Solaris, AIX Login Hole
An anonymous submitter sent in: "A CERT Advisory describes a buffer overflow vulnerability in implementations of login derived from System V, which includes, among others, Solaris 8 and earlier and AIX 4.3/5.1. 'An exploit exists and may be circulating.' Vendors are testing fixes." There's a Reuters story as well.
how can this be?
here's the shakedown for those too lazy to go to the site and read the article:
The hole is located in the "login" program that allows people to sign on to the operating system remotely by entering a username and password, ISS said. The vulnerability can be exploited only if certain remote command protocols, such as Telnet, are enabled, which they usually are by default, the company said.
ISS discovered the loophole in October and has been working with Sun and CERT on a fix, said Ingevaldson.
"We're not aware of anyone experiencing a problem with this," said Sun spokesman Russ Castronovo.
The security hole is very serious because there are so many computers in corporations and universities that run Solaris and because of the amount of harm someone could do if they were to gain complete control over a vulnerable machine, he said.
"Once you have super-user access to a machine you can do anything you want, modify files, create them, sniff network traffic," Ingevaldson said.
A temporary software patch is available for download from http://sunsolve.sun.com/securitypatch and a fully supported and tested fix will be available next week, Ingevaldson said.
Fixes are pending for AIX, according to CERT.
Moon Macrosystems. Sun's biggest competitor.
You can login as kt and get root.
This is a bad vulnerability, but not awful - you have to be allowing Telnet or RLogin access to the server for this exploit to be at risk.
Since Telnet and Rlogin are insecure by design, they should only be allowed to be used in environments where you implicitly trust all parties. You should never deploy them where bad guys can get ahold of them - in those cases you should use (open)SSH.
www.eFax.com are spammers
ooops. i lost my sarcasm /sarcasm tags. :-(
and
In Soviet Russia you don't have to put up with these crappy jokes
I guess that fixing this issue will delay delivery of "Magic Lantern for Unix" for a few months.
Actually it's been known for a long time that telnet and rlogin are insecure. The effort has been to shift people to secure methods such as OpenSSH for those things. For the most part any sysadmin that has been using telnet and rlogin is probably too lazy to switch. I worked under a sysadmin for a while and it took months of pushing to get him to start implementing SSH across the board.
--- I used to moderate, then I read the -1 articles and decided having to filter through them was not worth it.
Isn't this a logical fallacy? MS has vulnerabilities in its products, Unix System V has vulnerabilities, therefore Microsoft makes quality products.
I'd say there's a subtle, but important difference between insecure by design and insecure due to a programmer's mistake.
Bush Lies Watch
If there is now this huge hole in Solaris/AIX many people will think there is a security hole in Linux or even OpenBSD.
Especially mainframe firms confuse these operating systems; even IBM accidentally ported Linux to their big servers, because they thought it's some kind of new Unix brand.
So this security hole might help microsoft very much to install their operating systems everywhere because they say: Hey look at this hole at linux !!! which is a lie but people won't know the difference, really.
So this might be very bad.
I wonder if some script kiddies are behind this hole, this is always the same: You look, and, hey, there is a script kiddie behind the security hole ! (The famous script kiddie surprise.)
Owner of a Mensa membership card.
Isn't this where Michael says:
'Another gaping security hole goes unpatched by Microsoft... Uh, I mean, er, Sun' ?
pardon me, but it seems like security holes are found in microsoft products on a regular basis. unix holes are found VERY rarely. how can you say it is a level playing field?
Hackers do not target MS products because of "perceived" vulnerabilities... they target MS because their products are KNOWN and EXPECTED to have holes.
> This is proof positive that MicroSoft make quality products. So now, can we all just lay off of MS and all descend in hordes on Sun and IBM?
;)
Isn't this more like proof that *nix sucks as much as MS?
Seriously tho, of course, the more mature techies will concede that both OS families have had their fair share of minor and major problems. I've never held either OS family up to such lofty 'uncrackable' standards, but the one thing I do have to say is that, considering MS's attitude towards its track record (ie, 'what me worry?'), it's still more frustrating when the exploit is an MS exploit rather than a Unix one.
Plus, much of the insecurity in Windows is due to the scripting and VB features that MS deemed so critical to the success of their software. This problem is an exploit, whereas early email worms didn't even have to 'exploit' the box. MS's own feature set and technology caused billions of dollars in productivity loss in order to save the user from a few clicks, or incorporate 'gee whiz' functionality in their mail/www clients. That, to me, is far more damning than any accidental root exploit will ever be. Mistakes happen. Sacrificing security for brochure-ware is inexcusable and irresponsible.
"Old man yells at systemd"
There are at least 3 sure-fire solutions for eliminating all stack-overwriting buffer overflows in security-critical programs:
None of these solutions (except maybe #1) are easy, but none of them are beyond the state of the art, either. Given this, I find it inexcusable that these buffer overflows keep popping up.
IMHO the rules are simple:
This affects systems with telnet or rlogin accessible from the Internet? The implication is that these were somehow not vulnerable without this buffer overrun.
News to me.
Lacking <sarcasm> tags,
The above comment is not offtopic. The above comment refers to trojanning c compilers to put a back door into login programs. This was not only written about by Ken Thompson (linked in the article above), but successfully accomplished by a bastard of a programmer.
Thus, the above comment is on topic, just over someone's head.
Video for Online Dating Profiles
Yep. From the bugtraq advisory by ISS:
"Secure Shell (SSH) implements encrypted terminal connections, and it is designed to replace insecure protocols like Telnet and Rlogin. Recent versions of SSH implement their own version of the login program, and are not vulnerable. "
But I am not an "average administrator." Months ago, I faxed Sun a really long contract that gave me the right to download their source distribution. This was a major PITA but I needed to modify some other parts of the OS at the time, so I had no choice.
I simply cannot believe that Sun is taking over two months to patch this very simple problem. It's an unchecked buffer, for God's sake. Most C coders can fix a problem like this in their sleep.
And that is why I believe that open source has a future and Sun does not. Regardless of what your stance is on the "many eyes makes all problems shallow" doctrine, it is beyond debate that fixing this sort of bug in Linux is extremely easy for the average C programmer. Unfortunately, that programmer may not have signed Sun's NDAs and sold their soul, and they would not have the source access that it takes to protect their machines.
I really wish I could post my patch here, but that is a violation of my NDA. Sun's absolutist stance on intellectual property may sell them a lot of copies of Solaris, but it leaves us administrators exposed and looking stupid. My group will be moving to Linux as soon as all of our applications are available for it, and we will be giving Sun the boot. The nicer machines and OS just aren't worth the risk of getting rooted.
Bill
For details, see the 'UseLogin' option in your sshd config file.
DShield.org... fight back
Vintage computer games and RPG books available. Email me if you're interested.
This is mud int he eye of everyone who claims that *nix is inherently more secure than Windows... This is proof positive that MicroSoft make quality products.
Good point! However, This is not 'proof positive' that Microsoft makes good products... Where on earth do you draw that conclusion from?
And although you are correct in that *nix and Windows both have their fair share of security holes and other vulnerabilities, the key thing to remember is volume. There are a lot more computers running Microsoft's OS than any other. Thus a single security hole in Windows affects Millions of computers (if not billions), while a bug of this sort on a Unix platform only affects Thousands...
And add to that the fact that in companies *nix environments are usually run by (on average) more experienced 'hackers'/sysadmins than in companies where the environment is mostly 'Microsoft' based. ( Please don't flame me on this, just look up the stats on google) Most *nix admins make their network as secure as possible during and after installation (since it's not a point and click procedure), while most NT admins are surprised to learn that their system is wide open to attack after installation...
---
Programming is like sex... Make one mistake and support it the rest of your life.
Most modern Unices (I know firsthand for Solaris and FreeBSD) allow you to disable execution of the stack. In fact, on Solaris, any attempt to execute the stack is logged.
The inability to execute is enabled by default in Solaris 8. Logging is not. However, you can explicitly enable both by entering:
set noexec_user_stack=1
set noexec_user_stack_log=1
and rebooting. Not a huge deal. For FreeBSD, read the 'sysctl' man page.
Besides, if you're running telnet, you're just asking to get hax0red...
...but it's being eaten...by some...Linux or something...
> Hackers do not target MS products because of "perceived" vulnerabilities... they target MS because their products are KNOWN and EXPECTED to have holes.

No, hackers target MS products, because they are more widely used, and generally used by people whose biggest concern isn't security. It's like going into a neighborhood where nobody locks their doors. Not that their doors can't be locked, but they feel like they have no reason to do so!
It does make me wonder why the people at CERT don't ever pretend to be skript kiddies. I just found this little tid-bit on a well known site which serves a lot of exploits.
Description: A "feature" of most telnetd programs is that they will pass environmental variables (like TERM, DISPLAY, etc) for you. Unfortunately this can be a problem if someone passes LD_PRELOAD and causes /bin/login to load trojan libraries!
Author: Well known, squidge (squidge@onyx.infonexus.com) wrote this, but I doubt you can reach him. Isn't he in jail now?
Compromise: root REMOTELY!
Vulnerable Systems: Older Linux boxes, I think SunOS systems, probably others.
Date: January 1996 maybe? Quite old but lives forever like phf.
How many times will we find new buffer overflow security holes before developers STOP WRITING STUPID CODE?!
Use strncpy instead of strcpy.
Problem solved.
Idiots.
- For the complete works of Shakespeare: cat
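An added example (mine, not the poster's code and not the login(1) source) of why "use strncpy instead of strcpy" is not, by itself, a fix: strncpy bounded by the destination size drops the terminator when the input is as long as the buffer, so the out-of-bounds access reappears at the next strlen or strcpy on that buffer. Beside it is a bounded copy that rejects over-long input instead of truncating it, which matters for a field like a user name where silent truncation could alias two names. The 8-byte field size and the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

#define NAMESZ 8  /* constructed toy size for a user-name field */

/* The pattern the thread is complaining about: no bound at all. Writes
 * strlen(src)+1 bytes wherever dst points; a long src is the overflow.
 * Shown for contrast only and never called with long input here. */
void unsafe_copy(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* strncpy with the destination size as the bound fills exactly NAMESZ bytes
 * and writes no NUL when src is NAMESZ bytes or longer. Returns 1 if buf is
 * still a terminated string, 0 if not (the next strlen/strcpy/printf on it
 * would then read past the end). memchr is used to inspect buf because a
 * plain strlen on an unterminated buffer is itself the out-of-bounds read. */
int strncpy_leaves_terminator(const char *src)
{
    char buf[NAMESZ];
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* Bounded copy for a field that must never be silently truncated: returns 0
 * and NUL-terminates dst if src (including its NUL) fits in dstsz bytes;
 * otherwise leaves dst as the empty string and returns -1 so the caller can
 * reject the input. Only dstsz bytes of src are ever examined. */
int copy_username(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL) {              /* no terminator in range: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* copies the NUL too */
    return 0;
}

int main(void)
{
    char name[NAMESZ];
    const char *inputs[] = { "kt", "abcdefg", "abcdefgh", "AAAAAAAAAAAAAAAAAAAAAAAA" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        printf("%-24s strncpy terminated: %d  copy_username: %d\n",
               inputs[i], strncpy_leaves_terminator(inputs[i]),
               copy_username(name, sizeof name, inputs[i]));
    }
    return 0;
}
```

The rejecting copy is the one to use where the field ends up in an authentication decision; truncating copies (strlcpy, snprintf) are fine for display strings.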
IBM has a fix available for AIX 4.3 and 5.1 - download at ftp://service.boulder.ibm.com/aix/efixes/security/tsmlogin_efix.tar.Z
The tsm/login/getty program runs setuid root under AIX, this may be an increased vulnerability. Patch, patch, patch!
- The Mad Duke
theregister also mentions this, along with the idea that using SSH instead of Telnet is the quick solution.
I find it oddly tame that all michael has to say with this article is "There's a reuters story as well."
:)
He was able to expand into about 8 paragraphs with "Another Gaping Microsoft Security Hole Goes Unpatched."
When it is *nix, its "developer notice", and when it is win* it is "microsoft wants to rape us of our rights"?
I'm probably missing something, like 'duh, you shouldn't use telnet'. Then again, I actually believe the vapid notion that you'll be okay if you download from trusted sources, so I'm not worried about IE. I will save people the time and tell myself that there is no such thing as a trusted source
When?
...
I wish Unix/Linux would remove Telnet forever. Not just removed from default install, but removed from the packages totally. If these things weren't installed by default, and people were forced to use ssh, we could come a long ways.
People are too lazy to use ssh instead of telnet. So, force them to use ssh. Even behind firewalls.
Old apps use telnet? Tough, if the company values security they'll convert. If not, they get the same sympathy that people who open unknown attachments get, none
They should be taken to court, made fun of, boycotted! A security hole, my god, well I run Solaris, thank goodness I'm not affecte.....What's that?? It affects what? Oh....oh my....OH WAITER!!!! A plate of crow please! :)
Unbelievable! Anybody notice how clear, concise and FUD free this post by michael was? It seems only yesterday that we had a full page rant by michael himself that deplored Microsoft for not revealing a GAPING security hole until recently.
Microsoft has known about it since November 19; they refuse to provide any information about when a patch might be made available, if ever.
Now let's see... "ISS discovered the loophole in October" Hmm.... that's a whole month longer than Microsoft held out...
Netscape and most other browsers have no problem with this.
This is a *serious* security hole, and it's all sun's fault. Macintosh, Windows and most other operating systems don't have a problem with this.
If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything.
If you routinely use Solaris or AIX to login and do work, keep in mind that anybody can take over your computer, steal sensitive files, destroy your machine, anything.
Happy browsing!
Congrats! You've got Gaping Security Hole!
Hmm.. maybe we can do with a little more balanced reporting here on bash-Microdot.org
I wouldn't call this a level playing field either. Why not? Because of differences in the vendors' attitudes to the discovery of these problems.
Microsoft wants to sweep these problems under the rug; keep them as secret as possible and even criminalize those who discover them and make them known. They have a poor track record when it comes to timely releases for patches, and alerting their user base.
Do you, for instance, remember this slashdot story?
What about this?
With this in place, 'stack overflow' exploits don't execute.
I do not deploy Linux. Ever.
Yup, apparently most slashdot readers didn't become sentient until 1998 and were unaware of UNIX's absolutely fucking terrible security record. They comfort themselves with the idea that Unix has ugo permissions and the Win98 that was on their mom's presario does not.
Just to set the record straight -- UNIX was written by academics who felt they could trust everyone on their network and didn't have any need for namby-pamby coding practices like checking your return values and limiting the size of inputs. It took years and years to fix this (and it ain't done yet).
Heck, it was only a couple years ago when there would be a RedHat Advisory Of The Week, and Windows got relatively little love from the whitehats. The only thing you can really say about MS is that they should have been paying attention to the pain on the Unix side and been somewhat proactive.
boy... i'm sure glad you added this follow up post.. for a second i almost thought i was reading zdnet forums
I believe sex is highly over rated... unless it involves me
Dang it, I was all set to moderate, but this needs a followup instead since Dimwit left something out. Namely that those set commands belong in /etc/system.
--
I don't want to rule the world... I just want to be in charge of mayonnaise.
Background: The box came from a defunct internet delivery service. I wonder what corporate records I'll find? Definitely customer records if the admins didn't wipe the database. It's a good thing I'm ethical. I wonder how many customer records from defunct Internet-focused IPOs are now in the hands of crooks?
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Of course, correct me when I'm wrong or off base on this here... I don't know about any Solaris patches or AIX fixes, since I don't generally use those platforms, but I bet they are either underway. See your local sunsolve outlet or your IBM patch repository.
Well sir, the good news is that if we get your car back in one piece the thieves might leave fingerprints behind.
Hey!!! the parentheses are good for something
Alternatively, when will the Slashcode guys do the intelligent thing and place each comment in a separate table so that morons can't fuck up the page for everyone else? Currently, the attempted 'fixes' are laughably ineffective and serve only to break comments (particularly with URLs) posted by regular slashdotters.
Hackers target MS products for political reasons. They want MS to look bad and Unix to look good.
...is found at The Register's coverage of this issue.
Level playing field? Let's see .....
...1?
Bug count:
Windows = 65,000+
*nix =
Yeah, looks really level to me.......
Of course making the stack executable is not a miracle cure. You can still execute arbitrary code through another trampoline (like jumping into libc, rewriting/patching functions through trojaned libraries ($LD_LIBRARY_PATH and $LD_PRELOAD for example) or other tricks).
Sorry if this is a little offtopic, but stack smashes aren't the only way to skin a cat.
Works for IE 6.0, Navigator 4.78, & Mozilla 0.9.2.1, but not for Konqueror 2.2.2.
Method of processing duck feet
This vulnerability can be remotely exploited to gain privileges of the invoker of login. In the case of a program such as telnetd, rlogind, or other suid root programs, root access is gained.
If the ssh server is configured the way a telnet server is (I'm guessing it is, although I could well be wrong since I've never run one) ssh would give you an identical vulnerability.
I think I could have resisted throwing in a jab about people who know three or four factoids about security deciding that this story must involve one of those three or four things if Michael himself hadn't jumped on the anti-telnet bandwagon. Of course, I'm also wondering why the FUD-packed rant he directed at Microsoft a couple of days ago wasn't thought to be newsworthy here. This is a much more serious hole and much easier to exploit against an alert target.
What I'm listening to now on Pandora...
The day after Robert T Morris unleashed his worm on the internet on November 2, 1988, Keith Baaaaaaaahstic distributed instructions from the "Experimental Computing Facility, Center for Disease Control" on how to patch the sendmail binary by replacing the "D" in the "DEBUG" command with a null, thus disabling the worm.
Unfortunately the effect was actually to change the name of the "DEBUG" command to the null string! So telnetting to port 25 and simply hitting CR to send a blank line would actually put sendmail into debug mode!
Of course Sun Microsystems immediately installed this bogus patch, which I accidentally discovered, and reported to Sun. More than a year later I discussed it on the security mailing list... I hope that gave them enough time to fix the bug in the source code and recompile.
-Don
====
Date: Sun, 11 Feb 90 01:02:15 -0500
From: don@cs.umd.edu (Don Hopkins)
Subject: Computer Abuse / Product Liability / Criminal Statutes / ECPA
To: blackcat@neuro.usc.edu
Cc: security@pyrite.rutgers.edu
>> [...] updating the old X10 server for the ibm/pc to work with X11R4, etc.
Yeah, right. Might as well have them fill in the Grand Canyon using a pair of tweezers. How about having Robert Morris implement the Gnu kernel? I'm sure he's bright enough to come up with a very secure system (much to rms's disgust). So secure that only he would know the loopholes.
Morris would be dead meat if his daddy didn't work for the NSA.
One of the first patches for sendmail that was sent around to keep the Internet worm out was to edit the sendmail binary changing the 'D' in "DEBUG" to '\0', so the DEBUG command wouldn't work any more. Well that stopped the worm, but it made the null string invoke the debug command. I noticed this a couple days after the worm, when I telneted to sun.com port 25, to EXPN a user name of somebody on a mailing list I run, hit CR a couple of times to make sure sendmail was listening, and did the EXPN. It spit back huge amounts of debugging information! Of course I promptly notified the appropriate people at Sun so they could put the right fix in. Sheez.
-Don
====
Date: 3 Nov 88 10:54:57 GMT
From: bostic@OKEEFFE.BERKELEY.EDU (Keith Bostic)
Subject: Fixes for the virus
Approved: ucb-fixes@okeeffe.berkeley.edu
Subject: Fixes for the virus
Index: usr.lib/sendmail/src/srvrsmtp.c 4BSD
There's a virus running around; the salient facts. A bug in sendmail has been used to introduce a virus into a lot of Internet UNIX systems. It has not been observed to damage the host system, however, it's incredibly virulent, attempting to introduce itself to every system it can find. It appears to use rsh, broken passwords, and sendmail to introduce itself into the target systems. It affects only VAXen and Suns, as far as we know.
There are three changes that we believe will immunize your system. They are attached.
Thanks to the Experimental Computing Facility, Center for Disease Control for their assistance. (It's pretty late, and they certainly deserved some thanks, somewhere!)
Fix:
[...]
If you don't have source, apply the following patch to your sendmail binary. SAVE A COPY OF IT FIRST, IN CASE YOU MESS UP! This is mildly tricky -- note, some versions of strings(1), which we're going to use to find the offset of the string "debug" in the binary print out the offsets in octal, not decimal. Run the following shell line to decide how your version of strings(1) works:
Note, make sure the eight control 'G's are preserved in this line. If this command results in something like:
0000008 abcd
your strings(1) command prints out locations in decimal, else it's octal.
The patch script for sendmail. NOTE, YOUR OFFSETS MAY VARY!! This script assumes that your strings(1) command prints out the offsets in decimal.
Script started on Thu Nov 3 02:08:14 1988
okeeffe:tmp {2} strings -o -a /usr/lib/sendmail | egrep debug
0096972 debug
okeeffe:tmp {3} adb -w /usr/lib/sendmail
?m 0 0xffffffff 0
0t10$d
radix=10 base ten
96972?s
96972: debug
96972?w 0
96972: 25701 = 0
okeeffe:tmp {4} ^D
script done on Thu Nov 3 02:09:31 1988
If your strings(1) command prints out the offsets in octal, change the line "0t10$d" to "0t8$d".
After you've fixed sendmail, move both /bin/cc and /bin/ld to something else. (The virus uses the cc and the ld commands to rebuild itself to run on your system.)
Finally, kill any processes on your system that don't belong there. Suspicious ones have "(sh)" or "xNNNNNNN" where the N's are random digits, as the command name on the ps(1) output line.
One more thing, if you find files in /tmp or /usr/tmp that have names like "xNNNNNN,l1.c", or "xNNNNNN,sun3.o", or "xNNNNNNN,vax.o" where the N's are random digits, you've been infected.
====
Keith sent out the following addendum to the patch, which prevents the null string bug, but Sun obviously didn't pay attention to it.
====
Date: 3 Nov 88 16:12:19 GMT
From: bostic@OKEEFFE.BERKELEY.EDU (Keith Bostic)
Subject: Fixes for the virus, #2
Approved: ucb-fixes@okeeffe.berkeley.edu
Original-newsgroup: comp.bugs.4bsd.ucb-fixes
Index: usr.lib/sendmail/src/srvrsmtp.c 4BSD
Description:
This is a followup message, to clear up two points. First off, a better value to use to PATCH your sendmail executable is 0xff; if you're using the patch script, change:
96972?w 0
to:
96972?w 65535
Secondly, note, if, when you run strings(1) on your sendmail executable, greping for ``debug'', you don't get any output, don't worry about the problem, your system is already (we think) safe.
Take a look and feel free: http://www.PieMenu.com
Everytime a story comes around about a security hole i hear the "you had it coming, you shouldn't have run it anyway". And it's starting to get on my nerves.
So people shouldn't run telnetd, because it's unsafe, now should they? So "it's ok to have a bug there, don't blame Unix"? Well they shouldn't run IIS either, because it's unsafe, so it must be ok to have a bug in IIS too...
Stop the double standards. We'll never be taken seriously as a community of free-thinking, mature, Unix/open_source/whatever believers until we start acting like mature people in the first place.
It's a bug, and it's bad. It's been posted in October and Sun is taking ages to fix it, and so is IBM. That is _real_ bad. So face it.
Yes, this is different from the Microsoft/IIS/Outlook exploits. But you have to KNOW the difference before you can TELL the difference. And the difference is THIS IS A BUG, MICROSOFT PROBLEMS ARE USUALLY FLAWS.
THAT is the main difference, THAT is what sets Unix apart from Windows. Both have problems occasionally. One because it couldn't help it, the other because it didn't care. Now that's a world of a difference.
free the mallocs!
Sun et al aren't demanding silence from security professionals who discover bugs, security holes, and exploits.
Microsoft is.
What is more, Microsoft is trying to bribe security professionals and services into silence, requiring among other things that Microsoft be informed of problems before the security firm's own paying customers are.
In short, Sun & Co. have done nothing improper or worthy of customer or professional outrage.
Microsoft has.
Biased or not, Slashdot and its readership are more than a little correct in bashing Microsoft's security policies, and in reporting security lapses of other firms as well, even though these other firms have behaved in a much more ethical and open manner.
Had it been otherwise, you doubtless would have been bashing slashdot and its readership for not reporting the vulnerabilities.
In short, Mr. Microsoft Flunky, get over yourself. If slashdot's pro-Free Software and pro-GNU/Linux bias upsets you so much, then go hang out in a pro-Microsoft forum where you can suck up as much Redmond marketing drivel as your heart desires, while leaving the rest of us in peace.
The Future of Human Evolution: Autonomy
Nonetheless, most of the people ranting against telnet are talking about its vulnerability to sniffing, which is an important weakness but has nothing to do with this.
since this is a non-Microsoft hole, nobody goes around bashing and thrashing Sun. I'm obviously not a *nix advocate, but I'm not a Microsoft agent either. FUCK THAT PAPER CLIP. Anyway, score -1 for the flamers and +1 for the bias!
One day the trolls will rise and conquer, and the mighty will fall and their bodies turn to dust. THE END
On handle of the door they couldn't unlock?
You left out the option to make the stack non-executable.
Breaking the law anonymously is not an act of civil disobedience; it is an act of cowardice, and it will bring little sympathy from the public or from the people who are in positions of power.
Damn... he got me in the "MS Watches..." article with the same trick.
Whoops! Forgot to say that those commands go into /etc/system. Sorry for replying to my own post. :)
If I only telnet over networking infrastructure I trust (e.g., there are secured switches on both ends, I trust that my ISP hasn't been hacked, etc.), then I am safe. All users must authenticate with passwords to gain access. With these holes, anyone can remotely log in as root. Yeah, telnet/rlogin/rsh might not be as secure as ssh, but they're nowhere near the category of vulnerability that this hole exposes.
Some times, "design" is 100% equivalent to "a programmer's mistake".
That is obviously the case with X-Windows, the world's first fully modular software disaster. It was a mistake to even design it. A mistake carried out to perfection. The defecto standard. Flaky and built to stay that way. Complex nonsolutions to simple nonproblems. Form follows malfunction. Ignorance is our most important resource. It could be worse, but it'll take time. More than enough rope. Power tools for power fools. Putting new limits on productivity. The cutting edge of obsolescence. The art of incompetence. The defacto substandard. You'll envy the dead. Even your dog won't like it.
-Don
Windows and most other operating systems don't have a problem with this.
Hmm, so your argument is that companies should be installing Windows on their AIX servers?
Good luck with that.
Today networks are designed and built with the idea and mindset that anything on the network could be cracked. Machines you know are cool need to prove who they are. Don't assume anything. By default insecure services should be disabled and never used. The insecure terms should not be used. When the phrase `telnet into a box` is heard it should be corrected with `ssh into a box`. Anyone that still uses r services or telnet for access gets what is coming to them.
Death to port 23!!
The journey is better than the end.
The focus on Free Software is fine. Bashing MS is fine. Plenty to bash.
But why not put it somewhere other than the front page article? Why not make the front page article concise, and let the rants come from others in the comments? Everyone can take their secret glee at the pains of MS, but when it's pointed out on the front page, it makes you sound insecure about your operating system's virtues. It's mudslinging.
After all, Linux isn't better because MS sucks, it's better because it's better.
Let's not stir that bag of worms...
Heh why don't you just come out and say 'Gee, I just started getting into this *NIX thing last week, when my friend said it was cool?'. Anyone that has been around for a long time realizes that UNIX has been a source of major security flaws for decades. Consider that the much-ballyhooed "Internet Worm", which took out pretty much the ENTIRE INTERNET in its time relied primarily on some really stupid bugs in UNIX-based programs such as sendmail. Before 1992 or so, a determined script kiddie could root virtually any Internet accessible UNIX box within hours using only widely known buffer overflow and/or library path problems.
I don't mean this as an anti-UNIX rant. My point is simply that complex software is bound to have bugs until companies start development policies which highlight 'security first' in the way that "Extreme Programming" highlights 'test first'. The economics of doing this, though, are such that no company that wants to make money is very likely to bother in the near future. Thus we'll have this never-ending cycle of finding and fixing bugs. And this goes for all commercial platforms, UNIX and Windows alike.
Anyone that gets on a high-horse about such things, either pro-Microsoft or pro-UNIX, just shows he/she doesn't have all the facts, or is the equivalent of a religious fanatic who only sees what he/she wants to see.
PS. I realize there are projects to address the issue I spoke about, namely OpenBSD. And that's great. I disagree on many of the merits people claim that OSS has (most of these merits are theoretical only and never pan out in practice), but OpenBSD, by mixing security minded developers and the removal of profit as the primary motive for working, has been doing quite a lot to make *BSD based UNIX systems more secure.
If the mainstream press reported it, the headline would be something like:
"Killer Login Virus Affecting Everyone's Computer"
and totally skip over the specifics until the last sentence in the jump section on page 14b.
If anything, as much as the mainstream media jumps on M$ for its business practices, it too is caught in the "Microsoft is Computing" attitude in that any M$ product vulnerability must be industry-wide.
Well, I'd say so. 30 seconds of searching on google revealed the exploit with a really good explanation of the problem and solutions to protect yourself. As well as an OpenSSH exploit.
From the file:
HOW TO PROTECT: There are a few ways. If you have a statically linked login, then you are safe. setuid programs ignore LD_PRELOAD so once you have logged in, you cannot subvert the system.
You can patch telnetd to wipe all but a few env variables. There are many widely available pieces of code to demonstrate this.
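The environment scrubbing that the quoted file recommends for telnetd, written out as an added example in C. This is not code from the post or from any vendor's telnetd: it keeps only an allowlisted set of variables before a service hands control to login, so a variable such as LD_PRELOAD supplied by the remote side never reaches the child process. The allowlist contents and the sample environment are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Variables a remote-login service is allowed to pass through to login.
   The list is an assumption; a real service would choose its own. */
static const char *const allowed[] = { "TERM", "LANG", "TZ", NULL };

/* Constructed sample environment as a telnetd might receive it from the
   remote side; the LD_PRELOAD entry is the kind of thing to drop. */
char *sample_env[] = {
    "TERM=vt100",
    "LD_PRELOAD=/tmp/untrusted.so",
    "LANG=C",
    "HOME=/",
    NULL
};

/* Return 1 if a "NAME=value" entry names an allowed variable, else 0.
   The name is compared on its full length so "TERMINAL" does not match "TERM". */
int env_entry_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL) return 0;                 /* malformed entry: drop it */
    size_t n = (size_t)(eq - entry);
    for (size_t i = 0; allowed[i] != NULL; i++)
        if (strlen(allowed[i]) == n && strncmp(allowed[i], entry, n) == 0)
            return 1;
    return 0;
}

/* Build a new NULL-terminated environment holding only allowed entries.
   Entries are shared with src; the caller frees the returned array. */
char **scrub_env(char *const *src) {
    size_t n = 0;
    while (src[n] != NULL) n++;
    char **out = calloc(n + 1, sizeof *out);
    if (out == NULL) return NULL;
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (env_entry_allowed(src[i])) out[k++] = src[i];
    out[k] = NULL;
    return out;
}

/* Number of entries that survive scrubbing. */
size_t scrubbed_count(char *const *src) {
    char **clean = scrub_env(src);
    if (clean == NULL) return 0;
    size_t n = 0;
    while (clean[n] != NULL) n++;
    free(clean);
    return n;
}

int main(void) {
    char **clean = scrub_env(sample_env);
    if (clean == NULL) return 1;
    /* Only TERM and LANG remain; this array would be passed to execve(). */
    for (size_t i = 0; clean[i] != NULL; i++) puts(clean[i]);
    free(clean);
    return 0;
}
```

The cleaned array is what the service would hand to execve() for login; the point is an allowlist rather than a denylist, so a loader variable nobody thought to block is dropped along with LD_PRELOAD.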
as it has already been cracked
I remember one hilarious Sun security hole, around SunOS 3.0 or so, that let you get a root shell by walking up to the console and holding down one of the keys until it autorepeated enough to fill up a buffer somewhere. Then you just hit the return key and it logged you in with a root shell! Chris Torek, Mark Weiser, Steve Miller and I witnessed this behavior on Suns at the U of Maryland some time during the 80's.
My favorite boneheaded idiotic Unix security hole was the /etc/passwd "::0:0:::" bug.
It would conveniently open up a giant security hole whenever somebody accidentally left a blank line in /etc/passwd.
The next time anybody changed their password, the setuid root "passwd" program would read the old /etc/passwd file line by line using scanf("%s:%s:%d:%d:%s:%s:%s", ...), without checking for errors, then write out the new password file using printf("%s:%s:%d:%d:%s:%s:%s", ...). The blank line would read in as zero length strings and zeros, and would be written back out as "::0:0:::".
And of course what does "::0:0:::" mean in /etc/passwd? It defines a root-privileged user whose name is the null string! How convenient!
Then all anyone has to do to get root was to type:
% su ""
On the Pyramid (which ran a bizarre hybrid combination of BSD and System V), all you had to do to exploit this hole was to hit the return key at the "login:" prompt, and it would display the message of the day followed by a root shell prompt "#".
People complain that Unix is difficult to use, and requires a lot of typing. But getting a root shell was certainly quite easy, requiring even fewer keystrokes on the Pyramid than the Sun.
Has Windows NT *EVER* been that easy and convenient to break into? I don't think so.
-Don
Take a look and feel free: http://www.PieMenu.com
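A bounds-checked /etc/passwd line parser, added here as an example in C and not code from the post above or from any historical passwd program. It refuses a blank line instead of rewriting it as "::0:0:::", rejects any record whose user name is empty, and checks the field count, the numeric fields and the string lengths that the scanf()/printf() round trip described in the post did not. The struct field widths, the status codes and the sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounded passwd record; the field widths are assumptions. */
struct pwent {
    char name[64], hash[128], gecos[128], dir[256], shell[128];
    long uid, gid;
};

enum pw_status { PW_OK = 0, PW_BLANK, PW_BAD_FIELDS, PW_EMPTY_NAME,
                 PW_BAD_NUMBER, PW_TOO_LONG };

/* Copy a field into a fixed buffer, refusing to truncate. */
static int copy_bounded(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (n >= cap) return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

/* Parse a whole number; reject an empty field or trailing junk. */
static int parse_long(const char *s, long *out) {
    char *end;
    if (*s == '\0') return 0;
    *out = strtol(s, &end, 10);
    return *end == '\0';
}

enum pw_status parse_passwd_line(const char *line, struct pwent *out) {
    char buf[1024];
    size_t len = strlen(line);

    /* A blank line is an error, not a record to be rewritten as "::0:0:::". */
    if (strspn(line, " \t\r\n") == len) return PW_BLANK;
    if (len >= sizeof buf) return PW_TOO_LONG;
    memcpy(buf, line, len + 1);
    if (len > 0 && buf[len - 1] == '\n') buf[len - 1] = '\0';

    /* Split on ':' into exactly seven fields, keeping empty ones visible. */
    char *f[7];
    int n = 0;
    f[n++] = buf;
    for (char *c = buf; *c != '\0'; c++) {
        if (*c == ':') {
            if (n == 7) return PW_BAD_FIELDS;   /* too many fields */
            *c = '\0';
            f[n++] = c + 1;
        }
    }
    if (n != 7) return PW_BAD_FIELDS;           /* too few fields */

    /* The user name may never be empty: a nameless uid 0 is the whole bug. */
    if (f[0][0] == '\0') return PW_EMPTY_NAME;
    if (!parse_long(f[2], &out->uid) || !parse_long(f[3], &out->gid))
        return PW_BAD_NUMBER;
    if (!copy_bounded(out->name,  sizeof out->name,  f[0]) ||
        !copy_bounded(out->hash,  sizeof out->hash,  f[1]) ||
        !copy_bounded(out->gecos, sizeof out->gecos, f[4]) ||
        !copy_bounded(out->dir,   sizeof out->dir,   f[5]) ||
        !copy_bounded(out->shell, sizeof out->shell, f[6]))
        return PW_TOO_LONG;
    return PW_OK;
}

/* Convenience wrappers: status only, and uid or -1 when the line is rejected. */
enum pw_status check_line(const char *line) {
    struct pwent pw;
    return parse_passwd_line(line, &pw);
}

long uid_of(const char *line) {
    struct pwent pw;
    return parse_passwd_line(line, &pw) == PW_OK ? pw.uid : -1;
}

int main(void) {
    /* Constructed sample lines, including the blank line and the
       "::0:0:::" record the post describes. */
    const char *samples[] = {
        "root:x:0:0:root:/:/bin/sh",
        "",
        "::0:0:::",
        "alice:x:1000:1000:Alice:/home/alice:/bin/sh",
        "bob:x:abc:100:Bob:/home/bob:/bin/sh",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s -> %s\n", samples[i],
               check_line(samples[i]) == PW_OK ? "ok" : "rejected");
    return 0;
}
```

A rewriting tool built on this parser would stop on the first rejected line and leave the old file untouched, which is the behaviour the post's passwd program lacked: it wrote out whatever the unchecked read produced.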
Let's Blame it on MS!
After all, every single news post seems to have some disparaging remark about MS! And we all know MS is the only company that makes software with bugs!
It is not clear from the releases if the kerberized versions are also vulnerable.
hey moderator freak.....
just 'cause someone pointed out your problem don't go bashing on them... you're like 2 or something
due to the last sentence posting as AC for fear of retribution
I wish every programmer guilty of creating this kind of error would be forced to spend 6 months doing nothing but maintenance coding on undocumented, hacker-level C. Maybe that would instill at least a glimmer of respect for quality in them.
If we can't use Telnet, then the terrorists have already won!
rlogin and telnet are 'insecure' in that data transmitted over them is insecure; this is known, and ssh2 is a good alternative.
This buffer overflow bug is no different than those found in ssh previously...
so saying that 'You shouldn't be running telnet' is bullshit.
You shouldn't be USING telnet for anything you don't want sniffed is more accurate. Running it is only a problem in that it's yet one more available service.
Dang it, I was all set to moderate, but this needs a followup instead since Dimwit left something out. Namely that those set commands belong in /etc/system.
And a second followup that the whole thing is moot since that "fix" has been hacked.
There are patches available for linux to do this too, but they never went in for one simple reason: noexec-stack doesn't work. Search for "return into libc."
It does at least stop the kiddies though, since all the distributed exploits execute code on the stack. But any skilled programmer could transform a code-on-stack exploit to a return-into-libc one, so all you get is a false sense of security.
So saying "Hackers do not target MS products because of "perceived" vulnerabilities... they target MS because their products are KNOWN and EXPECTED to have holes. " is not flamebait, but saying that "Hackers target MS products for political reasons" is.
I think this flamebait rating is based on political considerations as well.
Judging by the scarce description, this doesn't look like an ordinary buffer overflow (proper bounds checking on array of pointers is missing), so it's not clear if a non-executable stack will help here.
In addition, a non-executable stack doesn't prevent all exploits. In many cases, specially crafted exploits (using return-into-libc techniques etc.) are still possible.
Actually, the current problem is a UNIX hole (unless you are a BSD addict and do not consider System V to be a UNIX). All systems using a SysV-derived login share it.
From the CERT advisory linked above:
...
HP-UX is NOT Exploitable. It is NOT a security issue with HP-UX. HP-UX does have a benign buffer overflow which is the only reason HP-UX is listed as "affected" above. In any case, the buffer overflow has been fixed by HP.
What the hell is a "benign buffer overflow"? Either the stack can be smashed or not - the benevolence of the attacker is left as an exercise to the reader.
It's a NON SEQUITUR.
Because if they made separate tables Netscape 4 would take forever to scroll with... since we all know how masterful that rendering engine is with the table tag.
In short, Mr. FreeUser Flunky, how quickly you forget the incident where RedHat was berated by other Linux and Unix companies for informing the world of a rootable security exploit affecting wu-ftp prior to the other companies completing their fixes. All of these companies want the security notices to be held back until it's fixable. But if you're sick of concern by companies for the welfare of their clients and consumers, then perhaps you should hang yourself on slashdot where the idiocy roams free ... oh, wait.
Is that the same reason that hackers have found a million holes in UNIX software?
Because they want to make UNIX look bad and OpenVMS look good? (it ain't the MS guys finding those holes...)
There are some days I'm glad I read /. in lynx.
Lynx Version 2.8.2rel.1 (01 Jun 1999)
Built on openbsd2.7 May 5 2000 21:26:30
Not affected.
Jesus, you're an idiot. Will you kindly take twenty seconds of your time to learn about UNIX holes - all caused by galloping featuritis?
I'd say that you're about 15 years old. You're certainly not much older than 25 - all 25 year olds who've spent time in the industry laugh their asses off about UNIX and its "accidental root exploits".
UNIX's track record is a joke. In fact, its current record is a joke, too - but you seem to be way down the road of Windows bashing, so it'll be difficult to convince you. What's your IP? Post it here, and suffer the (trivial UNIX security hole) consequences.
but this needs a followup instead since Dimwit left something out. Namely that those set commands belong in /etc/system
Not really, I don't think there is any Sun admin that wouldn't have at least guessed that those were kernel parameters that needed to be set in /etc/system. After all, the original poster even mentioned rebooting the computer in order to activate them.
So, your remark is informative for non-Sun administrators.
Sigged!
Please, learn C++ and use stringstream. Buffer overflow bugs don't need to exist.
apparently this was patched back in October, but didn't make it out of testing yet (oops) - so there's probably a T-Patch available, and I'm guessing a public one should show up on Sunsolve in a day or 2. I would venture to guess patch 111085-02.
So, this vulnerability was discovered in October, but was going to be left secret until the patches were completed? Sounds painfully similar to the requests made by another company that demands that the nature and demonstration not be made public until a fix is prepared.
Hypocrisy, or selective ignorance?
MS is demanding that information like this is not made available to the general public.
Sun and IBM go and patch their systems as fast as they can.
You tell me who deserves bashing.
IANAL but write like a drunk one.
Mozilla 0.9.6 is affected ..
-- Hasbullah bin Pit (sebol)
So what you're saying is that Unix is more mature than NT, rather than ageing technology, as is usually stated by pro-MS people. I suppose I'd better use that, instead of waiting 20 years for MS to learn how to produce reasonably secure software.
Does a Christian soccer team even need a goalkeeper?
shhh. I think I can hear it clearly now.
[Waaaaahahhhhh]
Ah yes, the distinctive sound of a Microsoft shrill whining about the Slashdot "bias." Jeeze, that's like complaining about the "pro-gun" bias at a local NRA meeting.
Well, I'm saying it's both. UNIX was specifically designed NOT to be secure, in a manner of speaking; it was a 'castrated' version of MULTICS, which WAS, as I recall, designed to be quite secure.
Vintage computer games and RPG books available. Email me if you're interested.
Well, if hackers have found a million holes in Unix, it must be less secure than Windows. :)
Assuming that Unix isn't too screwed up today, I imagine that many of these holes were found at a time when MS was not on hackers' radar screen. They just wanted to hack and they were familiar with Unix. Later anti-MS became a crusade and they had another reason to hack. I can't prove this theory but I base it largely on the percentage of anti-MS posts I see on slashdot. It doesn't mean that the slashdot users are hackers, but I think it is a fair indication of the thoughts of Unix users.
That's basically a fair criticism. But I'd like to point out that since Solaris works so well out of the box, a not small number of Solaris admins I know have never had to change a kernel parameter. Unlike SunOS, and indeed Linux, where kernel rebuilds are practically de rigueur, Solaris generally just works, without tweaking. No doubt this has a lot to do with the fairly homogeneous hardware (speaking only of Sparc here, not x86 Solaris.)
It's too bad a crack has been found for even this protection, but it was probably inevitable. Crackers tend to start with a lot of ingenuity; mix in a deep knowledge of the machine and they will find the weak spots, eventually.
--
I don't want to rule the world... I just want to be in charge of mayonnaise.
(MARKETING???)
What a lame troll!