Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

Solaris Worm Attacks IIS Servers

05/15/2001

Alerts this week:

vixie cron

Oracle ADI

EnGarde Secure Linux

Samba 2.0.8

sadmind/IIS Worm

Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at problems in vixie cron, Oracle ADI, EnGarde Secure Linux, and Samba 2.0.8; discuss the sadmind/IIS worm; and talk about how to protect a system against worms and other attackers.

vixie cron

The version of vixie cron, a daemon used to schedule commands, that was patched in the fall of 2000 has an error that a local user can exploit to obtain root-level privileges. The vulnerability is caused by the crontab command not properly dropping its privileges under some conditions. It has been reported that this vulnerability affects Debian, SuSE, and possibly other Linux distributions.

It is recommended that administrators of systems with a vulnerable vixie cron restrict access to cron to trusted users and upgrade to a fixed version when one becomes available. Debian users should upgrade to the latest version of vixie cron.

Oracle ADI

Oracle ADI (Application Desktop Integrator) version 7.1.1.10.1, an application shipped with Oracle Financial Applications version 11.5.3, creates a file named dbg.txt on the local system that contains the user names and passwords used to log into the database. This file is created whenever the software is started. A malicious user can use these accounts and passwords to obtain full control over the tables in the database.

Users of Oracle ADI should downgrade to a version earlier than 7.1.1.10.1 and should watch Oracle for a patch.

EnGarde Secure Linux

EnGarde Secure Linux version 1.0.1 was distributed with a version of glibc that is vulnerable to several environmental variable-based attacks.

Guardian Digital recommends that all users of EnGarde Secure Linux version 1.0.1 upgrade to the latest glibc package. This package is available on the EnGarde Secure Linux web site and FTP server.

Samba 2.0.8

In April, Samba version 2.0.8 was released to fix a symbolic-link race condition that an attacker could use to overwrite system files, destroy file systems, or obtain root privileges. However, 2.0.8 did not actually fix the problem, and version 2.0.9 has now been released to fix it.

The problem was fixed in the 2.2.0 release and users of that version do not need to upgrade.

Users of Samba 2.0.8 or earlier should upgrade to version 2.0.9 or 2.2.0 as soon as possible. Version 2.0.9 is planned to be the last release in the 2.0.x series.

sadmind/IIS Worm

sadmind/IIS, a new worm that compromises Solaris servers and then scans for and attacks Microsoft IIS (Internet Information Server) web servers, defacing their web pages, has been reported. The worm attacks Solaris 7 and earlier machines by exploiting a buffer overflow in sadmind that was announced two years ago. It attacks Windows servers using a vulnerability that was announced seven months ago. It also spreads itself automatically to additional Solaris servers using the sadmind vulnerability.

The sadmind application is used to perform some system administration tasks remotely. A buffer overflow that was patched in 1999 can allow a remote attacker to execute arbitrary code with the permissions of the root user.

Signs that a Solaris system has been compromised by the worm include: sadmind bus errors and core dump messages in the syslog file; a root shell listening on port 600; the existence of the directories /dev/cub and /dev/cuc; a "++" added to the .rhosts file in root's home directory; and running processes such as:

/bin/sh /dev/cuc/sadmin.sh
/dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 111
/dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 80
/bin/sh /dev/cuc/uniattack.sh
/bin/sh /dev/cuc/time.sh
/usr/sbin/inetd -s /tmp/.f
/bin/sleep 300
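The indicators listed above can be checked mechanically. The following shell script is an added example, not part of the column: it looks for the /dev/cub and /dev/cuc directories, a "++" entry in root's .rhosts, worm processes under /dev/cuc or an inetd started with /tmp/.f, and a listener on TCP port 600. It reads ps and netstat output from files so that it can run offline against a constructed sample host built by the script itself; on a live Solaris system you would pass it "/", /.rhosts, and saved output of "ps -ef" and "netstat -an". The sample host, its file names and the netstat line format are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the column): check a host for the sadmind/IIS
# indicators the column lists. ps and netstat output are read from files so
# the check can run offline against the constructed sample host below.

# Print one line per indicator found; prints nothing on a clean host.
# $1 = filesystem root, $2 = root's .rhosts, $3 = ps listing, $4 = netstat listing
sadmind_indicators() {
  root=$1; rhosts=$2; pslist=$3; netlist=$4
  for d in "$root/dev/cub" "$root/dev/cuc"; do
    [ -d "$d" ] && echo "INDICATOR: worm directory $d exists"
  done
  # A bare "++" in .rhosts trusts every user on every host for rsh/rlogin.
  if [ -f "$rhosts" ] && grep -qF '++' "$rhosts"; then
    echo "INDICATOR: '++' trust-all entry in $rhosts"
  fi
  # Scripts run from /dev/cuc, or inetd reading the worm's /tmp/.f config.
  if grep -q -e '/dev/cuc/' -e 'inetd -s /tmp/\.f' "$pslist"; then
    echo "INDICATOR: worm process in process listing"
  fi
  # Solaris "*.600 ... LISTEN" and Linux "0.0.0.0:600 ... LISTEN" both match.
  if grep -E -q '[.:]600[[:space:]].*LISTEN' "$netlist"; then
    echo "INDICATOR: listener on TCP port 600 (worm root shell)"
  fi
  return 0
}

# Constructed sample host (assumption for the demo): "infected" plants every
# indicator from the column, "clean" plants none.
make_sample_host() {
  base=$(mktemp -d)
  mkdir -p "$base/dev" "$base/root"
  if [ "$1" = infected ]; then
    mkdir -p "$base/dev/cub" "$base/dev/cuc"
    printf '%s\n' '++' > "$base/root/.rhosts"
    printf '%s\n' '/bin/sh /dev/cuc/sadmin.sh' '/usr/sbin/inetd -s /tmp/.f' \
      > "$base/ps.txt"
    printf '%s\n' '      *.600                *.*                0      0 24576      0 LISTEN' \
      > "$base/netstat.txt"
  else
    printf '%s\n' 'trusted.example.com root' > "$base/root/.rhosts"
    printf '%s\n' '/usr/sbin/inetd -s' '/usr/lib/sendmail -bd -q15m' > "$base/ps.txt"
    printf '%s\n' '      *.22                 *.*                0      0 24576      0 LISTEN' \
      > "$base/netstat.txt"
  fi
  echo "$base"
}

# Run the check against a sample host and print the number of indicators found.
count_sadmind_indicators() {
  h=$(make_sample_host "$1")
  n=$(sadmind_indicators "$h" "$h/root/.rhosts" "$h/ps.txt" "$h/netstat.txt" | wc -l | tr -d ' ')
  rm -rf "$h"
  echo "$n"
}

# Stand-alone demo: show the findings for the constructed infected host.
h=$(make_sample_host infected)
sadmind_indicators "$h" "$h/root/.rhosts" "$h/ps.txt" "$h/netstat.txt"
rm -rf "$h"
```

None of these checks on its own proves a compromise (port 600 could be a legitimate service), but the worm leaves all of them at once, so several hits together are a strong signal; a hit on any of them is reason to take the host off the network and examine it rather than simply delete the files.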

Once the worm has used the Solaris server to compromise 2000 Windows IIS servers, it will modify the index.html page, if any, on the Solaris server's web server.

It has been reported that thousands of Windows servers running IIS and hundreds of Solaris machines have been damaged or compromised by the sadmind/IIS worm.

To protect your system from this type of attack:

First, do not allow unused and unneeded applications to be available over the network. I suspect that most of the Solaris machines that have been compromised by this worm were running sadmind not because it was in use for remote system administration, but because it had never been turned off. Administrators should look at two major areas for applications that may listen on the network: the /etc/inetd.conf file and running applications. They should turn off any and all applications that are not going to be used or needed. In many instances the crackers know about a vulnerability long before it is announced by CERT, mentioned on BUGTRAQ, or fixed by a distribution. Turning off unneeded software is foolproof protection against a vulnerability in the software compromising your system.

Second, limit access to your system and the daemons listening on the network to authorized users. For example, if sadmind is being used on your system you can use a firewall to prevent arbitrary attackers located outside your network from connecting to the daemon to exploit a vulnerability. This also protects you to a degree from unannounced security vulnerabilities.

Third, watch for security announcements and apply needed patches and workarounds as they are announced. It is a good practice to watch several different sources of security news, as not every source will carry news of every vulnerability. Watching a security news source that only discusses news about one platform or area can be risky as well -- some news can take a long time to propagate.

If, as an administrator, you disable or remove unused applications, firewall your network, and apply any patches or workarounds that are needed, you will only read about systems that have been compromised -- and will be much less likely to find yourself cleaning up a compromised network.
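The first recommendation above, turning off network services that nobody uses, starts with knowing what /etc/inetd.conf has switched on. The following script is an added example, not part of the column: it lists the active entries of an inetd.conf and writes a copy in which every entry outside an allow-list is commented out. The inetd.conf content is constructed for the demo (the sadmind entry uses RPC program number 100232); a real audit reads /etc/inetd.conf, and inetd must be sent a HUP after the file is changed.

```shell
#!/bin/sh
# Added example (not from the column): audit an inetd.conf for entries that
# are switched on, and produce a copy with only an allow-list left active.
# The inetd.conf content below is constructed for the demo.

# Print the first field (service name, or RPC program number for "tli rpc/*"
# entries such as sadmind) of every active, uncommented entry.
inetd_enabled_services() {
  awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# Copy an inetd.conf to stdout, commenting out every active entry whose first
# field is not in the space-separated allow-list given as $2.
inetd_apply_allowlist() {
  awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
    /^[ \t]*#/ || NF < 6 { print; next }   # comments and blank lines pass through
    ($1 in keep)         { print; next }   # allowed service stays on
                         { print "#" $0 }  # everything else is switched off
  ' "$1"
}

# Constructed sample inetd.conf (assumption for the demo) with a few
# Solaris-style entries, including the sadmind RPC entry the worm relies on.
write_sample_inetd_conf() {
  cat > "$1" <<'EOF'
# constructed sample, not a real host's /etc/inetd.conf
ftp        stream  tcp      nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet     stream  tcp      nowait  root    /usr/sbin/in.telnetd  in.telnetd
#finger    stream  tcp      nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
100232/10  tli     rpc/udp  wait    root    /usr/sbin/sadmind     sadmind
100083/1   tli     rpc/tcp  wait    root    /usr/dt/bin/rpc.ttdbserverd  rpc.ttdbserverd
EOF
}

# Number of active entries in the sample file before any change.
count_enabled_before() {
  f=$(mktemp)
  write_sample_inetd_conf "$f"
  inetd_enabled_services "$f" | wc -l | tr -d ' '
  rm -f "$f"
}

# Number of active entries after keeping only ftp and telnet.
count_enabled_after() {
  f=$(mktemp); g=$(mktemp)
  write_sample_inetd_conf "$f"
  inetd_apply_allowlist "$f" "ftp telnet" > "$g"
  inetd_enabled_services "$g" | wc -l | tr -d ' '
  rm -f "$f" "$g"
}

# Stand-alone demo: list what is on, then show the hardened file.
f=$(mktemp)
write_sample_inetd_conf "$f"
echo "enabled before:"; inetd_enabled_services "$f"
echo "hardened inetd.conf:"; inetd_apply_allowlist "$f" "ftp telnet"
rm -f "$f"
```

The allow-list approach is deliberately the reverse of hunting for known-bad entries: anything you cannot name a reason for is turned off, which is what protects against the vulnerabilities that have not been announced yet. The same review has to cover daemons started from rc scripts, which do not appear in inetd.conf.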

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.