Linux Kernel Exploitation
by Noel Davis
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in the Linux kernel, Oracle Database Server, Oracle Application Server, DB2 Universal Database, cfengine, vpopmail, MIT Kerberos 5, libDtHelp, Anonymous CVS, Samba, zlib, Courier-IMAP, and Python.
- The Linux Kernel
- Oracle Database Server and Oracle Application Server
- DB2 Universal Database
- MIT Kerberos 5
- SSHD/Anonymous CVS
The Linux Kernel
A problem in the way the Linux kernel handles 64-bit file offset pointers can, under some conditions, be exploited by an attacker to view portions of kernel memory and gain access to sensitive information, such as the root password. This problem is reported to affect Linux kernel versions 2.4 through 2.4.26 and 2.6 through 2.6.7.
Users should watch their vendors for an updated version of the Linux kernel.
Oracle Database Server and Oracle Application Server
Multiple unspecified security vulnerabilities (including buffer overflows, PL/SQL injection bugs, trigger abuse conditions, character set conversion bugs, and bugs that can be used in a denial-of-service attack) have been reported to affect the Oracle Database Server and the Oracle Application Server. Affected versions include Oracle Database 10g Release 1 Version 10.1.0.2; Oracle9i Database Server Release 2 versions 18.104.22.168 and 22.214.171.124; Oracle9i Database Server Release 1, versions 126.96.36.199, 188.8.131.52, and 9.0.4; Oracle8i Database Server Release 3, version 184.108.40.206; Oracle Application Server 10g (9.0.4), versions 220.127.116.11 and 18.104.22.168; Oracle9i Application Server Release 2, versions 22.214.171.124 and 126.96.36.199; and Oracle9i Application Server Release 1, version 188.8.131.52.
It is reported that Oracle released, on August 31, 2004, a set of patches to repair three vulnerabilities and that the patches are available from Oracle's Metalink web site. Users of affected Oracle products should contact Oracle for more information.
DB2 Universal Database
IBM's DB2 Universal Database is reported to be vulnerable to two remotely exploitable buffer overflows. While details have been withheld, a vulnerability of this type often can be exploited to execute arbitrary code with the permissions of the account running the database. Versions of DB2 reported to be affected by this vulnerability are DB2 8.1 Fixpak 6 and older, and DB2 7.x Fixpak 11 and older.
IBM has released Fixpak 7 for DB2 8.1 and Fixpak 12 for DB2 7.x. Affected users are encouraged to upgrade as soon as possible.
A heap corruption bug has been reported in the RSA authentication code of cfengine's cfservd daemon. This bug, under some circumstances, is exploitable by a remote attacker to execute arbitrary code with root permissions. An additional bug in cfservd may be exploited as part of a denial-of-service attack against cfservd. Users of cfengine should watch their vendors for an updated package.
vpopmail is used to manage virtual email domains and non-/etc/passwd email accounts on a qmail or Postfix mail server. vpopmail is vulnerable to several SQL injection bugs and, under some conditions, a buffer overflow and a format-string-based bug. These vulnerabilities may be exploitable by a remote attacker to execute arbitrary code with the permissions of the user account running vpopmail.
The developers of vpopmail recommend that users upgrade to the 5.4.6 release or newer as soon as possible.
MIT Kerberos 5
Problems have been discovered in the KDC utility, the ASN.1 decoder library, and the krb5 library code in versions of MIT Kerberos 5 earlier than krb5-1.3.5. Under some conditions, these problems may be exploitable by a remote attacker to execute arbitrary code with (in many cases) root permissions, or be used to conduct a denial-of-service attack. At this time, no exploits have been published, and the MIT Kerberos 5 development team believes that exploiting these vulnerabilities would be very difficult.
Users of MIT Kerberos 5 should upgrade to krb5-1.3.5 or newer as soon as possible.
The libDtHelp library distributed with the Common Desktop Environment (CDE) contains a buffer overflow vulnerability that can be exploited by a local attacker to gain root permissions and execute arbitrary commands. The buffer overflow is in the library code that handles environment variables. When exploited in a CDE application that is installed set-user-ID root, the attacker will gain root permissions.
Affected users should watch their vendors for a repaired version of the libDtHelp library.
Sites allowing anonymous CVS in conjunction with a default install of SSH may be vulnerable to an attack that uses the SSH port-forwarding functionality to bounce unauthorized network traffic (for example, spam) through the server.
It is suggested that any site that allows anonymous connections set the TCP-forwarding option to no in its sshd_config file.
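The hardening recommended here can be checked mechanically. The following C function is an added example written for this column, not code from the column or from OpenSSH; it inspects the text of an sshd_config for the global TCP-forwarding setting. It assumes the directive in question is `AllowTcpForwarding`, the standard sshd_config keyword for this feature (the column does not name it), and applies two rules from sshd_config(5): the first occurrence of a keyword wins, and anything after a `Match` line is conditional and therefore does not change the global value. The two configuration texts are constructed samples.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sshd_config samples (not from the column). */
static const char *WEAK_CONFIG =
    "# Default install: forwarding is never mentioned, so sshd allows it\n"
    "Port 22\n"
    "PermitRootLogin no\n"
    "Subsystem sftp /usr/libexec/sftp-server\n";

static const char *HARDENED_CONFIG =
    "Port 22\n"
    "PermitRootLogin no\n"
    "AllowTcpForwarding no\n"
    "X11Forwarding no\n"
    "# Ignored: sshd keeps the first value it sees for a keyword\n"
    "AllowTcpForwarding yes\n";

/* Case-insensitive comparison of a token (tok, len) against a keyword;
 * sshd_config keywords are not case sensitive. */
static int keyword_is(const char *tok, size_t len, const char *kw)
{
    if (strlen(kw) != len)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)kw[i]))
            return 0;
    return 1;
}

/* Returns 1 if the global AllowTcpForwarding setting permits forwarding
 * (any value other than "no", or the keyword absent, since sshd's default
 * is "yes"), 0 if it is set to "no".  Two sshd_config rules are applied:
 * the first occurrence of a keyword wins, and directives after a "Match"
 * line are conditional, so scanning stops there. */
int tcp_forwarding_allowed(const char *config)
{
    const char *line = config;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        const char *end = nl ? nl : line + strlen(line);
        const char *p = line;

        while (p < end && isspace((unsigned char)*p))
            p++;
        if (p < end && *p != '#') {                 /* not blank, not a comment */
            const char *kw = p;
            while (p < end && !isspace((unsigned char)*p) && *p != '=')
                p++;
            size_t kwlen = (size_t)(p - kw);

            if (keyword_is(kw, kwlen, "Match"))
                break;                              /* rest is conditional */
            if (keyword_is(kw, kwlen, "AllowTcpForwarding")) {
                /* keyword and value are separated by whitespace or one '=' */
                while (p < end && (isspace((unsigned char)*p) || *p == '='))
                    p++;
                const char *val = p;
                while (p < end && !isspace((unsigned char)*p))
                    p++;
                return !keyword_is(val, (size_t)(p - val), "no");
            }
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return 1;                                       /* absent: default yes */
}

int main(void)
{
    printf("default install : forwarding %s\n",
           tcp_forwarding_allowed(WEAK_CONFIG) ? "ALLOWED" : "disabled");
    printf("hardened config : forwarding %s\n",
           tcp_forwarding_allowed(HARDENED_CONFIG) ? "ALLOWED" : "disabled");
    return 0;
}
```

The point the weak sample makes is that silence is not safety: an sshd_config that never mentions forwarding inherits the permissive default, which is exactly the "default install" condition the advisory describes. Stopping at `Match` is deliberate; a `no` that applies only to some users leaves the anonymous account covered by the global default.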
A denial-of-service vulnerability has been announced for all versions of Samba earlier than 3.0.6 and 2.2.11. This vulnerability is triggered when a Microsoft Windows XP SP2 client sends a FindNextPrintChangeNotify() request without having first sent the request that must precede it.
The Samba developers have released versions 3.0.6 and 2.2.11 of Samba to mitigate this problem.
The zlib library is reported to be vulnerable to a denial-of-service attack in applications linked to the library. The attack is reported to rely on bugs in the library.
Affected users should watch their vendors for a repaired version of the zlib library.
The Courier-IMAP IMAP email server has a format-string-based vulnerability in its auth_debug() function, when DEBUG_LOGIN is enabled, that can be exploited by a remote attacker to execute arbitrary code with the permissions of the user account running Courier-IMAP.
It is recommended that users upgrade to a repaired version of Courier-IMAP as soon as possible.
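To make the class of defect behind the Courier-IMAP advisory concrete, here is an added C example; it is not Courier-IMAP's code, and the `auth_debug` below is a hypothetical stand-in that shares only the name. It shows the pattern that keeps a debug logger safe: the format string is always a literal, client-supplied text is always bound to a `%s` argument, the compiler is told (through the GCC/Clang `format` attribute) to warn at any call site that breaks that rule, and over-long output is truncated and marked rather than overflowing. The hostile login name is a constructed sample.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* GCC/Clang: have the compiler check that every call site passes a
 * literal format (-Wformat -Wformat-security flag a non-literal one). */
#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, arg_idx) __attribute__((format(printf, fmt_idx, arg_idx)))
#else
#define PRINTF_LIKE(fmt_idx, arg_idx)
#endif

#define DEBUG_LINE_MAX 256

/* The defective pattern (CWE-134), shown only as a comment:
 *
 *     snprintf(out, outlen, client_name);   // client text IS the format
 *
 * Any '%' in client_name is then interpreted as a directive.  Everything
 * below keeps caller data out of the format slot. */

/* Formats into out[outlen]; returns the length the full line needed (like
 * vsnprintf) so callers can detect truncation, which is marked with "...". */
static int auth_debug_v(char *out, size_t outlen, const char *fmt, va_list ap)
{
    int n = vsnprintf(out, outlen, fmt, ap);
    if (n < 0) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    if ((size_t)n >= outlen) {
        static const char mark[] = "...";           /* 4 bytes incl. NUL */
        if (outlen >= sizeof mark)
            memcpy(out + outlen - sizeof mark, mark, sizeof mark);
    }
    return n;
}

/* Hypothetical debug logger (name shared with the Courier-IMAP function
 * only for illustration).  The format must be a literal at every call. */
PRINTF_LIKE(3, 4)
int auth_debug(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = auth_debug_v(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened login trace: the client-supplied name is always a %s argument. */
int log_login_attempt(char *out, size_t outlen, const char *client_name)
{
    return auth_debug(out, outlen, "login attempt for [%s]", client_name);
}

/* Returns 1 if a name full of directives reaches the log verbatim, i.e. its
 * '%' characters were logged as data rather than interpreted. */
int demo_directives_are_data(void)
{
    char line[DEBUG_LINE_MAX];
    const char *hostile = "alice%x%x%n";            /* constructed input */
    int n = log_login_attempt(line, sizeof line, hostile);
    return n > 0 && strcmp(line, "login attempt for [alice%x%x%n]") == 0;
}

/* Returns 1 if an over-long name is truncated and marked, not overflowed. */
int demo_truncation_marked(void)
{
    char small[24];
    char longname[300];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    int n = log_login_attempt(small, sizeof small, longname);
    return n > (int)sizeof small
        && strlen(small) == sizeof small - 1
        && strcmp(small + sizeof small - 4, "...") == 0;
}

int main(void)
{
    char line[DEBUG_LINE_MAX];
    log_login_attempt(line, sizeof line, "alice%x%x%n");
    printf("%s\n", line);                           /* directives kept as text */
    return 0;
}
```

The attribute is what turns this from a convention into a check: with `-Wformat -Wformat-security`, a future call such as `auth_debug(out, n, client_name)` is reported at compile time, which is the cheapest place to catch the bug the advisory describes.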
A buffer overflow in the Python programming language's DNS handling function getaddrinfo() may be exploitable under some conditions and result in arbitrary code being executed. Python is only vulnerable when IPv6 is disabled.
Users should watch their vendors for a repaired version of Python or upgrade to Python 2.2.2 or newer.