

Security Alerts: Slapper Worm

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories.

In this column, we look at the Linux Slapper worm; a large set of vulnerabilities in NetBSD; and problems in OS X's nidump, DB4Web, joe, BRU Workstation, xbreaky, and Tru64/OSF1 version 3.x.

The Slapper Worm (OpenSSL Library Vulnerability)

A network worm written to attack Linux machines running Apache is spreading. The worm uses vulnerabilities in the OpenSSL library (see below), used by mod_ssl, to spread. After breaking into a machine using the vulnerability in OpenSSL, the worm installs a distributed denial-of-service attack client on the machine and then starts to scan for other vulnerable systems.

There are four buffer overflows in the OpenSSL library that can be remotely exploited to execute arbitrary code or used in a denial-of-service attack against the application linked to the library.

Users should upgrade their OpenSSL library to version 0.9.6e or newer as soon as possible.

The library can, under some conditions, be manipulated into opening user-controlled libraries while executing a set user id application. Under some circumstances, this can be exploited to gain additional privileges.

It is recommended that users upgrade to a repaired version of the library as soon as possible. SuSE has released a new xf86 package that repairs this problem.


Buffer Overflows in Tru64/OSF1

Three buffer overflows have been reported that affect applications distributed with Tru64/OSF1 version 3.x. The buffer overflows are in uucp, the mail utility inc, and dxterm. They are reported to be exploitable by local attackers to gain root-level access.

HP recommends that all users upgrade to Tru64 Unix V5.1 and apply all of the recommended patches. Removing the set user id bits from these three applications will protect against an attack, but will cause problems in their operation.

OS X nidump

The OS X nidump utility is reported to be usable by any user to get a listing of the encrypted passwords on the system. The user could then attempt to brute force the passwords using a password cracking tool.

Affected users can change the permissions on the nidump utility so that only a restricted set of users (perhaps just root) is able to run it.

DB4Web Problems

IBM's DB4Web product can be manipulated into making arbitrary TCP/IP connections and may, under some circumstances, be used as a port scanner. When DB4Web is directed to connect to a host and port it should not be reaching, it generates an error page that, in addition to other information, reveals whether or not the connection was made.

Users of DB4Web should modify the default error page in such a way that it is no longer useful as a port scanner.

In addition, the DB4Web product can be exploited to view arbitrary files on the host.

IBM has released a patch for this problem and recommends that users apply it as soon as possible.


joe

When a file that has the set user id bit set in its permissions is edited with joe, a backup copy will be made that has the same permissions but is owned by the user executing joe. It is hard to see this as being a very large problem, unless it is combined with a successful social engineering attack on a system that allows set user id shell scripts. It does, however, illustrate one of the harder parts of writing secure code: thinking of everything.

This problem has been repaired in joe's CVS repository and concerned users should upgrade.
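The joe behaviour above is one instance of a general rule: a backup or temporary copy must not inherit the set-user-id or set-group-id bits of the original. The C code below is an example added to this column, not code from joe or from its fix. It copies a file into an exclusively created backup, then grants the copy the source's permission bits with the set-id bits masked off; the names BACKUP_MODE_MASK, backup_mode, make_backup and demo_joe_backup, and the constructed scenario in the last function, are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits a backup copy may inherit: rwx for owner/group/other plus
 * the sticky bit, never set-user-id or set-group-id. (Name is this example's own.) */
#define BACKUP_MODE_MASK (S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX)

/* The mode a backup of a file with mode src_mode should receive. */
mode_t backup_mode(mode_t src_mode)
{
    return src_mode & BACKUP_MODE_MASK;
}

/* Copy src to a newly created file dst. Returns 0 on success, -1 on error.
 * dst is opened with O_EXCL, so an existing file or symlink at that path is
 * refused rather than overwritten; it starts owner-only (0600) and is widened
 * to backup_mode() only after the contents are in place. */
int make_backup(const char *src, const char *dst)
{
    struct stat st;
    char buf[8192];
    ssize_t n;

    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    if (fstat(in, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(in);
        errno = EINVAL;
        return -1;
    }
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (out < 0) {
        close(in);
        return -1;
    }
    while ((n = read(in, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) goto fail;
            off += w;
        }
    }
    if (n < 0 || fchmod(out, backup_mode(st.st_mode)) < 0) goto fail;
    close(in);
    return close(out);

fail:
    close(in);
    close(out);
    unlink(dst);
    return -1;
}

/* Constructed scenario for this example: back up a file that carries the
 * set-user-id bit and return the backup's permission bits
 * (-1 on setup error, -2 if the contents were not copied faithfully). */
int demo_joe_backup(void)
{
    char src[] = "/tmp/joe_demo.XXXXXX";
    char dst[64];
    char buf[16] = {0};
    struct stat st;
    int rc = -1;

    int fd = mkstemp(src);
    if (fd < 0) return -1;
    /* Write first, then set the bit: a write by an unprivileged user clears
     * set-id bits on Linux. */
    if (write(fd, "hello\n", 6) != 6 || close(fd) < 0 || chmod(src, S_ISUID | 0755) < 0) {
        unlink(src);
        return -1;
    }
    snprintf(dst, sizeof dst, "%s.bak", src);
    if (make_backup(src, dst) == 0) {
        fd = open(dst, O_RDONLY);
        if (fd >= 0) {
            if (read(fd, buf, sizeof buf - 1) == 6 && strcmp(buf, "hello\n") == 0
                && stat(dst, &st) == 0)
                rc = (int)(st.st_mode & 07777);   /* expected 0755: set-id bit gone */
            else
                rc = -2;
            close(fd);
        }
    }
    unlink(dst);
    unlink(src);
    return rc;
}
```

The ownership question the column raises is handled by the same design: the copy is owned by whoever runs the editor, and because the set-id bits never reach it, that ownership cannot turn the backup into a privileged program.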

NetBSD 1.6

The NetBSD Security Officer has announced a large number of security vulnerabilities that have been fixed in NetBSD 1.6.

These security problems include:

  • a buffer overrun in the libc/libresolv DNS resolver;
  • repeated TIOCSCTTY ioctl calls can corrupt session hold counts;
  • multiple vulnerabilities in the OpenSSL code;
  • a symlink race in pppd;
  • a buffer overflow in the Sun RPC XDR decoder;
  • a buffer overrun in setlocale;
  • a bug in the NFS server code that allows remote denial of service;
  • an fd_set overrun in both the mbone tools and pppd;
  • shutdown on a TCP socket does not work as intended; and
  • multiple security issues with the kfd daemon.

They also state that there are security problems fixed in NetBSD 1.6 that have not been announced because they "involve third parties, and are awaiting disclosure co-ordination."

The NetBSD Security Officer recommends that users upgrade to NetBSD 1.6. Users who cannot upgrade should update to the current NetBSD-1.5 source, using anoncvs, and then rebuild. Users of NetBSD-current should upgrade to a version newer than September 11, 2002 and then rebuild. Once the system has been upgraded, users must: recompile all statically linked binaries, remove old shared libraries, remove shared libraries used for OS emulation under /emul, and ensure that a vulnerable version of kfd is not installed on the system. More details on these problems and their solutions are available from

BRU Workstation

BRU Workstation, a backup and restore tool, is vulnerable to a symbolic-link race condition that can be used to overwrite arbitrary files on the system, and can be used to gain root permissions under some conditions.

Users should watch for a repaired version of this tool.


xbreaky

xbreaky is a Breakout-style game written for X11. It is reported to be installed set user id root by default. If users run the game with root permissions, they can exploit the saving of high scores to overwrite any file on the system. Under OpenBSD and NetBSD, the game is reported to be installed without the set user id bit set.

It is recommended that affected users upgrade to version 0.0.5 of xbreaky as soon as possible, or remove the set user id bit.
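Both the BRU Workstation race and the xbreaky high-score overwrite come from a privileged program creating or writing a file at a path an unprivileged user can influence. The C code below is an example added to this column, not code from either program, and shows the two defensive measures those reports imply: give up the elevated user id before touching user-controlled paths, and create files exclusively so that a pre-planted symlink or file is refused rather than followed. The names drop_privileges, create_new_file, update_file and demo_symlink_defence, and the constructed temp-directory scenario, are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0   /* platforms without it: O_EXCL alone still refuses a symlink */
#endif

/* Give up set-user-id/set-group-id privileges for good, so every file the
 * program touches afterwards is opened with the invoking user's own rights
 * and the kernel enforces what that user may overwrite. */
int drop_privileges(void)
{
    if (setgid(getgid()) < 0 || setuid(getuid()) < 0) return -1;
    /* Paranoia check: an unprivileged user must not be able to regain root. */
    if (getuid() != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Create a brand-new file at path and write data into it. O_CREAT|O_EXCL fails
 * with EEXIST if anything already exists at path, including a symlink (dangling
 * or not), so a link planted by another user cannot redirect the write to a
 * file of that user's choosing. Returns 0, or -1 with errno set. */
int create_new_file(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    size_t len = strlen(data), off = 0;
    while (off < len) {
        ssize_t w = write(fd, data + off, len - off);
        if (w < 0) {
            int e = errno;
            close(fd);
            unlink(path);
            errno = e;
            return -1;
        }
        off += (size_t)w;
    }
    return close(fd);
}

/* Update an existing file (a high-score table, say) without ever writing
 * through its path: write a fresh exclusive sibling, then rename() it into
 * place. rename() replaces the directory entry itself, so even a symlink
 * sitting at path is replaced rather than followed. */
int update_file(const char *path, const char *data)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.new", path) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (create_new_file(tmp, data) < 0) return -1;
    if (rename(tmp, path) < 0) {
        int e = errno;
        unlink(tmp);
        errno = e;
        return -1;
    }
    return 0;
}

/* Constructed scenario for this example: a "victim" file and a symlink
 * "highscore" pointing at it are planted in a temp directory. Writing the
 * high-score file through the link must be refused and the victim left
 * untouched, while a fresh scores file can be created and then updated.
 * Returns 1 if the defence held, 0 if it did not, -1 on setup error. */
int demo_symlink_defence(void)
{
    char dir[] = "/tmp/xbreaky_demo.XXXXXX";
    char victim[128], link[128], scores[128], buf[16] = {0};
    int result = -1, fd;
    ssize_t n;

    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/highscore", dir);
    snprintf(scores, sizeof scores, "%s/scores", dir);

    if (create_new_file(victim, "secret\n") == 0 && symlink(victim, link) == 0) {
        int refused = (create_new_file(link, "overwritten\n") < 0 && errno == EEXIST);
        fd = open(victim, O_RDONLY);
        n = (fd < 0) ? -1 : read(fd, buf, sizeof buf - 1);
        if (fd >= 0) close(fd);
        int intact = (n == 7 && strcmp(buf, "secret\n") == 0);
        int fresh = (create_new_file(scores, "1000\n") == 0 && update_file(scores, "2000\n") == 0);
        result = (refused && intact && fresh) ? 1 : 0;
    }
    unlink(scores);
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}
```

The order matters: a set-user-id program calls drop_privileges() as early as possible and only then opens anything under a user's control, so that even a bug later in the file handling is confined to what that user could already do. A program that genuinely needs root for part of its work keeps that part short and never lets it write through a path chosen by the user.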

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
