Security is an ongoing process, not an end. An application that is deemed secure today may later prove to be vulnerable. For this reason, you should always keep up on recent security advisories and install recent updates. (The Glossary provides many resources to do just that.)
Some folks advise against installing the latest updates, arguing that newer software is bound to contain bugs unknown and undiscovered. To some extent, that's true. However, updates also solve older, better-known holes. This trade-off is definitely worth it. (In software that has no well-known holes, hackers and crackers must work to find an in; in software that has not been updated, attackers already have an in.)
The following index lists several important (and well-known) Linux security vulnerabilities that I failed to mention elsewhere in this book. This information will help if you're installing an older distribution.
Not everyone purchases the very latest Linux distribution. Many first-time users don't see the need to get the latest and greatest. Instead, they often buy Linux books (and CD-ROMs) from their local bookstore's remaindering section for 8 or 10 bucks (and why not; they can't lose). However, many of these CD-ROMs offer older Linux versions and therefore harbor old holes. Not all old Linux holes are listed here, but many important ones are.
Table B.1. Well-Known Linux Weaknesses
Program | Details |
---|---|
/dev | In Red Hat 4-5.0, various devices in /dev have liberal permissions, allowing ordinary users to read floppy diskettes or other removable media. Solution: Check permissions in /dev and change accordingly. |
/usr/bin/convfont | convfont is a utility that converts binary font formats to codepage format (and is part of svgalib). On some systems, /usr/bin/convfont is SUID root. This can lead to a root shell. Get the exploit at http://www.psychicfriends.net/~cyber/linux/convfontExploit.sh. |
admin v.1.2 | admin (Administrative Menu v.1.2) is an older Linux administration package that uses a dialog-based front end. It offers account and printer management. The program creates temp files in /tmp that attackers can link to sensitive system files. Solution: Delete admin. The details are at http://www.geek-girl.com/bugtraq/1997_3/0073.html. |
amd | amd is an administrative tool that offers automatic mounting of file systems. In Red Hat 4.1, vulnerabilities in amd grant attackers unauthorized access to devices in /dev. Solution: Upgrade. Details are at http://www.sdsc.edu/Security/bugtraq/msg00018.html. |
autofs | autofs is a kernel-based automounter for Linux. In Linux 2.0.36 (and some later releases), autofs is vulnerable to a buffer overflow. Solution: Upgrade. Details and exploit sources are at http://linuxtoday.com/stories/3250_flat.html. |
bash | bash is the Bourne-again shell, the default shell on most Linux distributions. bash-1.14.7 is vulnerable to a buffer overflow. Solution: Upgrade. |
bdash | bdash is a BoulderDash game clone. If you have it, it's in /usr/games/. The program is vulnerable to a buffer overflow. Solution: Delete it. Details and exploit sources are at http://www.k-elektronik.org/arsip/eksploit/linux/bdexp.c. |
bnc | bnc is an Internet Relay Chat proxy application that supports multiple users and virtual hosts. bnc (2.2.4 and earlier) is vulnerable to several buffer overflows. Solution: Upgrade. Details and exploit sources are at http://www.safenetworks.com/Linux/bnc.html. |
bru | The Backup and Recovery Utility (bru) from Enhanced Software Technologies installs its directory read, write, execute for everyone. Solution: chmod /usr/local/lib/bru to 1777. Details are at http://security.darkface.pp.se/mail/msg00647.html. |
cfengine | cfengine is a network administration tool common to Debian. Early versions were open to attack via temp files. Solution: Get 1.4.9-3 or later. |
color_xterm | color_xterm in SlackWare (3.1 and possibly 3.2) is SUID root and vulnerable to a buffer overflow. Solution: Remove the SUID bit. Details and exploit sources are at http://www.sekurity-net.com/newscripts/colorxterm.c. |
Communicator | Netscape Communicator is a popular Web browser. Version 4.07 is vulnerable to an odd but threatening attack. Remote servers can combine MIME directives with CGI scripts to execute arbitrary commands on the client side. Contact Netscape for a patch or go here for details: http://www.shout.net/~nothing/buffer-overflow-1/index.html. |
