LinuxDevCenter.com
Security Alerts

Ramen Worm Attacks Red Hat Linux Machines

01/22/2001

Welcome to the Security Alerts column, an overview of new Unix and open source security-related advisories and news. Problems this week include the Ramen Internet worm; buffer overflows in MySQL, cu, tcpdump, micq, and jaZip; a temporary file problem with SuSE rctab; and VirusWall.

Ramen Worm

An Internet worm that attacks Red Hat Linux machines has cracked hundreds (thousands?) of machines by exploiting problems in rpc.statd and wu-ftpd. Once it has cracked a machine, it replaces the web server's default page and installs a rootkit. It then sends e-mail to two web-based accounts and starts scanning the network for its next victim. Once it starts scanning, it will consume a large amount of bandwidth. The danger from the worm is the bandwidth it uses and the possibility of the author or someone else using the rootkit to access your machine.

The patches for the holes that the worm exploits have been available for some time now. This is a good example of a problem that can be avoided by applying patches promptly and, even more importantly, by not running unnecessary services and applications. Keeping up with every security announcement can be hard. Securing your box up front can make things easier.

MySQL

MySQL, a popular SQL-based database, has a buffer overflow in all versions prior to 3.23.31. This vulnerability can be used to gain access to all databases on a server. A user with a login and password to at least one database on the server is required to exploit the buffer overflow.

It is recommended that users upgrade to version 3.23.31 or newer.

cu

cu, a utility in the uucp package that is used to call other systems, has a buffer overflow in the way it copies its name into an internal variable. On most systems, cu is installed as suid user uucp. Exploiting this overflow can potentially be leveraged into root access by replacing several commonly used applications (that are typically owned by uucp) with trojaned versions that will put back doors into place when executed by root. Also, on systems that are using uucp, the attacker gains access to the uucp files that can contain logins and passwords for other systems. It appears that versions of uucp based on Taylor uucp are not affected.

Systems that are not using uucp should remove the suid bit from cu or remove uucp altogether. Systems that are using uucp should watch their vendor for a patch.

tcpdump

Version 2.5.2 of tcpdump, a network analysis tool, has a remote buffer overflow. A remote exploit script has been released. As this tool is usually executed as root so that it can open the network interface in promiscuous mode, an attacker can use this problem to gain root.

At this time I am not aware of a patch for this problem. You should avoid using tcpdump until this problem has been fixed.

micq

An ICQ clone for Linux, micq has a remotely exploitable buffer overflow. This problem can allow a remote user to execute arbitrary code with the permissions of the user executing micq.

I am not aware of a patch for this problem. Check with your vendor for an updated version or a patch.

jaZip

A program for managing Iomega Zip or Jaz drives, jaZip has a buffer overflow. As this program is often installed suid root, it can be exploited by a malicious user to become root. An exploit script has been released for this problem.

If you are not using jaZip, you should remove it or remove its suid bit and watch your vendor for an update.
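The cu and jaZip items above end with the same mitigation: if you do not need the program, clear its suid bit. The script below is an example added to this column, not code from either advisory or from any vendor, to show that mitigation done carefully: it lists setuid files under a directory, clears the bit on one binary, and confirms the change actually took. The function names are assumptions, and the fake_cu file it creates under a temporary directory is a constructed stand-in so the demonstration runs without root; on a real system you would pass the installed cu or jaZip binary.

```sh
#!/bin/sh
# Added example (not from the cu or jaZip advisories): audit for setuid
# files and clear the bit on a binary that is not needed, the mitigation
# both items above recommend. Function names are assumptions.

# list_suid DIR: print every regular file under DIR with the setuid bit set.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# is_suid FILE: succeed if FILE has the setuid bit.
is_suid() {
    [ -u "$1" ]
}

# strip_suid FILE: clear the setuid bit and confirm it is really gone.
# Returns 0 when FILE ends up without the bit, 1 otherwise.
strip_suid() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "strip_suid: $f: no such file" >&2
        return 1
    fi
    if ! is_suid "$f"; then
        echo "strip_suid: $f: not setuid, nothing to do"
        return 0
    fi
    chmod u-s "$f" || return 1
    if is_suid "$f"; then
        echo "strip_suid: $f: setuid bit still set" >&2
        return 1
    fi
    echo "strip_suid: $f: setuid bit cleared"
}

# demo_strip: constructed stand-in for cu so the script runs without root.
# A real run would pass the installed binary, e.g. strip_suid /usr/bin/cu
# (path assumed; check where your system installs it). Prints the setuid
# count under the directory before and after: "1 0".
demo_strip() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho fake cu\n' > "$d/fake_cu"
    chmod 4755 "$d/fake_cu"
    before=$(list_suid "$d" | wc -l | tr -d ' ')
    strip_suid "$d/fake_cu" >/dev/null
    after=$(list_suid "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$before $after"
}
```

On a system you administer, list_suid / gives the full inventory of setuid binaries; each one that is not needed is a candidate for strip_suid or for removal of the package, which is the "securing your box up front" the Ramen item talks about.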

SuSE rctab

A script used in SuSE Linux to edit run levels, rctab has a problem in the way it uses the temporary directory. This problem with the temporary file code can be used to overwrite arbitrary files that the user running the program (in most cases root) has permission to write to.

The rctab script can be made safe by changing the line that reads mkdir -p ${tmpdir} to read mkdir ${tmpdir}.

A workaround for this type of insecure temporary directory race condition is to set the $TMP environment variable to a temporary directory that only you can write to, such as $HOME/tmp. This will cause many programs to use the specified location ($TMP) for their temporary files and provide some protection against this type of attack. I have not tested rctab for this behavior.
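To show why the one-line rctab change works, and how the $TMP workaround fits alongside it, here is a shell example added to this column; it is not the SuSE rctab script, and the function names and the rctab.PID directory name are assumptions. unsafe_mkdir uses the original mkdir -p, which reports success when something already exists at the expected name, including a symlink to a different directory, so a scratch file written afterwards follows the link. safe_mkdir uses plain mkdir, which fails on an existing name and stops the script. private_tmp creates the user-only temporary directory the workaround describes and exports it as both TMP and TMPDIR, since different programs honour different variables.

```sh
#!/bin/sh
# Added example (not from the SuSE rctab script): the mkdir -p vs mkdir
# difference behind the fix above, plus the private $TMP workaround.
# Function names and the rctab.$$ directory name are assumptions.

# unsafe_mkdir DIR: the original pattern. "mkdir -p" returns success when
# DIR already exists, including when it is a symlink to some other
# directory, so a name planted in advance by another local user is accepted.
unsafe_mkdir() {
    mkdir -p "$1"
}

# safe_mkdir DIR: the fixed pattern. Plain mkdir fails if anything already
# exists at DIR, so a planted name makes the script stop instead of writing
# through it.
safe_mkdir() {
    mkdir "$1"
}

# demo_planted: plant a symlink where the script expects to create its
# scratch directory (constructed, inside a throwaway base directory), then
# try both patterns. Prints "followed refused written".
demo_planted() {
    base=$(mktemp -d) || return 1
    mkdir "$base/victim"               # stands in for a directory the user should not reach
    tmpdir="$base/rctab.$$"
    ln -s "$base/victim" "$tmpdir"     # the planted symlink
    if unsafe_mkdir "$tmpdir" 2>/dev/null; then
        : > "$tmpdir/scratch"          # the "temporary" file lands in victim/
        u=followed
    else
        u=refused
    fi
    if safe_mkdir "$tmpdir" 2>/dev/null; then s=followed; else s=refused; fi
    if [ -e "$base/victim/scratch" ]; then v=written; else v=untouched; fi
    rm -rf "$base"
    echo "$u $s $v"
}

# private_tmp [DIR]: the workaround from the column. Creates DIR (default
# $HOME/tmp) with mode 0700, refuses it if someone else owns it, and exports
# it as both TMP and TMPDIR so programs that honour either variable use it.
private_tmp() {
    dir="${1:-$HOME/tmp}"
    if [ ! -d "$dir" ]; then
        mkdir -m 700 "$dir" || return 1
    fi
    chmod 700 "$dir" || return 1
    if [ ! -O "$dir" ]; then
        echo "private_tmp: $dir is not owned by you" >&2
        return 1
    fi
    TMP="$dir"
    TMPDIR="$dir"
    export TMP TMPDIR
    echo "$dir"
}

# tmp_mode DIR: the octal permission bits of DIR (GNU stat first, then BSD stat).
tmp_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}
```

Calling private_tmp from your shell start-up file gives every program that honours TMP or TMPDIR a directory nobody else can pre-populate; as the column notes, whether a given script such as rctab actually consults those variables has to be checked per program.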

Interscan VirusWall

Trend Micro's Interscan VirusWall is a real-time virus detection and cleanup tool. Several problems have been reported: When passwords are changed by the administrator, they are sent across the network in the clear; the user name and password are embedded in each get request used by the administrator; and it creates predictable temporary files that can be used to overwrite files that can be written to by the user running VirusWall.

It is recommended that you only install VirusWall on a stand-alone box and not use the browser-based configuration tools remotely. It has been reported that Trend Micro is not going to release patches for these problems and will instead release a new version in late February or early March.

Veritas Backup Exec

It has been reported that the agent component of Veritas Backup Exec (a multi-platform backup solution) hangs when a connection is made to its port and no data is sent. This type of connection can be caused by actions such as a port scan. This problem has been reported for the agents running under Linux, AIX, Solaris, MS Windows, and Mac.

At this time I am not aware of any patches or workarounds for this problem.

Oracle Application Server

A patch for the problem with the mod_plsql function in the Oracle Application Server has been released by Oracle. This patch allows the administrator to exclude URLs with specific formats from being passed to mod_plsql. By default this patch excludes URLs with special characters such as space, newline, tab, single quotes, and backslash.

It is recommended by Oracle that this patch be applied to Internet Application Server version 1.0.2.0.

IBM Websphere Commerce Suite

I have been informed that the problems with IBM Websphere include all of the IBM Websphere application servers and not just the commerce server, and that in addition to securing the admin.config, you also need to secure the sas.server.properties file. It was also recommended that you do not place domain admin accounts into Websphere directly.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
