Lion Worm Continues Rampage
04/03/2001
Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at the Lion worm; a race condition in the Linux kernel; buffer overflows in several SCO Unix utilities; a new version of MySQL that fixes a major security problem; vulnerabilities in some Cisco routers, switches, and concentrators; and problems with Raptor Firewall, CrazyWWWBoard, Solaris tip, and Pitbull LX.
The Lion worm has been found spreading itself across the Internet by exploiting a known vulnerability in BIND on Linux systems. Once the worm gains root permissions by exploiting BIND, it emails /etc/shadow and some network settings to a china.com address; removes /etc/hosts.deny; installs back doors that listen on ports 60008 and 33567; stops syslogd; replaces login with a version that contains a back door; and installs the t0rn root kit. The Lion worm then starts scanning random class B network ranges for its next victim. There are two known versions of the worm propagating across the Internet, with only minor differences reported between them.
The Lion worm is a very good example of why system administrators should watch for and react to security-related announcements. The BIND exploit the worm uses was announced in January, and administrators who updated at the time of the announcement would not have been affected by the worm.
SANS has released a utility to scan systems for the Lion worm. However, at this time there is no automated way to remove the worm. If you are using a tool such as tripwire, you will know which files the worm changed and which need to be restored. If not, your only choice may be to reinstall the operating system.
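As an added illustration of the tripwire-style check described above (example code written for this summary, not from SANS, the original column, or the Lion scanner), the script below compares a stored baseline of file hashes against current hashes and looks for TCP listeners on the two back-door ports the advisory names. The /proc/net/tcp snapshot and the file hashes are constructed sample data, and /bin/login is an assumed path for the login binary the worm replaces.

```python
import hashlib
from typing import Dict, List, Set

# Back-door ports named in the advisory.
LION_BACKDOOR_PORTS = {60008, 33567}

# Constructed /proc/net/tcp snapshot. State 0A is LISTEN; the local port is the
# hex value after the colon (0016 = 22, EA68 = 60008, 831F = 33567).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 00000000 300 0 0 2 -1
   1: 00000000:EA68 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2002 1 00000000 300 0 0 2 -1
   2: 00000000:831F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2003 1 00000000 300 0 0 2 -1
   3: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 2004 1 00000000 300 0 0 2 -1
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline (recorded before infection) and current hashes.
# /bin/login is an assumed path for the login binary the advisory says is replaced.
BASELINE_HASHES = {
    "/bin/login": sha256_hex(b"constructed: original login binary"),
    "/etc/hosts.deny": sha256_hex(b"constructed: ALL: ALL"),
    "/etc/passwd": sha256_hex(b"constructed: root:x:0:0:root:/root:/bin/sh"),
}
CURRENT_HASHES = {
    "/bin/login": sha256_hex(b"constructed: back-doored login binary"),
    # /etc/hosts.deny is absent here because the worm removes it.
    "/etc/passwd": BASELINE_HASHES["/etc/passwd"],
}


def parse_listening_ports(proc_net_tcp: str) -> Set[int]:
    """Return local TCP ports in LISTEN state from /proc/net/tcp text."""
    ports: Set[int] = set()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Tripwire-style comparison: baseline files that changed or disappeared."""
    modified = sorted(p for p, h in baseline.items() if p in current and current[p] != h)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "missing": missing}


def lion_findings(listening: Set[int], baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Combine the port check and the file-integrity check into one list of findings."""
    findings = [f"listener on Lion back-door port {p}" for p in sorted(listening & LION_BACKDOOR_PORTS)]
    changes = diff_baseline(baseline, current)
    findings += [f"modified file: {p}" for p in changes["modified"]]
    findings += [f"missing file: {p}" for p in changes["missing"]]
    return findings


def run_sample() -> List[str]:
    """Run the checks over the constructed sample data."""
    return lion_findings(parse_listening_ports(SAMPLE_PROC_NET_TCP), BASELINE_HASHES, CURRENT_HASHES)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On a real host the baseline would be recorded on a clean system and the current hashes read from disk; the port check reads /proc/net/tcp directly. A match on either check is grounds for treating the host as compromised and restoring from known-good media, as the paragraph advises.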
Alerts this week:
There is a race condition in versions of the Linux kernel prior to 2.2.19 that an attacker may use to gain root privileges. Several exploits have been published that use the race condition against arbitrary suid programs.
Administrators of Linux systems should upgrade the kernel to version 2.2.19 as soon as possible.
MySQL version 3.23.36 has been released. This release fixes a problem in which an attacker could use a database name containing .. to overwrite arbitrary files with the permissions of the user running the MySQL server. It is recommended that users upgrade to version 3.23.36 as soon as possible.
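The MySQL problem is a path-traversal flaw: a database name is mapped to a directory under the data directory, so a name containing .. can name a directory outside it. The example below (added here for illustration; it is not MySQL's code and /var/lib/mysql is an assumed data directory) shows an unchecked mapping beside a containment check that only accepts names resolving to a direct child of the data directory.

```python
import posixpath

# Assumed data directory for illustration; the real MySQL datadir is site-specific.
DATADIR = "/var/lib/mysql"


def naive_db_dir(datadir: str, name: str) -> str:
    """Directory a database name maps to when it is joined without any check.
    Models the class of flaw described above (constructed, not MySQL's code)."""
    return posixpath.normpath(posixpath.join(datadir, name))


def is_safe_db_name(datadir: str, name: str) -> bool:
    """True only if <datadir>/<name> resolves to a direct child of datadir."""
    if not name or name in (".", ".."):
        return False
    if any(ch in name for ch in "/\\\x00"):  # no separators or NUL bytes
        return False
    base = posixpath.normpath(datadir)
    full = posixpath.normpath(posixpath.join(base, name))
    # The resolved path must sit immediately under datadir and keep its own name.
    return posixpath.dirname(full) == base and posixpath.basename(full) == name


def safe_db_dir(datadir: str, name: str) -> str:
    """Hardened mapping: reject anything that could escape the data directory."""
    if not is_safe_db_name(datadir, name):
        raise ValueError(f"rejected database name: {name!r}")
    return posixpath.join(posixpath.normpath(datadir), name)


if __name__ == "__main__":
    print("unchecked:", naive_db_dir(DATADIR, "../../etc"))  # escapes the datadir
    print("checked:  ", safe_db_dir(DATADIR, "shop"))
```

Note that the check is about where the path resolves, not about the substring "..": a name such as a..b contains two dots but cannot leave the data directory, and it is accepted.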
The Raptor firewall is a cross-platform firewall, distributed by the Symantec Corporation, that is designed to be easy to administer. If HTTP traffic has been allowed, Raptor Firewall versions 6.5 and earlier will allow proxy web connections through both the internal and external interfaces.
Proxy connections can be blocked on both interfaces by adding an http.noproxy directive to the Raptor configuration files, or on one interface by adding a rule with http.noproxy in the advanced features tab.
Symantec plans in its next release to change the external interface's default behavior so that it will not forward proxy connections, and to make the http.noproxy functionality more accessible in the management console.
A series of security announcements were made this week reporting buffer overflows in setuid programs shipped as part of SCO Unix 5.0.6. The suid programs reported to have buffer overflows belong to MMDF (Multi-channel Memo Distribution Facility). These buffer overflows all have the potential to be exploited to gain root privileges. MMDF is a mail handler that is installed if sendmail is not chosen during installation. When MMDF is installed, a wrapper named sendmail is installed that actually calls the MMDF package.
Users should contact their vendor for patches.
Hewlett-Packard has announced that a flaw in the newgrp command in HP-UX 11.11 can be used to gain additional permissions.
Hewlett-Packard recommends that users of HP-UX version 11.11 apply patch PHCO_23083.
CrazyWWWBoard, a commercial bulletin board system for Linux, has a buffer overflow in the full edition and the limited edition that can be used to execute arbitrary code as the user running the web server. An exploit for this buffer overflow has been released.
Users should contact their vendor for an update.
Some Cisco routers and switches that run Cisco IOS have a vulnerability that can lead to the accidental exposure of SNMP community strings, which an attacker can use to gain information about the router's or switch's configuration for additional attacks.
Also, some Cisco VPN3000 series of concentrators can be rebooted by sending a large amount of data to the telnet or SSL port of the device.
Users of these devices are encouraged to contact Cisco for information on determining if their devices are affected and to obtain patches.
The tip command is used to access the serial port to dial a modem and connect to a remote system. The version of tip supplied under Solaris does not properly handle some of its environment variables and is exploitable to gain additional privileges.
Users should remove the setuid bit from tip and watch Sun for a patch.
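The workaround for tip, and a recurring theme in this column, is to find setuid programs you do not need and clear the bit. The script below is an added example (not from Sun or the original column) that walks a directory for regular files with the setuid bit set and strips it, which is what chmod u-s does. The demo creates a constructed placeholder file named tip in a temporary directory rather than touching the real /usr/bin/tip.

```python
import os
import stat
import tempfile
from typing import List, Tuple


def find_setuid_files(root: str) -> List[str]:
    """Walk root and return regular files that carry the setuid bit."""
    found: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # vanished or unreadable; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def strip_setuid(path: str) -> bool:
    """Clear the setuid bit (equivalent to chmod u-s); return True if it is now clear."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~stat.S_ISUID)
    return not (os.stat(path).st_mode & stat.S_ISUID)


def demo() -> Tuple[int, int]:
    """Constructed demo: count setuid files in a temp dir before and after stripping."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_tip = os.path.join(tmp, "tip")  # placeholder file, not the real tip binary
        with open(fake_tip, "wb") as f:
            f.write(b"#!/bin/sh\nexit 0\n")
        os.chmod(fake_tip, 0o4755)  # mark it setuid, as a real tip would be
        before = len(find_setuid_files(tmp))
        strip_setuid(fake_tip)
        after = len(find_setuid_files(tmp))
        return before, after


if __name__ == "__main__":
    print("setuid files before/after:", demo())
```

Run against a real tree (for example /usr/bin) the first function produces an inventory to review; only strip the bit from programs you have decided do not need it, because some, such as passwd, must keep it to work.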
All versions of Pitbull LX, a commercial package used to add security features to Linux, have a potential security problem that may be used to obtain full control over the system. To exploit the flaw, the attacker must first obtain root privileges through some other exploit (on Pitbull systems the root user has additional restrictions). The attacker can then modify the ModProbePath kernel variable (one of the variables that Pitbull does not protect) and use modprobe to execute arbitrary code and bypass Pitbull's protections.
Roland Postle found this vulnerability during an online cracking contest and said about Pitbull, "Pitbull is a _very_ secure product. In my opinion, one of the very best security solutions. It's used by many online banks. But not many products are 100% secure...."
An unofficial patch can be downloaded from Argus Systems or the kernel can be recompiled without loadable module support. Users should watch Argus Systems for an official solution.