
Security


News and Editorials

Security trouble with ssh. It turns out that there is a security vulnerability in ssh, for all versions derived from ssh-1.2.x (in which scp is a wrapper around the rcp protocol), which bears watching. If a user employs scp to copy files from a server that has been compromised, the operation can be used to replace arbitrary files on the user's system: scp trusts the file names the remote side sends. The problem is made more serious by setuid-root installations of ssh, which allow any file on the local (user's) system to be overwritten. If the ssh program is not setuid, or is setuid to someone other than root, the intrusion is limited to files the owner of the ssh program may write. In either case, files can be overwritten with code that unexpectedly grants others access to the system. For example, a cron job that blindly executes a script could be duped into opening a hole for an intruder if that script has been overwritten via the scp exploit.

Because this type of vulnerability can be used to open holes to root access, the argument could be made that

  1. ssh should not be setuid for root
  2. scp should not be used by root to move files
  3. ssh should not be used in automated processes, such as cron jobs
The last of these is hard to resolve: how would cron know whether a file has been compromised? Yet automating the movement of files is a very common administrative task. The only resolution may be to force such automation to run as non-privileged users, which at least may minimize the impact of an intrusion.

Crist J. Clark posted a possible workaround for this problem: wrap the file transfer in a tar command, then inspect the resulting tar file for suspicious paths before extracting it:

$ ssh remote-host "tar cf - FILES" > ssh_tmp.tar
$ tar tvf ssh_tmp.tar
  [check the listing for absolute paths, ".." components and unexpected files]
$ tar xf ssh_tmp.tar && rm ssh_tmp.tar

Here FILES stands for the remote files or directories to fetch. The listing step is the whole point: nothing is extracted until a human has looked at the names the archive contains.
It is an unpleasant problem, and it affects both the original ssh and OpenSSH, since both derive from ssh-1.2.x (and rcp too, since scp in these versions simply wraps the rcp protocol). ssh-2.x uses a different file transfer protocol and does not suffer from this problem. Fixes are not yet available, but presumably will be in short order.
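To make the point concrete, here is an added example (not code from the article, from ssh or from OpenSSH) of the checks an scp client, or a tar-over-ssh wrapper like the one above, needs to apply to file names supplied by the remote side. In the scp protocol the server announces each file with a record such as "C0644 1234 filename"; a client that trusts that name lets a compromised server choose where the file lands. The scp records and the tar stream used here are constructed for the demonstration.

```python
# Added example, not code from the LWN article, ssh or OpenSSH: client-side
# validation of file names that the *remote* side of an scp or tar-over-ssh
# transfer supplies.  Sample records and the tar stream are constructed.
import io
import posixpath
import tarfile


def is_safe_relative_path(name: str) -> bool:
    """Accept only a relative path with no '..' component and no NUL byte."""
    if not name or "\x00" in name or name.startswith("/"):
        return False
    if any(part == ".." for part in name.split("/")):
        return False
    return posixpath.normpath(name) not in ("", ".")


def parse_scp_record(record: str, requested: str):
    """Parse 'C<mode> <size> <name>' as sent by the scp server and return
    (mode, size, name); raise ValueError if the name could be used to write
    anything but the file the client asked for."""
    if not record.startswith("C"):
        raise ValueError("not a file record: %r" % record)
    try:
        mode_s, size_s, name = record[1:].split(" ", 2)
        mode, size = int(mode_s, 8), int(size_s, 10)
    except ValueError:
        raise ValueError("malformed record: %r" % record) from None
    if size < 0:
        raise ValueError("negative size in %r" % record)
    # scp sends bare file names, never paths: a '/' means the server is
    # trying to steer the write into another directory.
    if "/" in name or not is_safe_relative_path(name):
        raise ValueError("unsafe file name from server: %r" % name)
    # A compromised server may also send a perfectly safe but *different*
    # name (.bashrc instead of notes.txt); insist on what was asked for.
    if name != posixpath.basename(requested):
        raise ValueError("server sent %r, client asked for %r" % (name, requested))
    return mode, size, name


def unsafe_tar_members(tar_bytes: bytes) -> list:
    """Names in a tar stream that must not be extracted blindly: absolute
    or '..' paths, and links whose target leaves the extraction tree."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for m in tf.getmembers():
            if not is_safe_relative_path(m.name):
                bad.append(m.name)
            elif m.issym() or m.islnk():
                # A symlink target is relative to the link's directory, a
                # hard link target to the archive root.  Deliberately strict:
                # any '..' or absolute target is rejected.
                target = m.linkname
                if m.issym():
                    target = posixpath.join(posixpath.dirname(m.name), target)
                if not is_safe_relative_path(target):
                    bad.append(m.name)
    return bad


def build_sample_tar() -> bytes:
    """Constructed archive mixing benign and hostile member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, data in [("docs/readme.txt", b"hello\n"),
                           ("../.ssh/authorized_keys", b"ssh-rsa AAAA... attacker\n"),
                           ("/etc/cron.d/backdoor", b"* * * * * root /tmp/x\n")]:
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tf.addfile(ti, io.BytesIO(data))
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../etc/passwd"
        tf.addfile(link)
    return buf.getvalue()
```

The two checks in parse_scp_record are different in kind: the first rejects names that are hostile on their face, the second rejects names that are harmless in themselves but are not the file the user requested. Both are needed, because a compromised server can do either.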

Better than SYNcookies? Steve Gibson's alternative to SYNcookies, known as Genesis (Gibson's ENcryption-Enhanced Spoofing Immunity System), might be a simple solution to SYN flooding denial of service attacks. On his web site, Steve writes:

The elimination of Denial of Service (DoS) vulnerability from spoofed IP flooding requires that the Server defers any per-connection resource commitment until the Client's remote IP address has been "authenticated".

Commercial and personal firewalls have attempted to protect their client machines from half-open connection flooding by maintaining size-limited lists of half-open (possibly spoofed) connections. The oldest non-established connection is discarded when the list becomes full to make room for newly arriving SYN packets. This solution suffers from requiring resources to limit and manage the number of allowed half-open connections, and from the significant possibility that valid half-open connections will be pushed from the list, replaced by more recently spoofed SYN packets. This would cause valid connections to be rejected thus denying service to valid Clients. As a result, while existing techniques can mitigate the damaging effects of Denial of Service, they fail to completely solve the problem. By comparison, the GENESIS system requires NO local resources and suffers from none of these limitations.

Steve's solution takes three parts:

  • The deferral of all "connection management" until the end of the standard 3-way TCP handshake.
  • The explicit, non-spoofable, cryptographic authentication of the remote Client's IP address.
  • Use the Client's Initial Sequence Number as a bias to the ISN we generate from the Client's IP address.
The question is: is this a better solution than SYNcookies, the apparently complex - and arguably successful - existing defense against this kind of denial of service attack? In fact, is it even all that different?

In a letter to the Linux-Kernel and Linux-Net mailing lists, Dan Hollis quoted Steve as saying that the main difference between the two is that SYNcookies switches on and off, potentially causing valid packets to be rejected. Steve also says that SYNcookies breaks aspects of the TCP protocol but that Genesis does not.

The question was unresolved at the time of this writing, but because of the nature and effects of DoS attacks, we're sure to hear more about this issue in the future.
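For readers who want to see what "deferring all connection management until the end of the handshake" amounts to in practice, here is an added example (not code from the article, from Steve Gibson or from the Linux kernel) of a stateless SYN-cookie style listener along the lines of the three parts listed above: the server's ISN is a keyed hash of the client's address and ports, biased by the client's own ISN, and a connection is recorded only once an ACK arrives whose acknowledgement number the server can recompute. The secret, addresses and ports are constructed for the demonstration.

```python
# Added example, not code from the article, Steve Gibson or the Linux
# kernel: a stateless SYN-cookie style handshake.  Secret, addresses and
# ports are constructed for the demo.
import hashlib
import hmac
import ipaddress
import random
import struct

M32 = 0xFFFFFFFF
SECRET = b"constructed-demo-secret; rotate in real deployments"  # assumption


def _tag(secret, saddr, daddr, sport, dport, slot):
    """32-bit MAC over the 4-tuple and a coarse time slot (e.g. minutes)."""
    msg = struct.pack("!4s4sHHI",
                      ipaddress.IPv4Address(saddr).packed,
                      ipaddress.IPv4Address(daddr).packed,
                      sport, dport, slot)
    return struct.unpack("!I", hmac.new(secret, msg, hashlib.sha256).digest()[:4])[0]


def server_isn(saddr, daddr, sport, dport, client_isn, slot, secret=SECRET):
    """ISN for our SYN/ACK.  Adding the client's ISN binds the cookie to this
    particular SYN, so a captured SYN/ACK cannot be replayed against a later
    connection from the same address and port."""
    return (_tag(secret, saddr, daddr, sport, dport, slot) + client_isn) & M32


def ack_is_authentic(saddr, daddr, sport, dport, seq, ack, slot,
                     secret=SECRET, window=1):
    """Validate the handshake's third packet from its contents alone.  In that
    packet seq = client_isn + 1 and ack = server_isn + 1; the current slot and
    `window` earlier ones are accepted so a slow handshake still passes."""
    client_isn = (seq - 1) & M32
    for s in range(slot, slot - window - 1, -1):
        expect = (server_isn(saddr, daddr, sport, dport, client_isn, s, secret) + 1) & M32
        if hmac.compare_digest(struct.pack("!I", ack & M32), struct.pack("!I", expect)):
            return True
    return False


class StatelessListener:
    """Commits per-connection resources only after a verified ACK."""

    def __init__(self, addr, port, secret=SECRET):
        self.addr, self.port, self.secret = addr, port, secret
        self.established = {}   # (client addr, port) -> (client_isn, server_isn)

    def on_syn(self, saddr, sport, client_isn, slot):
        # No table entry, no timer: just answer with a cookie ISN.
        return server_isn(saddr, self.addr, sport, self.port, client_isn, slot, self.secret)

    def on_ack(self, saddr, sport, seq, ack, slot):
        if not ack_is_authentic(saddr, self.addr, sport, self.port, seq, ack, slot, self.secret):
            return False
        self.established[(saddr, sport)] = ((seq - 1) & M32, (ack - 1) & M32)
        return True


def demo(flood_size=10000, seed=1):
    """Flood the listener with spoofed SYNs, then complete one honest
    handshake and attempt one spoofed ACK.  Returns the observations."""
    rng = random.Random(seed)
    srv = StatelessListener("192.0.2.10", 80)
    slot = 1234
    for _ in range(flood_size):          # spoofed sources never answer
        src = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        srv.on_syn(src, rng.randrange(1024, 65536), rng.getrandbits(32), slot)
    state_after_flood = len(srv.established)

    client_isn = rng.getrandbits(32)
    synack_isn = srv.on_syn("198.51.100.7", 40000, client_isn, slot)
    honest = srv.on_ack("198.51.100.7", 40000, (client_isn + 1) & M32,
                        (synack_isn + 1) & M32, slot + 1)

    # An attacker who never saw the SYN/ACK has to guess the cookie.
    spoofed = srv.on_ack("203.0.113.9", 40001, 1, rng.getrandbits(32), slot)
    return {"state_after_flood": state_after_flood, "honest_accepted": honest,
            "spoofed_accepted": spoofed, "established": len(srv.established)}
```

Note that the third of Steve's points, using the client's ISN as a bias, is also what the Linux syncookie code does when it adds the client's sequence number into the cookie; real implementations additionally squeeze an MSS value into the low bits, since a stateless server has otherwise forgotten the options the client offered. That is the protocol breakage SYNcookies are criticised for, and this demo does not escape it either.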

Slashcode default passwords. The Web site code provided by Slashdot that implements their system, known as slashcode, ships with default user and password entries for the administrative login. The INSTALL document provided with this code reminds administrators to change these before going live with their sites. This sound advice was, apparently, not followed by the Slashdot team itself, leaving the Slashdot site (via a test system on their network that was left connected to the Internet) open to intrusion by a pair of clever if not overly destructive bandits. Oops.

c|net's News.com covered this story in a more mundane fashion: "The hackers appear not to have done anything beyond posting a story trumpeting their achievement, and the site was never taken down because of the attack..."

Misuse of xhost. A report to BugTraq stated that Mandrake 7.1 bypasses the cookie-based Xauthority X session security by using the xhost command within the system-wide Xsession file. A separate posting stated that a similar problem existed for XFCE 3.5.1.

The xhost man page specifically states:

In the case of hosts, [this command] provides a rudimentary form of privacy control and security. It is only sufficient for a workstation (single user) environment, although it does limit the worst abuses. Environments which require more sophisticated measures should implement the user-based mechanism or use the hooks in the protocol for passing other authentication data to the server.

Use of xhost in the system-wide Xsession file therefore implies a product targeted at single-user hosts. XFCE is a desktop environment rather than a distribution and has no well defined audience, but one wonders whether a single-user environment was really MandrakeSoft's target audience.

The Mandrake report also covers issues with the use of ssh-agent in the system-wide Xsession file, suggesting that the running of ssh-add be left to each user's own ~/.Xclients file.

Linux Mandrake posted a security update which addresses the problem.
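Administrators who want to check their own systems for the two problems in the Mandrake report can do so mechanically. The following is an added example (not code from the article, the BugTraq reports or MandrakeSoft) that audits an X session start-up script for xhost commands that open the display and for ssh-add being run from a system-wide file; the sample Xsession it is run against is constructed.

```python
# Added example, not from the article, the BugTraq reports or Mandrake: a
# small audit of a shell X start-up script for "xhost +..." and for
# ssh-add in a system-wide file.  The sample script is constructed.
import re
import shlex

_SPLIT_CMDS = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")
# words that may precede the real command on the same simple command
_PREFIX_WORDS = {"exec", "env", "eval", "nohup", "then", "do", "else", "if", "!"}


def audit_xsession(text, system_wide=True):
    """Return (line, severity, message) findings for an X start-up script.
    Comments are dropped and each line is split into simple commands."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        code = raw.split("#", 1)[0]
        for cmd in _SPLIT_CMDS.split(code):
            try:
                argv = shlex.split(cmd)
            except ValueError:        # unbalanced quotes: not our concern here
                continue
            # strip "exec", "then", FOO=bar assignments and the like
            while argv and (argv[0] in _PREFIX_WORDS or "=" in argv[0]):
                argv = argv[1:]
            if not argv:
                continue
            prog = argv[0].rsplit("/", 1)[-1]
            if prog == "xhost":
                for arg in argv[1:]:
                    if arg == "+":
                        findings.append((lineno, "high",
                            "xhost + disables X access control entirely: any host may connect"))
                    elif arg.startswith("+"):
                        findings.append((lineno, "medium",
                            "xhost %s grants display access by host or user name, "
                            "bypassing xauth cookies" % arg))
            elif prog == "ssh-add" and system_wide:
                findings.append((lineno, "medium",
                    "ssh-add in a system-wide session file; leave key loading "
                    "to the user's own ~/.Xclients"))
    return findings


# Constructed sample of a system-wide Xsession with the reported problems.
SAMPLE_XSESSION = r"""#!/bin/sh
# constructed sample of a system-wide Xsession
xauth add :0 . 0123456789abcdef0123456789abcdef   # cookie based: fine
xhost +local:            # any local user may connect
xhost +$HOSTNAME         # any user on this host
if [ -n "$OPEN_DISPLAY" ]; then xhost + ; fi
xhost -                  # turning access control back on is fine
eval `ssh-agent`; ssh-add
exec $WINDOWMANAGER
"""

if __name__ == "__main__":
    for line, sev, msg in audit_xsession(SAMPLE_XSESSION):
        print("line %d [%s] %s" % (line, sev, msg))
```

The audit is lexical, so it will not follow an xhost call hidden behind a variable or a sourced file; it is meant to catch exactly the pattern reported here, a distribution-wide Xsession that undoes the per-user cookie protection for every login.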

Security scanner checks source code for security problems. Version 1.1 of ITS4 from Cigital was released this week. It is a freely available command-line tool for Unix systems that scans C and C++ source for security problems such as calls to functions prone to buffer overflows. LWN noted a previous release of ITS4 in the February 24th issue of the Linux Weekly News.

Digital Signatures become law. While it's not a security issue for software, it is interesting to note that the Electronic Signatures in Global and National Commerce Act took effect on October 1st. This act provides the legal binding that makes digital signatures as meaningful as their hand written cousins. One wonders if that makes them as forgeable too...

The document for this act can be found online in pdf format.

CERT changes disclosure policy. CERT posted a change in policy for disclosing reported vulnerabilities.

It is the goal of this policy to balance the need of the public to be informed of security vulnerabilities with the vendors' need for time to respond effectively. The final determination of a publication schedule will be based on the best interests of the community overall.

Elias Levy on ``10 Most Important'' list. Not everything here is about things that are broken...

SecurityFocus.com's co-founder Elias Levy, who also happens to be the moderator for the highly regarded BugTraq mailing list, was chosen by Network Computing as one of the 10 Most Important People of the Decade. Congratulations, Elias.

U.S. Selects a New Encryption Technique (NY Times). It's been a long time coming, but the US Department of Commerce (through NIST) has finally settled on a new encryption algorithm upon which to standardize: Rijndael (a play on the names of its two Belgian inventors, Joan Daemen and Vincent Rijmen):

Rijndael (whose creators suggest pronunciations approximating "Rhine doll") does not become a new standard overnight. Officials said that in the coming weeks the institute would publish a notice in the Federal Register recommending the software as the new Federal Information Processing Standard. After 90 days for comment and revision, the secretary of commerce will most likely accept the proposal.

More information on the Advanced Encryption Standards (AES) effort can be found at NIST's AES page and at NIST's Public Affairs release announcing the winners. (Thanks to Kalle Svensson and Dan York).

FBI releases first Carnivore documents (ZDNet). ZDNet carried a story this week on the FBI's release of the first batch of Carnivore related documents in response to a Freedom of Information Act suit from the Electronic Privacy Information Center. The documents were heavily blacklined (aka redacted) and many were simply missing.

"There is one document that talks very generally about voice-over-IP interception," said Banisar. "It's mostly about what 'voice-over-IP' is. When it gets to the part about what they are doing about it -- those pages are redacted."

Security Reports

Pine exploit. An exploit for Pine was reported to BugTraq this past week. The problem involves Pine's handling of incoming mail during an open session. Interestingly, Pine was found to contain over 4000 calls to sprintf, strcpy and/or strcat, raising the question "can Pine be made secure?"

Apache mod_rewrite vulnerability. A vulnerability in the mod_rewrite module for Apache was reported in Apache Week of 2000-09-22. According to the notice: "A patch is currently being tested and will be part of the release of Apache 1.3.13. Until then, users should check their configuration files and not use rules that map to a filename". An example of an affected rule is provided, with more details, in the announcement.

A patch, which has also been committed to the Apache source, has been posted to BugTraq for this issue.

Traceroute allows local access to root. Tim Robbins posted to the Security Audit mailing list about problems he had found in traceroute, the tool used to follow packets through a network. The problems are interesting by their nature - a heap overflow and buffer size issues - and are compounded by the installation of traceroute as a suid-root program. A more detailed explanation showed up on the Linux Security mailing list. A number of distributions that ship traceroute, including any whose version is based on LBNL 1.4a5, are expected to be vulnerable to local users attempting to gain root access. Some reports, however, suggest that OpenBSD, at least, fixed this problem up to two years ago.

This week's updates (in no particular order):

Root access from cfd daemon in GNU CFEngine. Another syslogd-style problem, this one in the form of format string bugs in GNU CFEngine's cfd daemon.

As cfd is almost always run as root due to its nature (centralized configuration management etc.), this can be quite lethal and lead into a root compromise.

This project is aimed at providing a very high level language for building expert systems which administrate and configure large computer networks.

While cfengine is included as a package in the Debian distribution, cfd is not started by default. Red Hat does not ship cfd. Other distributions have yet to respond to this issue.
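The Pine tally above and the cfd and lpr format string bugs are two faces of the same audit: find the calls that copy without a bound, and find the printf-family and syslog calls whose format argument the attacker may influence. This is what ITS4 does lexically, and the following added example (not ITS4's code, nor anything from the article or the advisories) shows the idea in a few dozen lines of Python, run over a constructed C fragment. Because it works on tokens rather than raw text, a "strcpy" inside a comment or a string literal is not counted as a call.

```python
# Added example, not ITS4's code and not from the article: a token-based
# scan of C source for unbounded string calls and for printf/syslog calls
# whose format argument is not a string literal.  SAMPLE_C is constructed.
import re
from collections import Counter

_TOKEN = re.compile(r"""
    (?P<comment>/\*.*?\*/|//[^\n]*)
  | (?P<string>"(?:\\.|[^"\\\n])*")
  | (?P<char>'(?:\\.|[^'\\\n])+')
  | (?P<ident>[A-Za-z_]\w*)
  | (?P<ws>\s+)
  | (?P<punct>.)
""", re.S | re.X)

UNBOUNDED = {"strcpy": "unbounded copy", "strcat": "unbounded concatenation",
             "sprintf": "unbounded write", "gets": "unbounded read"}
# index of the format argument for functions that interpret one
FORMAT_ARG = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2,
              "syslog": 1, "vsprintf": 1, "vsnprintf": 2}
CHECKED = set(UNBOUNDED) | set(FORMAT_ARG)
_KEYWORDS_BEFORE_CALL = {"return", "else", "do"}


def tokenize(src):
    """Yield (kind, text, line), dropping whitespace and comments."""
    line = 1
    for m in _TOKEN.finditer(src):
        kind, text = m.lastgroup, m.group()
        if kind not in ("ws", "comment"):
            yield kind, text, line
        line += text.count("\n")


def _call_args(toks, i):
    """Argument token lists for the call whose '(' is toks[i]; None if unterminated."""
    args, cur, depth, j = [], [], 0, i
    while j < len(toks):
        kind, text, _ = toks[j]
        if kind == "punct" and text in "([{":
            depth += 1
            if depth == 1:          # the call's own opening parenthesis
                j += 1
                continue
        elif kind == "punct" and text in ")]}":
            depth -= 1
            if depth == 0:
                args.append(cur)
                return args
        if depth == 1 and kind == "punct" and text == ",":
            args.append(cur)
            cur = []
        else:
            cur.append(toks[j])
        j += 1
    return None


def find_calls(src):
    """Yield (line, name, args) for each call to a checked function."""
    toks = list(tokenize(src))
    for i, (kind, text, line) in enumerate(toks):
        if kind != "ident" or text not in CHECKED:
            continue
        if i + 1 >= len(toks) or toks[i + 1][:2] != ("punct", "("):
            continue
        prev = toks[i - 1] if i else None
        # p->strcpy / s.printf are members; "int sprintf(" is a prototype
        if prev is not None and (prev[1] in (".", ">") or
                                 (prev[0] == "ident" and prev[1] not in _KEYWORDS_BEFORE_CALL)):
            continue
        args = _call_args(toks, i + 1)
        if args is not None:
            yield line, text, args


def scan_c_source(src):
    """Return (line, function, reason) findings."""
    findings = []
    for line, name, args in find_calls(src):
        if name in UNBOUNDED:
            findings.append((line, name, UNBOUNDED[name]))
        idx = FORMAT_ARG.get(name)
        if idx is not None and idx < len(args):
            fmt = args[idx]          # literal only if every token is a string
            if not fmt or any(k != "string" for k, _, _ in fmt):
                findings.append((line, name, "non-literal format string"))
    return findings


def count_calls(src):
    """Calls per checked function, in the spirit of the Pine tally."""
    return Counter(name for _, name, _ in find_calls(src))


SAMPLE_C = r"""#include <stdio.h>
#include <string.h>
#include <syslog.h>
/* strcpy(in_a_comment, x); is not a call */
void log_it(const char *user, char *buf, int n)
{
    char name[64];
    strcpy(name, user);                 /* unbounded: user may exceed 64 */
    strncpy(name, user, sizeof name - 1);
    sprintf(buf, "user=%s n=%d", name, n);
    syslog(LOG_INFO, buf);              /* buf may carry %n from the network */
    syslog(LOG_INFO, "%s", buf);
    printf("strcpy(\"%s\") is text\n", buf);
    fprintf(stderr, buf);
    snprintf(buf, n, "%s" "%s", name, user);
}
"""
```

Like ITS4, this reports candidates, not proven bugs: the strcpy on line 8 is only exploitable if user can exceed 64 bytes, which a scanner cannot know. The format string findings are a different matter; a non-literal format argument is wrong whether or not an attack is currently known, and the fix is the one-word change to "%s" shown on line 12.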

GnoRPM security update. Thanks to Gnotices, we hear that a security problem has been fixed in GnoRPM. All versions prior to 0.95.1 have a /tmp vulnerability that could allow local users to do undesirable things. An upgrade is recommended - especially since this utility, which has not distinguished itself as one of the most stable programs around, is said to actually work these days.
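"/tmp vulnerability" is shorthand for a whole class of bugs, so here is an added example (not GnoRPM's code and not from the advisory) of the usual one: a program opens a predictably named temporary file, a local attacker has already planted a symbolic link under that name, and the program's write lands on whatever the link points at, with the program's privileges. The unsafe open is shown beside the hardened one, and the victim file, link and directory are all constructed inside a scratch directory.

```python
# Added example, not GnoRPM's code or the advisory's: the file-system race
# behind the usual "/tmp vulnerability", as the unsafe open beside the
# hardened one.  All paths are constructed inside a scratch directory.
import errno
import os
import stat
import tempfile


def unsafe_tmp_write(path, data):
    """O_CREAT without O_EXCL: a pre-planted symlink is followed and the
    file it points at is truncated and overwritten."""
    with open(path, "w") as f:
        f.write(data)


def safe_tmp_write(path, data):
    """O_EXCL fails if anything already exists at `path` (a symlink
    included), O_NOFOLLOW refuses symlinks outright where the platform has
    it, and mode 0600 keeps other users from reading the result."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def demo():
    """Plant a symlink at a predictable name, then try both writers and
    report what happened to the victim file."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")
        with open(victim, "w") as f:
            f.write("original\n")
        planted = os.path.join(d, "gnorpm.12345")   # the name the attacker guessed
        os.symlink(victim, planted)

        unsafe_tmp_write(planted, "attacker controlled\n")
        with open(victim) as f:
            clobbered = f.read() != "original\n"

        try:
            safe_tmp_write(planted, "attacker controlled\n")
            refused = False
        except OSError as e:
            refused = e.errno in (errno.EEXIST, errno.ELOOP)

        # The usual fix goes one step further: let the library pick an
        # unpredictable name and open it O_EXCL with mode 0600 in one call.
        fd, fresh = tempfile.mkstemp(dir=d, prefix="gnorpm.")
        os.close(fd)
        fresh_mode = stat.S_IMODE(os.stat(fresh).st_mode)
        return {"unsafe_clobbered": clobbered, "safe_refused": refused,
                "mkstemp_private": fresh_mode == 0o600}
```

The C equivalents are mkstemp(3) and open(2) with O_CREAT|O_EXCL; checking with stat() or access() first and opening afterwards does not help, because the attacker can create the link in the window between the two calls.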

This week's updates:

thttpd exposes world-readable files. A CGI program called ssi, included with the thttpd server, allows visitors read access to any file on the server that is world readable or readable by the user the thttpd process runs as. The fix is to upgrade to 2.20, which has been patched to close this hole.

ISS issues security advisory for GNU Groff. Groff is the GNU version of troff, the text formatting package. According to the Internet Security Systems Security Advisory, groff will read untrusted commands from the current working directory. According to the advisory:

The vulnerability is particularly dangerous in Linux distributions that have the "lesspipe" feature. By default, a "LESSOPEN" environment variable is set which points to a wrapper script for the "less" pager program named "/usr/bin/lesspipe.sh". If less is passed a filename with any of the extensions ".1" through ".9", ".n", or ".man", it automatically calls groff to handle the file.

Commercial products. The following commercial products were reported to contain vulnerabilities:

Updates

LPRng, lpr format string vulnerability. Check the September 28th LWN Security Summary for the initial report.

This month's advisories:

Last month's advisories: Red Hat also issued an advisory for a similar problem in lpr.

Related advisories this month:

Rehashing an old su problem. LWN reported this past week on what appeared to be a new report on a format string vulnerability in /bin/su. However, that report turned out to be a rehashing of an older su problem related to problems found in glibc and reported on last month. The problems are serious and users should upgrade their glibc packages as soon as possible.

wu-ftp vulnerability. Check the June 15th LWN Security Summary for the original report of this problem. An upgrade to wu-ftpd 2.6.1 should fix the problem.

This week's updates:

Previous updates:

Discussion on this thread in BugTraq uncovered possible bugs in the ftp client as well, though it's not clear if this problem is exploitable in any way.

Resources

Other resources on security this week.

Events

Upcoming security events and announcements.
Date, event and location:
  October 4-6, 2000: 6th European Symposium on Research in Computer Security (ESORICS 2000). Toulouse, France.
  October 4-6, 2000: Elliptic Curve Cryptography (ECC 2000). University of Essen, Essen, Germany.
  October 11, 2000: The Internet Security Forum. Edinburgh, Scotland.
  October 14-21, 2000: SANS Network Security 2000. Monterey, CA, USA.
  October 16-19, 2000: 23rd National Information Systems Security Conference. Baltimore, MD, USA.
  October 29-November 2, 2000: SD 2000 (Software Development Conference). Washington D.C., USA.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


October 5, 2000


Secure Linux Projects
Bastille Linux
Immunix
Nexus
Secure Linux
Secure Linux (Flask)
Trustix

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara MNU/Linux Advisories
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
Linux Security Audit Project
LinuxSecurity.com
OpenSSH
OpenSEC
Security Focus
SecurityPortal

 


 
Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds