Author: Ryan Maple
week, advisories were released for acroread, ftpd, gaim, glibc, gv,
kdelibs, kernel, mozilla, mysql, Nessus, Netscape, pam, qt3, Roundup,
rsync, ruby, semi, spamassassin, squirrelmail, and Tomcat. The
distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake,
NetBSD, Red Hat, Suse, and Trustix.
Reducing the Risk
Reducing the risk of intrusion can be achieved by eliminating many of
the known common problems.
The vast majority of attacks are done by script kiddies who scan massive
IP blocks looking for a vulnerable computer, then run a program which
they don’t understand to exploit the vulnerability they’ve just
discovered. To block these script kiddies, just fix the common
vulnerabilities that the programs they use rely on.
Buffer Overflow
A buffer overflow attack is when the attacker sends malformed packets
to a service that cause a memory buffer to overflow. The
cracker hopes this will cause the program to crash and drop into
a root prompt. Buffer overflows happen because of programming
errors where input was not checked to be valid.
To prevent buffer overflows, all code must be meticulously hand checked
multiple times by multiple people. Since this is not often
possible, to limit the chances of being successfully cracked by a
buffer overflow attack, make sure you keep your systems up to date and
get rid of all excess services. The fewer services your server offers,
the less code there is that could contain a potential buffer overflow.
Also, there are kernel patches that prevent some forms of buffer
overflow.
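The unchecked-input error the tip describes, as an added example that is not from the original newsletter: a fixed-size buffer filled with strcpy and no length check, beside a hardened version that validates the length before copying. The function names, the 16-byte buffer size and the sample requests are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed fixed-size buffer in a network service */

/* Vulnerable pattern: the request is copied into a 16-byte stack
 * buffer with no length check, so a request longer than 15 bytes
 * overwrites whatever lies next to the buffer. Kept only to show the
 * bug class; never pass it untrusted input. */
void handle_request_unchecked(const char *request)
{
    char name[NAME_LEN];
    strcpy(name, request);            /* no bounds check: the bug */
    printf("hello %s\n", name);
}

/* Hardened form: validate the input length before copying. Returns 0
 * when the request fits and was copied into out, -1 when it was
 * rejected. Rejecting is preferable to silent truncation, which can
 * create inconsistencies elsewhere in the program. */
int handle_request_checked(const char *request, char *out, size_t out_len)
{
    size_t n = 0;
    while (n < out_len && request[n] != '\0')   /* bounded scan */
        n++;
    if (n == out_len)                 /* no room left for the terminator */
        return -1;
    memcpy(out, request, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* constructed sample requests: one well formed, one oversized */
    const char *good = "alice";
    const char *bad  = "this request is far longer than the buffer";
    char name[NAME_LEN];

    handle_request_unchecked(good);   /* safe here only because it fits */
    printf("checked good: %d\n", handle_request_checked(good, name, sizeof name));
    printf("checked bad:  %d\n", handle_request_checked(bad, name, sizeof name));
    return 0;
}
```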
Denial of Service
A Denial of Service, DoS, attack can come in many shapes and forms. The
Blue Screen of Death from Windows can be one if it is caused by someone
and not just poor programming. Also, the infamous DDoS attacks
from earlier this year are an example where multiple ‘zombie’ computers
coordinate together to attack a host all at the same time. A DoS attack
is anything that maliciously prevents the computer from doing what was
intended. This is usually accomplished by triggering errors in code
that cause the program to eat up all of the system’s resources.
IP Session Hi-Jacking
IP Session Hi-Jacking, also known as a man in the middle attack, is a
sophisticated attack which can now be done using tools circulating in
the script kiddie community. In an IP Session Hi-Jacking attack, a
user connects to a system using a service like telnet, then a cracker
intercepts the packets and tricks the system into thinking that the
cracker’s machine is actually the user’s machine. The user will
think her connection got dropped, when in actuality it is still going,
but it has been taken over by the cracker.
With this form of attack, there is no way to block it, but there are
checks that can be done to prevent it. Telnet is the type of
service that crackers want to hi-jack; it has shell access, is
unencrypted, and doesn’t perform many checks to make sure the person
really is who they say they are. SSH, on the other hand, would be
very hard to hi-jack; it has strong encryption, multiple checks of an
identity, and can have its shell access limited. Most services
can’t really be hi-jacked, but the ones that can, like telnet, usually
have a secure replacement, like SSH, that can be used instead.
Security Tip Written by Ryan Maple (ryan@guardiandigital.com)
Additional tips are available at the following URL:
http://www.linuxsecurity.com/tips/
LinuxSecurity
Feature Extras:
An Interview with Gary McGraw, Co-author of Exploiting Software: How to
Break Code – Gary McGraw is perhaps best known for his groundbreaking
work on securing software, having co-authored the classic Building
Secure Software (Addison-Wesley, 2002). More recently, he has
co-written with Greg Hoglund a companion volume, Exploiting Software,
which details software security from the vantage point of the other
side, the attacker. He has graciously agreed to share some of his
insights with all of us at LinuxSecurity.com.

Security Expert Dave Wreski Discusses Open Source Security – Dave
Wreski, CEO of Guardian Digital, Inc. and respected author of various
hardened security and Linux publications, talks about how Guardian
Digital is changing the face of IT security today. Guardian Digital is
perhaps best known for their hardened Linux solution EnGarde Secure
Linux, touted as the premier secure, open-source platform for its
comprehensive array of general purpose services, such as web, FTP,
email, DNS, IDS, routing, VPN, firewalling, and much more.
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.
Date | Package | Vulnerability

Distribution: Conectiva
8/13/2004 | squirrelmail | Multiple vulnerabilities
This patch addresses four vulnerabilities in SquirrelMail, including

Distribution: Debian
8/20/2004 | ruby | Insecure file permissions
This can lead an attacker who has also shell access to the webserver to

8/20/2004 | rsync | Insufficient path sanitation
The rsync developers have discovered a security related problem in rsync

8/20/2004 | kdelibs | Insecure temporary file vulnerability
This can be abused by a local attacker to create or truncate arbitrary

8/20/2004 | mysql | Insecure temporary file vulnerability
Jeroen van Wolffelaar discovered an insecure temporary file

Distribution: Fedora
8/20/2004 | rsync | Insufficient path sanitization
This update backports a security fix to a path-sanitizing flaw that

Distribution: Gentoo
8/13/2004 | Roundup | Filesystem access vulnerability
Roundup will make files owned by the user that it’s running as

8/13/2004 | gv | Buffer overflow vulnerability
gv contains an exploitable buffer overflow that allows an attacker to

8/13/2004 | Nessus | Race condition vulnerability
Nessus contains a vulnerability allowing a user to perform a privilege

8/13/2004 | Gaim | Buffer overflow vulnerability
Gaim contains a remotely exploitable buffer overflow vulnerability in

8/13/2004 | kdebase, kdelibs | Multiple vulnerabilities
KDE contains three security issues that can allow an attacker to

8/20/2004 | acroread | Buffer overflow vulnerabilities
Acroread contains two errors in the handling of UUEncoded filenames

8/20/2004 | Tomcat | Insecure installation
Improper file ownership may allow a member of the tomcat group to

8/20/2004 | glibc | Information leak vulnerability
glibc contains an information leak vulnerability allowing the debugging

8/20/2004 | rsync | Insufficient path sanitation
This vulnerability could allow the listing of arbitrary files and allow

8/20/2004 | xine-lib | Buffer overflow vulnerability
An attacker may construct a carefully-crafted playlist file which will

8/20/2004 | courier-imap | Format string vulnerability
An attacker may be able to execute arbitrary code as the user running

Distribution: Mandrake
8/13/2004 | gaim | Buffer overflow vulnerabilities
Sebastian Krahmer discovered two remotely exploitable buffer overflow

8/13/2004 | mozilla | Multiple vulnerabilities
A large number of Mozilla vulnerabilities is addressed by this update.

8/20/2004 | rsync | Insufficient path sanitation
If rsync is running in daemon mode, and not in a chrooted environment,

8/20/2004 | spamassassin | Denial of service vulnerability
Security fix prevents a denial of service attack open to certain

8/20/2004 | qt3 | Heap overflow vulnerability
This vulnerability could allow for the compromise of the account used to

Distribution: NetBSD
8/20/2004 | ftpd | Privilege escalation vulnerability
A set of flaws in the ftpd source code can be used together to achieve

Distribution: Red Hat
8/19/2004 | pam | Privilege escalation vulnerability
If the pam_wheel module was used with the “trust” option enabled, but

8/19/2004 | Itanium kernel | Multiple vulnerabilities
Updated Itanium kernel packages that fix a number of security issues

8/19/2004 | semi | Insecure temporary file vulnerability
Temporary files were being created without taking adequate precautions,

8/20/2004 | Netscape | Multiple vulnerabilities
Netscape Navigator and Netscape Communicator have been removed from the

8/20/2004 | kernel | Denial of service vulnerability
A bug in the SoundBlaster 16 code which did not properly handle certain

Distribution: Suse
8/20/2004 | rsync | Insufficient pathname sanitizing
If rsync is running in daemon-mode and without a chroot environment it

8/20/2004 | qt3 | Buffer overflow vulnerability
Chris Evans found a heap overflow in the BMP image format parser which

Distribution: Trustix
8/20/2004 | rsync | Path escape vulnerability
Please either enable chroot or upgrade to 2.6.1. People not running a