Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)
 See this if you're having trouble printing code examples


Security Alerts

FTP Buffer Overflows

04/17/2001

Alerts this week:

FTP Globbing

Pine

Netscape

Midnight Commander

Oracle Application Server

Solaris ipcs

mkpasswd

Solaris Xsun

Alcatel ADSL-Ethernet Bridges

HylaFAX

cfingerd

SCO OpenServer

Trend Micro Interscan VirusWall

Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at buffer overflows in many FTP daemons, Oracle Application Server, Solaris ipcs, Solaris Xsun, and a whole list of programs in SCO OpenServers; temporary file race conditions in pine and pico; format string bugs in HylaFAX and cfingerd; a bug that allows Netscape to execute JavaScript placed in a GIF comment; and problems in Midnight Commander, mkpasswd, Alcatel ADSL-Ethernet Bridges, and Interscan VirusWall.

FTP globbing

Many FTP daemons are vulnerable to a buffer overflow attack when executing FTP commands such as CWD, DELE, MKD, and STOU that use the glob() function call. Systems that are vulnerable to this type of attack include: FreeBSD 4.2, OpenBSD 2.8, NetBSD 1.5, IRIX 6.5.x, HPUX 11, Solaris 2.6, Solaris 7, and Solaris 8.

It has been reported that NcFTPd and vsftpd are not vulnerable to this attack. It is not clear which daemons have a remotely exploitable condition and which have only a denial-of-service vulnerability.

Users should watch their vendors for an update for their FTP daemons.

Pine

The pine email package, including the pico editor, does not properly create temporary files. A race condition in the creation of these temporary files can be used by a malicious user to overwrite arbitrary files on the system with the permissions of the user executing pine or pico.

This race condition has been fixed in pine 4.33 and it is recommended that users of pine upgrade as soon as possible.

Netscape

Under some circumstances, Netscape can be made to execute JavaScript code embedded inside a GIF comment. A remote attacker may be able to exploit this bug and obtain data stored on the local machine. This problem affects Netscape version 4.76.

Users should disable JavaScript or upgrade to Netscape 4.77 or newer.

Midnight Commander

Midnight Commander is a Ncurses console-based file manager for Unix systems. A vulnerability has been discovered that can be exploited by a malicious user to execute arbitrary commands as the user running Midnight Commander. The attacker exploits the vulnerability by creating directories with carefully crafted names that are then parsed by Midnight Commander as it traverses these directories.

Anyone using Midnight Commander should upgrade to version 4.5.51 or newer as soon as possible.

Oracle Application Server

It has been reported that Oracle Application Server 4.0.8.2 has a buffer overflow in the shared library ndwfn4.so that is exploitable when used by the iPlanet Web Server.

Although Oracle has been unable to duplicate this problem, users should watch Oracle for a patch if one becomes available.

Solaris ipcs

The Solaris ipcs application has a buffer overflow in its use of the TIMEZONE environmental variable that may be exploited by a malicious user to gain root user privileges.

It is recommended that users remove the set user ID bit from ipcs and watch Sun for a patch.

mkpasswd

The expect script mkpasswd shipped with Red Hat Linux versions 6.2 and 7 generates a small total number of potential passwords. The small number of potential passwords introduces a vulnerability that can be used by an attacker to minimize the time necessary to find user passwords using a dictionary-based password-cracking program.

Users of Red Hat Linux versions 6.2 or 7 should check the Red Hat Web site for updated versions, and should manually select their passwords until mkpasswd has been fixed.

Solaris Xsun

The Solaris Xsun application has a buffer overflow that can be exploited by a local user to execute arbitrary code with elevated permissions. The SPARC version of Solaris has Xsun installed "set user group root," while the X86 versions of Solaris have Xsun installed "set user ID root."

If Xsun is executed via dtlogin or xdm, users can remove the set user ID and set group ID bits without losing any functionality. Users should watch the Sun web site for a patch.

Alcatel ADSL-Ethernet Bridges

A set of problems in the Alcatel ADSL-Ethernet bridge can allow a remote attacker to modify the bridge's configuration, upload new firmware, and stop it from communicating with the ADSL provider. The following problems have been reported. By default, these devices ship with no password set; if the password was set by the user, it can be retrieved by an attacker using TFTP. There is also a cryptographic back door that can be used to bypass the password and other security features.

Users should check the Alcatel web site for updated firmware.

HylaFAX

HylaFAX is an application used to send and receive facsimiles, and send alphanumeric pages. It has been reported that there is a format string bug in HylaFAX that may be exploited to gain root privileges.

Anyone using HylaFAX should watch for confirmation and a fix for this problem.

cfingerd

Cfingerd, a configurable replacement for the finger daemon, has a format string vulnerability that can be used by a remote attacker to obtain root privileges. This vulnerability affects version 1.4.3 and earlier.

Users of cfingerd should disable the daemon until a fix has been made to the software.

SCO OpenServer

Buffer overflows have been found in SCO OpenServer 5.0.00 through 5.0.6. Applications found to have buffer overflows include:

All administrators of affected SCO OpenServer systems should install the SSE072B patch dated April 11, 2001.

Trend Micro Interscan VirusWall

Trend Micro Interscan VirusWall, a real-time virus detection and clean-up tool that runs on Linux and other Unix systems, has several bugs that could allow a remote attacker to obtain root privileges.

Users should upgrade to Interscan VirusWall version 3.6 as soon as possible.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


Read more Security Alerts columns.

Return to the Linux DevCenter.

Copyright © 2009 O'Reilly Media, Inc.