Unix/Linux Security Update


11/02/2000 HEPiX-HEPNT 2000, Jefferson Lab 1

Unix/Linux Security Update

Bob Cowles

November 2, 2000


Outline

• Intro

• Format String

• Buffer Overflows

• Symlink following

• Specials

• Conclusions


Intro (1/3)

• Microsoft Security Bulletins
  – 1998: 20
  – 1999: 61
  – 2000 (first 5 months): 37
  – 2000 (first 10 months): 82

• http://www.securityfocus.com

• http://www.securityportal.com


Intro (2/3)

• DDoS is still a problem
  – Often placed on compromised machines
  – Selection of clients is improving (!)

• AES selection is complete
  – Rijndael selected
  – Expected to be good in mobile, low-power platforms

• Microsoft breakin comments


Intro (3/3)

Hacked web servers 10/31, courtesy of attrition.org


Format String

• Affects all Unix/Linux systems

• Started with QPOPPER in May

• We haven’t seen the end

• Latest is ypbind

• Severe in LOCALE subsystem and environment variable passing of telnet
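The locale vector above exists because a catalog-supplied translation ends up as the format argument of printf. The following check is added here (not from the slides or any particular program) and rejects a translation whose sequence of conversions differs from the original message, the same idea gettext's msgfmt --check applies at catalog build time; translation_format_is_safe and collect_directives are names I chose.

```c
#include <stdio.h>
#include <string.h>

/* Collect the conversion character of every printf directive in fmt, skipping
 * "%%" and any flags, width, precision, positional and length modifiers.
 * Returns the number of directives found (even when more than max fit in
 * convs), or -1 for a malformed format such as a trailing lone '%'. */
static int collect_directives(const char *fmt, char *convs, int max)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                 /* "%%" prints a literal percent sign */
            continue;
        while (*p && strchr("-+ #0123456789.$hlLqjzt", *p))
            p++;                       /* the conversion letter decides the type */
        if (*p == '\0' || *p == '*')
            return -1;                 /* lone '%' at end, or '*' width: reject conservatively */
        if (n < max)
            convs[n] = *p;
        n++;
    }
    return n;
}

/* A message-catalog translation may replace the original only if it consumes
 * exactly the same sequence of conversions. Otherwise a catalog entry with
 * added %x or %n directives would read or write memory the caller never
 * passed. Returns 1 if the translation is safe to use, 0 if it must be rejected. */
int translation_format_is_safe(const char *original, const char *translated)
{
    char a[32], b[32];
    int na = collect_directives(original, a, sizeof a);
    int nb = collect_directives(translated, b, sizeof b);
    if (na < 0 || nb < 0 || na != nb || na > (int)sizeof a)
        return 0;
    return memcmp(a, b, (size_t)na) == 0;
}
```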


Format String Alerts (1/2)

• May
  – QPOPPER

• June
  – Various ftpd

• July
  – BitchX IRC client
  – rpc.statd (nfs-utils)

• August
  – GNU Mailman
  – NAI Net Tools PKI server
  – IRIX telnetd
  – xlock

• September
  – Locale subsystem
  – screen
  – klogd
  – KDE kvt
  – LPRng
  – lpr
  – SCO help http server


Format String Alerts (2/2)

• October
  – Cfengine
  – eeprom in BSD, libutil, fstat
  – BSD telnet (remote)
  – PHP error logging
  – ypbind


Buffer Overflows

• April
  – Solaris ufsrestore
  – Solaris lp/lpstat/lpset

• May
  – netpr
  – kerb4 and kerb5 in compatibility mode
    • Remote exploits for klogin, ksu, krshd

• September
  – Pine remote exploit using From: line

• October
  – dump
  – tcpdump


Symlink Following

• Mgetty / faxrund
  – Creates .last_run in a world-writable directory
  – Follows symlinks, allowing:
    • File creation anywhere
    • File smashing
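The .last_run problem above is the classic pattern of creating a file by name in a directory other users can write to. As an added example (not mgetty's code), this is how a daemon can create such a file without ever following a planted symlink; create_state_file and its EPERM policy for non-sticky world-writable directories are my own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a fresh state file inside a shared directory without following a
 * symlink someone may have planted under that name. Returns an open
 * descriptor, or -1 with errno set:
 *   EEXIST  the name already exists (regular file or symlink); the caller must
 *           treat this as an error instead of truncating through it
 *   EPERM   directory is world-writable without the sticky bit: refuse */
int create_state_file(const char *dir, const char *name)
{
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    struct stat st;
    if (fstat(dfd, &st) < 0) {
        close(dfd);
        return -1;
    }
    if ((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX)) {
        close(dfd);
        errno = EPERM;
        return -1;
    }
    /* O_EXCL: fail instead of reusing an existing path, a symlink included.
     * O_NOFOLLOW: never dereference the final path component.
     * openat() relative to dfd means the directory itself cannot be swapped for
     * a symlink between the fstat() check and the create. */
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int saved = errno;
    close(dfd);
    errno = saved;
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s DIR NAME\n", argv[0]);
        return 2;
    }
    int fd = create_state_file(argv[1], argv[2]);
    if (fd < 0) {
        perror("create_state_file");
        return 1;
    }
    close(fd);
    return 0;
}
```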


Specials

• Cisco

• Linux capabilities

• Cross site scripting

• PGP

• Netscape

• RSA

• Sun key compromise


Cisco

• 04/19 Access to priv mode in catalyst switch (fix 5.4(2))

• 04/20 IOS reload when telnetd port is scanned

• 05/15 Router crash with httpd enabled


Linux Capabilities

• Capabilities available in release 2.2.x

• Fine-grain privilege setting

• Inherited from parent process

• Can prevent suid program dropping root

• Exploits used sendmail and procmail

• Temporary fix from CERN

• Current fix is to require 2.2.16


Cross Site Scripting

• Problem inherent in browser/server design

• Fix is up to proper application design by web developers

• Can be used to steal cookies or read/write local files

• 09/07 E*Trade user names and passwords are remotely recoverable


PGP

• Affects version 4 of PGP public keys
  – Mostly Diffie-Hellman
  – Additional decryption keys

• Part of public key not covered by encrypted checksum – allows insertion of additional, unauthorized decryption keys

• Primary issue is one of confidence in PGP


Netscape

• SSL certificate validation code error
  – Happens if host name mismatch
  – No further validation for future use of certificate

• Brown Orifice httpd
  – Delivered in a number of modes
  – Advertised itself as compromised
  – Fix forced upgrade to 4.75


RSA

• 09/06 Code was released to public domain 2 weeks prior to patent expiration

• Expect a greater volume of encryption products to be released over the next year


SUN Certificate Compromise

• Web server certificate compromised

• First admitted case for major vendor

• http://sunsolve5.sun.com/secbull/certificate_howto.html to determine if certificate has been accepted


IIS Unicode

• Not UNIX, but very important; allows remote execution of commands (cmd, tftp)

• Other Unicode exploits are likely in other programs needing to edit input data

• Difficult to remove all “dangerous” characters – too many ways to represent them
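The "too many ways to represent them" point is exactly why filtering dangerous characters before canonicalisation fails. As an added example (not IIS code), a strict UTF-8 check that rejects overlong encodings, followed by the ".." check applied only to canonical bytes; it assumes the server's %XX decoding has already produced raw bytes, and utf8_is_canonical / request_path_ok are my names.

```c
#include <stddef.h>
#include <string.h>

/* Strict UTF-8 check: each code point must use its shortest encoding, so an
 * overlong form (for example a two-byte encoding of '/') is rejected instead
 * of being silently decoded to the same character. 1 = canonical, 0 = not. */
int utf8_is_canonical(const unsigned char *s, size_t n)
{
    static const unsigned lowest[] = { 0, 0, 0x80, 0x800, 0x10000 };
    for (size_t i = 0; i < n; ) {
        unsigned c = s[i];
        if (c < 0x80) { i++; continue; }              /* plain ASCII */
        int len = (c & 0xE0) == 0xC0 ? 2 : (c & 0xF0) == 0xE0 ? 3 : (c & 0xF8) == 0xF0 ? 4 : 0;
        if (len == 0 || i + len > n) return 0;        /* bad lead byte or truncated */
        unsigned cp = c & (0x7Fu >> len);             /* payload bits of the lead byte */
        for (int k = 1; k < len; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;  /* not a continuation byte */
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < lowest[len] || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return 0;                                 /* overlong, out of range, surrogate */
        i += len;
    }
    return 1;
}

/* Decide whether a decoded request path may be served. The order matters:
 * reject anything non-canonical first, and only then look for ".." and
 * embedded NULs; a blacklist applied before canonicalisation is what an
 * alternate encoding slips past. 1 = accept, 0 = reject. */
int request_path_ok(const unsigned char *path, size_t n)
{
    if (!utf8_is_canonical(path, n) || memchr(path, 0, n))
        return 0;
    for (size_t i = 0; i + 1 < n; i++)
        if (path[i] == '.' && path[i + 1] == '.')
            return 0;
    return 1;
}
```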


Recommendations

• Leverage security concerns to gain control of OS configurations
  – Security is not a part of the service organization

• Limit visibility of complex protocols
  – Block if possible, otherwise allow only “well maintained” servers
  – HTTP and XML are going to have many more security issues


Questions?