LinuxDevCenter.com

Security Alerts

Ramen Worm Attacks Red Hat Linux Machines

01/22/2001

Welcome to the Security Alerts column, an overview of new Unix and open source security-related advisories and news. Problems this week include the Ramen Internet worm; buffer overflows in MySQL, cu, tcpdump, micq, and jaZip; a temporary-directory race in the SuSE rctab script; several weaknesses in Trend Micro's InterScan VirusWall; a denial of service against the Veritas Backup Exec agent; and follow-ups on the Oracle Application Server mod_plsql patch and on the IBM WebSphere configuration files.

Ramen Worm

An Internet worm that attacks Red Hat Linux machines has cracked hundreds (thousands?) of hosts by exploiting known holes in rpc.statd and wu-ftpd. Once it has broken into a machine, it replaces the web server's default page, installs a rootkit, sends e-mail to two web-based accounts, and starts scanning the network for its next victims. The scanning consumes a large amount of bandwidth. The dangers from the worm are therefore that bandwidth and the possibility that the author, or anyone else who finds the rootkit, will use it to get back into your machine.

The patches for the holes the worm exploits have been available for some time. This is a good example of a problem that is avoided by applying patches promptly and, even more importantly, by not running services and applications you do not need: a machine with neither rpc.statd nor wu-ftpd listening has nothing for this worm to attack, however far behind on patches it is. Keeping up with every security announcement is hard; securing a box up front makes it easier.

MySQL

MySQL, a popular SQL database server, has a buffer overflow in all versions prior to 3.23.31. Exploiting it requires a valid login and password for at least one database on the server, but a successful exploit gives access to all databases on that server, so a low-privilege account for a single database is enough to compromise the whole server.

It is recommended that users upgrade to version 3.23.31 or newer.

cu

cu, the utility in the uucp package used to call other systems, has a buffer overflow in the way it copies its own program name into a fixed-size internal variable. On most systems cu is installed setuid to the user uucp, so exploiting the overflow gives a local attacker the uucp account. That can be leveraged toward root by replacing commonly used programs that are typically owned by uucp with trojaned versions that install back doors when root later runs them. On systems that actually use uucp, the attacker also gains access to the uucp configuration files, which can contain logins and passwords for other systems. Versions of uucp based on Taylor uucp appear not to be affected.

Systems that are not using uucp should remove the setuid bit from cu or remove the uucp package altogether. Systems that depend on uucp should watch their vendor for a patch.

tcpdump

Version 2.5.2 of tcpdump, the network analysis tool, has a remotely exploitable buffer overflow, and an exploit script has been released. Because tcpdump is usually run as root so that it can put the network interface into promiscuous mode, and because the overflow is triggered by the contents of captured packets, anyone able to put a packet onto a segment you are capturing can use this problem to gain root.

At this time I am not aware of a patch for this problem. You should avoid using tcpdump until this problem has been fixed.

micq

An ICQ clone for Linux, micq has a remotely exploitable buffer overflow. This problem can allow a remote user to execute arbitrary code with the permissions of the user executing micq.

I am not aware of a patch for this problem. Check with your vendor for an updated version or a patch.

jaZip

A program for managing Iomega Zip or Jaz drives, jaZip has a buffer overflow. As this program is often installed suid root, it can be exploited by a malicious user to become root. An exploit script has been released for this problem.

If you are not using jaZip, you should remove it or remove its suid bit and watch your vendor for an update.
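Putting the cu and jaZip advice into practice, here is an added example (my own sh, not code from the column or from either package): a function that lists the setuid binaries on a box and one that strips the bit from the programs you name. The paths /usr/bin/cu and /usr/bin/jazip in the usage comment are assumptions about where a distribution installs them, and the function names are mine.

```shell
#!/bin/sh
# Added example: inventory setuid binaries and drop the bit from ones you
# do not need. Paths in the usage comment are assumptions; check your system.

# List every file with the setuid bit (mode 4000) below the given
# directories, staying on one filesystem per argument.
list_setuid() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null
}

# Remove the setuid bit from each path given. Missing paths are skipped
# (cu may live elsewhere, or jaZip may not be installed at all); any file
# that is still setuid afterwards makes the function return non-zero.
strip_setuid() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "not present, skipping: $f" >&2
            continue
        fi
        chmod u-s -- "$f" || rc=1
        if [ -u "$f" ]; then
            echo "still setuid: $f" >&2
            rc=1
        else
            echo "setuid bit removed: $f"
        fi
    done
    return "$rc"
}

# Typical use on a machine that uses neither uucp nor Zip/Jaz drives
# (paths are assumed; find the real ones with list_setuid first):
#   list_setuid /bin /sbin /usr/bin /usr/sbin
#   strip_setuid /usr/bin/cu /usr/bin/jazip
```

Run list_setuid first and go through the output: every setuid program on the box is a candidate for the same treatment, not just the two named this week, and removing the bit from something you do not use costs nothing.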

SuSE rctab

rctab, a script used in SuSE Linux to edit run levels, has a problem in the way it uses its temporary directory: it creates the directory with mkdir -p, which succeeds silently when the path already exists, so a local user who creates that path first (for example, as a symbolic link to a directory of their choosing) can make the script write its temporary files wherever they like. Because rctab is normally run by root, this can be used to overwrite arbitrary files that root has permission to write to.

The rctab script can be made safe by changing the line that reads mkdir -p ${tmpdir} to read mkdir ${tmpdir}: without -p, mkdir fails with an error if anything already occupies that path instead of silently accepting it.

A general workaround for this type of insecure temporary-directory race is to set the $TMP environment variable to a directory that only you can write to, such as $HOME/tmp. Many programs use $TMP (or $TMPDIR) for their temporary files, so this provides some protection against this class of attack for those that do. I have not tested rctab for this behavior.
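To make the difference between the two mkdir lines concrete, here is an added example (my own sh, not the rctab script): a stand-in for the vulnerable line, a stand-in for the fixed line, and a small harness that plays the attacker by planting a symbolic link where the script expects to create its directory. The names unsafe_mktmpdir, safe_mktmpdir and race_result are mine, and the rctab_demo and rctab_target paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: why "mkdir -p" is the bug in rctab and plain "mkdir" the fix.
# Function and path names are assumptions made for this demonstration.

# The vulnerable pattern: -p makes mkdir succeed silently when the path
# already exists, including when it is a symlink an attacker planted.
unsafe_mktmpdir() {
    mkdir -p -- "$1"
}

# The fixed pattern: plain mkdir fails with EEXIST if anything (file,
# directory or symlink) already occupies the path, and the mode keeps the
# directory private to the user creating it. Callers must check the status.
safe_mktmpdir() {
    mkdir -m 0700 -- "$1" 2>/dev/null
}

# Play both sides of the race for the creator function named in $1: the
# attacker pre-creates a symlink at the predictable temp-dir path, pointing
# at a directory of their choice; then the script runs. Prints "vulnerable"
# if the script accepted the planted path, "protected" otherwise.
race_result() {
    creator="$1"
    base="${TMPDIR:-/tmp}"
    victim="$base/rctab_demo.$$.$creator"          # predictable path the script uses
    attacker_dir="$base/rctab_target.$$.$creator"  # where the attacker wants writes to land
    rm -rf -- "$victim" "$attacker_dir"
    mkdir -m 0700 -- "$attacker_dir"
    ln -s -- "$attacker_dir" "$victim"             # attacker wins the race

    if "$creator" "$victim"; then
        # The script would now write its temp files through the symlink into
        # $attacker_dir; with a link pointing at /etc it would clobber root's files.
        result=vulnerable
    else
        result=protected
    fi
    rm -rf -- "$victim" "$attacker_dir"
    echo "$result"
}

# Demonstration: the -p version walks into the trap, the plain one refuses.
#   race_result unsafe_mktmpdir    # vulnerable
#   race_result safe_mktmpdir      # protected
```

Plain mkdir closes this particular hole because the kernel performs the existence check and the creation as one operation. Where mktemp -d is available it is better still, since it also picks an unpredictable name, so the attacker has nothing to pre-create in the first place.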

InterScan VirusWall

Trend Micro's InterScan VirusWall is a real-time virus detection and cleanup tool. Several problems have been reported: when the administrator changes a password, it is sent across the network in the clear; the administrator's user name and password are embedded in each GET request issued by the browser-based administration tools; and it creates temporary files with predictable names, which can be used to overwrite files writable by the user VirusWall runs as.

It is recommended that you only install VirusWall on a stand-alone box and not use the browser-based configuration tools remotely. It has been reported that Trend Micro is not going to release patches for these problems and will instead release a new version in late February or early March.

Veritas Backup Exec

It has been reported that the agent component of Veritas Backup Exec (a multi-platform backup solution) hangs when a connection is made to its port and no data is sent. This type of connection can be caused by actions such as a port scan. This problem has been reported for the agents running under Linux, AIX, Solaris, MS Windows, and Mac.

At this time I am not aware of any patches or workarounds for this problem.

Oracle Application Server

Oracle has released a patch for the problem with mod_plsql in the Oracle Application Server. The patch lets the administrator exclude URLs matching specified formats from being passed to mod_plsql; by default it excludes URLs containing special characters such as space, newline, tab, single quote, and backslash.

Oracle recommends applying this patch to Internet Application Server version 1.0.2.0.

IBM Websphere Commerce Suite

I have been informed that the problems with IBM Websphere include all of the IBM Websphere application servers and not just the commerce server, and that in addition to securing the admin.config, you also need to secure the sas.server.properties file. It was also recommended that you do not place domain admin accounts into Websphere directly.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


©2009, O'Reilly Media, Inc.