LinuxDevCenter.com

Security Alerts

Looking at the lpdw0rm Worm

05/01/2001

Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at the lpdw0rm worm; an updated version of OpenSSL; buffer overflows in MIT Kerberos 5's FTP daemon and in Mercury for NetWare's POP3 daemon; a format string vulnerability in gftp; a symbolic link race condition in nedit's backup files; a temporary file race condition in rpmdrake; and problems in phpMyAdmin, Debian's zope packages, and the Tektronix PhaserLink 850's web server.

lpdw0rm

A new Linux worm, lpdw0rm, attacks Red Hat Linux 7.0 machines by exploiting the published format string vulnerability in LPRng, the print spooler shipped with that release. As with similar worms, it installs several back doors and mails information about the machine to its author after a successful attack. SecurityFocus reported that the author of the worm is a 19-year-old programmer from Australia who wrote the worm just to see if she could do it, that it had been released into the wild about a month earlier, and that the author had been receiving mail from hundreds of compromised machines a day.

Once again administrators should watch for security alerts, run only the minimum services needed, and keep their systems as up to date as possible.

gftp

gftp, a graphical FTP client written using the GTK+ toolkit, has a format string vulnerability: text sent by the remote FTP server is handed to a printf-style function as the format string rather than as data. A malicious FTP server can exploit this to execute arbitrary code on the local machine with the privileges of the user running gftp.

This vulnerability is fixed in gftp version 2.0.8 and all users are encouraged to upgrade as soon as possible.
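Both the LPRng bug that lpdw0rm exploits and the gftp bug above belong to the same class: untrusted text (a print job's control data, an FTP server's reply) reaches a printf-style function as the format argument instead of as an argument to a constant format. The C program below is an added illustration written for this column, not code from LPRng, gftp or the worm. The logger log_message, the two handler functions, the audit helper count_directives and the sample server replies are all constructed for the demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_MAX 256
static char last_log[LOG_MAX];

/* A printf-style logger of the kind found in daemons and clients (think
 * syslog() or fprintf(stderr, ...)): everything that arrives in `fmt` is
 * parsed for %-directives. Hypothetical helper, constructed for this demo. */
static void log_message(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the server's reply is used *as* the format string.
 * A reply containing %x walks the caller's stack, %s dereferences stack
 * words, and %n writes a counter to an address the attacker supplied. */
void log_reply_vulnerable(const char *server_reply)
{
    log_message(server_reply);
}

/* Fixed pattern: constant format string, untrusted text passed only as data. */
void log_reply_fixed(const char *server_reply)
{
    log_message("%s", server_reply);
}

const char *last_logged(void)
{
    return last_log;
}

/* Audit helper: how many conversions would this text trigger if it were
 * ever used as a format string? "%%" is a literal percent and does not count. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;                /* skip the escaped percent sign */
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed FTP server replies for the demo. */
    const char *tricky  = "220 100%% mirrored";  /* harmless, but shows the parsing */
    const char *hostile = "220 %x.%x.%x.%n";     /* what an attacking server would send */

    log_reply_vulnerable(tricky);
    printf("vulnerable: %s\n", last_logged());   /* "220 100% mirrored": reply was parsed */
    log_reply_fixed(tricky);
    printf("fixed:      %s\n", last_logged());   /* "220 100%% mirrored": logged verbatim */

    /* The hostile reply is deliberately never passed to the vulnerable path:
     * that is undefined behaviour (reads past the argument list, then a
     * write through %n). The fixed path just logs it as text. */
    log_reply_fixed(hostile);
    printf("fixed:      %s (%d directives would have fired)\n",
           last_logged(), count_directives(hostile));
    return 0;
}
```

The difference shows even on a benign reply: the vulnerable path turns "100%%" into "100%", proof that the server's bytes were interpreted, while the fixed path stores them unchanged. When auditing, compiling with -Wformat-nonliteral flags every call where the format is not a literal, which is exactly the call site log_reply_vulnerable contains.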

OpenSSL

Version 0.9.6 of OpenSSL has been released and includes the following security fixes:

  • it no longer consults environment variables when running as root, so a privileged program can no longer be pointed at attacker-controlled configuration or certificate files,
  • it now checks the result of an RSA-CRT private-key operation by verifying it with the public exponent before using it, because a single incorrect CRT signature lets an attacker factor the modulus and so calculate the private key (the Boneh-DeMillo-Lipton fault attack),
  • it has been changed to protect against Bleichenbacher's attack on DSA, which exploits bias in the generation of the per-signature random value k, and
  • the premaster secret is now zeroed in memory once the master secret has been derived from it.

The authors of OpenSSL recommend that users upgrade to version 0.9.6 or newer.
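The RSA-CRT check in the list above is the countermeasure to the fault attack of Boneh, DeMillo and Lipton: when a private-key operation is computed with the Chinese Remainder Theorem and one of the two halves goes wrong, the wrong signature reveals a prime factor of the modulus. The C program below is an added illustration written for this column, not OpenSSL code. The key (two 16-bit primes, far too small for real use), the message and the function names are constructed for the demo, and the "fault" is simulated by flipping one bit in the mod-q half.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy RSA key, constructed for the demo: n fits in 32 bits so that every
 * intermediate product fits in a uint64_t. Real keys are 2048 bits or more. */
#define RSA_P 65521u
#define RSA_Q 65519u
#define RSA_E 65537u
#define RSA_N ((uint64_t)RSA_P * RSA_Q)

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (a % m) * (b % m) % m;          /* both factors < 2^32, no overflow */
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1;
    base %= m;
    while (exp) {
        if (exp & 1)
            r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

static uint64_t gcd64(uint64_t a, uint64_t b)
{
    while (b) {
        uint64_t t = a % b;
        a = b;
        b = t;
    }
    return a;
}

/* Modular inverse by the extended Euclidean algorithm (a and m coprime). */
static uint64_t invmod(uint64_t a, uint64_t m)
{
    int64_t t = 0, nt = 1, r = (int64_t)m, nr = (int64_t)(a % m);
    while (nr) {
        int64_t q = r / nr, tmp;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Private-key operation using the CRT, the fast path every RSA library
 * uses. inject_fault simulates a glitch in the mod-q half of the work. */
uint64_t rsa_sign_crt(uint64_t m, int inject_fault)
{
    uint64_t d    = invmod(RSA_E, (uint64_t)(RSA_P - 1) * (RSA_Q - 1));
    uint64_t dp   = d % (RSA_P - 1), dq = d % (RSA_Q - 1);
    uint64_t qinv = invmod(RSA_Q, RSA_P);
    uint64_t sp   = powmod(m, dp, RSA_P);
    uint64_t sq   = powmod(m, dq, RSA_Q);
    if (inject_fault)
        sq ^= 1;                           /* one flipped bit in one half */
    /* Garner recombination: s = sq + q * (qinv * (sp - sq) mod p) */
    uint64_t h = mulmod(qinv, (sp + RSA_P - sq % RSA_P) % RSA_P, RSA_P);
    return sq + h * RSA_Q;
}

int rsa_verify(uint64_t sig, uint64_t m)
{
    return powmod(sig, RSA_E, RSA_N) == m % RSA_N;
}

/* The countermeasure: re-check the CRT result with the public exponent
 * before releasing it. Returns 0 and stores the signature, or -1. */
int rsa_sign_checked(uint64_t m, int inject_fault, uint64_t *sig_out)
{
    uint64_t s = rsa_sign_crt(m, inject_fault);
    if (!rsa_verify(s, m))
        return -1;                         /* a faulty result never leaves the box */
    *sig_out = s;
    return 0;
}

/* The attack: a faulty signature s' is still correct mod p but wrong mod q,
 * so s'^e - m is divisible by p and not by q, and gcd(s'^e - m, n) = p. */
uint64_t recover_prime_from_faulty_sig(uint64_t faulty_sig, uint64_t m)
{
    uint64_t diff = (powmod(faulty_sig, RSA_E, RSA_N) + RSA_N - m % RSA_N) % RSA_N;
    return gcd64(diff, RSA_N);
}

int main(void)
{
    uint64_t m = 123456789u, sig;          /* constructed message hash */
    printf("good signature verifies:   %d\n", rsa_verify(rsa_sign_crt(m, 0), m));
    printf("faulty signature verifies: %d\n", rsa_verify(rsa_sign_crt(m, 1), m));
    printf("factor leaked by faulty signature: %llu (p = %u)\n",
           (unsigned long long)recover_prime_from_faulty_sig(rsa_sign_crt(m, 1), m), RSA_P);
    printf("checked signing with a fault returns: %d\n", rsa_sign_checked(m, 1, &sig));
    return 0;
}
```

The check costs one public-exponent exponentiation per private operation, which is cheap next to the CRT work itself, and it is the only thing standing between a transient hardware error (or an induced one) and the loss of the key.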

nedit

nedit, the Nirvana Editor, is a text editor similar to editors available for Microsoft Windows. We reported last week on a temporary file race condition in nedit. This week it has been announced that there is also a symbolic link race condition in the way it writes its incremental backups and backup files: if an attacker plants a symbolic link where a backup is about to be written, the backup is written through the link into a file of the attacker's choosing, with the privileges of the user running the editor. To exploit this, the attacker must be able to create symbolic links in the directory where the backups are made.

As we suggested last week, any user of nedit should upgrade to version 5.1.1 or newer.

rpmdrake

rpmdrake is a graphical RPM manager and download tool for Linux Mandrake systems. The version of rpmdrake that shipped with version 8.0 of Linux Mandrake has a temporary file race condition that an attacker may be able to exploit to execute arbitrary code as the root user.

The Linux Mandrake security team recommends that all users of Linux Mandrake 8.0 upgrade to rpmdrake version 1.3.32.1mdk.
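The nedit backup-file bug and the rpmdrake temporary-file bug are the same class of flaw: the program settles on a file name it expects to create, and in the window before it opens that name an attacker plants a symbolic link there, so the write lands in a file of the attacker's choosing with the program's privileges. The C program below is an added illustration written for this column, not code from nedit, rpmdrake or Mandrake. It stages the attacker's link in a scratch directory under /tmp and compares the racy open() with the atomic O_CREAT|O_EXCL|O_NOFOLLOW form; the function names, file names and sample data are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Racy: opens whatever `path` currently names. If an attacker planted a
 * symlink there, the data is written into the link's target. */
int write_backup_unsafe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Hardened: the existence check and the creation are one atomic syscall.
 * O_EXCL refuses any pre-existing name, a dangling symlink included, with
 * EEXIST; O_NOFOLLOW additionally rejects a symlink with ELOOP. */
int write_backup_safe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;          /* errno says why; the caller must not retry blindly */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Read a small file back into buf; returns bytes read or -1. */
static ssize_t slurp(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n >= 0)
        buf[n] = '\0';
    return n;
}

/* Stage the race: the attacker's symlink already sits at the backup name.
 * Returns a bitmask: 1 = unsafe open succeeded, 2 = the victim file now
 * holds the editor's data, 4 = the safe open refused the symlink. */
int run_symlink_race_demo(void)
{
    char dir[] = "/tmp/backup-race.XXXXXX";
    char victim[128], backup[128], buf[64];
    const char *secret = "editor buffer contents\n";   /* constructed */
    int result = 0;

    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(backup, sizeof backup, "%s/file.txt.bck", dir);

    /* Attacker: a file they want clobbered, and a link of the backup's name. */
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0)
        close(fd);
    if (symlink(victim, backup) == 0) {
        if (write_backup_unsafe(backup, secret) == 0)
            result |= 1;
        if (slurp(victim, buf, sizeof buf) > 0 && strcmp(buf, secret) == 0)
            result |= 2;
        if (write_backup_safe(backup, secret) == -1 &&
            (errno == EEXIST || errno == ELOOP))
            result |= 4;
    }

    unlink(backup);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_symlink_race_demo();
    printf("unsafe open followed the symlink: %s\n", (r & 1) ? "yes" : "no");
    printf("victim file overwritten:          %s\n", (r & 2) ? "yes" : "no");
    printf("O_EXCL|O_NOFOLLOW refused it:     %s\n", (r & 4) ? "yes" : "no");
    return r == 7 ? 0 : 1;
}
```

Note that an existence check with stat() or access() before the open() would not help: the attacker can create the link between the check and the open, which is the race the advisories describe. For genuinely temporary files, mkstemp() does the same O_CREAT|O_EXCL open on a name it picks itself.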

phpMyAdmin

It has been reported that phpMyAdmin, a web-based front end to MySQL written in PHP, has a vulnerability that can allow an attacker to execute arbitrary code on the server with the permissions of the user the web server runs as. Versions 2.1.0 and earlier were reported to be vulnerable.

Users should watch the PHPWizard web site for an updated version.

MIT Kerberos 5 FTPD

The FTP daemon included with MIT's Kerberos 5 package has a remote buffer overflow that can be exploited to obtain root-level access to the server. An attacker must be able to log in to the server before the overflow can be triggered, either with a local account or as an anonymous user if anonymous FTP is enabled.

It is recommended that users of the MIT Kerberos FTP daemon upgrade to a version patched to fix this problem.

Debian's zope Packages

Debian has issued a new security advisory for its zope packages. In the previous security update from Debian, several vulnerabilities were introduced or not fixed properly: one hotfix included in that update broke user authentication and should not have been included, and a second hotfix failed to fix its intended bug, leaving systems vulnerable to the exploit.

Debian recommends that all users of zope under Debian update their zope packages to the newest security update immediately.

Mercury for NetWare POP3

The POP3 server included with the Mercury MTA package for NetWare servers has a remote buffer overflow that can be used to crash the server and may be usable to execute arbitrary code on it.

It is reported that this buffer overflow was fixed in Mercury 1.48 and it is recommended that users upgrade to this version or newer.

Tektronix PhaserLink 850's Web Server

The Tektronix PhaserLink 850 printer has a built-in web server that can be used for administering the printer. A hidden back door was discovered that allows the built-in security features of this web server to be bypassed.

It is recommended that this printer, and any other printer that can be configured over the network, be placed behind a firewall so that its administrative interface is reachable only from trusted management hosts.

There have been more and more reports of security problems in small, limited-function devices such as printers, DSL bridges, and network switches, and we expect this trend to continue. Small devices are getting more sophisticated and complicated: devices that in the past were configured using DIP switches are now being sold with web servers. Many of these devices are going to be designed for the convenience of end users and tech support people rather than for security, and many will rely on security by obscurity.

If not firewalled, these devices will cost support staff a lot of time and energy as crackers find each device's secrets and vulnerabilities.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

