Security Alerts

Buffer Overflow in WU FTP daemon

12/03/2001

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in wu-ftpd, Open Unix and UnixWare's xlock, and NetBSD's line printer daemon; and problems in Red Hat Linux's makewhatis, UUCP, gnupg, Oracle's dbsnmp, procmail, Mandrake Linux's teTex, Hypermail, and SafeWord PremierAccess.

Wu-Ftpd

The Washington University FTP daemon, wu-ftpd, has a buffer overflow that a remote attacker can use to execute arbitrary code on the server with root privileges. Exploiting it requires an FTP login: either a valid user account or the anonymous account where anonymous access is enabled. Many Linux distributions ship wu-ftpd and are vulnerable, including Red Hat Linux 5.2, 6.0, 6.1, 6.2, 7.0, 7.1, and 7.2; Linux Mandrake 6.0, 6.1, 7.0, 7.1, 7.2, 8.0, 8.1, and Corporate Server 1.0.1; OpenLinux Server 3.1 and Workstation 3.1; Conectiva Linux 4.0, 4.0es, 4.1, 4.2, 5.0, 5.1, 6.0, and 7.0; Debian Linux 2.2; and SuSE Linux 6.1, 6.2, 6.3, and 6.4.

If wu-ftpd is configured to use RFC 931 authentication and debug mode, it is vulnerable to a format-string vulnerability that may be exploitable by a remote attacker to execute code as root. To exploit this vulnerability, the attacker must be able to log in as a user or as the anonymous account and must control or imitate the ident server to which wu-ftpd sends the ident request.
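The bug class behind the ident problem is worth seeing in code. The following is an added example written for this column, not wu-ftpd source: a logging routine that passes the ident reply straight in as the format argument, next to the fixed form that uses a constant format. The ident reply used is constructed, and it deliberately contains only "%%" so that the demonstration has defined behaviour; a real attacker supplies %x- and %n-style directives, which read and write memory through exactly the same mechanism.

```c
/* Added example, not wu-ftpd code: the format-string bug class described
 * above, using a constructed ident reply as the remote input. */
#include <stdio.h>
#include <string.h>

#define LOG_MAX 256

/* Vulnerable pattern: the remote ident text is passed as the format
 * argument (as in syslog(LOG_DEBUG, ident)), so any '%' directives it
 * contains drive the formatter instead of being logged literally. */
int log_ident_vulnerable(char *out, size_t outlen, const char *ident)
{
    const char *fmt = ident;            /* attacker-controlled format */
    return snprintf(out, outlen, fmt);
}

/* Fixed pattern: a constant format string; the remote text is only an
 * argument and is copied verbatim whatever it contains. */
int log_ident_fixed(char *out, size_t outlen, const char *ident)
{
    return snprintf(out, outlen, "%s", ident);
}

/* Returns 1 if the logging routine changed the remote text, i.e. it was
 * interpreted as a format rather than copied as data. */
int format_was_interpreted(int (*logfn)(char *, size_t, const char *),
                           const char *ident)
{
    char buf[LOG_MAX];
    logfn(buf, sizeof buf, ident);
    return strcmp(buf, ident) != 0;
}

int main(void)
{
    /* Constructed ident reply. Only "%%" is used so the run has defined
     * behaviour; %x/%n directives would read or write memory the same way. */
    const char *ident = "113, 21 : USERID : UNIX : 50%%off";
    char buf[LOG_MAX];

    log_ident_vulnerable(buf, sizeof buf, ident);
    printf("vulnerable logged: %s\n", buf);   /* "...50%off": directive consumed */
    log_ident_fixed(buf, sizeof buf, ident);
    printf("fixed logged:      %s\n", buf);   /* "...50%%off": copied as data */
    return 0;
}
```

Compilers flag the vulnerable form with -Wformat-security; building daemons with that warning turned into an error catches this class before it reaches a debug log that a remote ident server can feed.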

Affected users should contact their vendor for an updated wu-ftpd package that fixes both problems. Administrators of systems that do not need an FTP daemon should disable or remove the software.

Red Hat makewhatis

Red Hat Linux's makewhatis command has a bug that can be exploited to overwrite or create arbitrary files with root permissions.

Users should watch Red Hat for a patch for this problem.

Open Unix and UnixWare xlock

The xlock X Window screen locker utility supplied with Open Unix 8.0.0 and UnixWare 7 versions 7.1.0 and 7.1.1 has a buffer overflow that can be exploited by a local attacker to gain root access.

Caldera recommends that users remove the set user id bit from xlock until it has been replaced with the repaired version.

UUCP

Vulnerabilities have been reported in Red Hat's and BSDI's UUCP applications that can be used to execute commands with the uucp user's account permissions. Access to the uucp account can, under some circumstances, be leveraged into root access on the machine.

Users should watch their vendor for a patch for this problem, and should consider removing or disabling uucp if it is not needed.

gnupg

gnupg, the GNU Privacy Guard, has a format-string vulnerability that can be used by an attacker to execute arbitrary commands with the permissions of the user executing gnupg.

It is recommended that users contact their vendor for an update.

Oracle dbsnmp

The Oracle dbsnmp command has several vulnerabilities that can be exploited to execute arbitrary commands, and to change the ownership and permissions of arbitrary files, with the privileges of the Oracle system account. dbsnmp can be made to execute programs from the wrong directory; it runs chown and chmod without verifying their paths; and by manipulating the ORACLE_HOME environment variable an attacker can make it execute arbitrary commands. If dbsnmp is installed set user id root, these vulnerabilities can be exploited to gain root access.

Oracle recommends that users remove the set user id bit from dbsnmp and download and apply the patch for this vulnerability.
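The dbsnmp problems are one instance of a general rule: a privileged program must not let the caller's environment decide which files it executes. The first-choice fix is to ignore variables such as ORACLE_HOME altogether and use compiled-in absolute paths with a fixed PATH. Where a program must still honour such a variable, it should validate it before building anything from it. The example below is added for this column and is not Oracle code; the allowed prefix /opt/oracle and the tool name "helper" are placeholders, not Oracle's actual layout or program names.

```c
/* Added example, not Oracle code: validating an environment-supplied
 * installation directory before a privileged helper builds paths from it.
 * Prefer compiled-in absolute paths; use this only when the variable
 * cannot be ignored. /opt/oracle and "helper" are assumed placeholders. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 only if home is an absolute, normalised path made of safe
 * characters that lies under allowed_prefix (no trailing slash). */
int oracle_home_is_trusted(const char *home, const char *allowed_prefix)
{
    size_t plen = strlen(allowed_prefix);
    const char *p;

    if (!home || home[0] != '/' || plen == 0)
        return 0;

    /* Conservative character set: no spaces, quotes or shell metacharacters,
     * so the value stays harmless even if it is ever handed to a shell. */
    for (p = home; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr("/_.-", *p))
            return 0;

    /* Walk each '/'-separated component; reject empty, "." and ".." ones,
     * which also rejects "//" and a trailing '/'. */
    for (p = home; *p == '/'; ) {
        const char *seg = p + 1;
        size_t len = strcspn(seg, "/");
        if (len == 0 || (len == 1 && seg[0] == '.') ||
            (len == 2 && seg[0] == '.' && seg[1] == '.'))
            return 0;
        p = seg + len;               /* at the next '/' or at the NUL */
    }

    /* Prefix match on a path boundary: "/opt/oraclefake" must not pass. */
    if (strncmp(home, allowed_prefix, plen) != 0)
        return 0;
    return home[plen] == '\0' || home[plen] == '/';
}

/* Returns "<home>/bin/<tool>" in a static buffer, or NULL if home failed
 * validation, tool is not a bare name, or the result would not fit. */
const char *tool_path(const char *home, const char *allowed_prefix,
                      const char *tool)
{
    static char buf[512];
    int n;

    if (!oracle_home_is_trusted(home, allowed_prefix))
        return NULL;
    if (tool[0] == '\0' || strchr(tool, '/'))
        return NULL;
    n = snprintf(buf, sizeof buf, "%s/bin/%s", home, tool);
    return (n < 0 || (size_t)n >= sizeof buf) ? NULL : buf;
}

int main(void)
{
    /* Constructed ORACLE_HOME values an attacker might set. */
    const char *samples[] = {
        "/opt/oracle/product/8.1.7",       /* legitimate install */
        "/tmp/attacker",                   /* outside the prefix */
        "/opt/oracle/../../tmp/attacker",  /* traversal */
        "/opt/oracle/x; id",               /* shell metacharacters */
        "/opt/oraclefake",                 /* prefix without a boundary */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *path = tool_path(samples[i], "/opt/oracle", "helper");
        printf("%-34s -> %s\n", samples[i], path ? path : "rejected");
    }
    return 0;
}
```

Even with this check in place, the program should execute the resulting path with execve and an explicitly constructed environment rather than through a shell, and should never search PATH for chown, chmod or any other helper while running with elevated privileges.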

procmail

Some versions of procmail have a vulnerability that an attacker can trigger by delivering particular signals to the process. If procmail is installed set user id, this can be exploited to gain additional privileges.

It is recommended that affected users upgrade procmail to version 3.20 (unstable) or version 3.15.2.

Mandrake teTex

The teTex print filters that are used when printing .dvi files with the lpr daemon under Mandrake Linux 7.1, 7.2, 8.0, 8.1, and Corporate Server 1.0.1 have a problem that may be used by an attacker to gain additional privileges.

Mandrakesoft recommends that affected users update their teTex packages as soon as possible.

Hypermail

Hypermail converts email into HTML pages and is often used to create Web archives of mailing lists. Attachments are written to disk under the file name given in the message, including its extension. An attacker who can post to an archived list can therefore create a file of chosen name and content on the Web server hosting the archive, for example one containing server-side include directives or an executable CGI script. This can be exploited to execute arbitrary commands on the server with the permissions of the user running the Web server.
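The fix for this class of problem is to never trust a sender-supplied file name. The following is an added example for this column, not Hypermail code: a routine that strips directory components, restricts the character set, refuses a leading dot, and neutralises every dot-separated segment that names a type the web server might execute or parse. The list of dangerous extensions is an assumption and should match the handlers actually enabled on the archive host; the sample names are constructed.

```c
/* Added example, not Hypermail code: derive a safe on-disk name for a MIME
 * attachment so that a mail sender cannot plant a file the web server
 * would execute or parse (CGI, server-side includes, .htaccess). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Extensions the web server may treat as executable or parsable. Assumed
 * list; extend it to match the handlers enabled on the archive host. */
static const char *const exec_ext[] = {
    "shtml", "shtm", "stm", "cgi", "pl", "php", "php3", "phtml", "asp", "sh", NULL
};

/* Case-insensitive test of a name segment of length len against exec_ext. */
static int is_exec_ext(const char *s, size_t len)
{
    for (size_t i = 0; exec_ext[i]; i++) {
        size_t k;
        if (strlen(exec_ext[i]) != len)
            continue;
        for (k = 0; k < len; k++)
            if (tolower((unsigned char)s[k]) != (unsigned char)exec_ext[i][k])
                break;
        if (k == len)
            return 1;
    }
    return 0;
}

/* Writes a sanitised name into out. Returns 0 on success, -1 if out is too small. */
int safe_attachment_name(const char *orig, char *out, size_t outlen)
{
    const char *base = orig, *p;
    size_t n = 0;
    char *seg;

    if (outlen < 16)
        return -1;

    /* 1. Drop any directory part, whichever separator the sender used. */
    for (p = orig; *p; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;

    /* 2. Keep only [A-Za-z0-9._-]. A leading dot is not allowed, which
     *    rules out hidden files such as .htaccess and the names "." and "..". */
    for (p = base; *p && n + 1 < outlen; p++) {
        unsigned char c = (unsigned char)*p;
        if (isalnum(c) || c == '-' || c == '_')
            out[n++] = (char)c;
        else if (c == '.' && n > 0)
            out[n++] = '.';
        else
            out[n++] = '_';
    }
    out[n] = '\0';
    if (n == 0) {
        strcpy(out, "attachment");
        return 0;
    }

    /* 3. Neutralise every dot-separated segment that names an executable
     *    type. Checking only the final extension is not enough: Apache's
     *    mod_mime honours each extension in a name, so "x.php.txt" can
     *    still be handed to the PHP handler. */
    for (seg = strchr(out, '.'); seg; ) {
        char *next = strchr(seg + 1, '.');
        size_t len = next ? (size_t)(next - seg - 1) : strlen(seg + 1);
        if (is_exec_ext(seg + 1, len))
            *seg = '_';                  /* "evil.cgi" -> "evil_cgi" */
        seg = next;
    }
    return 0;
}

/* Convenience wrapper returning a static buffer (NULL on failure). */
const char *sanitized(const char *orig)
{
    static char buf[128];
    return safe_attachment_name(orig, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    /* Constructed attachment names of the kind a hostile sender might use. */
    const char *samples[] = {
        "../../cgi-bin/evil.cgi", "report.SHTML", "x.php.txt",
        ".htaccess", "my file (1).doc", "photo.jpg",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i], sanitized(samples[i]));
    return 0;
}
```

Renaming is only half of the defence: the archive directory should also be served with CGI execution, server-side includes and per-directory configuration files switched off, so that a name the filter did not anticipate still cannot be executed.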

Users should watch for a version of Hypermail that repairs this vulnerability.

SafeWord PremierAccess

Secure Computing's SafeWord PremierAccess application contains a modified SSH server that is vulnerable to the CRC-32 compensation attack that was reported last month in Security Alerts. It has been reported that this vulnerability in SafeWord PremierAccess is being actively exploited.

Users should contact Secure Computing for an updated SSH server or replace the supplied SSH server with OpenSSH.

NetBSD Line Printer Daemon

The NetBSD line printer daemon, lpd, has a remotely exploitable buffer overflow that can be used to gain increased privileges. On NetBSD 1.3 and later, the line printer daemon is disabled by default.

It is recommended that users patch the line printer daemon or upgrade their system.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

