New Security Problems and a Warning About Checking User Input01/30/2001
Welcome to the Security Alerts column, an overview of new Unix and open source security-related advisories and news. Problems this week include buffer overflows in
write, and Lotus Domino's SMTP server; temporary file problems with webmin and Apache's
mod_rewrite; format string problems with
icecast; ip firewalling problems with FreeBSD; and SQL problems in Postaci.
splitvt program splits a vt100 compatible terminal or screen into an upper and lower window that can each execute a different program. Versions before 1.6.5 have a format string vulnerability and several buffer overflows. Since
splitvt is installed suid root on many systems, this vulnerabilty can be exploited to obtain root privileges.
It is recommended that you upgrade to version 1.6.5 or newer. If you are not using
splitvt or do not wish to upgrade, then the suid and sgid bits should be removed from the application.
A throughput measurement tool,
bing has a buffer overflow that can lead (on systems with it installed suid root) to a root exploit. The buffer overflow is in the code that handles the host name that it uses. The overflow requires that the attacker be able to create an arbitrary resolvable host name that they can pass to the application.
Security Alerts This Week:
It is recommended that you remove the suid bit from
A web-based administrative interface for Unix machines,
webmin creates temporary files insecurely. This problem can be used to overwrite and create arbitrary files and can lead to a root compromise. Versions prior to 0.84 are affected.
It is recommended that webmin be upgraded to version 0.84 or newer.
icecast audio stream server has a format string vulnerability that can be used to execute arbitrary commands. Since
icecast normally runs as the root user, this can lead to a remote root compromise.
A patch has been published and incorporated in several distributions. I was not able to find out if the fix has been made to the version that can be downloaded from the icecast.org web site. I recommend that you check with your vendor for an updated version.
mod_rewrite module for the Apache webserver has a problem in the way it uses its temporary files. This can be exploited to read any protected file on the system.
It is recommended that you upgrade Apache to version 1.3.14 or newer. This version also fixes problems with
The Apache Project has also announced that they will not be making any more updates to the 1.2.x versions of Apache and users of that series are encouraged to upgrade to the latest 1.3.x version.
The Oracle XSQL Servlet has a problem that can be used to execute arbitrary Java code on an Oracle database server. Versions affected include the 220.127.116.11.0 database server, Oracle8i release 18.104.22.168.0 and the Enterprise Edition running Oracle Internet Application server with XSQL release 22.214.171.124, and XSQL releases 126.96.36.199 to 188.8.131.52 on all platforms.
If you are using any of these products you should download release 184.108.40.206 of XSQL. Oracle will also be correcting this problem when they release Oracle8i, release 220.127.116.11.
write command allows you to send lines of text to other users of a system. The write command under Solaris 7 has a buffer overflow in the handling of its second command line argument. By exploiting this vulnerability, an attacker can execute arbitrary code with the permissions of the group
It is recommended that the set group id bit be removed from
write until a patch has been released by Sun. This problem has been fixed in Solaris 8.
The stand-alone shell,
sash, is a statically linked shell that contains many built-in utilities. These include
mount, and many more. It can be used to replace shared libraries safely or used in emergencies. Versions prior to 3.4-4 did not clone the shadow file properly. This could lead to this file becoming exposed.
It is recommended that users upgrade to 3.4-4 or newer as soon as possible.
The Lotus Domino SMTP server has a buffer overflow in the relay policy checking code. This can lead to a remote execution of arbitrary code or a denial of service.
To recover from the denial of service, you may have to remove the log.nsf or mail.box files, so care should be taken when testing for this problem.
Lotus has fixed this problem in their 5.0.6 release of Domino server.
The FreeBSD tools
ip6fw provide packet-filtering redirecting and accounting functions. A TCP/IP packet crafted so that the ECE flag is set can incorrectly be passed through by the packet filters if a rule exists to allow established connections. An example of such a rule would be "allow tcp from any to any established." How vulnerable this will make a system or network will vary according to the exact rules in place.
You can work around this problem by rewriting any rule that contains the established keyword. It is however recommended that you upgrade to FreeBSD 3.5-STABLE or 4.2-STABLE after the correction date (01-12-01), or apply the
Postaci, a popular web mail package, does not properly check for malicious SQL code in variables coming from the user when using the PostgreSQL database. This can allow a user to execute arbitrary SQL queries.
At this time a patch to fix this problem has not been released.
This sort of problem is easy for a programmer to fall into. It occurs when the programmer fails to check all possible user-supplied input. With PHP, this can be any variable that you use in your forms and scripts. Remember that the user is in control of his client and can send you whatever data they choose. You need to check or initialize every variable before you use it or send it to your SQL database as part of a query. Numbers should be numbers and not SQL statements, and so on.
An interesting exercise is to trade places with the attacker. Put yourself in their shoes and see what unexpected things you can make your system or software do when you put your mind into it. You may be surprised with what you find out, and that is much better than being surprised by a system cracker.
Read more Security Alerts columns.
Discuss this article in the O'Reilly Network Linux Forum.