
Security


News and Editorials

Is it moot? m-o-o-t is an interesting security project in a nascent phase. The project is based in the UK and was spurred on by the passing of the RIPA Part 3 law, which gives the government broad power to demand plaintext copies or cryptographic keys for deciphering encrypted content. Between this type of law and activities such as the US FBI's Carnivore, people are quickly finding the truth of the old saying, "the only safe place is inside your head".

Well, even if the m-o-o-t project had a working prototype, we can't say it would be everyone's cup of tea for everyday use. M-o-o-t would be burned to a CD, from which the system would be rebooted in order to use it. No data would be written to the local disk, only to RAM. Transmitted information would be entirely encrypted and stored only in "off-shore havens", data storage facilities located in places where the local laws do not interfere. Even there, each haven would be allowed to store only a portion of the data, in case a given off-shore haven is compromised. Given such restrictions, m-o-o-t is likely to be used only when you really, really care.

Some of their starting concepts should be examined closely. For example, a m-o-o-t system must connect to another m-o-o-t system in order to work. As part of this, they intend to build protection into the CD so that on this end, you can tell whether or not the remote side is really using a valid m-o-o-t CD. After all, if the remote system has been compromised, you've gained no security. That's true, but verifying that the remote CD is the real thing could be as difficult as, well, preventing a DVD from being transferred from a CD to a disk, for example.

In addition, they envision producing a new m-o-o-t CD only every three years or more -- hmm, they aren't anticipating potential security problems or programming errors, are they? It won't be compatible with any other kind of security software -- say what? Then they'll be reinventing the wheel and using software that won't be heavily used, audited or vetted by other security experts, greatly increasing the potential for as-yet-undiscovered security flaws.

We repeat again, though, that this project is in a design phase, prior to the development of a prototype. They're asking for feedback and we certainly hope that the community will provide it. Whether it is this tool or another, software to enhance the privacy of people's communication is a good thing.

Cross-site scripting issues exemplified. This week, an alert went out regarding security problems with Charles Schwab's on-line trading system. The security issue at hand is an application of cross-site scripting, a security problem that we've discussed several times this past year. Although Apache and the web browser vendors have provided patches to make cross-site scripting more difficult, security experts have always known that this security issue has not gone away.

The current example at Charles Schwab can result in an attacker taking control of a user's on-line trading session or possibly tricking a user into taking an action they did not intend to take. Charles Schwab should not be singled out in this case; similar problems were reported with E*Trade's system in the recent past. The likelihood is high that other systems will eventually be found vulnerable as well.

So what is a cross-site scripting vulnerability and why is it so difficult to prevent? A cross-site scripting vulnerability is based on the unsanitized use of provided input. A server is vulnerable to cross-site scripting when it runs programs that generate dynamic webpages without checking their data sources carefully enough. As a result, the server can be tricked into generating malicious HTML. CERT provided an advisory on this problem in early February.

Prevention of cross-site scripting vulnerabilities lies with the application programmer, someone who may or may not be trained to thoroughly understand security issues. As a result, every dynamic web-based application has the potential for problems if not properly designed and implemented. In this case, however, it appears that Charles Schwab took close to five months to respond to the initial security report. Given the large sums of money involved, this is totally unacceptable. Just like any bank, on-line brokerages will fail if they cannot maintain the trust of their customers. The security of their web-based systems is a growing portion of that trust.

Meanwhile, everyone developing a web site of any kind needs to be aware of this issue and program defensively to handle it.
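As an added illustration of the unsanitized-input pattern described above (example code written for this summary, not code from LWN, Charles Schwab or CERT): a hypothetical search CGI is shown first copying its query parameter straight into the generated page, then escaping it, with a constructed request and a crude check that tells the two outputs apart.

```python
import html
import re
from urllib.parse import parse_qs


def extract_q(query_string: str) -> str:
    """Pull the 'q' parameter out of a CGI QUERY_STRING (empty if absent)."""
    return parse_qs(query_string).get("q", [""])[0]


def render_search_vulnerable(query_string: str) -> str:
    """The pattern behind the advisories above: the request parameter is
    copied straight into the generated page, so any markup in it becomes
    part of the HTML the browser renders and executes."""
    q = extract_q(query_string)
    return f'<p>Results for: {q}</p>\n<input name="q" value="{q}">'


def render_search_hardened(query_string: str) -> str:
    """Same page, but the parameter is escaped before it is emitted.
    quote=True also turns " and ' into entities, which is what stops the
    value from breaking out of the attribute on the second line; escaping
    only < and > would leave that attribute context exposed."""
    safe = html.escape(extract_q(query_string), quote=True)
    return f'<p>Results for: {safe}</p>\n<input name="q" value="{safe}">'


def contains_injected_markup(page: str) -> bool:
    """Crude detector for the demo: report any tag name in the output other
    than the two the template itself emits."""
    tags = {m.group(1).lower() for m in re.finditer(r"<\s*/?\s*([A-Za-z]+)", page)}
    return bool(tags - {"p", "input"})


# Constructed request: markup in the text context plus a quote-and-bracket
# sequence that closes the value="..." attribute on the second line.
SAMPLE_QUERY = "q=%3Ci%3Ex%3C%2Fi%3E%22%3E"   # decodes to  <i>x</i>">

if __name__ == "__main__":
    for name, render in (("vulnerable", render_search_vulnerable),
                         ("hardened", render_search_hardened)):
        page = render(SAMPLE_QUERY)
        print(f"--- {name}: injected markup = {contains_injected_markup(page)}")
        print(page)
```

The escaping shown is correct for HTML text and quoted attribute values only; a value placed inside a URL, a style block or a script block needs the escaping rules of that context instead.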

For those interested, here is some commentary from Elias Levy on the topic.

Norwegian Carnivore. Norway is facing its own "Carnivore-style" controversy as information surfaced recently that the Norwegian military, police intelligence and the country's top 15 companies have been cooperating in internet surveillance for some unknown length of time -- without the knowledge of the Norwegian National Assembly.

As usual, the initial claims about the purpose and capabilities of the system are relatively benign, but the secrecy of the collaboration and the potential capabilities are wide enough to have generated demands for review of the system. Yet more fun ... and another spur for international cooperation to enhance individual privacy.

CERT advisory on LPRng. Format string vulnerabilities in LPRng were first reported in this Security Summary in September. Now, CERT has issued an advisory about the problem. As usual, this means that they are continuing to see active exploitation of this vulnerability.

If you have not yet upgraded your version of LPRng, don't put it off any longer. Updates are available for most flavors of BSD and Linux. Check our October 19th edition for our most extensive list of updates.

Security Reports

Zope security update. All Zope versions up through 2.2.4 have a security vulnerability that could allow anonymous users (i.e. anybody on the net) to do things inside the server that they should not be able to do. A security update has been issued by Digital Creations; it is highly recommended that people running Zope apply this fix.

KTH Kerberos vulnerabilities. Multiple vulnerabilities have been reported in KTH Kerberos, the implementation of Kerberos used in FreeBSD and OpenBSD. Note that one of these vulnerabilities may also impact the MIT version of Kerberos, popular in Linux distributions, but that has not been confirmed. An upgrade to KTH Kerberos 4 version 1.0.4 should resolve the problems. Check BugTraq IDs 2090, 2091, 2092 and 2093 for more details.

DNS-based IRC server denial-of-service vulnerabilities. Multiple IRC clients, including BitchX 1.0c17-2 and earlier, are vulnerable to both a denial-of-service attack and possibly remote access by someone in control of their own reverse DNS mapping, due to a buffer overflow in the resolver code included in the clients. Check the original report or BugTraq ID 2086 and BugTraq ID 2087 for more details.

rp-pppoe denial-of-service vulnerability. Roaring Penguin Software's PPPoE client (a user-space PPP-over-ethernet client) contains a boundary condition exception that can be exploited to cause the connection to drop when a malformed TCP packet is received. rp-pppoe 2.5 has been released to fix the problem. Check the problem report, BugTraq ID 2098 or the Roaring Penguin home page for more details.

APC apcupsd denial-of-service vulnerability. apcupsd is a daemon provided by APC with its UPS products. It is used to monitor the UPS and start system shutdowns upon power failure. Its key configuration file is world-writable by default, allowing a local user to modify it and use it to crash other portions of the system. An upgrade to apcupsd Version 3.8.0 will fix the problem (as will, presumably, modifying the permissions on the configuration file).

Check the original problem report by Mattias Dartsch or BugTraq ID 2070 for more details.

pico symbolic link vulnerability. Joining the ranks of joe, tcsh, bash and other long-time Unix/Linux commands, this week pico was found to contain a symbolic link vulnerability as well. Pico is a very basic text editor from the University of Washington. Note that this has also been reported as a pine vulnerability, but the vulnerable component is still pico, not pine. Check BugTraq ID 2097 for more details.

ssldump format string vulnerability. ssldump is an SSLv3/TLS network protocol analyzer. A format string vulnerability in ssldump was reported to BugTraq on December 8th. This vulnerability could be exploited to execute arbitrary commands. No fix for this has been reported, as of yet. Using tcpdump to capture packets and then running ssldump off-line was recommended unofficially as a workaround.

Oops buffer overflow. Oops is a GPL'd proxy server. A buffer overflow in oops 1.4.22 and earlier was reported this week, which can be exploited to execute arbitrary commands under the uid of the oops server. Version 1.5.1 has been released with a fix for this problem.

Multiple vulnerabilities in bftpd. Both a format string vulnerability and multiple additional buffer overflows were reported in the bftpd server this week. bftpd 1.0.13 was released with many bug fixes, including, hopefully, fixes for all of these problems. An upgrade is strongly recommended. Check BugTraq ID 2120 for more details.

Lexmark MarkVision printer driver local root vulnerability. Secure Reality Pty Ltd put out an advisory warning of a local root vulnerability introduced via buffer overflows in the Lexmark MarkVision printer drivers. Note that, though these are distributed by Lexmark, they are included automatically in a number of Linux distributions, such as Red Hat and Caldera (as well as other Unix systems). An upgrade to version 4 of the drivers will resolve the problem. Check BugTraq ID 2075 for more details.

cgi-bin scripts. The following cgi-bin scripts were reported to contain vulnerabilities:

  • phpGroupWare, a suite of php scripts that provide group support for email, calendars, etc., makes insecure calls to the include() function of PHP, which can be exploited to execute arbitrary commands on the remote server. phpGroupWare 0.9.7 has been released to resolve the problem. An upgrade is strongly recommended. Check BugTraq ID 2069 for more details.

  • MailMan WebMail 3.0.25 and earlier can be exploited to execute arbitrary commands on the server. Version 3.0.26 of these Perl-based scripts is now available and an upgrade is strongly recommended.

  • simplestmail.cgi contains a remote command execution vulnerability. No vendor response or fix so far.

  • everythingform.cgi contains a remote command execution vulnerability. No vendor response or fix so far.

Commercial products. The following commercial products were reported to contain vulnerabilities:

  • IBM DB2 Universal Database is shipped with a known default password; no vendor response as of yet. Change your passwords.

  • Cisco Catalyst Memory Leak leaves Cisco Catalyst systems open to denial-of-service attacks. The link is a full advisory from Cisco; fixes are available. Check BugTraq ID 2117 for more details.

  • VPNet VPN devices' authentication can be circumvented by a remote user via source routing, which can allow access to hosts within the private network. No response from the vendor has been reported so far.

  • In Allaire Cold Fusion 4.5.x, the example search engine script can be exploited to mount a denial-of-service attack. Check this Allaire web page for a workaround, or BugTraq ID 2094.

  • Inktomi Ultraseek Search Engine vulnerabilities (see also BugTraq ID 2062) disclose additional, unauthorized information about the system which may be useful to attackers. Note that this server can run on a Linux system with a 2.3 kernel. No vendor response so far.

  • Watchguard SOHO 2.2 denial-of-service vulnerability, originally reported by Securax.

Updates

pam_localuser buffer overflow. A buffer overflow was reported in the pam_localuser module last week.

ezmlm-idx cgi vulnerability. Reported last week, ezmlm-idx contains a script, ezmlm-cgi, which, if installed setuid to a user other than root, can be exploited to execute arbitrary code under that user id.

This week, ezmlm-idx author Frederik Lindberg posted a security advisory for the problem, which includes a patch for ezmlm-cgi for those who wish to run it setuid to a user other than root. Note that it disables support for the execution of banner programs. Alternately, run ezmlm-cgi in its default mode, setuid root.

ed symlink vulnerability. As originally reported on November 30th, Alan Cox noticed that GNU ed, a basic line editor, creates temporary files unsafely. The problem has subsequently been fixed in ed 0.2-18.1.
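The unsafe temporary-file pattern behind this ed report and the pico, joe, tcsh and bash symlink items above, as an added example (not code from any of those programs): a hypothetical editor save routine using a predictable name beside a mkstemp() version, both run against a symlink planted in a private scratch directory.

```python
import os
import tempfile


def save_buffer_unsafe(tmpdir: str, pid: int, data: bytes) -> str:
    """Hypothetical editor 'save buffer': a name anyone can predict, opened
    with plain open(). If that name already exists as a symlink, the write
    follows it to whatever the link points at."""
    path = os.path.join(tmpdir, f"editor.{pid}")
    with open(path, "wb") as f:  # O_CREAT without O_EXCL: follows the link
        f.write(data)
    return path


def save_buffer_safe(tmpdir: str, data: bytes) -> str:
    """Same save using mkstemp(): unpredictable name, O_CREAT|O_EXCL so any
    existing entry (symlink or not) is refused, and mode 0600."""
    fd, path = tempfile.mkstemp(prefix="editor.", dir=tmpdir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Plant a symlink at the predictable name inside a private scratch
    directory, run both variants, and report what ended up where."""
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.txt")
        with open(victim, "wb") as f:
            f.write(b"original\n")
        pid = 4242  # constructed: the pid the editor would use in its name
        planted = os.path.join(scratch, f"editor.{pid}")
        os.symlink(victim, planted)  # constructed: the pre-planted link

        save_buffer_unsafe(scratch, pid, b"clobbered\n")
        with open(victim, "rb") as f:
            victim_after = f.read()

        try:  # what O_EXCL does with that same planted name
            os.open(planted, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            excl_refused = False
        except FileExistsError:
            excl_refused = True

        safe_path = save_buffer_safe(scratch, b"kept separate\n")
        with open(safe_path, "rb") as f:
            safe_contents = f.read()
        return {
            "victim_after_unsafe": victim_after,
            "excl_refused": excl_refused,
            "safe_path_is_symlink": os.path.islink(safe_path),
            "safe_contents": safe_contents,
            "safe_mode": oct(os.stat(safe_path).st_mode & 0o777),
        }
```

Calling demo() shows the victim file overwritten through the link by the unsafe variant, while the O_EXCL open is refused and the mkstemp() file is a fresh 0600 regular file.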

bash tmpfile vulnerability. Check the November 30th LWN Security Summary for the original report. This is similar to the tmpfile problems reported in /bin/sh and /bin/tcsh.

ghostscript vulnerabilities. Two vulnerabilities were reported in ghostscript the week of November 30th. Both could potentially lead to elevated privileges.

cons.saver/mc file overwrite vulnerability. Maurycy Prodeus reported a problem in cons.saver which can be used to write a NUL character to the file given as its parameter. This was originally reported in our November 30th edition. The problem has been fixed in mc version 4.5.42-11.

joe symlink vulnerability. Check the November 23rd LWN Security Summary for the original report.

tcsh symlink vulnerability. A /tmp symbolic link vulnerability was reported in tcsh on October 29th. Check BugTraq ID 1926 for more details.

diskcheck 3.1.1 symlink vulnerability. Check the August 10th LWN Security Summary for the original report of this problem.

This week's updates:

  • Red Hat, updated to also fix a problem sending mail. Recommended for 6.x and 7.x.
Resources

Real World Linux Security: Intrusion Prevention, Detection and Recovery. Bob Toxen kindly dropped us a note announcing the publication of his book, "Real World Linux Security: Intrusion Prevention, Detection and Recovery", by Prentice Hall PTR. "Most of the problems raised in Bruce Schneier's new book, 'Secrets and Lies: Digital Security in a Networked World', are addressed in my book and solutions are offered and explained".

Eric Raymond has reviewed the book and written the foreword for it: "You have in your hands a book I've been waiting to read for years -- a practical, hands-on guide to hardening your Linux system which also manages to illuminate the larger issues in Unix security and computer security in general."

We're looking forward to the chance to review it ourselves. Best of luck, Bob.

Overwriting the .dtors section. Juan M. Bello Rivas posted a description of a new technique for exploiting buffer overflows based on overwriting the .dtors section of gcc-compiled programs. This technique has the advantage of getting past stackguard-style non-executable stacks, but has a strong disadvantage: an overwrite that severe is very likely to put an end to the attacked process before it gets far enough to run the destructors.

Events

Upcoming security events:
December 11-15, 2000: 16th Annual Computer Security Applications Conference (New Orleans, LA, USA)
December 20-21, 2000: The Third International Workshop on Information Security (University of Wollongong, NSW, Australia)
December 27-29, 2000: Chaos Communication Congress (Berlin, Germany)
February 7-8, 2001: Network and Distributed System Security Symposium (San Diego, CA, USA)

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


December 14, 2000

Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved