LinuxDevCenter.com


Security Alerts: Denial-of-Service Attacks

by Noel Davis
10/06/2003

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at denial-of-service attacks against Apache, OpenSSL, and FreeBSD, and problems in Perl, lsh, Teapop, ProFTPD, TclHttpd, MPlayer, Node, mpg123, and Freesweep.

  • Apache
  • Perl Code
  • OpenSSL
  • lsh
  • Teapop
  • ProFTPD
  • TclHttpd
  • MPlayer
  • FreeBSD ARP Resource Starvation
  • Node
  • mpg123
  • Freesweep

Apache

A bug in Apache can be used by an attacker who can execute custom CGI scripts to cause a denial of service in the httpd server. When a CGI script writes more than 4k of data to STDERR, the script and the Apache instance will hang. When all available Apache instances are hung, Apache will stop responding to additional requests.

Users can upgrade to the latest mod_cgi.c from Apache 2.1's CVS tree or watch their vendors for an updated package. Mandrake has released an updated package for Mandrake Linux 9.1.
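
Added example (not Apache's code and not part of the original column): the hang above is consistent with a pipe deadlock, where the server leaves the script's STDERR unread while it waits on STDOUT, so the script blocks once the STDERR pipe is full. That mechanism, the 1 MiB test size (chosen to exceed current pipe buffers, which are often larger than 4k), and the names CHILD, spawn, stdout_first and drain_both are assumptions for illustration; POSIX only.

```python
import os
import selectors
import subprocess
import sys

# Constructed stand-in for a CGI script: N bytes to stderr, then a short body on stdout.
CHILD = ("import sys; sys.stderr.write('E' * int(sys.argv[1])); "
         "sys.stderr.flush(); sys.stdout.write('body')")

def spawn(stderr_bytes):
    return subprocess.Popen([sys.executable, "-c", CHILD, str(stderr_bytes)],
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)

def stdout_first(stderr_bytes, timeout=3.0):
    """Server waits on stdout only and leaves stderr unread while the script runs.
    Returns 'ok', or 'hung' if the child stalls on a full stderr pipe."""
    proc = spawn(stderr_bytes)
    with selectors.DefaultSelector() as sel:
        sel.register(proc.stdout, selectors.EVENT_READ)
        ready = sel.select(timeout)
    if not ready:
        proc.kill()          # a real server process would stay blocked here
    proc.communicate()       # reap the child and close both pipes
    return "ok" if ready else "hung"

def drain_both(stderr_bytes):
    """Server multiplexes both pipes, so neither can fill and block the script.
    Returns (stdout_len, stderr_len)."""
    proc = spawn(stderr_bytes)
    got = {proc.stdout: 0, proc.stderr: 0}
    with selectors.DefaultSelector() as sel:
        for pipe in got:
            sel.register(pipe, selectors.EVENT_READ)
        while sel.get_map():
            for key, _ in sel.select():
                chunk = os.read(key.fd, 65536)
                if chunk:
                    got[key.fileobj] += len(chunk)
                else:                      # EOF on this pipe
                    sel.unregister(key.fileobj)
    proc.communicate()
    return got[proc.stdout], got[proc.stderr]

if __name__ == "__main__":
    print(stdout_first(100), stdout_first(1 << 20), drain_both(1 << 20))
```

The same check works as a regression test for any wrapper that launches child processes with piped output: feed it a child that writes more than a pipe buffer to STDERR and require that it finishes.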

Perl Code

A problem in Safe.pm can be used by an attacker to break out of secure compartments and bypass Safe.pm's protections. In addition, the start_form() function of CGI.pm is vulnerable to a cross-site scripting attack that can be used by an attacker, under some circumstances, to execute arbitrary code in other users' browsers.

Affected users should upgrade to repaired Perl packages. Red Hat has released packages for Red Hat Linux 7.1, 7.2, 7.3, 8.0, and 9.

OpenSSL

OpenSSL provides versions 2 and 3 of the Secure Sockets Layer protocol and version 1 of the Transport Layer Security protocol, as well as full-strength cryptography functions. OpenSSL has several vulnerabilities in the code that handles ASN.1 tags that may result in a denial-of-service condition or in the attacker being able to execute arbitrary code.

It is recommended that users upgrade their OpenSSL libraries and that any applications statically linked against OpenSSL libraries be recompiled against a repaired library.

lsh

lsh, the GNU implementation of the SSH protocol, is reported to be vulnerable to several remotely exploitable buffer overflows that may be usable by a remote attacker to execute arbitrary code as the root user.

Users who have installed lsh should watch their vendors for a repaired version. SuSE has released updated and repaired packages for SuSE Linux 8.0, 8.1, and 8.2.

Teapop

Teapop is a POP3 email server that can authenticate using normal password authentication, MySQL, Apache htpasswd, or PostgreSQL. Teapop is vulnerable to an SQL injection attack when it is configured to authenticate using PostgreSQL or MySQL.

It is recommended that affected users upgrade as soon as possible to a repaired version of Teapop.

ProFTPD

ProFTPD, an FTP daemon, has a flaw that may be exploitable by any remote attacker that can upload a file in ASCII mode. Successfully exploiting the flaw will allow the attacker to execute arbitrary code with root permissions. This vulnerability is reported to affect version 1.2.7 and earlier versions of ProFTPD.

Users should watch for a repaired version of ProFTPD, and should consider disabling it until it has been updated.

TclHttpd

TclHttpd is a web server, written in Tcl, that can be used as a base to build web-server-based applications or as a general-purpose web server. Versions 3.4.2 and earlier of TclHttpd are reported to be vulnerable to many cross-site scripting attacks and a flaw that can be used to view arbitrary directories on the server.

A patch has been released for the directory-viewing problem. Users should watch for a new release that deals with the cross-site scripting problems.

MPlayer

MPlayer, a movie player for Linux and other Unixes that supports many movie formats, is vulnerable to a buffer overflow in the code that handles ASX headers. This vulnerability can be exploited by a remote attacker if the user reads remote ASX streaming content, and may result in arbitrary code being executed with the permissions MPlayer is running under. This vulnerability is reported to affect MPlayer versions from 0.90pre1 through 0.91 and version 1.0pre1.

It is recommended that users of 0.91 and earlier versions of MPlayer upgrade to MPlayer 0.92 and that users of 1.0pre1 upgrade using CVS.

FreeBSD ARP Resource Starvation

A flaw in the arplookup() function of the FreeBSD kernel can be exploited, under some conditions, by a remote attacker to cause a denial-of-service condition that can cause the server to crash or become unresponsive. The attacker must be able to send spoofed ARP packets to the local network the server is on, and in many cases, that will prevent an attack from being viable. The flaw is reported to be in all versions of FreeBSD before the fix date.

Affected users should apply the appropriate patch or upgrade to a repaired version of the kernel.

Node

The Amateur Packet Radio program Node is vulnerable to a format-string vulnerability that may be exploitable to execute arbitrary code with the permissions of the user running Node.

Affected users should watch for a repaired version. A new package for SuSE Linux has been reported to be available.

mpg123

The mpg123 command-line MPG music player is reported to be vulnerable to a buffer overflow that under some conditions may be exploitable by a remote attacker to execute arbitrary code with the permissions of the user running mpg123.

It is recommended that users use mpg123 versions 0.59r-r3 or 0.59s-r1.

Freesweep

The game Freesweep is reported to be vulnerable to a buffer overflow in its handling of some environment variables that can be exploited to execute arbitrary code. On systems where Freesweep is installed set-group-ID games, exploiting this vulnerability can gain the attacker access to the games group.

Users should upgrade to a repaired version from their vendors when it becomes available.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

