 Published on Linux DevCenter (http://www.linuxdevcenter.com/)

Security Alerts: Linux IP Masquerading

by Noel Davis
08/06/2001

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in xloadimage, ucd-snmp, Oracle dbsnmp, and xmcd's cda; and vulnerabilities in phpMyAdmin, wvdial, Slackware's man, Linux IP masquerading, and Slackware's locate.

phpMyAdmin

phpMyAdmin is vulnerable to an attack that can be used to execute arbitrary code with the permissions of the user running the Web server. For this vulnerability to be exploited, the attacker must have the ability to modify a table of a database.

Users should watch for an update to phpMyAdmin and should only grant access to trusted users. They should also consider removing all access to the software until a fixed version has been installed.

wvdial

wvdial, a dialer for modem-based connections, will under some circumstances create its configuration file with world-readable permissions. If wvdial's configuration file contains a password for the dialup connection, that password will be readable by any user on the system.

It is recommended that users restrict access to wvdial's configuration file or not place a password in the configuration file and instead use the Ask Password = 1 option.

xloadimage

xloadimage is an X Window image viewer used by Netscape to display TIFF, PNG, and Sun Raster images. It has a buffer overflow that can be used by an attacker to execute arbitrary code on the machine running Netscape, with the permissions of the user running Netscape. An exploit script for this buffer overflow has been released to the public. The attack is launched when the user opens a page containing the exploit code disguised as a TIFF image.

It is recommended that the lines in the pluggerrc file that reference xloadimage be commented out or that the application be upgraded to a repaired version.

Slackware man

Under Slackware 8.0 and possibly earlier versions, the directory permissions of the /var/man/cat* directories are world-writable. An attacker can create links in these directories that will cause the manual page reader man to execute arbitrary code as the user executing man.

Users should modify the /var/man/cat* directories so that they are not world-writable, and should inspect these directories for suspicious files.
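The following audit script is an added example (it is not code from the column) covering the two file-mode problems above: a configuration file that may hold a password, such as wvdial's, must not be readable by "other", and a manual-page cache directory, such as Slackware's /var/man/cat* directories, must not be writable by "other" and should contain no symbolic links. Every path is a parameter supplied by the caller; the script assumes nothing about fixed locations.

```shell
#!/bin/sh
# Added example, not code from the column. Audits a password-bearing
# config file for world-readability and cat directories for
# world-writability and planted symlinks, then applies the column's
# recommended fixes. All paths are caller-supplied.

# 0 if FILE has the other-read bit set. "find -prune" checks a single
# path without descending, and is POSIX.
world_readable() {
    [ -n "$(find "$1" -prune -perm -0004 -print 2>/dev/null)" ]
}

# 0 if DIR (or FILE) has the other-write bit set.
world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 -print 2>/dev/null)" ]
}

# Report a config file that any local user can read.
# Returns 1 on a finding so callers can script around it.
audit_secret_file() {
    if world_readable "$1"; then
        echo "WORLD-READABLE: $1"
        return 1
    fi
    return 0
}

# Report world-writable cat directories and any symbolic links found
# directly inside them. Returns 1 if anything was reported.
audit_cat_dirs() {
    rc=0
    for d in "$@"; do
        if world_writable "$d"; then
            echo "WORLD-WRITABLE: $d"
            rc=1
        fi
        for entry in "$d"/* "$d"/.*; do
            if [ -L "$entry" ]; then
                echo "SYMLINK: $entry -> $(readlink "$entry")"
                rc=1
            fi
        done
    done
    return $rc
}

# Remediations from the column: owner-only access for the secret file,
# and no other-write bit on the cache directories.
lock_secret_file() { chmod 600 "$1"; }
lock_cat_dirs()    { chmod o-w "$@"; }

# Usage (paths are placeholders):
#   audit_secret_file /etc/wvdial.conf || lock_secret_file /etc/wvdial.conf
#   audit_cat_dirs /var/man/cat*       || lock_cat_dirs /var/man/cat*
```

The audit functions only report; the lock functions change modes, so run the audit first and review the symlink lines before deciding what to remove. Removing the other-write bit stops new links from being planted but does not delete links already present.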

ucd-snmp

The ucd-snmp Simple Network Management Protocol daemon snmpd has a buffer overflow that may be exploitable to execute arbitrary code. On systems that install snmpd set user id or set group id, this vulnerability could be used by a local attacker to gain additional privileges. The buffer overflow has been reported to affect version 4.2.1. It is not known whether the buffer overflow is present in earlier versions.

It is recommended that any set user id or set group id bits be removed from snmpd until a fixed version has been installed.

Oracle dbsnmp

The dbsnmp binary that is distributed as part of Oracle has a buffer overflow in the code that handles the ORACLE_HOME environment variable. This buffer overflow may be exploitable to gain root privileges. Versions 8.1.5, 8.1.6, 8.1.7, and 9i of Oracle have been reported as being vulnerable.

Users should watch Oracle for a patch for this problem and should consider removing the set user id bit from dbsnmp or making it only executable by a group that only contains trusted users.

cda / xmcd

cda, a command line tool used with the xmcd X Window CD player, is vulnerable to both a buffer overflow and a symbolic-link attack. Systems that have cda installed set user id are vulnerable to an attacker gaining additional privileges or overwriting files on the system.

Users should upgrade to version 3.0 patch level 2 of xmcd as soon as possible or should remove any set user id bits from xmcd and cda.
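Three of the items above (snmpd, dbsnmp, and cda/xmcd) share the same interim advice: remove the set user id and set group id bits until a fixed version is installed. The script below is an added example, not code from the column or from any of those projects, that audits a caller-supplied list of binaries for those bits and clears them on request. The binary paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from the column. Reports set-user-id and
# set-group-id bits on the binaries named on the command line and can
# strip them, which is the column's interim mitigation for snmpd,
# dbsnmp, and cda/xmcd. Paths are caller-supplied.

# Print "setuid", "setgid" or "setuid,setgid" for FILE. Print nothing
# and return 1 when neither bit is set. "find -prune" tests one path
# without descending and -perm -4000 / -2000 are the two bits.
privileged_bits() {
    bits=""
    if [ -n "$(find "$1" -prune -perm -4000 -print 2>/dev/null)" ]; then
        bits="setuid"
    fi
    if [ -n "$(find "$1" -prune -perm -2000 -print 2>/dev/null)" ]; then
        bits="${bits:+$bits,}setgid"
    fi
    [ -n "$bits" ] || return 1
    echo "$bits"
}

# Audit every path given. Returns 1 if any carries a privileged bit,
# so the result can drive a cron job or a post-install check.
audit_suid() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING: $f"
            continue
        fi
        if b=$(privileged_bits "$f"); then
            echo "$b: $f"
            rc=1
        fi
    done
    return $rc
}

# Interim remediation: drop both bits. Fails if the caller cannot
# change the file's mode.
strip_suid() {
    chmod u-s,g-s "$@"
}

# Usage (placeholder paths, run as root):
#   audit_suid /usr/sbin/snmpd /usr/bin/cda || strip_suid /usr/sbin/snmpd /usr/bin/cda
```

Stripping the bits turns a privilege-escalation bug into an ordinary crash for the user running the program, but it also removes whatever the bit was there for (a set user id snmpd, for instance, may no longer be able to open its privileged port), so the column's advice to re-check once a fixed version ships still applies.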

Linux IP masquerading

Under some circumstances, a vulnerability in Linux IP masquerading can be used by an attacker to bypass a Linux-based firewall and gain access to a protected network. This new vulnerability is similar to an attack reported earlier this year that used the FTP protocol to open a hole through the firewall, but instead uses a flaw in the IRC DCC helper (the ip_masq_irc module).

Users of Linux IP masquerading should evaluate their security needs and consider options to increase the security of their firewall, such as configuring the NAT server to only allow a range of ports in connection requests (such as only ports above 1024) or not installing helper modules (such as ip_masq_irc) on their server.

Slackware locate

Under Slackware 8.0 and 7.1, the locate database is owned by the user nobody. If an attacker can execute commands as the user nobody, they can modify the locate database to execute arbitrary code when the locate command is executed by a user. Default Slackware systems execute the Web server as the user nobody, so any user who can execute CGI scripts would be able to modify the locate database. An exploit for this vulnerability has been released.

The nobody account was created as the account to which the root user is mapped under NFS, and it should not own any sensitive files. It is better practice to create a "www" or "web" account and use that to run the Web server or, in this example, to create a "locate" account and have it own the locate database.

Users of Slackware 8.0 and 7.1 that use locate should create an unprivileged account for locate and move the line that updates the database from the nobody user's crontab file to the new account. It is also suggested that the Web server be reconfigured to run under its own account.
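The account move described above, as an added example that is not code from the column or from Slackware: a small ownership check that can be run at any time, plus a root-only migration function that creates the account, transfers the database to it, and moves the update line between crontabs. The database path, the account name "locate", the crontab line, and the useradd and crontab flags are all assumptions for the local system.

```shell
#!/bin/sh
# Added example, not code from the column or from Slackware. Checks who
# owns the locate database and performs the account move the column
# recommends. The database path, account name and crontab line are
# placeholders; useradd/crontab flags are those of shadow-utils and
# Vixie-style cron (assumption; adjust for the local tools).

# Owner name of FILE, read from ls so it works on Linux and BSD alike.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# 0 when FILE is owned by EXPECTED and that owner is not "nobody", the
# NFS mapping account the column says should own nothing sensitive.
owned_by() {
    o=$(owner_of "$1") || return 1
    [ -n "$o" ] && [ "$o" = "$2" ] && [ "$o" != "nobody" ]
}

# Root-only migration: DB is the locate database, ACCT the unprivileged
# account to create, CRONLINE the update job currently in nobody's crontab.
migrate_locate() {
    db=$1; acct=$2; cronline=$3
    if ! id "$acct" >/dev/null 2>&1; then
        useradd -r -s /bin/false "$acct"
    fi
    chown "$acct" "$db"
    # Drop the update line from nobody's crontab ...
    crontab -u nobody -l 2>/dev/null | grep -v -F -- "$cronline" | crontab -u nobody -
    # ... and append it to the new account's crontab.
    { crontab -u "$acct" -l 2>/dev/null; echo "$cronline"; } | crontab -u "$acct" -
    # Confirm the hand-over before reporting success.
    owned_by "$db" "$acct"
}

# Usage (as root, placeholder values):
#   migrate_locate /var/lib/locate/locatedb locate '30 4 * * * /usr/bin/updatedb'
```

After the move, the database update runs under an account that nothing else uses, so a compromise of the Web server's nobody account no longer gives write access to a file every user's locate command reads. Giving the Web server its own account, as the column also suggests, follows the same pattern.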

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


Copyright © 2009 O'Reilly Media, Inc.