Configure | Configure (/usr/src/linux/scripts/Configure) is a kernel configuration tool. This script harbors a race condition. Details and exploit sources are at http://security.darkface.pp.se/mail/msg01070.html. |
crond | crond is a background daemon that periodically scans for crontab files and executes commands stored in them. In SlackWare 3.4, crond is vulnerable to an attack that results in an SUID root shell. Solution: Upgrade. Further details and the exploit are at http://www.jabukie.com/Unix_Sourcez/dilloncrond.c.html. |
cxterm | cxterm is a terminal emulator for handling Chinese, Japanese, and Korean characters. cxterm (SlackWare 3.1, 3.2) is SUID root (and needs to be), but is vulnerable to a buffer overflow that, when exploited, results in an SUID root shell. Solution: Upgrade. The exploit is at http://www.geek-girl.com/bugtraq/1997_2/0245.html. |
deliver | deliver is a tool that distributes remote mail to local recipients. In version 2.0.12 (and earlier), deliver is vulnerable to a buffer overflow (in both Debian and SlackWare). This is significant because deliver is SUID root. Solution: Upgrade. |
dhcpd | dhcpd is the Dynamic Host Configuration Protocol daemon. DHCP provides and automates address pool functionality, where the system automatically assigns new sessions dynamic network addresses as needed. dhcpd (the first release of versions 1.0 and 2.0) is vulnerable to denial-of-service. Solution: Upgrade. |
dip 3.3.7i | On SlackWare 2.1.0, dip (a utility for managing ppp sessions) was setuid and world-executable. Also, dip 3.3.7o on SlackWare 3.4 is SUID root and vulnerable. Solution: Upgrade. The exploit is at http://safenetworks.com/Linux/dip4.html. Early dip releases are vulnerable to a buffer overflow. The solution is to upgrade. To test if your version is vulnerable, get exploit code at http://geek-girl.com/bugtraq/1996_3/0035.html. |
doom | doom is Linux's version of the popular shoot-em-up game from ID software. Individual users have their own configuration file (.doomrc) and can specify within it a preferred sound server. The sound server specified executes as root (and users can therefore get a root shell). Solution: Unknown. Exploit source is at http://arctik.com/hack/sploits/Linux/doomsndserver.txt. |
dosemu | dosemu is a DOS emulator that allows Linux to run a DOS operating system in a virtual x86 machine. This allows you to run several hundred DOS applications on Linux. On early Debian systems, in the dosemu package (0.64.0.2-9), /usr/sbin/dos is SUID root. Solution: Check and correct the permissions. |
dump | dump is a file system backup utility. dump (in Red Hat 2.1) is SUID root. Solution: Unset SUID. The exploit is at http://samarac.hfactorx.org/Exploits/dumpExploit.txt. |
dwww | dwww is a tool (Debian) that lets you view Linux documentation using a local WWW client and server. (The dwww home site is at http://dwww.jimpick.com/.) Attackers can gain leveraged access using metacharacters in their submission strings. Solution: Upgrade to version 1.4.3-1. |
elm (version 2.4) | ELM (a popular Linux email client) has a vulnerability that allows attackers to either overwrite user files or steal users' email. Solution: Upgrade (2.5). Versions 2.4, 2.3, and perhaps earlier, have a buffer overflow vulnerability. Exploit code is at http://security.darkface.pp.se/mail/msg00192.html. |
faxsurvey.cgi | HylaFax is an advanced telecommunication suite for handling faxes and automated paging. On S.u.S.E. Linux, the HylaFax distribution comes with a CGI script (faxsurvey.cgi) that allows remote users to execute commands with the Web server's UID. Note that this hole has now been integrated into many popular scanners including Nessus. Solution: Delete faxsurvey.cgi. |
filerunner | filerunner is a graphical FTP tool for X (common to Debian) based partially on Tk. It works much like WS_FTP, offering split-screen local/remote file lists, multiple tagging, and automated file transfers. (The filerunner home is at http://www.cd.chalmers.se/~hch/filerunner.html.) Early filerunner distributions store temp files insecurely. Solution: Upgrade. |
