Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)
 See this if you're having trouble printing code examples


Security Alerts

AIM Filter's Back Door and gzip's Buffer Overflow

by Noel Davis
02/04/2002

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in gzip, Oracle 9iAS, snmpnetstat, SAS Job Spawner, and Imlib2; format-string bugs in NQS (Network Queuing System) and pfinger; problems in OpenBSD's lpd, DCForum, Shell Here-Document Processing, IPRoute, Magic Enterprise Edition, Namazu, and tac_plus version F4.0.4.alpha; and a trojan back door and other surprises in AIM Filter.

gzip

The gzip file compression utility has a buffer overflow and will crash if its input file name is larger than 1020 characters. It is reported that the buffer overflow can be exploited if gzip is being executed on a server (the example given is an FTP server).

This problem has been fixed in the latest gzip beta and a patch has been made available. Affected users should update their version of gzip as soon as possible.

Network Queuing System

NQS (Network Queuing System) is a job control and batch processing system. It has a format string bug that can be exploited to execute arbitrary commands as root by any local user that can submit a job with qsub.

Users should watch Cray for an update to the Network Queuing System.

OpenBSD lpd

The line printer daemon lpd, distributed with OpenBSD, has a vulnerability that under some conditions can be used to create files in the root directory. The exploit can only be carried out by an attacker that has root on a machine listed in the /etc/hosts.lpd or /etc/hosts.equiv files. It should also be noted that the default installation of OpenBSD does not start the line printer daemon.

Patches have been released to fix this vulnerability for OpenBSD 2.8, 2.9, and 3.0.

DCForum

DCForum, a Web-based forum system, has a vulnerability that can be used by a remote attacker to access any account in the forum. The vulnerability is caused by DCForum using the first six characters of the user's session ID, which is stored in a cookie, as the password.

The author of DCForum has released a patch for this vulnerability and it is recommended that all users apply the patch as soon as possible.

Shell Here-Document Processing

Caldera has released an updated patch to fix a set of security problems in OpenServer's shell here-document processing. The earlier patch is reported to have problems that result in a "variety of unusual behaviors." These problems affect OpenServer version 5.0.6a and earlier.

Caldera recommends that users apply the new patches as soon as possible and does not suggest a workaround.

IPRoute

IPRoute, a PC-based IP router, is vulnerable to a denial-of-service attack using tiny fragmented packets. An attack will lock up the machine and require that the system be restarted to regain functionality.

Users should watch for an update to IPRoute.

Magic Enterprise Edition

Several vulnerabilities have been discovered in Magic Enterprise Edition that can be exploited by a local attacker to execute arbitrary commands with the permissions of the user executing the Web server. There are also other vulnerabilities that can be used to overwrite files and corrupt memory.

Users should watch for a repair for these problems.

pfinger

pfinger, a finger daemon written in C, has a format-string vulnerability in both the client and the server that can be used by an attacker to execute arbitrary code with the permissions of the user nobody.

It is recommended that users upgrade to version 0.7.8 or newer of pfinger.

Oracle 9iAS

The Oracle PL/SQL Apache Module supplied with Oracle 9iAS has a buffer overflow that can be exploited to execute code with the permissions of the user executing Apache.

Users should apply the patch available from Oracle.

snmpnetstat

The snmpnetstat tool released as part of the ucd-snmp package has a buffer overflow that can be exploited remotely to execute arbitrary code with, in many cases, root permissions.

It is recommended that users watch their vendors for an update and consider not using snmpnetstat until it has been repaired.

Namazu

Namazu, a full-text search engine, has vulnerabilities that can be exploited by an attacker to insert scripts and HTML tags into dynamically-generated pages and has a buffer overflow in an environmental variable.

Users of Namazu should upgrade to version 2.0.10 or newer as soon as possible.

tac_plus version F4.0.4.alpha

tac_plus version F4.0.4.alpha is an example Tacacs+ daemon. It creates its accounting files with unsafe permissions and is vulnerable to a symbolic-link race condition if its accounting files are written into a directory in which the attacker can create symbolic links.

It is reported that a patched and supported tacacs+ application is available from http://www.gazi.edu.tr/tacacs.

SAS Job Spawner

It has been reported that sastcpd, the SAS Job Spawner, has vulnerabilities (that include buffer overflows and format-string vulnerabilities) that can be exploited to gain root.

These vulnerabilities are reported to be fixed in version 8.2.

Imlib2

The library Imlib2 has a buffer overflow that can be exploited using the set group id application Eterm to gain additional privileges. Under some circumstances, it may be possible for an attacker to leverage these additional privileges into root access on the machine.

It is recommend that users upgrade to Imlib2 1.0.5 or newer or watch their vendor for and updated version.

AIM Filter

Robbie Saunders' AIM Filter was announced as being a temporary solution to protecting AIM users from buffer overflow attacks. It has now been reported that, in fact, AIM Filter also had code for a back door, cash-based click-throughs, and can launch Web browsers that load porn sites. This is a good reminder to be sure of the author of your applications and a good example of how open source code can (eventually at least) protect users of software from this type of problem.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


Read more Security Alerts columns.

Return to the Linux DevCenter.

Copyright © 2009 O'Reilly Media, Inc.