This story starts to get a little tiresome: a security researcher has found
yet another set of vulnerabilities in the
Linux kernel. The researcher this time is Michal Zalewski, who, in the
past, has had great luck finding problems by feeding random data to code.
It didn't take him too long to find a few ways to crash the kernel with
corrupted CD images.
The impact of this bug is that anybody who can cause a CD to be mounted can
crash the system, and, potentially, obtain root access. Mounting a disk is
normally a privileged operation, but many systems are set up to
automatically mount a CD (and, perhaps, fire off a file manager window) on
insertion. Others are set up to allow unprivileged users to mount a CD on
demand. So corrupt CDs are, indeed, a mechanism which could be used to
compromise a system.
Of course, it is true that anybody who gets into a position where they can
insert a CD into the system may well find a way to compromise it anyway.
It is hard to defend against an attacker with physical access. Even so,
there is no point in making any sort of attack easier.
The bugs in this case are ancient; much of the ISO9660 code dates back to
the early 1990's, and it hasn't seen a great deal of maintenance since. In
some places, values obtained from the filesystem are not properly checked,
leading to inappropriate memory accesses. In one other, the check was in
place, but the code responds to a corrupt disk by calling panic(),
thus creating a nice denial of service situation. There's guaranteed to be
other problems which have not yet been found; as Linus put it, "The code is a mess."
Other filesystems may have similar problems. An on-disk filesystem is a
complicated data structure, and it can be very hard to defend against any
sort of corruption. Users are plugging in filesystems more frequently;
many consumer gadgets, such as cameras and music players, just look like
another disk to the computer. So the opportunities for filesystem-based
attacks are growing. Expect more patches as more ten-year-old bugs are
found and fixed.
Toby Dickenson discovered that Xzabite's dyndnsupdate suffers from multiple
overflows. A remote attacker, posing as a dyndns.org server, could execute
arbitrary code with the rights of the user running dyndnsupdate.
The firefox browser (prior to version 1.0.2) contains three vulnerabilities: a GIF processing buffer overflow, a (difficult) way to trick users into running hostile XUL content, and a way to get a user to run an arbitrary program by way of the sidebar panel.
LTris is vulnerable to a buffer overflow when reading the global
highscores file. By modifying the global highscores file a malicious user
could trick another user to execute arbitrary code.
Rob Holland of the Gentoo Linux Security Audit Team discovered that
rxvt-unicode fails to properly check input length. Successful exploitation
would allow an attacker to execute arbitrary code with the permissions of
the user running rxvt-unicode.
Tavis Ormandy of the Gentoo Linux Security Audit Team has reported a flaw
in the handling of compressed images, where shell meta-characters are not
adequately escaped. CAN-2005-0638
Insufficient validation of image properties in have been discovered which
could potentially result in buffer management errors. CAN-2005-0639
The GNU a2ps utility fails to properly sanitize filenames, which can be
abused by a malicious user to execute arbitrary commands with the
privileges of the user running the vulnerable application. More
information at Security
Focus.
Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and
possibly other versions, allow remote malicious web servers to execute
arbitrary code via base64 encoded replies that exceed the intended buffer
lengths when decoded.
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
cyrus-sasl has a vulnerability involving a buffer overflow
in the digestmda5.c file. A remote attacker may be able
to compromise the system. Also, a local user may be able to
exploit a vulnerability by using the SASL_PATH environment
variable.
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group.
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash.
There are multiple vulnerabilities in versions of Ethereal earlier than
0.10.10, including:
The Etheric and 3GPP2 A11 dissectors are vulnerable to buffer overflows
(CAN-2005-0704 and CAN-2005-0699), the GPRS-LLC could crash when the
"ignore cipher bit" option is enabled (CAN-2005-0705) and various
vulnerabilities in the IAPP, JXTA, and sFlow dissectors.
Max Vozeler discovered an integer overflow in camel-lock-helper. A
user-supplied length value was not validated, so that a value of -1
caused a buffer allocation of 0 bytes; this buffer was then filled by
an arbitrary amount of user-supplied data. A local attacker or a malicious
POP3 server could exploit this to execute arbitrary code with root
privileges (because camel-lock-helper is installed as setuid root).