fsp | fsp (File Service Protocol) is an alternative to FTP (available in Debian) that has security features not present in FTP (including guards against server overload and some authentication). fsp packages earlier than 2.71-10 create a default fsp user without notifying you. Solution: Delete the fsp user or, better yet, upgrade. |
fte | fte (available on Debian) is a flexible text editor that offers many interesting programming features including syntax highlighting for many languages (C/C++/HTML and the like). Early fte releases run as root and therefore allow local users to execute and read restricted files. Solution: Upgrade. (Versions prior to 0.46b-4.1 are affected.) |
ftpwatch | ftpwatch (a tool to watch remote FTP sites, available on Debian) has serious and undisclosed security flaws. Solution: Remove it until the developers issue an update. For more information, contact the folks at [email protected]. |
FWTK | The popular (and free) Firewall Toolkit (FWTK) creates easily predictable random numbers using process ID and time values. Local attackers can therefore conceivably predict such numbers and by doing so, circumvent FWTK's authentication scheme. Learn more at http://www.msg.net/utility/FWTK/challenge.html. |
getpwnam() + libc | The getpwnam() function searches the user database (passwd) for a name. In Linux 2.0, this offers attackers a means of getting root. Solution: Upgrade or go to http://temp.redhat.com/linux-info/security/linux-alert/1996-May/0002.html for details, exploit source, and a quick-fix patch. |
GhostScript | GhostScript is a free PostScript interpreter for Linux. (PostScript is a language developed by Adobe Systems that describes page layout and appearance to printers, among other things.) Because GhostScript depends on interpreted, humanly viewable, and humanly alterable code, GhostScript documents can contain commands and directives (including those unrelated to the document's production). GhostScript versions 1.4 and earlier have an obscure vulnerability. Malicious users can nest shell code in documents, and the shell currently being used by GhostScript will execute that code. The chances of someone actually executing such an attack are slim, but I wouldn't risk it. Solution: Upgrade. To learn more about GhostScript, go to http://www.cs.wisc.edu/~ghost/gnu/index.html. |
gnuplot | gnuplot is a free, interactive plotting program. Some Linux distributions (SuSE 5.2, for example) ship with gnuplot SUID root. This is a typical instance in which a program is SUID root for no reason. The solution: chmod -s /usr/bin/gnuplot. Find the exploit at http://safenetworks.com/Linux/gnuplot.html. |
httpd | httpd is your Web server. Apache 1.1.3 (the default) creates temp files that attackers can link to restricted files. Solution: Create a new temp directory with proper permissions (see httpd.conf and the pointer to apache_status). |
httpd | On Debian Linux 2.1, the Apache Web server installs with a configuration (in srm.conf) that aliases /doc/ to /usr/doc, allowing remote attackers to view /usr/doc. Solution: Comment out the offending line. |
Ideafix | Ideafix is a development toolkit. Within it, the wm program has a vulnerability that leads to an SUID root shell. Learn more at http://www.njh.com/latest/9710/971019-04.html. |
imapd | On SlackWare 3.2, Red Hat 4.0, and some earlier releases, attackers can exploit imapd to overwrite the root password, replacing it with whitespace. Solution: Upgrade. Exploit source is at http://www.njh.com/latest/9706/970624-07.html. Later versions (in Red Hat 4.1-5.0 and Caldera OpenLinux 1.2+) are vulnerable to overflow, so ensure that you upgrade to the latest release. |
inn | inn (Internet News system, earlier than version 1.6) is vulnerable to remote attack. Solution: Upgrade. Exploit code for testing is at http://www.ecst.csuchico.edu/~jtmurphy/exploits/0229.txt. |
ip_glue() | Linux is vulnerable to several IP fragmentation attacks. Attackers can send custom datagrams that will either eat your available memory resources or reboot your machine. Learn more at http://security.darkface.pp.se/mail/msg00673.html. |
ipfilter | ipfilter is a popular packet filter. To learn more about ipfilter, go to http://cheops.anu.edu.au/~avalon/ipfilter. Version 3.2.10 reportedly saves output files insecurely. Learn more at http://geek-girl.com/bugtraq/1999_2/0151.html. |
