Classification of CERT/CC Advisories 1993--1998
This document is a classification of the CERT alerts from 1993 through early 1998. These alerts are classified into the categories shown below. The classification is structured so that there is a good correlation between the category and the technique we can use to prevent the attack (if we can). Because the alerts do not provide detailed information about the attacks, we have had to perform the classification, as well as the assessment of detectability (using our approach), with limited information. To that extent, there may be some errors and unknowns in the information provided below.
Attacks in this category exploit a buffer overflow error to make a program (typically a privileged program) execute arbitrary commands, such as forking an interactive shell for the attacker. Typically, the commands executed cause the attacked program to take actions that it would not take under normal circumstances. As such, these attacks can be detected by our specification-based approach.
- CA-98.05 Topic 1: Inverse Query Buffer Overrun in BIND 4.9 and BIND 8
- CA-97.26 Buffer Overrun Vulnerability in statd(1M) Program
- CA-97.24 Buffer Overrun Vulnerability in Count.cgi cgi-bin Program
- CA-97.23 Buffer Overflow Problem in rdist
- CA-97.21 SGI Buffer Overflow Vulnerabilities
- CA-97.19 lpr Buffer Overrun Vulnerability
- CA-97.18 Vulnerability in the at(1) program
- CA-97.17 Vulnerability in suidperl (sperl)
- CA-97.13 Vulnerability in xlock
- CA-97.12 Vulnerability in webdist.cgi
- CA-97.11 Vulnerability in libXt
- CA-97.10 Vulnerability in Natural Language Service
- CA-97.09 Vulnerability in IMAP and POP
- CA-97.08 Topic 2: Second vulnerability related to INN - ucbmail, Topic 1: Vulnerability in innd
- CA-97.07 Vulnerability in the httpd nph-test-cgi script
- CA-97.06 Vulnerability in rlogin/term
- CA-97.05 MIME Conversion Buffer Overflow in Sendmail
- CA-97.04 talkd Vulnerability
- CA-97.02 HP-UX newgrp Buffer Overrun Vulnerability
- CA-96.24 Sendmail Daemon Mode Vulnerability
- CA-96.20 Sendmail Vulnerabilities
- CA-96.18 Vulnerability in fm_fls
- CA-96.14 Vulnerability in rdist
- CA-96.13 Vulnerability in the dip program
- CA-96.04 Corrupt Information from Network Servers
- CA-95:17 rpc.ypupdated Vulnerability
- CA-95:13 Syslog Vulnerability - A Workaround for Sendmail
- CA-95:04 NCSA HTTP Daemon for UNIX Vulnerability
- CA-94:02 Revised Patch for SunOS /usr/etc/rpc.mountd Vulnerability
This is another class of attacks involving programs that fail to perform adequate permission checking on files. This may be because the program fails to perform any permission checking, fails to verify the presence of a file before creating it (thereby erasing the previous contents), fails to check whether the file is a symbolic link, etc. Even if permissions are checked, there may be a race condition between the file access check and the actual open operation. Intrusions involving these problems aim to fool a program into modifying critical files such as the password file, .login or .profile files, etc. In particular, they typically involve accessing files that the program would not normally access, or unexpected overwriting of files or use of symbolic links. Consequently, we expect to be able to capture most of these attacks using our specification-based approach.
- CA-98.03 SSH agent (Inadequate checking of arguments to setuid program)
- CA-98.02 CDE vulnerabilities (Inadequate checking of arguments to setuid program)
- CA-97.03 Vulnerability in IRIX csetup (It is possible to configure csetup to run in DEBUG mode, creating a logfile in a publicly writable directory)
- CA-96.27 Vulnerability in HP Software Installation Programs
- CA-96.25 Sendmail Group Permissions Vulnerability
- CA-96.23 Vulnerability in WorkMan: When a file is specified with "-p", WorkMan simply attempts to create and/or truncate the file, and if this succeeds, WorkMan changes the permissions on the file so that it is world-readable and world-writable.
- CA-96.19 Vulnerability in expreserve
- CA-96.17 Vulnerability in Solaris vold: The handling of vold's temporary files is not performed in a secure manner. As vold is configured to access these temporary files with root privileges, it may be possible to manipulate vold into creating or over-writing arbitrary files on the system.
- CA-96.16 Vulnerability in Solaris admintool
- CA-96.15 Vulnerability in Solaris 2.5 KCMS programs
- CA-96.08 Vulnerabilities in PCNFSD
- CA-95:09 Solaris ps Vulnerability
- CA-95:02 Vulnerabilities in /bin/mail
- CA-93:17 xterm.login
This category covers several instances where a program (typically a privileged one) is made to perform actions chosen by an attacker via carefully crafted input or arguments to the program. Buffer overflows and insecure filename handling are in fact special cases of this category, but we have listed them separately since they are so prevalent, and also because more specific defenses (e.g., detecting an attempt to execute a system call from code in the data segment, or an attempt to overwrite unrelated files) can be designed to capture them. The attacks in this category typically result in a process performing actions that it normally does not perform, and hence these attacks are generally detectable using our specification-based approach.
- CA-97.25.CGI_metachar Sanitizing User-Supplied Data in CGI Scripts (other): the author of the script has not sufficiently sanitized user-supplied input.
- CA-97.15 Vulnerability in SGI login LOCKOUT: When LOCKOUT is enabled, users may be able to create arbitrary files or corrupt certain files on the system, due to an inadequate check in the login verification process.
- CA-97.14 Vulnerability in metamail (insufficient variable checking in some support scripts)
- CA-96.22 Vulnerabilities in bash (Inadequate checking of arguments to setuid program)
- CA-96.06 Vulnerability in NCSA/Apache CGI example code (a library function, escape_shell_cmd(), which attempts to prevent exploitation of shell-based library calls such as system() and popen(), contains a vulnerability)
- CA-95:14 Telnetd Environment Vulnerability (bug): The extension to telnet provides the ability to transfer environment variables from one system to another. By influencing the targeted system, a user may be able to bypass the normal login and authentication scheme and may become root on that system.
- CA-95:12 Sun 4.1.X Loadmodule Vulnerability: Because of the way the loadmodule program sanitizes its environment, unauthorized users can gain root access on the local machine.
Problems in this category involve using the features provided by a program in a manner that compromises security. Whereas the previous categories typically involved exploitation of a "bug" in a program, this category involves exploitation of a (questionable?) "feature." Some of these attacks can be detected because they introduce unusual behavior in the exploited programs, while many others may be undetectable. In the list below, we use the flag D to indicate that an attack is likely detectable using our technique, PD to indicate that it is partially detectable or detectable with a lower degree of certainty, and E to indicate that some non-specific effect can be detected. Absence of any flag indicates that the attack is unlikely to be detectable.
- CA-97.27 FTP Bounce PD: by using the PORT command in active FTP mode, an attacker may be able to establish connections to arbitrary ports on machines other than the originating client (bad protocol)
- CA-98.05 E Topic 3: Denial-of-Service Vulnerability in BIND 8 (invalid DNS record causing a loop in the server)
- CA-97.22 BIND - the Berkeley Internet Name Daemon (cache poisoning, bad protocol): Cache poisoning occurs when malicious or misleading data received from a remote name server is saved (cached) by another name server. This "bad" data is then made available to programs that request the cached data through the client interface.
- CA-96.09 Vulnerability in rpc.statd (bad protocol): The vulnerability in rpc.statd is its lack of validation of the information it receives from what is presumed to be the remote rpc.lockd. Because rpc.statd normally runs as root and because it does not validate this information, rpc.statd can be made to remove or create any file that the root user can remove or create on the NFS server.
- CA-96.01 UDP Port Denial-of-Service Attack D: When a connection is established between two UDP services, each of which produces output, these two services can produce a very high number of packets that can lead to a denial of service on the machine(s) where the services are offered.
- CA-95:10 ghostscript Vulnerability D: Older versions of ghostscript do not completely disable the pipe operator, which can be used to execute commands that can modify files.
- CA-95:08 Sendmail v.5 Vulnerability D
Attacks in this category involve a maliciously altered program that may perform destructive actions when executed. For the most part, this class of attacks is detectable if we have developed a reasonable profile of the program. In many cases, simple sandboxing that restricts file accesses to those known to be needed will itself provide a significant degree of protection against this class of attacks. Of the specific cases below, the first two are detectable, but the third one is not.
- CA-94:14 Trojan Horse in IRC Client for UNIX
- CA-94:07 wuarchive ftpd Trojan Horse
- CA-94:05 MD5 Checksums (Trojan Horse)
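The detection idea running through the categories above (a privileged program performing a system call, or touching a file, that its normal behavior never includes; and the file-access sandboxing mentioned for trojaned programs) can be sketched as a small checker. This is an added example, not part of this document or of the authors' system: each program gets a specification of the system calls and file-path patterns it is expected to use, and every strace-style trace entry outside that specification is reported. The program names, specifications and trace lines are constructed for illustration.

```python
import fnmatch
import re

# Constructed specifications (not real profiles of these programs): for each privileged
# program, the system calls it is expected to make and the file-path patterns each call
# may touch. Any call or path outside the spec is treated as a violation.
SPECS = {
    "vold":  {"open": ["/vol/*", "/etc/vold.conf", "/tmp/.vold*"]},
    "statd": {"open": ["/var/statmon/*"], "unlink": ["/var/statmon/*"]},
}

# Matches one strace-style line of the form: prog[pid] call(args) = result
TRACE_RE = re.compile(r'^(?P<prog>\w+)\[\d+\]\s+(?P<call>\w+)\((?P<args>[^)]*)\)')


def check_trace(lines):
    """Return (program, syscall, path) for each trace entry that violates its program's spec.

    A call the spec does not list at all (e.g. execve from a daemon that never runs other
    programs) is a violation regardless of its argument; a listed call is a violation only
    when its path matches none of the allowed patterns.
    """
    violations = []
    for line in lines:
        m = TRACE_RE.match(line)
        if not m:
            continue                      # not a syscall line; ignore it
        prog, call, args = m.group("prog", "call", "args")
        spec = SPECS.get(prog)
        if spec is None:
            continue                      # no specification for this program
        path = args.split(",")[0].strip().strip('"')   # first argument is the path
        allowed = spec.get(call)
        if allowed is None or not any(fnmatch.fnmatch(path, p) for p in allowed):
            violations.append((prog, call, path))
    return violations


# Constructed sample trace: a normal vold volume access, a vold open that creates and
# truncates the password file, a normal statd cleanup, and two statd calls that a
# specification of its normal behavior would never contain.
SAMPLE_TRACE = [
    'vold[412] open("/vol/dev/rdsk/c0t6d0/s0", O_RDONLY) = 3',
    'vold[412] open("/etc/passwd", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4',
    'statd[301] unlink("/var/statmon/sm/hostA") = 0',
    'statd[301] unlink("/etc/hosts.allow") = 0',
    'statd[301] execve("/bin/sh", ["sh", "-i"], [/* 12 vars */]) = 0',
]

if __name__ == "__main__":
    for prog, call, path in check_trace(SAMPLE_TRACE):
        print(f"violation: {prog} {call}({path})")
```

Running it reports the password-file open, the unlink outside statd's state directory and the execve; the two in-spec calls are silent.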
The vulnerabilities in this category involve the use of poor authentication or encryption protocols. For the most part, our techniques are not useful in detecting or defending against this class of problems.
- CA-96.21 TCP SYN Flooding and IP Spoofing Attacks
- CA-96.03 Vulnerability in Kerberos: The Kerberos Version 4 server uses a weak random number generator to produce session keys. On a computer of average speed, the session key for a ticket can be broken in a maximum of 2-4 minutes.
- CA-95:01 IP Spoofing Attacks and Hijacked Terminal Connections
- CA-94:15 NFS Vulnerabilities
- CA-94:9 /bin/login Vulnerability
- CA-94:01 Ongoing Network Monitoring Attacks: The intruders first penetrate a system and gain root access through an unpatched vulnerability. The intruders then run a network monitoring tool that captures up to the first 128 keystrokes of all newly opened FTP, telnet, and rlogin sessions visible within the compromised system's domain.
- CA-93:19 Solaris System Startup Vulnerability: If fsck(8) fails during system boot, a privileged shell is run on the system console.
Configuration errors involve improper file permission settings or improper configuration files for applications. For the most part, these errors are either meaningless to detect (e.g., item 2 below) or cannot be detected (e.g., item 5) by our technique. Those that can be detected (D), partially detected (PD), or detected with a nonspecific indication (E) are marked below.
- CA-97.01 Multi-platform Unix FLEXlm Vulnerabilities: Insecure configuration of vendor product installation
- CA-96.11 Interpreters in CGI bin Directories
- CA-96.10 NIS+ Configuration Vulnerability
- CA-95:16 wu-ftpd Misconfiguration Vulnerability D: The problem is that the variable _PATH_EXECPATH was set to "/bin" in the configuration file src/pathnames.h when the distribution binary was built. _PATH_EXECPATH should instead be set to "/bin/ftp-exec", for example, or a similar directory that does not contain a shell or command interpreter.
- CA-95:15 SGI lp Vulnerability: The SGI IRIX system as distributed has some accounts without passwords. Among the password-less accounts is the lp account.
- CA-94:06 Writable /etc/utmp Vulnerability
- CA-93:6 wuarchive ftpd Vulnerability: A vulnerability exists in the access control mechanism in this version of ftpd.
- CA-93:3 SunOS File/Directory Permissions: File permissions on numerous files were set incorrectly on the distribution tape of 4.1.x. A typical example is a file which should have been owned by "root" but was set to be owned by "bin".
- CA-93:13 SCO Home Directory Vulnerability PD: Some users have /tmp as their home directory.
- CA-93:11 UMN UNIX gopher and gopher+ Vulnerabilities D: Ability to read the password file.
This category consists of attacks aimed at bugs within the kernel itself. Often, the kernel crashes. Since these problems do not happen at the process level, they cannot be detected by our system-call-based approach.
- CA-98.01 smurf (ping packet to broadcast address, with spoofed src=attacked host)
- CA-97.28 IP Denial-of-Service Attacks (KC) (Teardrop: overlapping IP fragments; Land: SYN packet with src=dst)
- CA-96.26 Denial-of-Service Attack via ping (KC): some systems will react in an unpredictable fashion when receiving oversized IP packets. Many ping implementations by default send ICMP datagrams consisting only of the 8 octets of ICMP header information, but allow the user to specify a larger packet size if desired.
For the majority of attacks in this category, we do not have sufficient information about the attack to predict whether the problem can be detected using our specification-based approach.
- CA-98.05 Topic 2: Denial-of-Service Vulnerabilities in BIND 4.9 and 8 (read invalid regions of memory and crash)
- CA-97.20 JavaScript Vulnerability: Security flaws exist in certain Web browsers that permit JavaScript programs to monitor a user's browser activities beyond the security context of the page with which the program was downloaded.
- CA-97.16 ftpd Signal Handling Vulnerability D (?): This vulnerability is caused by a signal handling routine increasing process privileges to root while still continuing to catch other signals. This introduces a race condition.
- CA-96.12 Vulnerability in suidperl: On systems that support saved set-user-ID and set-group-ID, suidperl does not properly relinquish its root privileges when changing its effective user and group IDs.
- CA-96.07 Weaknesses in Java Bytecode Verifier: A maliciously written applet can perform any action that the legitimate user can perform.
- CA-96.05 Java Implementations Can Allow Connections to an Arbitrary Host: The Applet Security Manager allows an applet to connect to any of the IP addresses associated with the name of the computer from which it came.
- CA-95:07 SATAN Vulnerability: Password Disclosure: depending on the configuration at your site, the supporting HTML browser, and how you use SATAN, your session key may be disclosed through the network.
- CA-95:03 Telnet Encryption Vulnerability
- CA-94:13 SGI IRIX Help Vulnerability
- CA-94:11 Majordomo Vulnerabilities
- CA-94:10 IBM AIX bsh Vulnerability
- CA-94:08 ftpd Vulnerabilities (RC)
- CA-94:03 IBM AIX Performance Tools Vulnerabilities
- CA-93:7 Cisco Router Packet Handling Vulnerability: a router which is configured to suppress source-routed packets may allow traffic which should be suppressed.
- CA-93:18 SunOS/Solbourne loadmodule and modload Vulnerability
- CA-93:8 SCO /bin/passwd Vulnerability: This potential vulnerability will not allow unauthorized access to a system, but it may deny legitimate users the ability to log onto the system.