Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts Linux Kernel Problems

by Noel Davis
05/19/2003

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in Linux 2.4 kernels, sendmail, IMAP clients, cdrecord, lv, GNU Privacy Guard, EnGarde Secure Linux's sudo, SCO OpenLinux's mgetty and faxspool directory, BEA WebLogic Server, Unreal Engine, and WebLogic Express.

Linux 2.4 Kernel Problems

Problems in the Linux 2.4 kernel have been reported. They include a denial-of-service attack that can be remotely exploited (through the use of network packets with forged source addresses that cause excessive growth of the network hash tables), and a security problem with the ioperm() function call that can be used by an attacker to gain unauthorized access to I/O ports.

Users should watch their vendor for updated kernel packages. Red Hat has released new kernel packages that fix these and additional problems.

sendmail

Three scripts included with sendmail (doublebounce.pl, expn, and checksendmail) have been reported to be vulnerable to a symbolic-link race condition that can be exploited, under some circumstances, to overwrite arbitrary files on the system, and may allow an attacker to gain additional privileges.


Affected users should consider disabling these three scripts until they have been updated with repaired versions.

IMAP Client Buffer Overflows

Several IMAP clients have been reported to be vulnerable to buffer overflows. Pine, UW-imapd, Evolution, Mozilla, and Eudora are reported to have a potentially exploitable vulnerability, and OE6, Sylpheed, Balsa, and mutt are reported to have a denial-of-service vulnerability. Exploiting these buffer overflows requires that the attacker control an IMAP server to which the user connects and logs in.

Users should consider upgrading to imap version 2002c or Evolution version 1.3.2 (Beta). Affected users of other clients should watch for repaired versions. In addition, users should exercise care in what servers they connect to with any client software.

cdrecord

There is a format-string vulnerability in cdrecord that can be exploited by a local attacker to execute arbitrary code with root's permissions on systems that have cdrecord installed set user id root. A script to automate exploiting this vulnerability has been released to the public. It has been reported that Mandrake Linux installs cdrecord with both a set user id bit and a set group id bit.

Affected users should watch their vendor for an updated version of cdrecord and should consider removing the set user id and set group id bits. Mandrake has released packages containing a repaired version of cdrecord.

lv

lv, a file viewer similar to less, contains a bug that may, under some conditions, be exploitable by a local attacker to execute arbitrary shell commands with the permissions of the user running lv. The bug causes lv to read its configuration file (.lv) from the current working directory if one is present there. If a user has executed lv in a directory containing a malicious configuration file and then uses the editor command from within lv, lv will execute the arbitrary commands configured in that .lv file.

It is recommended that users consider not using lv until it has been repaired. Updated packages have been released for Red Hat Linux.

GNU Privacy Guard

GNU Privacy Guard (GPG) has a key-validation bug that can result in keys gaining more trust than they should. This bug affects keys with multiple userids and results in all userids gaining the same level of trust as the most trusted user.

Affected users should watch their vendor for a repaired version of GNU Privacy Guard.

EnGarde Secure Linux's sudo

The sudo command supplied with EnGarde Secure Community 2, EnGarde Secure Professional v1.2, and EnGarde Secure Professional v1.5 is vulnerable to a heap corruption that may be exploitable to execute arbitrary code with root permissions.

Guardian Digital recommends that affected users upgrade as soon as possible. On systems where sudo is not being used, users should consider removing it or removing its set user id root bit.
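Both the cdrecord and the sudo items above recommend removing set user id and set group id bits from binaries a system does not need. The following script is an added example, not part of the column, that audits a list of paths for those bits and strips them; it runs its demonstration on constructed files in a temporary directory rather than on real system binaries.

```shell
#!/bin/sh
# Added example (not from the column): find and remove setuid/setgid bits.

# list_privileged PATH... : print each existing path that has the set user id
# or set group id bit. Returns 1 if any such path was found, 0 otherwise.
list_privileged() {
    found=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        # test -u / -g check the setuid / setgid bits (shown as 's' by ls -l)
        if [ -u "$f" ] || [ -g "$f" ]; then
            printf '%s\n' "$f"
            found=1
        fi
    done
    return $found
}

# strip_privileged PATH... : clear both bits, as recommended for an unused
# cdrecord or sudo. The binary stays executable for its owner.
strip_privileged() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        chmod u-s,g-s "$f"
    done
}

# Demonstration on constructed files; no real binaries are touched.
demo() {
    d=$(mktemp -d)
    : > "$d/cdrecord"; chmod 6755 "$d/cdrecord"   # setuid+setgid, as reported for Mandrake
    : > "$d/lv";       chmod 0755 "$d/lv"         # ordinary binary, no special bits
    echo "privileged before:"
    list_privileged "$d/cdrecord" "$d/lv"
    strip_privileged "$d/cdrecord"
    if list_privileged "$d/cdrecord" "$d/lv"; then
        echo "no setuid/setgid binaries remain"
    fi
    rm -rf "$d"
}
```

On a real system, pass the installed paths (for example the vendor's cdrecord and sudo locations) to list_privileged first and only strip the bits from binaries the host genuinely does not need, since sudo and cdrecord stop working for ordinary users without them.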

SCO OpenLinux's mgetty and faxspool Directory

The mgetty supplied with OpenLinux 3.1.1 server and workstation is reported to be vulnerable to a buffer overflow in the code that handles the name of a caller on a modem. In addition, OpenLinux's faxspool directory is world-writable.

SCO recommends that users upgrade to a new mgetty package that contains a repaired version of mgetty as soon as possible.


BEA WebLogic Server and WebLogic Express

There are several passwords that have been found to be stored or displayed in plain text. These include the JDBCConnectionPoolRuntimeMBean password being displayed on the screen by weblogic.Admin, and CredentialMapper storing passwords on the disk in plain text inside of a binary file.

BEA recommends that WebLogic Server and Express 7.0 and 7.0.0.1 users apply service pack 2 and an available patch (CR104520_700sp2.zip). When service pack 3 is released, the patch will no longer be needed.

Unreal Engine

Flaws in the networking code of the Unreal game engine are exploitable as a denial-of-service attack and may, under some conditions, be exploitable to execute arbitrary code. These bugs affect both the Windows and Linux versions of the engine. Games based on the Unreal engine include Unreal Tournament, Star Trek: The Next Generation: Klingon Honor Guard, Unreal, The Wheel of Time, Deus Ex, Mobile Forces, Rune, Hired Guns, Navy Seals, TNN Outdoor Pro Hunter, Werewolf, X-Com: Alliance, Adventure Pinball, America's Army, and Unreal Tournament 2003. The possible code execution is exploited using map files. A tool to automate a denial-of-service attack has been released to the public.

Users should be careful to use map files only from trusted sources and should watch for updated versions of the game engine with more robust networking and map code.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.