Buffer-Overflow Problems in BIND
02/06/2001
Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at buffer-overflow problems in BIND and tinyProxy; format string attacks against LPRng; and denial-of-service attacks against inetd, CUPS, and InterNetNews (INN2).
Buffer-overflow problems have been found in versions 4 and 8 of BIND, a domain-name-system daemon distributed by the Internet Software Consortium (ISC). This vulnerability has wide implications as most sites on the Internet use one of these versions of BIND, the Berkeley Internet Name Domain, to provide DNS resolution.
BIND version 8 (prior to version 8.2.3) has a bug in the transaction-signature code that could allow an attacker to execute arbitrary code as the user running BIND -- often the root user. This problem could affect both recursive and non-recursive DNS servers and does not require the attacker to have control of an authoritative DNS server.
BIND versions 4 through 4.9.7 were also discovered to have buffer-overflow weaknesses in the code that prepares a message to be logged with syslog. This buffer overflow can be exploited to allow an attacker to run arbitrary code on the server as the user running BIND (again, often root). To exploit this overflow, the attacker must gain control of an authoritative DNS server and use a recursive target name. BIND version 4 also has a format string bug that can be exploited to execute arbitrary code. This bug has the same restrictions as the buffer-overflow problem.
ISC recommends that users upgrade earlier versions of BIND to version 8.2.3 or 9.1.x. If you cannot upgrade to one of these versions, ISC recommends that you upgrade to version 4.9.8.
ISC has also announced it will create a fee-based forum with access restricted to the ISC list, vendors who include BIND in their products, root and other top-level domain name-server operators, and others as determined by ISC. These members would sign strong non-disclosure agreements (NDAs) and encrypt their communications. They would receive access to the CVS versions of BIND 4, 8, and 9; early notice of security problems; admission to live meetings; and inclusion in a members-only BIND mailing list. Prior to this announcement, ISC's practice was to send security announcements out to the BIND-workers mailing list and in CERT advisories.
Reaction to ISC's announcement is mixed. Some wonder how the ISC will convince non-BIND-members to announce security problems only to BIND-members. Personally, I expect to see many BIND problems announced on forums such as bugtraq.
inetd (Internet superserver) shipped with Red Hat Linux 6.2 may fail to properly close sockets for internal services. This could result in a vulnerability to denial-of-service attacks.
Red Hat recommends that you download the inetd-0.16-7 rpm from updates.redhat.com and upgrade your software.
kdesu, a KDE front-end to the su command, has a bug that can allow a local user to obtain the root password. If you are using the "keep password" option, kdesu uses a Unix socket to send the password, but does not check the identity of the listener on the other side of the socket.
Users should upgrade to the latest version of kdesu or deselect the "keep password" option.
gnuserv, a remote-control program for GNU Emacs, also has a buffer-overflow vulnerability that can be exploited to allow an attacker to execute arbitrary code. gnuserv shipped with Emacs but can also be found as a standalone package.
gnuserv typically must be started by the user with the
If you use gnuserv, upgrade your installation to gnuserv version 3.12. This version is included in XEmacs 21.1.14 or XEmacs Beta version 21.2.35.
A problem has been found with the Common Unix Printing System (CUPS) that makes it vulnerable to denial-of-service attacks. If a client sends a line longer than the input buffer, the httpGets function will loop indefinitely.
Users should upgrade to version 1.1.6. In addition to fixing the denial-of-service bug, numerous function calls have been changed to reduce the risk of future buffer overflow issues.
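The CUPS bug above is a classic failure mode of fixed-size line readers: when a line does not fit, the reader neither stores it nor consumes it, so the next call sees the same bytes and the loop never ends. The following is an added example, not CUPS code, of a bounded line reader that always makes progress: an over-long line is truncated, the remainder up to the newline is drained, and the caller is told so it can reject the request. It runs over an in-memory byte range so it works offline; the function names, the `line_status` enum and the constructed request are assumptions.

```c
/* Added example (not CUPS code): reading request lines into a fixed buffer
 * without looping forever on a line longer than the buffer. Works over an
 * in-memory byte range so it runs offline; names are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum line_status { LINE_OK = 0, LINE_TOO_LONG = 1, LINE_EOF = 2 };

/* Copy one line (without its '\n') from *cursor into out[outsz]. Advances
 * *cursor past the next newline (or to `end`), so a caller that loops on
 * the result makes progress on every call. Returns LINE_TOO_LONG when the
 * line did not fit: the stored prefix is truncated and the rest of the line
 * has been discarded rather than left for the next call. An outsz of 0 is a
 * caller bug and returns immediately without touching anything. */
enum line_status read_line_bounded(const char **cursor, const char *end,
                                   char *out, size_t outsz)
{
    const char *p = *cursor;
    size_t n = 0;
    int truncated = 0;

    if (outsz == 0) return LINE_TOO_LONG;
    if (p >= end) { out[0] = '\0'; return LINE_EOF; }

    while (p < end && *p != '\n') {
        if (n + 1 < outsz) out[n++] = *p;   /* keep room for the terminator */
        else truncated = 1;                 /* drain, do not store */
        p++;
    }
    if (p < end) p++;                       /* consume the '\n' */
    out[n] = '\0';
    *cursor = p;
    return truncated ? LINE_TOO_LONG : LINE_OK;
}

/* Count the lines of a request, rejecting it when any line exceeds the
 * buffer (what a 414 / 400 response would express over HTTP).
 * Returns the number of complete lines read, or -1 if rejected. */
int count_request_lines(const char *data, size_t len, size_t bufsz)
{
    char buf[64];
    if (bufsz > sizeof buf) bufsz = sizeof buf;
    const char *cur = data, *end = data + len;
    int lines = 0;
    for (;;) {
        enum line_status st = read_line_bounded(&cur, end, buf, bufsz);
        if (st == LINE_EOF) return lines;
        if (st == LINE_TOO_LONG) return -1;
        lines++;
    }
}

/* Constructed input: a 200-byte header line followed by a short one.
 * With a 64-byte buffer the request is rejected (-1) instead of hanging. */
int demo_long_line(void)
{
    char req[256];
    memset(req, 'A', 200);
    memcpy(req + 200, "\nHost: x\n", 9);
    return count_request_lines(req, 209, 64);
}

/* Constructed input: "0123456789\nok\n" read through an 8-byte buffer.
 * Returns 1 if the long line is truncated to "0123456", the following
 * short line is still read intact, and end of input is reported after it. */
int demo_truncation(void)
{
    const char *s = "0123456789\nok\n";
    const char *cur = s, *end = s + 14;
    char out[8];
    if (read_line_bounded(&cur, end, out, sizeof out) != LINE_TOO_LONG) return 0;
    if (strcmp(out, "0123456") != 0) return 0;
    if (read_line_bounded(&cur, end, out, sizeof out) != LINE_OK) return 0;
    if (strcmp(out, "ok") != 0) return 0;
    if (read_line_bounded(&cur, end, out, sizeof out) != LINE_EOF) return 0;
    return 1;
}

int main(void)
{
    printf("long line: %d, truncation demo: %d\n", demo_long_line(), demo_truncation());
    return 0;
}
```

The design point is that the reader's return value and its cursor advance are decoupled: the cursor moves even on failure, so the only way to spin is for the caller to ignore LINE_TOO_LONG, which is a visible bug rather than a silent one.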
tinyProxy, an HTTP proxy designed to be fast and small, has a heap-overflow vulnerability. It can be used for a denial-of-service attack or to execute arbitrary code as the user running tinyProxy. Users should upgrade to version 1.3.3a or newer.
ntop, an application for monitoring network usage, has a format string vulnerability. An exploit has been released that will brute force an offset and provide the attacker with a root shell if the package is installed suid root.
If the application is installed suid root, the bit should be removed.
LPRng, an enhanced printer spooler, has a bug in the way it calls the syslog function. An attacker can send format-string directives to the daemon, which may result in a root compromise.
If you use LPRng, you should upgrade to version 3.6.26 or newer.
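The LPRng, BIND 4 and ntop items in this column are all the same class of bug: attacker-supplied text reaches syslog() or printf() as the format string instead of as an argument. The following is an added example, not LPRng code, that puts the vulnerable call (as a comment, since compilers rightly warn on it) beside the fixed one and shows, with a vsnprintf rendering helper that mirrors what the C library does to a format string, that the fixed form copies "%x%x%n" literally rather than interpreting it. The function names and the sample job name are assumptions.

```c
/* Added example (not LPRng code): untrusted text as a syslog() format
 * string versus untrusted text as a %s argument. Names are assumptions. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable pattern, shown only for contrast (deliberately not compiled):
 *
 *     syslog(LOG_INFO, jobname);      // jobname is the format string
 *
 * A job name of "%x%x%n" is parsed for directives, reads stack words and,
 * with %n, writes to memory. */

/* Fixed pattern: a fixed format string; the untrusted text is supplied as
 * a %s argument, so its bytes are copied literally. */
void log_job_safe(const char *jobname)
{
    syslog(LOG_INFO, "lpd: job name %s", jobname);
}

/* Rendering helper so the effect can be checked without a syslog daemon:
 * the same vsnprintf expansion the C library performs on a format string
 * before the result reaches the log. */
static int render(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Render an untrusted job name the safe way; returns 1 if the output still
 * contains the input byte-for-byte, i.e. no directive was interpreted. */
int safe_render_preserves_input(const char *jobname, char *out, size_t outsz)
{
    render(out, outsz, "lpd: job name %s", jobname);
    return strstr(out, jobname) != NULL;
}

/* Stop-gap for code paths you cannot refactor today: refuse to log text
 * containing '%'. Not a substitute for a fixed format string. */
int looks_like_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Constructed hostile job name run through the safe path. Returns 1 if the
 * rendered line is exactly "lpd: job name %x%x%n" (directives untouched). */
int demo_safe_render(void)
{
    char out[128];
    const char *hostile = "%x%x%n";   /* constructed sample input */
    if (!safe_render_preserves_input(hostile, out, sizeof out)) return 0;
    return strcmp(out, "lpd: job name %x%x%n") == 0;
}

int main(void)
{
    printf("safe render demo: %s\n", demo_safe_render() ? "ok" : "failed");
    return 0;
}
```

The compiler can find most of these for you: building with `-Wformat -Wformat-security` flags every printf-family or syslog call whose format is not a string literal, which is how such call sites are typically audited in bulk.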
The InterNetNews (INN2) daemon has two potential security problems -- a buffer overflow that can be used to execute arbitrary code and a denial-of-service attack vulnerability caused by 2-byte headers. The buffer overflow is in the code to cancel messages and is only a danger if
verifycancels is enabled.
It is recommended that you upgrade to INN2.
Discuss this article in the O'Reilly Network Linux Forum.