[LWN Logo]
[LWN.net]

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Back page
All in one big page

See also: last week's Security page.


News and Editorials

Reports from DefCon. At this point, those of you following security-related media news have been inundated with reports from this year's DefCon conference in Las Vegas. Given an attendance of over 5000 people, the event is large enough and controversial enough to attract more main stream media attention, for better or for worse. We were unable to attend, so, instead, we've picked out some amusing highlights for your enjoyment.

Forbes noted the heightened presence of members of the CIA, Department of Defense and the NSA. Their mission ... to hire hackers.

Such recruitment did not go unnoticed and sparked articles with warnings from professional security firms against hiring "Grey Hats" or "DefCon hackers". Check this Fairfax IT or this GlobalTechnology.com article for examples.

Our choice for an interesting report from DefCon, though, was this technically detailed report on Palante's server entry into the Capture the Flag contest. It used a modified Linux kernel with Domain and Type Enforcement added in.

Access to a root shell was made fairly easy and straightforward (for a "DefCon hacker" :-). After that, though, the hackers soon found that a root shell did not equate to a flag capture. From the description of Domain and Type Enforcement: "Imagine someone "popping a root shell" on your box and not being able to do anything with it, and you not having to panic and reinstall. This is one of the many advantages of Domain and Type Enforcement, which groups similar (with respect to security) subjects and objects (e.g. processes and files) into clumps whose interactions are strictly and incessantly controlled."

Netscape/Java "Brown Orifice" vulnerability. Dan Brumleve reported security holes in Java and Netscape that could be used to "allow arbitrary network access and read-access for local files and directories." He put up a website, entitled "Brown Orifice", under which he ran a webserver to demonstrate the problem. Elias Levy provided a clear description of the two vulnerabilities demonstrated.

Amusingly, Hiromitsu Takagi, in turn, found and reported a vulnerability in Dan's demonstration server.

So far, it appears that Mozilla is not vulnerable (but if you've hacked your version of Mozilla to use Java support, you may be) and that the Netscape 6 PRE 1 and PRE2 version are not, either. Netscape 4.74 definitely is and no update to Netscape has been released as of yet. Until one is released, disabling Java support in Netscape is strongly recommended.

So far, so good. However, give an exploit a "cool name" and you'll immediately garner more media attention. The "Brown Orifice" label on this vulnerability was apparently irresistible. As a result, you can check out media coverage in a variety of different articles:

The worst of the coverage culminated with this SiliconValley.com article, riddled with so many errors that it provoked a response from SecurityFocus' Elias Levy. "Please fact check your stories. Double check any statements made by people in the computer security industry. Including those from us, SecurityFocus.com. This industry likes to exaggerate the danger of vulnerabilities. Nothing sells products like fear."

The introduction of media antics like the above always seem like a rude interruption in the arena of security reporting. Usually, we get a technical report of a problem, commentary, confirmation or negation posted in reply and preferably quick patches to fix the problem. In the middle of a storm of news articles, finding the real information gets more and more difficult.

Sandia Red Team hacks all computer defenses. This press release from the Sandia National Laboratories reports on their Information Design Assurance Red Team or IDART. "The typical IDART group, which may consist of three to eight hackers, sometimes explains to clients in advance exactly how and when they will attack. System defenders have time to prepare specific, automatic, and even redundant defenses for their software, platforms, firewalls, and other system components. Yet results disconcert clients every time: their defenses are breached."

Linux Sux Redux: A Rebuttal. SecurityFocus Director of Site Content, Ben Greenbaum, put out a rebuttal to Fred Moody's Linux Sux Redux, which took manipulation of statistics to a high level of inaccuracy. "The worst situation by far is when the statistics are not only "massaged" to serve personal or corporate goals, but interpreted incorrectly in the first place. The Bugtraq stats have been used and referenced in various articles and endeavors, with varying degrees of accuracy. The most egregious example of misuse and misinterpretation by far to this point is in the article referenced above, where Mr. Moody states that Linux is the most insecure OS available. This is based on a gross misreading of the available data."

Since it was SecurityFocus' data that was misread, Ben's rebuttal to this article seems most appropriate.

Security Reports

suidperl/mailx vulnerability. Sebastian Krahmer and Michal Zalewski took undocumented "features" in /bin/mail (mailx) and a poor programming choice in suidperl and demonstrated the resulting local root exploit. This has been confirmed with sperl 5.00503 and newer. Fixes for this problem repair both the perl and mail packages. For the exquisite details, check this additional posting. This is one that you'll want to fix immediately.

