Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Andy Ruhl <acruhl@gmail.com>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-pkg
Date: 01/12/2007 13:24:24

On Fri, 12 Jan 2007 10:05:33 -0700
"Andy Ruhl" <acruhl@gmail.com> wrote:

> On 1/12/07, Gavan Fantom <gavan@coolfactor.org> wrote:
> > Unless your box was severely hardened against malicious local
> > users, you really should consider it rooted once a local account is
> > compromised.
> 
> It's not me, it's another guy. I was just chiming in which maybe was a
> bad idea...
> 
> But still, I find it difficult to believe how quickly people assume
> the box is rooted just because a user account was compromised. Is it
> really that easy to get root on NetBSD? Or is it just simply unknown
> how many compromises there are?
> 

It's unknown and unknowable.

To take a random example, here's the current vulnerabilities list from
idefense.com:

>>  01.11.07 : Computer Associates BrightStor ARCserve Backup RPC Engine PFC Request Buffer Overflow Vulnerability
>>  01.09.07 : Microsoft Excel Invalid Column Heap Corruption Vulnerability
>>  01.09.07 : Microsoft Excel Long Palette Heap Overflow Vulnerability
>>  01.09.07 : Microsoft Windows VML Element Integer Overflow Vulnerability
>>  01.09.07 : Adobe Macromedia ColdFusion Source Code Disclosure Vulnerability
>>  01.09.07 : Multiple Vendor X Server Render Extension ProcRenderAddGlyphs Memory Corruption Vulnerability
>>  01.09.07 : Multiple Vendor X Server DBE Extension ProcDbeGetVisualInfo Memory Corruption Vulnerability
>>  01.09.07 : Multiple Vendor X Server DBE Extension ProcDbeSwapBuffers Memory Corruption Vulnerability
>>  01.05.07 : Opera Software Opera Web Browser JPG Image DHT Marker Heap Corruption Vulnerability
>>  01.05.07 : Opera Software Opera Web Browser createSVGTransformFromMatrix Object Typecasting Vulnerability
>>  01.05.07 : Kaspersky Antivirus Scan Engine PE File Denial of Service Vulnerability

Note that this list is just for this month -- new vulnerabilities just
announced within the last two weeks.  At least five of them could
affect NetBSD users.  The X vulnerabilities affect XFree86 and Xorg; I
wouldn't be surprised if vnc were vulnerable, too.  The X
vulnerabilities, I should note, are described as local exploits.
(Aside: that site likes you to have Javascript enabled, but often the
workaround for browser holes is "disable Javascript"....)

Want more?  There were 27 security advisories for NetBSD last year
alone.  On January 1, 2006, pkg-vulnerabilities was 1657 lines long;
today, it's 2385 lines long.



		--Steve Bellovin, http://www.cs.columbia.edu/~smb