oreilly.comSafari Books Online.Conferences.


Vulnerability in login

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a problem in SysV-derived login programs; buffer overflows in frox, OpenServer getty, and Load Sharing Facility; and problems in script, Cisco Secure Integrated Software, JRun Java Application Server, Mandrake Linux's Apache, HP-UX's rlpdaemon, ATPhttpd, and Unix Manual.


Some versions of the login program have a vulnerability that can be used by a remote attacker to execute arbitrary commands as the root user. Systems reported to be vulnerable include Sun Solaris (versions 8 and earlier) and OpenServer (version 5.0.6a and earlier). It is not known if other SysV-based login programs are vulnerable. The problem is caused by login not properly handling long environmental variables passed to it by daemons such as in.telnetd and in.rlogind.

Both Sun and Caldera have released updated login packages and affected users should upgrade to the appropriate package as soon as possible.


The script utility is used to record a log of an interactive shell session. It has a vulnerability that can be exploited to overwrite arbitrary files on the system with the permissions of the user executing script. The script utility uses typescript as its default output file and does not check for a hard link before writing the file.

Users of script should upgrade to the latest version and avoid executing it in directories to which other users can write.

Cisco Secure Integrated Software

Cisco Secure Integrated Software, also known as the IOS Firewall Feature set and as the Context Based Access Control, has a bug that can, under some circumstances, allow traffic that should have been denied by the dynamic access control lists to pass through the firewall. Only systems that implement CBAC are vulnerable to this bug. Cisco has reported that the affected router models are: 800, 820, 950, 1400, 1600, 1700, 2500, 2600, 3600, 4000 Gateway, 4224, 7100, 7200, 7400, 7500, SOHO 70, ubr900, and ICS7750. Also affected are Catalyst 5000 and 6000 devices, if the are running Cisco IOS.

Cisco recommends that affected users upgrade their Cisco IOS software to the appropriate release level.

JRun Java Application Server

The JRun Java application server has a vulnerability that can be used by an attacker to view the source code of Java Server pages and other files. This vulnerability has been reported to affect versions 2.3.3, 3.0, and 3.1 of the JRun Java application server.

Users of JRun should disable the SSI support in the Web server and should watch Allaire for a patch to fix this vulnerability.

New Mandrake Linux Apache Package

The Apache Web server has a vulnerability that can be used by a remote attacker to bypass directory index restrictions, and a problem in the Perl-proxy management software that could be used to gather information about the system.

New packages for Mandrake Linux have been released, and it is recommended that all users of Apache upgrade as soon as possible.

HP-UX rlpdaemon

The set user id root rlpdaemon printer daemon distributed with HP-UX has a problem that can be exploited by a local attacker to create or append to any file. An attacker can use this problem to create a file that can be leveraged into root access. It has been reported that versions 10.20 and 11.00 of HP-UX are affected by this problem. It is not required that printers be configured for this problem to be exploited.

Users should contact HP for a fix for this problem, and should consider disabling the printer subsystem if it is not being used.


ATPhttpd is a small caching Web server designed for serving a large amount of static content. It is vulnerable to a denial-of-service attack using a very long URL.

Users should watch ATPhttpd's Web site for an updated version.

Unix Manual

The PHP script Unix Manual allows the viewing of Unix man pages with a Web browser. The script does not filter for unsafe characters, and can be exploited by a remote attacker to execute arbitrary shell commands with the permissions of the user executing the Web server.

Users of this script should disable it until it has been modified to filter out shell meta-characters.


Related Reading

Running LinuxRunning Linux
By Matt Welsh, Matthias Kalle Dalheimer & Lar Kaufman
Table of Contents
Sample Chapters
Full Description
Read Online -- Safari

frox, a transparent FTP proxy, has a buffer overflow that can under some circumstances be exploited remotely to execute arbitrary code with the permissions of the user running frox. The exploit requires that the FTP server return a long string in reply to the client's MDTM request.

It is recommended that users upgrade to version 0.6.7 or newer as soon as possible.

OpenServer getty

The getty program distributed with OpenServer 5.0.6a and earlier is vulnerable to a buffer overflow that can be used by a remote attacker to gain root access to the server.

Caldera recommends that users upgrade their getty program to a repaired version.

Load Sharing Facility

Load Sharing Facility is a set of utilities that are used to share, monitor, and analyze work across multiple computers. Load Sharing Facility has several problems that can be used to read any file on the system, and several buffer overflows in set user id root executables that can be used to execute arbitrary code with root permissions.

Platform has released a patch for Load Sharing Facility version 4.2 on all major platforms, and is working on patches for other versions and platforms. Users should contact Platform for details and help with configuration changes that may fix many of the vulnerabilities.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to the Linux DevCenter.

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: