Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Insecure Web Proxy Servers

by Noel Davis
02/25/2002

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at insecure Web Proxy Servers; buffer overflows in ncurses, Squid, hanterm, and ripMime; and problems in gnujsp, the NetBSD kernel, jmcce, the IRIX Unified Name Service Daemon, and Chuid.

Insecure Web Proxy Servers

Some insecurely configured Web proxy servers can be exploited by a remote attacker to make arbitrary connections to unauthorized hosts. Two common abuses of a misconfigured proxy server are to use it to bypass firewall restrictions and to send spam email. A server is used to bypass a firewall by connecting to the proxy from outside the firewall and then opening a connection to a host inside the firewall. A server is used to send spam by connecting to the proxy and then having it connect to an SMTP server. It has been reported that many Web proxy servers are distributed with insecure default configurations.

Users should carefully configure Web proxy servers to prevent unauthorized connections. It has been reported that http://www.monkeys.com/security/proxies/ contains secure configuration guidelines for many Web proxy servers. We cannot verify the accuracy of this information, and if there are any questions, users should contact their vendors.
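The two abuses described above leave a recognisable trace in a proxy's access log: an external client being tunnelled to an address inside the protected network, or any client being connected to an SMTP port. The following script is an added example, not part of the column or of any proxy's own tooling; it applies that policy to a few constructed Squid-style access.log lines. The protected networks, the single port CONNECT is allowed to reach, and the log lines themselves are assumptions chosen for the example, not values from the column.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Assumed policy for this example: the networks the proxy is meant to protect,
# the only port a CONNECT tunnel may reach, and the SMTP port used for relaying.
PROTECTED_NETS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_CONNECT_PORTS = {443}
SMTP_PORT = 25

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code size method url ident hierarchy/peer type
SAMPLE_LOG = """\
1014595200.123    120 203.0.113.7 TCP_MISS/200 5321 GET http://www.example.com/index.html - DIRECT/192.0.2.80 text/html
1014595201.456     80 203.0.113.7 TCP_MISS/200 0 CONNECT 10.0.0.5:22 - DIRECT/10.0.0.5 -
1014595202.789     95 198.51.100.9 TCP_MISS/200 0 CONNECT mail.example.net:25 - DIRECT/192.0.2.25 -
1014595203.001     60 10.0.0.42 TCP_MISS/200 0 CONNECT www.example.com:443 - DIRECT/192.0.2.80 -
"""


def _is_protected(addr: str) -> bool:
    """True if addr is an IP literal inside one of the protected networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # a hostname, not an address
        return False
    return any(ip in net for net in PROTECTED_NETS)


def _destination(method: str, url: str, hierarchy: str):
    """Return (host, port, next_hop_ip) for one logged request."""
    if method == "CONNECT":     # CONNECT logs only host:port
        host, _, port = url.rpartition(":")
        port = int(port)
    else:
        parts = urlsplit(url)
        host = parts.hostname or ""
        port = parts.port or {"http": 80, "https": 443, "ftp": 21}.get(parts.scheme, 80)
    # Squid records the next hop as e.g. DIRECT/192.0.2.80; that is the resolved address
    next_hop = hierarchy.partition("/")[2]
    return host, port, next_hop


def classify(line: str) -> Optional[str]:
    """Return a reason string if the request matches an abuse pattern, else None."""
    fields = line.split()
    if len(fields) < 9:
        return None
    client, method, url, hierarchy = fields[2], fields[5], fields[6], fields[8]
    host, port, next_hop = _destination(method, url, hierarchy)
    client_inside = _is_protected(client)
    dest_inside = _is_protected(host) or _is_protected(next_hop)
    if not client_inside and dest_inside:
        return "firewall bypass: external client reached protected host"
    if port == SMTP_PORT:
        return "mail relay: connection to SMTP port"
    if method == "CONNECT" and port not in ALLOWED_CONNECT_PORTS:
        return "tunnel: CONNECT to non-allowed port"
    return None


def audit(log_text: str):
    """Run classify() over every line and collect (client, reason) findings."""
    findings = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            findings.append((line.split()[2], reason))
    return findings


if __name__ == "__main__":
    for client, reason in audit(SAMPLE_LOG):
        print(f"{client}: {reason}")
```

On the sample, the first and last lines pass (an ordinary fetch, and an internal client tunnelling to 443), while the second and third are flagged as a firewall bypass and an SMTP relay respectively. The same policy expressed as proxy ACLs is what the configuration guidelines referred to above aim at; running it over logs is the cheap way to confirm the ACLs actually hold.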

ncurses

ncurses 5.0 is vulnerable to a buffer overflow that may, under some circumstances (a set user id or set group id application linked to ncurses 5.0), be exploitable by an attacker to execute arbitrary code with unauthorized permissions. Red Hat Linux has reported that the ncurses 4 libraries shipped with Red Hat Linux 7.0, 7.1, and 7.2 are vulnerable to this buffer overflow, but that in a default installation they cannot be exploited to gain additional privileges.

It is recommended that users upgrade their ncurses library to a repaired version. Red Hat has made repaired packages available for their version of ncurses 4.

Squid HTTP Proxy

The Squid HTTP proxy server is vulnerable to a denial-of-service attack and a buffer overflow that may be exploitable by a remote attacker to execute arbitrary code with the permissions of the user executing Squid. The denial-of-service vulnerability is in Squid's SNMP interface. The buffer overflow is in the code that handles FTP URLs, and can also be used in a denial-of-service attack. In addition, there is a bug in the HTCP interface that leaves it enabled even when it has been disabled in the squid.conf file. These vulnerabilities have been reported to affect versions of Squid through 2.4.STABLE3.

The developers of Squid have released Squid-2.4.STABLE4 and it is recommended that all users upgrade as soon as possible.

gnujsp

gnujsp, an application that executes Java source code when it is inserted into a Web page, has a bug that can be exploited to read the contents of arbitrary directories and files on the server and can bypass HTTPD file and directory restrictions.

Users should upgrade gnujsp to a repaired version.

NetBSD Kernel

A vulnerability has been reported in versions of NetBSD released prior to January 14, 2002 that may be usable by a local attacker to gain root permissions. The attack is used with a set user id binary and involves using ptrace to modify the address space of the process.


The NetBSD Security Officer recommends that users upgrade or patch their kernel. It is also strongly recommended that users of early versions of NetBSD, such as NetBSD-1.3.x, upgrade to a recent release.

jmcce

jmcce, a program that is used to provide a Linux console in Chinese characters, is vulnerable to a temporary-file symbolic-link race condition that can be used to overwrite any file on the system.

Users should contact their vendor for an updated package. Users should also consider restricting access to jmcce to trusted users until it has been updated.
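A temporary-file symbolic-link race of the kind reported in jmcce comes down to one open() call: the program creates a file under a predictable name, and whatever already sits at that name (a symlink planted by a local user) is silently followed. The script below is an added example, not jmcce's code or anyone's patch for it; it stages the condition inside a private directory, with a constructed "victim" file standing in for the system file, and contrasts the unsafe open with one that uses O_CREAT|O_EXCL (and O_NOFOLLOW where the platform has it). File names and contents are constructed for the demonstration.

```python
import os
import tempfile


def unsafe_write(path: str, data: bytes) -> None:
    """The pattern the advisory describes: open a predictable path for writing,
    following whatever is already there."""
    with open(path, "wb") as fh:
        fh.write(data)


def safe_write(path: str, data: bytes) -> None:
    """Hardened form: O_EXCL refuses any pre-existing entry, symlink included,
    and O_NOFOLLOW refuses to follow a symlink at the final component."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def safe_tempfile(directory: str) -> str:
    """Preferred fix: let mkstemp pick an unpredictable name and open it with
    O_EXCL itself, so there is no name for anyone to plant in advance."""
    fd, path = tempfile.mkstemp(dir=directory, prefix="console-")
    os.close(fd)
    return path


def demo() -> dict:
    """Stage the race in a private directory and report what each open did."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")      # stands in for a system file
        with open(victim, "w") as fh:
            fh.write("original\n")
        link = os.path.join(d, "predictable.tmp")    # the guessable temp-file name
        os.symlink(victim, link)                     # planted before the program runs

        unsafe_write(link, b"clobbered\n")           # follows the link
        with open(victim) as fh:
            after_unsafe = fh.read()

        with open(victim, "w") as fh:                # restore, then retry hardened
            fh.write("original\n")
        try:
            safe_write(link, b"clobbered\n")
            safe_refused = False
        except FileExistsError:                      # EEXIST from O_CREAT|O_EXCL
            safe_refused = True
        with open(victim) as fh:
            after_safe = fh.read()

        random_path = safe_tempfile(d)
        random_name_differs = os.path.basename(random_path) != "predictable.tmp"

    return {
        "after_unsafe": after_unsafe,
        "safe_refused": safe_refused,
        "after_safe": after_safe,
        "random_name_differs": random_name_differs,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The unsafe open rewrites the victim through the link; the hardened open fails with EEXIST and the victim keeps its contents. Note that O_EXCL alone is enough to refuse the planted link, which is why it belongs in every temp-file open even on platforms without O_NOFOLLOW, and why the advice to restrict jmcce to trusted users until patched is the right stopgap: the race only matters when an untrusted local user can pre-create the name.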

hanterm

The Hangul terminal application hanterm is an X11 terminal application that reads and displays Korean characters. It is vulnerable to a buffer overflow that can be exploited to execute code with the permissions of the utmp group. An attacker that can execute code as the utmp group can write arbitrary information to the wtmp and utmp files that are used to log login information.

Users should watch for a patch to hanterm that fixes this vulnerability, and should consider restricting access to trusted users.

IRIX Unified Name Service Daemon

The IRIX unified name service daemon nsd has a bug in the function that limits the size of the cache. This bug can be remotely exploited, causing nsd's cache to grow until it fills the file system, resulting in a denial of service. SGI reports that this bug is present in the default installation of IRIX 6.5.4m/f through 6.5.11m/f.

SGI reports that the bug in nsd has been repaired in IRIX version 6.5.12m/f.

Chuid

Chuid, a utility that allows non-Web-server owned PHP scripts to upload files when the PHP server is configured to use safe mode, has vulnerabilities that can be abused to change the user id of files outside the compile-time-specified upload directory and in some cases, change root-owned files.

It is recommended that users upgrade to version 1.3 of Chuid.

ripMime

ripMime is a mail filtering application. There is a buffer overflow in ripMime that may be exploitable by a local attacker to obtain increased privileges. The buffer overflow is in the code that handles file names, and is reported to affect versions 1.2.6 and earlier of ripMime.

Affected users should upgrade to the latest release of ripMime as soon as possible.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.