

Linux botnets

By Jake Edge
March 25, 2009

It will come as no surprise to long-time readers of this page (or others who have followed embedded device security), but recent reports of the "first Linux botnet" are making the subject of router/modem security more visible to the general public. As we have reported previously, embedded, network-facing devices make tempting targets. It appears that a botnet herder noticed that and is trying to take advantage of Linux-based devices.

Perhaps the most surprising part about the attack is the simplicity of the vulnerability it is exploiting. As far as anyone has found, "psyb0t", as the botnet is known, just brute forces username/password pairs over telnet, ssh, or http. The earliest research [PDF] on the botnet was from January; at that time it was only known to be exploiting a particular ADSL modem (Netcomm NB5) that, at one time, had non-existent authorization on its WAN-facing administrative web interface.

More recently, DroneBL found more infected routers when investigating a distributed denial of service (DDOS) against its servers. The botnet is targeting Linux devices using the mipsel (MIPS little-endian) architecture, which includes many Linux-based home routers. OpenWRT, DD-WRT, and other projects all provide Linux-mipsel firmware for a variety of potentially vulnerable devices.

Once the infecting program gets access to the device, it downloads the botnet code and disables access to the device via telnet, ssh, or http.

While its method of getting access is simple, the botnet code itself is very capable. It connects to a command and control IRC channel (#mipsel) on a particular host under the control of the botnet herder. Commands on that channel can order the botnet nodes to do various denial of service attacks, scan for vulnerable MySQL and phpMyAdmin sites and subvert them, port scan particular hosts, update the botnet code, and more. The IRC channel has shut down with a message indicating that psyb0t was strictly a research project by someone known as DRS. The message also claimed that no DDOS or phishing was done and that the botnet reached 80,000 nodes.

While it may well be that the danger of this particular threat has passed, the more general issue of router, especially home router, security persists. A fully capable, always-on Linux device is a very attractive target for botnet herders or other types of attackers. Trying to put together a botnet of Linux desktops and servers might be a much more difficult task as there is a much wider diversity of distributions and kernel versions, as well as different architectures and configurations. To a great extent, the Linux-based home router landscape is much more homogeneous, as psyb0t has shown.

Clearly default and/or weak passwords are a serious problem—not just for Linux-based devices—but it would not be surprising to find that other vulnerabilities (such as authentication bypass) are available on many of these devices. Unlike a simple password change, those kinds of flaws require an update to the router firmware, which, in turn, requires users to know about the problem and understand where to get—and how to apply—the code to fix it. This is certainly a problem we have not seen the last of.

Comments (6 posted)

New vulnerabilities

bugzilla: multiple vulnerabilities

Package(s): bugzilla
CVE #(s): CVE-2008-4437 CVE-2008-6098 CVE-2009-0481 CVE-2009-0483 CVE-2009-0484 CVE-2009-0485 CVE-2009-0486 CVE-2009-0482
Created: March 19, 2009
Updated: June 4, 2010
Description: Bugzilla has a number of vulnerabilities. From the Fedora alerts:

Directory traversal vulnerability in Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path is enabled, allows remote attackers to read arbitrary files via an XML file with a .. (dot dot) in the data element. (CVE-2008-4437)

Bugzilla 3.2 before 3.2 RC2, 3.0 before 3.0.6, 2.22 before 2.22.6, 2.20 before 2.20.7, and other versions after 2.17.4 allows remote authenticated users to bypass moderation to approve and disapprove quips via a direct request to quips.cgi with the action parameter set to "approve." (CVE-2008-6098)

Bugzilla 2.x before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote authenticated users to conduct cross-site scripting (XSS) and related attacks by uploading HTML and JavaScript attachments that are rendered by web browsers. (CVE-2009-0481)

Cross-site request forgery (CSRF) vulnerability in Bugzilla before 3.2 before 3.2.1, 3.3 before 3.3.2, and other versions before 3.2 allows remote attackers to perform bug updating activities as other users via a link or IMG tag to process_bug.cgi. (CVE-2009-0482)

Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.22 before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete keywords and user preferences via a link or IMG tag to (1) editkeywords.cgi or (2) userprefs.cgi. (CVE-2009-0483)

Cross-site request forgery (CSRF) vulnerability in Bugzilla 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete shared or saved searches via a link or IMG tag to buglist.cgi. (CVE-2009-0484)

Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.17 to 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete unused flag types via a link or IMG tag to editflagtypes.cgi. (CVE-2009-0485)

Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users. (CVE-2009-0486)
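The seeding problem behind CVE-2009-0486 is easy to reproduce in miniature. The following is an added illustration, not Bugzilla's or mod_perl's code: it seeds the libc PRNG once in the parent, forks a few "Apache children", and shows that they all mint the same token; the modeled fix reseeds in each child after fork(). NCHILDREN, mint_token and distinct_child_tokens are names chosen for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <sys/wait.h>

/* Illustrative model of the CVE-2009-0486 pattern, not Bugzilla's or
 * mod_perl's code: srand() runs once in the parent before the prefork
 * server spawns its children, so every child inherits the same PRNG
 * state and mints identical "random" tokens. The modeled fix reseeds in
 * each child after fork(). rand() is used only to reproduce the bug;
 * security tokens should come from a CSPRNG such as /dev/urandom. */

#define NCHILDREN 4

/* Mint one token from eight rand() draws. */
static unsigned long mint_token(void) {
    unsigned long t = 0;
    for (int i = 0; i < 8; ++i)
        t = t * 31u + (unsigned long)rand();
    return t;
}

/* Fork NCHILDREN workers that each mint one token and hand it back over
 * a pipe. seed_per_child == 0: the parent seeds once (buggy). Otherwise
 * each child reseeds itself (fixed). Returns the number of distinct
 * tokens, or -1 on a system call failure. */
int distinct_child_tokens(int seed_per_child) {
    unsigned long tokens[NCHILDREN];
    int fds[2], distinct = 0;
    if (pipe(fds) != 0) return -1;
    srand(12345);                 /* startup seeding, as in the buggy server */
    for (int i = 0; i < NCHILDREN; ++i) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) {
            if (seed_per_child)   /* modeled fix: a per-child seed */
                srand((unsigned)getpid() ^ ((unsigned)time(NULL) << 8));
            unsigned long t = mint_token();
            if (write(fds[1], &t, sizeof t) != (ssize_t)sizeof t) _exit(1);
            _exit(0);
        }
    }
    close(fds[1]);
    for (int i = 0; i < NCHILDREN; ++i)
        if (read(fds[0], &tokens[i], sizeof tokens[i]) != (ssize_t)sizeof tokens[i])
            return -1;
    close(fds[0]);
    while (wait(NULL) > 0) ;
    for (int i = 0; i < NCHILDREN; ++i) {   /* count distinct tokens */
        int dup = 0;
        for (int j = 0; j < i; ++j) if (tokens[j] == tokens[i]) dup = 1;
        if (!dup) ++distinct;
    }
    return distinct;
}

int main(void) {
    printf("seed once, then fork:  %d distinct tokens\n", distinct_child_tokens(0));
    printf("reseed in each child:  %d distinct tokens\n", distinct_child_tokens(1));
    return 0;
}
```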

Gentoo 201006-19:02 bugzilla 2010-06-04
Fedora FEDORA-2009-2417 bugzilla 2009-03-05
Fedora FEDORA-2009-2418 bugzilla 2009-03-05

Comments (none posted)

compiz-fusion: screen lock bypass

Package(s): compiz-fusion
CVE #(s): CVE-2008-6514
Created: March 25, 2009
Updated: March 30, 2010
Description: Compiz-fusion allows local users to simply drag the screen saver out of the way, thus bypassing any associated screen lock.
SuSE SUSE-SR:2010:007 cifs-mount/samba, compiz-fusion-plugins-main, cron, cups, ethereal/wireshark, krb5, mysql, pulseaudio, squid/squid3, viewvc 2010-03-30
Mandriva MDVSA-2009:278 compiz-fusion-plugins-main 2009-10-14
Fedora FEDORA-2009-2986 compiz-fusion 2009-03-25
Fedora FEDORA-2009-3003 compiz-fusion 2009-03-25

Comments (none posted)

drupal-cck: cross-site scripting

Package(s): drupal-cck
CVE #(s):
Created: March 23, 2009
Updated: March 25, 2009

Description: From the Drupal advisory:

The Node reference and User reference sub-modules, which are part of the Content Construction Kit (CCK) project, lets administrators define node fields that are references to other nodes or to users. When displaying a node edit form, the titles of candidate referenced nodes or names of candidate referenced users are not properly filtered, allowing malicious users to inject arbitrary code on those pages. Such a cross site scripting (XSS) attack may lead to a malicious user gaining full administrative access.

Fedora FEDORA-2009-2869 drupal-cck 2009-03-20
Fedora FEDORA-2009-2873 drupal-cck 2009-03-20

Comments (none posted)

ejabberd: cross-site scripting vulnerability

Package(s): ejabberd
CVE #(s): CVE-2009-0934
Created: March 19, 2009
Updated: April 17, 2009
Description: ejabberd has a cross-site scripting vulnerability. From the Fedora alert:

Cross-site scripting (XSS) vulnerability in ejabberd before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to links and MUC logs.

Debian DSA-1774-1 ejabberd 2009-04-17
Fedora FEDORA-2009-2746 ejabberd 2009-03-16
Fedora FEDORA-2009-2747 ejabberd 2009-03-16

Comments (none posted)

ffmpeg: unspecified vulnerabilities

Package(s): ffmpeg
CVE #(s): CVE-2008-4868 CVE-2008-4869
Created: March 20, 2009
Updated: December 7, 2009
Description: From the CVE entries:

Unspecified vulnerability in the avcodec_close function in libavcodec/utils.c in FFmpeg 0.4.9 before r14787, as used by MPlayer, has unknown impact and attack vectors, related to a free "on random pointers."

FFmpeg 0.4.9, as used by MPlayer, allows context-dependent attackers to cause a denial of service (memory consumption) via unknown vectors, aka a "Tcp/udp memory leak."

Mandriva MDVSA-2009:297-1 ffmpeg 2009-12-05
Mandriva MDVSA-2009:297 ffmpeg 2009-11-13
Gentoo 200903-33 ffmpeg 2009-03-19

Comments (none posted)

ghostscript: integer overflows

Package(s): ghostscript
CVE #(s): CVE-2009-0583 CVE-2009-0584
Created: March 19, 2009
Updated: December 4, 2009
Description: Ghostscript has several integer overflow vulnerabilities. From the Red Hat alert:

Multiple integer overflow flaws which could lead to heap-based buffer overflows, as well as multiple insufficient input validation flaws, were found in Ghostscript's International Color Consortium Format library (icclib). Using specially-crafted ICC profiles, an attacker could create a malicious PostScript or PDF file with embedded images which could cause Ghostscript to crash, or, potentially, execute arbitrary code when opened by the victim. (CVE-2009-0583, CVE-2009-0584)

Mandriva MDVSA-2009:311 ghostscript 2009-12-03
Slackware SSA:2009-181-01 ghostscript 2009-06-30
Mandriva MDVSA-2009:096-1 printer-drivers 2009-04-24
Red Hat RHSA-2009:0421-01 ghostscript 2009-04-14
Red Hat RHSA-2009:0420-01 ghostscript 2009-04-14
CentOS CESA-2009:0420 ghostscript 2009-04-15
Ubuntu USN-757-1 ghostscript, gs-esp, gs-gpl 2009-04-15
Fedora FEDORA-2009-3435 argyllcms 2009-04-09
Fedora FEDORA-2009-3430 argyllcms 2009-04-09
Fedora FEDORA-2009-3011 argyllcms 2009-03-25
Fedora FEDORA-2009-3031 argyllcms 2009-03-25
Ubuntu USN-743-1 ghostscript, gs-gpl 2009-03-23
SuSE SUSE-SR:2009:007 vim, gvim, apache2, opera, multipath tools, java-1_6_0-openjdk, imp, horde, lcms, moodle, ghostscript 2009-03-24
Gentoo 200903-37 ghostscript-gpl 2009-03-23
Fedora FEDORA-2009-2885 ghostscript 2009-03-21
Fedora FEDORA-2009-2883 ghostscript 2009-03-21
Debian DSA-1746-1 ghostscript 2009-03-20
rPath rPSA-2009-0050-1 ghostscript 2009-03-19
CentOS CESA-2009:0345 ghostscript 2009-03-19
Red Hat RHSA-2009:0345-01 ghostscript 2009-03-19
Mandriva MDVSA-2009:096 printer-drivers 2009-04-24
Mandriva MDVSA-2009:095 ghostscript 2009-04-24
CentOS CESA-2009:0421 ghostscript 2009-04-20
Fedora FEDORA-2009-3709 ghostscript 2009-04-15
Fedora FEDORA-2009-3710 ghostscript 2009-04-15

Comments (none posted)

jasper: insecure temp files

Package(s): jasper
CVE #(s): CVE-2008-3521
Created: March 20, 2009
Updated: April 19, 2010
Description: From the Ubuntu advisory: It was discovered that JasPer created temporary files in an insecure way. Local users could exploit a race condition and cause a denial of service in libjasper applications.
Debian DSA-2036-1 jasper 2010-04-17
Mandriva MDVSA-2009:142-1 jasper 2009-12-03
Mandriva MDVSA-2009:164 jasper 2009-07-28
Mandriva MDVSA-2009:142 jasper 2009-06-26
Ubuntu USN-742-1 jasper 2009-03-19

Comments (none posted)

kernel: multiple ext4 denial of service vulnerabilities

Package(s): linux-2.6
CVE #(s): CVE-2009-0745 CVE-2009-0746 CVE-2009-0747 CVE-2009-0748
Created: March 23, 2009
Updated: September 16, 2009

Description: From the Debian advisory:

CVE-2009-0745: Peter Kerwien discovered an issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) during a resize operation.

CVE-2009-0746: Sami Liedes reported an issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) when accessing a specially crafted corrupt filesystem.

CVE-2009-0747: David Maciejak reported an issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) when mounting a specially crafted corrupt filesystem.

CVE-2009-0748: David Maciejak reported an additional issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) when mounting a specially crafted corrupt filesystem.

CentOS CESA-2009:1243 kernel 2009-09-15
Red Hat RHSA-2009:1243-02 kernel 2009-09-02
Debian DSA-1787-1 linux-2.6.24 2009-05-02
Ubuntu USN-751-1 linux, linux-source-2.6.22 2009-04-07
Debian DSA-1749-1 linux-2.6 2009-03-20

Comments (none posted)

lcms: multiple vulnerabilities

Package(s): lcms
CVE #(s): CVE-2009-0581 CVE-2009-0723 CVE-2009-0733
Created: March 19, 2009
Updated: December 3, 2009
Description: lcms has three vulnerabilities. From the Red Hat alert:

Multiple integer overflow flaws which could lead to heap-based buffer overflows, as well as multiple insufficient input validation flaws, were found in LittleCMS. An attacker could use these flaws to create a specially-crafted image file which could cause an application using LittleCMS to crash, or, possibly, execute arbitrary code when opened by a victim. (CVE-2009-0723, CVE-2009-0733)

A memory leak flaw was found in LittleCMS. An application using LittleCMS could use an excessive amount of memory, and possibly crash after using all available memory, if used to open specially-crafted images. (CVE-2009-0581)

Mandriva MDVSA-2009:121-1 lcms 2009-12-02
Mandriva MDVSA-2009:162 java-1.6.0-openjdk 2009-07-28
Mandriva MDVSA-2009:137 java-1.6.0-openjdk 2009-06-20
Mandriva MDVSA-2009:121 lcms 2009-05-21
Fedora FEDORA-2009-3967 lcms 2009-04-27
Fedora FEDORA-2009-3914 lcms 2009-04-27
Debian DSA-1769-1 openjdk-6 2009-04-11
CentOS CESA-2009:0377 java-1.6.0-openjdk 2009-04-08
Red Hat RHSA-2009:0377-01 java-1.6.0-openjdk 2009-04-07
Fedora FEDORA-2009-3034 java-1.6.0-openjdk 2009-03-25
Debian DSA-1745-2 lcms 2009-03-25
Slackware SSA:2009-083-01 lcms 2009-03-25
Ubuntu USN-744-1 lcms 2009-03-23
SuSE SUSE-SR:2009:007 vim, gvim, apache2, opera, multipath tools, java-1_6_0-openjdk, imp, horde, lcms, moodle, ghostscript 2009-03-24
Fedora FEDORA-2009-2983 java-1.6.0-openjdk 2009-03-24
Fedora FEDORA-2009-2982 java-1.6.0-openjdk 2009-03-24
Fedora FEDORA-2009-2903 lcms 2009-03-23
Fedora FEDORA-2009-2970 lcms 2009-03-23
Fedora FEDORA-2009-2928 lcms 2009-03-23
Fedora FEDORA-2009-2910 lcms 2009-03-23
Debian DSA-1745-1 lcms 2009-03-20
Red Hat RHSA-2009:0339-01 lcms 2009-03-19
Gentoo 200904-19 lcms 2009-04-19

Comments (3 posted)

libvirt: privilege escalation

Package(s): libvirt
CVE #(s): CVE-2009-0036
Created: March 19, 2009
Updated: March 25, 2009
Description: libvirt has a privilege escalation vulnerability. From the Red Hat alert:

libvirt_proxy, a setuid helper application allowing non-privileged users to communicate with the hypervisor, was discovered to not properly validate user requests. Local users could use this flaw to cause a stack-based buffer overflow in libvirt_proxy, possibly allowing them to run arbitrary code with root privileges. (CVE-2009-0036)

Red Hat RHSA-2009:0382-01 libvirt 2009-03-19

Comments (none posted)

muttprint: insecure temporary files

Package(s): muttprint
CVE #(s): CVE-2008-5368
Created: March 24, 2009
Updated: March 25, 2009
Description: From the Gentoo advisory: Dmitry E. Oboukhov reported an insecure usage of the temporary file "/tmp/muttprint.log" in the muttprint script. A local attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application.
Gentoo 200903-35 muttprint 2009-03-23

Comments (none posted)

opensc: insufficient access restrictions

Package(s): opensc
CVE #(s): CVE-2009-0368
Created: March 19, 2009
Updated: June 1, 2009
Description: opensc has a vulnerability involving insufficient access restrictions on private data. From the Red Hat alert:

OpenSC stores private data without proper access restrictions. User "b.badrignans" reported this security problem on December 4th, 2008. In June 2007 support for private data objects was added to OpenSC. Only later was a severe security bug found: while the OpenSC PKCS#11 implementation requires PIN verification to access the data, low level APDU commands or debugging tools like opensc-explorer or opensc-tool can access the private data without any authentication. This was fixed in OpenSC 0.11.7.

SuSE SUSE-SR:2009:010 firefox apport evolution freetype2 java_1_4_2-ibm kdegraphics3 libopenssl libsoup xulrunner opensc python-crypto unbound xpdf 2009-05-12
Mandriva MDVSA-2009:089 opensc 2009-04-09
Fedora FEDORA-2009-2266 opensc 2009-03-03
Fedora FEDORA-2009-2267 opensc 2009-03-03

Comments (none posted)

pam: denial of service, possible privilege escalation

Package(s): pam
CVE #(s): CVE-2009-0887
Created: March 23, 2009
Updated: May 31, 2011

Description: From the Mandriva advisory:

Integer signedness error in the _pam_StrTok function in libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a configuration file contains non-ASCII usernames, might allow remote attackers to cause a denial of service, and might allow remote authenticated users to obtain login access with a different user's non-ASCII username, via a login attempt (CVE-2009-0887).
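The advisory names only an "integer signedness error"; the classic form of that bug class in a tokenizer is a plain char used directly as an index into a 256-entry delimiter table, so that on signed-char platforms a UTF-8 byte becomes a negative index. The following is an added illustration of that pattern and its hardened form, not libpam's _pam_StrTok; the function names and the sample config line are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Model of the bug class named in CVE-2009-0887, not libpam's code: a
 * tokenizer driven by a 256-entry lookup table that is indexed with a
 * (signed) char. It assumes the classic form of the bug, in which a
 * non-ASCII byte such as 0xC3 becomes a negative array index. */

#define TABLE_SIZE 256

/* Buggy index computation: where plain char is signed, bytes >= 0x80
 * become negative and the table read goes out of bounds. */
int delim_index_signed(signed char c) { return (int)c; }

/* Fixed index computation: widen through unsigned char so every byte
 * maps to 0..255. */
int delim_index_fixed(char c) { return (int)(unsigned char)c; }

/* Returns 1 if tokenizing 'from' with the buggy indexing would touch an
 * index outside the table, i.e. the input contains any byte >= 0x80. */
int would_index_out_of_bounds(const char *from) {
    for (; *from; ++from) {
        int idx = delim_index_signed((signed char)*from);
        if (idx < 0 || idx >= TABLE_SIZE) return 1;
    }
    return 0;
}

/* Hardened tokenizer: counts the tokens of 'line' separated by any byte
 * in 'delims'. Non-ASCII bytes (e.g. a UTF-8 username in a PAM config
 * line) are safe because every table access goes through unsigned char. */
int count_tokens(const char *line, const char *delims) {
    char table[TABLE_SIZE];
    int i, ntok = 0, in_token = 0;
    memset(table, 0, sizeof table);
    for (i = 0; delims[i]; ++i)
        table[delim_index_fixed(delims[i])] = 'y';
    for (; *line; ++line) {
        if (table[delim_index_fixed(*line)]) {
            in_token = 0;
        } else if (!in_token) {
            in_token = 1;
            ++ntok;
        }
    }
    return ntok;
}

int main(void) {
    /* Constructed sample: a PAM-style config line with the UTF-8 username "josé". */
    const char *line = "auth required pam_listfile.so user=jos\xc3\xa9";
    printf("tokens: %d\n", count_tokens(line, " \t"));
    printf("buggy indexing would go out of bounds: %d\n", would_index_out_of_bounds(line));
    return 0;
}
```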

Ubuntu USN-1140-2 pam 2011-05-31
Ubuntu USN-1140-1 pam 2011-05-30
Gentoo 200909-01 pam 2009-09-07
Fedora FEDORA-2009-3231 pam 2009-04-02
Fedora FEDORA-2009-3204 pam 2009-04-02
Mandriva MDVSA-2009:077 pam 2009-03-21

Comments (none posted)

postgresql: denial of service

Package(s): postgresql
CVE #(s): CVE-2009-0922
Created: March 23, 2009
Updated: November 2, 2009

Description: From the Red Hat bugzilla:

A stack overflow was found in how PostgreSQL handles conversion encoding. This could allow an authenticated user to kill connections to the PostgreSQL server for a small amount of time, which could interrupt transactions by other users/clients.

Gentoo 201110-22 postgresql-base 2011-10-25
Fedora FEDORA-2009-9474 postgresql 2009-09-11
Red Hat RHSA-2009:1484-01 postgresql 2009-10-07
CentOS CESA-2009:1484 postgresql 2009-10-09
CentOS CESA-2009:1484 postgresql 2009-10-30
Red Hat RHSA-2009:1067-01 Red Hat Application Stack 2009-05-26
rPath rPSA-2009-0086-1 postgresql 2009-05-19
SuSE SUSE-SR:2009:009 openswan/strongswan, clamav, gstreamer-0_10-plugins-base, gnome-panel, postgresql, acroread_ja, ghostscript-devel, xine-devel/libxine-devel, moodle, gnutls, udev 2009-04-21
Ubuntu USN-753-1 postgresql-8.1, postgresql-8.3 2009-04-07
Mandriva MDVSA-2009:079 postgresql 2009-03-23
Fedora FEDORA-2009-2959 postgresql 2009-03-23
Fedora FEDORA-2009-2927 postgresql 2009-03-23

Comments (none posted)

seamonkey: multiple vulnerabilities

Package(s): seamonkey
CVE #(s):
Created: March 25, 2009
Updated: April 14, 2009
Description: Seamonkey 1.1.15 contains fixes for a number of security issues.
Slackware SSA:2009-083-02 seamonkey 2009-03-25

Comments (none posted)

thunderbird: multiple vulnerabilities

Package(s): thunderbird
CVE #(s):
Created: March 25, 2009
Updated: March 25, 2009
Description: A number of security issues, generally involving memory corruption, have been fixed in the thunderbird release.
Slackware SSA:2009-083-03 thunderbird 2009-03-25

Comments (none posted)

webcit: format string vulnerability

Package(s): webcit
CVE #(s): CVE-2009-0364
Created: March 24, 2009
Updated: March 25, 2009
Description: From the Debian advisory: Wilfried Goesgens discovered that WebCit, the web-based user interface for the Citadel groupware system, contains a format string vulnerability in the mini_calendar component, possibly allowing arbitrary code execution.
Debian DSA-1752-1 webcit 2009-03-23

Comments (none posted)

Page editor: Jake Edge

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds