Problems in GProFTPD
by Noel Davis
Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in GProFTPD,
bsmtpd, Uim, phpMyAdmin, Vim, Cyrus IMAPd, the Kodak Color Management System on Solaris, Arkeia Network Backup,
curl, and PuTTY.
GProFTPD
GProFTPD is an administration utility, based on GTK+, for the ProFTPD FTP daemon. The gprostats log-parsing tool distributed with GProFTPD contains a format-string vulnerability that, under some conditions, can be exploited by a remote attacker and result in arbitrary code being executed on the victim's machine. Because the bug is in the log parser, the attacker's input has to reach it through the log that gprostats reads rather than through any direct connection to the tool.
It is recommended that users of GProFTPD upgrade to version 8.1.9.
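The following is an added example, not code from gprostats or GProFTPD. It parses a ProFTPD-style transfer-log line and renders a report line while observing the one rule that closes this class of bug: log data is only ever passed as an argument to a fixed format string, never used as the format itself. The xferlog field layout assumed here (five date tokens, then transfer time, host, size, file name, and so on, with the user name in the fourteenth field) and the sample line are assumptions constructed for the example; fmt_directive_count is a small triage helper, not anything the gprostats fix contains.

```c
/* Added example (not gprostats/GProFTPD code): format-string-safe handling
 * of an FTP transfer log. Assumed layout: whitespace-separated xferlog
 * fields, date in the first five tokens, user name in field 13 (0-based). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct xfer {
    char host[64];
    char user[64];
    char path[256];
    long bytes;
};

/* Constructed sample: an upload whose file name carries "%n" directives. */
static const char SAMPLE_LINE[] =
    "Mon Mar  7 10:32:00 2005 1 10.0.0.5 1024 /pub/%n%n%n.txt b _ o r alice ftp 0 * c";

/* Number of '%' sequences printf would interpret ("%%" prints a literal %).
 * A non-zero count on a log field is the triage signal for this bug class. */
int fmt_directive_count(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Split one xferlog line into its whitespace-separated fields and keep the
 * ones a report needs. Returns 1 on success, 0 on a malformed line. */
int parse_xferlog(const char *line, struct xfer *x)
{
    char buf[1024];
    char *fields[32];
    char *tok;
    int n = 0;

    if (strlen(line) >= sizeof buf) return 0;
    strcpy(buf, line);                       /* strtok modifies its input */
    for (tok = strtok(buf, " \t\r\n"); tok != NULL && n < 32; tok = strtok(NULL, " \t\r\n"))
        fields[n++] = tok;
    if (n < 14) return 0;                    /* date(5) ... user name is field 13 */

    /* "%s" with a bounded snprintf: truncation instead of overflow */
    snprintf(x->host, sizeof x->host, "%s", fields[6]);
    x->bytes = strtol(fields[7], NULL, 10);
    snprintf(x->path, sizeof x->path, "%s", fields[8]);
    snprintf(x->user, sizeof x->user, "%s", fields[13]);
    return 1;
}

/* The vulnerable shape would be snprintf(out, n, x->path): with the sample
 * line that hands "%n%n%n" to the format parser. Here every log-derived
 * value is an argument, so "%n" in a file name stays literal bytes. */
int render_report(char *out, size_t n, const struct xfer *x)
{
    return snprintf(out, n, "%s %s %ld %s", x->host, x->user, x->bytes, x->path);
}

int main(void)
{
    struct xfer x;
    char out[512];

    if (!parse_xferlog(SAMPLE_LINE, &x)) {
        fputs("malformed line\n", stderr);
        return 1;
    }
    render_report(out, sizeof out, &x);
    puts(out);   /* 10.0.0.5 alice 1024 /pub/%n%n%n.txt */
    if (fmt_directive_count(x.path) > 0)
        printf("warning: file name carries %d format directive(s)\n",
               fmt_directive_count(x.path));
    return 0;
}
```

The same rule applies to syslog(), fprintf() and any wrapper that takes a format: if a compiler flag such as -Wformat-security warns about a non-literal format in a log parser, that warning is the bug.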
bsmtpd
bsmtpd, a batch emailer that works with postfix, is reported not to properly sanitize email addresses parsed during mail delivery. An attacker can craft a list of email addresses that exploits this problem and causes arbitrary commands to be executed as the user running bsmtpd. Users of bsmtpd should watch their vendors for a repaired version.
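The following is an added example, not bsmtpd's code. It shows the two halves of a fix for this class of bug: validating each address on a delivery list, and then invoking the delivery program with a fixed argv and no shell, so that an address containing shell metacharacters is just one argument. The delivery program's acceptance of "--" to end option parsing is an assumption, /bin/echo stands in for the real program, and the address list is constructed for the example.

```c
/* Added example (not bsmtpd code): address validation plus shell-free
 * delivery. "--" as end-of-options and /bin/echo as the program are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ADDR 254
#define MAX_LOCAL 64

/* RFC 5321 atext plus '.' for the local part. This legitimately includes
 * shell metacharacters (` $ | & ! ' ...), which is the point: a syntax
 * check cannot make an address safe for a shell, so the shell has to go. */
static int local_char_ok(unsigned char c)
{
    return c != '\0' && (isalnum(c) || strchr("!#$%&'*+-/=?^_`{|}~.", c) != NULL);
}

/* Domain: labels of letters, digits and '-', joined by single dots. */
static int domain_ok(const char *d)
{
    size_t len = strlen(d);
    if (len == 0 || len > 253) return 0;
    if (d[0] == '.' || d[0] == '-' || d[len - 1] == '.' || d[len - 1] == '-') return 0;
    if (strstr(d, "..") != NULL) return 0;
    for (; *d; d++)
        if (!isalnum((unsigned char)*d) && *d != '-' && *d != '.') return 0;
    return 1;
}

/* 1 if addr may be passed to the delivery program, else 0. Rejects
 * whitespace, control characters and separators such as ';' (not atext),
 * a malformed local part or domain, and a leading '-' so the address can
 * never be taken for a command-line option. */
int address_is_safe(const char *addr)
{
    size_t len = strlen(addr);
    const char *at, *p;

    if (len == 0 || len > MAX_ADDR || addr[0] == '-') return 0;
    at = strrchr(addr, '@');
    if (at == NULL || at == addr || (size_t)(at - addr) > MAX_LOCAL) return 0;
    if (addr[0] == '.' || at[-1] == '.') return 0;
    for (p = addr; p < at; p++) {
        if (!local_char_ok((unsigned char)*p)) return 0;
        if (*p == '.' && p[1] == '.') return 0;
    }
    return domain_ok(at + 1);
}

/* Hand one address to prog as a single argv element after "--", with no
 * shell in between: whatever bytes the address holds, it stays one argument.
 * Returns the child's exit status, or -1 if the address is rejected or the
 * child could not be run. */
int deliver_with(const char *prog, const char *addr)
{
    char *const argv[] = { (char *)prog, "--", (char *)addr, NULL };
    int status;
    pid_t pid;

    if (!address_is_safe(addr)) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(prog, argv);
        _exit(127);                       /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed delivery list: the last three are the payload shapes a
     * shell-based delivery would have executed. */
    static const char *list[] = {
        "alice@example.com",
        "`id`@example.com",               /* valid atext; harmless without a shell */
        "bob@example.com; rm -rf /",
        "carol@example.com|mail x",
        "-oQ/tmp/evil@example.com",       /* option injection attempt */
    };
    size_t i;

    for (i = 0; i < sizeof list / sizeof list[0]; i++) {
        if (address_is_safe(list[i]))
            printf("accept %-30s exit=%d\n", list[i], deliver_with("/bin/echo", list[i]));
        else
            printf("reject %s\n", list[i]);
    }
    return 0;
}
```

Note that "`id`@example.com" is accepted: it is a syntactically valid address, and because execv() passes it as one argument it is also harmless. The same address handed to system() or popen() would run id.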
Uim
The multilingual input method library Uim trusts all environment variables unconditionally. If Uim is linked into a set user id application, a local attacker can exploit this to execute arbitrary code with the permissions of the user account under which the application runs. The only set user id configuration reported to be vulnerable is Qt applications built with immodule for Qt. This problem affects all versions of Uim except 0.4.5.1 and 0.4.6beta1.
It is recommended that all affected users of Uim upgrade to version 0.4.5.1 or newer as soon as possible.
phpMyAdmin
The web-based MySQL database administration tool phpMyAdmin contains file inclusion bugs that, if exploited, allow an attacker to include and view arbitrary files. phpMyAdmin is also vulnerable to cross-site scripting attacks. The file inclusion bugs are located in the files css/phpmyadmin.css.php and libraries/database_interface.lib.php. These problems affect version 2.6.1 of phpMyAdmin.
All users of phpMyAdmin should upgrade to version 2.6.1-pl3 or newer as soon as possible and should ensure that phpMyAdmin is protected from unauthorized access using a .htaccess file or other access controls.
Vim (Vi Improved)
Vim is reported to be vulnerable, under some conditions, to a temporary-file, symbolic-link race condition that a local attacker may be able to exploit to overwrite arbitrary files on the system with the permissions of the user running Vim. The vulnerabilities are in the tcltags and vimspell.sh scripts supplied with Vim, not in the editor itself.
Users should watch their vendors for an updated version of Vim. Packages that repair this vulnerability and the modelines vulnerability reported in January 2005 have been released for Red Hat Linux and Ubuntu Linux.
Cyrus IMAPd
The Cyrus IMAPd daemon is vulnerable to several buffer overflows that may be exploited by a remote attacker who is authenticated as a user or an administrator, resulting in arbitrary code being executed with the permissions of the user running the IMAP daemon. The buffer overflows are in the code that handles the annotate extension, in the mailbox handling code, in fetchnews, in the back end, and in imapd. The buffer overflow in fetchnews can only be exploited by a peer news administrator.
The maintainers of Cyrus IMAPd have released version 2.2.11 to repair these buffer overflows.
Kodak Color Management System
The kcms_configure command, distributed on Sun Solaris systems as part of the Kodak Color Management System, is reported to be vulnerable to a temporary-file, symbolic-link race condition. A local attacker can exploit it to overwrite arbitrary files on the system with logging information that the attacker causes kcms_configure to generate by supplying an incorrect monitor profile argument. This problem affects Solaris 7, 8, and 9, but not Solaris 10.
Sun has released patches for Solaris 7, 8, and 9 on both the SPARC and x86 platforms. If the Kodak Color Management System is not being used, other options are to remove it or to remove the set user id root bit from kcms_configure.
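The Vim scripts and kcms_configure reports above describe the same bug: a privileged or victim-owned process writes to a predictable path under /tmp without checking whether something is already there. The following is an added example, not code from Vim, from the tcltags/vimspell.sh scripts, or from Sun. It stages the attack inside a throwaway directory (a victim file, an attacker-planted symlink at the predictable log path) and runs the vulnerable writer, the O_EXCL|O_NOFOLLOW writer, and a mkstemp() writer against it. The directory template and file names are made up for the example.

```c
/* Added example (not Vim's or Sun's code): the /tmp symlink race and its
 * fix, run inside a private directory under /tmp. Names are made up. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Write msg to an open descriptor and close it. */
static int write_and_close(int fd, const char *msg)
{
    ssize_t w = write(fd, msg, strlen(msg));
    close(fd);
    return w == (ssize_t)strlen(msg) ? 0 : -1;
}

/* Vulnerable shape: predictable path, O_CREAT without O_EXCL, symlinks
 * followed. If a local attacker has planted `path` as a symlink to a file
 * the victim can write, the "log" lands in that file. */
int write_log_unsafe(const char *path, const char *msg)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    return fd < 0 ? -1 : write_and_close(fd, msg);
}

/* Fixed: O_EXCL makes open() fail with EEXIST if anything, including a
 * symlink, already exists at `path`; O_NOFOLLOW refuses symlinks on its own. */
int write_log_safe(const char *path, const char *msg)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    return fd < 0 ? -1 : write_and_close(fd, msg);
}

/* Preferred: let mkstemp() choose an unpredictable name (it opens with
 * O_EXCL and mode 0600). template must end in XXXXXX and is rewritten. */
int write_log_mkstemp(char *template, const char *msg)
{
    int fd = mkstemp(template);
    return fd < 0 ? -1 : write_and_close(fd, msg);
}

static int read_small(const char *path, char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    ssize_t got = fd < 0 ? -1 : read(fd, buf, n - 1);
    if (fd >= 0) close(fd);
    if (got < 0) return -1;
    buf[got] = '\0';
    return 0;
}

/* Stage the race: victim file, attacker symlink at the predictable log
 * path, then each writer in turn. *clobbered = 1 if the unsafe writer
 * overwrote the victim; *refused = 1 if the safe writer failed with
 * EEXIST/ELOOP and left it intact. Returns 0 if the scenario ran and the
 * mkstemp writer succeeded, -1 on a setup error. */
int run_scenario(int *clobbered, int *refused)
{
    char dir[] = "/tmp/racedemo.XXXXXX";
    char victim[64], logpath[64], tmpl[64], buf[32];
    int rc = -1;

    *clobbered = *refused = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(logpath, sizeof logpath, "%s/kcms.log", dir);   /* predictable */
    snprintf(tmpl, sizeof tmpl, "%s/log.XXXXXX", dir);

    if (write_log_safe(victim, "secret") != 0) goto out;    /* victim's file */
    if (symlink(victim, logpath) != 0) goto out;            /* attacker's move */

    write_log_unsafe(logpath, "LOG");                        /* follows the link */
    if (read_small(victim, buf, sizeof buf) != 0) goto out;
    *clobbered = strcmp(buf, "LOG") == 0;

    if (write_log_unsafe(victim, "secret") != 0) goto out;   /* reset (no link here) */
    *refused = write_log_safe(logpath, "LOG") == -1 &&
               (errno == EEXIST || errno == ELOOP);
    if (read_small(victim, buf, sizeof buf) != 0) goto out;
    if (strcmp(buf, "secret") != 0) *refused = 0;

    rc = write_log_mkstemp(tmpl, "LOG");                     /* unpredictable name */
out:
    unlink(logpath); unlink(victim); unlink(tmpl); rmdir(dir);
    return rc;
}

int main(void)
{
    int clobbered, refused;
    if (run_scenario(&clobbered, &refused) != 0) {
        perror("scenario");
        return 1;
    }
    printf("unsafe writer overwrote victim file: %s\n", clobbered ? "yes" : "no");
    printf("safe writer refused the symlink:    %s\n", refused ? "yes" : "no");
    return 0;
}
```

For a setuid root program such as kcms_configure the second writer is the minimum fix; a randomized name on its own is not enough if the directory is world-writable and the open still follows symlinks, which is why mkstemp() combines both.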
Arkeia Network Backup
A new version of Arkeia Network Backup has been released to repair a buffer overflow that could be exploited by a remote attacker to gain root-level access to the server. Multiple scripts that automate the exploitation of this buffer overflow have been released to the public.
Arkeia strongly advises that anyone who uses Arkeia Network Backup on an untrusted network should upgrade to version 5.3.5 as soon as possible and should carefully read the Arkeia user manual's "Appendix B: System Security."
curl
The command line tool curl is used to transfer files using Internet protocols such as HTTP, HTTPS, FTP, FTPS, Gopher, DICT, and LDAP, and it supports many methods of authenticating to remote servers. When curl is used with NT LAN Manager (NTLM) authentication, it is vulnerable to a buffer overflow. The attacker must control the remote server that the user connects to using NTLM before the overflow can be exploited, so the exposure is on the client side, against untrusted or compromised servers. The bug is in libcurl, so applications linked against the library are affected as well as the command line tool.
It is recommended that all users of curl and libcurl upgrade to version 7.13.1 or newer or watch their vendors for an updated package.
PuTTY
PuTTY, a free Telnet and SSH client for Windows and Unix, is reported to contain buffer overflows in the PSCP and PSFTP clients that, under some circumstances, can be exploited by a remote attacker when the victim connects to an SFTP server under the attacker's control. Successful exploitation could result in arbitrary code being executed on the victim's machine.
All users of PuTTY should upgrade to version 0.57 or newer as soon as possible.
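The curl NTLM and PuTTY SFTP reports share a shape: a client copies a server-supplied, length-prefixed field into a fixed buffer and trusts the declared length. The following is an added example, not code from curl or PuTTY. It shows the vulnerable pattern next to a bounds-checked parser and walks two consecutive fields the way an SFTP readdir reply (file name, then long name) is read. The 4-byte big-endian length prefix is SFTP's string encoding and stands in for NTLM's 16-bit length fields; the encoder and every packet below are constructed for the example.

```c
/* Added example (not curl/PuTTY code): parsing server-supplied,
 * length-prefixed strings into fixed buffers. Packets are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64

static uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Build a packet: 4-byte length, then payload. declared_len need not match
 * the payload, which is exactly what a malicious server sends. */
size_t encode_string(unsigned char *dst, size_t dstsz, uint32_t declared_len,
                     const char *payload)
{
    size_t plen = strlen(payload);
    if (dstsz < 4 + plen) return 0;
    dst[0] = (unsigned char)(declared_len >> 24);
    dst[1] = (unsigned char)(declared_len >> 16);
    dst[2] = (unsigned char)(declared_len >> 8);
    dst[3] = (unsigned char)declared_len;
    memcpy(dst + 4, payload, plen);
    return 4 + plen;
}

/* Vulnerable shape (never called here): the declared length sizes the copy
 * with no reference to the destination, and `len + 4` is computed in 32-bit
 * unsigned arithmetic, so 0xFFFFFFFF wraps to 3 and passes the check. */
int read_string_unsafe(const unsigned char *pkt, size_t pktlen, char *out)
{
    uint32_t len = get_u32(pkt);
    if (len + 4 > pktlen) return -1;
    memcpy(out, pkt + 4, len);
    out[len] = '\0';
    return (int)len;
}

/* Hardened: the header must fit; compare against the bytes left after the
 * header (subtraction on a value we control, no wrap); cap at the caller's
 * buffer with room for the NUL; report bytes consumed so the caller can walk
 * to the next field. Returns the field length or -1. */
int read_string_safe(const unsigned char *pkt, size_t pktlen,
                     char *out, size_t outsz, size_t *consumed)
{
    uint32_t len;
    if (pktlen < 4 || outsz == 0) return -1;
    len = get_u32(pkt);
    if (len > pktlen - 4) return -1;   /* declared length exceeds payload */
    if (len >= outsz) return -1;       /* would not fit with terminator */
    memcpy(out, pkt + 4, len);
    out[len] = '\0';
    if (consumed) *consumed = 4 + (size_t)len;
    return (int)len;
}

/* Two consecutive fields, as an SFTP readdir entry carries filename then
 * longname. Returns 0 on success, -1 if either field is malformed. */
int read_pair(const unsigned char *pkt, size_t pktlen, char *a, char *b)
{
    size_t used = 0;
    if (read_string_safe(pkt, pktlen, a, FIELD_MAX, &used) < 0) return -1;
    if (read_string_safe(pkt + used, pktlen - used, b, FIELD_MAX, NULL) < 0) return -1;
    return 0;
}

int main(void)
{
    unsigned char pkt[256];
    char out[FIELD_MAX], a[FIELD_MAX], b[FIELD_MAX];
    size_t n;

    n = encode_string(pkt, sizeof pkt, 5, "hello");
    printf("honest length 5     -> %d\n", read_string_safe(pkt, n, out, sizeof out, NULL));
    n = encode_string(pkt, sizeof pkt, 0xFFFFFFFFu, "xxx");
    printf("length 0xFFFFFFFF   -> %d\n", read_string_safe(pkt, n, out, sizeof out, NULL));
    n = encode_string(pkt, sizeof pkt, 16, "ab");
    printf("length 16, 2 bytes  -> %d\n", read_string_safe(pkt, n, out, sizeof out, NULL));
    n = encode_string(pkt, sizeof pkt, 5, "f.txt");
    n += encode_string(pkt + n, sizeof pkt - n, 16, "-rw-r--r-- f.txt");
    if (read_pair(pkt, n, a, b) == 0)
        printf("readdir pair        -> \"%s\" / \"%s\"\n", a, b);
    return 0;
}
```

The ordering of the checks matters: test that the header fits before reading it, and compare the declared length against pktlen - 4 rather than computing len + 4, since the latter is where the integer wrap lives.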
Return to LinuxDevCenter.com