SANS Network Security Digest - June 1997
(excerpts by Ian relevant to coding practices)

From: The SANS Institute <sans@clark.net>
To: idallen@freenet.carleton.ca
From: Alan Paller, SANS Network Security Digest Coordinator

-----------------------------------------------------------------
|             The SANS Network Security Digest                  |
|             Vol. 1, No. 5           June 23, 1997             |
|             Editor: Michele Crabb                             |
|             Contributing Editors:                             |
|   Matt Bishop, Gene Spafford, Steve Bellovin, Gene Schultz    |
|   Rob Kolstad, Marcus Ranum, Dorothy Denning, Dan Geer        |
|   Peter Neumann, Peter Galvin, David Harley, Jean Chouanard   |
----A Resource for Computer and Network Security Professionals---

CONTENTS:
 i) Executive Summary
ii) CURMUDGEON'S EXECUTIVE SUMMARY
 1) NETSCAPE COMMUNICATOR BUG
 2) MULTIPLE IRIX PROGRAMS SUFFER SECURITY PROBLEMS
 3) BUFFER OVERFLOW IN LIBXT LIBRARY
 4) BUFFER OVERFLOW PROBLEMS IN METAMAIL
 5) BUFFER OVERFLOW IN THE TALKD PROGRAM
 6) BUFFER OVERFLOW IN SUIDPERL
 7) BUFFER OVERFLOW IN AT PROGRAM
 8) SUN RELEASES SEVERAL SECURITY PATCHES AND ALERTS
 9) HP RELEASES A NUMBER OF SECURITY PATCHES FOR KNOWN PROBLEMS
10) QUICK TIDBITS AND SUMMARIES
11) THE PROBLEM WITH SPAM
12) WIN/NT DENIAL OF SERVICE ATTACK
13) WIN95 NETWORK PASSWORD VULNERABILITY
14) WIN/NT SMB DOWNGRADE EXPLOIT

------------------------------------------------------------------
ii) CURMUDGEON'S EXECUTIVE SUMMARY

Buffer overflows appear to be the most common problems reported in
May, with denial-of-service problems a distant second. Many of the
buffer overflow problems are probably the result of careless
programming, and could have been found and corrected by the vendors,
before releasing the software, if the vendors had performed elementary
testing or code reviews along the way.
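The digest's two recurring mitigations, length-checking untrusted input before it reaches a fixed buffer and wrapping a SUID program until a patch arrives (the approach of the AUSCERT overflow_wrapper mentioned under item 2), as an added C example; this is not code from the digest or from AUSCERT, and REAL_PROGRAM, MAX_STRING_LEN and MAX_ARGS are hypothetical values a real wrapper would tune to the program it guards.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Hypothetical limits; a real wrapper tunes them to the program it guards. */
#define MAX_STRING_LEN 256   /* longest argument or environment string allowed */
#define MAX_ARGS       64    /* most arguments passed through */

/* Placeholder path of the renamed real program (not a real path). */
#define REAL_PROGRAM "/usr/lib/example/real-program.orig"

/* Return 1 if every string in a NULL-terminated vector (argv or envp)
 * is shorter than limit, 0 as soon as one is not. */
int strings_within(char *const vec[], size_t limit)
{
    for (size_t i = 0; vec[i] != NULL; i++) {
        if (strlen(vec[i]) >= limit)
            return 0;
    }
    return 1;
}

/* Decide whether an invocation may be passed to the real program:
 * bounded argument count, and every argv and envp string bounded.
 * Returns 1 to allow, 0 to refuse. */
int invocation_ok(int argc, char *const argv[], char *const envp[])
{
    if (argc < 0 || argc > MAX_ARGS)
        return 0;
    if (!strings_within(argv, MAX_STRING_LEN))
        return 0;
    if (!strings_within(envp, MAX_STRING_LEN))
        return 0;
    return 1;
}

int main(int argc, char *argv[])
{
    if (!invocation_ok(argc, argv, environ)) {
        fprintf(stderr, "%s: argument or environment string too long, refusing\n",
                argv[0] ? argv[0] : "wrapper");
        return 1;
    }
    /* Everything is within bounds: run the real program unchanged. */
    execve(REAL_PROGRAM, argv, environ);
    perror("execve");   /* only reached if the exec itself failed */
    return 1;
}
```

Installed in place of the renamed program with the original's owner and mode, the wrapper refuses over-length invocations instead of letting the real binary overflow; it is a stopgap until the vendor patch is applied.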
------------------------------------------------------------------
2) IRIX PROGRAMS SUFFER SECURITY PROBLEMS

May was certainly a "pick on SGI" month, where the hacker community
found one buffer overflow after another. SGI, CERT and CIAC all posted
alerts regarding the problems, which are summarized below. Expect to
see continued alerts on these pesky buffer overflow problems.

SGI maintains a security web site at:
<http://www.sgi.com/Support/Secur/security.html>

May 6 - Vulnerability in the csetup program, which is suid root. A
local user could gain root access by exploiting the bug. See the SGI
security alert for more information. Patches are available. For more
information, see:
<ftp://sgigate.sgi.com/security/19970101-02-PX>
------------------------
May 6 - Vulnerability in the webdist.cgi cgi-bin program, which is
part of the Mindshare Out Box package. Local and remote users can
exploit the vulnerability, which allows them to run programs as the
http daemon. For more information see the following alert:
<ftp://info.cert.org/pub/cert_advisories/CA-97.12.webdist>
------------------------
May 8 - New patch out for the netprint program. Original advisory
sent out in 12/97. More info at:
<http://www.sgi.com/Support/Secur/security.html>
------------------------
May 14 - Vulnerability in the runpriv program, which is also suid
root. A local user could gain root access by exploiting this bug. See
the SGI Security alert for more information:
<ftp://sgigate.sgi.com/security/19970503-01-PX>
------------------------
May 14th - Vulnerability in the /usr/sbin/scanners program, which is
part of the Impresario Server V1 as shipped via IRIX 5.x. If
exploited, local users could gain root access. For more information
see the AUSCERT bulletin at:
<ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.16.IRIX.scanners.environ.vul>
------------------------
May 28th - Buffer overflow discovered in multiple IRIX programs: df,
pset, eject, login/scheme, ordist and xlock.
These vulnerabilities were first posted on various newsgroups and by
AUSCERT. Aside from the initial SGI announcement, there is no further
information regarding these problems or how to fix them. Exploit
programs for some of the bugs have been published on the Internet.

A wrapper program, available from AUSCERT, can protect against most
of these buffer overflow problems. See the page at:
<ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c>

You can also remove the SUID bit if that is possible for your
environment. Relevant AUSCERT advisories may be found at:
<http://www.auscert.org.au/information/advisories/aus_1997.html>

Two other SGI program vulnerabilities have been discussed on the
bugtraq mailing list: /usr/lib/desktop/permissions and
/usr/sbin/printers
------------------------
May 29th - Vulnerability in the run time linker program, /bin/rld.
The problem may allow local users to gain root access. A patch is
available from SGI. For more information see:
<ftp://sgigate.sgi.com/security/19970504-01-PX>

------------------------------------------------------------------
3) BUFFER OVERFLOW IN LIBXT LIBRARY (5/8)

A buffer overflow in the libXt library of the X11 distribution from
the Open Group has been discovered. Programs built using this library
from versions prior to X11 R6.3, which are SUID root, are potentially
vulnerable. CERT recommends upgrading to 6.3 to correct the problem.
The problem may also exist in some third-party vendor-derivatives of
the X11 code. The problem was first discussed in various news groups
in late 1996, and at that time exploitation scripts were made
available.
For more information see the CERT bulletin:
<ftp://info.cert.org/pub/cert_advisories/>

------------------------------------------------------------------
4) BUFFER OVERFLOW PROBLEMS IN METAMAIL (5/23)

A vulnerability in the metamail program (all versions through 2.7)
can allow the sender of a MIME-encoded email message to cause the
recipient to execute an arbitrary command if the receiver processes
the message using the metamail package. Some vendors provide metamail
as part of their distribution. Apply the patch if available. For more
information see the CERT bulletin at:
<ftp://info.cert.org/pub/cert_advisories/CA-97.14.metamail>

------------------------------------------------------------------
5) BUFFER OVERFLOW IN THE TALKD PROGRAM (5/8)

Vulnerability in the talkd (otalkd, ntalkd) program. The vulnerability
involves overflowing the stack where the DNS information is kept (see
CERT advisory CA-96.04). By exploiting this vulnerability remote users
may be able to arbitrarily execute commands with root privileges.
CERT recommends that you upgrade to BIND 4.9.4 Patch level 1 or later
to solve the general problem, or disable the talkd program to resolve
this specific instance of the problem. For more information refer to
the following bulletins:
<ftp://info.cert.org/pub/cert_advisories/CA-97.04.talkd>
<ftp://info.cert.org/pub/cert_advisories/CA-96.04.corrupt_info_from_servers>

------------------------------------------------------------------
6) BUFFER OVERFLOW IN SUIDPERL (5/29)

Buffer overflow in suidperl included with Perl Versions 4.x and 5.x
(prior to 5.003). The vulnerability allows local users to potentially
gain root access by calling programs with "crafty" parameters. CERT
recommends removing the SUID bit on suidperl until you have installed
a patch.
See the CERT bulletin for more information:
<ftp://info.cert.org/pub/cert_advisories/CA-97.17.sperl>

------------------------------------------------------------------
7) BUFFER OVERFLOW IN AT PROGRAM (6/14)

A buffer overflow has been discovered in the at program, which may
allow local users to run programs with root privileges. Many vendors
have released patches for this problem. For more information, see the
CIAC bulletin at:
<http://ciac.llnl.gov/ciac/bulletins/h-71.shtml>

------------------------------------------------------------------
8) SUN RELEASES SECURITY PATCHES AND ALERTS

Sun security patches are available at:
<ftp://sunsolve1.sun.com/pub/patches/patches.html>

A) April 29th - Sun announced the release of the (Solaris 2.5.1)
security patch for the buffer overflow problem in the Pluggable
Authentication Module (PAM). Patches for 2.4 and 2.3 should also be
released soon. Under Solaris 2.5.1, the nispasswd, yppasswd, and
passwd programs use PAM. See the AUSCERT Bulletin for more
information:
<ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.09.Solaris.passwd.buffer.overrun.vul>
-----------------------
B) May 14th - Sun announces the release of a patch to correct the
buffer overflow problem in the ffbconfig program. For more
information, refer to the bulletin at:
<ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.06c.solaris.ffbconfig.buffer.overrun.vul>
-----------------------
C) May 13th - Vulnerability under Solaris 2.X in the method the lp
spooler uses to create temporary files. By exploiting the bug a local
user may overwrite or create arbitrary files and possibly gain root
access. Exploits for this vulnerability are freely available on the
Internet.
See the bulletin for more info:
<ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.15.Solaris.lp.temp.file.creation.vul>
-----------------------
D) May 21st - Buffer overflow vulnerability in the /usr/bin/ps and
/usr/ucb/ps programs may allow local users to gain root access. No
patch is available, but AUSCERT recommends removing the SUID bit. For
more information see the AUSCERT bulletin at:
<ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.17.solaris.ps.buffer.overflow.vul>
-----------------------
E) May 22nd - Buffer overflow vulnerability in the /usr/bin/chkey
program. The vulnerability may allow local users to gain root access.
The temporary workaround is to remove the SUID bit. For more
information see the AUSCERT bulletin at:
<ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.18.solaris.chkey.buffer.overflow.vul>
-----------------------
F) June 4th - Sun announces the release of patches for the rpcbind
vulnerability in the following O/S versions: Solaris 2.5.1, 2.5, 2.4,
and 2.3. Since the vulnerability can allow a remote user to gain
unauthorized root access, the patches should be applied as soon as
possible. See Sun Bulletin #00142 for more information.
-----------------------
G) June 5th - Vulnerability in the getopt(3) function, which may allow
users to create programs using getopt which will run arbitrary
commands. The threat is greater if the programs are SUID/SGID, which
may allow users to gain root access. Sun has provided patches for the
problems. See Sun alert #00141 or the CIAC bulletin for more
information:
<http://ciac.llnl.gov/ciac/bulletins/h-69.shtml>

------------------------------------------------------------------
9) HP RELEASES SECURITY PATCHES

HP released several security patches during the last month,
correcting problems previously reported in HP, CERT, CIAC and AUSCERT
bulletins.
The HP Electronic Support Center is located at:
<http://us-support.external.hp.com> (US and Canada)
<http://europe-support.external.hp.com> (Europe)

To access the HP security bulletins you must go through a
registration process on the web.

April 30th - Patches for several sendmail vulnerabilities.
April 30th - Patch to correct buffer overflow in talkd
May 7th - Patch to protect against SYN flooding attacks.
May 13th - Patch for buffer overflow in libXt/Error.c
May 28th - Patch for CGI vulnerability in the VirtualVault Transaction
Server Product.

------------------------------------------------------------------
D) Want to learn more about buffer overflow problems in Linux? See a
new web page on stack overflow exploits at:
<http://www-miaif.ibp.fr/willy/security>
------------------------

Copyright, 1997. All rights reserved.

This is the final SANS Network Security Digest that may be freely
forwarded to co-workers and other security professionals. After July
1, all recipients should be registered. To register at no cost
(through December, 1998), act before July 1, 1997. Send your name, job
title, employer, a home or office surface mail address (for the
Network Security poster), telephone and preferred email. Send to:
sans@clark.net. After July 1, send the same registration information
along with credit card number and expiration date. The fee is $80 for
the period ending December, 1998. If you don't want to email credit
card information, fax it (but make sure the email is legible) to
301-229-1063. Corporate discounts are available.

--
Michele D. Crabb                          mcrabb@cisco.com
Computer Security Analyst                 Phone: 408 527-3842
Engineering Computer Services - Bldg. E1  FAX: 408 526-4575
Cisco Systems, Inc
170 West Tasman Drive
San Jose, CA 95134-1706
Web Author: Ian! D. Allen idallen@idallen.ca
Updated: 2003-01-19 05:50
This work is licensed under a Creative Commons License.