Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

Buffer Overflows Abound

02/11/2002

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in mutt, groff, OpenServer's lpstat, and mIRC; and problems in Plesk, OpenLDAP, mrtgconfig, dnrd, Perdition, DeleGate, BSCW, Oracle9iAS Web Cache, and FreeBSD's AIO.

mutt

The email client mutt has a buffer overflow that can be exploited by a remote attacker to execute code with the permissions of the user running mutt.

Users should watch their vendor for an updated mutt package that repairs this problem.

Plesk

Plesk is a Web-based front end, written in PHP, for administering Unix-based Web servers. Versions of Plesk before 2.0 have a vulnerability that can allow an attacker to read the source of all of Plesk's PHP files and so obtain information such as passwords.

Plesk recommends that users upgrade to version 2.0 and turn off the UserDir directive in their Web server.

OpenLDAP

A problem in OpenLDAP can be used to make unauthorized changes to non-mandatory fields in the database. In OpenLDAP 2.0.8 and later, only authenticated users can exploit this problem, but in versions earlier than 2.0.8 anonymous users can abuse it as well. OpenLDAP versions 1.2.x are not vulnerable to this problem.

It is recommended that users upgrade OpenLDAP to version 2.0.21 or newer.

mrtgconfig

mrtgconfig is a Web-based front end for the Multi Router Traffic Grapher (MRTG). MRTG monitors network traffic and creates HTML pages with the statistics. mrtgconfig has a path disclosure vulnerability and can also be manipulated into displaying the first line of any file on the system that is readable by the user executing the Web server. Version 0.5.9 of mrtgconfig has been reported to be vulnerable to these problems.

Users should watch mrtgconfig's home page for a repaired version.

dnrd

The proxy DNS daemon dnrd has a vulnerability that can be used to crash the server and, under some circumstances, may be exploitable to gain additional permissions.

Users should watch their vendor for an updated package.

Perdition

Perdition, a mail-retrieval proxy server, is vulnerable to a format-string bug in the required library vanessa_logger. This vulnerability can be used by a remote attacker to execute arbitrary code on the server with the permissions of the user executing Perdition. Version 0.0.1 of the library vanessa_logger is reported to be vulnerable.

It is recommended that users disable Perdition until the vanessa_logger library has been upgraded to version 0.0.2 or newer. It is reported that the vanessa_logger library can be found here. It is also recommended that Perdition be executed using the --username and --group options to cause it to run with normal user permissions.
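The format-string bug class behind the vanessa_logger advisory, as an added C example (this is not Perdition's or vanessa_logger's code): the unsafe shape is shown in a comment only, the hardened logger passes the untrusted message solely as a `%s` argument, and the `perdition` prefix and sample messages are constructed.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape (described here, deliberately not compiled): a logger
 * that forwards the caller's message as the printf format, for example
 *     snprintf(buf, len, msg);      or      vsyslog(prio, msg, ap);
 * lets a remote message such as "%x %x %n" drive the format parser. */

/* Hardened logger: the format is a literal owned by the logging code and
 * the untrusted message is only ever consumed by a "%s" conversion. */
int log_line(char *out, size_t outlen, const char *prefix, const char *msg)
{
    return snprintf(out, outlen, "%s: %s", prefix, msg);
}

/* Front end for callers that really have a format string. The attribute
 * makes GCC/clang check call sites, so passing a non-literal format (the
 * bug class above) is reported at compile time under -Wformat-security. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
int log_fmt(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Pushes a message through the hardened path and returns 1 if it comes out
 * verbatim after the constructed "perdition: " prefix (11 bytes), i.e. any
 * directives in it were treated as plain data rather than interpreted. */
int logged_verbatim(const char *msg)
{
    char out[128];
    int n = log_line(out, sizeof out, "perdition", msg);
    return n > 0 && (size_t)n < sizeof out && strcmp(out + 11, msg) == 0;
}
```

Compiling with `-Wformat -Wformat-security` turns a non-literal format reaching `log_fmt` or any printf-family call into a warning, which is the cheapest way to find this class in a code base.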

DeleGate

DeleGate is a multi-purpose application-level gateway, or proxy server. Versions 7.7.0 and 7.7.1 have a cross-site scripting vulnerability that can be used by an attacker to execute arbitrary scripts in the victim's browser.

Users should upgrade to DeleGate version 7.8.0.

BSCW

BSCW (Basic Support for Cooperative Work), a Web-based groupware server, has a problem in the default configuration that allows users to register accounts on the server, and a vulnerability related to unfiltered shell metacharacters that can be used by an attacker to execute arbitrary commands on the server with the permissions of the user running the Web server.

It is recommended that users decide whether self-registration is acceptable and configure the system appropriately, and that they watch for a patch for the unfiltered shell metacharacters vulnerability.

Oracle9iAS Web Cache

The Oracle9iAS Web Cache is vulnerable to an attack that can be used by a local attacker to overwrite files with the permissions of the Oracle user, gain access to the Oracle account, and obtain the password for the Web Cache administrator account.

Users should contact Oracle for a patch to repair this problem.

groff

The grn preprocessor that is part of the groff document-formatting system has a buffer overflow that may be exploitable to gain additional privileges.

Affected users should upgrade to a repaired version as soon as possible. If printing is not needed on the system, users should consider removing or disabling the printing system.

FreeBSD AIO

AIO is a POSIX standard for asynchronous I/O. Under some conditions, AIO under FreeBSD can be exploited to gain additional privileges. AIO is not enabled by default in the FreeBSD kernel.

The security requirements of the system should be considered before AIO is enabled on a FreeBSD machine.

OpenServer lpstat

The lpstat commands supplied with OpenServer versions 5.0.6a and earlier have a buffer overflow that can be used by a local attacker to gain additional privileges.

Caldera recommends that users upgrade the lpstat command as soon as possible, or remove its set group id bit.

mIRC

The Windows IRC client mIRC has a buffer overflow that can be exploited by a specially crafted IRC server to execute arbitrary code on the user's machine. It is possible to create a Web page that, when viewed with Internet Explorer, will execute mIRC and connect it to the specified IRC server. This vulnerability affects all versions of mIRC prior to version 6.0.

Anyone with mIRC installed on their machine should remove it or upgrade it to version 6.0 as soon as possible.

UnixWare 7 and Open Unix timed

The time daemon in.timed that is supplied with all versions of UnixWare 7 and with version 8.0.0 of Open Unix does not enforce null termination of strings. This may be exploitable as part of a denial-of-service attack.

Caldera recommends that affected users upgrade the in.timed binary or, if timed is not needed, disable the binary.
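A worked C example of the missing null termination the in.timed advisory describes, added here and not taken from timed itself: `FIELD_LEN` and the sample inputs are constructed, and the hardened copy treats the input as a byte count off the wire rather than as a C string.

```c
#include <stddef.h>
#include <string.h>

#define FIELD_LEN 32   /* constructed fixed-size field, like a host name in a timed packet */
/* Returns 1 if buf contains a NUL within its first len bytes. memchr()
 * never reads beyond len, so this is safe to run on raw wire data. */
int is_nul_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* The pattern behind the advisory: strncpy() into a fixed buffer writes no
 * terminator once src is FIELD_LEN bytes or longer, and every later
 * strlen()/printf("%s") on it reads past the field. Returns whether the
 * copy ended up terminated; no out-of-bounds read happens here. */
int strncpy_leaves_terminator(const char *src)
{
    char dst[FIELD_LEN];
    strncpy(dst, src, sizeof dst);
    return is_nul_terminated(dst, sizeof dst);
}

/* Hardened copy for network input: src_len is the byte count actually
 * received, never strlen(), because the peer may omit the terminator.
 * Rejects anything that cannot be stored with a NUL and always leaves dst
 * a valid (possibly empty) C string. Returns 0 on success, -1 if rejected. */
int copy_field_checked(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    const char *nul;
    size_t n;
    if (dst_len == 0)
        return -1;
    nul = memchr(src, '\0', src_len);       /* honour a sender-supplied NUL */
    n = nul ? (size_t)(nul - src) : src_len;
    if (n >= dst_len) {                     /* no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Runs copy_field_checked() on a constructed wire buffer and returns the
 * resulting string length, or -1 if the field was rejected. */
long checked_copy_len(const char *src, size_t src_len)
{
    char dst[FIELD_LEN];
    if (copy_field_checked(dst, sizeof dst, src, src_len) != 0)
        return -1;
    return (long)strlen(dst);
}
```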

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Copyright © 2009 O'Reilly Media, Inc.