Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in Lotus Notes for Linux, honeyd, NetWorker, NetPBM, mc, and Mambo Open Source.
Lotus Notes for Linux has a vulnerability that can be exploited by a local attacker to change its configuration and gain unauthorized access to files. During the installation of Lotus Notes for Linux, the configuration file notesdata/notes.ini is installed world-readable and -writable. This vulnerability is reported to affect Lotus Notes 6.0.2 for Linux.
Users should modify the permissions on the notesdata/notes.ini file so that only authorized users may write to it.
The network sniffer tcpdump is vulnerable to several buffer overflows that can be exploited, under some conditions, by a remote attacker to execute arbitrary code with root permissions, or to crash tcpdump and cause network activity to not be recorded. The buffer overflows are reported to be in code that handles ISAKMP packets and in the L2TP protocol parser. These buffer overflows are reported to affect versions of tcpdump through version 3.8.1.
Affected users should watch their vendors for a repaired version of tcpdump. Guardian Digital has released repaired packages for EnGarde Secure Community 1.0.1 and 2 and for EnGarde Secure Professional 1.1, 1.2, and 1.5.
The mod_perl Apache module is reported to have a vulnerability that any user who can have Perl code interpreted by mod_perl can exploit to gain control of the HTTPS port (port number 443) or the standard web port (normally 80) and emulate the web server. The problem is caused by the file descriptor being leaked to Perl processes that can then pass the file descriptor to an external program or script. A script to automate the exploitation of this problem has been released to the public.
There was a good amount of discussion about this vulnerability. One side wrote that mod_perl is a trusted Apache module that has access to Apache's file descriptors and could not be locked down tightly enough to make any difference. The other side wrote that while mod_perl may have access as a trusted Apache module, the Perl code that it interprets should not have the same level of access.
Anyone who uses an Apache module to interpret end-user scripts should keep in mind that the user may have more access to the system than they would appear to have (or should have) and should watch their vendors for an updated version of Apache's mod_perl, which, regardless of the debate (and its effectiveness), will almost certainly be released soon.
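The descriptor leak described above, seen from the defender's side, as an added example that is not from the column or from the Apache or mod_perl sources: it audits a process for listening sockets that would survive an exec() and then marks one close-on-exec. The loopback listener and all function names are constructed for illustration.

```c
/* Added example: find listening sockets an exec'd program would inherit. */
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed stand-in for a server's listener: loopback, ephemeral port. */
int open_listener(void) {
    struct sockaddr_in a = {0};
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* sin_port 0: kernel picks */
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 8) < 0) {
        close(fd); return -1;
    }
    return fd;
}

/* Returns 1 if fd is a listening socket that stays open across exec(). */
int leaks_listener(int fd) {
    int flags = fcntl(fd, F_GETFD), listening = 0;
    socklen_t len = sizeof listening;
    if (flags < 0 || (flags & FD_CLOEXEC)) return 0;
    if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &listening, &len) < 0) return 0;
    return listening != 0;
}

/* Audit: count such listeners among descriptors 0..max_fd-1. */
int count_leaky_listeners(int max_fd) {
    int n = 0;
    for (int fd = 0; fd < max_fd; fd++) n += leaks_listener(fd);
    return n;
}

/* Mitigation for the exec path: mark the descriptor close-on-exec. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

int main(void) {
    int fd = open_listener();
    printf("inheritable listeners: %d\n", count_leaky_listeners(256));
    if (fd >= 0) set_cloexec(fd);
    printf("after FD_CLOEXEC:      %d\n", count_leaky_listeners(256));
    return 0;
}
```

Close-on-exec only keeps the socket away from programs started through exec(); code interpreted inside the server process can still reach the descriptor, which is the point the two sides of the discussion disagree on.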
honeyd is used to create fake virtual hosts on a network using unused IP addresses. Under some conditions, a bug can cause honeyd to set both the SYN and RST flags on network packets. This bug can be used by a remote attacker to identify a host found in a scan as a fake host generated by
It is recommended that users upgrade to honeyd version 0.8. This new version can also be configured to drop root permissions when it starts.
kdepim, a collection of personal information management tools distributed with KDE, contains a buffer overflow in the code that reads .VCF files. A carefully crafted .VCF file could be used by an attacker to execute code with the user's permissions when the user previews or reads the attacker's file. This buffer overflow is reported to affect all versions of kdepim distributed with KDE versions 3.1.0 through 3.1.4.
Users should upgrade to KDE version 3.1.5 or apply the appropriate patch for KDE 3.1.4. A possible workaround is to remove the kfile_vcf.desktop file.
It has been reported that the backup system NetWorker is vulnerable to a symbolic link race condition attack that can be used to overwrite arbitrary files on the system with the permissions of the user running NetWorker (usually root). The report states that the nsr_shutdown script distributed with NetWorker 6.0 uses the /tmp directory in an unsafe manner.
Affected users should contact their vendors for a repaired version of NetWorker.
NetPBM is a toolkit for manipulation of graphic images that is made up of many single-purpose utilities. Many of these utilities are vulnerable to a temporary-file symbolic link race condition that can be exploited by a local attacker to overwrite arbitrary files on the system with the permissions of the user executing the utility.
Users should watch their vendors for a repaired version.
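The temporary-file problem in both the NetWorker and NetPBM items, as an added example that is not code from either product: it opens a guessable name first the unsafe way and then with exclusive creation, with a symbolic link already sitting at that name. The scratch directory, file names, and function names are constructed, and the link is placed in advance so the outcome is deterministic rather than timing-dependent.

```c
/* Added example: guessable temp name vs. exclusive creation (constructed). */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L  /* mkdtemp, symlink, O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: open a predictable path and follow whatever is there. */
static int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL fails if the name already exists, symlink included;
 * O_NOFOLLOW additionally refuses a symlink as the final component. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Runs one case in a private scratch directory. Returns the protected file's
 * size afterwards: 0 = truncated through the link, 6 = untouched, <0 = setup error. */
long run_scenario(int hardened) {
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    char target[64], tmpname[64];
    struct stat st;
    long result = -1;
    if (!mkdtemp(dir)) return -2;
    snprintf(target, sizeof target, "%s/protected.conf", dir);
    snprintf(tmpname, sizeof tmpname, "%s/job.tmp", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int ok = fd >= 0 && write(fd, "secret", 6) == 6;
    if (fd >= 0) close(fd);
    if (ok && symlink(target, tmpname) == 0) {  /* link waits at the guessable name */
        fd = hardened ? open_exclusive(tmpname) : open_predictable(tmpname);
        if (fd >= 0) close(fd);
        if (stat(target, &st) == 0) result = (long)st.st_size;
    }
    unlink(tmpname); unlink(target);
    rmdir(dir);
    return result;
}

int main(void) {
    printf("predictable open: %ld bytes left\n", run_scenario(0));
    printf("exclusive open:   %ld bytes left\n", run_scenario(1));
    return 0;
}
```

In real code, mkstemp() combines an unpredictable name with exclusive creation; shell scripts get the same effect from mktemp.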
jabber, an instant messaging system, has a bug in its server code that can cause jabber to crash while handling SSL connections, causing a denial of service.
Debian and Mandrake have released repaired versions of jabber. Users of other distributions should watch for repaired or updated versions.
mc (Midnight Commander) is vulnerable to an attack that uses a carefully constructed archive file (for example, a .tar file) to cause arbitrary code to be executed when a user opens the archive file using
Affected users should watch their vendors for a repaired version. Debian has released a repaired version of
sid. Red Hat has released repaired packages for Red Hat Linux 9.
Mambo Open Source, an open source web-based content management system written using PHP and MySQL, has a bug in ./modules/mod_mainmenu.php that can be used by a remote attacker to execute arbitrary code with the permissions of the user running the web server. This bug is reported to affect version 4.6 and earlier.
Users should watch for a patch to repair this problem.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.