Linux DevCenter    
Published on Linux DevCenter

Security Alerts

Solaris Buffer Overflows


Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in Solaris' admintool, Solaris' cachefsd, the Kerberos4 FTP client, and dtprintinfo; problems in mod_python, Nautilus, Red Hat Linux's DocBook stylesheet, IRIX's nsd, and Solaris' rwall; and talk about reducing the risk of security problems.

Solaris admintool

The X Window based Solaris administration utility admintool is vulnerable to several buffer overflows that can be exploited to execute arbitrary code with root permissions. Buffer overflows have been found in the code that handles the -d command line parameter, the PRODVERS configuration file variable, and in the media installation path.

It has been reported that Sun has released patches that repair the -d and PRODVERS buffer overflows. No patches have been announced for the media installation path buffer overflow. Users should apply the available patches and should consider removing the set user id bit from admintool. In most situations, admintool is being executed by root and will not need a set user id bit for normal use.


mod_python

mod_python versions 2.7.6 and earlier will allow the execution of imported modules by a published module. This may allow a remote attacker to execute arbitrary code with the permissions of the user running the Web server.

Users should upgrade to mod_python version 2.7.8 as soon as possible. It has been reported that updated packages are available for Red Hat Linux.


Nautilus

The GNOME graphical shell Nautilus is vulnerable to a symbolic-link race condition attack that can be used by an attacker to overwrite another user's files. Nautilus version 1.0.4 has been reported to be vulnerable.

Users should upgrade to the latest CVS version of Nautilus or should watch their vendor for a patch. Patches have been released for Red Hat Linux and Slackware.

Red Hat Linux DocBook Stylesheet

The DocBook stylesheet that is distributed with Red Hat Linux 6.2, 7.0, 7.1, and 7.2 has an insecure option enabled that allows an untrusted document to write files outside of the current directory, if the identifiers use a full path name.

Red Hat has released an updated docbook-utils package that corrects this problem.

Solaris cachefsd

The Solaris cachefsd daemon is vulnerable to a buffer overflow (in mounts supplied by a user) that can be used by a local attacker to execute code as root. cachefsd is also vulnerable to a remote denial-of-service attack. Both attacks are reported to affect Solaris 2.6, 7, and 8, for both SPARC and x86 architectures.

Users should block remote access to cachefsd using a firewall, and should consider disabling it until patches have been released by Sun.

Kerberos4 FTP Client

The Kerberos4 FTP client is vulnerable, under some conditions, to a buffer overflow that can be exploited by a remote attacker to execute code as the user running the client. The attacker must control an FTP server that has been modified to send a long reply when the client requests passive mode. Version 4-1.1.1 of the Kerberos4 FTP client is reported to be vulnerable.

Users should watch for an update to the Kerberos4 FTP client.

IRIX nsd

The IRIX name service daemon nsd is vulnerable to a symbolic-link race condition attack when it writes its dump file.

SGI recommends that users upgrade to IRIX 6.5.11 or newer.

Solaris rwall

The rwall application supplied with Solaris 6, 7, and 8 is vulnerable, under some conditions, to a remotely exploitable attack that can be used to obtain root access. A script to automate part of the attack has been released.

It is recommended that users disable rwall by commenting out the appropriate line in inetd.conf and that they watch Sun for a patch for this problem. Systems that do not receive wall messages from other machines may never need to have this application turned back on.


dtprintinfo

dtprintinfo, used to open the CDE Print Manager window, is vulnerable to a buffer overflow that can be used by a local attacker to gain root access. This vulnerability is reported to affect: Solaris 2.4, 2.5, 2.5.1, 2.6, 7, and 8; AIX 4.3, 4.3.1, 4.3.2, and 4.3.3; HP-UX 10.10, 10.20, 10.24, 11.00, 11.04, and 11.11; and Tru64 5.1A, 5.1, 5.0A, 4.0G, and 4.0F.

Users should apply the available patches as soon as possible and should consider removing the set user id bit from dtprintinfo if it is not needed.

Preventing Security Problems

This week's vulnerabilities in dtprintinfo and walld are very good examples of a more generic problem in modern operating systems. Many modern systems ship with numerous set user id or set group id applications, and with other applications that run as the root user, that are never used or noticed until a security alert is written about them or crackers begin to exploit them. It can sometimes even be difficult to figure out what some of these applications are for. Most systems' default installation is optimized for ease of use and for the maximum number of available features, not with security foremost in mind.

Very few systems need to have wall work across the network, but many distributions have it enabled. Many systems sit with a printer daemon listening to the network, but no printers attached or configured.

One way to protect a system from vulnerabilities is to remove or disable applications that are not needed. If the system does not use a printer, then disable the printing subsystem. If dtprintinfo is not being used, it does not need to be set user id root. It is important to watch for security vulnerabilities, but it is even better to know that the last five bugs in unused applications have not made your system vulnerable.
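The "remove or disable what is not needed" advice above, worked through as an added shell example that is not part of the original column: it lists the setuid and setgid programs under a tree, strips the set user id bit from one of them, and comments a service out of inetd.conf while leaving the other entries alone. The file names, the inetd.conf entries and the temporary directory are constructed for the demonstration; on a real host the same functions would be pointed at / and /etc/inetd.conf.

```shell
#!/bin/sh
# Added example, not from the original column: audit set-user-id/set-group-id
# programs and disable an unneeded inetd service, the two steps the column
# recommends. The files below are constructed in a temp dir for the demo;
# on a real host you would run these against / and /etc/inetd.conf.

# Print every setuid or setgid regular file under a tree, one per line.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Count them (padding from wc is stripped for portability across systems).
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# Drop the setuid bit from a program that only root runs anyway
# (e.g. admintool or dtprintinfo); prints the resulting mode string.
strip_setuid() {
    chmod u-s "$1" && ls -ld "$1" | cut -c1-10
}

# Comment out the inetd.conf line(s) for a service such as walld, in place,
# keeping a .bak copy. Only uncommented lines whose first field starts with
# the service name are changed, so every other service is left untouched.
disable_inetd_service() {
    cp "$2" "$2.bak"
    awk -v svc="$1" 'index($1, svc) == 1 && substr($0, 1, 1) != "#" { print "#" $0; next }
                     { print }' "$2.bak" > "$2"
}

# --- constructed demo environment (hypothetical file names and entries) ---
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
: > "$demo_root/dtprintinfo"; chmod 4755 "$demo_root/dtprintinfo"   # setuid
: > "$demo_root/lpq";         chmod 2755 "$demo_root/lpq"           # setgid
: > "$demo_root/ls";          chmod 0755 "$demo_root/ls"            # plain
cat > "$demo_root/inetd.conf" <<'EOF'
ftp     stream  tcp     nowait  root  /usr/sbin/in.ftpd   in.ftpd
walld/1 dgram   rpc/udp wait    root  /usr/lib/netsvc/rwall/rpc.rwalld  rpc.rwalld
EOF

echo "setid programs before:"; list_setid "$demo_root"
strip_setuid "$demo_root/dtprintinfo"
disable_inetd_service walld "$demo_root/inetd.conf"
echo "setid programs after:";  list_setid "$demo_root"
cat "$demo_root/inetd.conf"
```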

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


Copyright © 2009 O'Reilly Media, Inc.