Linux Buffer Overflows and an old SSH Daemon
10/29/2001
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a Linux kernel problem that can be used to bypass quotas; buffer overflows in Solaris's ufsrestore and Oracle Trace Collection; and problems in SSH, RWhoisd, Red Hat's printing system, Linux's iptables, Red Hat Linux's mod_auth_pgsql, Java Runtime Environment, and the Oracle binary.
- Bypassing Linux Quotas
- Red Hat Printing System
- Solaris ufsrestore
- Linux iptables
- Red Hat Linux mod_auth_pgsql
- Java Runtime Environment
- Solaris Xlock
- Oracle Trace Collection
It has been reported that a bug in the Linux kernel can be exploited using almost any set user id binary to create files that exceed a user's quota limits. This bug is caused by the process having the CAP_SYS_RESOURCE capability enabled during the write to the file.
Affected users should watch for a kernel patch that repairs this bug.
Under some conditions, systems that were upgraded from SSH version 1 to SSH version 2 will still have a sshd1 daemon installed. This sshd1 daemon can still be executed when an incoming old SSH version 1 client connects. If this sshd1 binary was vulnerable to an exploit, the system will still be vulnerable. It has been reported that this problem is being actively scanned for and exploited.
Systems that have the sshd1 daemon but do not use SSH version 1 should disable the daemon. If SSH version 1 is still in use, it is recommended that it be upgraded to 1.2.32 or replaced with OpenSSH, as ssh.com's SSH version 1 is no longer being maintained.
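An added audit helper for the leftover-sshd1 situation above (not code from the column or from ssh.com/OpenSSH). It assumes the ssh.com sshd2_config keywords Ssh1Compatibility and Sshd1Path and the OpenSSH Protocol keyword; check them against your own version's documentation.

```shell
#!/bin/sh
# Report whether a host can still hand an SSH-1 client to a leftover sshd1.
# Two configuration styles are inspected:
#   - ssh.com sshd2_config:  "Ssh1Compatibility yes" (sshd1 fallback on),
#     with Sshd1Path naming the binary that would be executed
#   - OpenSSH sshd_config:   "Protocol 1" or "Protocol 2,1"
# plus the presence of an executable sshd1 in the given directory.
# Returns 0 when nothing was found, 1 when at least one exposure was printed.
check_ssh1_fallback() {
    cfg="$1"      # sshd2_config or sshd_config to inspect
    bindir="$2"   # directory where sshd1 would live (e.g. /usr/local/sbin)
    found=0
    if [ -f "$cfg" ]; then
        if grep -Eiq '^[[:space:]]*Ssh1Compatibility[[:space:]]+yes' "$cfg"; then
            echo "WARN: $cfg enables SSH-1 compatibility (sshd1 fallback)"
            found=1
        fi
        # A Protocol line that lists version 1 anywhere (1, 2,1 or 1,2)
        if grep -Eiq '^[[:space:]]*Protocol[[:space:]]+[0-9,]*1' "$cfg"; then
            echo "WARN: $cfg allows SSH protocol version 1"
            found=1
        fi
    fi
    if [ -x "$bindir/sshd1" ]; then
        echo "WARN: executable sshd1 present at $bindir/sshd1"
        found=1
    fi
    return $found
}

# Demo on constructed files in a scratch directory; on a real host the
# inputs would be /etc/ssh2/sshd2_config or /etc/ssh/sshd_config and the
# sbin directory of the SSH installation.
demo_dir=$(mktemp -d)
printf 'Ssh1Compatibility yes\nSshd1Path /usr/local/sbin/sshd1\n' > "$demo_dir/sshd2_config"
printf '#!/bin/sh\nexit 0\n' > "$demo_dir/sshd1"
chmod 755 "$demo_dir/sshd1"
check_ssh1_fallback "$demo_dir/sshd2_config" "$demo_dir" || echo "result: SSH-1 fallback still possible"
rm -rf "$demo_dir"
```

A clean result only means the daemon will not be spawned from these paths; the sshd1 binary itself should still be removed or replaced as the column advises.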
There is a format string vulnerability in RWhoisd that can be exploited to execute arbitrary code with the permissions of the user running RWhoisd. Under some circumstances, the permissions of the user running RWhoisd can be leveraged into root access.
ARIN Engineering has released a patch for RWhoisd and recommends that users apply it as soon as possible.
Under Red Hat Linux, the PostScript interpreter Ghostscript can be used to read arbitrary files on the system with the permissions of the printer daemon. The problem exists even when the -dSAFER flag is used. This problem affects Red Hat Linux versions 5.2, 6.2, 6.2J, 7.0, 7.0J, and 7.1.
Red Hat recommends that users apply the appropriate update for their system. On systems that do not use the printing subsystem, users should consider disabling it.
Sun has reported that the Solaris ufsrestore utility has a buffer overflow in the pathname parameter of the extract command that can be exploited to gain root permissions. Sun has reported that Solaris versions 2.5, 2.5.1, 2.6, 7, and some versions of 8 are vulnerable, but that Solaris 8 04/01, Solaris 8 Maintenance Update 4, and later releases are not vulnerable.
Sun recommends that affected users apply the appropriate patch as soon as possible. The set user id bit should be removed from ufsrestore until it has been patched.
The MAC iptables module allows firewall rules to be configured using a machine's Ethernet hardware address in filter rules. A flaw in the MAC module causes it to fail to correctly match packets that are very small. This can be used by a malicious user to bypass firewall rules and, in some cases, may be used to bypass an application being restricted to specified MAC addresses.
Affected users can upgrade to the latest version of iptables and configure additional rules to match the small packets using the "length" module.
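An added example of the workaround above, written here rather than taken from the column or the iptables project: a rule set that restricts an interface to one trusted hardware address, with a length-module rule placed in front of the mac-module rule. The interface, the MAC address and the size threshold are constructed or placeholder values; the column gives no packet size, so SMALL_PKT_MAX must be set from the iptables release notes for the affected version.

```shell
#!/bin/sh
# Build the rules for an interface that should only accept traffic from one
# trusted MAC. The packets the vulnerable mac match cannot evaluate are
# decided by the length match before they ever reach the mac rule.
# With IPT unset the rules are printed instead of applied.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-eth0}"
TRUSTED_MAC="${TRUSTED_MAC:-00:11:22:33:44:55}"   # constructed address
# Size below which the mac match mis-handled packets: placeholder, the
# column does not give the number; take it from your iptables release notes.
SMALL_PKT_MAX="${SMALL_PKT_MAX:-SET_ME}"

mac_filter_rules() {
    # 1. Packets the MAC module cannot judge get the fate of an untrusted
    #    source; this rule must come before the mac rule, not after it.
    $IPT -A INPUT -i "$IFACE" -m length --length "0:$SMALL_PKT_MAX" -j DROP
    # 2. The intended restriction: only the trusted hardware address may talk.
    $IPT -A INPUT -i "$IFACE" -m mac --mac-source "$TRUSTED_MAC" -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -j DROP
}

# Position (1-based) of the first generated rule that uses the given match
# module, so the ordering can be checked when the rules are only printed.
rule_position() {
    mac_filter_rules | grep -n -- "-m $1" | head -n 1 | cut -d: -f1
}

mac_filter_rules
```

Rule 1 also drops legitimate packets below the threshold from the trusted host, so size the threshold carefully and consider a LOG rule in front of it while tuning.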
The mod_auth_pgsql package that shipped with Red Hat Linux 7.2 has a vulnerability that can be used by an attacker to execute arbitrary SQL commands, and there is a bug in the MD5 password code that can prevent valid passwords from being authenticated.
Red Hat has released a new mod_auth_pgsql package that fixes both problems and recommends that users upgrade.
Under some conditions, there is a flaw in the Java Runtime Environment that can be used by an untrusted applet to access the system clipboard. Sun has reported that Netscape 6 is vulnerable if Java Runtime Environment versions 1.3.0_02 or 1.3.0_01 are used. They have also reported that the following are vulnerable: Windows SDK and JRE versions 1.3.0_02 and earlier, 1.2.2_007 and earlier, 1.2.1, and 1.2; Solaris Reference releases SDK and JRE versions 1.2.2_007 and earlier, 1.2.1, and 1.2; Solaris Production releases 1.3.0_02 and earlier, 1.2.2._07 and earlier, 1.2.1, and 1.2; and Linux Production Releases 1.3.0_02 and earlier and 1.2.2_007 and earlier.
Sun recommends that users upgrade to version 1.3.1 of the Java 2 SDK.
The Oracle binary has a vulnerability that can be exploited by a local attacker to overwrite arbitrary files on the system with a trace file. This problem affects all Oracle database server releases on Unix platforms.
Oracle recommends that users make the Oracle binary only executable by the Oracle user and dba group. If this is done, remote users will be required to use the IPC driver that connects to the TNS listener. This listener must be started by a user that can execute the Oracle binary. Oracle plans to fix this vulnerability only in Oracle9i release 2.
It has been announced that the patch for Xlock under Solaris 2.6 has been released by Sun.
The Oracle utilities otrcrep contain a buffer overflow in the code that handles the ORACLE_HOME environment variable. These buffer overflows can be exploited to execute arbitrary code with the permissions of the Oracle user and the dba group.
Oracle recommends that the set user id bits be removed from the otrcrep utilities and that Oracle Trace be disabled by setting its control parameter to oracle_trace_enable=FALSE. Oracle is only planning to fix these buffer overflows in Oracle9i, Release 2.