Jose Nazario has provided LWN with a brief wrap up of this year's USENIX
Security 2002 conference. "Linux's LSM kernel features, part of the
Linux Security Module feature kit, were presented by folks from WireX
(makers of Immunix, StackGuard and FormatGuard), NAI labs (part of the
SELinux development team), and others. Their paper gave an overview of the
architecture, some example code, work to bring other Linux security
projects into the LSM architecture, and some benchmarks. Overall an
excellent report, showing how much work and research has gone into the
project."
A followup, addressing implementation issues, to the recent paper on chosen-ciphertext attacks against PGP and GnuPG
by K. Jallad, J. Katz, and B. Schneier is available (PDF
or Postscript format).
Werner Koch posted this partial rebuttal
noting that countermeasures are defined in the OpenPGP drafts since October 2000.
The Mercury News
covers the subject PGP flaw which could allow attackers to read mail intended for
someone else only if they can be tricked into sending
tampored mail back to the attacker after they receive it.
Here's a News.com article about the
Internetworked Security Information Service (ISIS), which brings together
four independent projects--the Open Source Vulnerability Database, the
Alldas.de defacement-tracking service, the PacketStorm software database
and the vulnerability watchdog VulnWatch.
Wired
and
ZDNet covered
the festival of just-for-fun denial of service attacks,
system break-ins and other
activities at this year's Defcon conference in Las Vegas.
The Finnish Oulu University Secure Programming Group (OUSPG) is conducting
a survey of "vendors who receive bug reports, to coordinators of the reporting
process (e.g. mailing list moderators and national CERTs), and to reporters
of software vulnerabilities."
If you do any of these functions we encourage you to participate.
As described in this Bugtraq posting, the source distribution for OpenSSH
3.4p1 contains a trojan horse. Said trojan is apparently activated only
during the build process; people who are running binary versions (from a
trusted source!) should not need to worry. No word as yet on just how this
came to be; stay tuned, we'll update things as we learn more. (Thanks to
Christof Damian).
Updates:
An advisory from the OpenBSD
folks has been issued. "OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have
been trojaned on the OpenBSD ftp server and potentially propagated via the
normal mirroring process to other ftp servers....Anyone who has installed
OpenSSH from the OpenBSD ftp server or any mirror within that time frame
should consider his system compromised."
Tomi Nylund has compiled this list
of mirrors that carried the trojaned OpenSSH.
Ulf Harnhammar reports that L-Forum version 2.4.0,
and possibily others, has got two different XSS (Cross-Site Scripting) holes
and a distinct upload spoofing vulnerabiity
In a separate report, Matthew Murphy discovered an SQL injection flaw in L-Forum.
TinySSL version 1.03 has
a server side fix for this IE SSL vulnerability. TinySSL is an open source, compact (125k jar), SSLv3 client
implementation written in Java (1.1+).
An integer overflow in xdr_array() function when deserializing the XDR stream
that originated in the SunRPC library has been propagated into, at least,
glibc, Kerberos 5, OpenAFS and dietlibc. The result, in most cases,
is a potential remote code or root access vulnerability.
According to the CERT Vulnerability Note,
"this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information."
The result, so far, is the four new vulnerabilities (below) for
glibc, Kerberos 5, OpenAFS and dietlibc.
News.com
covers
the bug and its impact on
Kerberos Key Distribution Center authentication functions.
"Several sellers of Unix and Unix-like operating systems, including Red Hat, Debian, FreeBSD, Sun and NetBSD, said that their software was affected by the issue, and issued fixes. HP said it was investigating the bug's impact."
Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library which is used in glibc.This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream
Kerberos 5 unauthorized root access to KDC host vulnerability
Package(s):
krb5
CVE #(s):
Created:
August 14, 2002
Updated:
October 29, 2002
Description:
A bug in the Kerberos 5 remote
administration service, "kadmind", could be
exploited to gain unauthorized root access to a KDC host.
It is believed that the attacker needs to be able to
authenticate to the kadmin daemon for this attack to be successful.
Felix von Leitner, discovered this
potential division by zero bug in
code derived from the SunRPC library which is used
in many places, including the Kerberos 5 administration system.
Updating now is recommended.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream
The OpenAFS database server is subject to the
integer overflow bug in code derived from the SunRPC library.
This bug could be exploited to crash certain OpenAFS servers
(volserver, vlserver, ptserver, buserver) or to obtain unauthorized
root access to a host running one of these processes.
Felix von Leitner, discovered this
potential division by zero bug in
code derived from the SunRPC library which is used
in many places including openafs.
