Security Alerts

AIX Remote Root Exploit

06/25/2001

Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column we look at buffer overflows in AIX's rsh, the curses library shipped with UnixWare and OpenServer, Red Hat Linux's XFree86 packages, xinetd, MDBMS, BestCrypt, and cfingerd; format-string vulnerabilities in Kaspersky AntiVirus, eXtremail, and the Solaris at command; a symbolic-link race condition in KTVision; unsafe symlink handling in pmpost; a privilege-escalation problem in AIX's diagrpt; and a hole in the FTP connection tracking used by iptables.

AIX rsh

A buffer overflow has been reported in the rsh command shipped with IBM's AIX version 4.2. It may be exploited to execute arbitrary code as the root user.

Users of AIX 4.2 should watch IBM for a patch and further information about this problem.

curses library

The curses library, a system library shipped with UnixWare and OpenServer that lets programs manipulate the user's display without regard to the terminal type, has a buffer overflow that an attacker can exploit to obtain root access. The overflow affects UnixWare 7 and OpenServer versions 5.0.6a and earlier. It is reached through set user id root programs linked against the curses library, such as the atcronsh command on OpenServer and the rtpm command on UnixWare 7.

Caldera recommends that UnixWare users remove the set user id bit from /usr/sbin/rtpm as soon as possible and replace the affected programs with patched versions. OpenServer users should do the same for /usr/lib/sysadm/atcronsh.

Red Hat Linux XFree86 Packages

Red Hat has released updated XFree86 version 3.3.6 packages that apply many security and bug fixes and contain updated drivers for several families of video cards. The security problems fixed in these packages include numerous buffer overflows, denial-of-service conditions, and temporary-file race conditions.

All users of XFree86 3.3.6 under Red Hat Linux 6.2, 7.0, and 7.1 are encouraged to upgrade to the new packages.

Kaspersky AntiVirus

Kaspersky AntiVirus is a commercial antivirus package available for many platforms, including Exchange, Notes, sendmail, QMail, and Postfix. The utility it uses to scan and disinfect mail as sendmail processes it has a format-string vulnerability. An attacker may be able to use it to execute arbitrary code with the permissions of the user sendmail runs as (often root). The application also has a potential temporary-file race condition.

It is recommended that users disable syslog by setting usesyslog=no in the avkeeper.ini file and contact the vendor for an updated version.

eXtremail

eXtremail, a free but closed-source POP and SMTP mail server for Linux, has a remotely exploitable format-string vulnerability that can be used to execute arbitrary code as root.

Users should upgrade to version 1.1.10 as soon as possible.

Solaris 'at' Command

The at command distributed with Solaris 7 and 8 has a format-string vulnerability that can be used to obtain increased privileges.

Users should watch Sun for an update and should remove the set user id bit from at until a patch has been applied.
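The three format-string advisories above (Kaspersky AntiVirus, eXtremail, and the Solaris at command) share one shape of bug. The following is an added example written for this column, not code from any of those products: a string that arrived from the network or the command line is handed to a printf-family function as the format argument, so '%' sequences in it are interpreted instead of copied. The demo uses "%%", the one directive whose effect is well defined without matching arguments; real attacks use "%x" to read the stack and "%n" to write memory. The input strings and function names are constructed for the example.

```c
/* Added example (not code from Kaspersky, eXtremail or Sun): a format-string
 * bug in miniature, its fix, and a stop-gap filter. */
#include <stdio.h>
#include <string.h>

#define LOGLINE_MAX 128

/* Vulnerable: attacker-controlled text is used as the format string.
 * "%%" in the input collapses to "%"; "%x" or "%n" would read or write
 * whatever happens to be in the argument registers and on the stack. */
int format_log_vulnerable(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, untrusted);      /* BUG: no literal format */
}

/* Fixed: the format is a literal and the untrusted text is only data. */
int format_log_fixed(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s", untrusted);
}

/* Stop-gap for a binary you cannot rebuild yet (a mail filter fed by
 * sendmail, say): reject input carrying any conversion directive.
 * Returns 1 if the string contains a '%' that is not part of "%%". */
int has_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {          /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;                   /* "%n", "%x", or a lone trailing '%' */
    }
    return 0;
}

int main(void)
{
    char out[LOGLINE_MAX];
    const char *input = "rate 100%%";   /* constructed untrusted input */

    format_log_vulnerable(out, sizeof out, input);
    printf("vulnerable: %s\n", out);    /* the directive was consumed */
    format_log_fixed(out, sizeof out, input);
    printf("fixed:      %s\n", out);    /* copied verbatim */
    printf("reject \"user %%n\": %d\n", has_format_directive("user %n"));
    return 0;
}
```

The filter is a workaround of the same kind as the column's usesyslog=no advice: it removes the attacker's reach, not the bug. Rebuilding with a literal format string is the fix.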

xinetd

xinetd has two problems. First, a buffer overflow can be exploited remotely to obtain increased privileges. Second, xinetd starts with its umask set to 0; every application it launches inherits that umask and may therefore create world-writable files. The xinetd distributed with Immunix is reported not to be exploitable through the buffer overflow because of its StackGuard protection.

Users should upgrade their xinetd package as soon as possible and should examine their system for world-writable files.
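The audit this advisory calls for, as an added example in C rather than anything from the xinetd project or a vendor: walk a directory tree without following symlinks and count regular files that are world-writable (what an inherited umask of 0 produces) and files carrying the set user id or set group id bit, the bit this column repeatedly advises removing from vulnerable programs such as rtpm, atcronsh, and at. run_audit_demo() stages a throwaway tree under /tmp to show both conditions; its file names and modes are constructed for the demo.

```c
/* Added example (not xinetd code): scan for world-writable and setuid
 * files, and show how the creating process's umask decides the mode. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct audit_counts {
    int world_writable;
    int setuid;
    int setgid;
};

/* Recursively scan `dir`.  lstat() is used so that a symlink planted by an
 * attacker is never followed into another tree. */
void scan_tree(const char *dir, struct audit_counts *c)
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        char path[PATH_MAX];
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        struct stat st;
        if (lstat(path, &st) != 0)
            continue;
        if (S_ISDIR(st.st_mode)) {
            scan_tree(path, c);
            continue;
        }
        if (!S_ISREG(st.st_mode))
            continue;                         /* links, sockets, devices: skip */
        if (st.st_mode & S_IWOTH) c->world_writable++;
        if (st.st_mode & S_ISUID) c->setuid++;
        if (st.st_mode & S_ISGID) c->setgid++;
    }
    closedir(d);
}

/* Create `path` the way a child of xinetd would: mode 0666 filtered by the
 * umask it inherited.  Returns the resulting permission bits, 0 on error. */
mode_t create_under_umask(const char *path, mode_t mask)
{
    mode_t old = umask(mask);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);
    if (fd < 0)
        return 0;
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    return rc == 0 ? (st.st_mode & 07777) : 0;
}

/* Build a constructed tree, scan it, clean up.  Returns 0 on success. */
int run_audit_demo(struct audit_counts *c, mode_t *umask0_mode, mode_t *umask022_mode)
{
    char tmpl[] = "/tmp/auditXXXXXX";
    char *root = mkdtemp(tmpl);
    if (root == NULL)
        return -1;
    char spool[PATH_MAX], sane[PATH_MAX], sub[PATH_MAX], helper[PATH_MAX];
    snprintf(spool, sizeof spool, "%s/spool.log", root);
    snprintf(sane, sizeof sane, "%s/sane.log", root);
    snprintf(sub, sizeof sub, "%s/libexec", root);
    snprintf(helper, sizeof helper, "%s/libexec/helper", root);

    *umask0_mode = create_under_umask(spool, 0);      /* xinetd's umask: 0666 */
    *umask022_mode = create_under_umask(sane, 022);   /* a sane umask: 0644 */
    mkdir(sub, 0755);
    create_under_umask(helper, 022);
    chmod(helper, 04755);                             /* a set user id helper */

    memset(c, 0, sizeof *c);
    scan_tree(root, c);

    unlink(helper); rmdir(sub); unlink(sane); unlink(spool); rmdir(root);
    return 0;
}

int main(void)
{
    struct audit_counts c;
    mode_t m0, m022;
    if (run_audit_demo(&c, &m0, &m022) != 0)
        return 1;
    printf("umask 0 -> %04o, umask 022 -> %04o\n", (unsigned)m0, (unsigned)m022);
    printf("world-writable: %d  setuid: %d  setgid: %d\n",
           c.world_writable, c.setuid, c.setgid);
    return 0;
}
```

Run scan_tree() over / on a real system and review every hit: a world-writable file under a spool or log directory is the footprint of the umask problem, and each set user id binary is a candidate for the "remove the bit until patched" workaround.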

MDBMS

MDBMS, an SQL database for Unix, contains a buffer overflow that can be exploited to gain the privileges of the user running the database.

Users should upgrade to a version of MDBMS newer than 0.99b.

BestCrypt

BestCrypt provides an encrypted file system on a loop-back device. Versions earlier than 0.8-2 have a buffer overflow in the bctool program, triggered while unmounting a file system, that can be exploited to execute arbitrary code as root.

Users of BestCrypt should upgrade to version 0.8-2 as soon as possible.

pmpost

pmpost, a utility in the pcp (Performance Co-Pilot) suite from SGI, follows symbolic links unsafely; where it is installed set user id root, this can be exploited to gain root privileges. The problem affects IRIX and SuSE Linux 7.1 and 7.2, although the package is not installed by default on SuSE.

SuSE recommends that users remove the set user id bits from the pmpost and pmkstat utilities. Users should watch their vendor for an update to the pcp package.

AIX diagrpt

The AIX diagnostic application diagrpt can be used by a local user to execute an arbitrary script as root.

IBM recommends that users remove the set user id bit until they have applied a patch.

cfingerd

The cfingerd daemon has a buffer overflow that can be used to obtain root privileges.

Users should watch for an update.

KTVision

KTVision, a KDE application for frame-grabber cards, is vulnerable to a symbolic-link race condition. On systems where KTVision is installed set user id root, the attack can be used to overwrite any file on the system.

Users should remove the set user id bit from KTVision until a fixed version has been installed.
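The symlink attacks on KTVision and pmpost, and the potential temporary-file race in the Kaspersky scanner, come down to one file-write pattern. The following added example, written for this column and not taken from any of those programs, shows that pattern beside the open() flags that close it. symlink_race_demo() stages the attack in a throwaway directory under /tmp: the "attacker" plants a symlink at the predictable name the privileged program will write to, pointing at a file the attacker could not otherwise touch. File names and contents are constructed for the demo.

```c
/* Added example (not KTVision or pmpost code): a symlink-following write
 * and its hardened counterpart, exercised against a planted link. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable: O_CREAT without O_EXCL follows an existing symlink, and
 * O_TRUNC then destroys whatever it points at.  A prior "does it exist?"
 * check would not help: the attacker plants the link between the check
 * and the open, which is the race. */
int write_output_vulnerable(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Fixed: O_EXCL refuses any existing name (a symlink included, wherever it
 * points), O_NOFOLLOW refuses a symlink even when the file already exists,
 * and mode 0600 keeps the new file private.  Returns -1 (errno EEXIST or
 * ELOOP) if the name was already taken; the caller must not retry blindly. */
int write_output_safe(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Read a small file into buf; returns the byte count or -1. */
static int slurp(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return (int)n;
}

/* Stage: victim holds "original"; attacker links output.tmp -> victim.
 * Returns 1 if the vulnerable writer clobbered the victim and the safe
 * writer refused and left it intact, 0 otherwise, -1 on setup failure. */
int symlink_race_demo(void)
{
    char tmpl[] = "/tmp/ktvXXXXXX";
    char *root = mkdtemp(tmpl);
    if (root == NULL)
        return -1;
    char victim[256], link[256], buf[64];
    snprintf(victim, sizeof victim, "%s/victim", root);
    snprintf(link, sizeof link, "%s/output.tmp", root);

    if (write_output_vulnerable(victim, "original") != 0 || symlink(victim, link) != 0)
        return -1;

    int clobbered = write_output_vulnerable(link, "owned") == 0
                 && slurp(victim, buf, sizeof buf) > 0
                 && strcmp(buf, "owned") == 0;

    write_output_vulnerable(victim, "original");     /* reset the victim */
    int refused = write_output_safe(link, "owned") == -1
               && slurp(victim, buf, sizeof buf) > 0
               && strcmp(buf, "original") == 0;

    unlink(link); unlink(victim); rmdir(root);
    return clobbered && refused;
}

int main(void)
{
    int r = symlink_race_demo();
    printf("vulnerable writer followed the link, safe writer refused: %s\n",
           r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

For genuinely temporary files, mkstemp() in a directory only the program can write is simpler still; the flags above matter when the output name has to be predictable, which is exactly when a set user id program becomes a file-overwrite primitive.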

Linux 2.4 iptables

When iptables is configured to allow FTP-related connections through the firewall (that is, when the FTP connection-tracking helper is in use), a carefully constructed PORT command can be used by an attacker to open arbitrary holes in the firewall.

Affected users should upgrade their Linux kernel.
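The sanity check an FTP connection-tracking helper has to apply before it opens a hole for a data connection, as an added example written for this column and not code from the netfilter project. An active-mode client announces where the server should connect with "PORT h1,h2,h3,h4,p1,p2" (RFC 959). A helper that trusts those six numbers opens the firewall to whatever address and port they name; the check here requires the address to be the control connection's own peer. The refusal of privileged ports is an extra restriction assumed for the example, not something the column states, and the addresses and commands are constructed.

```c
/* Added example (not netfilter code): parse and vet an FTP PORT command
 * before creating an expectation for the data connection. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Parse a PORT command.  Returns 0 and fills ip/port on success, -1 if the
 * line is not a well-formed PORT command (bad count, octet > 255, or junk
 * after the six numbers). */
int parse_port_cmd(const char *line, uint32_t *ip, uint16_t *port)
{
    unsigned v[6];
    char trailing;
    int n = sscanf(line, "PORT %u,%u,%u,%u,%u,%u%c",
                   &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &trailing);
    if (n < 6)
        return -1;
    if (n == 7 && trailing != '\r' && trailing != '\n')
        return -1;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)                 /* also catches "-1", which %u wraps */
            return -1;
    *ip = ip4(v[0], v[1], v[2], v[3]);
    *port = (uint16_t)((v[4] << 8) | v[5]);
    return 0;
}

/* Decide whether the helper may create an expectation for this PORT command,
 * seen on a control connection whose client address is ctrl_peer_ip.
 * Returns 1 to allow (filling data_ip/data_port), 0 to ignore the command,
 * in which case the data connection simply fails at the firewall. */
int port_cmd_allowed(uint32_t ctrl_peer_ip, const char *line,
                     uint32_t *data_ip, uint16_t *data_port)
{
    uint32_t ip;
    uint16_t port;
    if (parse_port_cmd(line, &ip, &port) != 0)
        return 0;
    if (ip != ctrl_peer_ip)
        return 0;   /* the hole: naming some other host behind the firewall */
    if (port < 1024)
        return 0;   /* assumption for this example: clients use ephemeral ports */
    *data_ip = ip;
    *data_port = port;
    return 1;
}

int main(void)
{
    uint32_t client = ip4(10, 0, 0, 5);      /* constructed control-connection peer */
    const char *cmds[] = {
        "PORT 10,0,0,5,4,1\r\n",             /* own address, port 1025: allow */
        "PORT 10,0,0,9,0,22\r\n",            /* another host's ssh port: ignore */
        "PORT 10,0,0,5,0,22\r\n",            /* own address but privileged port */
    };
    for (size_t i = 0; i < 3; i++) {
        uint32_t ip;
        uint16_t port;
        int ok = port_cmd_allowed(client, cmds[i], &ip, &port);
        printf("%-22.*s -> %s\n", (int)strcspn(cmds[i], "\r"), cmds[i],
               ok ? "allow" : "ignore");
    }
    return 0;
}
```

The trade-off is visible in the second case: a multi-homed or proxied client that legitimately announces a different address loses active mode, which is why a helper that relaxes the address check should do so only as an explicit, documented option.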

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

