial of service (inetd will disable the service if
telnetd is crashed repeatedly), or possibly the execution of arbitrary code
with the privileges of the telnetd process (by default, the 'telnetd'
user).
netpbm is graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Stefan Esser has issued an advisory regarding a
remotely exploitable hole in PHP (through version 4.3.7). If the
memory_limit feature is in use (as it should be, to prevent denial
of service attacks), allocation failures can be forced at highly
inopportune times, and those failures can be exploited to execute arbitrary
code. The exploit is described as "quite easy," and it can be done
regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the
problem; yesterday's PHP 5.0 release also contains the fix (but the
final release candidate did not).
The make_oidjoins_check script insecurely creates temporary files in
world-writeable directories with predictable names. A local attacker could
create symbolic links in the temporary files directory, pointing to a valid
file somewhere on the filesystem. When make_oidjoins_check is called, this
would result in file overwrite with the rights of the user running the
utility, which could be the root user.
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system.
The 'rssh' restricted remote shell utility contains a format string vulnerability which can be exploited to execute arbitrary code with the rights of the user. Version 2.2.2 fixes the problem.
This August 2004 rsync
advisory reports that there is a path-sanitizing bug that affects
daemon mode in all recent rsync versions (including 2.6.2) but only if
chroot is disabled. It does NOT affect the normal send/receive filenames
that specify what files should be transferred (this is because these names
happen to get sanitized twice, and thus the second call removes any
lingering leading slash(es) that the first call left behind). It does
affect certain option paths that cause auxilliary files to be read or
written.
sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer
overflow in shar.c, where the length of data returned by the wc command is
not checked. Florian Schilhabel discovered another buffer overflow in
unshar.c. An attacker could exploit these vulnerabilities to execute
arbitrary code as the user running one of the sharutils programs.
socat up to version 1.4.0.2 contains a syslog() based format string
vulnerability. Further investigation showed that this vulnerability could,
under some circumstances, lead to local or remote execution of arbitrary
code with the privileges of the socat process. See this socat
advisory for additional details.
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service.
Subversion has a remote Denial of Service vulnerability
that may allow a server that runs svnserve to execute
arbitrary code. See this advisory for more information.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
The tiff library contains several buffer overflows which may be exploited
by way of maliciously-crafted image files. See this advisory for more information.
WordPress: HTTP response splitting and XSS vulnerabilities
Package(s):
wordpress
CVE #(s):
Created:
October 14, 2004
Updated:
December 20, 2004
Description:
WordPress is vulnerable to HTTP response splitting and cross-site scripting
attacks, due to the lack of input validation in the administration panel
scripts. A malicious user could inject arbitrary response data, leading to
content spoofing, web cache poisoning and other cross-site scripting or
HTTP response splitting attacks. This could result in compromising the
victim's data or browser.
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
Several xpdf integer overflow vulnerabilities can be exploited via a
mal-formed PDF document. Similar vulnerabilities can be found in kpdf and
in cupsys which share code. Additional information can be found in this KDE security advisory.
