[LWN Logo]

 Main page
 Linux in the news
 Back page
All in one big page

See also: last week's Security page.


News and editorials

The "Hack PC Week" Linux server was compromised, much to the delight of anti-Linux activists everywhere. But before one takes this episode as a condemnation of Linux security in general, it is worthwhile to have a look at how the system was broken into. The following information was posted by the crackers on the PC Week forums; it got split up so one needs to read the first and second parts separately.

The crack happened in two distinct steps. The first was getting to where an arbitrary program could be run on the server. The cracker (identified as "jfs") achieved this by expoiting a vulnerability in the "photoads" CGI script which was being used by PC Week to run advertisements on the target site. Nothing inherent in Linux or Apache was exploited to get in; the door was opened by a third-party, commercial package.

Once able to run programs on the target system, the cracker needed root access. It turns out that the (Red Hat) system being used in the challenge was lacking a number of security updates. In particular, the update to cron, issued by Red Hat on August 25, had not been applied. Jfs simply needed to run a canned exploit program from the net, and root access was his. End of story.

One clear conclusion is that the Linux system used in this challenge was not properly secured. A system being put on the front lines of a security challenge should at least have the security updates installed. And the inclusion of vulnerable, third-party software should only have been done with a great amount of thought.

It might also be said that Linux systems are too hard to secure. If nothing else, Red Hat 6.0 is overdue for an update. The official updates to that release now make up a substantial portion of the whole distribution, far more than most users will want to dig through. Updates will always go unapplied; it is better to eliminate the need.

Security Reports

Linux TCP stack problem found A bug in the 2.2 (and 2.3) kernel TCP stack has been found and posted. A suitably clever attacker could use it to bypass a number of address-based access control mechanisms. The bug has been tracked down and a fix exists; chances are a new 2.2 stable kernel will be released shortly.

Certicom challenge cracked. A group led by INRIA in France has announced the cracking of the code put forward in Certicom's "ECC Challenge." $4000 of their prize money will be going to the Free Software Foundation. (Thanks to Stéfane Fermigier).

A denial of service problem in ssh 1.2.27 has been announced. It's another /tmp link problem that allows a bad guy to make life obnoxious for local users.


Here are the security updates we have seen this week:
  • The Debian Project has released an update to the amd automounter which fixes a nasty security problem. A timely upgrade is recommended.

  • LinuxPPC also has a patch out for amd, as well as updates for proftpd, wu-ftpd, telnet, libtermcap, cron, and lynx. See their security page for details.

  • Linux-Mandrake has issued an update to the GNOME version of nethack which fixes a buffer overflow problem there. They also advise users to simply remove the program if they are not actually using it.

  • Yellow Dog Linux has announced updates to the proftpd and beroftpd FTP servers.


The Linux Administrator's Security Guide has moved to a new location on SecurityPortal.com.


TooRcon 2000, a security-oriented conference, has been announced; it will be happening September 1-3, 2000 in San Diego, California.

Section Editor: Liz Coolbaugh

September 30, 1999

Secure Linux Projects
Bastille Linux
Khaos Linux
Secure Linux

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Miscellaneous Resources
Comp Sec News Daily
Linux Security Audit Project
Security Focus

Next: Kernel

Eklektix, Inc. Linux powered! Copyright © 1999 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds