Date: Mon, 14 Aug 2000 14:37:27 -0500
From: InfoSec News <isn@C4I.ORG>
Subject: [ISN] Linux Security Week - August 14, 2000
To: ISN@SECURITYFOCUS.COM

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  August 14, 2000                              Volume 1, Number 16   |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas          ben@linuxsecurity.com    |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines and
system advisories.

This week, advisories for VariCAD, diskcheck, Netscape, usermode, perl,
gopherd, Zope, MandrakeUpdate, pam, umb-scheme, knfsd, mopd, and ntop
were released. Of these, perl, usermode, gopherd, and knfsd can be
exploited to gain root access.

Recently, part of our staff left to attend the Linux Expo in San Jose,
California. They will be in the OpenSales booth, #338. Stop by and pick
up an official LinuxSecurity.com Quick Reference Card.

Our sponsor this week is WebTrends. Their Security Analyzer has the most
vulnerability tests available for Red Hat & VA Linux. It uses advanced
agent-based technology, enabling you to scan your Linux servers from your
Windows NT/2000 console and protect them against potential threats. Now
with over 1,000 tests available.

http://www.webtrends.com/redirect/linuxsecurity1.htm

HTML Version: http://www.linuxsecurity.com/newsletter.html

---------------------
Advisories This Week:
---------------------

* VariCAD 7.0 permission vulnerability
August 12th, 2000

Several binary files and two directories are world writeable. Anyone
could replace them with a trojan and wait until someone executes the
trojaned binary files.
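Added example (mine, not code from the newsletter or from any of the vendors named in it): a small C scanner for the class of problem in the VariCAD entry above, binaries and directories that any local user could overwrite. It walks a tree with nftw() without following symlinks, flags every entry whose mode has the other-write bit, and treats sticky directories such as /tmp as acceptable since those are world-writable by design. It assumes Linux/glibc and a writable /tmp; the fixture tree it builds (file names, modes) is constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <ftw.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pure check on mode bits: "others" may write, and it is not a sticky
   directory like /tmp (sticky directories are world-writable on purpose). */
int mode_is_risky_world_writable(mode_t mode)
{
    if (!(mode & S_IWOTH))
        return 0;
    if (S_ISDIR(mode) && (mode & S_ISVTX))
        return 0;
    return 1;
}

static int g_hits;  /* entries flagged during the current walk */

/* nftw() callback. With FTW_PHYS the stat data comes from lstat(), so a
   symlink arrives as FTW_SL with its own meaningless mode bits; skip it,
   its target is judged when the walk reaches it. */
static int visit(const char *path, const struct stat *sb, int typeflag, struct FTW *ftwbuf)
{
    (void)ftwbuf;
    if (typeflag == FTW_SL)
        return 0;
    if (mode_is_risky_world_writable(sb->st_mode)) {
        printf("world-writable: %s (mode %04o)\n", path, (unsigned)(sb->st_mode & 07777));
        g_hits++;
    }
    return 0;
}

/* Walk 'root' without following symlinks. Returns the number of risky
   entries, or -1 if the walk failed. */
int scan_world_writable(const char *root)
{
    g_hits = 0;
    if (nftw(root, visit, 16, FTW_PHYS) != 0)
        return -1;
    return g_hits;
}

/* Create a file or directory, then chmod to the exact mode so the umask
   does not interfere with the fixture. Returns 0 on success. */
static int make_entry(const char *path, int is_dir, mode_t mode)
{
    if (is_dir) {
        if (mkdir(path, 0700) != 0) return -1;
    } else {
        int fd = open(path, O_WRONLY | O_CREAT, 0600);
        if (fd < 0) return -1;
        close(fd);
    }
    return chmod(path, mode);
}

/* Constructed fixture: a fresh temp dir holding a 0666 "binary", a 0644
   file, a 0777 directory and a sticky 01777 directory. Scans it, removes
   it, and returns the hit count (2 expected: the 0666 file and the 0777
   directory; the 0644 file and the sticky directory are not flagged). */
int demo_scan(void)
{
    char root[] = "/tmp/wwscanXXXXXX";
    if (mkdtemp(root) == NULL) return -1;
    char loose[256], tight[256], ldir[256], sdir[256];
    snprintf(loose, sizeof loose, "%s/loose.bin", root);
    snprintf(tight, sizeof tight, "%s/tight.bin", root);
    snprintf(ldir, sizeof ldir, "%s/loosedir", root);
    snprintf(sdir, sizeof sdir, "%s/stickydir", root);
    int ok = make_entry(loose, 0, 0666) == 0 && make_entry(tight, 0, 0644) == 0 &&
             make_entry(ldir, 1, 0777) == 0 && make_entry(sdir, 1, 01777) == 0;
    int hits = ok ? scan_world_writable(root) : -1;
    unlink(loose); unlink(tight); rmdir(ldir); rmdir(sdir); rmdir(root);
    return hits;
}

int main(void)
{
    printf("risky entries in fixture: %d\n", demo_scan());
    return 0;
}
```

On a real system you would point scan_world_writable() at the package's install prefix (or /usr) rather than the fixture; the walk deliberately does not follow symlinks so a link into a world-writable area is not double-counted.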
http://www.linuxsecurity.com/advisories/other_advisory-617.html

* Conectiva: diskcheck file creation vulnerability
August 12th, 2000

The diskcheck package includes a perl script which checks for available
disk space. It is run as root by cron every hour. This script creates a
file in /tmp in an insecure manner, allowing an attacker to use symlink
attacks to write anywhere in the system.

http://www.linuxsecurity.com/advisories/other_advisory-618.html

* Conectiva: Netscape Vulnerability
August 12th, 2000

Netscape version 4.73 and below have a flaw in the processing of JPEG
images that could result in commands being executed on the client
machine.

http://www.linuxsecurity.com/advisories/other_advisory-620.html

* Conectiva: usermode vulnerability
August 12th, 2000

The usermode package, along with pam_console, allows console users to
execute some privileged commands, like reboot or halt. It is required
that these users have shell and console access and that they provide
their password. The shutdown command is one of those privileged
commands, and console users can issue this command to switch to
runlevel 1, thus obtaining root privileges.

http://www.linuxsecurity.com/advisories/other_advisory-622.html

* Conectiva: perl vulnerability
August 12th, 2000

sperl, shipped with the perl package, is a SUID root program that, under
certain conditions, uses /bin/mail to send out a warning. This is done
in an insecure manner and can be exploited to obtain root privileges.

http://www.linuxsecurity.com/advisories/other_advisory-624.html

* Gopherd: authentication vulnerability
August 12th, 2000

There is a vulnerability in the way the standard Unix gopherd 2.x
(a.k.a. UMN gopherd) creates a gopher DES key for authentication. If
properly exploited, this vulnerability allows a remote user to gain
unauthorized root access to affected systems.
http://www.linuxsecurity.com/advisories/other_advisory-626.html

* FlagShip: insecure permission vulnerability
August 12th, 2000

Several binary files are world writeable. Anyone could replace them with
a trojan and trick someone into executing the trojaned binary files.

http://www.linuxsecurity.com/advisories/other_advisory-628.html

* Mandrake: MandrakeUpdate vulnerability
August 12th, 2000

There is a possible race condition in MandrakeUpdate that has the
potential for users to tamper with RPMs downloaded by MandrakeUpdate
prior to them being installed. This is due to files being stored in the
/tmp directory. This is a very low security risk as most servers that
provide user logins shouldn't be using MandrakeUpdate. These updated
versions provide a fix for the problem by using /root/tmp instead of
/tmp.

http://www.linuxsecurity.com/advisories/mandrake_advisory-629.html

* RedHat: Zope Vulnerability
August 12th, 2000

This HotFix corrects issues in the getRoles method of user objects
contained in the default UserFolder implementation. Users with the
ability to edit DTML could arrange to give themselves extra roles for
the duration of a single request by mutating the roles list as a part
of the request processing.

http://www.linuxsecurity.com/advisories/redhat_advisory-621.html

* RedHat: usermode vulnerability
August 12th, 2000

The usermode package allows unprivileged users logged in at the system
console to run the halt, poweroff, reboot, and shutdown commands without
needing to know the superuser's password. While being able to halt,
poweroff, and reboot is a desirable thing, an unprivileged user can also
bring the system to single-user mode by running "shutdown now" with no
additional flags. This update removes the "shutdown" command from the
list of commands unprivileged users can run.
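Added example (mine, not code from the diskcheck or MandrakeUpdate packages): the /tmp pattern behind the diskcheck and MandrakeUpdate entries above, and the two standard fixes, in C. demo_naive_truncates() shows what a privileged program does when it opens a predictable /tmp name with O_CREAT|O_TRUNC and a symlink has already been planted there: it follows the link and truncates the file the link points at. open_exclusive() adds O_EXCL (and O_NOFOLLOW), which makes the existence check part of the same atomic open and refuses an existing symlink outright; open_private_tmp() uses mkstemp() so the name is not predictable in the first place. It assumes Linux and a writable /tmp; the directory, "victim" file and link names are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisories warn about: a fixed name under /tmp opened
   with O_CREAT (and here O_TRUNC). If someone else has placed a symlink at
   that name, the opener follows it and truncates whatever it points at. */
static int open_naive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form: O_EXCL makes "does not exist yet" part of the same atomic
   open and fails on an existing symlink regardless of its target; O_NOFOLLOW
   is a second guard. Mode 0600 keeps other users out of the new file. */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Better still: an unpredictable name chosen by mkstemp(), which itself
   uses O_CREAT|O_EXCL and mode 0600. 'tmpl' must end in XXXXXX and is
   overwritten with the chosen name. */
int open_private_tmp(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Constructed fixture: a private dir with a "victim" file holding six
   bytes and a symlink with the predictable name pointing at it. */
static int build_fixture(char *dir, char *victim, char *link, size_t cap)
{
    snprintf(dir, cap, "/tmp/symdemoXXXXXX");
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, cap, "%s/victim", dir);
    snprintf(link, cap, "%s/diskcheck.tmp", dir);
    int fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    if (write(fd, "secret", 6) != 6) { close(fd); return -1; }
    close(fd);
    return symlink(victim, link);
}

static void drop_fixture(const char *dir, const char *victim, const char *link)
{
    unlink(link); unlink(victim); rmdir(dir);
}

/* Size of the victim after the naive open went through the symlink:
   0 means it was truncated. -1 if the fixture could not be built. */
int demo_naive_truncates(void)
{
    char dir[128], victim[128], link[128];
    if (build_fixture(dir, victim, link, sizeof dir) != 0) return -1;
    int fd = open_naive(link);
    if (fd >= 0) close(fd);
    struct stat st;
    int size = (stat(victim, &st) == 0) ? (int)st.st_size : -1;
    drop_fixture(dir, victim, link);
    return size;
}

/* 1 if the exclusive open refused the planted symlink (EEXIST, or ELOOP
   where O_NOFOLLOW fires first), 0 if it wrongly opened, -1 on setup error. */
int demo_exclusive_refuses(void)
{
    char dir[128], victim[128], link[128];
    if (build_fixture(dir, victim, link, sizeof dir) != 0) return -1;
    int fd = open_exclusive(link);
    int refused = 0;
    if (fd >= 0) close(fd);
    else refused = (errno == EEXIST || errno == ELOOP) ? 1 : 0;
    drop_fixture(dir, victim, link);
    return refused;
}

/* 1 if mkstemp() produced a file with mode 0600, 0 otherwise. */
int demo_mkstemp_mode(void)
{
    char tmpl[] = "/tmp/privateXXXXXX";
    int fd = open_private_tmp(tmpl);
    if (fd < 0) return 0;
    struct stat st;
    int ok = fstat(fd, &st) == 0 && (st.st_mode & 07777) == 0600;
    close(fd);
    unlink(tmpl);
    return ok;
}

int main(void)
{
    printf("victim size after naive open: %d\n", demo_naive_truncates());
    printf("exclusive open refused symlink: %d\n", demo_exclusive_refuses());
    printf("mkstemp file is 0600: %d\n", demo_mkstemp_mode());
    return 0;
}
```

The MandrakeUpdate fix of moving files to /root/tmp removes other users' ability to plant the link at all; the flags above are the portable complement for code that must still write under a shared directory.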
http://www.linuxsecurity.com/advisories/redhat_advisory-623.html

* TurboLinux: UPDATED: pam-0.70-2 and earlier vulnerability
August 11th, 2000

This is an update to TurboLinux Security Advisory TLSA2000009-1. Our pam
package (0.70 up to and including 0.72-4) incorrectly lacked one
configuration file (/etc/pam.d/other). Without this configuration file,
a denial of service attack can be made.

http://www.linuxsecurity.com/advisories/turbolinux_advisory-615.html

* Debian: zope vulnerability
August 11th, 2000

On versions of Zope prior to 2.2beta1, it was possible for a user with
the ability to edit DTML to gain unauthorized access to extra roles
during a request.

http://www.linuxsecurity.com/advisories/debian_advisory-616.html

* Mandrake: netscape vulnerability
August 10th, 2000

There exists a problem in all versions of Netscape with Java enabled.
Under certain conditions, Netscape can be turned into a server that
serves files on your local hard drive that Netscape has read access to,
and remote people can access it by connecting their web client to port
8080 on your machine if they know the IP address.

http://www.linuxsecurity.com/advisories/mandrake_advisory-613.html

* Mandrake: umb-scheme vulnerability
August 10th, 2000

The umb-scheme package included with Red Hat Linux 6.2 included two
world-writable files. Linux-Mandrake is not affected by this problem.

http://www.linuxsecurity.com/advisories/mandrake_advisory-611.html

* SuSE: knfsd vulnerability
August 10th, 2000

Due to incorrect string parsing in the code, a remote attacker could
gain root privileges on the machine running the vulnerable rpc.kstatd.

http://www.linuxsecurity.com/advisories/suse_advisory-614.html

* TurboLinux: perl vulnerability
August 10th, 2000

A component of perl, sperl, runs suid root to enable execution of perl
code by a file's owner. When sperl is used in an improper manner, it
will alert the root user via /bin/mail that illegal use of sperl has
been attempted.
A widely available exploit utilizes this behavior to gain root access.

http://www.linuxsecurity.com/advisories/turbolinux_advisory-627.html

* Debian: mailx local exploit
August 9th, 2000

mailx is often used by other programs to send email. Unfortunately mailx
as distributed in Debian GNU/Linux 2.1 has some features that made it
possible to execute system commands if a user can trick a privileged
program to send email using /usr/bin/mail.

http://www.linuxsecurity.com/advisories/debian_advisory-608.html

* Mandrake: perl vulnerability
August 9th, 2000

There is a vulnerability that exists when using setuidperl together with
the mailx program. In some cases, setuidperl will warn root that
something has been going on. The setuidperl program uses /bin/mail to
send the message, as root, with the environment preserved. An
undocumented feature of /bin/mail consists of it interpreting the ~!
sequence even if it is not running on the terminal, and the message also
contains the script name, taken from argv[1]. With all of this combined,
it is possible to execute a command using ~! passed in the script name
to create a suid shell. The instance of setuidperl sending such a
message can only be reached if you try to fool perl into forcing the
execution of one file instead of another. This vulnerability may not be
limited to just the mailx program, which is why an upgrade for perl is
provided as opposed to an upgrade for mailx.

http://www.linuxsecurity.com/advisories/mandrake_advisory-610.html

* NetBSD: netscape vulnerability
August 9th, 2000

Netscape's processing of JPEG comments trusted the length parameter for
comment fields; by manipulating this value, it is possible to cause
netscape to read in an excessive amount of data, overwriting memory.
Specially designed data could allow a remote site to execute arbitrary
code as the user of netscape.
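Added example (mine, not code from Netscape or from the NetBSD advisory): a bounds-checked walker over JPEG marker segments in C, illustrating the fix the NetBSD Netscape entry above calls for. Each segment carries a 16-bit big-endian length that counts its own two bytes; the walker validates that length against the bytes actually present before it reads or copies a COM (0xFFFE) payload, and it also rejects a length smaller than 2, which cannot even cover itself. The byte strings are hand-assembled samples, not taken from any real image.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Validate the length field of the marker segment at data[pos]. The field
   counts its own two bytes. Returns 1 and sets *seglen if the whole
   segment lies inside the buffer, 0 otherwise. */
static int segment_length_ok(const uint8_t *data, size_t len, size_t pos, size_t *seglen)
{
    if (pos + 4 > len) return 0;                       /* no room for FF xx LL LL */
    size_t l = ((size_t)data[pos + 2] << 8) | data[pos + 3];
    if (l < 2) return 0;                               /* cannot cover itself */
    if (l > len - (pos + 2)) return 0;                 /* claims more than remains */
    *seglen = l;
    return 1;
}

/* Walk the header segments from SOI (FF D8) until SOS (FF DA) or EOI (FF D9).
   Every COM (FF FE) segment is counted; the first one is copied into
   first[0..firstcap), NUL-terminated and truncated to fit. Returns the COM
   count, or -1 if any segment is malformed (bad marker byte or a length
   that overruns the input). */
int jpeg_count_comments(const uint8_t *data, size_t len, char *first, size_t firstcap)
{
    if (firstcap) first[0] = '\0';
    if (len < 2 || data[0] != 0xFF || data[1] != 0xD8) return -1;
    size_t pos = 2;
    int count = 0;
    while (pos + 2 <= len) {
        if (data[pos] != 0xFF) return -1;
        uint8_t marker = data[pos + 1];
        if (marker == 0xD9 || marker == 0xDA) break;   /* end of header */
        if (marker == 0xFF) { pos++; continue; }        /* fill byte */
        size_t seglen;
        if (!segment_length_ok(data, len, pos, &seglen)) return -1;
        if (marker == 0xFE) {
            size_t clen = seglen - 2;
            if (count == 0 && firstcap) {
                size_t n = clen < firstcap - 1 ? clen : firstcap - 1;
                memcpy(first, data + pos + 4, n);
                first[n] = '\0';
            }
            count++;
        }
        pos += 2 + seglen;
    }
    return count;
}

/* Constructed samples (hand-assembled, not from any real image). */
static const uint8_t GOOD_JPEG[] = {
    0xFF, 0xD8,                                        /* SOI */
    0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o',   /* COM, length 7 = 2 + 5 */
    0xFF, 0xFE, 0x00, 0x04, 'o', 'k',                  /* second COM */
    0xFF, 0xDA                                         /* SOS: header ends */
};
/* COM claiming 65535 bytes while only one byte follows: the checked walker
   rejects it instead of reading past the end of the buffer. */
static const uint8_t OVERLONG_COM[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0xFF, 0xFF, 'x' };
/* Length field of 1: smaller than the two bytes it must cover. */
static const uint8_t UNDERLONG_COM[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01 };

static char g_first[32];

int demo_good(void)      { return jpeg_count_comments(GOOD_JPEG, sizeof GOOD_JPEG, g_first, sizeof g_first); }
const char *demo_good_first(void) { return g_first; }   /* valid after demo_good() */
int demo_overlong(void)  { return jpeg_count_comments(OVERLONG_COM, sizeof OVERLONG_COM, NULL, 0); }
int demo_underlong(void) { return jpeg_count_comments(UNDERLONG_COM, sizeof UNDERLONG_COM, NULL, 0); }

int main(void)
{
    printf("good sample: %d comment(s), first=\"%s\"\n", demo_good(), demo_good_first());
    printf("overlong length: %d\n", demo_overlong());
    printf("underlong length: %d\n", demo_underlong());
    return 0;
}
```

The walker generalizes the single COM case in the advisory to every header segment, because the same length field exists in APPn, DQT, SOF and the rest, and any of them can carry the same lie.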
http://www.linuxsecurity.com/advisories/netbsd_advisory-609.html

* RedHat: mopd-linux buffer overflow
August 9th, 2000

This vulnerability allows long file names to be sent from the client to
the server, causing the buffer overflow. The server also used filenames
supplied from the client directly as a part of a format string in a
syslog function call.

http://www.linuxsecurity.com/advisories/redhat_advisory-606.html

* Caldera: sperl vulnerability
August 9th, 2000

When sperl detects that an attacker is trying to spoof it, it sends a
mail message to the super user account using /bin/mail. By exploiting a
flaw in the way sperl interacts with /bin/mail, any local user is able
to obtain root privilege on the local machine.

http://www.linuxsecurity.com/advisories/caldera_advisory-607.html

* OpenBSD/NetBSD: mopd buffer overflow
August 8th, 2000

The mopd (Maintenance Operations Protocol loader daemon) implementation
in OpenBSD 2.7 and NetBSD 1.4.2 includes a step in which the daemon
receives a file name from a client elsewhere on the network. I found one
point at which the client can overflow a buffer in the server by sending
a long file name. Also, I found two points at which the server uses the
client-supplied file name directly as part of a format string in a
syslog(3) function call (this is potentially problematic if the file
name contains any % characters).

http://www.linuxsecurity.com/advisories/openbsd_advisory-604.html

* RedHat: umb-scheme vulnerability
August 8th, 2000

The umb-scheme package included with Red Hat Linux 6.2 included two
world-writable files.

http://www.linuxsecurity.com/advisories/redhat_advisory-602.html

* RedHat: mailx and perl vulnerabilities
August 8th, 2000

Under certain conditions, suidperl will attempt to send mail to the
local superuser account using /bin/mail.
A properly formatted exploit script can use this facility, along with
mailx's tendency to inherit settings from the

This update changes suidperl's behavior to use syslog instead of mail,
and restricts the list of variables /bin/mail will read from the
environment.

http://www.linuxsecurity.com/advisories/redhat_advisory-603.html

* Debian: ntop vulnerability
August 8th, 2000

Using ntop to distribute network traffic through the network, it is
possible to access arbitrary files on the local filesystem. Since ntop
runs as root uid, guess what that means, even /etc/shadow got unsecured.

http://www.linuxsecurity.com/advisories/debian_advisory-600.html

* RedHat: ntop vulnerability
August 8th, 2000

If ntop is run with the Web interface it allows any user to connect and
access all files on the host machine.

http://www.linuxsecurity.com/advisories/redhat_advisory-605.html

-----------------------
Top Articles This Week:
-----------------------

* UK group slams Sophos Linux virus threat claims
August 11th, 2000

Anti-virus software developer Sophos has been accused of spreading fear,
uncertainty and doubt over the safety of Linux systems by UK pro-open
source organisation NetProject. Sophos wrote to UK newspaper Computer
Weekly t'other week to claim that viruses targeting Linux are already
circulating. Not so, responded NetProject director Eddie Bleasdale. Yes,
anti-Linux viruses can be written, but Linux, like Unix, has sufficient
systems in place to prevent unauthorised software from running on any
"correctly configured and administered Linux computer".

http://www.linuxsecurity.com/articles/general_article-1332.html

* Read them the riot act
August 8th, 2000

"With hacking on the rise, concerns have also arisen about employees
making inappropriate or illegal use of computers in the workplace.
Information systems managers need to ensure that all users are informed
of the conditions of their at-work computer use. Systems managers can
read the riot act to users before they log in.
Unix systems have been able to display pre-login messages for a long
time, and Linux, as a Unix operating system, has the same abilities.
Indeed, Linux's flexibility and ability to run X-based applications from
shell scripts make it possible to provide your own custom solutions."

http://www.linuxsecurity.com/articles/host_security_article-1304.html

* Another massive Net attack looming?
August 12th, 2000

Do you think there should be network security standards set by the
government? According to MSNBC, "insurance companies and the security
industry are considering quasi-government regulation to try to compel
Internet firms to take basic security steps." This was probably compelled
by the fact that there are "125,000 networks with the same flaw that
allowed the attacks" that occurred six months ago on major US websites.

http://www.linuxsecurity.com/articles/government_article-1334.html

* Secure your box - Part 2
August 10th, 2000

This is a quick-start guide on setting up and configuring the OpenWall
kernel patch and TCP Wrappers. "TCP wrappers run from inetd; the way
they work is as follows. When somebody connects to a port on your
system, inetd will look into /etc/services for the port number. If the
port number is found, it will look in /etc/inetd.conf for that service,
and starts it. Inetd then checks your access control files, to decide
whether to grant or deny the connection."

http://www.linuxsecurity.com/articles/documentation_article-1325.html

* Openhack: Lessons learned
August 8th, 2000

eWEEK Labs' Openhack.com e-business site was built from the ground up
with security in mind, and the site was co-designed and co-maintained by
security company Guardent Inc. Yet Openhack was cracked--by two
different people in less than one month. After we reported the hacks, a
reader asked despairingly whether there was hope for anyone to stay
secure. There is hope, but only for organizations that acknowledge the
risk and work to manage it--constantly.
http://www.linuxsecurity.com/articles/network_security_article-1306.html

* The Danger of Script Kiddies
August 7th, 2000

There has often been a tendency among System Administrators to discount
the danger of script kiddies, and this can be a misleading and dangerous
thing to do. Script kiddies can have a much greater capability to cause
problems than their skills alone would indicate.

http://www.linuxsecurity.com/articles/host_security_article-1298.html

* Why Are Keys Certified?
August 8th, 2000

Key certificates are an important element in the use of public-key
cryptography (PKC). Your browser, when it visits a secure site, checks
for a key certificate from a small number of commercial certificate
providers. The instructions that came with PGP described how to sign
keys, and explained the importance of doing so. The concept of a
public-key infrastructure (PKI) refers to what is essentially a way to
facilitate key certification, perhaps with government assistance.

http://www.linuxsecurity.com/articles/cryptography_article-1305.html

* Free software would block FBI's Carnivore
August 10th, 2000

"Carnivore really underscored that there was an urgent need for everyone
to have their e-mail encrypted," said Rick Gordon, president and chief
executive officer of ChainMail. Though he insists he is not anti-FBI, he
said allowing the agency to scan personal e-mail can be dangerous.
"Government agencies have a history of misusing the power they've been
given," Mr. Gordon said. The Antivore software, whose formal name is
Mithril Secure Server, can be downloaded by Internet service providers.
The ISPs use the software to encrypt users' e-mail messages.
http://www.linuxsecurity.com/articles/vendors_products_article-1323.html

* WireX Introduces "Immunized" Workgroup Server Appliance Software
August 9th, 2000

WireX, a developer of software for 'purpose-specific' servers, commonly
known as server appliances, today announced the availability of its
latest configuration: Immunix Workgroup Server Appliance. This
easy-to-administer, inexpensive, "all-in-one" workgroup server appliance
integrates web, email, file and print server functionality, as well as
its ability to protect servers from future and unknown hacker attacks.

http://www.linuxsecurity.com/articles/vendors_products_article-1315.html

* Hackers won't give Pentagon a break
August 11th, 2000

U.S. Defense Department pleas to computer hackers to quit
mischief-making appear to be falling largely on deaf ears, making
spotting potential national security threats more difficult, a top
Pentagon expert says. Despite recent appeals, "we're not seeing any
diminishing" of the pace of attacks on Defense Department systems,
Richard Schaeffer, who heads the cyber-security office in the Pentagon
arm responsible for command, control, communications and intelligence,
said on Tuesday.

http://www.linuxsecurity.com/articles/government_article-1333.html

* Will the real Linux users please stand?
August 10th, 2000

To what extent are Fortune 500 companies already using Linux?
Open-source champions Oracle, IBM and VA Linux have differing opinions.
That Linux has appeal among Internet service providers and application
hosting firms is a given. But just how much of a hold Linux already has
established among Fortune 500 companies continues to be up for debate.
If you believe Oracle Corp., the self-proclaimed king of the enterprise
Linux realm, Linux is already well entrenched in corporate America. But
other Linux backers, such as IBM Corp.
and VA Linux Systems Inc., are more conservative in their claims as to
where Linux is installed today -- and by whom -- and where it might be
installed tomorrow.

http://www.linuxsecurity.com/articles/general_article-1327.html

* Government Wants Internet Emergency Preparedness
August 10th, 2000

Attempting to expand a system that allows disaster-relief agencies to
place prioritized phone calls in times of emergency, a US government
agency earlier this month asked engineers to build similar capabilities
into the technology that runs the Internet. At an Aug. 1 meeting of the
Internet Engineering Task Force (IETF), officials from the US National
Communications System asked programmers to build emergency preparedness
capabilities into upcoming versions of the Internet Protocol (IP) that
facilitates nearly all online transmissions.

http://www.linuxsecurity.com/articles/government_article-1324.html

* Attorney General Accused of Treason
August 9th, 2000

US Representative James Traficant accused Attorney General Janet Reno of
treason, sexual improprieties and ties to the mob Monday night on a Fox
television news show. Supporters of Traficant say that the Congressman
has been targeted by the Clinton White House and the FBI because of his
criticism of federal handling of controversies such as the Vince Foster
death, the crash of TWA 800 and the Waco cover-up.

http://www.linuxsecurity.com/articles/government_article-1318.html

* A hacker crackdown?
August 7th, 2000

As the long arm of the law reaches Napster and its lookalikes,
programmers could be held responsible for what others do with their
code. Shawn C. Reimerdes awoke on July 26, confident that his own fate
had nothing to do with Napster's. He had just released Yo!NK, a
file-sharing program that could be used to trade copyrighted MP3s, but
since the Yo!NK network consists of various servers whose owners
voluntarily host the program, Reimerdes figured he was safe.
http://www.linuxsecurity.com/articles/hackscracks_article-1300.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".