Java JDE Allows Unauthorized Commands
02/27/2001
Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at a problem in Java that allows Java code to execute unauthorized commands; buffer overflows in CUPS and sudo; temporary file problems with StarOffice, MicroFocus COBOL, and CUPS; and vulnerabilities in pgp4pine, the Solaris LDAP PAM module, adcycle, and Zope.
Some versions of Sun's JRE (Java Runtime Environment), SDK (System Development Kit), and the JDK (Java Development Kit) have a bug that can allow Java code to execute unauthorized commands. This bug is mitigated by the requirement that the malicious code have permission to execute at least one command. Sun has reported that they have no knowledge of the bug affecting Netscape Navigator or Microsoft Explorer.
It has been reported that the following versions of Java are affected: Windows Production and Solaris Reference Releases SDK and JRE 1.2.2_005 or earlier, SDK and JRE 1.2.1_003 or earlier, JDK and JRE 1.1.8_003 or earlier, JDK and JRE 1.1.7B_005 or earlier, and JDK and JRE 1.1.6_007 or earlier; Solaris Production Releases SDK and JRE 1.2.2_05a or earlier, SDK and JRE 1.2.1, JDK and JRE 1.1.8_10 or earlier, JDK and JRE 1.1.7B, and JDK and JRE 1.1.6; and Linux Production Release SDK and JRE 1.2.2_005 or earlier.
Sun recommends that users upgrade to one of the following versions: Reference releases for Windows or Solaris SDK and JRE 1.2.2_007, SDK and JRE 1.2.1_004, JDK and JRE 1.1.8_006, JDK and JRE 1.1.7B_007, JDK and JRE 1.1.6_009; Solaris Production releases SDK and JRE 1.2.2_07 or JDK and JRE 1.1.8_12; or Linux Production release SDK and JRE 1.2.2_007.
A recent audit of CUPS (Common Unix Printing System) found various potential vulnerabilities, including buffer overflows, unsafe use of temporary files, and more.
It is recommended that users upgrade to a version released Feb. 20, 2001, or newer.
Debian has reported that there are multiple vulnerabilities in the XFree86 implementation of the X Window System. These vulnerabilities include denial-of-service attacks against X servers, buffer overflows in X clients based on Xlib, buffer overflows in XDM's XDMCP code, and several components not using temporary files safely. Debian reports that they are not aware of any working exploits that use these problems.
Users of Debian should upgrade their packages. Users of other distributions should watch their vendor for an upgrade.
The PAM module, pam_ldap.so.1, that provides LDAP authentication under Solaris does not properly authenticate logins. When a system has been configured to use this module, a user can log in by entering either their correct password or no password at all. This module is configured in pam.conf to allow authentication for user logins and is not configured in the default configuration of Solaris. The Sunsolve bugid for this problem is 4384816.
Users should discontinue using the LDAP module until Sun provides a patch or until they compile the module using source code from http://www.padl.com.
Microfocus COBOL is a COBOL programming language suite for Unix systems. There are two vulnerabilities in version 4.1 that can be exploited to gain root privileges. Both vulnerabilities are only exploitable if the Apptrack feature has been enabled. The first vulnerability is a world-writable script (/var/mfaslmf/nolicense) that is executed by root and the second is predictable temporary files in the
If the Apptrack feature is not needed, turn it off. If Apptrack is needed, then change the permissions on the /var/mfaslmf directory and
The office suite StarOffice does not create temporary files safely. This problem can be used by an attacker to change the permissions of a file owned by the user running StarOffice to be world writable.
One method for protecting yourself from this type of attack is to set the $TMP environment variable to a temporary directory that is only writable by your account, for example $HOME/tmp. StarOffice will then use the specified location ($TMP) for its temporary files.
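The $TMP workaround only helps if the directory really is private, so as an added example (not from the column or from StarOffice) here is a POSIX shell helper that creates $HOME/tmp with mode 700 and refuses to export $TMP when the directory is a symlink, is owned by someone else, or carries any group/other permission bits. It assumes the POSIX `ls -ldn` field layout (mode, links, uid, gid, ...).

```shell
#!/bin/sh
# Added example, not from the column: set up a private temp directory for
# StarOffice and refuse to export $TMP unless the directory really is private.

# tmp_dir_is_private DIR -> 0 only if DIR is a real directory (not a symlink),
# owned by the calling user, with no group/other permission bits at all.
# Assumes the POSIX `ls -ldn` layout: mode, links, uid, gid, ...
tmp_dir_is_private() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ -L "$dir" ] && return 1          # a symlink could point back at shared /tmp
    set -- $(ls -ldn "$dir")
    [ "$3" = "$(id -u)" ] || return 1  # someone else owns it
    case "$1" in
        d???------*) return 0 ;;       # drwx------ (trailing ACL/SELinux marker tolerated)
    esac
    return 1
}

# setup_private_tmp [DIR] -> creates DIR (default $HOME/tmp) with mode 700,
# verifies it, then exports it as $TMP for StarOffice to use.
setup_private_tmp() {
    dir=${1:-$HOME/tmp}
    [ -L "$dir" ] && { echo "refusing: $dir is a symlink" >&2; return 1; }
    ( umask 077; mkdir -p "$dir" ) || return 1
    chmod 700 "$dir" || return 1
    tmp_dir_is_private "$dir" || { echo "refusing: $dir is not private" >&2; return 1; }
    TMP=$dir
    export TMP
}

# usage: source this file in your login shell, then run `setup_private_tmp`
# before starting StarOffice.
```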
The sudo utility is used to allow specified users to execute specific commands with root permissions. Versions of sudo prior to 1.6.3p6 have a buffer overflow that potentially can be exploited for a root compromise.
Users are recommended to upgrade to version 1.6.3p6 or newer.
Using pgp4pine, users of the pine mail package can easily use various PGP applications to encrypt their e-mail. When it is using GnuPG (the GNU Privacy Guard), pgp4pine does not correctly identify expired keys. If an expired key is used, pgp4pine will fail to encrypt the message and will send it in the clear without issuing a warning to the user. This problem affects versions of pgp4pine through 1.75-6.
It has been reported that attempts to contact the author of pgp4pine were not successful. There is a patch to fix this problem available from http://www.securityfocus.com/archive/1/164255.
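The failure mode described above is a fail-open one: an expired key leads to a cleartext send. As an added example (not pgp4pine's own code, nor the patch linked above), the POSIX shell snippet below checks the recipient key's validity flag in `gpg --with-colons` output and aborts the send instead of falling through; the key listing, key IDs and addresses are constructed sample data, and the encrypt step is a stand-in.

```shell
#!/bin/sh
# Added example (not pgp4pine's code): fail closed when a recipient key is
# expired, revoked or missing, instead of silently sending plaintext.

# Constructed sample of `gpg --with-colons --list-keys` output. In this format
# field 1 is the record type, field 2 the validity ("e" = expired, "r" = revoked,
# "d" = disabled), field 5 the key ID and field 7 the expiry date.
SAMPLE_KEYS='pub:e:1024:17:0123456789ABCDEF:2000-01-01:2001-01-01::-:Expired User <expired@example.org>:
pub:f:1024:17:FEDCBA9876543210:2000-01-01:2002-01-01::-:Valid User <valid@example.org>:'

# key_usable KEYID LISTING -> 0 if KEYID is present and not expired/revoked/disabled
key_usable() {
    printf '%s\n' "$2" | awk -F: -v id="$1" '
        $1 == "pub" && $5 == id {
            found = 1
            if ($2 == "e" || $2 == "r" || $2 == "d") bad = 1
        }
        END { exit ((found && !bad) ? 0 : 1) }'
}

# encrypt_or_abort KEYID -> gates the send on key_usable; a real wrapper would
# call gpg here, this stand-in just reports which key would be used.
encrypt_or_abort() {
    if key_usable "$1" "$SAMPLE_KEYS"; then
        echo "encrypt-to:$1"
        return 0
    fi
    echo "ABORT: key $1 is missing, expired or revoked; message not sent" >&2
    return 1
}
```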
An ad banner rotation system, adcycle, has a problem that can allow an attacker to execute arbitrary SQL commands. This problem is a result of adcycle not properly initializing and checking all its variables before using the variables in a SQL call.
Users should watch the adcycle web site for a patch for this vulnerability.
Two denial-of-service attacks have been found against the ICQ chat client LICQ. The first attack is exploited by sending LICQ a document formatted as a rich-text file, and the second is exploited by sending random data to the port the Remote Management Service is listening on.
Users should watch their vendor for a patch for these vulnerabilities.
Zope is an open source web-based application server. Zope versions through 2.3.1b1 have a security flaw that can allow a malicious user to make changes in excess of his authorized security level.
The developers of Zope highly recommend that users apply the latest hotpatch as soon as possible.