Here we go again... The Berkeley Internet Domain server (BIND)
versions 4 and 8 have a new
set of remotely exploitable vulnerabilities. They are well described in this
ISS advisory; in short, the problems are:
The really nasty one is a buffer overflow in the server's caching
code; this one could (and probably will) be used for remote root
exploits.
The server can be made to terminate (with an assertion failure) when
fed a large OPT record with certain kinds of queries.
BIND servers can also be made to crash (with a null pointer
dereference) when passed information with the right kind of bogus
expiration time.
The first vulnerability leaves much of the net open to root exploits,
worms, etc. There is no doubt that many servers will not be patched in
time, with the result that malware writers will find no shortage of fertile
ground for their unpleasant stuff. Business as usual, in other words.
The other result of this set of vulnerabilities is likely to be to force
many sites to upgrade, at last, to BIND version 9. That will reduce
the diversity of BIND implementations running on the net, thus ensuring
that the next vulnerability will affect even more systems. BIND 9 is
said to be more secure (having been rewritten with that goal in mind), but
there are, beyond doubt, more problems lurking in that body of code. Then
we'll get to go through this again.
Here we go again... the source distribution of a popular application has
been compromised by a trojan horse. This time around, the affected
application is tcpdump, which was compromised on November 11 and
remained available for download for two days. As with other trojans, this
one opens up a connection to a remote host, which can then execute shell
commands. The fact that tcpdump was compromised allowed an additional
twist, however: tcpdump will not show traffic to and from the hostile
remote system.
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
iDEFENSE reports a security vulnerability in the klisa package, that
provides a LAN information service similar to "Network Neighbourhood",
which was discovered by Texonet. It is possible for a local attacker
to exploit a buffer overflow condition in resLISa, a restricted
version of KLISa. The vulnerability exists in the parsing of the
LOGNAME environment variable, an overly long value will overwrite the
instruction pointer thereby allowing an attacker to seize control of
the executable.
kgpg: keys generated in wizard have an empty passphrase
Package(s):
kgpg
CVE #(s):
Created:
November 11, 2002
Updated:
November 13, 2002
Description:
A bug in Kgpg's key generation affects all secret keys generated through
Kgpg's wizard. (Bug does not affect keys created in console/expert
mode). All keys created through the wizard have an empty passphrase, which
means that if someone has access to your computer and can read your secret
key, he/she can decrypt your files whitout the need of a passphrase. See
the full report for
details.
The SuSE Security Team found a vulnerability in html2ps, a HTML to
PostScript converter, that opened files based on unsanitized input
insecurely. This problem can be exploited when html2ps is installed
as filter within lrpng and the attacker has previously gained access
to the lp account.
A set of buffer overflows have been discovered in masqmail, a mail
transport agent for hosts without a permanent Internet connection. In
addition to this privileges were dropped only after reading a user supplied
configuration file. Together this could be exploited to gain unauthorized
root access to the machine on which masqmail is installed.
Two vulnerabilities exists in the mail() PHP function. The first one allows
the execution of any program/script bypassing safe_mode restriction, the
second one may give an open-relay script if the mail() function is not
carefully used in PHP scripts. See this Bugtraq
report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.
traceroute-nanog: buffer overflow and root exploit
Package(s):
traceroute-nanog/nkitb
CVE #(s):
Created:
November 12, 2002
Updated:
February 27, 2003
Description:
Traceroute is a tool that can be used to track packets in a TCP/IP network
to determine it's route or to find out about not working routers.
Traceroute-nanog requires root privilege to open a raw socket. It does not
relinquish these privileges after doing so. This allows a malicious user to
gain root access by exploiting a buffer overflow at a later point.
Al Viro found a problem in the image handling code used in Window Maker,
a popular NEXTSTEP like window manager. When creating an image it would
allocate a buffer by multiplying the image width and height, but did not
check for an overflow. This makes it possible to overflow the buffer.
This could be exploited by using specially crafted image files (for
example when previewing themes).
Versions of Apache prior to 1.3.27 contain a couple of scoreboard-related
vulnerabilities which can be exploited by local users running under the
Apache user ID. In-server scripting languages, such as PHP, are the most
likely means of carrying out the attacks. One vulnerability causes the
server to fork off new processes, leading to denial of service scenarios;
the other allows an attacker to send SIGUSR1 to any process as root,
probably killing that process. See this
iDEFENSE advisory for the details.
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Firch's fixes,
is in the glibc getnetbyXXX functions.
These functions are described in the SuSE alert as
"
used by very few applications only, such as ifconfig and ifuser,
which makes exploits less likely."
CERT Advisory: CA-2002-19
Buffer Overflow in Multiple DNS Resolver Libraries
Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library with is used in
dietlibc, a libc optimized for small size.
The bug could be exploited to gain unauthorized root
access to software linking to dietlibc.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream
The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system.
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
e-matters GmbH has issued an advisory
warning of a new set of buffer overflows in the fetchmail header parsing
code. The vulnerabilities have been fixed in fetchmail 6.1.0.
A race
condition in rm may cause the root user to delete the whole filesystem.
