
Security


News and Editorials

InterBase backdoor. A special login account and password was found in the Borland InterBase database source code by German software developer Frank Schlottmann-Goedde and reported this past week. Borland's InterBase was released under an Open Source license last July. Non-Borland developers got access to the source code at that time and were the ones to find and report the login/password problem.

The backdoor was apparently introduced for programmatic reasons, in order to allow one portion of the database to communicate with another portion that was password-protected. The security hole that was subsequently introduced was either not anticipated or not expected to be a problem, since the source code had not been released.

Certainly Borland would not have released the source code in its current state if they had been aware of the backdoor. As a result, their decision to release the source code has done them, and their customers, a service.

Of course, media coverage of the discovery also questioned whether or not the release of the source code increased the risk to the customer. This is based on the premise that the source code was available for six months before the problem was found and presumably an attacker might have also found the backdoor without reporting it.

While possible, this risk is more than offset by the possibility that the backdoor was discovered without access to the source, as many vulnerabilities are (check the list of Microsoft vulnerabilities sometime). The backdoor was apparently introduced in 1994, so there has been considerable time in which that discovery could have been made. If not via an examination of the binaries themselves, anyone who worked on the code during those six years may have had knowledge of the security problem. A disgruntled employee, or one bribed for purposes of corporate espionage, etc., could have used or passed on information about the vulnerability.

Now that Borland has issued a patch for the problem (which should be integrated into the next certified release of InterBase 5.X), the issue is moot because the problem is solved. It only took six odd years ... and the release of the source code ... to get it fixed.

Simple administrative issues open up cgi-bin vulnerabilities. This week, Tamer Sahin reported a vulnerability in the Basilix web-based mail system. The issue was the use of ".class" and ".inc" extensions for files that were actually PHP scripts. As a result, any server using the web mail system that did not also modify its web server configuration to properly interpret ".class" and ".inc" files as PHP exposed information inadvertently.

Obviously, an administrative fix for this problem is fairly simple. Alternately, the blame could be shifted to programmers who choose to use non-standard file extensions. However, since our goal is to build toward security by default, it might also be reasonable to consider this to actually be a vulnerability in the web server itself, which is shipped by default to display all files and all file extensions. If the default administrative option were the most secure, e.g., only display files with extensions that have been defined in the configuration files, then the addition of non-standard file names that aren't defined in the web server configuration files would not open any security holes. Of course, the new mail server wouldn't work until the extensions had been added, but that should be considered the preferable option when security is a priority.

CRYPTO-GRAM newsletter for January. Bruce Schneier's CRYPTO-GRAM newsletter for January is available. It covers a wide range of security-related issues, including the story of alleged mobster Nicodemo Scarfo, whose PGP encryption was defeated by the FBI, which installed a keyboard sniffer on his system.

Security Reports

Ramen worm. For coverage on this week's network-based Ramen worm, please check our Front Page.

glibc RESOLV_HOST_CONF preload vulnerability. Charles Stevenson at Terrasoft (Yellow Dog Linux) posted notice of a glibc vulnerability in versions 2.1.9 and higher to BugTraq this past week. The cause is a missing comma in the code, which allows the RESOLV_HOST_CONF environment variable to be passed to setuid/setgid programs. This can be exploited to gain local root access.
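The bug class behind the glibc report, as an added example that is not glibc's code: in C, two string literals with nothing but whitespace between them are concatenated by the compiler, so a missing comma silently merges two entries of a filter list into one and the first name is no longer recognised. The variable names and list layout below are illustrative, not glibc's exact source.

```c
/* Added illustration (not glibc's source).  A loader that strips
 * "unsecure" environment variables before a setuid/setgid program
 * runs typically keeps their names in a NULL-terminated array.  One
 * missing comma fuses two literals into a single entry. */
#include <stdio.h>
#include <string.h>

/* Buggy list: no comma after "RESOLV_HOST_CONF", so the compiler
 * produces the single entry "RESOLV_HOST_CONFTMPDIR". */
static const char *const unsecure_buggy[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "RESOLV_HOST_CONF"   /* <-- missing comma */
    "TMPDIR",
    NULL
};

/* Corrected list. */
static const char *const unsecure_fixed[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "RESOLV_HOST_CONF",
    "TMPDIR",
    NULL
};

/* Return 1 if NAME is on the deny list LIST, else 0. */
int is_unsecure(const char *const *list, const char *name)
{
    for (; *list != NULL; list++)
        if (strcmp(*list, name) == 0)
            return 1;
    return 0;
}

/* Number of entries; the fused literal shrinks the list by one.  A
 * test comparing this with the intended count catches the bug. */
size_t list_len(const char *const *list)
{
    size_t n = 0;
    while (list[n] != NULL) n++;
    return n;
}

int main(void)
{
    printf("buggy: %d  fixed: %d\n",
           is_unsecure(unsecure_buggy, "RESOLV_HOST_CONF"),
           is_unsecure(unsecure_fixed, "RESOLV_HOST_CONF"));  /* 0 then 1 */
    return 0;
}
```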

This week's updates:

glibc local write/ld.so.cache preload vulnerability. Red Hat issued another update to glibc this week to fix a preload-related vulnerability. In this vulnerability, the glibc preload check was not applied to libraries that had already been loaded into /etc/ld.so.cache. This can be exploited to create/overwrite files without authorization. Check BugTraq ID 2223 for more details.

This week's updates:

PHP Apache Module bug. Zend.com posted an advisory reporting a vulnerability in the PHP 4.X Apache Module. The per-directory configuration option to disable the PHP engine incorrectly impacts other directories and can be exploited to expose the source code for PHP scripts. An upgrade to PHP 4.0.4pl1 will fix the problem. Check BugTraq ID 2206 for more details.

dhcp buffer overflow. Caldera released an advisory this week reporting a format string vulnerability in the error logging code for dhcp. They have provided updated packages for OpenLinux. Presumably, this will impact other distributions as well.

SuSE rctab /tmp-related race condition. Paul Starzetz reported a flaw in SuSE's rctab script, provided with SuSE to edit init levels. This flaw can be exploited to overwrite arbitrary files, allowing a denial-of-service attack or, potentially, a local root compromise. Roman Drahtmueller from SuSE confirmed the problem and provided a workaround, along with some corrections to the original report. Updated packages should be forthcoming soon.

Olivier Debon's port of the Macromedia flash plug-in. We have previously reported on problems with the Macromedia flash plug-in and responses from Macromedia. This week, the originally-reported buffer overflow has been recreated in Olivier Debon's unofficial port of Macromedia's flash plug-in to a variety of operating systems, including Linux and FreeBSD. This could potentially be used to remotely execute code under the UID of the Netscape user.

Note that Macromedia also provides their own version of Flash for Linux. A method for determining which flash player you may have installed is provided in the report. If you are using Olivier's version, you will probably want to disable it or replace it with the version from Macromedia until a fix is provided.

jaZip buffer overflow. jaZip, a program for managing Iomega Jaz or Zip drives, has been reported to contain an exploitable buffer overflow. This program is sometimes installed setuid root, increasing the potential impact of the vulnerability, which was tested on TurboLinux systems. For more details, check BugTraq ID 2209.

Multiple vulnerabilities in splitvt. Multiple vulnerabilities were reported in splitvt this week, including several buffer overflows and a format string vulnerability. An upgrade to splitvt 1.6.5 should solve the problems. Check BugTraq ID 2210 for more details.

tinyproxy heap overflow attack. tinyproxy, a small, GPL'd HTTP proxy server, contains a vulnerability to a heap overflow attack. This can be exploited to cause a denial-of-service. tinyproxy 1.3.3a has been released to fix this problem.

exmh symlink vulnerability. A symlink vulnerability in exmh was reported this week. Note that exmh is not a setuid program, so this can only cause a root compromise if root runs exmh directly. However, it could be used by an attacker to cause any user to overwrite a file that they own. No fix for this has been made available so far.

ssh 1.2.30 secure RPC vulnerability. A vulnerability in ssh 1.2.30 was reported this week related to the use of secure-rpc to encrypt private keys. A patch to fix the problem has been made available. Check BugTraq ID 2222 for more details.

cgi-bin scripts. The following cgi-bin scripts were reported to contain vulnerabilities:

  • The Postaci webmail software, when combined with a PostgreSQL backend, fails to check for malicious SQL code in variables supplied by the user. This can allow the execution of arbitrary SQL queries. Check BugTraq ID 2230 for more details.

Commercial products. The following commercial products were reported to contain vulnerabilities:

  • WebMaster's Conference Room, Professional and Developer, a commercial IRC server, is vulnerable to a denial-of-service vulnerability in versions 1.8.1 and earlier. Version 1.8.2 is reported to fix the problem.

  • UltraBoard 2000, a commercial bulletin board system, is reported to contain a default permissions vulnerability that can be exploited to remotely install executable files on the server.

  • Trend Micro's InterScan VirusWall is reported to pass the administrator login and password information in clear-text during password changes, as well as to use a weak encryption scheme to encode passwords when encrypted.

  • Trend Micro's InterScan VirusWall is also reported to contain a tmpfile symlink vulnerability that can be exploited to overwrite files with root privileges, possibly allowing a remote root compromise.

  • Veritas Backup is reported to contain a denial-of-service vulnerability via its Linux agent. This was apparently previously reported in 1998 without receiving a response from the vendor. No response from Veritas has been posted for this latest alert either.

Updates

Multiple package tmp file race problems. Check last week's LWN Security Summary for the initial report. Immunix reported race conditions in twelve packages: apache, tcpdump, squid, linuxconf, mgetty, gpm, wu-ftpd, inn, diffutils, getty_ps, rdist, and shadow-utils.

The response, of course, has been for up to twelve security advisories to come out from each vendor. As a result, we've broken up the responses to this problem according to the package name, to make it easier to see what distributions still have updates pending.

apache:

diffutils/sdiff:

gpm:

getty_ps:

inn:

mgetty:

linuxconf:

rdist:

shadow-utils:

squid:

tcpdump/arpwatch:

wu-ftpd:

Note that this is not the same wu-ftpd vulnerability currently being exploited by the Ramen Worm. That is an older advisory, covered in more detail below.
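The tmp file races above, and the SuSE rctab and exmh reports earlier on this page, share one pattern: a program creates a file under a predictable name in a world-writable directory, and a planted symlink redirects the write. The following is an added example, not code from any of the packages listed, showing the vulnerable open beside the hardened one; it runs inside a private mkdtemp() directory and the file names it uses are constructed for the demo.

```c
/* Added illustration (not from any package above): a predictable name
 * such as /tmp/prog.<pid> can be pre-created as a symlink by another
 * local user; open(O_CREAT|O_TRUNC) follows it and clobbers the target
 * with the caller's privileges.  O_CREAT|O_EXCL refuses anything that
 * already exists, symlinks included; mkstemp() adds an unguessable name. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Vulnerable pattern: follows a symlink planted at PATH. */
int unsafe_tmp_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: fails with EEXIST if PATH exists at all; the caller
 * must treat that as an attack or retry with a fresh name (mkstemp does). */
int safe_tmp_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Sandbox: a "victim" file plus a symlink with a predictable temp name
 * pointing at it.  Returns 1 when the unsafe open goes through the link
 * but the safe open is refused with EEXIST; -1 on setup failure. */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/racedemo.XXXXXX", victim[64], link[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/prog.1234", dir);  /* constructed name */

    FILE *f = fopen(victim, "w");
    if (f == NULL) return -1;
    fputs("important data\n", f);
    fclose(f);
    if (symlink(victim, link) != 0) return -1;

    int bad = unsafe_tmp_open(link);   /* succeeds: victim is truncated */
    int good = safe_tmp_open(link);    /* fails: errno == EEXIST */
    int good_errno = errno;
    if (bad >= 0) close(bad);

    unlink(link); unlink(victim); rmdir(dir);   /* clean up the sandbox */
    return bad >= 0 && good < 0 && good_errno == EEXIST;
}
```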

Multiple stunnel vulnerabilities. Multiple vulnerabilities in stunnel were reported in December including a potential remote root exploit caused by insecurely-structured calls to syslog and another vulnerability involving the way in which the stunnel process id is logged.

This week's updates:

Previous updates:

Zope local role and DTML editing vulnerabilities. Check the December 21st, 2000 LWN Security Summary for the initial report of these two vulnerabilities.

This week's updates:

Previous updates:

bash tmpfile vulnerability. Check the November 30th, 2000 LWN Security Summary for the original report. This is similar to the tmpfile problems reported in /bin/sh and /bin/tcsh.

This week's updates:

Previous updates:

syslog-ng remote denial-of-service. Check the November 30th, 2000 LWN Security Summary for the original report. Syslog-ng is a syslog replacement with additional functionality. syslog-ng 1.4.9 and higher are no longer vulnerable.

This week's updates:

joe symlink vulnerability. Check the November 23rd, 2000 LWN Security Summary for the original report.

This week's updates:

Previous updates:
  • Linux-Mandrake (November 23rd, 2000)
  • Red Hat (November 23rd, 2000)
  • Immunix (November 23rd, 2000)
  • Debian (November 23rd, 2000)
  • Red Hat, Alpha packages added for RH7 (November 30th, 2000)
  • Debian, the original update didn't work (December 7th, 2000)
  • Conectiva (December 14th, 2000)

Hostile server vulnerability in OpenSSH. Check the November 16th, 2000 LWN Security Summary for details. Upgrading to 2.3.0 is recommended.

This week's updates:

Previous updates:

wu-ftp vulnerability. Check the June 15th, 2000 LWN Security Summary for the original report of this problem. An upgrade to wu-ftpd 2.6.1 should fix the problem.

Note that this is the vulnerability that is currently being exploited by the Ramen Worm. The wu-ftpd update listed above under "temp file races" is a new and different vulnerability.

This week's updates:

Previous updates:

Resources

Advanced Host Detection. Guido Bakker posted his white-paper on Advanced Host Detection to BugTraq this week. "Advanced host mapping bypasses many forms of intrusion detection systems, filters, and routers, essentially enabling an attacker to map and discover previously unknown firewalled hosts".

Passive System Fingerprinting using Network Client Applications. In a similar vein, Jose Nazario has posted his white-paper on "Passive System Fingerprinting using Network Client Applications". "Passive target fingerprinting involves the utilization of network traffic between two hosts by a third system to identify the types of systems being used".

mobileBugs mailing list. Lukasz Luzar has started a new mailing list, mobileBugs, dedicated to discussion of security issues related to cellular phones and other forms of mobile computing.

Events

Call-for-Papers extended for the IEEE SMC IA Workshop. An extension to the Call-for-Papers for the IEEE SMC IA Workshop has been posted. The workshop will be held June 5th and 6th, 2001, at West Point, New York, USA and is sponsored by the United States Military Academy (USMA), the University of Virginia Systems and Information Engineering Department, and the IEEE Systems, Man and Cybernetics (SMC) Society. Dr. Gene Spafford from Purdue will be one of the keynote speakers.

Upcoming security events (date, event, location):

  • February 7-8, 2001: Network and Distributed System Security Symposium, San Diego, CA, USA.
  • February 13-15, 2001: PKC 2001, Cheju Island, Korea.
  • February 19-22, 2001: Financial Cryptography 2001, Grand Cayman, BWI.
  • February 24-March 1, 2001: InfoSec World 2001, Orlando, FL, USA.

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


January 18, 2001

Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds