IBM has been pushing the use of the "trusted platform module" chip found in
its laptops (and on other systems as well) for some time; see this report from OLS 2005 for a
summary of the benefits they see from trusted computing. Now IBM's
developers have posted a new set
of security modules which make use of the TPM to lock down a system.
The three modules are:
The simple Linux integrity model, or SLIM. This module
associates two attributes with every process and every file: the
integrity level and the privacy level. The integrity levels are
"system," "user," and "untrusted." Any process may read or execute
any file with an equal or higher integrity level (subject to the usual
permissions). Read and execute access to lower-integrity files is
also allowed, but, as a result, the process will, itself, be demoted
to the lower level. Writing files with a higher integrity level is
not allowed. The integrity levels thus implement a form of simple,
automatic sandboxing; if a process touches untrusted resources, it
also loses trust and has a lowered ability to change things elsewhere
on the system. Network sockets, incidentally, are always considered
to have an "untrusted" integrity level.
The privacy level has four levels: public, user, user-sensitive, and
system-sensitive. Processes can read files of equal or lower
sensitivity. If, instead, a process reads a higher-sensitivity file,
its own sensitivity level is raised to match. Writing
lower-sensitivity files is not allowed. This "high watermark"
mechanism is intended to prevent the leakage of secret data to
less-trusted contexts.
The SLIM module, like SELinux, depends on the extended attributes of
a file to make security decisions. But what if something is able to
change those attributes? The extended verification module
(EVM) is an attempt to keep that from happening. EVM creates its own
extended attribute on each file which is an HMAC hash of the file's
contents and attributes. If the file and the HMAC fail to match, EVM
will deny access to the file.
One might argue that EVM's hash is no less susceptible to tampering
than the other attributes on the file. The difference is that EVM
uses the hardware TPM module to sign the HMAC result. The TPM will
only perform this operation if it is satisfied that the proper "secure
boot" rituals have been followed, and that the integrity of the
running system has not been compromised. Since the TPM key is
specific to that particular chip, it is not possible to remove the
drive and forge HMACs on a different system. If the trusted boot
chain, starting with the BIOS, holds, there should be a high level of
assurance that the system's files and their attributes have not been
tampered with.
The third module is the integrity measurement architecture.
LWN readers have seen IMA
before, so that discussion will not be repeated. In short, IMA is
a remote attestation feature which can provide a convincing proof that
a system is running (only) well-known, trusted versions of approved
software.
The IMA module was not well received when it was last posted. The
developers hope that the largest objections have been addressed, and that
the set of TPM-related modules as a whole can be considered, eventually,
for merging. Before reaching that point, however, these modules have
another obstacle to overcome: they rely on the ability to run multiple
Linux security modules in a "stacked" mode. Stacked security modules have
been a contentious issue for
some time, and that capability has never been merged. The developers claim
that the new modules will make the case for stacking, but that
conversation has yet to take place.
SUSE has a reminder that no security updates will be available for SUSE
Linux 9.0 after December 15, 2005. "As a consequence, the SUSE Linux
9.0 distribution directory on our ftp server ftp.suse.com has been moved
from /pub/suse/i386/9.0/ to the /pub/suse/discontinued/ directory tree
structure to free space on our mirror sites. The 9.0 directory in the
update tree /pub/suse/i386/update/9.0 will follow, as soon as all updates
have been published."
Remco Verhoef has discovered a vulnerability in acidlab, Analysis
Console for Intrusion Databases, and in acidbase, Basic Analysis and
Security Engine, which can be exploited by malicious users to conduct
SQL injection attacks.
Version 21.2 of the EMACS editor has a vulnerability in which
text files containing Lisp code can be executed without warning
the user. Attackers can cause users to execute arbitrary code.
The Mozilla browser Macromedia Flash Player plug-in has a
buffer overflow vulnerability. A user who opens a maliciously
created Macromedia Flash file may be tricked into executing
arbitrary code.
A buffer overflow vulnerability has been found in the linux-ftpd-ssl
package. A command that generates an excessively long response from the
server may overrun a stack buffer. An attacker that has permission to create directories that are accessible via the FTP server could exploit this vulnerability. Successful exploitation would execute arbitrary code on the local machine with root privileges.
