This worm has been referred to by at least four different names:
Apache/mod_ssl worm, linux.slapper.worm, bugtraq.c worm and Modap worm.
On Friday September 13th the first reports appeared on Bugtraq of an active worm exploiting the OpenSSL buffer overflow
vulnerability reported at the end of July.
The next day CERT issued Advisory CA-2002-27Apache/mod_ssl Worm.
Compromise by the Apache/mod_ssl worm indicates that a remote attacker
can execute arbitrary code as the apache user on the victim system. It
may be possible for an attacker to subsequently leverage a local
privilege escalation exploit in order to gain root access to the
victim system. Furthermore, the DDoS capabilities included in the
Apache/mod_ssl worm allow victim systems to be used as platforms to
attack other systems.
By Sunday
September 15th, at 17:00 GMT, F-Secure Corporation reported 13,000 infected servers
out of "over 1,000,000 active OpenSSL
installations in the public web."
Updates to fix the problem, including backports to earlier versions of OpenSSL, had been available for over a month
from the OpenSSL project, Caldera, Conectiva, Debian, EnGarde, Eridani, Gentoo, Mandrake, OpenPKG, Red Hat, SuSE, Trustix and Yellow Dog.
SecurityFocus has completed and released a full analysis (PDF format) of the worm in addition to their initial incident Alert (PDF format).
F-Secure is maintaining a "Virus Description" of
this worm with lots of interesting information.
The first reports in the press appeared Friday,
the day the worm was first seen, in
CNET
and
Network World Fusion.
The next day CNET put up another story with
additional information. By Monday evening both the Register and
TechWeb
had published their reports on events to date. On Tuesday Network World Fusion reported that the worm has infected at least 30,000 Linux Apache Web servers.
According to Dan Ingevaldson, team lead of the X-Force R&D division at ISS, the first version may be a test to see how well the worm works before more deadlier versions surface. "Unlike Code Red and Nimda, where virus writers didn't have immediate access to the source code, the source code for this worm is already widely public," he says. "I'd expect new versions to start to surface."
RUS-CERT has made available a tool to remotely detect vulnerable servers. However, Eric Rescorla has
observed behavior different from what that tool expects.
In the unlikely event that you haven't already, applying the appropriate OpenSSL update might be a very good thing to do before reading any further.
CNET has a short article about a little privacy bug in Mozilla's handling of referers. "The bug reveals the URL of the page someone is viewing to the Web server of the site last visited. This allows a Web server to track where people go after they leave the site, even if the next Web address comes from a bookmark or is manually typed into the browser." If you are using a Gecko-based browser, you can see the bug in action on this page.
Bruce Schneier's CRYPTO-GRAM newsletter for September is out. It looks at
possible new attack strategies for algorithms like AES, the Word97
vulnerability, and more. "We're seeing more and more of this:
vulnerabilities in products that
are no longer supported. When the SNMP vulnerabilities were published
earlier this year, many products with the vulnerability were no longer
supported. Some were made by companies no longer in business."
Ulf Harnhammar reports potential cross-site scripting problems in
ht://Check version 1.1,
and possibly earlier versions as well.
"It doesn't remove HTML tags before displaying the crawled web servers' "Server:" headers and other information."
ht://Check is a link checker derived from ht://Dig. It can retrieve
information through HTTP/1.1 and store it in a MySQL database so
that after a "crawl", ht://Check can return broken links, anchors
not found, content-types, and HTTP status codes summaries. A PHP
interface lets the user to query and view the results directly via
the web
Marco van Berkum reports a symlink vulnerability in
the xbreaky
breakout game for X.
If xbreaky is installed as suid, the vulnerabilty can be abused
by any user to overwrite any file on the filesystem. Distributions
which include xbreaky may or may not install it suid root.
The folks at Roaring Penguin Software have released, under the GPL,
version 2.21 of MIMEDefang
to deal with this Outlook Express based attack to bypass
SMTP-based content filter engines.
MIMEDefang is a program for inspecting and modifying e-mail messages as they pass through your mail relay. MIMEDefang is written in Perl, and its filter actions are expressed in Perl, so it's highly flexible.
A patched version of MIME-Tools that addresses the problem is
also avilable as well as version 1.2-F17 of Roaring Penguin's commercial CanIt
anti-spam solution based on MIMEDefang 2.21.
A race condition in TolisGroup's BRU Workstation 17.0 can be used to clobber any system file." According to this followup post, TolisGroup have responded with confirmation of an update for a
race condition reported previously, and an estimated date
for a new update for this one.
