 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts Subverted

by Noel Davis
06/14/2004

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in Subversion, Apache's mod_proxy and mod_ssl, Squid, MIT's krb5, RealOne, RealPlayer, ksymoops-gznm, smtp.proxy, FreeBSD's Jail(), Aspell, Tripwire, and icecast.

Subversion

Subversion is an open source version control system designed to be usable as a CVS replacement. Versions of Subversion through 1.0.4 are reported to be vulnerable, under some conditions, to a buffer overflow that can be used in a denial-of-service attack and may be exploitable to execute arbitrary code with the permissions of the user running the svnserve daemon or other software using the related svn://, svn+ssh://, or tunneled svn+:// protocols.

The Subversion project recommends that users upgrade to Subversion version 1.0.5 or newer as soon as possible and suggests as a possible workaround for users that cannot upgrade that svnserve be turned off and replaced with http:// access (DAV).

Apache mod_proxy

The mod_proxy module distributed with Apache 1.3.31 or earlier contains a buffer overflow that may, under some circumstances, be exploitable by a remote attacker to execute code with the permissions of the user running Apache.

Affected users should consider disabling mod_proxy until a repaired version of Apache has been installed.


Apache mod_ssl

mod_ssl contains a bug that can be remotely exploited as a denial-of-service attack or that possibly could result in code execution as the user the web server is running under. Only installations of Apache that have FakeBasicAuth enabled and trust client certificates with an unusually long subject DN are vulnerable. The bug is reported to affect versions of mod_ssl earlier than 2.8.18, and Apache 2.0.49-r2 and earlier.

Affected users should upgrade to a repaired version of mod_ssl or Apache 2.*.

Squid

Squid is a free, open source Web proxy cache server designed for Unix systems with many features, including: proxying and caching of HTTP, FTP, and other URL types; proxying for SSL; transparent caching; extensive access controls; HTTP server acceleration; SNMP; and caching of DNS queries. A buffer overflow in the NTLM authentication function ntlm_check_auth() can be used by a remote attacker to execute arbitrary code with the permissions of the user Squid is running under. Only Squid installations that are using the NTLM authentication helper are vulnerable to this buffer overflow.

Affected users should recompile Squid without the NTLM authentication helper support, watch for a new Squid release, or wait for a vendor-supplied package.

MIT's krb5

MIT's krb5 is an implementation of Kerberos, a network authentication protocol designed to provide strong cryptographic, secret-key-based authentication for client/server applications. Under some non-default configurations, a remote attacker can exploit multiple buffer overflows in the function krb5_aname_to_localname() and cause arbitrary code to be executed with (in most cases) root permissions. Versions of krb5 through krb5-1.3.3 are reported to be vulnerable, but only in non-default configurations.

The krb5 maintainers recommend upgrading to version krb5-1.3.4 of krb5, disabling the vulnerable functionality (explicit mapping or rules-based mapping), or applying an available patch.

RealOne and RealPlayer

The media players RealOne and RealPlayer are reported to be vulnerable to a buffer-overflow-based attack that can result in arbitrary code being executed as the user running the player. The attack uses a carefully crafted .RM, .RV, .RMJ, or .RA file to cause the buffer overflow.

RealNetworks has released upgrade information for Windows users, but it is not clear if RealOne and RealPlayer users on other platforms are affected. Users should contact RealNetworks for upgrade details. In all cases, users should exercise care in viewing content from untrusted sources.


ksymoops-gznm

The ksymoops-gznm script distributed with Mandrake Linux 10.0, 9.1, 9.2, and Corporate Server 2.1 is vulnerable to a temporary-file, symbolic-link-based attack that can, under some conditions, result in an attacker overwriting an arbitrary file with root's permissions.

Mandrake has released updated packages for all affected releases.
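As an added illustration of the defence against the temporary-file symlink class described above (this is not Mandrake's fix or the ksymoops-gznm script itself), the C program below creates files with O_CREAT|O_EXCL so that a link pre-planted at a predictable name is refused rather than followed, and proves it inside a throwaway directory. The directory, the "victim" file and the temp-file name are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create 'path' only if nothing is there yet.  O_EXCL makes the existence
 * check and the creation one atomic step, and if 'path' is already a
 * symbolic link the call fails with EEXIST instead of following it. */
int create_private_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Self-check inside a fresh sandbox directory: a symlink is planted at a
 * predictable temp-file name (a miniature of the ksymoops-gznm scenario);
 * the hardened creation must refuse it and leave the link target untouched.
 * Returns 1 when the defence held, 0 otherwise. */
int demo_symlink_defence(void)
{
    char dir[] = "/tmp/tmpfile-demo.XXXXXX";      /* constructed sandbox */
    if (mkdtemp(dir) == NULL) return 0;
    char victim[128], planted[128];
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(planted, sizeof planted, "%s/ksymoops.tmp", dir);
    /* 'victim' stands in for the arbitrary file that would be clobbered. */
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0 || write(vfd, "original", 8) != 8) return 0;
    close(vfd);
    /* The predictable name now points at 'victim' (the planted link). */
    if (symlink(victim, planted) != 0) return 0;
    /* Vulnerable shape, not built: fopen(planted, "w") would follow the link. */
    int fd = create_private_file(planted);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    /* Confirm the original content survived. */
    char buf[16] = {0};
    int rfd = open(victim, O_RDONLY);
    int intact = rfd >= 0 && read(rfd, buf, sizeof buf - 1) == 8
                 && strcmp(buf, "original") == 0;
    if (rfd >= 0) close(rfd);
    unlink(planted); unlink(victim); rmdir(dir);
    return refused && intact;
}

int main(void) { return demo_symlink_defence() ? 0 : 1; }
```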

smtp.proxy

The email application gateway smtp.proxy is reported to have a remotely exploitable format-string bug that may result in arbitrary code being executed on the server with the permissions smtp.proxy is running under (which may be root).

Version 1.3.3 of smtp.proxy is reported to be repaired.

icecast

icecast is reported to be vulnerable to a remotely exploitable denial-of-service attack.

Users of icecast should watch their vendors for a repaired version.

Aspell

The Aspell utility was written by the GNU project as an accurate and better replacement for the popular ispell spell-checking utility. The word-list-compress utility is distributed with Aspell and is used to compress and decompress word lists for use by Aspell. If by some method (perhaps a social engineering attack) an attacker could introduce arbitrary words into another user's word list, a buffer overflow in the word-list-compress utility could be exploited, and arbitrary code executed with the victim's permissions.

Concerned users should watch their vendors for a repaired version of Aspell and should not let strangers put words into their word lists.

FreeBSD Jail()

The Jail() function call is used to confine a process and all of its descendants to a virtual "jail" that restricts access to the real system, even for root-owned processes. A bug in the FreeBSD Jail() function can be abused by root-owned processes in a jail to manipulate the host's route tables.

It is recommended that affected users upgrade to FreeBSD 4.10-RELEASE or a repaired version of RELENG_4_8 or RELENG_4_9, or apply an available patch.

Tripwire

Tripwire is a utility used to make a cryptographic snapshot or fingerprint of the state of a machine so that changes to files on the machine can be recognized. The email functionality of Tripwire is vulnerable to a format-string-based attack that may be exploitable to execute arbitrary code (most often as root). Versions 2.4 and earlier of the commercial version of Tripwire and version 2.3.1 and earlier of the open source version of Tripwire are reported to be vulnerable.

Affected users should stop using the email functionality until they have upgraded to a repaired version of Tripwire.
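The same defect class appears in smtp.proxy above and in Tripwire's email code: untrusted text handed to a printf-family function as the format string. As an added example (not code from either project), the C snippet below shows the hardened call shape, with the untrusted text always an argument and never the format, alongside a small check that flags text that would be dangerous if it ever reached a format parameter. The sample inputs are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs of the kind a mailer or proxy might log or put
 * into a message header; not taken from either advisory. */
static const char *const SAMPLE_INPUTS[] = {
    "Report for host db01",     /* benign text */
    "report %s %s %s %s",       /* as a format, would read stack words as pointers */
    "Policy %n updated",        /* as a format, would write to memory */
    "100%% done",               /* "%%" is a literal percent sign: harmless */
};
#define NSAMPLES (sizeof SAMPLE_INPUTS / sizeof SAMPLE_INPUTS[0])

/* True if 'text' holds a conversion directive that a printf-family function
 * would act on if 'text' were (wrongly) used as the format string. */
bool has_format_directive(const char *text)
{
    const char *p = strchr(text, '%');
    while (p != NULL) {
        if (p[1] != '%')
            return true;            /* %s, %n, %x ... or a stray trailing '%' */
        p = strchr(p + 2, '%');     /* skip the literal "%%" */
    }
    return false;
}

/* Hardened pattern: untrusted text is always an argument, never the format.
 * Returns the length of the rendered line, or -1 if it did not fit.  The
 * vulnerable shape this replaces (deliberately not built) was:
 *     snprintf(out, outsz, untrusted);                                   */
int render_notice(char *out, size_t outsz, const char *untrusted)
{
    int n = snprintf(out, outsz, "NOTICE: %s", untrusted);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void)
{
    char line[128];
    for (size_t i = 0; i < NSAMPLES; i++) {
        render_notice(line, sizeof line, SAMPLE_INPUTS[i]);
        printf("%-6s %s\n", has_format_directive(SAMPLE_INPUTS[i]) ? "RISKY" : "ok", line);
    }
    return 0;
}
```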

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.