Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at a security
vulnerability in LIDS; buffer overflows in CUPS, jgroff, Sun Solstice
Enterprise Master Agent, and Ettercap; and problems in Sawmill,
Faq-O-Matic, pforum, GNAT, Taylor UUCP, and IRIX O2 Video.
LIDS is a Linux kernel patch and admin tool that enhances Linux kernel
security and provides a reference monitor and Mandatory Access Control
in the kernel. There are several vulnerabilities in LIDS that can be
exploited by a local attacker to execute arbitrary commands with root
permissions and bypass or disable LIDS. These vulnerabilities include
problems with the LD_PRELOAD environment variable, writing directly to
/dev/kmem, and a race condition in applications that are launched
prior to LIDS being sealed.
The LIDS team recommends that users upgrade to
lids-1.1.1pre2-2.4.16.tar.gz for 2.4-series kernel users and that 2.2
kernel users apply the patch
LIDS-security-patch-0.10.1-2.2.20.diff.gz.
Sawmill, a Web server log file analysis and report generator, has a vulnerability that can be exploited by a local attacker to overwrite the Sawmill password file, replacing the Sawmill password with an arbitrary password. When Sawmill is executed and the user enters the initial password, the password file is created with world-writable permissions. Because the file holds only an MD5 hash of the password, an attacker can simply write in the hash of a password of their own choosing.
It is recommended that users upgrade to Sawmill version 6.2.15 and
change the permissions of the AdminPassword file to 600.
CUPS, the Common Unix Printing System, has a potentially exploitable buffer overflow in the code that handles the names of attributes. It has been reported that this buffer overflow affects all versions of CUPS earlier than version 1.1.14.
Users should upgrade CUPS to version 1.1.14 or newer as soon as possible, and if the printing system is not needed, they should consider removing it or turning it off.
The Faq-O-Matic Frequently Asked Question manager is vulnerable to a cross-site scripting attack that can be used by an attacker to run JavaScript in other users' browsers. This vulnerability can be used to steal cookies from the Faq-O-Matic administrator or one of the moderators.
It is recommended that users watch their vendor for an update to repair this problem or download the latest stable version from the Faq-O-Matic Web site.
jgroff is a version of the groff document-formatting system that has
been modified to support the Japanese character set. It has a buffer
overflow that may be exploitable to execute arbitrary code with the
permissions of the printing system.
Affected users should upgrade to a repaired version as soon as
possible or replace jgroff with a version of groff that supports Japanese
character sets.
pforum, a Web-based bulletin board system written using PHP and MySQL, does not properly check all user input under some circumstances. This
problem can be exploited, if the Web server does not have Magic-Quotes
enabled, to log in to pforum as the administrator or another user.
Users should ensure that the Web server that pforum is installed on
has Magic-Quotes enabled in the php.ini file. It has been reported
that there is a patch available for those users who do not have the
ability to change the php.ini file on their Web server.
A buffer overflow in the Sun Solstice Enterprise Master Agent snmpdx
may be exploitable by a remote attacker to execute arbitrary code with
root permissions.
Affected users should obtain and apply the appropriate patch for their system. Patches have been released by Sun for Solaris (X86 and Sparc versions) 2.6, 7, and 8.
Executables created with GNAT (the GNU Ada compiler) that use the facility to create named temporary files are vulnerable to temporary-file symbolic-link race condition attacks by a local attacker. Versions 3.12p, 3.13po, and 3.14p are known to be affected.
Users should watch for an update that repairs this vulnerability.
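To illustrate the temporary-file symlink race the GNAT advisory describes, here is an added C example (not from the column or from GNAT) contrasting an open() that follows a planted symlink with one that uses O_EXCL|O_NOFOLLOW and refuses it; the directory and file names are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe: a predictable name opened with O_CREAT but no O_EXCL. If an
 * attacker has planted a symlink there first, open() follows it and
 * O_TRUNC clobbers whatever the link points at. */
static int open_temp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Safe: O_EXCL makes create-or-fail atomic and, per POSIX, fails on a
 * symlink wherever it points; O_NOFOLLOW is a second guard. mkstemp(3)
 * wraps exactly this and is what new code should call. */
static int open_temp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private directory: a "victim" file plus a
 * symlink planted at the predictable temp name. Returns 1 when the safe
 * open refused the link and the unsafe open silently emptied victim. */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/tmprace-XXXXXX", victim[64], tmpname[64];
    struct stat st;
    int fd, safe_refused, victim_truncated;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmpname, sizeof tmpname, "%s/app.tmp", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "keep me\n", 8) != 8) return -1;
    close(fd);
    if (symlink(victim, tmpname) != 0) return -1;   /* the planted link */

    fd = open_temp_safe(tmpname);                    /* expect EEXIST */
    safe_refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0) close(fd);
    fd = open_temp_unsafe(tmpname);                  /* follows the link */
    victim_truncated = (fd >= 0 && stat(victim, &st) == 0 && st.st_size == 0);
    if (fd >= 0) close(fd);
    unlink(tmpname); unlink(victim); rmdir(dir);
    return safe_refused && victim_truncated;
}
```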
A flaw in Taylor UUCP can be used by an attacker to write arbitrary files to any location to which UUCP can write. On some systems, this may be usable to gain root access.
It is recommended that users watch for a patch or an upgrade to repair this flaw, and that if the UUCP system is not needed, it be removed or disabled.
The Ettercap network sniffer package has a bug that, under some conditions, can be exploited by a remote attacker to execute arbitrary code with root permissions. An exploit script has been created that will allow a remote root login if Ettercap is listening on an interface with an MTU larger than 2000. On interfaces with MTUs smaller than 2000, Ettercap can be crashed with a carefully crafted packet.
Users should not use Ettercap to listen on an interface with an MTU that is set to 2000 or larger until they have upgraded Ettercap to a repaired version.
On all SGI O2 systems, a remote attacker can view the system's screen, even
if the xhosts or xauth configuration would normally provide
protection. If the vcp default input is configured to "Output Video,"
the remote attacker can execute videoout and videoin and will see the
screen.
SGI recommends that all affected users watch for a patch and add the following to /var/X11/xdm/Xstartup:
#
# Set the permissions of /dev/mvp so only
# the console user has access
#
if [ -r /dev/mvp ]; then
    chown "$USER" /dev/mvp
    chmod 600 /dev/mvp
fi
and add the following to /var/X11/xdm/Xreset:
#
# Reset the permissions on /dev/mvp
#
if [ -r /dev/mvp ]; then
    chown root /dev/mvp
    chmod 666 /dev/mvp
fi
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.