Buffer Overflows in RealPlayer and GNU Chess
01/28/2002

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at two Linux kernel bugs; buffer overflows in RealPlayer, GNU Chess, and sniffit; and problems in rsync, Squirrelmail, PHP-Nuke, enscript, Tarantella Enterprise 3, UnixWare and Open UNIX's sort, IPFilter/9000, and Maelstrom.
- Linux Kernel Bug
- Linux CIPE
- rsync
- Squirrelmail
- RealPlayer
- GNU Chess
- PHP-Nuke
- enscript
- Tarantella Enterprise 3
- sniffit
- UnixWare and Open UNIX sort
- IPFilter/9000
- Maelstrom
Linux Kernel Bug
There is a bug in some Linux kernels' ICMP implementation that can be remotely exploited to read random selections of memory. This bug is reported to affect Linux 2.2 kernels 2.2.18 and earlier and 2.4 kernels 2.4.0-test6 and earlier.
It is recommended that affected users upgrade their kernel to a safe version as soon as possible.
Linux CIPE
There is a vulnerability in the Linux kernel code for CIPE (Crypto IP Encapsulation) VPN tunnels that can be used by a remote attacker to crash the system by sending a specially crafted packet. CIPE tunnels IP packets inside encrypted UDP packets.
It is recommended that affected users upgrade CIPE to version 1.3.0-3 or newer, or watch for an updated Linux kernel version.
rsync
The rsync command is used to synchronize files and directories across
multiple machines. rsync has bugs related to signed integer handling
that can be used, under some circumstances, by a remote attacker to execute arbitrary commands on the server with root privileges.
Users should upgrade rsync to version 2.4.6 or newer, or contact their
vendor for a repaired version. It is also recommended that the "Use
chroot" option be used to reduce the impact of a successful attack.
Squirrelmail
The Squirrelmail Web-based email system has a vulnerability that can be used to execute arbitrary commands on the server with the permissions of the user executing the Web server. An additional vulnerability can be exploited to cause a user to send email messages or to execute JavaScript.
It is recommended that users watch for a version of Squirrelmail that fixes both of these vulnerabilities.
RealPlayer
RealPlayer, a streaming media player, has a buffer overflow in the code that parses the strings in its data files, which may be exploitable to execute arbitrary code on the local machine with the user's permissions. RealNetworks reports that the following versions of RealPlayer are vulnerable: RealPlayer for Windows: RealOne Player, RealPlayer 7, RealPlayer 8, RealPlayer G2 (Build # 6.0.6.99 or higher), RealPlayer Intranet 8, RealPlayer and Intranet 7; RealPlayer for Macintosh: RealPlayer 8 and RealPlayer 7; and RealPlayer for Unix: RealOne Player Alpha for Linux 2.2, RealPlayer 7 for Unix, and RealPlayer 8 for Unix.
RealNetworks has released updates and replacement libraries for RealPlayer. Users should go to www.real.com for details.
GNU Chess
GNU Chess allows a computer to play the game of chess; it has a terminal interface, but supports other interfaces. GNU Chess contains a buffer overflow that can be exploited by a remote attacker to execute arbitrary commands if the attacker can send GNU Chess commands.
This buffer overflow has been fixed in the 5.03beta release of GNU Chess, available from the GNU FTP site. GNU Chess does not have a network interface and was designed to be run locally on the user's computer and, as a result, was not written with security in mind. Users who wish to use GNU Chess over a network should consider using a tool such as FICS or Zippy from Xboard to secure the connection.
PHP-Nuke
There is a vulnerability in PHP-Nuke that can be used by an attacker to
execute arbitrary commands on the server with the permissions of the
user executing the Web server. This vulnerability is the result of
unfiltered user-supplied data being used in an include() function.
Users should watch for an updated version of PHP-Nuke.
enscript
enscript is a tool that is used to convert text files to PostScript and send them to a printer. Versions of enscript earlier than 1.6.2-4.1 are vulnerable to a temporary file symbolic link race condition that can be used by a malicious user to overwrite arbitrary files with the permissions of the user executing enscript.
Users should upgrade enscript to version 1.6.2-4.1 or newer.
Tarantella Enterprise 3
Tarantella Enterprise 3 is used to access enterprise resources via a Web interface. It is vulnerable to a race condition that can lead to a local root exploit during installation.
Users should consider placing the system in single-user mode while installing Tarantella Enterprise 3 until it has been patched to repair this vulnerability.
sniffit
sniffit, a packet sniffer for Linux and most versions of Unix, has a
buffer overflow that, if it installed set user id root, can be exploited
to gain root privileges.
Users should remove the set user id bit from sniffit until it has been
patched.
UnixWare and Open UNIX sort
The sort command supplied with UnixWare 7.1.* and Open UNIX 8.0.0 has
a temporary file race condition that can be used by a local attacker to
overwrite arbitrary files with the permissions of the user executing
sort.
Caldera recommends that users upgrade sort as soon as possible.
IPFilter/9000
Hewlett-Packard has announced a vulnerability in IPFilter/9000 running on HP-UX 11.00 or 11.11 that can be used to change its handling of packets.
Hewlett-Packard recommends that users upgrade to IPFilter/9000 version A.03.05.02.
Maelstrom
Maelstrom, an Asteroids-type game ported from the Macintosh, has a temporary file symbolic link race condition that can be used by a malicious user to overwrite arbitrary files with the permissions of the user executing Maelstrom. It is reported that Maelstrom versions 3.0.1 and earlier are vulnerable.
Users should avoid executing Maelstrom on multiuser machines until it has been fixed.
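The temporary-file race reported above for enscript, sort and Maelstrom comes down to the same pattern: a predictable file name opened without O_EXCL, so a symbolic link planted at that name redirects the write. The following C program is an added example, not code from any of those projects; it shows the racy open beside the mkstemp()-based pattern that refuses a planted link, using a constructed scratch directory and victim file under /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened temp-file creation (constructed example, not enscript's code):
 * mkstemp() picks an unpredictable name and opens with O_CREAT|O_EXCL, so
 * anything planted at that name, a symlink included, makes the open fail
 * instead of being followed. fstat() then confirms a fresh regular file.
 * 'tmpl' must end in "XXXXXX" and is overwritten with the chosen name. */
int safe_tmp_open(char *tmpl)
{
    struct stat st; int fd = mkstemp(tmpl);
    if (fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1)
        return fd;
    if (fd >= 0) { close(fd); unlink(tmpl); }
    return -1;
}

/* Demonstration in a scratch directory: an empty victim file and a symlink
 * at a predictable name pointing to it. Returns a bitmask (expected 7):
 *   1: racy open(O_CREAT|O_TRUNC) on the link wrote into the victim
 *   2: open(O_CREAT|O_EXCL) on the same path refused with EEXIST
 *   4: safe_tmp_open() produced a usable file */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/race-demo-XXXXXX", victim[64], lnk[64], tmpl[64];
    struct stat st; int fd, result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/predictable.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/safe-XXXXXX", dir);
    if ((fd = open(victim, O_WRONLY | O_CREAT, 0600)) < 0 || close(fd) != 0
        || symlink(victim, lnk) != 0)
        return -1;
    /* Racy pattern: predictable name, no O_EXCL, so the planted link is followed */
    if ((fd = open(lnk, O_WRONLY | O_CREAT | O_TRUNC, 0600)) >= 0) {
        if (write(fd, "data", 4) == 4 && stat(victim, &st) == 0 && st.st_size == 4)
            result |= 1;
        close(fd);
    }
    if (open(lnk, O_WRONLY | O_CREAT | O_EXCL, 0600) < 0 && errno == EEXIST)
        result |= 2;
    if ((fd = safe_tmp_open(tmpl)) >= 0) { result |= 4; close(fd); unlink(tmpl); }
    unlink(lnk); unlink(victim); rmdir(dir);
    return result;
}
```

The mkstemp() pattern removes both halves of the problem: the name cannot be guessed ahead of time, and O_EXCL guarantees the opened file is one this process just created.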
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.