Stefan Bagdohn reports a file disclosure vulnerability in
the DB4Web high-performance application server from
Guardeonic Solutions AG.
The DB4Web team has already provided an update which is
available from here.
Local privilege escalation vulnerability in XFree86
Package(s):
xf86 xfree86
CVE #(s):
Created:
September 18, 2002
Updated:
October 27, 2002
Description:
XFree86 version 4.2.1 fixes a problem in
Xlib that made it possible to execute arbitrary code in privileged clients.
Other libraries are dynamically loaded by libX11.so as needed.
When linking against a setuid program, arbitrary code
could be loaded and executed from a pathname controlled by the user.
Cross-site scripting vulnerability in Konqueror for KDE 3.0.3
Package(s):
kdelibs
CVE #(s):
Created:
September 17, 2002
Updated:
November 18, 2002
Description:
Konqueror for KDE 3.0.3, and earlier versions, is subject to
this cross-site
scripting vulnerability.
Since the problem is in kdelibs, any other application which
uses the KHTML renderer is also vulnerable.
Javascript code running in one frame can
access other frames which should be inaccessible. The problem is
fixed in kdelibs 3.0.3a.
It seems that the "purity" game isn't entirely pure itself - a couple of
buffer overflows have been found which could be exploited to gain access to
the "games" group on Debian systems. Rather than face the prospect of
people tampering with their nethack scores, the Debian Project released the
first upgrade closing the vulnerability.
AMaViS is vulnerable to a denial of service attack via maliciously crafted input. Patches exist for AMaViS, but the recommended solution is to upgrade to the (actively developed) amavis-perl tool. See this advisory for details.
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Firch's fixes,
is in the glibc getnetbyXXX functions.
These functions are described in the SuSE alert as
"
used by very few applications only, such as ifconfig and ifuser,
which makes exploits less likely."
CERT Advisory: CA-2002-19
Buffer Overflow in Multiple DNS Resolver Libraries
Cacti is a PHP front end to rrdtool; it assists in the creation of plots from a MySQL database. This tool does not properly validate all input, leading to a remote code execution vulnerability in certain, limited conditions. See this Bugtraq posting for details.
Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library with is used in
dietlibc, a libc optimized for small size.
The bug could be exploited to gain unauthorized root
access to software linking to dietlibc.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream
It may be possible to make Ethereal crash or hang by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file. It may be possible to make Ethereal run arbitrary code by exploiting the buffer and pointer problems.
Ethereal 0.9.4 has multiple buffer overflow and other
vulnerabilities hat are best delt with by upgrading to 0.9.6.
These vulnerabilities may allow remote attackers
to cause a denial of service or execute arbitrary code.
Ethereal 0.9.4
was released
on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
The SMB dissector could potentially dereference a NULL pointer in two cases.
The X11 dissector could potentially overflow a buffer while parsing keysyms.
The DNS dissector could go into an infinite loop while reading a malformed packet.
The GIOP dissector could potentially allocate large amounts of memory.
No known exploits exist "in the wild" at the present time for any of these issues.
Ethereal 0.9.2 has several packet handling vulnerabilities
that are best avoided by upgrading to 0.9.4.
The PROTOS test
suite found some flaws in SNMP and LDAP protocols support.
Malformed packets could also crash ethereal 0.9.2 due to a
ASN.1 zero-length g_malloc problem.
The zlib "double free" vulnerability
was addressed by the updates for that bug from many distributors.
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
A race
condition in rm may cause the root user to delete the whole filesystem.
The problem exists in the version of rm in
fileutils
4.1 stable and 4.1.6 development version. A patch
is available.
(First LWN
report: May 2).
gaim versions prior to 0.58
contained a buffer overflow in the Jabber plug-in module.
The problem is fixed in
gaim 0.59 which is available here.
"Gaim is an instant messaging client written in GTK and is based on the
published TOC messaging protocol from AOL."
Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library which is used in glibc.This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream
The HylaFAX team has
released version 4.1.3 fixing
denial of service, elevated system privilege and possible
remote code execution vulnerabilities.
HylaFAX is a mature (est. 1991) enterprise-class open-source software
package for sending and receiving facsimiles as well as for sending
alpha-numeric pages. It runs on a wide variety of UNIX-like platforms
including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX,
AIX, and HP-UX.
UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft
a request to run commands on the server under their UID and GID.
(First LWN report: May 23).
KDE 3.0.3 fixes X.509 certificate check vulnerability
Package(s):
kde
CVE #(s):
Created:
September 4, 2002
Updated:
September 11, 2002
Description:
The SSL implementation used by previous version of KDE
accepted, without alerting the user, any X.509 certificate signed
by any entity under specific conditions.
