 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts: Linux Kernel Root Hole

by Noel Davis
03/24/2003

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a root hole in the Linux kernel; buffer overflows in Samba, qpopper, ircii, Mutt, DeleGate, SuSE's lprold, and Ethereal; and problems in OpenSSL, MySQL, man, tcpdump, and Red Hat's rxvt.

Linux Kernel Problems

Linux 2.2 and 2.4 kernels have a bug in ptrace that can be exploited by a local attacker to execute code with root permissions. The Linux 2.5 kernels are not reported to be affected.

Linux 2.2.x kernel users should upgrade to Linux 2.2.25 as soon as possible. Linux 2.4.x users should apply the patch that has been released or should watch their vendor for an updated kernel package.

Samba

A Samba server daemon provides SMB network services to clients using NetBIOS on a TCP/IP network. Several buffer overflows and a chown race condition have been found in the Samba server. One of the buffer overflows can be exploited by a remote attacker to execute code with root permissions.

Users should watch their vendor for updated packages. If a system has Samba installed but it is not being used, users should consider removing it.

OpenSSL

Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa have demonstrated an attack against OpenSSL that can be exploited to use the server's private key in an operation on ciphertext of the attacker's choice. This attack does not compromise the server's RSA key. The vulnerability is reported to affect OpenSSL releases through 0.9.6i and 0.9.7a.

The OpenSSL Project has released a patch that protects against this attack. Users should apply this patch or watch their vendor for updated OpenSSL packages.


MySQL

The SQL database MySQL is vulnerable to a remote root exploit and several other security-related problems.

Users should upgrade to version 3.23.56 of MySQL.

qpopper

The POP email server qpopper is vulnerable to a buffer overflow that can be exploited by a remote attacker who is able to authenticate to qpopper. A successful exploit executes arbitrary code with the permissions of a user and the group permissions of the mail group.

It is recommended that affected users upgrade to qpopper version 4.0.5. If qpopper is not being used on the system, users should consider removing or disabling it.

man

The man page reader man has a bug that, under some conditions, can cause a user to execute an application named unsafe. If the man program encounters an unsafe string in a man page, it returns the string "unsafe", which is then passed to a system() call. If an executable named unsafe is in the user's path, it will then be executed.

While many conditions have to be met before this vulnerability can become a problem, it is still a good idea to upgrade to man 1.5l. One possible workaround for this vulnerability is to link /bin/unsafe to something safe, such as /bin/true.
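The two things an administrator would want to verify for the man problem above are whether any directory in a PATH already holds an executable named unsafe, and whether the /bin/unsafe workaround link actually points at /bin/true. The script below is an added example, not code from the column or from the man package; it assumes a Bourne-compatible shell with readlink available, and the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the column): audit a PATH string for an executable
# named "unsafe" (what a vulnerable man could hand to system()) and check
# that the suggested workaround link /bin/unsafe -> /bin/true is in place.

# Print each directory in the given PATH string that contains an executable
# named "unsafe". Returns 0 when none is found, 1 when at least one is.
find_unsafe_in_path() {
    path_list=$1
    found=0
    old_ifs=$IFS
    IFS=:
    for dir in $path_list; do
        [ -z "$dir" ] && dir=.   # an empty PATH entry means the current directory
        if [ -x "$dir/unsafe" ] && [ ! -d "$dir/unsafe" ]; then
            echo "executable named 'unsafe' found: $dir/unsafe"
            found=1
        fi
    done
    IFS=$old_ifs
    return $found
}

# Return 0 if the given path is a symlink whose target is /bin/true (the
# workaround the column suggests), 1 otherwise.
workaround_in_place() {
    link=$1
    [ -L "$link" ] || return 1
    target=$(readlink "$link")
    [ "$target" = "/bin/true" ]
}

# When run directly: audit the caller's own PATH and the workaround link.
if find_unsafe_in_path "$PATH"; then
    echo "no executable named 'unsafe' in PATH"
fi
if workaround_in_place /bin/unsafe; then
    echo "workaround link /bin/unsafe -> /bin/true is in place"
else
    echo "workaround link /bin/unsafe -> /bin/true is not in place"
fi
```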

ircii

The IRC client ircii is reported to be vulnerable to several buffer overflows that can be exploited remotely, under some circumstances. These buffer overflows can only be exploited by an attacker that controls an IRC server to which the client has connected. Other users of IRC are not reported to be able to exploit these vulnerabilities.

Affected users should upgrade to ircii-20030313. It is also recommended that care be taken in what servers are connected to using the /server command.

Mutt

Mutt, a small text-based email client, contains a buffer overflow in the code that handles IMAP connections.

Affected users should upgrade to version 1.4.1 of Mutt as soon as possible.

DeleGate

DeleGate is an application-level proxy server that runs under Unix, Windows, MacOS X, and OS/2. DeleGate contains a buffer overflow that can be exploited by a remote attacker using a carefully-crafted and unusually large robots.txt file. Exploiting this vulnerability can result in the execution of arbitrary code with the permissions of the user running DeleGate.

It is recommended that users upgrade to Delegate version 8.5.0 as soon as possible.

SuSE lprold

The SuSE package lprold, which shipped as the default printing system for SuSE Linux until SuSE 7.3, contains the lprm command, which is vulnerable to a buffer overflow that can be exploited by a local attacker to execute arbitrary code with root permissions.

SuSE recommends that users upgrade to the appropriate package. If the printing system is not in use, users should consider removing it.

tcpdump

The network sniffer tcpdump may be vulnerable to a remote attack due to a bug in the code that handles NFS packets.

Users of tcpdump should watch for more information on this vulnerability and should consider not using tcpdump on an untrusted network until it has been resolved. A tool such as a firewall could be used to screen NFS packets from external sources.

Ethereal

The Ethereal network sniffer is vulnerable to a format-string bug in the code that handles SOCKS and a buffer overflow in the code that handles NTLMSSP. Both of these vulnerabilities may be exploitable by a remote attacker through a carefully-crafted network packet to execute arbitrary code on the server.

Users should watch their vendor for updated packages.

Red Hat rxvt

Red Hat has released a new version of the rxvt color VT102 terminal emulator. The new version repairs several problems in the escape-sequence handling of the terminal emulator.

Red Hat recommends that all users upgrade to this new version. Updated packages have been released for Red Hat Linux 6.2 through 7.3.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.