Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in sendmail, BIND, Snort,
zlib, terminal emulators, Internet
Message, Messaging in the Emacs World, and
sendmail is vulnerable to a buffer overflow in the code that parses email message headers. This buffer overflow can be exploited by a remote attacker using a carefully crafted email message and can result in the execution of arbitrary code, with root permissions in most cases. The attack against sendmail can be carried out even against machines that do not directly connect to outside networks if the email message is passed to a vulnerable machine by another mail transfer agent. A successful attack is reported to not leave any record in the system logs.
Systems that are not running sendmail in daemon mode (
-bd) may still
be vulnerable to this buffer overflow under some conditions. Due to
this possible vulnerability, users should ensure that old or unpatched
copies of sendmail that have any set user and set group ID bits be removed.
Sendmail, Inc., and the sendmail Consortium recommend that users of an open source version of sendmail upgrade to sendmail 8.12.8 as soon as possible. For those who are unable to upgrade to 8.12.8, patches are reported to be available for versions 8.9, 8.10, 8.11, and 8.12 of sendmail. Users not running an open source version of sendmail should watch their vendor for an updated version.
Repaired versions of sendmail will write the line "Dropped invalid comments from header address" when an email message with an invalid header has been dropped. This may or may not indicate an attack on the system.
The Internet Software Consortium (ISC) has released BIND version 9.2.2. The ISC security web page states: "ISC has discovered or has been notified of several bugs, which can result in vulnerabilities of varying levels of severity in BIND as distributed by ISC." ISC strongly recommends that users upgrade.
The network intrusion detection system Snort has a buffer overflow in the RPC normalization code that can be exploited using carefully crafted network packets that result in the execution of arbitrary code with root permissions. Versions of Snort between 1.8 through 1.9.0 are reported to be vulnerable. The RPC normalization code was added to help detect attacks that were attempting to hide from the intrusion detection system using fragmented RPC traffic.
It is recommended that users upgrade to version 1.9.1 of Snort as soon
as possible. If it is not possible to upgrade, users should comment
out the line "
preprocessor rpc_decode" in the file snort.conf.
file, a command-line utility used to identify and display the type of
file based on a system magic file, is vulnerable to a local attack
using a specially constructed data file that, when identified with the
utility file, will execute arbitrary code with the permissions of the
user running file. Versions of the
file utility through version 3.39 have
been reported to be vulnerable. A script to generate an exploit data
file has been released to the public.
Users should upgrade to the
file version 3.41 or newer or they should
watch their vendor for an updated package.
The network sniffer
tcpdump is vulnerable to a denial- of-service attack use ISAKMP packets (UDP port 500). One possible use of this
vulnerability by an attacker is to prevent the monitoring of other
attacks. This vulnerability has been reported in tcpdump versions:
3.6, 3.6.3, and 3.7.1.
It is recommended that users filter packets with a destination of port
tcpdump has been patched.
gzprintf() supplied with the
zlib library has a buffer
overflow. It may be exploitable to execute arbitrary code with the
permissions of the user running any application linked to the library
and using the function.
Users should upgrade to
zlib 1.1.4 or they should watch their vendor for
Several terminal emulators have a set of features that can be abused by an attacker. For example, the terminal emulator Eterm can be used to create files on the victim's system, execute arbitrary commands, or to trick the user into changing the window title. Terminal emulators reported to be vulnerable to features such as this include: Eterm, xterm, rxvt, dtterm, uxterm, aterm, putty, gnome-terminal, and hanterm-xf. KDE's konsole, Gnome's gnome-terminal, Vandyke's SecureCRT, and Sasha Vasko's aterm are reported to be unaffected by this problem.
It is recommended that users watch their vendor for updated packages of affected terminal emulators and that extra care be taken when viewing files that may have untrusted data in them. Users should consider using KDE's konsole, Gnome's gnome-terminal, Vandyke's SecureCRT, or Sasha Vasko's aterm as their terminal emulator.
The Internet Message (IM) packages distributed with Red Hat Linux 7, 7.1, and 7.2 and the Messaging in the Emacs World (Mew) packages distributed with Red Hat Linux 7.3 and 8.0 are vulnerable to a symbolic link-race, condition-based attack. This vulnerability can be exploited by a local attacker to overwrite arbitrary files on the system with the permission of the user running IM or Mew.
Affected users should upgrade to repaired packages as soon as possible.
lprm utility under OpenBSD has a buffer overflow that may be
exploitable to execute arbitrary code with the permissions of the user that
lprm is running under (often root). A script to automate the exploitation of this vulnerability has been released. It is not known at this time if this buffer overflow affects other BSD distributions. It should be noted that starting at OpenBSD 3.2,
lprm is installed as set-user id daemon, and not root.
lprm should be patched as soon as possible. On systems where the
printing sub-system is not being used, users should consider removing
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.