MySQL Vulnerabilities
by Noel Davis, 12/16/2002
Welcome to Security Alerts, an overview of recent Unix and open source security advisories.
In this column, we look at a problem with Perl's Safe module; some
serious vulnerabilities in MySQL; buffer overflows in wget, tcpdump,
Canna, and GTetrinet; and problems in lynx, mICQ, Sun Cobalt RaQ 4 Server
Appliances, xdvi, dvips, Exim, and OpenLDAP2.
- Perl
- MySQL
- wget
- lynx
- mICQ
- Sun Cobalt RaQ 4 Server Appliances
- xdvi and dvips (kpathsea library)
- tcpdump
- GTetrinet
- Exim
- Canna
- OpenLDAP2
Perl
The Safe extension module (Safe.pm) that is distributed with all
versions of the Perl programming language has a security flaw that is
exploitable when a Safe compartment is reused for more than one
evaluation, allowing code to escape the compartment's restrictions.
Affected users should contact their vendor for updated packages.
MySQL
MySQL has several vulnerabilities that can be used to execute arbitrary code or to mount a denial-of-service attack against the database server. These vulnerabilities include:
- A buffer overflow in the code that handles COM_TABLE_DUMP, which can be used in a denial-of-service attack. The buffer overflow is reported to affect Linux, FreeBSD, and MS Windows systems.
- A flaw in the password authentication system that makes it possible for an attacker to authenticate as another user in no more than 32 attempts. The attacker must have a valid account and can only attack accounts that are permitted to log in from the host the attacker is on. A local user, or a remote user in an environment that allows remote root logins, can gain full access to all databases.
- A buffer overflow in the password authentication system.
The MySQL client is vulnerable to a buffer overflow when it reads rows from the database. This vulnerability can be used in a denial-of-service attack against the client and may, under some circumstances, be exploitable to execute code on the client machine.
It is recommended that users upgrade to MySQL 3.23.54 as soon as
possible. Any software that is linked against libmysql should also be
upgraded or recompiled.
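The 32-attempt authentication flaw is easiest to understand in code. The following is an added illustration, not MySQL's source: a length-asymmetric comparison that checks only as many characters as the client sent, beside a version that also requires the lengths to match. The 32-symbol scramble alphabet (modelled as the bytes 0x40..0x5F), the sample scramble string and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the flaw described above; NOT MySQL's source code.
 * The scrambled reply is a string over a 32-symbol alphabet, modelled
 * here as the characters 0x40..0x5F.  The vulnerable check walks only as
 * far as the client's reply, so a one-character reply is accepted as soon
 * as that single character equals the first expected character. */
int check_scramble_vulnerable(const char *expected, const char *reply)
{
    while (*reply) {
        if (*reply++ != *expected++)
            return 1;                   /* mismatch */
    }
    return 0;                           /* "match", even for a short reply */
}

/* Hardened check: the reply must be exactly the expected length and
 * every byte must agree. */
int check_scramble_fixed(const char *expected, const char *reply)
{
    size_t n = strlen(expected);
    if (strlen(reply) != n)
        return 1;
    return memcmp(expected, reply, n) != 0;
}

/* Simulate the attacker: try every one-character reply in turn and return
 * the number of attempts needed before the check accepts one, or -1 if
 * none of the 32 candidates is accepted. */
static int attempts_to_break(int (*check)(const char *, const char *),
                             const char *expected)
{
    int attempts = 0;
    for (int c = 0x40; c < 0x60; c++) {
        char guess[2] = { (char)c, '\0' };
        attempts++;
        if (check(expected, guess) == 0)
            return attempts;
    }
    return -1;
}

int attempts_vulnerable(const char *expected)
{
    return attempts_to_break(check_scramble_vulnerable, expected);
}

int attempts_fixed(const char *expected)
{
    return attempts_to_break(check_scramble_fixed, expected);
}

int main(void)
{
    /* Constructed example scramble; a real one is derived from the
     * account's password hash and a per-connection random seed. */
    const char *expected = "QCKA_WDE";
    printf("vulnerable check accepts a 1-char reply after %d attempts\n",
           attempts_vulnerable(expected));
    printf("fixed check accepts a 1-char reply after %d attempts (-1 = never)\n",
           attempts_fixed(expected));
    return 0;
}
```

Because the vulnerable comparison stops at the end of the client's reply, a one-byte guess succeeds with probability 1/32 per attempt, which is why exhausting the alphabet takes at most 32 tries; the fixed comparison never accepts a short reply.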
wget
Several problems have been reported in wget, a file retrieval utility
that uses FTP or HTTP to fetch files across a network. These
problems include a buffer overflow in the code that handles the URL of
the file to be retrieved, and a problem with the processing of FTP
server responses that can result, under some conditions, in arbitrary
local files being overwritten.
Users should watch their vendor for an updated package that repairs this problem.
lynx
The text-based Web browser lynx does not filter all illegal characters out of the URLs it is given, such as embedded carriage-return and line-feed characters. An attacker who can supply a URL can use this to insert extra HTTP headers into the request lynx sends.
Affected users should watch their vendor for an updated version.
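The header-injection class described above, as an added example that is not lynx's code: a request builder that copies the path straight into the request line, beside a version that refuses a path containing bytes illegal in a request line. The host name, the injected header and the function names are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the header-injection class, not lynx's code.
 * A client that copies a URL path straight into the request line lets a
 * path containing CR LF end the request line early; whatever follows is
 * parsed by the server as additional header lines. */
int format_request(const char *host, const char *path,
                   char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n",
                     path, host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Hardened version: refuse any path containing a byte that is illegal in
 * a request line (CR, LF, other control characters, space, DEL). */
int build_request_safe(const char *host, const char *path,
                       char *out, size_t outlen)
{
    for (const unsigned char *p = (const unsigned char *)path; *p; p++) {
        if (*p < 0x21 || *p == 0x7F)
            return -1;                  /* would corrupt the request line */
    }
    return format_request(host, path, out, outlen);
}

/* Count the header lines a server would see: CRLF-terminated lines after
 * the request line and before the blank line. */
int count_header_lines(const char *req)
{
    int lines = 0;
    const char *p = strstr(req, "\r\n");
    while (p) {
        p += 2;
        if (p[0] == '\r' && p[1] == '\n')
            break;                      /* blank line ends the headers */
        const char *q = strstr(p, "\r\n");
        if (q == NULL)
            break;
        lines++;
        p = q;
    }
    return lines;
}

/* Build a request for example.com with either builder and report how many
 * header lines the server would see, or -1 if the builder refused the path. */
int header_lines_for_path(const char *path, int use_safe_builder)
{
    char req[512];
    int n = use_safe_builder
          ? build_request_safe("example.com", path, req, sizeof req)
          : format_request("example.com", path, req, sizeof req);
    return n < 0 ? -1 : count_header_lines(req);
}

int main(void)
{
    /* Constructed path with an injected header after an embedded CR LF. */
    const char *evil = "/index.html\r\nX-Injected: yes";
    printf("unfiltered builder: %d header line(s)\n",
           header_lines_for_path(evil, 0));
    printf("safe builder: %d (-1 = rejected)\n",
           header_lines_for_path(evil, 1));
    return 0;
}
```

With the injected path the server sees two header lines instead of one, the second being the attacker's; the hardened builder rejects the path outright rather than trying to repair it, which is the safer choice when the URL came from an untrusted page.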
mICQ
The text-based ICQ client mICQ is vulnerable to a denial-of-service
attack. This attack is conducted by sending the client ICQ messages
that do not contain the required separator 0xFE.
Users of mICQ should watch for a repaired version.
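The mICQ crash is an instance of a parser assuming a delimiter is present. The following is an added example, not mICQ's parser: a field splitter that uses the result of a failed search for the 0xFE separator without checking it, beside a version that treats a missing separator as a protocol error. The "nick<0xFE>text" message layout, the buffer sizes and the function names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define ICQ_SEP 0xFE   /* field separator the ICQ protocol places between fields */

/* Added illustration of the failure mode, not mICQ's parser.  A message
 * is modelled as "nick<0xFE>text". */

/* Vulnerable split: uses the memchr result without a NULL check.  When
 * the separator is missing, sep is NULL, the pointer subtraction is
 * undefined and the following memcpy uses a wild length: the remote
 * crash described above.  Never call this on untrusted input. */
int split_message_vulnerable(const unsigned char *msg, size_t len,
                             char *nick, char *text)
{
    const unsigned char *sep = memchr(msg, ICQ_SEP, len);
    size_t n = (size_t)(sep - msg);          /* garbage if sep == NULL */
    memcpy(nick, msg, n);
    nick[n] = '\0';
    memcpy(text, sep + 1, len - n - 1);
    text[len - n - 1] = '\0';
    return 0;
}

/* Hardened split: a missing separator is a protocol error, not a crash,
 * and each field is bounds-checked against the caller's buffers. */
int split_message_safe(const unsigned char *msg, size_t len,
                       char *nick, size_t nicklen,
                       char *text, size_t textlen)
{
    const unsigned char *sep = memchr(msg, ICQ_SEP, len);
    if (sep == NULL)
        return -1;                      /* malformed: drop the message */
    size_t n = (size_t)(sep - msg);
    size_t t = len - n - 1;
    if (n >= nicklen || t >= textlen)
        return -2;                      /* field too long for our buffers */
    memcpy(nick, msg, n);
    nick[n] = '\0';
    memcpy(text, sep + 1, t);
    text[t] = '\0';
    return 0;
}

/* Parse a raw message with the safe splitter and return its result code:
 * 0 = ok, -1 = no separator, -2 = field too long. */
int parse_result(const char *raw)
{
    char nick[32], text[256];
    return split_message_safe((const unsigned char *)raw, strlen(raw),
                              nick, sizeof nick, text, sizeof text);
}

int main(void)
{
    /* Constructed messages: one well-formed, one without the separator. */
    const char *good = "bob\xFE" "hello";
    const char *bad  = "bob hello";
    printf("well-formed: %d, missing separator: %d (-1 = rejected)\n",
           parse_result(good), parse_result(bad));
    return 0;
}
```

The hardened splitter drops a malformed message and keeps running, which turns the remote crash into a logged protocol error.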
Sun Cobalt RaQ 4 Server Appliances
The Sun Cobalt RaQ 4 server appliance, with the Security Hardening Package (RaQ4-SHP Release 1.x.x) installed, has a vulnerability that can be exploited by a remote attacker to execute arbitrary code with root permissions. The vulnerability is in a CGI application installed on the server. It is reported that a script to automate exploitation of this vulnerability is available.
It is recommended that users apply the update available from Sun as soon as possible.
xdvi and dvips (kpathsea library)
The kpathsea library, which is used by xdvi and dvips, calls system() in
an insecure manner. This may be exploitable using a carefully-crafted
DVI file to execute arbitrary commands with the permissions of the user
running xdvi or dvips (often the printer user account lp).
Users should watch their vendor for an updated version of the kpathsea
library and should recompile any applications that were statically
linked to the vulnerable version.
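The hazard behind the kpathsea problem is handing attacker-influenced data to system(). The following is an added example, not kpathsea's code: a command line built from a font name and passed to the shell, beside a launcher that validates the name and runs the helper with fork/execvp so no shell parses it. The helper name mktexpk, the "--dpi 300" argument, the allowed character set and the function names are assumptions made for this illustration; "true" stands in for the helper so the example runs anywhere.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Added illustration of the system() hazard, not kpathsea's code.  A DVI
 * file names the fonts it needs, so the font name reaching the library is
 * attacker-controlled.  mktexpk is the helper a TeX installation runs to
 * build a missing font; "--dpi 300" is an assumed argument for this example. */

/* Vulnerable pattern: splice the name into a command line for system().
 * The shell interprets metacharacters, so "cmr10; id" runs two commands. */
int build_shell_command(const char *font, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "mktexpk --dpi 300 %s", font);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Returns 1 if the command line that would be handed to system() contains
 * a shell metacharacter, 0 otherwise. */
int command_has_metachar(const char *font)
{
    char cmd[256];
    if (build_shell_command(font, cmd, sizeof cmd) < 0)
        return 1;                       /* treat an overlong name as unsafe */
    return strpbrk(cmd, ";|&`$<>()\n") != NULL;
}

/* Hardened input check: accept only a conservative alphabet, and refuse
 * names that would be parsed as an option by the helper. */
int font_name_is_safe(const char *font)
{
    if (*font == '\0' || *font == '-')
        return 0;
    for (const char *p = font; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/* Hardened launcher: validate, then fork/execvp with an argv array so no
 * shell ever parses the name.  Returns the helper's exit status, or -1 if
 * the name was rejected or the helper could not be run. */
int run_helper_noshell(const char *helper, const char *font)
{
    if (!font_name_is_safe(font))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, "--dpi", "300", (char *)font, NULL };
        execvp(helper, argv);
        _exit(127);                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed font name carrying a shell command. */
    const char *evil = "cmr10; id";
    char cmd[256];
    build_shell_command(evil, cmd, sizeof cmd);
    printf("system() would run: %s\n", cmd);
    printf("metachar present: %d\n", command_has_metachar(evil));
    /* "true" stands in for mktexpk so the example runs anywhere. */
    printf("safe launcher, good name: %d\n", run_helper_noshell("true", "cmr10"));
    printf("safe launcher, bad name:  %d\n", run_helper_noshell("true", evil));
    return 0;
}
```

Validation and avoiding the shell are complementary: the allow-list stops option injection and oddities the helper itself might mishandle, and execvp removes the shell's own parsing from the picture entirely.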
tcpdump
tcpdump is vulnerable to a remotely exploitable buffer overflow in the
code that handles BGP decoding. This buffer overflow can be used to
crash tcpdump and may under some conditions be exploited to execute
code with the permissions of the user running tcpdump (often root).
Users should contact their vendors for a repaired version of tcpdump
and should consider disabling it until it has been repaired.
GTetrinet
GTetrinet, a multi-player game, is vulnerable to several buffer overflows that can be exploited by a GTetrinet server.
Affected users should upgrade to GTetrinet 0.4.4 as soon as possible. If GTetrinet is not being used, users should consider removing it from the system.
Exim
The Exim message transfer agent has a vulnerability that can be exploited by a local attacker who has access to Exim's admin user account to gain root permissions. The admin user of Exim is set when the software is compiled. A program that automates exploitation of this vulnerability has been released.
Concerned users should upgrade Exim to a repaired version.
Canna
Canna, a server used to enable Japanese-language input, has a buffer
overflow that can be exploited to execute code with the permissions of the user running
Canna (usually bin). The buffer overflow is present in
all versions of Canna through version 3.5b2. An additional
vulnerability can be exploited in a remote denial-of-service attack
and affects versions of Canna through 3.6.
Users should watch their vendor for updated packages which repair these problems.
OpenLDAP2
OpenLDAP2 is an open source implementation of Lightweight Directory Access Protocol (LDAP) tools and servers. Buffer overflows have been found in OpenLDAP2 that can be remotely exploited to execute arbitrary commands on the server. Other locally exploitable problems have also been found.
Users should watch their vendor for an update to OpenLDAP2 and apply it as soon as it is available.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.