ircd | ircd (the Internet Relay Chat server) in Debian 1.3.1 runs as root and is world-readable. Solution: Run ircd under another UID and change the permissions. |
KDE Screensaver | The K Desktop Environment (KDE) is a free desktop environment for Linux. (It comes with all the trimmings, including file management, a notepad, a calculator, and so forth, and is at least as functional as the commercial Common Desktop Environment.) KDE 1.0 screensavers on Caldera OpenLinux ran SUID root. Learn more at http://www.calderasystems.com/news/security/SA-1998.37.txt or see Caldera Security Advisory SA-1998.37. |
killmouse | killmouse (from Doom) runs several SUID scripts. Solution: Remove SUID (see startmouse). |
klogd | klogd (from the sysklogd-1.3 package) in Red Hat 5 and SlackWare 3 is vulnerable to a buffer overflow. Solution: Unknown; visit your vendor. Exploit test code is at http://hackersclub.com/km/files/c_scripts/klogd.txt. |
kppp | kppp ships with the K Desktop. (It's a utility for setting up Dial-Up Networking in KDE). It is vulnerable to an overflow and runs SUID root. Solution: Don't run it SUID root. The exploit is at http://www.student.fsu.umd.edu/~damoulan/hack/sploits/kppp_overflow.html. |
ld.so | ld.so is the a.out dynamic link loader (used with dynamically linked executables). You may have loaded ld.so. It provides backward compatibility for many older Linux applications. (If you're developing, you might conceivably use this if your target environment was legacy Linux). ld.so has buffer overflow issues. Solution: Install the patch. Learn more at http://www.geek-girl.com/bugtraq/1997_3/0120.html. |
libXt | Programs created with X11R6 shared libraries in XFree86 before version 3.3 can be vulnerable to buffer overflows that on SUID and SGID files can lead to root. Solution: Upgrade. |
lilo | LILO (the Linux Loader) allows on-site attackers to gain root by passing the right parameters (init=/bin/sh). Solution: Add LILO boot password protection (see Chapter 3, "Installation Issues") and the RESTRICTED option to /etc/lilo.conf. |
LinCity | LinCity is an SVGALIB (Linux only) and X-based city/country simulation game for Linux and other UNIX platforms. It works much like Sim City: You design and build a city. Early versions are vulnerable to a buffer overflow. Solution: Upgrade. Learn more about LinCity at http://www.floot.demon.co.uk/lincity.html. |
linuxconf | linuxconf (in Red Hat 5.1) is SUID root. Solution: Remove the SUID permission (chmod -s /bin/linuxconf). |
login | login in Red Hat 4.0 is vulnerable to a buffer overflow that can lead to unauthorized root access. Solution: Get the util-linux-2.5-29.i386.rpm update from Red Hat. |
login | On SlackWare 3.2-3.5, if /etc/group does not exist, all users are granted root privileges on login. Solution: Upgrade or apply the patch from http://geek-girl.com/bugtraq/1998_3/0123.html. |
login (with shadowing) | A strange bug, reportedly confined to SlackWare 3.2-3.5. If /etc/group doesn't exist when users log in, users are logged in with root UID and GID. Learn more at http://geek-girl.com/bugtraq/1998_3/0123.html. |
lpc | This buffer overflow is limited to a rare distribution of lpc (4.0.3 on S.u.S.E 5.2 only). The exploit leads to root access. Solution: Upgrade. Exploit source is at http://www.hideaway.net/sploits/011.txt. |
lpd | Some early versions of the Linux line printer daemon (lpd ) allow local attackers to delete restricted files at will. Solution: Upgrade. Exploit source is at http://www.jabukie.com/Unix_Sourcez/lpd-rm.c.html. |
lpr (multiple problems) | The Linux offline printing utility (lpr) in Linux 2.0.20 is vulnerable to a stack overflow. The result is that attackers can execute commands with lpr's UID. Solution: Upgrade. Exploit code for testing is at http://www.netcraft.co.uk/security/lists/lpr.txt. Other early lpr versions are vulnerable to linking that leads to similar results; users can remove restricted files. Solution: Upgrade. Exploit test code is at http://hackers.pulhas.org/exploits/SunOS/lpr1.html. Finally, some versions of lpr are vulnerable to yet another stack overflow. To test yours, get exploit code at http://www.the-collective.net/~locutus/security/linux/linux-lpr_exploit. |