This bug allows
"for undetected MITM attacks ("man in the mittle"), which
could compromise an encrypted HTTPS session."
Kerberos 5 unauthorized root access to KDC host vulnerability
Package(s):
krb5
CVE #(s):
Created:
August 14, 2002
Updated:
October 29, 2002
Description:
A bug in the Kerberos 5 remote
administration service, "kadmind", could be
exploited to gain unauthorized root access to a KDC host.
It is believed that the attacker needs to be able to
authenticate to the kadmin daemon for this attack to be successful.
Felix von Leitner, discovered this
potential division by zero bug in
code derived from the SunRPC library which is used
in many places, including the Kerberos 5 administration system.
Updating now is recommended.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream
Mhonarc is an HTML formatter for electronic mail; it can be vulnerable to cross-site scripting problems when presented with maliciously crafted messages. This problem is fixed in mhonarc version 2.5.3, but it is not clear that all possible vulnerabilities have been fixed. See the Debian advisory below for information on how to disable text/html attachment support in mhonarc, which may be a more secure solution.
PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which
can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.
According to the CERT Advisory,
almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP.
Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP
4.2.0 or 4.2.1 installed,
is to upgrade to PHP 4.2.2.
For more information see the alert from
the discover of the vulnerability, Stefan Esser of e-matters GmbH,
or the security
advisory from the php team.
This XMLHttpRequest security
bug impacts all Mozilla-based browsers. "The bug is found in versions of
Mozilla from 0.9.7 to 0.9.9 on various operating
system platforms, and in Netscape versions 6.1 and
higher."
(First LWN
report: May 2).
The nss_ldap package includes the pam_ldap module for
authenticating a user with an LDAP database.
Pam_ldap versions prior to 144 have a string format
bug in the logging mechanism.
Four remotely-exploitable buffer overflows were found in OpenSSL versions 0.9.7 and 0.9.6d and earlier by a DARPA sponsored security audit.
Both client and server applications are affected.
The vulnerabilities are described in this security alert from the OpenSSL team.
A nasty exploit for one of the vulnerabilities is described in
CERT Advisory CA-2002-27 Apache/mod_ssl Worm.
Compromise by the Apache/mod_ssl worm indicates that a remote attacker
can execute arbitrary code as the apache user on the victim system. It
may be possible for an attacker to subsequently leverage a local
privilege escalation exploit in order to gain root access to the
victim system. Furthermore, the DDoS capabilities included in the
Apache/mod_ssl worm allow victim systems to be used as platforms to
attack other systems.
If you haven't already, applying an update is a very good thing
to do today.
Mitel Networks has an update available which
closes this vulnerabilty for their SME Server software.
CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL
PHP versions 4.0.5 through 4.1.0 fail to properly cleanse a parameter to the mail() function, allowing arbitrary command execution by local and (possibly) remote attackers.
Pine has an
unpleasant
vulnerability in URL handling vulnerability which can lead to
command execution by remote attackers.
(First LWN report: January 17th).
This vulnerability is remotely exploitable; updating is a good idea.
Note: If an update isn't yet available for your distribution,
setting enable-msg-view-urls to "off" in pine's setup will
avoid the vulnerability. (Thanks to Greg Herlein).
PostgreSQL 7.2.2 has been released in response to a number of buffer
overrun vulnerabilities which have been identified recently. "...it
should be noted that these vulnerabilities are only critical on 'open' or
'shared' systems, as they require the ability to be able to connect to the
database before they can be exploited."
Buffer overflow vulnerabilities fixed include those reported by
"Sir Mordred The Traitor" in the cash_words,
repeat, and lpad
and rpad functions.
The PXE server can be crashed using DHCP packets from
some Voice Over IP (VOIP) phones. Maliciously formed
DHCP packets could be used by a remote attacker to effect a
denial of service attack.
The PXE package contains the PXE (Preboot eXecution Environment)
server and code needed for Linux to boot from a boot disk image on a
Linux PXE server.
Zack Weinberg discovered that
os._execvpe from os.py uses a predictable name which could lead
to execution of arbitrary code. According to the Debian
advisory, the problem
was present in Python versions 1.5, 2.1 and 2.2.
According to the CVE entry,
"uudecode, as available in the sharutils package before 4.2.1, does not
check whether the filename of the uudecoded file is a pipe or symbolic
link, which could allow attackers to overwrite files or execute commands."
(First LWN
report: May 16).
