Security Alerts

Insecure Temporary File Functions

01/15/2001

Welcome to the Security Alerts column, an overview of new Unix and open source security-related advisories and news. Problems this week include a vulnerability in glibc, a possible bug in ReiserFS, a buffer overflow in exrecover, a stack overflow in arp, temporary file race conditions in a long list of programs, and a back door in Borland InterBase.

GNU C library

The GNU C library, or glibc, has a vulnerability that allows a non-privileged user to read protected files and preload arbitrary libraries in /lib and /usr/lib even if they have not been allowed by the system administrator.

It is recommended that you check with your vendor for a patched version of glibc as soon as possible.

ReiserFS

It has been reported that ReiserFS, a journaling file system, has a bug in its handling of long file names. Under some situations it appears to cause a kernel oops with a potential buffer overflow. Other people have reported that they can hide pieces of the file system from ls. The reports have been contradictory, and it is not clear to me which ReiserFS versions and Linux versions have this problem or the conditions under which you would be safe.

I suggest that if you are running ReiserFS, you should watch your vendor for an alert and patches about this problem.

exrecover

The recovery command for the ex editor, exrecover, has a buffer overflow. On many systems this program is unnecessarily suid root, opening up the possibility for a local root exploit. The problem is caused by not checking the length of the second argument.

There is no reason for this program to be suid, so remove its suid bit and update it to the latest version.


arp

The arp program allows you to view and modify the Internet-to-Ethernet address translation table. In versions of Solaris prior to Solaris 8, arp is vulnerable to a stack overflow that could be used to execute arbitrary code. Because arp is setgid, this could be leveraged into a local root exploit.

All users of Solaris prior to version 8 should remove the sgid bit from arp until they can download and apply the patch from Sun.

linuxconf

Some versions of linuxconf have a race condition in the way the vpop3d program handles its temporary files. This can be used by a malicious user to overwrite arbitrary files on the system and may lead to a root compromise. The affected versions of linuxconf seem to be 1.19r through 1.23r.

Users should update their linuxconf to a version newer than 1.23r.

HP-UX inetd

The HP-UX version of inetd (the Internet super server) on systems running HP-UX releases 10.20, 10.24, 11.00, and 11.04 can be hung by a remote user. This only affects servers that have a service configured to use the "swait" state.

If you are affected, you should download the patched version of inetd from HP.

Immunix OS Security Audit

During a recent audit done while working on Immunix Linux 7.0, many potential temporary file race condition problems were discovered. The following programs were found to use insecure temp file functions: apache (htpasswd and htdigest in 1.3.14 and 2.0a9), arpwatch (2.1a4), squid (2.3 STABLE and 2.4), linuxconf (vpop3d 1.19r through 1.23r), mgetty (1.1.22 and 1.1.23), gpm (1.19.3), wu-ftpd (privatepw 2.6.1), inn (2.2.3), diffutils (sdiff 2.7), getty_ps (2.0.7j), rdist (6.1.5), and shadow-utils (useradd 19990827 and 20000902). A race condition in the temporary file code can be used to overwrite arbitrary files that the user running the program has permission to write to.

If you are using any of these programs you should check with your vendor for an updated version.
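The following is an added example, not code from the column or from any of the audited programs, showing the temporary-file race the audit describes (the same class of bug as the squid and catman items below). A program that picks a predictable name with mktemp() or tmpnam() and then open()s it without O_EXCL can be redirected by a symlink planted at that name in between; the demo simulates this in a private mkdtemp() directory under /tmp (an assumed writable location) and contrasts it with the exclusive-create pattern that mkstemp() uses.

```c
/* Added example: the temp-file race in a private directory. Insecure
 * programs choose a predictable name (mktemp, tmpnam) and then open()
 * it without O_EXCL, so a symlink planted in the window is followed. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure: O_CREAT|O_TRUNC follows whatever already sits at path. */
int open_temp_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL fails if anything already exists at path, and
 * O_NOFOLLOW refuses a symlink outright. mkstemp() does this after
 * choosing an unpredictable name; prefer it in real code. */
int open_temp_exclusive(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;  /* post-open check: regular file, one link, ours */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != getuid()) { close(fd); return -1; }
    return fd;
}

/* Simulates the race outcome: a victim file and a symlink to it are
 * created in a fresh mkdtemp() directory before either open() runs.
 * Returns 1 when the insecure open truncates the victim through the
 * link while the hardened open refuses; 0 on any setup failure. */
int demo_symlink_race(void) {
    char dir[] = "/tmp/tmprace.XXXXXX", victim[64], lnk[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/predictable", dir);
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v < 0 || write(v, "keep me", 7) != 7 || symlink(victim, lnk) != 0)
        return 0;
    close(v);
    int bad = open_temp_insecure(lnk);           /* follows the symlink */
    struct stat st;
    int truncated = bad >= 0 && stat(victim, &st) == 0 && st.st_size == 0;
    if (bad >= 0) close(bad);
    int good = open_temp_exclusive(lnk);         /* refuses with EEXIST */
    if (good >= 0) close(good);
    unlink(lnk); unlink(victim); rmdir(dir);
    return truncated && good < 0;
}
```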

Back door in Borland InterBase

InterBase is an open source database package that was formerly distributed as closed source. A back door was coded into InterBase in 1992 that affects both the open and closed source versions. This back door has a fixed user name and password and allows full access to all databases on the server. The user id and password are in the published source code, and once it is known that there is a back door, it can easily be found by an attacker.

The recommended solution is to upgrade to Firebird 0.9.3 or download a patch from Borland. Jim Starkey has also developed a patch program that will overwrite the back door with random byte codes. If you are unable to update your software or apply a patch, a possible workaround is to block TCP connections to port 3050. (Users inside your firewall may still be able to connect to the port and exploit the back door.)

squid

The caching web server squid has a temporary file race problem. When squid sends an e-mail to the administrator, there is a race condition with its temporary files that can be used to overwrite any file the user id squid runs under has permission to write to.

Anyone using squid should upgrade to the latest stable or development version.

Lotus Domino

A pair of workarounds for the problem reported with Domino last week have been released. The first workaround is to add a map *..* /something.nsf in your httpd.conf. The second workaround is to add a File Protection Document in your PAB/DD, with the path set to /.box/../ and the Access Control set to -Default- - No Access. You should repeat this for .ns4 and .nsf. Lotus is recommending the first workaround, but they have changed it at least once, so it may not protect you against all possible attacks against this problem.

catman

I reported in an earlier column that catman was suid root under Solaris 2.x. This was incorrect. You should still exercise care because the symlink attack can still be used against the root user if he executes catman or has it in a script, and it can of course be used against a regular user to overwrite their files.

Shockwave Flash

After more review of the Shockwave Flash buffer overflow, it has been determined that the overflow cannot be used to execute code on the user's machine. The overflow can only be used as a denial of service attack against the machine running Shockwave Flash.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
