UnixLinux Security Update - PowerPoint PPT Presentation

1
Unix/Linux Security Update
  • Bob Cowles
  • November 2, 2000

2
Outline
  • Intro
  • Format String
  • Buffer Overflows
  • Symlink following
  • Specials
  • Conclusions

3
Intro (1/3)
  • Microsoft Security Bulletins
    • 1998: 20
    • 1999: 61
    • 2000 (first 5 months): 37
    • 2000 (first 10 months): 82
  • http://www.securityfocus.com
  • http://www.securityportal.com

4
Intro (2/3)
  • DDoS is still a problem
    • Often placed on compromised machines
    • Selection of clients is improving (!)
  • AES selection is complete
    • Rijndael selected
    • Expected to be good in mobile, low-power platforms
  • Microsoft break-in comments

5
Intro (3/3): hacked web servers 10/31, courtesy of attrition.org
  • www.elipsedesign.com hooyah
  • www.diamond.com.au prime suspectz
  • www.tvet-pal.org
  • gsmart.net.id chikebum
  • www.adara.com.tw m0r0n/nightmana
  • www.advancetek.com.tw m0r0n/nightma
  • alessiamarcuzzi.it azndragon
  • www.eiba.biu.ac.il m0r0n/nightman
  • www.mba.biu.ac.il m0r0n/nightman
  • www.wiredsolutionstk.com MaNa2EEsH
  • www.0x7f.org
  • www.clearwaterfarm.com keoki
  • www.ca0.net RSH
  • advancedit.co.za one man army
  • www.warrenconner.org mecca
  • www.wmsolutions.com
  • www.woodengate.com tyl0x
  • birthingthefuture.com keoki
  • www.kia.co.kr Prime Suspectz
  • mail.mountainzone.net
  • wchs02.washington.high.washington.k12.ga.us dis
  • www.boitnotts.com Hackah Jak
  • www.bancoprimus.com.br Anti Security Hackers
  • www.dersa.com.br prime suspectz
  • www.epson.ru prime suspectz
  • www.penalty.com.br Anti Security Hackers
  • www.enap.cl CiXX

6
Format String
  • Affects all Unix/Linux systems
  • Started with QPOPPER in May
  • We haven't seen the end
  • Latest is ypbind
  • Severe in the LOCALE subsystem and in environment variable passing of telnet

7
Format String Alerts (1/2)
  • May
    • QPOPPER
  • June
    • Various ftpd
  • July
    • BitchX IRC client
    • rpc.statd (nfsutils)
  • August
    • gnu mailman
    • NAI net tools PKI server
    • IRIX telnetd
    • xlock
  • September
    • Locale subsystem
    • screen
    • klogd
    • KDE kvt
    • LPRng
    • lpr
    • SCO help http server

8
Format String Alerts (2/2)
  • October
    • Cfengine
    • eeprom in BSD, libutil, fstat
    • BSD telnet (remote)
    • PHP error logging
    • ypbind

9
Buffer Overflows
  • April
    • Solaris ufsrestore
    • Solaris lp/lpstat/lpset
  • May
    • netpr
    • kerb4 and kerb5 in compatibility mode
      • Remote exploits for klogin, ksu, krshd
  • September
    • Pine remote exploit using From line
  • October
    • Dump
    • Tcpdump

10
Symlink Following
  • Mgetty / faxrund
    • Creates .last_run in a world-writable directory
    • Follows symlinks, allowing:
      • File creation anywhere
      • File smashing
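The .last_run problem above is the classic symlink-following bug: a daemon creates or rewrites a file in a directory other local users can write to, and a planted link redirects the write. The following is an added example (not code from the slides or from mgetty) that runs both patterns inside a temporary directory: the vulnerable `open(path, "w")` that follows the link and smashes the target, and a hardened writer that opens with `O_CREAT|O_EXCL|O_NOFOLLOW` and checks what it actually opened. All paths and file contents are constructed for the demo.

```python
"""Added example: creating a state file like .last_run in a shared,
world-writable directory without following a planted symlink.
Not part of the original slides or of mgetty; all paths constructed."""
import os
import stat
import tempfile


def vulnerable_write(path: str, data: str) -> None:
    # Follows symlinks: if `path` is a link, the link target is
    # truncated and overwritten ("file smashing").
    with open(path, "w") as f:
        f.write(data)


def hardened_write(path: str, data: str) -> None:
    # O_CREAT|O_EXCL fails if the name already exists, and POSIX specifies
    # it fails when the name is a symlink even if the link dangles.
    # O_NOFOLLOW (Linux/BSD) additionally refuses to follow a link in the
    # final path component; it is omitted on platforms that lack it.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)
        # Confirm the descriptor refers to a regular file we own.
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            raise OSError("unexpected file type or owner at %s" % path)
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def demo() -> dict:
    """Run both writers against a planted symlink and report the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as shared:
        # Constructed "victim" file standing in for any file the daemon's
        # uid may write to.
        victim = os.path.join(shared, "victim.txt")
        with open(victim, "w") as f:
            f.write("original contents\n")

        # Link planted where the daemon expects to create its state file.
        link = os.path.join(shared, ".last_run")
        os.symlink(victim, link)

        vulnerable_write(link, "smashed\n")
        with open(victim) as f:
            results["victim_after_vulnerable"] = f.read()

        try:
            hardened_write(link, "smashed again\n")
            results["hardened_refused"] = False
        except OSError:  # EEXIST or ELOOP depending on platform
            results["hardened_refused"] = True
        with open(victim) as f:
            results["victim_after_hardened"] = f.read()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, repr(value))
```

The hardened variant refuses the planted link, so the target keeps whatever it held before; the vulnerable variant has already replaced it. In a real daemon the same idea applies to every file created in /tmp or a spool directory: never create by name alone, always create exclusively and verify with `fstat` on the descriptor, not with a separate `stat` on the path (which reopens the race).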

11
Specials
  • Cisco
  • Linux capabilities
  • Cross site scripting
  • PGP
  • Netscape
  • RSA
  • Sun key compromise

12
Cisco
  • 04/19: Access to priv mode in Catalyst switch (fix 5.4(2))
  • 04/20: IOS reload when telnetd port is scanned
  • 05/15: Router crash with httpd enabled

13
Linux Capabilities
  • Capabilities available in release 2.2.x
  • Fine-grained privilege setting
  • Inherited from parent process
  • Can prevent a suid program from dropping root
  • Exploits used sendmail and procmail
  • Temporary fix from CERN
  • Current fix is to require 2.2.16

14
Cross Site Scripting
  • Problem inherent in browser/server design
  • Fix is up to proper application design by web developers
  • Can be used to steal cookies or read/write local files
  • 09/07: ETrade user names and passwords are remotely recoverable

15
PGP
  • Affects version 4 of PGP public keys
    • Mostly Diffie-Hellman
  • Additional decryption keys
    • Part of the public key not covered by the encrypted checksum allows insertion of additional, unauthorized decryption keys
  • Primary issue is one of confidence in PGP

16
Netscape
  • SSL certificate validation code error
    • Happens on host name mismatch
    • No further validation for future uses of the certificate
  • Brown Orifice httpd
    • Delivered in a number of modes
    • Advertised itself as compromised
  • Fix forced upgrade to 4.75

17
RSA
  • 09/06: Code was released to the public domain 2 weeks prior to patent expiration
  • Expect a greater volume of encryption products to be released over the next year

18
SUN Certificate Compromise
  • Web server certificate compromised
  • First admitted case for a major vendor
  • http://sunsolve5.sun.com/secbull/certificate_howto.html explains how to determine whether the certificate has been accepted

19
IIS Unicode
  • Not UNIX, but very important: allows remote execution of commands (cmd, tftp)
  • Other Unicode exploits are likely in other programs needing to edit input data
  • Difficult to remove all dangerous characters: too many ways to represent them
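The last bullet is the lasting lesson of the IIS Unicode bug: a filter that scans the raw request for bad characters loses to alternate spellings (percent-encoding, over-long UTF-8 sequences, backslash as separator). The added example below (my code, not from the slides or from any web server) contrasts such a naive filter with a canonicalise-then-check validator: percent-decode, decode UTF-8 strictly so over-long forms are rejected by the codec, then resolve the path against a document root and refuse anything that escapes it. The document root and the sample request paths are constructed for the demo.

```python
"""Added example: canonicalise a request path before deciding whether it
is safe, instead of pattern-matching the raw bytes.
Not part of the original slides; DOC_ROOT and samples are constructed."""
import posixpath
from urllib.parse import unquote_to_bytes

DOC_ROOT = "/var/www/htdocs"   # hypothetical document root


def naive_filter(raw_path: str) -> bool:
    """Byte-matching filter on the raw request: True means 'looks safe'."""
    return ".." not in raw_path and "\\" not in raw_path


def canonical_check(raw_path: str) -> tuple:
    """Return (allowed, reason_or_resolved_path), deciding only after
    the path has been reduced to one canonical form."""
    raw_bytes = unquote_to_bytes(raw_path)          # undo %XX escapes
    try:
        # 'strict' rejects over-long sequences (e.g. C0 AE for '.')
        # and encoded surrogates, so one character has one spelling.
        decoded = raw_bytes.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False, "invalid UTF-8 after percent-decoding"
    if "\x00" in decoded:
        return False, "embedded NUL"
    # Treat backslash as a separator, as a Windows-hosted server does.
    decoded = decoded.replace("\\", "/")
    # Collapse '.' and '..' segments relative to the document root.
    resolved = posixpath.normpath(
        posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    if resolved != DOC_ROOT and not resolved.startswith(DOC_ROOT + "/"):
        return False, "escapes document root"
    return True, resolved


def evaluate(requests):
    """Run both checks over a list of raw request paths."""
    return {r: {"naive": naive_filter(r), "canonical": canonical_check(r)[0]}
            for r in requests}


SAMPLE_REQUESTS = [                        # constructed sample inputs
    "/index.html",                         # ordinary request
    "/../../../etc/passwd",                # literal traversal
    "/%2e%2e/%2e%2e/etc/passwd",           # percent-encoded dots
    "/%c0%ae%c0%ae/etc/passwd",            # over-long UTF-8 for '.'
]

if __name__ == "__main__":
    for req, verdict in evaluate(SAMPLE_REQUESTS).items():
        print(f"{req:32} naive={verdict['naive']!s:5} "
              f"canonical={verdict['canonical']}")
```

The naive filter passes the two encoded requests because the literal characters it looks for never appear in the raw string; the canonical check rejects one as invalid UTF-8 and the other because, once decoded and normalised, it resolves outside the document root. The design point is that the decision is made on the resolved path, so every new encoding trick is handled by the decoder rather than by another entry in a blacklist.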

20
Recommendations
  • Leverage security concerns to gain control of OS configurations
  • Security is not a part of the service organization
  • Limit visibility of complex protocols
    • Block if possible, otherwise allow only well-maintained servers
  • HTTP and XML are going to have many more security issues

21
Questions?