Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts: BIND Issues

by Noel Davis
11/18/2002

Welcome to Security Alerts, an overview of recent Unix and open source security advisories.

In this column, we look at a large set of problems in BIND; buffer overflows in KDE's LISA, libpng, masqmail, FreeBSD resolver code, Windowmaker, Tiny HTTPd, and Zeroo HTTP Server; and problems in Lib HTTPd, KDE's telnet and rlogin KIO code, Kgpg, Squid, and UnixWare and OpenUnix's talkd.

BIND

BIND has a collection of vulnerabilities that a remote attacker can use to execute arbitrary code and to mount a denial of service attack against the name server. All versions of BIND earlier than 9.2.1, 8.3.4, 8.2.7, and 4.9.11 are affected.

ISC recommends that users upgrade to version 9.2.1 or newer of BIND as soon as possible. Users who cannot upgrade to 9.2.1 can upgrade to BIND versions 8.3.4, 8.2.7, or 4.9.11.
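
An inventory check against the four fixed releases listed above can be scripted. The following is an added example, not part of the original column or ISC's advisory; the host names, the version-string formats, the mapping of versions to release lines, and the pre-release suffix rule are assumptions.

```python
import re

# Fixed release per release line, taken from the column above. Assigning an
# installed version to a line (9.x, 8.3+, older 8.x, 4.x) is this example's assumption.
FIXED = {"9": (9, 2, 1), "8.3": (8, 3, 4), "8.2": (8, 2, 7), "4": (4, 9, 11)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-_]?([A-Za-z][\w.]*))?")
# Suffixes treated as pre-releases (rc1, b2, beta1, ...): an assumption.
PRERELEASE_RE = re.compile(r"(rc|beta|alpha|b|a)\d", re.IGNORECASE)

def parse_version(text):
    """Return ((major, minor, patch), suffix), or None if no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return nums, m.group(4) or ""

def fixed_release(nums):
    """Pick the fixed release to compare against, or None for an unknown line."""
    major, minor, _ = nums
    if major == 8:
        return FIXED["8.3"] if minor >= 3 else FIXED["8.2"]
    return FIXED.get(str(major))

def is_affected(text):
    """True = older than the fix, False = at or past it, None = cannot tell."""
    parsed = parse_version(text)
    fixed = fixed_release(parsed[0]) if parsed else None
    if fixed is None:
        return None
    nums, suffix = parsed
    if nums != fixed:
        return nums < fixed  # integer tuples, so 4.9.8 sorts before 4.9.11
    return bool(PRERELEASE_RE.match(suffix))  # 9.2.1rc1 predates 9.2.1

def triage(inventory):
    """Hosts to upgrade or inspect by hand; unknown versions fail closed."""
    return sorted(h for h, v in inventory.items() if is_affected(v) is not False)

# Constructed inventory; host names and version strings are made up.
INVENTORY = {
    "ns1.example.net": "named 8.3.3-REL", "ns2.example.net": "BIND 9.2.1",
    "ns3.example.net": "BIND 9.2.1rc1", "ns4.example.net": "named 8.2.7-REL",
    "ns5.example.net": "named 4.9.8-REL", "ns6.example.net": "unknown",
}

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(host, INVENTORY[host])
```

A host whose version string cannot be parsed is listed alongside the affected ones, so it is checked by hand rather than assumed safe.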

LISA

KDE's LISA is a LAN browsing utility package. LISA is vulnerable to buffer overflows that can be used by an attacker to execute code with the permissions that LISA is running under (often root). Additionally, under some conditions an attacker may be able to access a user's account using a bug in LISA.

Users should upgrade to KDE 3.0.5, apply the appropriate patches, disable LISA, and remove its set user id bits, or remove LISA from the system.

Lib HTTPd

Lib HTTPd, a library implementing web server capabilities, contains a bug that can be exploited to execute arbitrary code on the server with the permissions of the user running the application linked to the library. A script to automate the exploitation of this bug has been released.

Users should watch for an update to Lib HTTPd and should consider disabling applications built with it until they have been recompiled using a repaired library.

libpng

It has been reported that there are several buffer overflows in the libpng library that can be exploited in a denial of service attack against any application linked to the library and may be exploitable to execute code.

Affected users should watch their vendor for updated packages.

masqmail

masqmail is a mail transfer agent designed for machines without a continuous Internet connection. masqmail has buffer overflows that can be exploited under some circumstances to execute code with root permissions.

Users should upgrade to a repaired version as soon as possible.

KDE telnet and rlogin

A flaw in the implementation of the KIO subsystem of KDE 2.1 and higher and KDE 3 to 3.0.4 can be exploited using a specially contrived URL in a KIO-enabled application, HTML email, or HTML page to execute arbitrary commands on the system with the user's permissions.

It is recommended that KDE 3 users upgrade to KDE 3.0.5 or apply patches to KDE 3.0.4. KDE 2 users unable to upgrade to KDE 3 should disable the telnet and rlogin KIO protocols.

FreeBSD Resolver Code

The resolver code in FreeBSD is used to query host names and IP addresses. It is vulnerable to several buffer overflows that may be exploitable in a remote denial of service attack.

Users should upgrade their system to FreeBSD 4.7-RELEASE or 4.7-STABLE. Users that choose not to upgrade should apply the appropriate patches and recompile any affected statically linked applications.

Windowmaker

Windowmaker, a popular X Window manager, has a buffer overflow in the code that handles showing images. Under some circumstances, this buffer overflow could be exploited to execute code with the permissions of the user running Windowmaker.

It is recommended that users upgrade to Windowmaker version 0.80.2 or the CVS version as soon as possible.

Tiny HTTPd

Tiny HTTPd, a small web server, is vulnerable to a buffer overflow that can be used to execute code on the server with the permissions of the user running Tiny HTTPd and is also vulnerable to a bug that can be used to view arbitrary files on the server.

The last update to the SourceForge page for Tiny HTTPd was in April 2001. Users should consider looking for a web server that is being actively maintained.

Kgpg

A bug in Kgpg (a frontend to GnuPG) results in wizard-generated secret keys being created with empty passphrases. An empty passphrase on a secret key would allow any user who has access to your key file, or physical access to the computer it is stored on, to decrypt any file without the use of a key phrase.

It is possible to edit the secret keys and add a passphrase, but it is recommended that any wizard-generated keys be deleted and replaced. Users should also upgrade Kgpg to version 0.9.

Squid

A number of security problems have been repaired in the web caching software Squid. Code that has been repaired includes code that parses FTP directory listings into HTML pages, Gopher client code, code dealing with the MSNT auth helper, code that deals with FTP data connections, and code that forwards proxy authentication credentials.

The Squid team recommends that users upgrade to version 2.4.STABLE7 of Squid.

Zeroo HTTP Server

The Zeroo HTTP server is vulnerable to a buffer overflow that can be used by a remote attacker to execute arbitrary code with the permissions of the user running the web server. A script to automate the exploitation of this vulnerability has been released.

Users should watch for an update that repairs this vulnerability.

UnixWare and OpenUnix talkd

The talk daemon supplied with UnixWare 7.1.1 and OpenUnix 8.0.0 is vulnerable to a remotely exploitable format string bug.

Caldera recommends that users upgrade to the latest talk packages.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


Copyright © 2009 O'Reilly Media, Inc.