Category Archives: Advisories

BA-2005-01 Cursory Analysis of a System Compromise (due to poor password selection)

Cursory analysis of a system compromise (due to poor password choice)

On March 9 at 0856 the installation of a Fedora Core 3 system was completed.
The system was then placed on a NAT network and patched using the updates
provided by the Fedora project. For convenience, the root password was
temporarily set to 'password', since an outside contractor would be setting up
some software.


BA-2003-01 Debian: Unsafe directory ownership, default paths may lead to privilege escalation


Original release date: December 6, 2003
Last revised: December 06, 2003

A complete revision history is at the end of this file.

Systems Affected

Debian 3.0 with group ‘staff’ ownership of /usr/local/* and the default path setting in /root/.profile

Severity

Low/Medium (Requires access to a local ‘staff’ account)

Overview

The default PATH for root on Debian 3.0 (set in /root/.profile) places /usr/local/sbin and /usr/local/bin ahead of /usr/sbin and /usr/bin. Because /usr/local and its subdirectories are writable by group 'staff', a member of that group can plant a program there that shadows a system command of the same name; when root later runs that command, the planted copy runs instead, which may yield root access to the attacker.
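As an added example (not part of the advisory and not Debian's own tooling), the following POSIX shell function audits a PATH string for this pattern: it reports every directory that precedes the first system bin directory in the PATH and is writable by its group or by everyone, i.e. every place where a non-root writer could shadow a command that root expects to find in /usr/bin or /usr/sbin. The function and variable names, and the directories it is run against, are the caller's; nothing in it is taken from a real system.

```sh
#!/bin/sh
# Added example, not from the advisory: audit a PATH string for the
# precedence problem described above. A directory is reported when it
# (1) appears before the first system directory (/usr/sbin, /usr/bin,
#     /sbin or /bin) in the PATH, and
# (2) is writable by its group or by everyone,
# because a program planted there by a group member (Debian's 'staff'
# writing into /usr/local/bin, for instance) is found before the real one.

# audit_path PATHSTRING
# Prints one line per risky directory; returns 1 if any were found, else 0.
audit_path() {
    _seen_system=0
    _hits=0
    _old_ifs=$IFS
    case $- in *f*) _had_f=1 ;; *) _had_f=0 ;; esac
    set -f                      # no globbing while we split on ':'
    IFS=:
    for _d in $1; do
        [ -z "$_d" ] && _d=.    # an empty PATH entry means the current directory
        case "$_d" in
            /usr/sbin|/usr/bin|/sbin|/bin) _seen_system=1 ;;
        esac
        if [ "$_seen_system" -eq 0 ] && [ -d "$_d" ]; then
            # The first ten characters of 'ls -ld' are the type and mode bits,
            # e.g. drwxrwsr-x: character 6 is group write, character 9 is
            # other write.
            _mode=$(ls -ld "$_d" | cut -c1-10)
            case "$_mode" in
                ?????w*) echo "$_d: group-writable ($_mode)"; _hits=$((_hits + 1)) ;;
            esac
            case "$_mode" in
                ????????w?) echo "$_d: world-writable ($_mode)"; _hits=$((_hits + 1)) ;;
            esac
        fi
    done
    IFS=$_old_ifs
    [ "$_had_f" -eq 1 ] || set +f
    [ "$_hits" -eq 0 ]
}

# When run directly, check the caller's own PATH (run it as root to see root's).
audit_path "$PATH" || echo "PATH has a writable directory ahead of the system bin directories"
```

On an affected Debian 3.0 system, running this as root reports the /usr/local/sbin and /usr/local/bin entries as group-writable. Either removing 'staff' write access from /usr/local or moving the /usr/local entries after /usr/bin and /usr/sbin in /root/.profile removes the precondition; the advisory's own recommendation is in its full text.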


BA-2002-01 String-Based Analysis of Apache Chunked Encoding Worm

From: Golden_Eternity [[email protected]]
Sent: Friday, June 28, 2002 2:15 PM
Subject: RE: Apache worm in the wild

Just based on the strings in the .a file, this is my best guess as to what it's
doing. I haven't tried running it yet, so my observations are very limited.
Hopefully someone will find this interesting.

BA-2001-02 Firewall rule exposure on ACK based filters


Original release date: May 26, 2001
Last revised: May 27, 2001

A complete revision history is at the end of this file.

Systems Affected

Any firewall configured to block inbound packets without the ACK bit set.

Severity

Low – Enumeration

Overview

Any firewall system configured to silently drop (rather than reject) inbound packets that do not have the ACK bit set may be vulnerable to an information-gathering attack: probes with the ACK bit set pass the filter and draw a response from the host behind it, which can reveal a portion of the firewall ruleset and suggest the presence of listening daemons.
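The following POSIX shell script is an added example, not part of the advisory: it simulates the probe the overview describes, with one filter that tests the ACK bit and one that tracks connection state, and classifies ports by whether the probe drew a reply. The ruleset (ports 22 and 80 admitted only with ACK set), the flag strings, the connection table and the function names are all constructed for the simulation; no packets are sent.

```sh
#!/bin/sh
# Added example, not from the advisory: a simulation of an ACK scan against
# two filter models. Filter functions decide what happens to an inbound TCP
# segment; the scan classifies each port by whether anything came back.
#
# Constructed ruleset (an assumption, not taken from the advisory): the
# firewall is meant to admit only replies to outbound connections to ports
# 22 and 80, and implements that with an ACK-bit test of the kind that
# iptables '! --syn' or ipchains '! -y' expresses.
ALLOWED_PORTS="22 80"

# stateless_filter FLAGS DPORT -> prints ACCEPT or DROP
# FLAGS is a string of TCP flag letters, e.g. S, A, SA, R.
stateless_filter() {
    _flags=$1; _dport=$2
    for _p in $ALLOWED_PORTS; do
        if [ "$_p" = "$_dport" ]; then
            case "$_flags" in *A*) echo ACCEPT; return 0 ;; esac
        fi
    done
    echo DROP
}

# Connection table of the stateful variant: one entry per connection the
# firewall saw a SYN for. It is keyed on the destination port only to keep
# the example short; a real conntrack keys on the full 4-tuple.
CONNTRACK=""

# stateful_filter FLAGS DPORT -> ACCEPT only if the segment belongs to a
# tracked connection; a bare ACK that matches nothing is dropped just as a
# SYN would be, whatever its flags.
stateful_filter() {
    _flags=$1; _dport=$2
    case " $CONNTRACK " in
        *" $_dport "*) echo ACCEPT ;;
        *)             echo DROP ;;
    esac
}

# host_reply FLAGS -> what the end host sends for a segment the filter
# passed. RFC 793 has a host answer an ACK that matches no connection with
# a RST whether or not a daemon listens on the port, so the reply tells the
# prober only that the filter let the segment through.
host_reply() {
    case "$1" in *A*) echo RST ;; *) echo NONE ;; esac
}

# ack_scan FILTER PORT... -> one "port state" line per port: unfiltered
# when a RST came back, filtered when nothing did.
ack_scan() {
    _filter=$1; shift
    for _port in "$@"; do
        if [ "$("$_filter" A "$_port")" = ACCEPT ] && [ "$(host_reply A)" = RST ]; then
            echo "$_port unfiltered"
        else
            echo "$_port filtered"
        fi
    done
}

echo "ACK scan against the stateless (ACK-bit) ruleset:"
ack_scan stateless_filter 21 22 25 80 443
echo "ACK scan against the stateful ruleset:"
ack_scan stateful_filter 21 22 25 80 443
```

Against the stateless ruleset the scan lists 22 and 80 as unfiltered and the rest as filtered: the permitted-port portion of the ruleset has leaked to an outsider who holds no connection at all. Against the stateful variant every port is filtered, because a bare ACK matches no tracked connection. On a live firewall the equivalent check is an ACK scan from outside, for example nmap -sA, and the fix is to filter on connection state rather than on the ACK bit.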


ba-2001-01-post

From: Golden_Eternity [bhodi@….com]
Sent: Monday, April 23, 2001 12:08 PM
To: ‘BUGTRAQ@….com’
Subject: Non-user accounts assigned shell by default – Red Hat 6.1-7.0, et al.

SEVERITY: Low
AFFECTED VERSIONS: Confirmed on Red Hat 6.1, 6.2 and 7.0
DESCRIPTION:
The default installation does not assign a shell for most non-user accounts
(e.g. nobody, bin). If no shell is specified for an account, the shell
defaults to /bin/sh.

On its own, this does not pose a significant threat. However, very few of
these accounts require a shell, so there is no reason to grant this extra
privilege. This may violate security policies for granting the minimum
privileges necessary to accomplish a task.

Additionally, the default installation of /etc/shells does not contain a
shell such as /bin/false which would deny login.

Red Hat was contacted about this in June 2000 and has elected not to fix
this problem at this time.

https://bugzilla.redhat.com/show_bug.cgi?id=12409
SOLUTION:
The solution would be to assign these accounts a false shell which will
not permit login, such as /bin/false. This shell could be added to /etc/shells
for use with chsh.
DEMONSTRATION:
[[email protected] /root]# grep "nobody" /etc/passwd
nobody:x:99:99:Nobody:/:
[[email protected] /root]# su nobody
bash$

[[email protected] /root]# grep "xfs" /etc/passwd
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
[[email protected] /root]# su xfs
[[email protected] /root]#


I apologize if this is not considered a significant enough issue to post
to bugtraq. I debated posting for a while and eventually decided that if
it isn’t, the moderator will kill it. 😉

Since some administrators may not be aware that there is a default shell
for unix/linux accounts, I felt this information could be useful.

Updates to this warning can be found at http://www.bhodisoft.com/Sec/

BA-2001-01 Non-user accounts assigned shell by default

Original release date: April 23, 2001
Last revised: July 21, 2001

A complete revision history is at the end of this file.

Systems Affected

Confirmed on Red Hat 6.1, 6.2 and 7.0

Severity

Low

Overview

The default installation leaves the shell field of /etc/passwd empty for most non-user (system) accounts, e.g. nobody and bin. When that field is empty, login(1) and su(1) fall back to /bin/sh, so these accounts can obtain a shell even though nothing they do requires one.
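As an added example serving both the Bugtraq post above and this advisory (it is code from neither), the following POSIX shell script scans a passwd(5)-format file for system accounts that can still obtain a shell: an empty shell field is reported because it falls back to /bin/sh, exactly the 'nobody' case demonstrated above, and any shell other than a known login-denying one is reported as well. The sample file it builds is constructed for the example, and the UID ceiling, the login-denying shell list and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the advisory: find system accounts in a
# passwd(5)-format file whose shell still permits a login.

# Shells that refuse an interactive login. /sbin/nologin and
# /usr/sbin/nologin are the later equivalents of the /bin/false the
# advisory recommends.
NOLOGIN_SHELLS="/bin/false /usr/bin/false /sbin/nologin /usr/sbin/nologin"

# audit_passwd FILE [MAX_UID]
# Prints "user uid shell" for each account with uid below MAX_UID (default
# 100, which covers the accounts in the advisory) that is not root and whose
# shell permits login. An empty shell field is reported as such, since
# login(1) and su(1) fall back to /bin/sh for it. Returns 1 if anything was
# printed, else 0.
audit_passwd() {
    _file=$1
    _max_uid=${2:-100}
    _hits=0
    while IFS=: read -r _user _pw _uid _gid _gecos _home _shell; do
        case "$_user" in ''|'#'*) continue ;; esac      # blank or comment line
        case "$_uid" in ''|*[!0-9]*) continue ;; esac   # malformed uid field
        [ "$_user" = root ] && continue
        [ "$_uid" -ge "$_max_uid" ] && continue         # ordinary users: out of scope
        if [ -z "$_shell" ]; then
            echo "$_user $_uid <empty: defaults to /bin/sh>"
            _hits=$((_hits + 1))
            continue
        fi
        _denied=0
        for _s in $NOLOGIN_SHELLS; do
            [ "$_s" = "$_shell" ] && _denied=1
        done
        if [ "$_denied" -eq 0 ]; then
            echo "$_user $_uid $_shell"
            _hits=$((_hits + 1))
        fi
    done < "$_file"
    [ "$_hits" -eq 0 ]
}

# sample_passwd FILE
# Writes a constructed sample in the advisory's format (not a real
# /etc/passwd) to FILE.
sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
operator:x:11:0:operator:/root:/bin/sh
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
}

# When run directly: audit the sample, then suggest the advisory's fix.
_sample=$(mktemp)
sample_passwd "$_sample"
audit_passwd "$_sample" || echo "fix each reported account with: usermod -s /bin/false <user>"
rm -f "$_sample"
```

On the sample, bin and nobody are reported for their empty shell field and operator for /bin/sh, while xfs (/bin/false), root and the ordinary user alice are not. On a live Red Hat 6.x or 7.0 system run audit_passwd /etc/passwd 500, since useradd there started ordinary users at UID 500; each reported account gets a login-denying shell with usermod -s /bin/false <user>, the fix the advisory recommends, and /bin/false can be added to /etc/shells if chsh is to accept it.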
