LinuxDevCenter.com

Security Alerts

Buffer Overflows in RealPlayer and GNU Chess

01/28/2002

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at two Linux kernel bugs; buffer overflows in RealPlayer, GNU Chess, and sniffit; and problems in rsync, Squirrelmail, PHP-Nuke, enscript, Tarantella Enterprise 3, UnixWare and Open UNIX's sort, IPFilter/9000, and Maelstrom.

Linux Kernel Bug

There is a bug in some Linux kernels' ICMP implementation that can be remotely exploited to read random selections of memory. This bug is reported to affect Linux 2.2 kernels 2.2.18 and earlier and 2.4 kernels 2.4.0-test6 and earlier.

It is recommended that affected users upgrade their kernel to a safe version as soon as possible.

Linux CIPE

There is a vulnerability in the Linux CIPE (Crypto IP Encapsulation) VPN tunnel Linux kernel code that can be used by a remote attacker to crash the system by sending a specially-crafted packet. The Linux CIPE code tunnels IP packets inside of encrypted UDP packets.

It is recommended that affected users upgrade CIPE to version 1.3.0-3 or newer, or watch for an updated Linux kernel version.

rsync

The rsync command is used to synchronize files and directories across multiple machines. rsync has bugs related to signed integer handling that can be used, under some circumstances, by a remote attacker to execute arbitrary commands on the server with root privileges.

Users should upgrade rsync to version 2.4.6 or newer, or contact their vendor for a repaired version. It is also recommended that the "Use chroot" option be used to reduce the impact of a successful attack.

Squirrelmail

The Squirrelmail Web-based email system has a vulnerability that can be used to execute arbitrary commands on the server with the permissions of the user executing the Web server. An additional vulnerability can be exploited to cause a user to send email messages or to execute JavaScript.

It is recommended that users watch for a version of Squirrelmail that fixes both of these vulnerabilities.

RealPlayer

RealPlayer, a streaming media player, has a buffer overflow in the code that parses the strings in its data files that may be exploitable to execute arbitrary code on the local machine with the user's permissions. RealNetworks reports that the following versions of RealPlayer are vulnerable: RealPlayer for Windows: RealOne Player, RealPlayer 7, RealPlayer 8, RealPlayer G2 (Build # 6.0.6.99 or higher), RealPlayer Intranet 8, RealPlayer and Intranet 7; RealPlayer for Macintosh: RealPlayer 8 and RealPlayer 7; and RealPlayer for Unix: RealOne Player Alpha for Linux 2.2, RealPlayer 7 for Unix, and RealPlayer 8 for Unix.

RealNetworks has released updates and replacement libraries for RealPlayer. Users should go to www.real.com for details.

GNU Chess

GNU Chess allows a computer to play the game of chess; it has a terminal interface, but supports other interfaces. GNU Chess contains a buffer overflow that can be exploited by a remote attacker to execute arbitrary commands if the attacker can send GNU Chess commands.

This buffer overflow has been fixed in the 5.03beta release of GNU Chess, available from the GNU FTP site. GNU Chess does not have a network interface and was designed to be run locally on the user's computer and, as a result, was not written with security in mind. Users who wish to use GNU Chess over a network should consider using a tool such as FICS or Zippy from Xboard to secure the connection.

PHP-Nuke

There is a vulnerability in PHP-Nuke that can be used by an attacker to execute arbitrary commands on the server with the permissions of the user executing the Web server. This vulnerability is the result of unfiltered user-supplied data being used in an include() function.

Users should watch for an updated version of PHP-Nuke.

enscript

enscript is a tool that is used to convert text files to PostScript and send them to a printer. Versions of enscript earlier than 1.6.2-4.1 are vulnerable to a temporary file symbolic link race condition that can be used by a malicious user to overwrite arbitrary files with the permissions of the user executing enscript.

Users should upgrade enscript to version 1.6.2-4.1 or newer.

Tarantella Enterprise 3

Tarantella Enterprise 3 is used to access enterprise resources via a Web interface. It is vulnerable to a race condition that can lead to a local root exploit during installation.

Users should consider placing the system in single-user mode while installing Tarantella Enterprise 3 until it has been patched to repair this vulnerability.

sniffit

sniffit, a packet sniffer for Linux and most versions of Unix, has a buffer overflow that, if it is installed set user id root, can be exploited to gain root privileges.

Users should remove the set user id bit from sniffit until it has been patched.

UnixWare and Open UNIX sort

The sort command supplied with UnixWare 7.1.* and Open UNIX 8.0.0 has a temporary file race condition that can be used by a local attacker to overwrite arbitrary files with the permissions of the user executing sort.

Caldera recommends that users upgrade sort as soon as possible.

IPFilter/9000

Hewlett-Packard has announced a vulnerability in IPFilter/9000 running on HP-UX 11.00 or 11.11 that can be used to change its handling of packets.

Hewlett-Packard recommends that users upgrade to IPFilter/9000 version A.03.05.02.

Maelstrom

Maelstrom, an Asteroids-type game ported from the Macintosh, has a temporary file symbolic link race condition that can be used by a malicious user to overwrite arbitrary files with the permissions of the user executing Maelstrom. It is reported that Maelstrom versions 3.0.1 and earlier are vulnerable.

Users should avoid executing Maelstrom on multiuser machines until it has been fixed.
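
The enscript, sort, and Maelstrom items above all describe the same bug class: a temporary file opened at a predictable path that a symbolic link can redirect. The C sketch below is an added example, not code from any of those programs; the file names and the scratch directory are constructed, and it contrasts the weak open with O_EXCL and mkstemp().

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: fixed, predictable name; open() follows a symlink already at that path. */
static int open_tmp_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything, symlink included, is there. */
static int open_tmp_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario in a private scratch directory. Returns a bitmask:
 * 1 = weak open truncated the victim through the symlink,
 * 2 = O_EXCL open refused the pre-planted symlink,
 * 4 = mkstemp() created its own file and left the victim intact. */
int demo_symlink_race(void) {
    char dir[] = "/tmp/tmprace-XXXXXX";
    char victim[64], lnk[64], tmpl[64];
    struct stat st;
    int fd, result = 0;
    FILE *f;

    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/app.tmp", dir);      /* predictable temp name */
    snprintf(tmpl, sizeof tmpl, "%s/app.XXXXXX", dir);
    if (!(f = fopen(victim, "w"))) return -1;
    fputs("important data\n", f);
    fclose(f);
    if (symlink(victim, lnk) != 0) return -1;          /* stands in for the planted link */

    fd = open_tmp_excl(lnk);
    if (fd < 0 && errno == EEXIST) result |= 2;
    if (fd >= 0) close(fd);

    fd = mkstemp(tmpl);                                /* unpredictable name, O_EXCL inside */
    if (fd >= 0) { close(fd); unlink(tmpl); }
    if (fd >= 0 && stat(victim, &st) == 0 && st.st_size > 0) result |= 4;

    fd = open_tmp_weak(lnk);                           /* follows the link, truncates victim */
    if (fd >= 0) close(fd);
    if (fd >= 0 && stat(victim, &st) == 0 && st.st_size == 0) result |= 1;

    unlink(lnk); unlink(victim); rmdir(dir);
    return result;
}
```

When auditing code for this class of bug, look for open() or fopen() calls on paths under /tmp built from fixed strings or process IDs without O_EXCL.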

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

