Apache.org Server Compromised

by Noel Davis
06/04/2001

Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at the compromise of the Apache Software Foundation Server; buffer overflows in yppasswd, Qpopper, and mailtool; vulnerabilities in TWIG, webmin, and GnuPG; a new type of attack against sendmail; and discuss the use of the user nobody.

Apache Software Foundation Server

The public server used by the Apache Software Foundation to provide the source code repository, binary distribution, web services, and public mailing lists was compromised earlier this month. The cracker is reported to have gained access to an account on the Apache Software Foundation's server via the compromise of the SourceForge servers. Once the attacker had an account, root access was obtained through a bug in OpenSSH, followed by replacement of OpenSSH and other software with trojaned versions.

An automated nightly audit caught the changes in the executables and alerted the administrators of the server. Once alerted to the problem they shut down SSH, did an audit of the server through a serial console, reinstalled the operating system, removed all the back doors, and zeroed out compromised passwords. The administrators then turned SSH back on and enabled commit access to the source code repositories.

The Apache Software Foundation has done a careful audit of the source code and binary repositories on the server and, as of March 29th, no problems or changes had been found. They have asked that anyone with information concerning the compromise of apache.org or other related compromises contact root@apache.org.
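The nightly audit that caught the trojaned executables is the detection step worth reproducing. The following is an added example, not the Apache Software Foundation's actual audit tooling: it records a baseline of SHA-256 digests for every regular file under a directory and, on later runs, reports files that were added, removed, or changed. The file and directory names in the test are constructed. The baseline itself must live somewhere an intruder with root cannot rewrite (read-only media, or another host), since an attacker who replaced OpenSSH could just as easily rewrite a baseline stored alongside it.

```python
import hashlib
import json
import os
import sys


def digest_file(path, chunk=65536):
    """Return the SHA-256 hex digest of one file, read in fixed-size chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (path relative to root) to its digest.

    Symbolic links are skipped, and os.walk does not follow linked directories,
    so a planted link cannot redirect the audit away from the real binary.
    """
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            result[os.path.relpath(full, root)] = digest_file(full)
    return result


def save_baseline(snap, path):
    """Write the baseline as JSON (store it read-only or off-host)."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def diff_snapshots(baseline, current):
    """Report files added, removed, or whose contents changed since the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


if __name__ == "__main__":
    # Usage: audit.py <directory> <baseline.json>
    # First run writes the baseline; later runs exit non-zero on any change.
    root, baseline_path = sys.argv[1], sys.argv[2]
    current = snapshot(root)
    if not os.path.exists(baseline_path):
        save_baseline(current, baseline_path)
        print("baseline written to", baseline_path)
    else:
        changes = diff_snapshots(load_baseline(baseline_path), current)
        for kind, paths in changes.items():
            for p in paths:
                print(kind, p)
        sys.exit(1 if any(changes.values()) else 0)
```

Running this from cron against /usr/bin, /usr/sbin and the like gives the same kind of alert the administrators received; the trust in the report, however, is only as good as the trust in the baseline and in the host running the comparison, which is why the Apache administrators did their post-incident audit over a serial console rather than from the compromised network path.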

Alerts this week:

  • Apache Software Foundation Server
  • TWIG
  • yppasswd
  • webmin
  • sendmail
  • GnuPG
  • Qpopper
  • Solaris mailtool
  • The User nobody

TWIG

TWIG, a free web-based email reader written in PHP, does not properly check all of its variables before using them in queries to the database, which could allow an attacker to construct a query that gives complete control over the tables and data in the database. This is known to affect TWIG version 2.6.2 and earlier.

Users of TWIG should watch the TWIG web site for an update.
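The TWIG problem is the general pattern of request variables being pasted into SQL text. The following is an added example, not TWIG's code and not its schema: a constructed three-row "messages" table in an in-memory SQLite database, a lookup that builds the query by string formatting, and the same lookup using bound parameters. Python and sqlite3 stand in for PHP and TWIG's database so the comparison can be run anywhere. The unsafe version returns rows belonging to other users once the folder name contains a quote character, because the quote ends the string literal and the rest of the input becomes SQL; the safe version passes the value to the driver separately from the statement, so the same input simply matches no folder.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for a web-mail database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages (id INTEGER, owner TEXT, folder TEXT, subject TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", [
        (1, "alice", "inbox", "lunch?"),
        (2, "alice", "private", "salary review"),
        (3, "bob", "inbox", "build broken"),
    ])
    return conn


def list_folder_unsafe(conn, owner, folder):
    """Vulnerable pattern: untrusted values interpolated into the SQL text."""
    sql = ("SELECT id, subject FROM messages "
           "WHERE owner = '%s' AND folder = '%s' ORDER BY id" % (owner, folder))
    return conn.execute(sql).fetchall()


def list_folder_safe(conn, owner, folder):
    """Fixed pattern: placeholders in the SQL, values bound by the driver."""
    sql = ("SELECT id, subject FROM messages "
           "WHERE owner = ? AND folder = ? ORDER BY id")
    return conn.execute(sql, (owner, folder)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Ordinary input: both versions agree.
    print(list_folder_unsafe(conn, "alice", "inbox"))
    print(list_folder_safe(conn, "alice", "inbox"))
    # A folder name containing a quote: the unsafe version's WHERE clause is
    # rewritten and every user's mail comes back; the safe version returns nothing.
    odd = "x' OR '1'='1"
    print(list_folder_unsafe(conn, "alice", odd))
    print(list_folder_safe(conn, "alice", odd))
```

Escaping quotes by hand is the usual 2001-era fix and is fragile (character-set and numeric-column cases slip through); parameter binding, where the database API offers it, removes the problem rather than patching around it.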

yppasswd

There is a buffer overflow in the yppasswd daemon, with a published exploit, that affects Solaris machines running NIS. Solaris 2.6, 7, and 8 are reported to be vulnerable to this attack.

It is suggested that users turn off yppasswd until a patch from Sun has been applied, and firewall any machines running NIS off the Internet. It should be noted that firewalling the machines will not protect against an inside attack, and that turning off yppasswd will prevent users from changing their passwords.

webmin

webmin, a web-based administration tool, does not clear its environment variables properly. This can be used by a local attacker to gain root-level access.

It is recommended that users upgrade to webmin version 0.82 or newer.

sendmail

sendmail has been found to be vulnerable to a race condition in its signal handling routines. At this time there are no known exploits for this vulnerability.

Sendmail, Inc., and the Sendmail Consortium have announced sendmail 8.11.4. This new version of sendmail changes the handling of signals to reduce the chance of a race condition leading to heap corruption and fixes other bugs.

Sendmail, Inc., and the Sendmail Consortium recommend that users upgrade to version 8.11.4 to prevent a compromise in the event a method is discovered to exploit the signal handling race condition.

GnuPG

The GNU Privacy Guard, GnuPG, is a replacement for the PGP (Pretty Good Privacy) software. There is a format string bug in the GnuPG code that processes the filename of a file to be decrypted; an attacker can use it to execute arbitrary code with the permissions of the user decrypting the file. This bug affects versions 1.0.5 and earlier.

All users of GnuPG are advised to upgrade to version 1.0.6 or newer as soon as possible.

Qpopper

Qpopper, a Unix POP mail server, has a buffer overflow that may be exploitable by an attacker to gain root access to the server. It has been reported that the buffer overflow affects all versions of Qpopper 4.x prior to 4.0.3.

All users of Qpopper should upgrade to version 4.0.3 or newer, which is available at ftp://ftp.qualcomm.com/eudora/servers/unix/popper/.

Solaris mailtool

There is a buffer overflow in the Solaris mailtool program that is known to affect Solaris 8 and 2.6 systems and may affect other versions of Solaris. mailtool is installed set-group-id to the group mail.

Users should remove the set group id bit from mailtool until a patch from Sun has been applied.

The User nobody

Sometimes the conventional wisdom is wrong, and sometimes we find ourselves picking up habits or methods that we would change if only we thought them through. I am talking specifically about the use of the user nobody. How many of us run applications and daemons under the user nobody? How many web servers are running as the user nobody? I know that all of mine have -- not out of planning or careful consideration of the issues -- because that was the way I learned to do it and I never gave it a lot of thought.

I never gave it a lot of thought until this week when I read a Bugtraq post, by Darren Moffat, which explained that the user nobody should not be used as a general purpose account, that it was created to be the user that root gets mapped to under NFS, and that there should never be sensitive files owned by the user nobody. I knew about NFS, but I'd never thought very much about the nobody account and some of the risks involved in running multiple applications under it.

Darren is right: the proper way to have a "nobody" account for applications and daemons is to create an individual account for each of them and grant it only the permissions it needs, rather than using the nobody account as a general-purpose, catch-all account.
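Before splitting daemons out into their own accounts, it helps to know what is currently sharing nobody. The following is an added example, not from the column or from Darren Moffat's post, and it assumes a Linux-style /proc: it reads the Uid line of each /proc/<pid>/status to list processes whose effective uid is nobody's, and walks a directory tree reporting files owned by that uid, which is exactly the "sensitive files owned by nobody" condition the post warns against. The process-status text in the test is constructed.

```python
import os
import pwd
import sys


def uids_from_status(text):
    """Parse the 'Uid:' line of a /proc/<pid>/status file.

    Returns (real, effective, saved, filesystem) uids, or None if absent.
    """
    for line in text.splitlines():
        if line.startswith("Uid:"):
            return tuple(int(p) for p in line.split()[1:5])
    return None


def name_from_status(text):
    """Return the process name from the 'Name:' line, or '?' if absent."""
    for line in text.splitlines():
        if line.startswith("Name:"):
            return line[len("Name:"):].strip()
    return "?"


def processes_running_as(uid, proc="/proc"):
    """List (pid, name) for every process whose effective uid equals uid."""
    found = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "status")) as f:
                status = f.read()
        except OSError:
            continue  # process exited, or status not readable to us
        uids = uids_from_status(status)
        if uids and uids[1] == uid:
            found.append((int(entry), name_from_status(status)))
    return sorted(found)


def files_owned_by(uid, root):
    """Return every file and directory under root owned by uid.

    lstat is used so symlinks are reported as themselves, never followed.
    """
    owned = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if st.st_uid == uid:
                owned.append(full)
    return sorted(owned)


if __name__ == "__main__":
    # Usage: nobody_audit.py [directory ...]   (defaults to /etc /var /home)
    nobody = pwd.getpwnam("nobody").pw_uid
    print("processes running as nobody (uid %d):" % nobody)
    for pid, name in processes_running_as(nobody):
        print("  %6d  %s" % (pid, name))
    for root in sys.argv[1:] or ["/etc", "/var", "/home"]:
        for path in files_owned_by(nobody, root):
            print("owned by nobody:", path)
```

Every daemon the first list shows is one that can read, and often write, whatever the second list shows, and can signal or ptrace the others; each should get its own account and its own files.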

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