The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM file
in such a way that it could cause an application linked with gdk-pixbuf to
execute arbitrary code when the file was opened by a victim.
Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM
file in such a way that it could cause an application linked with
gdk-pixbuf to execute arbitrary code or crash when the file was opened by a
victim.
Ludwig Nussel also discovered an infinite-loop denial of service bug in the
way gdk-pixbuf processes XPM images. An attacker could create a carefully
crafted XPM file in such a way that it could cause an application linked
with gdk-pixbuf to stop responding when the file was opened by a victim.
An arbitrary command execute bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx.
Christopher Kunz discovered that local variables get overwritten
unconditionally and are trusted later, which could lead to the inclusion of
arbitrary files. Christopher Kunz also discovered that user-supplied input
is used unsanitized, causing a HTTP Response splitting problem.
Tan Chew Keong reported two vulnerabilities in RAR: a format string error
exists when displaying a diagnostic error message that informs the user of
an invalid filename in an UUE/XXE encoded file and some boundary errors in
the processing of malicious ACE archives can be exploited to cause a buffer
overflow.
Luigi Auriemma discovered multiple flaws in the Scorched 3D game
server, including a format string vulnerability and several buffer
overflows. A remote attacker could exploit these vulnerabilities to crash
a game server or execute arbitrary code with the rights of the game server
user.
The GNU a2ps utility fails to properly sanitize filenames, which can be
abused by a malicious user to execute arbitrary commands with the
privileges of the user running the vulnerable application. More
information at Security
Focus.
The RTF import module of the AbiWord word processor has a
buffer overflow vulnerability. A user can be tricked into
opening a maliciously crafted RTF file, giving the attacker
the ability to execute code with the permissions of the user.
An information disclosure vulnerability was discovered in mod_ssl, the SSL/TLS module of the Apache webserver. When "SSLVerifyClient optional" was configured in the global virtual host configuration, an "SSLVerifyClient require" in per-location context was not enforced.
AWStats has a command injection vulnerability that can
be exploited by specially crafting referrer URLs that
contain Perl code. The code can then be executed with the
privileges of the web server.
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor.
François-René Rideau discovered a bug in common-lisp-controller, a
Common Lisp source and compiler manager, that allows a local user to
compile malicious code into a cache directory which is executed by
another user if that user has not used Common Lisp before.
There is a vulnerability in
cpio (2.6 and previous) that allows a malicious cpio file to
extract to an arbitrary directory of the attackers choice. cpio will
extract to the path specified in the cpio file, this path can be absolute.
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Joxean Koret discovered that the SVG import plugin did not properly
sanitize data read from an SVG file. By tricking an user into opening
a specially crafted SVG file, an attacker could exploit this to
execute arbitrary code with the privileges of the user.
A buffer overflow flaw in Elm was
discovered that was triggered by viewing a mailbox containing a message
with a carefully crafted 'Expires' header. An attacker could create a
malicious message that would execute arbitrary code with the privileges of
the user who received it.
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group.
The key selection dialog from the Mozilla Thunderbird enigmail plugin
has an information disclosure vulnerability.
A key with an empty user id from a user's keyring will be used by
default, allowing a message to be decrypted. This can lead to an
unauthorized information disclosure.
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash.
A number of security flaws have been discovered in Ethereal. On a system
where Ethereal is running, a remote attacker could send malicious packets
to trigger these flaws and cause Ethereal to crash or potentially execute
arbitrary code.
The fetchmailconf utility can create files which are world-readable for a brief period. These files may contain passwords, and thus should not be created in this manner.
The Firefox browser has multiple vulnerabilities including problems with
XBM image file processing, Unicode
sequence processing, XMLHttp requests, malicious XBL binding,
a JavaScript engine buffer overflow, about: pages,
opening of new windows, and command line URL processing.
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler.
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands.
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user.
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user.
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script.
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program.
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names.
Mike O'Connor discovered that the default installation of Horde3 on
Debian includes an administrator account without a password. Already
configured installations will not be altered by this update.
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks.
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine.
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
The krb5 authentication has a double-free flaw which may be
initiated by a remote unauthenticated attacker.
