oreilly.comSafari Books Online.Conferences.


Security Alerts

Security Alerts: Koules Local Root Exploit And More.


Welcome to Security Alerts, an overview of new Unix and open source security-related advisories and news. Problems this week include suid Oracle helper programs, replacement syslogd problems, and a couple of problems with Alladin Ghostscript.

Koules 1.4

It has been reported that there is a local root vulnerability and exploit for the SVGA game Koules. It requires that Koules be installed with a setuid root bit set, so some installations may not be affected.

Oracle Connection Manager Control binary

The Oracle Connection Manager Control binary (cmctl) has a local exploit that allows any user to become the user and group that Oracle is installed under. It works by exploiting a buffer overflow in cmctl. There is a published exploit for Linux, but this may have been ported to other architectures. A workaround for this problem is to remove the suid bit from the program. If you do not use the setuid bits on this program or on other Oracle helper programs, you may want to consider removing the suid bits on all of the Oracle helper programs.


A getty replacement for use with fax and data modem lines, mgetty has a vulnerability that can permit a local user to create or overwrite any file on the system. The problem is with the faxrunqd daemon that runs as root. The faxrunqd daemon will follow a symlink named .last_run that has been created in the world-writable /var/spool/fax/outgoing/ directory. The fix for this is to uninstall the package and replace it with a version dated after 10 Sep 2000.

WinVNC 3.3.x

The WinVNC program is a desktop remote control package. WinVNC 3.3.x has a problem in that the software stores its passwords in the Windows NT registry, and this can allow a remote user to remove the password using regedit. There are several problems with WinVNC: The passwords cross the network in the clear and are limited to 8 characters. If you need to use this software, make sure that you do not trust its security.


The multi-protocol file retrieval application curl has a buffer overflow that can be exploited by a hostile server that can cause curl to execute arbitrary code on the client. The fix for this is to upgrade your version of curl to the latest version.


The thttpd web server is a small and fast web server designed for simplicity. Versions prior to 2.20 allow remote viewing of arbitrary files on the server. This problem is caused by errors in the ssi cgi script. The script does not prevent the use of ".." in the path and will show files that are outside the root web directory. It will only show files that are readable by the user running the web server. The solution to this is to upgrade to a version newer than 2.20.

Big Brother

Big Brother is a Web-based network monitoring tool. Versions prior to 1.5d3 can allow an attacker to gather sensitive information about the system that Big Brother is running on and aid in brute force password attacks. It is recommended that users upgrade it to a version later than 1.5d3.

Balabit syslog-ng

Balabit syslog-ng is a replacement for the syslogd daemon. It can be crashed by sending it a malformed syslog message. This can be used by an attacker to limit the information recorded during an attack. The recommended solution is to upgrade to version 1.49a or newer.


A new problem with modutilities has been identified in the modprobe utility. It has a buffer overflow that can be used to execute arbitrary code as root. Specifically, the potential exploit uses ping to exploit modprobe. Check with your vendor for an updated package and, as a workaround, disable modprobe and take away the setuid bit from ping.

IBM HTTP server Denial of Service vulnerability

The IBM HTTP server based on Apache has a Denial of Service vulnerability. Passing the server an unusually long GET request will cause the server to stop responding. There is a possibility that this could be exploitable as a remote buffer overflow. To my knowledge at this time, no patches have been released to fix this problem.

Alladin Ghostscript

Alladin Ghostscript, a PostScript interpreter has two problems:

First there is a problem with the manner in which it uses the LD_RUN_PATH environment variable that can cause it to use libraries that are in the current directory. An attacker could use this problem to execute arbitrary code from a shared library. You should check with your vendor and upgrade to a version with this fixed.

The second problem is a race condition that can be used for a symbolic link attack. This can allow the attacker to read or write system files and possibly lead to a root compromise. The same fix that was applied for the first problem will also fix this one.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Discuss this article in the O'Reilly Network Linux Forum.

Return to the Linux DevCenter.


Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: