oreilly.comSafari Books Online.Conferences.


Security Alerts Monkey Trouble

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in Portable OpenSSH, Portable OpenSSH under AIX, ATM on Linux, Qpopper's poppassd, Monkey HTTPd, Red Hat's mod_auth_any, pptpd, EPIC4, HPUX's rexec, and vulnerabilities in Cisco equipment.

Portable OpenSSH

A remote attacker is reported to be able to identify valid user IDs of users of systems running Portable OpenSSH with PAM enabled. This vulnerability is caused by Portable OpenSSH having a delay when an attempt to log in using a valid user ID and an invalid password and having little or no delay when making an attempt to log in using an invalid user ID. This problem is reported to affect Debian GNU/Linux, Red Hat Linux, and Mandrake Linux; it may also affect SuSE Linux, Caldera/SCO Linux, Apple OS-X, and other Linux distributions that use OpenSSH_3.6.1p1 or earlier with PAM support compiled in (--with-pam). A proof-of-concept application has been developed that exploits this vulnerability has been released to the public.

Users should upgrade to OpenSSH 3.6.1p2 or newer.

Related Reading

Practical UNIX and Internet Security
By Simson Garfinkel, Gene Spafford, Alan Schwartz

Portable OpenSSH Under AIX

It has been reported that versions of Portable OpenSSH prior to 3.6.1p2, when compiled under AIX with GCC or other non-IBM compilers, will first look for its shared libraries in its current working directory. The runtime linker under AIX has a flaw in that by default, it will link applications so that they will look for shared (dynamic) libraries in the current directory. Versions of Portable OpenSSH prior to version 3.6.1p2 have code to work around the flaw in the linker, but only if the IBM compiler is selected.

Portable OpenSSH 3.6.1p2 uses the proper compiler flags to work around this problem. One possible work around is to remove the set-user-ID bits from all SSH applications. Removing set-user-ID bits will also remove some functionality from SSH.

ATM on Linux

The experimental code that supports ATM under Linux has a bug that can be exploited by a local attacker to execute arbitrary code with root permissions. Code to automate the exploitation of this bug has been released to the public.

Users should watch for updates to this software.

Qpopper v4.0.x poppassd

poppassd is a daemon provided with Qpopper that provides remote users the ability to change their passwords. A flaw in poppassd is reported to be exploitable by a local user to gain root permissions.

It is recommended that the set-user-ID bit be removed from poppassd until it has been repaired.

Monkey HTTPd

The Monkey web server is vulnerable to a buffer overflow in the code that handles POST requests. This buffer overflow may be exploitable by remote attackers to execute arbitrary code as the user that is running the web server. Monkey HTTPd v0.6.1 is reported to be vulnerable.

It is recommended that users upgrade to Monkey HTTPd version 0.6.2 as soon as possible. Users that are unable to upgrade Monkey HTTPd immediately should consider disabling it until it is upgraded.

Red Hat mod_auth_any

Red Hat has released new mod_auth_any packages for Red Hat Linux 7.2 and 7.3. mod_auth_any is an Apache module that Apache uses to call external applications to verify user passwords. The new mod_auth_any package repairs a problem that could be used by a remote attacker to execute shell commands with the permissions of the user running the web server. In addition, the current version of mod_auth_any is reported to not differentiate between a non-response due to a crash of the called application and a success.

Red Hat recommends that affected users upgrade to the proper errata package as soon as possible.


pptpd, a Virtual Private Networking (VPN) Server, has a buffer overflow that can be exploited by a remote attacker to execute arbitrary code as root. It is reported that an automated script to exploit this buffer overflow has been made available.

Users should watch their vendor for updated packages that fix the buffer overflow. Packages for Debian GNU/Linux have been released.

Also in Security Alerts:

PHP Problems

Ethereal Trouble

KWord Trouble

XFree86 Trouble

MySQL Trouble


EPIC4 (the Enhanced Programmable IRCII Client), a client for Internet Relay Chat, is vulnerable to buffer overflows that can be exploited by a remote server to which the client has connected. The buffer overflows are exploitable as a denial-of-service attack and, under some conditions, may be used to execute arbitrary code on the local machine with the permissions of the user running the client.

Users should watch their vendor for an update to EPIC4 that repairs the buffer overflows and should be careful about to which IRC servers they connect.

HPUX rexec

The rexec command under HPUX B.10.20 has been reported to have a buffer overflow in the code that handles the "-l" command line option.

Users should watch HP for a Security Bulletin and a patch for this problem. Users should consider disabling recex until it has been patched.

Cisco Vulnerabilities

Cisco has announced denial-of-service vulnerabilities in the FTP or Telnet services of certain Cisco equipment. These vulnerabilities were found using the Nessus security scanner. Affected equipment includes: "Cisco ONS15454 Optical Transport Platform, the Cisco ONS15327 Edge Optical Transport Platform, the Cisco ONS15454SDH Multiplexer Platform, and the Cisco ONS15600 Multiservice Switching Platform." The recommended configuration, where the control cards for these machines are connected to a private network that is not connected to the Internet, will prevent the exploitation of these vulnerabilities by outside attackers.

Cisco has released upgraded software fixes for these problems and recommends that affected users upgrade as soon as possible.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to the Linux DevCenter.

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: