by Noel Davis
Welcome to Security Alerts, an overview of new Unix and open source security-related advisories and news. Problems this week include root exploits in the MarkVision printer drivers package, local and remote root exploits in KTH Kerberos, buffer overflows in Red Hat's PAM, a discussion of security problems with web-based applications, and an example of one of these web-based security problems in phpGroupWare.
Kerberos is a network authentication protocol that uses a secret-key to provide authentication over insecure networks. There are two primary Kerberos packages: MIT and KTH. KTH Kerberos is included in OpenBSD and FreeBSD. There are three vulnerabilities in KTH Kerberos IV: It honors some environmental variables, there is a buffer overflow in the protocol parsing code, and there is a race condition in the ticket file writing code. These problems can lead to local and remote root vulnerabilities. Anyone who has KTH Kerberos installed on their system should upgrade or apply a patch.
Red Hat PAM
There is a problem with the PAM system in Red Hat 7 and an update that was issued for Red Hat 6.x. Both versions included a module named pam_localuser. This module is vulnerable to a buffer overflow. Even though this module is not used by default, Red Hat has released a new version that fixes the buffer overflow and fixes some other bugs. If you are running Red Hat 6.x or 7, it is recommended that you upgrade immediately.
There is a race condition in diskcheck's temporary file code. This race condition can allow a malicious user to write to arbitrary files belonging to the user who is executing diskcheck. All users of diskcheck should upgrade to the latest version.
Insecurities this week:
A suggested fix for the generic insecure temporary directory race condition problem is to set the
$TMP environment variable to a temporary directory that only you can write to, such as something like
$HOME/tmp. This will cause many programs to use the specified location (
$TMP) for their temporary files and provide some protection against this type of attack. I mention this as a generic defense as I have not tested diskcheck to see if it uses the
RIPE, APNIC, RADB update insecurities
RIPE, APNIC, and RADB are all top-level DNS registries. A problem has been identified for users who use the DES-encrypted CRYPT-PW method of update authentication. Other methods to authenticate changes to DNS records include NONE, MAIL-FROM, and PGP. The problem is twofold. First, for anyone who has your plain text (cracked), CRYPT-PW can make any changes they want with no human intervention. The second problem is that the
whois registries contain the DES-encrypted passwords as part of the publicly available data. A program has been distributed that helps extract CRYPT-PWs from the database and puts them into a Unix password file format so that they can be easily be run through password crackers such as Crack. Until the community decides not to present this information, you should switch to the PGP method. If you choose to continue to use CRYPT-PW, you should be careful to pick a password that is difficult to crack.
MarkVision drivers package
The MarkVision drivers package for Unix is an administration system for printers supplied by Lexmark. It allows printers to be remotely administered and provides drivers for different versions of Unix. Several command line programs that come with this package have buffer overflows. Some of these exploitable programs are installed
setuid root and will allow a malicious attacker to execute arbitrary code. It is recommended that you upgrade to the latest version of the package.
There has been a lot of mail lately discussing web-based applications. One of the common security problems with them is that they have
include files that are inside the file system space that is served out by the web server. In many cases,
include files that are inside this space will be served out as text or as some other readable format and will expose passwords or other sensitive data. In other cases the include file will be executed by the web server and may accept user-supplied variables. Suggested solutions are: Make sure that the include files use an extension that the web server will not serve out as text, place them in a subdirectory and use a
.htaccess control or something similar to prevent access, or move them outside the file system hierarchy that is served out by the web server. When you are evaluating or installing web-based applications, you should be very careful that you do not select or install a new back door for crackers.
phpGroupWare, a multi-user web-based groupware application, has a vulnerability that allows remote users to execute arbitrary commands. The commands will be executed as the same user that the web server is running under. This is an example of the web-based application problem referenced earlier. This application has an
include file that can be executed directly and fed form variables, causing it to execute arbitrary commands. It is recommended that you upgrade to version 0.9.7 of phpGroupWare.
MailMan Webmail, a web-based interface to POP3 and SMTP e-mail, has a remote exploit that allows arbitrary commands to be executed. The commands will be executed as the user that the web server is running as. The vulnerable versions are all 3.x versions that are below 3.0.26. Anyone using this package should upgrade to version 3.0.26 or newer.
Watchguard SOHO Firewall
The Watchguard SOHO Firewall is a hardware-based firewall used for cable, ISDN, and DSL connections designed for home or small office users. There is a web-based configuration interface available on both sides of the firewall. An exploit has been published that conducts a denial of service attack on the firewall. The attack results in the firewall crashing or rebooting. If it crashes, it must be unplugged to bring it back up, and a reboot makes it unavailable for one to five minutes. It is recommended that the firmware be upgraded to a version newer than 2.2.1.
Read more Security Alerts columns.
Discuss this article in the O'Reilly Network Linux Forum.
Return to the Linux DevCenter.