Quake 3 Arena Buffer Overflow
08/20/2001
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in Raytheon SilentRunner, Quake 3 Arena, elm, and a number of Lightweight Directory Access Protocol (LDAP) servers; a temporary-file race condition in the Samsung ML-85G Linux printer driver; a new forms-based attack against Web browsers; problems in Arkeia, AdCycle, uncgi, the Red Hat util-linux package, and HP-UX's login command; and a race condition in the NetBSD kernel.
Arkeia, a multi-platform backup and recovery tool, has several problems that together could lead to a remote root compromise. Communications between the GUI management tool and the backup agents are unencrypted, and the Arkeia password is protected only by weak encryption, so an attacker who can sniff that traffic may recover the password and gain access to the Arkeia account. Once the attacker has access to the Arkeia account, the attacker can schedule an arbitrary command to be run before and after a backup, and that command is executed as root. To conduct this attack, the attacker must be able to sniff the traffic between the Arkeia GUI and one of its agents.
It is recommended that Arkeia be used through an encrypted tunnel created with a tool such as
Alerts this week:
Raytheon SilentRunner has multiple buffer overflows that can be exploited by an attacker to execute arbitrary code on the server or to cause a denial of service on the collector. SilentRunner is a network monitoring tool that passively collects data and then allows the data to be viewed from a central server. It has been reported that versions 1.61, 2.0, and 2.01 of SilentRunner are vulnerable.
Users should watch Raytheon for a patch for these problems.
A buffer overflow exists in Quake 3 Arena that can be used to crash the Quake server, and may be exploitable to execute arbitrary code with the permissions of the user executing the Quake server. It has been reported that Quake 3 Arena versions 1.29f and 1.29g are vulnerable.
Users should watch id Software for an update.
AdCycle, a Web-based ad management system, does not properly check user input, allowing an attacker to inject SQL that the database server will execute as part of AdCycle's own queries. Exploiting this vulnerability allows the attacker to bypass the administrator password.
Users of AdCycle should upgrade to version 1.16 or newer as soon as possible.
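The AdCycle advisory gives no query text, so the following is an added illustration of the class of bug, not AdCycle's code: a login check that splices user input into the SQL string, next to the same check written with bound parameters. The table, the account and the password are constructed for the example; SQLite stands in for the real database.

```python
import sqlite3


def make_db():
    # Constructed stand-in for an ad manager's admin login table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (name TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'c0rrect-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    # User input becomes part of the statement text, so a quote character
    # in the input ends the literal and the rest is parsed as SQL.
    sql = ("SELECT COUNT(*) FROM admins WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, name, password):
    # Bound parameters: the values travel separately from the statement,
    # so no input can change the query's structure.
    sql = "SELECT COUNT(*) FROM admins WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def demo():
    conn = make_db()
    # Two classic bypasses: a tautology in the password field, and a
    # comment in the name field that discards the password check.
    tautology = "' OR '1'='1"
    comment = "admin' --"
    return {
        "vuln_good_creds": login_vulnerable(conn, "admin", "c0rrect-horse"),
        "vuln_tautology": login_vulnerable(conn, "admin", tautology),
        "vuln_comment": login_vulnerable(conn, comment, "wrong"),
        "safe_good_creds": login_safe(conn, "admin", "c0rrect-horse"),
        "safe_tautology": login_safe(conn, "admin", tautology),
        "safe_comment": login_safe(conn, comment, "wrong"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

Escaping quotes in the input is the tempting quick fix, but it has to be right for every data type and every database dialect; parameter binding removes the problem instead of patching around it.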
The elm email client has a buffer overflow in the code that handles the message id. It has been reported that this causes header corruption.
It is recommended that users check their vendor for an updated version of elm.
The Linux printer driver for the Samsung ML-85G printer creates its temporary files insecurely. This leaves the driver vulnerable to a race condition that can be exploited to gain root permissions on the system.
It is recommended that users remove the set user id bit from the printer driver until a patched version has been installed.
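The advisory does not say which call the driver uses, so the following is an added illustration of the general pattern rather than the Samsung driver's code: a privileged program writes to a predictable name under a shared directory, an attacker plants a symlink at that name first, and the program's open() follows the link and overwrites the target. The secure variants refuse a pre-existing path (O_EXCL) or let the library choose an unguessable name (mkstemp). The file names and contents are constructed; everything happens inside a private temporary directory.

```python
import os
import tempfile


def plant_symlink(spool_path, victim):
    # The attacker's move: win the race by creating the link before the
    # privileged program opens its temporary file.
    os.symlink(victim, spool_path)


def insecure_write(spool_path, data):
    # open(..., "w") is O_CREAT|O_TRUNC without O_EXCL: if a symlink already
    # sits at the path, the kernel follows it and truncates the target.
    with open(spool_path, "w") as f:
        f.write(data)


def secure_write(spool_path, data):
    # O_EXCL fails if anything (file or symlink) already exists at the
    # path; O_NOFOLLOW is belt and braces; mode 0600 keeps the data private.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(spool_path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def mkstemp_write(directory, data):
    # Better still: an unpredictable name opened atomically with
    # O_CREAT|O_EXCL, so there is no name for the attacker to guess.
    fd, path = tempfile.mkstemp(prefix="spool-", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def run_race(writer):
    """Simulate the race in a private directory.  Returns True when the
    victim file was overwritten through the planted symlink."""
    workdir = tempfile.mkdtemp()
    victim = os.path.join(workdir, "victim")
    with open(victim, "w") as f:
        f.write("original contents\n")
    spool = os.path.join(workdir, "ml85g.tmp")  # the guessable name
    plant_symlink(spool, victim)
    try:
        writer(spool, "printer job data\n")
    except OSError:
        pass  # EEXIST (or ELOOP from O_NOFOLLOW): the secure writer declined
    with open(victim) as f:
        return f.read() != "original contents\n"


if __name__ == "__main__":
    print("insecure writer clobbered victim:", run_race(insecure_write))
    print("secure writer clobbered victim:  ", run_race(secure_write))
```

When the program really does run set-user-id root, the victim can be any file on the system, which is why the advice above is to strip the set-user-id bit until the driver is fixed.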
uncgi is a CGI application that is designed to make writing CGI applications easier by parsing the QUERY_STRING and placing the result into environment variables. Versions of uncgi earlier than 1.10 would not check for relative directories (they would parse ../ as part of the URL), and would execute a script even if the script was not executable.
Users should upgrade to uncgi version 1.10 and should add the compile-time option EXECUTABLES_ONLY when it is compiled.
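The two checks that the uncgi fix adds, written out as an added example in Python (this is not uncgi's code; uncgi is written in C and the WWW_ variable prefix used below is assumed from its documentation): a request path is mapped onto a script directory only if it contains no relative components and stays under that directory, and the script is run only if it is a regular file with the execute bit set. The script directory and its contents are constructed for the example.

```python
import os
import stat
import tempfile
from urllib.parse import parse_qsl


def parse_query_string(qs):
    # uncgi's job: turn "a=1&b=x%20y" into variables for the script.
    # The WWW_ prefix is assumed here; a dict stands in for the environment.
    return {"WWW_" + k: v for k, v in parse_qsl(qs, keep_blank_values=True)}


def resolve_script(script_dir, path_info, executables_only=True):
    """Map PATH_INFO onto a script under script_dir.  Returns the absolute
    path, or raises PermissionError when the request must not be served."""
    parts = [p for p in path_info.split("/") if p]
    # Pre-1.10 behaviour was to pass ".." through; refuse it outright.
    if any(p in ("..", ".") for p in parts):
        raise PermissionError("relative path component in %r" % path_info)
    base = os.path.realpath(script_dir)
    target = os.path.realpath(os.path.join(base, *parts))
    # realpath() resolves symlinks; the prefix check is the real gate.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("escapes script directory: %r" % path_info)
    if executables_only:  # the EXECUTABLES_ONLY behaviour
        st = os.stat(target)
        if not (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IXUSR):
            raise PermissionError("not an executable script: %r" % target)
    return target


def make_script_dir():
    # Constructed layout: cgi-bin/ok.cgi (executable), cgi-bin/notes.txt
    # (not executable) and a file one level up that must stay unreachable.
    root = tempfile.mkdtemp()
    scripts = os.path.join(root, "cgi-bin")
    os.mkdir(scripts)
    ok = os.path.join(scripts, "ok.cgi")
    with open(ok, "w") as f:
        f.write("#!/bin/sh\necho Content-Type: text/plain; echo; echo hi\n")
    os.chmod(ok, 0o755)
    with open(os.path.join(scripts, "notes.txt"), "w") as f:
        f.write("not a script\n")
    with open(os.path.join(root, "secret"), "w") as f:
        f.write("must not be served\n")
    return scripts


if __name__ == "__main__":
    d = make_script_dir()
    print(parse_query_string("a=1&b=x%20y"))
    for req in ("/ok.cgi", "/notes.txt", "/../secret"):
        try:
            print(req, "->", resolve_script(d, req))
        except PermissionError as e:
            print(req, "-> refused:", e)
```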
The util-linux packages shipped with Red Hat Linux 7.1 could leave the /etc/shadow file world-readable after editing it with vipw.
Red Hat recommends that users of Red Hat Linux 7.1 upgrade to the new util-linux package and that, if they have used vipw, they check the permissions on /etc/shadow and make sure it is readable only by root.
The HP-UX login command can allow restricted shell users to execute unauthorized commands and break out of the restricted shell. This is reported to affect HP9000 series 700/800 machines with HP-UX 11.00, 11.11, and 10.20.
HP recommends that affected users apply the appropriate patch as soon as possible.
A race condition in NetBSD between the ptrace() system call and the set user id and set group id handling of the execve() system call can be exploited by a local attacker to execute arbitrary code with the permissions of the root user. NetBSD version 1.5.1 is not vulnerable.
Users of NetBSD-current should upgrade to a version dated June 15, 2001 or newer. Users of NetBSD 1.5 should upgrade to a version dated June 17, 2001 or newer. Users of NetBSD 1.4, 1.4.1, 1.4.2, and 1.4.3 should upgrade to a version dated July 19, 2001 or newer. Once the upgraded kernel source has been installed, the kernel should be rebuilt and installed, and then the system should be restarted.
Many implementations of the Lightweight Directory Access Protocol (LDAP) have errors, including buffer overflows, denial of service conditions, and escalation of privileges. Vulnerable systems include: iPlanet Directory Server, IBM SecureWay, Lotus Domino R5 Servers, Teamware Office, Qualcomm Eudora WorldMail, Microsoft Exchange 5.5 LDAP Service, Network Associates PGP Keyserver, Oracle 8i Enterprise Edition, and OpenLDAP. For details on vulnerable versions, users should check the CERT advisory and contact their vendor.
Users should contact their vendor for patches and workarounds for this problem.
Return to the Linux DevCenter.