Postfix Attack
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in Postfix, DB2, stunnel, OpenSSH, up2date, eroaster, wget, xfstt, xpcd, pam-pgsql, xtokkaetama, and Half-Life.
A denial-of-service attack against Postfix that affects versions
1.1.12 and earlier has been reported. Versions of Postfix earlier
than 1.1.9 are only vulnerable if append_dot_mydomain is turned off in
the configuration file.
In addition, an attacker can use Postfix versions 1.1.11 and earlier as a platform to launch denial-of-service attacks against other hosts, or to scan and probe hosts inside a firewall.
Wietse Venema recommends that users of Postfix 1.1.9
through 1.1.12 upgrade to 1.1.13 or apply the available patch, and
that users of Postfix 1.1.9 and earlier who must run with
append_dot_mydomain=no upgrade to a repaired version or apply
the available patch (which is reported to work with versions of Postfix
newer than 19991231).
The db2job utility that is supplied with DB2 7.1 is reported to not
properly drop its root permissions before creating its log files.
This can be exploited with a symbolic-link-based attack by an attacker
with permission to execute db2job. In a default installation, only the
DB2-created accounts have permission to execute db2job. A script to
automate the exploitation of this problem has been released to the
public.
Concerned users should contact IBM for solutions or workarounds for this problem.
stunnel
stunnel, an application that allows the encryption of arbitrary TCP
traffic with SSL, is reported to be vulnerable to a denial-of-service
attack. This condition is exploited by the early termination of child
processes. The denial-of-service vulnerability is reported to affect
versions 3.25 and 4.04 of stunnel.
It is recommended that stunnel be upgraded and that users of systems
that have stunnel installed but not in use consider removing it.
It has been reported that OpenSSH version 3.6.1p1 and earlier, running under Linux with PAM enabled, can be used to enumerate valid user accounts on the system. When a nonexistent user attempts to log in, vulnerable versions of OpenSSH return an error message immediately; when a valid user logs in with a wrong password, there is a delay before the error message is returned, and the difference in response time tells the attacker which accounts exist.
It is recommended that users upgrade to the latest stable release of OpenSSH.
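The fix for this class of leak is to make the failure path do the same amount of work whether or not the account exists. The following added C example (not OpenSSH code) models that with a constructed one-user database and a deliberately slow verifier, and counts how many times the slow path runs: the vulnerable routine skips it for unknown users, the hardened one never does. The account names, passwords, the fake record and the work loop inside slow_verify() are all made up for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed user database; a real system stores password hashes, not passwords. */
struct account { const char *name; const char *password; };
static const struct account users[] = { { "alice", "correct horse" } };

/* Instrumentation: how often the expensive verification has run. */
static unsigned long work_calls;

/* Stand-in for an expensive password check (PAM, crypt(3), ...). The work loop is
 * artificial and exists only to make the timing difference measurable. */
static int slow_verify(const char *supplied, const char *stored)
{
    volatile uint32_t h = 2166136261u;
    work_calls++;
    for (int round = 0; round < 20000; round++)
        for (const char *p = supplied; *p; p++)
            h = (h ^ (uint8_t)*p) * 16777619u;
    (void)h;
    return strcmp(supplied, stored) == 0;
}

static const struct account *lookup(const char *user)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, user) == 0)
            return &users[i];
    return NULL;
}

/* Vulnerable shape: unknown users take a fast path, so the response time tells the
 * client whether the account exists. */
int auth_vulnerable(const char *user, const char *pw)
{
    const struct account *a = lookup(user);
    if (a == NULL)
        return 0;
    return slow_verify(pw, a->password);
}

/* Hardened shape: verify against a fake record when the user is unknown, then refuse
 * regardless of the result. The a != NULL test matters: without it an attacker who
 * guesses the fake password would be let in as a nonexistent user. */
int auth_hardened(const char *user, const char *pw)
{
    static const struct account fake = { "nobody", "*" };
    const struct account *a = lookup(user);
    int ok = slow_verify(pw, a ? a->password : fake.password);
    return a != NULL && ok;
}

/* How many times the slow path ran for one authentication attempt. */
unsigned long work_done(int (*auth)(const char *, const char *),
                        const char *user, const char *pw)
{
    unsigned long before = work_calls;
    auth(user, pw);
    return work_calls - before;
}

static double ms_for(int (*auth)(const char *, const char *),
                     const char *user, const char *pw)
{
    clock_t t0 = clock();
    auth(user, pw);
    return 1000.0 * (double)(clock() - t0) / CLOCKS_PER_SEC;
}

int main(void)
{
    printf("vulnerable: unknown user %.2f ms, valid user %.2f ms\n",
           ms_for(auth_vulnerable, "mallory", "x"),
           ms_for(auth_vulnerable, "alice", "x"));
    printf("hardened:   unknown user %.2f ms, valid user %.2f ms\n",
           ms_for(auth_hardened, "mallory", "x"),
           ms_for(auth_hardened, "alice", "x"));
    return 0;
}
```

Run stand-alone, the first line shows a large gap between the two timings and the second shows none. Note that strcmp() itself returns early on the first differing byte; a production verifier compares hashes with a constant-time routine, which is a separate concern from the one shown here.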
up2date
Red Hat Linux's up2date utility is used to connect to the Red Hat
Network and download and install updated packages. Versions 3.0.7 and
3.1.23 of up2date do not properly validate the RPM GPG signatures of
packages before installing them.
Red Hat considers the threat from this problem low, because an
attacker would first have to compromise the Red Hat Network servers to
place their own packages there for download and installation. Red Hat
nevertheless recommends that users upgrade their up2date package to a
repaired version.
eroaster
eroaster is a GUI front end to the cdrecord command used to burn
CD-ROMs. eroaster is vulnerable to a temporary file symbolic-link race
condition attack that can be exploited by a local attacker to overwrite
files on the system with the permissions of the user running eroaster.
Affected users should watch their vendor for an updated package. Debian has released a repaired package.
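The pattern behind eroaster's bug, shown here as an added C example (not eroaster's code): a writer that opens a predictable name under /tmp with fopen(3), beside two safe alternatives, all played against a symbolic link the attacker planted at that name. In a real race the attacker creates the link between the program's check and its open; here the link is simply created first, which the unchecked writer cannot tell apart, and the O_EXCL open is atomic so it closes the race as well. The directory name, file names and contents are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable shape: a predictable name opened with fopen(3), which creates or
 * truncates whatever the name resolves to, symbolic links included. */
int write_predictable(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(data, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened: O_EXCL makes open(2) fail if anything (a symlink too) already exists at
 * the path, and O_NOFOLLOW refuses to traverse a symlink at the final component. */
int write_exclusive(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Preferred: mkstemp(3) picks an unpredictable name and opens it O_EXCL itself.
 * The trailing XXXXXX of the template is replaced with the name actually created. */
int write_mkstemp(char *template, const char *data)
{
    int fd = mkstemp(template);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

static int read_small(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, n - 1, f);
    fclose(f);
    buf[got] = '\0';
    return 0;
}

/* Plays the attack in a private directory. "victim" stands in for a file the user
 * running the program can write, such as ~/.ssh/authorized_keys. Returns 0 when the
 * vulnerable writer clobbers the victim and both safe writers leave it alone;
 * otherwise a bit mask of the expectations that failed. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/symrace.XXXXXX";
    char victim[4096], link[4096], tmpl[4096], buf[64];
    int rc = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/eroaster.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/eroaster.XXXXXX", dir);

    /* Attacker pre-creates the guessable temp name as a link to the victim. */
    if (write_predictable(victim, "original\n") != 0 || symlink(victim, link) != 0)
        return -2;

    /* 1. fopen("w") follows the link: the victim's contents are replaced. */
    write_predictable(link, "clobbered\n");
    if (read_small(victim, buf, sizeof buf) != 0 || strcmp(buf, "clobbered\n") != 0)
        rc |= 1;

    /* 2. O_EXCL|O_NOFOLLOW fails on the attacker's link; the victim is untouched. */
    write_predictable(victim, "original\n");
    if (write_exclusive(link, "clobbered\n") == 0)
        rc |= 2;
    if (read_small(victim, buf, sizeof buf) != 0 || strcmp(buf, "original\n") != 0)
        rc |= 4;

    /* 3. mkstemp never uses the guessable name at all. */
    if (write_mkstemp(tmpl, "session data\n") != 0 || strcmp(tmpl, link) == 0)
        rc |= 8;

    unlink(tmpl);
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_symlink_attack();
    printf("symlink attack demo: %s (rc=%d)\n", rc == 0 ? "as expected" : "unexpected", rc);
    return rc == 0 ? 0 : 1;
}
```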
wget
The command-line web and FTP retrieval tool wget is reported to be
vulnerable to a buffer overflow in its URL-handling code.
Users should upgrade to a repaired version as soon as possible.
xfstt
xfstt, a TrueType font server for the X Window system, is vulnerable
to several remotely exploitable buffer overflows that can be used in a
denial-of-service attack or to execute arbitrary code with the
permissions the server is running under, often the user nobody.
Another problem in xfstt can be used by a remote attacker to read
portions of xfstt's memory.
Affected users should watch their vendor for an updated version of
xfstt.
xpcd
xpcd, an X11 program for reading PhotoCD images, has a buffer
overflow in the code that handles the HOME environment variable, which
may be exploitable to execute code with root permissions.
Users should watch their vendor for a repaired version and should consider removing any set-user-ID or set-group-ID bits from the application until a repaired version is in use.
pam-pgsql
pam-pgsql is vulnerable to a format-string-based attack that may
be used by a remote attacker to execute arbitrary code with the
permissions of the user under which the application calling pam-pgsql is
running.
Users should watch their vendor for updated packages.
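An added C example (not pam-pgsql's code) of the bug class described above: the vulnerable call passes caller-controlled text as the format string, so any directives in it are interpreted, while the hardened call keeps the format a literal. The demonstration input uses only "%%", which has defined behaviour; the directives a real attack uses (%x, %s, %n) are described in the comments but never executed. The login name is constructed, and has_directive() is an assumed helper for auditing, not part of any PAM module.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable shape: the caller's text becomes the format string. Every %-directive
 * in it is interpreted: "%x" dumps words from the stack, "%s" reads through them as
 * pointers, and "%n" writes a count to memory, which is how this becomes code
 * execution. The pragma silences gcc/clang's -Wformat-security, which flags exactly
 * this call; leave the warning on in real builds. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int format_vulnerable(char *out, size_t n, const char *user_input)
{
    return snprintf(out, n, user_input);
}
#pragma GCC diagnostic pop

/* Hardened shape: the format is a literal and the input is an argument. The same
 * rule applies to syslog(3): syslog(LOG_ERR, "%s", msg), never syslog(LOG_ERR, msg). */
int format_hardened(char *out, size_t n, const char *user_input)
{
    return snprintf(out, n, "%s", user_input);
}

/* Audit helper: does attacker-supplied text carry a conversion directive?
 * "%%" is a literal percent sign and is not counted. Defence in depth only;
 * the fix is at the call site. */
int has_directive(const char *s)
{
    for (; (s = strchr(s, '%')) != NULL; s++) {
        if (s[1] == '%') {
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed login name an attacker might send to the module. */
    const char *login = "%%root%%";
    char v[64], h[64];

    format_vulnerable(v, sizeof v, login); /* "%root%": the directives were consumed */
    format_hardened(h, sizeof h, login);   /* "%%root%%": the input stayed data */
    printf("vulnerable: %s\nhardened:   %s\n", v, h);
    printf("\"%%x%%x\" flagged: %d, \"100%%%% done\" flagged: %d\n",
           has_directive("%x%x"), has_directive("100%% done"));
    return 0;
}
```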
xtokkaetama
The game xtokkaetama is a Tetris-like game that supports up to two
players. xtokkaetama is vulnerable to a buffer overflow when a long
enough string is used as the -nickname command-line option. This
buffer overflow can be exploited by a local attacker to gain the
permissions of the games group.
Debian has released a repaired version of the game. Users of other systems should watch their vendors for an update.
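xpcd's HOME handling and xtokkaetama's -nickname option have the same shape: an attacker-controlled string copied into a fixed-size buffer inside a set-ID program. The following added C example (not code from either project; the buffer sizes, the file name .xpcdrc and the helper names are assumptions for the illustration) shows bounded copies that refuse over-long input instead of overflowing or silently truncating, together with the two rules specific to set-ID binaries: do not trust $HOME when real and effective UIDs differ, and drop the extra group before parsing arguments.

```c
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PATH_LEN 256
#define NICK_LEN 32

/* Copy src into a fixed buffer, refusing when it does not fit. snprintf returns the
 * length the complete output would have had, so a value >= n means "too long";
 * the buffer is left empty rather than half-filled. */
int copy_bounded(char *out, size_t n, const char *src)
{
    int len = snprintf(out, n, "%s", src);
    if (len < 0 || (size_t)len >= n) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Choose the home directory. When real and effective UIDs differ the program is
 * set-user-ID and the environment belongs to whoever ran it, so $HOME is ignored in
 * favour of the password-database entry (what getpwuid(getuid()) returns). */
int choose_home(const char *env_home, const char *pw_dir, int is_setuid,
                char *out, size_t n)
{
    const char *src = (is_setuid || env_home == NULL) ? pw_dir : env_home;
    if (src == NULL)
        return -1;
    return copy_bounded(out, n, src);
}

/* Build "$home/<file>" without an unbounded strcpy/strcat pair. */
int build_rc_path(const char *home, const char *file, char *out, size_t n)
{
    int len = snprintf(out, n, "%s/%s", home, file);
    if (len < 0 || (size_t)len >= n) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* The -nickname option: a bounded copy into the game's nickname buffer. */
int set_nickname(const char *arg, char *nick, size_t n)
{
    return copy_bounded(nick, n, arg);
}

int main(int argc, char **argv)
{
    char home[PATH_LEN], rc[PATH_LEN], nick[NICK_LEN];
    struct passwd *pw = getpwuid(getuid());

    /* A set-group-ID game should give up the group before it touches argv (if it
     * needs the group for a high-score file, open that file first, then drop). */
    if (getegid() != getgid() && setgid(getgid()) != 0)
        return 1;

    if (choose_home(getenv("HOME"), pw ? pw->pw_dir : NULL,
                    getuid() != geteuid(), home, sizeof home) != 0 ||
        build_rc_path(home, ".xpcdrc", rc, sizeof rc) != 0) {
        fputs("cannot determine rc file path\n", stderr);
        return 1;
    }
    printf("rc file: %s\n", rc);

    if (argc > 2 && strcmp(argv[1], "-nickname") == 0 &&
        set_nickname(argv[2], nick, sizeof nick) != 0) {
        fputs("nickname too long\n", stderr);
        return 1;
    }
    return 0;
}
```

Try it with an over-long value, for example HOME=$(printf 'A%.0s' $(seq 300)) ./a.out or ./a.out -nickname $(printf 'A%.0s' $(seq 40)): the vulnerable originals would overflow at that point, this version reports an error and exits.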
The game Half-Life is vulnerable to a denial-of-service attack that can also be leveraged into a root shell on the server running Half-Life (when the server is running as root). A script has been released that automates the exploitation of this problem.
It is recommended that Half-Life be run as an unprivileged user and that the server be protected from unauthorized connections with a firewall.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.