Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)
 See this if you're having trouble printing code examples


Security Alerts

Problems with Pine and Stunnel

01/07/2002

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a problem with the Pine mail client; buffer overflows in Mutt, awhttpd, and BOOZT! Standard; and problems in Stunnel, the Linux Encrypted Loop Back Device, Rwhoisd, Exim, gpm, and Mailman.

Pine

There is a vulnerability in Pine's URL-handling code that can be exploited by a remote attacker to execute arbitrary commands with the permissions of the user executing Pine, and could, under some circumstances, be used as part of a worm-style attack. This vulnerability varies in severity based on the habits of the user running Pine, as it requires that the user view URLs from within Pine. Versions 4.21 and 4.33 are known to be vulnerable, but all versions through 4.43 are suspected to be vulnerable.

It is recommended that users not use the view URL feature in Pine until it has been patched.

Stunnel

Stunnel, an SSL wrapper that can be used as a client or as a server, has format-string bugs that may be used by an attacker to execute code with the permissions of the user running Stunnel, if the user is using the SMTP, POP, or NNTP client negotiations. It has been reported that the vulnerable versions of Stunnel are versions 3.15 through 3.21c.

It is recommended that affected users upgrade to version 2.22 or higher of Stunnel and that whenever possible, Stunnel be executed as a unprivileged user by using the -s option or starting it as an unprivileged user.

Encrypted Loop Back Device

A problem has been found in the encrypted loop-back device under Linux that can be used by a local attacker to modify the data stored in the device without being detected. To exploit this problem, the attacker must have the Unix file system permissions to write to the file system, either by being root or by having write access as a normal user. The attack can be used to corrupt the encrypted data as a denial-of-service attack, or can be used to gain information that may be used to recover the encryption key.

Users of encrypted loop-back devices should keep in mind that encrypting a disk protects from an attacker mounting the disk and reading unencrypted data from it, but is not a complete protection against other types of attack.

Rwhoisd

The Rwhoisd RWHOIS daemon developed by Network Solutions Inc. has several format-string vulnerabilities that can be exploited, under some circumstances, by a remote attacker to execute arbitrary code with the permissions of the user executing Rwhoisd. The variable use-syslog must be set to YES (the default value) before an attacker can exploit these vulnerabilities.

Users of Network solutions' Rwhoisd should set the variable of use-syslog to NO and should watch for an updated daemon.

Exim

The Exim Message Transfer Agent has a bug that under some circumstances can be used by an attacker to execute arbitrary code with the permissions of the user executing Exim. The bug cannot be exploited unless Exim is configured in a manner that allows a mail message to be sent to a pipe without any local address verification. An example of this type of configuration is one in which all mail is piped to a virus detector.

It is recommended that users of Exim upgrade to version 3.34, 3.952, or newer as soon as possible.

Mutt

Mutt, a popular mail package, has a buffer overflow that can be exploited by a remote attacker to execute arbitrary code with the permissions of the user executing Mutt. The buffer overflow is in Mutt's address-handling code.

The maintainers of Mutt recommend that users upgrade to the latest BETA version of Mutt version 1.2.5, or upgrade to the latest stable version of Mutt, version 1.2.5.1, which fixes the buffer overflow but does not fix all the bugs that are fixed in the beta version.

gpm

The set user id root gpm-root application that is distributed with the gpm package has a format-string vulnerability that can be exploited to gain root access.

The format-string vulnerability has been fixed in version 1.17.8-18.1, and it is recommended that users upgrade as soon as possible. If it is not possible to upgrade, the set user id bit should be removed from gpm-root until it has been updated.

awhttpd

awhttpd is a simple, single-process Web server that was written to be secure and robust. Versions of awhttpd earlier than 2.2.1 have several vulnerabilities that include a local denial-of-service vulnerability and several buffer overflows that may be usable to execute arbitrary code with the permissions of the user running awhttpd.

Users of awhttpd should upgrade to version 2.2.1 or newer as soon as possible.

Mailman

Mailman, a mailing list manager, has cross-site scripting bugs that can be exploited by an attacker to obtain private information from other Mailman users and possibly gain access to the user's authentication cookies.

It is recommended that users of Mailman upgrade to version 2.0.8 or newer.

BOOZT! Standard

The BOOZT! Standard banner advertisement management system has a buffer overflow that may be exploitable by a remote attacker to execute arbitrary code as the user that is executing the Web server. It is not known if this problem also affects the BOOZT! Premium product.

Users of BOOZT! Standard and Premium should contact Boozt for a patch or update to fix the buffer overflow, and should consider restricting which hosts can contact BOOZT! with a firewalling product.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


Read more Security Alerts columns.

Return to the Linux DevCenter.

Copyright © 2009 O'Reilly Media, Inc.