Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at buffer overflows in
gzip, Oracle 9iAS, snmpnetstat, SAS Job Spawner, and Imlib2; format-string bugs in NQS (Network Queuing System) and pfinger; problems in
OpenBSD's lpd, DCForum, Shell Here-Document Processing, IPRoute, Magic
Enterprise Edition, Namazu, and tac_plus version F4.0.4.alpha; and a
trojan back door and other surprises in AIM Filter.
The gzip file compression utility has a buffer overflow and will crash
if its input file name is longer than 1020 characters. It is reported
that the buffer overflow can be exploited if gzip is being executed on
a server (the example given is an FTP server).
This problem has been fixed in the latest gzip beta and a patch has
been made available. Affected users should update their version of gzip as soon
as possible.
NQS (Network Queuing System) is a job control and batch processing
system. It has a format-string bug that can be exploited to execute
arbitrary commands as root by any local user who can submit a job
with qsub.
Users should watch Cray for an update to the Network Queuing System.
The line printer daemon lpd, distributed with OpenBSD, has a
vulnerability that under some conditions can be used to create files
in the root directory. The exploit can only be carried out by an attacker
who has root on a machine listed in the /etc/hosts.lpd or
/etc/hosts.equiv files. It should also be noted that the default
installation of OpenBSD does not start the line printer daemon.
Patches have been released to fix this vulnerability for OpenBSD 2.8, 2.9, and 3.0.
DCForum, a Web-based forum system, has a vulnerability that can be used by a remote attacker to access any account in the forum. The vulnerability is caused by DCForum using the first six characters of the user's session ID, which is stored in a cookie, as the password.
The author of DCForum has released a patch for this vulnerability and it is recommended that all users apply the patch as soon as possible.
Caldera has released an updated patch to fix a set of security problems in OpenServer's shell here-document processing. The earlier patch is reported to have problems that result in a "variety of unusual behaviors." These problems affect OpenServer version 5.0.6a and earlier.
Caldera recommends that users apply the new patches as soon as possible and does not suggest a workaround.
IPRoute, a PC-based IP router, is vulnerable to a denial-of-service attack using tiny fragmented packets. An attack will lock up the machine and require that the system be restarted to regain functionality.
Users should watch for an update to IPRoute.
Several vulnerabilities have been discovered in Magic Enterprise Edition that can be exploited by a local attacker to execute arbitrary commands with the permissions of the user executing the Web server. There are also other vulnerabilities that can be used to overwrite files and corrupt memory.
Users should watch for a repair for these problems.
pfinger, a finger daemon written in C, has a format-string
vulnerability in both the client and the server that can be used
by an attacker to execute arbitrary code with the permissions of the
user nobody.
It is recommended that users upgrade to version 0.7.8 or newer of
pfinger.
The Oracle PL/SQL Apache Module supplied with Oracle 9iAS has a buffer overflow that can be exploited to execute code with the permissions of the user executing Apache.
Users should apply the patch available from Oracle.
The snmpnetstat tool released as part of the ucd-snmp package has a
buffer overflow that can be exploited remotely to execute arbitrary
code with, in many cases, root permissions.
It is recommended that users watch their vendors for an update and
consider not using snmpnetstat until it has been repaired.
Namazu, a full-text search engine, has vulnerabilities that can be exploited by an attacker to insert scripts and HTML tags into dynamically generated pages, and it has a buffer overflow in its handling of an environment variable.
Users of Namazu should upgrade to version 2.0.10 or newer as soon as possible.
tac_plus version F4.0.4.alpha is an example TACACS+ daemon. It
creates its accounting files with unsafe permissions and is vulnerable
to a symbolic-link race condition if its accounting files are written
into a directory in which the attacker can create symbolic links.
It is reported that a patched and supported TACACS+ application is
available from http://www.gazi.edu.tr/tacacs.
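As an added illustration of the file-creation bug class behind the tac_plus advisory (this is example code, not from the column or from tac_plus itself), the naive open pattern is shown beside a hardened one and exercised in a constructed temp-directory scenario; the function names are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: open the accounting log by name,
 * following whatever that name points at, with a permissive create mode.
 * A symlink planted at this path beforehand redirects the write. */
int naive_open_acct(const char *path)
{
    return open(path, O_WRONLY | O_APPEND | O_CREAT, 0666);
}

/* Hardened form: refuse a symlink at the final component, create the file
 * owner-only, then verify the descriptor really is a regular file we own. */
int safe_open_acct(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario in a fresh temp dir: "acct.log" is a symlink to
 * "victim". Returns 1 when the naive open follows the link and the
 * hardened open refuses it (open fails with ELOOP), 0 otherwise. */
int demo(void)
{
    char dir[] = "/tmp/acctdemo.XXXXXX", link[64], target[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(link, sizeof link, "%s/acct.log", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    int t = open(target, O_WRONLY | O_CREAT, 0644);
    if (t < 0 || symlink(target, link) < 0) return 0;
    close(t);
    int nfd = naive_open_acct(link);
    int sfd = safe_open_acct(link);
    int result = nfd >= 0 && sfd < 0 && errno == ELOOP;
    if (nfd >= 0) close(nfd);
    unlink(link); unlink(target); rmdir(dir);
    return result;
}
```

The same O_NOFOLLOW plus fstat check is what a daemon should apply to any log it writes into a directory other users can modify.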
It has been reported that sastcpd, the SAS Job Spawner, has
vulnerabilities (that include buffer overflows and format-string
vulnerabilities) that can be exploited to gain root.
These vulnerabilities are reported to be fixed in version 8.2.
The library Imlib2 has a buffer overflow that can be exploited using the setgid application Eterm to gain additional privileges. Under some circumstances, it may be possible for an attacker to leverage these additional privileges into root access on the machine.
It is recommended that users upgrade to Imlib2 1.0.5 or newer or watch their vendor for an updated version.
Robbie Saunders' AIM Filter was announced as being a temporary solution to protecting AIM users from buffer overflow attacks. It has now been reported that, in fact, AIM Filter also had code for a back door, cash-based click-throughs, and can launch Web browsers that load porn sites. This is a good reminder to be sure of the author of your applications and a good example of how open source code can (eventually at least) protect users of software from this type of problem.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.