Abuse Attack
Welcome to Security Alerts, an overview of recent Unix and open source security advisories.
In this column, we look at buffer overflows in
Abuse, log2mail, kadmind, Heimdal, ypserv, and trek; and problems in PHP-Nuke, lprng, pam_ldap, uudecode, and bzip2.
The Abuse video game is vulnerable to a buffer overflow that can be
used by a local attacker to execute arbitrary code. If Abuse is
installed set user id or set group id, this buffer overflow can be used
to gain additional privileges. In addition, Abuse can be made to
execute arbitrary Lisp script files that can launch other processes or
modify files. According to the author, "Abuse has a number of other
vulnerabilities and should never be installed on a multi-user system
where security is a concern." Debian Linux is reported to install
Abuse set user id root.
Users with Abuse installed on their system should consider removing it
from the system or, at a minimum, removing any set user id or set group id bits from the Abuse binary.
log2mail
log2mail is a utility that watches a log file and emails any lines that
match configured patterns. It is normally run as root and is started
at system startup. log2mail is vulnerable to a remote attack using a
carefully-crafted log message to overflow a buffer and execute
arbitrary code.
Affected users should upgrade to a repaired version as soon as possible.
PHP-Nuke
PHP-Nuke is vulnerable to a SQL injection-style attack exploitable by any registered user. This attack can be used to modify the user database table and can be used in a denial-of-service attack or to gain additional permissions by changing arbitrary users' passwords.
Users should upgrade to version 6.0 or newer of PHP-Nuke as soon as possible.
lprng
The utility runlpr distributed with the lprng package is used to
execute the lpr command with root permissions. It can be manipulated
into executing arbitrary commands as root, but it can only be executed by
the lp user.
The html2ps print filter also distributed with the lprng package has a
vulnerability that can be used by a remote attacker to execute
arbitrary commands with the permissions of the lp user.
The combination of these two vulnerabilities can be used by a remote attacker to execute commands with the permissions of the root user.
It is recommended that users upgrade lprng to a repaired version as soon
as possible. A workaround for this vulnerability is to uninstall the
html2ps print filter and restrict access to the printer to authorized
hosts using the /etc/lpd.perms file.
pam_ldap
It has been reported that pam_ldap is vulnerable to a format-string attack that can be used to execute code with additional
permissions. Versions 143 and earlier are reported to be
vulnerable.
Users should watch their vendor for an updated package that
contains pam_ldap version 144 or newer. Gentoo Linux has released a
repaired package.
kadmind
There is a buffer overflow in the Kerberos v4 administration server
kadmind that may be exploitable to gain root permissions. It has
been reported that a script to automate the exploitation of this
vulnerability is available.
Heimdal, a free replacement for Kerberos, is also vulnerable to this
buffer overflow and, in addition, is reported to be vulnerable to a
buffer overflow in the roken library.
Affected users should upgrade Kerberos or Heimdal to a repaired version as soon as possible. Users should also consider protecting the administration server using a tool such as a firewall.
uudecode
uudecode is reported to be vulnerable to a symbolic-link race
condition that can be used, under some conditions, by an attacker to
overwrite files with the permissions of the user executing uudecode.
This vulnerability is reported to affect the uudecode that is supplied
as part of the GNU Sharutils package. It is not known if other
versions of uudecode are also affected.
It is recommended that users watch their vendor for an updated package
that repairs this vulnerability and that users avoid using uudecode
while in a world- or group-writable directory (such as /tmp).
bzip2
bzip2 has several problems that can lead to files being overwritten or
data being disclosed. bzip2 does not warn a user if a file will be
overwritten when a file is uncompressed. When bzip2 uncompresses a
file, it creates the new file with world-readable permissions,
uncompresses the data, and then changes the file's permissions to the
correct state. This creates a race condition in which a local user
may read the data as it is being uncompressed. When bzip2 is used to
compress a file using a symbolic link to that file, the symbolic link's
permissions are used instead of those of the original file, possibly resulting
in the wrong permissions being used on the created archive.
When uncompressing a file with bzip2, care should be taken that other
files are not replaced, and file permissions of new archives should be
verified.
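The three bzip2 problems above (silent overwrite, a world-readable window before the final chmod, and permissions taken from a symbolic link rather than its target) all come down to how the output file is created. The following is an added example, not bzip2's own code, of creating the output the safe way: the source's real mode is read through an opened descriptor, and the output is created with O_EXCL and its final mode in a single open() call. The same O_CREAT|O_EXCL pattern also refuses to follow a pre-planted symbolic link, which is the class of race described in the uudecode item. The demo file names under /tmp are constructed for the self-check.

```c
/* Constructed example (not bzip2's code): create a decompression output
 * file without the three issues described in the bzip2 advisory. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Open out_path for writing, copying the permission bits of the file that
 * src_path actually refers to. Returns a descriptor or -1 with errno set. */
int open_output_safely(const char *src_path, const char *out_path)
{
    struct stat st;
    /* fstat on an opened descriptor reports the real file's mode even when
     * src_path is a symbolic link; lstat would report the link's own bits. */
    int src = open(src_path, O_RDONLY);
    if (src < 0 || fstat(src, &st) < 0) { if (src >= 0) close(src); return -1; }
    close(src);
    mode_t mode = st.st_mode & 0777;
    /* O_EXCL refuses to clobber an existing file (or follow a symlink) instead
     * of silently overwriting, and the mode is applied at creation time, so
     * there is never a window in which the output is more open than the source. */
    int out = open(out_path, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (out < 0) return -1;
    /* apply the source's exact bits even if the umask masked some of them */
    if (fchmod(out, mode) < 0) { close(out); unlink(out_path); return -1; }
    return out;
}
/* Self-check: returns 0 when both properties hold. Uses a constructed
 * source file (mode 0640) and a symbolic link to it under /tmp. */
int run_demo(void)
{
    char src[] = "/tmp/bzdemo_src_XXXXXX", link[64], out[64];
    int fd = mkstemp(src);
    if (fd < 0 || fchmod(fd, 0640) < 0) return 1;
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", src);
    snprintf(out, sizeof out, "%s.out", src);
    unlink(link); unlink(out);
    if (symlink(src, link) < 0) return 2;
    int rc = 3; struct stat st;
    int o = open_output_safely(link, out);   /* go through the symlink */
    if (o >= 0 && fstat(o, &st) == 0 && (st.st_mode & 0777) == 0640) {
        close(o);
        /* a second attempt must fail rather than overwrite the output */
        rc = (open_output_safely(link, out) < 0 && errno == EEXIST) ? 0 : 4;
    }
    unlink(out); unlink(link); unlink(src);
    return rc;
}
```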
ypserv
ypserv, distributed with Network Information Services packages, has a
memory leak bug that can expose data when a user requests an invalid
map.
Users should watch their vendor for an update to ypserv. Updated
packages have been released for Gentoo Linux.
trek
The game trek is vulnerable to a buffer overflow if a user enters more
than 100 characters. Under some conditions, this buffer overflow could
be used to gain the permissions of the game user id.
If trek is not in use, users should consider removing it from the
system; otherwise, they should watch their vendor for an update.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.