Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

A Root Exploit and DoS in the Linux Kernel

10/22/2001

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a root exploit and a denial-of-service attack in the Linux kernel; buffer overflows in Snes9x and Oracle 9i Web Cache; and problems in PAM's login, Squid, Apache, Mac OS X, W3Mail, sdiff, and looking-glasses.

Linux Kernel Root Exploit

Two vulnerabilities have been reported in the Linux kernel: one can be exploited by a local user to gain root access, the other to mount a denial-of-service attack. Kernels 2.2.19 and earlier in the 2.2.x series, and 2.4.9 and earlier in the 2.4.x series, are reported to be vulnerable.

The root vulnerability is a race between ptrace and the execution of a set-user-id program: a local user who attaches to the program at the right moment can have arbitrary code executed with root permissions. A script that automates the exploit using the set-user-id newgrp command has been released.

The denial-of-service attack is triggered by making the kernel resolve a long chain of nested symbolic links, which ties the kernel up in path resolution. Linux kernel 2.4.10 contains only a partial fix for this vulnerability. A script that automates the denial-of-service attack has also been released.

Affected users should upgrade to kernel 2.4.12, or to a patched 2.2.x kernel from their vendor, as soon as possible. At the time of this writing, updated packages had been reported from Caldera, Red Hat, EnGarde Secure Linux, Trustix Secure Linux, and Immunix OS.
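The following is an added example, not code from the column or from any of the vendors named above. It classifies a kernel release string against the version boundaries this advisory gives (2.2.x up to 2.2.19 and 2.4.x up to 2.4.9 affected by both problems, 2.4.10 and 2.4.11 carrying only the partial DoS fix, 2.4.12 the recommended upgrade); the enum names and helper functions are this example's own, and the release strings fed to it are constructed.

```c
/* Added example (not from the column): classify a Linux kernel release
 * string against the versions named in this advisory.  Fixed releases are
 * taken from the text: 2.2.x up to 2.2.19 and 2.4.x up to 2.4.9 have the
 * ptrace root hole and the symlink DoS; 2.4.10 and 2.4.11 carry only a
 * partial DoS fix; 2.4.12 is the recommended upgrade.  The enum names and
 * helpers are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>

enum kernel_status {
    KERNEL_UNKNOWN_SERIES = -1, /* advisory says nothing about this series */
    KERNEL_OK = 0,              /* at or above the recommended fix */
    KERNEL_ROOT_AND_DOS = 1,    /* ptrace root exploit and symlink DoS */
    KERNEL_DOS_PARTIAL = 2      /* 2.4.10/2.4.11: DoS only partially fixed */
};

/* Parse "major.minor.patch" from the front of a uname -r string such as
 * "2.4.9-ac10" or "2.2.19-7.0.8"; anything after the patch level (vendor
 * suffixes, -pre/-ac tags) is ignored.  Returns 0 on success, -1 if the
 * string does not start with three dot-separated numbers. */
static int parse_release(const char *s, long *major, long *minor, long *patch)
{
    long *parts[3] = { major, minor, patch };
    char *end;
    for (int i = 0; i < 3; i++) {
        *parts[i] = strtol(s, &end, 10);
        if (end == s)           /* no digits where a number was expected */
            return -1;
        if (i < 2) {
            if (*end != '.')
                return -1;
            s = end + 1;
        }
    }
    return 0;
}

enum kernel_status kernel_status_for(const char *release)
{
    long major, minor, patch;
    if (parse_release(release, &major, &minor, &patch) != 0)
        return KERNEL_UNKNOWN_SERIES;
    if (major == 2 && minor == 2)
        return patch <= 19 ? KERNEL_ROOT_AND_DOS : KERNEL_OK;
    if (major == 2 && minor == 4) {
        if (patch <= 9)  return KERNEL_ROOT_AND_DOS;
        if (patch < 12)  return KERNEL_DOS_PARTIAL;
        return KERNEL_OK;
    }
    return KERNEL_UNKNOWN_SERIES;
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    switch (kernel_status_for(u.release)) {
    case KERNEL_ROOT_AND_DOS:
        printf("%s: affected by the ptrace root exploit and the symlink DoS\n", u.release);
        break;
    case KERNEL_DOS_PARTIAL:
        printf("%s: symlink DoS only partially fixed; upgrade to 2.4.12\n", u.release);
        break;
    case KERNEL_OK:
        printf("%s: at or above the recommended fix\n", u.release);
        break;
    default:
        printf("%s: series not covered by this advisory\n", u.release);
    }
    return 0;
}
```

The version string is only a first screen. Vendors backport fixes without changing the base version (the patched 2.2.x kernels the column mentions will still report 2.2.19), so an "affected" result on a vendor kernel means checking the package changelog, and a clean result on a self-built kernel says nothing about which patches were applied to its source.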

PAM Login

There is a problem in the way the util-linux login program handles a user's credentials when it is built with PAM that, under some circumstances, can be exploited to gain access to another user's account. login keeps the looked-up user record in a static buffer; when a non-default PAM module (pam_limits is the reported example) causes that buffer to be reused, it can end up holding another user's record, and login may then grant the authenticating user access to that account.
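The bug class described above, as an added example that is not util-linux's code: a toy user table stands in for the system password file, lookup_static() hands back a pointer into one static record the way getpwnam() does, and lookup_r() copies the record into storage the caller owns the way getpwnam_r() does. The names, the table and the "module" lookup are constructed for the illustration.

```c
/* Added example (not util-linux's code): the static-buffer aliasing bug
 * described above, shown with a constructed user table instead of the
 * system password file. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct user_rec {
    char name[32];
    unsigned uid;
    char home[64];
};

/* Constructed table standing in for /etc/passwd. */
static const struct user_rec TABLE[] = {
    { "alice", 1000, "/home/alice" },
    { "bob",   1001, "/home/bob"   },
    { "root",  0,    "/root"       },
};
#define NTABLE (sizeof TABLE / sizeof TABLE[0])

/* Vulnerable pattern: every caller shares one static buffer, so the pointer
 * login saved for the authenticating user silently changes if any later
 * code (a PAM module, say) looks up someone else. */
const struct user_rec *lookup_static(const char *name)
{
    static struct user_rec shared;
    for (size_t i = 0; i < NTABLE; i++) {
        if (strcmp(TABLE[i].name, name) == 0) {
            shared = TABLE[i];
            return &shared;
        }
    }
    return NULL;
}

/* Reentrant pattern: the result lands in the caller's own struct, so another
 * lookup cannot change it.  Returns 0 on success, -1 if the user is unknown. */
int lookup_r(const char *name, struct user_rec *out)
{
    for (size_t i = 0; i < NTABLE; i++) {
        if (strcmp(TABLE[i].name, name) == 0) {
            *out = TABLE[i];
            return 0;
        }
    }
    return -1;
}

/* Simulate login: remember the record for `who`, let a "module" look up
 * `other`, then report the uid login would now switch to.  Returns
 * (unsigned)-1 if `who` is unknown. */
unsigned uid_after_module_lookup_static(const char *who, const char *other)
{
    const struct user_rec *pwd = lookup_static(who);
    if (pwd == NULL)
        return (unsigned)-1;
    (void)lookup_static(other);      /* the PAM module's own lookup */
    return pwd->uid;                 /* now reflects `other`, not `who` */
}

unsigned uid_after_module_lookup_r(const char *who, const char *other)
{
    struct user_rec pwd, scratch;
    if (lookup_r(who, &pwd) != 0)
        return (unsigned)-1;
    (void)lookup_r(other, &scratch); /* the PAM module's own lookup */
    return pwd.uid;                  /* still `who` */
}

int main(void)
{
    printf("static buffer: login as alice, module looks up root -> uid %u\n",
           uid_after_module_lookup_static("alice", "root"));
    printf("caller buffer: login as alice, module looks up root -> uid %u\n",
           uid_after_module_lookup_r("alice", "root"));
    return 0;
}
```

The same hazard applies to any pointer returned by getpwnam(), getgrnam(), getpwuid() and their relatives: the record has to be copied (or fetched with the _r variant) before control passes to code that might perform its own lookups.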

Affected users should watch their vendor for an updated util-linux package. Red Hat and Trustix Secure Linux have released updated util-linux packages that repair this problem.

Squid

There is a bug in the way Squid handles a PUT request that creates a directory (an FTP mkdir) during an FTP session that can be used by an attacker in a denial-of-service attack.

It has been reported that this bug was fixed on September 18, 2001 and that users should upgrade to a version released after this date. Updated packages have been released for Red Hat Linux 6.2, 7.0, and 7.1.

Apache

Two remotely exploitable problems have been reported in the Apache Web server: a specially crafted Host header can cause the split-logfile support script to write to arbitrary files on the server whose names end in .log, and when MultiViews is enabled for a directory, a specially crafted request for that directory may return a directory listing instead of the index document.

Users should upgrade to Apache 1.3.22 or newer as soon as possible. Updated packages have been announced for Conectiva Linux and EnGarde Secure Linux.

Mac OS X

It has been reported that local users on Mac OS X can run applications and shells as root. The OS X menu bar runs as root, and applications it launches inherit that privilege: a text editor started from it, or an application started from the "Recent Items" list, runs as root.

It has been reported that Apple has a "Security Update 10-19-01" that will fix this problem.

W3Mail

The W3Mail Web mail package's CGI scripts fail to filter shell metacharacters from user-supplied input before passing it to a shell, and can be exploited by a remote attacker to execute arbitrary commands as the user running the Web server.
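The two halves of the defence against this bug class, as an added example in C (W3Mail itself is Perl CGI, and none of this is its code): the naive pattern interpolates a form field into a shell command line, while the safe pattern checks the field against an allowlist and then runs the helper with execvp() so that no shell ever parses the data. The address field, the sendmail-style helper and the sample inputs are constructed for the illustration.

```c
/* Added example (not W3Mail's code): allowlist validation plus shell-free
 * execution of a helper, against a naive shell-interpolated command. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist for an e-mail address field: letters, digits, and a few
 * punctuation characters that occur in addresses.  Everything else,
 * including ; | & ` $ ( ) < > newline and space, is rejected.  Returns 1
 * if the string is non-empty, of sane length, and every byte is permitted. */
int address_is_clean(const char *s)
{
    if (*s == '\0' || strlen(s) > 254)
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || strchr("@.-_+", c)))
            return 0;
    }
    return 1;
}

/* Unsafe pattern, kept inert: build the command line a naive CGI would hand
 * to system() or popen(), and report whether the field has turned it into
 * more than one command (a shell operator is now present).  Nothing runs. */
int naive_command_is_injected(const char *address)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "/usr/sbin/sendmail %s", address);
    return strpbrk(cmd, ";|&`$()<>\n") != NULL;
}

/* Safe pattern: validate first, then exec the helper directly with an argv,
 * so the address is a single argument and is never parsed by a shell.
 * Returns the child's exit status, or -1 if the address was rejected or
 * the helper could not be started. */
int run_helper_with_address(const char *helper, const char *address)
{
    if (!address_is_clean(address))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)address, NULL };
        execvp(helper, argv);
        _exit(127);              /* exec failed; report as a non-zero status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *good = "alice@example.com";        /* constructed inputs */
    const char *bad  = "alice@example.com; id";
    printf("%-28s clean=%d injected=%d\n", good, address_is_clean(good),
           naive_command_is_injected(good));
    printf("%-28s clean=%d injected=%d\n", bad, address_is_clean(bad),
           naive_command_is_injected(bad));
    printf("run with good address: %d\n", run_helper_with_address("true", good));
    printf("run with bad address:  %d\n", run_helper_with_address("true", bad));
    return 0;
}
```

Rejecting characters is the weaker half; removing the shell from the path is what makes the remaining input harmless, and the same split (validate, then exec with an argument vector) is what a Perl CGI gets from `system(@list)` rather than `system("...$field...")`.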

Users should watch for an updated version of W3Mail and should consider removing or disabling the package until it has been repaired.

sdiff

There is a temporary file race condition in the sdiff utility that a local attacker may be able to exploit to overwrite arbitrary files with the privileges of the user running sdiff.
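The race reduced to its core, as an added example that is not sdiff's or diffutils' code: an attacker who can predict the name a program will use in a shared temporary directory plants a symlink there first, a program that then opens that name with O_CREAT|O_TRUNC follows the link and truncates whatever it points at, and O_CREAT|O_EXCL (what mkstemp() uses) refuses the name instead. The victim file, the predictable name and the scratch directory are constructed, and everything is created under a private directory so the demonstration touches nothing else.

```c
/* Added example (not sdiff's code): a planted symlink at a predictable
 * temporary-file name, the unsafe open that follows it, and the exclusive
 * open and mkstemp() that do not.  Runs entirely inside a private
 * scratch directory created with mkdtemp(). */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Paths for one run of the demonstration. */
struct scene { char dir[256]; char victim[320]; char predictable[320]; };

/* Make a private scratch directory, a victim file with contents, and the
 * attacker's symlink at a predictable name pointing at the victim. */
static int setup(struct scene *s)
{
    const char *bases[] = { getenv("TMPDIR"), "/tmp", "." };
    size_t i;
    for (i = 0; i < 3; i++) {
        if (bases[i] == NULL) continue;
        snprintf(s->dir, sizeof s->dir, "%s/race_demo.XXXXXX", bases[i]);
        if (mkdtemp(s->dir) != NULL) break;
    }
    if (i == 3) return -1;
    snprintf(s->victim, sizeof s->victim, "%s/victim", s->dir);
    snprintf(s->predictable, sizeof s->predictable, "%s/sdiff_tmp", s->dir);
    int fd = open(s->victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    if (write(fd, "important data\n", 15) != 15) { close(fd); return -1; }
    close(fd);
    return symlink(s->victim, s->predictable);   /* the attacker wins the race */
}

static void teardown(const struct scene *s)
{
    unlink(s->predictable); unlink(s->victim); rmdir(s->dir);
}

static off_t size_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? st.st_size : -1;
}

/* Unsafe pattern: create-or-truncate at a predictable name.  Returns the
 * victim's size afterwards: 0 means the symlink was followed and the victim
 * truncated; -1 means setup failed. */
off_t victim_size_after_unsafe_open(void)
{
    struct scene s;
    if (setup(&s) != 0) return -1;
    int fd = open(s.predictable, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) close(fd);
    off_t size = size_of(s.victim);
    teardown(&s);
    return size;
}

/* Safe pattern: O_CREAT|O_EXCL refuses any name that already exists,
 * symlink included, so the victim keeps its contents.  Returns the errno of
 * the refused open (EEXIST), 0 if it unexpectedly succeeded, -1 on setup
 * failure. */
int errno_from_exclusive_open(void)
{
    struct scene s;
    if (setup(&s) != 0) return -1;
    int fd = open(s.predictable, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int err = fd >= 0 ? 0 : errno;
    if (fd >= 0) close(fd);
    teardown(&s);
    return err;
}

/* What a fixed program does instead: let mkstemp() pick an unpredictable
 * name and create it O_EXCL in one step.  Returns 1 if the result is a
 * freshly created regular file with link count 1, 0 otherwise. */
int mkstemp_gives_fresh_file(void)
{
    struct scene s;
    if (setup(&s) != 0) return 0;
    char tmpl[384];
    snprintf(tmpl, sizeof tmpl, "%s/sdiff.XXXXXX", s.dir);
    int fd = mkstemp(tmpl), ok = 0;
    if (fd >= 0) {
        struct stat st;
        ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1;
        close(fd);
        unlink(tmpl);
    }
    teardown(&s);
    return ok;
}
```

Two details matter in practice: the check and the create must be the same system call (a stat() followed by open() reopens the race), and the file should be used through the returned descriptor rather than reopened by name later.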

It is recommended that users watch their vendor for an updated sdiff package. Red Hat has released an updated diffutils package for Red Hat Linux 5.2, 6.2, 7.0, and 7.1.

looking-glasses

looking-glasses is a set of scripts that publish selected information about a Cisco router on a Web page. Several versions exist, most reportedly written in Perl. Some versions derived from the original looking-glasses have vulnerabilities that a remote attacker can exploit to execute Cisco IOS commands on the router or to view information about it that was not meant to be exposed.

The vulnerable looking-glasses version that can be obtained from nitrous.digex.net is unsupported and no patches have been released for it.

Snes9x

Snes9x emulates a Super Nintendo Entertainment System under Linux. Version 1.37 of Snes9x, and possibly earlier versions, is vulnerable to a buffer overflow that may be exploitable to gain root access if the emulator is installed set user id root. Snes9x is sometimes installed set user id root so that it can be run in full screen mode.

Affected users should upgrade Snes9x as soon as possible and should consider removing the set user id bit.

Oracle 9i Web Cache

The Oracle 9i Web Cache has a buffer overflow that a remote attacker can trigger by sending a very long URL, denying access to the server. It is reported to affect version 2.0.0.1.0 of the Web Cache on all platforms.

It is reported that Oracle has released patches for this problem. Affected users should contact Oracle for the patch for their system.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.




Copyright © 2009 O'Reilly Media, Inc.