Also, a single byte heap overflow in the krb5_unparse_name() function
can lead to a denial of service and an information disclosure may
be caused by a malicious telnet server. See
This report for more
information.
Mark Martinec and Robert Lewis discovered a buffer overflow in
Convert::UUlib (before 1.051), a Perl interface to the uulib library, which
may result in the execution of arbitrary code.
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the parts of the library.
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function.
Steve Kemp discovered two format string vulnerabilities in libgda2,
the GNOME Data Access library for GNOME2, which may lead to the
execution of arbitrary code in programs that use this library.
Javier Fernandez-Sanguino Pena discovered that this library used the
file /tmp/entropy as a fallback entropy source if a proper source was
not set in the environment variable EGD_PATH. This can potentially
lead to weakened cryptographic operations if an attacker provides a
/tmp/entropy file with known content.
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass.
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
stack based buffer overflow in the libTIFF library when reading a TIFF
image with a malformed BitsPerSample tag. Successful exploitation would
require the victim to open a specially crafted TIFF image, resulting in the
execution of arbitrary code.
The libungif library has a vulnerability in the GIF file
colormap handling code. A maliciously crafted GIF file can
cause out of bounds memory writing and register corruption.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
Javier Fernández-Sanguino Peña noticed that the pwmconfig script created
temporary files in an insecure manner. This could allow a symlink attack to
create or overwrite arbitrary files with full root privileges since
pwmconfig is usually executed by root.
Mantis contains several vulnerabilities, including a remote file inclusion
vulnerability, an SQL injection vulnerability, multiple cross site
scripting vulnerabilities and multiple information disclosure
vulnerabilities.
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result.
The mysql CREATE FUNCTION can be used to create a buffer overflow.
A specially crafted long function name can be used by a local attacker
to crash the server or execute arbitrary code with the privileges of
the server.
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013).
Arjan van de Ven discovered a buffer overflow in rquotad on 64bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code.
When starting xntpd with the -u option and specifying the
group by using a string not a numeric gid the daemon uses
the gid of the user not the group. This problem is now fixed
by this update.
OpenSSH prior to version 4.2 will allow GSSAPI credentials to be delegated to users who are not using GSSAPI authentication, possibly leading to the unwanted disclosure of those credentials. OpenSSH 4.2 has the fix.
OpenSSL prior to version 0.9.7h or 0.9.8a contains a vulnerability which could enable an attacker to force the use of the older, less secure SSL 2.0 protocol. See this advisory for details or this analysis for even more details.
A buffer overflow has been discovered in the PCRE, a widely used library
that provides Perl compatible regular expressions. Specially crafted
regular expressions triggered a buffer overflow. On systems that accept
arbitrary regular expressions from untrusted users, this could be exploited
to execute arbitrary code with the privileges of the application using the
library.
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
There are multiple vulnerabilities in PHP, including malicious requests may overwrite the GLOBALS array, the parse_str() function may enable the
register_globals setting, cross-site scripting bugs in phpinfo() and a bug in EXIF image parsing that may crash the process.
Stefan Esser discovered that by calling certain PHP files directly, it
was possible to workaround the grab_globals.lib.php security model and
overwrite the $cfg configuration array. Systems running PHP in safe
mode are not affected. Futhermore, Tobias Klein reported several
cross-site-scripting issues resulting from insufficient user input
sanitizing. A local attacker may exploit this vulnerability by sending
malicious requests, causing the execution of arbitrary code with the rights
of the user running the web server. Furthermore, the cross-site scripting
issues give a remote attacker the ability to inject and execute malicious
script code or to steal cookie-based authentication credentials,
potentially compromising the victim's browser.
PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds.
Steven Van Acker has discovered a buffer overflow vulnerability in the
"add_port()" function in Pound 1.8.2+. A remote attacker could send a
request for an overly long hostname parameter, which could lead to the
remote execution of arbitrary code with the rights of the Pound daemon
process.
Max Vozeler reported that pstotext calls the GhostScript interpreter on
untrusted PostScript files without specifying the -dSAFER option. An
attacker could craft a malicious PostScript file and entice a user to run
pstotext on it, resulting in the execution of arbitrary commands with the
permissions of the user running pstotext. See this Secunia advisory for more information.
