AIX Remote Root Exploit
06/25/2001
Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at buffer overflows in AIX's rsh command, the curses library shipped with Caldera's UnixWare and OpenServer, Red Hat Linux's XFree86 packages, xinetd, MDBMS, BestCrypt, and cfingerd; format-string vulnerabilities in Kaspersky AntiVirus, eXtremail, and the Solaris at command; a symbolic-link race condition in KTVision; and problems in SGI's pmpost, AIX's diagrpt, and the FTP connection handling of the Linux kernel's iptables.
Alerts this week:
A buffer overflow has been reported in the rsh command distributed with IBM's AIX version 4.2. It may be exploited to execute arbitrary code with the permissions of the root user.
Users of AIX 4.2 should watch IBM for a patch and further information about this problem.
The curses library, a system library shipped with Caldera's UnixWare and OpenServer that lets programs manipulate a user's display without regard to the terminal type, has a buffer overflow that a local attacker can exploit to obtain root access. It affects UnixWare 7 and OpenServer versions 5.0.6a and earlier. The overflow is reached through set user id root applications that are linked against the curses library, such as the atcronsh command in OpenServer and the rtpm command in UnixWare 7.
Caldera recommends that users of UnixWare remove the set user id bit from /usr/sbin/rtpm as soon as possible and replace the affected applications with patched versions, and that users of OpenServer do the same for /usr/lib/sysadm/atcronsh.
Red Hat Linux has released updated XFree86 version 3.3.6 packages that apply many security and bug fixes and contain updated drivers for several families of cards. The security problems fixed in these packages include numerous buffer overflows, denial-of-service conditions, and temporary-file race conditions.
All users of XFree86 3.3.6 under Red Hat Linux 6.2, 7.0, and 7.1 are encouraged to upgrade to the new packages.
Kaspersky AntiVirus is a commercial antivirus package for many platforms, including Exchange, Notes, sendmail, QMail, and Postfix. It has a format-string vulnerability in the utility it uses to scan and disinfect mail as sendmail processes it. The vulnerability may be used by an attacker to execute arbitrary code with the permissions of the user that sendmail runs as (often root). The application also has a potential temporary-file race condition.
Until an updated version is available, it is recommended that users disable syslog by setting usesyslog=no in the avkeeper.ini file and contact the vendor for an update.
eXtremail, a free but closed-source POP and SMTP mail server for Linux, has a remotely exploitable format-string vulnerability that can be used to execute arbitrary code as the root user.
Users should upgrade to version 1.1.10 as soon as possible.
The at command distributed with Solaris 7 and 8 has a format-string vulnerability that can be used to obtain elevated privileges.
Users should watch Sun for an update and should remove the set user id bit from at until a patch has been applied.
xinetd has a buffer overflow that can be exploited remotely to obtain elevated privileges. It also starts with its umask set to 0, so every application xinetd launches inherits that umask and may create world-writable files. The xinetd distributed with Immunix is reported not to be exploitable through the buffer overflow because of its StackGuard protections.
Users should upgrade their xinetd package as soon as possible and should examine their systems for world-writable files.
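The umask inheritance described above, as an added example that is not part of the original column or of xinetd itself: the script creates a file under umask 0 and under 022, shows that a child process inherits its parent's umask (which is how programs started by xinetd end up with umask 0), and then scans a directory tree for world-writable files the way an administrator would after this advisory. The temporary directory and the file names are constructed for the demonstration.

```python
"""Added example (not from the column or the xinetd project): show how a
parent's umask of 0 propagates to children and yields world-writable files,
then scan a tree for such files."""
import os
import stat
import subprocess
import sys
import tempfile


def create_under_umask(directory, mask, name="out.log"):
    """Create a file the way a careless daemon would (mode 0666 requested)
    while the process umask is `mask`; return the resulting permission bits.
    The previous umask is restored afterwards."""
    old = os.umask(mask)
    try:
        path = os.path.join(directory, name)
        fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o666)
        os.close(fd)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def child_umask(mask):
    """Spawn a child interpreter while our umask is `mask` and return the umask
    the child observed: children inherit it, exactly as programs started by
    xinetd inherit xinetd's umask of 0. (os.umask returns the previous value.)"""
    old = os.umask(mask)
    try:
        out = subprocess.run(
            [sys.executable, "-c", "import os; print(os.umask(0o022))"],
            capture_output=True, text=True, check=True).stdout
    finally:
        os.umask(old)
    return int(out.strip())


def find_world_writable(root):
    """Return regular files and directories under `root` that others can write,
    skipping symlinks and sticky directories such as /tmp."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
                continue
            if st.st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed tree for the demo
        print("umask 0   ->", oct(create_under_umask(d, 0, "a")))
        print("umask 022 ->", oct(create_under_umask(d, 0o022, "b")))
        print("child sees umask", child_umask(0))
        print("world-writable:", find_world_writable(d))
```

On a real system, point find_world_writable at / (it will take a while and needs read access to every directory) and review each hit; a file created by an xinetd-launched service under umask 0 shows up as mode 0666 even though the service never asked for world access.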
MDBMS, a SQL database for Unix, contains a buffer overflow that can be exploited to gain the permissions of the user running the database.
Users should upgrade to a version of MDBMS newer than 0.99b.
BestCrypt provides an encrypted file system on a loop-back device. Versions of BestCrypt earlier than 0.8-2 have a buffer overflow in the bctool program, triggered while unmounting a file system, that can be exploited to execute arbitrary code as root.
Users of BestCrypt should upgrade to version 0.8-2 as soon as possible.
pmpost, a utility in the pcp (Performance Co-Pilot) suite from SGI, follows symbolic links improperly and, if installed set user id root, can be exploited to gain root privileges. The package is exploitable under IRIX and under SuSE 7.1 and 7.2, but is not installed by default under SuSE.
SuSE recommends that users remove the set user id bits from the pmkstat utilities. Users should watch their vendor for an update to the pcp package.
The AIX diagnostic application diagrpt can be used by a local user to execute an arbitrary script as root.
IBM recommends that users remove its set user id bit until they have applied a patch.
The cfingerd daemon has a buffer overflow that can be used to obtain root privileges.
Users should watch for an update.
KTVision, a KDE frame-grabber card application, is vulnerable to a symbolic-link race condition. On systems where KTVision is installed set user id root, the attack can be used to overwrite any file on the system.
Users should remove the set user id bit from KTVision until a fixed version has been installed.
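The workaround repeated throughout this column (for the curses library, at, pmpost, diagrpt and KTVision) is to remove the set user id bit until a patch is available. As an added example, not code from the column or from any vendor advisory, the following script audits a tree for setuid binaries, reports which of them link against a named shared library such as libcurses (the question that matters for the Caldera advisory), and strips the bit, verifying afterwards that it is gone. The temporary directory and the empty file named rtpm in it are constructed for the demonstration; on a real system you would run find_setuid over / with owner_uid=0.

```python
"""Added example (not from the column or any vendor advisory): audit a tree
for set-user-id binaries, check which link against a given shared library,
and strip the bit with verification."""
import os
import shutil
import stat
import subprocess
import tempfile


def find_setuid(root, owner_uid=None):
    """Return sorted paths of regular files under `root` with the setuid bit
    set, optionally restricted to files owned by `owner_uid` (0 for root)."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a planted symlink
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            hits.append(path)
    return sorted(hits)


def links_library(path, libname):
    """Use ldd(1) to report whether `path` is dynamically linked against a
    library whose name contains `libname` (e.g. 'libcurses'). Returns None
    when ldd is unavailable or rejects the file (not a dynamic executable),
    so callers can tell 'unknown' from 'no'."""
    ldd = shutil.which("ldd")
    if ldd is None:
        return None
    proc = subprocess.run([ldd, path], capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return any(libname in line for line in proc.stdout.splitlines())


def strip_setuid(path):
    """Clear the setuid and setgid bits on `path`; return True only if a
    fresh stat confirms both bits are clear afterwards."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_ISUID | stat.S_ISGID))
    return not os.stat(path).st_mode & (stat.S_ISUID | stat.S_ISGID)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed tree, not a real system
        victim = os.path.join(d, "rtpm")      # hypothetical stand-in for /usr/sbin/rtpm
        with open(victim, "w"):
            pass
        os.chmod(victim, 0o4755)
        print("setuid files:", find_setuid(d))
        print("links libcurses:", links_library(victim, "libcurses"))
        print("stripped:", strip_setuid(victim),
              "mode now", oct(stat.S_IMODE(os.stat(victim).st_mode)))
```

Two cautions for real use: ldd can end up running the target's dynamic loader, so only point links_library at binaries you already trust (or substitute `objdump -p` / `readelf -d` and look for NEEDED entries), and stripping the bit from a program such as at or atcronsh removes functionality for ordinary users until the vendor's patched version is installed, which is the trade-off the advisories are asking you to make.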
When iptables is configured to allow FTP-related connections through the firewall using the kernel's FTP connection-tracking support, a carefully constructed PORT command can be used by an attacker to open arbitrary holes in the firewall.
Affected users should upgrade their Linux kernel.
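A model of the check involved, as an added example and not the kernel's connection-tracking code: an FTP PORT command names the address and port that the server's data connection should be allowed to reach, and a helper that trusts that address without comparing it to the client that sent the command will punch whatever hole the command names. The strict behaviour below, which accepts an expectation only for the host that issued the PORT, is what this example assumes the fixed kernel does; the addresses and commands are constructed.

```python
"""Added example (not from the column or the netfilter code): model how an FTP
connection-tracking helper turns a PORT command into a firewall expectation,
with and without checking the named address against the issuing client."""
import ipaddress
import re

# RFC 959: PORT h1,h2,h3,h4,p1,p2 (host octets, then port high byte and low byte)
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(line):
    """Parse a PORT line into ('h1.h2.h3.h4', port).
    Returns None for anything malformed, including values above 255."""
    m = _PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.group(1).split(",")]
    if any(v > 255 for v in fields):
        return None
    host = ".".join(str(v) for v in fields[:4])
    port = (fields[4] << 8) | fields[5]
    return host, port


def expectation(ctrl_src_ip, line, strict=True):
    """Decide which inbound data connection the firewall should allow.
    ctrl_src_ip is the source of the control connection the PORT arrived on.
    strict=False mirrors the weak behaviour: whatever address the command
    names is trusted. strict=True (assumed fixed behaviour) only creates an
    expectation for the host that actually issued the command."""
    parsed = parse_port(line)
    if parsed is None:
        return None
    host, port = parsed
    if strict and ipaddress.ip_address(host) != ipaddress.ip_address(ctrl_src_ip):
        return None
    return host, port


if __name__ == "__main__":
    # Constructed traffic: a client on 192.0.2.10 names an unrelated internal host.
    hostile = "PORT 10,0,0,5,0,22"
    print("loose :", expectation("192.0.2.10", hostile, strict=False))
    print("strict:", expectation("192.0.2.10", hostile, strict=True))
    print("honest:", expectation("192.0.2.10", "PORT 192,0,2,10,200,10"))
```

In loose mode the hostile command yields an expectation for 10.0.0.5 port 22, so the firewall would admit a connection to that host's SSH port from the "FTP server" for the lifetime of the expectation; in strict mode the same command is ignored and only a PORT naming the client's own address produces a rule.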
Return to the Linux DevCenter.