Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at trojaned networking tools; a new version of OpenSSH; buffer overflows in mnews, Debian Solaris Netstd, Informix, and BannerWheel; and problems in dhcpd, Sendmail, Solaris' rwalld, and FreeBSD's
fetchmail, a very useful email retrieval and forwarding client, is vulnerable to a buffer overflow. This buffer overflow is reported to affect versions of fetchmail before 5.9.10.
Users should upgrade fetchmail to version 5.9.10 or newer as soon as possible. Red Hat and Mandrake have announced updated packages that repair this problem.
On May 17th, 2002, the fragrouter-1.6 tar files on monkey.org were replaced with versions that included trojan back door code. This was discovered and the system was restored a week later. Monkey.org has taken steps to increase their security and has installed OpenBSD-current.
Anyone who downloaded one of these packages during this time period should disable the package, if it was installed, and replace it with a new version. It is also recommended that anyone running a version that was downloaded during this time period check their system carefully for any sign that their system has been cracked.
dhcpd, a daemon that provides Dynamic Host Configuration Protocol (DHCP) support, is vulnerable to a format-string-based attack that can be used by a remote attacker to execute commands with the permissions of the user running dhcpd (often root). The format string vulnerability is in the portion of the code that deals with the DNS update feature. Under SuSE Linux, dhcpd is not installed in the default installation, but if installed will execute as root. Under Mandrake Linux, the daemon runs as root except under version 8.x, where it runs as the
Affected users should upgrade to the latest dhcpd package as soon as possible. Users can disable the DNS update feature in dhcpd by adding the following lines to the dhcpd configuration file:
    ddns-update-style none;
    ddns-updates off;
Mandrake and SuSE have released updated DHCP packages.
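One way to confirm that the workaround above is actually in effect, as an added example that is not part of the original column: the hypothetical helper check_dhcpd_ddns reads a dhcpd configuration file and reports whether every ddns-update-style statement is none and every ddns-updates statement is off, including statements inside subnet or host scopes. The sample configuration and its path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original column): audit a dhcpd configuration
# for the DNS-update workaround. check_dhcpd_ddns is a hypothetical helper.

# Prints "mitigated" and returns 0 only if both directives are present and no
# scope re-enables updates; prints "exposed" and returns 1 otherwise.
# Any value other than "none" / "off" is treated as not mitigated.
check_dhcpd_ddns() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    # Drop '#' comments, then put each statement on its own line by splitting
    # on ';' and on the braces that open and close subnet/host scopes.
    sed 's/#.*$//' "$conf" | tr ';{}' '\n\n\n' | awk '
        $1 == "ddns-update-style" { style = 1; if (tolower($2) != "none") bad = 1 }
        $1 == "ddns-updates"      { upd = 1;   if (tolower($2) != "off")  bad = 1 }
        END {
            if (style && upd && !bad) { print "mitigated"; exit 0 }
            print "exposed"; exit 1
        }'
}

# Constructed sample: the global workaround is present, but a subnet scope
# turns DNS updates back on, so the file as a whole is reported as exposed.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
ddns-update-style none;   # workaround from the advisory
ddns-updates off;
subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.10 192.0.2.50;
    ddns-updates on;
}
EOF
check_dhcpd_ddns "$demo_conf" || echo "review scoped overrides in $demo_conf"
rm -f "$demo_conf"
```

The check is a stopgap audit only; upgrading the dhcpd package remains the fix.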
OpenSSH version 3.2.3 has been released. This version corrects a problem on OpenBSD and BSD/OS systems using Yellow Pages that can, under some conditions, result in the database entry of a different user being used during authentication. This problem could cause a user that has been denied access to be allowed to log in, and an authorized user to not be allowed to log in. Also fixed in this release are problems with ttys under Solaris and build problems on Cygwin systems.
Sendmail is vulnerable to a denial-of-service attack using a problem in fcntl() file locking. This vulnerability can be exploited in a denial-of-service attack by a local user who opens and locks certain files used by Sendmail. The user that is locking a file and causing a denial-of-service attack can be determined by using a tool such as lsof. Files that can be used in a denial-of-service attack against Sendmail include: aliases, maps, statistics, and the
Users can protect their Sendmail installation by modifying file permissions so that users on the system cannot open the affected files.
The rwalld daemon that is distributed with Solaris is vulnerable to a format string attack that may, under some conditions, be exploited by a remote attacker to execute code with the permissions of the user running rwalld. This vulnerability has been reported to affect Solaris versions 2.5.1, 2.6, 7, and 8.
It is recommended that users apply the patch available from Sun and consider disabling rwalld if it is not needed.
mnews, an email and news client, is vulnerable to buffer overflows and can be exploited by a local (or, in some cases, remote) user to execute arbitrary code (often as group mail). This vulnerability is reported to affect version 1.22.
Users should consider disabling mnews until it is repaired.
The FreeBSD startup script rc does not safely handle file globbing. This can be exploited, under some conditions, by a local attacker to remove arbitrary files during a system startup.
Users should upgrade to FreeBSD 4.5-STABLE, security branches, or remove the line rm -f /tmp/.X*-lock /tmp/.X11-unix/* from
Netstd is a legacy set of network daemons and applications that has in the past been distributed with Debian Linux. It has been reported that there are buffer overflows in several applications in Netstd that can be exploited by a remote attacker who controls a name server. This package was distributed as part of the Debian Potato release, but is reported to not be distributed with the Woody release.
Users should consider removing the Netstd package.
rarpd is a reverse arp utility. The Solaris version of rarpd is reported to be vulnerable to three remotely-exploitable buffer overflows and two format string vulnerabilities.
Users should watch for an update that repairs these vulnerabilities. They should also consider disabling or uninstalling rarpd until it has been repaired.
BannerWheel, a random banner ad display script, has been reported to be vulnerable to a buffer overflow that can be exploited remotely to execute arbitrary code as the user running the Web server.
Users should disable BannerWheel until it has been repaired.
A buffer overflow has been reported in Informix that can be exploited by a local attacker to obtain root permissions. This buffer overflow is reported to affect Informix version SE-7.25 under Linux, but may affect other platforms.
Users should watch IBM for a patch.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.