UNIX system vulnerabilities and Preventive Measures

Source: Internet
Author: User

7.4 UNIX (telnet, ftp, finger, SSH, etc.) system vulnerabilities and preventive measures

1. A buffer overflow vulnerability exists in telnetd of multiple Unix systems

Vulnerability description:

The telnetd derived from the BSD telnet daemon has a boundary check error: the function that processes telnet protocol options performs no valid boundary check, so when certain options are used a buffer in the BSS area can overflow. The attack is limited because the characters an attacker can control are restricted and the overflow lands in BSS, but the discoverer reports that it is feasible on at least some systems (FreeBSD/BSDI/NetBSD).

Preventive measures:

Disable telnet and use ssh or OpenSSH instead. Alternatively, install the vendor's patch; FreeBSD has already released one.

2. Taylor UUCP parameter processing error vulnerability in multiple Unix systems

Vulnerability description:

Some components of the Taylor UUCP package have a security vulnerability when processing command line parameters, which may allow local attackers to obtain the permissions of the uucp user or group. The affected programs are uux, uuxqt, and uucp. For OpenBSD 2.8, attackers can overwrite the crontab script (/usr // daily) that runs this program regularly.

For RedHat 7.0, attackers can create arbitrary empty files or specify commands to be executed during console logon.

Other systems may also be affected by this problem.

Test procedure:

Zen-parse (zen-parse@gmx.net) provides the following test code:

(1) Create a configuration file (/tmp/config.uucp) that executes any command, and copy it to any directory writable by the uucp uid/gid;

(2) Create a command file containing the command you want to execute (/tmp/commands.uucp);

(3) Perform the following operations:

THISHOST=`uuname -l`
WHEREYOUWANTIT=/var/spool/uucp/${THISHOST}/X./X.${THISHOST}X1337
uux 'uucp --config=/tmp/config.uucp /tmp/commands.uucp' ${WHEREYOUWANTIT}

3. UnixWare core dump symbolic link vulnerability

Affected Systems: UnixWare 7.1.

Vulnerability description:

Users can use core dump data to overwrite system files and may obtain root permissions. UnixWare allows sgid executables to dump core (suid executables are not allowed to). By "calculating" the pid that the sgid executable will have when it is called, one can create a symbolic link from "./core.pid" to a file writable by that group. If a way can be found to reach "./.rhosts" or "/etc/hosts.equiv", root permissions follow.

Preventive measures:

Install the vendor's patch.

4. UnixWare rtpm Security Vulnerability

Affected Systems: UnixWare 7.1.

Vulnerability description:

UnixWare differs from Linux, BSD, Solaris, and other systems in how it manages the password database. In addition to the usual /etc/passwd and /etc/shadow files, UnixWare also keeps copies of them in /etc/security/ia/master and /etc/security/ia/omaster. These two binary files store the data in a format different from /etc/passwd and /etc/shadow, and UnixWare provides C functions to access it. Some authentication programs on UnixWare, such as the i2odialog daemon, use these files instead of /etc/shadow.

Once an exploitable sgid sys program is found, the entire system can be fully controlled. /usr/sbin/rtpm is such a program: it has a buffer overflow that yields sys group permissions. Attackers can exploit it to read an encrypted password from /etc/security/ia/master or to insert a shell into /etc/security/tcb/privs. Obtaining root permissions from there is not difficult.

Preventive measures:

Install the vendor's patch, which can be downloaded from the vendor's home page.

5. Potential security vulnerability in mtr on UNIX systems

Vulnerability description:

The "mtr" program (versions earlier than 0.42), developed by Matt Kimball and Roger Wolff, has a potential security problem on UNIX systems other than HP-UX. The author's intention was to call seteuid(getuid()) to prevent unauthorized use of mtr, or of the libraries it links, from obtaining root privileges. However, because the effective uid can be reset to 0 with setuid(0), an attacker who exploits a buffer overflow in a library called by mtr can still obtain root privileges. In the patched version, seteuid() is replaced with setuid(), which removes this potential vulnerability. Most Linux distributions ship version 0.28 of mtr, which also has this vulnerability; check with your distribution vendor.

Preventive measures:

Upgrade to mtr-0.42 or later. A temporary workaround is to remove the setuid bit from mtr. This vulnerability is fixed in TurboLinux 6.0.2 and later.
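The seteuid()/setuid() distinction behind the mtr fix, as an added C example that is not code from mtr or its authors (function names are the example's own): a temporary drop with seteuid(getuid()) leaves the saved set-user-ID at 0, so the process can switch back to root, while a permanent drop with setuid() performed while the effective uid is still 0 clears all three uids.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Temporary drop, what mtr before 0.42 did: seteuid() changes only the
 * effective uid. The saved set-user-ID stays 0, so a later seteuid(0) or
 * setuid(0), e.g. from an overflowed library routine, succeeds. */
int drop_privs_temporarily(void)
{
    return seteuid(getuid());
}

/* Returns 1 if the process can still switch its effective uid back to
 * root (privileges were not dropped permanently), 0 otherwise. */
int can_regain_root(void)
{
    if (geteuid() == 0)
        return 1;
    if (seteuid(0) == 0) {
        int rc = seteuid(getuid()); /* step back down before returning */
        (void)rc;
        return 1;
    }
    return 0;
}

/* Permanent drop, the mtr-0.42 fix: setuid() called while the effective uid
 * is 0 sets real, effective and saved uids to the real uid. After a temporary
 * drop the process is unprivileged and setuid() would only touch the effective
 * uid, so effective root is restored first (harmless failure if never root). */
int drop_privs_permanently(void)
{
    if (geteuid() != 0) {
        int rc = seteuid(0);
        (void)rc;
    }
    return setuid(getuid());
}

int main(void)
{
    printf("uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    if (drop_privs_temporarily() != 0) perror("seteuid");
    printf("after seteuid(getuid()): can regain root? %d\n", can_regain_root());
    if (drop_privs_permanently() != 0) perror("setuid");
    printf("after setuid(getuid()):  can regain root? %d\n", can_regain_root());
    return 0;
}
```

Installed setuid-root and run by an ordinary user, the first check reports 1 and the second 0; run without the setuid bit, both report 0 because the process never held root to begin with.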

6. UnixWare majordomo Security Vulnerability

Vulnerability description:

The default majordomo package included in UnixWare 7.1 has a security vulnerability that allows local users to gain additional permissions. The tested version is majordomo 1.94.4. The majordomo wrapper lets users run programs in the /usr/local/majordomo directory with the "owner" uid and "daemon" gid. The wrapper's attributes are set as follows:

-rwsr-xr-x 1 root daemon 6464 Jan 4 1999 /usr/local/majordomo/wrapper

Before executing the requested program, wrapper first calls setuid() to "owner" and setgid() to "daemon".

/usr/local/majordomo/resend is a Perl program that does not correctly check its input parameters, which can cause security problems. The problematic code is as follows:

-snip-
# If the first argument is "@filename", read the real arguments
# from "filename", and shove them onto the ARGV for later processing
# by &Getopts()
#
if ($ARGV[0] =~ /^\@/) {
    $fn = shift(@ARGV);
    $fn =~ s/^@//;
    open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");
-snip-

If the first parameter starts with "@", resend tries to open the file name we supply using open(). Because this is a two-argument open(), a parameter such as "@|id" is passed to open() as "|id", which Perl treats as a pipe to a command rather than a file name. Since resend actually runs as owner:daemon, the permissions of the "owner" user and "daemon" group can be obtained this way.

Preventive measures:

The vendor has released security patches, which can be downloaded from the vendor's page.
