Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts: New Apache

by Noel Davis
11/05/2003

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a new release of Apache, and problems in fileutils, coreutils, anonftp, Kpopup, CUPS, Libnids, PostgreSQL, thttpd, mod_security, and the Linux Java Installer.

Apache 2.0.48

A new version of Apache has been released that fixes two security problems. The mod_cgid module can, when a threaded MPM is being used, send the output of a CGI application to the wrong client. The mod_alias and mod_rewrite modules contain buffer overflows that may be exploitable by a local user when a configured regular expression contains more than nine captures.

It is recommended that users upgrade to Apache 2.0.48.

fileutils and coreutils

The ls command distributed with the fileutils and coreutils packages can be used in a denial-of-service attack when it is used with certain command-line parameters. It also has a buffer overflow bug in the code that handles its command-line parameters, which is reported to not be exploitable. Both of these problems can be exploited remotely through applications such as wu-ftp.

Users should watch their vendor for updated fileutils and coreutils packages. Updated packages have been released for Red Hat Linux 7.1, 7.2, 7.3, and 8.0, and Conectiva Linux versions 7.0, 8, and 9.


anonftp

The anonftp packages contain a version of the ls command that has the same problems as the ls command in the fileutils and coreutils packages.

All users of anonftp should watch their vendor for an updated version. Updated anonftp packages have been released for Conectiva Linux versions 7.0, 8, and 9.

Kpopup

Kpopup, an application used to send and receive Microsoft Windows WinPopup messages, can be exploited by a local attacker to gain a root shell. Kpopup is reported to be installed set user id root and uses the system() function to call the killall command. By creating an exploit script named killall, and by manipulating the PATH environment variable prior to executing Kpopup, the attacker can cause Kpopup to execute the exploit script with root permissions. A script to automate the exploitation of this vulnerability has been released.

Anyone not using the functionality of Kpopup should remove any set user id or set group id permissions from it until it has been patched or upgraded. Users should watch their vendors for a repaired version.
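The Kpopup problem is the textbook failure of a set-user-id program: system("killall") hands the caller's environment to /bin/sh, which resolves "killall" through the caller's PATH. The following is an added example, not Kpopup's code or the column's, showing how a privileged program should spawn a helper instead: refuse anything but a fixed absolute path, and exec it directly with a fixed environment rather than through the shell. The helper path and environment string are assumptions chosen for illustration; whether the helper needs privileges at all is a separate question, and dropping them first is the better fix when it does not.

```c
/* Added example: spawning a helper safely from a set-user-id program.
 * Not from Kpopup or the column; paths and environment are illustrative. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only an absolute path with no ".." components, so neither the
 * caller's PATH nor a relative prefix can redirect the helper. */
int is_fixed_helper_path(const char *path)
{
    if (path == NULL || path[0] != '/')
        return 0;
    for (const char *p = path; *p; p++) {
        if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0') &&
            p[-1] == '/')
            return 0;
    }
    return 1;
}

/* Exec the helper directly (no /bin/sh) with a fixed environment, so
 * inherited PATH, IFS, LD_* and friends never reach it.  Returns the
 * helper's exit status (0..255), or -1 if the path is refused or the
 * process could not be created. */
int run_fixed_helper(const char *path, const char *arg)
{
    static char path_env[] = "PATH=/usr/bin:/bin"; /* assumed sane PATH for the helper itself */
    char *const envp[] = { path_env, NULL };
    char *const argv[] = { (char *)path, (char *)arg, NULL };

    if (!is_fixed_helper_path(path))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127); /* execve only returns on failure */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* "killall" alone is refused: it would have been resolved via PATH. */
    printf("relative name -> %d\n", run_fixed_helper("killall", NULL));
    /* A fixed absolute path is run directly; /bin/true is used as a stand-in helper. */
    printf("/bin/true     -> %d\n", run_fixed_helper("/bin/true", NULL));
    return 0;
}
```

The point of the example is the contrast with system(): the shell is never involved, the binary location is decided at compile time, and the child's environment is whatever the privileged program chooses rather than whatever the invoking user set.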

CUPS

The printing system CUPS has a bug in the IPP (Internet Printing Protocol) code that can be used by a remote attacker to cause a denial-of-service in the printer daemon. The attacker must be able to connect to the IPP port (631 in a default installation) to execute this attack.

Users of CUPS should upgrade to a repaired version or watch their vendors for updated packages. Red Hat has released updated packages for Red Hat Linux 8.0 and 9. If CUPS is not being used on a system, then disabling it or removing it should be considered.

Libnids

Libnids is a component of a network intrusion detection system that emulates the IP stack of Linux 2.0.x and provides IP defragmentation, TCP stream assembly, and TCP port scan detection. Libnids contains a buffer overflow in the code that handles packet reassembly that, under some conditions, may be exploitable to execute code with root permissions.

It is recommended that all users of Libnids upgrade to version 1.18 or newer as soon as possible. Packages containing Libnids version 1.18 have been released for Conectiva Linux 7.0, 8, and 9.

PostgreSQL

The PostgreSQL database is vulnerable to a buffer overflow in the to_ascii() family of functions that may be used by a remote attacker to execute arbitrary code with the permissions the database is running under.

Affected users should upgrade to PostgreSQL version 7.3.4 or a repaired package from their vendors as soon as possible. The OpenPKG project and Conectiva Linux have released repaired packages.


thttpd

A buffer overflow and an information disclosure vulnerability have been found in thttpd. thttpd is a small web server that is designed to be fast and secure. The buffer overflow can be remotely triggered but is not thought to be exploitable. The information disclosure bug is in the code that handles virtual hosting. When exploited, this bug will allow a remote attacker to read any file on the system that the user account that thttpd is running under can read.

Users should watch their vendor for an updated version that repairs these problems. SuSE has released a repaired package for SuSE Linux 7.3, 8.0, 8.1, 8.2, and 9.0.

mod_security

The mod_security module for Apache 2 is reported to be vulnerable to a buffer overflow in the sec_filter_out() function that can, under some conditions, be exploited by a remote attacker to execute code with the permissions of the user running Apache. The remote attacker must have some method of uploading a script onto the server before this attack can be successful.

Users should upgrade to version 1.7.2 of mod_security as soon as possible.

Linux Java Installer

The install program used to install Sun's JRE/JDK under Linux is vulnerable to several symbolic-link race conditions that can be used by a local attacker to overwrite arbitrary files on the system with, in most cases, root permissions. This problem is reported to affect both the binary installer and the RPM-based install.

On multiuser machines, it may be wise to bring the machine to single-user mode and check the contents of the /tmp directory for the files /tmp/.mailcap1, /tmp/.mime.types1, and /tmp/unpack.log before doing the install.
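A symbolic-link race of this kind works because the installer later opens a predictable name in /tmp that another local user may already have created as a link to a file of their choosing. The check the column recommends can be done programmatically; the following is an added example, not part of the column or of Sun's installer, that classifies each expected name with lstat() (which does not follow links) and counts the ones that should block the install. The scratch directory, the planted link target and the file names used in the self-test are constructed for the demonstration.

```c
/* Added example: pre-install check of predictable /tmp names.
 * Not from the column or from the Java installer; inputs are constructed. */
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum tmp_state {
    TMP_ABSENT   = 0, /* nothing exists under this name: safe to proceed   */
    TMP_SYMLINK  = 1, /* a planted link: the installer would follow it     */
    TMP_FOREIGN  = 2, /* a file owned by another user: also untrustworthy  */
    TMP_OWN_FILE = 3  /* our own leftover: harmless but should be removed  */
};

/* lstat() reports on the link itself, never on what it points to. */
int classify_tmp_entry(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return TMP_ABSENT;
    if (S_ISLNK(st.st_mode))
        return TMP_SYMLINK;
    if (st.st_uid != getuid())
        return TMP_FOREIGN;
    return TMP_OWN_FILE;
}

/* Number of names that must block the install (symlink or foreign file). */
int count_unsafe_tmp_entries(const char *const *paths, size_t n)
{
    int unsafe = 0;
    for (size_t i = 0; i < n; i++) {
        int s = classify_tmp_entry(paths[i]);
        if (s == TMP_SYMLINK || s == TMP_FOREIGN)
            unsafe++;
    }
    return unsafe;
}

/* Self-test: plant a symlink and a plain file in a scratch directory, then
 * classify both.  Returns 10*state(link) + state(plain file), or -1 on error. */
int demo_planted_entries(void)
{
    char dir[] = "/tmp/tmpcheck.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char link[300], target[300], plain[300];
    snprintf(link,   sizeof link,   "%s/.mailcap1", dir);  /* one of the installer's names */
    snprintf(target, sizeof target, "%s/target", dir);     /* constructed, harmless link target */
    snprintf(plain,  sizeof plain,  "%s/unpack.log", dir);

    int result = -1;
    FILE *f = fopen(plain, "w");
    if (symlink(target, link) == 0 && f != NULL) {
        fclose(f);
        const char *const names[] = { link, plain };
        int unsafe = count_unsafe_tmp_entries(names, 2);
        if (unsafe == 1)
            result = 10 * classify_tmp_entry(link) + classify_tmp_entry(plain);
    } else if (f != NULL) {
        fclose(f);
    }
    unlink(link);
    unlink(plain);
    rmdir(dir);
    return result;
}

int main(void)
{
    const char *const names[] = { "/tmp/.mailcap1", "/tmp/.mime.types1", "/tmp/unpack.log" };
    int unsafe = count_unsafe_tmp_entries(names, 3);
    printf("%d of %d predictable names are unsafe; %s\n", unsafe, 3,
           unsafe ? "do not install" : "ok to proceed");
    printf("self-test: %d (expect 13: link=1, plain file=3)\n", demo_planted_entries());
    return unsafe ? 1 : 0;
}
```

Running the check in single-user mode, as the column suggests, matters as much as the check itself: a clean result is only meaningful if no other user can create the name between the check and the installer's open().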

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.