Solaris Worm Attacks IIS Servers05/15/2001
Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at problems in vixie cron, Oracle ADI, EnGarde Secure Linux, and Samba 2.0.8; discuss the sadmind/IIS worm; and talk about how to protect a system against worms and other attackers.
The version of vixie cron, a daemon used to schedule commands that was
patched in the fall of 2000, has an error that can be exploited by an
local user to obtain root-level privileges. The vulnerability is
caused by the
crontab command not properly dropping its permissions
under some conditions. It has been reported that this vulnerability
affects Debian, SuSE, and possibly other Linux distributions.
It is recommended that administrators of systems with a vulnerable
vixie cron restrict access to
cron to trusted users and upgrade to a
fixed version when one becomes available. Debian users should upgrade
to the latest version of vixie cron.
Oracle ADI (Application Desktop Integrator) version 220.127.116.11.1, an application
shipped with Oracle Financial Applications version 11.5.3, creates a
dbg.txt on the local system that contains the user names
and passwords used to log into the database. This file is created
whenever the software is started. A malicious user can use these
accounts and passwords to obtain full control over the tables in the
Alerts this week:
Users of Oracle ADI should downgrade to a version earlier than 18.104.22.168.1 and should watch Oracle for a patch.
EnGarde Secure Linux version 1.0.1 was distributed with a version of
glibc that is vulnerable to several environmental variable-based
Guardian Digital recommends that all users of EnGarde Secure Linux
version 1.0.1 upgrade to the latest
glibc package. This package is
available on the EnGarde Secure Linux web site and FTP server.
In April, Samba version 2.0.8 was released to fix a symbolic-link file race condition that could be used by an attacker to overwrite system files, destroy file systems, or obtain root privileges. Version 2.0.8 of Samba was released to solve this problem. However, it did not fix the security problem and version 2.0.9 has now been released to fix it.
The problem was fixed in the 2.2.0 release and users of that version do not need to upgrade.
Users of Samba 2.0.8 or earlier should upgrade to versions 2.0.9 or 2.2.0 as soon as possible. This is planned to be the last release in the 2.0.x series.
sadmind/IIS, a new worm that compromises Solaris servers and then scans for and attacks Microsoft IIS (Internet Information Server) web servers and defaces their web pages, has been reported. The worm attacks Solaris 7 and earlier machines by exploiting a buffer overflow in sadmind that was announced two years ago. It attacks Windows servers using a vulnerability that was announced seven months ago. It also will automatically spread itself to additional Solaris servers using the sadmind vulnerability.
The sadmind application is used to perform some system administration attacks remotely. A buffer overflow that was patched in 1999 can allow a remote attacker to execute arbitrary code with the permissions of the root user.
Signs that a Solaris system has been compromised by the worm include:
sadmind bus errors and core dump messages in the syslog file; a root
shell listening on port 600; the existence of the directories
/dev/cuc; a "
++" added to the
.rhosts file in root's home directory; and running processes such as:
/bin/sh /dev/cuc/sadmin.sh /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 111 /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 80 /bin/sh /dev/cuc/uniattack.sh /bin/sh /dev/cuc/time.sh /usr/sbin/inetd -s /tmp/.f /bin/sleep 300
Once the worm has used the Solaris server to compromise 2000 Windows
IIS servers, it will modify the
index.html page, if any, on the Solaris
server's web server.
It has been reported that thousands of Windows servers running IIS and hundreds of Solaris machines have been damaged or compromised by the sadmind/IIS worm.
To protect your system from this type of attack:
First, do not allow unused and unneeded applications to be available
over the network. I suspect that most of the Solaris machines that
have been compromised by this worm were running sadmind not because
it was in use for remote system administration, but because it had
never been turned off. Administrators should look at two major areas
for applications that may listen on the network: the
file and running applications. They should turn off
any and all applications that are not going to be used or needed. In
many instances the crackers know about a vulnerability long before it
is announced by CERT, mentioned on BUGTRAQ, or fixed by a
distribution. Turning off unneeded software is foolproof protection
against a vulnerability in the software compromising your system.
Second, limit access to your system and the daemons listening on the network to authorized users. For example, if sadmind is being used on your system you can use a firewall to prevent arbitrary attackers located outside your network from connecting to the daemon to exploit a vulnerability. This also protects you to a degree from unannounced security vulnerabilities.
Third, watch for security announcements and apply needed patches and workarounds as they are announced. It is a good practice to watch several different sources of security news, as not every source will carry news of every vulnerability. Watching a security news source that only discusses news about one platform or area can be risky as well -- some news can take a long time to propagate.
If, as an administrator, you disable or remove unused applications, firewall your network, and apply any patches or workarounds that are needed, you will only read about systems that have been compromised -- and will be much less likely to find yourself cleaning up a compromised network.
Read more Security Alerts columns.
Return to the Linux DevCenter.