Buffer Overflows in OpenSSH and mod_frontpage
03/11/2002
Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at a local root exploit in OpenSSH; buffer overflows in mod_frontpage, MTR, EasyBoard 2000, and Netwin WebNews; and problems in Cistron Radius, SIPS, Astaro Security Linux, Tarantella Enterprise 3, Ethereal, Zope, Apache-SSL, KAME Derived IPsec, and ntop.
Versions of OpenSSH between 2.0 and 3.0.2 are vulnerable to a buffer overflow that can be exploited by a local attacker to execute arbitrary code as root. In addition, the same vulnerability can be used by a specially modified SSH server to exploit SSH clients that connect to it.
All users of OpenSSH should upgrade to version 3.1p1 or newer as soon as possible. It has been reported that updated packages have been released for Red Hat Linux, SuSE, EnGarde Secure Linux, Conectiva, and OpenBSD.
mod_frontpage, an Apache module that allows the use of Microsoft FrontPage compatible web pages, has a buffer overflow that can be exploited by a remote attacker to execute arbitrary code with the permissions of the root user.
It is recommended that users upgrade mod_frontpage to version 1.6.1 or newer as soon as possible and that they consider disabling mod_frontpage until it has been upgraded.
The Cistron Radius server's implementation of the RADIUS (Remote Authentication Dial In User Service) protocol contains bugs that can, under some circumstances, be exploited by a remote attacker to gain additional privileges or to deny service to other users.
Users of the Cistron Radius server should upgrade to version 1.6.6 or newer.
The MTR network testing tool is a combined traceroute and ping utility. MTR has a buffer overflow that can be exploited to execute arbitrary code with the permissions of the user it is executing as (in many cases root).
It is recommended that MTR be upgraded to the latest version and, if it is installed set-user-id root, that only trusted users be granted permission to execute it.
EasyBoard 2000, a web-based bulletin board application, is vulnerable to a buffer overflow in the code that handles the "Content-Type" header. This buffer overflow can be exploited by a remote attacker to execute code with the permissions of the user running the web server. Version ezboard 1.27 (BUILD 515) was reported to be vulnerable; it is not known whether other versions are also affected. A script to automate exploiting this vulnerability has been released.
Users should watch for a repaired version to be released and should consider disabling EasyBoard 2000 until it has been repaired.
SIPS is a weblog and link indexing system written in PHP that does not require a back-end database such as MySQL. A bug in SIPS can be exploited to gain administrator privileges in the application.
It is recommended that users upgrade to SIPS version 0.3.1.
Astaro Security Linux, a Linux-based firewall, has a security problem that may be used in a denial of service attack and may, under some circumstances, be exploitable by a local attacker to gain additional permissions. The problem is caused by files and directories that are installed with world-writable permissions.
Astaro AG has repaired these problems in Up2Date 2.022.
The Tarantella Enterprise 3 server-access application is vulnerable during its installation to a symbolic-link race condition that can be used by a local attacker to write to any file on the system.
Users should watch for an update to Tarantella Enterprise 3 that addresses this vulnerability. A workaround is to install Tarantella Enterprise 3 in single-user mode after verifying that the /tmp directory does not contain a link named "spinning".
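As an added example (not part of this column or of Tarantella's own installer), a POSIX shell pre-install check for the workaround above: it refuses to proceed if the temp directory already holds an entry named "spinning", and it goes slightly beyond the column by also checking that the directory has the sticky bit set, the usual protection against other local users renaming or removing entries in a shared /tmp. The directory and entry name defaults, the function name and the exit codes are my assumptions.

```shell
#!/bin/sh
# Added example: pre-install check for a planted symlink in a shared temp dir.
# Usage: tmp_link_check [tmpdir] [name]   (defaults: /tmp spinning)
# Exit status: 0 = safe to install, 1 = a symbolic link is present,
#              2 = some other entry is present, 3 = tmpdir lacks the sticky bit

tmp_link_check() {
    dir=${1:-/tmp}
    name=${2:-spinning}
    target="$dir/$name"

    # Test for a symlink first: a dangling link fails -e but still passes -L.
    if [ -L "$target" ]; then
        echo "UNSAFE: $target is a symbolic link -> $(readlink "$target")" >&2
        return 1
    fi
    if [ -e "$target" ]; then
        echo "UNSAFE: $target already exists (not a link); remove it first" >&2
        return 2
    fi
    # Sticky bit on the temp dir shows as 't' or 'T' as the last mode character.
    case $(ls -ld "$dir" | cut -c1-10) in
        *[tT]) ;;
        *) echo "WARN: $dir has no sticky bit; any user can rename or remove entries" >&2
           return 3 ;;
    esac
    echo "OK: no '$name' entry in $dir; proceed with the install in single-user mode"
    return 0
}

# Run the check when the script is invoked with arguments; otherwise only
# define the function so the file can be sourced.
if [ "$#" -gt 0 ]; then
    tmp_link_check "$@"
fi
```

Run it as `sh tmp_link_check.sh /tmp spinning` immediately before starting the installer, and re-run it if the install is delayed.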
It has been reported that Netwin WebNews, a server-based application used to read and post to Internet newsgroups, contains four user accounts whose names and passwords are compiled into the binary and cannot be changed, and that it is also vulnerable to a buffer overflow.
The buffer overflow is reported to be fixed by a patch available at ftp://netwinsite.com/pub/webnews/beta/.
A carefully crafted malformed packet can crash the Ethereal sniffer, causing a denial of service.
It has been reported that the CVS version of Ethereal has a fix for this problem. Users can upgrade Ethereal to the CVS version or watch for a patch or updated version.
The application server Zope has a flaw that can be exploited to gain unauthorized access to folders. This flaw is reported to affect Zope versions 2.2.0 through 2.5.x. A user account is required to exploit this flaw.
It is recommended that users apply the hot fix Hotfix_2002-03-01.
The version of Apache-SSL released on March 1, 2002 to fix a buffer overflow has a bug that will prevent the software from working.
Users should upgrade to version 1.3.22+1.47 of Apache-SSL as soon as possible.
KAME-derived IPsec implementations do not properly apply inbound policy checks to forwarded packets. Systems affected by this include NetBSD 1.5.2, NetBSD-current, FreeBSD 4.5, FreeBSD-current, and the KAME versions of NetBSD and FreeBSD.
Affected users should patch their system or upgrade to an updated kernel.
ntop, a network usage utility, has a format string vulnerability that can be used by a remote attacker to execute arbitrary code.
It is recommended that users upgrade to a version of ntop released March 1, 2002 or later, and that ntop be started with the <username> parameter, which causes it to drop its privileges and run as the specified user.