Updating now is recommended.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream
Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library with is used in
dietlibc, a libc optimized for small size.
The bug could be exploited to gain unauthorized root
access to software linking to dietlibc.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream
A local user can stop local mail service
by holding an exclusive read
lock on specific sendmail files.
The user must have permission to read
a file such as /var/log/sendmail.st, which
is world readable by default.
Buffer overflow and format string vulnerabilities in ipppd
Package(s):
i4l
CVE #(s):
Created:
August 14, 2002
Updated:
August 14, 2002
Description:
The ipppd program, in the i4l package, has
various buffer overflows and format string bugs. Since ipppd
is installed setuid to root,
attackers with appropriate group membership may be able to execute
arbitrary commands as root.
The i4l package for ISDN connectivity is installed by default
in at least one distribution; you are vulnerable even if
you do not have an ISDN connection.
The SuSE Security Team is aware of a published exploit for ipppd
that gives a local attacker root privileges so you should either update
the package or remove the setuid bit from ipppd.
gaim versions prior to 0.58
contained a buffer overflow in the Jabber plug-in module.
The problem is fixed in
gaim 0.59 which is available here.
"Gaim is an instant messaging client written in GTK and is based on the
published TOC messaging protocol from AOL."
Tcl/Tk searches for its libraries in the current working
directory before other directories.
A local user could
execute arbitrary code by inserting a Trojan horse library
in the current working directory.
Versions of the expect application prior to 5.32, search for its libraries
in /var/tmp before searching in other directories.
A local user could
gain root privleges by inserting a Trojan horse library
in /var/tmp and then getting the root user to run mkpasswd.
l2tpd, a layer 2 tunneling client/server program,
does not initialize the random generator.
Since this makes all generated random number 100% guessable,
the oversight could lead to remote exploits.
There is also a buffer overflow vulnerability.
Both problems are fixed in the updates below.
The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests
with negative Content Length values.
"It is believed
that an attacker could exploit this bug to gain remote wwwrun access
to the system wwwoffled is running on."
A remote attacker could execute commands under the uid
of the web server by passing in the GALLERY_BASEDIR variable remotely.
Gallery is a web-based photo album toolkit.
A problem has been discovered in interchange which may allow
a remote attacker to read any file for which the user of the Interchange
daemon has sufficient permissions.
Interchange must be running in "INET
mode" (internet domain socket) to be vulnerable.
This is not the default setting, at least in
Debian packages.
Interchange is an e-commerce and general HTTP database display system.
Remote arbitrary code execution vulnerability in mantis
Package(s):
mantis
CVE #(s):
Created:
August 14, 2002
Updated:
August 20, 2002
Description:
Mantis is a php based bug tracking system.
Joao Gouveia and the Debian Security Team found
multiple insecure uses of uninitialized variables in mantis.
When these occasions are exploited, a remote user is able
to execute arbitrary code under the webserver user id on the web
server hosting the mantis system.
A format string bug in super may allow a local user to
gain unauthorized root accesss.
Super is a setuid-root program that offers
restricted setuid-root access to executables and
a relatively secure environment for scripts.
The munpack program is used in the Debian distribution
for decoding binary files
in MIME (Multipurpose Internet Mail Extensions) format mail messages.
Eckehard Berns discovered a buffer overflow in munpack
which may allow a mailiciously formed email
to run arbitrary code.
Potential arbitrary code execution vulnerability in tinyproxy
Package(s):
tinyproxy
CVE #(s):
Created:
August 14, 2002
Updated:
August 15, 2002
Description:
Tinyproxy, a lightweight HTTP proxy, handles some
invalid proxy requests incorrectly.
Under some
circumstances, an invalid request may result in a allocated memory
being freed twice. This can potentially result in the execution of
arbitrary code.
A file descriptor leak into services started from xinetd
may be used, by programs it stats, to crash xinetd.
Xinetd is a replacement for the BSD derived inetd.
Here is an advisory from the Computer Emergency Response Team (CERT)
regarding the denial of service vulnerability in version 9 of the BIND
nameserver, up to 9.2.1. An attacker can send a properly crafted packet
which triggers a check within BIND and causes it to shut down. The
vulnerability can not be exploited for any purpose beyond denial of
service, but that is bad enough; if you are running BIND 9, an upgrade
is probably a good idea.
Note that many or most systems out there will still be running
BIND 8, and thus will not be vulnerable.
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Firch's fixes,
is in the glibc getnetbyXXX functions.
These functions are described in the SuSE alert as
"
used by very few applications only, such as ifconfig and ifuser,
which makes exploits less likely."
