Buffer Overflow in WU FTP daemon
12/03/2001
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in wu-ftpd, Open Unix and UnixWare's xlock, and NetBSD's line printer daemon; and problems in Red Hat Linux's procmail, Mandrake Linux's teTex, Hypermail, and SafeWord PremierAccess.
- Red Hat makewhatis
- Open Unix and UnixWare xlock
- Oracle dbsnmp
- SafeWord PremierAccess
- NetBSD Line Printer Daemon
The Washington University FTP daemon, wu-ftpd, has a buffer overflow that can be used by a remote attacker to execute arbitrary code on the server with root permissions. To exploit this buffer overflow, the attacker must be able to log in to the FTP daemon with an account or the anonymous account (if configured). Many Linux distributions use wu-ftpd and are vulnerable, including Red Hat Linux 5.2, 6.0, 6.1, 6.2, 7.0, 7.1, and 7.2; Linux Mandrake 6.0, 6.1, 7.0, 7.1, 7.2, 8.0, 8.1, and Corporate Server 1.0.1; OpenLinux Server 3.1 and Workstation 3.1; Conectiva Linux 6.0 and 7.0; Conectiva Linux 4.0, 4.0es, 4.1, 4.2, 5.0, and 5.1; Debian Linux 2.2; and SuSE Linux 6.1, 6.2, 6.3, and 6.4.
If wu-ftpd is configured to use RFC 931 authentication and debug mode, it is vulnerable to a format-string vulnerability that may be exploitable by a remote attacker to execute code as root. To exploit this vulnerability, the attacker must be able to log in as a user or as the anonymous account and must control or imitate the ident server to which wu-ftpd sends the
Affected users should contact their vendor for an update to wu-ftpd that fixes these problems. Administrators of systems that do not require an FTP daemon should consider disabling or removing the software.
Red Hat Linux's makewhatis command has a bug that can be exploited to overwrite or create arbitrary files with root permissions.
Users should watch Red Hat for a patch for this problem.
The xlock X Window screen locker utility supplied with Open Unix 8.0.0 and UnixWare 7 versions 7.1.0 and 7.1.1 has a buffer overflow that can be exploited by a local attacker to gain root access.
Caldera recommends that users remove the set user id bit from xlock until it has been replaced with the repaired version.
Vulnerabilities have been reported in Red Hat's and BSDI's UUCP applications that can be used to execute commands with the uucp user's account permissions. Access to the uucp account can, under some circumstances, be leveraged into root access on the machine.
Users should watch their vendor for a patch for this problem, and should consider removing or disabling uucp if it is not needed.
gnupg, the GNU Privacy Guard, has a format-string vulnerability that can be used by an attacker to execute arbitrary commands with the permissions of the user executing
It is recommended that users contact their vendor for an update.
The Oracle dbsnmp command has several vulnerabilities that can be exploited to execute arbitrary commands and to modify the ownership and permissions of arbitrary files with the permissions of the Oracle system account. The dbsnmp command can be made to execute programs from the incorrect directory, executes its chmod commands without verifying the path, and, by manipulating the ORACLE_HOME environment variable, an attacker can make it execute arbitrary commands. If the dbsnmp command is installed set user id root, these vulnerabilities can be exploited to gain root access.
Oracle recommends that users remove the set user id bit from dbsnmp and download and apply the patch for this vulnerability.
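The three dbsnmp flaws above (programs run from the wrong directory, chmod run on an unverified path, and ORACLE_HOME taken from the caller) all come down to a privileged helper trusting its environment. The following is an added example, not Oracle's code, of how a privileged helper can verify ORACLE_HOME, confine the chmod target to that tree, and run helpers by absolute path under a fixed environment; the trusted prefix and the paths used are assumptions for the example.

```python
import os

# Site-specific prefix under which every legitimate ORACLE_HOME lives.
# Constructed for this example; set it to the installation's real prefix.
TRUSTED_PREFIX = "/u01/app/oracle/product"
# Helpers are always invoked by absolute path, never looked up through PATH.
CHMOD = "/bin/chmod"


def _inside(path, root):
    """True if the already-canonical path lies under root (or equals it)."""
    root = os.path.realpath(root)
    return path == root or path.startswith(root + os.sep)


def trusted_oracle_home(env):
    """Accept ORACLE_HOME from env only if it canonicalises under TRUSTED_PREFIX.

    Raises ValueError otherwise, so a caller-supplied value such as /tmp/fake
    or <prefix>/../../../../tmp/fake can never select the tree from which the
    privileged helper loads programs and scripts.
    """
    raw = env.get("ORACLE_HOME")
    if not raw or not os.path.isabs(raw):
        raise ValueError("ORACLE_HOME missing or not an absolute path")
    home = os.path.realpath(raw)          # resolves ../ and symlinks
    if not _inside(home, TRUSTED_PREFIX):
        raise ValueError(f"ORACLE_HOME {raw!r} is outside {TRUSTED_PREFIX}")
    return home


def chmod_command(env, relative_target, mode):
    """Build argv and environment for a chmod the helper is allowed to run.

    The target is resolved relative to the verified ORACLE_HOME and must stay
    inside it, which blocks ../ escapes and symlinks that point elsewhere.
    Returns (argv, clean_env); the caller passes both to subprocess/execve.
    """
    home = trusted_oracle_home(env)
    target = os.path.realpath(os.path.join(home, relative_target))
    if not _inside(target, home):
        raise ValueError(f"target {relative_target!r} escapes ORACLE_HOME")
    # Fixed, minimal environment: nothing is inherited from the caller.
    clean_env = {"PATH": "/usr/bin:/bin", "ORACLE_HOME": home}
    return [CHMOD, mode, target], clean_env
```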
Some versions of procmail have a vulnerability that can be exploited by an attacker by using specific signals. If procmail is installed set user id, this vulnerability can be exploited to gain additional privileges.
It is recommended that affected users upgrade procmail to version 3.20 (unstable) or version 3.15.2.
The teTex print filters that are used when printing .dvi files with the lpr daemon under Mandrake Linux 7.1, 7.2, 8.0, 8.1, and Corporate Server 1.0.1 have a problem that may be used by an attacker to gain additional privileges.
Mandrakesoft recommends that affected users update their teTex packages as soon as possible.
Hypermail converts email into HTML pages and is often used to create Web page archives for email lists. Attachments in email messages are written to files with the same file name used in the email message, including file extensions. An attacker can therefore create an arbitrary file on the Web server hosting the archive that can contain server-side include instructions or an executable CGI script. This vulnerability can be exploited to execute arbitrary commands on the server with the permissions of the user running the Web server.
Users should watch for a version of Hypermail that repairs this vulnerability.
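The root cause above is that a message-supplied attachment name is used verbatim as a file name under the Web server's document root. As an added example (not Hypermail's code), here is a sanitiser for such names that drops directory components, hidden-file prefixes and shell metacharacters, removes every extension the server would hand to a CGI or SSI handler, and prefixes a per-message counter so identical names from different messages cannot overwrite one another. The extension list is a constructed assumption and must match the server's actual handler configuration.

```python
import posixpath
import re

# Extensions the archive's web server would execute or pre-process if a file
# carrying them appeared under the document root. Constructed for this
# example; match it to the server's handler configuration.
SERVER_HANDLED_EXTENSIONS = {"cgi", "pl", "php", "php3", "shtml", "shtm", "stm", "sh"}

# Any character outside this set is replaced so that shell metacharacters and
# control characters never reach the file system.
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_attachment_name(header_name, seq):
    """Derive a safe on-disk name from a message-supplied attachment name.

    header_name: file name taken from the message's Content-Disposition or
                 Content-Type header (entirely under the sender's control).
    seq:         per-message attachment counter; used as a prefix so two
                 messages with the same attachment name cannot collide.
    """
    # Directory components, including "../" and absolute paths, are dropped.
    name = posixpath.basename(header_name.replace("\\", "/"))
    # Leading dots would create hidden files such as .htaccess.
    name = name.lstrip(".")
    name = UNSAFE_CHARS.sub("_", name)

    parts = [p for p in name.split(".") if p]
    if not parts:
        return f"{seq:03d}-attachment.bin"
    stem, exts = parts[0], parts[1:]
    # Apache-style servers act on any handled extension in the name, not only
    # the last one, so every extension component is filtered.
    exts = [e for e in exts if e.lower() not in SERVER_HANDLED_EXTENSIONS]
    if not exts:
        exts = ["bin"]      # an unhandled extension the server only serves
    return f"{seq:03d}-" + ".".join([stem] + exts)


if __name__ == "__main__":
    # Constructed sample names as they might arrive in mailing-list traffic.
    for i, sample in enumerate(["report.pdf", "../../cgi-bin/run.cgi",
                                "page.shtml", "notes.cgi.txt", ".htaccess"], 1):
        print(f"{sample!r:28} -> {sanitize_attachment_name(sample, i)}")
```

Writing the archive into a directory whose server configuration disables CGI and server-side includes is the second, independent layer; the sanitiser alone should not be relied on.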
Secure Computing's SafeWord PremierAccess application contains a modified SSH server that is vulnerable to the CRC-32 compensation attack that was reported last month in Security Alerts. It has been reported that this vulnerability in SafeWord PremierAccess is being actively exploited.
Users should contact Secure Computing for an updated SSH server or replace the supplied SSH server with OpenSSH.
The NetBSD line printer daemon lpd has a remotely exploitable buffer overflow that can be exploited to gain increased privileges. On NetBSD 1.3 and later systems, the line printer daemon is disabled by default.
It is recommended that users patch the line printer daemon or upgrade their system.
Return to the Linux DevCenter.