The f2c fortran to C translator has a vulnerability due to
insecure opening of temporary files. A local attacker can use this
to launch a symlink attack.
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler.
The Gaim client freezes when receiving certain invalid messages and crashes
when receiving specific malformed HTML. See this Secunia Advisory for
additional information.
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user.
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation.
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script.
GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see."
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program.
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks.
According to this iDEFENSE advisory,
ImageMagick is vulnerable to a heap overflow when decoding .psd image
files. This could be remotely exploited allowing an attacker to execute
arbitrary code.
The ImageMagick file
name handling code has a format string vulnerability.
Specially crafted file names can be used to crash ImageMagick
and possibly execute arbitrary code.
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine.
The IPsec-Tools package is used to build other programs such as setkey and
racoon. There is a potential denial of service vulnerability when parsing
ISAKMP headers in racoon.
Thiago Macieira discovered a vulnerability in the kioslave library,
which is part of kdelibs, which allows a remote attacker to execute
arbitrary FTP commands via an ftp:// URL that contains an URL-encoded
newline before the FTP command.
The kdenetwork networking applications package has a bug
with the handling of privileged file descriptors in kppp.
A local user can use this to modify the /etc/hosts
and /etc/resolv.conf files, allowing them to
spoof domain information.
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the parts of the library.
Sylvain Defresne discovered that the EXIF library did not properly
validate the structure of the EXIF tags. By tricking a user to load an
image with a malicious EXIF tag, an attacker could exploit this to
crash the process using the library, or even execute arbitrary code
with the privileges of the process.
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
Trustix Secure Linux discovered a vulnerability in a supplemental script of
the lvm10 package. The program "lvmcreate_initrd" created a temporary
directory in an insecure way, which could allow a symlink attack to create
or overwrite arbitrary files with the privileges of the user invoking the
program.
Florian Weimer discovered a cross-site scripting vulnerability in
mailman's automatically generated error messages. An attacker could
craft an URL containing JavaScript (or other content embedded into
HTML) which triggered a mailman error page. When an unsuspecting user
followed this URL, the malicious content was copied unmodified to the
error page and executed in the context of this page.
The "private" module in the mailman mailing list manager fails to sanitize path names adequately. An attacker could exploit this vulnerability to retrieve private information, including passwords and private list archives.
A security audit of the MediaWiki project discovered that MediaWiki is
vulnerable to several cross-site scripting and cross-site request
forgery attacks, and that the image deletion code does not sufficiently
sanitize input parameters.
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result.
According to this iDEFENSE advisory, remote
exploitation of a design error in Mozilla 1.7.3 and Firefox 1.0 may allow
an attacker to cause heap corruption, resulting in execution of arbitrary
code.
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
Several problems have been discovered in MySQL. Oleksandr Byelkin noticed
that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table
instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer
overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis
noticed that multiple threads ALTERing the same (or different) MERGE tables
to change the UNION can cause the server to crash or stall. (CAN-2004-0837)
Javier Fernández-Sanguino Peña noticed that the "mysqlaccess" program
created temporary files in an insecure manner. This could allow a
symbolic link attack to create or overwrite arbitrary files with the
privileges of the user invoking the program.
Jonathan Rockway discovered that NASM-0.98.38 has an unprotected
vsprintf() to an array in preproc.c. This code vulnerability may lead
to a buffer overflow and potential execution of arbitrary code.
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013).
Michal Zalewski discovered a bug in the netkit-telnet server (telnetd)
whereby a remote attacker could cause the telnetd process to free an
invalid pointer. This causes the telnet server process to crash, leading
to a straightforward denial of service (inetd will disable the service if
telnetd is crashed repeatedly), or possibly the execution of arbitrary code
with the privileges of the telnetd process (by default, the 'telnetd'
user).
Arjan van de Ven discovered a buffer overflow in rquotad on 64bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code.
The SUSE Security Team reviewed critical parts of the OpenSLP package, an
open source implementation of the Service Location Protocol (SLP). During
the audit, various buffer overflows and out of bounds memory access have
been fixed which can be triggered by remote attackers by sending malformed
SLP packets.
