oreilly.comSafari Books Online.Conferences.


Security Alerts

ProFTPD's DoS Problem and Slash's Weak Link


Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at several problems with ProFTPD; a Trojan Horse application disguised as an exploit; buffer overflows in the glibc library, dtspcd, wmcube-gdk, and Mandrake Linux's Kerberos telnet; and problems in Slash, IBM Websphere, popauth, Aftpd, TWIG,, and the Cisco SN 5420 Storage Router.


The ProFTPD FTP daemon is vulnerable to a denial-of-service attack and a problem in resolving some host names properly. The denial-of-service attack can be used by a remote attacker to cause ProFTPD to consume all of the CPU and memory on the server. The resolution problem is caused by ProFTPD not properly forward-resolving reverse-resolved host names, and could be used by an attacker to get around ProFTPD access control lists or to log incorrect host names.

Users should consider upgrading ProFTPD to version 1.2.5rc1 or newer.


The globbing functions in the glibc library have a buffer overflow that under some circumstances may be exploitable. The globbing functions are used to match for patterns according to a set of rules.

Users should contact their vendor for an updated glibc for their system.


Slash, software that is used for many Web sites (including Slashdot), has a vulnerability that can be exploited to gain access to any account, including those of administrators. Versions of Slash that are vulnerable include 2.1.x, 2.2.0, 2.2.1, 2.2.2, and some versions available through CVS. Slash versions 2.0.x and earlier are not vulnerable.

It is recommended that affected users upgrade to Slash version 2.2.3 or the latest CVS version as soon as possible and disable and until the upgrade has been made. Once Slash has been upgraded, users should check their users seclev field to insure that no unauthorized user has a value equal to or greater than 100, and should change their passwords.

IBM Websphere

In a default Websphere installation, a local attacker can create a custom Java application that, when executed using Websphere, can retrieve the user id and password used by Websphere, granting the attacker increased privileges. As the default installation of Websphere executes with root permissions, it is possible that the attacker can leverage the increased privileges into root access to the server.

Users should consider running Websphere as a non-privileged user and should restrict access to only trusted users.


The popauth utility that is distributed with the Qpopper package has a vulnerability that can be exploited to execute arbitrary code with the permissions of the user it is installed to run as (usually the pop user).

Users should remove the set user id bit from popauth until it has been repaired.


Sun has released patches that repair a buffer overflow in the CDE Subprocess Control Service Server dtspcd. The patches have been released for Solaris 8, 7, 2.6, and 2.5.1, 5.8, 5.7, 5.6, and 5.5.1. It is recommended that the patches be applied as soon as possible.

The Trojan Exploit

Michal Zalewski reported that a file that claimed to be a exploit to a bug in dcron, written by Michal and Rafal Wojtczuk, was actually a Trojan Horse that mails the system password file to an email address and creates a set user id copy of bash in /tmp. This is a very good reminder of the dangers of running an exploit obtained from an untrusted source.


The wmcube-gdk application has a buffer overflow that can be exploited to execute arbitrary code with the permissions of the kmem group. Access to the kmem group may be leveraged into root access.

Users should remove wmcube-gdk or take away its set group id bit until it has been patched.

Mandrake Kerberos

Mandrake has released an update to its Kerberos packages for Mandrake Linux 8.1 that fixes a buffer overflow in the telnet package. This buffer overflow can be exploited by a local attacker to gain root access.

Mandrake recommends that affected users upgrade to the new packages as soon as possible.


The FTP Daemon Aftpd has a bug that can be locally exploited to obtain a core file containing encrypted passwords. These passwords then can be fed into a password cracker in an attempt to obtain access to additional accounts.

Users of Aftpd should disable it until it has been repaired and should consider using a more actively-developed server.


The default installation of the Web-based application server TWIG stores passwords in the user's cookie as raw URL-encoded data. This URL-encoded data can be decoded and the login name and password recovered as plain text very easily.

The file /config/config.php should be edited and the line:

$config["security"] = "basic";

should be changed to read

$config["security"] = "advanced";

In addition, the line:

$config["login_handler"] = "cookie";

should be changed to read

$config["login_handler"] = "securecookie.php4session";, a script written in PERL that PGP-encrypts data submitted via a Web page and emails it, has several flaws that can be used to execute arbitrary commands on the server with the permissions of the user executing the Web server.

It is recommended that users disable the script until a patch is available.

Cisco SN 5420 Storage Router

The Cisco SN 5420 Storage Router has two vulnerabilities that can be used in a denial-of-service attack and a vulnerability that can be exploited to gain access to the device's configuration. Software releases through version 1.1(5) are vulnerable.

Cisco recommends that users upgrade to software version 1.1(7).

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to the Linux DevCenter.

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: