Buffer Overflows Abound
02/11/2002
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in mutt, groff's grn, OpenServer's lpstat, and mIRC, and at problems in Plesk, OpenLDAP, mrtgconfig, dnrd, Perdition, DeleGate, BSCW, Oracle9iAS Web Cache, FreeBSD's AIO, and the in.timed daemon of UnixWare 7 and Open Unix.
- mutt
- Plesk
- OpenLDAP
- mrtgconfig
- dnrd
- Perdition
- DeleGate
- BSCW
- Oracle9iAS Web Cache
- groff grn
- FreeBSD AIO
- OpenServer lpstat
- UnixWare 7 and Open Unix timed
The email client mutt has a buffer overflow that can be exploited by a remote attacker to execute code with the permissions of the user running mutt. Users should watch their vendor for an updated mutt package that repairs this problem.
Plesk is a Web-based front end, written in PHP, for administering Unix-based Web servers. Versions of Plesk before 2.0 have a vulnerability that can allow an attacker to read the source of all of Plesk's PHP files and obtain the information they contain (such as passwords).
Plesk recommends that users upgrade to version 2.0 and turn off the UserDir directive in their Web server.
A problem in OpenLDAP can be used to make unauthorized changes to non-mandatory fields in the database. In OpenLDAP 2.0.8 and later, only authenticated users can exploit this problem; in versions earlier than 2.0.8, anonymous users can exploit it as well. OpenLDAP versions 1.2.x are not vulnerable.
It is recommended that users upgrade OpenLDAP to version 2.0.21 or newer.
mrtgconfig is a Web-based front end for the Multi Router Traffic Grapher (MRTG). MRTG monitors network traffic and creates HTML pages with the statistics. mrtgconfig has a path-disclosure vulnerability and can also be manipulated into displaying the first line of any file on the system that is readable by the user executing the Web server. Version 0.5.9 of mrtgconfig has been reported to be vulnerable to these problems.
Users should watch mrtgconfig's home page for a repaired version.
The proxy DNS daemon dnrd has a vulnerability that can be used to crash the server and, under some circumstances, may be exploitable to gain additional permissions.
Users should watch their vendor for an updated package.
Perdition, a mail-retrieval proxy server, is vulnerable to a format-string bug in the required library vanessa_logger. This vulnerability can be used by a remote attacker to execute arbitrary code on the server with the permissions of the user executing Perdition. Version 0.0.1 of the vanessa_logger library is reported to be vulnerable.
It is recommended that users disable Perdition until the library has been upgraded to version 0.0.2 or newer. It is also recommended that Perdition be executed using its --group option so that it runs with normal user permissions, which limits what a successful exploit can do.
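Format-string bugs of the kind reported in vanessa_logger arise when text the peer controls is handed to a printf-style function as the format argument instead of as data. The C program below is an added example written for this column; it is not vanessa_logger's or Perdition's code, and demo_log, log_login_vulnerable, log_login_fixed and count_conversions are hypothetical names. It puts the vulnerable call beside the fixed one and adds a small triage check that counts the directives a captured field would trigger.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style logging library such as
 * vanessa_logger.  Output goes to a buffer so the result can be inspected. */
static char log_buffer[256];

static void demo_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(log_buffer, sizeof log_buffer, fmt, ap);
    va_end(ap);
}

/* VULNERABLE: the username came from the network and is used as the
 * format string.  "%x" leaks stack words into the log; "%n" writes the
 * number of bytes emitted so far to an address the attacker can position
 * on the stack.  With enough control that is code execution as the user
 * running the proxy. */
const char *log_login_vulnerable(const char *username)
{
    demo_log(username);                        /* BUG: peer data as format */
    return log_buffer;
}

/* FIXED: the format is a constant; the untrusted text is an argument. */
const char *log_login_fixed(const char *username)
{
    demo_log("login attempt for user %s", username);
    return log_buffer;
}

/* Count the conversion specifications a printf-family function would act
 * on in s ("%%" is a literal percent sign and is skipped).  Handy for
 * triaging captured protocol data: anything above zero in a field that is
 * later logged needs the fixed form above. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;            /* skip the escaped percent */
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs: a benign username and one carrying directives. */
    const char *benign = "alice";
    const char *hostile = "%x%x%x%n";

    printf("fixed path:  %s\n", log_login_fixed(hostile));
    printf("directives:  %d\n", count_conversions(hostile));
    printf("vulnerable path with benign input: %s\n",
           log_login_vulnerable(benign));
    /* log_login_vulnerable(hostile) is deliberately not called: with no
     * arguments behind the directives its behaviour is undefined and it may
     * crash, which on a real server is the denial-of-service floor of the bug. */
    return 0;
}
```

The fixed path is the whole repair: every logging call takes a literal format and passes peer data through "%s". If the real library declares its logging function with gcc's format attribute, building with -Wformat-security flags the vulnerable call at compile time; the count_conversions() check is for the cases where the source is not available and only traffic or logs are.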
DeleGate is a multi-purpose application-level gateway, or proxy server. Versions 7.7.1 and 7.7.0 are vulnerable to a cross-site scripting vulnerability that can be used by an attacker to execute arbitrary scripts in the victim's browser.
Users should upgrade to DeleGate version 7.8.0.
BSCW (Basic Support for Cooperative Work), a Web-based groupware server, has two problems. Its default configuration allows anyone to register an account on the server, and unfiltered shell metacharacters can be used by an attacker to execute arbitrary commands on the server with the permissions of the user running the Web server.
It is recommended that users decide whether self-registration is acceptable and configure the system accordingly, and that they watch for a patch for the shell-metacharacter vulnerability.
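The BSCW shell-metacharacter problem is an instance of the general pattern of handing request data to a shell. The C program below is an added example, not BSCW's code; the mail-sending scenario, the function names, the deny-list and the allow-list are hypothetical. It contrasts a command line spliced together for system() with an argv passed straight to execv(), so that no shell ever parses the address.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Characters the shell interprets.  Any one of them in untrusted data
 * that reaches system() or popen() is a command injection. */
static const char SHELL_META[] = ";|&`$(){}[]<>*?!~'\"\\\n\r \t";

/* Deny-list check: useful for log triage, not as the only defence. */
int has_shell_metachar(const char *s)
{
    return strpbrk(s, SHELL_META) != NULL;
}

/* Allow-list check for the one field this example handles, a mail
 * address: letters, digits and "@.-_+", at most 254 bytes.  Reject
 * rather than try to escape. */
int is_safe_address(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 254)
        return 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (!isalnum((unsigned char)*p) && strchr("@.-_+", *p) == NULL)
            return 0;
    }
    return 1;
}

/* VULNERABLE: splices request data into a command line for system().
 * With addr = "alice@example.org; id" the shell runs both commands as the
 * Web server user.  Only builds the line (does not run it) so it can be
 * inspected. */
int build_mail_command_vulnerable(const char *addr, char *out, size_t n)
{
    return snprintf(out, n, "/usr/sbin/sendmail -i %s", addr);
}

/* FIXED: validate, then build an argv for execv() so no shell parses the
 * address.  Returns 0 on success, -1 when the address is rejected. */
int build_mail_argv_fixed(const char *addr, const char *av[4])
{
    if (!is_safe_address(addr))
        return -1;
    av[0] = "/usr/sbin/sendmail";
    av[1] = "-i";
    av[2] = addr;
    av[3] = NULL;
    return 0;
}

/* Run an argv directly (fork + execv, no shell).  Returns the child's exit
 * status, or -1 on error.  Not called below, so the example runs on a
 * machine without sendmail installed. */
int run_argv(const char *av[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(av[0], (char *const *)av);
        _exit(127);                    /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed request data: an honest address and an injection. */
    const char *good = "alice@example.org";
    const char *evil = "alice@example.org; id > /tmp/pwned";
    char cmd[256];
    const char *av[4];

    build_mail_command_vulnerable(evil, cmd, sizeof cmd);
    printf("vulnerable command line: %s\n", cmd);
    printf("metacharacters present:  %d\n", has_shell_metachar(evil));
    printf("fixed path rejects evil: %d\n", build_mail_argv_fixed(evil, av));
    if (build_mail_argv_fixed(good, av) == 0)
        printf("fixed path would execv:  %s %s %s\n", av[0], av[1], av[2]);
    return 0;
}
```

The allow-list is the part that matters: a deny-list of metacharacters is only as complete as the author's knowledge of the shell, and whatever survives it still reaches a parser that was never meant to see user input. Building an argv and calling execv() removes that parser from the path entirely.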
The Oracle9iAS Web Cache is vulnerable to an attack that can be used by a local attacker to overwrite files with the permissions of the Oracle user, gain access to the Oracle account, and obtain the password for the Web Cache administrator account.
Users should contact Oracle for a patch to repair this problem.
The grn preprocessor that is part of the groff system has a buffer overflow that may be exploitable to gain additional privileges.
Affected users should upgrade to a repaired version as soon as possible. If printing is not needed on the system, users should consider removing or disabling the printing system.
AIO is a POSIX standard for asynchronous I/O. Under some conditions, AIO under FreeBSD can be exploited to gain additional privileges. AIO is not enabled by default in the FreeBSD kernel.
The security requirements of the system should be considered before AIO is enabled on a FreeBSD machine.
The lpstat commands supplied with OpenServer versions 5.0.6a and earlier have a buffer overflow that can be used by a local attacker to gain additional privileges.
Caldera recommends that users upgrade the lpstat command as soon as possible or remove its set-group-ID bit, which takes away the privilege the overflow would otherwise gain.
The Windows IRC client mIRC has a buffer overflow that can be exploited by a specially crafted IRC server to execute arbitrary code on the user's machine. It is possible to create a Web page that, when viewed with Internet Explorer, will launch mIRC and connect it to the IRC server specified by the page, so the victim does not need to connect to the hostile server deliberately. This vulnerability affects all versions of mIRC prior to version 6.0.
Users with mIRC installed on their machine should remove it or upgrade it to version 6.0 as soon as possible.
The time daemon in.timed that is supplied with all versions of UnixWare 7 and with version 8.0.0 of Open Unix does not enforce NUL termination of strings. This may be exploitable as part of a denial-of-service attack.
Caldera recommends that affected users upgrade the in.timed binary or, if timed is not needed, disable it.
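The mutt, grn, lpstat and mIRC overflows and the in.timed termination bug are two faces of one mistake: copying peer-supplied bytes into a fixed buffer without checking the length, or checking the length but not guaranteeing a terminator. The C program below is an added example for this column, not code from any of those programs; struct peer_record, NAME_LEN and the function names are hypothetical. It shows both vulnerable copies and the checked copy that reports truncation and always terminates.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* A record filled from bytes a peer controls (an IRC server reply, a mail
 * header, a time-protocol packet).  admin sits right after name[], so an
 * overflow of name[] lands on it first. */
struct peer_record {
    char name[NAME_LEN];
    int  admin;
};

/* VULNERABLE (1), the mutt/grn/lpstat/mIRC class: strcpy() trusts the
 * peer's length and writes past name[] into admin and beyond. */
void set_name_strcpy(struct peer_record *r, const char *src)
{
    strcpy(r->name, src);
}

/* VULNERABLE (2), the in.timed class: the copy is bounded, but strncpy()
 * writes no terminator when src is NAME_LEN bytes or longer, so a later
 * strlen() or printf("%s") reads on into admin and whatever follows. */
void set_name_strncpy(struct peer_record *r, const char *src)
{
    strncpy(r->name, src, NAME_LEN);
}

/* FIXED: bounded scan, truncation reported, terminator always written.
 * Returns 0 if src fitted and -1 if it was truncated, so the caller can
 * reject the message rather than silently use a shortened name. */
int set_name_checked(struct peer_record *r, const char *src)
{
    size_t len = 0;
    while (len < NAME_LEN && src[len] != '\0')   /* never scan past NAME_LEN */
        len++;
    int truncated = (len == NAME_LEN);           /* no NUL within bounds */
    if (truncated)
        len = NAME_LEN - 1;
    memcpy(r->name, src, len);
    r->name[len] = '\0';
    return truncated ? -1 : 0;
}

/* Does name[] contain a terminator within its bounds? */
int name_is_terminated(const struct peer_record *r)
{
    return memchr(r->name, '\0', NAME_LEN) != NULL;
}

int main(void)
{
    struct peer_record r;
    /* Constructed peer input: exactly NAME_LEN bytes, leaving no room for a NUL. */
    const char *sixteen = "0123456789abcdef";

    memset(&r, 0, sizeof r);
    set_name_strncpy(&r, sixteen);
    printf("strncpy: terminated=%d\n", name_is_terminated(&r));

    memset(&r, 0, sizeof r);
    int rc = set_name_checked(&r, sixteen);
    printf("checked: rc=%d terminated=%d name=%s\n",
           rc, name_is_terminated(&r), r.name);

    /* set_name_strcpy() is only called with input that fits; with a longer
     * string it corrupts admin and the stack, which is exactly what the
     * advisories above describe. */
    set_name_strcpy(&r, "bob");
    printf("strcpy (fits): name=%s admin=%d\n", r.name, r.admin);
    return 0;
}
```

The return value of set_name_checked() is deliberate: silently truncating a peer-supplied field is how a protocol parser ends up accepting a message it should have dropped, and for a setgid or root daemon the right reaction to an over-long field is to reject the request, not to shorten it.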
Return to the Linux DevCenter.