Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts Sendmail Trouble

by Noel Davis
09/22/2003

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in Sendmail, OpenSSH, Pine, saned, MySQL, gtkhtml, and Solstice AdminSuite.

Sendmail

There is a remotely exploitable buffer overflow in versions of Sendmail through version 8.12.9. The buffer overflow is located in the prescan() function and can be exploited by a remote attacker to execute arbitrary code on the server with (in most cases) root permissions. There is also an additional buffer overflow in the code that handles rule set parsing that may be exploitable under some conditions.

All users of Sendmail should upgrade to Sendmail 8.12.10 or a repaired package from their vendors as soon as possible. Repaired packages have been announced for Red Hat Linux 7.1, 7.2, 7.3, 8.0, and 9; FreeBSD; Immunix 7+; Debian GNU/Linux 3.0 (both the stable and unstable branches have packages); Mandrake Linux 8.2, 9.0, 9.1, and the Mandrake Corporate Server 2.1; OpenPKG CURRENT, 1.2, and 1.3; SuSE Linux 7.2, 7.3, 8.0, 8.1, and 8.2; Conectiva Linux 7.0, 8, and 9; and Gentoo Linux. Users of other distributions or versions should contact their vendors for more information.


OpenSSH

A problem in the dynamic allocation and reallocation of memory in OpenSSH can cause a buffer overflow that can crash sshd and may, under some conditions, be exploitable to run arbitrary code with root permissions. There are also several other buffer overflows that are not thought to be exploitable. All of these buffer overflows are reported to affect OpenSSH versions through 3.7. In addition to the Unix operating systems affected by these problems, Cisco has announced that the following network software packages are vulnerable: Cisco Catalyst Switching Software (CatOS), CiscoWorks 1105 Hosting Solution Engine (HSE), CiscoWorks 1105 Wireless LAN Solution Engine (WLSE), and Cisco SN 5428 Storage Router.

Users should upgrade to version 3.7.1 of OpenSSH as soon as possible. Updated packages that repair this problem have been released for Conectiva Linux 7.0, 8, and 9; EnGarde Secure Linux (EnGarde Secure Community v1.0.1 and 2, EnGarde Secure Professional v1.1, v1.2, and v1.5); FreeBSD; Red Hat Linux 7.1, 7.2, 7.3, 8.0, and 9; OpenPKG; Mandrake Linux 8.2, 9.0, 9.1, Corporate Server 2.1, and Multi Network Firewall 8.2; Slackware 8.1, 9.0, and current; Sorcerer Linux; and Debian Linux (stable version).

MySQL

The MySQL database has a buffer overflow in the code that handles password checks (the get_salt_from_password() function). A user with global administrative permissions can exploit the buffer overflow to execute arbitrary code on the server with the permissions of the user running the daemon (often root). It is reported that the buffer overflow affects MySQL servers through version 4.0.14. A program to automate the exploitation of this vulnerability has been released to the public.

It is recommended that users upgrade to MySQL 4.0.15 as soon as possible and that they configure MySQL to run as a normal user using the --user=<dedicated user> command-line parameter.

Pine

The Pine email client available from the University of Washington is vulnerable to two buffer overflows that can be exploited by a remote attacker using a carefully constructed email. When the user opens the attacker's email, the buffer overflow will occur and arbitrary code will be executed with the permissions of the user.

It is recommended that all users upgrade to Pine 4.58 as soon as possible and that users consider not using Pine until it has been repaired.

saned

The SANE network daemon (Scanner Access Now Easy) is reported to have the following problems: users can make an initial connection to the daemon even if their host is not allowed to use the scanner; under some conditions, a buffer overflow can occur when a connection is dropped; when the connection is dropped just before saned mallocs memory to hold a string, a denial-of-service condition on the server can occur; saned does not validate RPC numbers before reading the parameters; when debug messages are turned on and a connection is dropped, saned can crash; and under some conditions, saned may allocate too much memory.

Users should watch for a repaired version. A workaround for saned allocating too much memory is to use ulimit to restrict the amount of memory it can allocate. Debian has released an updated package that repairs these problems.


gtkhtml

The gtkhtml library is used by Gnome applications, such as Evolution, to render HTML. The gtkhtml library contains two bugs that a remote attacker, using a carefully crafted web page, can exploit to crash applications that are linked to the library.

Users should upgrade to version 1.1.10 of the gtkhtml library.

Solstice AdminSuite

Flaws in the Solstice AdminSuite can be exploited by a remote attacker to execute arbitrary commands as root. The attacker can send a series of Remote Procedure Call (RPC) requests to the sadmind daemon that will allow the attacker to authenticate to the server as an authorized user of Solstice AdminSuite. The attacker can then spawn a root shell or issue other commands.

Users that do not require the Solstice AdminSuite should comment out sadmind from /etc/inetd.conf and then restart the inetd daemon. Users that require Solstice AdminSuite should protect it from unauthorized connections using a firewall and configure it to use STRONG (AUTH_DES) security by changing the line in /etc/inetd.conf to read:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
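As an added illustration (not from the column or from Sun), the following POSIX shell/awk helper audits an inetd.conf-style file for active sadmind entries that do not request AUTH_DES with -S 2, and prints a hardened copy for review. The function names, file paths, and sample configuration lines are constructed for this example.

```shell
#!/bin/sh
# check_sadmind FILE: exit 0 when every active (uncommented) sadmind line
# carries "-S 2", exit 1 otherwise, printing each weak line. Commented-out
# sadmind lines are ignored, since disabling the service is also acceptable.
check_sadmind() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # comment or blank line
        $1 ~ "^100232/" || $6 ~ /sadmind$/ {         # RPC program 100232 = sadmind
            hardened = 0
            for (i = 7; i < NF; i++)                 # server args start at field 7
                if ($i == "-S" && $(i + 1) == "2") hardened = 1
            if (!hardened) { weak++; print "weak: " $0 }
        }
        END { exit (weak > 0) }
    ' "$1"
}

# harden_sadmind FILE: print the file with every active sadmind line set to
# "-S 2" (an existing -S value is replaced, otherwise "-S 2" is appended).
# Output goes to stdout; review it before replacing /etc/inetd.conf.
harden_sadmind() {
    awk '
        !/^[ \t]*#/ && ($1 ~ "^100232/" || $6 ~ /sadmind$/) {
            hardened = 0
            for (i = 7; i < NF; i++)
                if ($i == "-S") { $(i + 1) = "2"; hardened = 1 }
            if (!hardened) $0 = $0 " -S 2"
        }
        { print }
    ' "$1"
}

# Constructed sample configurations (not taken from any real system).
WEAK_CONF=$(mktemp)
printf '%s\n' '# sample inetd.conf fragment' \
    '100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind' > "$WEAK_CONF"
STRONG_CONF=$(mktemp)
printf '%s\n' \
    '100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2' > "$STRONG_CONF"
DISABLED_CONF=$(mktemp)
printf '%s\n' \
    '#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind' > "$DISABLED_CONF"
```

Run check_sadmind against /etc/inetd.conf on the host; a non-zero exit means at least one active sadmind entry still accepts weaker authentication.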

It has been reported that Sun is not planning a patch for this issue.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.