Security Alerts: Vixie cron Exploit and More
11/20/2000
Welcome to Security Alerts, an overview of new Unix and open source security-related advisories and news. This week we cover a multitude of vulnerabilities. They range from Denial of Service attacks on telnetd and Sun AnswerBook2, to local and remote exploits on tcpdump, phf, SOCKS5, and more.
An exploit was announced that uses fopen() and a preserved umask vulnerability in Paul Vixie's cron. An attacker can use this vulnerability to create a world-writable file in /var/spool/cron. They would then be able to write arbitrary cron entries into that file, which would run as the user being attacked. It is reported that Mandrake 7.0, Red Hat versions 6.1 and earlier, Cobalt Linux, and Trustix are not vulnerable. Debian 2.2 and systems where Vixie cron has been installed manually are vulnerable. FreeBSD versions 2.1.x, 2.2.x, 3.x, 4.x, and -CURRENT are not vulnerable if launched by a normal user, but members of the wheel group can use the exploit successfully. A quick workaround is to chmod 700 /var/spool/cron.
Versions of OpenSSH prior to 2.3.0 are vulnerable to a compromised or hostile sshd server. Basically, if you disable the X11 forwarding in the client, the server can still forward X11 connections later in the session. A short-term workaround is to clear the $DISPLAY and the $SSH_AUTH_SOCK variables before connecting with OpenSSH, but it is recommended that you upgrade to version 2.3.0 or above.
The gnupg version of PGP (Pretty Good Privacy) digital signature/encryption can generate false positive results for messages with multiple signatures. In other words, if only some of the signatures are valid, it could still report that they were all correct. There are packages out for FreeBSD and Debian, or you can upgrade to a version newer than 1.04.
Vulnerabilities this week:
Versions 2.3.0 to 2.3.20 of modutils have a local root exploit. Vulnerable systems include Redhat 6.2, 6.2EE, 7.0 and 7.0J; Mandrake versions 7.1 and 7.2; Immunix OS 6.2 and 7.0-beta; SUSE 6.4 and 7.0; and perhaps more. Older systems using a version prior to 2.3.0 of modutils are not vulnerable. You should upgrade your modutils to a version newer than 2.3.20 as soon as you can.
A problem with how tcsh versions before 6.09.00-10 handled temporary files when using the << syntax can be used with a symlink attack to overwrite arbitrary files. Debian has packages out, or you can upgrade to version 6.09.00-10 or newer.
There is a potential Denial of Service attack using Sun's AnswerBook2. Sun's AnswerBook2 provides access to Sun documentation through its web server. The web server that Sun's AnswerBook2 uses is dwhttpd. As users read the documentation, dwhttpd builds PostScript files in /tmp and then downloads them to the user. If the user downloads the file, it is deleted; if the connection is broken, then the file is left in /tmp. If /tmp is not mounted with a size limit, this could lead to a system crash. Possible workarounds include: turning off AnswerBook2, setting a size limit on /tmp, or running a cron job to remove the AnswerBook2 files from /tmp.
The tcpdump network analysis tool and packet sniffer is often used as part of an intrusion detection system. Vulnerabilities have been found in tcpdump that can be used by a remote attacker to crash tcpdump or cause a buffer overflow. The buffer overflow could lead to a root compromise, as under normal conditions, tcpdump requires root privileges to run. This problem has been reported for SUSE 6.0, 6.1, 6.2, 6.3, 6.4, and 7.0, but any machine using versions earlier than 3.4a6 may be vulnerable. It is recommended that you stop using tcpdump until you upgrade to version 3.4a6 or newer.
Anyone who still has the phf cgi-bin program sitting in their web server's cgi-bin directory should remove it. Yet another exploit for it has been released. This current exploit claims to work on all versions of phf, including patched versions.
A remote exploit of SOCKS5 for X86 Linux has been announced. SOCKS5 provides port forwarding and is often used to provide services through a firewall. It is also part of NEC's e-Border proxy software. The exploit claims to work against SOCKS versions compiled under Turbolinux 4.05 and Red Hat 6.0 up to SOCKS5 version 1.0r10. I am no longer using SOCKS5, so I was unable to verify this exploit, and at the current time I am not aware of a workaround. The latest version available from NEC, the SOCKS v5 Reference Implementation, is version 1.0r11. I do not know that this version is safe, but I would upgrade to it if I were using SOCKS5.
CUPS (Common Unix Printing System)
CUPS (the Common Unix Printing System) is a portable printing layer for Unix. Earlier versions had a vulnerability that made CUPS printers accessible from anywhere on the Internet. Anyone using CUPS should upgrade to version 1.1.4-5 or newer.
Local root exploit in LBNL traceroute
Traceroute is a network tool used for looking at the path on a network between two hosts. It is normally installed setuid root because of its use of raw network sockets. A local root exploit has been reported that affects systems with and without nonexecutable stacks. You should remove traceroute's suid bit until you can upgrade the package.
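Removing the setuid bit from traceroute is a chmod u-s, but the same finding applies to any setuid binary awaiting a patch, so it is worth having a small inventory-and-revoke routine. The POSIX shell functions below are an added example, not code from the column or from the LBNL traceroute package: list_setuid enumerates setuid files under the given directories, count_setuid turns that into a number a cron job can compare against a known baseline, and drop_setuid clears the bit on one file and confirms it is gone. The demonstration at the bottom works on a constructed scratch file named traceroute rather than the real binary.

```shell
#!/bin/sh
# list_setuid DIR...
#   Print every regular file under the given directories whose setuid bit
#   (mode 4000) is set. Unreadable subtrees are skipped silently.
list_setuid() {
    find "$@" -type f -perm -4000 -print 2>/dev/null
}

# count_setuid DIR...
#   Number of setuid files under the given directories; handy for a nightly
#   job that compares against the count recorded after the last audit.
count_setuid() {
    list_setuid "$@" | wc -l | tr -d ' '
}

# drop_setuid FILE
#   Clear the setuid bit (the column's mitigation for traceroute) and return
#   0 only if the bit is verified absent afterwards.
drop_setuid() {
    chmod u-s "$1" || return 1
    # find prints the path only while the bit is still present
    [ -z "$(find "$1" -perm -4000 -print 2>/dev/null)" ]
}

# Stand-alone demonstration on a constructed file, so running this script
# never modifies a real system binary.
demo_dir=$(mktemp -d)
: > "$demo_dir/traceroute"
chmod 4755 "$demo_dir/traceroute"      # setuid, as a packaged traceroute is
echo "setuid files before: $(count_setuid "$demo_dir")"
drop_setuid "$demo_dir/traceroute" && echo "setuid bit removed"
echo "setuid files after:  $(count_setuid "$demo_dir")"
rm -rf "$demo_dir"
```

On a production host the inventory call would be something like `list_setuid /bin /sbin /usr/bin /usr/sbin`, and only entries owned by root matter for a root compromise; the test filter on owner is omitted here so the example runs under an unprivileged account.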
FreeBSD's version of the commonly used remote connection server telnetd can be used as a Denial of Service attack by setting the TERMCAP variable and causing telnetd to search an arbitrary file for termcap information, thus using I/O resources. This occurs before the authentication phase of the Telnet session, allowing an attacker to start a large number of connections. A patch has been released for FreeBSD.