exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CS-96.04

CS-96.04
Posted Sep 23, 1999

CS-96.04

SHA-256 | ed26230263a8e30b21339ee15fcaad29abe985d55bc56b3021eb1d9a07e9921f

CS-96.04

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------
CERT(*) Summary CS-96.04
July 23, 1996
Last Revised: October 2, 1997
Updated copyright statement

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
ftp://info.cert.org/pub/

Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------


Increasing Sophistication of Intruder Community Expertise
- ---------------------------------------------------------

In earlier summaries, we noted that the intruder community was
analyzing operating system source code to develop increasingly
sophisticated and effective exploitation techniques. The intruder
community is now developing new techniques to analyze programs for
potential vulnerabilities even in the absence of source code. This can
be done with a tool that traces system calls and subroutine calls
within a program, thus allowing a person to match such calls against
command line parameters.

Although there is little that sites can do in direct response to this
information, it does highlight the importance of staying up to date
with security patches and workarounds for your operating systems and
applications.


Operating System Concerns
- -------------------------

We receive reports relating to incident activity from many different
sites using a wide variety of operating systems. Because of problems
we see that directly relate to operating systems, we felt it
worthwhile to make a few observations about choosing an operating
system. For information on this subject, see

ftp://info.cert.org/pub/tech_tips/choose_operating_sys


Forged Advisories
- -----------------

Occasionally, we see forged advisories on various newsgroups or other
distribution lists. If you have the Pretty Good Privacy (PGP) program,
you can determine whether or not an advisory is genuine by checking
the PGP signature.

We use PGP to sign all our advisories. To verify that a CERT advisory
is authentic,

1. Get the CERT public key from

ftp://info.cert.org/pub/CERT_PGP.key

2. Verify the authenticity of the document by checking the PGP
signature. To do this, enter the following command:

%pgp <filename>

You should see a message that includes the statement

Good signature from user "CERT Coordination Center <cert@cert.org>".
Signature made <date>



Recent Activity and Trends
- --------------------------

Since the May CERT Summary, we have seen these continuing trends in
incidents reported to us.

1. Linux root compromises

At least once a week we see reports of Linux machines that suffer
break-ins leading to root compromises. In many of these incidents, the
systems were misconfigured, and/or the intruders exploited well-known
vulnerabilities (for which CERT advisories have been published); the
intruders then installed Trojan horse programs and/or network
monitoring programs (packet sniffers).

If you are running Linux, we strongly urge you to keep up to date with
patches and security workarounds. We recommend that you also review

ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks

Further, you may want to monitor the Linux newsgroups and mailing
lists for security patches and workarounds. More information can be
found at

http://bach.cis.temple.edu/linux/linux-security/


2. Telnetd in Linux systems

We have noticed an increase in the exploitation of a vulnerability in
the telnetd environment on unpatched Linux-based systems. If you have
not patched your system(s) for this vulnerability, we urge you to
review CERT advisory CA-95:14 and install the patch or workaround
provided.

ftp://info.cert.org/pub/cert_advisories/CA-95:14.Telnetd_Environment_Vulnerability


3. Password Cracking

We continue to receive daily reports of unauthorized site access as a
result of compromised accounts and/or "cracked" passwords. For
information about protecting your password files, please see

ftp://info.cert.org/pub/tech_tips/passwd_file_protection


4. Sendmail attacks

Although discussed in previous summaries, we continue to receive
reports each week about intruders who attempt to exploit sendmail
vulnerabilities. We have published several advisories on sendmail. If
you have not addressed the vulnerabilities in sendmail, we urge you to
review these advisories and take appropriate action. All advisories,
including sendmail advisories, can be found at

ftp://info.cert.org/pub/cert_advisories/

In many of these attempts, intruders are trying to obtain
password files. For information on protecting your password files, see

ftp://info.cert.org/pub/tech_tips/passwd_file_protection

We have had many questions about when to use the sendmail restricted
shell program (smrsh). You should run smrsh with any UNIX system that
is running sendmail, regardless of vendor or version.

