Date:         Mon, 14 Aug 2000 14:37:27 -0500
From: InfoSec News <isn@C4I.ORG>
Subject:      [ISN] Linux Security Week - August 14, 2000
To: ISN@SECURITYFOCUS.COM

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  August 14, 2000                           Volume 1, Number 16      |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas         ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security
newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security
headlines and system advisories.

This week, advisories for VariCAD, diskcheck, Netscape, usermode,
perl, gopherd, Zope, MandrakeUpdate, pam, umb-scheme, knfsd, mopd, and
ntop were released.  Of these, perl, usermode, gopherd, and knfsd can
be exploited to gain root access.

Recently, part of our staff left to attend the Linux Expo in San Jose,
California.  They will be in the OpenSales booth, #338.  Stop by and
pick up an official LinuxSecurity.com Quick Reference Card.

Our sponsor this week is WebTrends.  Their Security Analyzer has the
most vulnerability tests available for Red Hat & VA Linux.  It uses
advanced agent-based technology, enabling you to scan your Linux
servers from your Windows NT/2000 console and protect them against
potential threats. Now with over 1,000 tests available.

http://www.webtrends.com/redirect/linuxsecurity1.htm

HTML Version: http://www.linuxsecurity.com/newsletter.html

---------------------
Advisories This Week:
---------------------

* VariCAD 7.0 permission vulnerability
August 12th, 2000

Several binary files and two directories are world writeable. Anyone
could replace them with a trojan and wait until someone executes the
trojaned binary files.

http://www.linuxsecurity.com/advisories/other_advisory-617.html


* Conectiva: diskcheck file creation vulnerability
August 12th, 2000

The diskcheck package includes a perl script which checks for
available disk space. It is run as root by cron every hour. This
script creates a file in /tmp in an insecure manner, allowing an
attacker to use symlink attacks to write anywhere in the system.

http://www.linuxsecurity.com/advisories/other_advisory-618.html
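The pattern behind this advisory, as an added illustration in C rather than the diskcheck script's own Perl (this is not code from the package): a root job writing a fixed name under /tmp, next to an open that refuses a pre-planted symlink. The file name and function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern: a predictable name under /tmp, opened with truncation
 * and with symlinks followed. If that name already exists as a symlink, the
 * hourly root job truncates and writes the link's target instead. Kept only
 * for comparison; the check below never calls it. */
int write_report_unsafe(const char *dir, const char *text)
{
    char path[512];
    snprintf(path, sizeof path, "%s/diskcheck.out", dir);
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs(text, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened: O_CREAT|O_EXCL fails if anything already exists at the path,
 * O_NOFOLLOW refuses a symlink outright, and mode 0600 keeps the report
 * private. Returns 0 on success, -1 otherwise (errno set by open()).
 * mkstemp() gives the same guarantees when the name need not be fixed. */
int write_report_safe(const char *dir, const char *text)
{
    char path[512];
    snprintf(path, sizeof path, "%s/diskcheck.out", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Check in a private scratch directory: a decoy file stands in for a system
 * file and diskcheck.out is pre-created as a symlink to it, the situation the
 * advisory describes. Returns 1 if the safe writer refused and the decoy is
 * untouched, 0 otherwise. */
int safe_writer_resists_symlink(void)
{
    char dir[] = "/tmp/diskcheck-demo.XXXXXX";
    char decoy[512], lnk[512], buf[64];
    int ok = 0;
    FILE *f;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(decoy, sizeof decoy, "%s/decoy", dir);
    snprintf(lnk, sizeof lnk, "%s/diskcheck.out", dir);
    if ((f = fopen(decoy, "w")) != NULL) {
        fputs("original", f);
        fclose(f);
        if (symlink(decoy, lnk) == 0 &&
            write_report_safe(dir, "disk 91% full\n") == -1 &&
            (errno == EEXIST || errno == ELOOP) &&
            (f = fopen(decoy, "r")) != NULL) {
            ok = fgets(buf, sizeof buf, f) != NULL && strcmp(buf, "original") == 0;
            fclose(f);
        }
    }
    unlink(lnk); unlink(decoy); rmdir(dir);   /* remove the scratch files */
    return ok;
}
```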


* Conectiva: Netscape Vulnerability
August 12th, 2000

Netscape version 4.73 and below have a flaw in the processing of JPEG
images that could result in commands being executed in the client
machine.

http://www.linuxsecurity.com/advisories/other_advisory-620.html


* Conectiva: usermode vulnerability
August 12th, 2000

The usermode package, along with pam_console, allows console users to
execute some privileged commands, like reboot or halt. It is required
that these users have shell and console access and that they provide
their password. The shutdown command is one of those privileged
commands, and console users can issue this command to switch to
runlevel 1, thus obtaining root privileges.

http://www.linuxsecurity.com/advisories/other_advisory-622.html


* Conectiva: perl vulnerability
August 12th, 2000

sperl, shipped with the perl package, is a SUID root program that,
under certain conditions, uses /bin/mail to send out a warning. This
is done in an insecure manner and can be exploited to obtain root
privileges.

http://www.linuxsecurity.com/advisories/other_advisory-624.html


* Gopherd: authentication vulnerability
August 12th, 2000

There is a vulnerability in the way the standard Unix gopherd 2.x
(a.k.a. UMN gopherd) creates a gopher DES key for authentication.  If
properly exploited, this vulnerability allows a remote user to gain
unauthorized root access to affected systems.

http://www.linuxsecurity.com/advisories/other_advisory-626.html


* FlagShip: insecure permission vulnerability
August 12th, 2000

Several binary files are world writeable. Anyone could replace them
with a trojan and trick someone into executing the trojaned binary
files.

http://www.linuxsecurity.com/advisories/other_advisory-628.html


* Mandrake: MandrakeUpdate vulnerability
August 12th, 2000

There is a possible race condition in MandrakeUpdate that has the
potential for users to tamper with RPMs downloaded by MandrakeUpdate
prior to them being installed.  This is due to files being stored in
the /tmp directory.  This is a very low security-risk as most servers
that provide user logins shouldn't be using MandrakeUpdate.  These
updated versions provide a fix for the problem by using /root/tmp
instead of /tmp.

http://www.linuxsecurity.com/advisories/mandrake_advisory-629.html


* RedHat: Zope Vulnerability
August 12th, 2000

This HotFix corrects issues in the getRoles method of user objects
contained in the default UserFolder implementation. Users with the
ability to edit DTML could arrange to give themselves extra roles for
the duration of a single request by mutating the roles list as a part
of the request processing.

http://www.linuxsecurity.com/advisories/redhat_advisory-621.html


* RedHat: usermode vulnerability
August 12th, 2000

The usermode package allows unprivileged users logged in at the
system console to run the halt, poweroff, reboot, and shutdown
commands without needing to know the superuser's password.  While
being able to halt, poweroff, and reboot is a desirable thing, an
unprivileged user can also bring the system to single-user mode by
running "shutdown now" with no additional flags.  This update removes
the "shutdown" command from the list of commands unprivileged users
can run.

http://www.linuxsecurity.com/advisories/redhat_advisory-623.html


* TurboLinux: UPDATED: pam-0.70-2 and earlier vulnerability
August 11th, 2000

This is an update to TurboLinux Security Advisory TLSA2000009-1. Our
pam package (0.70 up to and including 0.72-4) incorrectly lacked one
configuration file (/etc/pam.d/other).  Without this configuration
file, a denial of service attack can be made.

http://www.linuxsecurity.com/advisories/turbolinux_advisory-615.html


* Debian: zope vulnerability
August 11th, 2000

On versions of Zope prior to 2.2beta1, it was possible for a user
with the ability to edit DTML to gain unauthorized access to extra
roles during a request.

http://www.linuxsecurity.com/advisories/debian_advisory-616.html


* Mandrake: netscape vulnerability
August 10th, 2000

There exists a problem in all versions of Netscape with Java enabled.
Under certain conditions, Netscape can be turned into a server that
serves files on your local hard drive that Netscape has read access
to and remote people can access it by connecting their web client to
port 8080 on your machine if they know the IP address.

http://www.linuxsecurity.com/advisories/mandrake_advisory-613.html


* Mandrake: umb-scheme vulnerability
August 10th, 2000

The umb-scheme package included with Red Hat Linux 6.2 included two
world-writable files.  Linux-Mandrake is not affected by this
problem.

http://www.linuxsecurity.com/advisories/mandrake_advisory-611.html


* SuSE: knfsd vulnerability
August 10th, 2000

Due to incorrect string parsing in the code, a remote attacker could
gain root privileges on the machine running the vulnerable
rpc.kstatd.

http://www.linuxsecurity.com/advisories/suse_advisory-614.html


* TurboLinux: perl vulnerability
August 10th, 2000

A component of perl, sperl, runs suid root to enable execution of
perl code by a file's owner. When sperl is used in an improper
manner, it will alert the root user via /bin/mail that illegal use of
sperl has been attempted. A widely available exploit utilizes this
behavior to gain root access.

http://www.linuxsecurity.com/advisories/turbolinux_advisory-627.html


* Debian: mailx local exploit
August 9th, 2000

mailx is often used by other programs to send email. Unfortunately
mailx as distributed in Debian GNU/Linux 2.1 has some features that
made it possible to execute system commands if a user can trick a
privileged program into sending email using /usr/bin/mail.

http://www.linuxsecurity.com/advisories/debian_advisory-608.html


* Mandrake: perl vulnerability
August 9th, 2000

There is a vulnerability that exists when using setuidperl together
with the mailx program.  In some cases, setuidperl will warn root
that something is going on.  The setuidperl program uses /bin/mail
to send the message, as root, with the environment preserved.  An
undocumented feature of /bin/mail consists of it interpreting the ~!
sequence even if it is not running on the terminal, and the message
also contains the script name, taken from argv[1].  With all of this
combined, it is possible to execute a command using ~! passed in the
script name to create a suid shell.  The instance of setuidperl
sending such a message can only be reached if you try to fool perl
into forcing the execution of one file instead of another.  This
vulnerability may not be limited to just the mailx program, which is
why an upgrade for perl is provided as opposed to an upgrade for
mailx.

http://www.linuxsecurity.com/advisories/mandrake_advisory-610.html


* NetBSD: netscape vulnerability
August 9th, 2000

Netscape's processing of JPEG comments trusted the length
parameter for comment fields; by manipulating this value, it is
possible to cause netscape to read in an excessive amount of data,
overwriting memory.  Specially designed data could allow a remote
site to execute arbitrary code as the user of netscape.

http://www.linuxsecurity.com/advisories/netbsd_advisory-609.html


* RedHat: mopd-linux buffer overflow
August 9th, 2000

This vulnerability allows long file names to be sent from the client
to the server, causing the buffer overflow. The server also used
filenames supplied from the client directly as a part of a format
string in a syslog function call.

http://www.linuxsecurity.com/advisories/redhat_advisory-606.html


* Caldera: sperl vulnerability
August 9th, 2000

When sperl detects that an attacker is trying to spoof it, it sends a
mail message to the super user account using /bin/mail. By exploiting
a flaw in the way sperl interacts with /bin/mail, any local user is
able to obtain root privilege on the local machine.

http://www.linuxsecurity.com/advisories/caldera_advisory-607.html


* OpenBSD/NetBSD: mopd buffer overflow
August 8th, 2000

The mopd (Maintenance Operations Protocol loader daemon)
implementation in OpenBSD 2.7 and NetBSD 1.4.2 includes a step in
which the daemon receives a file name from a client elsewhere on the
network. I found one point at which the client can overflow a buffer
in the server by sending a long file name. Also, I found two points
at which the server uses the client-supplied file name directly as
part of a format string in a syslog(3) function call (this is
potentially problematic if the file name contains any % characters).

http://www.linuxsecurity.com/advisories/openbsd_advisory-604.html
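The two mopd items above (RedHat and OpenBSD/NetBSD) describe the same pair of defects. This added C example, which is not mopd's code, shows each pattern next to a bounded, format-safe version; the buffer size, struct and function names are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define FILE_NAME_MAX 16   /* hypothetical fixed-size buffer in the server */

struct load_request {
    char file[FILE_NAME_MAX];
};

/* Stand-in for syslog(3) that renders into a caller buffer so the effect of
 * the format string is visible; a server would pass the same (fmt, ...)
 * arguments to syslog() itself. */
static void log_line(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: no length check, and the client's bytes become the
 * format string. A name longer than the buffer overruns the struct; a name
 * containing '%' is parsed as conversion directives. Shown for comparison
 * only; never called by the check below. */
void handle_request_unsafe(struct load_request *r, const char *client_name,
                           char *out, size_t outlen)
{
    strcpy(r->file, client_name);
    log_line(out, outlen, r->file);
}

/* Hardened: refuse names that do not fit (reject rather than truncate, so
 * the name logged is the name acted on), and hand the name to a constant
 * "%s" format so '%' is data, not a directive. Returns 0 or -1. */
int handle_request_safe(struct load_request *r, const char *client_name,
                        char *out, size_t outlen)
{
    const char *nul = memchr(client_name, '\0', FILE_NAME_MAX);
    if (nul == NULL)                  /* no terminator within the buffer */
        return -1;
    memcpy(r->file, client_name, (size_t)(nul - client_name) + 1);
    log_line(out, outlen, "load request for %s", r->file);
    return 0;
}

/* 1 if the safe path accepts client_name and logs exactly expected. */
int safe_path_logs(const char *client_name, const char *expected)
{
    struct load_request r;
    char out[128];
    if (handle_request_safe(&r, client_name, out, sizeof out) != 0)
        return 0;
    return strcmp(out, expected) == 0;
}
```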


* RedHat: umb-scheme vulnerability
August 8th, 2000

The umb-scheme package included with Red Hat Linux 6.2 included two
world-writable files.

http://www.linuxsecurity.com/advisories/redhat_advisory-602.html


* RedHat: mailx and perl vulnerabilities
August 8th, 2000

Under certain conditions, suidperl will attempt to send mail to the
local superuser account using /bin/mail.  A properly formatted
exploit script can use this facility, along with mailx's tendency to
inherit settings from the This update changes suidperl's behavior to
use syslog instead of mail, and restricts the list of variables
/bin/mail will read from the environment.

http://www.linuxsecurity.com/advisories/redhat_advisory-603.html


* Debian: ntop vulnerability
August 8th, 2000

Using ntop to distribute network traffic information over the
network, it is possible to access arbitrary files on the local
filesystem.  Since ntop runs with root uid, even /etc/shadow is
exposed.

http://www.linuxsecurity.com/advisories/debian_advisory-600.html


* RedHat: ntop vulnerability
August 8th, 2000

If ntop is run with the Web interface it allows any user to connect
and access all files on the host machine.

http://www.linuxsecurity.com/advisories/redhat_advisory-605.html


-----------------------
Top Articles This Week:
-----------------------

* UK group slams Sophos Linux virus threat claims
August 11th, 2000

Anti-virus software developer Sophos has been accused of spreading
fear, uncertainty and doubt over the safety of Linux systems by UK
pro-open source organisation NetProject. Sophos wrote to UK
newspaper Computer Weekly t'other week to claim that viruses
targeting Linux are already circulating. Not so, responded
NetProject director Eddie Bleasdale. Yes, anti-Linux viruses can be
written, but Linux, like Unix, has sufficient systems in place to
prevent unauthorised software from running on any "correctly
configured and administered Linux computer".

http://www.linuxsecurity.com/articles/general_article-1332.html


* Read them the riot act
August 8th, 2000

"With hacking on the rise, concerns have also arisen about employees
making inappropriate or illegal use of computers in the workplace.
Information systems managers need to ensure that all users are
informed of the conditions of their at-work computer use. Systems
managers can read the riot act to users before they log in. Unix
systems have been able to display pre-login messages for a long
time, and Linux, as a Unix operating system, has the same abilities.
Indeed, Linux's flexibility and ability to run X-based applications
from shell scripts make it possible to provide your own custom
solutions."

http://www.linuxsecurity.com/articles/host_security_article-1304.html


* Another massive Net attack looming?
August 12th, 2000

Do you think there should be network security standards set by the
government?  According to MSNBC, "insurance companies and the
security industry are considering quasi-government regulation to try
to compel Internet firms to take basic security steps."  This was
probably compelled by the fact that there are "125,000 networks with
the same flaw that allowed the attacks" that occurred six months ago
on major US websites.

http://www.linuxsecurity.com/articles/government_article-1334.html


* Secure your box - Part 2
August 10th, 2000

This is a quick-start guide on setting up and configuring the
OpenWall kernel patch and TCP Wrappers. "TCP wrappers run from inetd,
the way they work is as follows. When somebody connects to a port on
your system, inetd will look into /etc/services for the port number.
If the port number is found, it will look in /etc/inetd.conf for
that service, and starts it. Inetd then checks your access control
files, to decide whether to grant or deny the connection."

http://www.linuxsecurity.com/articles/documentation_article-1325.html
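To make that last step concrete, here is an added C example (not from the article) of the decision TCP Wrappers makes once inetd consults its access control files, run over constructed hosts.allow and hosts.deny contents. It implements the decision order and a subset of the hosts_access(5) pattern syntax; the daemon names and addresses are sample values.

```c
#define _POSIX_C_SOURCE 200809L   /* for strtok_r */
#include <stdio.h>
#include <string.h>

/* A table line is "daemon_list : client_list". Client patterns supported
 * here (a subset of hosts_access(5)): ALL, an exact host name or address,
 * and a network prefix written with a trailing dot such as "10.0.0.". */
static int pattern_matches(const char *pat, const char *value)
{
    size_t n = strlen(pat);
    if (strcmp(pat, "ALL") == 0) return 1;
    if (n > 0 && pat[n - 1] == '.')
        return strncmp(pat, value, n) == 0;
    return strcmp(pat, value) == 0;
}

/* Does any comma- or space-separated pattern in list match value? */
static int list_matches(const char *list, const char *value)
{
    char copy[256], *tok, *save;
    snprintf(copy, sizeof copy, "%s", list);
    for (tok = strtok_r(copy, ", \t\n", &save); tok != NULL;
         tok = strtok_r(NULL, ", \t\n", &save))
        if (pattern_matches(tok, value)) return 1;
    return 0;
}

/* Does any non-comment line of table match the (daemon, client) pair? */
static int table_matches(const char *table, const char *daemon,
                         const char *client)
{
    char line[256], *colon;
    while (*table != '\0') {
        size_t full = strcspn(table, "\n"), len = full;
        if (len >= sizeof line) len = sizeof line - 1;   /* over-long line */
        memcpy(line, table, len);
        line[len] = '\0';
        table += full + (table[full] == '\n');
        colon = strchr(line, ':');
        if (line[0] == '#' || colon == NULL) continue;
        *colon = '\0';
        if (list_matches(line, daemon) && list_matches(colon + 1, client))
            return 1;
    }
    return 0;
}

/* Decision order used by TCP Wrappers: a match in hosts.allow grants,
 * otherwise a match in hosts.deny refuses, otherwise access is granted.
 * Returns 1 to grant the connection, 0 to refuse it. */
int hosts_access_decision(const char *allow, const char *deny,
                          const char *daemon, const char *client)
{
    if (table_matches(allow, daemon, client)) return 1;
    if (table_matches(deny, daemon, client)) return 0;
    return 1;
}

/* Constructed sample tables. WEAK_* is a fresh install with both files
 * empty: everything is granted. SAFE_* refuses by default, allows by name. */
const char WEAK_ALLOW[] = "";
const char WEAK_DENY[]  = "";
const char SAFE_ALLOW[] = "# only the office network may reach sshd\n"
                          "sshd : 10.0.0.\n"
                          "in.ftpd, in.telnetd : 10.0.0.5\n";
const char SAFE_DENY[]  = "ALL : ALL\n";
```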


* Openhack: Lessons learned
August 8th, 2000

eWEEK Labs' Openhack.com e-business site was built from the ground up
with security in mind, and the site was co-designed and co-maintained
by security company Guardent Inc. Yet Openhack was cracked--by two
different people in less than one month. After we reported the
hacks, a reader asked despairingly whether there was hope for anyone
to stay secure. There is hope, but only for organizations that
acknowledge the risk and work to manage it--constantly.

http://www.linuxsecurity.com/articles/network_security_article-1306.html


* The Danger of Script Kiddies
August 7th, 2000

There has often been a tendency among System Administrators to
discount the danger of script kiddies, and this can be a misleading
and dangerous thing to do. Script kiddies can have a much greater
capability to cause problems than their skills alone would indicate.

http://www.linuxsecurity.com/articles/host_security_article-1298.html


* Why Are Keys Certified?
August 8th, 2000

Key certificates are an important element in the use of public-key
cryptography (PKC). Your browser, when it visits a secure site,
checks for a key certificate from a small number of commercial
certificate providers. The instructions that came with PGP described
how to sign keys, and explained the importance of doing so. The
concept of a public-key infrastructure (PKI) refers to what is
essentially a way to facilitate key certification, perhaps with
government assistance.

http://www.linuxsecurity.com/articles/cryptography_article-1305.html


* Free software would block FBI's Carnivore
August 10th, 2000

"Carnivore really underscored that there was an urgent need for
everyone to have their e-mail encrypted," said Rick Gordon, president
and chief executive officer of ChainMail.  Though he insists he is
not anti-FBI, he said allowing the agency to scan personal e-mail can
be dangerous.  "Government agencies have a history of misusing the
power they've been given," Mr. Gordon said.  The Antivore software,
whose formal name is Mithril Secure Server, can be downloaded by
Internet service providers. The ISPs use the software to encrypt
users' e-mail messages.

http://www.linuxsecurity.com/articles/vendors_products_article-1323.html

* WireX Introduces "Immunized" Workgroup Server Appliance Software
August 9th, 2000

WireX, a developer of software for 'purpose-specific' servers,
commonly known as server appliances, today announced the availability
of its latest configuration:  Immunix Workgroup Server Appliance.
This easy-to-administer, inexpensive, "all-in-one" workgroup server
appliance integrates web, email, file and print server functionality,
as well as its ability to protect servers from future and unknown hacker
attacks.

http://www.linuxsecurity.com/articles/vendors_products_article-1315.html


* Hackers won't give Pentagon a break
August 11th, 2000

U.S. Defense Department pleas to computer hackers to quit
mischief-making appear to be falling largely on deaf ears, making
spotting potential national security threats more difficult, a top
Pentagon expert says. Despite recent appeals, "we're not seeing any
diminishing" of the pace of attacks on Defense Department systems,
Richard Schaeffer, who heads the cyber-security office in the
Pentagon arm responsible for command, control, communications and
intelligence, said on Tuesday.

http://www.linuxsecurity.com/articles/government_article-1333.html


* Will the real Linux users please stand?
August 10th, 2000

To what extent are Fortune 500 companies already using Linux?
Open-source champions Oracle, IBM and VA Linux have differing
opinions. That Linux has appeal among Internet service providers and
application hosting firms is a given. But just how much of a hold
Linux already has established among Fortune 500 companies continues
to be up for debate.  If you believe Oracle Corp., the
self-proclaimed king of the enterprise Linux realm, Linux is already
well entrenched in corporate America. But other Linux backers, such
as IBM Corp. and VA Linux Systems Inc., are more conservative in
their claims as to where Linux is installed today -- and by whom --
and where it might be installed tomorrow.

http://www.linuxsecurity.com/articles/general_article-1327.html


* Government Wants Internet Emergency Preparedness
August 10th, 2000

Attempting to expand a system that allows disaster-relief agencies to
place prioritized phone calls in times of emergency, a US government
agency earlier this month asked engineers to build similar
capabilities into the technology that runs the Internet.  At an Aug.
1 meeting of the Internet Engineering Task Force (IETF), officials
from the US National Communications System asked programmers to build
emergency preparedness capabilities into upcoming versions of the
Internet Protocol (IP) that facilitates nearly all online
transmissions.

http://www.linuxsecurity.com/articles/government_article-1324.html


* Attorney General Accused of Treason
August 9th, 2000

US Representative James Traficant accused Attorney General Janet Reno
of treason, sexual improprieties and ties to the mob Monday night on
a Fox television news show. Supporters of Traficant say that the
Congressman has been targeted by the Clinton White House and the FBI
because of his criticism of federal handling of controversies such as
the Vince Foster death, the crash of TWA 800 and the Waco cover-up.

http://www.linuxsecurity.com/articles/government_article-1318.html


* A hacker crackdown?
August 7th, 2000

As the long arm of the law reaches Napster and its lookalikes,
programmers could be held responsible for what others do with
their code. Shawn C. Reimerdes awoke on July 26, confident that his
own fate had nothing to do with Napster's. He had just released
Yo!NK, a file-sharing program that could be used to trade
copyrighted MP3s, but since the Yo!NK network consists of various
servers whose owners voluntarily host the program, Reimerdes figured
he was safe.

http://www.linuxsecurity.com/articles/hackscracks_article-1300.html


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".