October 2000 - openSUSE Security - openSUSE Mailing Lists

SuSE Security Announcement: ncurses (SuSE-SA:2000:043)
by Roman Drahtmueller 27 Oct '00

27 Oct '00

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SuSE Security Announcement Package: ncurses Announcement-ID: SuSE-SA:2000:043 Date: Friday, October 27th, 2000 17:00 MEST Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0 Vulnerability Type: local root compromise Severity (1-10): 5 SuSE default package: yes Other affected systems: systems with suid binaries linked against ncurses Content of this advisory: 1) security vulnerability resolved: ncurses problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information The ncurses library is used by many text/console based applications such as mail user agents, ftp clients and other command line utilities. A vulnerability has been found by Jouko Pynnönen <jouko(a)solutions.fi> in the screen handling functions: Insufficient boundary checking leads to a buffer overflow if a user supplies a specially drafted terminfo database file. If an ncurses-linked binary is installed setuid root, it is possible for a local attacker to exploit this hole and gain elevated privileges. There are several ways to fix the problem associated with the library. One of them would be to fix the library. However, it is not considered unlikely that another problem (similar to the one that has just been found) will be revealed in the future. Therefore, it is advisable to not link setuid applications against the ncurses library. As a permanent and cleaner fix, we do not provide update packages for the ncurses library, but we suggest to change the modes of the relevant setuid applications. There are three setuid-root applications contained in SuSE-distributions: xaos (suid root for permissions to use SVGAlib on the Linux console) screen (does not need root privs in the latest version) cda, contained in the xmcd program, a command line CD player. It might need elevated privileges to access the cdrom device file. The script attached to the email with this announcement changes the modes of files in the SuSE distribution that match both criteria necessary to exploit the buffer overflow in the ncurses library: 1) the binary is setuid root, 2) it is linked against libncurses. Please save the attachment under the name "perms-ncurses.sh" and execute it using the command `bash ./perms-ncurses.sh´. It does: a) Check your version of the screen program installed. b) Changes /etc/permissions and /etc/permissions.easy to reflect the mode changes. The original files are saved, see /etc/permissions.* . (note: The chkstat program is being executed by SuSEconfig, the SuSE configuration script, to set the modes of files according to the entries in the permission files. The files being used are /etc/permissions, /etc/permissions.local and /etc/permissions.easy unless the administrator changed the settings in /etc/rc.config .) c) Changes the file modes by hand by executing chmod 755 /usr/X11R6/lib/X11/xmcd/bin-Linux-$ARCH/cda \ /usr/bin/screen /usr/bin/xaos You can download the script from the following location: ftp://ftp.suse.com/pub/suse/noarch/perms-ncurses.sh md5sum: abe22607d45ecdb710f6061d5bbd3d13 ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: A summary about ongoing issues will be included in the next security announcement. ______________________________________________________________________________ 3) standard appendix: SuSE runs two security mailing lists to which any interested party may subscribe: suse-security(a)suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe(a)suse.com>. suse-security-announce(a)suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe(a)suse.com>. For general information or the frequently asked questions (faq) send mail to: <suse-security-info(a)suse.com> or <suse-security-faq(a)suse.com> respectively. =============================================== SuSE's security contact is <security(a)suse.com>. =============================================== Regards, Roman Drahtmueller. - - -- - - | Roman Drahtmueller <draht(a)suse.de> // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nuernberg, Germany +49-911-740530 // (Batman Costume warning label) | - - ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. SuSE GmbH makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048/3D25D3D9 1999/03/06 SuSE Security Team <security(a)suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12Cg== =pIeS - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBOfmlFXey5gA9JdPZAQG+HQf9GQ2b3bGulr6WZKOhHxLbl71Nj7dI+ord rI8g1/sC0ie+FdjTz0A796CrnUBEh/NwgrOltvXaQXhiTzQguPqnpgoEvct8YF06 tDzCbMog9Jq11Q+YeWRdXbpODqumYoNZdni4gyCWbz391ADi4rlIuhM9yjOkIbHU 8qmvhXS2OvKLNxKM53JX/dWnwrFNvd7sdvrnUMKfga23AEM923LLfq94a7WZtXHg 42nHySQiwrn7l37Zbu+IDeQ5/PQw3MU3AfS1Hhhuofoa6ot8do3mCDO9R6CvDxlg 980AfBGHrDd6l8Wf9g5/+lxKtS641a8sbzzasmAFI2vHGL5KQbt6DA== =Jd2C -----END PGP SIGNATURE-----

