[lug] Security notice and Ramen

D. Stimits stimits at idcomm.com
Tue Jan 23 15:20:00 MST 2001


"Scott A. Herod" wrote:
> 
> Not Ramen itself but I have had to deal with an attack from the
> same root kit.  ( New rule, if you put up a machine outside
> the firewall, and don't follow the network rules, some friends with
> tin snips will come visit you and emacs is going to be hard for you to
> use again. )
> 
> I'm only familiar with the 6.2 exploit and there, as the advisory
> probably mentioned, a patched version of statd have been available
> at least since Nov.
> 
> As for other holes, I'm sure new ones will be found.  For example,
> how old is the lpd attack used against RH 7.0?  ( Of course, I've
> not written enough C/C++ networking code to understand why it's so
> hard to close buffer overflow attacks. )

A big part of making buffer overflow popular is because of functions
that expect a NULL-terminated string (i.e., sprintf/sscanf and friends
are easy to find and work on; using snprintf avoids much of that iff the
length of the string measured is itself safe, not depending on NULL).
Those functions are usually part of glibc, and well-known how to work on
them to break them.

A nice way to avoid making your C/C++ app a target is to not use
NULL-terminated char string C/C++ functions (for example, use a
std::string instead of char*), without a predefined means of limiting
how far it is going to allow that string length limit. How many
applications out there might use a char* style string? HUGE list.

> 
> Scott
> 
> John Starkey wrote:
> >
> > Has anyone had to deal with the ramen toolkit? I was just made aware that
> > some machines on the same network as mine have been compromised. I'm not
> > running any of the specified services and it looks like i'm clear but CERT
> > just issued the Incident Note last week. So i'm wondering if there are any
> > other holes that could be used?
> >
> > Funny, their using /usr/src/.poop as the root dir. Such jokers :}
> >
> > TIA,
> >
> > John
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug




More information about the LUG mailing list