PalmOS, Half-Life Server, and Ethereal Vulnerabilities01/02/2001
Welcome to the Security Alerts column, an overview of new Unix and open source security-related advisories and news. Problems this week include more symlink problems with catman and dialog, buffer overflows in oops, halflifeserver, and ethereal, key problems with gnupg, problems with PalmOS devices, and a prime example of amazing vulnerabilities in third-party software packages.
Devices that use the PalmOS such as the Palm Pilot line of devices or the Handspring Visor line of devices have a security method that is used by all of the built-in applications. This security method allows the protection of individual records by marking them as private. Once they are marked as private, the record is inaccessible unless the correct password is entered.
The problem is that anyone with physical access to your PalmOS-based device or with access to your hotsync files can determine your password or just bypass the password altogether.
It is recommended that users of PalmOS devices who put any sensitive information on their devices maintain complete physical security and use the "turn off and lock" feature of the OS. They also may look into third-party encryption and security software to add additional layers of protection.
catman program outputs preformatted versions of the manual pages. Under Solaris 2.x, it has an exploitable problem with the way that it uses temporary files. Because this program is setuid root, a malicious user can overwrite arbitrary files on the system using a symlink attack. As of this time, Sun has not released an official patch for this problem with
catman. It is recommended that you remove the execute bits from this application until Sun releases a patch.
Alerts this week:
Oracle WebDB, part of the Oracle Internet Application Server, a popular dynamic content connectivity engine, can be manipulated into executing a carefully constructed web request as a SQL query. This can allow an attacker to view anything that the Oracle WebDB has read access to and write to anything that it has write access to, bypassing any application-level security that is in place. This attack can also be used to reconfigure the web engine and change settings or passwords. Oracle is working on patches for this problem and will post an announcement as soon as they are available.
A caching proxy webserver,
oops has buffer and stack overflows that are vulnerable to remote attacks. These vulnerabilities can allow a user to execute arbitrary code on the server as the user that is running
oops. Users of
oops should remove it or upgrade it to a version newer than 1.5.2.
A dedicated server used to host Half-Life games,
halflifeserver is locally and remotely vulnerable to buffer overflows and format string vulnerabilities. These vulnerabilities can allow an attacker to execute arbitrary code on the server as the user that is running
halflifeserver. Users should upgrade to version 220.127.116.11 or newer.
An application for monitoring network traffic,
ethereal has buffer overflows that can be used to crash ethereal or allow a malicious user to execute arbitrary code on the server as the user that is running
ethereal (usually root). Users should not use
ethereal on a network that contains untrusted packets until they upgrade it to version 0.8.14 or newer.
The GNU version of PGP (Pretty Good Privacy), digital signature/encryption,
gnupg has a problem with the way it imports keys. It will import private keys in addition to the public keys when it imports keys from a public key server. This corrupts the users web of trust. If the file being checked contains clear signed data,
gnupg also has a problem where it will ignore detached signatures. Users should check their vendor for an updated version.
A program to display dialog boxes from shell scripts,
dialog is vulnerable to a symlink based attack. It does not create its lock files in a safe manner, which can allow an attacker to overwrite arbitrary files on the system that can be written to by the user running
dialog. It is recommended that you upgrade to version 0.9a-20000118-3bis.
Sonata Conferencing Software has a truly amazing vulnerability that is a great example of a class of problem to watch out for in third-party applications. Simply, the software comes with a program named
doroot that is setuid root. This program executes its command line argument as root. This would allow any local user to execute any command as root. No workaround has been tested, so it is not known what effect removing the setuid bit from
doroot would have on the conferencing package.
Any time you have some third-party application for Unix that requires root permissions to run and you do not immediately understand why it needs these permissions, you should look at it closely with deeply felt suspicion. Keep asking the vendor "Why does it run as root?" until you are satisfied or they have fixed it so that it does not run as root or require root privileges.
Most tasks under Unix do not need root permissions. In most cases, the third-party applications I have seen that had setuid root programs or wanted to be run as root did not need to be. At the most, they need a group or to be setuid some other user so that they can write to a queue or file.
I have no idea why so many of these products are written this way. The best theory I have heard is that the developers of these products all wrote their code as root and never took into account permission problems until the application was finished. As crazy as this may seem, it is a problem that I have run into again and again.
If it runs as root, you need to be very careful. Remember that it is much easier to ask the vendor why it is running as root and how you can run it as a regular user before they have sold it to you. The fix for this class of problem is to make sure that the third-party application you are purchasing does not run as root unless it really needs to.
Read more Security Alerts columns.
Discuss this article in the O'Reilly Network Linux Forum.
Return to the Linux DevCenter.