2 1

RE: [suse-security] Microsoft Hacked!!!!!
by Mike Johnson 27 Oct '00

27 Oct '00

It was the Qaz.worm virus. We got hit a couple of weeks ago because the company brass likes to open every single email attachment they get.... I've been busy changing passwords all week. Here's what CERT said about it: QAZ Worm The QAZ Worm is a trojan that has been spreading on the Internet for several weeks. This worm exploits unprotected windows networking shares similar to the network.vbs worm as discussed in CERT Incident Note IN-2000-02 IN-2000-02, Exploitation of Unprotected Windows Networking Shares The QAZ worm searches for shared drives where \\Windows\Notepad.exe is available. Once the worm finds an unprotected share with notepad.exe available, it copies itself to the machine and modifies the registry to insure that it is run every time Windows is restarted. When the machine is rebooted the worm renames the original notepad.exe to note.com and copies itself in place as notepad.exe. Users are encouraged to follow the advice in IN-2000-02 for securing Windows networking shares. Additional information about these viruses and others can be found by visiting the sites listed on our Computer Virus Resources page. I found that it didn't necessarily need a windows share with notepad available. - Mike Johnson -----Original Message----- From: Eduardo Carriles [mailto:eduardo.carriles@teleline.es] Sent: Friday, October 27, 2000 2:50 PM To: SuSE Security Mail List Subject: Re: [suse-security] Microsoft Hacked!!!!! Hi Avi and friends all, No one knows how deep they got, and how much did they borrow from $MS. It has to be much, BBC reporting on Microsoft, sounds strange. Pity that we do not know for sure, bust just to be malicious, wont it be some $MS campaign or some thing baking or been prepared?? Sci-Fi. Who knows. But will have great consecuences, for sure. Stay tunned. Cheers!! =:`8) Avi Schwartz wrote: > There is nothing funny about it. As much as I dislike Microsoft, this > is still a criminal act. > > Avi > > Matthew Johnson wrote: > > > http://news.bbc.co.uk/hi/english/business/newsid_993000/993933.stm > > > > Thoughts? Opinions? Erm, jokes? > > -- > Avi Schwartz Get a Life > avi(a)CFFtechnologies.com Get Linux -- HTH Best regards, Eduardo Carriles [-- Better a smile than a flame --] (Long time SuSE-Linux [preferred distro] user). [-- Se me nota mucho? -- Notices me much?] [-- Have a lot of fun...] --------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com For additional commands, e-mail: suse-security-help(a)suse.com

