Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts: Samba Vulnerabilities

by Noel Davis
12/06/2002

Welcome to Security Alerts, an overview of recent Unix and open source security advisories.

In this column, we look at problems in Samba, Pine, FreeS/WAN, Solaris priocntl(), Traceroute NANOG, kon2, libcgi-tuxbr, Python, pServ, and Alcatel OmniSwitch switches.

Samba

The Samba server provides SMB network services to clients using NetBIOS over TCP/IP. Samba is vulnerable to a buffer overflow that may be exploitable by a remote attacker to execute arbitrary code with the permissions of the user running the Samba server (normally root). The overflow is triggered by sending an overly long encrypted password as part of a request to change a user's password. Versions 2.2.2 through 2.2.6 of Samba are vulnerable.

Users should upgrade to version 2.2.7 or a repaired package from their vendor as soon as possible. Users should consider removing Samba from their systems if it is not being used.

Pine

The Pine email client is vulnerable to a remote denial of service attack, and it is possible that the attack could result in the execution of arbitrary code. The attack is conducted by sending an otherwise valid email message with a specially crafted From: header line.

It has been reported that this vulnerability will be repaired in version 4.50 of Pine. A user whose mail spool contains such a message can recover by deleting the affected message with an editor or another email client. Users should watch their vendor for an updated package that repairs this vulnerability.


Linux FreeS/WAN

Linux FreeS/WAN, an open source implementation of IPsec (Internet Protocol Security) for Linux systems, has a bug in its handling of some very small packets. The bug can be used in a denial of service attack against a machine running FreeS/WAN, potentially causing a kernel panic.

Users should watch their vendor for an update. It may be possible to protect machines from this vulnerability by using a firewall to block the offending small packets. A rule that drops every short packet would also break legitimate traffic (TCP acknowledgements and many UDP exchanges are small), so any such rule should be limited to the IPsec traffic itself (ESP, AH and the IKE port, UDP 500) arriving at the FreeS/WAN gateway.

Solaris priocntl()

It has been reported that the priocntl() system call on Sun Solaris systems can be manipulated by a local attacker into loading an arbitrary kernel module, giving the attacker root access to the system. Example code for a module that grants the attacker root access has been released.

Users should contact Sun for patch information and workarounds.

Traceroute NANOG

Traceroute is a utility used to troubleshoot or explore network paths. The NANOG implementation of traceroute is installed setuid root because it needs root permissions to open a raw network socket, and it does not drop those permissions afterwards. Traceroute NANOG is vulnerable to a buffer overflow that can be exploited by a local attacker to execute code with root permissions. Code to automate the exploitation of this vulnerability has been released.

Updated packages have been released to repair the buffer overflow, but it has been reported that these packages do not repair all exploitable vulnerabilities. It is recommended that the setuid bit be removed from the traceroute binary, or that group permissions be used to limit execution to a trusted set of users.
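The two mitigations suggested above, plus a check for the dangerous state (setuid root and executable by anyone), as an added shell example that is not part of the column or of the traceroute package. The installed path and the group name in the usage comment are assumptions; adjust them to your system and run as root.

```shell
#!/bin/sh
# Added example (not from the column or the traceroute package): lock down a
# setuid-root traceroute binary. Paths and the group name are assumptions.

# Report success (exit 0) when the file is setuid and executable by "other",
# i.e. any local user can reach the vulnerable code as root. Character 10 of
# the ls -l mode string is the "other" execute bit.
setuid_world_exec() {
    [ -u "$1" ] && [ "$(ls -ld "$1" | cut -c10)" = "x" ]
}

# Mitigation 1: strip the setuid bit. traceroute then works only for root,
# but an overflow in it no longer yields a privilege escalation.
strip_setuid() {
    chmod u-s "$1"
}

# Mitigation 2: keep setuid root but allow execution only by a trusted group
# (mode 4750, rwsr-x---). The group is assumed to exist already. chgrp by a
# non-root user clears the setuid bit, so the chmod must come second.
restrict_to_group() {
    # $1 = path to binary, $2 = trusted group
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# Usage on a real system (assumed path and group, run as root):
#   setuid_world_exec /usr/sbin/traceroute && strip_setuid /usr/sbin/traceroute
# or, to keep it usable for network staff only:
#   restrict_to_group /usr/sbin/traceroute netadmin
```

Either change is reversible with `chmod 4755` once a package that fixes every reported overflow is installed; until then, mitigation 1 is the safer default on hosts where only root needs traceroute.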

kon2

kon2 (Kanji ON Console), a program that displays Japanese text on the Linux VGA console, has a bug that can be exploited by a local user to gain root permissions.

Users should consider removing kon2 until it has been repaired.

Libcgi-tuxbr

The CGI library libcgi-tuxbr is used to write CGI applications in C. It is vulnerable to a buffer overflow that can be used to execute arbitrary code on the server with the permissions of the user the web server runs as. A script to automate the exploitation of this vulnerability has been released.

Users should watch for a repaired version of the library. It is recommended that vulnerable CGI applications be disabled until they have been linked against a repaired library or reworked to use another library or no library at all.


Python

A temporary file race condition in Python can be used by a local attacker to execute arbitrary code with the permissions of the user running a Python script.

Users should watch their vendor for updated packages that fix this problem and should consider disabling Python until it has been repaired. The race matters most for scripts that run with elevated permissions, such as root cron jobs and system scripts, since the attacker gains the permissions of whoever runs the script.
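The class of bug described above, a temporary file with a predictable name that a local attacker can plant a symlink at before the victim opens it, shown as an added shell example. It is not the column's code and not Python's own code; the directory, file names and "attacker data" are constructed for the demonstration. The safe variant uses mktemp(1), which creates the file with O_CREAT|O_EXCL under an unpredictable name.

```shell
#!/bin/sh
# Added example, not from the column and not Python's own code: a temp-file
# race of the kind described above, shown with plain shell. All names and
# data below are constructed for the demonstration.

# Vulnerable pattern: the name is derived from the PID, which any local user
# can read from ps(1), and the file is opened without O_EXCL, so a symlink
# already sitting at that name is followed and its target is overwritten.
unsafe_tmp_write() {
    # $1 = directory, $2 = data to store; prints the path used
    name="$1/work.$$"
    printf '%s\n' "$2" > "$name"
    printf '%s' "$name"
}

# Fixed pattern: mktemp(1) picks an unpredictable name and creates the file
# with O_CREAT|O_EXCL and mode 0600, so a planted symlink is never followed.
safe_tmp_write() {
    # $1 = directory, $2 = data to store; prints the path used
    name=$(mktemp "$1/work.XXXXXX") || return 1
    printf '%s\n' "$2" > "$name"
    printf '%s' "$name"
}

# Play attacker and victim in one process: plant a symlink at the predictable
# name pointing at a file the victim never meant to touch, then run one of the
# writers. Prints "clobbered" if the target was overwritten, "intact" if not.
race_demo() {
    # $1 = "unsafe" or "safe"
    dir=$(mktemp -d "${TMPDIR:-/tmp}/race.XXXXXX") || return 1
    target="$dir/target"
    printf 'original\n' > "$target"
    ln -s "$target" "$dir/work.$$"          # attacker pre-plants the link
    case $1 in
        unsafe) unsafe_tmp_write "$dir" "attacker data" >/dev/null ;;
        safe)   safe_tmp_write   "$dir" "attacker data" >/dev/null ;;
        *)      rm -rf "$dir"; return 1 ;;
    esac
    if [ "$(cat "$target")" = "original" ]; then
        echo intact
    else
        echo clobbered
    fi
    rm -rf "$dir"
}

# race_demo unsafe   -> clobbered
# race_demo safe     -> intact
```

If the victim process is root, the overwritten target can be any file on the system, which is how a temp-file race in an interpreter or library turns into code execution with the privileges of whoever runs the script.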

pServ

pServ (pico Server), a small web server written in C, is vulnerable to a buffer overflow in the code that handles POST requests. The overflow can be exploited in a denial of service attack against the web server and, under some conditions, may be exploitable to execute code with the permissions of the user pServ is running as. It is also reported that pServ "has no setuid capability", that is, it cannot drop privileges after starting, so it will often be running as root.

The author has released version 2.0 beta 6, which is reported to fix this buffer overflow. No web server should be run as root unless it drops its permissions and continues as an unprivileged user once it has bound its listening port.

Alcatel OmniSwitch AOS

A back door has been discovered in Alcatel OmniSwitch LAN switches running the Alcatel Operating System (AOS) version 5.1.1. Alcatel states that during development a telnet server was configured to listen on port 6778 so that developers could access the operating system, and that the telnet server was accidentally left enabled in the released product. The back door can be used by a remote attacker to gain full administrative control over the switch.

Alcatel recommends that affected users upgrade to AOS 5.1.1.R02 or AOS 5.1.1.R03 as soon as possible. Users who are unable to upgrade at this time should consider a partial solution such as screening access to port 6778 with a firewall; note that this only protects the switch from hosts whose traffic actually passes through the firewall, not from hosts on the same segment as the switch's management interface.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.