Security Alerts: Vixie cron Exploit and More

11/20/2000

Welcome to Security Alerts, an overview of new Unix and open source security-related advisories and news. This week we cover a multitude of vulnerabilities. They range from Denial of Service attacks on telnetd and Sun AnswerBook2, to local and remote exploits on tcpdump, phf, SOCKS5, and more.

Vixie cron

An exploit has been announced for Paul Vixie's cron that abuses the way it opens files with fopen() while preserving the caller's umask. Because that inherited umask can be permissive, an attacker can cause cron to create a world-writable file in /var/spool/cron, then write arbitrary cron entries into that file, which would run as the user being attacked. It is reported that Mandrake 7.0, Red Hat versions 6.1 and earlier, Cobalt Linux, and Trustix are not vulnerable. Debian 2.2 and systems where Vixie cron has been installed manually are vulnerable. FreeBSD versions 2.1.x, 2.2.x, 3.x, 4.x, and -CURRENT are not vulnerable if the exploit is launched by a normal user, but members of the wheel group can use it successfully. A quick workaround is to chmod 700 /var/spool/cron.
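The class of bug behind this advisory, as an added example that is not Vixie cron's own code: fopen() creates a file as 0666 minus whatever umask the process inherited, so a permissive umask leaves the new spool file world-writable, whereas asking open() for 0600 and pinning it with fchmod() makes the result independent of the umask. The file paths and function names are constructed for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it cannot be stat()ed. */
int file_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Vulnerable pattern: fopen(path, "w") creates the file as 0666 & ~umask,
 * so the resulting permissions are whatever umask the daemon inherited.
 * With a permissive umask the spool file ends up world-writable. */
int write_entry_umask_dependent(const char *path, const char *entry)
{
    unlink(path);
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(entry, f);
    return fclose(f);
}

/* Hardened pattern: request 0600 explicitly and pin it with fchmod(), so
 * the outcome no longer depends on the inherited umask at all. */
int write_entry_fixed_mode(const char *path, const char *entry)
{
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) != 0 || write(fd, entry, strlen(entry)) < 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Simulate the permissive umask the vulnerable cron preserved (constructed). */
mode_t set_permissive_umask(void) { return umask(0); }
```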

OpenSSH

Versions of OpenSSH prior to 2.3.0 are vulnerable to a compromised or hostile sshd server: even if you disable X11 forwarding in the client, the server can still forward X11 connections later in the session. A short-term workaround is to clear the $DISPLAY and $SSH_AUTH_SOCK variables before connecting with OpenSSH, but it is recommended that you upgrade to version 2.3.0 or above.

gnupg

GnuPG, the GNU implementation of PGP (Pretty Good Privacy) digital signatures and encryption, can report false positives when verifying messages that carry multiple signatures. In other words, if only some of the signatures are valid, it could still report that all of them were correct. Packages are out for FreeBSD and Debian, or you can upgrade to a version newer than 1.04.


Linux modutils

Versions 2.3.0 to 2.3.20 of modutils have a local root exploit. Vulnerable systems include Red Hat 6.2, 6.2EE, 7.0 and 7.0J; Mandrake versions 7.1 and 7.2; Immunix OS 6.2 and 7.0-beta; SUSE 6.4 and 7.0; and perhaps more. Older systems using a version of modutils prior to 2.3.0 are not vulnerable. You should upgrade your modutils to a version newer than 2.3.20 as soon as you can.

tcsh

A problem with how tcsh versions before 6.09.00-10 handle temporary files for the << (here-document) syntax can be combined with a symlink attack to overwrite arbitrary files. Debian has packages out, or you can upgrade to version 6.09.00-10 or newer.
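The temporary-file hazard in this advisory and its standard fixes, as an added example that is not tcsh's code: a predictable name in a shared directory opened with O_CREAT|O_TRUNC follows a symlink planted at that name, so the write lands on the link's target, whereas O_EXCL|O_NOFOLLOW refuses such a path and mkstemp() avoids predictable names altogether. Function names and paths are constructed for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* for O_NOFOLLOW and mkstemp under strict -std= flags */
#endif
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Size of the file at path in bytes, or -1 if it cannot be stat()ed.
 * Used to observe where a write actually landed. */
long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Write body to an open descriptor and close it; 0 on success, -1 on error. */
static int write_and_close(int fd, const char *body)
{
    ssize_t n = write(fd, body, strlen(body));
    return close(fd) == 0 && n == (ssize_t)strlen(body) ? 0 : -1;
}

/* Vulnerable pattern: a predictable name opened with O_CREAT|O_TRUNC.
 * open() follows a symlink already sitting at that name, so both the
 * truncation and the write are redirected to the link's target. */
int write_heredoc_predictable(const char *path, const char *body)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    return fd < 0 ? -1 : write_and_close(fd, body);
}

/* Hardened pattern for a caller-chosen path: O_EXCL refuses to reuse any
 * existing entry (a planted symlink included) and O_NOFOLLOW refuses to
 * traverse one, so the open fails instead of clobbering the target. */
int write_heredoc_nofollow(const char *path, const char *body)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    return fd < 0 ? -1 : write_and_close(fd, body);
}

/* Preferred fix: mkstemp() picks an unpredictable name and creates it
 * atomically with O_CREAT|O_EXCL and mode 0600, retrying on collision.
 * tmpl must end in XXXXXX and is overwritten with the chosen name. */
int write_heredoc_mkstemp(char *tmpl, const char *body)
{
    int fd = mkstemp(tmpl);
    return fd < 0 ? -1 : write_and_close(fd, body);
}
```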

Sun AnswerBook2

There is a potential denial of service attack against Sun's AnswerBook2, which provides access to Sun documentation through its own web server, dwhttpd. As users read the documentation, dwhttpd builds PostScript files in /tmp and then serves them to the user. If the user downloads the file, it is deleted; if the connection is broken, the file is left behind in /tmp. If /tmp is not mounted with a size limit, this could lead to a system crash. Possible workarounds include turning off AnswerBook2, setting a size limit on /tmp, or running a cron job to remove the AnswerBook2 files from /tmp.

tcpdump

The tcpdump network analysis tool and packet sniffer is often used as part of an intrusion detection system. Vulnerabilities have been found in tcpdump that a remote attacker can use to crash it or trigger a buffer overflow. The buffer overflow could lead to a root compromise, since under normal conditions tcpdump requires root privileges to run. This problem has been reported for SUSE 6.0, 6.1, 6.2, 6.3, 6.4, and 7.0, but any machine running a version earlier than 3.4a6 may be vulnerable. It is recommended that you stop using tcpdump until you upgrade to version 3.4a6 or newer.

phf

Anyone who still has the phf cgi-bin program sitting in their web server's cgi-bin directory should remove it. Yet another exploit for it has been released. This current exploit claims to work on all versions of phf, including patched versions.

SOCKS5

A remote exploit of SOCKS5 for x86 Linux has been announced. SOCKS5 provides port forwarding and is often used to provide services through a firewall. It is also part of NEC's e-Border proxy software. The exploit claims to work against SOCKS versions compiled under Turbolinux 4.05 and Red Hat 6.0 up to SOCKS5 version 1.0r10. I am no longer using SOCKS5, so I was unable to verify this exploit, and at the current time I am not aware of a workaround. The latest version available from NEC, the SOCKS v5 Reference Implementation, is version 1.0r11. I do not know that this version is safe, but I would upgrade to it if I were using SOCKS5.

CUPS (Common Unix Printing System)

CUPS (the Common Unix Printing System) is a portable printing layer for Unix. Earlier versions had a vulnerability that made CUPS printers accessible from anywhere on the Internet. Anyone using CUPS should upgrade to version 1.1.4-5 or newer.

Local root exploit in LBNL traceroute

Traceroute is a network tool used for displaying the path a packet takes between two hosts. It is normally installed setuid root because it uses raw network sockets. A local root exploit has been reported that works on systems with and without non-executable stacks. You should remove traceroute's setuid bit until you can upgrade the package.

telnetd

FreeBSD's version of the commonly used remote login server telnetd can be used for a denial of service attack: by setting the TERMCAP variable, a client can cause telnetd to search an arbitrary file for termcap information, consuming I/O resources. This occurs before the authentication phase of the Telnet session, allowing an attacker to start a large number of such connections. A patch has been released for FreeBSD.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

