 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

Buffer-Overflow Problems in BIND

02/06/2001

Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at buffer-overflow problems in BIND, gnuserv, and tinyProxy; format string attacks against ntop and LPRng; and denial-of-service attacks against inetd, CUPS, and InterNetNews (INN2).

Buffer-overflow weakness found in BIND

Buffer-overflow problems have been found in versions 4 and 8 of BIND (the Berkeley Internet Name Domain), the domain-name-system daemon distributed by the Internet Software Consortium (ISC). The vulnerability has wide implications, as most sites on the Internet use one of these two BIND versions to provide DNS resolution.

BIND version 8 (prior to 8.2.3) has a bug in its transaction-signature (TSIG) handling code that could allow a remote attacker to execute arbitrary code as the user running BIND -- often root. The problem affects both recursive and non-recursive DNS servers and does not require the attacker to control an authoritative DNS server.

BIND versions 4 through 4.9.7 were also found to have buffer-overflow weaknesses in the code that prepares a message to be logged with syslog. This overflow can be exploited to run arbitrary code on the server as the user running BIND (again, often root). To exploit it, the attacker must control an authoritative DNS server and use a recursive target name. BIND version 4 also has a format string bug that can be exploited to execute arbitrary code; it is subject to the same preconditions as the buffer-overflow problem.

ISC recommends that users upgrade earlier versions of BIND to version 8.2.3 or 9.1.x. If you cannot upgrade to one of these versions, ISC recommends that you upgrade to version 4.9.8.


ISC has also announced that it will create a fee-based forum with access restricted to the ISC list, vendors who include BIND in their products, root and other top-level domain name-server operators, and others as determined by ISC. Members would sign strong non-disclosure agreements (NDAs) and encrypt their communications. In return they would receive access to the CVS versions of BIND 4, 8, and 9; early notice of security problems; admission to live meetings; and inclusion in a members-only BIND mailing list. Prior to this announcement, ISC's practice was to send security announcements to the BIND-workers mailing list and to publish them in CERT advisories.

Reaction to ISC's announcement is mixed. Some wonder how the ISC will convince non-BIND-members to announce security problems only to BIND-members. Personally, I expect to see many BIND problems announced on forums such as bugtraq.

Red Hat inetd

The inetd (Internet superserver) shipped with Red Hat Linux 6.2 may fail to properly close sockets for its internal services, leaving it vulnerable to denial-of-service attacks.

Red Hat recommends that you download the inetd-0.16-7 RPM from updates.redhat.com and upgrade your software.

kdesu

kdesu, a KDE front end to the su command, has a bug that can allow a local user to obtain the root password. When the "keep password" option is in use, kdesu sends the password over a Unix-domain socket but does not verify the identity of the process listening on the other end of that socket.

Users should upgrade to the latest version of kdesu or deselect the "keep password" option.

gnuserv

gnuserv, a remote-control program for GNU Emacs, also has a buffer-overflow vulnerability that can be exploited to execute arbitrary code. gnuserv ships with Emacs but is also available as a standalone package. It typically must be started by the user with the gnuserv-start command.

If you use gnuserv, upgrade to gnuserv version 3.12, which is included in XEmacs 21.1.14 and XEmacs beta 21.2.35.

CUPS

A denial-of-service problem has been found in the Common Unix Printing System (CUPS): if a client sends a line longer than the input buffer, the httpGets function loops indefinitely.

Users should upgrade to version 1.1.6. In addition to fixing the denial-of-service bug, this release changes numerous function calls to reduce the risk of future buffer-overflow problems.
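The failure mode above (a client line longer than the input buffer), handled the way a reader should handle it, as an added example that is not CUPS code: an oversize line is reported and its remainder drained, so the loop always reaches the end of the line or EOF. The request text, the 32-byte buffer and the function names are constructed for the demo.

```c
/* Added example, not CUPS code: bounded line reader that never spins on an oversize line. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

enum line_status { LINE_OK, LINE_TOO_LONG, LINE_EOF };
/* Read one LF/CRLF-terminated line into buf[n] (n >= 2). A line that does not
 * fit is drained to its newline so the next call starts fresh; buf is emptied. */
enum line_status read_line(FILE *in, char *buf, size_t n)
{
    size_t len = 0;
    int c;
    while ((c = fgetc(in)) != EOF) {
        if (c == '\n') {
            if (len > 0 && buf[len - 1] == '\r')
                len--;                          /* strip the CR of CRLF */
            buf[len] = '\0';
            return LINE_OK;
        }
        if (len == n - 1) {                     /* full: drain, do not spin */
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;
            buf[0] = '\0';
            return LINE_TOO_LONG;
        }
        buf[len++] = (char)c;
    }
    buf[len] = '\0';                            /* EOF: flush a final unterminated line */
    return len ? LINE_OK : LINE_EOF;
}

/* Demo driver: read a whole in-memory request (constructed input) with a bufsize-byte
 * buffer (2..64). Returns the line count; *too_long counts lines that overflowed. */
int count_lines(const char *request, size_t bufsize, int *too_long)
{
    char buf[64];
    int lines = 0;
    enum line_status st;
    FILE *in = fmemopen((void *)request, strlen(request), "r");
    *too_long = 0;
    if (!in || bufsize < 2 || bufsize > sizeof buf)
        return -1;
    while ((st = read_line(in, buf, bufsize)) != LINE_EOF) {
        lines++;
        *too_long += (st == LINE_TOO_LONG);
    }
    fclose(in);
    return lines;
}
```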

tinyProxy

tinyProxy, an HTTP proxy designed to be fast and small, has a heap-overflow vulnerability. It can be used for denial of service and may allow an attacker to execute arbitrary code as the user running tinyProxy. Users should upgrade to version 1.3.3a or newer.

ntop

ntop, an application for monitoring network usage, has a format string vulnerability. An exploit has been released that brute-forces an offset and gives the attacker a root shell if the package is installed setuid root.

If ntop is installed setuid root, the setuid bit should be removed.

LPRng

LPRng, an enhanced printer spooler, has a format string bug in the way it calls the syslog function: an attacker can send format-string directives to the daemon, which may result in a root compromise.

If you use LPRng, you should upgrade to version 3.6.26 or newer.

INN2

The InterNetNews (INN2) daemon has two potential security problems -- a buffer overflow that can be used to execute arbitrary code and a denial-of-service vulnerability triggered by 2-byte headers. The buffer overflow is in the message-cancellation code and is only a danger if verifycancels is enabled.

It is recommended that you upgrade to INN2.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.