Looking at the lpdw0rm Worm05/01/2001
Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at the lpdw0rm worm; an updated version of OpenSSL; buffer overflows in MIT Kerberos 5's FTP Daemon, and Mercury for NetWare's POP3 Daemon; a string format vulnerability in gftp; a symbolic link race condition in nedit's backup files; a temporary file race condition in rpmdrake; and problems in phpMyAdmin, Debian's zope packages, and the Tektronix PhaserLink 850's Web Server.
A new Linux worm, lpdw0rm, attacks Red Hat Linux 7.0 machines by exploiting a published vulnerability in lprng. As with similar worms, it installs several back doors and mails information after it successfully attacks a machine. It was reported by SecurityFocus that the author of the worm is a 19-year-old programmer from Australia who wrote the worm just to see if she could do it, that it had been released into the wild a month ago, and that the author had been getting mail from hundreds of compromised machines a day.
Once again administrators should watch for security alerts, run only the minimum services needed, and keep their systems as up to date as possible.
gftp, a graphical FTP client written using the GTK+ tool kit, has a string format vulnerability that can be exploited by a malicious FTP server to execute arbitrary commands on the local machine.
Alerts this week
This vulnerability is fixed in gftp version 2.0.8 and all users are encouraged to upgrade as soon as possible.
Version 0.9.6 of OpenSSL has been released and includes the following fixes:
- it will no longer use environmental variables when running as root,
- it now checks the result of RSA-CRT to reduce the possibility of calculating the private key from an incorrect signature,
- it has been changed to protect against Bleichenbacher's DSA attack, and
- the premaster secret is now zeroed once the master secret has been derived.
The authors of OpenSSL recommend that users upgrade to version 0.9.6 or newer.
nedit, the Nirvana Editor, is a text editor similar to editors available for Microsoft Windows. We reported last week on a temporary file race condition vulnerability in nedit. This week it has been announced that there is also a symbolic link race condition with the incremental backups and backup files. In order to exploit this attack the attacker must be able to create symbolic links in the same directory as the backups are being made.
As we suggested last week, any user of nedit should upgrade to version 5.1.1 or newer.
rpmdrake is a graphical RPM manager and download tool for Linux Mandrake systems. The version of rpmdrake that shipped with version 8.0 of Linux Mandrake has a temporary file race condition that an attacker may be able to exploit to execute arbitrary code as the root user.
The Linux Mandrake security team recommends that all users of Linux Mandrake 8.0 upgrade to rpmdrake version 220.127.116.11mdk.
It has been reported that phpMyadmin, a web-based front end to MySQL written using PHP, has a vulnerability that can allow an attacker to execute arbitrary code on the server with the permissions of the user running the web server. Versions 2.1.0 and earlier were reported to be vulnerable.
Users should watch the PHPWizard web site for an updated version.
The FTP daemon that is included with MIT's Kerberos 5 package has a remote buffer overflow that can be exploited to obtain root level access to a server. An attacker must be able to log into the server prior to being able to exploit the buffer overflow. They can login to the server either with a local account or by connecting as an anonymous user if this feature is enabled.
It is recommended that users of the MIT Kerberos FTP daemon upgrade to a version patched to fix this problem.
Debian has issued a new security advisory for their zope packages. In the last security update from Debian, several vulnerabilities were introduced or not fixed properly. A hotfix that was included in the last security update broke the user authentication and should not have been included. A second hotpatch included in that update failed to fix its intended bug leaving systems vulnerable to the exploit.
Debian recommends that all users of zope under Debian update their zope packages to the newest security update immediately.
The POP3 server that is included as part of the Mercury MTA package for Netware servers has a remote buffer overflow that can be used to crash the server and may be used to execute arbitrary code on the server.
It is reported that this buffer overflow was fixed in Mercury 1.48 and it is recommended that users upgrade to this version or newer.
The Tektronix PhaserLink 850 printer has a built-in web server that can be used for administering the printer. A hidden back door was discovered that allows the built-in security features of this web server to be bypassed.
It is recommended that users of this printer or any other printer that allows itself to be configured through the network be placed behind a firewall.
There have been more and more reports of security problems in small, limited function devices such as printers, DSL bridges, and network switches. We expect this trend to continue. Small devices are getting more sophisticated and complicated. Devices that in the past were configured using dip switches are now being sold with web servers. Many of these machines are going to be designed for the ease of end users and tech support people, rather than for security. Many of these machines will to use security by obscurity.
If not firewalled these devices will cost support staff a lot of time and energy as crackers find the secrets and vulnerabilities of each device.
Read more Security Alerts columns.
Return to the Linux DevCenter.