2 1

RE: [suse-security] UE draft on cybercrime
by bacano 27 Oct '00

27 Oct '00

Hi2all It's nice to see that some people here share my concerns about this. Like software, laws got holes, so laws about software usually have 'the best' of both worlds. I did had some interesting 'issues' in my life about this, but this is not the point, this is just a kind of justification about my interest in the issue. <bolo(a)lupa.de> said: > This draft is horribly incomplete, opens possibly dangerous legislative > backdoors and generally is no good basis for further discussion/legislation in > the area of computer security. What the makers of this draft don't want to > understand is that even the most strict laws are nonsense if the person you > want to hit with this law can not be found out. And we all know how difficult > it is to trace a hacker or even get a general idea where he or she was coming > from when he or she attacks several hosts. Danger #1: If they are not sure if the suspect is the right suspect, but since he had 'illegal' software, is a defendant anyway (and the witch hunt will start right here). > Some may say that it's a good thing to prohibit and/or illegalize the > production of trojan programs like back orifice or netbus which are clearly > programmed to cause trouble and to overtake foreign systems, but where do they > stop? Do they (the european council) really intend to prohibit security apps > like nmap, sniffit or the like? Are they up to lay the power of network > security investigations in the hands of big companies who are able to proof > (with lots of bakshish) that they are using their security tools > "according the law"? Danger #2: If a 'certified' vendor makes the tool, it's legal. A private team makes a tool of the same kind (some times better), it's illegal (we had seen this before, didn't we?) > The whole draft convention reads like a NSA paper in certain parts, specially > where speech turns to collection and archiving of traffic data. I don't want to > spread the fear of the "big brother", but I for myself would be much more > alert and subversive if this convention turns into reality - and that is what > most criminal elements will do, too; the real bad boys know how to protect > themselves of being caught, regardless wether there are renewed laws or not. Danger #3: Again, the small fish is in trouble while the big fish will be out of danger <oldenburg(a)pinnatel.net> said: > Any chance this legislation could be MS sponsered? Who is actually the > brainchild of this draconian document? Soemhow I just cannot see some old MEP > in Brussles formulating this for obvious reasons. Today i had listen a local 'economist' guru saying that what will happend in the future will be worldwide corps sponsoring and choosing goverments. I suppose MS is big enough for that, the sponsership is just not clear, if it exist anyway, but who knows? i dont know, but i'll not be surprised even. There was an issue that was not public, the 128-bit upgrade of IE, that was supposed not be available outside US and Canada. The fact was that it was available worldwide, under a simple condition. Then they change their policy and let local authorities handle that. Probably now, they luv too see 'proper' laws approved... <listuser(a)seifried.org> said: > I would say it is when it'll make things like nmap and tcpdump illegal. Of > course once the treaty passes there is still a large window before countries > pass laws to actually implement it, but this treaty scares the bejezus out of > me, lists like Linux-Security will also be illegal, and vendor advisories that > show how to exploit a problem would also be illegal (my interpetation might be > wrong, but the way the treaty is going ..... ). Law Hole #1: All laws that UE approve, must be regulated in each contry. Before that it just continue to be a draft. Law Hole #2: They say it will be exceptions to the law, like for legal system administrators, so i just have to create an enterprise about Security Consulting, and all staff will be 'legal'. And i will not have to pay sallaries, people will pay me for having a job :> Final note about other mails regaring the Microsoft hack, passwords from their servers where allways travelling around the globe, now that was public ;) (i'm afraid to say that only now they had discover that) [ ]'s bacano

1 0

compiling
by Steffen Beck 27 Oct '00

27 Oct '00

Hi all I was wondering if there is a command that can compile multiple files in directories and sub directories and delete the files where it finds errors .. I'm sure there is a way ... Thanks in advance Steffen Beck Sign up for your "FREE E-MAIL" @ MADMAIL http://www.madmail.com

2 1

UE draft on cybercrime
by bacano 27 Oct '00

27 Oct '00

http://conventions.coe.int/treaty/en/projets/cybercrime.htm What this have to do with SuSe, you may ask. The answer is simple, several tools included in SuSe, as nmap, will be illegal if this cames law in Europe. The "production, sale, procurement for use, import, distribution or otherwise making available of" this tools will be illegal. I'd like to listen what SuSe Security Team has to say about this, and of course all other people in the list (soon many of us - if not all -, will just be criminals by this law). In that URL you can read the draft and send the comments you may feel proper. [ ]'s bacano

2 1

FreeS/WAN Ver 1.6 - Setup
by Steven Thompson 27 Oct '00

27 Oct '00

Hi All Freeswan have released Ver 1.6. In their "BUGS" file they recommend the following: <snip> * Installing a new FreeS/WAN on top of an old one doesn't update kernel configuration options, so if new options are added, you need to start with a virgin kernel instead. </snip> I'm running SuSE 6.4 Kernel 2.2.16 Intel. With FreeS/WAN Ver 1.3 which comes with SuSE Question 1 With regards to SuSE 6.4 how would you start with Virgin kernel? Do you just uninstall the FreeS/WAN Package. Question 2 Is SuSE going to be releasing a FreeS/WAN 1.6 RPM in the future? All Tips Welcome Thanks in advance Steven

