New Version of Apache
04/08/2002
Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at a new release of
Apache; buffer overflows in VNC, Icecast, Progress, and Solaris' Xsun;
and problems in LogWatch, talkd, popper_mod, EMU Webmail, wwwisis 3.x,
and OpenLinux's KDE.
- Apache 1.3.24
- VNC
- Icecast
- LogWatch
- talkd
- Progress
- Xsun
- popper_mod
- EMU Webmail
- wwwisis 3.x
- OpenLinux KDE
Apache 1.3.24
The Apache Software Foundation and The Apache Server Project have released version 1.3.24 of Apache. This new version fixes many bugs, including a bug in the Win32 version of Apache that can be exploited by a remote attacker to execute arbitrary commands, and a bug that could cause invalid client host names to be written to the log file.
Users should consider upgrading Apache to this new version.
VNC
VNC (Virtual Network Computing) is a remote desktop control
application that allows the control of remote systems and the viewing
of the remote system's desktop. Many versions of the VNC client are
vulnerable to a zlib-related exploit that can, under some circumstances,
allow arbitrary code to be executed with the permissions of the user
running the client. To exploit this vulnerability, the attacker must
control the VNC server to which the client is attempting to connect.
Versions reported to be vulnerable include TightVNC (earlier than
1.2.3), TridiaVNC (earlier than 1.5.6), TridiaVNC Pro (earlier than
1.2.00), TridiaVNC for Unix (all versions through version 1.4.00),
VNCThing for the Mac (earlier than 2.3), VNC for the Apple Newton, and
the JRE VNC viewer.
Affected users should upgrade to a repaired version of VNC and the zlib
system libraries as soon as possible. It is also recommended that VNC
should be run with the permissions of a normal user, the VNC viewer's
listen mode should be avoided, and connections should only be made to
trusted servers.
Icecast
Icecast, an open source audio streaming server, is remotely vulnerable to a buffer overflow that can be exploited to execute arbitrary code on the server with the permissions of the user running Icecast (often root). An automated exploit script has been released.
Users should watch for a patch or release that fixes this vulnerability. They should also consider disabling Icecast until it has been repaired. It is also recommended that Icecast run as a normal user with the fewest permissions possible.
LogWatch
The LogWatch logfile-analysis tool is vulnerable to a new temporary-file symbolic link race condition that can be exploited to gain root access to the system. This is not the same race condition that was fixed by an upgrade to LogWatch version 2.5.
Users should upgrade to LogWatch version 2.6 or newer as soon as possible, and should consider disabling LogWatch until it has been repaired.
talkd
A talk-chat-system-based identity spoofing tool named talksp00f has been
released. It exploits a design flaw in the talkd chat daemon to
impersonate an arbitrary user. As an example, this flaw can be used in
a social-engineering attack by impersonating the root user.
Users should exercise caution when they receive a talk connection from
another user, and verify that the user is logged into the system and is
the user that is executing the talk session. The system administrator,
as a general rule, will never need a user's password or their credit
card number, and such requests should be viewed with skepticism.
Progress
The Progress database is vulnerable to a buffer overflow (in the set user
id root executable sqlcpp) that can be exploited by a local attacker to
execute arbitrary code as root. It has been reported that this
executable was added as part of the patch 91C09.tar.Z.
Users should watch for a patch to repair this problem and should
remove the set user id bit from sqlcpp if it is not needed.
Xsun
The Solaris X Window server Xsun is vulnerable to a buffer overflow in
the command line parameter -co. This can be exploited by a local
attacker to execute arbitrary code with root group permissions on a
Sparc, and root user permissions on an X86-based machine.
Users should consider removing set user id or set group id bits from Xsun and should watch Sun for a patch to repair this vulnerability.
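The interim mitigation recommended for both sqlcpp (Progress) and Xsun is to remove the set user id or set group id bits. The script below is an added example, not part of the original column or any vendor fix: it lists files that carry either bit and strips them from one file. The function names are hypothetical and the demo file is a constructed stand-in, since the column does not give install paths.

```shell
#!/bin/sh
# Added example: find and strip set-user-id / set-group-id bits.

# Print every regular file under directory $1 that is setuid or setgid.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Remove both bits from file $1 and verify the result.
# Returns 1 if the file is missing or a bit is still set afterwards.
drop_privilege_bits() {
    dpb_file=$1
    [ -f "$dpb_file" ] || { echo "not a regular file: $dpb_file" >&2; return 1; }
    dpb_had=""
    if [ -u "$dpb_file" ]; then dpb_had="$dpb_had setuid"; fi
    if [ -g "$dpb_file" ]; then dpb_had="$dpb_had setgid"; fi
    if [ -z "$dpb_had" ]; then
        echo "$dpb_file: nothing to remove"
        return 0
    fi
    chmod u-s,g-s "$dpb_file" || return 1
    if [ -u "$dpb_file" ] || [ -g "$dpb_file" ]; then return 1; fi
    echo "$dpb_file: removed$dpb_had"
}

# Demo on a constructed stand-in file in a scratch directory.
demo_dir=$(mktemp -d)
: > "$demo_dir/sqlcpp-standin"
chmod 4755 "$demo_dir/sqlcpp-standin"
echo "before: $(list_privileged "$demo_dir")"
drop_privilege_bits "$demo_dir/sqlcpp-standin"
echo "after:  $(list_privileged "$demo_dir")"
rm -rf "$demo_dir"
```

On a real system, point `list_privileged` at the product's install directory and confirm the program still works for the users who need it after the bits are removed.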
popper_mod
popper_mod, a Web-based POP email client, can, under some conditions,
expose the administrative interface and allow an unauthorized user to
read user accounts and passwords, delete accounts, and change account
settings.
It is recommended that users upgrade to version 1.2.2 or newer of
popper_mod or use htaccess authentication to protect the
administrative interface.
EMU Webmail
The EMU Webmail messaging gateway does not properly check all user input and can be used by a remote attacker to view arbitrary directories and files on the server.
Users should watch for an updated version of EMU Webmail.
wwwisis 3.x
wwwisis is a CGI script that is used to query bibliographical and
other databases. It has a vulnerability that, under some circumstances,
may be exploitable by a remote attacker to execute arbitrary commands
on the server with the permissions of the user executing the Web
server.
It is recommended that users upgrade to wwwisis version 5.0, as the 3.x
series is no longer being maintained.
OpenLinux KDE
Under OpenLinux 3.1.1, the startkde script will set the LD_LIBRARY_PATH
to a value that includes the current working directory. This can
potentially be exploited by a local attacker by creating a customized
shared library that will under some conditions be used instead of the
proper library.
Caldera recommends that users upgrade to the latest packages for their system.
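The check below is an added example, not code from the original column or from Caldera's fix. It flags LD_LIBRARY_PATH elements that are searched relative to the current working directory: ".", any other relative path, and empty elements left by a leading, trailing or doubled colon, which glibc's dynamic linker treats as the current directory. The function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag LD_LIBRARY_PATH elements that depend on the cwd.

# Print one line per risky element of the colon-separated list in $1.
cwd_relative_entries() {
    cre_rest=$1
    [ -n "$cre_rest" ] || return 0      # empty variable: no search path at all
    while :; do
        case $cre_rest in
            *:*) cre_entry=${cre_rest%%:*}; cre_rest=${cre_rest#*:}; cre_more=1 ;;
            *)   cre_entry=$cre_rest; cre_more=0 ;;
        esac
        case $cre_entry in
            /*) ;;                          # absolute directory: fine
            "") echo "<empty element>" ;;   # leading, trailing or doubled colon
            *)  echo "$cre_entry" ;;        # ".", "lib", "../lib", ...
        esac
        [ "$cre_more" -eq 1 ] || break
    done
    return 0
}

# Succeeds only when no element depends on the current working directory.
libpath_is_safe() {
    [ -z "$(cwd_relative_entries "$1")" ]
}

# Constructed sample values (not taken from startkde).
for sample in "/usr/lib:/opt/kde2/lib" "/opt/kde2/lib:" ".:/usr/lib" "/a::/b"; do
    if libpath_is_safe "$sample"; then
        echo "ok      $sample"
    else
        echo "UNSAFE  $sample -> $(cwd_relative_entries "$sample" | tr '\n' ' ')"
    fi
done
```

When a startup script prepends a directory, writing `/some/dir${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` avoids leaving a trailing colon when the variable was previously empty.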
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.