lprm | lprm is a tool for removing jobs from the line printer spool. In Red Hat 4.2 and 5.0, lprm fails to perform adequate bounds checking. The result is that attackers can gain root access. Solution: Upgrade. Exploit test code is at http://free.prohosting.com/~vladimir/unix/linux-exploits/lprm.c. |
lynx | lynx is a text-based Web client (useful on machines with meager memory and graphics resources). Versions 2.7.1 and earlier store temp files insecurely, allowing local attackers to create or overwrite files. Solution: Upgrade. To learn more about Lynx (and obtain updates), go to http://lynx.browser.org/. |
mailx | mailx 5.5 creates temp files that ordinary users can read and write. Solution: Upgrade. Exploit test code is at http://www.martnet.com/~johnny/exploits/linux/mailx-exploit. In Red Hat 4.2 and 5.0, mailx has a race condition and mailx-8.1.1 across the board has a buffer overflow problem. Solution: Upgrade. |
makewhatis | Relevant to Red Hat 3 and 4. The makewhatis script (triggered by crontab) builds a copy each week of the whatis database in /tmp. This file can be used to overwrite others. Solution: Delete makewhatis.cron from the weekly cron list. Details and exploit sources are at http://security.darkface.pp.se/mail/msg00062.html. |
man | The manual page system (Linux's basic help system) includes the man command which, when invoked, searches for and displays manual pages. On some man distributions, there are various vulnerabilities (mostly stemming from bad permissions). To be safe, you should upgrade if you're running man_db-2.3.10-2 or earlier. |
mc | mc is Midnight Commander, a DOS-style file manager for Linux. Some early mc versions allow attackers to nest commands in long compressed filenames. These filenames appear normal in mc and mc attempts to uncompress them. The result is that the hidden commands are executed. Recent versions do not have this problem. You should upgrade to the latest distribution. |
mediatool | mediatool is a K Desktop library. During normal operation (Caldera), mediatool creates temp files that attackers can use to gain leveraged access. Solution: Upgrade to kdelibs-1.1-2. |
metamail | metamail determines which programs to use when displaying non-text mail. (This information is derived from mailcap). Version 2.7-5 (and potentially earlier versions) can grant attackers the ability to arbitrarily create files in other users' directories. Root is not vulnerable. Solution: Upgrade. |
mgetty+sendfax | In Red Hat, Gert Doering's Fax-enabled getty replacement provides fax services for Class 2 or 2.0 modems. The package relies on several scripts that can give attackers root access. Solution: Upgrade. Learn more at http://www.leo.org/~doering/mgetty/. |
MILO | Relevant if you have a DEC Alpha. MILO is a boot manager for Linux. In Red Hat 5, MILO is vulnerable to a denial-of-service/reboot attack. Local users (without special privileges) can reboot the machine. Solution: Go to ftp://genie.ucd.ie/pub/alpha/milo/milo-latest to obtain the patch. To learn more about the hole, go to http://mail-index.netbsd.org/port-alpha/1999/02/06/0002.html. |
minicom | minicom is a DOS-style, Linux terminal communication package (that works much like Qmodem, MTEZ, and terminal.exe). Version 1.80.1 (SlackWare) has an overflow. Solution: Upgrade. |
mount | mount is a utility for mounting file systems and is part of the Linux Utilities package. In util-linux 2.5, mount is vulnerable to an overflow attack and local users can use this to gain leveraged access (and perhaps root privileges). Exploit test code is at http://www.njh.com/latest/9610/961030-02.html. |
mountd | The NFS mount daemon that handles remote requests for mounting file systems (mountd) is vulnerable to remote attack and can give attackers root access. Solution: Upgrade. Exploit code is at http://www.ryanspc.com/exploits/ADMmountd.c. |
msgchk | msgchk is a mail notification tool. It checks mail drops for new mail. In Red Hat 2.1, msgchk is installed SUID root. This can lead to root compromise. Also, other versions are vulnerable to a stack-smashing attack. Solution: Remove root privileges in both cases. Exploit test code is at http://arctik.com/hack/sploits/Linux/linux-mh.txt and http://www.spyjurenet.com/hack/msgchk_exploit.c.html. |
