Insecure Temporary File Functions
01/15/2001
Welcome to the Security Alerts column, an overview of new Unix and open source security-related advisories and news. Problems this week include a vulnerability in glibc, a possible bug in ReiserFS, a buffer overflow in exrecover, a stack overflow in arp, temporary file race conditions in a long list of programs, and a back door in Borland InterBase.
The GNU C library, or glibc, has a vulnerability that allows a non-privileged user to read protected files and preload arbitrary libraries in /usr/lib even if they have not been allowed by the system administrator.
It is recommended that you check with your vendor for a patched version of glibc as soon as possible.
It has been reported that ReiserFS, a journaling file system, has a bug in its handling of long file names. Under some situations it appears to cause a kernel oops with a potential buffer overflow. Other people have reported that they can hide pieces of the file system from ls. The reports have been contradictory, and it is not clear to me which versions of ReiserFS and Linux have this problem or under what conditions you would be safe.
I suggest that if you are running ReiserFS, you should watch your vendor for an alert and patches about this problem.
The recovery command for the ex editor, exrecover, has a buffer overflow. On many systems this program is unnecessarily suid root, opening up the possibility of a local root exploit. The problem is caused by not checking the length of the second argument.
There is no reason for this program to be suid, so remove its suid bit and update it to the latest version.
Security Alerts this week:
The arp program allows you to view and modify the Internet-to-Ethernet address translation table. In versions of Solaris prior to Solaris 8, arp is vulnerable to a stack overflow that could be used to execute arbitrary code. Because arp is setgid, this could be leveraged into a local root exploit.
All users of Solaris prior to version 8 should remove the sgid bit from arp until they can download and apply the patch from Sun.
Some versions of linuxconf have a race condition in the way the vpop3d program handles its temporary files. This can be used by a malicious user to overwrite arbitrary files on the system and may lead to a root compromise. The affected versions of linuxconf seem to be 1.19r through 1.23r.
Users should update their linuxconf to a version newer than 1.23r.
The HP-UX version of inetd (the Internet super server) on systems running HP-UX releases 10.20, 10.24, 11.00, and 11.04 can be hung by a remote user. This only affects servers that have a service configured to use the "swait" state.
If you are affected, you should download the patched version of inetd from HP.
During a recent audit done while working on Immunix Linux 7.0, many potential temporary file race condition problems were discovered. The following programs were found to use insecure temp file functions: apache (htpasswd and htdigest in 1.3.14 and 2.0a9), arpwatch (2.1a4), squid (2.3 STABLE and 2.4), linuxconf (vpop3d 1.19r through 1.23r), mgetty (1.1.22 and 1.1.23), gpm (1.19.3), wu-ftpd (privatepw 2.6.1), inn (2.2.3), diffutils (sdiff 2.7), getty_ps (2.0.7j), rdist (6.1.5), and shadow-utils (useradd 19990827 and 20000902). A race condition in the temporary file code can be used to overwrite any file that the user running the program has permission to write to.
If you are using any of these programs you should check with your vendor for an updated version.
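The class of bug behind this list is a temporary file opened at a name an attacker can predict and plant ahead of time. As an added illustration (not code from the audit or from any of the programs named), the following C shows the two defences a maintainer would apply: let mkstemp() choose the name and create it exclusively in one call, and where a fixed name is unavoidable, open it with O_CREAT|O_EXCL|O_NOFOLLOW so that anything already sitting at that name makes the open fail rather than being truncated or followed. The function names are hypothetical, and the self-check assumes a POSIX system with a writable TMPDIR or /tmp.

```c
#define _GNU_SOURCE   /* mkstemp() and O_NOFOLLOW under strict feature sets */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
/* Safe creation: mkstemp() picks an unpredictable name and opens it with
 * O_CREAT|O_EXCL in one call, so nothing planted at that name in advance can
 * be followed or overwritten. Copies the path to `out`; returns fd or -1. */
int create_temp_secure(const char *dir, char *out, size_t outlen) {
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/alert.XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof path || (size_t)n >= outlen) {
        errno = ENAMETOOLONG; return -1;
    }
    mode_t old = umask(077);   /* 0600 even where mkstemp() honours umask */
    int fd = mkstemp(path);
    umask(old);
    if (fd >= 0) snprintf(out, outlen, "%s", path);   /* n < outlen checked */
    return fd;
}
/* Predictable name (the pattern the listed programs used), but opened so that
 * any pre-existing entry, a symlink included, fails with EEXIST instead of
 * being truncated or followed. */
int open_fixed_path_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check: a planted regular file and a planted symlink must both be
 * refused. Returns 0 if every check passes, else the failing check's number. */
int self_check(void) {
    const char *dir = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char path[4096], lnk[4096 + 8];
    int fd = create_temp_secure(dir, path, sizeof path);
    if (fd < 0) return 1;                 /* check 1: could not create */
    close(fd);
    int rc = 2;                           /* check 2: existing file refused */
    if (open_fixed_path_exclusive(path) == -1 && errno == EEXIST) {
        snprintf(lnk, sizeof lnk, "%s.lnk", path);
        rc = 3;                           /* check 3: symlink() itself failed */
        if (symlink(path, lnk) == 0) {    /* check 4: planted symlink refused */
            rc = (open_fixed_path_exclusive(lnk) == -1 &&
                  (errno == EEXIST || errno == ELOOP)) ? 0 : 4;
            unlink(lnk);
        }
    }
    unlink(path);
    return rc;
}
```

The umask dance matters only on old C libraries whose mkstemp() created files mode 0666; on current ones it is harmless.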
InterBase is an open source database package that in the past was distributed as a closed source package. A back door was coded into InterBase in 1992 that affects both the open and closed source versions. This back door has a fixed user name and password and allows full access to all databases on the server. This user id and password are in the published source code, and once it is known that there is a back door, it can be easily found by an attacker.
The recommended solution is to upgrade to Firebird 0.9.3 or download a patch from Borland. Jim Starkey has also developed a patch program that will overwrite the back door with random byte codes. If you are unable to update your software or apply a patch, then a possible workaround is to block tcp connections to port 3050. (Users inside your firewall may still be able to connect to the port and exploit the back door.)
The caching web server squid has a temporary file race problem. When squid sends an e-mail to the administrator, there is a race condition with its temporary files that can be used to overwrite any file that the user id squid is running under has permission to write to.
Users of squid should upgrade to the latest stable or development version.
A pair of workarounds for the problem reported with Domino last week has been released. The first workaround is to add a map *..* /something.nsf in your httpd.conf. The second workaround is to add a File Protection Document in your PAB/DD, with the path set to /.box/../ and the Access Control set to -Default- - No Access. You should repeat this for .nsf. Lotus is recommending the first workaround, but they have changed it at least once, so it may not protect you against all possible attacks against this problem.
I reported in an earlier column that catman was suid root under Solaris 2.x. This was incorrect. You should still exercise care, because the symlink attack can still be used against the root user if he executes catman or has it in a script, and it can of course be used against a regular user to overwrite their files.
After more review of the Shockwave Flash buffer overflow, it has been determined that the overflow cannot be used to execute code on the user's machine. The overflow can only be used as a denial of service attack against the machine running Shockwave Flash.