smrsh is now included as part of the current sendmail distribution
(effective with version 8.7.1). We strongly urge you to upgrade to the
latest version of sendmail. See

ftp://info.cert.org/pub/latest_sw_versions/sendmail


5. cgi-bin vulnerabilities

Since our last summary, we've seen an increase in the number of
reports relating to vulnerabilities in cgi-bin programs. Any cgi-bin
program that relies on escape_shell_cmd() to prevent exploitation of
shell-based library calls may be vulnerable to attack. For more
information about cgi-bin vulnerabilities and patches, please see

ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

There have been discussions in several public forums about the problem
of general-purpose interpreters being placed in the cgi-bin directory.
If these interpreters are accessible in the cgi-bin directory of a Web
server, then a remote user can execute any command the interpreters
can execute on that server. For more details and patch information,
see

ftp://info.cert.org/pub/cert_advisories/CA-96.11.interpreters_in_cgi_bin_dir


6. Mail spamming/spoofing attacks

We receive at least three incidents each week of mail spamming and/or
spoofing attacks. For information on responding to and recovering from such
activity, see

ftp://info.cert.org/pub/tech_tips/email_bombing_spamming
ftp://info.cert.org/pub/tech_tips/email_spoofing



What's New in the CERT FTP Archive
- ----------------------------------

We have made the following changes since the last CERT Summary (May 22, 1996).


* New Additions

ftp://info.cert.org/pub/cert_advisories/

CA-96.10.nis+_configuration
CA-96.11.interpreters_in_cgi_bin_dir
CA-96.12.suidperl_vul
CA-96.13.dip_vul

ftp://info.cert.org/pub/cert_bulletins/

VB-96.08.sgi
VB-96.09.freebsd
VB-96.10.sco
VB-96.11.freebsd

ftp://info.cert.org/pub/tech_tips/

choose_operating_sys Things to consider when choosing an
operating system for your site

ftp://info.cert.org/pub/tools/

ifstatus Added the ifstatus program

ftp://info.cert.org/pub/vendors/

sun/sun_bulletin_00135 Added bulletin from Sun
Microsystems, Inc.

dec/dec-96.0383 Added bulletin from Digital
Equipment Corporation


* Updated Files

ftp://info.cert.org/pub/cert_advisories/

CA-95:13 Added vendor information for Digital
Equipment Corporation and Silicon
Graphics, Inc.

CA-96.04 Added information about the next
release of BIND

CA-96.08 Added vendor information for Digital
Equipment Corporation, NEC
Corporation, and Data Design Systems,
Inc. Added patch information for
FreeBSD, Inc.

CA-96.09 Added vendor information for Digital
Equipment Corporation. Added pointers
to Silicon Graphics, Inc. release notes
and Sun Microsystems, Inc. patches

CA-96.12 Added vendor information for FreeBSD,
NEC Corporation, and Digital Equipment
Corporation

ftp://info.cert.org/pub/FIRST/

first-contacts Updated contact information


ftp://info.cert.org/pub/latest_sw_versions/

bind Added pointer to version 4.9.4
ifstatus Added pointer to ifstatus

If you use any of the software listed in this directory, we recommend
that you upgrade to the current versions. Among other changes, these
new versions address security weaknesses present in previous versions.

If you have any questions about the software listed in this directory,
please contact the vendor for more information.


- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email cert@cert.org

Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.

Fax +1 412-268-6989

Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group
comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
http://www.cert.org/
ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key

- ------------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History:

Oct 02, 1997 Updated copyright history

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNDgB43VP+x0t4w7BAQHmLgQAnM+f3nTzJzXi3ed309IatQ/fPDRAoB3A
wkzULnPIYTsl+ahCAt5+d0kXn1FcfhiZomwJfeTurc0ss3wDZ2Ki1sI8zlxZSBZS
xtb54+Sm/AcgshrDbe3aHuj20EYtNKhV50ojZTi5OkDkclcv+dNW0aErvsbSQCfr
H1zIU2LqfwU=
=KZ+L
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close