ncftp | ncftp is a popular Linux FTP client. Versions 2.0.0-2.4.2 are vulnerable to an attack from remote FTP servers. Remote servers can write to your local drive (for example, your .rhosts file). Solution: Upgrade. Strange exploit. The source is at http://www2.merton.ox.ac.uk/~security/rootshell/0016.html. To learn more about ncftp, go to http://www.ncftpd.com/ncftp/. |
netconfig | netconfig is a SlackWare script for configuring your network. netconfig on SlackWare 3.4 creates temp files that attackers can use to arbitrarily overwrite files. Solution: Upgrade or avoid using netconfig. |
netstd | netstd on Debian (before version 3.07-2hamm.4) has two buffer overflow problems that can give remote attackers leveraged access. Solution: Upgrade to version 3.07-2hamm.4. |
PAM | Linux Pluggable Authentication Modules (PAM) allow you to control how applications authenticate users. PAMs provide exceptional flexibility; if you don't like one authentication method, you can easily and quickly incorporate another. Unfortunately, the PAM package (prior to version 0.64-2) has a flawed passwd module. Solution: Upgrade. Learn more at http://www.sekurity-net.com/newfiles/pam_unix_passwd.so.txt. Also, Linux-PAM-0.57 has an obscure bug that affects rlogin authentication. Learn more at http://www.geek-girl.com/bugtraq/1997_4/0000.html. Learn more general information about PAM at http://www.us.kernel.org/pub/linux/libs/pam/. |
pine | pine is a popular Linux mail client. In versions 3.91 and earlier, pine creates temp files that attackers use to overwrite files. Solution: Upgrade. Sample exploit code is at http://users.succeed.net/~kill9/hack/software/pine/pine.html. |
ping | ping is a network diagnostic utility that verifies a remote host's existence by eliciting an ICMP response. Early Linux distributions are vulnerable to a ping-initiated denial-of-service attack. Attackers can use this method to remotely reboot your machine. (They can be running any old operating system on the attacking end, including Windows 95. This attack does not require programming or extensive networking experience. Basically, this is it: ping -l 65510 linuxbox.net). Solution: Upgrade. Learn more at http://www.njh.com/latest/9610/961019-03.html. |
pkgtool | pkgtool is a popular software package maintenance tool for Linux. In SlackWare 3.0 and earlier, the program creates temp files that attackers use to overwrite files. Solution: Set root-only permissions on pkgtool (whereas they're normally read and write for everyone). |
pppd | pppd is the Point-to-Point protocol daemon, useful for managing either incoming or outgoing PPP connections. Early versions (2.2) install with /var/log/ppp.log world-readable. This can potentially expose network passwords. Solution: Upgrade. |
premail | premail (earlier than 0.45-4) on Debian writes temp files insecurely. Solution: Upgrade. Learn more at http://debian.crosslink.net/security/premail.html. |
procmail | procmail is an autonomous mail processor. Versions prior to 3.12 are vulnerable to an overflow (that can potentially result in root access). Solution: Upgrade. |
rcp | User Nobody can be used to exploit a hole in rcp that gives remote attackers root. (Are you running NCSA httpd?) Solution: Change Nobody's UID. Learn more at http://www.geek-girl.com/bugtraq/1997_1/0113.html. |
rdist | rdist is a file-distribution tool that allows you to maintain the same files across multiple hosts. Some rdist versions are installed setuid root and are vulnerable to a buffer overflow. Solution: Check your rdist. If it is setuid root, change the permissions. Also, you should upgrade to the latest version (if you haven't already). Learn more at http://www.cert.org/advisories/CA-97.23.rdist.html. |
resizecons | resizecons is a program for changing the console video mode (by columns and rows). In Red Hat 2.1, resizecons is setuid root and vulnerable to an attack that leads to a root shell. Solution: Strip setuid from resizecons. Exploit test code is at http://www.ecst.csuchico.edu/~jtmurphy/exploits/resizeConsExploit.txt. |
rexecd | rexecd is the Linux remote execution server and provides remote execution facilities with authentication based on usernames and passwords. rexecd has authentication issues that can offer remote attackers root access. Solution: Upgrade. This is an older bug. To test a machine on your network, get exploit test sources at http://www.k-elektronik.org/arsip/eksploit/bsd/bsd_rexecd_src.txt. |
