Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a problem in SysV-derived
login programs; buffer overflows in
getty, and Load Sharing Facility; and problems in
script, Cisco Secure Integrated Software, JRun Java Application Server, Mandrake Linux's Apache, HP-UX's
rlpdaemon, ATPhttpd, and Unix Manual.
Some versions of the
login program have a vulnerability that can be used by a remote attacker to execute arbitrary commands as the root user. Systems reported to be vulnerable include Sun Solaris (versions 8 and earlier) and OpenServer (version 5.0.6a and earlier). It is not known if other SysV-based
login programs are vulnerable. The problem is caused by
login not properly handling long environmental variables passed to it by daemons such as
Both Sun and Caldera have released updated
login packages and affected users should upgrade to the appropriate package as soon as possible.
script utility is used to record a log of an interactive shell session. It has a vulnerability that can be exploited to overwrite arbitrary files on the system with the permissions of the user executing
script utility uses
typescript as its default output file and does not check for a hard link before writing the file.
script should upgrade to the latest version and avoid executing it in directories to which other users can write.
Cisco Secure Integrated Software, also known as the IOS Firewall Feature set and as the Context Based Access Control, has a bug that can, under some circumstances, allow traffic that should have been denied by the dynamic access control lists to pass through the firewall. Only systems that implement CBAC are vulnerable to this bug. Cisco has reported that the affected router models are: 800, 820, 950, 1400, 1600, 1700, 2500, 2600, 3600, 4000 Gateway, 4224, 7100, 7200, 7400, 7500, SOHO 70, ubr900, and ICS7750. Also affected are Catalyst 5000 and 6000 devices, if the are running Cisco IOS.
Cisco recommends that affected users upgrade their Cisco IOS software to the appropriate release level.
The JRun Java application server has a vulnerability that can be used by an attacker to view the source code of Java Server pages and other files. This vulnerability has been reported to affect versions 2.3.3, 3.0, and 3.1 of the JRun Java application server.
Users of JRun should disable the SSI support in the Web server and should watch Allaire for a patch to fix this vulnerability.
The Apache Web server has a vulnerability that can be used by a remote attacker to bypass directory index restrictions, and a problem in the Perl-proxy management software that could be used to gather information about the system.
New packages for Mandrake Linux have been released, and it is recommended that all users of Apache upgrade as soon as possible.
The set user id root
rlpdaemon printer daemon distributed with HP-UX has a problem that can be exploited by a local attacker to create or append to any file. An attacker can use this problem to create a file that can be leveraged into root access. It has been reported that versions 10.20 and 11.00 of HP-UX are affected by this problem. It is not required that printers be configured for this problem to be exploited.
Users should contact HP for a fix for this problem, and should consider disabling the printer subsystem if it is not being used.
ATPhttpd is a small caching Web server designed for serving a large amount of static content. It is vulnerable to a denial-of-service attack using a very long URL.
Users should watch ATPhttpd's Web site for an updated version.
The PHP script Unix Manual allows the viewing of Unix man pages with a Web browser. The script does not filter for unsafe characters, and can be exploited by a remote attacker to execute arbitrary shell commands with the permissions of the user executing the Web server.
Users of this script should disable it until it has been modified to filter out shell meta-characters.
frox, a transparent FTP proxy, has a buffer overflow that can under some circumstances be exploited remotely to execute arbitrary code with the permissions of the user running
frox. The exploit requires that the FTP server return a long string in reply to the client's MDTM request.
It is recommended that users upgrade to version 0.6.7 or newer as soon as possible.
getty program distributed with OpenServer 5.0.6a and earlier is vulnerable to a buffer overflow that can be used by a remote attacker to gain root access to the server.
Caldera recommends that users upgrade their
getty program to a repaired version.
Load Sharing Facility is a set of utilities that are used to share, monitor, and analyze work across multiple computers. Load Sharing Facility has several problems that can be used to read any file on the system, and several buffer overflows in set user id root executables that can be used to execute arbitrary code with root permissions.
Platform has released a patch for Load Sharing Facility version 4.2 on all major platforms, and is working on patches for other versions and platforms. Users should contact Platform for details and help with configuration changes that may fix many of the vulnerabilities.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.