Security

News and Editorials

Security trouble with ssh. It turns out that there is a security vulnerability in ssh, for all versions derived from ssh-1.2.x (whose scp wraps rcp inside of ssh), which bears watching. If a user employs scp to move files from a server that has been compromised, the operation can be used to replace arbitrary files on the user's system. The problem is made more serious by setuid versions of ssh, which allow overwriting any file on the local (user's) system. If the ssh program is not setuid, or is setuid to someone other than root, then the intrusion is limited to files writable by the user scp runs as (the invoking user, or the owner of the ssh binary when it is setuid). In either case, files can be overwritten with code that unexpectedly grants others access to the system. For example, cron jobs that blindly execute scripts could be duped into opening a hole for an intruder if such a script has been overwritten using the scp exploit. Because this type of vulnerability can be used to open holes to root access, the arguments could be made that
Crist J. Clark posted a possible workaround for this problem: wrap the file transfer in a tar command, then check the resulting tar file for suspicious files: "It is an unpleasant problem and it affects both regular ssh and OpenSSH versions derived from the original ssh-1.2.x (and rcp too, since this version of ssh just wraps around the rcp protocols). Since ssh-2.x uses a different protocol it does not suffer from this problem. Fixes are not yet available, but presumably will be in short order."

$ ssh remote-host "tar cf - 

Better than SYNcookies?. Steve Gibson's alternative to SYNcookies, known as Genesis (Gibson's ENcryption-Enhanced Spoofing Immunity System), might be a simple solution to DoS attacks. On his web site, Steve writes: "The elimination of Denial of Service (DoS) vulnerability from spoofed IP flooding requires that the Server defers any per-connection resource commitment until the Client's remote IP address has been 'authenticated'." Steve's solution takes three parts:
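Returning to the scp item: the tar-based workaround only helps if the inspection step is actually done, because a hostile server can put any path it likes into the tar stream just as it can into the rcp stream (absolute paths, `..` components, symlinks pointing outside the target directory, or dotfiles such as `.rhosts` and `.ssh/authorized_keys` that turn a file overwrite into a login). The following is an added example, not code from the page or from Crist J. Clark's post, that checks an archive's member list before anything is extracted. The sample archive and the list of "sensitive" dotfiles are constructed for illustration and are assumptions, not anything the page specifies.

```python
import io
import posixpath
import tarfile

# Dotfiles whose overwrite in a home directory typically yields code execution
# or a remote login for the attacker (illustrative list, assumed for this example).
SENSITIVE_BASENAMES = {".rhosts", ".shosts", ".forward", ".profile", ".bashrc",
                       ".bash_profile", ".cshrc", ".login", ".xsession", ".Xclients"}
SENSITIVE_DIRS = {".ssh"}


def _escapes(path):
    """True if a path climbs out of the extraction directory."""
    return path.startswith("/") or ".." in path.split("/")


def classify_member(member):
    """Return the reasons a tar member is suspicious (empty list if benign)."""
    reasons = []
    name = member.name
    if name.startswith("/"):
        reasons.append("absolute path")
    if ".." in name.split("/"):
        reasons.append("'..' component")
    if member.issym():
        # A relative symlink target resolves from the link's own directory.
        target = member.linkname
        if not target.startswith("/"):
            target = posixpath.normpath(posixpath.join(posixpath.dirname(name), target))
        if _escapes(target):
            reasons.append("symlink target escapes the extraction directory")
    elif member.islnk():
        # Hard link targets are archive-relative, so check them as-is.
        if _escapes(member.linkname):
            reasons.append("hard link target escapes the extraction directory")
    elif not (member.isreg() or member.isdir()):
        reasons.append("special file (device or fifo)")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if parts and parts[-1] in SENSITIVE_BASENAMES:
        reasons.append("sensitive dotfile")
    if any(p in SENSITIVE_DIRS for p in parts[:-1]):
        reasons.append("file under sensitive directory")
    return reasons


def suspicious_members(tar_bytes):
    """List (name, reasons) for every member that should block extraction."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf.getmembers():
            reasons = classify_member(member)
            if reasons:
                flagged.append((member.name, reasons))
    return flagged


def build_demo_archive():
    """Constructed sample of what a hostile server could feed into 'tar cf -'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        def add(name, data=b"", **attrs):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            for key, value in attrs.items():
                setattr(info, key, value)
            tf.addfile(info, io.BytesIO(data) if data else None)
        add("project/README", b"hello\n")                             # benign
        add("project/../.ssh/authorized_keys", b"ssh-rsa AAAA...\n")  # plants a key
        add("/etc/cron.daily/backdoor", b"#!/bin/sh\n")               # cron hole
        add(".rhosts", b"+ +\n")                                      # trust everyone
        add("project/link", type=tarfile.SYMTYPE, linkname="../../.profile")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_members(build_demo_archive()):
        print(f"REFUSE {name}: {', '.join(reasons)}")
```

The point of listing before extracting is that the whole archive is refused on the first bad member, rather than trusting the extractor to quietly skip or rewrite it. Current Python `tarfile` offers a `filter="data"` extraction mode that rejects absolute paths, `..` components and escaping links on its own, but it does not know which dotfiles matter on your system, so a pre-extraction check like this one is still the place to encode that policy.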
In a letter to the Linux-Kernel and Linux-Net mailing lists, Dan Hollis quoted Steve as saying that the main difference between the two is that SYNcookies switches on and off, potentially causing valid packets to be rejected. Steve also says that SYNcookies breaks aspects of the TCP protocol but that Genesis does not. The question was unresolved at the time of this writing, but because of the nature and effects of DoS attacks, we're sure to hear more about this issue in the future.

Slashcode default passwords. The Web site code provided by Slashdot that implements their system, known as slashcode, ships with default user and password entries for the administrative login. The INSTALL document provided with this code reminds administrators to change these prior to going live with their sites. This sound advice was, apparently, not followed by the Slashdot team itself, leaving the Slashdot site (via a test system on their network that they left connected to the internet) open to intrusion by a pair of clever if not overly destructive bandits. Oops. c|net's News.com covered this story in a more mundane fashion: "The hackers appear not to have done anything beyond posting a story trumpeting their achievement, and the site was never taken down because of the attack..."

Misuse of xhost. A report to BugTraq stated that Mandrake 7.1 bypasses Xauthority X session security by using the xhost command within the system-wide Xsession file. A separate posting stated that a similar problem existed for XFCE 3.5.1. The xhost man page specifically states: "In the case of hosts, [this command] provides a rudimentary form of privacy control and security. It is only sufficient for a workstation (single user) environment, although it does limit the worst abuses. Environments which require more sophisticated measures should implement the user-based mechanism or use the hooks in the protocol for passing other authentication data to the server."
Use of xhost in the system-wide Xsession file, therefore, would imply a distribution targeted at single-user hosts. While XFCE is not a commercial distribution with a well-defined audience, one wonders if a single-user environment was really MandrakeSoft's target audience. The Mandrake report also covers issues with starting an ssh agent from the system-wide Xsession file, suggesting that the use of ssh-add be left to the individual users' ~/.Xclients file. Linux Mandrake posted a security update which addresses the problem.

Security scanner checks source code for security problems. Version 1.1 of ITS4 from Cigital was released this week. It is a freely available command-line package for Unix systems that scans C and C++ code for security problems. LWN noted a previous release of ITS4 in the February 24th issue of the Linux Weekly News.

Digital Signatures become law. While it's not a security issue for software, it is interesting to note that the Electronic Signatures in Global and National Commerce Act took effect on October 1st. This act provides the legal binding that makes digital signatures as meaningful as their handwritten cousins. One wonders if that makes them as forgeable too... The document for this act can be found online in PDF format.

CERT changes disclosure policy. CERT posted a change in policy for disclosing reported vulnerabilities: "It is the goal of this policy to balance the need of the public to be informed of security vulnerabilities with the vendors' need for time to respond effectively. The final determination of a publication schedule will be based on the best interests of the community overall."
Elias Levy on "10 Most Important" list. Not everything here is about things that are broken... SecurityFocus.com's co-founder Elias Levy, who also happens to be the moderator for the highly regarded BugTraq mailing list, was chosen by Network Computing as one of the 10 Most Important People of the Decade. Congratulations, Elias.

U.S. Selects a New Encryption Technique (NY Times). It's been a long time coming, but the US Department of Commerce has finally settled on a new encryption technique upon which to standardize: Rijndael (a play on the names of the algorithm's two Belgian inventors): "Rijndael (whose creators suggest pronunciations approximating 'Rhine doll') does not become a new standard overnight. Officials said that in the coming weeks the institute would publish a notice in the Federal Register recommending the software as the new Federal Information Processing Standard. After 90 days for comment and revision, the secretary of commerce will most likely accept the proposal." More information on the Advanced Encryption Standard (AES) effort can be found at NIST's AES page and at NIST's Public Affairs release announcing the winner. (Thanks to Kalle Svensson and Dan York).

FBI releases first Carnivore documents (ZDNet). ZDNet carried a story this week on the FBI's release of the first batch of Carnivore-related documents in response to a Freedom of Information Act suit from the Electronic Privacy Information Center. The documents were heavily blacklined (i.e. redacted) and many were simply missing: "There is one document that talks very generally about voice-over-IP interception," said Banisar. "It's mostly about what 'voice-over-IP' is. When it gets to the part about what they are doing about it -- those pages are redacted."
Security Reports

Pine exploit. An exploit in Pine was reported to BugTraq this past week. The problem involves Pine's handling of incoming mail during an open session. Interestingly, Pine was found to have over 4000 calls to sprintf, strcpy, and/or strcat, raising the question "can Pine be made secure?"

Apache mod_rewrite vulnerability. A vulnerability in the mod_rewrite module for Apache was reported in Apache Week of 2000-09-22. According to the notice: "A patch is currently being tested and will be part of the release of Apache 1.3.13. Until then, users should check their configuration files and not use rules that map to a filename". An appropriate example is provided with more details in the announcement. A patch, which has also been committed to the Apache source, has been posted to BugTraq for this issue.

Traceroute allows local access to root. Tim Robbins posted to the Security Audit mailing list about problems he'd found in traceroute, the tool used to follow packets through a network. The problems are interesting by their nature (a heap overflow and buffer-size issues) and are compounded by the installation of traceroute as a setuid-root program. A more detailed explanation showed up on the Linux Security mailing list. A number of distributions that include traceroute, including any that based their version on LBNL 1.4a5, are expected to be vulnerable to attacks from local users attempting to gain root access. Some reports, however, suggest that OpenBSD, at least, fixed this problem up to two years ago. This week's updates (in no particular order):
Root access from cfd daemon in GNU CFEngine. Another syslogd-style problem, this one in the form of format string bugs in GNU CFEngine: "As cfd is almost always run as root due to its nature (centralized configuration management etc.), this can be quite lethal and lead into a root compromise." This project is aimed at providing a very high-level language for building expert systems which administer and configure large computer networks. While included as a package in the Debian distribution, cfd is not started by default. Red Hat does not include cfd. Other distributions have yet to respond to this issue.

GnoRPM security update. Thanks to Gnotices, we hear that a security problem has been fixed in GnoRPM. There was a /tmp vulnerability in all versions prior to 0.95.1 that could allow local users to do undesirable things. An upgrade is recommended, especially since this utility, which has not distinguished itself as one of the most stable programs around, is said to actually work these days. This week's updates:

thttpd exposes world-readable files. A CGI program called ssi included with the thttpd server allows visitors read access to any files on the server that are world-readable or readable by the owner of the thttpd process. The fix involves upgrading to 2.20, which has been patched to fix this problem.

ISS issues security advisory for GNU Groff. Groff is the GNU version of troff, the text formatting package. According to the Internet Security Systems security advisory, groff will read untrusted commands from the current working directory. According to the advisory: "The vulnerability is particularly dangerous in Linux distributions that have the 'lesspipe' feature. By default, a 'LESSOPEN' environment variable is set which points to a wrapper script for the 'less' pager program named '/usr/bin/lesspipe.sh'. If less is passed a filename with any of the extensions '.1' through '.9', '.n', or '.man', it automatically calls groff to handle the file."
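The ITS4 release noted above, the Pine count of sprintf/strcpy/strcat calls, and the syslog-style format string bug in cfd all come down to two source-level patterns that a scanner can find mechanically: a call to a routine that writes into a caller-supplied buffer with no length bound, and a printf-style call whose format argument is not a string literal. The following is an added example, not ITS4's code and not from the page, of a minimal scanner for those two patterns over C source. The function tables and the sample C source are constructed for illustration; the scanner strips comments and splits arguments with a small hand-written tokenizer, and deliberately has no preprocessor or prototype awareness (it will also report a prototype such as `int sprintf(...)`, and a `//` inside a string literal would confuse it).

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line func reason")

# Routines that copy or format into a caller-supplied buffer with no length
# bound (the family behind the Pine call count). Illustrative list.
UNBOUNDED = {"strcpy", "strcat", "sprintf", "vsprintf", "gets"}
# Position of the format argument for printf-style functions; a non-literal
# there is the syslog-style format string bug. Illustrative list.
FORMAT_ARG = {"printf": 0, "vprintf": 0, "fprintf": 1, "vfprintf": 1,
              "sprintf": 1, "vsprintf": 1, "snprintf": 2, "vsnprintf": 2,
              "syslog": 1, "vsyslog": 1}

R_UNBOUNDED = "unbounded copy/format into a fixed buffer"
R_FORMAT = "non-literal format string"

_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
_CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
_LITERAL = re.compile(r'(?:"(?:[^"\\]|\\.)*"\s*)+')


def strip_comments(src):
    """Blank out C comments but keep their newlines so line numbers survive."""
    return _COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def split_args(src, open_paren):
    """Split the argument list of a call whose '(' sits at src[open_paren]."""
    depth, quote, args, cur = 0, None, [], []
    i = open_paren
    while i < len(src):
        c = src[i]
        if quote:                      # inside a string or char literal
            cur.append(c)
            if c == "\\":
                i += 1
                cur.append(src[i])
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
            cur.append(c)
        elif c == "(":
            depth += 1
            if depth > 1:
                cur.append(c)
        elif c == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            cur.append(c)
        elif c == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    return args                        # unterminated call: best effort


def scan(src):
    """Return Finding records for risky calls in a C translation unit (string)."""
    clean = strip_comments(src)
    findings = []
    for m in _CALL.finditer(clean):
        func = m.group(1)
        if func not in UNBOUNDED and func not in FORMAT_ARG:
            continue
        line = clean.count("\n", 0, m.start()) + 1
        args = split_args(clean, m.end() - 1)
        if func in UNBOUNDED:
            findings.append(Finding(line, func, R_UNBOUNDED))
        idx = FORMAT_ARG.get(func)
        if idx is not None and idx < len(args) and not _LITERAL.fullmatch(args[idx]):
            findings.append(Finding(line, func, R_FORMAT))
    return findings


# Constructed sample input: a cfd/Pine-style logging routine with both bug classes.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* strcpy(dst, src) inside a comment must not be reported */
void log_client(const char *peer, const char *msg)
{
    char buf[128];
    strcpy(buf, peer);                 /* line 10: unbounded copy */
    strcat(buf, ": ");                 /* line 11: unbounded copy */
    sprintf(buf, "%s %s", peer, msg);  /* line 12: unbounded, literal format */
    syslog(LOG_INFO, buf);             /* line 13: attacker-controlled format */
    syslog(LOG_INFO, "%s", buf);       /* line 14: the fix, not reported */
    snprintf(buf, sizeof buf, "%s", msg);
    printf("done\n");
}
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_C):
        print(f"line {f.line}: {f.func}: {f.reason}")
```

The two syslog lines in the sample are the whole cfd-style story: passing data as the format argument lets whoever controls that data supply `%n` and friends, while `syslog(LOG_INFO, "%s", buf)` is the fix. A count of hits like this is the kind of number the Pine item quotes; it says where to audit, not that each site is exploitable.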
Commercial products. The following commercial products were reported to contain vulnerabilities:
Updates

LPRng, lpr format string vulnerability. Check the September 28th LWN Security Summary for the initial report. This month's advisories: Last month's advisories: Red Hat also issued an advisory for a similar problem in lpr. Related advisories this month:

Rehashing an old su problem. LWN reported this past week on what appeared to be a new report of a format string vulnerability in /bin/su. However, that report turned out to be a rehashing of an older su problem related to bugs found in glibc and reported on last month. The problems are serious and users should upgrade their glibc packages as soon as possible.

wu-ftpd vulnerability. Check the June 15th LWN Security Summary for the original report of this problem. An upgrade to wu-ftpd 2.6.1 should fix the problem. This week's updates: Previous updates:
Discussion on this thread in BugTraq uncovered possible bugs in the ftp client as well, though it's not clear if this problem is exploitable in any way.

Resources

Other resources on security this week.
Events

Upcoming security events and announcements.
Section Editor: Liz Coolbaugh
October 5, 2000