Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at a system call problem and a race condition in the Linux kernel; buffer-overflow problems in SSH-1 and XMail; denial-of-service vulnerabilities in BIND 9.0.1 and ProFTPD; string format problems in man; design flaws in wireless networking security code; and temporary file problems in FreeBSD's sort.
Two problems have been reported in the Linux kernel: a problem with the
syctl() system call and a race condition. The
sysctl() system call can be used to read large areas of kernel memory by passing it a negative offset. The race condition can be used to modify a running
setuid process using
Both problems have been fixed in the 2.2.19pre9 kernel. Users are advised to check with their vendor for updated kernel packages.
Alerts for this week:
Problems reported this week for SSH (secure shell) include: a buffer-overflow in version 1 of sshd, a buffer-overflow in the Kerberos ticket handling code in the SSH AFS/Kerberos v4 patches for SSH 1.2.2x, and a design flaw in the SSH 1.5 protocol.
The buffer-overflow in version 1 of SSHD can be exploited to gain root privileges. This vulnerability is present in most SSHD implementations including: SSH2 2.x with SSH1 fallback support, SSH1 1.2.x versions newer than 1.2.24, F-Secure SSH 1.3.x, OpenSSH prior to 2.3.0 (with version 1 support enabled), OSSH 1.5.7, and others that are derived from SSH1 or OpenSSH. Versions that are not vulnerable include OpenSSH 2.3.0, Cisco SSH, and LSH.
The buffer-overflow in the SSH AFS/Kerberos v4 patches to SSH 1.2.2x can be exploited remotely and used to gain root privileges. Users should upgrade to OpenSSH 2.3.0 or newer.
The design flaw in the SSH protocol version 1.5 can be used to recover session keys from an encrypted SSH session. The session key can then be used to decrypt the recorded session or potentially alter a live session. This vulnerability is present in OpenSSH but it is not possible to exploit it. SSH-1 versions up to version 1.2.31 are vulnerable.
It is recommended that you upgrade your SSHD to SSH-2 or a patched version of SSH-1 as soon as possible.
The BIND 9.1.0 name server can be crashed under certain conditions by a network scan. The crash is caused by a kernel bug in the
accept() system call. It is unclear which kernels are affected.
The ISC (Internet Software Consortium) has released BIND version 9.1.1rc1. This version contains work arounds that cause BIND to log errors instead of crashing. If you are being affected by this problem, you should upgrade to 9.1.1rc1.
man page-reader program has a format string vulnerability. Exploits of this vulnerability fall into the following sets:
man is installed
man is installed setuid man, or
man is installed
man is installed
setuid root, the vulnerability may be exploitable to gain root privileges. Some distributions install a
suid root wrapper program that drops root privileges before executing the real
man program, these distributions have not been reported as being vulnerable.
setuid man binaries, the vulnerability can be exploited to gain the permissions of the
man user ID. The attacker can then overwrite the
man binaries with an arbitrary program. A script has been released that exploits this vulnerability.
setgid binaries the vulnerability can be exploited to become a member of the "man" group. This can be used to write files in the
/var/man/cache directory, which may present security problems.
Users should check with their vendor for updated
XMail is a Internet mail server that supports SMTP, POP3, and more. It has a buffer-overflow in the CTRLServer daemon. This buffer overflow can be exploited by a remote user to execute arbitrary code with the permissions of the user running XMail.
Currently, there has not been a patch released. The author of XMail, Davide Libenzi, has announced that the next version (0.68) will have this problem fixed. A potential work around until the patch is released is to block access to CTRLServer with a firewall.
ProFTPD, a popular FTP daemon, has two memory leaks that can be used in a denial-of-service attack and a minor format string vulnerability. The memory leaks are caused by executing the
USER commands. The
SIZE command only leaks memory when there is not a scoreboard file. It is very difficult if not impossible to exploit the format string vulnerability. These vulnerabilities exist in all 1.2.0 test releases prior to 1.2.0rc3.
Users should upgrade to ProFTPD version 1.2.0.rc3 or newer.
802.11, the standard for wireless communication networks, uses WEP (Wired Equivalent Privacy) to provide protection from eavesdropping. Flaws have been found in the WEP protocol that can be used in several passive and active attacks to decrypt the wireless communications.
It is recommended that users of an 802.11 network not rely on WEP to protect the privacy of their communications, but use additional security measures.
The Chili!Soft ASP package allows Unix web servers to run ASP (Active Server Pages). There is a bug in Chili!Soft that can cause a script to retain group root privileges during execution. For this to occur Chili!Soft ASP must be running in inherited security mode. The vulnerability has only been tested under Red Hat Linux and it is not known if other distributions of Linux are affected.
Chili!Soft is planning to fix this bug in version 3.6. Until this version is released it is recommended that you change Chili!Soft's security mode to defined and specify a user and a group for the package to run under.
sort, an application that sorts lines of text, creates easily predictable temporary files. By exploiting this vulnerability a malicious user can cause
sort to crash. This could be used to disable system reporting and management scripts.
It is recommended that users upgrade their system to FreeBSD 3.5-STABLE, 4.2-RELEASE, or 4.2-STABLE; or download the patch to bring
sort to version 4.1.1.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.