Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

Remote Root Exploit in QPopper

06/11/2001

Welcome to Security Alerts, an overview of recent Unix and open-source security advisories.

In this column, we look at buffer overflows in the Solaris mail utility, Qpopper, and TIAtunnel; temporary-file race conditions in Imp, kmmodreg, and ispell; format-string vulnerabilities in GnuPG and exim; denial-of-service attacks against NetBSD and Fpf; and problems in OpenSSH, the Cisco Content Service Switch, and BestCrypt.

GnuPG

The GNU Privacy Guard, GnuPG, has a format-string vulnerability that an attacker can use to execute arbitrary code with the permissions of the user running GnuPG. Using the --batch parameter (as email clients that call GnuPG usually do) prevents exploitation of this vulnerability.

It is recommended that users upgrade GnuPG to version 1.0.6.

NetBSD DOS

A vulnerability in NetBSD's IP stack can be attacked by sending a large number of fragmented IP packets. For each fragment it receives, NetBSD creates a reassembly queue and keeps it for 30 seconds. If an attacker quickly sends enough fragments that each carry a different IP identification field, the machine may stop communicating on the network. Several automated exploits for this vulnerability have reportedly been distributed.

It is recommended that systems running NetBSD-current from before April 17, 2001, upgrade to the latest NetBSD-current. Systems running NetBSD 1.5.x dated before April 24, 2001, should upgrade to NetBSD 1.5.x dated after April 24, 2001. These new versions introduce a new sysctl variable net.inet.ip.maxfragpackets that is used to control the upper limit of reassembly queues.
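The following is an added illustration, not NetBSD's ip_input.c, of why a cap on reassembly queues matters. It is a toy model: one queue per (source, IP identification) pair, each kept for 30 seconds, with an upper bound on the number of live queues standing in for the net.inet.ip.maxfragpackets sysctl. Without the bound, every fragment with a new identification field costs the kernel another queue for 30 seconds; with it, excess fragments are dropped instead. Names, the slot array size and the sample addresses are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAG_TTL_SECS 30      /* lifetime of a reassembly queue, as in the advisory */
#define MAX_SLOTS 1024        /* array size for this model; the enforced cap is a parameter */

typedef struct {
    uint32_t src;             /* source address of the fragmented datagram */
    uint16_t id;              /* IP identification field */
    int      in_use;
    long     expires_at;      /* seconds, monotonic clock supplied by the caller */
} fragq_t;

typedef struct {
    fragq_t q[MAX_SLOTS];
    int  cap;                 /* stands in for net.inet.ip.maxfragpackets */
    int  count;               /* live queues */
    long dropped;             /* fragments refused because the cap was reached */
} reasm_t;

void reasm_init(reasm_t *r, int cap) {
    memset(r, 0, sizeof *r);
    r->cap = cap > MAX_SLOTS ? MAX_SLOTS : cap;
}

/* Reclaim queues whose 30-second timer has run out. */
void reasm_expire(reasm_t *r, long now) {
    for (int i = 0; i < MAX_SLOTS; i++)
        if (r->q[i].in_use && r->q[i].expires_at <= now) {
            r->q[i].in_use = 0;
            r->count--;
        }
}

/* A fragment arrives: attach it to the existing queue for (src, id) or
 * open a new one.  Returns 1 if accepted, 0 if dropped at the cap. */
int reasm_fragment(reasm_t *r, uint32_t src, uint16_t id, long now) {
    reasm_expire(r, now);
    int free_slot = -1;
    for (int i = 0; i < MAX_SLOTS; i++) {
        if (r->q[i].in_use) {
            if (r->q[i].src == src && r->q[i].id == id) return 1;
        } else if (free_slot < 0) {
            free_slot = i;
        }
    }
    if (r->count >= r->cap || free_slot < 0) {
        r->dropped++;
        return 0;
    }
    r->q[free_slot] = (fragq_t){ src, id, 1, now + FRAG_TTL_SECS };
    r->count++;
    return 1;
}

int main(void) {
    reasm_t r;
    reasm_init(&r, 3);                         /* constructed: cap of 3 queues */
    for (uint16_t id = 0; id < 5; id++)        /* 5 fragments, 5 different IDs */
        reasm_fragment(&r, 0x0a000001u, id, 0);
    printf("live queues: %d, dropped: %ld\n", r.count, r.dropped);
    reasm_fragment(&r, 0x0a000001u, 9, 31);    /* after expiry the slots free up */
    printf("live queues after 31s: %d\n", r.count);
    return 0;
}
```

The point of the model is the bound: with cap set to MAX_SLOTS the first loop would create one queue per identification value and memory use would track the attacker's send rate, which is the condition the advisory describes.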

Alerts this week: GnuPG, NetBSD DOS, OpenSSH, Solaris mail, Imp, Cisco Content Service Switch, Fpf, HPUX kmmodreg, BestCrypt, Qpopper, exim, TIAtunnel, Red Hat's xinetd, ispell, VirtualCart Shopping Cart.

OpenSSH

OpenSSH can be manipulated into deleting any file on the system that is named cookies. This vulnerability only affects OpenSSH clients that have X-forwarding enabled.

This vulnerability has been fixed in the OpenSSH CVS repository. Users of OpenSSH should watch for an updated release or compile a version from the CVS repository.

Solaris mail

There is a buffer overflow in the Solaris version of the /usr/bin/mail program that could be used by an attacker to gain the permissions of the mail group. It has been reported to affect the SPARC and x86 versions of Solaris 2.6, 7, and 8.

Users should remove access to /usr/bin/mail from untrusted users until a patch from Sun has been installed.

Imp

Imp, a web-based email client, does not safely create its temporary files when uploading or viewing attachments. This vulnerability creates a race condition that, if exploited, may allow an attacker to overwrite arbitrary files writable by the user running the web server. This vulnerability affects version 1.2.4 but may also affect earlier versions.

Users of Imp should upgrade to version 1.2.5 or newer as soon as possible.

Cisco Content Service Switch

The Cisco Content Service Switch does not properly restrict access to its web management system, allowing unauthenticated users access to secure data. This affects versions of Cisco WebNS earlier than 4.01B29s or 4.10B17s.

Users should upgrade as soon as possible to Cisco WebNS version 4.01B29s or 4.10B17s.

Fpf

The Fpf kernel module alters the Linux TCP/IP stack so that it emulates other operating systems' TCP/IP fingerprints and appears to tools such as nmap or queso to be a different OS. A bug in Fpf causes the kernel to panic when the IP stack receives a fragmented packet.

Users should watch for a new version of Fpf that fixes this problem.

HPUX kmmodreg

The HPUX utility kmmodreg has a symbolic-link race condition that an attacker can use to overwrite or create arbitrary files.

Users should install patch PHCO_24112 as soon as possible.

BestCrypt

BestCrypt allows users to create an encrypted loopback file system. The Linux version of BestCrypt has a vulnerability in the set-user-ID-root utility bctool that can be used to execute arbitrary code with the permissions of the root user.

Users of BestCrypt should remove the set user ID bit from bctool and upgrade to version 0.8 as soon as possible.

Qpopper

Qpopper, a server for POP mail, has a buffer overflow that may be exploitable to execute arbitrary code as the root user.

Users should upgrade to version 4.0.3 or newer of Qpopper as soon as possible.

exim

The Message Transfer Agent exim has a format-string vulnerability that may be exploitable if headers_check_syntax has been turned on.

Users of exim should watch for a patch.
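The GnuPG and exim items above are the same bug class: attacker-controlled text (a key user ID, a mail header) reaching a printf-family function as the format argument rather than as a %s argument. The block below is an added example, not GnuPG or exim code, showing the vulnerable shape beside the fixed one, and a conservative whitelist check for code that genuinely must accept a caller-supplied template. The logging wrapper log_fmt and the function names are assumptions for this example; the unsafe path is exercised only with "%%", which is defined behaviour, so the program simply shows that the input was parsed rather than copied.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Thin logging wrapper of the kind these bugs usually hide behind:
 * whatever reaches 'fmt' is parsed for % directives. */
static int log_fmt(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable pattern: the untrusted string *is* the format.  Directives
 * that consume arguments would read or write the stack; "%%" merely
 * shows that the text was interpreted, not copied. */
int log_line_unsafe(char *out, size_t n, const char *untrusted) {
    return log_fmt(out, n, untrusted);
}

/* Fixed pattern: constant format, untrusted text passed as data. */
int log_line_safe(char *out, size_t n, const char *untrusted) {
    return log_fmt(out, n, "%s", untrusted);
}

/* For code that must accept a caller-supplied template (a configurable
 * log format, say): permit only the listed conversion characters.
 * Length modifiers (%ld) are deliberately not accepted by this simple
 * check.  Returns 1 if every directive in 'fmt' is allowed, else 0. */
int format_is_allowed(const char *fmt, const char *allowed_conversions) {
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                          /* literal '%' */
        while (*p && strchr("-+ #0123456789.", *p)) p++;  /* flags, width, precision */
        if (*p == '\0' || !strchr(allowed_conversions, *p)) return 0;
    }
    return 1;
}

int main(void) {
    char buf[64];
    log_line_unsafe(buf, sizeof buf, "100%% done");
    printf("unsafe: %s\n", buf);   /* "100% done": the input was parsed as a format */
    log_line_safe(buf, sizeof buf, "100%% done");
    printf("safe:   %s\n", buf);   /* "100%% done": reproduced verbatim */
    printf("\"%%s from %%s\" allowed: %d\n", format_is_allowed("%s from %s", "s"));
    printf("\"%%s %%n\" allowed:     %d\n", format_is_allowed("%s %n", "s"));
    return 0;
}
```

Compilers catch the simplest form of this defect (a non-literal format with no further arguments) with -Wformat-security; the wrapper above is exactly the case that warning does not see, which is why the fixed pattern or the whitelist check is worth applying at every call that forwards user text into a format.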

TIAtunnel

TIAtunnel, an IRC relay or bouncer, has a remotely executable buffer overflow that can be used by an attacker to execute arbitrary code on the server with the permissions of the user executing TIAtunnel. An automated exploit for this vulnerability has been released.

Users should watch for an updated version of TIAtunnel and should consider turning TIAtunnel off until it has been fixed.

Red Hat's xinetd

xinetd, under Red Hat Linux 7 and 7.1, is started with a umask of 0. This will cause applications xinetd starts that do not set their own umask to create world-writable files. It has also been reported that there is a potential buffer overflow in the version of xinetd distributed with Red Hat Linux 7.

Affected users should upgrade xinetd to the latest package available from Red Hat.
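To make the xinetd item concrete, here is an added example (not xinetd code) of what an inherited umask of 0 does to files created by a service that never sets its own: a request for mode 0666 is stored as 0666 and the file is writable by every user on the system, where umask 022 would have left 0644. The third function is an audit helper that reads a running process's umask from the "Umask:" line of /proc/<pid>/status, which is assumed to be present (Linux 4.7 and later). Function names and the /tmp paths are assumptions for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Set 'mask', create a file asking for 0666 (what code that never
 * thinks about permissions asks for) inside a fresh mkdtemp() directory,
 * and return the permission bits the kernel actually stored.  The file
 * and directory are removed before returning; (mode_t)-1 on error. */
mode_t create_with_umask(mode_t mask) {
    char dir[] = "/tmp/umask-demo-XXXXXX";     /* constructed demo path */
    if (mkdtemp(dir) == NULL) return (mode_t)-1;
    char path[64];
    snprintf(path, sizeof path, "%s/f", dir);

    mode_t old = umask(mask);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);                                 /* restore the caller's umask */

    mode_t result = (mode_t)-1;
    struct stat st;
    if (fd >= 0 && fstat(fd, &st) == 0) result = st.st_mode & 07777;
    if (fd >= 0) close(fd);
    unlink(path);
    rmdir(dir);
    return result;
}

/* 1 if 'mode' grants write permission to "other". */
int is_world_writable(mode_t mode) {
    return (mode & S_IWOTH) != 0;
}

/* Audit helper: umask of a running process from /proc/<pid>/status
 * ("Umask:" line, assumed present on Linux 4.7+).  -1 if unreadable. */
long read_proc_umask(pid_t pid) {
    char path[64], line[128];
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    long mask = -1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "Umask:", 6) == 0) {
            mask = strtol(line + 6, NULL, 8);   /* value is printed in octal */
            break;
        }
    fclose(f);
    return mask;
}

int main(void) {
    mode_t m0 = create_with_umask(0), m22 = create_with_umask(022);
    printf("umask 000 -> %04o (world-writable: %d)\n", (unsigned)m0,  is_world_writable(m0));
    printf("umask 022 -> %04o (world-writable: %d)\n", (unsigned)m22, is_world_writable(m22));
    printf("this process's umask per /proc: %lo\n", read_proc_umask(getpid()));
    return 0;
}
```

The defensive rule the advisory implies: a daemon should call umask() itself early in startup rather than trust whatever its parent passed down, and an audit can confirm the value a long-running service is actually using with read_proc_umask rather than guessing from its init script.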

ispell

The ispell spell-checking program is vulnerable to a symbolic-link race condition attack. This vulnerability may be used to overwrite files with the permissions of the user executing ispell.

Users should upgrade to a patched version of ispell.
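Imp, kmmodreg and ispell in this column all share one defect: a temporary file created at a predictable name in a way that follows a symbolic link somebody else put there first. The block below is an added example, not code from any of those projects, showing the vulnerable open() beside two hardened alternatives, plus a self-test that plants a symlink inside a private mkdtemp() directory owned by the running process and reports whether a given opener wrote through it. All paths and function names are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable: predictable name, O_CREAT without O_EXCL.  If a symlink
 * already sits at 'path', open() follows it and the write lands on the
 * link's target with this process's privileges. */
int create_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL fails if anything (file or symlink) already exists at
 * 'path'; O_NOFOLLOW refuses a symlink in the final path component. */
int create_tmp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: let libc pick an unpredictable name and create it atomically.
 * 'template_inout' must end in XXXXXX and is overwritten with the name. */
int create_tmp_mkstemp(char *template_inout) {
    return mkstemp(template_inout);
}

/* Self-test of an opener against a pre-planted symlink.  Everything lives
 * in a fresh mkdtemp() directory (constructed demo paths).  Returns 1 if
 * the victim file was modified through the link, 0 if the opener refused,
 * -1 on setup error. */
int opener_follows_symlink(int (*opener)(const char *)) {
    char dir[] = "/tmp/race-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char victim[64], link[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/predictable.tmp", dir);

    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v < 0 || write(v, "original\n", 9) != 9) return -1;
    close(v);
    if (symlink(victim, link) != 0) return -1;  /* the "attacker's" link */

    int fd = opener(link);
    if (fd >= 0) {
        if (write(fd, "clobbered\n", 10) != 10) return -1;
        close(fd);
    }
    struct stat st;
    int followed = (stat(victim, &st) == 0 && st.st_size == 10);
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return followed;
}

int main(void) {
    printf("O_CREAT|O_TRUNC followed the symlink:        %d\n",
           opener_follows_symlink(create_tmp_unsafe));
    printf("O_CREAT|O_EXCL|O_NOFOLLOW followed the link: %d\n",
           opener_follows_symlink(create_tmp_safe));
    char tmpl[] = "/tmp/race-demo-XXXXXX";
    int fd = create_tmp_mkstemp(tmpl);
    printf("mkstemp created %s (fd %d)\n", tmpl, fd);
    if (fd >= 0) { close(fd); unlink(tmpl); }
    return 0;
}
```

When reviewing a program that writes temporary files, the thing to look for is exactly the first function: any open() or fopen() of a name the program could have predicted, without O_EXCL, in a directory other users can write to.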

VirtualCart Shopping Cart

The VirtualCart Shopping Cart web-based application has a bug that can be exploited by an attacker to execute arbitrary code with the permissions of the user running the web server.

Users of VirtualCart Shopping Cart should contact the vendor for a patch.



Copyright © 2009 O'Reilly Media, Inc.