OpenBSD Local Root Exploit
06/18/2001
Welcome to Security Alerts, an overview of recent Unix and open-source security advisories.
In this column, we look at a race condition in the OpenBSD kernel; cross-site request forgeries; a new version of tcpdump; buffer overflows in fetchmail, the HP-UX implementation of CDE, and UW-IMAP; a symbolic-link race condition in mandb; and vulnerabilities in SITEWare Editor's Desktop, Apache under Mac OS X client, LPRng, Caldera's Volution, and Slackware 7.1's
OpenBSD versions 2.8 and 2.9 are vulnerable to a race condition in the kernel that can be exploited to execute arbitrary code as the root user. An exploit has been publicly distributed. This vulnerability is similar to the ptrace exploit of the Linux kernel that was announced a few months ago. It is unclear what versions, if any, of FreeBSD and NetBSD may be vulnerable to this exploit.
Users of OpenBSD should apply the source code patch to repair the vulnerability. Users of FreeBSD and NetBSD should watch for announcements and patches.
Cross-site request forgeries are a new type of attack against web-based applications. They use HTML tags to hide a URL that will be processed by the client application without the user's knowledge or permission. Examples of client applications include web browsers, email clients, and news readers that process inline HTML code.
This type of attack is enacted by inserting a URL into an <img> tag that causes an action on a web application. When the client application parses the page, it will request the URL inside the image tag in an attempt to download an image. This instead causes an action in the web application. Because the client attaches the user's cookies or saved passwords to the request, the action will appear to the web application as having been initiated by the user.
Most methods of protection from this type of attack will have to be provided by the makers of the client applications. However, some things users can do to lower their vulnerability include: using an email client that does not render HTML, not using a newsgroup reader that is embedded in your web browser, being careful about what passwords your browser saves, and logging off important web sites when you are finished with them.
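The column leaves protection to client vendors, but a web application can defend itself as well. The added example below is not from the column or any real application: it models the forged request an image tag produces (a GET carrying the victim's cookie and nothing else) against a hypothetical message-deletion handler, first as written in 2001-era applications and then hardened with a per-session token that a third-party page cannot supply. Session ids, paths and parameter names are constructed.

```python
import hmac
import hashlib
import secrets

# Constructed server state: one logged-in session and a secret used to
# derive CSRF tokens. Names are hypothetical, not from any real application.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"s3ss10n-abc": "alice"}


def csrf_token(session_id):
    """Per-session token: an HMAC over the session id, so a token is only
    valid together with the cookie it was issued for."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def delete_message_vulnerable(request):
    """Accepts a state-changing action on a plain GET, authenticated by the
    cookie alone: exactly what an <img src="..."> on another site triggers."""
    user = SESSIONS.get(request.get("cookie"))
    if user is None:
        return 401, "login required"
    return 200, f"{user} deleted message {request['params']['id']}"


def delete_message_hardened(request):
    """Same action, but only on POST and only with a token that the browser,
    unlike the cookie, will not attach on its own."""
    user = SESSIONS.get(request.get("cookie"))
    if user is None:
        return 401, "login required"
    if request["method"] != "POST":
        return 405, "state changes require POST"  # an <img> can only GET
    supplied = request["params"].get("csrf_token", "")
    expected = csrf_token(request["cookie"])
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"{user} deleted message {request['params']['id']}"


# Constructed requests. The browser adds the cookie to both; the forged one
# comes from an image tag on an unrelated page, so it is a GET with no token.
FORGED = {"method": "GET", "cookie": "s3ss10n-abc", "params": {"id": "42"}}
LEGIT = {"method": "POST", "cookie": "s3ss10n-abc",
         "params": {"id": "42", "csrf_token": csrf_token("s3ss10n-abc")}}

if __name__ == "__main__":
    print("vulnerable, forged:", delete_message_vulnerable(FORGED))  # 200
    print("hardened, forged:  ", delete_message_hardened(FORGED))    # 405
    print("hardened, legit:   ", delete_message_hardened(LEGIT))     # 200
```

The token is bound to the session, so a token lifted from one account does not authorize requests carrying another account's cookie.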
Alerts this week:
The rxvt X Window System terminal emulator has a locally exploitable buffer overflow that can be used to gain additional privileges. Version 2.6.2 was reported to be vulnerable; version 2.6.3 may also be vulnerable, as there is no mention of this problem in the changelog file. An exploit script has been publicly released.
Users should remove any set-user-ID or set-group-ID bits from rxvt until it has been patched.
fetchmail is a very nice mail retrieval and forwarding tool. Versions of the program prior to 5.8.6 have a buffer overflow that can be exploited when fetchmail processes a message with a long header.
Users should upgrade to fetchmail version 5.8.6 or newer as soon as possible.
A new version of tcpdump, a network monitoring tool, has been released. This new version fixes several remote buffer overflows and a vulnerability in decoding AFS ACL packets, which could be used to execute arbitrary code on the machine running tcpdump with the permissions of the root user.
All users of tcpdump should upgrade to version 3.6.2 as soon as possible.
The SITEWare Editor's Desktop, a web-based administration tool for ScreamingMedia content, has a vulnerability that can be used by an attacker to retrieve arbitrary files, such as the unencrypted password file, from a ScreamingMedia server.
Users should contact ScreamingMedia for an update.
The HP-UX implementation of the Common Desktop Environment (CDE) contains buffer overflows that can be exploited to gain root permissions. These buffer overflows are present in HP-UX 10.10, 10.20, 10.24, 11.00, 11.04, and 11.11.
Users should apply the appropriate patch from HP for their version of HP-UX.
UW-IMAP, the IMAP (Internet Message Access Protocol) server from the University of Washington, has several buffer overflows that can be exploited by an authenticated user to gain access to a remote interactive shell running as that user. Systems whose users already have interactive shell access are not affected by this problem.
Users should watch their vendors for updated packages.
Under some conditions, Apache on the client version of Mac OS X will not protect directories from view or script execution despite being configured to do so. This problem only affects directories mounted on an HFS+ volume. Mac OS X Server ships with a mod_hfs_apple.so Apache module that corrects this problem, but this module is not available as source or as part of the Apache distribution.
A workaround for this problem is to place all of the directories that need to be protected on a UFS volume. Users should watch Apple for a patch to solve this problem.
The mandb application has a symbolic-link race condition that can be exploited to overwrite files with the permissions of the man user.
Users should upgrade to mandb version 2.3.16-4.
LPRng does not drop any supplemental group memberships it has when it drops its gid during startup. This may cause LPRng and its child processes to have unnecessary privileges.
Users should watch their vendor for an update.
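The LPRng problem is a general one for any daemon that starts as root: changing the gid does not touch the supplementary group list inherited from root, which has to be cleared explicitly, and before root is given up. The added example below is not LPRng's code; it shows the ordering a daemon needs and a credential check that reports exactly this class of incomplete drop. Target ids are constructed.

```python
import os


def check_dropped(target_uid, target_gid, uid, euid, gid, egid, groups):
    """Return a list of problems with the observed credentials after a
    privilege drop. An empty list means the drop is complete."""
    problems = []
    if (uid, euid) != (target_uid, target_uid):
        problems.append(f"uid/euid still {uid}/{euid}, expected {target_uid}")
    if (gid, egid) != (target_gid, target_gid):
        problems.append(f"gid/egid still {gid}/{egid}, expected {target_gid}")
    # The LPRng-style defect: the gid was changed, but supplementary groups
    # inherited from root (wheel, lp, daemon, ...) were never cleared, so the
    # process can still open anything those groups can.
    extra = sorted(set(groups) - {target_gid})
    if extra:
        problems.append(f"supplementary groups still held: {extra}")
    return problems


def drop_privileges(target_uid, target_gid):
    """Drop from root to target_uid/target_gid. Order matters: setgroups()
    and setgid() need root, so both must run before setuid() gives root
    away; afterwards the result is verified rather than assumed."""
    if os.geteuid() != 0:
        raise PermissionError("must be root to drop privileges")
    os.setgroups([target_gid])  # the step LPRng omitted
    os.setgid(target_gid)
    os.setuid(target_uid)
    problems = check_dropped(target_uid, target_gid,
                             os.getuid(), os.geteuid(),
                             os.getgid(), os.getegid(), os.getgroups())
    if problems:
        raise RuntimeError("privilege drop incomplete: " + "; ".join(problems))


if __name__ == "__main__":
    # Without root this only audits the current process: the same check,
    # applied to whatever credentials and supplementary groups it holds.
    me_uid, me_gid = os.getuid(), os.getgid()
    print(check_dropped(me_uid, me_gid, me_uid, os.geteuid(),
                        me_gid, os.getegid(), os.getgroups()))
```

The same check is what a reviewer can run against any daemon after startup: compare the process's group list in the kernel (for example from `id -G` on its pid via `ps`) with the single gid it was configured to run as.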
Under some conditions, the Volution client can be controlled by an unauthorized Volution server.
Caldera recommends that users upgrade to the latest release of the Volution client and server as soon as possible.
Slackware 7.1 installs the file /etc/shells with world-writable permissions. This can be exploited by a local user to deny other users access and, in the case of a user with a restricted shell, may be used to increase their access.
It is recommended that users correct the permissions of the
Return to the Linux DevCenter.