You'll notice below that some distributions have issued updates to mailx, some to perl and some to both. It is true that the described vulnerability will be prevented as soon as one or the other package is fixed, but both packages should be fixed sooner or later to prevent other, similar vulnerabilities. None of the advisories particularly explain their decision-making process, so for now, we'll assume that updates for both mailx and perl will eventually be made available, as soon as the distributors have a repaired package with which they are satisfied.

Note for the Red Hat update: an error message is generated by rpm when the new perl package is installed, complaining about a dependency on rpmlib. To resolve the problem, you can either install the rpm 3.0.5 packages or just add the "--nodeps" to your rpm command.

Red Hat security update to umb-scheme. Red Hat has issued an update to the umb-scheme package which fixes a file permissions problem in which two files are installed world-writable. This is likely a Red Hat-specific problem. Conectiva and Linux-Mandrake have confirmed that they are not impacted.

Diskcheck 3.1.1 Symlink Vulnerability. You, Jin-Ho reported a symlink vulnerability in Diskcheck 3.1.1. Diskcheck is a perl script that monitors disk usage and is generally run via cron. The default configuration uses a temporary file in /tmp. A simple modification to the configuration file to choose an alternate, safer location should fix the problem. Stan Bubrouski commented that the problem was reported last month (though it apparently missed our radar as well) and is fixed in Red Hat's pinstripe and rawhide versions. It is apparently not shipped with earlier versions of Red Hat (and possibly not many other distributions, as well).

PCCS MySQLDatabase Admin Tool Manager. A recent posting to BugTraq pointed out problems with the PCCS MySQLDatabase Admin Tool Manager which could allow unauthorized remote administration of the database and/or access in plaintext to the administrator password.

Commercial products. The following commercial products were reported to contain vulnerabilities:

Updates

Mailman. A vulnerability was reported in mailman 2.0beta3 and 2.0beta4 and fixed in 2.0beta5. Check last week's Security Page for more details.

ntop. In web server mode, ntop can be used to remotely read any file on the system. Check last week's Security Summary for more details. ntop 1.3.1 has been reported not vulnerable. The Debian update below appears to contain a patched version of 1.2a7.

  • Debian (Debian 2.1 not vulnerable, "potato" (soon to be Debian 2.2) and "woody" are)

Netscape/Mozilla JPEG marker vulnerability. Check the July 27th Security Summary for more information.

SuSE omnibus security advisory. SuSE has sent out a combined security advisory describing several current issues, including Netscape, NFS, PAM, kon2, mailman, and the home account of the "nobody" user. SuSE users should have a look and act on the issues that affect them.

Resources

Nessus 1.0.4. An updated version of the Nessus security scanner has been made available, with new security checks and several bug-fixes.

Crypto list for beginners. A new cryptography list for beginners has been announced. "This list is to talk about different cryptology and how it's used both at home and in the workplace. We will also discuse any security issues with different versions of PGP and how to fix these issues."

ICAT Searchable Vulnerability Index. The National Institute of Standards and Technology has announced their ICAT searchable vulnerability index. It is based on the CVE vulnerability naming standard. "ICAT does not compete with publicly available vulnerability databases but instead is a search engine that drives traffic to them."

Events

August/September security events.
Date Event Location
August 14-17, 2000. 9th Usenix Security Symposium Denver, Colorado, USA.
August 14-18, 2000. Ne2000 (Networking 2000) Lunteren, The Netherlands
August 18-20, 2000. Hack Forum 2000 Ukraine
August 20-24, 2000. Crypto 2000 Santa Barbara, California, USA
August 22-23, 2000. WebSec 2000 San Francisco, California, USA
September 1-3, 2000. ToorCon Computer Security Expo San Diego, California, USA.
September 11-14, 2000. InfowarCon 2000 Washington, DC, USA.
September 13-14, 2000. The Biometric Consortium 2000 Gaithersburg, MD, USA.
September 19-21, 2000. New Security Paradigms Workshop 2000 Cork, Ireland.
September 26-28, 2000. CERT Conference 2000 Omaha, Nebraska, USA.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


August 10, 2000


Secure Linux Projects
Bastille Linux
Immunix
Khaos Linux
Nexus
Secure Linux
Secure Linux (Flask)
Trustix

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara MNU/Linux Advisories LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
Linux Security Audit Project
LinuxSecurity.com
OpenSSH
OpenSEC
Security Focus
SecurityPortal
 

Next: Kernel

 
Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds