Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Kernel DoS Vulnerability

by Noel Davis
06/28/2004

Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at problems in the Linux kernel, www-sql, super, rssh, Horde-IMP, GNU GNATS, gzip, ISC DHCP, and sup.

Linux Kernel Denial-of-Service Attack

Linux kernels (2.4.2x and 2.6.x) are vulnerable to a denial-of-service attack that uses a series of fsave and frstor instructions to crash the system. The attacker must have the ability to execute an arbitrary application on the system to exploit this vulnerability. A C program that automates the exploitation of this vulnerability has been released to the public.

In addition, problems with the e1000 device driver can be exploited by a local attacker to read kernel memory.

New Linux kernel packages have been released for: EnGarde Secure Community 2, EnGarde Secure Professional v1.5, Mandrake Linux 9.1, Mandrake Linux 9.2, Mandrake Linux 10.0, Mandrake Multi Network Firewall 8.2, Mandrake Corporate Server 2.1, Red Hat Desktop version 3, Red Hat Enterprise Linux AS version 3, Red Hat Enterprise Linux ES version 3, Red Hat Enterprise Linux WS version 3, SuSE Linux Database Server, SuSE eMail Server III 3.1, SuSE Linux Enterprise Server 7, SuSE Linux Enterprise Server 8, SuSE Linux Firewall on CD/Admin host, SuSE Linux Connectivity Server, SuSE Linux Office Server, Trustix Secure Linux 2.0, Trustix Secure Linux 2.1, and Trustix Operating System: Enterprise Server 2. Users of other distributions should contact their vendors for upgrade packages or compile a repaired kernel from source code.

www-sql

www-sql, a CGI application that allows the insertion of SQL statements inside an HTML page, is reported to be vulnerable to a buffer overflow that can be exploited by anyone who can create a web page that will be parsed by www-sql. Successfully exploiting the buffer overflow will allow the attacker to execute arbitrary code with the same permissions as the web server.

Affected users should watch their vendors for a repaired version of www-sql. Debian has released a repaired version for woody and plans to also repair it in sid.

Super

Super allows specific users to execute commands with root permissions, in a manner similar to sudo. A format-string-based vulnerability can be exploited, under some circumstances, by any local user to execute commands with root permissions.

It is recommended that any set-user-ID or set-group-ID bits be removed from Super until it has been repaired. In addition, users should consider whether the risks associated with this type of application are worth the convenience it provides. In most cases, the problems solved by this type of application can be solved in a way that does not require root permissions.

rssh

rssh is a restricted shell for use with OpenSSH that can place a user in a chroot jail and only allows the use of scp and sftp. A bug in rssh versions 2.0 through 2.1.x may be exploited to gather information about files outside of the chroot jail. The bug is caused by rssh parsing its command-line arguments before creating the chroot jail.

Users should upgrade to version 2.2.1 of rssh, but it should be noted that the author of rssh has stated that no additional development of rssh is planned.

Horde-IMP

The web-based Horde-IMP mail client is vulnerable to a web-browser scripting attack due to not properly sanitizing email content. The attacker sends the victim a carefully crafted email containing a script that, when viewed, will execute in the victim's browser and can result in the attacker gaining access to the victim's account or the compromise of cookies.

It is recommended that all administrators of machines with Horde-IMP installed upgrade to version 3.2.4 as soon as possible.

GNU GNATS

GNU GNATS, a suite of tools for centralized bug tracking, is reported to be vulnerable to a format-string-based attack that may, under some conditions, be exploitable by an attacker to execute arbitrary code.

Affected users should watch for a repaired version.

gzip (a.k.a. GNU Zip)

gzip is a compression program, designed as a replacement for compress, with a much better compression algorithm that is not patented. A script named gzexe included with gzip is reported to contain a bug that, under some conditions, can cause arbitrary commands to be executed.

Users should watch for a repaired version of gzip and should consider not using gzexe in a manner that could allow an attacker to exploit it.

ISC's dhcp-server

A buffer overflow in the logging code of the ISC DHCP daemon can be used in a denial-of-service attack and may, under some circumstances, be exploitable by a remote attacker to execute arbitrary code with the permissions of the user running the daemon (in many cases, root).

When compiled on a system that does not supply the vsnprintf() function, the ISC DHCP daemon falls back to the less secure vsprintf() function, leaving the daemon vulnerable to a buffer overflow that can crash it and may be exploitable to execute arbitrary code.

Both ISC DHCPD 3.0.1rc12 and 3.0.1rc13 are reported to be vulnerable.
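As an added illustration of the defect class in this advisory (example code, not ISC's): a bounded log formatter, with comments contrasting it against what the unbounded vsprintf() fallback would do with the same input. The log buffer size, the wrapper log_dhcp_request() and the over-long hostname are constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 64  /* constructed log buffer size for this example */

/* Bounded formatting into a fixed-size buffer.
 * Returns 0 when the whole message fit, -1 when it was truncated.
 * vsnprintf() writes at most bufsz bytes and NUL-terminates, and returns
 * the length the full message would have had, so truncation is detectable.
 * The vsprintf() fallback the advisory describes has no bound at all: the
 * same over-long input would be written past the end of buf. */
static int log_line_safe(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (bufsz == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= bufsz) ? -1 : 0;
}

/* Hypothetical wrapper shaped like a lease log line; the hostname is a
 * client-supplied field. A truncated message is still emitted, marked with
 * "...", rather than dropped. Returns the log_line_safe() status. */
static int log_dhcp_request(char *out, size_t outsz, const char *client_ip,
                            const char *hostname, const char *iface)
{
    int rc = log_line_safe(out, outsz, "DHCPREQUEST for %s (%s) via %s",
                           client_ip, hostname, iface);
    if (rc != 0 && outsz >= 4)
        memcpy(out + outsz - 4, "...", 4);  /* mark the truncated tail */
    return rc;
}

int main(void)
{
    char buf[LOG_BUF], longname[256];
    /* Constructed input: a hostname far longer than the log buffer. */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    log_dhcp_request(buf, sizeof buf, "10.0.0.5", "laptop", "eth0");
    puts(buf);
    log_dhcp_request(buf, sizeof buf, "10.0.0.5", longname, "eth0");
    puts(buf);
    return 0;
}
```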

Mandrake has released a patched version of the ISC DHCP daemon for Mandrake Linux 10.0 and 9.2. Affected users of other distributions should watch their vendors for a repaired DHCP package.

Sup

Sup is a remote file synchronization package. Sup is reportedly affected by a format-string vulnerability that may be exploitable by an attacker to execute arbitrary code with the permissions of the supfilesrv process.

Users should watch for a repaired package and should consider disabling sup until it has been repaired. Debian has released repaired packages for woody and will soon fix sid.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.