11/02/2000 HEPiX-HEPNT 2000, Jefferson Lab 1
Unix/Linux Security Update
Bob Cowles
November 2, 2000
Outline
• Intro
• Format String
• Buffer Overflows
• Symlink following
• Specials
• Conclusions
Intro (1/3)
• Microsoft Security Bulletins
– 1998: 20
– 1999: 61
– 2000 (5 months): 37
– 2000 (10 months): 82
• http://www.securityfocus.com
• http://www.securityportal.com
Intro (2/3)
• DDoS is still a problem
– Often placed on compromised machines
– Selection of clients is improving (!)
• AES selection is complete
– Rijndael selected
– Expected to be good on mobile, low-power platforms
• Microsoft break-in comments
• Microsoft breakin comments
Intro (3/3)
• Hacked web servers, 10/31, courtesy of attrition.org
Format String
• Affects all Unix/Linux systems
• Started with QPOPPER in May
• We haven’t seen the end
• Latest is ypbind
• Severe in LOCALE subsystem and environment variable passing of telnet
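The bug class behind these alerts, as an added example that is not from the talk: a logging wrapper in its vulnerable and fixed forms, plus an audit helper. The function names are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Typical internal helper: a printf-style formatter shared by logging code.
 * Because it forwards a caller-supplied format, the compiler cannot check
 * its callers unless it carries __attribute__((format(printf, 3, 4))). */
static int render(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* VULNERABLE: untrusted text (a POP username, a NIS map name, a locale
 * message) is passed as the format itself, so every '%' directive in it is
 * executed by the formatter.  Only "%%" is exercised in the test, which
 * harmlessly collapses to "%": enough to prove the text is interpreted. */
int log_line_vulnerable(char *out, size_t n, const char *untrusted)
{
    return render(out, n, untrusted);           /* bug: format == input */
}

/* FIXED: a literal format string; the untrusted text is only ever data. */
int log_line_fixed(char *out, size_t n, const char *untrusted)
{
    return render(out, n, "%s", untrusted);
}

/* Audit helper: number of conversion directives in a string that is about
 * to reach a printf-family function as its format ("%%" is an escaped
 * percent, not a directive).  A non-zero count on a path whose format is
 * derived from input is a finding; the fix is a literal format, not a
 * character filter. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {          /* escaped percent: skip the pair */
            s++;
            continue;
        }
        count++;
    }
    return count;
}
```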
Format String Alerts (1/2)
• May
– QPOPPER
• June
– Various ftpd
• July
– BitchX IRC client
– rpc.statd (nfs-utils)
• August
– GNU Mailman
– NAI Net Tools PKI Server
– IRIX telnetd
– xlock
• September
– Locale subsystem
– screen
– klogd
– KDE kvt
– LPRng
– lpr
– SCO help http server
Format String Alerts (2/2)
• October
– Cfengine
– eeprom in BSD, libutil, fstat
– BSD telnet (remote)
– PHP error logging
– ypbind
Buffer Overflows
• April
– Solaris ufsrestore
– Solaris lp/lpstat/lpset
• May
– netpr
– kerb4 and kerb5 in compatibility mode
• Remote exploits for klogin, ksu, krshd
• September
– Pine remote exploit using From: line
• October
– dump
– tcpdump
Symlink Following
• mgetty / faxrunq
– Creates .last_run in a world-writable directory
– Follows symlinks, allowing …
• File creation anywhere
• File smashing
Specials
• Cisco
• Linux capabilities
• Cross site scripting
• PGP
• Netscape
• RSA
• Sun key compromise
Cisco
• 04/19 Access to priv mode in catalyst switch (fix 5.4(2))
• 04/20 IOS reload when telnetd port is scanned
• 05/15 Router crash with httpd enabled
Linux Capabilities
• Capabilities available in release 2.2.x
• Fine-grain privilege setting
• Inherited from parent process
• Can prevent suid program dropping root
• Exploits used sendmail and procmail
• Temporary fix from CERN
• Current fix is to require 2.2.16
Cross Site Scripting
• Problem inherent in browser/server design
• Fix is up to proper application design by web developers
• Can be used to steal cookies or read/write local files
• 09/07 E*Trade user names and passwords are remotely recoverable
PGP
• Affects version 4 of PGP public keys
– Mostly Diffie-Hellman
– Additional decryption keys
• Part of the public key is not covered by the encrypted checksum, which allows insertion of additional, unauthorized decryption keys
• Primary issue is one of confidence in PGP
Netscape
• SSL certificate validation code error
– Happens if host name mismatch
– No further validation for future use of certificate
• Brown Orifice httpd
– Delivered in a number of modes
– Advertised itself as compromised
– Fix forced upgrade to 4.75
RSA
• 09/06 Code was released to public domain 2 weeks prior to patent expiration
• Expect a greater volume of encryption products to be released over the next year
SUN Certificate Compromise
• Web server certificate compromised
• First admitted case for major vendor
• http://sunsolve5.sun.com/secbull/certificate_howto.html to determine if certificate has been accepted
IIS Unicode
• Not UNIX, but very important; allows remote execution of commands (cmd, tftp)
• Other Unicode exploits are likely in other programs needing to edit input data
• Difficult to remove all “dangerous” characters – too many ways to represent them
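The alternative to hunting for every spelling of a dangerous character, as an added example that is not from the talk: decode the request path with a strict UTF-8 decoder that rejects overlong forms, then judge the single canonical result. The function names are hypothetical and the toy server accepts ASCII paths only.

```c
#include <stddef.h>
#include <string.h>

/* Decode one UTF-8 sequence from s[0..n).  Returns bytes consumed and stores
 * the code point in *cp; returns 0 for a malformed sequence, an overlong one
 * (a value a shorter sequence could carry), a surrogate, or a value above
 * U+10FFFF.  Overlong forms are exactly what gives one character several
 * byte spellings, so they are rejected rather than decoded. */
size_t utf8_decode_strict(const unsigned char *s, size_t n, unsigned *cp)
{
    size_t len;
    unsigned min;
    if (n == 0)
        return 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }            /* plain ASCII */
    if ((s[0] & 0xE0) == 0xC0)      { len = 2; min = 0x80;    *cp = s[0] & 0x1F; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; min = 0x800;   *cp = s[0] & 0x0F; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; min = 0x10000; *cp = s[0] & 0x07; }
    else return 0;                                  /* stray continuation or 0xF8.. */
    if (n < len)
        return 0;
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return 0;                               /* not a continuation byte */
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    if (*cp < min || *cp > 0x10FFFF || (*cp >= 0xD800 && *cp <= 0xDFFF))
        return 0;
    return len;
}

/* Canonicalise a raw request path, then check it.  Returns 1 only if every
 * sequence was well-formed, every code point is ASCII, and the decoded text
 * contains no ".." anywhere.  Decode first, judge the canonical form after. */
int path_is_safe(const unsigned char *raw, size_t n, char *out, size_t outn)
{
    size_t o = 0;
    for (size_t i = 0; i < n; ) {
        unsigned cp;
        size_t used = utf8_decode_strict(raw + i, n - i, &cp);
        if (used == 0 || cp >= 0x80 || o + 1 >= outn)
            return 0;
        out[o++] = (char)cp;
        i += used;
    }
    out[o] = '\0';
    return strstr(out, "..") == NULL;
}
```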
Recommendations
• Leverage security concerns to gain control of OS configurations
– Security is not a part of the service organization
• Limit visibility of complex protocols
– Block if possible, otherwise allow only “well maintained” servers
– HTTP and XML are going to have many more security issues
Questions?