OpenSSH Remote Challenge Vulnerability
by Noel Davis
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at remotely exploitable vulnerabilities in OpenSSH and Apache; a denial-of-service attack against BIND 9; buffer overflows in tcpdump and some RADIUS daemons; and problems in dnstools, XChat, UnixWare and Open UNIX's ppptalk, and IRIX's
- OpenSSH Remote Challenge Vulnerability
- UnixWare and Open UNIX ppptalk
- IRIX pmpost
OpenSSH, a free version of SSH (Secure Shell), is vulnerable to a buffer overflow attack in the challenge-response code, which can be used by a remote attacker to gain root access to a server. In addition, OpenSSH versions 2.9.9 through 3.3 are vulnerable to an integer overflow that also can be used to gain root access, versions 2.3.1 through 3.3 are vulnerable to a problem in
and versions between 2.9.9 and 3.3 have a bug in ChallengeResponseAuthentication. Distributions known to be vulnerable include OpenBSD 3.0, OpenBSD 3.1, FreeBSD-Current, and any system using OpenSSH version 3.0 through 3.2.3. Only OpenSSH versions compiled with the
BSD_AUTH are vulnerable to the challenge-response vulnerability.
It is recommended that users of OpenSSH upgrade to version 3.4 or newer as soon as possible and that
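As an added illustration (not part of the column), a small Python checker that takes an sshd identification banner, reports which of the version ranges listed above cover that version and whether it is below the 3.4 release the column recommends, and reads the effective ChallengeResponseAuthentication value from sshd_config text. It assumes OpenSSH's documented default of yes when the directive is absent; the banner and config strings are constructed samples.

```python
import re
from typing import List, Tuple

# Inclusive OpenSSH version ranges as stated in the column above.
# The challenge-response overflow affects only builds compiled with BSD_AUTH,
# which a version banner cannot reveal, so a hit there means "check the build".
AFFECTED_RANGES = [
    ("challenge-response overflow (BSD_AUTH builds only)", "3.0", "3.2.3"),
    ("integer overflow", "2.9.9", "3.3"),
    ("ChallengeResponseAuthentication bug", "2.9.9", "3.3"),
]
FIXED_VERSION = "3.4"  # upgrade target named in the column


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.2.3' or a banner such as 'SSH-2.0-OpenSSH_3.2.3p1' into a
    comparable tuple, zero-padded so that '3.3' compares equal to '3.3.0'."""
    m = re.search(r"OpenSSH_(\d+(?:\.\d+)*)", text) or re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no OpenSSH version found in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def affected_advisories(banner: str) -> List[str]:
    """Names of the ranges above that cover the version in this banner."""
    v = parse_version(banner)
    return [name for name, lo, hi in AFFECTED_RANGES
            if parse_version(lo) <= v <= parse_version(hi)]


def needs_upgrade(banner: str) -> bool:
    """True when the banner version is older than the 3.4 fix release."""
    return parse_version(banner) < parse_version(FIXED_VERSION)


def challenge_response_setting(sshd_config: str) -> str:
    """Effective ChallengeResponseAuthentication value in sshd_config text.
    Assumes the OpenSSH default of 'yes' when the directive is absent;
    comments are stripped and 'Key value' or 'Key=value' forms are accepted."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = re.split(r"[\s=]+", line, maxsplit=1) if line else []
        if len(fields) == 2 and fields[0].lower() == "challengeresponseauthentication":
            return fields[1].strip().lower()
    return "yes"


SAMPLE_BANNER = "SSH-2.0-OpenSSH_3.2.3p1"  # constructed sample banner
SAMPLE_CONFIG = "# constructed sample sshd_config\nPort 22\nChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    print(affected_advisories(SAMPLE_BANNER), needs_upgrade(SAMPLE_BANNER))
    print(challenge_response_setting(SAMPLE_CONFIG))
```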
There is a remotely exploitable vulnerability in the Apache Web server that can be used to execute arbitrary code on the server with the permissions of the user account running Apache. It has been reported that all versions of Apache before 1.3.26 and 2.0.37 are vulnerable. Exploit programs have been released that automate the exploitation of this vulnerability under OpenBSD, FreeBSD, and NetBSD. It is very likely that other exploit scripts or applications have been or will be released for other operating systems.
Users should upgrade to a repaired version of the Apache Web server. It has been reported that the repaired versions are 2.0.39 and 1.3.26. Update packages have been announced for Red Hat Linux, Mandrake Linux, Slackware Linux, OpenLinux, IBM Linux Affinity, OpenPKG, Unisphere Networks SDX-300 Service Deployment System, and EnGarde Secure Linux.
BIND 9 is vulnerable to a denial-of-service attack that, when exploited, will cause the BIND daemon to shut down. The denial-of-service attack is conducted by sending a carefully crafted DNS packet that causes a function to call abort() and shut down the BIND daemon. The attacker cannot cause code to be executed, nor any files to be written, by exploiting this problem. BIND versions 4 and 8 are not reported to be
Affected users should upgrade to BIND 9.2.1 or watch their vendor for an update. Packages containing a repaired version of BIND have been announced for SuSE Linux, Conective Linux, OpenUnix, and Red Hat Linux.
A buffer overflow in the DNS resolver code of libc has been reported. This buffer overflow may be exploitable by an attacker who controls a DNS server to send a reply that will overflow the library function
(the example given in the report was the function
the local machine, and allow the attacker to execute arbitrary code.
It is reported that libc in the CVS repositories for FreeBSD, NetBSD, and OpenBSD has been fixed.
There are several buffer overflows in tcpdump that may be exploitable by a remote attacker to execute arbitrary code with the permissions of the account running tcpdump (often root).
Affected users should upgrade to an updated tcpdump package. Repaired packages have been announced for SuSE Linux, Conectiva Linux, OpenLinux, and Trustix Secure Linux.
Several RADIUS servers, including radiusclient, are vulnerable to a buffer overflow in the code that deals with digest calculations. This buffer overflow can be used by a remote attacker to execute arbitrary code on the server using the permissions of the user running the RADIUS
It is recommended that users upgrade their affected RADIUS daemon to a repaired version. The buffer overflow is reported to be fixed in version 1.6.5 of radiusd-cistron and version 0.3.2 of
dnstools is a Web-based DNS configuration and administration tool. It has a flaw that can be used by an attacker to access pages with administrative privileges, allowing the attacker to modify the DNS records on the server.
Users should upgrade to version 2.0 beta 5 as soon as possible.
The XChat Internet Relay Chat (IRC) client is vulnerable to a remote attack that can be used to execute arbitrary commands on the client with the permissions of the user running XChat. The attacker must control an IRC server that the client connects to, and cause it to send a malicious response back to the client during a /dns command, in order to exploit this vulnerability.
Users should upgrade XChat to version 1.8.9 or newer as soon as possible.
ppptalk under Open UNIX and UnixWare is vulnerable to a local attack that can be exploited to gain root. This vulnerability affects UnixWare 7.1.1 and Open UNIX 8.0.0.
ppptalk should be upgraded to the latest packages or should have its set user id bit removed.
pmpost, part of the Performance Co-Pilot, has a bug that can be used by a local attacker to append data to system files, possibly leading to a root compromise. The Performance Co-Pilot package is not installed by default on IRIX 6.5 systems.
Affected users should contact SGI for updated packages. Users who choose not to upgrade the Performance Co-Pilot package should remove the set user id bit from /usr/pcp/bin/pmpost. SGI states that removing the set user id bit will cause non-root processes to not be able to append to