Serious Problem with sendmail
08/27/2001
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a serious problem with sendmail; buffer overflows in HP-UX ftpd, UnixWare su, and
AOLserver; and problems in procmail, phpSecurePages, HTTProtect,
NetWin Authentication Module, Entrust GetAccess, Mathematica License
Manager, HP JetDirect devices, SuSE sdb, Adobe Acrobat, Roxen Webserver, and SHOUTcast Server.
Sendmail
sendmail, a popular Mail Transfer Agent, has a locally-exploitable
vulnerability that can be used to execute commands as root. Exploit
scripts have been released that automate this exploitation.
The Sendmail Consortium recommends that all affected users upgrade to version 8.11.6 as soon as possible and then restart sendmail.
procmail
The procmail mail handler does not handle signals properly. This
problem can only be exploited by a local attacker.
Users should upgrade to procmail version 3.15.2 or 3.21 as soon as
possible.
phpSecurePages
phpSecurePages, a PHP-based tool used to password protect web pages, can be exploited by a remote attacker to execute arbitrary code with the permissions of the user running the Web server.
It is recommended that users upgrade phpSecurePages to a version newer than 1.0.5.
HTTProtect
HTTProtect is designed to prevent unauthorized changes to files stored on an ext2 file system. A vulnerability has been found in HTTProtect that can be used under some circumstances to bypass its protections.
A patch for this vulnerability has been released by Omnisecure and users should install it as soon as possible.
HP-UX ftpd
There is a buffer overflow in the FTP daemon and client that was shipped with HP-UX versions 10.01, 10.10, 10.20, 11.00, and 11.11. The buffer overflow in the FTP daemon can be exploited to execute arbitrary code as the root user.
HP recommends that users apply the appropriate patch for their operating system as soon as possible.
NetWin Authentication Module
The NetWin Authentication Module that handles authentication for SurgeFTP, DMail, and so forth uses a weak encryption scheme and has several buffer overflows.
The encryption scheme is vulnerable because it is possible to decrypt the passwords' hashes, and a password hash can be matched by more than one password. A script has been released that will generate passwords that will match a given hash value. It is not known if any of the buffer overflows can be exploited.
Users should watch NetWin for an updated version of the NetWin Authentication Module that corrects these problems.
UnixWare su
The su command shipped with all versions of UnixWare 7 and version
8.0.0 of OpenUnix 8 is vulnerable to a buffer overflow that can be
exploited to gain root privileges.
Caldera recommends that affected users update their su binaries as soon
as possible.
Entrust GetAccess
Entrust GetAccess, a single sign-on system, has a vulnerability that under some circumstances can be used to execute arbitrary Java code on the GetAccess web server.
Users should watch Entrust for an update to GetAccess that fixes this vulnerability.
Mathematica License Manager
The Mathematica license manager is vulnerable to a trivial denial-of-service attack and can be spoofed so that it grants licenses to unauthorized machines.
A workaround for these problems is to block connections to port 16286 on the license machine from untrusted hosts.
HP JetDirect Devices
On some HP JetDirect products, when the administration password is set using the Web interface, the password on the telnet
interface will not be set.
Administrators of HP JetDirect devices should ensure that the
administration password is set both in the Web interface and in the
telnet interface.
SuSE sdb
There is a problem in the Perl CGI script Sdbsearch.cgi (part
of the SuSE sdb package) that can be used by a local attacker to
execute arbitrary commands with the permissions of the user executing
the Web server. This has been reported to affect SuSE versions 6.0,
6.1, 6.2, 6.3, 6.4, 7.0, 7.1, and 7.2. SuSE 7.1 and 7.2 use Perl's
taint mode and are not currently thought to be exploitable.
SuSE recommends that all affected users upgrade their sdb package.
Adobe Acrobat
Adobe Acrobat creates a file named AdobeFnt.lst in the user's home directory
and then sets its permissions to group- and world-writable. This
problem has been reported for both the Linux and the Solaris versions
of Adobe Acrobat.
A possible workaround is to write a wrapper script to fix the permissions of the file. Users should watch Adobe for a fix for this problem.
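One way to write the wrapper script mentioned above, as an added example that is not from Adobe or from the original column. The ACROREAD_REAL path is a placeholder, and the function names fix_fontlist_perms and run_wrapped are hypothetical.

```sh
#!/bin/sh
# Added example: wrapper for the Acrobat viewer that removes group/world
# write permission from ~/AdobeFnt.lst. Install it as "acroread" earlier in
# PATH than the real binary.
# ASSUMPTION: ACROREAD_REAL is a placeholder path, not taken from the column.
ACROREAD_REAL="${ACROREAD_REAL:-/path/to/real/acroread}"

# Strip g+w and o+w from DIR/AdobeFnt.lst (DIR defaults to $HOME).
# Returns 0 if the file is absent or fixed, 2 if it is a symlink.
fix_fontlist_perms() {
    f="${1:-$HOME}/AdobeFnt.lst"
    if [ -L "$f" ]; then
        # chmod follows symlinks, so never operate on one.
        echo "acroread wrapper: $f is a symlink, leaving it alone" >&2
        return 2
    fi
    [ -f "$f" ] || return 0
    chmod go-w "$f"
}

# Run the real viewer, then repair the file and keep the viewer's exit status.
run_wrapped() {
    # Repair a file left writable by an earlier, unwrapped session.
    fix_fontlist_perms "$HOME" || return $?
    "$ACROREAD_REAL" "$@"
    status=$?
    # The file stays writable while the viewer runs; this closes the
    # window once it exits.
    fix_fontlist_perms "$HOME" || return $?
    return "$status"
}

# Only act as the wrapper when invoked under the name "acroread".
case "${0##*/}" in
    acroread) run_wrapped "$@"; exit $? ;;
esac
```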
AOLserver
The AOLserver Web server has a buffer overflow that can be used by a remote attacker to crash the server. It is not known if this buffer overflow can be exploited to execute arbitrary code. AOLserver versions 3.0 and 3.2 have been reported to be vulnerable to this attack.
Users of AOLserver should upgrade to version 3.3.1 or newer.
Roxen WebServer
The Roxen WebServer has a vulnerability that can be used to retrieve any file on the Web server that is readable by the user running the Web server or, if the CGI-module is enabled, it can be used to execute any executable file on the Web server. This vulnerability has been reported to affect Roxen WebServer versions 2.0 to 2.0.92 and versions 2.1 to 2.1.264 on all OS platforms.
Roxen recommends that users apply the appropriate patches and restart the Web server.
SHOUTcast Server
SHOUTcast Server, a streaming audio server, can be crashed by a bad client request. This can be used as a denial-of-service attack against a SHOUTcast Server.
Users should watch Nullsoft for a patch for this problem.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
