oreilly.comSafari Books Online.Conferences.


Security Alerts Trojaned Networking Tools

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at trojaned networking tools; a new version of OpenSSH; buffer overflows in fetchmail, mnews, Debian Solaris Netstd, Informix, and BannerWheel; and problems in dhcpd, Sendmail, Solaris' rwalld, and FreeBSD's rc.


fetchmail, a very useful email retrieval and forwarding client, is vulnerable to a buffer overflow. This buffer overflow is reported to affect versions of fetchmail before 5.9.10.

Users should upgrade fetchmail to version 5.9.10 or newer as soon as possible. Red Hat and Mandrake have announced updated packages that repair this problem.

Trojaned Networking Tools

On May 17th, 2002, the dsniff-2.3, fragroute-1.2, and fragrouter-1.6 tar files on were replaced with versions that included trojan back door code. This was discovered and the system was restored a week later. has taken steps to increase their security and has installed OpenBSD-current.

Anyone who downloaded one of these packages during this time period should disable the package, if it was installed, and replace it with a new version. It is also recommended that anyone running a version that was downloaded during this time period check their system carefully for any sign that their system has been cracked.


dhcpd, a daemon that provides Dynamic Host Configuration Protocol (DHCP) support, is vulnerable to a format-string-based attack that can be used by a remote attacker to execute commands with the permissions of the user running dhcpd (often root). The format string vulnerability is in the portion of the code that deals with the DNS update feature. Under SuSE Linux, dhcpd is not installed in the default installation, but if installed will execute as root. Under Mandrake Linux, the daemon runs as root except under version 8.x, where it runs as the dhcp user.

Affected users should upgrade to the latest dhcpd package as soon as possible. Users can disable the DNS update feature in dhcpd by adding the following lines to the dhcpd configuration file:

ddns-update-style none;
ddns-updates off;

Mandrake and SuSE have released updated DHCP packages.

OpenSSH 3.2.3

OpenSSH version 3.2.3 has been released. This version corrects a problem on OpenBSD and BSD/OS systems using Yellow Pages that can, under some conditions, result in the database entry of a different user being used during authentication. This problem could cause a user that has been denied access to be allowed to log in, and an authorized user to not be allowed to log in. Also fixed in this release are problems with login/ttys under Solaris and build problems on Sygwin systems.


Sendmail is vulnerable to a denial-of-service attack using a problem in flock() or fcntl() file locking. This vulnerability can be exploited in a denial-of-service attack by a local user who opens and locks certain files used by Sendmail. The user that is locking a file and causing a denial-of-service attack can be determined by using a tool such as lsof. Files that can be used in a denial-of-service attack against Sendmail include: aliases, maps, statistics, and the pid file.

Users can protect their Sendmail installation by modifying file permissions so that users on the system can not open the affected files.

Solaris rwalld

The rwalld daemon that is distributed with Solaris is vulnerable to a format string attack that may, under some conditions, be exploited by a remote attacker to execute code with the permissions of the user running rwalld. This vulnerability has been reported to affect Solaris versions 2.5.1, 2.6, 7, and 8.

Related Reading

SSH, The Secure Shell: The Definitive Guide
By Daniel J. Barrett, Richard E. Silverman

It is recommended that users apply the patch available from Sun and consider disabling rwalld if it is not needed.


mnews, an email and news client, is vulnerable to buffer overflows and can be exploited by a local (or, in some cases, remote) user to execute arbitrary code (often as group mail). This vulnerability is reported to affect version 1.22.

Users should consider disabling mnews until it is repaired.

FreeBSD rc

The FreeBSD startup script rc does not safely handle file globbing. This can be exploited, under some conditions, by a local attacker to remove arbitrary files during a system startup.

Users should upgrade to FreeBSD 4.5-STABLE, security branches, or remove the line rm -f /tmp/.X*-lock /tmp/.X11-unix/* from /etc/rc.

Debian Netstd

Netstd is a legacy set of network daemons and applications that has in the past been distributed with Debian Linux. It has been reported that there are buffer overflows in several applications in Netstd that can be exploited by a remote attacker who controls a name server. This package was distributed as part of the Debian Potato release, but is reported to not be distributed with the Woody release.

Users should consider removing the Netstd package.

Solaris rarpd

rarpd is a reverse arp utility. The Solaris version of rarpd is reported to be vulnerable to three remotely-exploitable buffer overflows and two format string vulnerabilities.

Users should watch for an update that repairs these vulnerabilities. They should also consider disabling or uninstalling rarpd until it has been repaired.


BannerWheel, a random banner ad display script, has been reported to be vulnerable to a buffer overflow that can be exploited remotely to execute arbitrary code as the user running the Web server.

Users should disable BannerWheel until it has been repaired.


A buffer overflow has been reported in Informix that can be exploited by a local attacker to obtain root permissions. This buffer overflow is reported to affect Informix version SE-7.25 under Linux, but may affect other platforms.

Users should watch IBM for a patch.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to the Linux DevCenter.

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: