Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

ELF Trouble

by Noel Davis
12/01/2004

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in the Linux kernel, sudo, TWiki, phpBB, cscope, Cyrus IMAP, Bugzilla, ProZilla, unarj, libxml2, and fetch.

Linux ELF Binary Loader

The Linux kernel's ELF binary loader contains multiple errors that may, under some conditions, be exploitable by a local unprivileged user to execute arbitrary code with root permissions. These errors are reported to affect versions of the Linux kernel including 2.4 through 2.4.27, and 2.6 through 2.6.8. Code to automate the exploitation of this vulnerability has been released to the public.

It is recommended that all affected Linux servers be upgraded to a repaired kernel as soon as possible.

sudo

The sudo command allows a permitted user to execute a command as the superuser or as another user, as specified in the sudoers file. sudo reportedly does not clean Bash functions and the CDPATH variable from the environment when it executes the authorized command. Under some conditions, this can be abused by any user authorized to use sudo to execute arbitrary commands or code with the additional permissions granted by sudo.

All affected users should watch their vendors for a repaired version of sudo and should consider disabling sudo until it has been repaired. Anyone who uses sudo to grant a user partial but not complete root access should keep in mind that this type of application is notoriously difficult to secure completely, and should consider alternatives to giving an untrusted user access to superuser-level authority. Debian is reported to have released a repaired version of sudo.
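As an added defensive illustration (not code from sudo or from this column), here is how a program that sits on a privilege boundary can strip exactly the kind of environment entries the sudo item above describes before handing control to the authorized command: CDPATH, and shell functions, which bash exports to child processes as NAME=() { ... } entries. The deny list and the LD_ prefix rule are my assumptions, not sudo's actual policy.

```c
#include <stdlib.h>
#include <string.h>

/* Variables a privilege boundary should never pass through. CDPATH
 * changes what `cd dir` does inside a script; the others are classic
 * shell start-up hooks. (Deny list is an assumption, not sudo's policy.) */
static const char *const dropped_vars[] = { "CDPATH", "IFS", "ENV", "BASH_ENV", NULL };

/* Return 1 if a NAME=VALUE entry must be dropped: name on the deny list,
 * name with an LD_ prefix (dynamic loader controls), or a value that
 * begins with "() {", which is how bash exports a shell function. */
int env_entry_is_dangerous(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t namelen;
    int i;
    if (eq == NULL)
        return 1;                       /* malformed entry: drop it */
    namelen = (size_t)(eq - entry);
    if (namelen >= 3 && strncmp(entry, "LD_", 3) == 0)
        return 1;
    for (i = 0; dropped_vars[i] != NULL; i++)
        if (strlen(dropped_vars[i]) == namelen &&
            strncmp(entry, dropped_vars[i], namelen) == 0)
            return 1;
    if (strncmp(eq + 1, "() {", 4) == 0)
        return 1;
    return 0;
}

/* Build a NULL-terminated copy of envp containing only the safe entries,
 * suitable for execve(). The caller frees the returned array. */
char **filter_environment(char *const envp[])
{
    size_t n = 0, kept = 0;
    char **out;
    while (envp[n] != NULL)
        n++;
    out = calloc(n + 1, sizeof *out);
    if (out == NULL)
        return NULL;
    for (n = 0; envp[n] != NULL; n++)
        if (!env_entry_is_dangerous(envp[n]))
            out[kept++] = envp[n];
    out[kept] = NULL;
    return out;
}
```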

TWiki

The web-based groupware tool TWiki does not properly escape shell meta-characters in the code that handles searches. This bug may be trivially exploited by a remote attacker to execute arbitrary shell commands on the server with the permissions of the user running the web server. A script to automate the exploitation of this vulnerability has been released to the public.

The maintainers of TWiki recommend that all users upgrade to the latest patched production release or apply the available patches.

phpBB

phpBB, an open source, web-based bulletin board system, is reported to be vulnerable to several bugs that, under some conditions, can be exploited by a remote attacker to execute arbitrary code with the permission of the web server, or to execute arbitrary SQL commands on phpBB's database server.

It is recommended that all users of phpBB upgrade to version 2.0.11 or newer as soon as possible.

cscope

The C source-code browser cscope is reported to be vulnerable to a temporary-file symbolic link race condition that may be exploited by a local attacker to overwrite arbitrary files on the system with the permissions of the victim's account. This vulnerability is reported to affect all versions of cscope earlier than 15.5.

Users of cscope should watch for a repaired version and decide if their acceptable level of risk will allow them to use cscope prior to its update.
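To show what the safe alternative to a predictable temporary-file name looks like, here is an added example (not cscope's code): mkstemp() creates the file exclusively, so a symlink planted at a guessed name is never followed, and a second routine confirms that the open descriptor still matches the name on disk before the file is trusted. The template name and the TMPDIR fallback are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private temporary file and return its descriptor, writing the
 * chosen name into `path`. mkstemp() opens with O_CREAT|O_EXCL and mode
 * 0600, so a symlink planted at a guessed name is not followed: that name
 * simply fails and mkstemp picks another. Returns -1 on any failure. */
int open_private_tempfile(char *path, size_t pathsz)
{
    const char *dir = getenv("TMPDIR");      /* assumption: honour TMPDIR */
    int n;
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    n = snprintf(path, pathsz, "%s/example.XXXXXX", dir);
    if (n < 0 || (size_t)n >= pathsz)
        return -1;                           /* template would not fit */
    return mkstemp(path);
}

/* Confirm an open descriptor still refers to the file we created: a
 * regular file, same inode as the name on disk, owned by us, one link,
 * and no group/other permissions. Returns 1 if sane, 0 otherwise. */
int tempfile_is_sane(int fd, const char *path)
{
    struct stat fs, ls;
    if (fstat(fd, &fs) != 0 || lstat(path, &ls) != 0)
        return 0;
    if (!S_ISREG(fs.st_mode) || S_ISLNK(ls.st_mode))
        return 0;
    if (fs.st_dev != ls.st_dev || fs.st_ino != ls.st_ino)
        return 0;
    if (fs.st_uid != getuid() || fs.st_nlink != 1)
        return 0;
    if ((fs.st_mode & 077) != 0)
        return 0;
    return 1;
}
```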

Cyrus IMAP

The Cyrus IMAP daemon is reported to contain several buffer overflows that may, under some conditions, be exploited remotely and result in arbitrary code being executed with root permissions. These overflows are located in the code that parses the partial and fetch commands; an additional buffer overflow may be exploitable when the system runs out of memory.

All users of Cyrus IMAP should watch their vendors for an updated version.

Bugzilla

The web-based bug-tracking system Bugzilla is vulnerable to several bugs that can be exploited by a remote attacker to make unauthorized changes to a bug, or that can result in private information being leaked to an unauthorized user. These problems are reported to affect all versions of Bugzilla earlier than 2.16.7.

The Bugzilla team recommends that all users upgrade to version 2.16.7 or newer as soon as possible.

ProZilla

ProZilla, a download accelerator, is vulnerable to several buffer overflows that may, under some conditions, result in arbitrary code being executed with the victim's permissions.

As it has been reported that this package is no longer being maintained by its author, users should consider switching to an alternative download accelerator.

unarj

The unarj ARJ-archive decompression utility is reported to contain a buffer overflow in the code that handles file names stored in an archive. This buffer overflow may be exploitable to execute arbitrary code with the victim's permissions, and a directory traversal bug may be exploitable to overwrite arbitrary files or directories with the victim's permissions. Both of these bugs are exploited by creating a carefully crafted archive file and then convincing the user to uncompress it using the unarj utility.

Users should exercise great care when opening any archive from an untrusted source. They should also watch their vendors for a repaired version of unarj.
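Added example, not unarj's code: a validation routine for archive entry names that refuses the paths a traversal bug would need, paired with a bounded join that refuses a name that does not fit rather than overflowing or silently truncating it. Treating backslash as a separator is a conservative assumption, made because ARJ archives originate on DOS.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if an archive entry name may be extracted below the destination
 * directory, 0 if it must be refused. Both '/' and '\\' count as separators
 * (an assumption, chosen because ARJ archives originate on DOS); absolute
 * paths, drive prefixes, empty components and "."/".." are all refused. */
int archive_name_is_safe(const char *name)
{
    const char *p = name;
    if (name == NULL || *name == '\0')
        return 0;
    if (*name == '/' || *name == '\\')
        return 0;
    if (((name[0] >= 'A' && name[0] <= 'Z') ||
         (name[0] >= 'a' && name[0] <= 'z')) && name[1] == ':')
        return 0;
    while (*p) {
        const char *end = p;
        size_t len;
        while (*end && *end != '/' && *end != '\\')
            end++;
        len = (size_t)(end - p);
        if (len == 0)                                   /* "a//b" */
            return 0;
        if (len == 1 && p[0] == '.')
            return 0;
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p = *end ? end + 1 : end;       /* a trailing '/' (directory) is fine */
    }
    return 1;
}

/* Join root and name into out. Refuses unsafe names, and refuses a result
 * that would not fit the buffer instead of overflowing or cutting it short.
 * Returns 0 on success, -1 on refusal. */
int build_extract_path(char *out, size_t outsz, const char *root, const char *name)
{
    int n;
    if (!archive_name_is_safe(name))
        return -1;
    n = snprintf(out, outsz, "%s/%s", root, name);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}
```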

libxml2

The XML parsing library libxml2 is reported to be vulnerable to several buffer overflows that, under some circumstances, may be exploitable by a remote attacker and used to execute arbitrary code on the server with the permissions of the web server.

All users of libxml2 should upgrade to version 2.6.16 or newer.

fetch

fetch is a command-line utility used to download files using the FTP, HTTP, and HTTPS protocols. A buffer overflow that has been found in the fetch command can be exploited by a remote attacker who controls a web server that the victim has connected to using fetch. Exploiting this buffer overflow could result in code being executed on the victim's machine.

It is recommended that fetch not be used until it has been updated.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.