Information Security News mailing list archives

Unix, Linux computers vulnerable to damaging new attacks


From: InfoSec News <isn () C4I ORG>
Date: Fri, 8 Sep 2000 04:21:00 -0500

http://news.cnet.com/news/0-1003-200-2719802.html?tag=st.ne.1003.ttext.ni

By Stephen Shankland
Staff Writer, CNET News.com
September 7, 2000, 12:45 p.m. PT

Security experts have uncovered a new class of vulnerabilities in Unix
and Linux systems that let attackers take full control of computers.

These "format string" vulnerabilities started surfacing about two
months ago, said Elias Levy, a moderator of the Bugtraq computer
security mailing list. Some of them have lurked for years in basic
Unix programs, but security experts only now have begun to find and
fix them.

To take advantage of a format string vulnerability, an attacker feeds a
program text that the program then hands, unchanged, to a printf-style
output routine as its formatting template rather than as plain data. Any
"%" formatting commands in that text are obeyed: some read values off the
program's stack, and one ("%n") writes to memory. By carefully arranging
those commands, the attacker can overwrite a chosen address and trick the
computer into running code of the attacker's choosing.

"Format string bugs are the new trend in computer security
vulnerabilities," said Ivan Arce, president of Argentinian security
company Core SDI and discoverer of the "locale" format string
vulnerability that became public last Friday.

Fans of Unix and its close relative, Linux, pride themselves on the
general security of their operating systems compared with Microsoft
Windows, which has been plagued with security problems. But the format
string issue highlights the fact that weaknesses can lurk for years
within software, and that it's hard to track them down among hundreds
of thousands of lines of programming code.

Letting an attacker gain the privileges of the system administrator
can be disastrous. An attacker could do damage such as erasing
databases or password files. Even if the computer doesn't house
precious information, a compromised computer can be used as a drone in
a distributed-denial-of-service (DDoS) attack such as those that
brought down major Web sites, such as Yahoo, in February.

Levy estimates that computer security experts have announced six or
seven format string vulnerabilities in recent weeks, and Arce predicts
many more are on the way. And already, security specialists have
published on Bugtraq sample programs that can exploit the weakness.

The locale vulnerability lies in the internationalization software that
allows Unix and Linux systems to be used in multiple languages. It's
significant because countless basic Unix programs, including privileged
ones, rely on the locale system to print messages such as "password
incorrect" in the proper language, and the translated message itself is
what gets used as the formatting template.

Preston Brown, manager of Red Hat's Linux operating systems
development, said today that Red Hat fixed the locale problem by
changing the system's C library, the basic library shared by programs
written in the C programming language. A key step is to make sure that
basic programs on a computer system use the system's own message
catalogs instead of allowing an attacker to get the programs to use a
message catalog that contains format string attack commands, he said.
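The following is an added example illustrating the two points above, the mechanism of a format string bug and the message-catalog check; it is not code from the CNET article, from Core SDI's advisory or from Red Hat's patch. It shows the vulnerable call (untrusted text passed as the format) beside the hardened one, shows with a legitimate "%n" that the directive is a memory store, and then applies the check a hardened catalog loader needs: a translated message may contain no more conversion directives than the original and never "%n". The sample strings and the German translation are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the untrusted string is passed AS the format, so
 * any '%' directive it contains is interpreted by the printf engine. */
int format_untrusted(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, untrusted);   /* BUG: non-literal format */
}

/* Hardened pattern: a literal format, untrusted data as an argument. */
int format_hardened(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

/* %n is what turns the bug into a write primitive: it stores the number
 * of bytes emitted so far through the int pointer in the matching
 * argument.  Used legitimately here, with a real pointer, to show that
 * the directive is a memory store, not a print. */
int bytes_counted_by_percent_n(void)
{
    char buf[32];
    int written = -1;
    snprintf(buf, sizeof buf, "%08x%n", 0xdeadbeefu, &written);
    return written;   /* 8: the width of "deadbeef" */
}

/* Count conversion directives in a string ("%%" is a literal percent, not
 * a conversion) and report whether any of them is %n.  This is the check
 * to apply to any string that can reach a format argument from outside:
 * a translated message, a syslog line, a user name. */
int count_directives(const char *s, bool *has_percent_n)
{
    int count = 0;
    *has_percent_n = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                       /* "%%" */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p == '\0')
            break;                          /* dangling '%' at end */
        if (*p == 'n')
            *has_percent_n = true;
        count++;
    }
    return count;
}

/* Catalog check (the locale-message case): a translation may carry only
 * as many directives as the original and never %n.  A catalog that an
 * attacker substitutes through the process environment fails this. */
bool translation_is_safe(const char *original, const char *translated)
{
    bool orig_n, trans_n;
    int orig_count = count_directives(original, &orig_n);
    int trans_count = count_directives(translated, &trans_n);
    return !trans_n && trans_count == orig_count;
}

int main(void)
{
    char out[64];
    const char *input = "100%% done";       /* constructed sample input */
    format_untrusted(out, sizeof out, input);
    printf("untrusted as format : \"%s\"\n", out);   /* 100% done  */
    format_hardened(out, sizeof out, input);
    printf("untrusted as data   : \"%s\"\n", out);   /* 100%% done */
    printf("%%n stored           : %d\n", bytes_counted_by_percent_n());
    printf("benign translation  : %d\n",
           translation_is_safe("login failed for %s from %s",
                               "Anmeldung von %s fuer %s fehlgeschlagen"));
    printf("hostile translation : %d\n",
           translation_is_safe("login failed for %s from %s",
                               "%s %s %08x %08x %n"));
    return 0;
}
```

The "%%" in the sample input is enough to show the difference in behaviour without undefined behaviour: the vulnerable call consumes it and prints a single percent sign, the hardened call prints the text verbatim. In a real attack the directives are "%x" to walk the stack and "%n" to write, which is exactly what the catalog check refuses.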

Arce initially found the locale vulnerability on a Sun Microsystems
server, but it affects all Linux and Unix operating systems except
OpenBSD and FreeBSD, he said. Unfortunately, the widespread nature of
the vulnerability derailed Arce's plan for a coordinated announcement
of the vulnerability and Unix and Linux companies' fixes.

Arce notified 18 Unix and Linux companies that he planned to announce
the vulnerability Sept. 11. However, he said, representatives of the
Red Hat, Debian and Conectiva versions of Linux posted advisories of
the vulnerability before that--a problem because attackers could
easily, and correctly, guess the vulnerability applied to other
versions of Unix and Linux as well.

"I realized that the whole coordinated release of information with the
vendors had been blown to pieces," Arce said in a Bugtraq posting.
"Given that it's a matter of minutes to realize that the problem is
present in other Unix (operating systems), that the format string bugs
are the new trend and that writing an exploit is really not very hard,
I decided that it was best to just publish our advisory and warn all
Unix users that they might be, and some are, vulnerable."

The slipup was the result of miscommunication, Red Hat's Brown said.
"It was pretty much a misunderstanding that our posts went out earlier
than he intended," he said. However, it's common that coordinated
attempts to release vulnerability information falter, he added.

Levy said the issue is serious, though.

"It does go to show that there needs to be better work by Linux
vendors in general on informing people about vulnerabilities," he
said. With slipups such as this one, those who discover bugs won't
have faith in the cooperation of the operating system companies and
instead will simply post vulnerability announcements without giving
companies a chance to write a repair first, Levy said.

The Computer Emergency Response Team at Carnegie Mellon University has
described other format string attacks. In July, the organization
posted alerts about a problem with a commonly used file transfer
program from Washington University called wu-ftpd. And in August, CERT
posted an alert about another basic program, rpc.statd, which is part
of the Network File System (NFS).

Format string vulnerabilities are similar to another broad class of
problems called "buffer overflow," which have been known for decades
and hinge on an attacker supplying more data than a program set aside
room for, at an input such as a password prompt, so that the excess
spills over into adjacent memory. In a buffer overflow, too, an attacker
can get a computer to run arbitrary instructions that let the attacker
take over the computer.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

