Security Alerts

Quake 3 Arena Buffer Overflow

08/20/2001

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in Raytheon SilentRunner, Quake 3 Arena, elm, and a number of Lightweight Directory Access Protocol servers; a temporary-file race condition in the Samsung ML-85G Linux printer driver; a new forms-based attack against Web browsers; problems in Arkeia, AdCycle, uncgi, the Red Hat util-linux package, and HP-UX's login; and a race condition in the NetBSD kernel.

Arkeia

Arkeia, a multi-platform backup and recovery tool, has several problems that together could lead to a remote root compromise. Communications between the GUI management tool and the backup agents are unencrypted, and the Arkeia password is only weakly encrypted, so an attacker who can sniff the traffic between the Arkeia GUI and one of its agents may recover the password and gain access to the Arkeia account. With that account, the attacker can schedule an arbitrary command to be run before and after a backup, and that command is executed as root.

It is recommended that Arkeia be used through an encrypted tunnel created with a tool such as ssh.

HTML Form Protocol Attack

Jochen Topf has written a paper describing a new attack against some Web browsers that uses an HTML form to send data to arbitrary TCP ports. An attacker can potentially use it to make a victim's Web browser send email, post news, delete email, send FTP commands, and so on. If JavaScript is enabled in the browser, the form can be submitted as soon as the page is viewed. If the browser is inside a firewall-protected network, the attack can be used to reach other machines inside that network. Software reported to be vulnerable includes Opera version 5 for Linux, Internet Explorer, Junkbuster, Lynx, Mozilla 0.9.1 (ports greater than 1024 only), and Netscape 4.77 for Linux (blocks some ports but not all).

Jochen Topf recommends that users disable JavaScript in their Web browsers. Users should also consider upgrading to a Web browser that limits the ports to which form data can be sent.
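Both sides of that mitigation, as an added example that is not from the column or from Topf's paper: a browser-side check that refuses to submit a form to a well-known non-HTTP port, and the complementary check a mail or news daemon can make on its first line of input (the column lists only the browser-side fix). The port list and host names are assumptions constructed for the demonstration.

```python
# Added example (not from the column or Jochen Topf's paper): the mitigation
# the column names, a browser limiting the ports a form may be sent to, plus
# the matching check on the receiving service. Port list is an assumption.
from urllib.parse import urlsplit

# Ports of the non-HTTP services the attack reaches (FTP, SMTP, POP3, NNTP,
# IMAP). Assumption: an illustrative list, not any real browser's policy.
BLOCKED_PORTS = frozenset({21, 25, 110, 119, 143})
DEFAULT_PORTS = {"http": 80, "https": 443}
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"}


def form_target_allowed(action_url: str) -> bool:
    """Browser side: may a form be submitted to this action URL?"""
    parts = urlsplit(action_url)
    if parts.scheme not in DEFAULT_PORTS:
        return False                        # only HTTP(S) submissions
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:                      # non-numeric or out-of-range port
        return False
    return port not in BLOCKED_PORTS


def looks_like_http_request(first_line: bytes) -> bool:
    """Service side (a mail or news daemon): does the first line a client sent
    look like an HTTP request line? If so the connection came from a browser
    and the body would be a form, not protocol commands: drop it."""
    fields = first_line.strip().split(b" ")
    if len(fields) != 3:
        return False
    method, _target, version = fields
    return (method.decode("ascii", "replace") in HTTP_METHODS
            and version.startswith(b"HTTP/"))


if __name__ == "__main__":
    for url in ("http://www.example/cgi-bin/submit", "http://www.example:25/"):
        print(url, "allowed" if form_target_allowed(url) else "blocked")
    for line in (b"POST / HTTP/1.0\r\n", b"HELO www.example\r\n"):
        print(line, looks_like_http_request(line))
```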

Raytheon SilentRunner

Raytheon SilentRunner has multiple buffer overflows that can be exploited by an attacker to execute arbitrary code on the server or to cause a denial of service on the collector. SilentRunner is a network monitoring tool that passively collects data and then allows the data to be viewed from a central server. It has been reported that versions 1.61, 2.0, and 2.01 of SilentRunner are vulnerable.

Users should watch Raytheon for a patch for these problems.

Quake 3 Arena

A buffer overflow exists in Quake 3 Arena that can be used to crash the Quake server, and may be exploitable to execute arbitrary code with the permissions of the user executing the Quake server. It has been reported that Quake 3 Arena versions 1.29f and 1.29g are vulnerable.

Users should watch id Software for an update.

AdCycle

AdCycle, a Web-based ad management system, does not properly check user input, allowing an attacker to insert SQL statements that will be parsed by the database server. Exploiting this vulnerability allows the attacker to bypass the administrator password.

Users of AdCycle should upgrade to version 1.16 or newer as soon as possible.
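The defect class behind the AdCycle bypass, as an added example that is not AdCycle's code: an administrator password check with the user's input pasted into the SQL text, beside the same check with bound parameters. The table, account name and password are constructed for the demonstration (a real system would compare a password hash, not the plaintext).

```python
# Added example, not AdCycle's code: the administrator check with the
# password pasted into the SQL text, beside the parameterised form.
# The table, account and password are constructed for the demonstration
# (a real system would compare a password hash, not the plaintext).
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admins (name TEXT, password TEXT)")
    con.execute("INSERT INTO admins VALUES ('admin', 'constructed-secret')")
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, password: str) -> bool:
    """User input becomes part of the statement, so a quote character in the
    password changes what the WHERE clause means instead of being compared."""
    sql = f"SELECT 1 FROM admins WHERE name = '{name}' AND password = '{password}'"
    return con.execute(sql).fetchone() is not None


def login_fixed(con: sqlite3.Connection, name: str, password: str) -> bool:
    """Bound parameters: the values travel separately from the statement, so
    whatever the user typed is only ever compared as data."""
    sql = "SELECT 1 FROM admins WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchone() is not None


def demo() -> dict:
    """Same inputs through both versions. Only the correct password should
    log in; the quote-breaking input must fail once parameters are bound."""
    con = make_db()
    attempts = {"correct": "constructed-secret", "quote-breaking": "' OR '1'='1"}
    return {label: (login_vulnerable(con, "admin", pw), login_fixed(con, "admin", pw))
            for label, pw in attempts.items()}


if __name__ == "__main__":
    for label, (vulnerable, fixed) in demo().items():
        print(f"{label:15} vulnerable={vulnerable} fixed={fixed}")
```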

elm

The elm email client has a buffer overflow in the code that handles the message id. It has been reported that this can cause header corruption.

It is recommended that users check their vendor for an updated version of elm.

Samsung ML-85G Linux Printer Driver

The Linux printer driver for the Samsung ML-85G printer creates its temporary files insecurely. This leaves the driver vulnerable to a race condition that can be exploited to gain root permissions on the system.

It is recommended that users remove the set user id bit from the printer driver until a patched version has been installed.
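The race the driver is exposed to, as an added example that is not the Samsung driver's code: a temporary file created under a fixed, predictable name with no exclusive-create flag follows a symlink an attacker placed there first, whereas O_EXCL and O_NOFOLLOW make the same open fail. The directory, file names and contents are constructed for the demonstration.

```python
# Added example, not the Samsung driver's code: why a temporary file with a
# fixed, predictable name is a race, and the open() flags that close it.
# Directory, file names and contents are constructed for the demonstration.
import os
import tempfile


def write_temp_insecure(path: str, data: bytes) -> None:
    """Insecure pattern: fixed name, O_CREAT|O_TRUNC, no O_EXCL. If a symlink
    already sits at `path`, a set-uid root driver follows it and truncates and
    overwrites whatever file the attacker chose."""
    with open(path, "wb") as fh:
        fh.write(data)


def write_temp_secure(path: str, data: bytes) -> None:
    """Safe pattern: O_EXCL fails if anything (a symlink included) already
    exists at `path`, O_NOFOLLOW refuses symlinks outright, mode 0600 keeps
    the file private. tempfile.mkstemp() does this with a random name too."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def demo_symlink_race() -> tuple:
    """Stage the lost race in a private directory: a victim file, a symlink at
    the predictable temp name pointing to it, then both writers. Returns the
    victim's contents after the insecure write and whether the secure one
    refused to follow the link."""
    with tempfile.TemporaryDirectory() as workdir:
        victim = os.path.join(workdir, "victim")          # stands in for a system file
        with open(victim, "wb") as fh:
            fh.write(b"original\n")
        predictable = os.path.join(workdir, "ml85g.tmp")  # constructed temp name
        os.symlink(victim, predictable)                   # attacker got there first

        write_temp_insecure(predictable, b"print job\n")
        with open(victim, "rb") as fh:
            clobbered = fh.read()
        try:
            write_temp_secure(predictable, b"print job\n")
            refused = False
        except OSError:                                   # EEXIST or ELOOP
            refused = True
        return clobbered, refused


if __name__ == "__main__":
    print(demo_symlink_race())   # (b'print job\n', True)
```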

uncgi

uncgi is a CGI program designed to make writing CGI applications easier: it parses the QUERY_STRING and places the results into environment variables before running the target script. Versions of uncgi earlier than 1.10 did not check for relative directory components (they parsed ../ as part of the URL), and would execute a script even if the script was not marked executable.

Users should upgrade to uncgi version 1.10 and should add the compile-time option of EXECUTABLES_ONLY when it is compiled.
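The two checks described above, as an added example that is not uncgi's code: reject path components such as ../ before resolving the script, confirm the resolved path is still under the script directory, and run only regular files with an execute bit, which is what the EXECUTABLES_ONLY option enforces. The script root, file names and the symlink case are constructed for the demonstration.

```python
# Added example, not uncgi's code: the two checks described above (reject
# relative path components; run only executables, as EXECUTABLES_ONLY does)
# as a validator. Script root and file names are constructed.
import os
import stat
import tempfile
from typing import Dict, Optional

def resolve_cgi_script(script_root: str, requested: str) -> Optional[str]:
    """Map a path taken from the URL to a script under `script_root`. Returns
    its real path, or None if it leaves the root or is not a regular
    executable file."""
    # Reject '.', '..' and empty names before touching the filesystem.
    parts = [p for p in requested.split("/") if p]
    if not parts or any(p in (".", "..") for p in parts):
        return None
    real_root = os.path.realpath(script_root)
    real_path = os.path.realpath(os.path.join(real_root, *parts))
    # A symlink inside the root may still point outside it: compare real paths.
    if os.path.commonpath([real_root, real_path]) != real_root:
        return None
    try:
        st = os.stat(real_path)
    except FileNotFoundError:
        return None
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    if not stat.S_ISREG(st.st_mode) or not st.st_mode & exec_bits:
        return None
    return real_path

def demo() -> Dict[str, bool]:
    """Constructed root with an executable script, a data file with no
    execute bit, and an executable outside the root reachable by ../ or a link."""
    with tempfile.TemporaryDirectory() as top:
        root = os.path.join(top, "cgi-bin")
        os.mkdir(root)
        for path, mode in ((os.path.join(root, "hello.cgi"), 0o755),
                           (os.path.join(root, "notes.txt"), 0o644),
                           (os.path.join(top, "secret"), 0o755)):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\necho ok\n")
            os.chmod(path, mode)
        os.symlink(os.path.join(top, "secret"), os.path.join(root, "link"))
        return {
            "executable script": resolve_cgi_script(root, "hello.cgi") is not None,
            "data file": resolve_cgi_script(root, "notes.txt") is not None,
            "dot-dot traversal": resolve_cgi_script(root, "../secret") is not None,
            "symlink out of root": resolve_cgi_script(root, "link") is not None,
        }
```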

Red Hat util-linux

The util-linux packages shipped with Red Hat Linux 7.1 could leave the /etc/shadow file world-readable after editing it with vipw.

Red Hat recommends that users of Red Hat Linux 7.1 upgrade to the new util-linux package and that if they have used vipw, they should check the permissions on /etc/shadow.

HP-UX Login

The HP-UX login command can allow restricted shell users to execute unauthorized commands and break out of the restricted shell. This is reported to affect HP9000 series 700/800 machines with HP-UX 11.00, 11.11, and 10.20.

HP recommends that affected users apply the appropriate patch as soon as possible.

NetBSD Race Condition

A race condition in NetBSD between the ptrace() system call and the set user id and set group id handling of the execve() system call can be exploited by a local attacker to execute arbitrary code with the permissions of the root user. NetBSD version 2.5.1 is not vulnerable.

Users of NetBSD-current should upgrade to a version dated June 15, 2001 or newer. Users of NetBSD 1.5 should upgrade to a version dated June 17, 2001 or newer. Users of NetBSD 1.4, 1.4.1, 1.4.2, and 1.4.3 should upgrade to a version dated July 19, 2001 or newer. Once the upgraded kernel source has been installed, the kernel should be rebuilt and installed, and then the system should be restarted.

Lightweight Directory Access Protocol Servers

Many implementations of the Lightweight Directory Access Protocol (LDAP) have vulnerabilities, including buffer overflows, denial-of-service conditions, and privilege escalation. Vulnerable systems include iPlanet Directory Server, IBM SecureWay, Lotus Domino R5 servers, Teamware Office, Qualcomm Eudora WorldMail, Microsoft Exchange 5.5 LDAP Service, Network Associates PGP Keyserver, Oracle 8i Enterprise Edition, and OpenLDAP. For details on vulnerable versions, users should check the CERT advisory and contact their vendor.

Users should contact their vendor for patches and workarounds for this problem.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
