Security Alerts

Vulnerabilities in sendmail, speechd, and OpenServer vi

10/08/2001

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a vulnerability in sendmail; buffer overflows in Solaris's Yellow Pages (NIS) password server, dtterm, and AIX's lpd; and problems in CDE ToolTalk, OpenUnix 8's xlock, speechd, FreeBSD's login, the BSAFE SSL-J Software Developer Kit, Hushmail.com, OpenServer's vi, and FreeBSD's OpenSSH.

sendmail

sendmail, a commonly used mail server, has been reported to have several locally exploitable vulnerabilities. A local attacker can use them to destroy information, read information they are not authorized to see, and execute arbitrary code with the permissions of the user running the mail server.

It is recommended that users upgrade to version 8.12.1 of sendmail as soon as possible.

CDE ToolTalk

The CDE (Common Desktop Environment) ToolTalk RPC database service is a message-brokering system that allows CDE applications to communicate across hosts and platforms. The ToolTalk RPC database server, rpc.ttdbserverd, has a format-string vulnerability that can be exploited to run arbitrary code as root. Vulnerable systems include UnixWare, OpenLinux, AIX, HP-UX, and Solaris.

Affected users should check with their vendor for a patch for this problem. Vendors that have announced a patch include Compaq Computer, Hewlett-Packard, IBM, The Open Group, and Sun.
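The bug class behind the rpc.ttdbserverd advisory, as an added example that is not the ToolTalk code: a string the attacker controls is handed to a printf-family function as the format argument, so directives such as %x, %s and %n in that string are interpreted by the C library instead of being treated as data. The function names and the input string here are constructed for the demonstration; the fix shown (a literal format with the untrusted text passed as an argument) is the standard one.

```c
/* Added example, not code from rpc.ttdbserverd: the format-string bug class
 * and its fix. Function names and inputs are constructed for the demo. */
#include <stdio.h>
#include <string.h>

/* Vulnerable: the untrusted text *is* the format string. Compilers warn
 * about exactly this (-Wformat-security); the pragmas keep the demo
 * compiling so the behaviour can be observed. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_unsafe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, untrusted);
}
#pragma GCC diagnostic pop

/* Fixed: literal format, the untrusted text becomes a plain argument and
 * any '%' it contains is copied through unchanged. */
int log_safe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s", untrusted);
}

/* Cheap audit helper: does this string carry a format directive at all?
 * Useful for flagging suspicious input in logs; not a substitute for the
 * literal-format fix above. */
int contains_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    char buf[128];
    /* Constructed input: "%%" is the only directive that is safe to pass
     * without arguments. "%x" would leak stack contents and "%n" would
     * write to memory through the same path. */
    const char *attacker = "50%% done";
    log_unsafe(buf, sizeof buf, attacker);
    printf("unsafe: %s   (directive consumed)\n", buf);
    log_safe(buf, sizeof buf, attacker);
    printf("safe:   %s  (copied verbatim)\n", buf);
    return 0;
}
```

The visible symptom is small (one "%" disappears), but it proves the library parsed the attacker's string as a format; with "%n" in place of "%%" the same code path writes attacker-chosen values into memory, which is how a format-string bug becomes code execution as the daemon's user.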

Solaris Yellow Pages

The Solaris Yellow Pages (also known as NIS) password server rpc.yppasswdd has a buffer overflow that can be exploited by a remote attacker to gain root permissions. Solaris 2.6, 7, and 8 have been reported to be vulnerable to this buffer overflow if they are running the rpc.yppasswdd daemon. A script that automates exploitation of this vulnerability has been released. Symptoms of a possible attack include rpc.yppasswdd no longer running (the attack crashes the process) and the presence of an additional running inetd process.

A workaround for this vulnerability is to stop the rpc.yppasswdd server. Doing so prevents Yellow Pages users from changing their passwords. It is recommended that affected users apply the appropriate patch to their system.

dtterm

The terminal application dtterm has a buffer overflow that on some platforms can be exploited by a local attacker to gain root access. It has been reported that the buffer overflow is exploitable under OpenUnix 8, UnixWare, Tru64 5.1, and HP-UX.

It is suggested that the setuid bit be removed from the dtterm binary until a patch has been installed that fixes this buffer overflow.

OpenUnix 8 xlock

The xlock application distributed with OpenUnix 8 has been reported to have a vulnerability that can be exploited to execute commands with root permissions.

Users of OpenUnix 8 should watch Caldera for a patch for this problem.

AIX lpd

There are three buffer overflows in the line printer daemon lpd distributed with AIX versions 4.3 and 5.1 (and possibly earlier versions) that can be used by a remote attacker to gain root permissions. Exploiting two of the buffer overflows requires that the attacker's machine be listed in /etc/hosts.lpd or /etc/hosts.equiv. To exploit the remaining buffer overflow, the attacker must control the DNS server that the target machine uses.

IBM recommends that users upgrade AIX 4.3 with patch APAR #IY23037 and AIX 5.1 with patch APAR #IY23041 as soon as they become available. Versions of AIX earlier than 4.3 are no longer supported by IBM, and no patches for these operating systems will be released.

speechd

The speechd daemon implements a device named /dev/speech that will convert any text written to it into speech. Versions 0.54 and earlier have a vulnerability that can be exploited to execute arbitrary code with root permissions.

It is recommended that users upgrade to version 0.55 or newer as soon as possible.

FreeBSD login Problem

The FreeBSD login application can be abused by any local user to read arbitrary files on the system as root. The cause is that login checks for the nologin file while it is still running with superuser permissions, so the file it reads is opened as root rather than as the user logging in.

This problem is reported to be corrected in the current CVS version. Users can upgrade login to this version or watch for an official patch.

BSAFE SSL-J Software Developer Kit

It has been reported that there is a security vulnerability in the BSAFE SSL-J Software Developer Kit released by RSA Security that can be used by a remote attacker to bypass client authentication by using a false client certificate. This vulnerability has been reported to affect version 2.0 of Cisco's iCDN (Internet Content Distribution Network).

Cisco recommends that users of iCDN upgrade to version 2.0.1. Users of the BSAFE SSL-J Software Developer Kit should contact RSA Security for a repaired version.

Hushmail.com

Hushmail.com is a Web-based email service. A vulnerability was announced in the Hushmail.com software that could be used by an attacker to cause the recipient's browser to execute attacker-supplied JavaScript or VBScript when the recipient reads a message.

This problem was repaired quickly by Hushmail.com. They described it as a straightforward bug: a portion of their code inserted user-supplied text into HTML without passing it through htmlspecialchars() first.

OpenServer vi

The vi editor included in all versions of OpenServer is vulnerable to a symbolic link race condition attack against its temporary files: a local attacker who can predict the temporary file's name can place a symbolic link at that path before vi creates the file, so that vi writes through the link. This can be used to write arbitrary files with the permissions of the user running vi.

Caldera recommends that all users of OpenServer upgrade their vi editor as soon as possible.
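The temporary-file symlink race described above, as an added example that is not OpenServer's vi code. It stages the attack in a scratch directory (paths and contents are constructed for the demo), shows the vulnerable open() pattern writing through a planted symlink, and shows the O_EXCL|O_NOFOLLOW pattern refusing to do so. The function names are invented for the example.

```c
/* Added example, not code from OpenServer's vi: a predictable temporary
 * file name plus a planted symlink lets an attacker redirect a write, and
 * the O_EXCL|O_NOFOLLOW discipline defeats it. Paths are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern: a guessable name, and O_CREAT without O_EXCL, so
 * whatever already sits at that path (an attacker's symlink) is followed. */
int write_temp_unsafe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened pattern: O_EXCL refuses to reuse an existing path and O_NOFOLLOW
 * refuses to traverse a symlink. Real code also needs an unpredictable name
 * (mkstemp) in a directory only the user can write to. */
int write_temp_safe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;              /* errno is EEXIST when the path was planted */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

static int read_file(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Stages the race in a fresh directory: a victim file the attacker wants
 * overwritten, and a symlink planted at the predictable temp-file path.
 * Returns 1 if the unsafe write clobbered the victim, 0 if it did not, -1
 * on setup failure; *safe_refused is set to 1 if the hardened open declined. */
int demo_symlink_race(int *safe_refused)
{
    char dir[] = "/tmp/racedemoXXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char victim[256], tmp[256], got[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/vi.tmp", dir);     /* the predictable name */
    if (write_temp_safe(victim, "original\n") != 0) return -1;
    if (symlink(victim, tmp) != 0) return -1;         /* attacker plants the link */

    int clobbered = write_temp_unsafe(tmp, "overwritten\n") == 0
                 && read_file(victim, got, sizeof got) == 0
                 && strcmp(got, "overwritten\n") == 0;
    *safe_refused = write_temp_safe(tmp, "x\n") < 0
                 && (errno == EEXIST || errno == ELOOP);

    unlink(tmp); unlink(victim); rmdir(dir);
    return clobbered;
}

int main(void)
{
    int refused = 0;
    int clobbered = demo_symlink_race(&refused);
    printf("unsafe open wrote through the symlink: %s\n", clobbered == 1 ? "yes" : "no");
    printf("hardened open refused the planted path: %s\n", refused ? "yes" : "no");
    return 0;
}
```

When the editor runs as an ordinary user the damage is limited to files that user can write; the reason the advisory matters is that the same race, against a setuid program or against root editing a file, writes with root's permissions.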

FreeBSD OpenSSH

OpenSSH on FreeBSD machines can be used by a local attacker to read any file on the system with root privileges. The problem is that sshd processes the login class capability database (login.conf) and the files it references before dropping privileges, so those files are opened as root rather than as the user.

Affected users should watch FreeBSD for a patch to fix this problem.
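Both FreeBSD items in this column (the login nologin check and sshd's handling of login.conf) are instances of one mistake: touching a path the user can influence while still root. The added example below is not FreeBSD's code; it shows the two standard remedies, a permanent drop of privileges that verifies root cannot be regained, and a temporary effective-ID switch for a daemon that must return to root afterwards, so that the kernel rather than the program decides what the user may read. Function names are invented for the example, and the temporary switch relies on the saved set-user-ID that a setuid-root process keeps across seteuid(). Run as root to see the real effect; as an ordinary user the switches are no-ops, but every check is still exercised.

```c
/* Added example, not code from FreeBSD's login or OpenSSH: drop privileges
 * before reading user-influenced files. Function names are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanent drop (what a login program should do before per-user checks):
 * supplementary groups first, then gid, then uid, then prove it stuck.
 * Returns 0 on success, -1 if any step failed or root can be regained. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* drop did not take */
    return 0;
}

/* Temporary switch (what a daemon that must stay root can do): open the
 * file with the user's effective IDs so the kernel enforces the user's
 * access rights, then switch back. Returns the fd or -1 (errno preserved). */
int open_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    if (setegid(gid) != 0) return -1;
    if (seteuid(uid) != 0) { setegid(saved_egid); return -1; }

    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    int saved_errno = errno;

    /* Restore uid first: only a root effective uid may set an arbitrary gid. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

int main(void)
{
    /* Constructed scenario: pretend the current user is the one logging in
     * and read a world-readable file as that user, not as root. */
    int fd = open_as_user("/dev/null", getuid(), getgid());
    printf("open_as_user(/dev/null): %s\n", fd >= 0 ? "ok" : strerror(errno));
    if (fd >= 0) close(fd);

    if (drop_privileges_permanently(getuid(), getgid()) == 0)
        printf("privileges dropped to uid %u; nologin-style checks are now safe\n",
               (unsigned)getuid());
    else
        printf("privilege drop failed: %s\n", strerror(errno));
    return 0;
}
```

The order in drop_privileges_permanently matters: setgroups() and setgid() must run while still root, and the trailing setuid(0) probe catches platforms where setuid() only changed the effective ID. For the daemon case, O_NOFOLLOW additionally stops a user from pointing a file sshd reads at a symlink into a root-only location.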

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

