Thursday, June 15, 2006

Significant increase in probes reported by FBI

The probes are searching for systems that have vulnerable versions of LPRng, the "Next Generation" version of the widely used LPR printing utility, as well as the RPC daemon used with Network File System (NFS) services. While a large portion of these attacks were the result of U.S./Chinese cyberskirmishes following the downing of a U.S. spy plane, the subsequent hacking traffic has not died down. Check your software distribution's home page for an updated version of LPRng and RPC, and do so without delay!

Remember that automated probes are looking for TCP/IP listening ports that are associated with known system weaknesses. Make sure that you're running your Linux system with all services disabled, except the ones that you absolutely need. In a terminal window, switch to superuser status, open /etc/inetd.conf, and comment out the services you're not using (for a single-user system that isn't functioning as a server, likely candidates include anonymous FTP, POP3, Telnet, rlogin, and rcp).
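An added check for the /etc/inetd.conf step (example code, not part of the original post): it reads an inetd.conf-style file, lists the services still enabled, and flags any from a list you expect to be commented out. The sample file, its daemon paths, and the function names are constructed for this example.

```shell
#!/bin/sh
# inetd.conf format: service socket_type proto flags user server_path args
# A line starting with '#' is a disabled service; blank lines are ignored.

# Print the name of every enabled service in the given file, one per line.
active_inetd_services() {
    sed 's/^[[:space:]]*//' "$1" | grep -v '^#' | grep -v '^$' | awk '{print $1}'
}

# Return 1 (and name each offender) if any listed service is still enabled.
# Usage: check_unwanted <inetd.conf> <service>...
check_unwanted() {
    file=$1; shift
    status=0
    for svc in "$@"; do
        if active_inetd_services "$file" | grep -qx "$svc"; then
            echo "enabled: $svc (comment it out in $file)"
            status=1
        fi
    done
    return $status
}

# Constructed sample inetd.conf (hypothetical daemon paths) for a stand-alone run.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
#login  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
  shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
printer stream  tcp  nowait  lp    /usr/sbin/lprd  lprd
EOF

echo "enabled services:"
active_inetd_services "$SAMPLE"
# ftp, pop-3 and shell are still enabled in the sample, so this reports them.
check_unwanted "$SAMPLE" ftp telnet pop-3 login shell \
    || echo "some services that should be disabled are still enabled"
```

Run it against the real file with `check_unwanted /etc/inetd.conf ftp pop-3 telnet login shell` after editing, and restart inetd so the change takes effect.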

New vulnerability in wu-ftpd

I recently found an article on the net reporting that a vulnerability has been confirmed in the wu-ftpd FTP daemon. This vulnerability is remotely exploitable and can be used to execute arbitrary code on the vulnerable FTP server.

Because wu-ftpd is such a popular and widely used FTP server, not only for Linux but for other UNIX-derivatives like BSD systems, the security impact is quite high. The fact that most FTP servers in use these days provide anonymous FTP access compounds the problem. This means that a user doesn't even have to authenticate himself or herself on the server as a real user in order to exploit this vulnerability.

The problem is due to the "file globbing" support in wu-ftpd. Globbing lets clients select files for FTP actions, such as listing and downloading, by pattern. The heap corruption problem in wu-ftpd, in its most innocent form, will simply cause the FTP server to die with a segfault. Unfortunately, this same corruption problem can be exploited to run programs on the server that the user should not be permitted to execute.

Most vendors have quickly released updates to fix this problem. If you are running a version of wu-ftpd installed prior to Nov. 27, 2001, you are vulnerable and need to obtain an update from your vendor.
