Security Alerts: Koules Local Root Exploit And More
11/28/2000
Welcome to Security Alerts, an overview of new Unix and open source security-related advisories and news. Problems this week include suid Oracle helper programs, replacement syslogd problems, and a couple of problems with Aladdin Ghostscript.
It has been reported that there is a local root vulnerability and exploit for the SVGA game Koules. It requires that Koules be installed with a setuid root bit set, so some installations may not be affected.
Oracle Connection Manager Control binary
The Oracle Connection Manager Control binary (cmctl) has a local exploit that allows any user to become the user and group that Oracle is installed under. It works by exploiting a buffer overflow in cmctl. There is a published exploit for Linux, but this may have been ported to other architectures. A workaround for this problem is to remove the suid bit from the program. If you do not use the setuid bits on this program or on other Oracle helper programs, you may want to consider removing the suid bits on all of the Oracle helper programs.
mgetty, a getty replacement for use with fax and data modem lines, has a vulnerability that can permit a local user to create or overwrite any file on the system. The problem is with the faxrunqd daemon, which runs as root. The faxrunqd daemon will follow a symlink named .last_run that has been created in the world-writable /var/spool/fax/outgoing/ directory. The fix for this is to uninstall the package and replace it with a version dated after 10 Sep 2000.
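The faxrunqd defect above is a root daemon trusting a name in a directory anyone can write to. The following is an added example, not code from the advisory or from mgetty, showing how a privileged program can create a status file such as .last_run in such a directory without following a planted symlink, and a self-check that plants one and confirms it is refused. All directory and file names in it are constructed for the demonstration.

```c
/* Added example, not code from the advisory or from mgetty: create a status
 * file such as .last_run in a world-writable spool directory without
 * following a symlink that another local user has planted under that name.
 * Directory and file names below are constructed for the demonstration. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open dir/name for writing, creating it if needed. O_NOFOLLOW makes the
 * kernel reject a symlink atomically (ELOOP), which closes the race that a
 * separate lstat()-then-open() sequence would leave open. Returns fd or -1. */
int safe_open_status_file(const char *dir, const char *name) {
    char path[512];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_NOCTTY, 0600);
    if (fd < 0) return -1;
    /* Belt and braces: the object we hold must be a regular file we own. */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Builds a throwaway spool directory with a planted .last_run symlink pointing
 * at a file that must not be created, then checks that the hardened open
 * refuses the symlink but accepts an ordinary name. Returns 1 on success. */
int demo_symlink_rejected(void) {
    char dir[64], link[128], target[128], plain[128];
    snprintf(dir, sizeof dir, "/tmp/spool_demo_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return 0;
    snprintf(link, sizeof link, "%s/.last_run", dir);
    snprintf(target, sizeof target, "%s/protected_file", dir);
    snprintf(plain, sizeof plain, "%s/good_run", dir);
    symlink(target, link);                  /* the planted dangling symlink */
    int bad = safe_open_status_file(dir, ".last_run"); /* expect -1 */
    int good = safe_open_status_file(dir, "good_run");  /* expect >= 0 */
    /* The link target must not have sprung into existence through the link. */
    int ok = bad < 0 && good >= 0 && access(target, F_OK) != 0;
    if (good >= 0) close(good);
    unlink(plain); unlink(link); rmdir(dir);
    return ok;
}
```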
The WinVNC program is a desktop remote control package. WinVNC 3.3.x has a problem in that the software stores its passwords in the Windows NT registry, and this can allow a remote user to remove the password using regedit. There are several other problems with WinVNC: the passwords cross the network in the clear and are limited to 8 characters. If you need to use this software, make sure that you do not trust its security.
The multi-protocol file retrieval application curl has a buffer overflow that can be exploited by a hostile server to cause curl to execute arbitrary code on the client. The fix for this is to upgrade your version of curl to the latest version.
The thttpd web server is a small and fast web server designed for simplicity. Versions prior to 2.20 allow remote viewing of arbitrary files on the server. This problem is caused by errors in the ssi CGI script. The script does not prevent the use of ".." in the path and will show files that are outside the root web directory. It will only show files that are readable by the user running the web server. The solution to this is to upgrade to a version newer than 2.20.
Big Brother is a Web-based network monitoring tool. Versions prior to 1.5d3 can allow an attacker to gather sensitive information about the system that Big Brother is running on and aid in brute force password attacks. It is recommended that users upgrade it to a version later than 1.5d3.
syslog-ng is a replacement for the syslogd daemon. It can be crashed by sending it a malformed syslog message. This can be used by an attacker to limit the information recorded during an attack. The recommended solution is to upgrade to version 1.49a or newer.
A new problem with modutils has been identified in the modprobe utility. It has a buffer overflow that can be used to execute arbitrary code as root. Specifically, the potential exploit uses ping to exploit modprobe. Check with your vendor for an updated package and, as a workaround, disable modprobe and take away the setuid bit from
IBM HTTP server Denial of Service vulnerability
The IBM HTTP server based on Apache has a Denial of Service vulnerability. Passing the server an unusually long GET request will cause the server to stop responding. There is a possibility that this could be exploitable as a remote buffer overflow. To my knowledge at this time, no patches have been released to fix this problem.
Aladdin Ghostscript, a PostScript interpreter, has two problems:
First, there is a problem with the manner in which it uses the LD_RUN_PATH environment variable that can cause it to use libraries that are in the current directory. An attacker could use this problem to execute arbitrary code from a shared library. You should check with your vendor and upgrade to a version with this fixed.
The second problem is a race condition that can be used for a symbolic link attack. This can allow the attacker to read or write system files and possibly lead to a root compromise. The same fix that was applied for the first problem will also fix this one.
Discuss this article in the O'Reilly Network Linux Forum.