Device-Driver Trouble
by Noel Davis, 07/13/2004
Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in the Linux kernel, Apache
2, the Linux Virtual Server, Pure-FTPd, FreeBSD's Linux binary compatibility
mode, Domino, Shorewall, libpng, and the X Display Manager.
- Linux Kernel Problems
- Apache 2
- Linux Virtual Server
- Pure-FTPd
- FreeBSD Linux Binary Compatibility Mode
- Domino
- Shorewall
- libpng
- X Display Manager (XDM)
Linux Kernel Problems
Problems in multiple device drivers may be exploitable by a local attacker
to gain root permissions or read kernel memory. Affected drivers include aironet,
asus_acpi, decnet, mpu401, msnd, and pss.
Under some circumstances, a missing check in the fchown() function can be abused
by a local user to change the ownership of files that the local user does not
have the permissions to change. It may be possible to exploit this problem and
gain root permissions.
A permissions problem with the file /proc/scsi/qla2300/HbaApiNode may be exploited in a local denial-of-service attack.
Users should upgrade to repaired kernel packages supplied by their vendors.
Apache 2
The Apache 2.x line of web servers is vulnerable to a remote denial-of-service attack that, under some conditions, may be exploitable as a buffer overflow resulting in the execution of arbitrary code with the same permissions as the web server. The attack uses header lines that start with a tab or a space character to exploit a flaw in a function located in the server/protocol.c file. On 32-bit machines, this flaw can be exploited to use all available memory, causing Apache to stop responding and possibly crashing the machine. Under some conditions on a 64-bit machine with 4GB or more of virtual memory, a related buffer overflow may be exploitable to execute arbitrary code. The 1.3.x line of Apache web servers is reported to not be vulnerable.
This vulnerability has been fixed in Apache 2.0.50 and all users are encouraged to upgrade as soon as possible. There is no reported workaround for this vulnerability.
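As an added illustration (not code from this column or from the Apache project), the following Python check parses a raw HTTP/1.x request, merges folded continuation lines (those beginning with a space or tab) into the preceding header, and rejects any request whose continuation count exceeds an assumed local policy limit. A front-end proxy or a log-replay script could apply the same rule to spot the malformed requests described above; the limit value and sample requests are constructed for the example.

```python
# Added example (not from the column or the Apache project): reject requests
# that carry an excessive number of folded header lines. Lines starting with a
# space or tab continue the previous header; the limit below is an assumed
# local policy value, not an Apache directive.
MAX_CONTINUATIONS = 8


def parse_headers(raw: bytes):
    """Return (request_line, headers, continuation_count) for an HTTP/1.x head.
    Continuation lines are appended to the preceding header value; a
    continuation before any header is a ValueError."""
    text = raw.decode("iso-8859-1")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = {}
    last = None
    continuations = 0
    for line in header_lines:
        if line[:1] in (" ", "\t"):
            if last is None:
                raise ValueError("continuation line before first header")
            continuations += 1
            headers[last] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            headers[last] = value.strip()
    return request_line, headers, continuations


def check_request(raw: bytes, limit: int = MAX_CONTINUATIONS) -> bool:
    """True if the request parses and stays within the continuation limit."""
    try:
        _, _, count = parse_headers(raw)
    except ValueError:
        return False
    return count <= limit


# Constructed sample requests, not captured traffic.
NORMAL = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
          b"User-Agent: Mozilla/5.0\r\n (compatible)\r\n\r\n")
FOLDED = (b"GET / HTTP/1.1\r\nHost: example.test\r\nX-A: x\r\n"
          + b"\tmore\r\n" * 20 + b"\r\n")

if __name__ == "__main__":
    print(check_request(NORMAL), check_request(FOLDED))
```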
Linux Virtual Server
The Linux Virtual Server modifies the Linux kernel to provide virtual servers
that run under one kernel but have virtual user spaces with their own password
files and root logins. A flaw in the way the procfs filesystem was handled in
virtual server spaces has been discovered. The flaw allows users in one virtual
space to make changes (to permissions, ownership, etc.) to the procfs that would
apply throughout all of the virtual spaces and the host system. The procfs file
system is a virtual file system in the Linux kernel that only exists in memory
and allows userland applications access to certain information from the kernel.
Affected users of the Linux Virtual Server should upgrade to Version 1.28 as
soon as possible or, as a workaround, mount the procfs filesystem read-only on
the host system.
Pure-FTPd
Pure-FTPd is an open source FTP daemon designed to be secure, reliable, and
compliant with the FTP standard. It is based upon the Troll-FTPd server. The
Pure-FTPd FTP daemon is vulnerable to a denial-of-service attack that uses a bug
in the accept_client() function. When the maximum number of connections has been
reached on the FTP server, the attacker can cause Pure-FTPd to crash.
Version 1.0.19 of Pure-FTPd has been released to repair this vulnerability.
FreeBSD Linux Binary Compatibility Mode
Linux binary compatibility mode provides FreeBSD with the capability to execute Linux binaries without having to recompile them. Bugs in the way that multiple Linux system calls are handled may be exploitable by an attacker to read or write portions of kernel memory, resulting in a denial-of-service condition, the gaining of root permissions, or an information disclosure.
It is recommended that the Linux binary compatibility mode be disabled until it has been upgraded or patched to a repaired version.
Domino
It has been reported that any user of IBM's Domino application server can, under some conditions, change their quota limits to any arbitrary value by exploiting a flaw in Domino's IMAP support. The Domino server and the user's email account must have IMAP enabled before this attack can take place.
Users should watch IBM for a solution to this problem.
Shorewall
Shorewall, a tool for configuring the Linux kernel firewall Netfilter, is vulnerable to a symbolic-link temporary-file race condition that can be exploited by a local attacker to overwrite arbitrary files on the server with root permissions.
Affected users should upgrade to version 1.4.10f or newer as soon as possible.
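To show the class of bug behind the Shorewall advisory, here is an added Python example (not Shorewall's own code) with the vulnerable temporary-file pattern beside its hardened form: a root-run script that writes to a predictable name in a world-writable directory can be redirected to any file a local user has already linked under that name, whereas mkstemp() creates a randomly named file exclusively with mode 0600. The file names are constructed, and the simulation runs entirely inside a private temporary directory.

```python
# Added example, not Shorewall's own code: the temp-file pattern behind a
# symlink race, beside a hardened version (file names are constructed).
import os
import stat
import tempfile

PREDICTABLE = "shorewall.tmp"  # fixed name a local user can guess and pre-link

def write_temp_unsafe(directory: str, content: bytes) -> str:
    """Vulnerable pattern: fixed name; open() follows an existing symlink."""
    path = os.path.join(directory, PREDICTABLE)
    with open(path, "wb") as f:
        f.write(content)
    return path

def write_temp_safe(directory: str, content: bytes) -> str:
    """Hardened: mkstemp() picks a random name and creates it O_CREAT|O_EXCL
    with mode 0600, so a pre-planted link is never followed."""
    fd, path = tempfile.mkstemp(prefix="shorewall.", dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(content)
    except BaseException:
        os.unlink(path)
        raise
    return path

def simulate(directory: str) -> dict:
    """In an isolated directory, link the predictable name to a 'victim' file,
    run both writers, and report what each did to the victim."""
    victim = os.path.join(directory, "victim.conf")
    with open(victim, "wb") as f:
        f.write(b"original\n")
    os.symlink(victim, os.path.join(directory, PREDICTABLE))
    write_temp_unsafe(directory, b"clobbered\n")
    safe_path = write_temp_safe(directory, b"safe\n")
    with open(victim, "rb") as f:
        victim_now = f.read()
    st = os.lstat(safe_path)
    return {
        "unsafe_overwrote_victim": victim_now == b"clobbered\n",
        "safe_overwrote_victim": victim_now == b"safe\n",
        "safe_file_is_private": stat.S_ISREG(st.st_mode)
        and stat.S_IMODE(st.st_mode) == 0o600,
    }

def run_simulation() -> dict:
    with tempfile.TemporaryDirectory() as d:
        return simulate(d)
```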
libpng
The libpng graphics library provides support for Portable Network Graphics (PNG)
images. libpng contains buffer overflows in code that handles loop offset values
and in code that handles grayscale images. These buffer overflows can, under
some conditions, be exploitable to execute arbitrary code with the permissions
of the application linked against libpng (sometimes root). Applications commonly
linked against libpng include apache, blender, cups, emacs, gd, gif2png, gimp,
gnuplot, gqview, gtk2, imagemagick, imlib, latex2html, lbreakout, libwmf, mplayer,
netpbm, php, php3, php5, povray, pstoedit, scribus, transfig, webalizer, wv,
xplanet, and xv.
All users should upgrade to a repaired version of libpng as soon as possible.
X Display Manager (XDM)
Some versions of the X Display Manager will allow users to log in even when
it is configured to not allow remote logins (i.e., DisplayManager.requestPort is
set to 0). The attacker must have access to a local account before they can
connect. Many older versions of XDM will not be vulnerable to this problem,
but it is not clear in which version the bug was introduced.
Affected users should watch their vendors for an updated version of XDM.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.