Security Alerts

IBM Websphere, Shockwave Flash, and emacs Advisories

01/08/2001

Welcome to the Security Alerts column, an overview of new Unix and open source security-related advisories and news. Problems this week include minor problems with sendmail, file exposure problems with Lotus Domino and News Desk, problems in the default setup of Informix Webdriver and IBM Websphere Commerce Suite, a buffer overflow in Shockwave Flash, denial of service attacks against login, privacy problems in emacs, a symlink attack in exmh, and a potential exploit against GTK+.

sendmail

Sendmail, Inc. and the Sendmail Consortium have released sendmail 8.11.2. Fixes in sendmail 8.11.2 include a segmentation fault in address test mode (not believed to be exploitable), IPv6 address problems, a problem with the Cyrus-SASL security layer, a problem with QueueSortOrder by host, delivery to set-user-ID files expanded from aliases, and many more.

Users should look at the changelog and upgrade if necessary.

Lotus Domino

Lotus Domino 5.0.5's web server has a vulnerability that can be used to read files outside the web server root. By using a carefully crafted URL, a remote user can read arbitrary files on the web server. This can be used to gather information on the system that can be used in an attack.

At this time no update or workaround for this problem is known.

News Desk

News Desk, a CGI news-posting package, can be used to read files outside the web server root. By using a carefully crafted URL, a remote user can retrieve the News Desk password file or other arbitrary files. This can be used to gather data for an attack or, as in the example above, can be used to obtain the passwords to the News Desk software and lead to a web site defacement.

At this time no update or workaround for this problem is known.

Informix Webdriver

Informix Webdriver is the web interface to the Informix database. When installed with no additional configuration, it has vulnerabilities that allow a malicious user to modify or delete databases and overwrite files owned by the user nobody. If you are using this product you should ensure that it is configured properly.

Shockwave Flash

The Shockwave Flash plugin has a buffer overflow that can be used to execute arbitrary code on the user's machine. The overflow has been tested on Shockwave plugins versions 2 through 8 on Windows 95, 98, NT, MacOS 9, Solaris 2.6 and 2.7, and Linux. While each platform requires a different overflow in order to execute arbitrary code, a single Flash file can be created that contains working overflows for multiple platforms.

It is recommended that you turn off the Flash plugin until Macromedia releases a fixed version.

iTetris

The game iTetris, an enhanced Tetris, has a buffer overflow that, because the game is installed suid root, can lead to a local root compromise.

It is recommended that you remove the suid bit or upgrade to version 1.6.3 or newer.

login

login, from the util-linux package, sets a user's tty to mode 0622 (writable by group and world) during the authentication phase of logging in. A malicious local user can use this to write arbitrary data to the user's terminal, causing a denial of service.

At this time no update or workaround for this problem is known.

emacs

emacs, a large, feature-rich text editor, has a problem that can allow other users of the system to eavesdrop on, or forge responses to, an emacs client. It is caused by emacs not properly setting permissions on PTY devices.

It is recommended that you upgrade to a version newer than 20.6.

exmh

A problem in the bug reporting system for exmh, an X-based interface to the MH mail system, can cause arbitrary files that are writable by the user running exmh to be overwritten. When exmh encounters a problem in its code, it opens a dialog that asks the user what happened and then allows them to send a bug report to the author. If the user chooses to e-mail the bug report, exmh creates the file /tmp/exmhErrorMsg. If that path is already a symlink, exmh follows the symlink and overwrites the file it points to.

As of this time, the author has not released a patch or updated version. It is recommended that the bug report feature not be used on multiuser systems until this problem has been fixed.
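To make the failure mode concrete, here is an added C example (not exmh's code): the unsafe open that follows a planted symlink beside the hardened open that refuses it, exercised in a private scratch directory with constructed file names (`victim`, `exmhErrorMsg`) and hypothetical function names.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Unsafe variant, the behaviour the advisory describes: a symlink at the
 * path is followed and whatever it points to is truncated. */
int unsafe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened variant: O_EXCL fails with EEXIST if anything, a symlink
 * included, already sits at the path; O_NOFOLLOW rejects symlinks outright. */
int safe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Builds the scenario in a fresh private directory: a victim file and a
 * symlink with the predictable name pointing at it (constructed names).
 * Returns 1 when the hardened open is refused and the victim is intact,
 * while the unsafe open succeeds and empties the victim; 0 otherwise. */
int demo_symlink_defence(void)
{
    char dir[] = "/tmp/exmhdemo.XXXXXX", victim[64], link[64];
    struct stat st;
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/exmhErrorMsg", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0 && write(fd, "keep me", 7) == 7 && close(fd) == 0 &&
        symlink(victim, link) == 0) {
        fd = safe_create(link);           /* expected: -1, errno == EEXIST */
        if (fd < 0 && errno == EEXIST && stat(victim, &st) == 0 && st.st_size == 7) {
            fd = unsafe_create(link);     /* follows the link, truncates victim */
            if (fd >= 0 && stat(victim, &st) == 0 && st.st_size == 0) ok = 1;
        }
        if (fd >= 0) close(fd);
    }
    unlink(link); unlink(victim); rmdir(dir);
    return ok;
}
```

A program that does not need a fixed name at all should prefer mkstemp(), which removes the predictable path the attacker relies on.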

IBM Websphere Commerce Suite

A vulnerability has been found in the IBM Websphere Commerce Suite that can allow a user to obtain accounts and passwords for user accounts associated with the package. Access to these accounts can lead to a local root exploit. When the Websphere Commerce Suite is installed, it stores its user names and passwords in a world-readable file named admin.config.

It is recommended that the admin.config file be restricted to not be world-readable.

GTK_MODULES

GTK+ (an X-interface library used with GNOME) uses the environment variable GTK_MODULES to allow arbitrary modules to be loaded and executed when GTK+ starts. A security announcement described this functionality as a security vulnerability, since it can cause GTK+ to load and run an arbitrary module.

To my knowledge there are no current programs that run GTK+ suid and are vulnerable to this attack, but it does raise an interesting point about suid programs. Secure suid programs can be very difficult to write. Adding any complexity such as additional libraries can make them impossible to write securely. Just consider how many suid programs have had vulnerabilities.

If a program on your system is suid, especially suid root, then understand why it is suid and decide if you want it to be. If you or your users do not need it, then turn off the suid bit. For example, if your system does not use the printing system, why would you have a full suite of suid printing programs lying around? Turn them off, and then when you read about the buffer overflow in your printing system, you can just smile, secure in the knowledge that your system is not affected.

The official GTK+ team position on suid GTK+ programs is never to do it. They point out that the GNOME games that run suid drop their privileges before initializing GTK+. They are planning to add code to the next stable release of GTK+ that will check for suid programs that have not dropped their privileges prior to starting GTK+.
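As an added C example (not the GTK+ project's code nor the column's), here is the discipline the paragraphs above describe: a suid program permanently giving up its privileges before initializing a large library, and the kind of startup check the GTK+ team said they would add. The function names `privileges_dropped`, `drop_privileges` and `library_init_guard` are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* 1 when no elevated privilege remains: real ids equal effective ids. */
int privileges_dropped(void)
{
    return getuid() == geteuid() && getgid() == getegid();
}

/* Permanently revert to the invoking user.  Order matters: supplementary
 * groups first, then gid, then uid, because once the uid is unprivileged
 * the gid change would no longer be permitted.  0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) != 0)   /* root-only call */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* setuid(2) may change only the effective id on some paths; prove the
     * privilege is really gone by checking that root cannot be regained. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return privileges_dropped() ? 0 : -1;
}

/* What a library such as GTK+ can do at init time before honouring
 * GTK_MODULES: refuse to proceed for a still-privileged caller.
 * 0 if initialization may continue, -1 if it must not. */
int library_init_guard(void)
{
    if (!privileges_dropped()) {
        fputs("refusing to initialize: caller is still set-uid/gid\n", stderr);
        return -1;
    }
    return 0;
}

int main(void)
{
    if (drop_privileges() != 0 || library_init_guard() != 0)
        return 1;
    puts("privileges dropped; safe to initialize the GUI library");
    return 0;
}
```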

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
