Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)

Security Alerts

Serious Problem with sendmail

08/27/2001

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a serious problem with sendmail; buffer overflows in HP-UX ftpd, UnixWare su, and AOLserver; and problems in procmail, phpSecurePages, HTTProtect, NetWin Authentication Module, Entrust GetAccess, Mathematica License Manager, HP JetDirect devices, SuSE sdb, Adobe Acrobat, Roxen WebServer, and SHOUTcast Server.

Sendmail

sendmail, a popular Mail Transfer Agent, has a locally exploitable vulnerability that can be used to execute commands as root. Exploit scripts have been released that automate this exploitation.

The Sendmail Consortium recommends that all affected users upgrade to version 8.11.6 as soon as possible and then restart sendmail.

procmail

The procmail mail handler does not handle signals properly. This problem can only be exploited by a local attacker.

Users should upgrade to procmail version 3.15.2 or 3.21 as soon as possible.

phpSecurePages

phpSecurePages, a PHP-based tool used to password protect web pages, can be exploited by a remote attacker to execute arbitrary code with the permissions of the user running the Web server.

It is recommended that users upgrade phpSecurePages to a version newer than 1.0.5.

HTTProtect

HTTProtect is designed to prevent unauthorized changes to files stored on an ext2 file system. A vulnerability has been found in HTTProtect that can be used under some circumstances to bypass its protections.

A patch for this vulnerability has been released by Omnisecure and users should install it as soon as possible.

HP-UX ftpd

There is a buffer overflow in the FTP daemon and client that was shipped with HP-UX versions 10.01, 10.10, 10.20, 11.00, and 11.11. The buffer overflow in the FTP daemon can be exploited to execute arbitrary code as the root user.

HP recommends that users apply the appropriate patch for their operating system as soon as possible.

NetWin Authentication Module

The NetWin Authentication Module that handles authentication for SurgeFTP, DMail, and so forth uses a weak encryption scheme and has several buffer overflows.

The encryption scheme is weak because the stored password hashes can be reversed, and more than one password can produce the same hash. A script has been released that generates passwords matching a given hash value. It is not known if any of the buffer overflows can be exploited.

Users should watch NetWin for an updated version of the NetWin Authentication Module that corrects these problems.

UnixWare su

The su command shipped with all versions of UnixWare 7 and version 8.0.0 of OpenUnix 8 is vulnerable to a buffer overflow that can be exploited to gain root privileges.

Caldera recommends that affected users update their su binaries as soon as possible.

Entrust GetAccess

Entrust GetAccess, a single sign-on system, has a vulnerability that under some circumstances can be used to execute arbitrary Java code on the GetAccess web server.

Users should watch Entrust for an update to GetAccess that fixes this vulnerability.

Mathematica License Manager

The Mathematica license manager is vulnerable to a trivial denial-of-service attack and can be spoofed so that it grants licenses to unauthorized machines.

A workaround for these problems is to block connections to port 16286 on the license machine from untrusted hosts.

HP JetDirect Devices

On some HP JetDirect products, when the administration password is set using the Web interface, the password on the telnet interface will not be set.

Administrators of HP JetDirect devices should ensure that the administration password is set both in the Web interface and in the telnet interface.

SuSE sdb

There is a problem in the Perl CGI script Sdbsearch.cgi (part of the SuSE sdb package) that can be used by a local attacker to execute arbitrary commands with the permissions of the user executing the Web server. This has been reported to affect SuSE versions 6.0, 6.1, 6.2, 6.3, 6.4, 7.0, 7.1, and 7.2. SuSE 7.1 and 7.2 use Perl's taint mode and are not currently thought to be exploitable.

SuSE recommends that all affected users upgrade their sdb package.

Adobe Acrobat

Adobe Acrobat creates a file named AdobeFnt.lst in the user's home directory and then sets its permissions to group- and world-writable. This problem has been reported for both the Linux and the Solaris versions of Adobe Acrobat.

A possible workaround is to write a wrapper script to fix the permissions of the file. Users should watch Adobe for a fix for this problem.
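As an added illustration of the wrapper-script workaround (this is not code from the column or from Adobe), the script below launches the reader and clears the group and world write bits on AdobeFnt.lst. It assumes the reader command is called `acroread` and that the file lives at `$HOME/AdobeFnt.lst`; both are overridable through environment variables, and the script file name `acroread-wrapper.sh` is likewise an assumption.

```shell
#!/bin/sh
# Hypothetical wrapper (not Adobe's code): run Acrobat Reader and keep the
# permissions of AdobeFnt.lst from staying group- or world-writable.
# Assumed defaults: reader binary "acroread", font list "$HOME/AdobeFnt.lst".

FONT_LIST="${ADOBEFNT_LST:-$HOME/AdobeFnt.lst}"
ACROREAD="${ACROREAD:-acroread}"

# writable_by_others FILE: succeeds (0) if FILE has the group or other
# write bit set. -prune keeps find from descending if FILE is a directory.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# fix_perms FILE: clear the group/other write bits. Succeeds if the file
# no longer carries them afterwards; a missing file counts as nothing to fix.
fix_perms() {
    [ -e "$1" ] || return 0
    if writable_by_others "$1"; then
        chmod go-w "$1" || return 1
    fi
    ! writable_by_others "$1"
}

# Launch the reader only when this file is executed under its assumed name,
# so the functions above can also be sourced and reused.
if [ "${0##*/}" = "acroread-wrapper.sh" ]; then
    fix_perms "$FONT_LIST"          # a previous run may have left it open
    "$ACROREAD" "$@" &
    pid=$!
    # Acrobat changes the mode while it runs, so correct it repeatedly until
    # the process exits; a window of about one second per pass remains.
    while kill -0 "$pid" 2>/dev/null; do
        fix_perms "$FONT_LIST"
        sleep 1
    done
    wait "$pid"
    status=$?
    fix_perms "$FONT_LIST"
    exit "$status"
fi
```

The polling loop narrows but does not remove the window during which the file is writable by other users; only a fix from Adobe closes it.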

AOLserver

The AOLserver Web server has a buffer overflow that can be used by a remote attacker to crash the server. It is not known if this buffer overflow can be exploited to execute arbitrary code. AOLserver versions 3.0 and 3.2 have been reported to be vulnerable to this attack.

Users of AOLserver should upgrade to version 3.3.1 or newer.

Roxen WebServer

The Roxen WebServer has a vulnerability that can be used to retrieve any file on the Web server that is readable by the user running the Web server or, if the CGI module is enabled, to execute any executable file on the Web server. This vulnerability has been reported to affect Roxen WebServer versions 2.0 to 2.0.92 and versions 2.1 to 2.1.264 on all OS platforms.

Roxen recommends that users apply the appropriate patches and restart the Web server.

SHOUTcast Server

SHOUTcast Server, a streaming audio server, can be crashed by a bad client request. This can be used as a denial-of-service attack against a SHOUTcast Server.

Users should watch Nullsoft for a patch for this problem.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Copyright © 2009 O'Reilly Media, Inc.