Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters All in one big page See also: last week's Security page. |
SecurityNews and EditorialsThe Danger of Allowing Users to Post Images. A major discussion thread on BugTraq this week started when John Percival posted a note entitled The Danger of Allowing Users to Post Images. With it, he included an exploit developed by Chris 'stallion' Lambert which could be used with almost any web script that uses cookie session/login data to validate CGI forms. Many such web scripts, including threaded discussion forums like Infopop's Ultimate Bulletin Board or ezboard allow users to post images to the forum. This means that they accept user input in the form of HTML-embedded references or URLs. They do not, however, necessarily check the input they receive to make sure it does not contain additional HTML commands, such as possible hostile query-strings. As a result, another user clicking on such as image may be unwittingly executing HTML commands. If such a user has additional privileges, such as a forum administrator, more damage can result. BugTraq ID 2871 addresses this issue and currently lists four affected applications: ezboard, Infopop's Ultimate Bulletin Board, VBulletin and WWWThreads. Fixes for Ultimate Bulletin Board and VBulletin have been made available. However, the basic issue is not specific to the applications, but just a demonstration that input verification vulnerabilities are extremely wide-spread in current web-based scripts. Time to take a look at your web scripts and look at how you are currently verifying the user input you receive, particularly if that input is in the form of HTML or other executable code. CRYPTO-GRAM Newsletter. Bruce Schneier's CRYPTO-GRAM Newsletter for June is out. It covers a wide range of topics, including the grc.com attacks and the Honeynet project. "The results are fascinating. A random computer on the Internet is scanned dozens of times a day. The life expectancy of a default installation of Red Hat 6.2 server, or the time before someone successfully hacks it, is less than 72 hours. A common home user setup, with Windows 98 and file sharing enabled, was hacked five times in four days. Systems are subjected to NetBIOS scans an average of 17 times a day. And the fastest time for a server being hacked: 15 minutes after plugging it into the network." One of the links inside this month's CRYPTO-GRAM is to The Strange Tale of Denial of Service, an account by Steve Gibson of his research into the world of distributed denial-of-service attacks. In this case, the machines used to deploy the attacks were running Microsoft Windows operating systems, but the victims could be any machine. From his experiences, he learned that major ISPs were simply unwilling to take action in response to this type of problem, that the US Federal government has too many problems to handle and will not look at "small" problems, such as the disablement of a single site, and that age does indeed shield youthful offenders within the US from prosecution. To quote Steve, "We can not have a stable Internet economy while 13-year-old children are free to deny arbitrary Internet services with impunity". Using a Cryptographic Hardware Token with Linux: the OpenSSL Project's New Engine (Linux Journal). Linux Journal's Paul Friburg takes a look at using OpenSSL's new engine to provide support for digitally-signed emails using a hardware token. "Hardware tokens are nearly tamper proof and assure that the data are originating from a given Linux PC provided that the token is plugged into it. ... Sadly, the token we were requested to integrate, the Chrysalis-ITS Luna2 PC card, was not on the list of the three tokens implemented in the engine. This forced us to go under the hood of the OpenSSL engine code. ". Security Reportssysklogd denial-of-service vulnerability. Immunix reports that the Linux kernel logging daemon klogd distributed with the sysklogd is vulnerable to a denial-of-service attack because it will shut down if it receives a null byte in a log message from the Linux kernel. A patch to fix the problem is available.fetchmail buffer overflow. Wolfram Kleff reported a buffer overflow in all versions of fetchmail. This is remotely exploitable and could lead to root access if fetchmail is run by root. An upgrade to fetchmail 5.8.6 will resolve the problem.
rxvt buffer overflow. Samuel "Zorgon" Dralet reported a buffer overflow in rxvt which can be exploited to gain group utmp privileges on some systems, which could allow the utmp file to be modified. A patch is available to fix the problem.
man page source buffer overflow. zen-parse reported a buffer overflow in man that, when manual pages begin with a '.so' statement, may be exploited to execute arbitrary code under the 'man' group id. No patch or update for man has been posted so far. For more details, check BugTraq ID 2872.MDBMS query display buffer overflow. teleh0r reported a buffer overflow in MDBMS, an SQL database server for Unix which provides source code and is free for non-commercial use. The buffer overflow can be exploited to execute arbitrary code. An updated version is available, containing a fix for the problem.BSD ptrace race condition vulnerability. The version of ptrace shipped with NetBSD and OpenBSD has been reported to contain a race condition which can be exploited to allow an unprivileged user to attach to a privileged process, elevating the attacker's privileges. OpenBSD has released patches to their kernel to resolve the problem; NetBSD has fixed the problem in their CVS tree.ghttp buffer overflow. The Gaztek HTTP daemon, ghttpd, is a GPL'd HTTP server with a small memory footprint that is capable of handling "thousands of simultaneous connections". A buffer overflow has been reported in version 1.4 that can be exploited by a remote attacker to run arbitrary code under the privileges of the ghttpd server. No fix for the problem has been reported so far. Proprietary products. The following proprietary products were reported to contain vulnerabilities:
Updatesexim format string vulnerability. Check the June 14th LWN Security Summary for the original report.This week's updates: Previous updates:xinetd buffer overflow. Check the June 14th LWN Security Summary for the initial report. The buffer overflow is in the ident logging portion of xinetd, so one workaround to the problem is to disable ident logging.This week's updates: xinetd default umask vulnerability. Check the June 7th LWN Security Summary for the original report. Fixing the problem simply requires that the default umask for xinetd be set to 022 instead of 000. This is also covered in BugTraq ID 2826.This week's updates: Previous updates:
OpenSSH tmplink vulnerability. Check the June 7th LWN Security Summary for the initial report. This is also covered in BugTraq ID 2825.This week, OpenSSH 2.9.p2 was released with a fix for the problem. ispell symbolic link vulnerabilities. Check the June 7th LWN Security Summary for the original report.This week's updates: Previous updates:Webmin environment variable inheritance vulnerability. Check the May 31st LWN Security Summary for the original report. This week's updates: Previous updates:gnupg format string vulnerability. Check the May 31st LWN Security Summary for the initial report. gnupg 1.0.5 and earlier are vulnerable; gnupg 1.0.6 contains a fix for this problem and an upgrade is recommended. Werner Koch also sent out a note warning of minor build problems with gnupg 1.0.6 when compiled without gcc.This week's updates:
gnupg. gnupg 1.0.5 was released on April 29th. Check the May 3rd LWN Security Summary for details. An upgrade to 1.0.5 is recommended.This week's updates: Previous updates:
Denial-of-service vulnerability in FTP server implementations. Check the March 22nd LWN Security Summary for the original report. Affected FTP daemons include ProFTPd, NetBSD FTP, PureFTPd (to some variants of this attack), BeroFTPD, and FreeBSD FTP.This week's updates: Previous updates:
Apache directory listing error. Check the March 8th LWN Security Summary for the initial report. Apache 1.3.18 and earlier are vulnerable; Apache 1.3.19 contains a fix for the problem.Previous reports: ResourcesBastille Linux 1.2. The Bastille Linux development team announced the release of Bastille Linux 1.2, a hardening script for multiple Linux distributions. CryptoMail 0.90. The first public release of CryptoMail, version 0.90, was announced this week. CryptoMail is an end-to-end secure email system. MySQL, Apache and Sendmail are required in order to run the server. More information is available at http://www.cryptomail.org. EventsUpcoming Security Events.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net. Section Editor: Liz Coolbaugh |
June 21, 2001
LWN Resources | |||||||||||||||||||||||||||