Thomas Gerisch found that the setuid 'chfn' program contained in the
pwdutils suite insufficiently checks it's arguments when changing the GECOS
field. This bug leads to a trivially exploitable local privilege escalation
that allows users to gain root access.
Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send
malicious Python pickles, resulting in the execution of arbitrary
Python code on the targeted game client.
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system.
Upstream developers of squid, the popular WWW proxy cache, have
discovered that changes in the authentication scheme are not handled
properly when given certain request sequences while NTLM
authentication is in place, which may cause the daemon to restart.
Tavis Ormandy noticed that sudo, a program that provides limited super
user privileges to specific users, does not clean the environment
sufficiently. The SHELLOPTS and PS4 variables are dangerous and are
still passed through to the program running as privileged user. This
can result in the execution of arbitrary commands as privileged user
when a bash script is executed. These vulnerabilities can only be
exploited by users who have been granted limited super user
privileges.
Charles Morris discovered a race condition in sudo which could lead to
privilege escalation. If /etc/sudoers allowed a user the execution of
selected programs, and this was followed by another line containing
the pseudo-command "ALL", that user could execute arbitrary commands
with sudo by creating symbolic links at a certain time.
Bill Stearns discovered a bug in the way sysreport creates temporary files.
It is possible that a local attacker could obtain sensitive information
about the system when sysreport is run.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
The rsvp_print function in tcpdump 3.9.1 and earlier allows remote
attackers to cause a denial of service (infinite loop) via a crafted RSVP
packet of length 4. (CAN-2005-1280)
tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of
service (infinite loop) via a crafted BGP packet, which is not properly
handled by RT_ROUTING_INFO, or LDP packet, which is not properly
handled by the ldp_print function. (CAN-2005-1279)
The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and
earlier allows remote attackers to cause a denial of service (infinite
loop) via a zero length, as demonstrated using a GRE packet.
(CAN-2005-1278)
Javier Fernández-Sanguino Peña from the Debian Security Audit team
discovered that the syslogtocern script from thttpd, a tiny webserver,
uses a temporary file insecurely, allowing a local attacker to craft a
symlink attack to overwrite arbitrary files.
A denial of service bug was found in the way ucd-snmp uses network stream
protocols. A remote attacker could send a ucd-snmp agent a specially
crafted packet which will cause the agent to crash.
Masanari Yamamoto discovered that Uim uses environment variables
incorrectly. This bug causes a privilege escalation if setuid/setgid
applications are linked to libuim. This bug only affects
immodule-enabled Qt (if you build Qt 3.3.2 or later versions with
USE="immqt" or USE="immqt-bc").
Unzip has a race condition vulnerability
in the handling of output files.
During file unpacking, a local attacker can modify the permissions
of arbitrary files in the victim's directory.
Linux umount command as provided in the util-linux package in
versions 2.8 to 2.12q, 2.13-pre1 and 2.13-pre2 grants root privileges. See this BugTraq post for more information.
crontab in Vixie cron 4.1, when running with the -e option, allows local
users to read the cron files of other users by changing the file being
edited to a symlink. NOTE: there is insufficient information to know
whether this is a duplicate of CVE-2001-0235. See also this Security Focus
report.
xtensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
Three buffer overflows were discovered in xloadimage when handling the image title name. A malicious user can construct a NIFF file that when viewed and processed (with either zoom, reduce or rotate) by xloadimage, will cause the program to overwrite the return address and execute arbitrary code.
The pixmap memory allocation code in the X.Org X window system is
vulnerable to an integer overflow, a local user can use this to
execute arbitrary code with elevated privileges.
A flaw was discovered in Xpdf in that could allow an attacker to construct
a carefully crafted PDF file that would cause Xpdf to consume all available
disk space in /tmp when opened.
...is a secure, restricted execution environment for running Linux
programs with the minimum necessary privileges. It is similar to
using chroot jails, but is more lightweight and flexible. You can use
Plash to grant a process read-only or read-write access to specific
files and directories, which can be mapped at any point in its private
filesystem namespace.
This release includes a new "file powerbox" capability which can allow a user to grant access to specific files to an application on the fly.
