Posted on 11/28/2001 1:28:10 PM PST by Don Joe
A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to online attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.
"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.
"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."
The software flaw affects all versions of wu-FTP, a program originally created at Washington University at St. Louis for servers running FTP (file transfer protocol) functions for transferring files over the Internet.
While the exact number of active FTP servers on the Internet is not known, the software is the most commonly installed FTP server and accompanies most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Conectiva, Cobalt Networks, MandrakeSoft and Wirex.
The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, allows attackers to get remote access to all files on a server, provided they can access the FTP service. Since most such servers provide anonymous access to anyone on the Internet, a great number will be vulnerable.
Huger called the flaw "serious."
The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.
While the group that discovered the flaw, Core ST, had informed the Linux software companies and the open-source group that manages wu-FTP development, Red Hat mistakenly released a security advisory to its customers on Tuesday.
Normally, an advisory is a good thing, but other Linux software sellers had expected any advisories to be published Dec. 3, giving them time to work on fixes. Instead, the surprise announcement left the customers of other companies' products vulnerable.
"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.
"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."
Oh, I see your point... let's trivialize one of the largest IT research firms in the world.
I agree with you.
I agree 100%. Unfortunately not everyone understands that... hence the OS Holy Wars that erupt every now and then.
"Why, flashing bios is nothing difficult for a virus. I don't see the difficulty in flashing an additional controller driver into bios."
Neither do I. I do see a problem with the BIOS booting after you put the bullet in its head. (See my DTK adventure for reference.)
I've heard of badware trashing CMOS. I've never heard of badware installing drivers into it, let alone doing so and retaining the ability to boot (let alone adding badware code to the BIOS too, so that it could install the driver onto a hard drive!).
On a suspect 440BX-2 motherboard I put in a blank HD that had been stored for 11 months then loaded DOS 6.22, then Windows 3.1. In both installs I found two comm.drv files of differing sizes and dates. 3.1's install was buggy so I went to '98. When I upgraded to '98 I had dual instances from kernel32 and the OS installed the hardware twice. Once on one boot, then again on a second boot. Both the comm.drv's were in '98 as well. At the second boot the CPU usage would spike to almost 100%. It was rather straightforward. In '98 I checked the properties of the newer driver and it identified itself as the "NT5" version. This occurred via a blank HD and write-protected archive media that hadn't been used in years. In any event, to be sure about what I'd found I isolated the worm to a CDR and after cleaning the network chose a machine to recreate the problem. I infected and cleaned it 3 times to be sure of the infection course and how to clean it. Trend, Symantec, AVG, and McAfee all reported the system was 'clean' when it was infected with the driver and/or the virtual root trojan. The fix was a bit drastic but it worked: 1) write 0s to the drive, power off, remove the HD. 2) Flash the BIOS, power off and remove the CMOS battery for a min. 3) Reconnect, reinstall. That's the only thing I found which worked. If I just zeroed the HD it would load up with the NT5 comm.drv sending calls to the OS, ergo it was in BIOS. You do know the NT5 comm.drv is a network comm.drv? I had no intention of that owning my NT4 machines.
Now that you've described it, it seems fairly obvious that the badware took over some area of the hard drive that was normally invisible (i.e., blocks of "bad" sectors, a micro-partition, etc.), and stored its crapload there. When you flashed your BIOS, you probably cleared out the drive table, which was probably modified by the badware to hide an area on the hard drive.
BTW, why was your BIOS left in writeable condition? Don't most motherboards come with the jumper defaulted to the R/O position?
You are very arrogant. So was Bill Clinton.
Why do you insist on playing the pointless-points game?
Wow, that's quite the epiphany!
Does this mean that Hizbollinux will be calling off the Jihad any time soon?
"I agree with you."
It's an immutable law of nature. When the rabbit population skyrockets, so does the coyote population. When cities outlaw the right to carry a pistol, armed robberies skyrocket. The prey-predator relationship is carved into the fabric of creation. The idea that the proliferation of a standard OS would not result in it being targeted by predators is absurd.
Let's say some program Microsoft wrote had a security problem, and the software ran on Windows and Macintosh. Would you blame the Macintosh or Windows operating system? No, it's a software bug.
What you are saying is because it comes with Linux, then it appears to a novice that it's a Linux problem? Sure, the same goes for Windows when someone gets a Word virus, it seems like a Windows problem.
You, however, claim to be knowledgeable about computers. You know that a security problem with ICQ or IIS is not, strictly speaking, a problem with the operating system. Surely you see that a buffer overflow vulnerability in WU-FTP is not a Linux problem.
It would be nice if you were to tone down your posts, too.
I'm not the type to quietly take a beating without making it at least equally costly to the initiator.
You mean pointless point scoring like this?
Don Joe to Blade:
Don't forget to take your Dramamine!
Are you related to Casey Stengle?
Yup, it's Binary Blade, the Sailor! (Sung to the tune of Barnacle Bill...)
BTW, you forgot the part about shooting the kid.
Barnacle, I'm afraid you Just Don't Get It. But don't feel bad.
The syndrome is common to the Eunichs community. Perhaps hormone injections might help? :)
Don Joe, you're a joke. Style over substance, just like Bill.
Coming from you, that's quite the compliment.
IOW, dig yerself, man.
Are all the u-weenies such pathetic can-dish-it-out/can't-take-it lusers?
My granddaddy used to say if you wrestle a pig, all you do is get dirty and make the pig happy. Want to participate in Unix vs. Windows flame wars? Go read comp.os.linux.advocacy. You don't win arguments by stooping to your adversary's level.