Linux DevCenter
Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

Buffer overflows in OpenUnix 8 utilities and the Solaris printer daemon

09/04/2001

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in snmpXdmid, OpenUnix 8 utilities, TrollFTPD, gdm, the Solaris printer daemon, and the HP-UX line printer daemon; and vulnerabilities in xinetd, gnut, NetBSD sendmsg, Mambo Site Server, phpBB, Macromedia ColdFusion Server, JavaServer WDK, and BSCW.

Alerts this week:

xinetd
gnut
Solaris snmpXdmid
NetBSD sendmsg
Mambo Site Server
OpenUnix 8 Buffer Overflows
phpBB
Macromedia ColdFusion Server
TrollFTPD
JavaServer WDK
gdm
BSCW
Solaris Printer Daemon
HP-UX Line Printer Daemon
Unused Services

xinetd

A security audit of xinetd, a replacement for the inetd super server, carried out by Solar Designer and others has resulted in fixes for many security- and reliability-related bugs.

All users of xinetd should upgrade to version 2.3.3 or newer as soon as possible.

gnut

gnut, a console- and Web-based Gnutella client available for Linux and Windows, is vulnerable to an HTML injection attack. The attack is carried out by sharing a file with HTML embedded in the file name.

All users of gnut should upgrade to version 0.4.27 or newer.

Solaris snmpXdmid

The snmpXdmid daemon is an agent that functions as part of the Solstice Enterprise Agent Desktop Management Interface package. It maps Simple Network Management Protocol requests to equivalent Desktop Management Interface requests. Versions of snmpXdmid supplied with Solaris 2.6, 7, and 8 have a buffer overflow that can be exploited remotely to execute arbitrary code with the permissions of the root user.

Users should apply the appropriate patch from Sun.

NetBSD sendmsg

The NetBSD sendmsg() system call can be used by a malicious user to panic the system, causing a denial of service. All versions of NetBSD from 1.3 on have been announced as vulnerable to this denial-of-service attack.

It is recommended that users upgrade any NetBSD machines to NetBSD systems dated July 1, 2001, or newer; rebuild the kernel; and reboot the system.

Mambo Site Server

Mambo Site Server is a content management tool written using PHP and MySQL. A design flaw in the use of global variables can be exploited to gain administrative control over Mambo.

Users of Mambo should watch for an updated version that repairs this problem.

OpenUnix 8 Buffer Overflows

It has been reported that there are buffer overflows in the OpenUnix 8 utilities dtaction, dtprintinfo, and dtsession.

Users of OpenUnix 8 should watch Caldera for patches to fix these problems.

phpBB

phpBB, a Web-based bulletin board program, has several vulnerabilities that can lead to increased permissions and allow arbitrary commands to be executed on the server with the permissions of the user executing the Web server.

Users of phpBB should upgrade to version 1.4.1 or newer.

Macromedia ColdFusion Server

Vulnerabilities have been found in two example applications that ship with Macromedia ColdFusion. These vulnerabilities can be used to view files, create files, and execute commands on the server running ColdFusion. ColdFusion Servers 4.x for Windows, Solaris, HP-UX, and Linux have been reported to be vulnerable. Version 5 of ColdFusion Server has been reported as not vulnerable.

Macromedia recommends that example applications and documentation not be installed on production servers, that the /CFDOCS directory tree be removed from all production servers, and that users read the Macromedia ColdFusion "Best Security Practices" document available from the Allaire Web site.

TrollFTPD

A buffer overflow in TrollFTPD's handling of recursive directories can be used by a remote attacker to gain root access to the server. Pure-FTPd, a derivative of TrollFTPD, is reported as not vulnerable to this buffer overflow.

Users should upgrade to TrollFTPD version 1.27 as soon as possible.

JavaServer WDK

The JavaServer Web Development Kit (WDK) has a bug that can be used to read, with the permissions of the root user, any file on the server. This can be used by an attacker to access encrypted passwords in the shadow password file, and can be used to gain information for an attack against the system.

Users should watch Sun for an update to the JavaServer WDK.

gdm

A buffer overflow in gdm can be exploited by sending a carefully crafted XDMCP message to gain root access on the server.

Users of gdm should watch their vendor for a repaired version and should consider disabling XDMCP in gdm.conf if it is not needed.
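The column's advice is to disable XDMCP in gdm.conf when it is not needed. The following shell script is an added example, not code from the column or from the gdm project: it reads a gdm.conf-style file (INI sections, with `Enable=` under `[xdmcp]`, which is the layout gdm.conf uses), reports whether XDMCP is on, and rewrites the file so that the `[xdmcp]` section has `Enable=false` while leaving every other line untouched. The sample configuration is constructed inline so the script runs offline; on a real host you would point it at the actual gdm.conf path.

```shell
#!/bin/sh
# Added example (not from the column or from gdm): audit and disable XDMCP in a
# gdm.conf-style file. Assumption: INI-style sections, "Enable=" under "[xdmcp]".

# Constructed sample gdm.conf for offline use.
make_sample_conf() {
  cat > "$1" <<'EOF'
[daemon]
AutomaticLoginEnable=false

[xdmcp]
Enable=true
Port=177
MaxPending=4

[security]
AllowRoot=false
EOF
}

# Print the value of Enable inside the [xdmcp] section (empty if absent).
# Section tracking: a line starting with "[" switches the current section.
xdmcp_enable_value() {
  awk -F= '
    /^\[/ { in_xdmcp = ($0 == "[xdmcp]"); next }
    in_xdmcp && $1 == "Enable" { print $2; exit }
  ' "$1"
}

# Exit status 0 if XDMCP is enabled (Enable=true under [xdmcp]), 1 otherwise.
xdmcp_enabled() {
  [ "$(xdmcp_enable_value "$1")" = "true" ]
}

# Rewrite the file so the [xdmcp] section says Enable=false; every other line,
# including Port and MaxPending, passes through unchanged.
disable_xdmcp() {
  tmp="$1.tmp"
  awk -F= '
    /^\[/ { in_xdmcp = ($0 == "[xdmcp]") }
    in_xdmcp && $1 == "Enable" { print "Enable=false"; next }
    { print }
  ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Demo against the constructed file.
conf=$(mktemp)
make_sample_conf "$conf"
if xdmcp_enabled "$conf"; then
  echo "XDMCP is enabled in $conf; disabling it"
  disable_xdmcp "$conf"
fi
echo "Enable is now: $(xdmcp_enable_value "$conf")"
rm -f "$conf"
```

After the change, restart gdm so that it stops listening on the XDMCP port; a listening-socket check (for example with `netstat -an`) confirms that UDP port 177 is gone.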

BSCW

BSCW, a Web-based groupware system, has a vulnerability that can be used to read any file on the system that is readable by the user running the Web server. The attack has two parts. First, the attacker prepares a carefully crafted tar file that contains symbolic links to files on the BSCW server. Then, once this tar file has been extracted in the BSCW "data-bag," the attacker follows the symbolic links and downloads the linked files. For example, the attacker can download the BSCW password file and gather information for other attacks.

The developers of BSCW have released patches for this vulnerability and it is recommended that all users of BSCW apply them as soon as possible.
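The BSCW problem is a general one: any service that unpacks user-supplied tar archives into a directory it later serves must refuse entries that can point outside that directory. The script below is an added example, not BSCW's code or its patch; it uses the archive listing from the system `tar` (assumed to accept `-c`, `-t`, `-v` and `-f`, as GNU and BSD tar do) to flag symbolic links, hard links, absolute names and `..` path components before anything is extracted. The two sample archives are constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example (not from BSCW): vet a tar archive before extracting it into a
# shared area. Assumption: "tar -tvf" prints an ls-style mode string as the
# first field ("l" for symlink, "h" for hard link), as GNU and BSD tar do.

# Constructed sample archives: one clean, one carrying a symbolic link that
# points outside the extraction directory.
make_samples() {
  work="$1"
  mkdir -p "$work/clean/docs" "$work/bad"
  echo "hello" > "$work/clean/docs/readme.txt"
  echo "note" > "$work/bad/note.txt"
  ln -s /etc/hosts "$work/bad/hosts-link"
  (cd "$work/clean" && tar -cf ../clean.tar docs)
  (cd "$work/bad" && tar -cf ../bad.tar note.txt hosts-link)
}

# Print one line per entry an extractor should refuse:
#   link: ...  symbolic or hard link (mode string starts with l or h)
#   path: ...  absolute name or a ".." component that escapes the target dir
unsafe_entries() {
  archive="$1"
  tar -tvf "$archive" | awk 'substr($1,1,1) ~ /[lh]/ { print "link: " $0 }'
  tar -tf "$archive" | awk '/^\// || /(^|\/)\.\.(\/|$)/ { print "path: " $0 }'
}

# Exit status 0 only when the listing contains no unsafe entry.
archive_is_safe() {
  [ -z "$(unsafe_entries "$1")" ]
}

# Demo against the constructed archives.
work=$(mktemp -d)
make_samples "$work"
for a in "$work/clean.tar" "$work/bad.tar"; do
  if archive_is_safe "$a"; then
    echo "$a: safe to extract"
  else
    echo "$a: REJECTED"
    unsafe_entries "$a"
  fi
done
rm -rf "$work"
```

Rejecting the archive is only half of the fix: the extraction directory should also be owned by a dedicated account rather than the Web server user, so that a link which does slip through cannot reach configuration or password files readable by the server.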

Solaris Printer Daemon

The Sun Solaris BSD print protocol daemon in.lpd has a buffer overflow that can be used by a remote attacker to execute arbitrary code on the server as the root user. This buffer overflow has been reported to affect the SPARC and x86 versions of Solaris 2.6, 7, and 8.

Sun has released patches to fix this buffer overflow, and it is recommended that they be applied as soon as possible.

HP-UX Line Printer Daemon

The HP-UX line printer daemon rlpdaemon has a remotely exploitable buffer overflow that can be used by an attacker to execute arbitrary commands as the root user. This has been reported to affect HP-UX versions 10.01, 10.10, 10.20, 11.00, and 11.11.

Users should apply the appropriate patch for this problem as soon as possible.

Unused Services

Many systems are exposed to attacks such as the Solaris or HP-UX printer daemon buffer overflows even though they never use the vulnerable application. Keeping current with security announcements is a very good way to protect a system, but it is just as important to turn off unused services, so that an application nobody uses can never make the system vulnerable.
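Both printer daemons in this column are typically started on demand by inetd or xinetd, so the audit the column recommends starts with those configuration files. The script below is an added example, not from the column: it lists which services are still enabled in an inetd.conf and in an xinetd.d directory, and disables a named one (commenting out the inetd.conf line, or setting `disable = yes` in the xinetd service file). The configuration files are constructed inline, in the format inetd and xinetd use, so the script runs offline; the file names `inetd.conf` and `xinetd.d/printer` are the usual ones but stand in for whatever your system has.

```shell
#!/bin/sh
# Added example (not from the column): audit and disable inetd/xinetd services.
# Assumptions: inetd.conf lines are "service socket proto wait user server args"
# with "#" comments; xinetd service files use "disable = yes|no" attributes.

# Constructed sample configuration, standing in for /etc/inetd.conf and /etc/xinetd.d.
make_samples() {
  root="$1"
  mkdir -p "$root/xinetd.d"
  cat > "$root/inetd.conf" <<'EOF'
# service  socket  proto  wait    user  server           args
ftp        stream  tcp    nowait  root  /usr/sbin/tcpd   in.ftpd
#telnet    stream  tcp    nowait  root  /usr/sbin/tcpd   in.telnetd
printer    stream  tcp    nowait  root  /usr/sbin/tcpd   in.lpd
EOF
  cat > "$root/xinetd.d/printer" <<'EOF'
service printer
{
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = root
        server      = /usr/sbin/in.lpd
        disable     = no
}
EOF
  cat > "$root/xinetd.d/echo" <<'EOF'
service echo
{
        type        = INTERNAL
        socket_type = stream
        wait        = no
        disable     = yes
}
EOF
}

# Print the enabled service names in an inetd.conf: lines that are neither
# comments nor blank and have the six mandatory fields.
inetd_enabled() {
  awk '$1 ~ /^#/ { next } NF >= 6 { print $1 }' "$1"
}

# Print the enabled services in an xinetd.d directory: one file per service,
# enabled unless it carries "disable = yes" (spaces around "=" optional).
xinetd_enabled() {
  for f in "$1"/*; do
    awk -v name="$(basename "$f")" '
      /^[ \t]*disable[ \t]*=/ { split($0, kv, "="); v = kv[2]; gsub(/[ \t]/, "", v); if (v == "yes") off = 1 }
      END { if (!off) print name }
    ' "$f"
  done
}

# Disable a service in inetd.conf by commenting out its line (usage: name file).
inetd_disable() {
  awk -v svc="$1" '$1 == svc { print "#" $0; next } { print }' "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Disable an xinetd service by forcing "disable = yes", adding the attribute
# before the closing brace if the file had none (usage: dir name).
xinetd_disable() {
  f="$1/$2"
  awk '
    /^[ \t]*disable[ \t]*=/ { print "\tdisable     = yes"; seen = 1; next }
    /^}/ && !seen { print "\tdisable     = yes"; seen = 1 }
    { print }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Demo against the constructed files.
demo=$(mktemp -d)
make_samples "$demo"
echo "inetd services enabled:";  inetd_enabled "$demo/inetd.conf"
echo "xinetd services enabled:"; xinetd_enabled "$demo/xinetd.d"
inetd_disable printer "$demo/inetd.conf"
xinetd_disable "$demo/xinetd.d" printer
echo "after disabling printer:"; inetd_enabled "$demo/inetd.conf"; xinetd_enabled "$demo/xinetd.d"
rm -rf "$demo"
```

After editing the real files, send inetd or xinetd a SIGHUP (or restart it) so the change takes effect, and confirm with `netstat -an` that the printer port is no longer listening; a daemon started from an rc script rather than the super server needs its own startup entry removed as well.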

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.