Unix/Linux Security Update
Bob Cowles, November 2, 2000
HEPiX-HEPNT 2000, Jefferson Lab (11/02/2000)
Outline
Intro
Format String
Buffer Overflows
Symlink following
Specials
Conclusions
Intro (1/3)
Microsoft Security Bulletins
  –1998: 20
  –1999: 61
  –2000 (5 months): 37
  –2000 (10 months): 82
http://www.securityfocus.com
http://www.securityportal.com
Intro (2/3)
DDoS is still a problem
  –Often placed on compromised machines
  –Selection of clients is improving (!)
AES selection is complete
  –Rijndael selected
  –Expected to be good in mobile, low-power platforms
Microsoft break-in comments
Intro (3/3)
Hacked web servers, 10/31, courtesy of attrition.org (site, defacer alias where given)
  –www.elipsedesign.com (hooyah)
  –www.diamond.com.au (prime suspectz)
  –www.tvet-pal.org
  –gsmart.net.id (chikebum)
  –www.adara.com.tw (m0r0n/nightman)
  –www.advancetek.com.tw (m0r0n/nightman)
  –alessiamarcuzzi.it (azndragon)
  –www.eiba.biu.ac.il (m0r0n/nightman)
  –www.mba.biu.ac.il (m0r0n/nightman)
  –www.wiredsolutionstk.com (MaNa2EEsH)
  –www.0x7f.org
  –www.clearwaterfarm.com (keoki)
  –www.ca0.net (RSH)
  –advancedit.co.za (one man army)
  –www.warrenconner.org (mecca)
  –www.wmsolutions.com
  –www.woodengate.com (tyl0x)
  –birthingthefuture.com (keoki)
  –www.kia.co.kr (Prime Suspectz)
  –mail.mountainzone.net
  –wchs02.washington.high.washington.k12.ga.us (dis)
  –www.boitnotts.com (Hackah Jak)
  –www.bancoprimus.com.br (Anti Security Hackers)
  –www.dersa.com.br (prime suspectz)
  –www.epson.ru (prime suspectz)
  –www.penalty.com.br (Anti Security Hackers)
  –www.enap.cl (CiXX)
Format String
Affects all Unix/Linux systems
Started with QPOPPER in May
We haven’t seen the end
Latest is ypbind
Severe in LOCALE subsystem and environment variable passing of telnet
Format String Alerts (1/2)
May
  –QPOPPER
June
  –Various ftpd
July
  –BitchX IRC client
  –rpc.statd (nfsutils)
August
  –gnu mailman
  –NAI net tools PKI server
  –IRIX telnetd
  –xlock
September
  –Locale subsystem
  –screen
  –klogd
  –KDE kvt
  –LPRng
  –lpr
  –SCO help http server
Format String Alerts (2/2)
October
  –Cfengine
  –eeprom in BSD, libutil, fstat
  –BSD telnet (remote)
  –PHP error logging
  –ypbind
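The following is an added example, written for this page and not taken from the talk or from any of the programs listed above. It shows the single bug pattern behind every entry in the two alert lists: untrusted text reaches the printf family as the format argument. The function names and sample strings are made up for illustration; the format attribute is the gcc/clang extension that turns the pattern into a build-time warning.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The bug pattern behind the 2000 advisories: untrusted text (a POP
 * username, an ftp command, a LOCALE or other environment value) is
 * passed as the *format* argument, so any '%' directives it contains
 * are interpreted by the printf family instead of being copied.
 * Only called with benign input here; never do this in real code. */
int log_line_vulnerable(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, untrusted);   /* BUG: untrusted is the format */
}

/* Hardened form: the format is a literal and the untrusted text is only
 * ever consumed by a "%s" conversion, so a '%' in it is copied verbatim. */
int log_line_safe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s", untrusted);
}

/* Wrapper for the common "log a message" call. The format attribute
 * makes gcc/clang (-Wformat -Wformat-security) warn whenever a caller
 * passes a non-literal format, which catches the pattern at build time
 * across a whole code base. */
__attribute__((format(printf, 3, 4)))
int log_fmt(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Run-time sanity check for values that should never carry a directive
 * (e.g. LANG/LC_* read from the environment before they reach a library
 * that builds messages from them). Returns 1 if a '%' is present. */
int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}
```

Compiling with `-Wformat -Wformat-security` flags `log_line_vulnerable` and every caller of `log_fmt` that passes a variable as the format; the run-time check is a last line of defence for data that legitimately flows into third-party formatting code.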
Buffer Overflows
April
  –Solaris ufsrestore
  –Solaris lp/lpstat/lpset
May
  –netpr
  –kerb4 and kerb5 in compatibility mode: remote exploits for klogin, ksu, krshd
September
  –Pine remote exploit using From: line
October
  –Dump
  –Tcpdump
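An added example, not from the talk or from Pine itself, using the "From:" line case above to show the overflow pattern next to a bounded parser. The structure, field size and function names are made up for illustration; the point is that the hardened version measures before it copies and refuses an over-long field rather than truncating it silently.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32   /* fixed-size fields, like the stack buffers in the affected programs */

struct sender {
    char name[FIELD_MAX];
    char addr[FIELD_MAX];
};

/* Vulnerable pattern: the value after "From:" is copied into a fixed
 * buffer with no length check, so a header longer than FIELD_MAX bytes
 * runs past the end of 'tmp'. Called only with a short input here. */
int parse_from_vulnerable(const char *line, struct sender *s)
{
    char tmp[FIELD_MAX];

    if (strncmp(line, "From: ", 6) != 0)
        return -1;
    strcpy(tmp, line + 6);          /* BUG: no bound on the copy */
    strcpy(s->name, tmp);
    s->addr[0] = '\0';
    return 0;
}

/* Hardened parser for "From: Display Name <user@host>". Every copy is
 * bounded by the measured field length, and an over-long field is
 * refused (-2) rather than silently truncated, so the caller can log and
 * drop the message instead of acting on a mangled value.
 * Returns 0 on success, -1 if malformed, -2 if a field is too long. */
int parse_from_safe(const char *line, struct sender *s)
{
    const char *p, *lt, *gt;
    size_t nlen, alen;

    if (strncmp(line, "From:", 5) != 0)
        return -1;
    p = line + 5;
    while (*p == ' ' || *p == '\t')
        p++;

    lt = strchr(p, '<');
    gt = lt ? strchr(lt, '>') : NULL;
    if (lt == NULL || gt == NULL)
        return -1;

    nlen = (size_t)(lt - p);
    while (nlen > 0 && p[nlen - 1] == ' ')   /* trim blanks before '<' */
        nlen--;
    alen = (size_t)(gt - lt - 1);

    /* The length check happens before any byte is written. */
    if (nlen >= FIELD_MAX || alen >= FIELD_MAX)
        return -2;

    memcpy(s->name, p, nlen);
    s->name[nlen] = '\0';
    memcpy(s->addr, lt + 1, alen);
    s->addr[alen] = '\0';
    return 0;
}
```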
Symlink Following
Mgetty / faxrunqd
  –Creates .last_run in world-writable directory
  –Follows symlinks allowing …
    File creation anywhere
    File smashing
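An added example, not taken from the talk or from mgetty, contrasting the open() call the slide describes with two safe ways to create a marker file in a directory other users can write to. Function names are made up; the flags and the fstat checks are standard POSIX/Linux.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern described on the slide: a privileged daemon opens a
 * fixed, predictable name (".last_run") in a world-writable spool
 * directory with O_CREAT and no O_EXCL or O_NOFOLLOW. If a local user
 * has planted a symlink of that name, the daemon follows it and creates
 * or truncates whatever the link points at. Never called in the test. */
int create_marker_vulnerable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened version for the case where the name must stay predictable:
 *   O_EXCL     fails if anything (including a symlink) already exists,
 *   O_NOFOLLOW refuses a symlink in the final path component,
 *   fstat      confirms the descriptor really is a fresh regular file
 *              owned by us, and not something swapped in underneath.
 * Returns the descriptor, or -1 with errno set. */
int create_marker_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)
        || st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Better still, when the name does not have to be predictable: mkstemp()
 * picks an unguessable name and creates it with O_EXCL and mode 0600.
 * 'template_path' must end in "XXXXXX" and is overwritten with the name. */
int create_unique_marker(char *template_path)
{
    return mkstemp(template_path);
}
```

With the hardened open, a pre-planted `.last_run` link makes the call fail with EEXIST and the file it points at is never touched; the daemon then logs the failure instead of writing.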
Specials
Cisco
Linux capabilities
Cross site scripting
PGP
Netscape
RSA
Sun key compromise
Cisco
04/19 Access to priv mode in Catalyst switch (fix 5.4(2))
04/20 IOS reload when telnetd port is scanned
05/15 Router crash with httpd enabled %
Linux Capabilities
Capabilities available in release 2.2.x
Fine-grain privilege setting
Inherited from parent process
Can prevent suid program dropping root
Exploits used sendmail and procmail
Temporary fix from CERN
Current fix is to require 2.2.16
Cross Site Scripting
Problem inherent in browser/server design
Fix is up to proper application design by web developers
Can be used to steal cookies or read/write local files
09/07 E*Trade user names and passwords are remotely recoverable
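An added example of the "proper application design" the slide leaves to web developers; it is not from the talk or from any affected site. It encodes request-supplied text before it is written into a page, so script tags arrive in the browser as text rather than markup. Function names are made up for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape the characters that let user-supplied text break out of an HTML
 * text node or a double-quoted attribute value. Returns the number of
 * bytes written (excluding the NUL), or -1 if 'out' is too small; on -1
 * the caller must not emit anything, since a partial string could end
 * inside an entity. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    const char *p;

    for (p = in; *p; p++) {
        const char *rep = NULL;
        size_t need;

        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        need = rep ? strlen(rep) : 1;
        if (o + need >= outlen)
            return -1;
        if (rep)
            memcpy(out + o, rep, need);
        else
            out[o] = *p;
        o += need;
    }
    out[o] = '\0';
    return (int)o;
}

/* The application-side discipline the slide calls for: anything echoed
 * from a request (a search term, a user name, an error message) goes
 * through html_escape() before it is written into the page. Returns the
 * page length or -1 if the name could not be encoded. */
int render_greeting(const char *user_name, char *page, size_t pagelen)
{
    char safe[256];

    if (html_escape(user_name, safe, sizeof safe) < 0)
        return -1;
    return snprintf(page, pagelen, "<p>Hello, %s</p>", safe);
}
```

Escaping must happen at output time and match the context (text node or attribute here; URL and JavaScript contexts need their own encoders), which is why the fix cannot live in the browser or the server software alone.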
PGP
Affects version 4 of PGP public keys
  –Mostly Diffie-Hellman
  –Additional decryption keys
Part of public key not covered by encrypted checksum; allows insertion of additional, unauthorized decryption keys
Primary issue is one of confidence in PGP
Netscape
SSL certificate validation code error
  –Happens if host name mismatch
  –No further validation for future use of certificate
Brown Orifice httpd
  –Delivered in a number of modes
  –Advertised itself as compromised
  –Fix forced upgrade to 4.75
RSA
09/06 Code was released to public domain 2 weeks prior to patent expiration
Expect a greater volume of encryption products to be released over the next year
SUN Certificate Compromise
Web server certificate compromised
First admitted case for a major vendor
See http://sunsolve5.sun.com/secbull/certificate_howto.html to determine if the certificate has been accepted
IIS Unicode
Not UNIX, but very important; allows remote execution of commands (cmd, tftp)
Other Unicode exploits are likely in other programs needing to edit input data
Difficult to remove all “dangerous” characters; too many ways to represent them
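An added example illustrating the last point, written for this page and not taken from the talk or from IIS. Rather than trying to enumerate every representation of a dangerous character, it decodes the request path first, rejects malformed and overlong UTF-8 (the trick that let a second encoding of "/" slip past checks that only looked for the ASCII byte), and only then tests the canonical bytes for traversal. Function names and sample paths are made up for illustration.

```c
#include <stddef.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Length of the well-formed UTF-8 sequence starting at s (n bytes left),
 * or 0 if it is malformed. Refusing the leads 0xC0/0xC1 and tightening
 * the second-byte range for 0xE0/0xF0 rejects overlong forms, so a '/'
 * has exactly one byte representation once this check has passed. */
static int utf8_seq_len(const unsigned char *s, size_t n)
{
    unsigned char c = s[0], lo = 0x80, hi = 0xBF;
    int len, i;

    if (c < 0x80) return 1;
    if (c >= 0xC2 && c <= 0xDF) len = 2;
    else if (c >= 0xE0 && c <= 0xEF) { len = 3; if (c == 0xE0) lo = 0xA0; if (c == 0xED) hi = 0x9F; }
    else if (c >= 0xF0 && c <= 0xF4) { len = 4; if (c == 0xF0) lo = 0x90; if (c == 0xF4) hi = 0x8F; }
    else return 0;                 /* stray continuation byte or overlong lead */
    if (n < (size_t)len) return 0;
    if (s[1] < lo || s[1] > hi) return 0;
    for (i = 2; i < len; i++)
        if (s[i] < 0x80 || s[i] > 0xBF) return 0;
    return len;
}

/* Percent-decode a request path into 'out', validate the *decoded* bytes
 * as UTF-8, and only then look for "..": checking before decoding is what
 * the Unicode bypass defeats. Returns 0 if safe, -1 on a bad escape,
 * embedded NUL or overflow, -2 on malformed/overlong UTF-8, -3 on
 * directory traversal. */
int safe_decode_path(const char *in, char *out, size_t outlen)
{
    size_t o = 0, i;
    const char *p = in;

    while (*p) {
        int c;
        if (*p == '%') {
            int h = hexval((unsigned char)p[1]);
            int l = h < 0 ? -1 : hexval((unsigned char)p[2]);
            if (h < 0 || l < 0) return -1;
            c = h * 16 + l;
            p += 3;
        } else {
            c = (unsigned char)*p++;
        }
        if (c == 0 || o + 1 >= outlen) return -1;   /* %00 would truncate later checks */
        out[o++] = (char)c;
    }
    out[o] = '\0';

    for (i = 0; i < o; ) {
        int len = utf8_seq_len((const unsigned char *)out + i, o - i);
        if (len == 0) return -2;
        i += (size_t)len;
    }

    if (strcmp(out, "..") == 0 || strncmp(out, "../", 3) == 0
        || strstr(out, "/../") != NULL
        || (o >= 3 && strcmp(out + o - 3, "/..") == 0))
        return -3;
    return 0;
}
```

The order matters: decode, canonicalise, then check. A blacklist applied to the raw request has to anticipate every encoding an attacker might choose, while a check on the canonical form only has to recognise one.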
Recommendations
Leverage security concerns to gain control of OS configurations
  –Security is not a part of the service organization
Limit visibility of complex protocols
  –Block if possible, otherwise allow only “well maintained” servers
  –HTTP and XML are going to have many more security issues
Questions?