OpenBSD Local Root Exploit
04/16/2002
Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at an OpenBSD local root
exploit; problems with OpenBSD's rshd, rexecd, and atrun; new versions of
Red Hat Linux's tcpdump, libpcap, and arpwatch; and problems in
Webalizer, Open Unix and UnixWare's libX11 library, Anthill, INN, and
several IRIX utilities.
- OpenBSD rshd, rexecd, and atrun
- SuSE ucd-snmp Library
- Red Hat Linux tcpdump, libpcap, and arpwatch
- Open Unix and UnixWare libX11 Library
- IRIX Problems
A local root exploit has been found that affects OpenBSD versions released
before April 8, 2002. The exploit is caused by a bug in the
/usr/bin/mail application: mail accepts tilde escape sequences (lines
beginning with ~, such as ~!command, which runs a shell command) even when
its input arrives on a pipe rather than from an interactive user. The
/etc/daily script is executed daily by root and pipes its output to
/usr/bin/mail. A local attacker can create a file with a carefully crafted
filename and permissions that, when the /etc/daily script is run, will
cause an arbitrary command to be executed with root permissions. A script
has been released to automate the exploitation of this vulnerability.
It is recommended that users apply the available patch as soon as
possible. A temporary workaround is to remove or disable the
/usr/bin/mail application until the patch has been applied.
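The decision that went wrong in mail(1) is easy to model. The following is an added illustration written for this column, not OpenBSD's mail source: a tilde-escape classifier in its vulnerable form (input source never consulted) and its fixed form (escapes honoured only for interactive input), run over a constructed report in the shape a cron job pipes into mail. The report assumes, as find(1) output would, that a filename containing an embedded newline puts the text after the newline at the start of a fresh line of the mail body; the filenames and the "~!command" placeholder are ours.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not mail(1) source: a model of the tilde-escape
 * decision the advisory describes.  In a BSD mail(1) message body a
 * line beginning with '~' followed by a command letter is an escape;
 * "~!cmd" runs cmd through the shell.  The bug was that this rule was
 * applied even when the body arrived on a pipe rather than from an
 * interactive user. */

enum escape_action { ESCAPE_NONE = 0, ESCAPE_SHELL, ESCAPE_OTHER };

/* Vulnerable rule: the source of the input is never consulted. */
enum escape_action classify_line_vulnerable(const char *line)
{
    if (line[0] != '~' || line[1] == '\0')
        return ESCAPE_NONE;
    return line[1] == '!' ? ESCAPE_SHELL : ESCAPE_OTHER;
}

/* Fixed rule: escapes are honoured only for interactive input;
 * text read from a pipe (as /etc/daily supplies it) is plain data. */
enum escape_action classify_line_fixed(const char *line, int interactive)
{
    return interactive ? classify_line_vulnerable(line) : ESCAPE_NONE;
}

/* Count the lines of a message body that a given rule would treat as
 * shell escapes.  'body' is newline-separated text exactly as it
 * would be piped into mail(1). */
int count_shell_escapes(const char *body, int interactive, int use_fix)
{
    int hits = 0;
    const char *line = body;
    while (*line) {
        enum escape_action a = use_fix
            ? classify_line_fixed(line, interactive)
            : classify_line_vulnerable(line);
        if (a == ESCAPE_SHELL)
            hits++;
        const char *nl = strchr(line, '\n');
        if (!nl)
            break;
        line = nl + 1;
    }
    return hits;
}

/* Constructed report in the shape a cron job produces: one path per
 * line as find(1) prints it.  Assumption (ours, not the column's): the
 * attacker's filename embeds a newline, so the text after it lands at
 * the start of a fresh line of the mail body. */
static const char daily_report[] =
    "/usr/bin/su\n"
    "/usr/bin/passwd\n"
    "/tmp/harmless-looking\n~!command\n";

int main(void)
{
    printf("vulnerable rule, piped input: %d shell escape(s)\n",
           count_shell_escapes(daily_report, 0, 0));
    printf("fixed rule, piped input:      %d shell escape(s)\n",
           count_shell_escapes(daily_report, 0, 1));
    printf("fixed rule, interactive:      %d shell escape(s)\n",
           count_shell_escapes(daily_report, 1, 1));
    return 0;
}
```

The vulnerable rule finds one shell escape in the piped report; the fixed rule finds none on piped input and still honours escapes for an interactive session, which is the behaviour the patch restores.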
Bugs in OpenBSD's rshd and rexecd utilities can, under some
circumstances, cause a shell to execute as a different user. The atrun
utility has a similar bug that can cause at jobs to be executed in
another user's home directory. These bugs are reported to affect only
OpenBSD version 3.0.
A patch that fixes these bugs is reported to be available in the OpenBSD 3.0-stable branch.
Webalizer, a Web-server-logfile analysis tool that produces HTML output, has a buffer overflow in the code that does reverse DNS lookups that, under some circumstances, can be exploited by a remote attacker to execute arbitrary code with the permissions of the user running Webalizer (often root). For this buffer overflow to be exploited, Webalizer must be configured to do reverse DNS lookups, and the attacker must control a DNS server that is queried by Webalizer during a reverse DNS lookup.
Affected users should watch for an update to Webalizer and should configure Webalizer so that it does not do reverse lookups until this buffer overflow has been fixed.
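The overflow class here is a resolver result copied into a fixed-size field. The following is an added illustration written for this column, not Webalizer's code: a per-host record with an assumed 64-byte name field, the unsafe strcpy pattern for contrast, and a checked copy that truncates, terminates, and reports. The 200-character PTR name is constructed here to stand in for what a hostile zone could return.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added illustration, not Webalizer's code.  A log analyser that does
 * reverse lookups receives the PTR name from whatever DNS server is
 * authoritative for the client's address, so the name's length and
 * content are chosen by that server's operator.  Copying it into a
 * fixed-size field without a bound is the overflow class the advisory
 * describes; the checked copy below is the hardened form. */

#define HOSTNAME_FIELD 64   /* assumed size of the per-host name field (ours) */

struct host_record {
    char addr[16];               /* dotted-quad IPv4 text of the client */
    char name[HOSTNAME_FIELD];   /* resolved hostname, or "" if none */
};

/* Unsafe pattern: strcpy trusts the resolver's result.  Kept only for
 * contrast; nothing here calls it. */
void store_name_unsafe(struct host_record *r, const char *ptr_name)
{
    strcpy(r->name, ptr_name);   /* overflows r->name once strlen(ptr_name) >= 64 */
}

/* Hardened pattern: bounded copy, guaranteed NUL termination, and a
 * return value so the caller can log, count or reject oversized names
 * instead of silently continuing. */
bool store_name_checked(struct host_record *r, const char *ptr_name)
{
    size_t len = strlen(ptr_name);
    if (len >= sizeof r->name) {
        memcpy(r->name, ptr_name, sizeof r->name - 1);
        r->name[sizeof r->name - 1] = '\0';
        return false;            /* truncated: the record is flagged, not corrupted */
    }
    memcpy(r->name, ptr_name, len + 1);
    return true;
}

/* Constructed PTR answer of the kind a hostile zone could return: a
 * 200-character run, well past the 64-byte field. */
void make_hostile_ptr_name(char *buf, size_t buflen)
{
    size_t i;
    for (i = 0; i + 1 < buflen && i < 200; i++)
        buf[i] = 'a' + (char)(i % 26);
    buf[i] = '\0';
}

int main(void)
{
    struct host_record r = { "192.0.2.10", "" };
    char ptr[256];

    make_hostile_ptr_name(ptr, sizeof ptr);
    printf("checked copy of %zu-byte name accepted: %s\n", strlen(ptr),
           store_name_checked(&r, ptr) ? "yes" : "no (truncated)");
    printf("stored name length: %zu\n", strlen(r.name));
    return 0;
}
```

The return value matters as much as the bound: a report that silently shows a truncated hostname hides the fact that a zone is returning oversized answers, which is itself worth logging.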
The Horde team has announced version 2.2.8 of their IMP Web mail system. This new version fixes problems that could be used in a cross-site scripting attack.
The Horde team recommends that users upgrade to IMP 3. If this is not possible, they recommend that users upgrade to IMP version 2.2.8.
ntop, a utility to show network usage, is remotely vulnerable to a bug
in the logging code that can be exploited to execute arbitrary code
with root permissions.
Users should consider disabling ntop until it has been repaired, and
should use a firewall to restrict which hosts can connect to it.
SuSE has released a new version of the ucd-snmp library that repairs
several bugs. These bugs can be exploited to effect a denial-of-service
attack and may, under some circumstances, be remotely exploitable to
execute arbitrary code. The new snmp library may break some applications
linked against it; SuSE identified tngfw as one such application. SuSE
has also released a new mod_php4 package that requires the new library.
SuSE recommends that users upgrade the ucd-snmp library and block SNMP
access to their systems using a firewall.
Anthill, a Web-based bug tracking application written using PHP, has a vulnerability that can be used by an unauthorized user to bypass the application's account controls and enter data into the system; it is also vulnerable to cross-site scripting attacks.
It is recommended that users configure Web-server-based user or
host-based authentication (for example, with an .htaccess file) in front
of Anthill until it has been fixed.
Red Hat has released new tcpdump, libpcap, and arpwatch packages for
Red Hat Linux 6.2 and 7.x. Changes in these packages include a fix for a
remote root exploit, a fix for a printing problem, and a patch to tcpdump
that causes it to drop root privileges.
Affected users should install these packages as soon as possible.
The INN application is vulnerable to several format-string bugs that
can be exploited by a local attacker to execute arbitrary code with the
permissions of the user account (often news) that the INN binaries are
executing under. This vulnerability is reported to affect version 2.2.3
and earlier of INN. A script has been released that will create a
setuid-news shell on vulnerable systems.
Users should watch their vendor for an updated version of INN. Users
should also consider removing any set user id or group id bits from
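The bug class is worth seeing side by side with its fix. The following is an added illustration written for this column, not INN's code: a logging routine that passes untrusted text as the format string, the same routine with a constant format, and a small audit helper. Output goes to a buffer rather than syslog(3) so the difference is visible; the newsgroup name is constructed, and it uses an escaped percent sign rather than %x or %n because those have undefined behaviour with no matching arguments.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

/* Added illustration, not INN's code: the format-string bug class the
 * advisory describes.  A news server logs text taken from articles and
 * commands (a newsgroup name, a control-message header).  If that text
 * is passed as the *format* argument, '%' directives inside it are
 * interpreted: %x leaks stack contents, %n writes memory.  Output goes
 * to a caller-supplied buffer here so the effect is visible without
 * syslog(3), which has the same contract. */

/* Thin wrapper standing in for syslog/printf-style logging. */
static int emit(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable: the untrusted message *is* the format string. */
int log_event_vulnerable(char *out, size_t outlen, const char *msg)
{
    return emit(out, outlen, msg);
}

/* Fixed: the format is a constant; the message is only ever data. */
int log_event_fixed(char *out, size_t outlen, const char *msg)
{
    return emit(out, outlen, "%s", msg);
}

/* Audit aid: report whether an untrusted string carries a directive,
 * useful when scanning logs for attempts after the fix is deployed. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    /* Constructed newsgroup name with an escaped percent sign. */
    const char *group = "alt.test.100%%";
    char buf[128];

    log_event_vulnerable(buf, sizeof buf, group);
    printf("vulnerable logger wrote: %s\n", buf);   /* alt.test.100% */
    log_event_fixed(buf, sizeof buf, group);
    printf("fixed logger wrote:      %s\n", buf);   /* alt.test.100%% */
    return 0;
}
```

The vulnerable logger has already altered the text by collapsing the escaped percent sign; with a real %n in the input it would be writing to memory instead. The fix costs a three-character format string.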
The libX11 library of Open Unix 8.0.0 and UnixWare 7.1.1 has a buffer
overflow in the code that handles the -xrm option. Any application
linked against this library that accepts the -xrm command-line option is
affected.
Caldera recommends that users upgrade their libX11 library as soon as
possible.
SGI has announced that there are vulnerabilities in the IRIX Mail,
timed, sort, and gzip applications. Mail and timed are vulnerable to a
denial-of-service attack; sort is vulnerable to a temporary-file
symbolic-link attack; and gzip is vulnerable to a buffer overflow. The
vulnerability in timed can be exploited by a remote attacker; the other
vulnerabilities are reported to require a local account.
SGI recommends upgrading to IRIX 6.5.16 when it is made available or applying the patches that are currently available.
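The sort problem is the classic temporary-file race, and the fix is the same on every Unix. The following is an added illustration written for this column, not IRIX sort's code: the unsafe open of a guessable /tmp name for contrast, a safe opener built on mkstemp(3) that unlinks the name immediately, and two checks a practitioner would run on the resulting descriptor. The "sort" tag, the directory fallback order, and the scratch text are ours.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Added illustration, not IRIX sort's code: the temporary-file
 * symbolic-link race the advisory describes, and the usual fix.  A
 * privileged program that opens a predictable /tmp name with O_CREAT but
 * without O_EXCL will follow a symlink an attacker planted under that
 * name, truncating or overwriting the link's target with the program's
 * privileges. */

/* Unsafe pattern: guessable name, link followed.  Shown for contrast;
 * nothing here calls it. */
int open_tmp_unsafe(char *path, size_t pathlen, const char *tag)
{
    snprintf(path, pathlen, "/tmp/%s%ld", tag, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);  /* no O_EXCL */
}

/* Safe pattern: mkstemp picks an unpredictable name and opens it with
 * O_CREAT|O_EXCL and mode 0600, so an existing symlink makes the open
 * fail instead of being followed.  Unlinking immediately leaves only
 * the descriptor, so there is no name left to attack later.  Directory
 * fallback order (TMPDIR, /tmp, current directory) is our choice. */
int open_tmp_safe(const char *tag)
{
    const char *dirs[3];
    char path[4096];
    int i, fd;

    dirs[0] = getenv("TMPDIR");
    dirs[1] = "/tmp";
    dirs[2] = ".";
    for (i = 0; i < 3; i++) {
        if (!dirs[i] || !*dirs[i])
            continue;
        if (snprintf(path, sizeof path, "%s/%s.XXXXXX", dirs[i], tag)
                >= (int)sizeof path)
            continue;
        fd = mkstemp(path);
        if (fd >= 0) {
            unlink(path);
            return fd;
        }
    }
    return -1;
}

/* Returns 1 if the descriptor is a regular file readable and writable
 * only by its owner, which is what the safe path must produce. */
int tmp_is_private_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600;
}

/* Use the descriptor the way sort(1) would use a scratch file: write a
 * run, rewind, read it back.  Returns 1 on an exact round trip. */
int scratch_roundtrip(int fd, const char *text)
{
    char buf[256];
    ssize_t n;
    if (write(fd, text, strlen(text)) != (ssize_t)strlen(text))
        return 0;
    if (lseek(fd, 0, SEEK_SET) < 0)
        return 0;
    n = read(fd, buf, sizeof buf - 1);
    if (n < 0)
        return 0;
    buf[n] = '\0';
    return strcmp(buf, text) == 0;
}

int main(void)
{
    int fd = open_tmp_safe("sort");
    if (fd < 0) {
        perror("open_tmp_safe");
        return 1;
    }
    printf("private regular file: %s\n", tmp_is_private_regular(fd) ? "yes" : "no");
    printf("round trip ok: %s\n", scratch_roundtrip(fd, "b\na\n") ? "yes" : "no");
    close(fd);
    return 0;
}
```

If the program later needs to hand the file to another process by name, keep the name and skip the unlink, but create it inside a directory the program itself created with mode 0700 so nobody else can plant links there.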
Return to the Linux DevCenter.