LinuxDevCenter.com
Security Alerts

OpenBSD Local Root Exploit

06/18/2001

Welcome to Security Alerts, an overview of recent Unix and open-source security advisories.

In this column, we look at a race condition in the OpenBSD kernel; cross-site request forgeries; a new version of tcpdump; buffer overflows in rxvt, fetchmail, the HP-UX implementation of CDE, and UW-IMAP; a symbolic-link race condition in mandb; and vulnerabilities in SITEWare Editor's Desktop, Apache under Mac OS X client, LPRng, Caldera's Volution, and Slackware 7.1's /etc/shells.

OpenBSD vulnerability

OpenBSD versions 2.8 and 2.9 are vulnerable to a race condition in the kernel that can be exploited to execute arbitrary code as the root user. An exploit has been publicly distributed. This vulnerability is similar to the ptrace exploit of the Linux kernel that was announced a few months ago. It is unclear what versions, if any, of FreeBSD and NetBSD may be vulnerable to this exploit.

Users of OpenBSD should apply the source code patch to repair the vulnerability. Users of FreeBSD and NetBSD should watch for announcements and patches.

Cross-site request forgeries

Cross-site request forgeries are a new type of attack against web-based applications. They use HTML tags to hide a URL that the client application will fetch without the user's knowledge or permission. Examples of client applications include web browsers, email clients, and news readers that render inline HTML.

The attack is carried out by placing, in an <img> tag, a URL that causes an action in a web application. When the client application parses the page, it requests the URL inside the image tag in an attempt to download an image; instead, that request triggers the action in the web application. Because the client sends the user's cookies or saved passwords along with the request, the action appears to the web application to have been initiated by the user.

Most of the protection against this type of attack will have to come from the makers of the client applications. However, users can reduce their exposure by using an email client that does not render HTML, not using a newsgroup reader that is embedded in the web browser, being careful about which passwords the browser saves, and logging out of important web sites when finished with them.
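The other side of the defence, which the column does not go into, is what the web application itself can check so that a request provoked by an <img> tag does nothing. The following is an added Python example, not code from the column or from any application it mentions; the session store, the function names and the host name bank.example are assumptions made for the illustration. It goes a step beyond the column by rejecting a cross-site POST as well as a GET, using a per-session token and the Origin/Referer headers:

```python
# Added illustration, not code from the column or from any product it names:
# a server-side check that turns an <img>-triggered request into a no-op.
# SESSIONS, start_session, authorize_state_change and the host name
# bank.example are all hypothetical / constructed for this example.
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

OUR_HOST = "bank.example"   # constructed placeholder for the protected site
SESSIONS = {}               # session id -> {"csrf_token": ...}


def start_session():
    """Create a session and mint a random anti-forgery token bound to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_hex(16)}
    return sid


def csrf_token_for(sid):
    """Token the application embeds as a hidden field in its own forms only."""
    return SESSIONS[sid]["csrf_token"]


def authorize_state_change(method, headers, body=""):
    """Return (allowed, reason) for a request that would change server state."""
    # A GET provoked by <img src="..."> must never change anything.
    if method != "POST":
        return False, "state change attempted with " + method
    # The browser attaches the cookie by itself, so a valid cookie only proves
    # that *some* logged-in client sent the request, not that the user meant to.
    cookie = SimpleCookie(headers.get("Cookie", ""))
    if "sid" not in cookie or cookie["sid"].value not in SESSIONS:
        return False, "no valid session"
    sid = cookie["sid"].value
    # Require the per-session token; a page on another site cannot read it,
    # so it cannot build a form that carries it.
    submitted = parse_qs(body).get("csrf_token", [""])[0]
    if not hmac.compare_digest(submitted, SESSIONS[sid]["csrf_token"]):
        return False, "missing or wrong csrf token"
    # Where the client reports the originating site, it must be ours.
    source = headers.get("Origin") or headers.get("Referer")
    if source and urlparse(source).netloc != OUR_HOST:
        return False, "cross-origin request from " + urlparse(source).netloc
    return True, "ok"


# Three constructed requests against the same logged-in session.

def forged_image_request(sid):
    """What a mail client sends when it renders <img src="http://bank.example/transfer?...">."""
    return authorize_state_change(
        "GET", {"Cookie": "sid=" + sid, "Referer": "http://other.example/page.html"})


def cross_site_form_post(sid):
    """A POST submitted from a form on another site: right cookie, no token."""
    return authorize_state_change(
        "POST", {"Cookie": "sid=" + sid, "Referer": "http://other.example/page.html"},
        "to=someone&amount=10")


def legitimate_form_post(sid):
    """The same action from the site's own form, token included."""
    return authorize_state_change(
        "POST", {"Cookie": "sid=" + sid, "Origin": "http://" + OUR_HOST},
        "to=someone&amount=10&csrf_token=" + csrf_token_for(sid))
```

Calling start_session() and then the three request builders reproduces the outcomes: the <img> GET is refused because it is not a POST, the cross-site POST is refused for lack of the token, and only the site's own form passes. The token check carries the weight; the Origin/Referer check is supplementary, since a client may send neither header.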

Alerts this week:

OpenBSD Vulnerability

Cross-Site Request Forgeries

rxvt

fetchmail

tcpdump

SITEWare Editor's Desktop

HP-UX CDE

UW-IMAP

Mac OS X Apache

mandb

LPRng

Caldera's Volution

Slackware 7.1 /etc/shells

rxvt

The rxvt X Windows terminal emulator has a locally exploitable buffer overflow that can be used to gain additional privileges. Version 2.6.2 was reported to be vulnerable; version 2.6.3 may also be vulnerable, as the changelog does not mention a fix for this problem. An exploit script has been publicly released.

Users should remove any set user ID or set group ID bits from rxvt until it has been patched.

fetchmail

fetchmail is a very nice mail retrieval and forwarding tool. Versions of the program prior to 5.8.6 have a buffer overflow that can be exploited when fetchmail processes a message with a long header.

Users should upgrade to fetchmail version 5.8.6 or newer as soon as possible.

tcpdump

A new version of tcpdump, a network monitoring tool, has been released. This new version fixes several remote buffer overflows and a vulnerability with decoding AFS ACL packets, which could be used to execute arbitrary code on the machine running tcpdump with the permissions of the root user.

All users of tcpdump should upgrade to version 3.6.2 as soon as possible.

SITEWare Editor's Desktop

The SITEWare Editor's Desktop, a web-based administration tool for ScreamingMedia content, has a vulnerability that can be used by an attacker to retrieve arbitrary files, such as the unencrypted password file, from a ScreamingMedia server.

Users should contact ScreamingMedia for an update.

HP-UX CDE

The HP-UX implementation of the Common Desktop Environment (CDE) contains buffer overflows that can be exploited to gain root permissions. These buffer overflows are present in HP-UX 10.10, 10.20, 10.24, 11.00, 11.04, and 11.11.

Users should apply the appropriate patch from HP for their version of HP-UX.

UW-IMAP

UW-IMAP, the IMAP (Internet Message Access Protocol) server from the University of Washington, has several buffer overflows that can be exploited by an authorized user to gain access to a remote interactive shell running as the user. Systems that provide interactive shells to users are not affected by this problem.

Users should watch their vendors for updated packages.

Mac OS X Apache

Under some conditions, Apache on the client version of Mac OS X will not protect directories from viewing or script execution despite being configured to do so. This problem only affects directories on an HFS+ volume. Mac OS X Server ships with a mod_hfs_apple.so Apache module that corrects the problem, but this module is not available as source or as part of the Apache distribution.

A workaround for this problem is to place all of the directories that need to be protected on a UFS volume. Users should watch Apple for a patch to solve this problem.

mandb

The mandb application has a symbolic-link race condition that can be exploited to overwrite files with the permissions of the man user.

Users should upgrade to mandb version 2.3.16-4.
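A symbolic-link race of the kind described for mandb is lost by programs that open a predictable path with O_CREAT|O_TRUNC, because the kernel follows whatever link another local user has planted there. The following is an added Python example, not mandb's code, showing the two open() patterns that defeat the race next to the one that loses it; safe_create, safe_open_existing, unsafe_create and demo are hypothetical names, and the files the demo uses are constructed in a temporary directory:

```python
# Added illustration, not mandb's own code: two open() patterns that defeat a
# symbolic-link race, next to the pattern that loses it. safe_create,
# safe_open_existing, unsafe_create and demo are hypothetical names; the files
# the demo uses are constructed in a temporary directory.
import os
import stat
import tempfile


def safe_create(path, mode=0o600):
    """Create `path` as a brand-new file; fail rather than write through a link.

    With O_CREAT|O_EXCL the existence check and the creation are a single
    kernel operation, so there is no window between them in which a link can
    be planted; if anything (a symlink included) already sits at `path`, the
    call fails with EEXIST instead of following it.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, mode)


def safe_open_existing(path):
    """Open a file that must already exist, refusing a symlink at `path`.

    O_NOFOLLOW makes the kernel reject the link outright (ELOOP on Linux);
    comparing fstat() of the descriptor with lstat() of the path catches the
    same thing where O_NOFOLLOW is missing, and rejects non-regular files.
    """
    fd = os.open(path, os.O_RDWR | getattr(os, "O_NOFOLLOW", 0))
    st_fd, st_path = os.fstat(fd), os.lstat(path)
    if (not stat.S_ISREG(st_fd.st_mode)
            or (st_fd.st_dev, st_fd.st_ino) != (st_path.st_dev, st_path.st_ino)):
        os.close(fd)
        raise OSError("refusing %s: not the plain file that was expected" % path)
    return fd


def unsafe_create(path, mode=0o600):
    """The losing pattern: O_CREAT|O_TRUNC follows whatever `path` points at,
    so a link planted by another local user redirects the write to its target."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)


def demo():
    """Constructed scenario: a link already sits where a tool is about to write.
    Returns what each pattern did; nothing outside the temp directory is touched."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")
        with open(victim, "w") as fh:
            fh.write("important contents\n")
        planted = os.path.join(d, "scratch")
        os.symlink(victim, planted)           # the link a racer would plant
        result = {}
        for name, opener in (("safe_create", safe_create),
                             ("safe_open_existing", safe_open_existing)):
            try:
                os.close(opener(planted))
                result[name] = "opened"
            except OSError:
                result[name] = "refused"
        result["victim_intact"] = os.path.getsize(victim) > 0
        fd = unsafe_create(planted)
        result["unsafe_followed_link"] = os.fstat(fd).st_ino == os.stat(victim).st_ino
        os.close(fd)
        result["victim_size_after_unsafe"] = os.path.getsize(victim)
        return result
```

demo() returns a dictionary: both safe openers report "refused" and the victim file is untouched, while unsafe_create reports that it opened, and truncated, the link's target. For a tool that has to rewrite an existing database, the equivalent is to safe_create a fresh file in the same directory and rename it over the old one.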

LPRng

LPRng does not drop its supplemental group memberships when it drops its uid and gid during startup. As a result, LPRng and its child processes may keep privileges they do not need.

Users should watch their vendor for an update.
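The LPRng problem is the general case of a daemon that changes uid and gid but forgets setgroups(), so the groups root started with stay attached to the process. The following is an added Python example, not LPRng's code, showing the order in which a daemon should give up root and a check, based on the Linux /proc/<pid>/status file, for daemons that kept supplemental groups; drop_privileges, parse_status, retained_groups, audit_proc and the sample status text are hypothetical and constructed for the illustration:

```python
# Added illustration, not LPRng's own code: the order in which a daemon should
# give up root, and a Linux /proc scan for daemons that kept supplemental
# groups. drop_privileges, parse_status, retained_groups, audit_proc and the
# SAMPLE_STATUS_* texts are hypothetical / constructed for this example.
import os
import pwd


def drop_privileges(username):
    """Become `username`; supplemental groups go first, uid goes last.

    setgroups() and setgid() require root, so they must run while the process
    still is root; setuid() is the last, irreversible step. Each change is then
    verified, because a silently failed call is exactly how a daemon ends up
    with rights it was never meant to keep.
    """
    pw = pwd.getpwnam(username)
    os.setgroups([])        # the step LPRng skipped: clear supplemental groups
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    leftover = set(os.getgroups()) - {pw.pw_gid}
    if leftover:
        raise RuntimeError("supplemental groups survived: %r" % sorted(leftover))
    if os.getuid() != pw.pw_uid or os.geteuid() != pw.pw_uid:
        raise RuntimeError("uid not dropped")
    if hasattr(os, "getresuid") and os.getresuid() != (pw.pw_uid,) * 3:
        raise RuntimeError("saved uid still privileged")


def parse_status(text):
    """Pick the Name/Uid/Gid/Groups fields out of a Linux /proc/<pid>/status."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in ("Name", "Uid", "Gid", "Groups"):
            fields[key] = value.split()
    return fields


def retained_groups(status_text):
    """Supplemental gids a process holds beyond its own effective gid.

    For a daemon that started as root and switched to an unprivileged account,
    anything returned here is a group the privilege drop forgot.
    """
    fields = parse_status(status_text)
    egid = fields["Gid"][1]          # columns are real, effective, saved, fs
    return [g for g in fields.get("Groups", []) if g != egid]


def audit_proc(proc_root="/proc"):
    """Scan running processes; returns {pid: (name, extra_gids)} for offenders."""
    found = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "status")) as fh:
                text = fh.read()
        except OSError:
            continue                      # process exited or not ours to read
        fields = parse_status(text)
        if fields.get("Uid", ["0", "0"])[1] == "0":
            continue                      # still root: groups are moot
        extra = retained_groups(text)
        if extra:
            found[pid] = (fields["Name"][0], extra)
    return found


# Constructed sample: what status would show for a print daemon that switched
# to lp (uid 4, gid 7) but kept the supplemental groups it inherited from root.
SAMPLE_STATUS_LEAKY = "Name:\tlpd\nUid:\t4\t4\t4\t4\nGid:\t7\t7\t7\t7\nGroups:\t0 7 10 \n"
# Constructed sample of the same daemon after a correct drop.
SAMPLE_STATUS_CLEAN = "Name:\tlpd\nUid:\t4\t4\t4\t4\nGid:\t7\t7\t7\t7\nGroups:\t7 \n"
```

drop_privileges has to run as root and is written with Linux in mind; retained_groups works on captured status text, and audit_proc walks a live /proc. On the leaky sample the result is ['0', '10'], two groups a daemon running as lp has no business holding; on the clean sample it is empty.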

Caldera's Volution

Under some conditions, the Volution client can be controlled by an unauthorized Volution server.

Caldera recommends that users upgrade to the latest release of the Volution client and server as soon as possible.

Slackware 7.1 /etc/shells

Slackware 7.1 installs the file /etc/shells with world-writable permissions. This can be exploited by a local user to deny other users access and, in the case of a user with a restricted shell, may be used to increase their access.

It is recommended that users correct the permissions of the /etc/shells file.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

