Category Archives: Advisories

BA-2005-01 Cursory Analysis of a System Compromise (due to poor password selection)

Cursory analysis of a system compromise (due to poor password choice)

On March 9 at 0856 the installation of a Fedora Core 3 system was completed.
The system was then set up on a NAT network and patched using updates provided by
the Fedora project. The root password, for convenience, was temporarily set to
‘password’ as an outside contractor would be setting up some software.


BA-2003-01 Debian: Unsafe directory ownership, default paths may lead to privilege escalation

 

Original release date: December 6, 2003
Last revised: December 06, 2003

A complete revision history is at the end of this file.

Systems Affected

Debian 3.0 with group ‘staff’ ownership of /usr/local/* and the default path setting in /root/.profile

Severity

Low/Medium (Requires access to a local ‘staff’ account)

Overview

The default path setting for Debian 3.0 sets priority to /usr/local before its /usr counterpart. Combined with the loose access controls on /usr/local, this could lead to a privilege escalation attack that might yield root access to an attacker.


BA-2002-01 String-Based Analysis of Apache Chunked Encoding Worm

From: Golden_Eternity [[email protected]]
Sent: Friday, June 28, 2002 2:15 PM
Subject: RE: Apache worm in the wild

Just based on the strings in the .a file, this is my best guess as to what it's
doing. I haven't tried running it, yet, so my observations are very limited.
Hopefully someone will find this interesting.

BA-2001-03 Multiple Problems with the Implementation of SSH ChRootGroups/ChRootUsers

 

Original release date: July 22, 2001
Last revised: July 22, 2001

A complete revision history is at the end of this file.

Systems Affected

A) Systems running SSH Communications, Inc’s SSH 2 implementation, using the built-in features for user login security.

B-C) Those same systems using SSH 1 compatibility.


BA-2001-02 Firewall rule exposure on ACK based filters

 

Original release date: May 26, 2001
Last revised: May 27, 2001

A complete revision history is at the end of this file.

Systems Affected

Any firewall configured to block inbound packets without the ACK bit set.

Severity

Low – Enumeration

Overview

Any firewall system configured to block (not respond to) inbound packets without the ACK bit set may be vulnerable to an information gathering attack that could reveal a portion of the firewall ruleset and suggest the presence of listening daemons.


ba-2001-01-post

From: Golden_Eternity [bhodi@….com]
Sent: Monday, April 23, 2001 12:08 PM
To: ‘BUGTRAQ@….com’
Subject: Non-user accounts assigned shell by default – Red Hat 6.1-7.0,
et al.

SEVERITY: Low
AFFECTED VERSIONS: Confirmed on Red Hat 6.1, 6.2 and 7.0
DESCRIPTION:
The default installation does not assign a shell for most non-user accounts
(e.g. nobody, bin). If no shell is specified for an account, the shell
defaults to /bin/sh.

On its own, this does not pose a significant threat. However, very few of
these accounts require a shell, so there is no reason to grant this extra
privilege. This may violate security policies for granting the minimum
privileges necessary to accomplish a task.

Additionally, the default installation of /etc/shells does not contain a
shell such as /bin/false which would deny login.

Red Hat was contacted about this in June 2000 and has elected not to fix
this problem at this time.

https://bugzilla.redhat.com/show_bug.cgi?id=12409

SOLUTION:
The solution would be to assign these accounts a false shell which will
not permit login, such as /bin/false. This shell could be added to /etc/shells
for use with chsh.

DEMONSTRATION:
[root@roto-router /root]# grep "nobody" /etc/passwd
nobody:x:99:99:Nobody:/:
[root@roto-router /root]# su nobody
bash$

[root@roto-router /root]# grep "xfs" /etc/passwd
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
[root@roto-router /root]# su xfs
[root@roto-router /root]#


I apologize if this is not considered a significant enough issue to post
to bugtraq. I debated posting for a while and eventually decided that if
it isn’t, the moderator will kill it. 😉

Since some administrators may not be aware that there is a default shell
for unix/linux accounts, I felt this information could be useful.

Updates to this warning can be found at https://www.bhodisoft.com/Sec/
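
The check described in the post above, as an added example that is not part of the original post: it lists non-user accounts whose shell field is empty in a passwd-format file and tests whether /bin/false appears in a shells file. The UID threshold of 500, the function names and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit passwd-format data for non-user accounts with an
# empty shell field, which is treated as /bin/sh at login.
# Assumption: "non-user" means UID below 500 (override with 2nd argument).

# Print "name uid" for each system account whose 7th field is empty.
# Lines without a numeric UID (comments, blanks) are ignored.
empty_shell_accounts() {
    awk -F: -v max="${2:-500}" '
        $3 ~ /^[0-9]+$/ && $3 + 0 < max && $7 == "" { print $1, $3 }
    ' "$1"
}

# Succeed if the given shell appears as a whole line in a shells file.
shell_listed() {
    grep -Fxq -- "$2" "$1"
}

# Constructed sample data modelled on the demonstration in the post.
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
    printf '%s\n' /bin/sh /bin/bash > "$1/shells"
}

# Report findings and the remediation the post suggests (printed, not run).
demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp"
    empty_shell_accounts "$tmp/passwd" | while read -r name uid; do
        echo "empty shell: $name (uid $uid); fix with: chsh -s /bin/false $name"
    done
    shell_listed "$tmp/shells" /bin/false ||
        echo "/bin/false is not in the shells file; add it for use with chsh"
    rm -rf "$tmp"
}

demo
```

On a live system, point `empty_shell_accounts` at /etc/passwd and `shell_listed` at /etc/shells.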

BA-2001-01 Non-user accounts assigned shell by default

Original release date: April 23, 2001
Last revised: July 21, 2001

A complete revision history is at the end of this file.

Systems Affected

Confirmed on Red Hat 6.1, 6.2 and 7.0

Severity

Low

Overview

The default installation does not assign a shell for most non-user accounts (e.g. nobody, bin). If no shell is specified for an account, the shell defaults to /bin/sh.
