Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

Buffer Overflow in OpenServer's Mana

09/10/2001

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a buffer overflow in OpenServer's mana; symbolic link race conditions in Solaris' patchadd and the Netscape 6.01a installation scripts; and problems in ProFTPd, Conectiva Linux's tcltk, NetBSD's dump, mailman, mod_auth_mysql, Directory Manager, Taylor UUCP, screen, PHProjekt, and Red Hat's lpd.

Red Hat lpd
Taylor UUCP
ProFTPd Reverse DNS
Conectiva Linux tcltk
NetBSD dump
mailman
mod_auth_mysql
Directory Manager
screen
OpenServer mana
PHProjekt
Solaris ksh / patchadd
Netscape 6.01a

Red Hat lpd

Red Hat systems that are running the line printer daemon lpd without any access controls and that have the tetex-dvips packages installed are vulnerable to an attack that can be used to execute arbitrary commands as the lp user. Red Hat Linux 7.0 has been reported vulnerable, but Red Hat Linux 7.1 has been reported not vulnerable.

It has been reported that a workaround for this vulnerability is to change, in the file /usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi, the line dvips -f $DVIPS_OPTIONS < $TMP_FILE to dvips -R -f $DVIPS_OPTIONS < $TMP_FILE. Users should watch Red Hat for a patch for this problem.

Taylor UUCP

The Taylor UUCP package has problems with argument handling that an attacker can exploit to gain the permissions of the uucp user and group. Once the attacker has uucp user and group permissions, they can use this access to gain root, create files, or conduct denial-of-service attacks against the system.

Users of Taylor UUCP should watch their vendor for an updated package. Systems that do not use UUCP should remove the uucp packages.

ProFTPd Reverse DNS

When ProFTPd is configured to use reverse DNS (UseReverseDNS is set in the configuration file), it does not verify the host names returned. An attacker can therefore spoof the host name that is recorded in the log file for their connection, or bypass host-name-based access control lists.

Users of ProFTPd should not use reverse DNS and should instead record the IP addresses of connecting hosts in their log files. Users should also consider running ProFTPd using TCP wrappers, with its paranoid DNS checking, or using mod_wrap.
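The "paranoid" check that TCP wrappers applies is a forward-confirmed reverse lookup: the PTR name is only trusted if resolving that name yields the connecting address again. The following is an added example of that check, not ProFTPd or TCP wrappers code; the resolver hooks (system_ptr, system_forward) and acl_allows are assumed helper names so the logic can be exercised with constructed data instead of live DNS.

```python
import socket
from typing import Callable, Iterable, Optional

# Resolver hooks (hypothetical names, not from ProFTPd): the defaults use the
# system resolver; audits or tests can pass functions backed by constructed data.
PtrLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], Iterable[str]]


def system_ptr(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # herror and gaierror are OSError subclasses
        return None


def system_forward(name: str) -> Iterable[str]:
    """Address lookup through the system resolver; empty on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def confirmed_hostname(ip: str, ptr: PtrLookup = system_ptr,
                       forward: ForwardLookup = system_forward) -> str:
    """Return the client's host name only if that name's forward lookup maps
    back to ip; otherwise return the bare address, which is what should be
    logged and matched against access lists."""
    name = ptr(ip)
    if not name:
        return ip
    if ip in set(forward(name)):
        return name
    # Whoever controls the reverse zone can publish any name there; a name
    # that does not resolve back to the connecting address is untrusted.
    return ip


def acl_allows(ip: str, allowed_names: set, ptr: PtrLookup = system_ptr,
               forward: ForwardLookup = system_forward) -> bool:
    """Name-based allow list that only honours forward-confirmed names."""
    return confirmed_hostname(ip, ptr, forward) in allowed_names
```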

Conectiva Linux tcltk

The tcl and expect applications shipped with Conectiva Linux are configured to look for libraries in a world-writable directory. An attacker can use this vulnerability to execute arbitrary code by placing modified libraries in the world-writable directory that will be executed when a user runs a tcl-, tk-, or expect-based program.

The Conectiva Linux security team recommends that users upgrade their tcltk packages for versions 6.0 and 7.0 of Conectiva Linux.
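A quick audit of any library search path for the condition described above (a directory that every local user can write to), as an added example that is not part of the Conectiva advisory; audit_library_path is an assumed helper name and the list of directories to check is supplied by the caller.

```python
import os
import stat
from typing import Iterable, List, Tuple


def audit_library_path(search_path: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (directory, problem) pairs for entries of a library search path
    that a local user could use to plant code. Missing directories are reported
    too, so the administrator can check why a configured path does not exist."""
    findings = []
    for directory in search_path:
        try:
            st = os.lstat(directory)
        except FileNotFoundError:
            findings.append((directory, "missing"))
            continue
        if stat.S_ISLNK(st.st_mode):
            # A link can be redirected by whoever controls it.
            findings.append((directory, "symbolic link"))
        elif not stat.S_ISDIR(st.st_mode):
            findings.append((directory, "not a directory"))
        elif st.st_mode & stat.S_IWOTH:
            # Anyone can drop a library here; the sticky bit would not help,
            # because creating a new file name is all that is needed.
            findings.append((directory, "world-writable"))
        elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            findings.append((directory, "group-writable by a non-root group"))
    return findings
```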

NetBSD dump

The dump utility supplied with NetBSD does not drop its tty group membership before performing actions that a local attacker can exploit to execute arbitrary commands with the permissions of the tty group. It has been reported that NetBSD 1.5.2 is not vulnerable.

It is recommended that dump be upgraded or patched as soon as possible.

mailman

The mailman mailing list manager has been reported to have a problem that can be used to gain access to the administrative interface for a mailing list, and one that can be used by the list administrator to retrieve the plain text of a user's mailing list password.

Users of mailman should upgrade to version 2.0.6 or newer.

mod_auth_mysql

mod_auth_mysql, a module for the Apache Web server that allows users to authenticate against a MySQL database, has a vulnerability that can be used by an attacker to modify the SELECT statement that is sent to the MySQL database.

Users of mod_auth_mysql should upgrade the module and then restart Apache.
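The class of bug described above, where client-supplied strings become part of the SELECT text, shown as an added example in Python against an in-memory SQLite table rather than the module's own C code or MySQL; make_db, auth_unsafe and auth_safe are assumed names and the user table is constructed for the illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the user table an authentication module queries."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db


def auth_unsafe(db: sqlite3.Connection, user: str, password: str) -> bool:
    """Pastes the client-supplied strings into the statement text, so a quote
    character in the input changes what the database is asked."""
    sql = ("SELECT user FROM users WHERE user='%s' AND password='%s'"
           % (user, password))
    return db.execute(sql).fetchone() is not None


def auth_safe(db: sqlite3.Connection, user: str, password: str) -> bool:
    """Sends the statement and the values separately (bound parameters); the
    database never parses the client's strings as SQL."""
    sql = "SELECT user FROM users WHERE user=? AND password=?"
    return db.execute(sql, (user, password)).fetchone() is not None
```

The safe variant is what the upgraded module should be doing internally: credentials only ever travel as bound values or, at minimum, with every quote escaped before concatenation.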

Directory Manager

The LDAP directory tool Directory Manager has a vulnerability that can be used to execute arbitrary commands with the permissions of the user running the Web server.

Users should upgrade Directory Manager to version 0.91 or newer as soon as possible.

screen

screen, a full-screen window manager, has a vulnerability that can be used by a local attacker to gain root if screen has been installed set user id root and if there is a directory below /tmp/screens. screen requires installation as set user id root to provide several features, such as multi-attached sessions.

It is recommended that screen be upgraded to version 3.9.10 or newer as soon as possible, and that in most cases it should not be installed set user id root.

OpenServer mana

The mana utility (/usr/internet/admin/mana/mana) in OpenServer has a buffer overflow that can be used to gain root access. This buffer overflow is reported to affect OpenServer 5.0.6a and earlier.

Caldera recommends that users upgrade mana as soon as possible.

PHProjekt

PHProjekt, a groupware application written in PHP, has a vulnerability that can be used to read, change, and delete any other user's content.

Users of PHProjekt should upgrade to version 2.4a.

Solaris ksh / patchadd

An exploit has been released for an old symbolic link race condition problem in the Solaris ksh shell that affects the patchadd utility. It is reported to successfully exploit the race condition on a Solaris 2.8 Sparc with a current patch cluster applied.

Users should watch Sun for a patch. Until a patch has been released, it is recommended that users either shut down and then boot the system into single-user mode with boot -s, or change to single-user mode with init S, and ensure that there are no dangerous files in the /tmp directory before applying any patches.

Netscape 6.01a

The installation of Netscape 6.01a has a symbolic link race condition vulnerability that can be used by an attacker to overwrite arbitrary files with the permissions of the user installing Netscape (in many cases root).

Users should consider shutting the system down to single user mode before installing Netscape.
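The "check /tmp before you start" step recommended for both the Solaris patchadd and the Netscape 6.01a installer cases above, as an added example that is not Sun's or Netscape's code: it lists the objects a symbolic link race depends on having been planted in advance (symlinks, world-writable subdirectories without the sticky bit, a temporary directory that itself lacks the sticky bit). tmp_findings is an assumed helper name.

```python
import os
import stat
from typing import List, Tuple


def tmp_findings(tmpdir: str = "/tmp") -> List[Tuple[str, str]]:
    """Report objects in tmpdir that should be examined before a privileged
    program (a patch tool, an installer) creates its temporary files there."""
    findings = []
    top = os.lstat(tmpdir)
    if not top.st_mode & stat.S_ISVTX:
        # Without the sticky bit any user can rename or remove others' files.
        findings.append((tmpdir, "sticky bit not set"))
    with os.scandir(tmpdir) as entries:
        for entry in entries:
            try:
                st = os.lstat(entry.path)  # lstat: never follow the link
            except FileNotFoundError:
                continue  # removed while we were scanning
            if stat.S_ISLNK(st.st_mode):
                # A pre-planted link is what turns a predictable temp file
                # name into a write to the link's target.
                target = os.readlink(entry.path)
                findings.append((entry.path, "symlink -> " + target))
            elif (stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH
                  and not st.st_mode & stat.S_ISVTX):
                findings.append((entry.path, "world-writable without sticky bit"))
    return sorted(findings)


if __name__ == "__main__":
    for path, problem in tmp_findings():
        print(path, problem)
```

Run it as root in single-user mode and resolve every line it prints before starting patchadd or the installer; an empty report is the expected state.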

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.