Unix/Linux Security Update
Bob Cowles
November 2, 2000
HEPiX-HEPNT 2000, Jefferson Lab
Outline
• Intro
• Format String
• Buffer Overflows
• Symlink following
• Specials
• Conclusions
Intro (1/3)
• Microsoft Security Bulletins
  • 1998: 20
  • 1999: 61
  • 2000 (5 mos): 37
  • 2000 (10 mos): 82
• http://www.securityfocus.com
• http://www.securityportal.com
Intro (2/3)
• DDoS is still a problem
  • Often placed on compromised machines
  • Selection of clients is improving (!)
• AES selection is complete
  • Rijndael selected
  • Expected to be good in mobile, low-power platforms
• Microsoft breakin comments
Intro (3/3)
• Hacked web servers 10/31, courtesy of attrition.org
Format String
• Affects all Unix/Linux systems
• Started with QPOPPER in May
• We haven’t seen the end
• Latest is ypbind
• Severe in LOCALE subsystem and environment variable passing of telnet
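The bug class behind this slide, as an added example that is not code from the slides or from any of the programs they list: a printf- or syslog-family call that takes untrusted text as its format string, beside the hardened form that passes the text as a %s argument. The function names are illustrative.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the slides or from qpopper/ftpd/telnetd/ypbind:
 * when a printf- or syslog-family call receives attacker-controlled text AS
 * THE FORMAT, "%" directives in that text are interpreted and can read or
 * write process memory.  The fix is a constant format with the data supplied
 * as a %s argument, which is what render_log_line() below does. */

/* Vulnerable pattern, shown only as a comment so it is never compiled:
 *     void log_line(const char *untrusted) { syslog(LOG_INFO, untrusted); }
 */

/* Hardened form: untrusted text is only ever consumed as a %s argument.
 * Returns the number of bytes written, or -1 if the output would not fit. */
int render_log_line(const char *untrusted, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "client said: %s", untrusted);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                    /* truncated: treat as an error */
    return n;
}

/* Audit/detection helper: 1 if the text carries a live format directive
 * (anything after '%' other than a second '%').  Useful when triaging logs
 * from the services above, since legitimate input rarely contains one. */
int contains_format_directive(const char *s)
{
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        if (p[1] == '%') { p += 2; continue; }   /* escaped literal percent */
        return 1;
    }
    return 0;
}
```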
Format String Alerts (1/2)
• May: QPOPPER
• June: Various ftpd
• July: BitchX IRC client; rpc.statd (nfsutils)
• August: gnu mailman; NAI net tools; PKI server; IRIX telnetd; xlock
• September: Locale subsystem; screen; klogd; KDE kvt; LPRng lpr; SCO help http server
Format String Alerts (2/2)
• October
  • Cfengine
  • eeprom in BSD, libutil, fstat
  • BSD telnet (remote)
  • PHP error logging
  • ypbind
Buffer Overflows
• April: Solaris ufsrestore; Solaris lp/lpstat/lpset
• May: netpr; kerb4 and kerb5 in compatibility mode; remote exploits for klogin, ksu, krshd
• September: Pine remote exploit using From: line
• October: Dump; Tcpdump
Symlink Following
• Mgetty / faxrund
  • Creates .last_run in world-writable directory
  • Follows symlinks allowing …
    • File creation anywhere
    • File smashing
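How a daemon can write a status file like .last_run into a shared directory without following a planted symlink, as an added example that is not code from the slides or from mgetty; the temp-directory self-check and the function names are my own construction.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not code from the slides or from mgetty.  O_CREAT|O_EXCL|
 * O_NOFOLLOW makes the kernel refuse if the final path component already
 * exists or is a symlink, so the write can neither create a file elsewhere
 * nor smash an existing one.  Returns 0 on success, -1 on refusal/error. */
int write_status_file_safely(const char *path, const char *contents)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                       /* exists, is a symlink, or error */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    size_t len = strlen(contents);
    ssize_t w = write(fd, contents, len);
    close(fd);
    return (w == (ssize_t)len) ? 0 : -1;
}

/* Self-check (constructed): in a fresh temp directory, plant a symlink named
 * .last_run pointing at an existing file, the situation the slide describes,
 * then confirm the safe writer refuses and the target keeps its contents.
 * Returns 1 if the defence held, 0 otherwise. */
int demo_symlink_defence(void)
{
    char dir[] = "/tmp/symdemoXXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char target[64], link[64];
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/.last_run", dir);
    if (write_status_file_safely(target, "original\n") != 0) return 0;
    if (symlink(target, link) != 0) return 0;
    int refused = (write_status_file_safely(link, "clobbered\n") == -1);
    char buf[32] = {0};
    FILE *f = fopen(target, "r");
    if (f) { fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    int intact = (strcmp(buf, "original\n") == 0);
    unlink(link); unlink(target); rmdir(dir);
    return refused && intact;
}
```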
Specials
• Cisco
• Linux capabilities
• Cross site scripting
• PGP
• Netscape
• RSA
• Sun key compromise
Cisco
• 04/19 Access to priv mode in Catalyst switch (fix 5.4(2))
• 04/20 IOS reload when telnetd port is scanned
• 05/15 Router crash with httpd enabled
Linux Capabilities
• Capabilities available in release 2.2.x
• Fine-grain privilege setting
• Inherited from parent process
• Can prevent suid program dropping root
• Exploits used sendmail and procmail
• Temporary fix from CERN
• Current fix is to require 2.2.16
Cross Site Scripting
• Problem inherent in browser/server design
• Fix is up to proper application design by web developers
• Can be used to steal cookies or read/write local files
• 09/07 E*Trade user names and passwords are remotely recoverable
PGP
• Affects version 4 of PGP public keys
  • Mostly Diffie-Hellman
• Additional decryption keys
  • Part of public key not covered by encrypted checksum – allows insertion of additional, unauthorized decryption keys
• Primary issue is one of confidence in PGP
Netscape
• SSL certificate validation code error
  • Happens if host name mismatch
  • No further validation for future use of certificate
• Brown Orifice httpd
  • Delivered in a number of modes
  • Advertised itself as compromised
  • Fix forced upgrade to 4.75
RSA
• 09/06 Code was released to public domain 2 weeks prior to patent expiration
• Expect a greater volume of encryption products to be released over the next year
SUN Certificate Compromise
• Web server certificate compromised
• First admitted case for major vendor
• See http://sunsolve5.sun.com/secbull/certificate_howto.html to determine if the certificate has been accepted
IIS Unicode
• Not UNIX, but very important; allows remote execution of commands (cmd, tftp)
• Other Unicode exploits are likely in other programs needing to edit input data
• Difficult to remove all “dangerous” characters – too many ways to represent them
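Why filtering "dangerous" characters fails against this class of bug, as an added example that is not code from the slides or from IIS: a validator that decodes UTF-8 first and rejects any non-shortest (overlong) form, so a separator can only ever appear as its single canonical byte. The function names and the path-component policy are my own assumptions.

```c
#include <stddef.h>

/* Added example, not code from the slides or from IIS.  '/' has exactly one
 * canonical UTF-8 encoding (0x2F), but a decoder that tolerates overlong
 * sequences also maps C0 AF or E0 80 AF to '/', after a byte filter has
 * already looked for 0x2F and found nothing.  Decode first, reject anything
 * that is not shortest-form, and only then apply the character policy.
 * Returns 1 if s[0..n) is well-formed, shortest-form UTF-8, else 0. */
int utf8_is_canonical(const unsigned char *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        unsigned char c = s[i];
        size_t len = 0; unsigned long cp = 0, min = 0;
        if (c < 0x80)                 { i++; continue; }          /* ASCII */
        else if ((c & 0xE0) == 0xC0)  { len = 2; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0)  { len = 3; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0)  { len = 4; cp = c & 0x07; min = 0x10000; }
        else return 0;                /* stray continuation byte or 0xF8+ */
        if (i + len > n) return 0;    /* truncated sequence */
        for (size_t k = 1; k < len; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min) return 0;       /* overlong form such as C0 AF */
        if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        i += len;
    }
    return 1;
}

/* Policy for one path component (assumed policy): canonical UTF-8 only, and
 * only then check for separators and NUL.  Returns 1 when it is acceptable. */
int path_component_ok(const unsigned char *s, size_t n)
{
    if (!utf8_is_canonical(s, n)) return 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] == '/' || s[i] == '\\' || s[i] == 0) return 0;
    return 1;
}
```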
Recommendations
• Leverage security concerns to gain control of OS configurations
• Security is not a part of the service organization
• Limit visibility of complex protocols
• Block if possible, otherwise allow only “well maintained” servers
• HTTP and XML are going to have many more security issues
Questions?