Security Alerts: OpenBSD Non-exploit and More
11/13/2000
Welcome to Security Alerts, an overview of new Unix and open source security-related advisories and news. This week there was a wide range of security-related announcements, from an OpenBSD non-exploit to problems with Netscape and system backup software.
A forged announcement of a vulnerability in OpenBSD was published this week. The "vulnerability", in short, was: "OpenBSD is a vulnerable operating system because it runs on a computer which can be physically accessed by an intruder." The forger made the message appear to come from cripto, who said of it, "We do not know the individual who posted this 'OpenBSD exploit' and had no knowledge of it until we saw it on Bugtraq along with the rest of the world."
Red Hat Linux restore
Red Hat announced that the restore program can be exploited by a local user to become root. restore takes the name of the remote shell it uses to reach a remote tape server from the RSH environment variable, and because the binary was installed setuid root, a local user can set RSH to any program and have restore execute it as root. The updated packages no longer install restore setuid root, so upgrade now.
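The pattern behind this bug, as an added example (not the restore source): a setuid-root program picks the program it will execute from an environment variable the caller controls. The compiled-in path /usr/bin/rsh, the function names and the uids used in the demonstration are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_RSH "/usr/bin/rsh"   /* assumed compiled-in default */

/* Vulnerable pattern: the remote-shell program comes straight from the
 * caller's environment. Harmless in an ordinary binary; in a setuid-root
 * one, exec of this path runs attacker-chosen code as root. */
const char *rsh_program_vulnerable(const char *env_rsh)
{
    return (env_rsh != NULL && env_rsh[0] != '\0') ? env_rsh : DEFAULT_RSH;
}

/* Hardened pattern: when real and effective uid differ, the process is
 * running with privilege the caller does not have, so nothing in the
 * environment may be trusted to name a program. */
const char *rsh_program_hardened(const char *env_rsh, uid_t ruid, uid_t euid)
{
    if (ruid != euid)
        return DEFAULT_RSH;
    return rsh_program_vulnerable(env_rsh);   /* unprivileged: honour $RSH */
}

/* The fix Red Hat shipped is to not be setuid at all. A program that must
 * start privileged can at least give the privilege up before any exec.
 * Returns 0 when the process is verifiably running as the real uid. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    if (setuid(ruid) != 0)
        return -1;
    return (geteuid() == ruid && getuid() == ruid) ? 0 : -1;
}

int main(void)
{
    const char *env_rsh = getenv("RSH");
    uid_t ruid = getuid(), euid = geteuid();
    printf("ruid=%u euid=%u RSH=%s\n", (unsigned)ruid, (unsigned)euid,
           env_rsh ? env_rsh : "(unset)");
    printf("vulnerable would exec: %s\n", rsh_program_vulnerable(env_rsh));
    printf("hardened would exec:   %s\n", rsh_program_hardened(env_rsh, ruid, euid));
    if (drop_privileges() != 0) {
        perror("setuid");
        return 1;
    }
    /* From here on an exec of any path, $RSH included, runs with the
     * caller's own rights only. */
    return 0;
}
```

The C library's setuid hygiene (ignoring LD_PRELOAD, LD_LIBRARY_PATH and similar) does not extend to variables an application defines for itself, such as RSH; the application has to treat those as untrusted on its own.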
Star Office 5.2
Star Office 5.2 has a problem that can give any local user read and write access to the files of a user who runs Star Office. When Star Office starts up it creates the directory /tmp/soffice.tmp and sets its permissions to 0777, and it sets the same permissions again at other times while it is running. Because /tmp is world-writable and the name is fixed, a local user can create a symbolic link named /tmp/soffice.tmp pointing at a file or directory owned by a Star Office user; when that user next runs Star Office, the permissions on the target are changed to 0777. A suggested workaround is to set the $TMP environment variable to a temporary directory that only the Star Office user can write to, such as $HOME/tmp; Star Office will then use that location for its temporary files.
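An added example (not Star Office's code) of the symlink problem described above, beside a safer way to set up a per-user temporary directory. It plants the attacker's symlink inside a scratch directory of its own so it can be run as an unprivileged user; the file and directory names are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Vulnerable pattern: a fixed, predictable name in a world-writable
 * directory, made world-writable by name. chmod() follows symlinks, so if
 * an attacker has already placed a symlink at `path`, whatever it points
 * to becomes mode 0777. */
int tmpdir_vulnerable(const char *path)
{
    if (mkdir(path, 0777) != 0 && errno != EEXIST)
        return -1;
    return chmod(path, 0777);
}

/* Hardened pattern: create the directory private (0700); if something is
 * already there, inspect it with lstat() (which does not follow links) and
 * accept only a directory we own that nobody else can access. Never widen
 * permissions by path name. */
int tmpdir_hardened(const char *path)
{
    struct stat st;
    if (mkdir(path, 0700) == 0)
        return 0;
    if (errno != EEXIST || lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != getuid() || (st.st_mode & 077) != 0)
        return -1;   /* symlink, someone else's, or group/world accessible */
    return 0;
}

/* Constructed scenario: inside a fresh scratch directory, a victim-owned
 * private file and an attacker symlink named like the Star Office temp
 * directory pointing at it. Returns 1 if the vulnerable code changed the
 * victim file to 0777 while the hardened code refused the symlink and still
 * created a proper private directory under another name; 0 if not; -1 on
 * setup failure. */
int demo_symlink_attack(void)
{
    char base[] = "/tmp/soffice-demo.XXXXXX";
    char victim[256], planted[256], fresh[256];
    struct stat st;
    int fd, vuln_hit, hard_refused, fresh_ok;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/private-file", base);
    snprintf(planted, sizeof planted, "%s/soffice.tmp", base);
    snprintf(fresh, sizeof fresh, "%s/soffice.tmp.safe", base);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(victim, planted) != 0)
        return -1;

    /* The "application" sets up its temp dir at the planted name. */
    tmpdir_vulnerable(planted);
    vuln_hit = (stat(victim, &st) == 0 && (st.st_mode & 0777) == 0777);

    hard_refused = (tmpdir_hardened(planted) == -1);
    fresh_ok = (tmpdir_hardened(fresh) == 0 && lstat(fresh, &st) == 0 &&
                S_ISDIR(st.st_mode) && (st.st_mode & 077) == 0);

    unlink(planted); unlink(victim); rmdir(fresh); rmdir(base);
    return (vuln_hit && hard_refused && fresh_ok) ? 1 : 0;
}

int main(void)
{
    int r = demo_symlink_attack();
    printf("chmod-by-name followed the planted symlink: %s; hardened setup refused it: %s\n",
           r == 1 ? "yes" : "not reproduced", r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

Moving the directory under $HOME/tmp, as suggested above, removes the precondition (a name in a directory that others can write to); the ownership and mode checks are what to add when the name has to stay in /tmp. A stronger version opens the directory with O_DIRECTORY|O_NOFOLLOW and uses fstat() and fchmod() on the descriptor, so that no later step goes through the path name again.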
New FreeBSD security officer
Warner Losh is resigning as FreeBSD's security officer. He is going to be succeeded by Kris Kennaway, who has been working as Warner's deputy in charge of the ports system for the last ten months.
Pine Version 4.21
Pine 4.21 and earlier have a buffer overflow that can allow a remote user to execute arbitrary code by sending a carefully crafted e-mail message. Upgrading to Pine 4.30 will fix this problem.
Red Hat usermode packages
Red Hat's usermode package has potential format-string problems. usermode lets an administrator give ordinary users controlled access to programs that are executed as root. If one of the programs usermode fronts for uses the LANG or LC_ALL environment variables, a local user can set those variables to a format-string payload and exploit it. Red Hat has updated packages available.
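An added example (not the usermode source) of the two halves of this class of bug: a message rendered with an untrusted string in the format-string position beside its fixed form, and the check a privileged launcher can apply to LANG and LC_ALL before handing them to a program it runs as root. The allowed locale alphabet and the function names are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

char scratch[128];   /* shared output buffer for the demonstrations */

/* Vulnerable pattern: the untrusted text is the format string. Every
 * %-directive in it is interpreted with no matching argument: %x leaks
 * stack words, %s dereferences them, %n writes to them. */
char *render_vulnerable(char *buf, size_t n, const char *untrusted)
{
    snprintf(buf, n, untrusted);          /* untrusted string used as format */
    return buf;
}

/* Fixed pattern: a constant format, the untrusted text as its argument. */
char *render_hardened(char *buf, size_t n, const char *untrusted)
{
    snprintf(buf, n, "%s", untrusted);
    return buf;
}

/* Launcher-side check: a privileged wrapper cannot fix format bugs in the
 * programs it runs, but it can refuse locale names that are not locale
 * names. Real values look like "C", "en_US", "de_DE.ISO-8859-1",
 * "fr_FR@euro"; the assumed allowed alphabet is letters, digits, _ . @ - */
int locale_value_ok(const char *v)
{
    size_t i;
    if (v == NULL || v[0] == '\0' || strlen(v) > 64)
        return 0;
    for (i = 0; v[i] != '\0'; i++) {
        unsigned char c = (unsigned char)v[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '@' || c == '-'))
            return 0;
    }
    return 1;
}

/* Scrub the locale variables in this process before exec'ing a helper:
 * drop any that fail the check, so the child inherits only sane values.
 * Returns the number of variables removed. */
int scrub_locale_env(void)
{
    static const char *names[] = { "LANG", "LC_ALL", "LC_MESSAGES", "LC_CTYPE", NULL };
    int removed = 0;
    for (int i = 0; names[i] != NULL; i++) {
        const char *v = getenv(names[i]);
        if (v != NULL && !locale_value_ok(v)) {
            unsetenv(names[i]);
            removed++;
        }
    }
    return removed;
}

int main(void)
{
    /* Constructed payload: harmless, but shows the text being interpreted. */
    const char *payload = "100%% done";
    printf("vulnerable: \"%s\"\n", render_vulnerable(scratch, sizeof scratch, payload));
    printf("hardened:   \"%s\"\n", render_hardened(scratch, sizeof scratch, payload));
    printf("LANG=%%n%%n accepted? %d\n", locale_value_ok("%n%n"));
    printf("LANG=en_US accepted? %d\n", locale_value_ok("en_US"));
    setenv("LC_ALL", "%x%x%x%n", 1);
    printf("scrubbed %d hostile locale variable(s)\n", scrub_locale_env());
    return 0;
}
```

The scrub is a mitigation at the boundary, not a substitute for the "%s" fix in the helper itself: any other variable or input the helper prints as a format is still exploitable.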
The BIND name server can be crashed by a compressed zone transfer request from a client that is authorized to transfer the zone. The default build of BIND does not support compressed zone transfers, and a request for one can crash named. From what I have seen, this bug seems to affect up to BIND 8.2.2 patch level 6. ISC recommends that everyone upgrade to 8.2.2 patch level 7, which also fixes several other denial-of-service problems in BIND.
The program vlock is designed to lock virtual consoles. It was reported that the version shipped with Red Hat Linux 7.0 can be bypassed if a regular user locks the console. According to the report, the bypass is simple: when vlock asks for the password, hold down the Enter key until the message "broken pipe" appears; the consoles are then unlocked.
I was unable to duplicate this on my Red Hat Linux 7.0 machine. I placed a weight on my enter key and let it go for about five minutes without getting a broken pipe message. Perhaps it takes longer or there is some other factor at work. I should point out that vlock does not prevent someone from rebooting or powering off your machine and booting from a CD or floppy. If you can touch the machine you can do almost anything to it, and because of this, a console locker is of only limited use.
FreeBSD xfce port display
The xfce window manager under FreeBSD runs xhost during its startup to allow all local users to connect to the local X server. On a multiuser system this is a very bad thing: it would allow a malicious user to watch everything the local user does, including passwords being typed. The FreeBSD security team suggests that you upgrade the package or remove 'xhost +$HOSTNAME' from
A carefully crafted e-mail that is replied to with the mail program (the simple console-based mail client) can grant a malicious user privileges equal to those of the user replying to the mail. The message can even be crafted using a series of ^H (backspace) characters so that the victim cannot see the dangerous text and can be tricked into replying to it. At this time I do not know of a fix for this. So if you use mail for your mail, be careful what you reply to.
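An added example, not a fix, of why the victim cannot see the text: a model of what a terminal shows when a message contains ^H (backspace) characters, beside a cat -v style rendering that makes them visible, which is the check to apply to a suspicious message before replying to it. The sample message is constructed; it hides an ordinary word, not an exploit.

```c
#include <stdio.h>
#include <string.h>

char shown[256];    /* what the terminal would display */
char actual[256];   /* what is really in the message */

/* Model of how a terminal renders backspace: each ^H erases the character
 * before it, so text followed by enough ^H characters never appears on
 * screen. Only ^H is modelled here; \r and escape sequences can hide text
 * in the same way. */
char *terminal_view(char *out, size_t n, const char *msg)
{
    size_t len = 0;
    for (const char *p = msg; *p != '\0'; p++) {
        if (*p == '\b') {
            if (len > 0)
                len--;
        } else if (len + 1 < n) {
            out[len++] = *p;
        }
    }
    out[len] = '\0';
    return out;
}

/* The check: render control characters visibly (cat -v style) so hidden
 * text can be seen before replying. Newline and tab are kept as they are.
 * Returns the number of control characters found. */
int reveal_controls(char *out, size_t n, const char *msg)
{
    size_t len = 0;
    int found = 0;
    for (const unsigned char *p = (const unsigned char *)msg; *p != '\0'; p++) {
        if (*p == '\n' || *p == '\t' || (*p >= 0x20 && *p != 0x7f)) {
            if (len + 1 < n)
                out[len++] = (char)*p;
        } else {
            found++;
            if (len + 2 < n) {
                out[len++] = '^';
                out[len++] = (*p == 0x7f) ? '?' : (char)(*p + '@');
            }
        }
    }
    out[len] = '\0';
    return found;
}

int main(void)
{
    /* Constructed message: "secret" is typed, then erased with six ^H. */
    const char *msg = "secret\b\b\b\b\b\bpublic\n";
    printf("terminal shows: %s", terminal_view(shown, sizeof shown, msg));
    int hidden = reveal_controls(actual, sizeof actual, msg);
    printf("actually contains (%d control chars): %s", hidden, actual);
    return 0;
}
```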
Netscape versions prior to 4.76 have a client-side buffer overflow. A web page can be crafted with HTML that overflows the buffer and executes arbitrary code on the client's machine. The fix is to upgrade to Netscape 4.76 or later.