LinuxDevCenter.com

Security Alerts

Multi-Homed Server Vulnerabilities

03/13/2001

Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at buffer overflows in ircd, ePerl, MIT Kerberos 4 and 5, ascdc, and slrn; temporary file problems in MIT Kerberos 4 and 5, the GNU C Library, and the Athena widget libraries; other problems with proftpd under Debian, Midnight Commander, Cisco Aironet 340 Bridges, and man2html; and a discussion of loopback devices and multi-homed routing.

ircd

The tkserv program distributed with the Internet Relay Chat daemon (ircd) package has several problems: a remotely exploitable buffer overflow, a memory leak, and a format string bug. The buffer overflow cannot be exploited unless the tkserv.access file contains one or more "non-OPERed" lines. These problems affect tkserv version 1.3.0 and earlier.

IRCnet has announced that the next release of ircd will fix these problems.

Debian proftpd

The proftpd program shipped with Debian 2.2 (Potato) will run as root even when the administrator has configured it not to. Also, when proftpd is restarted on a system where /var is a symbolic link, it will remove the symbolic link and create a regular file named /var in its place.


These problems have been fixed in proftpd-1.2.0pre10-2.0potato1, and it is recommended that users upgrade as soon as possible.

ePerl

Several buffer overflows have been found in ePerl. On systems where ePerl has been installed suid root, these buffer overflows can lead to a remote root compromise.

It is recommended that users upgrade ePerl immediately.

Midnight Commander

Midnight Commander is a console-based user interface and file manager. A vulnerability has been found that can be used by an attacker to execute arbitrary programs with the permissions of the user running Midnight Commander.

Users of Midnight Commander should upgrade as soon as possible.

Kerberos 4

In February, we reported three vulnerabilities in the FreeBSD version of Kerberos 4: a temporary-file race condition in the ticket handling code, improper handling of two environment variables, and a buffer overflow in the libkrb authentication library. These vulnerabilities can all be exploited through telnetd to gain root access.

MIT has now found the same problems in MIT Kerberos 4 and 5, and in some versions derived from MIT Kerberos. Versions now known to be affected include: MIT Kerberos 5, MIT Kerberos 4, Kerbnet, Cygnus Network Security, and some releases of kth-krb.

Users of MIT Kerberos 5 should upgrade to version krb5-1.2.2. Users of other MIT-derived Kerberos packages should contact their vendor for an update.

ascdc

A program used to manage CDs under X, ascdc, has multiple buffer overflows that can be exploited to gain root privileges if the application has been installed suid root. ascdc is not installed suid by default under most circumstances, but some of its features require it to be suid root.

No patch for this problem has been released. Users on multi-user systems should remove the suid bit from the program.

GNU C Library

Two security problems have been found in the GNU C Library, glibc. First, an attacker can use LD_PRELOAD to load any library listed in /etc/ld.so.cache prior to executing a suid application, allowing the attacker to overwrite or create files without permission. Second, an attacker could use LD_PROFILE to cause suid programs to write data to a temporary file. This temporary file is written to insecurely and can be used by the attacker to overwrite arbitrary files on the system.

It is recommended that users upgrade their GNU C Library to version 2.1.3-17.

slrn

slrn is a console-based Usenet news reader for Unix systems. There is a potential buffer overflow in the wrapping and unwrapping functions that may be exploitable by a long header in a news message.

This problem has been fixed under Debian in version 0.9.6.2-9potato1.

Cisco Aironet 340

The web interface of the Cisco Aironet 340 series wireless bridge can be accessed and used to modify the bridge's configuration -- even when it has been disabled. This problem affects the following Cisco bridges: Aironet AP4500, Aironet AP4800, Aironet BR100, Aironet BR500, and Cisco Aironet AIR-BR340.

Cisco recommends that users upgrade to firmware version 8.55.

man2html

man2html is a program to convert system man pages to HTML documents. Versions prior to 1.5-22 can be manipulated to consume all the available memory on a server in a denial-of-service attack.

Users should upgrade to version 1.5-22 or 1.5-23.

Athena Widgets

The AsciiSrc and MultiSrc widgets in the Athena Widget set use temporary files insecurely. This vulnerability can be used by an attacker to overwrite arbitrary files on the system with the permissions of root. The Athena Widget set includes nextaw, xaw3d, and xaw95.

Users running X on multiuser systems should upgrade to a current version as soon as possible.
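The temporary-file problems in Kerberos, in the glibc LD_PROFILE handling, and in the Athena widgets above share one pattern: a privileged program creates a file under a predictable name in a shared directory without checking what is already there, so a local attacker who plants a symbolic link at that name gets an arbitrary file truncated or overwritten with the program's privileges. The C program below is an added example written for this column, not code from any of those packages. It constructs the race in a private scratch directory (the victim file, the symlink and the file names are made up) and shows the vulnerable open beside the mkstemp(3) and O_EXCL|O_NOFOLLOW patterns that refuse to follow the planted link.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE pattern: a predictable name in a shared directory, opened with
 * O_CREAT but without O_EXCL or O_NOFOLLOW. A local attacker who plants a
 * symlink at that name gets its target truncated with the caller's
 * privileges; run as root or from a setuid program this overwrites any file. */
int open_tmp_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* SAFE pattern when any name will do: mkstemp(3) picks an unpredictable
 * name and creates the file atomically with O_EXCL, so a pre-planted link
 * or file makes the open fail instead of being followed. The chosen name
 * is written into `out`. */
int open_tmp_secure(const char *dir, char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/tmp.XXXXXX", dir) >= (int)outlen)
        return -1;
    return mkstemp(out);
}

/* SAFE pattern when a fixed name must be reused: O_EXCL makes creation
 * atomic (it fails if anything, a symlink included, already exists there)
 * and O_NOFOLLOW refuses a symlink at the path even without O_CREAT. */
int open_fixed_name_secure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Demonstration (constructed): a "victim" file and a symlink at the
 * predictable temp name pointing at it. Returns 1 when the insecure open
 * followed the link and truncated the victim while both secure opens left
 * it alone, 0 if either half did not behave as described, -1 on setup
 * failure. Cleans up its files afterwards. */
int demo_race(const char *scratch)
{
    char victim[PATH_MAX], link[PATH_MAX], name[PATH_MAX];
    struct stat st;
    int fd, clobbered, refused, fresh;

    if (scratch == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", scratch);
    snprintf(link, sizeof link, "%s/predictable.tmp", scratch);

    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "secret\n", 7) != 7) return -1;
    close(fd);
    if (symlink(victim, link) != 0) return -1;

    /* the attacker wins against the insecure open: the victim is now empty */
    fd = open_tmp_insecure(link);
    if (fd >= 0) close(fd);
    clobbered = stat(victim, &st) == 0 && st.st_size == 0;

    /* the fixed-name secure open refuses the planted symlink */
    refused = open_fixed_name_secure(link) < 0;

    /* mkstemp never lands on the planted name; it creates a fresh regular file */
    fd = open_tmp_secure(scratch, name, sizeof name);
    fresh = fd >= 0 && lstat(name, &st) == 0 && S_ISREG(st.st_mode);
    if (fd >= 0) { close(fd); unlink(name); }

    unlink(link);
    unlink(victim);
    return clobbered && refused && fresh;
}

/* Creates a private scratch directory, runs the demonstration in it and
 * removes the directory again. Returns demo_race()'s result. */
int run_demo(void)
{
    char tmpl[] = "/tmp/tmprace.XXXXXX";
    int rc;
    if (mkdtemp(tmpl) == NULL) return -1;
    rc = demo_race(tmpl);
    rmdir(tmpl);
    return rc;
}

int main(void)
{
    printf("insecure open truncated the victim, secure opens refused: %s\n",
           run_demo() == 1 ? "yes" : "no");
    return 0;
}
```

Build it with cc and run it; it prints "yes" when the insecure open emptied the victim and both secure opens refused. Note that mkstemp's unpredictable name defeats pre-planting but does nothing for a program that later reopens a fixed name it chose earlier; that case needs O_EXCL plus O_NOFOLLOW or, better, keeping the descriptor from the first open instead of reopening by name.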

Loopback and Multi-homed Routing

Some operating systems, when configured with two or more network interfaces (multi-homed), will deliver packets that arrive on a network interface but are addressed to the loopback interface. This is not a bug in the TCP/IP stack of these operating systems. It is an unexpected result of following the applicable Internet standards: RFC 1122 permits the "weak host" model, in which a packet is accepted if its destination is any address the host owns, regardless of the interface it arrived on. Affected systems include FreeBSD, NetBSD, and OpenBSD. It is not clear which Linux configurations, if any, are vulnerable.

Another example of this type of unexpected behavior is that some TCP/IP stacks will accept a connection to a broadcast address configured on an interface. Operating systems that exhibit this behavior include OpenBSD and some versions of FreeBSD.

Though this issue is the subject of much debate, there is general agreement that users should use the packet-filtering mechanism available under their operating system, and should not assume that traffic will not be delivered to an interface without careful testing. A safer configuration is a set of firewall rules that denies everything, followed by additional rules that allow only the desired connections.
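The delivery decision described above, as an added example: a simulation written for this column's point, not operating-system code or code from any project named here. The interface names, addresses and filter rules are made up. It models the weak host model (what RFC 1122 permits and the BSD stacks implement) against the strong host model, covers the broadcast-address case from the second paragraph, and shows how a default-deny filter with an anti-spoofing rule for 127.0.0.1 stops a packet that arrived on the LAN from reaching a service that was bound to the loopback address only.

```c
#include <stdio.h>
#include <string.h>

/* Constructed multi-homed host: loopback plus two LAN interfaces. */
struct iface { const char *name; const char *addr; const char *bcast; };

static const struct iface host[] = {
    { "lo0",  "127.0.0.1",   NULL },
    { "fxp0", "10.0.0.1",    "10.0.0.255" },
    { "fxp1", "192.168.1.1", "192.168.1.255" },
};
#define NIFACES (sizeof host / sizeof host[0])

enum model { WEAK_HOST, STRONG_HOST };

/* The stack's local-delivery decision, before any packet filter runs.
 * Weak host model: accept if the destination is any address (or broadcast
 * address) this host owns, whatever interface the packet came in on. That
 * is what lets a packet from fxp0 reach 127.0.0.1 or fxp1's address.
 * Strong host model: accept only on the interface that owns the address. */
int deliver_locally(enum model m, const char *in_if, const char *dst)
{
    size_t i;
    for (i = 0; i < NIFACES; i++) {
        int owned = strcmp(host[i].addr, dst) == 0 ||
                    (host[i].bcast != NULL && strcmp(host[i].bcast, dst) == 0);
        if (!owned)
            continue;
        return m == WEAK_HOST ? 1 : strcmp(host[i].name, in_if) == 0;
    }
    return 0;  /* not ours: forwarded or dropped, never delivered locally */
}

/* Stateless filter in the shape the column recommends: rules are checked
 * in order, the first match wins, and the last rule denies everything else.
 * "*" is a wildcard; port 0 matches any port. */
struct rule { int allow; const char *in_if; const char *dst; int port; };

static const struct rule rules[] = {
    /* anti-spoofing: the loopback address is legitimate only on lo0 */
    { 1, "lo0",  "127.0.0.1",   0 },
    { 0, "*",    "127.0.0.1",   0 },
    /* what we actually want: ssh on each LAN interface, to its own address */
    { 1, "fxp0", "10.0.0.1",    22 },
    { 1, "fxp1", "192.168.1.1", 22 },
    /* default deny: broadcast addresses, fxp1's address via fxp0, other ports */
    { 0, "*",    "*",           0 },
};

int filter_allows(const char *in_if, const char *dst, int port)
{
    size_t i;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rule *r = &rules[i];
        if (strcmp(r->in_if, "*") != 0 && strcmp(r->in_if, in_if) != 0)
            continue;
        if (strcmp(r->dst, "*") != 0 && strcmp(r->dst, dst) != 0)
            continue;
        if (r->port != 0 && r->port != port)
            continue;
        return r->allow;
    }
    return 0;
}

/* A packet reaches a local service only if the filter passes it AND the
 * stack delivers it; relying on the second test alone is the mistake. */
int reaches_service(enum model m, const char *in_if, const char *dst, int port)
{
    return filter_allows(in_if, dst, port) && deliver_locally(m, in_if, dst);
}

int main(void)
{
    /* a TCP SYN to port 22 that arrived on fxp0 from the LAN */
    printf("to 127.0.0.1   weak: %d  strong: %d  weak+filter: %d\n",
           deliver_locally(WEAK_HOST, "fxp0", "127.0.0.1"),
           deliver_locally(STRONG_HOST, "fxp0", "127.0.0.1"),
           reaches_service(WEAK_HOST, "fxp0", "127.0.0.1", 22));
    printf("to 192.168.1.1 weak: %d  strong: %d  weak+filter: %d\n",
           deliver_locally(WEAK_HOST, "fxp0", "192.168.1.1"),
           deliver_locally(STRONG_HOST, "fxp0", "192.168.1.1"),
           reaches_service(WEAK_HOST, "fxp0", "192.168.1.1", 22));
    printf("to 10.0.0.255  weak: %d  weak+filter: %d\n",
           deliver_locally(WEAK_HOST, "fxp0", "10.0.0.255"),
           reaches_service(WEAK_HOST, "fxp0", "10.0.0.255", 22));
    return 0;
}
```

The simulation shows the point the column is making: under the weak model a daemon bound to 127.0.0.1 on a BSD host is reachable from the LAN unless something else stops the packet, and the ordering of the rules matters, since the anti-spoofing deny for 127.0.0.1 must come before any broad allow, and the closing deny-all is what catches the cases nobody thought to list.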

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

