Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts: Buffer Overflows in sendmail

by Noel Davis
03/11/2003

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in sendmail, BIND, Snort, file, tcpdump, zlib, terminal emulators, Internet Message, Messaging in the Emacs World, and lprm.

sendmail

sendmail is vulnerable to a buffer overflow in the code that parses email message headers. This buffer overflow can be exploited by a remote attacker using a carefully crafted email message and can result in the execution of arbitrary code, with root permissions in most cases. The attack against sendmail can be carried out even against machines that do not directly connect to outside networks if the email message is passed to a vulnerable machine by another mail transfer agent. A successful attack is reported to not leave any record in the system logs.

Systems that are not running sendmail in daemon mode (-bd) may still be vulnerable to this buffer overflow under some conditions. Because of this, users should ensure that old or unpatched copies of sendmail that carry set-user-ID or set-group-ID bits are removed.

Sendmail, Inc., and the sendmail Consortium recommend that users of an open source version of sendmail upgrade to sendmail 8.12.8 as soon as possible. For those who are unable to upgrade to 8.12.8, patches are reported to be available for versions 8.9, 8.10, 8.11, and 8.12 of sendmail. Users not running an open source version of sendmail should watch their vendor for an updated version.

Repaired versions of sendmail will write the line "Dropped invalid comments from header address" when an email message with an invalid header has been dropped. This may or may not indicate an attack on the system.
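Because the repaired sendmail only logs "Dropped invalid comments from header address" and that line by itself is ambiguous, a practitioner will want to correlate each such line with the envelope record for the same queue ID and then look for relays that trigger it repeatedly. The following is an added example (not code from the column or from sendmail): it parses constructed syslog lines in the usual sendmail format, joins the drop marker to the `from=` record by queue ID, and ranks relay IPs by how often they caused a drop. The log lines, host name and addresses are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines in sendmail's usual format (not real log output).
SAMPLE_LOG = """\
Mar 11 09:14:02 mx1 sendmail[2231]: h2BED1f02231: from=<alice@example.org>, size=1423, class=0, nrcpts=1, msgid=<a1@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
Mar 11 09:14:02 mx1 sendmail[2231]: h2BED1f02231: Dropped invalid comments from header address
Mar 11 09:14:03 mx1 sendmail[2240]: h2BED2g02240: from=<bob@example.net>, size=980, class=0, nrcpts=1, msgid=<b2@example.net>, proto=SMTP, daemon=MTA, relay=[198.51.100.7]
Mar 11 09:20:45 mx1 sendmail[2301]: h2BEKjh02301: from=<carol@example.com>, size=2200, class=0, nrcpts=2, msgid=<c3@example.com>, proto=ESMTP, daemon=MTA, relay=relay.example.com [192.0.2.10]
Mar 11 09:20:45 mx1 sendmail[2301]: h2BEKjh02301: Dropped invalid comments from header address
"""

# Generic syslog prefix followed by sendmail's "pid: queue-id: rest" layout.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$"
)
# Envelope record: sender plus the relay host/IP that handed us the message.
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>.*?relay=(?P<relay>[^\[]*)\[(?P<ip>[^\]]+)\]")
# The line the repaired sendmail writes when it drops an invalid header comment.
MARKER = "Dropped invalid comments from header address"


def find_dropped_header_events(log_text):
    """Return one record per drop marker, enriched with the envelope data
    (sender, relay, IP) that was logged earlier for the same queue ID."""
    envelope = {}  # queue id -> envelope fields from the from= line
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sendmail line; ignore
        qid, rest = m.group("qid"), m.group("rest")
        fm = FROM_RE.search(rest)
        if fm:
            envelope[qid] = {
                "qid": qid, "ts": m.group("ts"), "host": m.group("host"),
                "sender": fm.group("sender"),
                "relay": fm.group("relay").strip() or None,
                "ip": fm.group("ip"),
            }
        elif MARKER in rest:
            # Fall back to an unenriched record if the from= line was not seen.
            base = {"qid": qid, "ts": m.group("ts"), "host": m.group("host"),
                    "sender": None, "relay": None, "ip": None}
            events.append(dict(envelope.get(qid, base)))
    return events


def relays_by_drop_count(events, threshold=2):
    """Rank relay IPs by number of dropped-header events, keeping only those
    at or above the threshold. This is a triage list, not proof of an attack."""
    counts = Counter(e["ip"] for e in events if e["ip"])
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    evs = find_dropped_header_events(SAMPLE_LOG)
    for e in evs:
        print(e["ts"], e["qid"], e["sender"], e["ip"])
    print("repeat offenders:", relays_by_drop_count(evs))
```

Run it against `/var/log/maillog` (or wherever syslog routes the mail facility) instead of the embedded sample; a single drop from a relay is noise, but the same relay producing a run of them in a short window is worth a closer look.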

BIND

The Internet Software Consortium (ISC) has released BIND version 9.2.2. The ISC security web page states: "ISC has discovered or has been notified of several bugs, which can result in vulnerabilities of varying levels of severity in BIND as distributed by ISC." ISC strongly recommends that users upgrade.

Snort

The network intrusion detection system Snort has a buffer overflow in the RPC normalization code that can be exploited using carefully crafted network packets, resulting in the execution of arbitrary code with root permissions. Snort versions 1.8 through 1.9.0 are reported to be vulnerable. The RPC normalization code was added to help detect attacks that attempt to hide from the intrusion detection system using fragmented RPC traffic.

It is recommended that users upgrade to version 1.9.1 of Snort as soon as possible. If it is not possible to upgrade, users should comment out the line "preprocessor rpc_decode" in the file snort.conf.


file

file, a command-line utility that identifies and displays the type of a file based on a system magic file, is vulnerable to a local attack using a specially constructed data file that, when examined with file, will execute arbitrary code with the permissions of the user running file. Versions of the file utility through version 3.39 have been reported to be vulnerable. A script to generate an exploit data file has been released to the public.

Users should upgrade to file version 3.41 or newer, or they should watch their vendor for an updated package.

tcpdump

The network sniffer tcpdump is vulnerable to a denial-of-service attack using ISAKMP packets (UDP port 500). One possible use of this vulnerability by an attacker is to prevent the monitoring of other attacks. This vulnerability has been reported in tcpdump versions 3.6, 3.6.3, and 3.7.1.

It is recommended that users filter packets with a destination of port 500 until tcpdump has been patched.

zlib

The function gzprintf() supplied with the zlib library has a buffer overflow. It may be exploitable to execute arbitrary code with the permissions of the user running any application linked to the library and using the function.

Users should upgrade to zlib 1.1.4 or they should watch their vendor for updated packages.

Terminal Emulators

Several terminal emulators have a set of features that can be abused by an attacker. For example, the terminal emulator Eterm can be used to create files on the victim's system, execute arbitrary commands, or to trick the user into changing the window title. Terminal emulators reported to be vulnerable to features such as this include: Eterm, xterm, rxvt, dtterm, uxterm, aterm, putty, gnome-terminal, and hanterm-xf. KDE's konsole, Gnome's gnome-terminal, Vandyke's SecureCRT, and Sasha Vasko's aterm are reported to be unaffected by this problem.

It is recommended that users watch their vendor for updated packages of affected terminal emulators and that extra care be taken when viewing files that may have untrusted data in them. Users should consider using KDE's konsole, Gnome's gnome-terminal, Vandyke's SecureCRT, or Sasha Vasko's aterm as their terminal emulator.
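The "extra care when viewing untrusted files" advice above comes down to not letting raw escape sequences reach the terminal. The following is an added example, not code from the column or from any of the emulators named: a small filter that finds the escape sequences in a text (CSI sequences such as colors and cursor moves, OSC sequences such as the xterm window-title change, and their 8-bit forms) and renders every control character in `cat -v` style caret notation so the sequence is shown rather than interpreted. The sample string is constructed for the example.

```python
import re

# Constructed sample: an OSC window-title change followed by a colored word.
SAMPLE = "hello\x1b]0;evil title\x07world\x1b[31mred\x1b[0m\n"

# Escape sequences a terminal would interpret. Order matters: CSI and OSC are
# tried before the generic ESC-plus-final-byte form, whose final-byte class
# also covers '[' and ']'.
SEQ_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # 7-bit CSI: colors, cursor movement, ...
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # 7-bit OSC: window title etc., ended by BEL or ST
    r"|\x1b[ -/]*[0-~]"                    # other ESC sequences (charset selection, ...)
    r"|\x9b[0-?]*[ -/]*[@-~]"              # 8-bit CSI
    r"|\x9d[^\x07\x9c]*(?:\x07|\x9c)"      # 8-bit OSC
)

# Whitespace controls we deliberately keep as they are.
SAFE_CONTROLS = {"\n", "\t"}


def find_control_sequences(text):
    """Return every escape sequence found, in order, for reporting or alerting."""
    return [m.group(0) for m in SEQ_RE.finditer(text)]


def window_title_sequences(text):
    """Subset of the sequences that set the window/icon title (xterm OSC 0, 1, 2)."""
    return [s for s in find_control_sequences(text)
            if s.startswith(("\x1b]0;", "\x1b]1;", "\x1b]2;", "\x9d0;", "\x9d1;", "\x9d2;"))]


def _visible(ch):
    """Render one character the way cat -v does: controls become ^X or M-^X."""
    code = ord(ch)
    if ch in SAFE_CONTROLS or 0x20 <= code < 0x7f or code >= 0xa0:
        return ch
    if code == 0x7f:
        return "^?"
    if code < 0x20:
        return "^" + chr(code + 0x40)
    return "M-^" + chr(code - 0x80 + 0x40)  # C1 controls 0x80-0x9f


def sanitize_for_terminal(text):
    """Make untrusted text safe to print: no control character survives, so
    no escape sequence can be interpreted; the payload stays readable."""
    return "".join(_visible(ch) for ch in text)


if __name__ == "__main__":
    print("sequences:", find_control_sequences(SAMPLE))
    print("title changes:", window_title_sequences(SAMPLE))
    print(sanitize_for_terminal(SAMPLE), end="")
```

Piping a suspicious file through `cat -v` (or `less`, which does the same by default) gives the same protection for one-off viewing; the function form is for scripts and log viewers that print data they did not generate.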

Red Hat Internet Message and Messaging in the Emacs World

The Internet Message (IM) packages distributed with Red Hat Linux 7, 7.1, and 7.2 and the Messaging in the Emacs World (Mew) packages distributed with Red Hat Linux 7.3 and 8.0 are vulnerable to a symbolic-link race-condition attack. This vulnerability can be exploited by a local attacker to overwrite arbitrary files on the system with the permissions of the user running IM or Mew.

Affected users should upgrade to repaired packages as soon as possible.
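The symbolic-link race described above is the classic pattern of a program opening a predictable path in a shared directory, so that a symlink planted there beforehand redirects the write elsewhere. The following is an added example, not code from IM, Mew or the column: it contrasts a plain `open()` with a creation routine that uses O_EXCL and O_NOFOLLOW so a pre-existing link is refused, and it exercises both in a private temporary directory. The file names are constructed for the example; on current systems `tempfile.mkstemp()` (which uses O_EXCL and a random name) is the simplest correct choice.

```python
import os
import tempfile


def create_private_file(path, data):
    """Create `path` atomically: fail if anything already exists there and
    never follow a symlink. Returns True on success, False if refused."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    if hasattr(os, "O_NOFOLLOW"):  # not available on every platform
        flags |= os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:  # EEXIST from O_EXCL, or ELOOP from O_NOFOLLOW
        return False
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return True


def create_file_naively(path, data):
    """The pattern that loses the race: follows whatever is already at `path`."""
    with open(path, "wb") as f:
        f.write(data)


def demonstrate_symlink_race():
    """Plant a symlink at a predictable name and show which routine is fooled.
    Everything happens inside a fresh private directory."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "target.txt")      # stands in for a victim file
    with open(target, "w") as f:
        f.write("original\n")
    predictable = os.path.join(workdir, "im-tmp")     # constructed predictable name
    os.symlink(target, predictable)                   # link planted before the write

    safe_accepted = create_private_file(predictable, b"safe\n")
    with open(target) as f:
        after_safe = f.read()

    create_file_naively(predictable, b"clobbered\n")
    with open(target) as f:
        after_naive = f.read()

    return {
        "safe_refused": not safe_accepted,
        "target_intact_after_safe": after_safe == "original\n",
        "target_overwritten_by_naive": after_naive == "clobbered\n",
    }


if __name__ == "__main__":
    for k, v in demonstrate_symlink_race().items():
        print(f"{k}: {v}")
```

O_EXCL alone already refuses an existing symlink (even a dangling one); O_NOFOLLOW adds protection for the non-creating open paths a program may have elsewhere.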

OpenBSD lprm

The lprm utility under OpenBSD has a buffer overflow that may be exploitable to execute arbitrary code with the permissions of the user that lprm is running as (often root). A script to automate the exploitation of this vulnerability has been released. It is not known at this time whether this buffer overflow affects other BSD distributions. It should be noted that starting with OpenBSD 3.2, lprm is installed set-user-ID to daemon, not root.

lprm should be patched as soon as possible. On systems where the printing sub-system is not being used, users should consider removing it.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.