Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at a problem with the
Oracle9i Database Server; buffer overflows in XPilot, Tru64 Unix's
dtprintinfo, and the Melange Chat Server; and problems in Snort, Mandrake's
rsync, Raptor Firewall, restricted shells, and the
Informix Web DataBlade.
The Oracle9i Database Server has a vulnerability in the SQL syntax for outer joins that can be used by an attacker to read unauthorized data in the database. Oracle 9 release 9.0.1.x is affected by this vulnerability, but Oracle 8i, Oracle 8, and Oracle 7 are not affected.
Oracle has fixed this vulnerability in Oracle 9i release 2 and has made patches available (bug fix number 2121935) for supported releases of Oracle 9i release 9.0.1.x. Oracle also recommends that all views created before the application of the patch be recompiled after the patch, and that users test the stability of their system prior to deleting any of the files replaced by the patch.
A tool named Fragroute has been released that can hide network attacks from the Snort Intrusion Detection System (IDS) by fragmenting the attack's packets in a very specific way. Linux- and OpenBSD-based firewalls are reported to reassemble the packets so that a Snort IDS inside the firewall will detect the attack. However, many other firewalls will not reassemble the packets.
Affected users should watch for an updated version of the Snort IDS and should attempt to keep Snort or any other IDS as up to date as possible to protect against future attacks.
The XPilot game, a multi-player tactical game for Unix machines running the X Window System, has a buffer overflow in the XPilot server that can be used to execute arbitrary code with the permissions of the user running XPilot.
It is recommended that users upgrade to version 4.5.2 of XPilot as soon as possible.
Mandrake has released a new version of rsync for Mandrake Linux 7.1, 7.2, 8.0, 8.1, Corporate Server 1.0.1, and Single Network Firewall 7.2. This version repairs the problem of rsync not dropping some group permissions, and also fixes zlib-related problems. It should be noted that Mandrake Linux's default configuration is not vulnerable to the group permissions problem in rsync. The Mandrake Linux Security Team recommends that all users upgrade to rsync version 2.5.4.
Some versions of FreeBSD have a memory leak in the routing table that can be used by a remote attacker in a denial-of-service attack that exhausts the machine's memory. FreeBSD 4.5-RELEASE and FreeBSD 4-STABLE from the dates 2001-12-07 09:23:11 UTC through 2002-03-22 16:54:19 UTC are vulnerable.
Users should upgrade to a repaired version of FreeBSD. A suggested workaround is to deny ICMP echo packets using the packet filter.
The Raptor Firewall is vulnerable, under some conditions, to an FTP bounce attack that can be used to scan hosts while hiding the source of the attack. The Raptor Firewall version 6.5.3 for Solaris and the Symantec Enterprise Firewall version 7.0 for Solaris are reported to be vulnerable to this attack.
Symantec recommends that all affected users apply the available hotfix. This hotfix provides an updated and enhanced FTP module that provides configurable logging of potential attacks, and optional strict port checking. Symantec is investigating their other supported platforms and products for a vulnerability to this attack.
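As an added illustration of the strict port checking the hotfix is described as offering (this is example code written for this column, not Symantec's FTP module), the following parses each PORT command a proxy sees on the control channel, rejects any that names a host other than the connecting client (the bounce case), and, in strict mode, any that asks for a privileged port. The session below is constructed.

```python
import ipaddress
import re

# Constructed sample of an FTP control channel as a proxy would see it:
# (client address, raw command).  The third PORT names a third-party host,
# which is the signature of a bounce attempt; the fourth asks for port 22.
SAMPLE_SESSION = [
    ("192.0.2.10", "PORT 192,0,2,10,8,1"),     # own address, port 2049
    ("192.0.2.10", "PORT 192,0,2,10,4,0"),     # own address, port 1024
    ("192.0.2.10", "PORT 198,51,100,7,0,25"),  # bounce: other host, port 25
    ("192.0.2.10", "PORT 192,0,2,10,0,22"),    # own address, privileged port
    ("192.0.2.10", "PORT 192,0,2,10,300,1"),   # malformed: byte out of range
]

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def parse_port(cmd):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (IPv4Address, port); None if malformed."""
    m = PORT_RE.match(cmd)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]   # port is sent as two decimal bytes
    return ip, port


def check_port_command(client_ip, cmd, strict=True):
    """Return 'allow' or a rejection reason for one PORT command from client_ip."""
    parsed = parse_port(cmd)
    if parsed is None:
        return "reject: malformed PORT"
    ip, port = parsed
    # The data connection must go back to the client itself; anything else
    # would let the server be used to reach a third host (an FTP bounce).
    if ip != ipaddress.IPv4Address(client_ip):
        return "reject: bounce (PORT names %s, client is %s)" % (ip, client_ip)
    # Strict port checking also refuses well-known service ports (< 1024).
    if strict and port < 1024:
        return "reject: privileged port %d" % port
    return "allow"


def audit_session(session, strict=True):
    """Evaluate every command of a session; returns (command, verdict) pairs."""
    return [(cmd, check_port_command(ip, cmd, strict)) for ip, cmd in session]
```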
Compaq has announced buffer overflows in the standard C library (libc) and in the dtprintinfo utility on Tru64 Unix. The libc buffer overflow is in the code that handles environment variables, including LOCPATH, and can be exploited to gain additional privileges through set user id or set group id applications that are linked with libc. The dtprintinfo utility is used to open the CDE Print Manager window. As dtprintinfo is installed set user id root, the buffer overflow can be used by a local attacker to gain root permissions.
Compaq recommends that users apply the appropriate patches for their system. Systems that do not use the printing subsystem should consider disabling that subsystem and removing the set user id bits from its associated utilities.
It has been reported that, under some conditions, it is possible to escape from a restricted shell and execute arbitrary commands, including unrestricted shells. The attacker uses rcp to copy a script to a world-writable directory and then uses a remote execution command to run that script and escape the restrictions of their shell. Affected systems may be able to work around this problem with a careful configuration of the r* commands and SSH.
Several problems have been reported in the Informix Web DataBlade: under some circumstances, local users can exploit the Perl scripting feature to execute arbitrary code with the permissions of the user executing the database (often root), an attacker can sometimes inject arbitrary SQL code, and under some additional conditions, an attacker can avoid some user input checks and inject SQL code.
Users should watch IBM for an announcement and fix for these problems. The database should be executed by a user with the minimum permissions needed, and developer access should be restricted to required users. Users should also consider disabling the Perl scripting feature if it is not needed.
The Melange Chat Server is vulnerable to multiple remotely exploitable buffer overflows that can be used to crash the server in a denial-of-service attack and may be exploitable to execute arbitrary code with the permissions of the user executing Melange. Due to several design decisions, Melange is often run with root permissions. A script to automate a denial-of-service attack against Melange has been released.
It is reported that the Melange Chat Server is not under active development. Users should consider replacing Melange with a chat server that is being maintained.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.