CERT Advisory: CA-2002-19
Buffer Overflow in Multiple DNS Resolver Libraries
Ethereal 0.9.4
was released
on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
The SMB dissector could potentially dereference a NULL pointer in two cases.
The X11 dissector could potentially overflow a buffer while parsing keysyms.
The DNS dissector could go into an infinite loop while reading a malformed packet.
The GIOP dissector could potentially allocate large amounts of memory.
No known exploits exist "in the wild" at the present time for any of these issues.
Ethereal 0.9.2 has several packet handling vulnerabilities
that are best avoided by upgrading to 0.9.4.
The PROTOS test
suite found some flaws in SNMP and LDAP protocols support.
Malformed packets could also crash ethereal 0.9.2 due to a
ASN.1 zero-length g_malloc problem.
The zlib "double free" vulnerability
was addressed by the updates for that bug from many distributors.
A race
condition in rm may cause the root user to delete the whole filesystem.
The problem exists in the version of rm in
fileutils
4.1 stable and 4.1.6 development version. A patch
is available.
(First LWN
report: May 2).
The HylaFAX team has
released version 4.1.3 fixing
denial of service, elevated system privilege and possible
remote code execution vulnerabilities.
HylaFAX is a mature (est. 1991) enterprise-class open-source software
package for sending and receiving facsimiles as well as for sending
alpha-numeric pages. It runs on a wide variety of UNIX-like platforms
including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX,
AIX, and HP-UX.
UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft
a request to run commands on the server under their UID and GID.
(First LWN report: May 23).
Mod-ssl provides strong cryptography for the Apache webserver
via the Secure Sockets Layer (SSL).
A maliciously-crafted .htaccess file, may
be used by an attacker to execute arbitrary
commands as the httpd user or launch a denial of service attack.
The problem is fixed in mod_ssl 2.8.10 which is available
from here.
Versions of libpng prior to
1.2.4 and 1.0.14 have a buffer
overflow vulnerability that could lead to remote code execution.
Since libpng is used by programs that talk to the outside
world (i.e. mozilla), it is worth upgrading.
libpng is the official PNG reference library. It supports almost all PNG features, is extensible, and has been extensively tested for over five years.
Barry A. Warsaw announced
the release of Mailman 2.0.11
"which fixes two
cross-site scripting exploits, one reported by "office" in the admin
login page, and another reported by Tristan Roddis in the Pipermail
index summaries.
It is recommended that all sites upgrade their 2.0.x systems to this
version."
The OSSP mm library (libmm) is frequently used in Apache
setups using mod_ssl and/or mod_php.
A temporary file vulnerabiity in OSSP mm library (libmm) before
version 1.2.0
permits a local Apache user to gain privileges.
It can be exploited to obtain root privilege in some circumstances.
Upgrading sooner, rather than later, is recommended.
PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which
can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.
According to the CERT Advisory,
almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP.
Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP
4.2.0 or 4.2.1 installed,
is to upgrade to PHP 4.2.2.
For more information see the alert from
the discover of the vulnerability, Stefan Esser of e-matters GmbH,
or the security
advisory from the php team.
This XMLHttpRequest security
bug impacts all Mozilla-based browsers. "The bug is found in versions of
Mozilla from 0.9.7 to 0.9.9 on various operating
system platforms, and in Netscape versions 6.1 and
higher."
(First LWN
report: May 2).
The nss_ldap package includes the pam_ldap module for
authenticating a user with an LDAP database.
Pam_ldap versions prior to 144 have a string format
bug in the logging mechanism.
Four remotely-exploitable buffer overflows were found in OpenSSL versions 0.9.7 and 0.9.6d and earlier by a DARPA sponsored security audit.
Both client and server applications are affected.
The vulnerabilities are described in this security alert from the OpenSSL team.
A nasty exploit for one of the vulnerabilities is described in
CERT Advisory CA-2002-27 Apache/mod_ssl Worm.
Compromise by the Apache/mod_ssl worm indicates that a remote attacker
can execute arbitrary code as the apache user on the victim system. It
may be possible for an attacker to subsequently leverage a local
privilege escalation exploit in order to gain root access to the
victim system. Furthermore, the DDoS capabilities included in the
Apache/mod_ssl worm allow victim systems to be used as platforms to
attack other systems.
If you haven't already, applying an update is a very good thing
to do today.
Mitel Networks has an update available which
closes this vulnerabilty for their SME Server software.
CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL
Pine has an
unpleasant
vulnerability in URL handling vulnerability which can lead to
command execution by remote attackers.
