Serious Problem with sendmail
08/27/2001
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a serious problem with sendmail; buffer overflows in HP-UX ftpd, UnixWare su, and AOLserver; and problems in procmail, phpSecurePages, HTTProtect, NetWin Authentication Module, Entrust GetAccess, Mathematica License Manager, HP JetDirect devices, SuSE sdb, Adobe Acrobat, Roxen Webserver, and SHOUTcast Server.
sendmail, a popular Mail Transfer Agent, has a locally-exploitable
vulnerability that can be used to execute commands as root. Exploit
scripts have been released that automate this exploitation.
The Sendmail Consortium recommends that all affected users upgrade to version 8.11.6 as soon as possible and then restart
Alerts this week:
The procmail mail handler does not handle signals properly. This
problem can only be exploited by a local attacker.
Users should upgrade to
procmail version 3.15.2 or 3.21 as soon as
phpSecurePages, a PHP-based tool used to password protect web pages, can be exploited by a remote attacker to execute arbitrary code with the permissions of the user running the Web server.
It is recommended that users upgrade phpSecurePages to a version newer than 1.0.5.
HTTProtect is designed to prevent unauthorized changes to files stored on an ext2 file system. A vulnerability has been found in HTTProtect that can be used under some circumstances to bypass its protections.
A patch for this vulnerability has been released by Omnisecure and users should install it as soon as possible.
There is a buffer overflow in the FTP daemon and client that was shipped with HP-UX versions 10.01, 10.10, 10.20, 11.00, and 11.11. The buffer overflow in the FTP daemon can be exploited to execute arbitrary code as the root user.
HP recommends that users apply the appropriate patch for their operating system as soon as possible.
The NetWin Authentication Module that handles authentication for SurgeFTP, DMail, and so forth uses a weak encryption scheme and has several buffer overflows.
The encryption scheme is vulnerable because it is possible to decrypt the passwords' hashes, and a password hash can be matched by more than one password. A script has been released that will generate passwords that will match a given hash value. It is not known if any of the buffer overflows can be exploited.
Users should watch NetWin for an updated version of the NetWin Authentication Module that corrects these problems.
The su command shipped with all versions of UnixWare 7 and version
8.0.0 of OpenUnix 8 is vulnerable to a buffer overflow that can be
exploited to gain root privileges.
Caldera recommends that affected users update their
su binaries as soon
Entrust GetAccess, a single sign-on system, has a vulnerability that under some circumstances can be used to execute arbitrary Java code on the GetAccess web server.
Users should watch Entrust for an update to GetAccess that fixes this vulnerability.
The Mathematica license manager is vulnerable to a trivial denial-of-service attack and can be spoofed so that it grants licenses to unauthorized machines.
A workaround for these problems is to block connections to port 16286 on the license machine from untrusted hosts.
On some HP JetDirect products, when the administration password is set using the Web interface, the password on the
interface will not be set.
Administrators of HP JetDirect devices should ensure that the
administration password is set both in the Web interface and in the
There is a problem in the Perl CGI script
of the SuSE
sdb package) that can be used by a local attacker to
execute arbitrary commands with the permissions of the user executing
the Web server. This has been reported to affect SuSE versions 6.0,
6.1, 6.2, 6.3, 6.4, 7.0, 7.1, and 7.2. SuSE 7.1 and 7.2 use Perl's
taint mode and are not currently thought to be exploitable.
SuSE recommends that all affected users upgrade their
Adobe Acrobat creates a file named
AdobeFnt.lst in the user's home directory
and then sets its permissions to group- and world-writable. This
problem has been reported for both the Linux and the Solaris versions
of Adobe Acrobat.
A possible workaround is to write a wrapper script to fix the permissions of the file. Users should watch Adobe for a fix for this problem.
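One way to write the wrapper script mentioned above, as an added example that is not from the original column or from Adobe. It assumes the reader binary is called acroread (override with ACROREAD_BIN) and that the script is installed under the hypothetical name acroread-safe; it refuses to chmod anything that is a symlink or not a regular file.

```shell
#!/bin/sh
# Added example (not from the column): wrapper for the workaround above.
# Assumptions: the reader binary is "acroread" unless ACROREAD_BIN says
# otherwise, and this script is installed under the name "acroread-safe".

FONT_LIST_NAME="AdobeFnt.lst"

# Remove group/world write permission from the font list in directory $1.
# Returns 0 if the file is absent or was fixed; returns 1 without changing
# anything if the path is a symlink or not a regular file.
fix_font_list() {
    f="$1/$FONT_LIST_NAME"
    [ -e "$f" ] || [ -L "$f" ] || return 0
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "not fixing $f: not a regular file" >&2
        return 1
    fi
    chmod go-w "$f"
}

# Fix the file left by an earlier run, start the reader, then fix again
# in case the reader has written the file with loose permissions.
run_reader() {
    fix_font_list "$HOME" || return 1
    status=0
    "${ACROREAD_BIN:-acroread}" "$@" || status=$?
    fix_font_list "$HOME" || status=1
    return "$status"
}

# Only launch when invoked under the wrapper's installed name.
case "${0##*/}" in
    acroread-safe) run_reader "$@" ;;
esac
```

The file remains writable by others while the reader is running; the wrapper only narrows the exposure to that window.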
The AOLserver Web server has a buffer overflow that can be used by a remote attacker to crash the server. It is not known if this buffer overflow can be exploited to execute arbitrary code. AOLserver versions 3.0 and 3.2 have been reported to be vulnerable to this attack.
Users of AOLserver should upgrade to version 3.3.1 or newer.
The Roxen WebServer has a vulnerability that can be used to retrieve any file on the Web server that is readable by the user running the Web server or, if the CGI-module is enabled, it can be used to execute any executable file on the Web server. This vulnerability has been reported to affect Roxen WebServer versions 2.0 to 2.0.92 and versions 2.1 to 2.1.264 on all OS platforms.
Roxen recommends that users apply the appropriate patches and restart the Web server.
SHOUTcast Server, a streaming audio server, can be crashed by a bad client request. This can be used as a denial-of-service attack against a SHOUTcast Server.
Users should watch Nullsoft for a patch for this problem.