Security Alerts: sudo root exploit
07/16/2001
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in sudo, SuSE's dip, Scotty's ntping, and UnixWare's statd; a flaw in FreeBSD's rfork(); two vulnerabilities in Check Point's VPN-1/FireWall-1 firewall products; a new version of the rpm package manager; two vulnerabilities in Macromedia's ColdFusion Server; a minor Apache bug; a brute-force attack against xdm on SuSE's AXP Alpha releases; and more on the cfingerd remote vulnerability.
sudo, which lets an administrator grant users the ability to run commands with the privileges of another user or of root, has a buffer overflow that can be exploited to execute arbitrary commands as root. In addition to the overflow, the sudo installation shipped with EnGarde Secure Linux is configured to let members of the "admin" group run commands as root that can be leveraged into full root access.

It is recommended that sudo be upgraded to version 1.6.3p6 or newer as soon as possible. EnGarde Secure Linux administrators who have users in the "admin" group who should not have full root access should either remove sudo or edit the sudo configuration file (sudoers) so that the "admin" group no longer has access.
A flaw in FreeBSD's rfork() system call can be exploited through shared signal handling to gain root privileges. The problem can only be exploited by a local user. It was reported to affect FreeBSD 4.3, but may affect earlier versions as well.

It has been reported that this problem has been fixed in FreeBSD-4.3-stable in the FreeBSD
Two vulnerabilities have been reported in Check Point's VPN-1/FireWall-1 firewall products. The first vulnerability involves the use of the Reliable Data Protocol to build a tunnel that can be used to bypass the firewall. The second vulnerability is a denial-of-service attack against a VPN-1/FireWall-1 management station.
Check Point has released hot fixes for these vulnerabilities and users should apply them as soon as possible.
Red Hat has released a new version of its package tool, rpm. The new version supports both the version 3 package format and db1 database format used in Red Hat Linux 5.x and 6.x, and the version 4 package format and db3 database format used in Red Hat Linux 7.x.

Users of Red Hat Linux 5.x and 6.x who choose to install the new rpm will need to install the db3 packages first and then convert their package database to the db3 format.
Macromedia has announced two security vulnerabilities in ColdFusion Server. One could allow unauthorized reading or deletion of files; the other may allow a ColdFusion template to be overwritten with a zero-byte file. No details about either vulnerability have been released. Macromedia reports that versions 2.0 through 4.5.1 SP2 are affected and that version 5 is not.

Macromedia recommends that users of ColdFusion Server versions 3.1.1, 4.0, 4.0.1, 4.5, 4.5.1, 4.5.1 SP1, or 4.5.1 SP2 apply the appropriate patch, and warns that the patch costs a 3% to 8% drop in performance. Users of ColdFusion Server 2.0 or 3.0 are advised to upgrade to a more recent release.
The version of the Dialup IP Protocol Driver, dip, distributed with SuSE 7.0 has a buffer overflow that users in the dialout group could use to obtain root privileges.

Users should remove the set-user-ID bit from dip until a fixed version has been installed.
Scotty is a Tcl extension used to build network-management applications. The ntping utility, a traceroute-like tool distributed with Scotty, has a buffer overflow in the code that reads a host name from the command-line options. Because ntping is installed set-user-ID root, a local user can use this overflow to execute arbitrary commands as root.

It is recommended that the set-user-ID bit be removed from ntping until a repaired version of the Scotty package can be installed.
The statd daemon (also known as rpc.statd) distributed with UnixWare 7.0 has a buffer overflow that a remote attacker can use to execute arbitrary code on the server as root.

Caldera recommends that users upgrade their statd binary as soon as possible.
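The dip, ntping and statd advisories above all describe the same defect: a string of attacker-chosen length copied into a fixed-size buffer. The following C is an added example, not code from any of those programs or from this column. It uses the command-line hostname case described for ntping, with hypothetical function names, an assumed buffer size and constructed inputs, to show the unsafe copy beside a bounded version that fails closed.

```c
#include <stdio.h>
#include <string.h>

#define HOSTLEN 64   /* assumed fixed buffer size; the advisories give none */

/* Vulnerable pattern (illustration only): the argument's length is trusted.
 * An argv entry longer than HOSTLEN-1 bytes overwrites the stack past host[],
 * which in a set-user-ID root binary is a local root compromise. Only ever
 * call this with short input. */
void copy_host_unsafe(const char *arg)
{
    char host[HOSTLEN];
    strcpy(host, arg);                 /* no bound check */
    printf("resolving %s\n", host);
}

/* Hardened version: refuse anything that does not fit, NUL included, and tell
 * the caller. This is preferable to strncpy(), which silently truncates and
 * can leave the buffer unterminated. Returns 0 on success, -1 if too long. */
int copy_host_safe(char *dst, size_t dstlen, const char *arg)
{
    size_t n = strlen(arg);
    if (dstlen == 0 || n >= dstlen)
        return -1;
    memcpy(dst, arg, n + 1);           /* copies the terminating NUL */
    return 0;
}

/* Wrapper mirroring how a tool would handle one argv entry. */
int accepts_host(const char *arg)
{
    char host[HOSTLEN];
    return copy_host_safe(host, sizeof host, arg);
}

/* Constructed inputs standing in for argv of a set-user-ID network tool: a
 * normal name, a name exactly at the limit (63 chars + NUL fits), one byte
 * past it, and a 300-byte string of the kind an exploit would supply.
 * Returns 1 if the safe copy accepts exactly the inputs that fit. */
int run_checks(void)
{
    char fits[HOSTLEN], toolong[HOSTLEN + 1], attack[300];
    memset(fits, 'a', HOSTLEN - 1);
    fits[HOSTLEN - 1] = '\0';                 /* 63 characters */
    memset(toolong, 'a', HOSTLEN);
    toolong[HOSTLEN] = '\0';                  /* 64 characters */
    memset(attack, 'A', sizeof attack - 1);
    attack[sizeof attack - 1] = '\0';         /* 299 characters */

    return accepts_host("www.example.com") == 0
        && accepts_host(fits) == 0
        && accepts_host(toolong) == -1
        && accepts_host(attack) == -1;
}

int main(void)
{
    copy_host_unsafe("www.example.com");      /* short input, behaves */
    printf("safe copy checks %s\n", run_checks() ? "passed" : "FAILED");
    return run_checks() ? 0 : 1;
}
```

The error return matters as much as the bound: a tool that silently truncates a hostname may contact the wrong host, while one that rejects overlong input gives the user a clear failure and the attacker nothing.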
A minor bug in the Apache Web server can be used to view the contents of a directory even when the directory has an index page. The behaviour is part of mod_autoindex's FancyIndexing support and can be suppressed by adding the directive "IndexOptions +SuppressColumnSorting" to the server configuration.
When xdm is compiled with certain options, it is vulnerable to a trivial brute-force attack that lets an attacker calculate the X cookie. The AXP Alpha releases of SuSE have been reported vulnerable to this problem.

As a workaround, it is recommended that the X server on SuSE AXP machines be started with the -nolisten tcp option, or alternatively that TCP port 6000 (the X server's listening port) be filtered with ipchains. Neither workaround protects against an attack by a local user.
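The advisory says only that an xdm built with certain options produces a cookie that can be brute-forced; it does not say how the cookie is derived. The following C is an added example, not xdm's code or anything from this column. It models the general class such weaknesses fall into: a 128-bit MIT-MAGIC-COOKIE-1 whose only entropy is a time-based PRNG seed, beside a version drawn from /dev/urandom. The generator, the attacker's search window and the server start timestamp are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COOKIE_LEN 16   /* MIT-MAGIC-COOKIE-1 is 128 bits */

/* Weak generator (illustration, assumed): 16 bytes of rand() after
 * srand(seed). The cookie looks random, but there are only as many possible
 * cookies as plausible seeds, so its real strength is the size of the seed
 * window, not 128 bits. */
void weak_cookie(unsigned seed, unsigned char out[COOKIE_LEN])
{
    srand(seed);
    for (int i = 0; i < COOKIE_LEN; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Attacker side: if the seed is the server start time, and the attacker can
 * bound that time (uptime, a process listing, a guess to within a day), each
 * candidate seed is regenerated and compared. Returns the matching seed, or
 * 0 if no seed in [t0, t1] reproduces the target. */
unsigned recover_seed(const unsigned char target[COOKIE_LEN],
                      unsigned t0, unsigned t1)
{
    unsigned char guess[COOKIE_LEN];
    for (unsigned s = t0; s <= t1; s++) {
        weak_cookie(s, guess);
        if (memcmp(guess, target, COOKIE_LEN) == 0)
            return s;
        if (s == 0xffffffffu)          /* avoid wrap-around on an open window */
            break;
    }
    return 0;
}

/* Hardened generator: take the cookie from the kernel entropy pool so the
 * search space really is 2^128. Returns 0 on success, -1 if it cannot read. */
int strong_cookie(unsigned char out[COOKIE_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t n = fread(out, 1, COOKIE_LEN, f);
    fclose(f);
    return n == COOKIE_LEN ? 0 : -1;
}

/* Constructed scenario: the X server was started at epoch 995270400 (a July
 * 2001 timestamp) and the attacker searches twelve hours either side.
 * 86400 candidates x 16 rand() calls finishes in well under a second. */
unsigned demo_recover(void)
{
    unsigned char cookie[COOKIE_LEN];
    unsigned real_seed = 995270400u;
    weak_cookie(real_seed, cookie);
    return recover_seed(cookie, real_seed - 43200, real_seed + 43200);
}

/* Same cookie, but a window that excludes the real seed: the search fails. */
unsigned demo_miss(void)
{
    unsigned char cookie[COOKIE_LEN];
    weak_cookie(995270400u, cookie);
    return recover_seed(cookie, 1000000000u, 1000086400u);
}

int main(void)
{
    unsigned char c[COOKIE_LEN];
    printf("recovered seed: %u\n", demo_recover());
    if (strong_cookie(c) == 0) {
        printf("urandom cookie: ");
        for (int i = 0; i < COOKIE_LEN; i++)
            printf("%02x", c[i]);
        printf("\n");
    }
    return 0;
}
```

The point of the two generators side by side is that the cookie's length says nothing about its strength; the attacker only has to enumerate the inputs the generator could have seen. A properly random cookie fixes the remote case, but, as the column notes for the workarounds, it does nothing against a local user who can simply read the cookie file.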
This week, three independent exploits were released for the cfingerd remote vulnerability that was announced three months ago. I am not aware of a patch or update that successfully fixes the remote vulnerability in cfingerd. It has been reported that the authors have been unresponsive and may have abandoned the software. Users should consider replacing cfingerd with an alternative application.