(First LWN report: January 17th).
This vulnerability is remotely exploitable; updating is a good idea.
Note: If an update isn't yet available for your distribution,
setting enable-msg-view-urls to "off" in pine's setup will
avoid the vulnerability. (Thanks to Greg Herlein).
According to the CVE entry,
"uudecode, as available in the sharutils package before 4.2.1, does not
check whether the filename of the uudecoded file is a pipe or symbolic
link, which could allow attackers to overwrite files or execute commands."
(First LWN
report: May 16).
Multiple vulnerabilities fixed in Squid-2.4.STABLE7
Package(s):
squid
CVE #(s):
Created:
July 8, 2002
Updated:
November 15, 2002
Description:
Here is the security advisory for the Squid proxy server reporting several vulnerabilities in versions up to and including 2.4.STABLE7.
Several of the bugs are believed to allow remote code execution.
Several bugfixes and cleanup of the Gopher client, both
to correct some security issues and to make Squid properly
render certain Gopher menus.
Security fixes in how Squid parses FTP directory listings into
HTML
FTP data channels are now sanity checked to match the address
of the requested FTP server. This to prevent theft or injection
of data. See the new ftp_sanitycheck directive if this sanity
check is not desired.
The MSNT auth helper has been updated to v2.0.3+fixes for
buffer overflow security issues found in this helper.
A security issue in how Squid forwards proxy authentication
credentials has been fixed
A buffer overflow in tcpdump can be triggered by a bad NFS packet when
tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable.
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
Most SNMP
implementations out there have a variety of buffer overflow vulnerabilities
and should be upgraded at first opportunity. See this CERT advisory for more. (First
LWN report: February 14).
chfn (change finger information) is one of the utilities in
the util-linux package.
The BindView RAZOR Team has discovered a local root vulnerability
in chfn which is described in the Bindview Advisory.
Under certain conditions, "a
carefully crafted attack sequence can be performed to exploit a
complex file locking and modification race present in this utility,
and, as a result, alter /etc/passwd to escalate privileges in the
system." The conditions include a password file, /etc/passwd, over 4 kilobytes and locating the attacker's account record in any
but the last 4 kB chunk of the file.
CERT/CC Vulnerability Note VU#405955 util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility
webalizer: reverse DNS buffer overflow vulnerability
Package(s):
webalizer
CVE #(s):
Created:
May 21, 2002
Updated:
January 27, 2003
Description:
The cause is a buffer overflow bug.
This one sounds nasty.
If reverse DNS lookups are enabled in webalizer,
"an attacker with control over the victims DNS may spoof responses thus
triggering a buffer overflow, potentially leading to a root compromise."
Webalizer 2.01-10 "fixes this and a few
other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002).
This one is scary. The session ID
spoofing vulnerability allows the "possibility that arbitrary
commands may be executed with root privileges."
Upgrading is strongly recommended. At a minimum avoid the
"preconditions for a successful exploit" by disabling
password timeouts under Webmin->Configuration->Authentication.
The libgtop_daemon package is a GNOME
program which makes system information available remotely.
LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package
on December 6th.
On November 28th
disabling the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run
libgtop by default, but applying the update is a good idea anyway.
A malicious IRC server may
return a response to a /dns query that executes arbitrary commands
with the privileges of the user running XChat.
Versions of XChat prior to 1.8.9 are vulnerable.
Ofir Arkin announces the release of the Xprobe2 source code
and white paper (PDF format). The code is licensed under the GPL.
Xprobe2 is an active operating system fingerprinting tool with a
different approach to operating system fingerprinting. Xprobe2 rely on
fuzzy signature matching, probabilistic guesses, multiple matches
simultaneously, and a signature database.
Nmap is a utility for network exploration or security auditing. It
supports ping scanning (determine which hosts are up), many port
scanning techniques (determine what services the hosts are offering),
and TCP/IP fingerprinting (remote host operating system
identification). Nmap also offers flexible target and port
specification, decoy/stealth scanning, sunRPC scanning, and more. Most
UNIX and Windows platforms are supported in both GUI and command-line
modes.
The 'Security Digest' Archives
is attempting to build "a history of the early 'Security Digest' archives, from the Unix 'Security Mailing List', through the Zardoz 'Security Digest' to the Core 'Security List'."
If you're interested in contributing, or just curious, please take a look.
For additional security-related events, included training courses (which we
don't list above) and events further in the future, check out
Security Focus' calendar,
one of the primary resources we use for building the above list. To
submit an event directly to us, please send a plain-text message to
lwn@lwn.net.
