Classification of CERT/CC Advisories 1993--1998

This document is a classification of the CERT alerts from 1993 through early 1998. The alerts are grouped into the categories listed below. The classification is structured so that there is a good correlation between a category and the technique we can use to prevent the attack (where we can). Because the alerts do not provide detailed information about attacks, we have to perform the classification, as well as the assessment of detectability (using our approach), with limited information. Consequently, there may be some errors and unknowns in the information provided below.

  1. Buffer overflow
  2. Insecure file handling
  3. Inadequate argument checking
  4. Insecure program features
  5. Trojan Horse
  6. Weak authentication/encryption
  7. Configuration errors
  8. Kernel-level problems
  9. Other

Buffer Overflow

Attacks in this category exploit a buffer overflow error to make a program (typically a privileged one) execute arbitrary commands, such as forking an interactive shell for the attacker. The commands executed typically cause the attacked program to take actions that it would not take under normal circumstances. As such, these attacks can be detected by our specification-based approach.

  1. CA-98.05 Topic 1: Inverse Query Buffer Overrun in BIND 4.9 and BIND 8
  2. CA-97.26 Buffer Overrun Vulnerability in statd(1M) Program
  3. CA-97.24 Buffer Overrun Vulnerability in Count.cgi cgi-bin Program
  4. CA-97.23 Buffer Overflow Problem in rdist
  5. CA-97.21 SGI Buffer Overflow Vulnerabilities
  6. CA-97.19 lpr Buffer Overrun Vulnerability
  7. CA-97.18 Vulnerability in the at(1) program
  8. CA-97.17 Vulnerability in suidperl (sperl)
  9. CA-97.13 Vulnerability in xlock
  10. CA-97.12 Vulnerability in webdist.cgi
  11. CA-97.11 Vulnerability in libXt
  12. CA-97.10 Vulnerability in Natural Language Service
  13. CA-97.09 Vulnerability in IMAP and POP
  14. CA-97.08 Topic 2: Second vulnerability related to INN - ucbmail, Topic 1: Vulnerability in innd
  15. CA-97.07 Vulnerability in the httpd nph-test-cgi script
  16. CA-97.06 Vulnerability in rlogin/term
  17. CA-97.05 MIME Conversion Buffer Overflow in Sendmail
  18. CA-97.04 talkd Vulnerability
  19. CA-97.02 HP-UX newgrp Buffer Overrun Vulnerability
  20. CA-96.24 Sendmail Daemon Mode Vulnerability
  21. CA-96.20 Sendmail Vulnerabilities
  22. CA-96.18 Vulnerability in fm_fls
  23. CA-96.14 Vulnerability in rdist
  24. CA-96.13 Vulnerability in the dip program
  25. CA-96.04 Corrupt Information from Network Servers
  26. CA-95:17 rpc.ypupdated Vulnerability
  27. CA-95:13 Syslog Vulnerability - A Workaround for Sendmail
  28. CA-95:04 NCSA HTTP Daemon for UNIX Vulnerability
  29. CA-94:02 Revised Patch for SunOS /usr/etc/rpc.mountd Vulnerability

Insecure Handling of Filenames

This is another class of attacks involving programs that fail to perform adequate permission checking on files. The program may perform no permission checking at all, fail to verify whether a file already exists before creating it (thereby erasing its previous content), fail to check whether the file is a symbolic link, and so on. Even when permissions are checked, there may be a race condition between the file access check and the actual open operation. Intrusions exploiting these problems aim to fool a program into modifying critical files such as the password file or users' .login and .profile files. In particular, they typically involve accessing files that the program would not normally access, unexpectedly overwriting files, or using symbolic links. Consequently, we expect to be able to capture most of these attacks using our specification-based approach.

  1. CA-98.03 SSH agent (Inadequate checking of arguments to setuid program)
  2. CA-98.02 CDE vulnerabilities (Inadequate checking of arguments to setuid program)
  3. CA-97.03 Vulnerability in IRIX csetup (It is possible to configure csetup to run in DEBUG mode, creating a logfile in a publicly writable directory)
  4. CA-96.27 Vulnerability in HP Software Installation Programs
  5. CA-96.25 Sendmail Group Permissions Vulnerability
  6. CA-96.23 Vulnerability in WorkMan: When a file is specified with "-p", WorkMan simply attempts to create and/or truncate the file, and if this succeeds, WorkMan changes the permissions on the file so that it is world-readable and world-writable.
  7. CA-96.19 Vulnerability in expreserve
  8. CA-96.17 Vulnerability in Solaris vold: The handling of these files is not performed in a secure manner. As vold is configured to access these temporary files with root privileges, it may be possible to manipulate vold into creating or over-writing arbitrary files on the system.
  9. CA-96.16 Vulnerability in Solaris admintool
  10. CA-96.15 Vulnerability in Solaris 2.5 KCMS programs
  11. CA-96.08 Vulnerabilities in PCNFSD
  12. CA-95:09 Solaris ps Vulnerability
  13. CA-95:02 Vulnerabilities in /bin/mail
  14. CA-93:17 xterm.login
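As an added illustration (not part of the original classification), the following Python example contrasts the check-then-create pattern described above with a single atomic open. The directory layout, the file names "output" and "victim", and the function names are constructed for this example.

```python
import errno
import os
import tempfile


def create_output_unsafe(path):
    """The pattern described above: a separate existence check followed by a
    create-or-truncate open. os.access() follows symbolic links, so a dangling
    link at `path` looks absent, and the O_CREAT open then follows the link and
    creates (or truncates) its target instead of `path`. Even without a link,
    the gap between the two calls is a race window."""
    if os.access(path, os.F_OK):
        raise FileExistsError(path)
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)


def create_output_safe(path):
    """Check and create in one system call: O_EXCL fails if any object,
    including a symbolic link, already occupies the name, and O_NOFOLLOW
    refuses to follow a link in the final path component."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.open(path, flags, 0o600)


def demo(workdir=None):
    """Plant a dangling symlink 'output' -> 'victim' ('victim' is a constructed
    stand-in for a file the program must never touch) and run both versions."""
    workdir = workdir or tempfile.mkdtemp()
    victim = os.path.join(workdir, "victim")
    link = os.path.join(workdir, "output")
    os.symlink(victim, link)          # dangling: 'victim' does not exist yet

    os.close(create_output_unsafe(link))
    unsafe_created_victim = os.path.exists(victim)   # the link was followed

    os.unlink(victim)                 # make the link dangling again
    try:
        os.close(create_output_safe(link))
        safe_refused = False
    except OSError as exc:            # EEXIST (O_EXCL) or ELOOP (O_NOFOLLOW)
        safe_refused = exc.errno in (errno.EEXIST, errno.ELOOP)
    return {"unsafe_created_victim": unsafe_created_victim,
            "safe_refused": safe_refused}


if __name__ == "__main__":
    print(demo())
```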

Inadequate Argument Checking

This category covers several instances where a program (typically a privileged one) is made to perform actions chosen by an attacker via carefully crafted input or arguments to the program. Buffer overflows and insecure filename handling are in fact special cases of this category, but we have listed them separately since they are so prevalent, and also because more specific defenses (e.g., detecting an attempt to execute a system call from code in the data segment, or an attempt to overwrite unrelated files) can be designed to capture them. The attacks in this category typically result in a process performing actions that it normally does not perform, and hence these attacks are generally detectable using our specification-based approach.

  1. CA-97.25.CGI_metachar Sanitizing User-Supplied Data in CGI Scripts (other): The author of the script has not sufficiently sanitized user-supplied input.
  2. CA-97.15 Vulnerability in SGI login LOCKOUT: When LOCKOUT is enabled, users may be able to create arbitrary files or corrupt certain files on the system, due to an inadequate check in the login verification process.
  3. CA-97.14 Vulnerability in metamail (insufficient variable checking in some support scripts)
  4. CA-96.22 Vulnerabilities in bash (Inadequate checking of arguments to setuid program)
  5. CA-96.06 Vulnerability in NCSA/Apache CGI example code (a library function escape_shell_cmd(), which attempts to prevent exploitation of shell-based library calls, such as system() and popen(), contains a vulnerability.)
  6. CA-95:14 Telnetd Environment Vulnerability (bug): The extension to telnet provides the ability to transfer environment variables from one system to another. By influencing that targeted system, a user may be able to bypass the normal login and authentication scheme and may become root on that system.
  7. CA-95:12 Sun 4.1.X Loadmodule Vulnerability Because of the way the loadmodule program sanitizes its environment, unauthorized users can gain root access on the local machine.

Insecure Program Features

Problems in this category involve using the features provided by a program in a manner that would compromise security. Whereas the previous categories typically involved exploitation of a "bug" in a program, this category involves exploitation of a (questionable?) "feature." Some of these attacks can be detected as they introduce unusual behavior in the exploited programs, while many others may be undetectable. In the list below, we use the flag D to indicate that an attack is likely detectable using our technique, PD to indicate that it is partially detectable or detectable with a lower degree of certainty, E to indicate that some non-specific effect can be detected. Absence of any flags indicates that the attack is unlikely to be detectable.

  1. CA-97.27 FTP Bounce PD: By using the PORT command in active FTP mode, an attacker may be able to establish connections to arbitrary ports on machines other than the originating client. (bad protocol)
  2. CA-98.05 E Topic 3: Denial-of-Service Vulnerability in BIND 8 (Invalid DNS record causing a loop in server)
  3. CA-97.22 BIND - the Berkeley Internet Name Daemon (cache poisoning, bad protocol): Cache poisoning occurs when malicious or misleading data received from a remote name server is saved (cached) by another name server. This "bad" data is then made available to programs that request the cached data through the client interface.
  4. CA-96.09 Vulnerability in rpc.statd The vulnerability in rpc.statd is its lack of validation of the information it receives from what is presumed to be the remote rpc.lockd. Because rpc.statd normally runs as root and because it does not validate this information, rpc.statd can be made to remove or create any file that the root user can remove or create on the NFS server.(bad protocol)
  5. CA-96.01 UDP Port Denial-of-Service Attack D: When a connection is established between two UDP services, each of which produces output, these two services can produce a very high number of packets that can lead to a denial of service on the machine(s) where the services are offered.
  6. CA-95:10 ghostscript Vulnerability D: Older versions of ghostscript do not completely disable the pipe operator, which can be used to execute commands that can modify files.
  7. CA-95:08 Sendmail v.5 Vulnerability D

Trojan Horse

Attacks in this category involve a maliciously altered program that may perform destructive actions when executed. For the most part, this class of attacks is detectable if we have developed a reasonable profile of the program. In many cases, simple sandboxing that restricts file accesses to those known to be needed will itself provide a significant degree of protection against this class of attacks. In the specific cases below, the first two are detectable, but the third one is not.

  1. CA-94:14 Trojan Horse in IRC Client for UNIX
  2. CA-94:07 wuarchive ftpd Trojan Horse
  3. CA-94:05 MD5 Checksums (Trojan Horse)
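To make concrete what "a reasonable profile of the program" means for the approach described above, and how the buffer-overflow symptom of a program suddenly executing a shell shows up in it, here is an added Python illustration (not the authors' tool) of a minimal per-program specification checked against a trace of system calls. The ftpd profile, the paths and the trace are all constructed for this example.

```python
# A profile lists what a (privileged) program is expected to do; entries
# ending in "/" are directory prefixes, other entries are exact paths.
FTPD_SPEC = {                      # constructed profile, not a real ftpd policy
    "read":  ("/var/ftp/", "/etc/passwd", "/etc/group", "/usr/lib/"),
    "write": ("/var/ftp/incoming/", "/var/log/xferlog"),
    "exec":  ("/bin/ls", "/bin/gzip"),
}


def _allowed(path, entries):
    return any(path == e or (e.endswith("/") and path.startswith(e))
               for e in entries)


def check_event(spec, syscall, path, flags):
    """Return a violation reason for one event, or None if it fits the spec.
    Only open and execve are modelled; `flags` for open is a string with
    'r' (read), 'w' (write) and 't' (truncate), e.g. 'wt'."""
    if syscall == "open":
        if "w" in flags:
            if not _allowed(path, spec["write"]):
                kind = "overwrite" if "t" in flags else "write"
                return f"{kind} outside profile: {path}"
        elif not _allowed(path, spec["read"]):
            return f"read outside profile: {path}"
    elif syscall == "execve" and not _allowed(path, spec["exec"]):
        return f"exec outside profile: {path}"     # e.g. a spawned shell
    return None


def check_trace(spec, trace):
    """trace: list of (syscall, path, flags). Returns [(index, reason), ...]."""
    found = []
    for i, (syscall, path, flags) in enumerate(trace):
        reason = check_event(spec, syscall, path, flags)
        if reason:
            found.append((i, reason))
    return found


# Constructed trace: normal ftpd activity, then the two symptoms the text
# describes (a critical file overwritten; an interactive shell exec'd).
TRACE = [
    ("open", "/var/ftp/pub/README", "r"),
    ("open", "/etc/passwd", "r"),               # password lookup at login
    ("open", "/var/ftp/incoming/up.tgz", "wt"), # legitimate upload
    ("open", "/etc/passwd", "wt"),              # critical file overwritten
    ("execve", "/bin/sh", ""),                  # shell forked to the attacker
    ("execve", "/bin/ls", ""),
]

if __name__ == "__main__":
    for index, reason in check_trace(FTPD_SPEC, TRACE):
        print(f"event {index}: {reason}")
```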

Weakness in Encryption or Authentication

The vulnerabilities in this category involve the use of poor authentication or encryption protocols. For the most part, our techniques are not useful in detecting or defending against this class of problems.

  1. CA-96.21 TCP SYN Flooding and IP Spoofing Attacks
  2. CA-96.03 Vulnerability in Kerberos The Kerberos Version 4 server is using a weak random number generator to produce session keys. On a computer of average speed, the session key for a ticket can be broken in a maximum of 2-4 minutes.
  3. CA-95:01 IP Spoofing Attacks and Hijacked Terminal Connections
  4. CA-94:15 NFS Vulnerabilities
  5. CA-94:9 /bin/login Vulnerability
  6. CA-94:01 Ongoing Network Monitoring Attacks: The intruders first penetrate a system and gain root access through an unpatched vulnerability. The intruders then run a network monitoring tool that captures up to the first 128 keystrokes of all newly opened FTP, telnet, and rlogin sessions visible within the compromised system's domain.
  7. CA-93:19 Solaris System Startup Vulnerability: If fsck(8) fails during system boot, a privileged shell is run on the system console.

Configuration Errors

Configuration errors involve improper file permission settings or improper configuration files for applications. For the most part, these errors are either meaningless to detect (e.g., item 2 below) or cannot be detected (e.g., item 5) by our technique. Those that can be detected (D), partially detected (PD), or detected with a nonspecific indication (E) are flagged below.

  1. CA-97.01 Multi-platform Unix FLEXlm Vulnerabilities Insecure configuration of vendor product installation
  2. CA-96.11 Interpreters in CGI bin Directories
  3. CA-96.10 NIS+ Configuration Vulnerability
  4. CA-95:16 wu-ftpd Misconfiguration Vulnerability D The problem is that the variable _PATH_EXECPATH was set to "/bin" in the configuration file src/pathnames.h when the distribution binary was built. _PATH_EXECPATH should be set to "/bin/ftp-exec" or a similar directory that does not contain a shell or command interpreter, for example.
  5. CA-95:15 SGI lp Vulnerability: The SGI IRIX system as distributed has some accounts without passwords. Among the password-less accounts is the lp account.
  6. CA-94:06 Writable /etc/utmp Vulnerability
  7. CA-93:6 wuarchive ftpd Vulnerability A vulnerability exists in the access control mechanism in this version of ftpd.
  8. CA-93:3 SunOS File/Directory Permissions File permissions on numerous files were set incorrectly in the distribution tape of 4.1.x. A typical example is that a file which should have been owned by "root" was set to be owned by "bin".
  9. CA-93:13 SCO Home Directory Vulnerability PD Some users have /tmp as home directory
  10. CA-93:11 UMN UNIX gopher and gopher+ Vulnerabilities D Ability to read password file.

Kernel-Level Problems

This category consists of attacks that are aimed at bugs within the kernel itself. Often, the kernel may crash. Since these problems do not happen at the process level, they cannot be detected by our system-call based approach.

  1. CA-98.01 smurf (ping pkt to broadcast address, with spoofed src=attacked host)
  2. CA-97.28 IP Denial-of-Service Attacks (KC) (Teardrop: overlapping IP fragments, Land: SYN packet with src=dst)
  3. CA-96.26 Denial-of-Service Attack via ping: Some systems will react in an unpredictable fashion when receiving oversized IP packets. Many ping implementations by default send ICMP datagrams consisting only of the 8 octets of ICMP header information but allow the user to specify a larger packet size if desired. (KC)

Other Implementation Errors

For a majority of attacks in this category, we do not have sufficient information about the attack to be able to predict whether the problem can be detected using our specification-based approach.

  1. CA-98.05 Topic 2: Denial-of-Service Vulnerabilities in BIND 4.9 and 8 (Read invalid regions of memory and crash)
  2. CA-97.20 JavaScript Vulnerability: Security flaws exist in certain Web browsers that permit JavaScript programs to monitor a user's browser activities beyond the security context of the page with which the program was downloaded.
  3. CA-97.16 ftpd Signal Handling Vulnerability D (?) This vulnerability is caused by a signal handling routine increasing process privileges to root, while still continuing to catch other signals. This introduces a race condition.
  4. CA-96.12 Vulnerability in suidperl On systems that support saved set-user-ID and set-group-ID, suidperl does not properly relinquish its root privileges when changing its effective user and group IDs.
  5. CA-96.07 Weaknesses in Java Bytecode Verifier A maliciously written applet can perform any action that the legitimate user can perform.
  6. CA-96.05 Java Implementations Can Allow Connections to an Arbitrary Host The Applet Security Manager allows an applet to connect to any of the IP addresses associated with the name of the computer from which it came.
  7. CA-95:07 SATAN Vulnerability: Password Disclosure: Depending on the configuration at your site, the supporting HTML browser, and how you use SATAN, your session key may be disclosed through the network.
  8. CA-95:03 Telnet Encryption Vulnerability
  9. CA-94:13 SGI IRIX Help Vulnerability
  10. CA-94:11 Majordomo Vulnerabilities
  11. CA-94:10 IBM AIX bsh Vulnerability
  12. CA-94:08 ftpd Vulnerabilities (RC)
  13. CA-94:03 IBM AIX Performance Tools Vulnerabilities
  14. CA-93:7 Cisco Router Packet Handling Vulnerability: A router which is configured to suppress source-routed packets may allow traffic which should be suppressed.
  15. CA-93:18 SunOS/Solbourne loadmodule and modload Vulnerability
  16. CA-93:8 SCO /bin/passwd Vulnerability: This vulnerability will not allow unauthorized access to a system, but it may deny legitimate users the ability to log onto the system.

Maintained by Sekar, sekar@cs.sunysb.edu
Last Modified 11/07/01