Welcome to Security Alerts, an overview of recent Unix and open source security advisories.
In this column, we look at problems in Samba,
Pine, FreeS/WAN, Solaris
priocntl(), Traceroute NANOG,
pServ, and Alcatel OmniSwitch switches.
The Samba server provides SMB network services to clients using NetBIOS over TCP/IP. Samba is vulnerable to a buffer overflow that may be exploitable by a remote attacker to execute arbitrary code with the permissions of the user running the Samba server (often root). The buffer overflow is triggered by sending an overly large encrypted password as part of a request to change the user's password. Versions 2.2.2 to 2.2.6 of Samba are vulnerable.
Users should upgrade to version 2.2.7 or a repaired package from their vendor as soon as possible. Users should consider removing Samba from their systems if it is not being used.
The Pine email client is vulnerable to a remote denial of service attack. It is possible that this attack could result in the execution of arbitrary code. The attack is conducted by sending a valid email with a carefully created From: header line.
It has been reported that this vulnerability would be repaired in version 4.50 of Pine. A user's email spool file can be repaired by deleting the affected message using an editor or another email client. Users should watch their vendor for an updated package that repairs this vulnerability.
Linux FreeS/WAN, an open source implementation of IPSEC (Internet Protocol SECurity) for Linux systems, has a bug in the processing of some very small packets. This bug can be used as part of a denial of service attack against a machine running FreeS/WAN, potentially causing a kernel panic.
Users should watch their vendor for an update. It may be possible to protect machines from this vulnerability by using a firewall to block small packets.
It has been reported that the system call
priocntl() on Sun Solaris
systems can be manipulated by a local attacker into loading an
arbitrary kernel module giving the attacker root access to the
system. Example code for a module that grants the attacker root
access has been released.
Users should contact Sun for patch information and work arounds.
Traceroute is a utility used to troubleshoot or explore network connections. The NANOG implementation of Traceroute requires root permissions in order to open a raw network socket and does not drop these permissions. Traceroute NANOG is vulnerable to a buffer overflow that can be exploited by a local attacker to execute code with root permissions. Code to automate the exploitation of this vulnerability has been released.
Update packages have been released to repair the buffer overflows, but it has been reported that these packages do not repair all exploitable vulnerabilities. It is recommended that the set user id bit be removed from the traceroute utility or that group permissions be used to limit access to a trusted set of users.
kon2, a VGA console Japanese language input manager, has a bug that
can be exploited to gain root permissions.
Users should consider removing
kon2 until it has been repaired.
The CGI library
libcgi-tuxbr is used to create CGI applications using
the C language.
Libcgi-tuxbr is vulnerable to a buffer overflow that
can be used to execute arbitrary code on the server with the
permissions of the user running the web server. A script to automate
the exploitation of this vulnerability has been released.
Users should watch for a repaired version of the library. It is recommended that vulnerable CGI applications be disabled until they have been linked against a repaired library or reworked to use another library or no library at all.
A temporary file race condition vulnerability in Python can be used by a local attacker to execute arbitrary code with the permissions of the user running a Python script.
Users should watch their vendor for updated packages that fix this problem and should consider disabling Python until it has been repaired.
pServ (pico Server), a small Web server written in C, is vulnerable to
a buffer overflow in the code that handles POST requests. The buffer
overflow can be exploited in a denial of service attack against the
Web server and, under some conditions, may be exploitable to execute
code with the permissions of the user pServ is running under. It is
also reported that
pServ "has no
setuid capability" and will often be
running as root.
The author has released version 2.0 beta 6 which is reported to hopefully fix this buffer overflow. It is recommended that no Web server be executed as root that does not drop its permissions once it has open its port and the run as an non-privileged user.
A back door has been discovered in the Alcatel OmniSwitch Lan switches running the Alcatel Operating System (AOS) version 5.1.1. Alcatel states that during development a telnet server was configured to listen on port 6778 so that developers could access the operating system and that the telnet server was accidentally left enabled in the release of the product. The back door can be used by a remote attacker to gain full administrative control over the switch.
Alcatel recommends that affected users upgrade to AOS 5.1.1.R02 or AOS 5.1.1.R03 as soon as possible. Users who are unable to upgrade at this time should consider a partial solution such as screening access to port 6778 using a firewall.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.