Apache Vulnerabilities
Welcome to Security Alerts, an overview of recent Unix and open source security advisories.
In this column, we look at buffer overflows in
Apache, fetchmail, Heimdal, logsurfer, ghostview, kghostview, and WN Server; and problems in unzip, tar, gv, SMRSH, and rogue.
Several remotely-exploitable vulnerabilities in the Apache Web server have been reported. The reported vulnerabilities are:
A problem in the shared memory scoreboard that can be exploited to send a signal as root to any process running on the system, causing a denial of service. Any user who can execute code with the permissions of the user id running Apache can exploit this vulnerability. This includes users who can execute CGI applications and remote attackers that can exploit bugs in CGI applications to execute code.
On systems that allow wildcard DNS lookups and have UseCanonicalName
set to off, Apache is vulnerable to a cross-site scripting attack
on the default 404 page. This attack can be used to execute code in
the viewer's Web browser.
There are buffer overflows in ApacheBench which may be exploitable as part of a denial-of-service attack and may, under some conditions, be used to execute code with the permissions of the user running ApacheBench.
It is highly recommended that users upgrade to version 1.3.27 of Apache as soon as possible.
fetchmail
The mail application fetchmail is vulnerable to several buffer
overflows. One buffer overflow, in the code that parses the
"Received" portion of the header of an incoming email message, can be
exploited to execute code with the permissions of the user running
fetchmail (root, in some cases).
Users should upgrade fetchmail to version 6.1.0 as soon as possible,
and should consider disabling it until this has been done.
unzip and tar
unzip and tar are vulnerable to directory traversal problems that can
be used by an attacker to overwrite arbitrary files. An attacker can
place files that contain ".." in their path into a .tar file, and files
that start with a "/" in their path into a .zip file. unzip version
5.42 and GNU tar version 1.13.25 are reported to be vulnerable.
It is recommended that users upgrade to repaired versions of tar and
unzip as soon as possible. Red Hat has released updated packages for
unzip and tar. Users can also list the contents of a .zip file using
unzip -l filename and a .tar file using tar -tf filename prior to
extracting the files.
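The manual check recommended above (listing an archive before extracting it) can be automated. The following is an added example, not code from the column or from the unzip/tar projects: it builds two small constructed archives, one .tar with a ".." member and one .zip with a "/"-prefixed member, and flags the members that could escape the extraction directory.

```python
"""Added example: flag path-traversal members in .tar and .zip archives
before extraction (the automated form of `unzip -l` / `tar -tf`)."""
import io
import tarfile
import zipfile


def is_unsafe_path(name: str) -> bool:
    """True if a member name could land outside the extraction directory.

    Flags absolute names (the .zip case described in the column) and any
    ".." component (the .tar case). Backslashes are treated as separators
    so a Windows-style name cannot slip past the check.
    """
    if name.startswith(("/", "\\")):
        return True
    return ".." in name.replace("\\", "/").split("/")


def unsafe_members(archive: bytes) -> list:
    """Return the member names of a .zip or .tar (any compression) that
    fail is_unsafe_path. Nothing is extracted; only the directory is read."""
    buf = io.BytesIO(archive)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            names = zf.namelist()
    else:
        buf.seek(0)
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            names = tf.getnames()
    return [n for n in names if is_unsafe_path(n)]


def build_samples() -> dict:
    """Constructed sample archives: one benign and one traversal member each."""
    data = b"constructed sample content\n"
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        for name in ("docs/readme.txt", "../../home/user/.bashrc"):
            info = tarfile.TarInfo(name=name)  # name written as-is, unsanitised
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("docs/readme.txt", data)
        zf.writestr("/etc/passwd", data)  # absolute member name
    return {"tar": tar_buf.getvalue(), "zip": zip_buf.getvalue()}


if __name__ == "__main__":
    for kind, blob in build_samples().items():
        print(kind, "unsafe members:", unsafe_members(blob))
```

Recent Python releases also ship tarfile extraction filters (`filter="data"`) that reject such members at extraction time; the check above still lets you refuse an archive before touching the filesystem.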
gv
The gv PDF and Postscript viewer can be exploited using a file with a
carefully-crafted file name, causing gv to execute arbitrary shell
commands with the permissions of the user using gv.
Users should watch their vendor for an update that repairs this
problem and should consider disabling gv until it has been repaired.
An update is reported to be available for Gentoo Linux.
SMRSH
SMRSH, a restricted shell from the Sendmail Consortium, is reported to
be vulnerable to two attacks that can be used to bypass the shell
restrictions and execute commands on the system. An attacker must
have the ability to modify their .forward file before being able to
conduct these attacks.
The Sendmail Consortium has released a patch to SMRSH that protects
against these attacks and recommends that all affected users update
SMRSH.
Heimdal
Heimdal is a Kerberos 4 and 5 implementation. Multiple buffer overflows and other security problems have been found in Heimdal that can be exploited to obtain root access and execute arbitrary code.
It is recommended that affected users upgrade to a repaired version as soon as possible. SuSE has released updated packages that repair this problem.
logsurfer
The utility logsurfer is used to watch logfiles in real time and
perform actions based on a set of rules. logsurfer is vulnerable to a
buffer overflow and a problem with an uninitialized buffer.
logsurfer is only vulnerable to the buffer overflow when the pipe
action is used. The buffer overflow can be used in a denial-of-service attack against logsurfer, or possibly be exploitable to execute
arbitrary code as the user running logsurfer. The uninitialized
buffer can cause a line of data in the buffer to be read in as a
configuration statement.
Users should upgrade to version 1.5b of logsurfer.
ghostview and kghostview
It has been reported that ghostview and kghostview are vulnerable to
multiple buffer overflows that can be exploited using a carefully-crafted file. This will cause arbitrary code to be executed with the
permissions of the user viewing the file.
Affected users should watch their vendor for an update.
WN Server
The WN Web server is vulnerable to a buffer overflow in the code that
parses the GET request. This buffer overflow can be exploited by a
remote attacker to execute arbitrary code with the permissions of the
user running WN. Versions 1.18.2 through 2.0.0 of WN are reported to
be vulnerable.
It is recommended that users upgrade to WN Server 2.4.4 as soon as possible.
rogue and dm
The rogue game is a fantasy computer game. dm is a set-group-id games utility that is used to wrap the execution of games. When rogue is
started using dm, it does not drop the games group id and can be
manipulated into giving the attacker games group permissions. A
script to automate the exploitation of this problem has been
released.
Affected users should disable the running of rogue by dm by editing
/etc/dm.conf until rogue is modified to drop the group permissions.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.