Security
Linux botnets
Collections of subverted machines, called botnets, are typically associated with Windows: thousands of zombie desktops sending spam and causing other internet mayhem. Unfortunately, it is increasingly clear that Linux boxes (as well as MacOS X and other UNIX boxes) are participating in botnets, but with a twist: it is mostly servers that have been subverted. Botnets are an enormous problem that Vint Cerf recently estimated may involve up to one quarter of all internet-connected computers. That translates to a botnet controller's fondest wish: 150 million zombie machines to rent to the highest bidder.
Desktops are usually infected with a bot by an email-borne virus or a trojan attached to some application that the user installs, much as adware and spyware infect machines. The bot software then connects to a 'command and control' (C&C) infrastructure, which often uses Internet Relay Chat (IRC) servers, to get instructions on what it should do. The 'owner' of a botnet (known as a bot herder) can then instruct the bots to do whatever they, or more likely their client, want. Because the traffic generated by a botnet comes from all over the Internet, it is difficult or impossible to recognize it for what it is. This allows botnets to be used for spamming, distributed denial of service (DDOS) attacks, click fraud and other malicious activities in a largely untraceable way.
The desktop infection methods are not typically as useful against Linux boxes, so bot herders have turned to web application exploits as a means of collecting subverted machines. Attacking servers has the additional advantage that they are usually machines with much greater resources: faster network connectivity, more storage, faster processors, etc. The attacks are largely targeted at everyone's favorite Internet security whipping boy, PHP applications. Open source PHP applications are the main target as they are ubiquitous and, as some recent research indicates, typically easy to exploit. An additional benefit of targeting a higher-level application is that the exploit is cross-platform; the operating system and web server software are immaterial if the target is a PHP application.
The easiest type of vulnerability to exploit is often Remote File Inclusion (RFI), which allows an attacker to run code on a vulnerable server with the permissions of the web server. Generally, those permissions are sufficient to allow the bot to do anything the herder might wish; sending email and other network traffic is not normally a privileged activity. Even a cursory glance at the Bugtraq mailing list will reveal numerous RFI vulnerabilities; they are reported regularly and each can lead to bot exploitation if not patched.
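The include pattern behind the RFI bugs described above, beside a hardened form of the same page dispatcher, as an added example (not code from the article or from any application it mentions); the templates/ directory and the home/about template names are assumptions:

```php
<?php
// Added example, not from the LWN article: the Remote File Inclusion (RFI)
// pattern the text describes, beside a hardened version of the same page
// dispatcher. Assumes a templates/ directory holding home.php and about.php
// (hypothetical names).

// VULNERABLE: the untrusted "page" value becomes the start of the include
// path. When allow_url_include is On, a URL in that parameter is fetched over
// the network and executed with the web server's privileges, which is how the
// article says PHP servers end up in botnets. Even with it Off, "../"
// sequences still let a caller include arbitrary local files.
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// HARDENED: treat the parameter as a key into a fixed allowlist, never as a
// path fragment. Unknown keys fall back to a known template, so no
// user-controlled text ever reaches include().
const ALLOWED_PAGES = ['home' => 'home.php', 'about' => 'about.php'];

function resolve_template(string $page): string
{
    $file = ALLOWED_PAGES[$page] ?? ALLOWED_PAGES['home'];
    return __DIR__ . '/templates/' . $file;
}

function render_page_hardened(string $page): void
{
    include resolve_template($page);
}

// Defence in depth: with remote includes disabled in php.ini, an RFI bug in
// any application on the host degrades to a local-file problem. Refuse to run
// on a host where the setting is unexpectedly enabled.
function remote_includes_disabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (!remote_includes_disabled()) {
    http_response_code(500);
    exit('allow_url_include must be Off on this host');
}

render_page_hardened($_GET['page'] ?? 'home');
```

The allowlist is the real fix; the php.ini check only limits the damage of bugs elsewhere on the same host.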
Many different types of malware can be installed on a vulnerable machine, depending on the intent of the herder. As with the exploit itself, the installed code tends to be written in a scripting language so that it is cross-platform. The malware can range from simple test tools that indicate vulnerable servers to sophisticated shells that allow the attacker to effectively log in to the server and perform any allowed operation.
The most serious damage that these botnets have caused is to our inboxes; bots seem to be the preferred way to deliver spam these days. Diligent anti-spam efforts tend to get spamming accounts or systems shut down within hours, but there is no easy way to shut down a spam-delivering botnet. A less visible, but potentially more damaging, effect is DDOS attacks on internet sites. By attacking a site and working their way up the chain of DNS servers and registrars, a botnet can silence a site the herder does not like, or hold sites hostage until their owners pay a ransom.
Past efforts to thwart botnets have often focused on destroying the C&C servers by shutting down the affected IRC sites, but botnets are moving toward using HTTP for C&C, which allows that traffic to hide in the sea of similar traffic; it also has the advantage of passing through most firewalls. Botnets will be a serious problem going forward, and Linux systems are not immune to participation in them. The financial incentive is large and the means of prevention are weak, at least so far. As we have learned by trying to deal with spam, money makes our adversaries much more inventive, which makes long-term solutions hard to come by.
Brief items
An update on the Solaris telnet vulnerability
For those who are interested in the Solaris telnet vulnerability, Gadi Evron has put together a comprehensive summary of the problem, how Sun responded, where to get fixes, etc. "Whatever my thoughts are on how silly, sad or funny this vulnerability is (quaint really), how they use telnet (?!) and how Sun should be smacked on the back of the head for it, I have to honestly admit Sun's response and the level they were open to the community and industry on this without too many PR/legal blocks getting in their way are very encouraging..."
New vulnerabilities
ImageMagick: buffer overflow
Package(s): imagemagick | CVE #(s): CVE-2007-0770
Created: February 12, 2007 | Updated: February 16, 2007
Description: Vladimir Nadvornik discovered a buffer overflow in GraphicsMagick and ImageMagick that allows user-assisted attackers to cause a denial of service and possibly execute arbitrary code via a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c.
Alerts:
MoinMoin: cross-site scripting
Package(s): moinmoin | CVE #(s): CVE-2007-0857
Created: February 12, 2007 | Updated: February 14, 2007
Description: Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin before 1.5.7 allow remote attackers to inject arbitrary web script or HTML via (1) the page info, or the page name in a (2) AttachFile, (3) RenamePage, or (4) LocalSiteMap action.
Alerts:
rar: buffer overflow
Package(s): rar | CVE #(s): CVE-2007-0855
Created: February 14, 2007 | Updated: February 14, 2007
Description: The rar archive utility contains a buffer overflow in its processing of password-protected archives. Version 3.7.3 contains the fix.
Alerts:
smb4k: multiple vulnerabilities
Package(s): smb4k | CVE #(s): CVE-2007-0472 CVE-2007-0473 CVE-2007-0474 CVE-2007-0475
Created: February 13, 2007 | Updated: March 12, 2007
Description: The Smb4K 0.8.0 release announcement notes several security weaknesses in the utility programs (stack overflows, the use of strcpy instead of strncpy, and a design error in smb4k_kill) and in the Smb4KFileIO class (the use of mktemp instead of mkstemp for the creation of temporary files, which could lead to both a race and an information leak, and a race in the code that handles the lock file). Fixes for all of these issues are included in Smb4K 0.8.0 and in the patches that have been prepared for Smb4K 0.7.5 and 0.6.10a. Other versions are no longer supported.
Alerts:
snort: denial of service
Package(s): snort | CVE #(s): CVE-2006-6931
Created: February 14, 2007 | Updated: March 1, 2007
Description: From the Gentoo advisory: Randy Smith, Christian Estan and Somesh Jha discovered that the rule matching algorithm of Snort can be exploited in a way known as a "backtracking attack" to perform numerous time-consuming operations. Version 2.6.1.2 contains the fix.
Alerts:
twiki: arbitrary code execution
Package(s): twiki | CVE #(s): CVE-2007-0669
Created: February 12, 2007 | Updated: February 14, 2007
Description: According to this vendor security advisory, a vulnerability exists in the SessionPlugin extension of the Wiki engine TWiki, versions up to and including 4.1.0. The vulnerability allows local users to cause TWiki to execute arbitrary Perl code with the privileges of the web server process by creating CGI session files on the local filesystem.
Alerts:
wordpress: multiple vulnerabilities
Package(s): wordpress | CVE #(s): CVE-2007-0262 CVE-2007-0539 CVE-2007-0541
Created: February 13, 2007 | Updated: February 14, 2007
Description: WordPress does not properly verify that the m parameter value has the string data type, which allows remote attackers to obtain sensitive information via an invalid m[] parameter, as demonstrated by obtaining the path, and obtaining certain SQL information such as the table prefix. (CVE-2007-0262) WordPress before 2.1 allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a large file, which triggers a long download session without a timeout constraint. (CVE-2007-0539) WordPress allows remote attackers to determine the existence of arbitrary files, and possibly read portions of certain files, via pingback service calls with a source URI that corresponds to a local pathname, which triggers different fault codes for existing and non-existing files, and in certain configurations causes a brief file excerpt to be published as a blog comment. (CVE-2007-0541)
Alerts:
Page editor: Jonathan Corbet