Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

Vulnerabilities in FreeBSD

04/29/2002

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in OpenSSH, Squid, Listar/Ecartis, slrnpull, and IRIX's syslogd; problems in Sudo, MHonArc, and Mosix; and a local root hole and a denial-of-service vulnerability in FreeBSD.

OpenSSH

Under some conditions OpenSSH is vulnerable to a buffer overflow that can be used to execute arbitrary code as root. This buffer overflow affects all versions of OpenSSH that have AFS or Kerberos token passing compiled and configured. The buffer overflow is locally exploitable in versions of OpenSSH earlier than 3.2.1; versions of OpenSSH earlier than 2.9.9 are remotely vulnerable. It is reported that if UsePrivilegeSeparation is configured, it is not possible to exploit this buffer overflow to obtain root permissions.

It is recommended that users apply the patches to OpenSSH that have been made available or watch for updated packages from their vendor.

Sudo

Sudo is a utility designed to allow the root user to delegate specific tasks that require root's (or some other account's) permissions to specified users. A heap corruption vulnerability has been discovered that may be usable by a local attacker to execute arbitrary code with root permissions.

Sudo version 1.6.6, which repairs this vulnerability, has been released. Updated Sudo packages have been announced for Mandrake Linux, Red Hat Linux, Conectiva Linux, Slackware, and Debian. Users should upgrade as soon as possible. If Sudo is not being used, users should consider removing its set user id bit or uninstalling the package.

Squid

The Squid Web proxy server has a buffer overflow in the code that handles compressed DNS replies; a malformed reply will crash the server and may be exploitable further. The overflow can be triggered from a DNS server under the control of an attacker, which returns a carefully constructed reply. Vulnerable versions of Squid include Squid-2.3, Squid-2.4, and the Squid-2.5 and Squid-2.6/Squid-HEAD snapshots dated before March 12, 2002.
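The weak spot in a bug of this kind is DNS name compression (the pointer labels of RFC 1035), where the reply itself supplies every offset and length the parser follows. The C code below is an added example, not Squid's code, of how such a decoder is written defensively: each offset and label length is checked against the message and the output buffer before use, and a pointer may only move backwards, which rules out pointer loops. The sample message bytes, the function names and the 253-character name cap are the example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME_TEXT 253   /* longest dotted name under the RFC 1035 255-octet limit */

/* Decode a possibly-compressed domain name that starts at byte `off` of the
 * DNS message `msg` (length `len`) into dotted form in `out` (size `out_sz`).
 * Returns the number of bytes the name occupies at `off` (up to and including
 * the first compression pointer, if any), or -1 on malformed input. Every
 * read is bounds-checked and pointers may only move backwards, so a looping
 * pointer, a pointer past the end, or a truncated label is rejected instead
 * of overrunning either the message or the output buffer. */
int dns_read_name(const uint8_t *msg, size_t len, size_t off,
                  char *out, size_t out_sz)
{
    size_t pos = off, out_len = 0;
    int consumed = -1;            /* set once the uncompressed part is known */

    if (out_sz == 0) return -1;
    for (;;) {
        if (pos >= len) return -1;                 /* would read past the message */
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {                  /* 11xxxxxx: 14-bit pointer */
            if (pos + 1 >= len) return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[pos + 1];
            if (consumed < 0) consumed = (int)(pos + 2 - off);
            if (target >= pos) return -1;          /* forward or self pointer: loop risk */
            pos = target;
            continue;
        }
        if (c & 0xC0) return -1;                   /* 01/10 label types not supported */
        if (c == 0) {                              /* root label ends the name */
            if (consumed < 0) consumed = (int)(pos + 1 - off);
            break;
        }
        if (pos + 1 + c > len) return -1;          /* label truncated by message end */
        size_t sep = out_len ? 1 : 0;
        if (out_len + sep + c > DNS_MAX_NAME_TEXT) return -1;
        if (out_len + sep + c + 1 > out_sz) return -1;   /* caller's buffer too small */
        if (sep) out[out_len++] = '.';
        memcpy(out + out_len, msg + pos + 1, c);
        out_len += c;
        pos += 1 + c;
    }
    out[out_len] = '\0';
    return consumed;
}

/* Constructed sample message (not a real capture): a plain name, a compressed
 * name, and three malformed encodings of the kind a hostile server could send. */
static const uint8_t sample_msg[] = {
    /* 0  */ 3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    /* 17 */ 4,'m','a','i','l', 0xC0, 0x04,   /* "mail" + pointer to offset 4 */
    /* 24 */ 0xC0, 0x18,                      /* pointer to itself (offset 24) */
    /* 26 */ 0xC0, 0xFF,                      /* pointer beyond the message */
    /* 28 */ 5,'a','b',                       /* label claims 5 bytes, 2 present */
};

/* Decode the name at `off` of the sample into a static buffer; NULL if rejected. */
const char *sample_name_at(size_t off, int *consumed)
{
    static char name[DNS_MAX_NAME_TEXT + 1];
    int n = dns_read_name(sample_msg, sizeof sample_msg, off, name, sizeof name);
    if (consumed) *consumed = n;
    return n < 0 ? NULL : name;
}

/* Bytes the name at `off` occupies in the sample, or -1 if it is rejected. */
int sample_consumed_at(size_t off)
{
    int n;
    sample_name_at(off, &n);
    return n;
}

/* 1 if an undersized output buffer is refused rather than overrun. */
int sample_small_buffer_refused(void)
{
    char tiny[8];
    return dns_read_name(sample_msg, sizeof sample_msg, 0, tiny, sizeof tiny) == -1;
}

int main(void)
{
    static const size_t offsets[] = { 0, 17, 24, 26, 28 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        int n;
        const char *name = sample_name_at(offsets[i], &n);
        printf("offset %2zu: %s (%d bytes)\n", offsets[i],
               name ? name : "rejected (malformed)", n);
    }
    return 0;
}
```

The backwards-only rule is stricter than the RFC strictly requires, but it costs nothing for well-formed replies (a pointer always refers to a prior occurrence of the name) and makes the decoder's termination obvious without a jump counter.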

It is recommended that users upgrade to Squid-2.4.STABLE6 or the Squid-2.5 or Squid-2.6/Squid-HEAD nightly snapshots. It is possible to compile Squid so that it uses external DNS server support, but this is not recommended. Updated Squid packages have been announced for Mandrake Linux and OpenLinux.

MHonArc

MHonArc, an application written in Perl that converts email into HTML pages, does not filter all variants of script tags. This can be exploited by an attacker to insert malicious scripts into the HTML email archive that will be executed when the message is viewed in a Web browser.

Users should watch for an updated version of MHonArc and recreate their archives after it is installed.

Listar/Ecartis

A buffer overflow vulnerability has been found in the Listar/Ecartis mailing list manager that can be exploited to execute code with the permissions of the user running Listar/Ecartis. A script has been released that automates the exploitation of the buffer overflow.

It is recommended that users upgrade to ecartis-1.0.0-snap20020427 as soon as possible. Because all the known bugs have not been fixed, it is also suggested that users watch for and install additional bug fixes as they become available.

Mosix

Mosix is a cluster computing system for Linux. It is vulnerable to a denial-of-service attack using malformed packets. In addition, the ClumpOS-Mosix client CD configures VNC with no password set, allowing other machines to gain root access to the ClumpOS-Mosix client machine.

Users should watch for an update to Mosix and the ClumpOS-Mosix client.

FreeBSD Standard IO File Descriptors

The FreeBSD keyinit utility, and possibly other set user id utilities, has a vulnerability that can be used by an attacker to gain additional permissions. This vulnerability is exploited by closing the standard input, output, or error file descriptors prior to executing the set user or group id utility. Steven Bellovin has pointed out that this type of bug was known as far back as 1987, when it was listed in Henry Spencer's suid man page.
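This class of bug is easy to defend against in the program itself: before doing anything else, a set user or group id program should check that descriptors 0, 1 and 2 are open and fill any that are not, so that a later open() of a sensitive file cannot be handed the number of stdin, stdout or stderr, where ordinary reads and writes (error messages, for instance) would then reach it. The C code below is an added example of that check, not the keyinit fix or any FreeBSD code; the function names and the use of /dev/null as the filler are the example's own choices.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if `fd` refers to an open descriptor, 0 if it is closed. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* Make sure descriptors 0, 1 and 2 are all open before the program does any
 * privileged work. A closed one is filled with /dev/null so that the next
 * open() cannot return a standard descriptor number. Returns how many
 * descriptors had to be filled, or -1 if /dev/null could not be opened. */
int sanitize_std_fds(void)
{
    int filled = 0;
    for (int fd = 0; fd < 3; fd++) {
        if (fd_is_open(fd)) continue;
        int nul = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nul == -1) return -1;
        if (nul != fd) {            /* open() returns the lowest free number, so
                                       normally nul == fd; dup2 covers the rest */
            if (dup2(nul, fd) == -1) { close(nul); return -1; }
            close(nul);
        }
        filled++;
    }
    return filled;
}

/* Self-check: close fd 0 as the advisory describes, confirm the gap is
 * filled, then restore the original descriptor. Returns 1 on success. */
int sanitize_self_test(void)
{
    if (sanitize_std_fds() < 0) return 0;      /* start from a full 0, 1, 2 */
    int saved = dup(0);
    if (saved < 3 || close(0) != 0) return 0;
    int ok = !fd_is_open(0) && sanitize_std_fds() == 1 && fd_is_open(0);
    if (dup2(saved, 0) != 0) ok = 0;
    close(saved);
    return ok;
}

int main(void)
{
    int filled = sanitize_std_fds();           /* first thing a set-uid program should do */
    if (filled < 0) { perror("sanitize_std_fds"); return 1; }
    printf("filled %d standard descriptor(s) with /dev/null\n", filled);
    int fd = open("/dev/null", O_RDONLY);      /* stands in for a sensitive file */
    printf("next open() returned fd %d (never 0, 1 or 2 after sanitizing)\n", fd);
    if (fd >= 0) close(fd);
    return 0;
}
```

The check belongs at the very top of main(), before any library initialisation that might open files, because the hazard is precisely that the first open() lands on a standard descriptor. Removing the set user id bit, as the advisory suggests, is the operational workaround until the binary itself is fixed.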

Users should upgrade their system to FreeBSD 4.5-STABLE or RELENG_4_5 (4.5-RELEASE-p4) or RELENG_4_4 (4.4-RELEASE-p11), dated after the correction date. Users should consider removing the set user id bit from keyinit until their system has been upgraded.

FreeBSD Syncache and Syncookies

A bug in the implementation of syncache and syncookies under FreeBSD can, under some conditions, cause a system crash. The syncache and syncookies code was added to the TCP/IP stack to increase protection from SYN flood denial-of-service attacks. The syncache and syncookies code was added in the FreeBSD 4.5-RELEASE, and this is the only version affected. In addition to a deliberate attack, it is possible that normal TCP/IP traffic can cause a crash.

Users should upgrade their system to 4.5-STABLE or the RELENG_4_5 branch dated after the repair. A partial workaround is to disable syncookies with the command sysctl -w net.inet.tcp.syncookies=0.

slrnpull

slrnpull is a tool that fetches a small news feed from an NNTP news server. It is vulnerable to a buffer overflow in the code that handles the -d command line parameter. As slrnpull is installed set user or group id, this buffer overflow can be exploited by a local attacker to gain additional privileges. A script has been released that automates the exploitation of this buffer overflow.

It is recommended that users remove the set user id bit from slrnpull until it has been repaired.

Snort

Snort version 1.8.7beta1 has been released. This new version of Snort corrects issues relating to the fragroute tool. Snort users affected by previous problems should upgrade to this new version.

IRIX syslogd

The version of syslogd supplied with IRIX 6.5 is vulnerable to a buffer overflow that can be used by a remote attacker in a denial-of-service attack. The attacker can use this denial-of-service attack to hide information relating to other attacks on the system.

SGI recommends that users upgrade to IRIX 6.5.10.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.