

Security Alerts

J2SE Woes

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in the Java 2 Runtime Environment, wget, FreeBSD's procfs and linprocfs, OpenSSL, OpenSSH, AbiWord, Blogtorrent, scponly, rssh, and kfax.

Sun and Blackdown Java

The Java 2 Runtime Environment, Standard Edition (J2SE), available from Sun, and the Blackdown Java Runtime are vulnerable to an attack that bypasses the Java sandbox. A remote attacker can exploit it to execute arbitrary code on the victim's machine, and to read and write arbitrary files, with the permissions of the user running the Java runtime (typically the user running the web browser in which an applet is loaded). This vulnerability is reported to affect J2SE 1.4.2_01 and 1.4.2_04, and any Blackdown VM prior to J2SE v1.4.2-01. Example scripts that exploit this vulnerability have been released to the public.

All Sun Java users should upgrade to Java 2 Runtime Environment, Standard Edition 1.4.2_06 or 1.3.1_13 or newer; Blackdown users should upgrade to J2SE v1.4.2-01 or newer. Users of other Java distributions, or of a Java runtime packaged with their operating system, should watch their vendors for an update. Users who cannot upgrade immediately should disable Java in their browsers, or at the very least allow only Java code from trusted sites to run.

wget

wget, a widely used command-line utility for retrieving files over HTTP and FTP, is reported to contain flaws that can be exploited to overwrite arbitrary files that the victim has permission to write, if the victim retrieves a carefully crafted file from an attacker-controlled server. An example file that exploits this vulnerability has been released to the public.

Affected users should watch their vendors for a repaired version of wget, or should consider using an alternative tool. In all cases, users should exercise care in choosing which files to download.

FreeBSD procfs and linprocfs

procfs (the process file system) and linprocfs (its Linux-compatible counterpart, used by the Linux binary compatibility layer) present the kernel's process table as a filesystem. A bug in the implementation of the /proc/curproc/cmdline and /proc/self/cmdline files can, under some conditions, be exploited by a local attacker to crash the system with a kernel panic, or to read portions of protected kernel memory that may contain sensitive information such as passwords.

Users should upgrade their systems to FreeBSD 4-STABLE or 5-STABLE, recompile their kernels, and reboot. Until the upgrade is complete, procfs and linprocfs should be unmounted, and their entries in /etc/fstab removed or commented out so that they are not remounted at boot; note that Linux binaries running under the compatibility layer may expect linprocfs to be present and can misbehave while it is unmounted.

OpenSSL

The der_chop script shipped in the OpenSSL package is reported to be vulnerable to a symbolic-link race on the temporary file it creates: a local attacker who can predict the temporary file's name and plant a symbolic link there first may be able to make the script overwrite arbitrary files with the permissions of the user running it.

Users should watch their vendors for an updated OpenSSL package. Until then, der_chop should not be run as root or by any user whose files an untrusted local user would want to clobber.
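The following is an added illustration of the flaw class behind the der_chop report, written for this column; it is not der_chop's own code. It builds a predictable temporary-file name, lets an "attacker" plant a symbolic link there first, and shows that a plain create-or-truncate open follows the link and clobbers the victim file, while an O_EXCL create refuses. The scratch directory, the victim file name and the fixed pid are constructed for the demonstration.

```python
import os
import tempfile


def predictable_path(tmpdir, pid):
    """The kind of name a naive script builds: a fixed prefix plus its own pid,
    which any local user can read from ps and so can plant a link at first."""
    return os.path.join(tmpdir, "der_chop.%d" % pid)


def unsafe_write(path, data):
    """Plain create-or-truncate open, as a shell '>' redirection or a Perl
    open(FH, ">$tmp") does. If `path` is already a symlink it is followed."""
    with open(path, "wb") as fh:
        fh.write(data)


def safe_write(path, data):
    """Refuse to reuse an existing name. O_EXCL makes the create atomic and
    fails with EEXIST on anything already present, including a hostile
    symlink; O_NOFOLLOW is added where the platform has it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def safe_tempfile(tmpdir):
    """What a script should do instead: let mkstemp pick an unpredictable name
    and create it atomically with mode 0600."""
    fd, path = tempfile.mkstemp(prefix="der_chop.", dir=tmpdir)
    os.close(fd)
    return path


def run_demo():
    """Stage the race in a scratch directory and report what each writer did."""
    with tempfile.TemporaryDirectory() as tmpdir:
        # Constructed victim file: stands in for something the attacker wants overwritten.
        victim = os.path.join(tmpdir, "victim.conf")
        with open(victim, "wb") as fh:
            fh.write(b"original contents\n")

        pid = 12345  # assumed pid of the script, guessed or observed by the attacker
        target = predictable_path(tmpdir, pid)
        os.symlink(victim, target)  # attacker wins the race: the link exists before the script runs

        unsafe_write(target, b"attacker-chosen contents\n")
        with open(victim, "rb") as fh:
            after_unsafe = fh.read()

        safe_refused = False
        try:
            safe_write(target, b"never written\n")
        except FileExistsError:
            safe_refused = True
        with open(victim, "rb") as fh:
            after_safe = fh.read()

        fresh = safe_tempfile(tmpdir)
        fresh_mode = os.stat(fresh).st_mode & 0o777
        return {
            "after_unsafe": after_unsafe,
            "safe_refused": safe_refused,
            "after_safe": after_safe,
            "fresh_mode": fresh_mode,
        }


if __name__ == "__main__":
    print(run_demo())
```

The point a practitioner should take from this is that checking whether the name exists before opening it does not help; the check and the open are two system calls and the attacker can create the link between them. Only an atomic create (O_EXCL, or mkstemp which uses it) closes the window.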

OpenSSH

Two timing attacks have been announced against OpenSSH. The first distinguishes a failed login for an existing user from a failed login for a non-existent user by how long the failure takes, and so lets a remote attacker test whether a given user name exists on the target system. The second affects servers configured to refuse root logins (PermitRootLogin no): a root login rejected by that policy fails in a measurably different time than a root login rejected because the password is wrong, which turns the supposedly closed root account into an oracle that a brute-force attack can use to find the root password.

Affected users should watch their vendors for repaired OpenSSH packages.
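Both attacks come from the same design flaw, shown here in an added example written for this column rather than taken from OpenSSH: a login routine that fails early for unknown users, or for policy reasons, does less work than one that gets as far as checking a password, and the difference is visible from the network. The user table, the dummy record and the derivation counter are assumptions made so that the code runs offline and the side channel can be observed deterministically.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000  # PBKDF2 cost: enough that the slow path is measurable


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _record(password):
    salt = os.urandom(16)
    return salt, _derive(password, salt)


# Constructed user table (not real credentials): name -> (salt, PBKDF2 hash).
USERS = {"alice": _record("correct horse"), "root": _record("toor")}

# A real-looking record used for unknown users so that path costs the same work.
DUMMY = _record("this value is never accepted")


class Work:
    """Counts password derivations: a deterministic proxy for the wall-clock
    time a remote attacker would measure."""
    derivations = 0


def derive(password, salt):
    Work.derivations += 1
    return _derive(password, salt)


def auth_leaky(user, password, permit_root_login=False):
    """Both leaks the column describes: an unknown user fails before any
    hashing, and root is refused by policy before the password is checked."""
    if user not in USERS:
        return False  # fast failure: no derivation at all
    if user == "root" and not permit_root_login:
        return False  # fast failure: policy, still no derivation
    salt, stored = USERS[user]
    return derive(password, salt) == stored  # slow failure, and a non-constant-time compare


def auth_uniform(user, password, permit_root_login=False):
    """Same decisions and same answers, but every path performs exactly one
    derivation and a constant-time comparison; policy is applied afterwards."""
    salt, stored = USERS.get(user, DUMMY)
    password_ok = hmac.compare_digest(derive(password, salt), stored)
    known = user in USERS
    policy_ok = not (user == "root" and not permit_root_login)
    return password_ok and known and policy_ok


def derivations_for(auth, user, password, permit_root_login=False):
    """How much hashing one attempt costs; the routine leaks if this varies by user."""
    before = Work.derivations
    auth(user, password, permit_root_login)
    return Work.derivations - before


def median_seconds(auth, user, password, runs=15):
    """The same thing as an attacker sees it: wall-clock time per attempt."""
    samples = []
    for _ in range(runs):
        t0 = time.perf_counter()
        auth(user, password)
        samples.append(time.perf_counter() - t0)
    return sorted(samples)[len(samples) // 2]


if __name__ == "__main__":
    for auth in (auth_leaky, auth_uniform):
        print(auth.__name__,
              "nobody: %.4fs" % median_seconds(auth, "nobody", "x"),
              "alice: %.4fs" % median_seconds(auth, "alice", "x"),
              "root: %.4fs" % median_seconds(auth, "root", "x"))
```

Running the block prints the median time per attempt for an unknown user, a known user and the policy-refused root account under each routine; with auth_leaky the first and third are orders of magnitude faster than the second, with auth_uniform all three are alike. The defensive rule is the one the uniform version follows: do the expensive work on every path, compare with a constant-time function, and fold policy decisions in only after the password has been checked.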

AbiWord

AbiWord is a free, open source word processor for Windows, Linux, QNX, FreeBSD, and Solaris that reads and writes Microsoft Word, WordPerfect, Rich Text Format, HTML, and other formats. The wv library bundled with AbiWord is reported to contain a buffer overflow in the code that handles the DateTime field. Under some conditions this may be exploitable by a remote attacker to execute arbitrary code with the permissions of the victim, using a carefully crafted document that the victim opens in AbiWord in HTML mode.

Affected users should watch for a released version containing the repair and should exercise caution concerning the source of files they open with AbiWord.

Blogtorrent

Blogtorrent is a collection of PHP scripts designed to help host BitTorrent data files. A flaw in the btdownload.php script can be abused by a remote attacker to download arbitrary files from the server, limited to those the web server process can read.

All users of Blogtorrent should upgrade to the latest version available from CVS, or should consider disabling the software until it has reached a more mature state.

scponly and rssh

rssh is a restricted shell designed for use with OpenSSH that can confine a user to a chroot jail and, by design, allows only the remote execution of scp, sftp-server, cvs, rdist, and rsync. scponly is a restricted shell that can be configured to permit only specified applications. Under certain conditions, a remote user whose account is restricted by rssh or scponly may be able to escape the restriction and execute arbitrary commands or run an uploaded shell script.

It has been reported that the author of rssh is not currently able to maintain it, so rssh users should consider an alternative restricted shell. Version 4.0 of scponly has been released to address this, and all scponly users are encouraged to upgrade as soon as possible.
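An added example, written for this column and not taken from rssh or scponly, of why allowlisting command names alone is not enough for a restricted shell: several of the permitted programs accept options that name another program to run. The option table is an assumption drawn from the scp(1) and rsync(1) manual pages (scp -S program; rsync -e/--rsh command), not from the column, and the command lines in the test are constructed.

```python
import shlex

# Programs the restricted shell may run (the rssh list quoted in the column).
ALLOWED = {"scp", "sftp-server", "cvs", "rdist", "rsync"}

# Options of those programs that name another program to execute. Assumed for
# this example from the scp(1) and rsync(1) man pages: scp -S program,
# rsync -e/--rsh command. A name-only allowlist never looks at these.
EXEC_OPTIONS = {
    "scp":   {"short": "S", "long": set()},
    "rsync": {"short": "e", "long": {"--rsh"}},
}


def check_command(line):
    """Decide whether the command line an SSH client requested may run.
    Returns (allowed, reason)."""
    try:
        argv = shlex.split(line)
    except ValueError as exc:
        return False, "unparseable command line: %s" % exc
    if not argv:
        return False, "empty command"
    # The shell execs its own configured binary, so only the basename matters.
    prog = argv[0].rsplit("/", 1)[-1]
    if prog not in ALLOWED:
        return False, "%s is not an allowed program" % prog
    rules = EXEC_OPTIONS.get(prog)
    if rules is None:
        return True, "ok"
    server_mode = "--server" in argv  # rsync server side, spawned by a client
    for arg in argv[1:]:
        if arg == "--":
            break  # getopt convention: everything after is an operand
        if arg.startswith("--"):
            name = arg.split("=", 1)[0]
            if name in rules["long"]:
                return False, "%s would run an arbitrary program" % arg
            continue
        if arg.startswith("-") and len(arg) > 1:
            # A cluster of short flags: "-qS" and "-S/tmp/x" both carry S.
            # Scanning the whole cluster can also hit the value of another
            # option (e.g. -o...S...); that is a false positive, never a miss.
            letters = arg[1:]
            pos = letters.find(rules["short"])
            if pos == -1:
                continue
            # rsync clients send "-e.<flags>" to a --server rsync to advertise
            # protocol features; nothing is executed, so allow that exact form.
            if prog == "rsync" and server_mode and letters[pos:].startswith("e."):
                continue
            return False, "%s would run an arbitrary program" % arg
    return True, "ok"


if __name__ == "__main__":
    # Constructed request lines, as a client would send them over SSH.
    for line in ("scp -t /home/alice/upload",
                 "rsync --server -vlogDtpre.iLsfxC . /home/alice/",
                 "scp -qS/tmp/evil -t /home/alice/upload",
                 "rsync --rsh=/tmp/evil --server . /home/alice/",
                 "bash -c id"):
        print("%-55s %s" % (line, check_command(line)))
```

This is a deny-list, which is the weakest acceptable form: it protects against the options named in the table and nothing else. A stronger restricted shell parses each program's options with that program's own option grammar and refuses anything not on an explicit allowlist of letters; the scan above errs on the side of refusing (a -o value containing the letter S is rejected too), which is the right direction for a security boundary.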

kfax

The KDE fax viewer kfax contains a private copy of the libtiff library that is vulnerable to several buffer overflows exploitable to execute arbitrary code with the permissions of the user running kfax. The overflows are triggered by a carefully crafted fax file, so the bundled copy is not fixed by updating the system libtiff package.

Users of KDE 3.2.x or KDE 3.3.x should upgrade to the latest released packages. Users of other versions should upgrade to a maintained version of KDE or remove kfax from their systems.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
