MySQL File Overwrite Vulnerability
03/27/2001
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a buffer overflow in ASPSeek; a denial of service attack against timed; a new version of OpenSSH with many improvements; an attack against the private keys used by GnuPG; a race condition in the UFS and EXT2FS file systems; and problems with MySQL, VIM, FCheck, Solaris perfmon, Interchange, and Compaq's management software.
The SQL (Structured Query Language) database server MySQL can be used to create or overwrite files with the permissions of the user running MySQL. If MySQL has been installed so that it runs under the root user ID, an attacker can create or overwrite any file on the system.
Users should configure MySQL to run as a normal user and should watch their vendor for an update.
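The advice above turns on one setting: the account mysqld drops to when it starts. The following shell script is an added example, not code from the column or from MySQL, that reads a my.cnf-style file, reports the user the [mysqld] section configures, and flags the case where none is set. It assumes the daemon is launched from a boot script as root, so an absent "user" setting means it keeps root; the two configuration files it checks are constructed for the demonstration.

```shell
# Added example (not MySQL's own code). Reads a my.cnf-style file and
# reports which user mysqld would run as. Assumes the daemon is started
# from a boot script as root, so an absent "user" setting means root.

# Print the value of "user" from the [mysqld] section of the file given
# as $1, or "root" when that section sets none.
mysqld_config_user() {
    awk '
        # Track the current section header, stripping brackets and blanks.
        /^[ \t]*\[/ { section = $0; gsub(/[][ \t]/, "", section); next }
        # "user = mysql" (with or without spaces) inside the mysqld section.
        section == "mysqld" && /^[ \t]*user[ \t]*=/ {
            sub(/^[ \t]*user[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); user = $0
        }
        END { if (user == "") user = "root"; print user }
    ' "$1"
}

# Exit status 0 when the configured user is not root, 1 otherwise.
mysqld_runs_unprivileged() {
    [ "$(mysqld_config_user "$1")" != "root" ]
}

# On a live host, list the account(s) any running mysqld actually holds;
# this is the check that matters if the daemon was started by hand.
# Uses Linux procps ps syntax; BSD ps needs "ps axo user,comm" instead.
running_mysqld_users() {
    ps -eo user,comm | awk '$2 ~ /mysqld/ { print $1 }' | sort -u
}

# Demonstration on two constructed configurations (not real server files).
demo=$(mktemp -d)
printf '[mysqld]\nport = 3306\n' > "$demo/root.cnf"              # no user= line
printf '[mysqld]\nport = 3306\nuser = mysql\n' > "$demo/safe.cnf"
for f in "$demo/root.cnf" "$demo/safe.cnf"; do
    if mysqld_runs_unprivileged "$f"; then
        echo "$f: mysqld runs as $(mysqld_config_user "$f") (ok)"
    else
        echo "$f: mysqld runs as root; add user=mysql under [mysqld]"
    fi
done
```

Run it against /etc/my.cnf (or wherever the vendor package keeps the file) and, on a host where the server is already up, compare the answer with running_mysqld_users; a command-line start can override the file.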
The GNU version of PGP, GnuPG, is vulnerable to an attack that can be used to calculate a private key from a public key. This attack requires the attacker to be able to modify the user's private key file and then to intercept or receive a message signed using the modified key. If an attacker can write to your private key file, they most likely can steal your private key, passphrase, and other private information in simpler ways.
Patches have been released for GnuPG that correct this problem by adding additional consistency checks. Users should watch their vendors for an updated version.
OpenSSH is a free version of the SSH protocol suite of encrypted communication tools. OpenSSH Version 2.5.2 has been released and improves protection from traffic analysis attacks, fixes some interoperability problems with other versions of the suite, improves protection against keys being recovered when using SSH protocol 1.5, and adds some additional functionality.
Users of OpenSSH are encouraged to upgrade to version 2.5.2.
A remote user can cause the Time Synchronization Protocol daemon timed to crash by sending it carefully crafted packets. In many cases, timed will not automatically restart after a crash. This is known to affect the timed daemons distributed with FreeBSD and Linux-Mandrake. It is not known if it affects other Unix distributions.
Users of timed may wish to implement firewall rules that prevent unauthorized connections and should check with their vendor for an updated version.
ASPSeek, a GPLed search engine that is written in C++ and uses a SQL server-based back end, has several buffer overflows that can be exploited to execute arbitrary commands on the server with the permissions of the user running the web server. To the best of my knowledge, the buffer overflows affect only versions released before March 21, 2001.
It is recommended that users upgrade to the latest version of ASPSeek as soon as possible.
FCheck is a file auditing and integrity checking application written in Perl. An attacker can execute arbitrary commands with the permissions of the user executing FCheck (usually root) by creating a file with a carefully crafted name.
It is recommended that users of FCheck upgrade to version 2.07.59 or newer as soon as possible.
VIM (Vi IMproved) is a programmer's text editor compatible with the vi editor. Many distributions of Linux use VIM as the system vi editor. An attacker can embed control codes into a file, and VIM will execute arbitrary commands when a user opens the file. The commands will be executed with the permissions of the user editing the file with VIM.
A workaround for this problem is to disable the status line option in .vimrc. Users of VIM should contact their vendor for an updated version.
A system monitoring tool for Solaris systems, perfmon can be used by an attacker to overwrite or create a file with the permissions of the root user ID. An optional package, perfmon is not installed as part of the default Solaris installation. On systems where perfmon is installed, the set user ID bit should be removed.
The default installation of Interchange, an open source electronic commerce system, has a group login configured with no password in the three demo stores distributed with the server. An attacker can use this group login to access the back-end administrative area and alter product information, orders, and customer information.
Users of Interchange who configured a store based on any of the three demos should change the line ":backup<tab><tab>Backup" to "backup<tab>*<tab>Backup" in the file products/access.asc in all of the catalog directories and the catalog templates in the Interchange Software directories. The line can also be deleted if it is not needed. Once the line has been changed or deleted, the Interchange server must be restarted so that the changes will take effect.
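Because the fix has to be applied to every catalog directory and template tree, it is worth scripting. The shell script below is an added example, not code from the column or from the Interchange project. It assumes, from the single line the advisory quotes, that products/access.asc is tab-separated with a login name, a password field and a label, and that a leading colon marks a group login; neither point is documented here, and the access.asc it operates on is constructed for the demonstration.

```shell
# Added example (not Interchange's own code). Assumed from the advisory's
# quoted line: products/access.asc is tab-separated (login, password,
# label) and a leading colon marks a group login. The empty password
# field is what leaves the demo "backup" login open.

TAB=$(printf '\t')

# Count group logins (leading colon) whose password field is empty.
count_passwordless_group_logins() {
    awk -F "$TAB" '$1 ~ /^:/ && $2 == "" { n++ } END { print n + 0 }' "$1"
}

# Apply the advisory's fix in place: ":backup<tab><tab>Backup" becomes
# "backup<tab>*<tab>Backup". The original file is kept as "<file>.orig".
fix_interchange_access() {
    file="$1"
    cp "$file" "$file.orig" || return 1
    awk -F "$TAB" -v OFS="$TAB" '
        $1 == ":backup" && $2 == "" && $3 == "Backup" { $1 = "backup"; $2 = "*" }
        { print }
    ' "$file.orig" > "$file"
}

# Fix products/access.asc under every catalog or template directory given
# as an argument, and report what is left afterwards.
fix_all_catalogs() {
    for dir in "$@"; do
        f="$dir/products/access.asc"
        [ -f "$f" ] || continue
        fix_interchange_access "$f"
        echo "$f: $(count_passwordless_group_logins "$f") passwordless group login(s) remain"
    done
}

# Demonstration on a constructed access.asc (not a real Interchange file).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/products"
printf ':backup\t\tBackup\nalice\tsecret\tAlice\n' > "$demo_dir/products/access.asc"
fix_all_catalogs "$demo_dir"
```

Pass the real catalog directories and the template directories as arguments, then restart the Interchange server as the advisory says; the count printed for each file should be zero once the fix has been applied.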
The problem with the group account in the demo stores has been fixed in Interchange version 4.6.4. This new version of Interchange also tightens login security by rejecting all group logins, user names with invalid characters, and user names with blank passwords.
Compaq web-enabled software may under some conditions function as a generic proxy server. This can be used to bypass security controls on outgoing traffic, or by incoming traffic to bypass a firewall.
Compaq recommends that web-enabled software only be installed on private networks, access to nonessential ports be disabled, and that users choose strong passwords. Compaq is working on patches for the affected software. Users should contact Compaq for information specific to their products.
UFS is the default file system on FreeBSD systems, and EXT2FS is the default file system on many Linux systems. Both of these file systems have a race condition under FreeBSD that can allow users to access areas that contain data from other users' deleted files. Normally, when a file is deleted, the blocks are zeroed prior to becoming available to user processes. This problem is suspected to affect Linux and other Unix systems, but no confirmation of this has been made.
Users of FreeBSD should upgrade their system to 3.5-STABLE or 4.2-STABLE released after March 22, 2001.