The problem exists in the version of rm in
fileutils
4.1 stable and 4.1.6 development version. A patch
is available.
(First LWN
report: May 2).
Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library which is used in glibc.This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream
gv, a graphical front end to ghostscript, has a buffer overflow
vulnerability which can be exploited by a properly crafted PostScript or
PDF file. If a user can be tricked into viewing such a file, arbitrary
code can be executed with that user's privileges. See this iDEFENSE advisory for the details.
The heartbeat failover system has a remotely exploitable buffer overflow
vulnerability; versions prior to 0.4.9e and 0.4.9.2 are affected. Any
system that is worth running heartbeat on is worth upgrading. See the advisory for the details.
UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft
a request to run commands on the server under their UID and GID.
(First LWN report: May 23).
Cross-site scripting vulnerability in Konqueror for KDE 3.0.3
Package(s):
kdelibs
CVE #(s):
Created:
September 17, 2002
Updated:
November 18, 2002
Description:
Konqueror for KDE 3.0.3, and earlier versions, is subject to
this cross-site
scripting vulnerability.
Since the problem is in kdelibs, any other application which
uses the KHTML renderer is also vulnerable.
Javascript code running in one frame can
access other frames which should be inaccessible. The problem is
fixed in kdelibs 3.0.3a.
A number of security fixes have gone out for the 2.2 and 2.4 kernels. There are no known exploits at this time, but upgrading will make sense anyway. As always with kernel updates, read the distributor instructions carefully; there is usually more involved than just installing a new package.
CERT Advisory CA-2002-29 Buffer Overflow in Kerberos Administration Daemon
Systems Affected
MIT Kerberos version 4 and version 5 up to and including
krb5-1.2.6
KTH eBones prior to version 1.2.1 and KTH Heimdal prior to version
0.5.1
Other Kerberos implementations derived from vulnerable MIT or KTH
code
Overview
Multiple Kerberos distributions contain a remotely exploitable buffer
overflow in the Kerberos administration daemon. A remote attacker
could exploit this vulnerability to gain root privileges on a
vulnerable system.
The CERT/CC has received reports that indicate that this vulnerability
is being exploited. In addition, MIT advisory MITKRB5-SA-2002-002
notes that an exploit is circulating.
We strongly encourage sites that use vulnerable Kerberos distributions
to verify the integrity of their systems and apply patches or upgrade
as appropriate.
linuxconf: bad sendmail configuration file creation
Package(s):
linuxconf
CVE #(s):
Created:
November 6, 2002
Updated:
November 6, 2002
Description:
The linuxconf "mailconf" module can create sendmail configurations which allow the server to run as an open relay, instantly turning your site into a spammer's tool and getting you onto blacklists.
Enrico Zini discovered a buffer overflow in log2mail, a daemon for watching
logfiles and sending lines with matching patterns via mail. The log2mail
daemon is started upon system boot and runs as root. A specially crafted
(remote) log message could overflow a static buffer, potentially leaving
log2mail to execute arbitrary code as root.
LuxMan is a maze game which, one would think, would not be much of a threat. It has, however, a pathname vulnerability that can be turned into a local root exploit. Versions through 0.41 are vulnerable.
The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.
Mhonarc is an HTML formatter for electronic mail; it can be vulnerable to cross-site scripting problems when presented with maliciously crafted messages. This problem is fixed in mhonarc version 2.5.3, but it is not clear that all possible vulnerabilities have been fixed. See the Debian advisory below for information on how to disable text/html attachment support in mhonarc, which may be a more secure solution.
PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which
can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.
According to the CERT Advisory,
almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP.
Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP
4.2.0 or 4.2.1 installed,
is to upgrade to PHP 4.2.2.
For more information see the alert from
the discover of the vulnerability, Stefan Esser of e-matters GmbH,
or the security
advisory from the php team.
Joe Orton discovered a cross site scripting problem in mod_ssl, an
Apache module that adds Strong cryptography (i.e. HTTPS support) to
the webserver. The module will return the server name unescaped in
the response to an HTTP request on an SSL port.
Like the other recent Apache XSS bugs, this only affects servers using
a combination of "UseCanonicalName off" and wildcard DNS. This is very
unlikely to happen, though. Apache 2.0/mod_ssl is not vulnerable since it
already escapes this HTML.
Mozilla 1.1 and earlier, and Mozilla-based browsers such as Netscape and
Galeon, set the document referrer too quickly in certain situations when a
new page is being loaded, which allows web pages to determine the next page
that is being visited, including manually entered URLs.
Netscape 6.2.3 and earlier, and Mozilla 1.0.1, allow remote attackers to
corrupt heap memory and execute arbitrary code via a GIF image with a zero
width.
Thorsten Kukuck discovered a problem in the ypserv program which is
part of the Network Information Services (NIS). A memory leak in all
versions of ypserv prior to 2.5 is remotely exploitable. When a
malicious user could request a non-existing map the server will leak
parts of an old domainname and mapname.
The nss_ldap package has a buffer overflow which can be exploited when the
module configures itself from information in DNS. The problem is fixed in
nss_ldap-199 and later.