Multiple vulnerabilities fixed in Squid-2.4.STABLE7
Package(s):
squid
CVE #(s):
Created:
July 8, 2002
Updated:
November 15, 2002
Description:
Here is the security advisory for the Squid proxy server reporting several vulnerabilities in versions up to and including 2.4.STABLE7.
Several of the bugs are believed to allow remote code execution.
Several bugfixes and cleanup of the Gopher client, both
to correct some security issues and to make Squid properly
render certain Gopher menus.
Security fixes in how Squid parses FTP directory listings into
HTML
FTP data channels are now sanity checked to match the address
of the requested FTP server. This to prevent theft or injection
of data. See the new ftp_sanitycheck directive if this sanity
check is not desired.
The MSNT auth helper has been updated to v2.0.3+fixes for
buffer overflow security issues found in this helper.
A security issue in how Squid forwards proxy authentication
credentials has been fixed
Tcl/Tk searches for its libraries in the current working
directory before other directories.
A local user could
execute arbitrary code by inserting a Trojan horse library
in the current working directory.
Versions of the expect application prior to 5.32, search for its libraries
in /var/tmp before searching in other directories.
A local user could
gain root privleges by inserting a Trojan horse library
in /var/tmp and then getting the root user to run mkpasswd.
A buffer overflow in tcpdump can be triggered by a bad NFS packet when
tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable.
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
Most SNMP
implementations out there have a variety of buffer overflow vulnerabilities
and should be upgraded at first opportunity. See this CERT advisory for more. (First
LWN report: February 14).
chfn (change finger information) is one of the utilities in
the util-linux package.
The BindView RAZOR Team has discovered a local root vulnerability
in chfn which is described in the Bindview Advisory.
Under certain conditions, "a
carefully crafted attack sequence can be performed to exploit a
complex file locking and modification race present in this utility,
and, as a result, alter /etc/passwd to escalate privileges in the
system." The conditions include a password file, /etc/passwd, over 4 kilobytes and locating the attacker's account record in any
but the last 4 kB chunk of the file.
CERT/CC Vulnerability Note VU#405955 util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility
webalizer: reverse DNS buffer overflow vulnerability
Package(s):
webalizer
CVE #(s):
Created:
May 21, 2002
Updated:
January 27, 2003
Description:
The cause is a buffer overflow bug.
This one sounds nasty.
If reverse DNS lookups are enabled in webalizer,
"an attacker with control over the victims DNS may spoof responses thus
triggering a buffer overflow, potentially leading to a root compromise."
Webalizer 2.01-10 "fixes this and a few
other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002).
This one is scary. The session ID
spoofing vulnerability allows the "possibility that arbitrary
commands may be executed with root privileges."
Upgrading is strongly recommended. At a minimum avoid the
"preconditions for a successful exploit" by disabling
password timeouts under Webmin->Configuration->Authentication.
The "wordtrans" interface to multilingual dictionaries suffers from input validation and cross-site scripting vulnerabilities; versions through 1.1pre8 are vulnerable. See this Guardent advisory for details.
The libgtop_daemon package is a GNOME
program which makes system information available remotely.
LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package
on December 6th.
On November 28th
disabling the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run
libgtop by default, but applying the update is a good idea anyway.
The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests
with negative Content Length values.
"It is believed
that an attacker could exploit this bug to gain remote wwwrun access
to the system wwwoffled is running on."
A malicious IRC server may
return a response to a /dns query that executes arbitrary commands
with the privileges of the user running XChat.
Versions of XChat prior to 1.8.9 are vulnerable.
A file descriptor leak into services started from xinetd
may be used, by programs it stats, to crash xinetd.
Xinetd is a replacement for the BSD derived inetd.
Folks at the Cambridge University Computer Laboratory have
done a good study on different password selection approaches
which is summarized in two papers:
The Memorability and Security of Passwords - Some Empirical Results by Jianxin Yan, Alan Blackwell, Ross Anderson and Alasdair Grant (PDF format)
A Note on Proactive Password Checking by Jianxin Jeff Yan (PDF format)
Crispin Cowan also has some interesting comments on
the conclutions reached by the study.
HiverCon 2002 is scheduled for November 26th and 27th, 2002 in Dublin Ireland.
In total ten speakers have been announced as confirmed to speak
at HiverCon 2002. The industry recognized names will be presenting
papers on a myriad of information security topics, introducing new
tools and research, as well as discussing newly highlighted security
problems and solutions.
For additional security-related events, included training courses (which we
don't list above) and events further in the future, check out
Security Focus' calendar,
one of the primary resources we use for building the above list. To
submit an event directly to us, please send a plain-text message to
lwn@lwn.net.
