[ale] pwck, AOL IM vulnerabilities, etc.

Transam transam at cavu.com
Sat Jan 5 21:09:09 EST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In the past week there were announcements of a critical vulnerability in
AOL's Instant Messenger service on the Windows platform, Windows XP
vulnerabilities, a minor Linux vulnerability, and lots more scans for
SSH servers.

				LINUX
				-----
A buffer overflow bug was discovered in pwck and grpck.  Since these
programs do not run set-UID or set-GID, the vulnerability can only be
exploited if they are invoked by some other program or script running
with root privileges.  Most Linux distributions have patches or will have
them soon.  Still, unless you actually use these programs, it is best to turn
them off via the following (as root):

     cd /usr/sbin
     chmod 0 pwck grpck
     mv pwck pwck.bad
     mv grpck grpck.bad
     ls -l pwck.bad grpck.bad
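As an added illustration (this is not code from the original post), the following POSIX shell functions do what the commands above do, but first list any scripts in the directories you name (typically cron and init script directories, which run as root) that invoke pwck or grpck. That is the one condition under which the post says the bug matters, so it is worth knowing before the binaries are renamed. The directory arguments and the use of `grep -r` (GNU and BSD grep both have it) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Neutralizes pwck/grpck the way
# the post suggests, after recording which root-run scripts call them.

# Print the files under the given directories that mention pwck or grpck as a
# whole word (e.g. "/usr/sbin/pwck -r" in a cron job).
# Usage: find_invocations DIR...   (e.g. /etc/cron.daily /etc/init.d)
find_invocations() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        grep -rlE '(^|[^A-Za-z0-9_])(pwck|grpck)([^A-Za-z0-9_]|$)' "$d" 2>/dev/null || :
    done
}

# Disable one binary exactly as the post does: remove all permission bits,
# then rename it so nothing finds it by its old name.  Prints the new path.
# Usage: disable_binary DIR NAME   (e.g. disable_binary /usr/sbin pwck)
disable_binary() {
    dir=$1
    name=$2
    if [ ! -f "$dir/$name" ]; then
        echo "$name: not present in $dir" >&2
        return 1
    fi
    chmod 0 "$dir/$name" && mv "$dir/$name" "$dir/$name.bad" && echo "$dir/$name.bad"
}

# Typical use on a real system (run as root; paths are the usual ones):
#   find_invocations /etc/cron.daily /etc/cron.weekly /etc/init.d
#   disable_binary /usr/sbin pwck
#   disable_binary /usr/sbin grpck
#   ls -l /usr/sbin/pwck.bad /usr/sbin/grpck.bad
```

If `find_invocations` prints anything, fix or remove those callers first; otherwise a root cron job will simply start failing after the rename, which is noisy but harmless compared with leaving an overflow reachable from a root context.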

	YET MORE WINDOWS AND INTERNET EXPLORER VULNERABILITIES
	------------------------------------------------------

Many Windows XP users are slow to patch a security hole in a new plug-and-play
feature that could let crackers take control of the computer:
http://security.ittoolbox.com/news/nr.asp?i=60577

Yet another scripting hole in Microsoft IE exposes local files to remote
attacks:
http://security.ittoolbox.com/news/nr.asp?i=60581

			AOL INSTANT MESSENGER (IM)
			--------------------------
The big news this week is that a critical bug in AOL's Instant Messenger
client on Windows allows anyone to run arbitrary code on your
Windows system.  This remote "root" vulnerability affects about 100 million
systems.  We discourage people from using IMs but recognize that many will
not stop using them.  This critical vulnerability affects the following AOL IM versions:

     4.3 through 4.7.2480 for Windows
     4.8.2616 for Windows (beta)
     It may affect older versions too
     There have been no reports of vulnerabilities on Macs, Linux, or Unix

After a week, AOL made changes to its servers to fix this problem.  Still,
since the vulnerability exists on clients, this puts every Windows user
of IM in the position of trusting AOL's security practices.  However, this
vulnerability shows that their practices are unacceptable, in our opinion.

We and other security experts have warned for a long time now that Instant
Messenger services represent an unknown and possibly severe vulnerability
to those that allow it.  This is especially dangerous for clients released
without open source as this prevents outside experts from inspecting the
code for vulnerabilities.  When coupled with Windows' model in which every
program gets complete control of the system, this is a deadly combination.
Similar critical problems seem to be reported for Internet Explorer
several times a month.

Recommendations:

Follow the practices of the CIA and others.  Have separate computer
systems to handle different levels of security and isolate them on
separate networks with Firewalls that prevent email, browsing, and IMs
onto the high security network.  Have a "low security" network with
systems that receive email and Instant Messaging and browsing and a
"high security" network where these are forbidden.  Physically label the
displays and keyboards so that there is no uncertainty about which systems
are which with enforceable sanctions for violations.

Allow important data only on the high security network.  An alternative
(but less desirable) solution is to use a good anti-virus filter and
update its rules at least daily.  The alternative to these admittedly
inconvenient solutions is to plan on being compromised.

While this vulnerability concerns AOL's IM, there may be problems with
Microsoft's, Yahoo's, and others.  We worry that the various real time
audio systems also have vulnerabilities and many of them use the UDP
protocol that allows source IP spoofing.

An online article this week on VNUNet.com claims that there was more
virus activity in December of 2001 than in any other month so far in
history, though we are skeptical of its claim.

INSTANT MESSAGING VIRUSES SET TO SOAR
http://security.ittoolbox.com/news/nr.asp?i=60643

SERIOUS AIM SECURITY HOLE COULD INVITE WORMS - EXPERTS
http://security.ittoolbox.com/news/nr.asp?i=60642

From Internet Security Systems:
- - - AOL said it implemented a server-side fix for the vulnerability in
its AOL Instant Messenger (AIM) meaning that customers will not have
to download the patch. As earlier reported, the security bug affected
AOL Instant Messenger (AIM) version 4.7 and the 4.8 beta, or test
version. Only AIM users running Microsoft's Windows operating system
are vulnerable.

- - - Businesses should examine the value of allowing the use of AIM or
other chat services within the business environment by weighing the
pros and cons of those services.  By default, these services have the
ability to display the user's name, address, employment and IP
address, thus creating additional avenues for compromises via the
Internet and through social engineering.  It should also be noted
that most recent worm activity has utilized chat programs to
propagate.

- - - Users with new computers as a result of holiday gifts or simple
self-indulgence should ensure that the operating system and other
packaged software are up-to-date by updating at the various vendor
sites.  This would include anti-virus and personal firewalls.  You
should also remember that if you now have a powerful computer and a
high-speed connection via cable modem or DSL, you have now become an
attractive target for remote exploitation.

- - - We continue to see many nuisance mass mailer worms in the wild,
such as the iterations of Maldal, GOP-A, Hybris-C and a new Trojan
named DLDER.A.  With folks coming back to work after the holidays,
expect numerous e-mail problems associated with these socially
engineered worms.  SysAdmins are strongly encouraged to ensure that
their anti-virus solution of choice is updated with current
signatures.

- - - X-Force Advisory regarding the AIM vulnerability:
http://xforce.iss.net/alerts/advise107.php

End of Internet Security Systems extract.

			SSH SERVER SCANS
			----------------
SSH (or SSL) should generally be the only way one transmits
confidential data over unsecured networks, including the Internet and
an organization's own network.  Unfortunately, some people still run the ancient
Version 1 of SSH, which we and others consider too insecure to use.  The
OpenSSH implementation of Version 2 has had a number of vulnerabilities, some reported
as late as 2001.

You want to keep up-to-date on SSH patches, as there has been a dramatic
increase in crackers scanning sites and recording what version of SSH you
run.  If they cannot break in now, plan on their doing so when a new
vulnerability is found in your version (which they remembered).  The commercial
version of SSH (still open source and free to non-profit schools) has had far
fewer vulnerabilities reported in it and we recommend it over the
OpenSSH version; it is easier to install too.
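The version-recording scans described above show up in the SSH server's syslog output: a scanner that connects, reads the server's version banner and disconnects leaves a "Did not receive identification string from <address>" line from sshd. The following POSIX shell function, added here as an example and not part of the original post, counts those lines per source address over constructed sample log lines (the sample is invented for this example, not real log data) so that repeat scanners stand out before any new vulnerability in your version is announced.

```shell
#!/bin/sh
# Added example, not from the original post.  Spots hosts that repeatedly
# connect to sshd without completing the version exchange, the signature of
# a banner-grabbing scan.

# Constructed sample of /var/log/messages lines (invented for this example).
SAMPLE_LOG='Jan  5 03:12:01 host sshd[1201]: Did not receive identification string from 10.0.0.5
Jan  5 03:12:02 host sshd[1202]: Did not receive identification string from 10.0.0.5
Jan  5 03:12:03 host sshd[1203]: Did not receive identification string from 10.0.0.5
Jan  5 09:45:10 host sshd[1400]: Accepted password for alice from 192.168.1.20 port 51122 ssh2
Jan  5 11:00:00 host sshd[1500]: Did not receive identification string from 172.16.4.9'

# Read log text on stdin and print "COUNT ADDRESS" for every source that hit
# sshd without sending a version string at least MIN times (default 3),
# most active source first.
# Usage: banner_scanners [MIN] < /var/log/messages
banner_scanners() {
    min=${1:-3}
    awk -v min="$min" '
        /sshd\[[0-9]+\]: Did not receive identification string from/ { n[$NF]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# Example run over the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | banner_scanners 3
```

Addresses this reports are candidates for the firewall or TCP Wrappers deny list; a single hit can be an interrupted legitimate connection, which is why the threshold defaults to more than one.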

We even recommend that access to one's SSH server be limited to the subnets
it will be accessed from.  E.g., configure your Firewall or TCP Wrappers
to allow it only from appropriate IPs within your organization and from
the range of IPs that SysAdmins' home systems will come from.  This would be
the "Network" and "Netmask" or "Mask" that your networking software shows.
For Linux users, issue the command "ifconfig" to determine this.
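To show the whole step from ifconfig output to a TCP Wrappers rule, here is an added POSIX shell example (not from the original post). It pulls the address and mask out of a constructed sample of the old Linux net-tools ifconfig format, computes the network address from them, and emits the hosts.allow and hosts.deny lines that let sshd accept connections only from the listed networks. The sample ifconfig text and the 203.0.113.0/24 "home systems" range are invented for the example.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample of the Linux ifconfig output the post refers to.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.168.1.37  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Print "ADDR MASK" for the first interface in ifconfig text read from stdin.
# Usage: ifconfig | ifconfig_addr_mask
ifconfig_addr_mask() {
    sed -n 's/.*inet addr:\([0-9.]*\).*Mask:\([0-9.]*\).*/\1 \2/p' | head -n1
}

# Compute the network address (address AND mask, octet by octet) and print it
# as NETWORK/MASK, the form TCP Wrappers accepts.
# Usage: network_of ADDR MASK
network_of() {
    set -- $(echo "$1" | tr . ' ') $(echo "$2" | tr . ' ')
    printf '%d.%d.%d.%d/%d.%d.%d.%d\n' \
        $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8)) $5 $6 $7 $8
}

# Emit the hosts.allow entries for the given networks and a hosts.deny entry
# that refuses sshd to everyone else.  hosts.allow is consulted first, so a
# matching allow line wins over the catch-all deny.
# Usage: sshd_wrapper_rules NETWORK/MASK...
sshd_wrapper_rules() {
    printf '# /etc/hosts.allow\n'
    for net in "$@"; do
        printf 'sshd: %s\n' "$net"
    done
    printf '# /etc/hosts.deny\nsshd: ALL\n'
}

# Example run: local subnet taken from the sample ifconfig output, plus a
# constructed range for SysAdmins' home systems.
#   local=$(network_of $(printf '%s\n' "$SAMPLE_IFCONFIG" | ifconfig_addr_mask))
#   sshd_wrapper_rules "$local" 203.0.113.0/255.255.255.0
```

The `sshd:` lines only take effect when the SSH server is built with TCP Wrappers (libwrap) support; if yours is not, put the same networks into the packet filter rule for port 22 instead, as the post's firewall option suggests.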

Best regards,

Bob Toxen, CTO
Fly-By-Day Consulting, Inc.           "Experts in Linux & network security"
bob at cavu.com
http://www.cavu.com                   [Linux/Unix & Network Security Consulting]
http://www.realworldlinuxsecurity.com [My 5* book: "Real World Linux Security"]
http://www.cavu.com/sunset.html       [Sunset Computer]
Quality Linux, UNIX and network security and software consulting since 1990.

GPG Public key available at http://www.cavu.com/pubkey.txt (book at cavu.com)
  and at http://pgp5.ai.mit.edu/pks-commands.html#extract
  and on the CD-ROM that comes sealed and attached to Real World Linux Security
pub  1024D/E3A1C540 2000-06-21 Bob Toxen <book at cavu.com>
     Key fingerprint = 30BA AA0A 31DD B68B 47C9  601E 96D3 533D E3A1 C540
sub  2048g/03FFCCB9 2000-06-21
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8N64eltNTPeOhxUARAlfVAKCf+NFmj/NxJfZGBwdWDCv9uYEzfACdHm4t
cKhnvJ0mJ7jOTwiHm3VOhIc=
=S+St
-----END PGP SIGNATURE-----

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.