ProFTPD's DoS Problem and Slash's Weak Link
01/14/2002
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at several problems with ProFTPD; a buffer overflow in the glibc globbing functions; a Trojan horse disguised as an exploit; a buffer overflow in Mandrake Linux's Kerberos telnet; and problems in Slash, IBM WebSphere, popauth, dtspcd, wmcube-gdk, Aftpd, TWIG, PGPMail.pl, and the Cisco SN 5420.
The ProFTPD FTP daemon is vulnerable to a denial-of-service attack and has a flaw in the way it resolves client host names. The denial-of-service attack can be used by a remote attacker to make ProFTPD consume all of the CPU and memory on the server. The resolution flaw is that ProFTPD reverse-resolves the client's address to a host name but does not check that the name resolves forward to the same address. An attacker who controls the reverse DNS for their own address can therefore present any host name they like, which can be used to get around host-name-based ProFTPD access control lists or to put incorrect host names into the logs.
Users should upgrade ProFTPD to version 1.2.5rc1 or newer.
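The check ProFTPD was missing is forward-confirmed reverse DNS: accept a client's host name only if the PTR name resolves back to the connecting address. The following is an added example written for this column, not ProFTPD code. The resolver is injected as two functions so the check runs against constructed sample records (the 192.0.2.0/24 and example.net names below are documentation values, not real hosts); in production the assumed stand-ins would wrap socket.gethostbyaddr() and socket.getaddrinfo().

```python
"""Forward-confirmed reverse DNS (FCrDNS) before trusting a client host name.

Added example, not ProFTPD code. Lookups are injected as functions so the
check runs against constructed data; the assumed production versions wrap
socket.gethostbyaddr() and socket.getaddrinfo().
"""
import ipaddress
from fnmatch import fnmatch
from typing import Callable, Iterable, List, Optional

ReverseLookup = Callable[[str], Optional[str]]  # address -> PTR name, or None
ForwardLookup = Callable[[str], Iterable[str]]  # name -> addresses it resolves to


def confirmed_hostname(ip: str, reverse: ReverseLookup,
                       forward: ForwardLookup) -> Optional[str]:
    """Return the client's host name only if the PTR name resolves back to ip.

    The reverse zone for an address is controlled by whoever holds that
    address block, so the PTR name alone is attacker-chosen input. The forward
    lookup is controlled by the owner of the name, which is the party a
    host-name ACL actually intends to trust.
    """
    name = reverse(ip)
    if not name:
        return None
    name = name.rstrip(".").lower()
    try:
        forward_addrs = {ipaddress.ip_address(a) for a in forward(name)}
    except (OSError, ValueError):        # NXDOMAIN, timeout, malformed record
        return None
    return name if ipaddress.ip_address(ip) in forward_addrs else None


def host_allowed(ip: str, allow_patterns: List[str], reverse: ReverseLookup,
                 forward: ForwardLookup, confirm: bool = True) -> bool:
    """Host-name ACL. confirm=False reproduces the weakness: trust the PTR as-is."""
    if confirm:
        name = confirmed_hostname(ip, reverse, forward)
    else:
        name = (reverse(ip) or "").rstrip(".").lower() or None
    if name is None:
        return False                     # unconfirmed clients get no name-based access
    return any(fnmatch(name, pat.lower()) for pat in allow_patterns)


# Constructed sample DNS data (documentation ranges; not real records).
SAMPLE_PTR = {
    "192.0.2.10": "ftp-client.example.net.",  # honest client, forward record agrees
    "192.0.2.66": "admin.example.net.",       # attacker's address with a forged PTR
}
SAMPLE_A = {
    "ftp-client.example.net": ["192.0.2.10"],
    "admin.example.net": ["192.0.2.5"],       # the real admin host lives elsewhere
}


def sample_reverse(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def sample_forward(name: str) -> List[str]:
    return SAMPLE_A.get(name, [])


if __name__ == "__main__":
    acl = ["*.example.net"]
    for client in ("192.0.2.10", "192.0.2.66", "192.0.2.99"):
        print(client,
              "ptr-only:", host_allowed(client, acl, sample_reverse, sample_forward, confirm=False),
              "fcrdns:", host_allowed(client, acl, sample_reverse, sample_forward))
```

With the forged PTR, the PTR-only check lets 192.0.2.66 through the *.example.net ACL while the confirmed check does not; a daemon that logs only confirmed names (or the bare address when confirmation fails) also avoids writing the attacker's chosen name into its logs.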
The globbing functions in the glibc library have a buffer overflow that under some circumstances may be exploitable. The globbing functions expand file-name patterns such as *.c according to shell matching rules, and are called by any program that accepts such patterns from a user, including FTP daemons.
Users should contact their vendor for an updated glibc for their
Slash, the software behind many Web sites (including Slashdot), has a vulnerability that can be exploited to gain access to any account, including those of administrators. Vulnerable versions include 2.1.x, 2.2.0, 2.2.1, 2.2.2, and some versions available through CVS. Slash versions 2.0.x and earlier are not vulnerable.
It is recommended that affected users upgrade to Slash version 2.2.3 or the latest CVS version as soon as possible and disable users.pl until the upgrade has been made. Once Slash has been upgraded, administrators should check the seclev field of the users table to ensure that no unauthorized user has a value of 100 or greater (the administrator threshold), and all users should change their passwords.
In a default WebSphere installation, a local attacker can create a custom Java application that, when run under WebSphere, retrieves the user ID and password WebSphere itself uses, granting the attacker increased privileges. Because the default installation runs WebSphere as root, the attacker may be able to leverage those privileges into root access to the server.
Users should run WebSphere as a non-privileged user and restrict access to the server to trusted users.
The popauth utility that is distributed with the Qpopper package has a vulnerability that can be exploited to execute arbitrary code with the permissions of the user it is installed to run as (usually the pop
Users should remove the set user id bit from popauth until it has been
Sun has released patches that repair a buffer overflow in the CDE Subprocess Control Service daemon, dtspcd. The daemon is normally started from inetd and listens on TCP port 6112, so the overflow is reachable over the network. Patches have been released for Solaris 8, 7, 2.6, and 2.5.1 (SunOS 5.8, 5.7, 5.6, and 5.5.1).
It is recommended that the patches be applied as soon as possible.
Michal Zalewski reported that a file claiming to be a dcron exploit written by Michal and Rafal Wojtczuk was actually a Trojan horse that mails the system password file to an email address and creates a set user id copy of bash in /tmp. This is a very good reminder of the dangers of running an exploit obtained from an
The wmcube-gdk application has a buffer overflow that can be exploited to execute arbitrary code with the permissions of the
Access to the kmem group may be leveraged into root access.
Users should remove wmcube-gdk or take away its set group id bit until it has been patched.
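Three of the items above come down to set-user-ID and set-group-ID bits: the Trojan "exploit" plants a set-uid bash in /tmp, and the popauth and wmcube-gdk advice is to strip the bit until a fix arrives. The following added example (written for this column, not code from any of those packages) walks a tree, reports every regular file carrying either bit, and strips the bits in place. The demo tree it builds in a temporary directory is constructed to mirror those cases; the file names in it are placeholders and nothing in it is executed.

```python
"""Find and strip set-user-ID / set-group-ID bits under a directory tree.

Added example, not from the column or from any of the packages it covers.
demo() builds a constructed tree in a temp dir; nothing in it is executed.
"""
import os
import stat
import tempfile
from typing import List, Tuple


def find_setid_files(root: str) -> List[Tuple[str, str]]:
    """Return sorted (path, kind) for regular files with S_ISUID and/or S_ISGID set.

    lstat() is used so a symlink pointing at a privileged binary is not
    reported twice; the bit lives on the target and is found there.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
            except OSError:              # vanished or unreadable: skip, keep going
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            kinds = []
            if st.st_mode & stat.S_ISUID:
                kinds.append("suid")
            if st.st_mode & stat.S_ISGID:
                kinds.append("sgid")
            if kinds:
                found.append((path, "+".join(kinds)))
    return sorted(found)


def strip_setid(path: str) -> int:
    """Clear both set-id bits, keep every other permission bit; return the new mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    new_mode = mode & ~(stat.S_ISUID | stat.S_ISGID)
    os.chmod(path, new_mode)             # same effect as chmod u-s,g-s
    return new_mode


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Constructed tree: a set-uid shell copy under tmp/, a set-gid helper, a plain file.

    Returns (findings relative to the tree root, findings after stripping).
    """
    root = tempfile.mkdtemp(prefix="setid-demo-")
    os.makedirs(os.path.join(root, "tmp"))
    os.makedirs(os.path.join(root, "usr", "bin"))
    suid_shell = os.path.join(root, "tmp", "bash")            # what the Trojan dropped
    sgid_helper = os.path.join(root, "usr", "bin", "wmcube-gdk")
    plain = os.path.join(root, "usr", "bin", "ls")
    for p in (suid_shell, sgid_helper, plain):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")       # placeholder content, never run
    os.chmod(suid_shell, 0o4755)
    os.chmod(sgid_helper, 0o2755)
    os.chmod(plain, 0o755)
    before = [(os.path.relpath(p, root), kind) for p, kind in find_setid_files(root)]
    for p, _kind in find_setid_files(root):
        strip_setid(p)
    after = [(os.path.relpath(p, root), kind) for p, kind in find_setid_files(root)]
    return before, after


if __name__ == "__main__":
    found_before, found_after = demo()
    print("before:", found_before)
    print("after: ", found_after)
```

On a live system the equivalent one-shot audit is find / -xdev -type f -perm /6000; run it once to record the expected set-id inventory, and anything new under /tmp or another world-writable directory afterwards is worth a close look.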
Mandrake has released an update to its Kerberos packages for Mandrake Linux 8.1 that fixes a buffer overflow in the Kerberos telnet package. This buffer overflow can be exploited by a local attacker to gain root
Mandrake recommends that affected users upgrade to the new packages as soon as possible.
The FTP daemon Aftpd has a bug that can be exploited locally to make it dump a core file containing password hashes read from the password database. The hashes can then be fed to a password cracker in an attempt to obtain access to additional accounts.
Users of Aftpd should disable it until it has been repaired and should consider switching to a more actively developed server.
The default installation of the Web-based groupware application TWIG stores the login name and password in the user's cookie as raw URL-encoded data, so anyone who obtains the cookie can decode both to plain text trivially. To fix this, edit the file /config/config.php so that the line:
$config["security"] = "basic";
reads
$config["security"] = "advanced";
and the line:
$config["login_handler"] = "cookie";
reads
$config["login_handler"] = "securecookie.php4session";
PGPMail.pl, a Perl CGI script that PGP-encrypts data submitted via a Web form and emails it, has several flaws that can be used to execute arbitrary commands on the server with the permissions of the user the Web server runs as.
It is recommended that users disable the script until a patch is available.
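The column does not say how PGPMail.pl's flaws work, and the example below is not that script's code. It is an added illustration of the bug class that most often turns a CGI mailer into remote command execution: a form field pasted into a command line that a shell interprets, beside the two fixes a patched script needs (an allow-list check on the field and an argv exec with no shell). To run offline, /bin/echo is assumed as a stand-in for the mail or pgp binary, so each call prints its arguments instead of sending anything.

```python
"""Form input interpolated into a shell command, beside the argv/allow-list form.

Added example, not PGPMail.pl's code. /bin/echo is assumed as a stand-in for
the mail or pgp binary so the example runs offline and prints rather than sends.
"""
import re
import subprocess

MAILER = "/bin/echo"   # assumption: stands in for the real mail/pgp command


def send_unsafe(recipient: str) -> str:
    """The bug class: the form field is pasted into a command line run by /bin/sh.

    Equivalent to Perl's system("$mailer $recipient") or open(PIPE, "| $mailer $recipient"):
    ';', '|', '`', '$(...)' and newlines in the field are honoured by the shell.
    """
    cmd = f"{MAILER} {recipient}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def send_argv(recipient: str) -> str:
    """No shell involved: the field is a single argv element, metacharacters are just bytes."""
    return subprocess.run([MAILER, recipient], capture_output=True, text=True).stdout


# Allow-list for a mailbox address; anything outside it is rejected, not escaped.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def validate_recipient(recipient: str) -> bool:
    return bool(ADDRESS_RE.fullmatch(recipient))


def send_safe(recipient: str) -> str:
    """Both defences together: validate first, then exec with argv and no shell."""
    if not validate_recipient(recipient):
        raise ValueError(f"rejected recipient: {recipient!r}")
    return send_argv(recipient)


if __name__ == "__main__":
    payload = "user@example.com; echo INJECTED"   # constructed malicious form value
    print(repr(send_unsafe(payload)))   # two commands ran: the second was the attacker's
    print(repr(send_argv(payload)))     # one command, the whole field as a literal argument
    try:
        send_safe(payload)
    except ValueError as err:
        print(err)
```

The argv form alone stops the shell from parsing the field, but the field still reaches the mailer as an argument, which is why the allow-list check comes first: a mailer that treats a leading "-" as an option is a separate way to lose, and rejecting anything that does not look like an address closes it.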
The Cisco SN 5420 Storage Router has two vulnerabilities that can be used in denial-of-service attacks and a third that can be exploited to gain access to the device's configuration. Software releases up to and including version 1.1(5) are vulnerable.
Cisco recommends that users upgrade to software version 1.1(7).
Read more Security Alerts columns.
Return to the Linux DevCenter.