oreilly.comSafari Books Online.Conferences.


Security Alerts

Open BSD Local Root Exploit


Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at an OpenBSD local root exploit; problems with OpenBSD's rshd, rexecd, and atrun; new versions of Red Hat Linux's tcpdump, libpcap, and arpwatch; and problems in Webalizer, Open Unix and UnixWare's libX11, IMP, ntop, SuSE's ucd-snmp library, Anthill, INN, and several IRIX utilities.


A local root exploit has been found that affects OpenBSD versions released before April 8, 2002. This exploit is caused by a bug in the email application /usr/bin/mail. The /usr/bin/mail application will accept escape sequences that can be used to execute arbitrary commands. The /etc/daily script is executed daily by root and pipes its output through /usr/bin/mail. A local attacker can create a file with a carefully-crafted filename and permissions that, when the /etc/daily script is run, will execute an arbitrary command with root permissions. A script has been released to automate the exploitation of this vulnerability.

It is recommended that users apply the available patch as soon as possible. A temporary workaround is to remove or disable the /usr/bin/mail application until a patch has been applied.

OpenBSD rshd, rexecd, and atrun

Bugs in OpenBSD's rshd and rexecd utilities can, under some circumstances, cause a shell to execute as a different user. The atrun utility also has a similar bug that can cause "at" jobs to be executed in another user's home directory. These bugs are reported to only affect OpenBSD version 3.0.

Related Reading

The Linux Web Server CD Bookshelf
By O'Reilly Media, Inc.

A patch that fixes these bugs is reported to be available in the OpenBSD 3.0-stable branch.


Webalizer, a Web-server-logfile analysis tool that produces HTML output, has a buffer overflow in the code that does reverse DNS lookups that, under some circumstances, can be exploited by a remote attacker to execute arbitrary code with the permissions of the user running Webalizer (often root). For this buffer overflow to be exploited, Webalizer must be configured to do reverse DNS lookups, and the attacker must control a DNS server that is queried by Webalizer during a reverse DNS lookup.

Affected users should watch for an update to Webalizer and should configure Webalizer so that it does not do reverse lookups until this buffer overflow has been fixed.


The Horde team has announced version 2.2.8 of their IMP Web mail system. This new version fixes problems that could be used in a cross-site scripting attack.

The Horde team recommends that users upgrade to IMP 3. If this is not possible, they recommend that users upgrade to IMP version 2.2.8.


ntop, a utility to show network usage, is remotely vulnerable to a bug in the logging code that can be exploited to execute arbitrary code with root permissions.

Users should consider disabling ntop until it has been repaired, and should restrict unauthorized connections using a firewall.

SuSE ucd-snmp Library

SuSE has released a new version of the ucd-snmpd library that repairs several bugs. These bugs can be exploited to effect a denial-of-service attack and may, under some circumstances, be remotely exploitable to execute arbitrary code. This new snmp library may break some linked applications. SuSE identified ethereal, gxsnmp, snmp, and tngfw as applications that are linked against the library. SuSE has also released a new mod_php4 package that requires the new ucd-snmpd library.

SuSE recommends that users upgrade the ucd-snmpd library and block SNMP access to their systems using a firewall.


Anthill, a Web-based bug tracking application written using PHP, has a vulnerability that can be used by an unauthorized user to bypass the application's account controls and enter data into the system; it is also vulnerable to cross-site scripting attacks.

It is recommended that users configure Web-server-based user or host-based authentication (htaccess) until Anthill has been fixed.

Red Hat Linux tcpdump, libpcap, and arpwatch

Red Hat has released new tcpdump, libpcap, and arpwatch packages for Red Hat Linux 6.2 and 7.x. Changes in these packages include a fix for a remote root exploit, a fix to a problem in tcpdump's AFS printing, and a patch to tcpdump that causes it to drop root by default.

Affected users should install these packages as soon as possible.


The INN application is vulnerable to several format-string bugs that can be exploited by a local attacker to execute arbitrary code with the permissions of the user account (often news) that the inews and rnews binaries are executing under. This vulnerability is reported to affect version 2.2.3 and earlier of INN. A script has been released that will create a set user id news shell on vulnerable systems.

Users should watch their vendor for an updated version of INN. Users should also consider removing any set user id or group id bits from inews and rnews.

Open Unix and UnixWare libX11 Library

The libX11A library of Open Unix 8.0.0 and Unixware 7.1.1 has a buffer overflow in the code that deals with the -xrm option. This buffer overflow will make any application linked to it that uses the -xrm command line option vulnerable.

Caldera recommends that users upgrade their libX11 library as soon as possible.

IRIX Problems

SGI has announced that there are vulnerabilities in the Mail, mailx, timed, sort, and gzip applications. The Mail, mailx, and timed applications are vulnerable to a denial-of-service attack; sort is vulnerable to a temporary-file symbolic link attack; and gzip is vulnerable to a buffer overflow. The vulnerability in timed can be exploited by a remote attacker; the other vulnerabilities are reported to require a local account.

SGI recommends upgrading to IRIX 6.5.16 when it is made available or applying the patches that are currently available.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to the Linux DevCenter.

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: