Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a vulnerability in sendmail; buffer overflows in Solaris's Yellow Pages password server, dtterm, and AIX's lpd; and problems in CDE ToolTalk, OpenUnix 8's login, BSAFE SSL-J Software Developer Kit, OpenServer's vi, and FreeBSD's OpenSSH.
sendmail, a commonly used email server, has been reported to be vulnerable to several local attacks that can be used by an attacker to destroy information, gain access to unauthorized information, and execute arbitrary code with the permissions of the user running the email server.
It is recommended that users upgrade to version 8.12.1 of sendmail as soon as possible.
The CDE (Common Desktop Environment) ToolTalk RPC database service is a message-brokering system that allows CDE applications to communicate between different hosts and platforms. The ToolTalk RPC database server rpc.ttdbserverd has a format-string vulnerability that can be exploited to run arbitrary code as root. Vulnerable systems include: UnixWare, Open Linux, AIX, HP-UX, and Solaris.
Affected users should check with their vendor for a patch for this problem. Vendors that have announced a patch include Compaq Computer, Hewlett-Packard, IBM, The Open Group, and Sun.
The Solaris Yellow Pages (also known as NIS) password server rpc.yppasswdd has a buffer overflow that can be exploited by a remote attacker to gain root permissions. Solaris 2.6, 7, and 8 have been reported to be vulnerable to this buffer overflow if they are running the rpc.yppasswdd daemon. A script to automate exploiting this vulnerability has been released. Symptoms of a possible attack include rpc.yppasswdd not running (the attack causes the process to crash), and the presence of an additional running
A workaround for this vulnerability is to stop the rpc.yppasswdd server. Doing this will prevent Yellow Pages users from changing their password. It is recommended that affected users apply the appropriate patch to their system.
The terminal application dtterm has a buffer overflow that on some platforms can be exploited by a local attacker to gain root access. It has been reported that the buffer overflow is exploitable under OpenUnix 8, UnixWare, Tru64 5.1, and HP-UX.
It is suggested that any set-user-ID bits be removed from dtterm until a patch has been installed that fixes this buffer overflow.
The xlock application distributed with OpenUnix 8 has been reported to have a vulnerability that can be exploited to execute commands with root permissions.
Users of OpenUnix 8 should watch Caldera for a patch for this problem.
There are three buffer overflows in the line printer daemon lpd distributed with AIX versions 4.3 and 5.1 (and possibly earlier versions) that can be used by an attacker to gain root permissions. Exploiting two of the buffer overflows requires that the attacker's machine be listed in /etc/hosts.equiv. To exploit the remaining buffer overflow, the attacker must be able to control the machine's DNS server.
IBM recommends that users upgrade AIX 4.3 with patch APAR #IY23037 and AIX 5.1 with patch APAR #IY23041 as soon as they become available. Versions of AIX earlier than 4.3 are no longer supported by IBM, and no patches for these operating systems will be released.
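The ToolTalk format-string bug and the three buffer-overflow advisories above (rpc.yppasswdd, dtterm, lpd) share one root cause: a program running as root hands untrusted input to a C library call that either does not bound the copy or interprets the input as a format string. The following is an added illustration for readers of this column, not code from any of the affected daemons or from their vendors' patches; the daemon scenario, the 64-byte name buffer and all function names are constructed for the example. It places the vulnerable pattern beside a hardened version for both bug classes, and adds the cheap boundary check a defender would log on.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a root-privileged daemon receives a peer name (say,
 * from a DNS answer) and logs it. Nothing here is code from rpc.ttdbserverd,
 * rpc.yppasswdd, dtterm or lpd; the buffer size and function names are
 * invented for illustration. */

#define NAME_MAX_LEN 64

/* Unsafe pattern behind the buffer-overflow advisories: an unbounded copy
 * into a fixed buffer. A name of 64 bytes or more writes past the end. */
void store_peer_name_unsafe(char dst[NAME_MAX_LEN], const char *name)
{
    strcpy(dst, name);
}

/* Hardened: measure first and refuse names that do not fit, rather than
 * truncating silently (which can quietly turn one name into another).
 * Returns 0 on success, -1 when the name is too long. */
int store_peer_name(char dst[NAME_MAX_LEN], const char *name)
{
    size_t len = 0;
    while (len < NAME_MAX_LEN && name[len] != '\0')
        len++;
    if (len == NAME_MAX_LEN)        /* no room left for the terminating NUL */
        return -1;
    memcpy(dst, name, len + 1);     /* copies the NUL as well */
    return 0;
}

/* Unsafe pattern behind the ToolTalk advisory: peer-controlled text used as
 * the format string itself, so %x, %s and %n inside it are interpreted. */
void log_peer_unsafe(const char *name)
{
    fprintf(stderr, name);
}

/* Hardened: the format string is a literal and the untrusted text is only
 * ever an argument. Renders into out so the result can be inspected; the
 * peer text comes through byte for byte, directives and all. */
char *render_log_line(char *out, size_t outsz, const char *name)
{
    snprintf(out, outsz, "connection from %s", name);
    return out;
}

/* Cheap check at the trust boundary: a host name never legitimately
 * contains '%', so its presence is worth flagging as suspicious on its own. */
bool looks_like_format_directive(const char *name)
{
    return strchr(name, '%') != NULL;
}
```

The point of refusing rather than truncating in store_peer_name is that a name used for an access decision (as lpd's /etc/hosts.equiv lookup is) must be stored exactly or not at all.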
The speechd daemon implements a device named /dev/speech that will convert any text written to it into speech. Versions 0.54 and earlier have a vulnerability that can be exploited to execute arbitrary code with root permissions.
It is recommended that users upgrade to version 0.55 or newer as soon as possible.
The login application shipped with OpenUnix 8 can be abused by any local user to read arbitrary files on the system as root. The login application checks for nologin while still retaining superuser permissions.
This problem is reported to be corrected in the current CVS version. Users can upgrade login to this version or watch for an official patch.
It has been reported that there is a security vulnerability in the BSAFE SSL-J Software Developer Kit released by RSA Security that can be used by a remote attacker to bypass client authentication by using a false client certificate. This vulnerability has been reported to affect version 2.0 of Cisco's iCDN (Internet Content Distribution Network).
Cisco recommends that users of iCDN upgrade to version 2.0.1. Users of the BSAFE SSL-J Software Developer Kit should contact RSA Security for a repaired version.
This problem was repaired quickly by Hushmail.com. They described the problem as a straightforward problem caused by not using htmlspecialchars() in a portion of their code.
The vi editor that is included in all versions of OpenServer is vulnerable to a symbolic link race condition attack against its temporary files. This vulnerability can be used to write arbitrary files with the permissions of the user running
Caldera recommends that all users of OpenServer upgrade their vi editor as soon as possible.
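The symbolic-link race in OpenServer's vi is the classic temporary-file mistake: the editor opens a predictable name in a world-writable directory, and whoever pre-creates that name as a link decides where the write lands. The example below is added for illustration and is not Caldera's vi or its fix; the /tmp/ed. name prefix and all function names are constructed. It contrasts the predictable-name pattern with mkstemp() and the post-open check that catches a swapped path.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed example: not OpenServer's vi or Caldera's fix. The prefix
 * /tmp/ed. and all function names are invented for illustration. */

/* Unsafe pattern (the bug class in the vi advisory): a predictable name in a
 * world-writable directory, opened without O_EXCL. If someone has already
 * created /tmp/ed.<pid> as a symbolic link, open() follows it and the editor
 * overwrites whatever the link points at, with the editing user's rights. */
int open_recovery_file_unsafe(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/ed.%ld", (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: mkstemp() replaces the XXXXXX in template_path with random
 * characters and opens the file with O_CREAT|O_EXCL, so a pre-existing entry
 * (link or otherwise) is never followed; it simply tries another name.
 * template_path is rewritten in place so the caller can unlink it later.
 * Returns the descriptor or -1. */
int open_recovery_file(char *template_path)
{
    int fd = mkstemp(template_path);
    if (fd < 0)
        return -1;
    /* mkstemp creates mode 0600 on current systems; enforce it anyway for
     * older libcs that applied the umask instead. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(template_path);
        return -1;
    }
    return fd;
}

/* Post-open check worth keeping even with mkstemp: the descriptor must refer
 * to a regular file we own, the path must not have been swapped for a link,
 * and the name must still point at the inode we opened. Returns 1 if all of
 * that holds, 0 otherwise. */
int recovery_file_is_private(int fd, const char *path)
{
    struct stat by_fd, by_name;

    if (fstat(fd, &by_fd) != 0 || lstat(path, &by_name) != 0)
        return 0;
    if (!S_ISREG(by_fd.st_mode) || S_ISLNK(by_name.st_mode))
        return 0;
    if (by_fd.st_dev != by_name.st_dev || by_fd.st_ino != by_name.st_ino)
        return 0;
    if (by_fd.st_uid != geteuid())
        return 0;
    if ((by_fd.st_mode & (S_IRWXG | S_IRWXO)) != 0)   /* group/other bits set */
        return 0;
    return 1;
}
```

The fstat/lstat comparison matters because the race is against the name, not the descriptor: once the file is open, every later write should go through the descriptor, and the name should only be used to unlink it.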
OpenSSH on FreeBSD machines can be used by a local attacker to read any file on the system with root privileges. The problem is caused by OpenSSH not dropping privileges before processing the login class capability database and files.
Affected users should watch FreeBSD for a patch to fix this problem.
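The OpenUnix 8 login problem and the FreeBSD OpenSSH problem above come from the same mistake: a program running as root opens a file whose name the unprivileged user influences before giving up root, so the kernel's permission check never applies. The following is an added example, not the code of either program or of their fixes; the function names are constructed. It shows the unsafe open beside one that switches to the invoking user for the open and restores privilege afterwards, plus an ownership check for files that must belong to the user.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed example, not the OpenUnix 8 login or FreeBSD OpenSSH code;
 * function names are invented for illustration. */

/* Unsafe pattern: a set-user-ID-root program opens a path the unprivileged
 * user can influence (a file under the user's home, a name taken from the
 * environment) while its effective uid is still 0. Root passes every
 * permission check, so any file on the system can be read this way. */
int open_user_file_unsafe(const char *path)
{
    return open(path, O_RDONLY);
}

/* Hardened: temporarily become the invoking (real) user for the open, so
 * the kernel applies that user's permissions, then restore the saved
 * effective uid for the remainder of the program. When the program is not
 * set-user-ID, real and effective uid already match and nothing changes.
 * Returns the descriptor or -1 with errno set by the failing call. */
int open_as_invoking_user(const char *path)
{
    uid_t real = getuid();
    uid_t saved = geteuid();
    int fd, err;

    if (saved != real && seteuid(real) != 0)
        return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW);   /* also refuse a symlink leaf */
    err = errno;
    if (saved != real && seteuid(saved) != 0) {
        /* could not regain privilege: fail closed rather than carry on */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = err;
    return fd;
}

/* For files that must belong to the user (a per-user login configuration,
 * for instance): refuse anything the invoking user does not own, even if
 * it was readable. Returns 1 if the open file is owned by the real uid. */
int fd_owned_by_invoking_user(int fd)
{
    struct stat st;

    if (fstat(fd, &st) != 0)
        return 0;
    return st.st_uid == getuid();
}
```

Dropping to the real uid only around the open is the minimal fix; a program that has finished everything it needs root for should drop privilege permanently with setuid() instead, which is what the FreeBSD advisory's wording ("not dropping privileges before processing") points at.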
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.