LinuxDevCenter.com
Security Alerts

Linux Virus Reported

09/18/2001

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a report on the Remote Shell Trojan Linux-based virus; buffer overflows in fetchmail, Gauntlet Firewall, Open Unix's lpsystem, the BSD line printer daemon, and Digital Unix's msgchk; a symbolic link race condition in Check Point Firewall-1; and problems in mod_auth_pgsql, mod_auth_pgsql_sys, bugzilla, mod_auth_oracle, and PostgreSQL PAM and NSS Modules.

Remote Shell Trojan

It has been reported that the Remote Shell Trojan is a Linux-based virus that infects ELF binaries. When executed, the Remote Shell Trojan is reported to attempt to infect all the utilities in the /bin directory and the current working directory, and then spawn a listening process on port 5503.

A reported cleaning script has been released that claims to disinfect ELF binaries infected with the Remote Shell Trojan. At this time, it is not clear if the cleaning script is safe to use.

It is recommended that system administrators do as root only those tasks that actually require root permissions, that they ensure the current directory (".") is not in root's path, and that they never run user-writable binaries as root. Doing so removes almost every opportunity for a virus to infect the system.
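The two PATH-related precautions above can be checked mechanically. The following is an added example (not code from the column): it flags any PATH component that would make a shell search the current directory, and any existing component directory that a non-root user could write to. The function names are hypothetical.

```c
/* Added example (not from the column): audit a PATH value for the two
 * conditions the column warns about. Function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* 1 if a PATH component makes the shell search the current directory:
 * ".", an empty component ("a::b", leading or trailing ":"), or any
 * other relative path. */
int path_component_searches_cwd(const char *comp)
{
    return comp[0] == '\0' || comp[0] != '/';
}

/* 1 if the directory exists and is either not owned by root or is
 * group/world writable, so a non-root user could place a binary there
 * that root later runs by name. 0 otherwise (including a missing path). */
int dir_writable_by_non_root(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0;
}

/* Splits PATH on ':' by hand (strtok would silently drop the empty
 * components we care about), prints each problem and returns the count. */
int audit_path(const char *path)
{
    char buf[4096];
    char *p = buf;
    int findings = 0;
    strncpy(buf, path, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (;;) {
        char *sep = strchr(p, ':');
        if (sep) *sep = '\0';
        if (path_component_searches_cwd(p)) {
            printf("unsafe: \"%s\" searches the current directory\n", p);
            findings++;
        } else if (dir_writable_by_non_root(p)) {
            printf("unsafe: %s is writable by non-root users\n", p);
            findings++;
        }
        if (!sep) break;
        p = sep + 1;
    }
    return findings;
}
```

Run it as root against `getenv("PATH")` (or against the PATH set in root's shell startup files) and treat any non-zero return as something to fix before the next `su`.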

Hiding the Apache Version and Modules

By default, Apache tells remote hosts its version and gives out some information about the modules it has loaded, handing an attacker valuable information for planning or executing an attack against the server.

This behavior can be changed with the ServerTokens directive in the httpd.conf file. ServerTokens accepts the values Minimal, ProductOnly, OS, and Full. It defaults to Full, which sends the Apache version, the operating system, and the loaded modules. OS sends the Apache version and the operating system it is running on. Minimal sends only the Apache version. ProductOnly sends only that the server is Apache.
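After setting `ServerTokens ProductOnly`, an administrator will want to confirm the change took effect by looking at the Server header the server now returns. The following added example (not from the column or from Apache) maps a Server header value back to the ServerTokens level that produced it; the function and enum names are hypothetical, and the header strings are constructed to match the four levels described above.

```c
/* Added example (not from the column): map the value of a Server: response
 * header back to the ServerTokens level that produced it, so an admin can
 * confirm the directive took effect. Names are hypothetical. */
#include <ctype.h>
#include <string.h>

enum tokens_level { TOKENS_UNKNOWN, TOKENS_PRODUCTONLY, TOKENS_MINIMAL,
                    TOKENS_OS, TOKENS_FULL };

/* "Apache"                          -> ProductOnly
 * "Apache/1.3.20"                   -> Minimal
 * "Apache/1.3.20 (Unix)"            -> OS
 * "Apache/1.3.20 (Unix) mod_x/1.0"  -> Full (modules follow the OS)
 * Trailing CR/LF/space is ignored; anything else yields UNKNOWN. */
enum tokens_level server_tokens_level(const char *header)
{
    char buf[256];
    size_t n = strlen(header);
    const char *s = buf, *close;
    if (n >= sizeof buf)
        return TOKENS_UNKNOWN;
    memcpy(buf, header, n + 1);
    while (n > 0 && isspace((unsigned char)buf[n - 1]))
        buf[--n] = '\0';
    if (strncmp(s, "Apache", 6) != 0)
        return TOKENS_UNKNOWN;
    s += 6;
    if (*s == '\0')
        return TOKENS_PRODUCTONLY;
    if (*s != '/')
        return TOKENS_UNKNOWN;
    while (*s && *s != ' ')   /* skip the version token */
        s++;
    if (*s == '\0')
        return TOKENS_MINIMAL;
    close = strchr(++s, ')');
    if (*s != '(' || close == NULL)
        return TOKENS_UNKNOWN;
    return close[1] == '\0' ? TOKENS_OS : TOKENS_FULL;
}

/* 1 if the header reveals more than the product name, i.e. ServerTokens is
 * still above ProductOnly. Unrecognised values are flagged too, so that a
 * header nobody expected gets looked at rather than silently passed. */
int server_tokens_leaks_version(const char *header)
{
    return server_tokens_level(header) != TOKENS_PRODUCTONLY;
}
```

Feed it the Server line captured from a HEAD request against the server (for example with `curl -sI`) and expect `server_tokens_leaks_version` to return 0 once the directive is in place and Apache has been restarted.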

fetchmail

fetchmail has a remotely exploitable buffer overflow that can allow a remote user to execute arbitrary code with the permissions of the user running fetchmail. fetchmail uses the message index numbers sent by the mail server as an index into an internal array without checking them; if the remote mail server sends a negative number, fetchmail writes outside that array and overflows its buffer.

Users should upgrade fetchmail to a version newer than 5.8.9.
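The defect described above is a missing range check on a value the remote server controls. The following added example (not fetchmail's own code) shows the check that closes that class of bug: a message number is accepted as an array index only when it is a plain decimal in 1..count, so negative numbers, zero, out-of-range values and non-numeric junk are all rejected before anything is written. The array size, the LIST line format and the function names are hypothetical.

```c
/* Added example (not fetchmail's code): a server-supplied message number is
 * parsed and range-checked before it is used as an array index. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_MSGS 64

/* Per-message sizes, indexed 0..count-1. POP3 and IMAP number messages
 * from 1, so index = number - 1. */
static long msg_sizes[MAX_MSGS];

/* Converts a message number token (the "3" in a POP3 LIST line "3 1234")
 * to a zero-based index. Returns -1 for anything but a plain decimal in
 * 1..count: a negative number or zero (the unchecked case, which would
 * index before the array), a value past count, non-digits, or overflow. */
long checked_msg_index(const char *tok, long count)
{
    char *end;
    long n;
    if (tok == NULL || !isdigit((unsigned char)tok[0]) ||
        count < 1 || count > MAX_MSGS)
        return -1;
    errno = 0;
    n = strtol(tok, &end, 10);
    if (errno == ERANGE || *end != '\0' || n < 1 || n > count)
        return -1;
    return n - 1;
}

/* Records one "<number> <size>" LIST line. Returns 0 if stored, -1 if the
 * line was rejected (nothing is written in that case). */
int record_list_line(const char *line, long count)
{
    char num[32], size[32];
    long idx;
    if (sscanf(line, "%31s %31s", num, size) != 2)
        return -1;
    idx = checked_msg_index(num, count);
    if (idx < 0)
        return -1;
    msg_sizes[idx] = strtol(size, NULL, 10);
    return 0;
}

/* Bounds-checked read for callers; -1 if idx is out of range. */
long msg_size(long idx) { return idx >= 0 && idx < MAX_MSGS ? msg_sizes[idx] : -1; }
```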

mod_auth_pgsql and mod_auth_pgsql_sys

The mod_auth_pgsql and mod_auth_pgsql_sys Apache modules have a vulnerability that can be exploited by an attacker to inject arbitrary SQL statements and gain unauthorized access to the database. It has been reported that version 0.9.5 of mod_auth_pgsql and version 0.9.4 of mod_auth_pgsql_sys are vulnerable.

Users of mod_auth_pgsql or mod_auth_pgsql_sys should upgrade to a fixed version as soon as possible. They also should consider disabling database access for the modules until they have been fixed.

Gauntlet Firewall

Gauntlet Firewall has a buffer overflow vulnerability in the smap/smapd email applications that can be exploited by a user sending mail through the system to execute arbitrary commands with the permissions of the user running smapd. This vulnerability affects Gauntlet for Unix versions 5.x, PGP e-ppliance 300 series version 1.0, and McAfee e-ppliance 100 and 120 series.

PGP Security has created patches for this problem and recommends that users download and apply them as soon as possible.

Open Unix lpsystem

The Open Unix lpsystem command has a buffer overflow that may be exploitable by an attacker to execute arbitrary commands with the permissions of the root user. Open Unix version 8.0 has been reported to be vulnerable.

Caldera recommends that users update their lpsystem command with the patched version from their website.

mod_auth_oracle

The mod_auth_oracle Apache module has a vulnerability that can be used by an attacker to execute arbitrary stored procedures and cause arbitrary data to be returned.

Users of mod_auth_oracle should upgrade to a fixed version as soon as possible. They also should consider disabling database access for the module until it has been fixed.

bugzilla

A new version of bugzilla has been released that repairs numerous security problems. Security problems fixed include parameters not being checked or escaped safely and several problems that could be abused to get information on confidential bugs without proper permissions.

Red Hat recommends that users of bugzilla upgrade to version 2.14 or newer as soon as possible.

PostgreSQL PAM and NSS Modules

PostgreSQL PAM and NSS Modules are vulnerable to an attack that can be used to execute arbitrary SQL commands during a password-based login to the system. This vulnerability may be usable to successfully log in to a system without a valid password. Modules reported to be vulnerable include: libnss-pgsql 0.9.0, nss_postgresql 0.6.1, pam-pgsql 0.9.2, pam_pgsql 0.0.3, and pam-pgsql 0.5.1.

Users of vulnerable modules should upgrade to a repaired version as soon as possible. They should consider moving to a non-database-based authentication method until this problem has been fixed or should block unauthorized access with a firewall, tcp_wrappers, or other access controls.

BSD Line Printer Daemon

The BSD line printer daemon, lpd, has a buffer overflow that can be used by a remote attacker to execute arbitrary code on the server as the root user.

Users should watch for an update from the FreeBSD security team.

Check Point Firewall-1

Check Point Firewall-1 versions 3.0b and 4.0 have been reported to be vulnerable to a symbolic link race condition that can be exploited to gain root permissions.

It is recommended that users upgrade to Check Point Firewall-1 version 4.1 with the latest service pack.

Digital Unix msgchk

The set-user-id root utility msgchk supplied with Digital Unix 4.0 has a buffer overflow that can be exploited to execute code as the root user.

Users should remove the set-user-id bit from the msgchk utility.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
