Buffer Overflows in sendmail
by Noel Davis, 03/11/2003
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in sendmail, BIND, Snort, file, tcpdump, zlib, terminal emulators, Internet Message, Messaging in the Emacs World, and lprm.
- sendmail
- BIND
- Snort
- file
- tcpdump
- zlib
- Terminal Emulators
- Red Hat Internet Message and Messaging in the Emacs World
- OpenBSD lprm
sendmail
sendmail is vulnerable to a buffer overflow in the code that parses email message headers. This buffer overflow can be exploited by a remote attacker using a carefully crafted email message and can result in the execution of arbitrary code, with root permissions in most cases. The attack against sendmail can be carried out even against machines that do not directly connect to outside networks if the email message is passed to a vulnerable machine by another mail transfer agent. A successful attack is reported to not leave any record in the system logs.
Systems that are not running sendmail in daemon mode (-bd) may still be vulnerable to this buffer overflow under some conditions. Because of this, users should ensure that old or unpatched copies of sendmail that carry set-user-ID or set-group-ID bits are removed.
Sendmail, Inc., and the sendmail Consortium recommend that users of an open source version of sendmail upgrade to sendmail 8.12.8 as soon as possible. For those who are unable to upgrade to 8.12.8, patches are reported to be available for versions 8.9, 8.10, 8.11, and 8.12 of sendmail. Users not running an open source version of sendmail should watch their vendor for an updated version.
Repaired versions of sendmail will write the line "Dropped invalid comments from header address" when an email message with an invalid header has been dropped. This may or may not indicate an attack on the system.
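A small log check built around that marker line, as an added example that is not from the column: it pulls every "Dropped invalid comments" event out of a maillog and joins it by queue ID to the relay that handed sendmail the message, so a burst of dropped headers from one relay stands out. The syslog line layout and the sample maillog entries are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample maillog lines (not from the column). The syslog
# prefix layout "<ts> <host> sendmail[<pid>]: <qid>: <msg>" is an
# assumption; the marker text is the one the column quotes.
SAMPLE_MAILLOG = """\
Mar 11 09:12:01 mx1 sendmail[4412]: h2BEC1Xx004412: from=<alice@example.com>, size=1043, nrcpts=1, proto=ESMTP, relay=mail.example.com [192.0.2.10]
Mar 11 09:12:01 mx1 sendmail[4412]: h2BEC1Xx004412: Dropped invalid comments from header address
Mar 11 09:13:44 mx1 sendmail[4420]: h2BEDiXx004420: from=<bob@example.net>, size=2210, nrcpts=1, proto=ESMTP, relay=[198.51.100.7]
Mar 11 09:15:09 mx1 sendmail[4431]: h2BEF9Xx004431: from=<carol@example.org>, size=987, nrcpts=1, proto=SMTP, relay=[203.0.113.5]
Mar 11 09:15:09 mx1 sendmail[4431]: h2BEF9Xx004431: Dropped invalid comments from header address
"""

MARKER = "Dropped invalid comments from header address"

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): (?P<msg>.*)$"
)
RELAY_RE = re.compile(r"relay=(?P<relay>[^,\s]+(?: \[[^\]]+\])?)")

def find_dropped_headers(log_text):
    """One record per marker line, joined by queue ID to the relay that
    handed sendmail the message (the 'from=' line for the same queue ID)."""
    relay_by_qid = {}
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, msg = m.group("qid"), m.group("msg")
        if msg.startswith("from="):
            r = RELAY_RE.search(msg)
            relay_by_qid[qid] = r.group("relay") if r else "unknown"
        elif MARKER in msg:
            events.append({"ts": m.group("ts"), "host": m.group("host"),
                           "qid": qid,
                           "relay": relay_by_qid.get(qid, "unknown")})
    return events

def relays_by_event_count(events):
    """Relays ranked by how many dropped-header events they produced."""
    return Counter(e["relay"] for e in events).most_common()

if __name__ == "__main__":
    evs = find_dropped_headers(SAMPLE_MAILLOG)
    print(evs, relays_by_event_count(evs))
```

As the column notes, a hit only means a malformed header was dropped; the relay ranking is there to help decide whether a pattern of them deserves a closer look.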
BIND
The Internet Software Consortium (ISC) has released BIND version 9.2.2. The ISC security web page states: "ISC has discovered or has been notified of several bugs, which can result in vulnerabilities of varying levels of severity in BIND as distributed by ISC." ISC strongly recommends that users upgrade.
Snort
The network intrusion detection system Snort has a buffer overflow in the RPC normalization code that can be exploited using carefully crafted network packets, resulting in the execution of arbitrary code with root permissions. Versions of Snort from 1.8 through 1.9.0 are reported to be vulnerable. The RPC normalization code was added to help detect attacks that were attempting to hide from the intrusion detection system using fragmented RPC traffic.
It is recommended that users upgrade to version 1.9.1 of Snort as soon as possible. If it is not possible to upgrade, users should comment out the line "preprocessor rpc_decode" in the file snort.conf.
file
file, a command-line utility used to identify and display the type of a file based on a system magic file, is vulnerable to a local attack using a specially constructed data file that, when identified with the file utility, will execute arbitrary code with the permissions of the user running file. Versions of the file utility through version 3.39 have been reported to be vulnerable. A script to generate an exploit data file has been released to the public.
Users should upgrade to file version 3.41 or newer, or watch their vendor for an updated package.
tcpdump
The network sniffer tcpdump is vulnerable to a denial-of-service attack using ISAKMP packets (UDP port 500). One possible use of this vulnerability by an attacker is to prevent the monitoring of other attacks. This vulnerability has been reported in tcpdump versions 3.6, 3.6.3, and 3.7.1.
It is recommended that users filter packets with a destination of port 500 until tcpdump has been patched.
zlib
The function gzprintf() supplied with the zlib library has a buffer overflow. It may be exploitable to execute arbitrary code with the permissions of the user running any application that is linked to the library and uses the function.
Users should upgrade to zlib 1.1.4 or watch their vendor for updated packages.
Terminal Emulators
Several terminal emulators have a set of features that can be abused by an attacker. For example, the terminal emulator Eterm can be used to create files on the victim's system, execute arbitrary commands, or to trick the user into changing the window title. Terminal emulators reported to be vulnerable to features such as this include: Eterm, xterm, rxvt, dtterm, uxterm, aterm, putty, gnome-terminal, and hanterm-xf. KDE's konsole, Gnome's gnome-terminal, Vandyke's SecureCRT, and Sasha Vasko's aterm are reported to be unaffected by this problem.
It is recommended that users watch their vendor for updated packages of affected terminal emulators and that extra care be taken when viewing files that may have untrusted data in them. Users should consider using KDE's konsole, Gnome's gnome-terminal, Vandyke's SecureCRT, or Sasha Vasko's aterm as their terminal emulator.
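One defensive measure for the "extra care" advice above, as an added example that is not part of the column: a filter that strips the control sequences a terminal acts on (title-setting OSC sequences, CSI sequences, other ESC sequences and stray control bytes) from untrusted text before it is written to a terminal, and reports how many it removed so a viewer can flag files that carried any. The regexes and the sample input line are constructed.

```python
import re

# Constructed patterns for the families of control sequences a terminal
# acts on (added example, not from the column):
#   OSC   ESC ] ... BEL | ESC \   window title and other emulator commands
#   CSI   ESC [ params final      cursor movement, colours, and more
#   ESC   ESC + one byte          e.g. full terminal reset
OSC_RE = re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
ESC_RE = re.compile(r"\x1b[@-~]")
# Remaining C0 control bytes (including a lone ESC), keeping tab, LF, CR.
C0_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

def scan(text):
    """Return (clean_text, counts): the text with every control sequence
    removed, and how many of each family were stripped. Order matters:
    OSC and CSI bodies go first, then any bare ESC pair, then leftovers.
    An unterminated OSC loses only its ESC ] prefix, so its payload is
    shown as plain text rather than executed by the emulator."""
    counts = {}
    for name, rx in (("osc", OSC_RE), ("csi", CSI_RE),
                     ("esc", ESC_RE), ("c0", C0_RE)):
        text, n = rx.subn("", text)
        counts[name] = n
    return text, counts

# Constructed untrusted input: a log-style line carrying a title-setting
# OSC sequence, SGR colour codes and a reset sequence, as a file you might
# 'cat' could.
SAMPLE = ("Mar 11 10:02:13 host app[77]: user login ok "
          "\x1b]0;nothing to see here\x07"
          "\x1b[31mALERT\x1b[0m \x1bc end\n")

if __name__ == "__main__":
    clean, counts = scan(SAMPLE)
    print(repr(clean), counts)
```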
Red Hat Internet Message and Messaging in the Emacs World
The Internet Message (IM) packages distributed with Red Hat Linux 7, 7.1, and 7.2 and the Messaging in the Emacs World (Mew) packages distributed with Red Hat Linux 7.3 and 8.0 are vulnerable to a symbolic-link race-condition attack. This vulnerability can be exploited by a local attacker to overwrite arbitrary files on the system with the permissions of the user running IM or Mew.
Affected users should upgrade to repaired packages as soon as possible.
OpenBSD lprm
The lprm utility under OpenBSD has a buffer overflow that may be exploitable to execute arbitrary code with the permissions of the user that lprm is running under (often root). A script to automate the exploitation of this vulnerability has been released. It is not known at this time whether this buffer overflow affects other BSD distributions. Note that starting with OpenBSD 3.2, lprm is installed set-user-ID daemon rather than root.
lprm should be patched as soon as possible. On systems where the printing subsystem is not being used, users should consider removing it.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.