A Root Exploit and DoS in the Linux Kernel10/22/2001
Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at a root exploit and a
denial-of-service attack in the Linux kernel; buffer overflows in
Snes9x and Oracle 9i Web Cache; and problems in PAM's
Apache, Mac OS X, W3Mail,
- Linux Kernel Root Exploit
- PAM Login
- Mac OS X
- Oracle 9i Web Cache
Some Linux kernels have vulnerabilities that can be exploited to gain root access and be used in a denial-of-service attack. It is reported that Linux kernels 2.2.19 and earlier in the 2.2.x series, and 2.4.9 and earlier in the 2.4.x series, are vulnerable.
The vulnerability that can be used to gain root permissions is
ptrace and a set user id program. When it is exploited, arbitrary code will be executed with root permissions. A script to automate the exploit using the
newgrp command has been released.
The denial-of-service attack is caused by making the kernel de-reference multiple symbolic links. The Linux Kernel version 2.4.10 has a partial fix for this vulnerability. A script has also been released that can be used to automate the denial-of-service attack.
It is recommended that affected users upgrade their Linux kernel to version 2.4.12 or a patched version of the 2.2.x kernel as soon as possible. At the time of this writing, it had been reported that updated packages had been released by Caldera, Red Hat, EnGarde Secure Linux, Trustix Secure Linux, and Immunix OS.
There is a problem in the way that PAM's
login implementation handles
users' credentials that, under some circumstances, can be exploited to gain
access to other users' accounts. The
login program stores the user's
credentials in a static buffer that, when used with other non-default
PAM modules (such as
pam_limits), may result in the credentials
overwriting another user's and allowing them access to the account.
Affected users should watch their vendor for an updated
package. Red Hat and Trustix Secure Linux have released updated
util-linux packages that repair this problem.
There is a bug in the way that Squid handles
mkdir PUT requests in a
FTP session that can be used by an attacker in a denial-of-service
It has been reported that this bug was fixed on September 18, 2001 and that users should upgrade to a version released after this date. Updated packages have been released for Red Hat Linux 6.2, 7.0, and 7.1.
Two remotely-exploitable problems have been reported in the Apache Web server: a specially crafted host header can be used by an attacker to overwrite arbitrary files on the server that have a name that ends in .log, and when multiviews are being used for a directory index, a directory listing may be returned instead of the proper content.
Users should upgrade to Apache 1.3.22 or newer as soon as possible. Updated packages have been announced for Conectiva Linux and EnGarde Secure Linux.
It has been reported that local users on Mac OS X can execute applications and shells as the root user. The menu bar on OS X runs as root and executes applications that it starts as the root user. For example, it will start a text editor with root permissions or execute applications from the "Recent Items" list as root.
It has been reported that Apple has a "Security Update 10-19-01" that will fix this problem.
The W3Mail Web mail package's CGI scripts fail to check for meta-characters and can be exploited to execute arbitrary commands as the user running the Web server.
Users should watch for an updated version of W3Mail and should consider removing or disabling the package until it has been repaired.
There is a temporary file race condition vulnerability in the
utility that may be exploitable by an attacker to overwrite arbitrary
It is recommended that users watch their vendor for an updated
sdiff package. Red Hat has released an updated
diffutils package for Red
Hat Linux 5.2, 6.2, 7.0, and 7.1.
looking-glasses is a set of scripts that are used to allow viewing of specific information about a Cisco router on a Web page. There are
multiple versions, but most are reported to have been written in Perl.
Some versions of
looking-glasses that are based on the original
looking-glasses have vulnerabilities that can be exploited by a remote
attacker to execute Cisco IOS commands or to view unauthorized
information on the router that
looking-glasses is reporting on.
looking-glasses version that can be obtained from
nitrous.digex.net is unsupported and no patches have been released for
Snes9x emulates a Super Nintendo Entertainment System under Linux. Version 1.37 of Snes9x, and possibly earlier versions, is vulnerable to a buffer overflow that may be exploitable to gain root access if the emulator is installed set user id root. Snes9x is sometimes installed set user id root so that it can be run in full screen mode.
Affected users should upgrade Snex9x as soon as possible and should consider removing the set user id bit.
The Oracle 9i Web Cache has a buffer overflow that can be used by an attacker to deny access to the server. The buffer overflow is exploited by sending a very long URL to the Web Cache and is reported to affect version 126.96.36.199.0 of the Web Cache on all platforms.
It is reported that Oracle has released patches for this problem. Affected users should contact Oracle for the patch for their system.
Read more Security Alerts columns.
Return to the Linux DevCenter.