The der_chop script in openssl has a temp file vulnerability that may allow
an attacker to overwrite arbitrary files with the permissions that
the script is running under.
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
PHP has an out of bounds memory write access vulnerability and
an integer overflow/underflow problem. See the PHP 4.3.10 Release Announcement for details.
Jean-Samuel Reynaud noticed a programming error in the IPv6 handling code
of Postfix when /proc/net/if_inet6 is not available. If "permit_mx_backup"
was enabled in the "smtpd_recipient_restrictions", Postfix turned into an
open relay, i. e. erroneously permitted the delivery of arbitrary mail to
any MX host which has an IPv6 address.
postgresql has a vulnerability in which the EXECUTE privilege may
not be checked on custom functions. This may allow any database user to
circumvent the EXECUTE restriction on functions.
Python versions 2.2 and 2.3 has a vulnerability in the
SimpleXMLRPCServer module which may allow
remote users to read or change function internals via the
im_* and func_* attributes.
The RealPlayer media player has two buffer overflows
that can be exploited by playing specially crafted
SMIL and WAV files. This can allow a remote attacker to
execute code with the user's permissions.
Qiao Zhang has discovered a buffer overflow vulnerability in the
'parse_emelody' function in 'parse_emelody.c'. A remote attacker could
entice a Ringtone Tools user to open a specially crafted eMelody file,
which would potentially lead to the execution of arbitrary code with the
rights of the user running the application.
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system.
The upstream developers of Ruby have corrected a problem in the CGI
module for this language. Specially crafted requests could cause an
infinite loop and thus cause the program to eat up cpu cycles.
sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer
overflow in shar.c, where the length of data returned by the wc command is
not checked. Florian Schilhabel discovered another buffer overflow in
unshar.c. An attacker could exploit these vulnerabilities to execute
arbitrary code as the user running one of the sharutils programs.
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service.
Handling of certain DNS responses trigger assertion failures. By returning
a specially crafted DNS response an attacker could cause Squid to crash by
triggering an assertion failure.
Versions of sudo prior to 1.6.8p2 fail to properly sanitize the environment prior to running shell scripts; this failure can be exploited by a sudo user to subvert scripts and obtain shell access. See the 1.6.8p2 announcement for more information.
Buffer overflow in Sylpheed before 1.0.3 and other versions before 1.9.5
allows remote attackers to execute arbitrary code via an e-mail message
with certain headers containing non-ASCII characters that are not properly
handled when the user replies to the message.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
The tiff library contains several buffer overflows which may be exploited
by way of maliciously-crafted image files. See this advisory for more information.
Ulf Harnhammar discovered that UnAce suffers from buffer overflows when
testing, unpacking or listing specially crafted ACE archives
(CAN-2005-0160). He also found out that UnAce is vulnerable to
directory traversal attacks, if an archive contains "./.." sequences or
absolute filenames (CAN-2005-0161).
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
xpdf has a
potential buffer overflow problem caused by insufficient input validation.
A specially crafted PDF file can allow an
attacker to execute code with privileges of the xpdf user.
The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0
(CAN-2004-0888) is incomplete for 64-bit architectures on certain Linux
distributions such as Red Hat, which could leave Xpdf users exposed to the
original vulnerabilities.
Security Innovation has announced the availability of its (Microsoft-funded) web server security survey which found Windows to be a more secure platform. The document itself is available in PDF format. "For example, CAN-2004-0957 discusses a bug in MySQL's mysql_real_connect()
function. This was entered into the MySQL bug database on 4th June 2004, and fixed in
the source tree 17th June 2004. However, Red Hat only packaged this fix in RHSA-2004:611, issued on the 27th of November. This problem of the management of fixes
from a third-party is a difficult one, and one which could represent a significant challenge
to Linux on a go-forward basis."
RUXCON ("an attempt to bring together the individual talents
of the security community through live presentations, activities and
demonstrations") will be held October 1 and 2 in Sydney, Australia. Submissions are due by August 31.