rlogin | rlogin is a remote login program (similar to Telnet) for Linux that supports Kerberos authentication. On SlackWare 3.1 and Red Hat 2.0-2.1, rlogin is vulnerable to a remote environment variable-passing attack. Solution: Upgrade. In Red Hat 2.1 and 2.0 (and SlackWare 3.1), rlogin is vulnerable to a very primitive but effective attack. To test your system, try rlogin target.system.com -l -froot. If that logs you in, you need an upgrade. |
RealServer | RealServer 6.0 stores its admin password in plain text in /usr/local/rmserver/rmserver.cfg and the file is world-readable. Solution: Remove read permissions for others. Learn more about RealServer at http://www.real.com. |
rpm | Red Hat Package Manager (rpm) is a tool for manipulating and installing packages (*.rpm files). In Red Hat 4.2, rpm creates temp files that attackers can link and thereby overwrite files. (This is an extremely unlikely attack.) Also, in some versions pre-2.4.11, rpm executes the -setperms and -setuid functions incorrectly, potentially leading to world-readable, writable, executable files. Solution: Upgrade. |
rwhod | rwhod is the system status server that responds to rwho queries. (rwho works much like who, except over the LAN, and returns information on who is currently logged in.) Early versions of rwhod on SlackWare were vulnerable to denial-of-service attacks. Solution: Upgrade. Test your rwhod with code from this site: http://hackers.pulhas.org/exploits/BSD/rwhod.html. |
rxvt | rxvt is a vt100 emulator for X (and a little quicker than xterm because it uses less memory). In some Linux distributions, rxvt is setuid root. Solution: Remove setuid root. Exploit test code is at http://www.dataguard.no/bugtraq/1996_1/0000.html. |
Samba | Samba is the Server Message Block protocol server for networking Linux boxes with Windows systems. (Samba allows Linux boxes to masquerade as NT/LanManager servers on Windows-based LANs). In Red Hat 4.2, 5.0, and 5.1, the Samba server has serious (and in some cases, undisclosed) security issues. Solution: Visit Red Hat for a patch. Note: smbmount in smbfs-2.0.1 has a buffer overflow. If smbmount is installed SUID root, this can lead to serious consequences. Solution: Upgrade. Exploit test code is at http://www.njh.com/latest/9706/970627-01.html. To learn more about Samba in general, go to http://www.samba.org/. |
sendmail | sendmail is a popular mail transport system with a long history of security problems. sendmail packages sendmail-8.8.7-4.i386.rpm and earlier are vulnerable to a denial-of-service attack. (The connection is reset by a peer and the system dies.) Solution: Upgrade. |
sperl | sperl (suidperl) is a tool (common to Perl 4 and 5) designed to provide an extra layer of security when dealing with privileged scripts. In various sperl versions, local users can use it to execute commands as root. Problems range from erroneous permissions to buffer overflows. For early coverage on this issue, see http://www.sdsc.edu/Security/ciac_advisory/msg00049.html. Other problems cropped up in 1997 and 1998. Solution: Upgrade. |
splitvt | splitvt is a utility for splitting a VT100 terminal in two so you can run two programs at once. In Linux 2.3, splitvt is vulnerable to a stack overflow. The result is that local users can grab root. Solution: Unknown. Avoid using splitvt . Exploit test code is at http://afterdark.ml.org/~arnstein/webfiles/linux/splitvt.html. |
sshd | sshd is the Secure Shell server. (Secure Shell offers encrypted terminal sessions, among other things.) In December 1998, there was talk that sshd was vulnerable to buffer overflows on Debian. In response, Debian released patches. Go here for more information: http://www.debian.org/Lists-Archives/debian-security-announce-9812/msg00002.html. To learn more about Secure Shell, visit the SSH home page at www.ssh.fi/sshprotocols2/. |
SuperProbe | SuperProbe is a utility that attempts to automatically ascertain your video card's capabilities. (SuperProbe comes in handy if your video card is not explicitly supported—not on the xf86config script's list, for example). In SlackWare 3.1, SuperProbe has buffer overflow problems and is SUID root. Solution: Change the permissions. Exploit test code is at http://darkwing.uoregon.edu/~sbrewing/security/super_probe_exploit.txt. |
