LinuxDevCenter.com
oreilly.comSafari Books Online.Conferences.

advertisement


Security Alerts Postfix Attack

by Noel Davis
08/11/2003

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in Postfix, DB2, stunnel, OpenSSH, up2date, eroaster, wget, xfstt, xpcd, pam-pgsql, xtokkaetama, and Half-Life.

Postfix

A denial-of-service attack against Postfix that affects versions 1.1.12 and earlier has been reported. Versions of Postfix earlier than 1.1.9 are only vulnerable if append_dot_mydomain is turned off in the configuration file.

In addition an attacker can use Postfix versions 1.1.11 and earlier as a platform to launch denial-of-service attacks against other hosts or to scan and probe inside of a firewall.

Wietse Venema recommends that users of Postfix 1.1.9 through 1.1.12 should upgrade to 1.1.13 or apply an available patch, and users of versions of Postfix 1.1.9 and earlier who must use append_dot_mydomain=no should upgrade to a repaired version, or apply the available patch (which is reported to work with versions of Postfix newer than 19991231).

DB2

The db2job utility that is supplied with DB2 7.1 is reported to not properly drop its root permissions before creating its log files. This can be exploited with a symbolic-link-based attack by an attacker with permission to execute db2job. In a default installation, only the DB2-created accounts have permission to execute db2job. A script to automate the exploitation of this problem has been released to the public.

Concerned users should contact IBM for solutions or workarounds for this problem.

Related Reading

Linux Security Cookbook
By Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes

stunnel

stunnel, an application that allows the encryption of arbitrary TCP traffic with SSL, is reported to be vulnerable to a denial-of-service attack. This condition is exploited by the early termination of child processes. The denial-of-service vulnerability is reported to affect versions 3.25 and 4.04 of stunnel.

It is recommend that stunnel be upgraded and that users of systems that have stunnel installed but not in use consider removing it.

OpenSSH

It has been reported that OpenSSH version 3.6.1p1 and earlier running under Linux with PAM enabled can be exploited to gain information about valid user accounts on the system. When an invalid user attempts to log in, the vulnerable versions of OpenSSH return an error message immediately, but when a valid user logs in with an invalid password, there is a delay before the error message is returned.

It is recommended that users upgrade the latest stable release of OpenSSH.

up2date

Red Hat Linux's up2date utility is used to connect to the Red Hat Network and download and install updated packages. Versions 3.0.7 and 3.1.23 of up2date do not properly validate the RPM GPG signatures of packages before installing them.

Red Hat believes that the threat from this problem is low, due to the requirement that an attacker crack the Red Hat Network servers to place their own packages for download and installation. Red Hat, however, still recommends that users upgrade their up2date package to a repaired version.

eroaster

eroaster is a GUI front end to the cdrecord command used to burn CDROMs. eroaster is vulnerable to a temporary file symbolic-link race condition attack that can be exploited by a local attacker to overwrite files on the system with the permissions of the user running eroaster.

Affected users should watch their vendor for an updated package. Debian has released a repaired package.

wget

The command-line web and FTP retrieval tool wget is reported to be vulnerable to a buffer overflow in the URL code.

Users should upgrade to a repaired version as soon as possible.

xfstt

xfstt, a TrueType font server for the X Window system, is vulnerable to several remotely exploitable buffer overflows that can be used in a denial-of-service attack or to execute arbitrary code with the permissions the server is running under, often the user nobody. Another problem in xfstt can be used by a remote attacker to read portions of xfstt's memory.

Affected users should watch their vendor for an updated version of xfstt.

Also in Security Alerts:

PHP Problems

Ethereal Trouble

KWord Trouble

XFree86 Trouble

MySQL Trouble

xpcd

xpcd, an X11 program for reading PhotoCD images, has a buffer overflow in the code that handles the home environmental variable, which may be exploitable to execute code with root permissions.

Users should watch their vendor for a repaired version and should consider removing any set user or group id bits from the application until it has been repaired and is being used.

pam-pgsql

pam-pgsql is vulnerable to a format-string-based attack that may be used by a remote attacker to execute arbitrary code with the permissions of the user under which the application calling pam-pgsql is running.

Users should watch their vendor for updated packages.

xtokkaetama

The game xtokkaetama is a Tetris-like game that supports up to two players. xtokkaetama is vulnerable to a buffer overflow when a long enough string is used as the -nickname command-line option. This buffer overflow can be exploited by a local attacker to gain the permissions of the games group.

Debian has released a repaired version of the game. Users of other systems should watch their vendors for an update.

Half-Life

The game Half-Life is vulnerable to a denial-of-service attack that can also be leveraged into a root shell on the server running Half-Life (when the server is running as root). A script has been released that automates the exploitation of this problem.

It is recommended that Half-Life be executed using an unprivileged user and that the server be protected from unauthorized connections by using a firewall.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


Read more Security Alerts columns.

Return to the Linux DevCenter.




Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!


Linux Resources
  • Linux Online
  • The Linux FAQ
  • linux.java.net
  • Linux Kernel Archives
  • Kernel Traffic
  • DistroWatch.com


  • Sponsored by: