Red Hat Bugzilla – Bug 1049
Hacker attack to allow root access on ANY linux box
Last modified: 2008-05-01 11:37:49 EDT
By overflowing the buffer of several services a user can
gain access to a root shell with very little effort.
The most known ports for attack are 111 and 143. I have had
3 servers all in different parts of the country get taken
down within a months time due to the same attack.
This problem has been around for years but only recently
heavily exploited. A fixed version of all the vulnerable
services should have been included in RedHat releases long
There are widely available scripts to portscan large ip
ranges to find linux machines vulnerable to the attack.
A FIX TO THIS PROBLEM SHOULD BE OF TOP PRIORITY TO REDHAT
IMMEDIATELY AND REDHAT SHOULD BE WARNING ANYONE WHO VISITS
THEIR WEB SITE OF THE PROBLEM AND OFFER A PATCH TO CORRECT
IT. BY NOT DOING SO REDHAT WILL LOSE MUCH CREDIBILITY WITH
MUCH NEEDED LINUX-TO-BE CUSTOMERS.
Bottom line is that no linux machine with internet presence
is safe from this attack and until RedHat does something to
correct the problem, and therefore I would not recommnd
anyone use it until then.
Please do your best to correct the problem immediately. A
redhat release version 5.21 or something is not too much to
ask to fix such a major problem--one that should have been
corrected long ago.
Why did you use the "Component: nfs-server" in this bug report? Port
111 is sun-rpc and 143 is imap and they have nothing to do with
nfs-server component. Also, are you sure you had all the latest
security updates installed when your computers were compromized?
I am afraid you did not provide enough information about these
vulnerabilities. I am sure RedHat already included fixes for all
well-known vulnerabilities long time ago and if you know something
they've missed, you'd better provide more information.
> You dont really have a "general" category so nfs is the closest
> since its the most often attacked.
I don't work for RedHat - I am just an ordinary user.
> No. I did not have the latest security updates installed because
> 1) red hat did not inform me of the updates,
You did not read RedHat Installation Guide carefully enough. It
mentions the redhat-announce-list and gives the link to RedHat Errata
> I am well aware that fixes exist, my complaint lies in the fact that
> redhat still release buggy services. Redhat 5.2 was released last
> month and still does not have "fixed versions"
I find that RedHat always releases security fixes quickly. If you are
aware of some _particular_ problems that exist in RH5.2 and are not
yet fixed, it probably means that RedHat is not aware of these
problems and you should create a new bug reports describing those
problems and ways to fix them.
> >+I am afraid you did not provide enough information about these
> >+vulnerabilities. I am sure RedHat already included fixes for all
> >+well-known vulnerabilities long time ago and if you know something
> >+they've missed, you'd better provide more information.
> I installed everything out of the box as it comes in redhat 5.2
> which is my justification in saying that vulnerable versions are
> still being distributed. I made no changes to the services which are
> being attacked.
By "provide enough information" I mean "provide enough information so
that people at RedHat could verify the existance of the problem and
fix it", not just "enough information for someone who already knows
about all the vulnerabilities of all services in RedHat to guess what
> could you at least point me to a page that contains ALL known
> secutiry holes (old or new) and how to guard against them.
P.S. The comments that are added to bugzilla via Web -
http://developer.redhat.com/bugzilla/show_bug.cgi?id=1049 are easier
to read than those that are sent by e-mail.