sshd fiasco
Last week a site called "rootshell" was broken into, and had its web
page replaced. The maintainers of rootshell determined that access
was probably made through ssh, and that therefore there was a security
hole in the sshd they were running (1.2.26 on Linux). Within a few
days, IBM was writing a draft of an advisory for sshd, including a patch
that would fix the hole. A few days later, however, the author of
ssh got in contact with IBM and they discovered that the patch was ineffective,
and that there probably was no hole in sshd in the first place. IBM was never able
to reproduce the bug after recompiling sshd from scratch. The rootshell
website put out a little zine claiming that sshd is at fault, but currently
the facts seem to support the notion that sshd 1.2.26 is fine. Many
people started poring over the code as a result of the hype, though, and
a few small bugs (believed not to be exploitable) have been found and fixed.
End result: sshd 1.2.26 is probably safe.
users can control tapes on solaris
The /dev/rmt directory on Solaris contains device nodes whose permissions let
ordinary users manipulate the tape drives. Some of the amusing exploits for
this involved ruining your backups, or restoring from a backup into a user's
directory where they can read secret files (like /etc/shadow).
windows may export its system dir
If you share a printer under Windows (95 or 98), your Windows system
directory (usually \windows\system) will be exported read-only,
so anyone can see what's in it (but can't change it). Microsoft later
defended this, saying it is used to share printer drivers, and that you
should run NT in environments where security is an issue. You can
minimize the damage by turning off "File and Printer sharing for Microsoft
networks" under TCP/IP properties, after which your system directory is
only exported to your local LAN.
sendmail can be blocked on linux
Linux's network stack behaves slightly differently from an old-style
BSD stack, mostly for performance reasons. During an initial connection,
Linux may detect an error and report it to the application using error codes
that exist in all Unixes but aren't typically returned to a server accepting
a connection. (Linux will sometimes notify an application of a
connection before the 3-way TCP handshake is actually complete; if the
3-way handshake then fails to complete, it returns an error to the
application.) Sendmail "copes" with unknown error codes by logging
an error message and putting itself to sleep for 5 seconds.
A malicious person can therefore cause your sendmail to spend most of its
time asleep by sending a SYN followed by RST every few seconds.
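The fix on the server side is to treat these per-connection errors as "call
accept() again" rather than as a reason to sleep. Here is an added example (not
sendmail's code, and not from the original digest) of an accept loop written that
way in C; the error list follows the Linux accept(2) note about pending network
errors being reported from accept(), plus the usual EINTR/EAGAIN/ECONNABORTED.
The function names and the demo banner are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Classify an errno from accept(): 1 means "that one incoming connection is
 * gone or not ready; the listening socket is fine, call accept() again",
 * 0 means something is wrong with the listener or the process itself. */
int accept_error_is_transient(int err)
{
    switch (err) {
    case EINTR:
    case EAGAIN:
#if defined(EWOULDBLOCK) && (EWOULDBLOCK != EAGAIN)
    case EWOULDBLOCK:
#endif
    case ECONNABORTED:      /* peer tore down the half-open connection (SYN, then RST) */
    case ECONNRESET:
    case ENETDOWN:
    case EPROTO:
    case ENOPROTOOPT:
    case EHOSTDOWN:
#ifdef ENONET
    case ENONET:
#endif
    case EHOSTUNREACH:
    case EOPNOTSUPP:
    case ENETUNREACH:
    case ETIMEDOUT:
        return 1;
    default:                /* EBADF, EINVAL, ENOTSOCK, EMFILE, ENFILE, ENOMEM ... */
        return 0;
    }
}

/* Accept loop that handles up to max_conns connections and never sleeps on a
 * transient error.  The behaviour the page describes for sendmail (log, then
 * sleep for 5 seconds) turns every aborted handshake into five seconds of
 * downtime; here an aborted connection costs one more accept() call.
 * Returns the number of connections handled, or -1 on a fatal accept() error. */
int serve(int listen_fd, int max_conns, void (*handle)(int))
{
    int handled = 0;
    while (handled < max_conns) {
        struct sockaddr_in peer;
        socklen_t len = sizeof peer;
        int fd = accept(listen_fd, (struct sockaddr *)&peer, &len);
        if (fd < 0) {
            if (accept_error_is_transient(errno))
                continue;   /* that connection went away: try again, no sleep */
            fprintf(stderr, "accept: %s\n", strerror(errno));
            return -1;
        }
        handle(fd);
        close(fd);
        handled++;
    }
    return handled;
}

/* Stand-alone demo: listen on 127.0.0.1 on a kernel-chosen port, serve one
 * connection with a fixed greeting (constructed for this example), exit. */
static void greet(int fd)
{
    static const char banner[] = "220 example ESMTP (demo, not sendmail)\r\n";
    if (write(fd, banner, sizeof banner - 1) < 0)
        perror("write");
}

int main(void)
{
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;
    socklen_t len = sizeof addr;
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&addr, len) < 0 ||
        listen(lfd, 16) < 0 ||
        getsockname(lfd, (struct sockaddr *)&addr, &len) < 0) {
        perror("listen");
        return 1;
    }
    printf("listening on 127.0.0.1:%u\n", (unsigned)ntohs(addr.sin_port));
    return serve(lfd, 1, greet) == 1 ? 0 : 1;
}
```

On a non-blocking listener EAGAIN means "nothing queued yet", so a real daemon
would go back to select() or poll() there instead of spinning on accept(); the
point that matters for the page is that none of these codes warrant a sleep.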
irix autofsd exploit explained
The autofsd problem reported last week on IRIX is apparently caused
by executable maps. If a client makes an autofs request to a map
which is an executable file, autofsd will attempt to execute that file,
appending the client's key. Unfortunately it uses popen() to do this,
which executes a shell. A client can make an autofs request which
contains a semicolon (;) followed by a command to execute.
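The vulnerable pattern beside its fix, as an added example in C (not IRIX's
autofsd code, and not from the original digest): the "before" pastes the key into
a command line for popen(), so /bin/sh parses the key; the "after" runs the map
program directly with fork()/execv() and passes the key as one argv element, so no
shell ever sees it. The character set accepted by key_is_wellformed() and the use
of /bin/echo as a stand-in for an executable map are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* BEFORE: the pattern the page attributes to autofsd.  The key is pasted into
 * a command line and handed to popen(), i.e. to "/bin/sh -c", so a key like
 * "host; cmd" runs cmd.  Kept here only for contrast. */
FILE *run_map_via_shell(const char *map, const char *key)
{
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "%s %s", map, key);
    return popen(cmd, "r");
}

/* Defence in depth: autofs keys are path components or host names, so reject
 * anything outside a conservative character set before it reaches the map.
 * The exact set is an assumption of this example, not something the page states. */
int key_is_wellformed(const char *key)
{
    if (key == NULL || *key == '\0' || strlen(key) > 255)
        return 0;
    for (const unsigned char *p = (const unsigned char *)key; *p; p++)
        if (!isalnum(*p) && *p != '-' && *p != '_' && *p != '.')
            return 0;
    return 1;
}

/* AFTER: run the map program directly with the key as a single argv entry.
 * No shell sees the key, so ';' (or `, |, $, ...) is just a byte in argv[1].
 * Captures up to outlen-1 bytes of the map's stdout into out (NUL-terminated).
 * Returns bytes captured, or -1 if the map cannot be run or exits non-zero
 * (which includes the case where its output exceeds the buffer). */
ssize_t run_map_exec(const char *map, const char *key, char *out, size_t outlen)
{
    int pfd[2];
    if (outlen == 0 || pipe(pfd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(pfd[0]); close(pfd[1]);
        return -1;
    }
    if (pid == 0) {                           /* child */
        close(pfd[0]);
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[1]);
        char *argv[] = { (char *)map, (char *)key, NULL };
        execv(map, argv);                     /* only returns on failure */
        _exit(127);
    }
    close(pfd[1]);                            /* parent */
    size_t n = 0;
    while (n < outlen - 1) {
        ssize_t r = read(pfd[0], out + n, outlen - 1 - n);
        if (r <= 0) break;
        n += (size_t)r;
    }
    close(pfd[0]);
    out[n] = '\0';
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return (ssize_t)n;
}

int main(void)
{
    /* Demo with /bin/echo standing in for an executable map: the text after
     * the semicolon comes back as literal output instead of being executed. */
    char out[256];
    const char *key = "host; echo injected";    /* constructed sample key */
    printf("well-formed key? %d\n", key_is_wellformed(key));
    if (run_map_exec("/bin/echo", key, out, sizeof out) >= 0)
        printf("map output: %s", out);
    return 0;
}
```

Validation alone is not the fix (a key validator can be wrong about what the
map accepts), and execv alone leaves odd keys reaching the map; doing both is
the usual arrangement.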
hpux sharedx goes south
"Certain messages" sent to HPUX's SharedX port can cause it to enter
an infinite CPU spin. HPUX released patches without giving any further
information.
password protection on mac disks can be avoided
There's a utility for the Mac called FWB Hard Disk Toolkit 2.5.
It's a disk driver that you can install which will let you password-protect
volumes on the disk. Most Mac formatting utilities will let you replace
the FWB disk driver, but they will generally also corrupt the data on the
drive. If you replace the FWB driver with La Cie Silverlining, though,
the drive can be read and the password is no longer needed to access it.
This is kind of obscure and maybe not very important, but I wanted to give
equal time to Mac people...
two new nestea victims
USR Netserver 8/16 V.34 running OS 2.0.14 can be knocked down by the
"nestea" IP attack, and has to be restarted. FreeBSD 3.0-release
was also vulnerable for a while, although they fixed the problem rapidly
(again). I can't figure out FreeBSD's naming scheme, so I'm not sure
what to tell anyone who wants to upgrade to a "safe" version. Apparently
both the broken and fixed releases are just called "FreeBSD 3.0-release".
browser bugs