Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)
 See this if you're having trouble printing code examples


Security Alerts

New Vulnerability in OpenSSH

12/10/2001

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a local root vulnerability in OpenSSH and problems in OpenBSD, wmtv, Auto Nice Daemon, NetDynamics, Xitami Web server, libgtop_daemon, xtel, Lotus Domino, OpenServer's setcontext and sysi86, SuSE's Postfix installation, and fml.

OpenSSH

A new vulnerability in OpenSSH can, under some circumstances, be exploited by a local attacker to execute arbitrary code with the permissions of the root user. Exploiting this vulnerability requires that the "UseLogin" option be enabled, which most systems do not configure in the default installation. The vulnerability affects OpenSSH versions earlier than 3.0.2.

Users should upgrade their OpenSSH packages to version 3.0.2 or newer as soon as possible. Systems configured with the "UseLogin" option enabled should disable this option until OpenSSH has been upgraded.

OpenBSD

OpenBSD 2.9, 3.0, and possibly earlier versions are vulnerable to a local denial-of-service attack.

Users of OpenBSD should watch for a patch for this problem.

wmtv

wmtv is a TV video player for the Windowmaker window manager. A feature of wmtv allows a user to execute an application when the tv window is double-clicked. wmtv is installed set user id root, and does not drop these privileges when executing an application. This results in all applications it starts being executed with root permissions.

Users should remove the set user id bit from wmtv and upgrade it as soon as possible.

Auto Nice Daemon

AND, the Auto Nice Daemon, has a format-string bug that can be used by a local attacker to execute commands as the superuser. AND is a daemon that watches the system and dynamically changes the nice level of user processes if they exceed a configured threshold.

Affected users should upgrade AND to version 1.0.5 or newer as soon as possible.

NetDynamics

It has been reported that NetDynamics, a leading application server, has a bug that can be exploited by a remote attacker to hijack user sessions. The vulnerability is caused the user's session id remaining valid for approximately 15 seconds after they log out. The bug is reported to affect NetDynamics versions 4.x and 5.x under Sun Solaris 7 and 8, but may affect other versions.

It is recommended that users watch Sun for a patch for this problem. Users should also consider restricting access to the server using a firewall and configuring NetDynamics to not allow multiple logins from the same domain.

Xitami Web Server

By default, the Xitami Web server stores its administrator passwords in a world-readable file in clear text. This can be used by a local attacker to gain control of the Web server and execute commands as root.

It is recommended that the Web server be reconfigured so that it executes as a normal user account and that the permissions of the defaults.aut file be changed so that the file can only be read by the user executing the Web server.

libgtop_daemon

The libgtop_daemon, a daemon that monitors processes running on remote systems under GNOME, has a format-string vulnerability and a buffer overflow. Both vulnerabilities can be remotely exploited to execute arbitrary code with the permissions of the nobody user account.

The nobody user account, while often used as a low-security generic account, is also the default account that root is mapped to on NFS (Network File System)-mounted file systems, and access to this account on some systems may open up unexpected vulnerabilities.

Upgrading the Libgtop_daemon to version 1.0.13 will repair the format-string vulnerability, but users will need to watch for a newer version to repair the buffer overflow. The Libgtop_daemon should be disabled or not executed until a version that fixes both versions has been installed.

xtel

The xtel X emulator for minitel that is shipped with Debian GNU/Linux 2.2 is vulnerable to a symbolic-link race condition that can be exploited to overwrite arbitrary files on the system with the permissions of the user executing xtel.

Users should upgrade xtel to version 3.2.1-4.potato.1.

Lotus Domino

Lotus Domino versions 5.08 and earlier, running HTTP service with SSL enabled, are vulnerable to a denial-of-service attack that will crash the Domino server. The denial-of-service attack only requires sending null packets to a specific TCP/IP port.

Related Reading

Incident ResponseIncident Response
By Kenneth R. van Wyk & Richard Forno
Table of Contents
Index
Sample Chapter
Full Description
Read Online -- Safari

It has been reported that Lotus Domino version 5.09, available as an incremental upgrade, will repair this problem. Users should contact Lotus for confirmation of this, and should consider restricting access to their Domino servers using a firewall.

SuSE Postfix Installation

Under some versions of SuSE Linux, there are vulnerabilities in the installation of Postfix that weakens its security and may cause Postfix to not remove unnecessary files, filling the disks it uses. It was reported that SuSE Postfix packages before December 2001 are vulnerable.

Affected users should watch SuSE for updated Postfix packages that fix this problem.

setcontext and sysi86

Caldera has released patches for OpenServer 5.0.6 and earlier that repair vulnerabilities that could be used by a regular user to change segment descriptors and other CPU registers. These changes will prevent some applications, such as the i286emul, from functioning. The system administrator may disable this patch to allow applications to run by editing /etc/conf/pack.d/kernel/space.c and changing the value of allow_dscr_remap to 1.

fml

Under Debian GNU/Linux 2.2, the fml mailing-list manager contains a cross-site scripting vulnerability that can be used by an attacker to inject malicious code into index pages for list archives.

Debian recommends that user upgrade the fml package to version 3.0+beta.20000106-5.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


Read more Security Alerts columns.

Return to the Linux DevCenter.

Copyright © 2009 O'Reilly Media, Inc.