Security Hole in Unix / Linux Systems

Kevin Brown plug-discuss@lists.plug.mybutt.net
Wed, 16 Jan 2002 13:26:28 -0700 

ipf is ipfilter.  I think it is the kernel firewall for BSD and IPtables under
the 2.4.x kernels of linux.

"Robert A . Klahn" wrote:
> 
> Well, maybe, I dont know the product. Are we talking about ipfilter? If
> so, kinda. It would be a varient on the "run TCP Wrappers or something
> similar" solution. Turning off dtspcd completly, if you can, is still a
> better solution.
> 
> I should also point out that we are not nessasarly talking about remote X
> access here. The problem with dtspcd is that it can be used to start
> processes that never put anything up on your window.
> 
> Bob.
> 
> On 2002.01.16 12:32 Kevin Brown wrote:
> > On the last solaris machines that I maintained we ran a firewall, ipf, on
> > the
> > Solaris machines themselves.  Might be a possibility for those running
> > Solaris
> > that don't need remote X access to the machine.
> >
> > "Robert A . Klahn" wrote:
> > >
> > > Greetings:
> > >
> > > One thing that I have noticed missing in the media reports about this
> > > exploit is the answer to the question "So, what should I do?"
> > >
> > > For a Linux system, the answer is most likely "nothing". I dont know of
> > > any distribution that uses CDE, at least by default. Mostly, in the
> > Linux
> > > world, we have "moved past" CDE with Gnome and KDE.
> > >
> > > For other U*IXes, the answer is a little bit more complex. Solaris,
> > AIX,
> > > and HP/UX all use CDE, and for all recent versions, by default.
> > >
> > > So, what to do, for these other U*IXes? Consider if you need to run
> > dtspcd
> > > at all. Its purpose is to permit the running of applications on your
> > > server, from a remote client. Useful, perhaps. Risky, clearly. How does
> > > one turn dtspcd off? Easy, comment out this (or a similar looking line)
> > > from /etc/inetd.conf:
> > >
> > > dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
> > >
> > > Save the file, and restart the inetd process by sending it the SIGHUP
> > > signal. Do a "netstat" to verify that port 6112 is not open. The actual
> > > netstat syntax varies from U*IX to U*IX, so do a man if you are unsure.
> > >
> > > If you really need to be running dtspcd, you should block port 6112 at
> > > your firewall, and if you really need to run dtspcd, you really should
> > > have a firewall. You should also really be running dtspcd under TCP
> > > Wrappers, or something similar, on top of blocking the port at your
> > > firewall. If anyone is in this situation, let me know, and I can go
> > into
> > > more depth. But, as we are now at least two times removed from the
> > topic
> > > of the list (we are now talking about non-Linux systems that knowingly
> > > want to run something so risky), I will not take up any more of your
> > time
> > > on the topic.
> > >
> > > Bob.
> > >
> > > On 2002.01.16 09:43 John Mosier wrote:
> > > >
> > > >> CERT: EXPLOIT CIRCULATING FOR CDE HOLE
> > > >> Posted January 15, 2002 05:32 Pacific Time
> > > >> HACKERS ARE ACTIVELY exploiting a known vulnerability in Sun
> > > >> Microsystems Inc.'s Solaris version of the Unix operating system,
> > > >> security experts said late Monday, urging administrators to check if
> > > >> their system is vulnerable.
> > > >
> > > >> The U.S.-government funded Computer Emergency Response
> > > >> Team/Coordination Center (CERT/CC) at Carnegie Mellon University in
> > > >> Pittsburgh said in an advisory that it had received "credible
> > reports"
> > > >> of an exploit for Solaris systems. An exploit is a software tool
> > that
> > > >> can be used to break into computer systems and that is often used by
> > > >> hackers.
> > > >> The exploit takes advantage of a buffer overflow vulnerability that
> > was
> > > >> first discovered in March 1999. The flaw in a library function used
> > by
> > > >> the CDE (Common Desktop Environment) could allow an attacker to take
> > > >> full control over the system, CERT/CC said. CDE is a graphical user
> > > >> interface that is typically installed by default on Unix systems.
> > > >> CDE is "a fairly widespread product on Unix platforms" and is
> > included
> > > >> in products from Sun Microsystems Inc., IBM Corp., Hewlett-Packard
> > Co.
> > > >> and Compaq Computer Corp., according to Art Manion, an Internet
> > > >> security analyst with CERT/CC.
> > > >> The CDE Subprocess Control Service (dtspcd) is a network daemon that
> > > >> accepts requests from remote clients to execute commands and launch
> > > >> programs remotely. The service does not perform adequate input
> > > >> validation, as a result of which a malicious client could manipulate
> > > >> data sent and cause a buffer overflow, according to CERT/CC.
> > > >
> > > >> CERT/CC advises administrators to check if a system is configured to
> > > >> run dtspcd by looking for the entries "dtspc 6112/tcp" in
> > > >> "/etc/services" and "dtspc stream tcp nowait root /usr/dt/bin/dtspcd
> > > >> /usr/dt/bin/dtspcd" in "/etc/inetd.conf".
> > > >> Many Unix and Linux flavors are vulnerable and many vendors have
> > long
> > > >> issued patches to fix the problem. Any system that does not run
> > dtspcd
> > > >> is not vulnerable to this problem.
> > > >> For the full story:
> > > >>
> > http://www.infoworld.com/articles/hn/xml/02/01/15/020115hncert.xml?0116weam
> > > >
> > > > John Mosier, Excelco, Inc. NEW contact info: Free:  866 225-3605
> > > >
> > > > Fax:  (480) 922-6504                       Voice: (480) 922-6500
> > > > http://www.swinfo.com                     http://www.excelco.com
> > > > 8233 Via Paseo del Norte, Ste E-300, Scottsdale, AZ 85258
> > > >
> > > >
> > > >
> > > --
> > > Robert A. Klahn
> > > rklahn@acm.org
> > >
> > > "Hope has two beautiful daughters: Anger and Courage. Anger at the way
> > > things are, and Courage to struggle to create things as they should
> > be." -
> > > St. Augustine
> > > ________________________________________________
> > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
> > post to the list quickly and you use Netscape to write mail.
> > >
> > > PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.mybutt.net
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
> > post to the list quickly and you use Netscape to write mail.
> >
> > PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.mybutt.net
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
> --
> Robert A. Klahn
> rklahn@acm.org
> 
> "Hope has two beautiful daughters: Anger and Courage. Anger at the way
> things are, and Courage to struggle to create things as they should be." -
> St. Augustine
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> 
> PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.mybutt.net
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss