This section is for people who have no local users other than themselves, have their Linux box connected to the Internet or a network, and wish to keep outsiders from gaining local access.
--------------------------------------------------------------------------------
If you can't already tell, this section is stale!!! These bugs are old, and you should not rely on this page alone to protect your system, although the rest of the site is still good. If you need to keep up on security problems as they occur, you should read Bugtraq or go to Root Shell.
---------------------------------------------------------------------------------
Name:
rpc.mountd PRE nfs-server-2.2beta29 New!

Result:
A non-local user can, in a sense, probe your system for installed files.

Effected?:
Do you run rpc.mountd? It is turned on by default in Slackware!

Description:
A small flaw in rpc.mountd will let a user probe your system. Not a big deal, right? Well, probing a system lets an attacker know what you have installed, including flawed versions of other programs.

The Quick fix:
None; disable rpc.mountd by killing the running process, and then disable it in /etc/rc/rc.M.

The Long Term Fix:
Go to ftp://ftp.mathematik.th-darmstadt.de/pub/linux/okir or ftp.uk.linux.org/pub/linux/Networking for the latest rpc.mountd.

The Exploit:
The rpc.mountd bug



Name:
imapd Pre 4.1BETA New!

Result:
Non-local users can gain access.

Effected?:
Well, do you run an imapd from Washington State that is not 4.1BETA or later?

Description:
Yet another problem with imapd. Hell, does anyone know of an IMAP server that does not have a security problem? I don't have much faith in 4.1BETA, but I know a few people who use it and they say it's "Okay".
Telnet to the imapd port (telnet localhost imap); if you get something like "* OK example.com IMAP4 v10.00 server ready" rather than IMAP4rev1, then you are in trouble. This problem is known to also affect the POP3 daemon from the same Pine package.

The Quick fix:
Disable imapd in inetd, and then do "killall -HUP inetd"

The Long Term Fix:
I believe the fix can be found on the Pine Web Page in the pine3.96 package.

The Exploit:
Imapd Exploit2.c



Name:
innd below 1.6 New!

Result:
Non-local people can get root access.

Effected?:
Do you run a news server?

Description:
Innd is the news server. This should not be a concern to most of you, since it is unlikely that any of you will be running a news server. But hell, some who do might read this!

The Quick fix:
None, do the Long Term Fix.

The Long Term Fix:
Fill in Link here

The Exploit:
nnrp.c
innbuf.c

It's a two-parter, so figure it out. It's easy. No clue what the offset is.



Name:
Bind 1.8 and bind 1.8.1 New!

Result:
Bind slightly dies

Effected?:
Do you run Bind for DNS (Domain Name Service)?

Description:
Bind is used so that users don't have to remember 132.241.2.46; they can just remember dietcoke.ecst.csuchico.edu. Easy, huh!? Well, Bind at this version can be killed.
The original message on Bind Nuking
Many of you don't run Bind, so don't worry if you don't understand.

The Quick fix:
Going to have to find this

The Long Term Fix:
Have to upgrade; will find the link, someday.



Name:
db-1.85.4 New!

Result:
Currently unknown if exploitable

Requirements:
Do you use libdb-1.85.4?

Effected?:
Well, hell, it's hard to tell.

Description:
The snprintf() function in the library falls back to sprintf(), which means that there might be a buffer overflow in the library and in any program linked with it. Now, don't panic; I haven't heard of anyone exploiting this, and the conversation that took place on Bugtraq seems to show it's not a big problem, or a problem at all.
Now, the latest libc contains a proper snprintf() that does its job properly, so if you use libdb (it's a database library) you can recompile it without the snprintf.o file and Linux should use the good one found in libc.
Do an "ldconfig -v | grep libdb" as root and see what version your libdb points to.

The Quick fix:
See right above

The Long Term Fix:
See right above



Name:
IP Fragmentation Bug

Result:
Your Linux Box will lock up.

Requirements:
Running kernel 2.0.30 or earlier that is not patched. I think 2.1.63+ fixes it.

Description:
As packets travel through networks, sometimes they have to be cut up to fit through routers. This is normal and does not cause any problems; if part of a packet is lost, the sender just sends the packet again. When the packet gets to the other machine, it is reassembled by the receiver, which then extracts the data it needs.
However, there is a bug in Linux that will screw up packet reassembly and thus screw up the network stack, which crashes it or locks it up. Now that I think about it, I think the way this bug works means it would not show up in everyday use, but it is still a problem because there is an exploit for it out there. I will have to look into this this weekend and bring you people up to date.
Also, this LOCKS UP WINDOWS95 AND WINDOWSNT MACHINES!!! YeeeeeeHaaaaaaa

The Quick Fix:
None. Just apply the patch below and get on with your life.


The Long Term Fix:
Use a kernel above 2.0.30 or apply the patch below.

The Exploit:
TearDrop.c

The Patch:
IpFrag.patch



[Thu Sep 25 23:20:44 PDT 1997]
Name:
Samba 1.9.16p11 to 1.9.17p1.

Result:
Non-local users may get root access or perform a denial of service attack.

Requirements:
Have Samba installed and running. This is found on RedHat, and I think Slackware. I don't know if it is the default. This should only work on Intel machines, but it could be used against other platforms, however difficult that may be.

Description:
Samba is a UNIX package that will let you export UNIX drives to Windows users. It's a great package that lets them log in and mount UNIX drives, and it has tons of features to let you control everything about it.

Well, on the downside, it has a buffer overflow in the worst place, where an outside attacker can get a root shell. I tested this and was unable to get it to work, but I did fiddle with it and changed some stuff. However, I did manage to get it to spin out of control and take as much CPU as it could. Bad.

The Quick Fix:
Disable Samba, or block other subnets that you don't want accessing your machine.

The Long Term Fix:
Get the latest samba-latest.tar.gz.

The Exploit:
sambaexploit.c



[Wed June 25 3:15:25 PST 1997]
Name:
Imapd 4.0 from Washington.edu (you know, the makers of Pine)

Result:
Non-local users may gain root access, or just local access.

Requirements:
Do you have imapd running in /etc/inetd.conf?

Effected?:
Do "grep imapd /etc/inetd.conf" and see what you see.

Description:
There is a buffer overflow in imapd: it takes a string from the outside world and feeds it to a function which does not check the bounds of the array. Thus if someone feeds it the proper code and somehow gets it onto the stack, they can get a root shell, or, in this exploit, have it overwrite part of a file (/etc/passwd).

The Quick fix:
Disable imapd in /etc/inetd.conf and then send a -HUP to the inetd daemon.

The Long Term Fix:
4.1-BETA appears to fix the problem as well as a few others. Of course, download, configure, compile and install. Or, if you don't use it, don't enable it!

The Exploit:
Imapd Exploit.c



[Tue Feb 4 11:29:41 PST 1997]
Name:
rcp

Result:
Non-local users may gain root.

Requirements:
Running rcp as a user with UID 65535 on Slackware 3.1 (earlier versions too), RedHat 3.0, and RedHat 4.0 under certain conditions.

Description:
If rcp runs as user 65535 there can be problems. UID 65535 is not liked by a few functions in C (chown(), chgrp(), set*uid() and others) because 65535 is really -1 mod 2^16. The 2^16 is dropped and the -1 is sent to the system functions. The result is that -1 is not a valid UID and thus is ignored by certain system functions. So when the program switches to a privileged UID and then goes to switch back, it cannot and does not. So you can get rcp to do bad things for you as a privileged UID.
Regular users cannot get rcp to do bad things because they have valid UIDs. If you can get a program that runs as UID 65535 to execute programs, then you might be vulnerable. A few programs suggest that you create users that the programs are run as (httpd suggests this); they are right, but you should change the UID that they run as. See the exploit below. With httpd this can only be exploited via poor scripts.
The reason RedHat users might be affected is that when admins upgrade from an earlier version and just copy the /etc/passwd file to RedHat 4.0, the improper UIDs are transferred to the new system. It is not in RedHat 4.0 by default.
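As an added example (not the page's exploit and not from any distribution), here is a C check for the -1 mod 2^16 problem described above: it shows that setreuid() treats -1 as "leave unchanged", and it scans passwd-format lines for accounts whose uid or gid collapses to 65535. The sample passwd lines and the flag_bad_ids helper are constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
int setreuid(uid_t ruid, uid_t euid);   /* standard prototype, stated for strict compilers */

/* With 16-bit uids, 65535 has the bit pattern of (uid_t)-1, which the set*uid()
   family and chown() treat as "leave this id unchanged". */
int id_is_minus_one_16(unsigned long id)
{
    return (uint16_t)id == (uint16_t)-1;
}

/* The sentinel in action on the current system: setreuid(-1, -1) succeeds for
   any user and leaves the uid exactly where it was. */
int minus_one_means_unchanged(void)
{
    uid_t before = getuid();
    return setreuid((uid_t)-1, (uid_t)-1) == 0 && getuid() == before;
}

/* Hypothetical audit helper: scan passwd-format lines ("name:pw:uid:gid:...") and
   copy the names whose uid or gid collapses to 65535 into out[]. Returns the count. */
int flag_bad_ids(const char *passwd, char out[][32], int max)
{
    int n = 0; const char *line = passwd;
    while (*line && n < max) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256], *f[7]; int i = 0;
        if (len < sizeof buf) {
            memcpy(buf, line, len); buf[len] = '\0';
            f[i++] = buf;                      /* split by hand so empty fields survive */
            for (char *p = buf; *p && i < 7; p++)
                if (*p == ':') { *p = '\0'; f[i++] = p + 1; }
            if (i >= 4 && (id_is_minus_one_16(strtoul(f[2], NULL, 10)) ||
                           id_is_minus_one_16(strtoul(f[3], NULL, 10)))) {
                strncpy(out[n], f[0], 31); out[n++][31] = '\0';
            }
        }
        line = nl ? nl + 1 : line + len;
    }
    return n;
}

/* Constructed sample passwd lines (not from any real system). */
static const char *SAMPLE_PASSWD =
    "nobody:x:99:99:Nobody:/:/bin/false\n"
    "www:x:65535:65535:Web server:/home/www:/bin/sh\n"
    "ftp:x:14:65535:FTP:/home/ftp:/bin/false\n";
static char g_names[8][32];
int demo_flag_count(void) { return flag_bad_ids(SAMPLE_PASSWD, g_names, 8); }
const char *demo_flagged_name(int i) { return g_names[i]; }
```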

The Quick fix:
Don't run any programs as UID 65535. Try UID 99 or 75 or whatever.

The Long Term Fix:
Don't run any programs as UID/GID 65535. Try UID 99 or 75 or whatever.

The Exploit:
rcp.exploit



[Mon Jan 27 16:59:48 PST 1997]
Name:
talkd

Result:
Non-local users may be able to execute commands remotely.

Requirements:
talkd from Net-Kit.07 or earlier, with it enabled. Which distributions of Linux are affected is unknown at this time.

Description:
From what I have heard from the CERT Advisory, there is an error in the bounds of the array which holds the IP of the calling site that is checked against the DNS server. So the buffer is overflowed and the stack rewritten. From what I can tell this requires that the targeted system's DNS be hijacked.
At this time, I do not have the exploit, and I tend to view CERT as Ivory Tower Security Experts who tend to be vague, to say the least. This attack does require some skill, but there is an exploit available. More information to come later.
This attack also brings into focus some other problems with attacks via DNS. Maybe I can have more information on it later.

The Quick fix:
Disable talkd in /etc/inetd.conf.

The Long Term Fix:
Download NetKit-0.09.tar.gz, configure, compile and install.

The Link:
CA-97.04.talkd

The Exploit:
talkd-exploit (Thanks to reptile@interport.net for the exploit)

The Link:
talkd-exploit.txt (READ THIS!)

[Sun Oct 20 20:21:31 PDT 1996]
Name:
Ping Bug

Result:
Non-local users can crash your Linux box.

Requirements:
Running a 1.2.x (I believe) - 2.0.23 kernel.

Description:
There is a bug in the Linux kernel which does not check ping packet sizes (it is stated quite clearly in an RFC that ICMP packets are not to exceed a certain size). So an ICMP ping packet larger than 65507 bytes may be able to crash your Linux box. Some machines are affected, some are not. Read The Link for the full story.
A big note is that only non-Unix systems can do this to Linux boxes. Most Unices' ping programs are written not to let the user send oversized ICMP packets, but Win95 will. So you guessed right: every "Windozs Lozer" is going to be doing this trick.
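As an added example that is not from this page or from any kernel source, here is a C reassembly bound check covering both this entry's oversized ICMP echo and the overlapping-fragment case from the IP Fragmentation Bug entry above. The fragment offsets and lengths in the demo functions are constructed, and the coverage-array reassembler is a toy stand-in for the kernel's.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Limits from the IP and ICMP header formats (RFC 791, RFC 792). */
#define IP_MAX_DATAGRAM 65535u   /* 16-bit total-length field */
#define IP_HDR_LEN      20u      /* IP header without options */
#define ICMP_HDR_LEN    8u       /* ICMP echo header */

/* Largest echo payload that fits a legal datagram: 65535 - 20 - 8 = 65507. */
unsigned icmp_echo_max_payload(void)
{
    return IP_MAX_DATAGRAM - IP_HDR_LEN - ICMP_HDR_LEN;
}

enum frag_status { FRAG_OK = 0, FRAG_TOO_LARGE = 1, FRAG_NO_NEW_DATA = 2 };

/* Constructed toy reassembly state: one flag per payload byte received. */
struct reasm {
    uint8_t covered[IP_MAX_DATAGRAM];
    size_t received;   /* bytes marked so far */
    size_t total;      /* length once the last fragment (MF=0) is seen, else 0 */
};

void reasm_init(struct reasm *r) { memset(r, 0, sizeof *r); }

/* offset_units: 13-bit fragment offset in 8-byte units; len: payload bytes;
   more_frags: the MF bit. size_t arithmetic keeps offset+len from wrapping. */
enum frag_status reasm_add(struct reasm *r, unsigned offset_units, unsigned len, int more_frags)
{
    size_t start = (size_t)offset_units * 8, end = start + len, fresh = 0, i;

    if (end > IP_MAX_DATAGRAM)          /* oversized ping: would exceed the 16-bit length */
        return FRAG_TOO_LARGE;
    for (i = start; i < end; i++)       /* keep only bytes not already received */
        if (!r->covered[i]) { r->covered[i] = 1; fresh++; }
    if (fresh == 0 && len > 0)          /* fragment wholly inside earlier data (the teardrop */
        return FRAG_NO_NEW_DATA;        /* shape) or a duplicate: drop it, never a negative copy */
    r->received += fresh;
    if (!more_frags)
        r->total = end;
    return FRAG_OK;
}

/* 1 when the last fragment has arrived and every byte before it is present. */
int reasm_complete(const struct reasm *r) { return r->total != 0 && r->received == r->total; }

/* Constructed scenarios returned as values so they can be checked. */
enum frag_status demo_oversized(void) { struct reasm r; reasm_init(&r); return reasm_add(&r, 8189, 100, 0); }
enum frag_status demo_teardrop(void) { struct reasm r; reasm_init(&r); reasm_add(&r, 0, 36, 1); return reasm_add(&r, 3, 4, 0); }
int demo_normal(void) { struct reasm r; reasm_init(&r); reasm_add(&r, 0, 1480, 1); reasm_add(&r, 185, 500, 0); return reasm_complete(&r); }
```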

The Quick fix:
None. Get a 2.0.24 or later kernel, configure, compile and install, or take the current kernel source you have and apply the needed patch (below), configure, compile, and install.

The Long Term Fix:
Upgrade your kernel to a patched version (See Quick Fix).

The Exploit:
ping -l 65510 (The ICMP packet size actually can be between 65508 and 65527)
Here is also a small program for those of you without Windows 95 (YaHooo!!!!)
PingBugExploit.c (read the notes in the source to get it to compile) from the message 0142.html

The Patches:
2.0.23 Standard Patch
2.0.23 Patch with Logging of the attacker
2.0.23 Improved Patch(Recompile your modules)
1.2.13 Standard Patch

The Link:
Urgent !! Serious Linux Security Bug....
And a web page devoted to this bug: The Ping Bug Page



Name:
libroot.so exploit (libroot, lib.so attack, telnetd exploit, ftp upload attack)

Result:
Non-local users can gain root access until telnetd times out (30 secs). Local users may also use this trick to gain root access.

Requirements:
Ability to upload the exploit, usually via ftp, an ELF-based system, and a dynamically compiled /bin/login.

Effected?:
Execute ls -la /bin/login; if login is small, less than 10 or 20K, then your login was dynamically compiled and thus you're affected. This only affects ELF systems, primarily Slackware 3.0 and 3.1 as well as other Slackware-derived systems. Or run 'ldd /bin/login'.
This will either say:
libc.so.5 => /lib/libc.so.5.2.18
(or whatever libc you have) if it is dynamically linked, or:
statically linked (ELF)
(Thanks to M.Humphrey@Bradford.ac.uk for that!)

Description:
A library that will give non-local users root access by using a feature in telnetd that lets it tell /bin/login to load a specified library instead of the usual one(s) in /lib. Local users may also use this to gain root access. Since telnetd times out, the attacker has about 30 secs to make sure that they can get back in without having to repeat the attack. This means doing an "echo '+ +' > /root/.rhosts" or giving themselves an account on the machine.

The Quick Fix:
Disable ftpd via inetd.conf or make all directories in /home/ftp non-writable.

The Long Term Fix:
Statically compile login (cc -static login.c -o login) so that it does not need to load libraries. (See the information about shadow-in-a-box in the section Bonus programs to keep your system safe.)

The Exploit:
libroot-0.9a.tar.gz



Name:
rlogind

Other names:
rlogind attack, rlogind exploit (if there is an exploit available)

Result:
Non-local users can gain root access.

Requirements:
Have rlogin turned on in inetd.conf and have an affected rlogind. Slackware 3.1 and older, as well as Slackware-derived systems.

Effected?:
If you have not installed NetKitB-0.7 or later: RedHat Linux 2.0, 2.1 and derived systems including Caldera Network Desktop, Slackware 3.1 and others.

Description:
There is code in the rlogind program that does not do complete bounds checking of input from the remote rlogin program. Thus, it is possible to overflow the bounds of the array and rewrite the stack to give the attacker a root shell. Note: this is very difficult, but it is possible.

The quick fix:
Disable rlogind in /etc/inetd.conf and then restart inetd (send it a kill -HUP).

The Long Term fix:
Download the newest version of NetKitB, configure and install. It fixes this problem as well as many others.

The Link:
rlogin vulnerability


Name:
rlogind (Maybe the same as above, have to gather more information)

Result:
Non-local users can gain access.

Requirements:
Unknown version of rlogin. Check with the exploit.

Description:
The problem is that login does not know how to parse the command line correctly. IOW, to login, -f lusername looks the same as -flusername. Now, normally if we tried to pass -f lusername to login it would not work, because login would recognize the space between the "-f" and the "lusername" and see that -f is a flag that the intruder is not allowed to pass. However, in this case login does not see the difference between -f lusername and -flusername, except that since there is no space it does not parse the command correctly. Where you cannot pass "-f lusername", you can pass "-flusername", and this will cause login to think that the username is authenticated. "-froot" gives you root access in many cases.
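As an added example (not from NetKit or any real rlogind), here is the kind of check a daemon could apply in C before handing a remote-supplied username to /bin/login, so that a name like "-froot" is never passed where login's option parser would read it as -f root. login_name_is_safe and build_login_argv are hypothetical names.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical check for a remote-supplied login name. It rejects anything that
   login's option parser could mistake for a flag, so "-froot" is never turned
   into "-f root". Returns 1 if the name is safe to pass on, 0 otherwise. */
int login_name_is_safe(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 32)              /* empty or implausibly long */
        return 0;
    if (name[0] == '-')                    /* would parse as an option: "-froot" */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* no whitespace, control bytes or metacharacters: only the characters a
           normal account name contains ("-f root" fails on the space) */
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Build the argv a daemon would exec login with. The peer-supplied name can only
   ever land in the operand slot, and only after it passed the check above.
   Returns the argument count, or 0 when nothing was built. */
int build_login_argv(const char *name, const char *argv[], int max)
{
    if (max < 3 || !login_name_is_safe(name))
        return 0;
    argv[0] = "login";
    argv[1] = name;
    argv[2] = NULL;
    return 2;
}

/* Constructed helper so the builder's result can be checked for a given name. */
int demo_argv_len(const char *name)
{
    const char *argv[3];
    return build_login_argv(name, argv, 3);
}
```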

The Quick fix:
Disable rlogind in /etc/inetd.conf and restart inetd

The Long Term Fix:
Download the latest version of NetKit and install it.

The Exploit:
rlogin victim.com -l -froot
would give you root access on victim.com if it is vulnerable.


Name:
wu-ftpd 2.4

Result:
Non-local users may gain access to the system.

Requirements:
wu-ftpd 2.4, with wu-ftpd enabled.

Effected?:
If you have Slackware 2.0, 2.1, 2.2, 2.3, Yggdrasil Plug&Play Fall '94 or the Debian distribution and have not upgraded wu-ftpd.

Description:
The version of wu-ftpd that comes with the above distributions was compiled with incorrect settings in the source code. This is not a bug in the source code but an error in the configuration of the release of wu-ftpd.

The following set of commands can be used to determine if your ftp server is affected (the source host's name is viper; the name of the system being checked is devnull):
        [jru@viper]:~> ftp devnull
        Connected to devnull
        220 ftphost FTP server (Version wu-2.4(3) Wed May 31 04:11:15 EDT 1995)
        Name (devnull:jru): jru
        331 Password required for jru
        Password:
        230 User user logged in.
        ftp> quote site exec echo Joe Random User
        200-echo Joe Random User
        200-Joe Random User
        200 (end of 'echo Joe Random User')
        ftp> quit
        221 Goodbye.
If the phrase you specified in the echo command is displayed on the screen, then the configuration of the ftp server on the host is probably vulnerable and you will need to obtain a fix for it.

The Quick fix:
Type "ftpshut now", or disable wu-ftpd in inetd.conf and restart inetd to have it reload the configuration file.

The Long Term Fix:
Download wu-ftpd-2.4-fix.tar.gz or a newer version of wu-ftpd and install it.

The Links:
CA-95%3A16.wu-ftpd.vul



Name:
/bin/login

Result:
Non-local users may gain root access.

Requirements:
Have you installed Shadow Password Suite prior to shadow-960129.tar.gz?

Description:
An array that holds the login name does not do any bounds checking. Thus the stack can be overwritten and a root shell started for the attacker. This does not affect people who have not installed any shadow support.

The Quick fix:
Disable /bin/login (i.e., see the Long Term Fix).

The Long Term Fix:
Download, configure and install the latest Shadow in a Box software package.

The Link:
v02.004 of the Linux Security Digest
CA-94%3A09.bin.login.vulnerability