Posted on 11/28/2001 1:28:10 PM PST by Don Joe
A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to online attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.
"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.
"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."
The software flaw affects all versions of wu-FTP, a program originally created at Washington University at St. Louis for servers running FTP (file transfer protocol) functions for transferring files over the Internet.
While the exact number of active FTP servers on the Internet is not known, the software is the most commonly installed file server and accompanies most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Conectiva, Cobalt Networks, MandrakeSoft and Wirex.
The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, allows attackers to get remote access to all files on a server, provided they can access the FTP service. Since most such servers provide anonymous access to anyone on the Internet, a great number will be vulnerable.
Huger called the flaw "serious."
The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.
While the group that discovered the flaw, Core ST, informed Linux software companies and the open-source group that manages development for wu-FTP of the flaw, Red Hat mistakenly released a security advisory to its customers on Tuesday.
Normally, an advisory is a good thing, but other Linux software sellers had expected any advisories to be published Dec. 3, giving them time to work on fixes. Instead, the surprise announcement left the customers of other companies' products vulnerable.
"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.
"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."
I just looked through another paper at that site: The Magic Cauldron. Here were my comments to that piece...
Interesting paper. Does a pretty good job of explaining market behavior for 'free' or 'open-source' software. There are a few points that I noted, which I thought I'd share.
If some of AOL's software were installed by default with Windows, and if AOL bugs caused problems for users (whether or not they wanted to use AOL per se), that would be a Windows problem, since whoever put the software on the machine is responsible for it.
Years ago, I bought a BIOS upgrade from DTK for my 286, because there was some bug in the earlier BIOS that screwed up my PDS (either 6 or 7, can't remember).
When the chips arrived, I put them in my machine, and it wouldn't boot.
After quite some time pulling my hair out, I put the old EPROMS back, and read the new EPROMS into my burner, and read them to files. I then ran a little utility I'd written earlier, which interleaved their bytes, so that I could examine text strings that were split between the two chips.
When I loaded the output file into list.com, I saw text strings containing the phrase "DISK KILLER".
DTK's binaries were infected with the "DISK KILLER" virus, and they merrily went about their business burning BIOS sets and shipping them to customers.
To make a long story short, they didn't know a thing about it until I called them. I'd never heard a giant puckering sound in Chinese before. When they sent me the replacement chips, they worked OK.
The moral of this story is that I can't fathom how a trojan could copy an operating system driver file into a BIOS, and still have a bootable computer, let alone one that boots, and runs the driver too!
Am I misunderstanding your post?
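The EPROM trick described in the post above (reading both chips of a BIOS set and interleaving their bytes so that text split across the even and odd chips becomes readable) can be reproduced in a few lines. The following is an added example, not the poster's original utility: it splits a constructed sample image into an even/odd pair the way a 16-bit-wide ROM set stores it, shows that a plain `strings`-style scan of either chip alone yields only fragments, and recovers the whole marker once the two dumps are interleaved. The sample image and the marker text are constructed for illustration.

```python
# Added example, not the poster's own tool: interleave two 8-bit EPROM dumps
# from a 16-bit BIOS set so text strings split across the chips can be read.

def interleave(even_rom: bytes, odd_rom: bytes) -> bytes:
    """Merge two equal-length chip images into one byte stream.

    In a 16-bit-wide ROM built from two 8-bit EPROMs, one chip holds the
    bytes at even addresses and the other the bytes at odd addresses.
    """
    if len(even_rom) != len(odd_rom):
        raise ValueError("ROM images must be the same length")
    out = bytearray(2 * len(even_rom))
    out[0::2] = even_rom
    out[1::2] = odd_rom
    return bytes(out)


def split_rom(image: bytes) -> tuple[bytes, bytes]:
    """Inverse of interleave(): produce the even-chip and odd-chip images."""
    return image[0::2], image[1::2]


def find_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Extract runs of printable ASCII, like the classic `strings` tool."""
    found: list[str] = []
    run = bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


# Constructed sample image (not a real BIOS): binary filler around a marker.
SAMPLE_IMAGE = b"\x00\xff" * 8 + b"SAMPLE MARKER" + b"\x00" * 3
EVEN_ROM, ODD_ROM = split_rom(SAMPLE_IMAGE)


def fragments_per_chip() -> tuple[list[str], list[str]]:
    """What a scan of each chip on its own turns up: only every other byte."""
    return find_strings(EVEN_ROM), find_strings(ODD_ROM)


def recovered_strings() -> list[str]:
    """What the same scan finds after the two chip images are interleaved."""
    return find_strings(interleave(EVEN_ROM, ODD_ROM))


if __name__ == "__main__":
    print("per chip:", fragments_per_chip())
    print("interleaved:", recovered_strings())
```

Each chip alone shows only every other character of the marker, which is why an infected string is easy to miss when chips are dumped and examined one at a time; the interleaved image restores the original byte order and the string reads cleanly.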
In the article you quote, Microsoft is arguing that security companies shouldn't provide a step-by-step instruction manual on how to exploit a new bug. I and most other IT professionals agree. It is sufficient for the software company to say there is a problem, explain (in general terms) how the exploit is performed, and provide the patch. There is no need to provide script kiddies with an instruction manual.
I get the sense that the self-described "open source" advocates-cum-"supporters of information anarchy" paint a picture of a binary world: their side preaches "openness", and damns the other side, which it accuses of "security by obscurity".
In reality, there's a third option, which they refuse to consider. It's detailed quite nicely in that article.
Let's use a "door" metaphor. The "open" folks deride the more prudent homeowners, accusing them of "trying to make their homes secure by hiding the doorknob instead of buying a lock." Yet, they themselves continue to experience one break-in after another.
Along comes a little boy, who was driven out of his last hometown after he pointed out that the emperor was naked. He looks at the situation, and tells the "open" people that he knows what their problem is.
Before he can say anything else the Head Open Guy pipes up and says "Look, kid -- we've got the best locks available, and we're constantly making them better. And because we're Open, we encourage others to work on the locks too, so that lock technology can evolve at an even faster pace. We fully document everything, so that they can get up to speed quickly."
The kid shakes his head, looks the HOG in the eye, and asks, "Are you done now?"
The HOG says, "fine, say whatever you want to say, but make it snappy; we've got a bunch of people in the next town that are getting hit really hard, and we've got to get an improved lock to them pronto!"
The kid says, "This won't take long. The problem with your locks is simple -- no matter how secure you make them, you persist in displaying picking directions on each one of 'em! You might as well not even bother having locks in the first place, because you're giving the thieves a blueprint to defeat them."
At this, the HOG shook his head, muttered an obscenity beneath his breath, and shot the kid.
This is not a sentence.
"That's Microsoft's characterization. Not everyone agrees that's what security companies are doing."
The Script Kiddies seem to be happy with it. And they seem to be validating what oc-f said about it too. Did you even read that article?
Heah ya go, son. Have y'all some jaw'vah.
Oh, tres drole! The "MS women" -- how wry, how pithy!
Then again, I'd expect nothing less than that level of brilliance from the Unix Eunichs.
BTW, if you really believe that there's only "_one_ UNIX-related exploit", your hard drive must be smokin' some fahn sheet, man. Um, I meant "man". Sorry 'bout that, y'all.
Ah, the "people that know.." gambit.
OK, I'll play that game too. "People that use UNIX eat feces and pack fudge, and agree that Bill Clinton was the best president in the country's history."
As to whether the "people that" populate your example outnumber those that populate the example I provided, well, since neither of us has provided anything to address that aspect of the discussion, it remains unknown.
By the way, has anyone mentioned to you that your attitude epitomizes everything that makes normal people hold the Eunichs in contempt? Your smarmy attacks, cheap shots, and smug arrogance all rolled into one cloying, syrupy sweet bolus is a caricature of itself. And a good one, too!
The "big" security firms are as tangled up with Microsoft as everyone else, and they would also probably like to see their lives made easier too. After all, malicious attackers have been laying waste to Windows for years.
Oh, this is great!
First, you let us know that nobody is with 'em, then you let us know that everybody is with 'em! Spin, spin, spin.
Don't forget to take your Dramamine!
Are you related to Casey Stengel? Your argument is frighteningly reminiscent of his "no one goes there, it's too crowded" line.
This campaign against information anarchy isn't about "being responsible." It's about public relations. Otherwise, why characterize anyone who disagrees with the Microsoft position as an anarchist? Do you advocate INFORMATION TOTALITARIANISM?
Yup, it's Binary Blade, the Sailor! (Sung to the tune of Barnacle Bill...)
Anyone who doesn't put lockpick directions next to the doorlock is a TOTALITARIAN!!!
BTW, you forgot the part about shooting the kid.
I would note that published attack scripts are not a threat to anyone running a secure OS.
Translation: "I would note that published lockpick directions are not a threat to anyone with armed guards."
Barnacle, I'm afraid you Just Don't Get It. But don't feel bad. The syndrome is common to the Eunichs community. Perhaps hormone injections might help? :)
The difference is, when a test is rendered useless, they can put testees on hold, and quickly issue them new questions. When an OS compromise is cast to the four winds, millions of people suffer billions of dollars worth of damage. People may even die.
To the anarchy-purists, those are matters of little or no import.
Back when I was going to photography school, there were certain people who were of a similar doctrinaire philosophical bent. To those people, commercial photography was "prostitution", and anyone who would actually create something as requested by a client was nothing more than a whore.
Reality never seems to be much of a consideration to the taliban wing of any endeavor.
Logic like that never stands in the way of the Eunichs. They play the double corner of the checkerboard. You move in for the kill, and they squirm over to the other box, and vice-versa.
They pile on the lies thick and heavy about Windows. When you finish debunking them, they act as if they never even mentioned them, and launch into a "Did you know that Bill Gates is an Atheist?" style anti-MS rant.
Why, flashing the BIOS is nothing difficult for a virus. I don't see the difficulty in flashing an additional controller driver into the BIOS.
On a suspect 440BX-2 motherboard I put in a blank HD that had been stored for 11 months, then loaded DOS 6.22, then Windows 3.1. In both installs I found two comm.drv files of differing sizes and dates. 3.1's install was buggy so I went to '98. When I upgraded to '98 I had dual instances of kernel32 and the OS installed the hardware twice: once on one boot, then again on a second boot. Both the comm.drv's were in '98 as well. At the second boot the CPU usage would spike to almost 100%. It was rather straightforward. In '98 I checked the properties of the newer driver and it identified itself as the "NT5" version. This occurred via a blank HD and write-protected archive media that hadn't been used in years.
In any event, to be sure about what I'd found I isolated the worm to a CDR and, after cleaning the network, chose a machine to recreate the problem. I infected and cleaned it 3 times to be sure of the infection course and how to clean it. Trend, Symantec, AVG, and McAfee all reported the system was 'clean' when it was infected with the driver and/or the virtual root trojan.
The fix was a bit drastic but it worked:
1) Write 0s to the drive, power off, remove the HD.
2) Flash the BIOS, power off and remove the CMOS battery for a min.
3) Reconnect, reinstall.
That's the only thing I found which worked. If I just zeroed the HD it would load up with the NT5 comm.drv sending calls to the OS, ergo it was in the BIOS. You do know the NT5 comm.drv is a network comm.drv? I had no intention of that owning my NT4 machines.
As you so elegantly prove with every post.
I use both Windows and Linux. Why? Because each has a tool I require. Linux is mainly in use as my network firewall/router, because of the security and cost benefits it provides. Windows provides access to applications I use. The OS is a tool--not a religious/fanatical experience.
Windows has this, but what do I know...
-uptime in excess of 600 days (obviously not windows servers then)
Gee, you never patch your servers huh? I wouldn't want to work at your company if you only patch every 1.5 years. My NT based web server ONLY gets rebooted when a new patch is released. There is never a need to reboot otherwise.
Notice how happy the MS women are when _one_ UNIX-related exploit finally makes press (this software also runs on windows motards)...and this is one which can only be used when anonymous access is turned on anyway, so it doesn't pose a threat to any admin worth a damn. compare this to the win32 exploits which have come down the pipe this year, which _all_ windows servers were vulnerable to.
Sorry Charlie wrong again. If you subscribed to any of the security mailing lists you would know that Unix has just as many exploits discovered as Windows. Don't believe me, subscribe to the SANS Security Alert Consensus newsletter. It is a weekly digest of new exploits for all platforms (Windows, Unix, Linux, BSD, Solaris, Network Appliances, etc..) Your eyes will be opened my friend.
I know some of the windows people on this list are happy to finally see something bad come down the pipe re a UNIX-type server, but that is because they so desperately cling to their world where clicking a next button qualifies them as being a system administrator.
Finally? Have you been living in a cave? What about the recent Sadmind, and BIND exploits? Were they just lies put out by Microsoft's media relations department?
Setting up enterprise level software _is_ difficult. It can be made easier by introducing WYSIWYG admin tools and fancy GUIs, but for the most part, you get what you give. And when you give next to nothing (setting up a windows server) you get next to nothing (a windows server).
I agree that setting up enterprise software is difficult on all operating systems. It takes me roughly a day to harden (if you don't know what this term means then please go look it up) an NT server. The broader problem you are talking about is having an admin take the default settings of any operating system and then placing the machine on the Internet. Be it Unix, Linux, or Windows, the machine has exploits out of the box.
You need qualified administrators, not inept fools.
Agreed. The problem with poorly trained admins exists on all platforms. Are you trying to say that ALL Unix admins are brilliant and never make mistakes? Don't make me laugh.
Oh, I see... it's all part of some vast global conspiracy. You asked for examples and I provided them.
The Code Red and Nimda viruses were incapable of executing on non-Windows machines, and they caused billions of dollars worth of damage to production data. Tell me, what vulnerability that is specific to all flavors of UNIX/Linux and only to UNIX/Linux has ever caused that kind of financial pain?
First of all I think everyone agrees that these figures are WAY blown out of proportion. BIND is a recent Unix exploit that comes to mind. Screwing up a DNS record can cause your website to be unavailable to customers. Large commerce sites can lose thousands of dollars per hour if their site is not accessible.
This campaign against information anarchy isn't about "being responsible." It's about public relations. Otherwise, why characterize anyone who disagrees with the Microsoft position as an anarchist? Do you advocate INFORMATION TOTALITARIANISM?
This is where you and I disagree. I think the proposal is reasonable and will benefit the industry. Please don't try to associate me with fascism, totalitarianism, or communism... that obscures the point.
I would note that published attack scripts are not a threat to anyone running a secure OS.
You are so full of it. Are you going to say that Unix is a secure OS and there are never exploits on it? Get real. The OS is never secure; it can only be hardened.