Linux Virus Reported
09/18/2001
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a report on the Remote Shell Trojan Linux-based virus; buffer overflows in fetchmail, Gauntlet Firewall, Open Unix's lpsystem, the BSD line printer daemon, and Digital Unix's msgchk; a symbolic link race condition in Check Point Firewall-1; and problems in mod_auth_oracle and the PostgreSQL PAM and NSS modules.
- Remote Shell Trojan
- Hiding the Apache Version and Modules
- mod_auth_pgsql and mod_auth_pgsql_sys
- Gauntlet Firewall
- Open Unix lpsystem
- PostgreSQL PAM and NSS Modules
- BSD Line Printer Daemon
- Check Point Firewall-1
- Digital Unix msgchk
It has been reported that the Remote Shell Trojan is a Linux-based virus that infects ELF binaries. When executed, the Remote Shell Trojan is reported to attempt to infect all the utilities in the /bin directory and the current working directory, and then spawn a listening process on port 5503.
A reported cleaning script has been released that claims to disinfect ELF binaries infected with the Remote Shell Trojan. At this time, it is not clear if the cleaning script is safe to use.
It is recommended that system administrators perform only tasks that require root privileges as the root user, that they ensure the current directory (".") is not in root's path, and that they do not run user-writable binaries as root. Following these practices greatly reduces the chance of infecting the system with a virus.
Apache will tell remote hosts its version and give out some information on the modules that are loaded, giving an attacker valuable information that can be used in planning or executing an attack against the server.
This behavior can be modified in Apache using the ServerTokens directive in the
ServerTokens takes the following parameters (the directive defaults to Full):
- Full sends the version of Apache, the operating system, and loaded modules.
- Minimal will only return the version of Apache.
- Product will only send that it is Apache.
- OS will send the version of Apache and the operating system that it is running on.
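As an added illustration (not code from this column or from Apache), the following C functions classify a Server response header into the four ServerTokens levels listed above and flag anything more revealing than Product, which is how an administrator can confirm the directive took effect; the enum names, function names and the header strings in the comments are constructed for this example.

```c
#include <ctype.h>
#include <string.h>

/* The four ServerTokens levels described above, plus a value for a header
 * that is not an Apache banner at all. */
typedef enum { NOT_APACHE, LEVEL_PRODUCT, LEVEL_MINIMAL, LEVEL_OS, LEVEL_FULL } TokensLevel;

static const char *skip_spaces(const char *p)
{
    while (*p != '\0' && isspace((unsigned char)*p)) p++;
    return p;
}

/* Work out which ServerTokens level would produce a given Server header:
 *   "Apache"                             -> Product
 *   "Apache/1.3.20"                      -> Minimal
 *   "Apache/1.3.20 (Unix)"               -> OS
 *   "Apache/1.3.20 (Unix) mod_ssl/2.8.4" -> Full (anything after the OS is modules) */
TokensLevel classify_server_tokens(const char *header)
{
    const char *p = header;
    int has_version = 0, has_os = 0;

    if (strncmp(p, "Apache", 6) != 0) return NOT_APACHE;
    p += 6;
    if (*p != '\0' && *p != '/' && !isspace((unsigned char)*p)) return NOT_APACHE;
    if (*p == '/') {                            /* version string follows */
        has_version = 1;
        while (*p != '\0' && !isspace((unsigned char)*p)) p++;
    }
    p = skip_spaces(p);
    if (*p == '(') {                            /* "(Unix)" and similar */
        const char *close = strchr(p, ')');
        if (close == NULL) return NOT_APACHE;   /* malformed banner */
        has_os = 1;
        p = skip_spaces(close + 1);
    }
    if (*p != '\0') return LEVEL_FULL;          /* trailing module tokens */
    if (has_os) return LEVEL_OS;
    if (has_version) return LEVEL_MINIMAL;
    return LEVEL_PRODUCT;
}

/* Defender's check: anything beyond the bare product name reveals the version. */
int banner_leaks_version(const char *header)
{
    TokensLevel level = classify_server_tokens(header);
    return level != NOT_APACHE && level != LEVEL_PRODUCT;
}
```

Feed it the value of the Server header your own server returns; a result other than Product means the directive is still exposing the version.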
fetchmail has a remotely-exploitable buffer overflow that can allow a remote user to execute arbitrary code with the permissions of the user running
fetchmail uses the message index numbers sent by the mail server as an index into an internal array. If the remote mail server sends a negative number, fetchmail will overflow its buffer.
Users should upgrade fetchmail to a version newer than 5.8.9.
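An added example, not fetchmail's own code: the index-handling pattern the column describes, with the unchecked version beside a hardened one that validates the server-supplied number before using it as an array index. The array, function names and sample fields are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_MESSAGES 64

/* Constructed per-message bookkeeping that stands in for the internal array
 * the column describes; it is not fetchmail's own data structure. */
static unsigned char seen[MAX_MESSAGES];

/* Vulnerable pattern: the message number the mail server sent is used as an
 * index without any check. A negative number from a hostile server writes
 * before the start of the array; an oversized one writes past its end. */
void mark_seen_unchecked(const char *field)
{
    int idx = atoi(field);  /* "-1" silently becomes -1 */
    seen[idx] = 1;          /* out-of-bounds write when idx < 0 or idx >= MAX_MESSAGES */
}

/* Hardened form: parse strictly and reject anything outside the range the
 * client itself knows about. Returns the accepted index, or -1 on rejection. */
int mark_seen_checked(const char *field, int message_count)
{
    char *end;
    long idx;

    errno = 0;
    idx = strtol(field, &end, 10);
    if (end == field || *end != '\0' || errno == ERANGE)
        return -1;          /* not a clean decimal number */
    if (idx < 0 || idx >= message_count || idx >= MAX_MESSAGES)
        return -1;          /* negative, or beyond what the client expects */
    seen[idx] = 1;
    return (int)idx;
}

int main(void)
{
    /* Constructed index fields as a mail server might send them:
     * valid, negative, oversized, and trailing junk. */
    const char *fields[] = { "3", "-1", "999", "12abc" };
    int message_count = 10;  /* how many messages the server claimed to hold */

    for (int i = 0; i < 4; i++)
        printf("%-6s -> %d\n", fields[i], mark_seen_checked(fields[i], message_count));
    return 0;
}
```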
mod_auth_pgsql_sys Apache modules have a vulnerability that can be exploited by an attacker to inject arbitrary SQL statements and gain unauthorized access to the database. It has been reported that version 0.9.5 of mod_auth_pgsql and version 0.9.4 of mod_auth_pgsql_sys are vulnerable.
mod_auth_pgsql_sys should upgrade to a fixed version as soon as possible. They also should consider disabling database access for the modules until they have been fixed.
Gauntlet Firewall has a buffer overflow vulnerability in the smapd email applications that can be exploited by a user sending mail through the system to execute arbitrary commands with the permissions of the user running smapd. This vulnerability affects Gauntlet for Unix versions 5.x, PGP e-ppliance 300 series version 1.0, and McAfee e-ppliance 100 and 120 series.
PGP Security has created patches for this problem and recommends that users download and apply them as soon as possible.
The Open Unix lpsystem command has a buffer overflow that may be exploitable by an attacker to execute arbitrary commands with the permissions of the root user. Open Unix version 8.0 has been reported to be vulnerable.
Caldera recommends that users update their lpsystem command with the patched version from their website.
mod_auth_oracle Apache module has a vulnerability that can be used by an attacker to execute arbitrary stored procedures and cause arbitrary data to be returned.
mod_auth_oracle should upgrade to a fixed version as soon as possible. They also should consider disabling database access for the module until it has been fixed.
A new version of bugzilla has been released that repairs numerous security problems. Security problems fixed include parameters not being checked or escaped safely and several problems that could be abused to get information on confidential bugs without proper permissions.
Red Hat recommends that users of bugzilla upgrade to version 2.14 or newer as soon as possible.
Noel Davis has his thoughts on last week's attacks on RootPrompt.org.
PostgreSQL PAM and NSS Modules are vulnerable to an attack that can be used to execute arbitrary SQL commands during a password-based login to the system. This vulnerability may be usable to successfully log in to a system without a valid password. Modules reported to be vulnerable include: pam_pgsql 0.0.3, and
Users of vulnerable modules should upgrade to a repaired version as soon as possible. They should consider moving to a non-database-based authentication method until this problem has been fixed, or should block unauthorized access with a firewall, tcp_wrappers, or other access controls.
The BSD line printer daemon, lpd, has a buffer overflow that can be used by a remote attacker to execute arbitrary code on the server as the root user.
Users should watch for an update from the FreeBSD security team.
Check Point Firewall-1 versions 3.0b and 4.0 have been reported to be vulnerable to a symbolic link race condition that can be exploited to gain root permissions.
It is recommended that users upgrade to Check Point Firewall-1 version 4.1 with the latest service pack.
The set user id root utility msgchk supplied with Digital Unix 4.0 has a buffer overflow that can be exploited to execute code as the root user.
Users should remove the set user id bit from the