Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1049 - Hacker attack to allow root access on ANY linux box
Summary: Hacker attack to allow root access on ANY linux box
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: nfs-server
Version: 5.2
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: David Lawrence
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 1999-02-05 05:55 UTC by destef
Modified: 2008-05-01 15:37 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 1999-03-12 21:45:26 UTC


Attachments (Terms of Use)

Description destef 1999-02-05 05:55:20 UTC
By overflowing the buffer of several services a user can
gain access to a root shell with very little effort.

The most known ports for attack are 111 and 143. I have had
3 servers all in different parts of the country get taken
down within a months time due to the same attack.

This problem has been around for years but only recently
heavily exploited. A fixed version of all the vulnerable
services should have been included in RedHat releases long
ago.

There are widely available scripts to portscan large ip
ranges to find linux machines vulnerable to the attack.

A FIX TO THIS PROBLEM SHOULD BE OF TOP PRIORITY TO REDHAT
IMMEDIATELY AND REDHAT SHOULD BE WARNING ANYONE WHO VISITS
THEIR WEB SITE OF THE PROBLEM AND OFFER A PATCH TO CORRECT
IT. BY NOT DOING SO REDHAT WILL LOSE MUCH CREDIBILITY WITH
MUCH NEEDED LINUX-TO-BE CUSTOMERS.

Bottom line is that no linux machine with internet presence
is safe from this attack and until RedHat does something to
correct the problem, and therefore I would not recommnd
anyone use it until then.

Please do your best to correct the problem immediately. A
redhat release version 5.21 or something is not too much to
ask to fix such a major problem--one that should have been
corrected long ago.

Comment 1 Aleksey Nogin 1999-02-05 07:23:59 UTC
Why did you use the "Component: nfs-server" in this bug report? Port
111 is sun-rpc and 143 is imap and they have nothing to do with
nfs-server component. Also, are you sure you had all the latest
security updates installed when your computers were compromized?

I am afraid you did not provide enough information about these
vulnerabilities. I am sure RedHat already included fixes for all
well-known vulnerabilities long time ago and if you know something
they've missed, you'd better provide more information.

Comment 2 Aleksey Nogin 1999-02-08 01:54:59 UTC
> You dont really have a "general" category so nfs is the closest
> since its the most often attacked.
>
I don't work for RedHat - I am just an ordinary user.

> No. I did not have the latest security updates installed because
> 1) red hat did not inform me of the updates,
>
You did not read RedHat Installation Guide carefully enough. It
mentions the redhat-announce-list and gives the link to RedHat Errata
- http://www.redhat.com/support/docs/errata.html

> I am well aware that fixes exist, my complaint lies in the fact that
> redhat still release buggy services. Redhat 5.2 was released last
> month and still does not have "fixed versions"
>
I find that RedHat always releases security fixes quickly. If you are
aware of some _particular_ problems that exist in RH5.2 and are not
yet fixed, it probably means that RedHat is not aware of these
problems and you should create a new bug reports describing those
problems and ways to fix them.

> >+I am afraid you did not provide enough information about these
> >+vulnerabilities. I am sure RedHat already included fixes for all
> >+well-known vulnerabilities long time ago and if you know something
> >+they've missed, you'd better provide more information.
>
>
> I installed everything out of the box as it comes in redhat 5.2
> which is my justification in saying that vulnerable versions are
> still being distributed. I made no changes to the services which are
> being attacked.
>
By "provide enough information" I mean "provide enough information so
that people at RedHat could verify the existance of the problem and
fix it", not just "enough information for someone who already knows
about all the vulnerabilities of all services in RedHat to guess what
you mean".

> could you at least point me to a page that contains ALL known
> secutiry holes (old or new) and how to guard against them.

http://www.redhat.com/support/docs/errata.html

P.S. The comments that are added to bugzilla via Web -
http://developer.redhat.com/bugzilla/show_bug.cgi?id=1049 are easier
to read than those that are sent by e-mail.


Note You need to log in before you can comment on or make changes to this bug.