
Security Alerts

More Telnet Daemon Vulnerabilities

08/13/2001

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in Linux telnet daemons, IBM AIX telnet daemons, the Kerberos 5 telnet daemon, Window Maker, and Solaris' xlock; temporary-file race conditions in AllCommerce and rcs2log; and vulnerabilities in ZyXEL Prestige 642R and 642R-I ADSL routers, groff, OpenLDAP, fetchmail, UnixWare Package Tools, docview, and ColdFusion Server 5.

telnet

We reported last month that a buffer overflow in many BSD-derived telnet daemons may, under some circumstances, be exploitable by a remote attacker to gain root access. At that time, it was reported that the Linux telnet daemon was vulnerable in netkit versions before 0.14. This appears to be incorrect, and reports indicate that versions of netkit earlier than 0.17 are vulnerable. Distributions that have been reported to be vulnerable include: Debian 2.2 potato; Caldera OpenServer 5; and Red Hat 5.2, 6.2, 7.0, and 7.1.

In addition to the problems with the telnet daemons in these Linux distributions, IBM has announced that AIX 4.3.x and 5.1 are vulnerable to this problem and has released temporary fixes for the vulnerability.

Kerberos 5 telnet

Kerberos 5 has a potential overflow in the included telnet server. This overflow could be used by a remote attacker to execute arbitrary commands with the permissions of the root user.

It is recommended that affected users watch their vendor for a patch for this problem.

AllCommerce

There is a temporary-file race condition attack against the version of AllCommerce distributed with EnGarde Secure Linux. This race condition can be used by a local user to overwrite files on the server with the permissions of the user account running the Web server. The AllCommerce package that was distributed with EnGarde Secure Linux had several debugging options turned on, and created temporary files in the /tmp directory with predictable names.

It is recommended that users of AllCommerce under EnGarde Secure Linux should upgrade to the most recent version of the package.

ZyXEL Prestige 642R and 642R-I

On ZyXEL Prestige 642R and 642R-I ADSL routers, the FTP, telnet, and administrative services are available on the WAN interface. It also has been reported that a scan of ZyXEL Prestige routers found that 45% have never had their factory default password changed. These two problems can be used by an attacker to change the router's firmware, change its configuration, and attack devices on the internal network.

It is recommended that all network devices have their default passwords changed, and that owners of ZyXEL Prestige 642R and 642R-I ADSL routers change their remote node filter so that it does not allow outside connections to its services.

groff

groff, the front end to the groff document formatting system, is vulnerable to a format-string attack in its pic command that can be used to execute arbitrary code.

Users should upgrade groff to a repaired version.

Window Maker

The Window Maker window manager for X has a buffer overflow in the code that handles the window titles in the window list menu. Applications that set the window title using untrusted data may be usable by a remote attacker to execute arbitrary code on the local machine as the user running Window Maker.

It is recommended that users upgrade Window Maker as soon as possible.

OpenLDAP

OpenLDAP's slapd daemon will crash if it receives packets with an invalid BER length. This can be used by an attacker to deny access to the LDAP server.

It is recommended that users upgrade to OpenLDAP 1.2.12 or 2.0.8.
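The column says only that slapd crashes on packets with an invalid BER length, so the decoder below is an added illustration of the class of check such a server needs, not OpenLDAP's own code. It decodes a BER length field and refuses the forms a hardened LDAP front end should reject (indefinite length, absurdly many length octets, a length that overruns the received buffer), returning an error instead of trusting the declared size. The sample packets are constructed for this example; the single-octet-tag assumption in ber_element_size is mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode one BER length field starting at buf[0], with len bytes available
 * from that point. On success stores the content length in *out and returns
 * the number of length octets consumed (1..5). Returns -1 for anything the
 * protocol layer should reject: empty input, the indefinite form (0x80, not
 * permitted in LDAP), more than four length octets, a truncated length field,
 * or a declared length exceeding the bytes actually present. */
int ber_decode_length(const uint8_t *buf, size_t len, uint32_t *out)
{
    if (len == 0)
        return -1;
    uint8_t first = buf[0];
    if (first < 0x80) {                 /* short form: length fits in 7 bits */
        if ((size_t)first > len - 1)
            return -1;
        *out = first;
        return 1;
    }
    size_t n = first & 0x7f;            /* long form: n following octets */
    if (n == 0 || n > 4 || n > len - 1)
        return -1;
    uint32_t value = 0;
    for (size_t i = 0; i < n; i++)
        value = (value << 8) | buf[1 + i];
    if (value > len - 1 - n)            /* claims more bytes than we hold */
        return -1;
    *out = value;
    return (int)(1 + n);
}

/* Total size of one complete TLV element (single-octet tag assumed, as for
 * the universal tags LDAP uses), or -1 if its length field is malformed. */
long long ber_element_size(const uint8_t *buf, size_t len)
{
    if (len < 2)
        return -1;
    uint32_t content;
    int hdr = ber_decode_length(buf + 1, len - 1, &content);
    if (hdr < 0)
        return -1;
    return 1LL + hdr + (long long)content;
}

/* Constructed samples: a well-formed SEQUENCE { INTEGER 7 } and two hostile
 * headers of the kind a hardened decoder must refuse. */
static const uint8_t sample_ok[]    = { 0x30, 0x03, 0x02, 0x01, 0x07 };
static const uint8_t sample_huge[]  = { 0x30, 0x84, 0xff, 0xff, 0xff, 0xff };
static const uint8_t sample_indef[] = { 0x30, 0x80, 0x02, 0x01, 0x07, 0x00, 0x00 };

int main(void)
{
    printf("well-formed element: %lld bytes\n",
           ber_element_size(sample_ok, sizeof sample_ok));
    printf("oversized length:    %lld (rejected)\n",
           ber_element_size(sample_huge, sizeof sample_huge));
    printf("indefinite length:   %lld (rejected)\n",
           ber_element_size(sample_indef, sizeof sample_indef));
    return 0;
}
```

The key property is that every length is validated against the bytes actually received before any allocation or copy is sized from it; a decoder that allocates or reads on the declared length first is exactly what a malformed packet turns into a crash.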

fetchmail

The fetchmail IMAP and POP client has two remotely-exploitable vulnerabilities. Both of these vulnerabilities require the attacker to be in control of, or impersonate, the mail server the user is attempting to download mail from.

Users should upgrade fetchmail to version 5.8.17 or newer as soon as possible.

UnixWare Package Tools

The package management tools distributed with UnixWare 7 can be used to view /etc/shadow, possibly leading to a root compromise of the server.

Caldera recommends that users apply patch sr847997 as soon as possible.

Solaris xlock

The xlock distributed with Solaris OpenView has a buffer overflow that may be exploitable by a local user to gain root privileges. The buffer overflow is exploited by using the environment variables XFILESEARCHPATH and XUSERFILESEARCHPATH.

Users should remove the set user id bit from xlock until a patch has been installed from Sun.
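The xlock problem is a general one for set-user-id programs: values the caller controls through the environment reach code running with root privileges. As an added defensive illustration (not Sun's code, and no substitute for removing the set-user-id bit or applying the patch), the function below filters a process environment before any library that consults those variables runs. The two X variables are the ones the advisory names; adding the LD_ loader family is my own assumption as a general precaution, and on most systems the dynamic loader already ignores them for set-user-id binaries. The sample environment is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Prefixes a set-user-id X client should not accept from its caller. The
 * first two are the variables named in the Solaris xlock advisory; the LD_
 * loader family is added here as a general precaution (an assumption beyond
 * the advisory, not something it states). */
static const char *const unsafe_prefixes[] = {
    "XFILESEARCHPATH=",
    "XUSERFILESEARCHPATH=",
    "LD_",
    NULL
};

static int has_unsafe_prefix(const char *entry)
{
    for (const char *const *p = unsafe_prefixes; *p != NULL; p++)
        if (strncmp(entry, *p, strlen(*p)) == 0)
            return 1;
    return 0;
}

/* Filter a NULL-terminated environment array in place, preserving order.
 * Returns the number of entries removed. Call this before any library that
 * reads these variables (for an Xt client, before resource lookup). */
int scrub_environment(char **envp)
{
    int kept = 0, dropped = 0;
    for (int i = 0; envp[i] != NULL; i++) {
        if (has_unsafe_prefix(envp[i]))
            dropped++;
        else
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return dropped;
}

int main(void)
{
    /* Constructed sample environment as a hostile caller could set it. */
    char *env[] = {
        "HOME=/home/alice",
        "XFILESEARCHPATH=/untrusted/dir/%N",
        "DISPLAY=:0",
        "XUSERFILESEARCHPATH=/untrusted/dir/%N",
        "LD_PRELOAD=/untrusted/dir/lib.so",
        NULL
    };
    int dropped = scrub_environment(env);
    printf("dropped %d entries; remaining:\n", dropped);
    for (int i = 0; env[i] != NULL; i++)
        printf("  %s\n", env[i]);
    return 0;
}
```

Filtering by prefix on the raw envp array, rather than by unsetenv() on individual names, also catches variants such as differently-cased or suffixed names only where the prefix matches, so the list should be reviewed for each program's own resource and library lookup paths.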

docview

docview is a set of CGI scripts distributed with Caldera OpenLinux used to view system documentation via the Web. A failure to check an argument in one of docview's scripts can be exploited to execute arbitrary code with the permissions of the user running the Web server. Versions of OpenLinux that are vulnerable to this problem include OpenLinux Server 3.1 and OpenLinux Workstation 3.1.

Caldera recommends that users upgrade to the latest docview packages as soon as possible.

rcs2log

rcs2log, a utility that converts RCS logs into a ChangeLog file, has a temporary-file race condition that can be exploited by a local user to overwrite files with the permissions of the user executing rcs2log.

Users should watch their vendor for an update or patch for this problem.
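Both the AllCommerce and the rcs2log items above are the same bug class: a temporary file created under a predictable name in a shared directory, which a local user can pre-plant so the privileged process overwrites something else. The code below is an added example, not the code of either project, showing the vulnerable pattern beside its hardened form (mkstemp with an exclusive create, a forced 0600 mode, and a post-open check on the descriptor). The "rcs2log." name prefix and the use of /tmp are assumptions for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* The vulnerable pattern, reconstructed for contrast (not the actual
 * AllCommerce or rcs2log code): a name any local user can predict, created
 * in a world-writable directory without O_EXCL. Whoever wins the race can
 * plant a symlink at that name; open() follows it and this process then
 * truncates and overwrites the link target with its own privileges.
 * Shown for comparison only; nothing here calls it. */
int open_tempfile_unsafe(char *path_out, size_t path_len)
{
    snprintf(path_out, path_len, "/tmp/rcs2log.%ld", (long)getpid());
    return open(path_out, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened form: mkstemp() fills the XXXXXX suffix with an unpredictable
 * value and opens with O_CREAT|O_EXCL, so a pre-planted file or symlink makes
 * the call fail instead of being followed. fchmod() pins the mode to 0600 in
 * case the C library's default is more permissive. Returns the open fd or -1. */
int open_tempfile_private(const char *dir, char *path_out, size_t path_len)
{
    int n = snprintf(path_out, path_len, "%s/rcs2log.XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_len)
        return -1;
    int fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(path_out);
        return -1;
    }
    return fd;
}

/* Post-open check on the descriptor itself (never on the path, which could
 * be swapped underneath us): a regular file we own, with a single link and
 * no group/other permission bits. Returns 1 if all hold, else 0. */
int fd_is_private_regular_file(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode)
        && st.st_uid == geteuid()
        && st.st_nlink == 1
        && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

int main(void)
{
    char path[256];
    int fd = open_tempfile_private("/tmp", path, sizeof path);
    if (fd < 0) {
        perror("open_tempfile_private");
        return 1;
    }
    printf("created %s, private=%d\n", path, fd_is_private_regular_file(fd));
    const char line[] = "constructed ChangeLog entry\n";
    if (write(fd, line, sizeof line - 1) < 0)
        perror("write");
    close(fd);
    unlink(path);
    return 0;
}
```

Two points carry over to scripts as well as C: never reuse a name derived only from the process id, and never re-open the file by path after creating it, since every path lookup in a shared directory is a fresh opportunity for substitution.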

ColdFusion Server 5

ColdFusion Server 5 for Linux has a bug that can crash the server and dump ColdFusion's memory into a log directory, where it can be read by any local user. This bug can only be exploited by a user with permission to write ColdFusion code and place it on the server so that the Web server will cause it to be executed.

Users should watch Macromedia for a patch or an update for this problem.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
