Welcome to Security Alerts, an overview of recent Unix and open source security advisories.
In this column, we look at a local root
vulnerability in Webmin; a bug in BSD-based TCP/IP stacks; a vulnerability in the Java Runtime Environment; buffer overflows in
listar, Imlib, and Open Unix and UnixWare 7's
rpc.cmsd; and problems
in Netscape, QPopper, PHP's
move_uploaded_file() function, Penguin Traceroute,
PHP Net Toolpack, and Mandrake's
Webmin, a Web-based system administration interface for Unix, is vulnerable to attacks that can be exploited to log in to Webmin as the root user.
When version Webmin 0.92-1 is installed from RPM, the
directory is created with insecure permissions. These permissions allow any local user to read the Webmin log containing the root user's cookie session ID, which can be used by the user to log in to Webmin as root.
If a user is granted a restricted set of Webmin functions they can, under some conditions, insert code that will read the root user's cookie session ID and permit them to connect to Webmin as root.
When remote servers are configured in Webmin with auto login enabled, a local user may be able to read the login name and passwords for these remote servers.
These problems have been repaired in Webmin version 0.93 and it is recommended that users upgrade as soon as possible. If remote servers were configured, users should consider changing their passwords on those servers.
Sun has announced that a vulnerability in the Java Runtime Environment's bytecode verifier can be exploited by an untrusted applet to increase its privileges. They also report that Netscape 6.2.1 and earlier and the Microsoft VM (through build 3802) are affected. The vulnerability does not affect the Java 2 SDK, Standard Edition, v 1.4.
Sun recommends that users upgrade to the latest production release of the Java Runtime Environment.
listar mailing list manager (now renamed to Ecartis) has a buffer overflow in the code that deals with the user input buffers. This buffer overflow may be exploitable to execute arbitrary code with the permissions of the
listar user account.
The Ecartis Core Team recommends that users should upgrade to Ecartis version 1.0.0-snap20020125 or newer as soon as possible, or pull the latest version from the CVS tree.
A bug in QPopper can be used in a denial-of-service attack. When a string is sent to QPopper that contains more than 2048 characters, the application will consume large amounts of CPU time. This bug is reported to affect versions 4.0.1 and 4.0.3 under Linux. It is not known if the bug affects earlier versions of QPopper.
Affected users should watch their vendor for an repaired version of QPopper.
The PHP function
move_uploaded_file() is not restricted by
safe_mode and may be usable to write to files to unauthorized locations. It
should be noted that this is not a bug; it is a documented feature.
It has been reported that the
move_uploaded_file() function will be modified in the next release of PHP to be aware of
should consider disabling
move_uploaded_file() in their
Penguin Traceroute is a Perl script that provides a Web-based
traceroute. The script does not properly filter user input, and can be exploited to execute arbitrary code on the server with the permissions of the user running the Web server.
It is recommended that users disable the Penguin Traceroute script until it has been repaired.
Imlib has vulnerabilities that can be exploited by creating images that can crash a viewer and, under some conditions, execute arbitrary code.
Users should upgrade to version 1.9.13 or newer of Imlib. Red Hat Linux has released errata packages that contain a repaired version of Imlib.
PHP Net Toolpack provides a Web-based interface to
whois. It does not properly check the user input for shell
meta-characters, and can be exploited by a remote attacker to execute
arbitrary commands on the server with the permission of the user
running the Web server.
It is recommended that users disable these scripts until they have been repaired.
The default configuration of the
kdm display manager in Mandrake Linux 7.1, 7.2, 8.0, and Corporate Server 1.0.1 allow XDMCP connections from any host. This can be used by a remote user to access a login
screen that can be used to list users on the system and to bypass
access control methods (such as
tcpwrappers and root login
restrictions). Mandrake Linux 8.1, 8.2, and systems not running
are not vulnerable.
Mandrake recommends that users edit the file
change the line that reads:
"* CHOOSER BROADCAST #any indirect host can get a chooser"
"#* CHOOSER BROADCAST #any indirect host can get a chooser"
rpc.cmsd daemon distributed with Open Unix and UnixWare 7 is
vulnerable to a buffer overflow that can, under come conditions, be
exploited by a remote attacker to execute arbitrary code on the server
with root permissions.
Caldera recommends that users upgrade to the repaired versions of
rpc.cmsd as soon as possible.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.