super | super is a system administration utility that ships with Debian Linux. Its purpose is to allow select users to operate in privileged mode. As of February 1999 (and before version 3.11.7), super was vulnerable to a buffer overflow. Go here for details: http://cert.ip-plus.net/bulletin-archive/msg00106.html. |
slip.login | The SLIP initialization script (/etc/slip.login) allows valid SLIP users to execute commands with root UID. (Users specify their commands with the script as environment variables.) To find out if yours is vulnerable, test it with exploit code from this site: http://www.mc2.nu/hack/linux/slipLogin.txt. Solution: Upgrade. |
s-povray | povray is a ray-tracing graphics program. In version 3.02, s-povray is SUID root and reportedly must be to perform display functions. Solution: Unknown. Contact the developers at http://www.povray.org/. |
startmouse | On various systems (particularly SlackWare 3), startmouse, which is part of the Doom game distribution, is SUID root. The solution is to fix the permissions. The exploit is at http://www.tao.ca/fire/bos/old/1/0369.html. |
suidexec | suidexec on Debian 2.0 (in package suidmanager, 0.18) can provide root access via SUID shell scripts. Solution: Upgrade. Learn more and obtain the exploit at http://www.newwave.net/~optimum/exploits/files/suexec.txt. |
tcsh | tcsh is an enhanced version of csh (the C shell). tcsh-6.07.02 is vulnerable to a buffer overflow. Solution: Upgrade. |
traceroute | traceroute is a network utility that traces the route between the localhost and a remote target (and is often used for route diagnosis). On Caldera OpenLinux and traceroute distributions 1.4a5-3 and earlier, traceroute is vulnerable to a buffer overflow. Solution: Upgrade. |
umount | umount is a utility for dismounting file systems and is part of the Linux Utilities package. In util-linux 2.5, umount is vulnerable to an overflow attack and local users can use this to gain leveraged access (and perhaps root privileges). Exploit test code is at http://www.njh.com/latest/9610/961030-02.html. |
workman | workman is an audio CD player. On some Linux versions, workman installs SUID root. In such cases, attackers can use workman to overwrite any file. Solution: Check the permissions and adjust them accordingly. |
wsmbconf | wsmbconf (part of samba-1.9.18p10-3) ran SGID owned by root. Learn more at http://archive.redhat.com/redhat-watch-list/1998-November/0002.html or see Caldera Security Advisory SA-1998.35. |
wu-ftpd | wu-ftpd is the default FTP server. Version 2.4.2-academ[BETA-18] harbors a buffer overflow which, when exploited, can give attackers root access. This affects Red Hat 5.2, SlackWare 3.6, Caldera 1.3, and potentially others. Solution: Visit your Linux vendor (or distribution site) for the latest patch. Learn more at http://www.ciac.org/ciac/bulletins/j-029.shtml. |
XCMail | XCMail is an X11-based mail tool with MIME and POP3 support. The application is vulnerable to attack via buffer overflow (but apparently, with minimal impact). Solution: Unknown. Learn more at http://www.securiteam.com/exploits/XCMail_remote_vulnerability.html. |
Xconfigurator | Xconfigurator is a Red Hat X configuration utility. During use, Xconfigurator creates temp files insecurely (and apparently installs SUID root). Solution: Fix the permissions. |
xinitrc | xinitrc is a startup file for X (/usr/X11R6/lib/X11/xinit/xinitrc). On some TurboLinux systems, a + is appended to the xhost entry. Solution: Remove the +. |
xosview | xosview is a graphical performance meter; it tracks system load, memory, and so on. In Red Hat 5.1 (xosview 1.5.1), it installs SUID root. Solution: Correct the permissions. Exploit test code is at http://acsys.anu.edu.au/~tpot/hypermail/bugtraq/0059.html. |
xtvscreen | xtvscreen is a capture utility, compatible with TV capture cards. On some systems (SuSE 6 for certain) xtvscreen installs SUID root. Solution: Change the permissions. Exploit test code is at http://linuxtoday.com/stories/3210_flat.html. |
After plugging these holes, your next important step is to stay informed. As you might expect, the Linux community freely shares a wide range of security information. You just need to know where to look, and that's what Appendix D is all about: where to get more information.