Security Alerts: Remote Root Exploit in Telnet Daemon

07/23/2001

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a root exploit in BSD-derived telnet daemons; buffer overflows in xman, the Merit and Lucent RADIUS servers, ypbind, the AIX libi18n library, and tcpdump; temporary-file race conditions in lmail and tripwire; and vulnerabilities in SSH Secure Shell 3.0.0, Lotus Domino Server, IMP, SSLeay/OpenSSL, and squid.

Telnet

It has been reported that a buffer overflow in many BSD-derived telnet daemons may, under some circumstances, be exploitable by a remote attacker to gain root access. Systems reported to be vulnerable include Linux netkit-telnetd before 0.14, OpenBSD 2.x and 1.x, FreeBSD, NetBSD 1.x, BSDI 4.x, IRIX 6.5, and Solaris 2.x Sparc. Versions reported not to be vulnerable are Linux netkit-telnetd 0.14 and newer, and OpenBSD current.

Users may wish to consider turning off affected telnet daemons until a fixed version has been installed.

SSH Secure Shell 3.0.0

SSH Secure Shell 3.0.0, available from ssh.com, has a flaw that will allow anyone to log in, with any password, on accounts that have a two-character password in the passwd file. In many cases accounts are locked with a "NP", "!!", or "LK" password entry. Using this flaw, an attacker can log into these locked accounts with any password and then leverage access to these accounts (examples include bin, lp, and adm) into root access to the machine.

It is recommended that users upgrade to version 3.0.1 of SSH Secure Shell as soon as possible. If it is not possible to upgrade immediately, then password authentication should be disabled and alternative methods should be used until the software has been upgraded.
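A defender-side check for the accounts this flaw exposes, added here and not part of the original column or of the ssh.com software: it lists every passwd- or shadow-style entry whose password field is exactly two characters long, using a constructed sample in place of the real file.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAME 32
/* Constructed sample in /etc/passwd layout (not a real file): bin, lp and adm
 * carry the two-character "locked" entries the advisory describes. */
static const char SAMPLE_PASSWD[] =
    "root:$1$abcdefgh$ijklmnopqrstuvwxyz01234:0:0:root:/root:/bin/sh\n"
    "bin:NP:2:2:bin:/bin:/sbin/nologin\n"
    "daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin\n"
    "lp:!!:4:7:lp:/var/spool/lpd:/sbin/nologin\n"
    "adm:LK:3:4:adm:/var/adm:/sbin/nologin\n"
    "alice:$1$zyxwvuts$rqponmlkjihgfedcba98765:1000:1000:Alice:/home/alice:/bin/sh\n";

/* Walk passwd-style text line by line and copy into out[] the name of every
 * account whose second (password) field is exactly two characters long.
 * Returns the number of matches, capped at max. Works on shadow lines too. */
int find_two_char_password_fields(const char *text, char out[][MAX_NAME + 1], int max)
{
    int found = 0;
    const char *line = text;
    while (*line && found < max) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *c1 = memchr(line, ':', len);           /* end of name */
        if (c1) {
            size_t rest = len - (size_t)(c1 + 1 - line);
            const char *c2 = memchr(c1 + 1, ':', rest);    /* end of password */
            size_t pwlen = c2 ? (size_t)(c2 - (c1 + 1)) : rest;
            size_t namelen = (size_t)(c1 - line);
            if (pwlen == 2 && namelen > 0 && namelen <= MAX_NAME) {
                memcpy(out[found], line, namelen);
                out[found][namelen] = '\0';
                found++;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return found;
}

int main(void)
{
    char names[16][MAX_NAME + 1];
    int n = find_two_char_password_fields(SAMPLE_PASSWD, names, 16);
    for (int i = 0; i < n; i++) printf("two-character password field: %s\n", names[i]);
    return 0;
}
```

Feed it the contents of the real password database on an affected host; any name it prints is an account that should be locked by other means until the upgrade to 3.0.1 is done.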

lmail

lmail, a mail-delivery agent that is installed as part of the smail 2.5 mail package, has a temporary-file race condition that can be exploited to overwrite arbitrary files on the system with the permissions of the root user.

It is recommended that users of lmail should install a repaired version, or replace it with deliver or procmail.

xman

The X-Windows-based system manual page reader xman has a buffer overflow that can be exploited to execute arbitrary code. On systems where xman is installed set user id root, exploiting the buffer overflow could be used to gain root privileges. Exploit scripts have been publicly released for this vulnerability.

Users should remove the set user id or set group id bits from xman until a repaired version has been installed.

Lotus Domino Server

The Lotus Domino Server has a cross-site scripting vulnerability that has been reported to affect version 5.0.6 and may affect other versions.

Lotus has announced that they plan to fix this vulnerability for the Domino version 5.0.9 release.

RADIUS

There are multiple buffer overflows in the Merit 3.6b and Lucent 2.1-2 RADIUS servers that can be used to execute arbitrary code with the permissions of the user running the daemon (often root). RADIUS is a system for user authentication using a client-server model.

Users of the Merit RADIUS server should upgrade to version 3.6B1.

The Lucent RADIUS server is no longer being maintained by Lucent. It is now being maintained by Simon Horms of VA Linux Systems. It has been reported that patches for Lucent RADIUS will be made available at ftp://ftp.vergenet.net/pub/lucent_radius.

In addition to applying these patches, it is also recommended that RADIUS servers be installed so that they run as a normal user and not with root permissions.

IMP

IMP, a Web-based mail reader that works with IMAP- and POP3-based mail servers, has several vulnerabilities that could be used by an attacker to execute arbitrary scripts on other users' client machines and execute arbitrary code on the server.

The Horde team recommends that users of IMP 2.2.x upgrade as soon as possible to version 2.2.6.

Solaris's ypbind

There is a remotely exploitable buffer overflow in Solaris's ypbind. ypbind runs on all machines that are using NIS, regardless of whether they are client or server machines.

Sun has released patches for this problem and recommends that users install them as soon as possible.

tripwire

The tripwire security tool is used to create a cryptographic snapshot of a system so that system integrity can be verified at a later time. tripwire has a temporary-file race condition, when scanning the file system and updating the database, that can be exploited by an attacker to overwrite files on the system with the permissions of the user running tripwire (normally root).

Users of tripwire should upgrade to a fixed version as soon as possible. It has been reported that a fixed version is available from http://sourceforge.net/projects/tripwire/. Once a fixed version has been installed it is suggested that the TEMPDIRECTORY configuration option be set to a directory that can only be written to by the user executing tripwire.
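The lmail and tripwire problems above have the same shape: a temporary file created under a predictable name in a shared directory. As an added example (not code from either project), the predictable-name pattern is shown next to a hardened version built on mkstemp() and an fstat() check; the directory and prefix names are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable shape of these bugs: a predictable name under a shared directory
 * and O_CREAT without O_EXCL, so a symlink already sitting at that name is
 * followed and the write lands on whatever it points to. Kept for contrast. */
int open_temp_predictable(const char *dir, const char *prefix)
{
    char path[512];
    snprintf(path, sizeof path, "%s/%s.%ld", dir, prefix, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened version: mkstemp() picks an unpredictable name and creates it with
 * O_CREAT|O_EXCL and mode 0600 in one step, so a pre-existing file or symlink
 * at that name makes creation fail instead of being followed. Returns the open
 * descriptor and copies the final path to path_out, or returns -1. */
int open_temp_safe(const char *dir, const char *prefix, char *path_out, size_t path_len)
{
    char tmpl[512];
    struct stat st;
    if (snprintf(tmpl, sizeof tmpl, "%s/%s.XXXXXX", dir, prefix) >= (int)sizeof tmpl)
        return -1;                      /* refuse to truncate the template */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    /* Verify through the descriptor (not the path) that what we hold is a
     * plain file with a single link, owned by us, with the requested mode. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || (st.st_mode & 0777) != 0600) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    snprintf(path_out, path_len, "%s", tmpl);
    return fd;
}

int main(void)
{
    char path[512];
    int fd = open_temp_safe("/tmp", "tw", path, sizeof path);  /* assumed dir/prefix */
    if (fd >= 0) { printf("created %s\n", path); close(fd); unlink(path); }
    return fd >= 0 ? 0 : 1;
}
```

The fstat() step is the same idea as tripwire's TEMPDIRECTORY advice: even with a safe creation call, keep the scratch directory one that only the running user can write to.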

SSLeay/OpenSSL

The random-number generator in SSLeay/OpenSSL versions through 0.9.6a has a design error that may make its output predictable, which may lead to the compromise of the encrypted communications.

It is recommended that users upgrade to OpenSSL version 0.9.6b as soon as possible.

AIX libi18n Library

IBM has reported that there is a buffer overflow in the libi18n library supplied with AIX 4.3 and 5.1 that can be used by a local attacker to gain root privileges. The buffer overflow is exploited through the set user id root application aixterm, which is linked to the library.

Users should remove the set user id bit from aixterm until a patch has been produced by IBM.

tcpdump

tcpdump has a buffer overflow in the code that decodes AFS RPC packets that may be used to execute arbitrary commands as the root user. This is similar to a problem reported last month in tcpdump, where the buffer overflow was in the code that decoded AFS ACL packets.

Users should upgrade to the latest version of tcpdump and should only use tcpdump on networks that contain packets from trusted sources.

squid

A flaw in the squid Web proxy can be exploited by an attacker to perform anonymous port scans. This is caused by squid not properly using ACLs in the configuration file when squid is set up in httpd_accel mode.

Users should contact their vendor for updated squid packages.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
