Kernel DoS Vulnerability
by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at problems in the Linux kernel, rssh, Horde-IMP, GNU GNATS, gzip, ISC DHCP, and
Linux Kernel Denial-of-Service Attack
Linux kernels (2.4.2x and 2.6.x) are vulnerable to a denial-of-service attack that uses a series of frstor instructions to crash the system. The attacker must have the ability to execute an arbitrary application on the system to exploit this vulnerability. A C program that automates the exploitation of this vulnerability has been released to the public.
In addition, problems with the e1000 device driver can be exploited by a local attacker to read kernel memory.
New Linux kernel packages have been released for: EnGarde Secure Community 2, EnGarde Secure Professional v1.5, Mandrake Linux 9.1, Mandrake Linux 9.2, Mandrake Linux 10.0, Mandrake Multi Network Firewall 8.2, Mandrake Corporate Server 2.1, Red Hat Desktop version 3, Red Hat Enterprise Linux AS version 3, Red Hat Enterprise Linux ES version 3, Red Hat Enterprise Linux WS version 3, SuSE Linux Database Server, SuSE eMail Server III 3.1, SuSE Linux Enterprise Server 7, SuSE Linux Enterprise Server 8, SuSE Linux Firewall on CD/Admin host, SuSE Linux Connectivity Server, SuSE Linux Office Server, Trustix Secure Linux 2.0, Trustix Secure Linux 2.1, and Trustix Operating System: Enterprise Server 2. Users of other distributions should contact their vendors for upgrade packages or compile a repaired kernel from source code.
www-sql, a CGI application that allows the insertion of SQL statements inside of an HTML page, is reported to be vulnerable to a buffer overflow that can be exploited by anyone who can create a web page that will be parsed by www-sql. Successfully exploiting the buffer overflow will allow the attacker to execute arbitrary code with the same permissions as the web server.
Affected users should watch their vendors for a repaired version of www-sql. Debian has released a repaired version for woody and plans to also repair it
Super allows specific users to execute commands with root permissions, in a manner similar to sudo. A format-string-based vulnerability can be exploited, under some circumstances, by any local user to execute commands with root permissions.
It is recommended that any set user or group id bits be removed from Super until it has been repaired. In addition, users should consider whether the risks associated with this type of application are worth the convenience it provides. In most cases, problems solved by this type of application can be solved in a way that does not require root permissions.
rssh is a restricted shell for use with OpenSSH that can place a user in a chroot jail and only allows the use of sftp. A bug in rssh 2.0 through 2.1.x may be exploited to gather information about files outside the chroot jail. The bug is caused by rssh parsing its command-line arguments before creating the chroot jail.
Users should upgrade to version 2.2.1 of rssh, but it should be noted that the author of rssh has stated that no additional development of rssh is planned.
The web-based Horde-IMP mail client is vulnerable to a web-browser scripting attack due to not properly sanitizing email content. The attacker sends the victim a carefully crafted email containing a script that, when viewed, will execute in the victim's browser and can result in the attacker gaining access to the victim's account or the compromise of cookies.
It is recommended that all administrators of machines with Horde-IMP installed upgrade to version 3.2.4 as soon as possible.
GNU GNATS, a suite of tools for centralized bug tracking, is reported to be vulnerable to a format-string-based attack that may, under some conditions, be exploitable by an attacker to execute arbitrary code.
Affected users should watch for a repaired version.
gzip (a.k.a. GNU Zip)
gzip is a compression program, designed as a replacement for compress, that has a much better compression algorithm that is not patented. A script named gzexe, distributed with gzip, is reported to contain a bug that, under some conditions, can cause arbitrary commands to be executed.
Users should watch for a repaired version of gzip and should consider not using gzexe in a manner that could allow an attacker to exploit it.
A buffer overflow in the logging code of the ISC DHCP daemon can be used in a denial-of-service attack and may, under some circumstances, be exploitable by a remote attacker to execute arbitrary code with the permissions of the user running the daemon (in many cases, root).
The ISC DHCP daemon can, when compiled on a system that does not supply the vsnprintf() function, use the less secure vsprintf() function, which results in the daemon being vulnerable to a buffer overflow that can crash the daemon and may be exploitable to execute arbitrary code.
Both ISC DHCPD 3.0.1rc12 and 3.0.1rc13 are reported to be vulnerable.
Mandrake has released a patched version of the ISC DHCP daemon for Mandrake Linux 10.0 and 9.2. Affected users of other distributions should watch their vendors for a repaired DHCP package.
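The vsprintf() versus vsnprintf() distinction behind the DHCP advisory, as an added example written for this column rather than code from ISC's daemon. log_unbounded() shows the pattern the advisory describes, log_bounded() the bounded replacement, and format_client_line() is a hypothetical log line with a client-supplied hostname; the buffer size and the sample hostnames are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 64   /* deliberately small so truncation is easy to reach */

/* Pattern the advisory describes: vsprintf() takes no buffer length, so a
 * client-controlled field longer than the buffer writes past its end.
 * Kept for contrast only; never called with oversized input in this file. */
void log_unbounded(char *buf, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);          /* overflows if the expansion exceeds buf */
    va_end(ap);
}

/* Hardened pattern: vsnprintf() is told the buffer size and always writes a
 * terminating NUL. Returns 1 if the message had to be truncated, else 0. */
int log_bounded(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);
    return n < 0 || (size_t)n >= bufsz;
}

/* Hypothetical log line in the style of a DHCP server, where the hostname
 * comes straight from the client's packet. */
int format_client_line(char *buf, size_t bufsz, const char *hostname)
{
    return log_bounded(buf, bufsz, "DHCPDISCOVER from client %s", hostname);
}

int main(void)
{
    char buf[LOGBUF];
    char longname[200];                      /* constructed oversized hostname */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    log_unbounded(buf, "%s", "short");       /* fits, so safe to demonstrate */
    format_client_line(buf, sizeof buf, "host1");
    printf("%s\n", buf);
    if (format_client_line(buf, sizeof buf, longname))
        printf("truncated to %zu bytes instead of overflowing\n", strlen(buf));
    return 0;
}
```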
Sup is a remote file synchronization package. Sup is reportedly affected by a format-string vulnerability that may be exploitable by an attacker to execute arbitrary code with the permissions of the
Users should watch for a repaired package and should consider disabling Sup until it has been repaired. Debian has released repaired packages for
and will soon fix
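The format-string bug class shared by the Super, GNU GNATS and Sup reports, as an added example written for this column and not taken from any of those projects. log_vulnerable() is the shape of the defect (untrusted data used as the format), log_fixed() the one-token fix, and has_format_directive() is a hypothetical audit helper for flagging input that a printf-family function would interpret; the sample string is constructed.

```c
#include <stdio.h>
#include <string.h>

/* The defect: an untrusted string is passed as the format itself, so any
 * '%' directives inside it are interpreted rather than printed. Shown for
 * contrast; only called here with a constant that contains no directives. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
void log_vulnerable(char *out, size_t n, const char *untrusted)
{
    snprintf(out, n, untrusted);        /* untrusted data used as format */
}
#pragma GCC diagnostic pop

/* The fix: the format is a constant and the untrusted text is an argument
 * to "%s", so its '%' characters are copied through verbatim. */
void log_fixed(char *out, size_t n, const char *untrusted)
{
    snprintf(out, n, "%s", untrusted);
}

/* Audit helper: does the string contain something a printf-family function
 * would treat as a conversion directive? "%%" is a literal percent sign and
 * is skipped. Returns 1 if a directive is found, 0 otherwise. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        const char *p = s + 1;
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p && strchr("diouxXeEfFgGaAcspn", *p))
            return 1;
    }
    return 0;
}

int main(void)
{
    char out[128];
    const char *sample = "user entered %s%n";      /* constructed input */
    log_vulnerable(out, sizeof out, "plain text");  /* no directives: harmless */
    log_fixed(out, sizeof out, sample);
    printf("logged verbatim: %s\n", out);
    printf("directive present: %d\n", has_format_directive(sample));
    return 0;
}
```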
Return to LinuxDevCenter.com