Linux Kernel Root Hole

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a root hole in the Linux kernel; buffer overflows in Samba, qpopper, ircii, Mutt, DeleGate, SuSE's lprold, and Ethereal; and problems in OpenSSL, MySQL, man, tcpdump, and Red Hat's rxvt.

Linux kernel

Linux 2.2 and 2.4 kernels have a bug in ptrace that can be exploited by a local attacker to execute code with root permissions. The Linux 2.5 kernels are not reported to be affected.

Linux 2.2.x kernel users should upgrade to Linux 2.2.25 as soon as possible. Linux 2.4.x users should apply the patch that has been released or should watch their vendor for an updated kernel package.
Samba

A Samba server daemon provides SMB network services to clients using NetBIOS on a TCP/IP network. Several buffer overflows and a chown race condition have been found in the Samba server. One of the buffer overflows can be exploited by a remote attacker to execute code with root permissions.

Users should watch their vendor for updated packages. If a system has Samba installed but it is not being used, users should consider removing it.
OpenSSL

Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa have demonstrated an attack against OpenSSL that can be exploited to use the server's private key in an operation on ciphertext of the attacker's choice. This attack does not compromise the server's RSA key. The vulnerability is reported to affect OpenSSL releases through 0.9.6i and 0.9.7a.

The OpenSSL Project has released a patch that protects against this attack. Users should apply this patch or watch their vendor for updated OpenSSL packages.
MySQL

The SQL database MySQL is vulnerable to a remote root exploit and several other security-related problems.

Users should upgrade to version 3.23.56 of MySQL.
qpopper

The POP email server qpopper is vulnerable to a buffer overflow that can be exploited, by a remote attacker who has the ability to authenticate with qpopper, to execute arbitrary code with the permissions of a user and the group permissions of the mail group.

It is recommended that affected users upgrade to qpopper version 4.0.5. If qpopper is not being used on the system, users should consider removing or disabling it.
man

The man page reader man has a bug that, under some conditions, can cause a user to execute an application named unsafe. If the man program encounters an unsafe string in a man page, it returns the string "unsafe." The string "unsafe" is then passed to a system() call. If an executable named unsafe is in the user's path, it will then be executed.

While many conditions have to be met before this vulnerability can become a problem, it is still a good idea to upgrade to man 1.5l. One possible workaround for this vulnerability is to link /bin/unsafe to something safe, such as /bin/true.
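The pattern behind this bug, an error sentinel returned as a plain string and then handed to system() unchecked, is shown below in a constructed C illustration added for this column; it is not code from man itself, and the helper expand_pager_path() and the rejected-character set are assumptions for the sake of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper standing in for man's path expansion: it signals
 * rejection of shell metacharacters by returning the literal string
 * "unsafe" instead of a distinct error code. (Constructed example.) */
static const char *expand_pager_path(const char *pager)
{
    if (strpbrk(pager, ";|&`$()<>") != NULL)
        return "unsafe";
    return pager;
}

/* Vulnerable pattern: the sentinel is never tested, so on rejection the
 * command line built here is just the word "unsafe". Passing it to
 * system() would make the shell search $PATH for a program of that
 * name, which is exactly the behaviour the advisory describes. */
int build_command_vulnerable(const char *pager, char *out, size_t n)
{
    const char *cmd = expand_pager_path(pager);
    return snprintf(out, n, "%s", cmd); /* caller then calls system(out) */
}

/* Hardened pattern: recognise the sentinel before any command string
 * exists and refuse, so nothing reaches system() on the error path. */
int build_command_hardened(const char *pager, char *out, size_t n)
{
    const char *cmd = expand_pager_path(pager);
    if (strcmp(cmd, "unsafe") == 0) {
        if (n > 0)
            out[0] = '\0';
        return -1; /* caller must treat this as "do not run anything" */
    }
    return snprintf(out, n, "%s", cmd);
}
```

The broader lesson is that an error indicator sharing the type of the data it replaces is easy to forward by mistake; a distinct return code, or avoiding system() in favour of an exec-style call with a fixed argument vector, removes the path-lookup surprise entirely.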
ircii

The IRC client ircii is reported to be vulnerable to several buffer overflows that can be exploited remotely, under some circumstances. These buffer overflows can only be exploited by an attacker who controls an IRC server to which the client has connected. Other users of IRC are not reported to be able to exploit these vulnerabilities.

Affected users should upgrade to ircii-20030313. It is also recommended that care be taken in choosing which servers are connected to with the /server command.
Mutt

Mutt, a small text-based email client, contains a buffer overflow in the code that handles IMAP connections.

Affected users should upgrade to version 1.4.1 of Mutt as soon as possible.
DeleGate

DeleGate is an application-level proxy server that runs under Unix, Windows, MacOS X, and OS/2. DeleGate contains a buffer overflow that can be exploited by a remote attacker using a carefully crafted and unusually large robots.txt file. Exploiting this vulnerability can result in the execution of arbitrary code with the permissions of the user running DeleGate.

It is recommended that users upgrade to DeleGate version 8.5.0 as soon as possible.
lprold

The SuSE package lprold, which shipped as the default printing system for SuSE Linux until SuSE 7.3, contains the lprm command, which is vulnerable to a buffer overflow that can be exploited by a local attacker to execute arbitrary code with root permissions.

SuSE recommends that users upgrade to the appropriate package. If the printing system is not in use, users should consider removing it.
tcpdump

The network sniffer tcpdump may be vulnerable to a remote attack due to a bug in the code that handles NFS packets.

Users of tcpdump should watch for more information on this vulnerability and should consider not using tcpdump on an untrusted network until it has been resolved. A tool such as a firewall could be used to screen NFS packets from external sources.
Ethereal

The Ethereal network sniffer is vulnerable to a format-string bug in the code that handles SOCKS and a buffer overflow in the code that handles NTLMSSP. Both of these vulnerabilities may be exploitable by a remote attacker through a carefully crafted network packet to execute arbitrary code on the server.

Users should watch their vendor for updated packages.
rxvt

Red Hat has released a new version of the rxvt color VT102 terminal emulator. The new version repairs several problems in the escape-sequence handling of the terminal emulator.

Red Hat recommends that all users upgrade to this new version. Updated packages have been released for Red Hat Linux 6.2 through 7.3.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.