CIS 450 – Network Security Chapter 14 – Specific Exploits for UNIX

CGI Scripts The Common Gateway Interface (CGI) is a standard for interfacing external applications with information servers, such as HTTP or Web servers Any time that a program is interacting with a networked client, there is the possibility of that client attacking the program to gain unauthorized access. Even the most innocent looking script can be very dangerous to the integrity of your system. Guidelines for writing secure CGI Scripts List of CGI vulnerabilities

Aglimpse Operating Systems – UNIX and similar OSs Protocol Services – Port 80 HTTP Glimpse is a search engine used to efficiently search for information in large numbers of files. "aglimpse" is a CGI program that makes up part of a WWW gateway to Glimpse. A vulnerability exists in the /cgi-bin/aglimpse script which allows a remote user to execute arbitrary commands on the remote system as the user which the web server runs as Signature of attack Because attack is carried out using normal HTTP commands monitoring network packets with a sniffer will not likely reveal the attack – looks like a legitimate request of web content from server Have to look at web server logs Protection Against Web server should be run as user, never root, with minimal access Use latest version of Webglimpse -

Campas Operating Systems – UNIX Protocol Services – Port 80 HTTP The file /cgi-bin/campas can be used to remotely view any file your web server has permissions to view Signature of attack Because attack is carried out using normal HTTP commands monitoring network packets with a sniffer will not likely reveal the attack – looks like a legitimate request of web content from server Have to look at web server logs Protection Against Web server should be run as user, never root, with minimal access Upgrade your web server and ensure that campras script is no longer available on your server

NetPR Operating Systems – Solaris Protocol Services – Network Printing Service A security vulnerability is present in several version of netpr. The exploit code enables local users to gain root privileges by exploiting a buffer overflow problem in the netpr applicationexploit code Protection against Apply vendor patches

DTprintinfo Operating Systems – Solaris Protocols/Services – Local boundary condition error using the dtprintinfo command The exploit code enables local users to gain root privileges by exploiting a stack buffer overflow problem in the dtprintinfo applicationexploit code Protection against Apply vendor patches Using an application such as CA’ Etrust that manages root authorityCA’ Etrust Saint Jude Project – nothing new since 2002; currently soliciting for new administrator Saint Jude Project

Sadmind Operating Systems – Sun OS Protocols/Services – sadmind (Solstice AdminSuite daemon) collection of applications, provided by Sun for enterprise system management Exploit The default configuration of sadmind uses a set of unencrypted Remote Procedure Calls (RPC) to authenticate between two machines. Because the authentication sequence is unencrypted, an attacker can create a set of specially constructed RPC packets that allow her to forge a valid client identity. Protection Later Website ( 16sept2003.html#anchorthree) gives different information than text re Sun (no patches) 16sept2003.html#anchorthree To protect systems against forged client compromises, Sun recommends either completely disabling sadmind or modifying its configuration to require DES encryption for its authentication sequence. Most Stanford Solaris users do not use the Solaris AdminSuite tools, and are therefore strongly encouraged to disable sadmind. Do this by commenting out the appropriate line in /etc/inetd.conf by adding a '#' sign at the beginning, and then restarting inetd.

XWindows Operating Systems – UNIX with XWindows Protocols/Services – XWindows and XTest Exploit One way to tunnel into a network from the outside using normal features of the XWindows protocol, and ultimately gaining control over the computer system of an internal system administrator using the XTest XWindows extension. org/practical/Chris_Covington.doc+xwindows+exploit&hl=en org/practical/Chris_Covington.doc+xwindows+exploit&hl=en Protection One of the biggest things that you can do is to block the 6000 port range on the firewall, and to make sure that each client that can tunnel XWindows traffic is specifically denied by a configuration file on the client (since a successful attacker can alter the external server side) if it tries to tunnel to an external computer.

Solaris Catman Race Condition Operating Systems – Sun Solaris Protocols/Services – Catman Service Exploit Through the use of symbolic links from temporary files created by /usr/bin/catman, local users can force the root user running catman to overwrite critical files, possibly causing a denial of service attack. The catman command creates preformatted versions of the online manual. It also creates the windex database for utilities like apropos and whatis. The problem lies with catman creating a temporary file in /tmp, the file has the form of /tmp/sman_pidofcatman. An attacker can monitor the process list for the execution of catman and create a symlink to a root owned file. Catman will upon execution overwrite the contents of that file. Protection – Apparently Sun never created any patches but possible solution can be found at

Multiple Linux Vendor RPC.STATD Exploit Operating Systems – Various Linux Versions Protocols/Services – rpc.statd (Remote Procedure Call) Exploit The rpc.statd program passes user-supplied data to the syslog() function as a format string. If there is no input validation of this string, a malicious user can inject machine code to be executed with the privileges of the rpc.statd process, typically root. Protection Upgrade your version of rpc.statd Disable the rpc.statd service Block unneeded ports at your firewall