[SECURITY] [DSA 542-1] New Qt packages fix arbitrary code execution and denial of service

2004-08-30 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 542-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
August 30th, 2004   http://www.debian.org/security/faq
- --

Package: qt-copy
Vulnerability  : unsanitised input
Problem-Type   : remote
Debian-specific: no
CVE ID : CAN-2004-0691 CAN-2004-0692 CAN-2004-0693
Debian Bug : 267092

Several vulnerabilities were discovered in recent versions of Qt, a
commonly used graphic widget set, used in KDE for example.  The first
problem allows an attacker to execute arbitrary code, while the other
two only seem to pose a denial of service danger.  The Common
Vulnerabilities and Exposures project identifies the following
vulnerabilities:

CAN-2004-0691:

Chris Evans has discovered a heap-based overflow when handling
8-bit RLE encoded BMP files.

CAN-2004-0692:

Marcus Meissner has discovered a crash condition in the XPM
handling code, which is not yet fixed in Qt 3.3.

CAN-2004-0693:

Marcus Meissner has discovered a crash condition in the GIF
handling code, which is not yet fixed in Qt 3.3.

For the stable distribution (woody) this problem has been fixed in
version 3.0.3-20020329-1woody2.

For the unstable distribution (sid) this problem has been fixed in
version 3.3.3-4 of qt-x11-free.

We recommend that you upgrade your qt packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 


Aleksander Sobol: I am out of the office.

2004-08-30 Thread Aleksander . Sobol

I will be out of the office from 2004-08-26 and will not be back before 2004-09-12.

I will reply to messages when I return.



Re: apache / exe process taking 99 % cpu

2004-08-30 Thread Timo Veith
Hello Marcin,

thank you for your reply.

On Monday 30 August 2004 21:06, Marcin Owsiany wrote:
 On Mon, Aug 30, 2004 at 03:50:35PM +0200, Timo Veith wrote:
  My question is, have I been hacked?

 Probably. Do you run PHP? Buggy PHP scripts are a common attack vector
 these days.

Yes, we do run PHP scripts a lot.

  Could that be a CGI program gone wild?

 Yes, if the pid changes you noted are just independent processes. Less
 likely, if these are intentional fork()/exit() tricks done by one
 process (of course unless you don't trust your users).

Well, there are too many of them, so I cannot really trust all of them. I know, 
this doesn't make it any better. :(

  Of course I could stop apache, but that's not what I want. I'd like to
  figure out where this comes from.

 try ls -l /proc/PID and ls -l /proc/PID/fd, these may reveal some
 useful information. Also run chkrootkit.

Thanks for this advice, I found the PWD of the command in the environ file 
under /proc/pid. Let me tell you another strange thing. netstat -avp showed 
me that an apache process had an established connection from my box (source 
port was some high port) to a box in .jp (dest port 113). This made me 
curious.

I added an iptables rule to the OUTPUT chain dropping all tcp packets to that 
box:port and guess what? My server was back to idle again. No more 99 % cpu 
usage and the process now sits there (sleeping). It doesn't change the pid 
any more and I can also do an strace:

[EMAIL PROTECTED] [/proc/18305] strace -p 18305
connect(8, {sin_family=AF_INET, sin_port=htons(113), sin_addr=inet_addr("ip.of.remote.box")}, 16) = -1 ETIMEDOUT (Connection timed out)
close(8)                                = 0
dup(2)                                  = 8
fcntl64(8, F_GETFL)                     = 0x2 (flags O_RDWR)
fstat64(8, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
ioctl(8, SNDCTL_TMR_TIMEBASE, 0xb5d8)   = -1 ENOTTY (Inappropriate ioctl for device)
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
_llseek(8, 0, [0], SEEK_CUR)            = 0
write(8, "connect: Connection timed out\n", 30) = 30
close(8)                                = 0
munmap(0x40014000, 4096)                = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({30, 0}, {30, 0})             = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 8

And then it starts again connecting. I think this process tries to talk back 
to someone? Well, I am only guessing ...

I downloaded the ISO image of the F.I.R.E. Linux distribution to have some 
static binaries which I can trust. I burned the image to a CD which I then 
mounted and tried to execute some of them, but I only get su -: Permission 
denied

[EMAIL PROTECTED] [/proc/18305] /mnt/cdrom/statbins/linux2.2_x86/who
su: /mnt/cdrom/statbins/linux2.2_x86/who: Permission denied
[EMAIL PROTECTED] [/proc/18305] uname -r
2.4.27

Is it maybe because binaries for linux 2.2 cannot be run on a 2.4 kernel? 

Many thanks in advance

Timo


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: apt 0.6 and how it does *not* solve the problem

2004-08-30 Thread Matt Zimmerman
On Mon, Aug 23, 2004 at 01:03:54AM +0200, martin f krafft wrote:

 the Debian project as we have it. Bear with me for a second... I am
 not about to take the piss out of the APT 0.6 people, who have done
 an outstanding job. The problem is deeper...

If the issues you mean to address are not relevant to apt, then why are you
pointing fingers at it?

(answer: trolling)

-- 
 - mdz





Re: [ph.unimelb.edu.au #11] AutoReply: [SECURITY] [DSA 542-1] New Qt packages fix arbitrary code execution and denial of service

2004-08-30 Thread Daniel Pittman via RT
On 31 Aug 2004, Physics IT Support via wrote:
 This message has been automatically generated in response to the
 creation of a trouble ticket regarding: [SECURITY] [DSA 542-1] New Qt
 packages fix arbitrary code execution and denial of service, a
 summary of which appears below.

 There is no need to reply to this message right now. Your ticket has been
 assigned an ID of [ph.unimelb.edu.au #11].

Good day.  While I can understand the desire to gate security
announcements into your bug tracking system directly, having the system
respond to a public mailing list is probably not your desired goal.

It does provide some amusement to the rest of the world, however. :)

Regards,
Daniel
-- 
There is no satisfaction in hanging a man who does not object to it.
-- G. B. Shaw






Re: apache / exe process taking 99 % cpu

2004-08-30 Thread Marcin Owsiany
On Tue, Aug 31, 2004 at 12:59:48AM +0200, Timo Veith wrote:
 On Monday 30 August 2004 21:06, Marcin Owsiany wrote:
 I added a iptables rule to the OUTPUT chain dropping all tcp packets to that 
 box:port and guess what? My server was back idle again. No more 99 % cpu 
 usage and the process now sits there.

Seems like the process is a DoS zombie. Probably it opened as many
connections to that machine, as possible, and that caused the heavy CPU
utilization.

 And then it starts again connecting. I think this process tries to talk back 
 to someone? Well, I am only guessing ...

Could be. I would unblock the rule for a while and record some of the
traffic. Viewing it with something nice like ethereal could provide more
information on the nature of those connections.

 I downloaded the ISO image from the F.I.R.E. Linux distribution to have some 
 static binaries which I can trust.

Basically, if you don't trust your binaries, that means that you suspect
the attacker got root access. And if they did, they probably installed a
kernel backdoor. And if they did, then trusted binaries won't buy you
anything. You need to boot off a trusted media if you want to be sure.

 I burned the image to a CD which I then 
 mounted and tried to execute some of them, but I only get su -: Permission 
 denied
 
 [EMAIL PROTECTED] [/proc/18305] /mnt/cdrom/statbins/linux2.2_x86/who
 su: /mnt/cdrom/statbins/linux2.2_x86/who: Permission denied
 [EMAIL PROTECTED] [/proc/18305] uname -r
 2.4.27
 
 Is it maybe because binaries for linux 2.2 cannot be run on a 2.4 kernel? 

I don't think so. I suspect this is either a permissions (file or
filesystem) or dynamic libs problem.

Marcin
PS: Please don't cc me. I really do read this list :-)
-- 
Marcin Owsiany [EMAIL PROTECTED]  http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
 
Every program in development at MIT expands until it can read mail.
  -- Unknown





apache / exe process taking 99 % cpu

2004-08-30 Thread Timo Veith
Hi list,

I have an apache process which takes 99 % cpu. It's not common that an apache 
proc takes that much cpu on this system. I noticed it on my rrd load and 
cpu usage graph. It's been on since yesterday at about 22:00.

top also lists the process with a name of exe, running under the user id 
of www-data. I couldn't find it with ps auwwx until I tried some other 
params of ps. It looks to me as if the process is somehow 
camouflaged. Could that be?

[EMAIL PROTECTED] [~] ps -l -C exe
  F S   UID   PID  PPID  C PRI  NI ADDR SZ WCHAN  TTY          TIME CMD
040 R    33  6358     1 89  77   0 -   370 -      ?        00:00:04 exe

[EMAIL PROTECTED] [~] ps -lf -C exe
  F S UID        PID  PPID  C PRI  NI ADDR SZ WCHAN  STIME TTY          TIME CMD
040 R www-data  6360     1 95  79   0 -   370 -      15:47 ?        00:00:04 /usr/sbin/apache

I tried to strace the process, but I have to be fast. The pid changes 
every 15 seconds, according to top.

[EMAIL PROTECTED] [~] ps -l -C exe
  F S   UID   PID  PPID  C PRI  NI ADDR SZ WCHAN  TTY  TIME CMD
040 R33  6398 1 99  77   0 -   370 -  ?00:00:03 exe
[EMAIL PROTECTED] [~] strace -p 6398
--- SIGALRM (Alarm clock) ---

As you can see, the process seems to die with SIGALRM.

My question is, have I been hacked? Could that be a CGI program gone wild? 
Of course I could stop apache, but that's not what I want. I'd like to 
figure out where this comes from.

TIA

Timo



Dirk Bonengel is out of the office.

2004-08-30 Thread Dirk Bonengel

I will be out of the office from 27.08.2004. I will be back on
13.09.2004.

I will answer your message after my return.
In urgent cases please contact Mr Christian Treml
([EMAIL PROTECTED]) or Mr Stefan Höfele
([EMAIL PROTECTED])



[ph.unimelb.edu.au #11] AutoReply: [SECURITY] [DSA 542-1] New Qt packages fix arbitrary code execution and denial of service

2004-08-30 Thread Physics IT Support via RT

Greetings,

This message has been automatically generated in response to the
creation of a trouble ticket regarding:
[SECURITY] [DSA 542-1] New Qt packages fix arbitrary code execution 
and denial of service, 
a summary of which appears below.

There is no need to reply to this message right now.  Your ticket has been
assigned an ID of [ph.unimelb.edu.au #11].

Please include the string:

 [ph.unimelb.edu.au #11]

in the subject line of all future correspondence about this issue. To do so, 
you may reply to this message.

Thank you,
[EMAIL PROTECTED]



Absence

2004-08-30 Thread Sebastian Hennebrueder
Absence
Dear Sir or Madam,

I am on holiday from 21 August until 9 September. During this time
you can contact Mr Zander.
Phone
0391 544 56 70

Kind regards

Sebastian Hennebrüder
Head of eCommerce - Internet

---

Grass GmbH, eCommerce - Internet
Allee-Center 
Ernst-Reuter-Allee 5

39104 Magdeburg
Germany

National
Phone 0391 / 54456 – 76
Fax 0391 / 54456 - 78

International
Phone ++49 391 / 54456 – 76
Fax ++49 391 / 54456 - 78



Dr. Daniel Berning is out of the office.

2004-08-30 Thread Daniel . Berning

I will be out of the office from 20.08.2004. I will be back on
05.09.2004.

I will deal with your message after my return.



Re: apache / exe process taking 99 % cpu

2004-08-30 Thread Marcin Owsiany
On Mon, Aug 30, 2004 at 03:50:35PM +0200, Timo Veith wrote:
 My question is, have I been hacked?

Probably. Do you run PHP? Buggy PHP scripts are a common attack vector
these days.

 Could that be a CGI program gone wild? 

Yes, if the pid changes you noted are just independent processes. Less
likely, if these are intentional fork()/exit() tricks done by one
process (of course unless you don't trust your users).

 Of course I could stop apache, but that's not what I want. I'd like to 
 figure out where this comes from.

try ls -l /proc/PID and ls -l /proc/PID/fd, these may reveal some
useful information. Also run chkrootkit.

Marcin
-- 
Marcin Owsiany [EMAIL PROTECTED] http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
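One way to script Marcin's /proc walk and the two clues Timo later found by hand (a task named "exe" that claims to be /usr/sbin/apache, and an fd holding a TCP connection to a remote port 113), added here as an example rather than code anyone posted to the list; it assumes Linux /proc on a little-endian (x86) host, and every function name is my own.

```shell
#!/bin/sh
# Added triage helper for the "exe" process in this thread; not code posted
# by anyone on the list. It reads /proc for one PID and flags a task name
# that cannot have come from the argv[0] shown to ps, a parent of init, and
# the remote end of every TCP socket the process holds. Assumes Linux /proc
# on a little-endian (x86) host, where /proc/net/tcp prints host-order hex.

# Task name as the kernel records it (what top shows): field 2 of /proc/PID/stat.
proc_name() { sed 's/^[0-9]* (\(.*\)) .*/\1/' "/proc/$1/stat"; }

# Parent PID: field 4 of /proc/PID/stat. Apache workers belong to the apache
# parent, so a PPID of 1 (as in Timo's ps output) means the process detached itself.
proc_ppid() { sed 's/^[0-9]* (.*) . \([0-9]*\) .*/\1/' "/proc/$1/stat"; }

# argv[0] as the process presents it. A process can overwrite its own argv at
# will; the task name is set at exec and takes a prctl call to change, so a
# disagreement between the two deserves a look.
proc_argv0() { tr '\0' '\n' < "/proc/$1/cmdline" | head -n 1; }

# True (exit 0) when NAME cannot have come from ARGV0. The kernel keeps only the
# first 15 bytes of the executable's basename, so compare on that prefix.
name_mismatch() {
    base=$(basename "$2" | cut -c1-15)
    [ "$1" != "$base" ]
}

# "HEXADDR:HEXPORT" as printed in /proc/net/tcp (host byte order) -> ip:port.
hex_to_ipport() {
    h=${1%%:*}; p=${1##*:}
    b1=${h#??????}; r=${h%??}; b2=${r#????}; r=${r%??}; b3=${r#??}; b4=${r%??}
    printf '%d.%d.%d.%d:%d\n' $((0x$b1)) $((0x$b2)) $((0x$b3)) $((0x$b4)) $((0x$p))
}

# Remote endpoint of every TCP socket PID holds: fd -> socket inode -> /proc/net/tcp.
proc_tcp_peers() {
    for fd in "/proc/$1"/fd/*; do
        tgt=$(readlink "$fd" 2>/dev/null) || continue
        case $tgt in socket:*) ino=${tgt#socket:?}; ino=${ino%?} ;; *) continue ;; esac
        awk -v ino="$ino" '$10 == ino { print $3 }' /proc/net/tcp |
            while read -r rem; do hex_to_ipport "$rem"; done
    done
}

# Report on one PID; returns 1 when a sign of trouble was found, 0 otherwise.
proc_triage() {
    pid=$1; bad=0
    [ -r "/proc/$pid/stat" ] || { echo "no such pid: $pid" >&2; return 2; }
    name=$(proc_name "$pid"); argv0=$(proc_argv0 "$pid"); ppid=$(proc_ppid "$pid")
    echo "pid $pid name='$name' argv0='$argv0' ppid=$ppid"
    echo "  exe=$(readlink "/proc/$pid/exe") cwd=$(readlink "/proc/$pid/cwd")"
    tr '\0' '\n' < "/proc/$pid/environ" 2>/dev/null | grep '^PWD=' | sed 's/^/  environ /'
    if name_mismatch "$name" "$argv0"; then echo "  ! argv[0] disagrees with task name"; bad=1; fi
    [ "$ppid" = 1 ] && { echo "  ! parent is init, not a server parent"; bad=1; }
    for peer in $(proc_tcp_peers "$pid"); do echo "  tcp peer $peer"; done
    return $bad
}

[ $# -eq 1 ] && proc_triage "$1"
```

Run it as root with the PID from top; an exit status of 1 means at least one of the flags fired and the process deserves the closer look Marcin describes.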