Welcome to Security Alerts, an overview of recent Unix and open source security advisories.
In this column, we look at the Linux Slapper
worm; a large set of vulnerabilities in NetBSD; and problems in
libX11.so, OS X's
joe, BRU Workstation,
xbreaky, and Tru64/OSF1 version 3.x.
A network worm written to attack Linux machines running Apache is
spreading. The worm uses vulnerabilities in the OpenSSL library (see
below), used by
mod_ssl, to spread. After breaking into a machine using
the vulnerability in OpenSSL, the worm installs a distributed denial-of-service attack client on the machine and then starts to scan for other
There are four buffer overflows in the OpenSSL library that can be remotely exploited to execute arbitrary code or used in a denial-of-service attack against the application linked to the library.
Users should upgrade their OpenSSL library to version 0.9.6e or newer as soon as possible.
libX11.so library can, under some conditions, be manipulated into
opening user-controlled libraries while executing a set user id
application. Under some circumstances, this can be exploited to gain
It is recommended that users upgrade to a repaired version of the
libX11.so library as soon as possible. SuSE has released a new
package that repairs this problem.
Three buffer overflows have been reported that affect applications
distributed with Tru64/OSF1 version 3.x. The buffer overflows are in
uucp, the mail utility
dxterm. They are reported to be
exploitable by local attackers to gain root level access.
HP recommends that all users upgrade to Tru64 Unix V5.1 and apply all of the recommended patches. Removing the set user id bits from these three applications will protect against an attack, but will cause problems in their operation.
The OS X
nidump utility is reported to be usable by any user to
get a listing of the encrypted passwords on the system. The user
could then attempt to brute force the passwords using a password
Affected users can change the permissions on the
nidump utility so that a
restricted set of users are the only ones able to use it (perhaps just
IBM's DB4Web product can be manipulated into making arbitrary TCP/IP connections and may, under some circumstances, be used as a port scanner. When DB4Web connects to an improper host and port, it generates an error page that, in addition to other information, tells if the connection was made or not.
Users of DB4Web should modify the default error page in such a way that it is no longer useful as a port scanner.
In addition, the DB4Web product can be exploited to view arbitrary files on the host.
IBM has released a patch for this problem and recommends that users apply it as soon as possible.
When a file that has the set user id bit set in its permissions is
joe, a backup copy will be made that has the same
permissions but is owned by the user executing
joe. It is hard to see
this as being a very large problem, unless it is combined with a successful
social engineering attack on a system that allows set user id shell
scripts. It does, however, illustrate one of the harder parts of writing
secure code: thinking of everything.
This problem has been repaired in
joe's CVS repository and concerned
users should upgrade.
The NetBSD Security Officer has announced a large number of security vulnerabilities that have been fixed in NetBSD 1.6.
These security problems include: there is a buffer overrun in the
libc/libresolv DNS resolver; repeated
TIOCSCTTY ioctl can corrupt
session hold counts; there are multiple vulnerabilities in the OpenSSL code; there is a
symlink race in
pppd; the Sun RPC XDR decoder contains a buffer overflow; there is a
buffer overrun in
setlocale; there is a bug in the NFS server code that allows
remote denial of service; there is a
fd_set overrun in both
mbone tools and
shutdown on a TCP socket does not work as intended; and there multiple
security issues with
kfd daemon. They also state that there are
security problems that are fixed in NetBSD 1.6 that have not been
announced that "involve third parties, and are awaiting disclosure
The NetBSD Security Officer recommends that users upgrade to NetBSD
1.6. Users who cannot upgrade should upgrade to the current
NetBSD-1.5 source, using
anoncvs, and then rebuild. Users of
NetBSD-current should upgrade to a version newer that September 11,
2002 and then rebuild. Once the system has been upgrade users must:
recompile all statically linked binaries, remove old shared libraries,
remove shared libraries used for OS emulation under
/emul, and insure
that a vulnerable version of
kfd is not installed on the system. More
details on these problems and their solutions are available from http://www.netbsd.org/Security/.
BRU Workstation, a backup and restore tool, is vulnerable to a symbolic-link race condition that can be used to overwrite arbitrary files on the system, and can be used to gain root permissions under some conditions.
Users should watch for a repaired version of this tool.
xbreaky is a Breakout-style game written for X11. It is reported to
be installed set user id root by default. If users run the game with
root permissions, they can exploit the saving of high scores to overwrite
any file on the system. Under OpenBSD and NetBSD, the game is reported
to be installed without the set user id bit set.
It is recommended that affected users upgrade to version 0.0.5 of
xbreaky as soon as possible, or remove the set user id bit.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.