Security Alerts

New Security Problems and a Warning About Checking User Input

01/30/2001

Welcome to the Security Alerts column, an overview of new Unix and open source security-related advisories and news. Problems this week include buffer overflows in splitvt, bing, write, and Lotus Domino's SMTP server; temporary file problems with webmin and Apache's mod_rewrite; format string problems with icecast; ip firewalling problems with FreeBSD; and SQL problems in Postaci.

splitvt

The splitvt program splits a vt100 compatible terminal or screen into an upper and lower window that can each execute a different program. Versions before 1.6.5 have a format string vulnerability and several buffer overflows. Since splitvt is installed suid root on many systems, this vulnerability can be exploited to obtain root privileges.

It is recommended that you upgrade to version 1.6.5 or newer. If you are not using splitvt or do not wish to upgrade, then the suid and sgid bits should be removed from the application.

bing

A throughput measurement tool, bing has a buffer overflow that can lead (on systems with it installed suid root) to a root exploit. The buffer overflow is in the code that handles the host name that it uses. The overflow requires that the attacker be able to create an arbitrary resolvable host name that they can pass to the application.

It is recommended that you remove the suid bit from bing.

webmin

A web-based administrative interface for Unix machines, webmin creates temporary files insecurely. This problem can be used to overwrite and create arbitrary files and can lead to a root compromise. Versions prior to 0.84 are affected.

It is recommended that webmin be upgraded to version 0.84 or newer.

icecast

The icecast audio stream server has a format string vulnerability that can be used to execute arbitrary commands. Since icecast normally runs as the root user, this can lead to a remote root compromise.

A patch has been published and incorporated in several distributions. I was not able to find out if the fix has been made to the version that can be downloaded from the icecast.org web site. I recommend that you check with your vendor for an updated version.

Apache

The mod_rewrite module for the Apache webserver has a problem in the way it uses its temporary files. This can be exploited to read any protected file on the system.

It is recommended that you upgrade Apache to version 1.3.14 or newer. This version also fixes problems with mod_vhost_aliases.

The Apache Project has also announced that they will not be making any more updates to the 1.2.x versions of Apache and users of that series are encouraged to upgrade to the latest 1.3.x version.

Oracle XSQL Servlet

The Oracle XSQL Servlet has a problem that can be used to execute arbitrary Java code on an Oracle database server. Versions affected include the 8.1.7.0.0 database server, Oracle8i release 8.1.7.0.0 and the Enterprise Edition running Oracle Internet Application server with XSQL release 1.0.0.0, and XSQL releases 1.0.1.0 to 1.0.3.0 on all platforms.

If you are using any of these products you should download release 1.0.4.0 of XSQL. Oracle will also be correcting this problem when they release Oracle8i, release 8.1.7.1.

write

The write command allows you to send lines of text to other users of a system. The write command under Solaris 7 has a buffer overflow in the handling of its second command line argument. By exploiting this vulnerability, an attacker can execute arbitrary code with the permissions of the group tty.

It is recommended that the set group id bit be removed from write until a patch has been released by Sun. This problem has been fixed in Solaris 8.

sash

The stand-alone shell, sash, is a statically linked shell that contains many built-in utilities. These include chmod, chown, grep, file, ls, tar, mount, and many more. It can be used to replace shared libraries safely or used in emergencies. Versions prior to 3.4-4 did not clone the shadow file properly. This could lead to this file becoming exposed.

It is recommended that users upgrade to 3.4-4 or newer as soon as possible.

Lotus Domino SMTP server

The Lotus Domino SMTP server has a buffer overflow in the relay policy checking code. This can lead to a remote execution of arbitrary code or a denial of service.

To recover from the denial of service, you may have to remove the log.nsf or mail.box files, so care should be taken when testing for this problem.

Lotus has fixed this problem in their 5.0.6 release of Domino server.

ipfw and ip6fw

The FreeBSD tools ipfw and ip6fw provide packet-filtering, redirecting, and accounting functions. A TCP/IP packet crafted so that the ECE flag is set can incorrectly be passed through by the packet filters if a rule exists to allow established connections. An example of such a rule would be "allow tcp from any to any established." How vulnerable this will make a system or network will vary according to the exact rules in place.

You can work around this problem by rewriting any rule that contains the established keyword. It is however recommended that you upgrade to FreeBSD 3.5-STABLE or 4.2-STABLE after the correction date (01-12-01), or apply the ipfw and ip6fw patches.
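As an added illustration (not FreeBSD's ipfw code), the following models what a correct "established" match must check: only the ACK or RST bits of the TCP flags byte, with the ECN bits (ECE, CWR) having no influence on the decision. The TCP headers it examines are constructed inline.

```python
import struct

# TCP flag bits: RFC 793 flags plus the ECN bits added by RFC 3168.
TH_FIN, TH_SYN, TH_RST, TH_PSH = 0x01, 0x02, 0x04, 0x08
TH_ACK, TH_URG, TH_ECE, TH_CWR = 0x10, 0x20, 0x40, 0x80


def tcp_flags(segment: bytes) -> int:
    """Return the flags byte of a TCP header (byte 13, right after the data offset byte)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def is_established(segment: bytes) -> bool:
    """A segment belongs to an established connection only if ACK or RST is set.

    The mask deliberately covers just those two bits, so a SYN carrying ECE
    (as an ECN-capable client sends on connection setup) is not matched.
    """
    return bool(tcp_flags(segment) & (TH_ACK | TH_RST))


def build_tcp_header(flags: int, sport: int = 40000, dport: int = 22) -> bytes:
    """Construct a minimal 20-byte TCP header (no options) with the given flags."""
    data_offset = 5 << 4  # header length of five 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)


def filter_decision(segment: bytes) -> str:
    """Model a ruleset consisting of 'allow tcp from any to any established'
    followed by the default deny."""
    return "allow" if is_established(segment) else "deny"


if __name__ == "__main__":
    for name, flags in [("SYN", TH_SYN), ("SYN+ECE", TH_SYN | TH_ECE),
                        ("ACK", TH_ACK), ("RST", TH_RST)]:
        print(f"{name:8s} -> {filter_decision(build_tcp_header(flags))}")
```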

Postaci

Postaci, a popular web mail package, does not properly check for malicious SQL code in variables coming from the user when using the PostgreSQL database. This can allow a user to execute arbitrary SQL queries.

At this time a patch to fix this problem has not been released.

This sort of problem is easy for a programmer to fall into. It occurs when the programmer fails to check all possible user-supplied input. With PHP, this can be any variable that you use in your forms and scripts. Remember that the user is in control of their client and can send you whatever data they choose. You need to check or initialize every variable before you use it or send it to your SQL database as part of a query. Numbers should be numbers and not SQL statements, and so on.
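The mistake described above, and the check that prevents it, as an added example written in Python against an in-memory SQLite table (this is not Postaci's code; the table, owners, and subjects are constructed for the demonstration):

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample webmail table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER, owner TEXT, subject TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", [
        (1, "alice", "lunch"), (2, "bob", "payroll"), (3, "alice", "report")])
    return conn


def fetch_unchecked(conn: sqlite3.Connection, owner: str, msg_id: str) -> list:
    """The mistake: request variables are pasted into the query text, so whatever
    the client sent for msg_id becomes part of the SQL, and an expression in
    place of a number changes which rows the query returns."""
    sql = (f"SELECT subject FROM messages WHERE owner = '{owner}' "
           f"AND id = {msg_id} ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def fetch_checked(conn: sqlite3.Connection, owner: str, msg_id: str) -> list:
    """Numbers must be numbers: reject anything that is not a plain integer before
    it reaches the database, and bind both values as parameters rather than text."""
    if not msg_id.isdigit():
        raise ValueError("message id must be a positive integer")
    sql = "SELECT subject FROM messages WHERE owner = ? AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner, int(msg_id)))]


if __name__ == "__main__":
    db = setup_db()
    print(fetch_unchecked(db, "alice", "1"))   # the intended single row
    print(fetch_checked(db, "alice", "1"))     # same row, via bound parameters
```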

An interesting exercise is to trade places with the attacker. Put yourself in their shoes and see what unexpected things you can make your system or software do when you put your mind into it. You may be surprised with what you find out, and that is much better than being surprised by a system cracker.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

