Linux Today: Linux News On Internet Time.

O'Reilly Network: Insecurities in a Nutshell: Vixie cron Exploit and More

Nov 22, 2000, 21:42 (0 Talkback[s])
(Other stories by Noel Davis)

"An exploit was announced that uses fopen() and a preserved umask vulnerability in Paul Vixie's cron. An attacker can use this vulnerability to create a world-writable file in /var/spool/cron. They would then be able to write arbitrary cron entries into that file, which would run as the user being attacked. It is reported that Mandrake 7.0, Red Hat versions 6.1 and earlier, Cobalt Linux, and Trustix are not vulnerable. Debian 2.2 and systems where Vixie cron has been installed manually are vulnerable. FreeBSD versions 2.1.x, 2.2.x, 3.x, 4.x, and -CURRENT are not vulnerable if launched by a normal user, but members of the wheel group can use the exploit successfully. A quick workaround is to chmod 700 /var/spool/cron."

"Versions of OpenSSH prior to 2.3.0 are vulnerable to a compromised or hostile sshd server. Basically, if you disable the X11 forwarding in the client, the server can still forward X11 connections later in the session. A short-term workaround is to clear the $DISPLAY and the $SSH_AUTH_SOCK variables before connecting with OpenSSH, but it is recommended that you upgrade to version 2.3.0 or above."

"The gnupg version of PGP (Pretty Good Privacy) digital signature/encryption can generate false positive results for messages with multiple signatures. In other words, if only some of the signatures are valid, it could still report that they were all correct. There are packages out for FreeBSD and Debian, or you can upgrade to a version newer than 1.04."

Complete Story

Related Stories: