Simson Garfinkel has written another
story on the interesting things he has found on used disk drives; this
one appears in CSO magazine. He looked at some 150 drives, and found that
only 10% of them had been sanitized.
One of the drives once lived in an ATM. It contained a year's worth
of financial transactions--including account numbers and
withdrawal amounts--from a organization that had a legal
requirement to not divulge such information. Two other drives
contained more than 5,000 credit card numbers--it looked as
if one had been inside a cash register. Another had e-mail and
personal financial records of a 45-year-old fellow in Georgia. The
man is divorced, paying child support and dating a woman he met in
Savannah. And, oh yeah, he's really into pornography.
In general, one need not think to long before realizing that letting an
unsanitized disk out of your possession is not a particularly good idea.
One might well wonder, however, what the best method is for cleaning up a
disk. There are a few different options available. Note that running
fdisk or mkfs is not an option, however; those utilities
leave most of the information on the disk intact.
The safest way, perhaps, is to encrypt the contents of your disks from the
beginning. Such disks should be safe even if they leave your possession in
an unexpected, undesired way. Most Linux distributions do not come with
easy disk encryption options now, but that is likely to change within the
next year or so. The inclusion of the crypto-API code in the 2.6 kernel,
combined with the block encryption capabilities being patched into the
device mapper code, should make this capability widely available.
The GNU
shred utility is part of the "coreutils" package. It can be used to
overwrite the contents of a single file or an entire device. The single
file mode can be tripped up by things like journaling filesystems and
should not be relied upon for too much security. When shred is applied to
an entire block device, however, it should be effective.
Lacking a tool like shred, one could always overwrite a device with a
command like:
dd if=/dev/urandom of=/dev/disk-to-wipe
The truly paranoid among us will want to run that command more than once.
Another option is the standalone disk wiper, which boots from a diskette or
CD to do its cleanup work. This sort of utility is useful when an entire
computer is being surplussed, and the person doing the cleanup does not,
necessarily, know how to log into and clean the system. Besides, wiping
the root disk on a running system can be a difficult operation to
complete. A couple of offerings in this area are autoclave and Secure
Harddisk Eraser. Both of these are compact Linux systems which boot in
a standalone mode and trash the disk. Autoclave goes to some lengths to
ensure that the user knows what is about to happen; Secure Harddisk Eraser,
instead, simply waits a minute and goes to work.
The final option is the physical destruction of the disk drive. Modern
drives can be surprisingly hard to destroy, however.
The one course which is not an option is getting rid of drives without
cleaning them up first. It has become clear to a lot of people that used
drives can be gold mines of information which should not be disclosed. If
you throw away a loaded disk, chances are good that somebody else will go
digging through it.
The ecartis mailing list manager (version 1.0) suffers from an input validation vulnerability which can result in the disclosure of list passwords. Ecartis also has several buffer overflow vulnerabilities. See this advisory for more information.
The Apache Software Foundation and the Apache HTTP Server Project have
announced the release of version 2.0.49 of the Apache HTTP Server
("Apache"). More on the vulnerabilities fixed in this release can be found
in this announcement.
A problem was discovered in Apache2 where CGI scripts that write more than
4k to the standard error stream will hang the script's execution. This problem can lead to a
denial of service situation. See this bug
report for additional details.
Calife, a program which provides super user privileges to specific
users, was found to contain a buffer overflow related to the
getpass(3) library function. A local attacker could potentially
exploit this vulnerability, given knowledge of a local user's password
and the presence of at least one entry in /etc/calife.auth, to execute
arbitrary code with root privileges.
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
KDE has issued a security advisory for all
versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4
inclusive. A carefully crafted .VCF file potentially enables local
attackers to compromise the privacy of a victim's data or execute arbitrary
commands with the victim's privileges. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to
this issue.
A vulnerability was discovered in the Linux kernel versions 2.4.22 and
previous. A flaw in bounds checking in the do_brk() function can allow a
local attacker to gain root privileges. This vulnerability is known to be
exploitable.
The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article.
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
Matthew Galgoci of Red Hat discovered a Denial of Service (DoS)
vulnerability in versions of Mailman prior to 2.1. An attacker could send
a carefully-crafted message causing mailman to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0991 to this issue.
A vulnerability was discovered in Midnight Commander, a file manager,
whereby a malicious archive (such as a .tar file) could cause arbitrary
code to be executed if opened by Midnight Commander.
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability, however, because the
vulnerability has not been fully fixed, version 2.7.10 has been released.
Users of mod_python 3.0.4 are not affected by this vulnerability.
Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer
into executing arbitrary code upon parsing that header. Read the full advisory
for details.
mutt suffers from a buffer overflow in its "index menu" code. This overflow can be exploited via a hostile message to crash mutt and, perhaps, execute arbitrary code. Version 1.4.2 fixes the problem; see this advisory for details.
Some some vulnerabilities exsist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins in the Nessus
server (this option is disabled by default) or he/she would need to trick a
user somehow into running a specially crafted nasl script. Read the full
advisory for additional information.
netpbm is graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Paul Szabo discovered a number of bugs in suidperl, a helper
program to run perl scripts with setuid privileges. By exploiting
these bugs, an attacker could abuse suidperl to discover information
about files (such as testing for their existence and some of their
permissions) that should not be accessible to unprivileged users.
The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
PWLib is a cross-platform class library designed to support the OpenH323
project. OpenH323 provides an implementation of the ITU H.323
teleconferencing protocol, used by packages such as Gnome Meeting.
A test suite for the H.225 protocol (part of the H.323 family) provided by
the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker
could trigger these bugs by sending carefully crafted messages to an
application. The effects of such an attack can vary depending on the
application, but would usually result in a Denial of Service. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0097 to this issue.
Samba, a LanManager-like file and printer server for Unix, was found
to contain a vulnerability whereby a local user could use the "smbmnt"
utility, which is setuid root, to mount a file share from a remote
server which contained setuid programs under the control of the user.
These programs could then be executed to gain privileges on the local
system.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump
versions prior to 3.8.1. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.
Jonathan Heusser discovered two additional flaws in the ISAKMP decoding
routines of tcpdump versions up to and including 3.8.1. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0057 to this issue.
Jonathan Heusser discovered a flaw in the print_attr_string function in the
RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0055 to this issue.
Remote attackers could potentially exploit these issues by sending
carefully-crafted packets to a victim. If the victim uses tcpdump, these
packets could result in a denial of service, or possibly execute arbitrary
code as the 'pcap' user.
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
Rootkit Hunter 1.0.0 has been released; this package will scan a system for
signs of compromise. The release contains a long list of "supported"
malware that Rootkit Hunter can detect; that list does not include the
Adore rootkit discussed here last week,
however.
