Buffer Overflows in uidadmin
09/24/2001
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in Open Unix and UnixWare's uidadmin, and HP-UX's swverify; an announcement about the Cerberus Internet Scanner; and problems in Tivoli SecureWay WebSEAL Proxy Policy Director, IMP, glFTPD, OpenView Network Node Manager, POP3Lite, Basilix, PGPsdk, Informix-SQL, rlmadmin, and NetCode NC Book.
Also learn to recognize and protect your system from the Nimda worm in last Friday's special edition of Security Alerts.
- Tivoli SecureWay WebSEAL Proxy Policy Director
- OpenView Network Node Manager
- Open Unix and UnixWare uidadmin
- HP-UX swverify
- Cerberus Internet Scanner
- NetCode NC Book
The Tivoli SecureWay WebSEAL Policy Director Proxy Server is an access-control and presentation tool for the Web. Versions 3.01, 3.6, 3.7, and 3.7.1 do not properly filter out hex codes in URLs. This problem can be used to bypass the access controls in WebSEAL and can be used to view any file on the server. Affected users should download a patch for this problem from Tivoli as soon as possible.
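The WebSEAL problem above is an instance of applying an access rule to a URL before its hex (percent) escapes are decoded. The following is an added example, not Tivoli code, with a constructed rule set: the naive check compares the raw path, while the hardened check canonicalizes it first (decoding and collapsing `.`/`..` segments).

```python
# Added example (not from the Tivoli advisory): an access-control check that
# compares the raw request path against a protected-prefix list can be bypassed by
# percent-encoding characters of the path. The fix is to canonicalize the path
# (decode, then collapse "." and ".." segments) before applying the rule.
from urllib.parse import unquote
import posixpath

PROTECTED_PREFIXES = ("/admin/", "/etc/")  # constructed rule set for the example


def canonicalize(path: str) -> str:
    """Percent-decode (bounded, so double encoding is also handled) and normalize."""
    decoded = path
    for _ in range(3):  # stop as soon as decoding no longer changes anything
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # posixpath.normpath collapses "/a/../b" and "/./" segments
    norm = posixpath.normpath("/" + decoded.lstrip("/"))
    # normpath drops a trailing slash; restore it so directory rules still match
    if decoded.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def _is_protected(norm: str) -> bool:
    """True if the canonical path is a protected directory or lies below one."""
    for prefix in PROTECTED_PREFIXES:
        if norm == prefix.rstrip("/") or norm.startswith(prefix):
            return True
    return False


def naive_is_allowed(path: str) -> bool:
    """Vulnerable form: the rule is applied to the raw, still-encoded path."""
    return not path.startswith(PROTECTED_PREFIXES)


def hardened_is_allowed(path: str) -> bool:
    """Fixed form: the rule is applied to the canonical path."""
    return not _is_protected(canonicalize(path))
```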
IMP is a Web-based mail reader that works with IMAP- and POP3-based mail servers. Versions earlier than 2.2.6 have several vulnerabilities that can be used by an attacker to execute arbitrary scripts on other users' client machines and execute arbitrary code on the server.
Users of systems with IMP installed should upgrade it to version 2.2.6 or newer, or remove it if it is not needed.
glFTPD, an FTP daemon for Linux and BSD, has a bug in the LIST command that, when exploited, will cause the daemon to consume 99% of the server's CPU.
Users should upgrade to glFTPD version 1.24.
Hewlett-Packard has announced a vulnerability in OpenView Network Node Manager that can be used by an attacker to gain unauthorized privileges. This vulnerability affects the Network Node Manager running on HP9000 servers with HP-UX 10.20 and 11.00, Solaris, and Microsoft Windows NT 4 and Windows 2000 running Network Node Manager 6.1.
Hewlett-Packard recommends that users apply the appropriate patch for their version and operating system as soon as possible.
The uidadmin utility supplied with Open Unix 8.0.0 and all releases of UnixWare 7 has a buffer overflow that may be exploitable by an attacker to gain root permissions.
Caldera recommends that users update their systems with the available patch as soon as possible.
The POP3Lite POP3 email daemon has a flaw that can be used to send arbitrary server responses embedded in an email message. This can lead to strange client behavior and can be used as a denial-of-service attack against the POP email client. The flaw is present in version 0.2.3b of POP3Lite and may be present in earlier versions.
Users of POP3Lite should upgrade to version 0.2.4 or newer.
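The column does not say exactly how POP3Lite lets message content pass as server responses. RFC 1939 requires that a multi-line response end with a line holding a single "." and that any message line starting with "." be byte-stuffed (an extra "." prepended) so the client cannot mistake it for the end of the response. The added example below (not POP3Lite's code, with a constructed message) contrasts a server that relays the message unmodified with one that applies the stuffing, and shows what a client would see in each case.

```python
# Added example (not POP3Lite's code): RFC 1939 byte-stuffing for a POP3 RETR
# response. A server that skips the stuffing lets a message body end the response
# early, leaving message-controlled lines where the client expects the next
# server reply.
CRLF = "\r\n"
TERMINATOR = "." + CRLF

# Constructed sample message: the body contains a bare "." line followed by a
# line shaped like a POP3 server reply.
SAMPLE_MESSAGE = (
    "From: sender@example.test" + CRLF + "Subject: hi" + CRLF + CRLF
    + "first line" + CRLF + "." + CRLF + "+OK injected" + CRLF + "last line"
)


def naive_retr_body(message: str) -> str:
    """Vulnerable form: message content is relayed unmodified."""
    return message + CRLF + TERMINATOR


def encode_retr_body(message: str) -> str:
    """Server side: byte-stuff lines starting with '.' and append the terminator."""
    stuffed = [("." + line if line.startswith(".") else line)
               for line in message.split(CRLF)]
    return CRLF.join(stuffed) + CRLF + TERMINATOR


def decode_retr_body(wire: str):
    """Client side: read lines up to the bare '.' line, un-stuffing leading dots.

    Returns (message_body, leftover_bytes_after_terminator).
    """
    lines = wire.split(CRLF)
    body = []
    for i, line in enumerate(lines):
        if line == ".":
            return CRLF.join(body), CRLF.join(lines[i + 1:])
        body.append(line[1:] if line.startswith(".") else line)
    raise ValueError("multi-line response not terminated")
```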
Basilix, a Web-based email system, has a vulnerability that can be exploited by an attacker to execute arbitrary commands as the user running the Web server.
Users should watch for an update to Basilix.
The HP-UX set user id root command swverify and other commands matching the pattern /usr/sbin/sw* have been reported to be vulnerable to a buffer overflow. An exploit script has been released to the public.
Users should consider removing the set user id bit from /usr/sbin/sw*. It has been reported that this problem was fixed in the PHCO_23483 patch.
There is a key-validation vulnerability in some PGP-based products that can lead to the importing of unsigned keys that will appear to be signed.
Hotfixes have been released for PGP Corporate Desktop v7.1, PGP Personal Security v7.0.3, PGP Freeware v7.0.3, and PGP E-Business Server v7.1. Upgrades have been released for PGP E-Business Server v6.5.8x and PGP E-Business Server v7.0.4.
The Informix-SQL database server has a bug that allows a local attacker to create arbitrary files with root privileges. This exploit can then be leveraged into full root access.
Users should watch for an update to Informix-SQL and should consider removing the set user id bits from Informix-SQL utilities.
There is a locally-exploitable problem in vpopmail that can be used to retrieve arbitrary MySQL data and may be usable to execute arbitrary commands as the
vpopmail versions 4.19.35 and earlier are vulnerable when installed with the MySQL authentication module.
Users should upgrade to the latest version of vpopmail or should remove the set user id bits from commands located in
David Litchfield announced that the Cerberus Internet Scanner has been updated and released with a new name of Typhon. Improved features include SNMP, ICMP, port scanning, and Web scanning modules.
rlmadmin, a user-management tool for RADIUS servers that is distributed with the Merit AAA server, has a vulnerability that can be exploited to view any file on the system with the permissions of the root user. This vulnerability has been reported to affect versions 3.8M and earlier.
Users should remove the set user id bit from the
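Several items in this column (the HP-UX /usr/sbin/sw* commands, the Informix-SQL utilities, the vpopmail commands, and rlmadmin) share the same interim mitigation: clear the set-user-id bit until a patch is applied. The following added script, not taken from any of the advisories, lists the setuid files matching a glob pattern that are owned by a given uid and, when dry_run is turned off, clears the bit on them; the default pattern is the page's /usr/sbin/sw*.

```python
# Added example (not from any of the advisories): find files matching a glob that
# carry the set-user-id bit and are owned by owner_uid (root by default), and
# optionally clear the bit. Run with dry_run=True first to review the list.
import glob
import os
import stat


def find_setuid(pattern: str, owner_uid: int = 0):
    """Return regular files matching pattern that are setuid and owned by owner_uid."""
    hits = []
    for path in sorted(glob.glob(pattern)):
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # skip symlinks, directories and devices
        if st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
            hits.append(path)
    return hits


def strip_setuid(pattern: str, owner_uid: int = 0, dry_run: bool = True):
    """Clear the setuid bit on each hit; returns the paths that were (or would be) changed."""
    changed = []
    for path in find_setuid(pattern, owner_uid):
        if not dry_run:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            os.chmod(path, mode & ~stat.S_ISUID)
        changed.append(path)
    return changed


if __name__ == "__main__":
    import sys
    pat = sys.argv[1] if len(sys.argv) > 1 else "/usr/sbin/sw*"
    for p in strip_setuid(pat, dry_run=True):
        print("setuid root:", p)
```

Running it as root with dry_run=False is what actually removes the bit; the default invocation only reports.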
NetCode NC Book is a guest book application written in Perl. A bug in NetCode NC Book can be exploited to execute arbitrary code with the permissions of the user executing the Web server.
This problem is a good example of how a little Web server application can leave a giant hole in a server, and why each application should be carefully chosen and inspected prior to use.
It is also a reminder of why administrators need to secure machines that run a Web server but do not have users on them. Any CGI application that runs on a Web server has the potential to give an attacker command line access.