Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

Java Runtime Environment Vulnerability

03/25/2002

Welcome to Security Alerts, an overview of recent Unix and open source security advisories.

In this column, we look at a local root vulnerability in Webmin; a bug in BSD-based TCP/IP stacks; a vulnerability in the Java Runtime Environment; buffer overflows in listar, Imlib, and Open Unix and UnixWare 7's rpc.cmsd; and problems in Netscape, QPopper, PHP's move_uploaded_file() function, Penguin Traceroute, PHP Net Toolpack, and Mandrake's kdm.

  • Webmin
  • BSD-based TCP/IP
  • Java Runtime Environment Bytecode Verifier
  • listar
  • Netscape
  • QPopper
  • PHP move_uploaded_file()
  • Penguin Traceroute
  • Imlib
  • PHP Net Toolpack
  • Mandrake kdm
  • Open Unix and UnixWare 7 rpc.cmsd
    Webmin

    Webmin, a Web-based system administration interface for Unix, is vulnerable to attacks that can be exploited to log in to Webmin as the root user.

    When Webmin version 0.92-1 is installed from RPM, the /var/webmin directory is created with insecure permissions. These permissions allow any local user to read the Webmin log containing the root user's session cookie ID, which that user can then use to log in to Webmin as root.

    If a user is granted a restricted set of Webmin functions they can, under some conditions, insert code that will read the root user's cookie session ID and permit them to connect to Webmin as root.

    When remote servers are configured in Webmin with auto login enabled, a local user may be able to read the login name and passwords for these remote servers.

    These problems have been repaired in Webmin version 0.93 and it is recommended that users upgrade as soon as possible. If remote servers were configured, users should consider changing their passwords on those servers.

    BSD-based TCP/IP

    There is a bug in the BSD-based TCP/IP networking code that deals with broadcast addresses. This bug could produce a security vulnerability in a network firewall, under some conditions. It has been reported that the bug affects FreeBSD, NetBSD, and OpenBSD. Affected users should watch for updates to FreeBSD, NetBSD, and OpenBSD, and should verify that their firewall rules are performing as expected with broadcast addresses.

    Java Runtime Environment Bytecode Verifier

    Sun has announced that a vulnerability in the Java Runtime Environment's bytecode verifier can be exploited by an untrusted applet to increase its privileges. They also report that Netscape 6.2.1 and earlier and the Microsoft VM (through build 3802) are affected. The vulnerability does not affect the Java 2 SDK, Standard Edition, v 1.4.

    Sun recommends that users upgrade to the latest production release of the Java Runtime Environment.

    listar

    The listar mailing list manager (now renamed to Ecartis) has a buffer overflow in the code that deals with the user input buffers. This buffer overflow may be exploitable to execute arbitrary code with the permissions of the listar user account.

    The Ecartis Core Team recommends that users should upgrade to Ecartis version 1.0.0-snap20020125 or newer as soon as possible, or pull the latest version from the CVS tree.

    Netscape

    Netscape will execute JavaScript contained in comments embedded in GIF89a and JPEG images. This problem is reported to affect Netscape versions 4.76 and earlier.

    It is recommended that users upgrade Netscape or disable JavaScript.
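A defender-side check for this issue, added here as an example and not code from the column or from Netscape: it walks the GIF block structure and flags Comment Extension blocks (label 0xFE) whose text looks like script markup. The 1x1 GIF it builds is constructed for the demonstration; JPEG comment segments would need a separate reader and are not covered.

```python
import re
# Flags GIF Comment Extension blocks (label 0xFE) whose text looks like script.
SCRIPT_RE = re.compile(rb"<\s*script|javascript:", re.IGNORECASE)

def _sub_blocks(data, pos):
    out = bytearray()                         # concatenated data sub-blocks
    while True:                               # each: 1-byte size, then bytes
        size, pos = data[pos], pos + 1
        if size == 0:                         # block terminator
            return bytes(out), pos
        out += data[pos:pos + size]
        pos += size

def gif_comments(data):
    """Return every Comment Extension payload in a GIF, in file order."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    packed = data[10]                         # Logical Screen Descriptor flags
    pos = 13
    if packed & 0x80:                         # skip the global color table
        pos += 3 * (2 << (packed & 0x07))
    comments = []
    while pos < len(data):
        block, pos = data[pos], pos + 1
        if block == 0x3B:                     # trailer
            break
        if block == 0x21:                     # extension: label, then sub-blocks
            label = data[pos]
            payload, pos = _sub_blocks(data, pos + 1)
            if label == 0xFE:
                comments.append(payload)
        elif block == 0x2C:                   # image descriptor (9 bytes)
            lpacked = data[pos + 8]
            pos += 9
            if lpacked & 0x80:                # skip the local color table
                pos += 3 * (2 << (lpacked & 0x07))
            _, pos = _sub_blocks(data, pos + 1)   # +1 skips LZW min code size
        else:
            raise ValueError("unknown block 0x%02x" % block)
    return comments

def suspicious_comments(data):
    return [c for c in gif_comments(data) if SCRIPT_RE.search(c)]

def build_gif(comment):
    """Constructed 1x1 GIF89a carrying one comment block (demo input only)."""
    hdr = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    ext = b"\x21\xfe" + bytes([len(comment)]) + comment + b"\x00"
    img = b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00"
    return hdr + ext + img + b"\x3b"
```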

    QPopper

    A bug in QPopper can be used in a denial-of-service attack. When a string is sent to QPopper that contains more than 2048 characters, the application will consume large amounts of CPU time. This bug is reported to affect versions 4.0.1 and 4.0.3 under Linux. It is not known if the bug affects earlier versions of QPopper.

    Affected users should watch their vendor for a repaired version of QPopper.

    PHP move_uploaded_file()

    The PHP function move_uploaded_file() is not restricted by safe_mode and may be usable to write files to unauthorized locations. It should be noted that this is not a bug; it is a documented feature.

    It has been reported that the move_uploaded_file() function will be modified in the next release of PHP to be aware of safe_mode. Users should consider disabling move_uploaded_file() in their php.ini file.

    Penguin Traceroute

    Penguin Traceroute is a Perl script that provides a Web-based traceroute. The script does not properly filter user input, and can be exploited to execute arbitrary code on the server with the permissions of the user running the Web server.

    It is recommended that users disable the Penguin Traceroute script until it has been repaired.

    Imlib

    Imlib has vulnerabilities that can be exploited by creating images that can crash a viewer and, under some conditions, execute arbitrary code.

    Users should upgrade to version 1.9.13 or newer of Imlib. Red Hat Linux has released errata packages that contain a repaired version of Imlib.

    PHP Net Toolpack

    PHP Net Toolpack provides a Web-based interface to finger, traceroute, and whois. It does not properly check the user input for shell meta-characters, and can be exploited by a remote attacker to execute arbitrary commands on the server with the permission of the user running the Web server.

    It is recommended that users disable these scripts until they have been repaired.

    Mandrake kdm

    The default configuration of the kdm display manager in Mandrake Linux 7.1, 7.2, 8.0, and Corporate Server 1.0.1 allows XDMCP connections from any host. This can be used by a remote user to access a login screen that can be used to list users on the system and to bypass access control methods (such as tcpwrappers and root login restrictions). Mandrake Linux 8.1, 8.2, and systems not running kdm are not vulnerable.

    Mandrake recommends that users edit the file /etc/X11/xdm/Xaccess and change the line that reads:

        *  CHOOSER BROADCAST      #any indirect host can get a chooser

    to:

        #*  CHOOSER BROADCAST      #any indirect host can get a chooser
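An added example, not from the column or from Mandrake, that audits an Xaccess file for the open chooser entry regardless of spacing or trailing comments and produces the commented-out form the advisory recommends. The sample file is constructed to resemble the Mandrake default, and the entry grammar assumed is the simple "pattern" / "pattern CHOOSER ..." form with "*" meaning any host.

```python
import re

# Xaccess entry shapes (subset): "pattern" grants direct XDMCP queries,
# "pattern CHOOSER ..." grants indirect queries via the chooser, "!" negates,
# and "*" matches every host.
ENTRY_RE = re.compile(r"^(!?)(\S+)(?:\s+(CHOOSER)\b.*)?$")

def parse_xaccess(text):
    """Yield (line_no, negated, pattern, indirect) for each active entry."""
    for num, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()       # drop comment and whitespace
        m = ENTRY_RE.match(entry) if entry else None
        if m:
            yield num, m.group(1) == "!", m.group(2), m.group(3) is not None

def open_chooser_lines(text):
    """Line numbers of entries that let any host reach the chooser."""
    return [n for n, neg, pat, ind in parse_xaccess(text)
            if ind and not neg and pat == "*"]

def harden(text):
    """Comment out the open chooser entries, as the advisory recommends."""
    bad = set(open_chooser_lines(text))
    lines = text.splitlines()
    return "\n".join("#" + l if i in bad else l
                     for i, l in enumerate(lines, 1)) + "\n"

# Constructed sample in the shape of the Mandrake default, not a real file.
SAMPLE = """\
*                      #any host can get a login window
*   CHOOSER BROADCAST   #any indirect host can get a chooser
"""
```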

    Open Unix and UnixWare 7 rpc.cmsd

    The rpc.cmsd daemon distributed with Open Unix and UnixWare 7 is vulnerable to a buffer overflow that can, under some conditions, be exploited by a remote attacker to execute arbitrary code on the server with root permissions.

    Caldera recommends that users upgrade to the repaired versions of rpc.cmsd as soon as possible.

    Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


    Copyright © 2009 O'Reilly Media, Inc.