Pine has an
unpleasant
vulnerability in URL handling vulnerability which can lead to
command execution by remote attackers.
(First LWN report: January 17th).
This vulnerability is remotely exploitable; updating is a good idea.
Note: If an update isn't yet available for your distribution,
setting enable-msg-view-urls to "off" in pine's setup will
avoid the vulnerability. (Thanks to Greg Herlein).
PostgreSQL 7.2.2 has been released in response to a number of buffer
overrun vulnerabilities which have been identified recently. "...it
should be noted that these vulnerabilities are only critical on 'open' or
'shared' systems, as they require the ability to be able to connect to the
database before they can be exploited."
Buffer overflow vulnerabilities fixed include those reported by
"Sir Mordred The Traitor" in the cash_words,
repeat, and lpad
and rpad functions.
The PXE server can be crashed using DHCP packets from
some Voice Over IP (VOIP) phones. Maliciously formed
DHCP packets could be used by a remote attacker to effect a
denial of service attack.
The PXE package contains the PXE (Preboot eXecution Environment)
server and code needed for Linux to boot from a boot disk image on a
Linux PXE server.
Zack Weinberg discovered that
os._execvpe from os.py uses a predictable name which could lead
to execution of arbitrary code. According to the Debian
advisory, the problem
was present in Python versions 1.5, 2.1 and 2.2.
usePerl has a
description of a vulnerability in the Safe.pm Perl module. It seems
that if a Safe compartment is used more than once, it ceases to be safe.
The problem is fixed in Safe 2.08.
iDEFENSE has posted an advisory warning of a
couple of ways of bypassing the restrictions imposed by the sendmail
"smrsh" utility. smrsh puts limits on which programs a user may run out of
a .forward file; this vulnerability could give a local user
undesired access to the mail server system. A patch has
been made available from sendmail.org which closes the vulnerability.
Multiple vulnerabilities fixed in Squid-2.4.STABLE7
Package(s):
squid
CVE #(s):
Created:
July 8, 2002
Updated:
November 15, 2002
Description:
Here is the security advisory for the Squid proxy server reporting several vulnerabilities in versions up to and including 2.4.STABLE7.
Several of the bugs are believed to allow remote code execution.
Several bugfixes and cleanup of the Gopher client, both
to correct some security issues and to make Squid properly
render certain Gopher menus.
Security fixes in how Squid parses FTP directory listings into
HTML
FTP data channels are now sanity checked to match the address
of the requested FTP server. This to prevent theft or injection
of data. See the new ftp_sanitycheck directive if this sanity
check is not desired.
The MSNT auth helper has been updated to v2.0.3+fixes for
buffer overflow security issues found in this helper.
A security issue in how Squid forwards proxy authentication
credentials has been fixed
Versions 1.4.15 and 1.5.20 (and prior) of the syslog-ng system logging package have a remotely exploitable buffer overflow vulnerability; see this advisory for the details.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
Rossen Raykov reports that Tomcat 4.0.5 and 4.1.12 fix a JSP source code exposure vulnerability
in "Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also).".
The current version of Tomcat is available here.
Tomcat is the servlet container that is used in the official
Reference Implementation for the
Java Servlet and JavaServer Pages technologies.
The Java Servlet and JavaServer Pages specifications are developed by Sun
under the Java
Community Process.
webalizer: reverse DNS buffer overflow vulnerability
Package(s):
webalizer
CVE #(s):
Created:
May 21, 2002
Updated:
January 27, 2003
Description:
The cause is a buffer overflow bug.
This one sounds nasty.
If reverse DNS lookups are enabled in webalizer,
"an attacker with control over the victims DNS may spoof responses thus
triggering a buffer overflow, potentially leading to a root compromise."
Webalizer 2.01-10 "fixes this and a few
other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002).
This one is scary. The session ID
spoofing vulnerability allows the "possibility that arbitrary
commands may be executed with root privileges."
Upgrading is strongly recommended. At a minimum avoid the
"preconditions for a successful exploit" by disabling
password timeouts under Webmin->Configuration->Authentication.
The "wordtrans" interface to multilingual dictionaries suffers from input validation and cross-site scripting vulnerabilities; versions through 1.1pre8 are vulnerable. See this Guardent advisory for details.
The libgtop_daemon package is a GNOME
program which makes system information available remotely.
LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package
on December 6th.
On November 28th
disabling the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run
libgtop by default, but applying the update is a good idea anyway.
The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests
with negative Content Length values.
"It is believed
that an attacker could exploit this bug to gain remote wwwrun access
to the system wwwoffled is running on."
A file descriptor leak into services started from xinetd
may be used, by programs it stats, to crash xinetd.
Xinetd is a replacement for the BSD derived inetd.
Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, and Chris Wright
published a paper at LISA 2002 entitled "Timing the Application of Security
Patches for Optimal Uptime." It is now available for download in
PostScript format.
MIS Training Institute has announced
that the Conference on Mobile and Wireless Security will happen in
Scottsdale, Arizona on February 11 to 13, 2003.
