Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in the Java 2 Runtime Environment,
linprocfs, OpenSSL, OpenSSH, AbiWord, Blogtorrent,
The Java 2 Runtime Environment Standard Edition (J2SE), available from Sun, and the Blackdown Java Runtime are vulnerable to an attack that bypasses the Java sandbox and can be exploited by a remote attacker to execute arbitrary code on the victim's machine and to read from and write to arbitrary files. This vulnerability is reported to affect Java 2 Platform, Standard Edition (J2SE) 1.4.2_01 and 1.4.2_04, and any Blackdown VM prior to J2SE v1.4.2-01. Example scripts that show how to exploit this vulnerability have been released to the public.
All Sun Java users should upgrade to Java 2 Runtime Environment, Standard Edition 1.4.2_06 or 1.3.1_13 or newer. Blackdown users should upgrade to J2SE v1.4.2-01 or newer. Users of other Java distributions or of Java runtime environments packaged with their operating systems should watch their vendors for an update. Users who cannot upgrade immediately should disable Java in their browsers and only execute Java code from trusted sites.
wget, a widely used web and FTP command-line retrieval utility, is reported
to contain flaws that can be exploited to overwrite arbitrary files on the
victim's machine, with the victim's permissions, if a carefully crafted file is
retrieved from the attacker. An example file that exploits this vulnerability
has been released to the public.
Affected users should watch their vendors for a repaired version of
should consider using an alternative tool. In all cases, users should exercise
care in choosing which files to download.
The special filesystems of the process file system
procfs and the Linux process file system
provide a filesystem interface view of the system process
tables. A bug in the implementation of the /proc/curproc/cmdline and /proc/self/cmdline
files can, under some conditions, be exploited by a local attacker to cause the
system to crash with a kernel panic, or may allow attackers to read portions of protected
kernel memory that could contain sensitive information such as passwords.
It is recommended that users upgrade their systems to FreeBSD 4-STABLE or 5-STABLE
and recompile their kernels. The
linprocfs filesystems should be
unmounted until this upgrade has been completed.
The script der_chop that is contained in the OpenSSL package is reported to be vulnerable to a temporary-file, symbolic link race condition that may be exploitable by a local attacker to overwrite arbitrary files on the system.
Users should watch their vendors for a updated OpenSSL package.
Two time-based attacks have been announced against OpenSSL. The first attack uses
the difference in failure time between a failed valid login and a failed login
of an invalid user to test whether a user name exists on the target system. The
second attack is against machines that are configured to not allow root logins
over SSH (
PermitRootLogin no) and uses the difference in the failure
time that exists between a valid root login that is rejected because of the
configuration of SSH and a root login that is rejected due to the password
being incorrect. This second attack could be used in a brute force attack to
find the root password.
Affected users should watch their vendors for repaired OpenSSH packages.
AbiWord is a free, open source word processor available for Windows, Linux,
QNX, FreeBSD, and Solaris systems that can read and write to files in OpenOffice.org,
Microsoft Word, WordPerfect, Rich Text Format, HTML, and other formats. The
wv library that is included as part of the AbiWord package is reported to be
vulnerable to a buffer overflow in code that handles the
DateTime field. Under some conditions, this may be exploitable by a remote attacker and result in
arbitrary code being executed with the permissions of the victim. The attack
is conducted using a carefully crafted document that the victim then opens
in AbiWord in HTML mode.
Affected users should watch for a released version containing the repair and should exercise caution concerning the source of files they open with AbiWord.
Blogtorrent is a collection of PHP scripts designed to aid in the hosting of BitTorrent data files. A flaw in the btdownload.php script can be abused by a remote attacker to download arbitrary files from the victim's machine.
All users of Blogtorrent should upgrade to the latest version available from CVS, or should consider disabling the software until it has reached a more mature state.
rssh is a restricted shell designed to be used with OpenSSH that places a
user in a
chroot jail and, by design, only allows the remote execution of
scponly is a restricted shell that can
be configured to only allow specified applications to be executed. Under certain
conditions, it may be possible for a remote user to cause
execute arbitrary commands or run an uploaded shell script.
It has been reported that the author of
rssh is not currently able to maintain
rssh. Therefore, users should consider using an alternative restricted shell.
Version 4.0 of
scponly has been released, and all users are encouraged to upgrade
as soon as possible.
The KDE fax program
kfax contains a private copy of the Libtiff library that
is vulnerable to several buffer overflows that can be exploited to execute
arbitrary code. These buffer overflows are exploited by using a carefully crafted
Users of KDE 3.2.x or KDE 3.3.x should upgrade to the latest released packages.
Users of other versions should upgrade to a maintained version of KDE or should
kfax and kfaxpart.la from their systems.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to LinuxDevCenter.com
Copyright © 2009 O'Reilly Media, Inc.