Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

Security Alerts: sudo root exploit

07/16/2001

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in sudo, SuSE's dip, Scotty's ntping, and UnixWare's statd; a flaw in FreeBSD's rfork(); two vulnerabilities in Check Point's VPN-1/FireWall-1 firewall products; a new version of the rpm package manager; two vulnerabilities in Macromedia's ColdFusion Server; a minor Apache bug; a brute-force attack against SuSE's AXP Alpha xdm utility; and more on the cfingerd remote vulnerability.

sudo

sudo, a utility that lets administrators grant users the ability to run commands with the privileges of another user or of root, has a buffer overflow that can be exploited to execute arbitrary commands as root. In addition to this buffer overflow, the sudo installation shipped with EnGarde Secure Linux is configured to let members of the "admin" group execute commands as root that can be leveraged into full root access.

It is recommended that sudo be upgraded to version 1.6.3p6 or newer as soon as possible. Users of EnGarde Secure Linux who have users in the "admin" group that should not have full root access should remove sudo or modify the sudo configuration file so that the "admin" group does not have access.

FreeBSD 4.3

A flaw in FreeBSD's rfork() system call can be exploited through shared signal handlers to gain root privileges. This problem can only be exploited by a local user. It was reported to affect FreeBSD 4.3, but may affect earlier versions.

It has been reported that this problem has been fixed in FreeBSD-4.3-current and FreeBSD-4.3-stable in the FreeBSD cvs repository.

VPN-1/FireWall-1

Two vulnerabilities have been reported in Check Point's VPN-1/FireWall-1 firewall products. The first vulnerability involves the use of the Reliable Data Protocol to build a tunnel that can be used to bypass the firewall. The second vulnerability is a denial-of-service attack against a VPN-1/FireWall-1 management station.

Check Point has released hot fixes for these vulnerabilities and users should apply them as soon as possible.

New Version of rpm

Red Hat has released a new version of their package tool rpm. This new version supports version 3 packages and the db1 database format used in Red Hat Linux versions 5.x and 6.x, and the rpm version 4 packages and the db3 database format used in Red Hat Linux 7.x.

Users of Red Hat Linux 5.x and 6.x who choose to install the new version of rpm will need to install the db3 packages and then convert to the db3 database format.

ColdFusion Server

Macromedia has announced two security vulnerabilities in the ColdFusion server. One of the vulnerabilities could allow unauthorized deletion or reading of files, and the other may allow a ColdFusion server template to be overwritten with a zero-byte file. No details about the vulnerabilities have been released. Macromedia reported that versions 2.0 through 4.5.1 SP2 were affected and that version 5 was not.

Macromedia recommends that users of ColdFusion server versions 3.1.1, 4.0, 4.0.1, 4.5, 4.5.1, 4.5.1 SP1, or 4.5.1 SP2 apply the appropriate patch. They warn that users will see a 3% to 8% drop in performance after applying this patch. They also recommend that users of ColdFusion server versions 2.0 or 3.0 upgrade to a more recent release.

SuSE dip

The version of the Dialup IP Protocol Driver dip distributed with SuSE 7.0 has a buffer overflow that could be used by users in the dialout group to obtain root privileges.

Users should remove the set user id bit from dip until a new version has been installed.

Scotty

Scotty is a Tcl extension that is used to build network-management applications. The utility ntping, a ping and traceroute tool, is part of the Scotty package and has a buffer overflow in the code that reads a host name from the command line options. This buffer overflow can be used by a local user to execute arbitrary commands as the root user.

It is recommended that the set user id bit be removed from ntping until a repaired version of the Scotty package can be installed.
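An added audit helper covering two of the recommendations above: the sudo upgrade (version at least 1.6.3p6) and the set-uid workaround for dip and ntping. This is my own shell, not code from the column or from any of the projects; the binary paths /usr/sbin/dip and /usr/bin/ntping are assumed.

```shell
#!/bin/sh
# Added audit helper (not from the column): compare the installed sudo against
# the minimum version recommended above and clear the set-uid bit on dip/ntping.

# Minimum sudo version named in the column.
SUDO_MIN_VERSION="1.6.3p6"

# Turn a sudo version string such as "1.6.3p6" into four integers ("1 6 3 6").
# A release with no "p" suffix gets patch level 0, so 1.6.4 ranks above 1.6.3p6.
sudo_version_parts() {
    set -- $(printf '%s' "$1" | tr 'p.' '  ')
    printf '%d %d %d %d' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# Return 0 when version $1 is at least $2 (default: SUDO_MIN_VERSION), else 1.
sudo_version_ok() {
    a=$(sudo_version_parts "$1")
    b=$(sudo_version_parts "${2:-$SUDO_MIN_VERSION}")
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d' ' -f"$i")
        y=$(printf '%s' "$b" | cut -d' ' -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Workaround for dip and ntping: clear the set-user-id bit on a binary.
# Returns 0 only if the bit is clear afterwards; a missing path returns 1.
strip_setuid() {
    [ -e "$1" ] || { echo "missing: $1" >&2; return 1; }
    if [ -u "$1" ]; then
        chmod u-s "$1" || return 1
        echo "cleared set-uid bit on $1"
    fi
    [ ! -u "$1" ]
}

# Example run. The binary paths are assumed; adjust them for your installation.
if command -v sudo >/dev/null 2>&1; then
    installed=$(sudo -V 2>/dev/null | sed -n '1s/^[Ss]udo version \([0-9][0-9.p]*\).*/\1/p')
    if [ -n "$installed" ] && ! sudo_version_ok "$installed"; then
        echo "sudo $installed is older than $SUDO_MIN_VERSION; upgrade" >&2
    fi
fi
for bin in /usr/sbin/dip /usr/bin/ntping; do
    if [ -e "$bin" ]; then
        strip_setuid "$bin" || echo "could not clear set-uid bit on $bin" >&2
    fi
done
```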

UnixWare's statd

The statd daemon (also known as rpc.statd) that was distributed with UnixWare 7.0 has a buffer overflow that can be used by a remote attacker to execute arbitrary code on the server as root.

Caldera recommends that users upgrade their statd binary as soon as possible.

Minor Apache Bug

A minor bug in the Apache Web server can be used to view the contents of a directory, even when the directory has an index page. This behavior is part of the FancyIndexing module and can be suppressed by adding the directive "IndexOptions +SuppressColumnSorting" to the configuration files.

SuSE AXP Alpha xdm

If xdm is compiled with certain options, it is vulnerable to a trivial brute force attack that can be used by an attacker to calculate the X cookie. It has been reported that the AXP Alpha releases of SuSE are vulnerable to this problem.

As a workaround, it is recommended that the X server on SuSE AXP machines be started with the -nolisten tcp option, or alternatively that port 6000 be filtered with ipchains. Neither workaround protects against an attack by a local user.

cfingerd

This week, three independent exploits were released for the cfingerd remote vulnerability that was announced three months ago. I am not aware of a patch or update that successfully fixes the remote vulnerability in cfingerd. It has been reported that the authors have been unresponsive and may have abandoned the software. Users should consider replacing cfingerd with an alternative application.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.