Apache.org Server Compromised
by Noel Davis
Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at the compromise of the Apache Software Foundation Server; buffer overflows in yppasswd, Qpopper, and mailtool; vulnerabilities in TWIG, webmin, and GnuPG; a new type of attack against sendmail; and discuss the use of the user nobody.
The public server used by the Apache Software Foundation to provide the source code repository, binary distribution, web services, and public mailing lists was compromised earlier this month. The cracker is reported to have gained access to an account on the Apache Software Foundation's server via the compromise of the SourceForge servers. Once the attacker had an account, root access was obtained through a bug in OpenSSH, followed by replacement of OpenSSH and other software with trojaned versions.
An automated nightly audit caught the changes in the executables and alerted the administrators of the server. Once alerted to the problem they shut down SSH, did an audit of the server through a serial console, reinstalled the operating system, removed all the back doors, and zeroed out compromised passwords. The administrators then turned SSH back on and enabled commit access to the source code repositories.
The Apache Software Foundation has done a careful audit of the source code and binary repositories on the server and, as of March 29th, no problems or changes had been found. They have asked that anyone with information concerning the compromise of apache.org or other related compromises contact firstname.lastname@example.org.
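The change that saved apache.org was an automated comparison of the installed executables against a known-good record. As an added example (not the column's or the Apache Software Foundation's own tooling), the POSIX shell script below records a SHA-256 digest and mode string for every regular file under a directory and, on a later run, reports files that were added, removed or changed, including a setuid or setgid bit flipped on an unchanged binary. It assumes sha256sum (GNU coreutils or BusyBox), mktemp and POSIX find/awk/ls; the function names, the cron-style usage and the /usr/local/bin path are illustrative. The baseline file has to live where an intruder with root cannot rewrite it (read-only media or a remote copy), or the audit only confirms whatever the attacker left behind.

```shell
#!/bin/sh
# Added example (not from the column or the ASF): a nightly executable audit.
# Assumes: sha256sum (GNU coreutils / BusyBox), mktemp, POSIX find/awk/ls.

# build_baseline DIR OUT
# Write one tab-separated line per regular file under DIR: digest, mode string, path.
build_baseline() {
    dir=$1; out=$2
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        mode=$(ls -ld "$f" | cut -d' ' -f1)   # e.g. -rwsr-xr-x; a setuid flip is a change too
        printf '%s\t%s\t%s\n' "$sum" "$mode" "$f"
    done > "$out"
}

# check_baseline DIR BASELINE
# Rebuild the listing and compare it with BASELINE. Prints ADDED/REMOVED/CHANGED
# lines and returns 1 if anything differs, 0 if the tree matches the baseline.
check_baseline() {
    dir=$1; base=$2
    cur=$(mktemp)
    build_baseline "$dir" "$cur"
    diffs=$(awk -F'\t' '
        FILENAME == ARGV[1] { old[$3] = $1 "\t" $2; next }   # first file: the baseline
        {
            seen[$3] = 1
            if (!($3 in old))                  print "ADDED " $3
            else if (old[$3] != ($1 "\t" $2))  print "CHANGED " $3
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$base" "$cur")
    rm -f "$cur"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Usage: sh audit.sh baseline /usr/local/bin /root/bin.base    (once, on a clean box)
#        sh audit.sh check    /usr/local/bin /root/bin.base    (nightly, from cron)
case "${1:-}" in
    baseline) build_baseline "$2" "$3" ;;
    check)    check_baseline "$2" "$3" ;;
esac
```

The comparison is keyed on the full path so a renamed or freshly dropped file shows up as REMOVED plus ADDED rather than being silently matched; the mode string is compared alongside the digest because a trojan that only adds a setuid bit to an existing binary leaves its hash untouched.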
Alerts this week:
TWIG, a free web-based email reader written in PHP, does not properly check all of its variables before passing them as a query to the database, which could allow an attacker to construct a query to provide complete control over the tables and data in the database. This is known to affect TWIG version 2.6.2 and earlier.
Users of TWIG should watch the TWIG web site for an update.
There is a buffer overflow with a published exploit that attacks Solaris machines running NIS and the yppasswd daemon. It has been reported that Solaris 2.6, 7, and 8 are vulnerable to this attack.
It is suggested that users turn off yppasswd until a patch from Sun has been applied, and firewall any machines running NIS off the Internet. It should be noted that firewalling the machines will not protect from an inside attack and that turning off yppasswd will prevent users from changing their
webmin, a web-based administration tool, does not clear its environment variables properly. This can be used by a local attacker to gain root-level access.
It is recommended that users upgrade to webmin version 0.82 or newer.
sendmail has been found to be vulnerable to a race condition in its signal handling routines. At this time there are no known exploits for this vulnerability.
Sendmail, Inc., and the Sendmail Consortium have announced sendmail 8.11.4. This new version of sendmail changes the handling of signals to reduce the chance of a race condition leading to heap corruption and fixes other bugs.
Sendmail, Inc., and the Sendmail Consortium recommend that users upgrade to version 8.11.4 to prevent a compromise in the event a method is discovered to exploit the signal handling race condition.
The GNU privacy guard, GnuPG, is a replacement for the PGP (Pretty Good Privacy) software. There is a format string bug in GnuPG's code, which processes the filename of a file to be decrypted, that an attacker can use to execute arbitrary code with the permissions of the user decrypting the file. This bug affects versions 1.0.5 and earlier.
All users of GnuPG are advised to upgrade to version 1.0.6 or newer as soon as possible.
Qpopper, a Unix POP mail server, has a buffer overflow that may be exploitable by an attacker to gain root access to the server. It has been reported that the buffer overflow affects all versions of Qpopper 4.x prior to 4.0.3.
All users of Qpopper should upgrade to version 4.0.3 or newer, which is available at ftp://ftp.qualcomm.com/eudora/servers/unix/popper/.
There is a buffer overflow in the Solaris mailtool program that is known to affect Solaris 8 and 2.6 systems and may affect other versions of Solaris. mailtool is installed set-group-id (setgid) mail.
Users should remove the set group id bit from mailtool until a patch from Sun has been applied.
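Clearing the bit is a one-line chmod, but the useful part of the interim fix is checking that it took and seeing what else in the same directory hands out a group. The script below is an added example, not from the column or from Sun: it lists every setgid file under a directory with its owner and group, clears the bit on a named file and verifies the result. It assumes POSIX find, chmod and ls and the [ -g FILE ] test; the mailtool path is a placeholder to be replaced with the binary's actual location on the system being fixed.

```shell
#!/bin/sh
# Added example (not from the column or Sun): audit and clear set-group-id bits.
# Assumes POSIX find, chmod, ls and the [ -g FILE ] test. The mailtool path below
# is a placeholder (assumption), not a path taken from the column.

# list_setgid DIR: print every regular file under DIR with the setgid bit set,
# with mode, owner and group, so the admin can see which group each one grants.
list_setgid() {
    find "$1" -type f -perm -2000 -exec ls -ld {} \;
}

# clear_setgid FILE: remove the setgid bit, then verify it is really gone.
# Returns 0 when the bit is clear afterwards, 1 if chmod did not take,
# 2 if FILE does not exist (so a typo in the path is not mistaken for success).
clear_setgid() {
    f=$1
    [ -f "$f" ] || return 2
    if [ -g "$f" ]; then
        ls -ld "$f"            # record the mode being changed, for the change log
        chmod g-s "$f"
    fi
    [ -g "$f" ] && return 1
    return 0
}

# Usage (as root): sh setgid.sh run
# Clears the bit on mailtool, then lists what else in that directory is setgid
# so the same interim fix can be considered for those binaries.
if [ "${1:-}" = "run" ]; then
    MAILTOOL=${MAILTOOL:-/usr/openwin/bin/mailtool}   # placeholder path (assumption)
    clear_setgid "$MAILTOOL" || echo "could not clear setgid on $MAILTOOL" >&2
    list_setgid "$(dirname "$MAILTOOL")"
fi
```

Once the vendor patch is applied the bit has to go back on for mailtool to work, so the ls -ld line printed before the chmod is worth keeping in the change log.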
Sometimes the conventional wisdom is wrong, and sometimes we can find ourselves picking up habits or methods that we would change if we only thought through them. I am talking specifically about the use of the user nobody. How many of us run applications and daemons under the user nobody? How many web servers are running as the user nobody? I know that all of mine have -- not out of planning or careful consideration of the issues -- because that was the way I learned to do it and never gave it a lot of thought.
I never gave it a lot of thought until this week when I read a Bugtraq post, by Darren Moffat, which explained that the user nobody should not be used as a general purpose account, that it was created to be the user that root gets mapped to under NFS, and that there should never be sensitive files owned by the user nobody. I knew about NFS, but I'd never thought very much about the nobody account and some of the risks involved in running multiple applications under it.
Darren is right: the proper way to have a "nobody" account for applications and daemons is to create individual accounts for each one of them and grant them only the permissions they need and not to use the nobody account as a general purpose, catch-all account.
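As an added example, not from the column or from Darren Moffat's post, the script below does the two checks that follow from his point and prints the account setup that replaces the shared nobody: it reads ps output and lists each distinct command running as nobody (more than one means the account is being shared), finds files under a directory owned by nobody (nothing sensitive should be there, and anything one nobody daemon can write, every other nobody daemon can write too), and emits the commands for a locked, no-login system account dedicated to one daemon. It assumes POSIX ps, awk and find; the groupadd/useradd -r flags and /sbin/nologin are Linux shadow-utils conventions (an assumption), and the sample ps lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the column or the Bugtraq post): find what shares the
# nobody account, then show the per-daemon account that should replace it.
# Assumes POSIX ps/awk/find; useradd/groupadd -r and /sbin/nologin are Linux
# shadow-utils conventions (assumption).

# nobody_commands < ps-output
# Read `ps -eo user,pid,comm` output on stdin (header first) and print each
# distinct command running as nobody, once.
nobody_commands() {
    awk 'NR > 1 && $1 == "nobody" && !seen[$NF]++ { print $NF }'
}

# nobody_files DIR: files and directories under DIR owned by nobody. Sensitive
# data here is readable and usually writable by every daemon running as nobody.
nobody_files() {
    find "$1" -user nobody 2>/dev/null
}

# service_account NAME: print the commands (for review, then run as root) that
# create a system group and a locked, no-login account dedicated to one daemon.
# -r asks for a system uid/gid; no home and no shell leave nothing to log in to.
service_account() {
    name=$1
    printf 'groupadd -r %s\n' "$name"
    printf 'useradd -r -g %s -d /nonexistent -s /sbin/nologin %s\n' "$name" "$name"
}

# Usage: sh nobody-audit.sh           lists commands running as nobody on this host
#        sh nobody-audit.sh files DIR lists nobody-owned paths under DIR
#        sh nobody-audit.sh new NAME  prints the account setup for daemon NAME
case "${1:-}" in
    "")    ps -eo user,pid,comm | nobody_commands ;;
    files) nobody_files "$2" ;;
    new)   service_account "$2" ;;
esac
```

Every command the first check prints is a candidate for its own account: create it, chown the daemon's own spool or data directory to that user, and point the daemon's configuration at the new name; the files check afterwards should come back empty for anything that daemon needs to keep private.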