Sudo Contains Root Exploit
04/24/2001
Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at buffer overflows in innfeed and Cyberscheduler; symbolic-link race conditions in Samba, VMware, exuberant-ctags, and nedit; and problems in Red Hat FTP, mgetty, DCForum, Cyberscheduler, and
sudo allows the root user to delegate to other users the ability to run commands with the permissions of root or of another user. Versions of sudo prior to 1.6.3p6 are vulnerable to a buffer overflow that a local user can exploit to execute arbitrary code and obtain root privileges.

It is recommended that users upgrade to version 1.6.3p6 as soon as possible. If sudo is not being used, its set user ID bit should be removed.
The Samba daemon provides file and print services using the SMB protocol used by Microsoft Windows products. Versions of Samba prior to 2.0.8 are vulnerable to a symbolic-link file race condition attack that can be used by an attacker to overwrite system files, destroy file systems, or obtain root privileges.
All users of Samba should upgrade as soon as possible to version 2.0.8 or newer, and should restart the Samba server once it has been upgraded.
Under some conditions, Red Hat Linux systems can have their firewall rules bypassed by a carefully constructed FTP PORT command. This vulnerability affects Red Hat Linux 7.1 systems using a 2.4 Linux kernel that has been configured to use a firewall based on iptables instead of ipchains, and that has also turned on the feature that allows FTP RELATED connections (data connections announced on the FTP control channel and tracked by the FTP connection-tracking helper) to be passed through the firewall. The default configuration of Red Hat 7.1 uses ipchains for its firewall configuration and is not vulnerable to this attack.

Red Hat recommends that users of iptables disable the FTP RELATED feature, and watch Red Hat for an updated 2.4 Linux kernel.
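The bypass above turns on what the FTP connection-tracking helper is willing to accept from a PORT command before it lets the announced data connection through as RELATED. The C below is an added example, not netfilter, kernel or Red Hat code, of the validation such a helper should perform; it assumes, as the column's description implies, that a PORT command advertising an address other than the client's own, or a privileged port, must not open a hole. The function names, the 10.0.0.5 client address and the sample commands are constructed for the illustration.

```c
/* Added example (not netfilter or Red Hat code): the check an FTP
 * connection-tracking helper must make before it treats the data connection
 * announced by a PORT command as RELATED. Assumption: a PORT advertising an
 * address other than the client's own, or a port below 1024, is refused.
 * Client address and sample lines are constructed for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum port_verdict {
    PORT_OK = 0,          /* safe to expect a RELATED connection to addr:port */
    PORT_MALFORMED,       /* not a well-formed "PORT h1,h2,h3,h4,p1,p2" line */
    PORT_ADDR_MISMATCH,   /* advertised address is not the client's own */
    PORT_PRIV_PORT        /* advertised port is below 1024 */
};

/* Parse "PORT h1,h2,h3,h4,p1,p2" (RFC 959). *addr receives the IPv4 address in
 * host byte order, *port receives p1*256+p2. Returns 0 on success, -1 when the
 * verb is wrong, the field count is wrong, or any field exceeds 255. */
int parse_port_cmd(const char *line, uint32_t *addr, uint16_t *port)
{
    unsigned f[6];
    if (strncasecmp(line, "PORT ", 5) != 0)
        return -1;
    if (sscanf(line + 5, "%u,%u,%u,%u,%u,%u",
               &f[0], &f[1], &f[2], &f[3], &f[4], &f[5]) != 6)
        return -1;
    for (int i = 0; i < 6; i++)
        if (f[i] > 255)
            return -1;
    *addr = (uint32_t)f[0] << 24 | (uint32_t)f[1] << 16 | (uint32_t)f[2] << 8 | f[3];
    *port = (uint16_t)(f[4] * 256 + f[5]);
    return 0;
}

/* Decide whether the helper may open a RELATED expectation for this PORT line.
 * client_addr is the source address of the FTP control connection. */
enum port_verdict check_port_cmd(const char *line, uint32_t client_addr)
{
    uint32_t addr;
    uint16_t port;
    if (parse_port_cmd(line, &addr, &port) != 0)
        return PORT_MALFORMED;
    if (addr != client_addr)   /* the "carefully constructed" case: a third host */
        return PORT_ADDR_MISMATCH;
    if (port < 1024)           /* would expose a privileged service behind the firewall */
        return PORT_PRIV_PORT;
    return PORT_OK;
}

#define CLIENT_ADDR 0x0a000005u   /* constructed: control connection from 10.0.0.5 */

int main(void)
{
    const char *samples[] = {
        "PORT 10,0,0,5,4,1",     /* client's own address, port 1025: fine */
        "PORT 10,0,0,9,0,22",    /* points at another host's port 22: refuse */
        "PORT 10,0,0,5,0,80",    /* own address but privileged port: refuse */
        "PORT 10,0,0,300,4,1",   /* octet out of range: malformed */
    };
    const char *names[] = { "ok", "malformed", "address mismatch", "privileged port" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i], names[check_port_cmd(samples[i], CLIENT_ADDR)]);
    return 0;
}
```

The address comparison is the whole point: a helper that creates the RELATED expectation from whatever address the client writes into PORT lets the client pick any host and port behind the firewall as the destination of the "data connection".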
The VMware suite of products allows the execution of multiple operating systems on the same machine at the same time. The vmware-mount.pl script provided with VMware creates a temporary file insecurely, and can be used by a malicious local user to create and overwrite arbitrary files on the system.

A workaround for this temporary-file race condition vulnerability is to set the $TMPDIR environment variable to a temporary directory that only you can write to, such as $HOME/tmp. Doing this will cause VMware to create the temporary file in the location pointed to by $TMPDIR, where an attacker cannot plant a symbolic link ahead of time, and will provide protection against this attack.

Users of VMware should upgrade to a repaired version as soon as one becomes available.
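The Samba and vmware-mount.pl items above are the same class of bug: a temporary file created under a predictable name, which a local attacker can pre-empt with a symbolic link so that the privileged writer overwrites a file of the attacker's choosing. The C below is an added example, not code from VMware, Samba or this column, showing the insecure open beside a hardened mkstemp() open that respects the $TMPDIR workaround, and playing the race once in a scratch directory to show the overwrite. The function names, file names and the victim/attacker contents are constructed for the demo.

```c
/* Added example, not code from VMware, Samba or this column: the temp-file
 * symlink race behind the vmware-mount.pl and Samba items, as a predictable-
 * name open beside a hardened mkstemp() open honouring the $TMPDIR workaround.
 * All file names and contents below are constructed for the demo. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure, kept deliberately broken: guessable name dir/prefix.<pid>, O_CREAT
 * without O_EXCL. A symlink planted at that name is followed by open(2), so the
 * write lands in the link target, any file at all when the script runs as root. */
int insecure_tempfile(const char *dir, const char *prefix, pid_t pid)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s.%ld", dir, prefix, (long)pid);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: random name created atomically with O_EXCL by mkstemp(), so a
 * planted symlink makes the open fail rather than being followed, in $TMPDIR
 * when set (the column's workaround), else /tmp. path_out gets the chosen name. */
int secure_tempfile(const char *prefix, char *path_out, size_t path_len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(path_out, path_len, "%s/%s.XXXXXX", dir, prefix) >= (int)path_len)
        return -1;
    return mkstemp(path_out);
}

/* 1 if fd is a regular file and the same inode that lstat() sees at path
 * (nothing was swapped in by a symlink), 0 otherwise. */
int fd_matches_path(int fd, const char *path)
{
    struct stat fs, ls;
    if (fstat(fd, &fs) != 0 || lstat(path, &ls) != 0)
        return 0;
    return S_ISREG(fs.st_mode) && S_ISREG(ls.st_mode) &&
           fs.st_dev == ls.st_dev && fs.st_ino == ls.st_ino;
}

/* The race in one process: attacker plants the symlink, victim does the
 * insecure open. Returns 1 if the victim file was overwritten, 0 if not,
 * -1 on setup error. Removes its own files afterwards. */
int demo_symlink_race(const char *workdir)
{
    char victim[PATH_MAX], link[PATH_MAX], buf[16] = {0};
    pid_t pid = getpid();
    ssize_t n = -1;
    snprintf(victim, sizeof victim, "%s/victim", workdir);
    snprintf(link, sizeof link, "%s/mount.%ld", workdir, (long)pid);
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6) return -1;
    close(fd);
    if (symlink(victim, link) != 0) return -1;           /* attacker's move */
    fd = insecure_tempfile(workdir, "mount", pid);        /* victim's move */
    if (fd >= 0 && write(fd, "owned", 5) == 5) {
        close(fd);
        fd = open(victim, O_RDONLY);
        if (fd >= 0) { n = read(fd, buf, sizeof buf - 1); close(fd); }
    }
    unlink(link); unlink(victim);
    return n == 5 && memcmp(buf, "owned", 5) == 0;
}

/* Both halves in a fresh private directory. Bit 0: the insecure open was
 * redirected; bit 1: the hardened open gave our own regular file in $TMPDIR. */
int run_demos(void)
{
    char workdir[] = "/tmp/tmprace.XXXXXX", path[PATH_MAX];
    int result = 0, fd;
    if (mkdtemp(workdir) == NULL)
        return -1;
    if (demo_symlink_race(workdir) == 1)
        result |= 1;
    setenv("TMPDIR", workdir, 1);                         /* the $TMPDIR workaround */
    fd = secure_tempfile("mount", path, sizeof path);
    if (fd >= 0 && fd_matches_path(fd, path) && strncmp(path, workdir, strlen(workdir)) == 0)
        result |= 2;
    if (fd >= 0) { close(fd); unlink(path); }
    rmdir(workdir);
    return result;
}

int main(void)
{
    int r = run_demos();
    printf("insecure open followed the planted symlink: %s\n", (r & 1) ? "yes" : "no");
    printf("mkstemp() file is our own inode under $TMPDIR: %s\n", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

The demo plants the link before the open, so there is no timing to win; on a real system the attacker races the script, but the predictable name is what makes the race winnable at all. The $TMPDIR workaround helps because a directory only you can write to is a directory in which nobody else can plant the link.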
innfeed is part of the INN news package and uses the NNTP protocol to send news from one system to another. In versions of INN other than the current CVS version, it is possible for newsgroup users to execute the set user ID wrapper startinnfeed, pass it very long arguments, and exploit a buffer overflow in the
Exploiting this buffer overflow may allow the attacker to execute commands with the permission of the news user ID. If any of the applications owned by news are executed by the root user, the attacker can leverage access to the news user ID to obtain root privileges.
It is recommended that users who do not have access to the news user ID not be placed in the news group, and that the root user never execute any part of the news system.
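startinnfeed itself is not on this page in source form. As an added example that is not INN's code, the C below shows the shape of the bug the advisory describes, a setuid wrapper copying its command-line arguments into a fixed-size buffer, next to a bounded version that measures first and refuses arguments that do not fit. The 256-byte buffer size, the function names and the sample arguments are assumptions made for the illustration.

```c
/* Added example (not INN's startinnfeed code): a setuid wrapper that copies its
 * arguments into a fixed buffer with no length check, beside a bounded version
 * that refuses oversized input. CMDLINE_MAX, the names and the sample
 * arguments are constructed for this illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMDLINE_MAX 256   /* assumed fixed buffer size in the wrapper */

/* Vulnerable, kept deliberately broken (do not call with long arguments): the
 * arguments are appended with strcat() to a fixed stack buffer, so an argument
 * longer than CMDLINE_MAX overruns it. In a setuid wrapper the overrun runs
 * with the wrapper owner's privileges, here the news user. */
void build_cmdline_insecure(char *const argv[], char *out)
{
    char line[CMDLINE_MAX];
    line[0] = '\0';
    for (int i = 1; argv[i] != NULL; i++) {
        strcat(line, argv[i]);       /* no length check at all */
        strcat(line, " ");
    }
    strcpy(out, line);
}

/* Hardened: measure first, refuse anything that does not fit or carries control
 * characters, and only then copy with explicit bounds. Returns 0 and fills out
 * (of size out_len) on success, -1 on rejection. */
int build_cmdline_checked(char *const argv[], char *out, size_t out_len)
{
    size_t need = 1;                                   /* trailing NUL */
    for (int i = 1; argv[i] != NULL; i++) {
        size_t len = strlen(argv[i]);
        for (size_t j = 0; j < len; j++)
            if ((unsigned char)argv[i][j] < 0x20)      /* newline tricks in arguments */
                return -1;
        if (len > out_len || need + len + 1 > out_len) /* the first test keeps the sum safe */
            return -1;
        need += len + 1;                               /* argument plus separating space */
    }
    size_t pos = 0;
    for (int i = 1; argv[i] != NULL; i++) {
        size_t len = strlen(argv[i]);
        memcpy(out + pos, argv[i], len);
        pos += len;
        out[pos++] = ' ';
    }
    out[pos] = '\0';
    return 0;
}

/* Build an argv whose single argument is arg_len bytes of 'A' (the advisory's
 * "very long arguments") and run the checked builder: 0 accepted, -1 rejected. */
int demo_checked(size_t arg_len)
{
    char *arg = malloc(arg_len + 1);
    char out[CMDLINE_MAX];
    if (arg == NULL)
        return -1;
    memset(arg, 'A', arg_len);
    arg[arg_len] = '\0';
    char *argv[] = { "startinnfeed", arg, NULL };
    int rc = build_cmdline_checked(argv, out, sizeof out);
    free(arg);
    return rc;
}

/* An argument carrying an embedded newline: rejected regardless of length. */
int demo_control_char(void)
{
    char out[CMDLINE_MAX];
    char *argv[] = { "startinnfeed", "site\nrogue", NULL };
    return build_cmdline_checked(argv, out, sizeof out);
}

int main(void)
{
    printf("10-byte argument: %s\n", demo_checked(10) == 0 ? "accepted" : "rejected");
    printf("5000-byte argument: %s\n", demo_checked(5000) == 0 ? "accepted" : "rejected");
    printf("argument with newline: %s\n", demo_control_char() == 0 ? "accepted" : "rejected");
    return 0;
}
```

The rejection path matters more than the copy: a setuid wrapper that cannot fit its input should exit, not truncate, because the recommendation in the advisory (keep untrusted users out of the news group) only limits who can reach this code, not what the code does once reached.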