Flaws in LIDS, CUPS, and Sawmill
02/19/2002
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a security vulnerability in LIDS; buffer overflows in CUPS, jgroff, Sun Solstice Enterprise Master Agent, and Ettercap; and problems in Sawmill, pforum, GNAT, Taylor UUCP, and IRIX O2 Video.
LIDS (the Linux Intrusion Detection System) is a Linux kernel patch and administration tool that enhances Linux kernel security by adding a reference monitor and Mandatory Access Control to the kernel. Several vulnerabilities in LIDS can be exploited by a local attacker to execute arbitrary commands with root permissions and to bypass or disable LIDS. They include problems with the LD_PRELOAD environment variable, direct writes to /dev/kmem, and a race condition affecting applications that are launched before LIDS is sealed.
The LIDS team recommends that 2.4-series kernel users upgrade to lids-1.1.1pre2-2.4.16.tar.gz and that 2.2 kernel users apply the patch
Sawmill, a Web server log file analysis and report generator, has a vulnerability that can be exploited by a local attacker to overwrite the Sawmill password file, replacing the Sawmill password with an arbitrary password. When Sawmill is first run and the user enters the initial password, the password file is created with world-writable permissions. Because the password is stored as an MD5 hash, any local user can compute the hash of a password of their own choosing and write it into the file.
It is recommended that users upgrade to Sawmill version 6.2.15 and change the permissions of the AdminPassword file to
CUPS, the Common Unix Printing System, has a potentially exploitable buffer overflow in the code that handles the names of attributes. It has been reported that this buffer overflow affects all versions of CUPS earlier than version 1.1.14.
Users should upgrade CUPS to version 1.1.14 or newer as soon as possible. If the printing system is not needed, they should consider removing it or turning it off.
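The column only says that the overflow is in the code that handles attribute names, so the example below is an added illustration of that class of bug, not CUPS's own code. It assumes the attribute is encoded the way IPP (RFC 2910) puts it on the wire, a one-byte value tag followed by a two-byte big-endian name length and the name, and it assumes a 128-byte fixed name buffer for illustration. The unchecked reader trusts the length from the network; the checked reader bounds it against both the packet and the buffer before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed name buffer. The column does not say how large the
 * real CUPS buffer was; 128 is an assumed value for illustration. */
#define NAME_BUF 128

enum { ATTR_OK = 0, ATTR_TRUNCATED = -1, ATTR_NAME_TOO_LONG = -2 };

/* Read a 16-bit big-endian integer (IPP uses network byte order). */
static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Unsafe pattern: the 16-bit name length comes straight from the wire and
 * is used as the memcpy size into a fixed buffer. A client that sends a
 * name length of 300 writes 172 bytes past the end of `name`. Shown only
 * for contrast; never call it on untrusted input. */
int read_attr_name_unchecked(const unsigned char *buf, size_t len, char name[NAME_BUF])
{
    if (len < 3)
        return ATTR_TRUNCATED;
    uint16_t nlen = rd16(buf + 1);
    memcpy(name, buf + 3, nlen);          /* no check against NAME_BUF */
    name[nlen] = '\0';
    return ATTR_OK;
}

/* Hardened version: the length is checked against what is actually in the
 * packet and against the destination buffer before anything is copied. */
int read_attr_name_checked(const unsigned char *buf, size_t len, char name[NAME_BUF])
{
    if (len < 3)
        return ATTR_TRUNCATED;
    uint16_t nlen = rd16(buf + 1);
    if ((size_t)nlen + 3 > len)
        return ATTR_TRUNCATED;            /* claims more bytes than were received */
    if (nlen >= NAME_BUF)
        return ATTR_NAME_TOO_LONG;        /* would not fit with the terminator */
    memcpy(name, buf + 3, nlen);
    name[nlen] = '\0';
    return ATTR_OK;
}

/* Constructed test input: one IPP attribute header (value tag 0x44 =
 * keyword, 2-byte name length) followed by a name made of 'A's. Returns
 * the number of bytes written, or 0 if it would not fit in `out`. */
size_t build_attr(unsigned char *out, size_t cap, uint16_t nlen)
{
    if ((size_t)nlen + 3 > cap)
        return 0;
    out[0] = 0x44;
    out[1] = (unsigned char)(nlen >> 8);
    out[2] = (unsigned char)(nlen & 0xff);
    memset(out + 3, 'A', nlen);
    return 3 + nlen;
}

/* Feed an attribute with an nlen-byte name to the checked parser. */
int parse_name_of_length(uint16_t nlen)
{
    unsigned char pkt[1024];
    char name[NAME_BUF];
    size_t n = build_attr(pkt, sizeof pkt, nlen);
    return read_attr_name_checked(pkt, n, name);
}

/* Header claims a 50-byte name but the packet is cut off after 23 bytes. */
int parse_truncated(void)
{
    unsigned char pkt[1024];
    char name[NAME_BUF];
    size_t n = build_attr(pkt, sizeof pkt, 50);
    return read_attr_name_checked(pkt, n - 30, name);
}

int main(void)
{
    printf("8-byte name:   %d\n", parse_name_of_length(8));     /* 0  */
    printf("300-byte name: %d\n", parse_name_of_length(300));   /* -2 */
    printf("truncated:     %d\n", parse_truncated());           /* -1 */
    return 0;
}
```

The two checks are independent: the first stops an attacker from making the parser read past the end of the received packet, the second stops the copy into the fixed buffer. Dropping either one reopens a hole.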
It is recommended that users watch their vendor for an update to repair this problem or download the latest stable version from the Faq-O-Matic Web site.
jgroff is a version of the groff document-formatting system that has been modified to support the Japanese character set. It has a buffer overflow that may be exploitable to execute arbitrary code with the permissions of the printing system.
Affected users should upgrade to a repaired version as soon as possible or replace jgroff with a version of groff that supports Japanese
pforum, a Web-based bulletin board system written using PHP and MySQL, does not properly check all user input under some circumstances. If the Web server does not have Magic Quotes (PHP's magic_quotes_gpc setting) enabled, this problem can be exploited to log in to pforum as the administrator or another user.
Users should ensure that the Web server on which pforum is installed has Magic Quotes enabled in the php.ini file. It has been reported that a patch is available for users who do not have the ability to change the php.ini file on their Web server. Note that Magic Quotes only escapes quote characters in incoming request data; it is a stopgap, and the patch that validates the input in pforum itself is the real fix.
A buffer overflow in the Sun Solstice Enterprise Master Agent may be exploitable by a remote attacker to execute arbitrary code with
Affected users should obtain and apply the appropriate patch for their system. Sun has released patches for Solaris 2.6, 7, and 8 (SPARC and x86).
Executables created with GNAT (the GNU Ada compiler) that use the facility to create named temporary files are vulnerable to temporary-file symbolic-link race condition attacks by a local attacker. Versions 3.12p, 3.13po, and 3.14p are known to be affected.
Users should watch for an update that repairs this vulnerability.
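The column names the bug class (a temporary-file symbolic-link race) without showing it, so the following is an added example written for this column, not GNAT's code. It assumes a program that creates its temporary file at a name an attacker can predict, and it stages the attack inside a private directory: a symlink is planted at the predictable name before the file is created. The racy open (O_CREAT without O_EXCL) follows the link and truncates the victim file; the O_EXCL open refuses it with EEXIST; mkstemp() avoids the problem entirely by choosing an unpredictable name and doing the exclusive create itself. The victim file contents and path names are constructed for the demo.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Bits returned by demo_symlink_race(). */
#define RACY_CLOBBERED  1   /* the racy open overwrote the victim file   */
#define EXCL_REFUSED    2   /* the O_EXCL open refused the planted link  */

/* Racy pattern: the program has chosen a predictable temp-file name and
 * creates it with O_CREAT but without O_EXCL. If an attacker has already
 * planted a symlink at that name, open() follows the link and truncates
 * (then writes) whatever the link points to, with the program's privileges. */
int open_temp_racy(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Fixed pattern: with O_EXCL, open() fails with EEXIST if anything already
 * exists at the path, and it never follows a symlink found there. */
int open_temp_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Runs the attack against both patterns inside a private directory.
 * Returns a bitmask of RACY_CLOBBERED | EXCL_REFUSED, or -1 if setup
 * failed. Everything created is removed before returning. */
int demo_symlink_race(void)
{
    char dir[64], victim[512], link[512], tmpl[512];
    const char secret[] = "important data\n";     /* constructed victim content */
    struct stat st;
    int fd, result = -1;

    strcpy(dir, "/tmp/tmprace.XXXXXX");
    if (mkdtemp(dir) == NULL) {                   /* fall back to the cwd */
        strcpy(dir, "tmprace.XXXXXX");
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/predictable.tmp", dir); /* guessable name */
    snprintf(tmpl, sizeof tmpl, "%s/safe.XXXXXX", dir);

    /* The file the attacker wants overwritten. */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto out;
    if (write(fd, secret, sizeof secret - 1) < 0) {
        close(fd);
        goto out;
    }
    close(fd);

    /* Attacker wins the race: the link is in place before the temp file exists. */
    if (symlink(victim, link) != 0)
        goto out;

    result = 0;
    fd = open_temp_racy(link);
    if (fd >= 0) {
        if (write(fd, "x", 1) < 0) { /* best effort; size check below decides */ }
        close(fd);
    }
    if (stat(victim, &st) == 0 && st.st_size != (off_t)(sizeof secret - 1))
        result |= RACY_CLOBBERED;

    fd = open_temp_exclusive(link);
    if (fd < 0 && errno == EEXIST)
        result |= EXCL_REFUSED;
    if (fd >= 0)
        close(fd);

    /* Preferred fix: mkstemp() picks an unpredictable name and does the
     * O_EXCL creation itself, so there is no name to plant a link at. */
    fd = mkstemp(tmpl);
    if (fd < 0)
        result = -1;
    else {
        close(fd);
        unlink(tmpl);
    }
out:
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_symlink_race();
    if (r < 0) {
        perror("setup");
        return 1;
    }
    printf("racy open overwrote victim: %s\n", (r & RACY_CLOBBERED) ? "yes" : "no"); /* yes */
    printf("O_EXCL open refused link:   %s\n", (r & EXCL_REFUSED) ? "yes" : "no");   /* yes */
    return 0;
}
```

The same reasoning applies to any language's temporary-file API, GNAT's included: a name that is chosen before the file is created, and a create that is willing to follow an existing path, is a race the local attacker can win by looping over symlink creation.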
A flaw in Taylor UUCP can be used by an attacker to write arbitrary files to any location to which UUCP can write. On some systems, this may be usable to gain root access.
It is recommended that users watch for a patch or an upgrade to repair this flaw, and that if the UUCP system is not needed, it be removed or disabled.
The Ettercap network sniffer package has a bug that, under some conditions, can be exploited by a remote attacker to execute arbitrary code with root permissions. An exploit script has been created that will allow a remote root login if Ettercap is listening on an interface with an MTU larger than 2000. On interfaces with MTUs smaller than 2000, Ettercap can be crashed with a carefully crafted packet.
Users should not use Ettercap to listen on an interface with an MTU of 2000 or larger until they have upgraded Ettercap to a repaired version.
On all SGI O2 systems, a remote attacker can view the system's screen, even when the xauth configuration would normally provide protection. If the vcp default input is configured to "Output Video," the remote attacker can execute videoin and will see the
SGI recommends that all affected users watch for a patch and add the following to

    #
    # Set the permissions of /dev/mvp so only
    # the console user has access
    #
    if [ -r /dev/mvp ]; then
        chown $USER /dev/mvp
        chmod 600 /dev/mvp
    fi

and add the following to

    #
    # Reset the permissions on /dev/mvp
    #
    if [ -r /dev/mvp ]; then
        chown root /dev/mvp
        chmod 666 /dev/mvp
    fi