oreilly.comSafari Books Online.Conferences.


Security Alerts Snort Problems

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in Snort and SheerDNS, and problems in Xinetd, vixie-cron, Oracle E-Business Suite FNDFS, xfsdump, Ximian Evolution, GtkHTML, kdegraphics, and psbanner.


Snort, a network-intrusion detection system, has a vulnerability in the stream4 preprocessor module that can be exploited by a remote attacker to execute arbitrary code with the permissions of the user that is running Snort (in most cases, root). The stream4 module puts TCP traffic back together when it has been fragmented across multiple TCP segments prior to it being analyzed.

It is recommended that users upgrade Snort to version 2.0 or newer as soon as possible. A workaround for this vulnerability is to comment out the line "preprocessor stream4_reassemble" in the Snort configuration file. This workaround will protect the server from this vulnerability, but it will make it easier to evade the intrusion detection system by fragmenting an attack across different TCP segments.

Related Reading

Practical UNIX and Internet Security
By Simson Garfinkel, Gene Spafford, Alan Schwartz


Xinetd, a replacement for inetd, is vulnerable to a denial-of-service attack when it is configured to reject some connections in hosts.deny.

Affected users should upgrade to Xinetd 2.3.11 or newer, or watch their vendor for an updated package.


The vixie-cron scheduling daemon's crontab utility contains a vulnerability that may, under some conditions, be exploitable by a local attacker to obtain root permissions.

It is recommended that users upgrade to a repaired package as soon as possible. It has been reported that repaired packages are available for Debian GNU/Linux 2.2; Linux-Mandrake 7.1, 7.2, 8.0 and Corporate Server 1.0.1; SuSE Linux 7.1; and Conectiva Linux. Users who cannot upgrade vixie-cron immediately should consider removing the set-user-id bit from the crontab utility.

Oracle E-Business Suite FNDFS

The Oracle E-Business Suite FNDFS (FND File Server or Report Review Agent) application is used to retrieve reports from the Concurrent Manager server. A flaw in FNDFS can be remotely exploited to retrieve any file on the system that is readable by the oracle or applmgr accounts. SQL*Net access to the Concurrent Manager server is required to exploit this flaw.

Oracle is reported to have released patches for Oracle Application server 11.0 and 11i and Application Desktop Integrator. It is also recommended that users use a tool such as a firewall to block all SQL*Net traffic from untrusted networks.


The utility xfsdump does not safely create the file in which quota information is stored during a dump. This problem can be exploited by a local attacker, under some circumstances, to obtain root permissions.

Users should watch their vendor for an update that repairs this problem. SGI and Mandrake are reported to have released patches that repair this problem.

Ximian Evolution and GtkHTML

Ximian Evolution, a workgroup and individual information management system that runs under Linux and other Unix systems, has several vulnerabilities that can be used in a denial-of-service attack, including a problem in the HTML widget GtkHTML. The system features such as email, group calendaring, contact lists, and task management.

It is recommended that users upgrade to Ximian Evolution 1.2.4 or newer or watch their vendor for updated Ximian Evolution and GtkHTML packages. Updated packages have been announced for Red Hat Linux and Mandrake Linux.


The kdegraphics package contains Ghostscript software that is used to handle PostScript and PDF files. A bug in this software can be exploited by an attacker creating a carefully crafted file that, when viewed (or previewed) by a user, can result in arbitrary shell commands being executed with the permissions of the user. The file can be delivered to the user though many methods, including a web page or email. This vulnerability is reported to affect KDE 2 and KDE 3 versions through KDE 3.1.1.

It is strongly recommended that affected users upgrade to KDE 3.0.5b or KDE 3.1.1a as soon as possible. Users who cannot upgrade immediately should exercise care when viewing PostScript and PDF files and should disable any preview features in the KDE software they are using.

Also in Security Alerts:

PHP Problems

Ethereal Trouble

KWord Trouble

XFree86 Trouble

MySQL Trouble


The psbanner utility is distributed as part of the LPRng package and is used to create a banner in a PostScript format. When used as a printer filter, psbanner is vulnerable to a symbolic-link race condition that can be used by a local attacker to create or overwrite arbitrary files on the system with the permissions under which the printing system is running.

Users should watch their vendor for an updated package and should consider disabling psbanner until it has been updated. Users of systems that do not use the printing system should consider removing or disabling it.


SheerDNS is a small DNS server that stores every record in its own file and does not require restarting the server when a change is made to a record. Its web site states, "SheerDNS is extremely light-weight, simple, and fast, and written with security in mind." SheerDNS version 1.0.0 is vulnerable to a buffer overflow in the code that handles replies in a CNAME request, and a directory traversal vulnerability. A local user may be able to exploit both of these vulnerabilities together and execute arbitrary code with the permissions of the user running SheerDNS.

It is recommended that users upgrade to SheerDNS 1.0.0 or newer as soon as possible. It has been reported that the author of SheerDNS fixed these vulnerabilities the day they where reported to him.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to the Linux DevCenter.

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: