Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

Sudo Contains Root Exploit

04/24/2001

Alerts this week:
sudo
Samba
Red Hat FTP iptables
VMware
innfeed
exuberant-ctags
DCForum
nedit
Cyberscheduler
sendfiled
Red Hat mgetty
Bubblemon

Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at buffer overflows in sudo, innfeed, and Cyberscheduler; symbolic-link race conditions in Samba, VMware, exuberant-ctags, and nedit; and problems in Red Hat FTP iptables, mgetty, DCForum, Cyberscheduler, and sendfiled.

sudo

sudo allows the root user to delegate to other users the ability to run commands with the permissions of root or of another user. Versions of sudo prior to 1.6.3p6 are vulnerable to a buffer overflow that can be exploited to execute arbitrary code and obtain root privileges.

It is recommended that users upgrade to version 1.6.3p6 as soon as possible. If sudo is not being used, its set-user-ID bit should be removed.

Samba

The Samba daemon provides file and print services using the SMB protocol used by Microsoft Windows products. Versions of Samba prior to 2.0.8 are vulnerable to a symbolic-link race condition that can be used by an attacker to overwrite system files, destroy file systems, or obtain root privileges.

All users of Samba should upgrade as soon as possible to version 2.0.8 or newer, and should restart the Samba server once it has been upgraded.

Red Hat FTP iptables

Under some conditions, Red Hat Linux systems can have their firewall rules bypassed by a carefully constructed FTP PORT command. This vulnerability affects Red Hat Linux 7.1 systems using a 2.4 Linux kernel that has been configured to use a firewall based on iptables instead of ipchains, and that has also turned on the feature allowing FTP RELATED connections to pass through the firewall. The default configuration of Red Hat 7.1 uses ipchains for its firewall and is not vulnerable to this attack.

Red Hat recommends that users of iptables disable the FTP RELATED feature, and watch Red Hat for an updated 2.4 Linux kernel.

VMware

The VMware suite of products allows multiple operating systems to run on the same machine at the same time. The vmware-mount.pl script provided with VMware creates a temporary file insecurely and can be used by a malicious user to create and overwrite arbitrary files on the system.

A workaround for this temporary-file race condition is to set the $TMPDIR environment variable to a temporary directory that only you can write to, such as $HOME/tmp. VMware will then create its temporary file in the directory that $TMPDIR points to, which protects against this attack.

Users of VMware should upgrade to a repaired version as soon as one becomes available.

innfeed

innfeed is part of the INN news package and uses the NNTP protocol to send news from one system to another. In versions of INN other than the current CVS version, it is possible for members of the news group to execute the set-user-ID wrapper startinnfeed, pass it very long arguments, and exploit a buffer overflow in the innfeed program.

Exploiting this buffer overflow may allow the attacker to execute commands with the permission of the news user ID. If any of the applications owned by news are executed by the root user, the attacker can leverage access to the news user ID to obtain root privileges.

It is recommended that users who should not have access to the news user ID not be added to the news group, and that the root user never execute any part of the news system.

exuberant-ctags

The exuberant-ctags package creates temporary files insecurely, leaving it open to a symbolic-link race condition. An attacker may exploit this vulnerability to overwrite files with the permissions of the user running exuberant-ctags.

Users should upgrade to version 3.5 of exuberant-ctags as soon as possible.

DCForum

DCForum, a web-based message board system produced by DCScripts, has several bugs that a remote user can exploit to upload files and execute Perl code with the permissions of the user running the web server.

DCScripts has released a patch for this problem and recommends that users apply it as soon as possible.

nedit

The Nirvana Editor, nedit, is a text editor similar to editors used with Microsoft Windows. While printing, nedit creates a temporary file insecurely, causing a race condition that can be used by an attacker to overwrite system files with the permissions of the user running nedit. No workaround is known, as nedit ignores the $TMPDIR environment variable.

Users of nedit should upgrade to version 5.1.1.
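The temporary-file race that runs through the VMware, exuberant-ctags and nedit alerts above, shown as an added example (not code from any of those projects or from this column): the insecure pattern beside a hardened replacement that takes its directory from the $TMPDIR workaround. Assumes Linux/glibc; the function names are the example's own.

```c
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern behind the alerts: a predictable name in a shared directory,
 * opened with O_CREAT but without O_EXCL.  open() follows a symlink that is
 * already sitting at that path, so the caller truncates the link's target. */
int tmp_open_insecure(const char *dir, const char *prog)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s%d", dir, prog, (int)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Returns 1 if fd refers to a regular file that we own, that has exactly one
 * link, and that nobody else can read or write; 0 otherwise. */
int fd_is_private_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == getuid() && st.st_nlink == 1
        && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Hardened replacement.  mkstemp() picks an unpredictable name and opens it
 * with O_CREAT|O_EXCL, so an entry planted at that name (file or symlink)
 * makes the call fail instead of being followed.  dir should be $TMPDIR when
 * it is set, which is the workaround the VMware alert gives.  Returns the
 * open fd and stores the path in path_out, or -1 on any failure. */
int tmp_open_secure(const char *dir, const char *prog, char *path_out, size_t cap)
{
    int n = snprintf(path_out, cap, "%s/%s.XXXXXX", dir, prog);
    if (n < 0 || (size_t)n >= cap) return -1;      /* path would truncate */
    int fd = mkstemp(path_out);
    if (fd < 0) return -1;
    /* Old mkstemp() implementations created 0666 files; force 0600 and then
     * verify the result through the fd, never through the path again. */
    if (fchmod(fd, 0600) != 0 || !fd_is_private_regular(fd)) {
        close(fd);
        unlink(path_out);
        return -1;
    }
    return fd;
}
```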

Cyberscheduler

Cyberscheduler is a calendaring and scheduling package produced by Crosswind that is available for Linux, Solaris, and Windows. Cyberscheduler has a buffer overflow in the time zone variable that can be exploited to execute arbitrary code as the user running the web server.

Users of Cyberscheduler should upgrade to the most recent version as soon as possible.

sendfiled

sendfiled, a server daemon that implements the Simple Asynchronous File Transfer (SAFT) protocol, does not drop its privileges correctly. This can easily be exploited by a local user to execute code with the permissions of the root user.

Users should upgrade to version 2.1-20 as soon as possible.

Red Hat mgetty

The mgetty program distributed with Red Hat Linux 5.2, 6.2, 7.0, and 7.1 does not log error messages correctly.

Users should obtain the appropriate update from Red Hat.

Bubblemon

Bubblemon is a GNOME panel applet that displays the system load as bubbles rising through a liquid. Bubblemon does not properly drop its permissions, which allows a user who clicks on the applet to launch a script or application that runs with an effective group ID of kmem.

Users should upgrade to a version newer than 1.32.
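The privilege-dropping failure behind the sendfiled and Bubblemon alerts, as an added example (not code from either project): drop supplementary groups, group IDs and user IDs in that order, then verify that the drop cannot be undone. Assumes Linux/glibc (setresuid/setresgid); the function names are the example's own.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid.  Order matters: supplementary groups first,
 * then the group ids, then the user ids, because once the uid is no longer
 * privileged the group calls are refused.  setresgid()/setresuid() replace
 * the real, effective AND saved ids; a plain setgid()/setuid() called from
 * an unprivileged euid changes only the effective id and leaves the saved
 * id behind, which is one way a "dropped" gid such as kmem stays available.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;

    /* Verify through the kernel, not through our own bookkeeping. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) return -1;
    /* Unless we were dropping to root itself, regaining root must now fail. */
    if (uid != 0 && setresuid(0, 0, 0) == 0) return -1;
    if (gid != 0 && setresgid(0, 0, 0) == 0) return -1;
    return 0;
}

/* For a set-user-ID or set-group-ID program: return to the invoking user,
 * i.e. the real ids the kernel recorded at exec time. */
int drop_to_invoker(void)
{
    return drop_privileges(getuid(), getgid());
}
```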

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.