CUPS Vulnerabilities
by Noel Davis
01/13/2003
Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at buffer overflows in
libmcrypt, HSphere Webshell, HTTP Fetcher Library, LCDproc, and
UnixWare and Open UNIX's ps; and problems in the Common Unix Printing
System, BitKeeper, FreeBSD's fpathconf(), S-PLUS, dhcpcd, leafnode,
and Middleman.
- Common Unix Printing System
- BitKeeper
- FreeBSD fpathconf()
- libmcrypt
- S-PLUS
- dhcpcd
- HSphere Webshell
- HTTP Fetcher Library
- leafnode
- LCDproc
- Middleman
- UnixWare and Open UNIX ps
Common Unix Printing System
The Common Unix Printing System (CUPS) is vulnerable to a collection of problems that a remote or local attacker can use to cause a denial of service, execute arbitrary code, and, under some conditions, obtain root access to the system. These vulnerabilities include a file race condition, a bug that can be used to add printers remotely, a buffer overflow in code that handles images, a buffer overflow in the HTTP interface, and additional vulnerabilities.
It is recommended that users upgrade to CUPS version 1.1.18 as soon as possible. SuSE has released updated CUPS packages that repair these problems.
BitKeeper
BitKeeper, a source-code management system, is vulnerable to a remote attack that can, under some conditions, be used to execute arbitrary shell commands on the server with the permissions of the user running BitKeeper. In addition, there is a symbolic-link race condition on a temporary file that can be used to gain control over BitKeeper.
Users should watch for an updated version of BitKeeper and should consider not running it in daemon mode until it has been repaired.
FreeBSD fpathconf()
A bug in the fpathconf() function call under FreeBSD can improperly
increment a file descriptor's reference count. The increased
reference count can be used by a local attacker in a denial-of-service
attack and, under some conditions, can allow the attacker unauthorized
access to privileged files.
It has been reported that a patch has been released for FreeBSD 4.4, 4.5, 4.6, and 4.7 kernels.
libmcrypt
libmcrypt is an encryption library used by mcrypt. mcrypt is a
replacement for the crypt utility that supports the encryption
algorithms Blowfish, Twofish, DES, TripleDES, 3-WAY, SAFER, LOKI97,
GOST, RC2, RC6, MARS, IDEA, RIJNDAEL, SERPENT, CAST, ARCFOUR, and WAKE.
libmcrypt is vulnerable to several buffer overflows and a memory leak.
Affected users should upgrade to libmcrypt 2.5.5 as soon as possible.
S-PLUS
S-PLUS, a tool for "exploratory data analysis and statistical modeling," is vulnerable to a symbolic-link race condition in its temporary files that can be used by a local attacker to overwrite arbitrary files on the system with the permissions of the user running S-PLUS.
Users should watch for an update that repairs the race condition.
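The symbolic-link race on temporary files reported here for S-PLUS, and earlier for BitKeeper, comes down to opening a predictable path in a way that follows a link someone else planted there. The C program below is an added illustration, not code from either product; the file names and the helpers `open_tmp_unsafe`, `open_tmp_safe`, `file_size` and `demo_symlink_race` are constructed for the example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: predictable name, no O_EXCL. open() follows a symlink planted
 * at `path`, so the link's target is truncated with the caller's permissions. */
static int open_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL makes open() fail if anything, including a
 * symlink, already exists at `path`. mkstemp() does this with a random name. */
static int open_tmp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario in a private scratch directory: a symlink already sits
 * at the temp name and points at "victim". Returns a bitmask:
 * bit 0 = safe opener refused and victim kept its 10 bytes,
 * bit 1 = unsafe opener succeeded and truncated victim to 0 bytes. */
int demo_symlink_race(void) {
    char dir[] = "/tmp/symrace.XXXXXX", victim[64], tmp[64];
    int result = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/app.tmp", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important\n", f); fclose(f);
    if (symlink(victim, tmp) != 0) return -1;
    fd = open_tmp_safe(tmp);            /* run first, while victim is intact */
    if (fd < 0 && file_size(victim) == 10) result |= 1;
    if (fd >= 0) close(fd);
    fd = open_tmp_unsafe(tmp);          /* follows the link into victim */
    if (fd >= 0) { close(fd); if (file_size(victim) == 0) result |= 2; }
    unlink(tmp); unlink(victim); rmdir(dir);
    return result;
}

int main(void) { printf("result mask: %d\n", demo_symlink_race()); return 0; }
```

A result mask of 3 means the `O_EXCL` open refused the pre-existing link and left the target untouched, while the plain open wrote through it.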
dhcpcd
The DHCP daemon dhcpd may, under some circumstances, be exploitable by a
remote attacker to execute arbitrary shell commands on the system with
the permissions of the user running the daemon. This
vulnerability is due to insufficient input validation by the script
/sbin/dhcpd-<interface>.exe. This script is not installed by
default in any known distribution.
Affected users should remove or disable the
/sbin/dhcpd-<interface>.exe script until it has been replaced by a
secure version.
HSphere Webshell
HSphere Webshell is a Web-based front end for FTP that runs with root permissions so that it can access the shadow file to authenticate users. Webshell is vulnerable to a buffer overflow that can be used by a remote or local attacker to execute arbitrary code with root permissions. The buffer overflow is reported to affect HSphere Webshell 20020224 and may also affect earlier releases. Both a local and a remote automated exploit for this vulnerability have been released.
All users of Webshell should upgrade to version 2.4 or newer as soon as possible and should consider disabling it until it can be upgraded.
HTTP Fetcher Library
The HTTP Fetcher library has several buffer overflows that may, under
some conditions, be exploitable by a remote attacker to execute
arbitrary code. The file download utility fetch is reported to be
affected by this vulnerability.
Users should disable fetch and any other application linked against
HTTP Fetcher until it has been repaired and the applications
recompiled or replaced with a safe version.
leafnode
leafnode, a proxy server for Usenet news, has a bug that can be used
as part of a denial-of-service attack against the system.
It is suggested that users upgrade leafnode to version 1.9.30 or
1.9.31.
LCDproc
LCDproc is used to display real-time system data on an LCD display. LCDproc is vulnerable to several buffer overflows that may be usable in a denial-of-service attack or to execute arbitrary code with the permissions of the user running the software (often root or another privileged account). The buffer overflows are reported to only affect version 0.4 of LCDproc. An automated exploit of this problem has been released.
Affected users can upgrade to version 0.4.3 (which appears to repair the buffer overflows) or downgrade to version 0.3.
Middleman
The proxy server Middleman is vulnerable to an off-by-one attack that may be exploitable by a remote attacker to execute arbitrary code with, in most cases, root permissions.
Users should watch for a repaired version and should consider running Middleman under an unprivileged user account or configuring it to drop unneeded permissions after starting up.
UnixWare and Open UNIX ps
The ps command distributed with UnixWare 7.1.1 and Open UNIX 8.0.0 has
a buffer overflow that can be exploited by a local attacker to execute
code with increased permissions.
SCO recommends that users upgrade their ps command as soon as
possible.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.