LinuxDevCenter.com
Security Alerts

Security Alerts: Twig, Midnight Commander, and More

12/06/2000

Welcome to Security Alerts, an overview of new Unix and open source security-related advisories and news. Problems this week include arbitrary code execution in Twig, new symlink attacks, a hidden control code attack on Midnight Commander, and a LANGUAGE attack on glibc.

Twig

Twig, a popular web mail system that was once named Muppet, has a vulnerability that can lead to the execution of arbitrary code on your web server. A problem in Twig's virtual hosting setup can allow a remote attacker to cause a file of their choosing to be loaded and executed. At this time there does not seem to be an official fix for this problem, but a workaround has been posted: add

unset($config);
unset($vhosts);

to the top of config/config.inc.php3, so that these two variables start out empty and cannot carry attacker-supplied values into the virtual host configuration when it is built.

Midnight Commander

Midnight Commander is a file manager for Unix machines. Carefully crafted directory names containing terminal control codes can cause Midnight Commander to pass those codes straight to the terminal, where they are interpreted as keystrokes that execute commands. If the directory name is long enough, Midnight Commander does not display the entire name, which lets an attacker hide the control codes from view. There is no fix for this at this time; it is recommended that Midnight Commander not be used on multiuser systems or by root.

There is also a denial of service in cons.saver, the console screen saver helper included in the Midnight Commander package. When started, it does not check that it has a valid stdout. This has been fixed in version 4.5.42-11.
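The defensive half of the Midnight Commander problem is a display issue: a file manager must make control bytes visible before the name reaches the terminal, and it must escape before it truncates, or a long name hides the payload exactly as described above. The following is an added example written for this column, not code from Midnight Commander; the function names and the constructed directory name are assumptions of the example.

```c
/* Added example (hypothetical helper code, not from Midnight Commander):
 * make control bytes in file names visible before they reach the terminal,
 * and escape *before* truncating so a long name cannot hide them. */
#include <stdio.h>
#include <string.h>

/* Returns 1 if name contains a byte a terminal would treat as a control
 * code (C0 controls, DEL, or the C1 range 0x80-0x9F), else 0. */
int has_control_bytes(const char *name)
{
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (*p < 0x20 || *p == 0x7F || (*p >= 0x80 && *p < 0xA0))
            return 1;
    return 0;
}

/* Renders name into out (capacity outsz) in caret notation: ESC becomes
 * "^[", DEL "^?", C1 bytes "\xNN"; everything else is copied through.
 * Returns the rendered length or -1 if out is too small. */
int render_visible(const char *name, char *out, size_t outsz)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        char piece[8];
        int len;
        if (*p < 0x20)
            len = snprintf(piece, sizeof piece, "^%c", *p + '@');
        else if (*p == 0x7F)
            len = snprintf(piece, sizeof piece, "^?");
        else if (*p >= 0x80 && *p < 0xA0)
            len = snprintf(piece, sizeof piece, "\\x%02X", *p);
        else {
            piece[0] = (char)*p;
            len = 1;
        }
        if (n + (size_t)len + 1 > outsz)
            return -1;
        memcpy(out + n, piece, (size_t)len);
        n += (size_t)len;
    }
    out[n] = '\0';
    return (int)n;
}

/* Builds a display column of at most width characters. The order matters:
 * escape first, then truncate (marking truncation with '~'), so the part
 * that is cut off never contained a raw control sequence to begin with. */
int display_column(const char *name, size_t width, char *out, size_t outsz)
{
    char rendered[1024];
    int n = render_visible(name, rendered, sizeof rendered);
    if (n < 0 || width == 0 || width + 1 > outsz)
        return -1;
    if ((size_t)n <= width) {
        memcpy(out, rendered, (size_t)n + 1);
        return n;
    }
    memcpy(out, rendered, width - 1);
    out[width - 1] = '~';
    out[width] = '\0';
    return (int)width;
}

/* Self-check helpers: render into a local buffer and compare. */
int render_equals(const char *name, const char *expected)
{
    char buf[256];
    return render_visible(name, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int column_equals(const char *name, size_t width, const char *expected)
{
    char buf[256];
    return display_column(name, width, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed name: reads as "reports" padded with spaces, with an
     * escape sequence sitting past a 20-column display width. */
    const char *evil = "reports                    \033[2J\033]0;pwned\007";
    char col[128];
    printf("contains control bytes: %d\n", has_control_bytes(evil));
    display_column(evil, 20, col, sizeof col);
    printf("column (20 wide): [%s]\n", col);
    render_visible(evil, col, sizeof col);
    printf("full rendering  : [%s]\n", col);
    return 0;
}
```

The same escape-then-truncate rule applies to anything that echoes untrusted file names to a terminal, including shell scripts that `ls` other users' directories: `ls -q` or `ls -b` does the equivalent of render_visible for you.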

Vulnerabilities this week:

  • Twig
  • Midnight Commander
  • glibc
  • slocate
  • Ident buffer overflow
  • GNU ed
  • fsh
  • Sun JDK/JRE
  • ptrace and non-readable files
  • Majordomo
  • IBM Net.Data

glibc

The glibc library has a LANGUAGE environment variable vulnerability that can be exploited through the su command. It was reported to affect Red Hat 6.2 and 6.1, SuSE 6.2, and Debian GNU/Linux 2.2 (Potato). The vulnerability is reported to be fixed in glibc-2.1.3-12, which is incorporated into Debian GNU/Linux 2.2r1. Check with your vendor for an updated glibc, version 2.1.3-12 or newer.

slocate

slocate, a security-enhanced version of GNU locate, has problems that can reveal the location of private files to an unauthorized user. Early versions had a buffer overflow that occurred when the user supplied an invalid database as a command line parameter. There is also a problem with slocate not dropping its privileges, which can likewise let a user view the location of files they should not see. On many systems, a user being able to learn the location of files will not be a problem; if it is on yours, you may want to disable slocate until a patch is released.
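Both the glibc/su item and the slocate item come down to what a setuid or setgid program does before it trusts anything: su was reachable through an environment variable its caller controls, and slocate kept privileges it no longer needed. The block below is an added example written for this column, not code from glibc, su or slocate; the function names, the list of variables it strips, and the constructed environment in scrub_demo() are assumptions of the example.

```c
/* Added example (hypothetical code, not from glibc, su or slocate): the two
 * things a setuid/setgid program should do before trusting anything else.
 * scrub_env() removes variables that steer what the C library loads at run
 * time (message catalogs via LANGUAGE/LANG/LC_*, shared objects via LD_*),
 * and drop_privileges() gives up elevated IDs and verifies the drop held. */
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

extern char **environ;

/* Variable names a setuid program should never accept from its caller. */
static int is_risky_var(const char *name)
{
    return strcmp(name, "LANGUAGE") == 0 || strcmp(name, "LANG") == 0
        || strcmp(name, "NLSPATH") == 0
        || strncmp(name, "LC_", 3) == 0 || strncmp(name, "LD_", 3) == 0;
}

/* Removes every risky variable from the environment; returns how many. */
int scrub_env(void)
{
    int removed = 0;
    char **e = environ;
    while (e && *e) {
        const char *eq = strchr(*e, '=');
        size_t nl = eq ? (size_t)(eq - *e) : 0;
        char name[256];
        if (nl == 0 || nl >= sizeof name) { e++; continue; }
        memcpy(name, *e, nl);
        name[nl] = '\0';
        if (!is_risky_var(name) || unsetenv(name) != 0) { e++; continue; }
        removed++;
        e = environ;   /* unsetenv() shifts environ; rescan from the top */
    }
    return removed;
}

/* Permanently drops to the real uid/gid. Order matters: supplementary
 * groups and the gid go first, because once the uid is no longer 0 the gid
 * can no longer be changed. Returns 0 on success, -1 on any failure or if
 * the old effective IDs can still be regained. On Linux, setresuid() and
 * setresgid() additionally clear the saved IDs and are preferable. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    if (euid == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;

    if (getegid() != rgid || geteuid() != ruid) return -1;
    if (egid != rgid && setegid(egid) == 0) return -1;   /* drop did not stick */
    if (euid != ruid && seteuid(euid) == 0) return -1;
    return 0;
}

/* Constructed scenario: the caller hands us an attacker-chosen LANGUAGE and
 * an LC_ALL, plus a harmless HOME that must survive. Returns 0 if the scrub
 * removed exactly the risky ones. */
int scrub_demo(void)
{
    if (setenv("LANGUAGE", "attacker-chosen", 1) != 0) return 1;
    if (setenv("LC_ALL", "C", 1) != 0) return 1;
    if (setenv("HOME", "/home/user", 1) != 0) return 1;
    int removed = scrub_env();
    if (removed < 2) return 2;
    if (getenv("LANGUAGE") || getenv("LC_ALL")) return 3;
    if (!getenv("HOME")) return 4;
    return 0;
}
```

Call scrub_env() as the first thing in main(), before any library routine that might consult the locale, and drop_privileges() as soon as the privileged work (opening the database, binding the port) is done; the verification at the end of drop_privileges() is what turns a silently failed setuid() into a hard error instead of a slocate-style privilege leak.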

ident buffer overflow

A buffer overflow in the ident shipped with SuSE Linux can cause the identd daemon to crash, a denial of service for any services that rely on identd. At this time, no fix has been released. If you are not using identd, turn it off; otherwise, watch your vendor for an update.

GNU ed

GNU ed, a line-based text editor, creates its temporary files unsafely. A malicious local user who can anticipate the temporary file name can use this to make ed read or write arbitrary files with the privileges of the user running ed. Upgrading to a version newer than 0.2-18.1 fixes this problem.

fsh

fsh, a tool to quickly run remote commands over rsh, ssh, and lsh, is vulnerable to a symlink attack. When fsh starts, it creates its sockets in a directory under /tmp. It checks that the user running fsh owns that directory, but the check and the subsequent use are separate steps, so another local user can swap in a symlink between them (a race condition). This has been fixed in Debian GNU/Linux with fsh version 1.0.post.1-3potato.
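The ed and fsh items are the same bug in two shapes: a name in a shared directory is examined, or simply assumed free, and then used, and a local user gets to change what the name refers to in between. The fix in both cases is to create atomically and refuse to adopt anything that already exists. The following is an added example written for this column, not code from GNU ed or fsh; the function names and the scratch-directory scenario in demo() are assumptions of the example. demo() makes the racy check's weakness visible: because stat() follows the planted symlink, the ownership check is answered by the link's target rather than by the entry that will actually be used.

```c
/* Added example (hypothetical helper code, not from GNU ed or fsh): creating
 * temporary files and private socket directories under /tmp without the
 * check-then-use window that symlink attacks exploit. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* The racy pattern: look at the directory, check ownership, then use it.
 * stat() follows symlinks, and between the check and the use another local
 * user can replace the entry, so the check proves nothing about what is used. */
int racy_private_dir(const char *path)
{
    struct stat st;
    if (stat(path, &st) == 0)
        return (S_ISDIR(st.st_mode) && st.st_uid == getuid()) ? 0 : -1;
    return mkdir(path, 0700);
}

/* Safe pattern: create, never adopt. mkdir() is atomic and fails with EEXIST
 * for any existing entry, including a planted symlink; on EEXIST refuse and
 * choose a fresh name (mkdtemp()) rather than "fixing up" what is there. */
int safe_private_dir(const char *path)
{
    if (mkdir(path, 0700) != 0)
        return -1;                      /* errno == EEXIST: someone was first */
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode)
        || st.st_uid != getuid() || (st.st_mode & 077) != 0)
        return -1;
    return 0;
}

/* Safe temporary file: mkstemp() opens with O_CREAT|O_EXCL and mode 0600,
 * so a pre-planted symlink makes it fail instead of being followed. The
 * template ("...XXXXXX") is replaced in place with the name that was used. */
int safe_tempfile(char *template_inout)
{
    return mkstemp(template_inout);
}

/* Constructed scenario in a fresh scratch directory: an "attacker" plants a
 * symlink where the victim expects its socket directory, pointing at a
 * directory the ownership check will approve. Returns 0 when the racy check
 * accepts the symlink and the safe version refuses it. */
int demo(void)
{
    const char *tmp = getenv("TMPDIR");
    char base[512], target[1024], link[1024], fresh[1024], file[1024];
    snprintf(base, sizeof base, "%s/tmpdemo.XXXXXX", tmp ? tmp : "/tmp");
    if (!mkdtemp(base)) return 1;
    snprintf(target, sizeof target, "%s/link-target", base);
    snprintf(link, sizeof link, "%s/sockdir", base);
    snprintf(fresh, sizeof fresh, "%s/sockdir.new", base);
    snprintf(file, sizeof file, "%s/ed.XXXXXX", base);

    int rc = 0, fd = -1;
    struct stat st;
    if (mkdir(target, 0700) != 0)                              rc = 2;
    else if (symlink(target, link) != 0)                       rc = 3;  /* planted link */
    else if (racy_private_dir(link) != 0)                      rc = 4;  /* fooled: follows it */
    else if (safe_private_dir(link) == 0 || errno != EEXIST)   rc = 5;  /* must refuse */
    else if (safe_private_dir(fresh) != 0)                     rc = 6;
    else if ((fd = safe_tempfile(file)) < 0)                   rc = 7;
    else if (fstat(fd, &st) != 0 || (st.st_mode & 077) != 0)   rc = 8;

    if (fd >= 0) { close(fd); unlink(file); }
    rmdir(fresh); unlink(link); rmdir(target); rmdir(base);
    return rc;
}
```

The rule that falls out of this: the only trustworthy information about a file in a world-writable directory is what the creating call itself tells you (mkdir succeeded, mkstemp returned a descriptor). Anything learned by a separate stat() call is stale by the time you act on it.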

Sun JDK/JRE

Sun's JDK/JRE (Java Development Kit/Java Runtime Environment) versions prior to Java 2 Standard Edition SDK v1.3, including HotSpot 1.0 and 1.0.1, can allow an untrusted Java class to call into a class it should not be permitted to access. Any application that uses an affected JRE to run untrusted code inherits the problem, and many commercial software packages for Unix systems rely on the JRE to interpret their code. Sun recommends upgrading to the latest JDK/JRE releases: specifically, on Solaris, JDK/JRE 1.2.2_06 or JDK/JRE 1.1.8_12, and on Linux, JDK/JRE 1.2.2_006.

ptrace and non-readable files

Linux ptrace can be used to read executables that are not readable. Using ptrace, you can trace any program you have execute permission on, which lets a local user dump the running process's memory and read its contents, including the code and data of a binary whose read bit was removed. Execute-only permissions therefore do not keep a program's contents, or any secret embedded in it, confidential from the users who can run it. This is just one more reminder against security through obscurity.

Majordomo

Majordomo, a mailing list manager package, can under some conditions leave its passwords effectively exposed. When Majordomo checks the admin password, it first compares it to the password line in the list's config file. If that does not match, it tries to open the supplied string as a file and read the password from there. So if the password is kept in a separate file, there are two valid passwords: the password itself and the name of that file. Many tutorials have recommended storing the password in a separate file named after the list, which makes that second password very easy to guess. It is recommended that you move the passwords into the config files.

IBM Net.Data

IBM's Net.Data package, often used in conjunction with NetCommerce3 and db2www, can be made to disclose system paths and file locations. While not a major security problem on its own, an attacker can use this information to learn about a system while planning an attack.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


