Security Alerts: Linux IP Masquerading
by Noel Davis
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in cda; and vulnerabilities in phpMyAdmin, man, Linux IP masquerading, and Slackware's
phpMyAdmin is vulnerable to an attack that can be used to execute arbitrary code with the permissions of the user running the Web server. For this vulnerability to be exploited, the attacker must have the ability to modify a table of a database.
Users should watch for an update to phpMyAdmin and should only grant access to trusted users. They should also consider removing all access to the software until a fixed version has been installed.
wvdial, a dialer for modem-based connections, will under some circumstances create its configuration file with world-readable permissions. If wvdial's configuration file contains a password for the dialup connection, that password is readable by any user on the system.
It is recommended that users restrict access to wvdial's configuration file, or that they not place a password in the configuration file and instead use the Ask Password = 1 option.
xloadimage is an X Window image viewer used by Netscape to display TIFF, PNG, and Sun Raster images. It has a buffer overflow that can be used by an attacker to execute arbitrary code on the machine running Netscape, with the permissions of the user running Netscape. An exploit script for this buffer overflow has been released to the public. The attack is launched when the user opens a page containing the exploit code disguised as a TIFF image.
It is recommended that the lines in the pluggerrc file that reference xloadimage be commented out, or that the application be upgraded to a repaired version.
Under Slackware 8.0 and possibly earlier versions, the /var/man/cat* directories are world-writable. An attacker can create links in these directories that will cause the manual page reader man to execute arbitrary code as the user executing
Users should modify the /var/man/cat* directories so that they are not world-writable, and should inspect these directories for suspicious files.
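The two permission fixes recommended above, for wvdial's configuration file and for the /var/man/cat* directories, come down to the same kind of check: a file that must not be readable by other users, and directories that must not be writable by everyone. The following shell script is an added example, not code from the column: it parses the mode field of `ls -ld` (so it runs under any POSIX sh), reports each problem together with the chmod that fixes it, and demonstrates itself on constructed files in a scratch directory rather than on the real system paths.

```shell
#!/bin/sh
# Added permission audit for two of the column's findings: a dialer
# configuration file that must not be readable by other users (wvdial.conf
# when it holds a password) and cache directories that must not be writable
# by everyone (the /var/man/cat* directories). The files in demo() are
# constructed for the demonstration.

# mode_string PATH -> the 10-character mode field, e.g. "drwxrwxrwt"
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# file_is_private PATH -> exit 0 when neither group nor others can read PATH
file_is_private() {
    m=$(mode_string "$1") || return 2
    g=$(printf '%s' "$m" | cut -c5)    # group read bit
    o=$(printf '%s' "$m" | cut -c8)    # other read bit
    [ "$g" = "-" ] && [ "$o" = "-" ]
}

# dir_is_world_writable_unsticky PATH -> exit 0 when others can write to the
# directory and the sticky bit is absent, which lets any local user create
# or replace entries (including symbolic links) in it
dir_is_world_writable_unsticky() {
    m=$(mode_string "$1") || return 2
    w=$(printf '%s' "$m" | cut -c9)    # other write bit
    t=$(printf '%s' "$m" | cut -c10)   # "t" or "T" when sticky is set
    [ "$w" = "w" ] && [ "$t" != "t" ] && [ "$t" != "T" ]
}

# audit PRIVATE_FILE CATDIR... -> one FINDING line per problem, with the
# chmod that fixes it; exit 1 when anything was found
audit() {
    rc=0
    f=$1; shift
    if [ -f "$f" ] && ! file_is_private "$f"; then
        echo "FINDING: $f is readable by other users (fix: chmod 600 $f)"
        rc=1
    fi
    for d in "$@"; do
        [ -d "$d" ] || continue
        if dir_is_world_writable_unsticky "$d"; then
            echo "FINDING: $d is world-writable (fix: chmod 755 $d)"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on constructed files in a scratch directory.
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'Password = example\n' > "$tmp/wvdial.conf"   # constructed config
    chmod 644 "$tmp/wvdial.conf"          # world-readable, as the column describes
    mkdir "$tmp/cat1" "$tmp/cat8"
    chmod 777 "$tmp/cat1"                 # world-writable, as on Slackware 8.0
    chmod 755 "$tmp/cat8"
    audit "$tmp/wvdial.conf" "$tmp"/cat*  # reports both findings
    chmod 600 "$tmp/wvdial.conf"
    chmod 755 "$tmp/cat1"
    audit "$tmp/wvdial.conf" "$tmp"/cat* && echo "clean"
    rm -rf "$tmp"
}

demo
```

On a real system the call would be `audit /etc/wvdial.conf /var/man/cat*`; the sticky-bit check is included because a world-writable directory with the sticky bit set (as /tmp is) does not let one user replace another user's entries, whereas the cat* directories as shipped had no such protection.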
The ucd-snmp Simple Network Management Protocol daemon snmpd has a buffer overflow that may be exploitable to execute arbitrary code. On systems that install snmpd set user id or set group id, this vulnerability could be used by a local attacker to gain additional privileges. The buffer overflow has been reported to affect version 4.2.1. It is not known whether earlier versions are also affected.
It is recommended that any set user id or set group id bits be removed from snmpd until a fixed version has been installed.
The dbsnmp binary that is distributed as part of Oracle has a buffer overflow in the code that handles the ORACLE_HOME environment variable. This buffer overflow may be exploitable to gain root privileges. Versions 8.1.5, 8.1.6, 8.1.7, and 9i of Oracle have been reported as vulnerable.
Users should watch Oracle for a patch for this problem and should consider removing the set user id bit from dbsnmp, or making it executable only by a group that contains only trusted users.
cda, a command line tool used with the xmcd X Window CD player, is vulnerable to both a buffer overflow and a symbolic-link attack. Systems that have cda installed set user id are vulnerable to an attacker gaining additional privileges or overwriting files on the system.
Users should upgrade to version 3.0 patch level 2 of xmcd as soon as possible or should remove any set user id bits from
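Three of the items above (snmpd, dbsnmp, and cda) share the same interim mitigation: remove the set user id or set group id bits, or restrict execution to a trusted group, until a fixed version is installed. The shell script below is an added example, not code from the column or from any of those projects. It detects the bits from the `ls -ld` mode field, strips them, and offers the group-restriction alternative; the binary paths in the usage comment are assumptions about where a site installed the programs, and the demonstration runs on a constructed file.

```shell
#!/bin/sh
# Added audit of set-user-id and set-group-id binaries, the interim
# mitigation the column gives for snmpd, dbsnmp and cda. The functions work
# on any path; the paths in the usage comment are assumptions, and demo()
# runs on a constructed file in a scratch directory.

# mode_string PATH -> the 10-character mode field, e.g. "-rwsr-xr-x"
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# setid_bits PATH -> prints "setuid" and/or "setgid", one per line;
# exit 0 only when at least one of the bits is set
setid_bits() {
    m=$(mode_string "$1") || return 2
    found=1
    case $(printf '%s' "$m" | cut -c4) in
        s|S) echo setuid; found=0 ;;   # "S": setuid without owner execute
    esac
    case $(printf '%s' "$m" | cut -c7) in
        s|S) echo setgid; found=0 ;;
    esac
    return $found
}

# strip_setid PATH -> drop both bits; the program still runs, but only with
# the privileges of whoever invokes it
strip_setid() {
    chmod u-s,g-s "$1"
}

# restrict_to_group PATH GROUP -> the alternative the column offers for
# dbsnmp: keep the bit but make the binary executable only by members of a
# group that contains trusted users (chgrp needs root or group membership)
restrict_to_group() {
    chgrp "$2" "$1" && chmod o-rwx "$1"
}

# audit_setid PATH... -> one FINDING line per set-id binary; exit 1 if any
audit_setid() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue            # skip programs not installed here
        if bits=$(setid_bits "$f"); then
            echo "FINDING: $f is $(printf '%s' "$bits" | tr '\n' ' ')(mode $(mode_string "$f"))"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on a constructed file standing in for an installed binary.
demo() {
    tmp=$(mktemp -d) || return 2
    : > "$tmp/snmpd"
    chmod 4755 "$tmp/snmpd"               # installed set user id root-style mode
    audit_setid "$tmp/snmpd"              # FINDING: ... is setuid (mode -rwsr-xr-x)
    strip_setid "$tmp/snmpd"
    audit_setid "$tmp/snmpd" && echo "clean"
    rm -rf "$tmp"
}

demo

# Usage on a real system (paths are assumptions; ORACLE_HOME is the
# variable the column names):
#   audit_setid /usr/sbin/snmpd /usr/local/bin/cda "${ORACLE_HOME:-/opt/oracle}/bin/dbsnmp"
#   strip_setid /usr/sbin/snmpd
#   restrict_to_group "${ORACLE_HOME:-/opt/oracle}/bin/dbsnmp" dba
```

Stripping the bit changes who the program runs as, so a daemon started from an init script as root is unaffected, while a user invoking the same binary directly no longer gets elevated privileges; that is the point of the mitigation for locally exploitable overflows in snmpd, dbsnmp, and cda.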
Under some circumstances, a vulnerability in Linux IP masquerading can be used by an attacker to bypass a Linux-based firewall and gain access to a protected network. This new vulnerability is similar to an attack reported earlier this year that used the FTP protocol to open a hole through the firewall, but instead uses a flaw in the IRC DCC helper (
Users of Linux IP masquerading should evaluate their security needs and consider options to increase the security of their firewall, such as configuring the NAT server to only allow a range of ports in connection requests (such as only ports above 1024) or not installing helper modules (such as ip_masq_irc) on their server.
Under Slackware 8.0 and 7.1, the locate database is owned by the user nobody. If an attacker can execute commands as the user nobody, they can modify the locate database to execute arbitrary code when the locate command is executed by a user. Default Slackware systems execute the Web server as the user nobody, and any user that can execute CGI scripts would be able to modify the locate database. An exploit for this vulnerability has been released.
The nobody account was created as the account to which the root user is mapped under NFS, and should not own any sensitive files. It is better practice to create a "www" or "web" account and use that to run the Web server or, in this example, to create a "locate" account and have it own the
Users of Slackware 8.0 and 7.1 that use locate should create an unprivileged account for locate and move the line that updates the database from the nobody user's crontab file to the new account. It is also suggested that the Web server be reconfigured to run under its own account.
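The locate fix just described has two checkable steps: confirm who owns the database, and move the updatedb job out of the nobody account's crontab into one for a dedicated account. The shell script below is an added example, not Slackware's own scripts or code from the column. The crontab contents, the database filename, and the account name "locate" are constructed or assumed; `useradd -r` and `crontab -u` are assumptions about the tools available on the site.

```shell
#!/bin/sh
# Added example of the locate fix the column recommends: confirm who owns
# the locate database, then split the updatedb job out of the nobody
# account's crontab so it can be installed for a dedicated "locate" account.
# The crontab text and file names in demo() are constructed; the account
# name "locate", "useradd -r" and "crontab -u" are assumptions.

# db_owner PATH -> the owning user as shown by ls (name, or uid if unknown)
db_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# check_db_owner PATH -> exit 1 with a FINDING when the database is owned by
# nobody, the account CGI scripts run as on a default Slackware system
check_db_owner() {
    o=$(db_owner "$1") || return 2
    if [ "$o" = "nobody" ]; then
        echo "FINDING: $1 is owned by nobody; any process running as nobody can replace it"
        return 1
    fi
    return 0
}

# split_crontab IN OUT_REST OUT_UPDATEDB -> copy the non-comment lines that
# run updatedb from IN to OUT_UPDATEDB and everything else to OUT_REST;
# exit 1 when IN contained no updatedb job to move
split_crontab() {
    grep -E '^[^#]*updatedb' "$1" > "$3" || :
    grep -Ev '^[^#]*updatedb' "$1" > "$2" || :
    [ -s "$3" ]
}

# migrate DB NEWUSER CRONTAB_IN -> the whole procedure (needs root): create
# the account, hand it the database, install the two resulting crontabs
migrate() {
    db=$1; user=$2; cron=$3
    useradd -r -s /bin/false "$user" 2>/dev/null || :   # no-op if it exists
    chown "$user" "$db"
    tmp=$(mktemp -d) || return 2
    if ! split_crontab "$cron" "$tmp/nobody" "$tmp/$user"; then
        echo "no updatedb job found in $cron"; rm -rf "$tmp"; return 1
    fi
    crontab -u nobody "$tmp/nobody"
    crontab -u "$user" "$tmp/$user"
    rm -rf "$tmp"
}

# Demonstration on constructed files in a scratch directory.
demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' \
        '# constructed sample crontab for user nobody' \
        '40 4 * * * /usr/bin/updatedb 1> /dev/null 2> /dev/null' \
        '0 * * * * /usr/bin/run-parts /etc/cron.hourly' > "$tmp/nobody.cron"
    : > "$tmp/locate.db"                  # constructed stand-in for the database
    check_db_owner "$tmp/locate.db" && echo "locate.db owner: $(db_owner "$tmp/locate.db")"
    split_crontab "$tmp/nobody.cron" "$tmp/nobody.new" "$tmp/locate.new"
    echo "--- stays with nobody:";          cat "$tmp/nobody.new"
    echo "--- moves to the locate account:"; cat "$tmp/locate.new"
    rm -rf "$tmp"
}

demo
```

`migrate` is what an administrator would run as root once, for example `migrate /var/lib/slocate/slocate.db locate /var/spool/cron/crontabs/nobody` (both paths are assumptions about the installation); the other functions are safe to run as any user to check the current state before and after.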