1 0

Re: [suse-security] UE draft on cybercrime
by bacano 26 Oct '00

26 Oct '00

I didn't said what suse will do, i had ask ... and of course who has them already will still be able to use them like now, the *silly* diference is that will be illegal doing that. I hope that you never had/will have the *silly* feeling of being under police investigation, and seeing your private life defaced because of *silly*, or even silly, things ... [ ]'s bacano, the silly ----- Original Message ----- From: "Lars Trebing" <ltrebing(a)ltrebing.de> To: "bacano" <bacano(a)esoterica.pt> Sent: Thursday, October 26, 2000 9:54 PM Subject: Re: [suse-security] UE draft on cybercrime > bacano wrote: > > > I'd like to listen what SuSe Security Team has to say about this, and > > of course all other people in the list (soon many of us - if not all > > -, will just be criminals by this law). > > What a silly thought. Who says that SuSE will continue distributing this > kind of software no matter what happens? These tools will just not be > distributed any more, that's it. Everyone who has them already will > still be able to use them like now, and there probably will still be > development on them, with the only difference that official distibution > will be stopped. >

1 0

SuSEfirwall 4.0
by Carsten Umland 26 Oct '00

26 Oct '00

i´ve doawnloaded the file SuSEfirewall 4.0 to install the script i logged in as root change directory to SuSEfirewall 4.0 and type _install_ - but it doesn´t work. -- zu wenig argumente - is the description. my system suse 7.0 kernel 2.2.16 dial - up internet connetion as isdn can anyone explain me how i install the firwall ? or what must i type in the bash ? must i replace any files with cut and past in my system and then that´s it ? All types have to set START_FW in /etc/rc.config to "yes" ;-) = yes i´ve done it;-)- but it doesn´t work anythink....:((( -- ------------------------------ with best regards carsten umland mailto:carsten.umland@gmx.de ------------------------------

4 5

Removing banners
by RoMaN SoFt / LLFB!! 26 Oct '00

26 Oct '00

Hi folks: I know this is trivial stuff, but I want to remove banners used by all listening daemons. This is good for security, because at least it's annoying for hackers who mostly based their attacks in version numbers appearing in daemon banners. For instance, on SuSE 6.4, running SMTP: 220 machine_name.domain ESMTP Sendmail 8.9.3/8.9.3/SuSE Linux 8.9.3-0.1; Thu, 26 Oct Is it possible to change banner without having to re-compile the Sendmail sources??? I've had a look to /etc/sendmail.cf. There is an entry which contains "DZ8.9.3/SuSE Linux 8.9.3-0.1". So I suppose there will be no problems if I change it to any string I want. But... could I remove the "Sendmail" string or simply remove the banner completely and change to "220 machine_name.domain Microsoft Mail Server"??? I think I'd have to recompile Sendmail... (not the db's, I'm referrering to the sendmail source code)- The question extends to any other daemons like Proftpd, Qpopper, etc.. Is it easy to achieve it? Thx a lot. PS: Banners are very important to hackers (or at least script-kiddies) wanting to penetrate your machine. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ** RoMaN SoFt / LLFB ** roman(a)madrid.com http://pagina.de/romansoft ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

4 3

exploiting
by Steffen Beck 26 Oct '00

26 Oct '00

Hi all .. I see a great thing in people discovering holes and so on in all sorts of applications .. but how can i check whether the software the victim is running is something that can be exploited. I know my knowledge on this area isn't good but is there more methods than just port scanning and connecting to the open ports ? Thanks in advance Steffen Beck Sign up for your "FREE E-MAIL" @ MADMAIL http://www.madmail.com

2 1