More Telnet Daemon Vulnerabilities
08/13/2001
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in Linux telnet daemons, IBM AIX telnet daemons, the Kerberos 5 telnet daemon, Window Maker, and Solaris' xlock; temporary-file race conditions in AllCommerce and rcs2log; and vulnerabilities in ZyXEL Prestige 642R and 642R-I ADSL routers, fetchmail, UnixWare Package Tools, docview, and ColdFusion Server 5.
We reported last month that a buffer overflow in many BSD-derived telnet daemons may, under some circumstances, be exploitable by a remote attacker to gain root access. At that time, it was reported that the Linux telnet daemon was vulnerable in netkit versions before 0.14. This appears to be incorrect, and reports indicate that versions of netkit earlier than 0.17 are vulnerable. Distributions that have been reported to be vulnerable include: Debian 2.2 potato; Caldera OpenServer 5; and Red Hat 5.2, 6.2, 7.0, and 7.1.
In addition to the problems with the telnet daemons in these Linux distributions, IBM has announced that AIX 4.3.x and 5.1 are vulnerable to this problem and has released temporary fixes for the vulnerability.
Kerberos 5 has a potential overflow in the included telnet server. This overflow could be used by a remote attacker to execute arbitrary commands with the permissions of the root user.
It is recommended that affected users watch their vendor for a patch for this problem.
Alerts this week:
There is a temporary-file race condition attack against the version of AllCommerce distributed with EnGarde Secure Linux. This race condition can be used by a local user to overwrite files on the server with the permissions of the user account running the Web server. The AllCommerce package that was distributed with EnGarde Secure Linux had several debugging options turned on, and created temporary files in the /tmp directory with predictable names.
It is recommended that users of AllCommerce under EnGarde Secure Linux should upgrade to the most recent version of the package.
On ZyXEL Prestige 642R and 642R-I ADSL routers, the FTP, telnet, and administrative services are available on the WAN interface. It also has been reported that a scan of ZyXEL Prestige routers found that 45% have never had their factory default password changed. These two problems can be used by an attacker to change the router's firmware, change its configuration, and attack devices on the internal network.
It is recommended that all network devices have their default passwords changed, and that owners of ZyXEL Prestige 642R and 642R-I ADSL routers change their remote node filter so that it does not allow outside connections to its services.
groff, a front end for the groff document formatting system, is vulnerable to a format-string-based attack, in the pic command, that can be used to execute arbitrary code.
Users should upgrade groff to a repaired version.
The Window Maker window manager for X has a buffer overflow in the code that handles the window titles in the window list menu. Applications that set the window title using untrusted data may be usable by a remote attacker to execute arbitrary code on the local machine as the user running Window Maker.
It is recommended that users upgrade Window Maker as soon as possible.
The OpenLDAP slapd daemon will crash if it receives packets with an invalid BER length. This can be used by an attacker to deny access to the LDAP server.
It is recommended that users upgrade to OpenLDAP version 1.2.12 or 2.0.8, as appropriate for the branch they run.
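As an added illustration of what an "invalid BER length" looks like to a server, here is a small length decoder with the checks an LDAP front end must make before trusting the field. This is example code written for this column, not OpenLDAP's parser, and the enum names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Outcome codes for decode_ber_length(); hypothetical names. */
enum { BER_OK = 0, BER_TRUNCATED = -1, BER_INDEFINITE = -2,
       BER_OVERLONG = -3, BER_BODY_EXCEEDS_PACKET = -4 };

/* Decode the length field that follows a BER tag at buf[pos].  Each
 * rejected case is one an unchecked decoder turns into a read past the
 * packet: a length-of-length that runs off the end, the indefinite form
 * (0x80, not allowed in LDAP), more length octets than fit in 32 bits,
 * and a content length larger than the bytes actually received.
 * On BER_OK, *length and *consumed (octets used by the field) are set.
 * Added example code, not OpenLDAP's parser. */
int decode_ber_length(const uint8_t *buf, size_t len, size_t pos,
                      uint32_t *length, size_t *consumed)
{
    if (pos >= len) return BER_TRUNCATED;
    uint8_t first = buf[pos];
    if (first < 0x80) {                       /* short form: one octet */
        *length = first;
        *consumed = 1;
    } else {
        size_t n = first & 0x7f;              /* long form: n length octets */
        if (n == 0) return BER_INDEFINITE;
        if (n > sizeof(uint32_t)) return BER_OVERLONG;
        if (n > len - pos - 1) return BER_TRUNCATED;
        uint32_t v = 0;
        for (size_t i = 0; i < n; i++) v = (v << 8) | buf[pos + 1 + i];
        *length = v;
        *consumed = 1 + n;
    }
    /* The body must lie entirely inside what was received. */
    if (*length > len - pos - *consumed) return BER_BODY_EXCEEDS_PACKET;
    return BER_OK;
}

/* Constructed sample: an LDAP-style SEQUENCE (0x30) whose long-form
 * length 0x82 0x10 0x00 claims 4096 bytes while only 3 follow.
 * Returns the decoder's verdict for the length at offset 1. */
int check_sample_packet(void)
{
    static const uint8_t pkt[] = { 0x30, 0x82, 0x10, 0x00, 0x02, 0x01, 0x01 };
    uint32_t l;
    size_t c;
    return decode_ber_length(pkt, sizeof pkt, 1, &l, &c);
}
```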
The fetchmail IMAP and POP client has two remotely exploitable vulnerabilities. Both of these vulnerabilities require the attacker to be in control of, or impersonate, the mail server the user is attempting to download mail from.
Users should upgrade fetchmail to version 5.8.17 or newer as soon as possible.
The package management tools distributed with UnixWare 7 can be used to view /etc/shadow, possibly leading to a root compromise of the server.
Caldera recommends that users apply patch sr847997 as soon as possible.
The xlock distributed with Solaris OpenView has a buffer overflow that may be exploitable by a local user to gain root privileges. The buffer overflow is exploited by using the environment variables
Users should remove the set-user-id bit from xlock until a patch has been installed from Sun.
docview is a set of CGI scripts distributed with Caldera OpenLinux used to view system documentation via the Web. A failure to check an argument in one of docview's scripts can be exploited to execute arbitrary code with the permissions of the user running the Web server. Versions of OpenLinux that are vulnerable to this problem include OpenLinux Server 3.1 and OpenLinux Workstation 3.1.
Caldera recommends that users upgrade to the latest docview packages as soon as possible.
rcs2log, a utility that converts RCS logs into a ChangeLog file, has a temporary-file race condition that can be exploited by a local user to overwrite files with the permissions of the user executing rcs2log.
Users should watch their vendor for an update or patch for this problem.
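The AllCommerce and rcs2log problems above share one root cause: a temporary file at a predictable name under /tmp, created in a way that lets a file or symlink already sitting at that name be written through. The following added example (not code from either project; open_private_tmp is a hypothetical name) shows the repaired pattern, mkstemp() with the resulting descriptor verified by fstat().

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Private temporary file as a repaired rcs2log or AllCommerce would make
 * one: mkstemp() picks an unpredictable suffix and opens O_CREAT|O_EXCL,
 * so a file or symlink planted at a guessed name makes the call fail
 * instead of being followed; the open descriptor is then checked with
 * fstat() (stat() on the path would reintroduce the race).  Returns the
 * descriptor and copies the path into path_out, or -1 with errno set.
 * Added example code; open_private_tmp is a hypothetical name. */
int open_private_tmp(const char *prefix, char *path_out, size_t out_len)
{
    const char *dir = getenv("TMPDIR");
    char tmpl[4096]; struct stat st;
    if (strchr(prefix, '/') != NULL) { errno = EINVAL; return -1; }
    if (snprintf(tmpl, sizeof tmpl, "%s/%s.XXXXXX",
                 (dir && *dir) ? dir : "/tmp", prefix) >= (int)sizeof tmpl) {
        errno = ENAMETOOLONG; return -1;
    }
    mode_t old = umask(077);       /* 0600 regardless of the caller's umask */
    int fd = mkstemp(tmpl);
    umask(old);
    if (fd < 0) return -1;
    /* Reject anything that is not a plain, single-link file we own. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0 ||
        strlen(tmpl) >= out_len) {
        close(fd); unlink(tmpl); errno = EPERM; return -1;
    }
    strcpy(path_out, tmpl);
    return fd;
}

/* Create, write constructed sample content, confirm mode 0600, clean up.
 * Returns 1 on success, 0 on any failure. */
int demo_private_tmp(void)
{
    char path[4096]; struct stat st;
    const char msg[] = "constructed sample content\n";
    int fd = open_private_tmp("rcs2log", path, sizeof path);
    if (fd < 0) return 0;
    int ok = write(fd, msg, sizeof msg - 1) == (ssize_t)(sizeof msg - 1) &&
             fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600;
    close(fd); unlink(path);
    return ok;
}
```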
The ColdFusion Server 5 for Linux has a bug that can crash the server and dump ColdFusion's memory into a log directory, where it can be read by any local user. This bug can only be exploited by a user with permission to write ColdFusion code and place it on the server so that the Web server will cause it to be executed.
Users should watch Macromedia for a patch or an update for this problem.