Security Alerts: Remote Root Exploit in Telnet Daemon
07/23/2001
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a root exploit in BSD-derived telnet daemons; buffer overflows in xman, the Merit and Lucent RADIUS servers, ypbind, the AIX libi18n library, and tcpdump; temporary-file race conditions in tripwire; and vulnerabilities in SSH Secure Shell 3.0.0, Lotus Domino Server, IMP, SSLeay/OpenSSL, and
It has been reported that a buffer overflow in many BSD-derived telnet daemons may, under some circumstances, be exploitable by a remote attacker to gain root access. Systems reported to be vulnerable include Linux netkit-telnetd before 0.14, OpenBSD 2.x and 1.x, FreeBSD, NetBSD 1.x, BSDI 4.x, IRIX 6.5, and Solaris 2.x SPARC. Versions reported not to be vulnerable are Linux netkit-telnetd 0.14 and newer, and OpenBSD current.
Users may wish to consider turning off affected telnet daemons until a fixed version has been installed.
SSH Secure Shell 3.0.0, available from ssh.com, has a flaw that will allow anyone to log in, with any password, on accounts that have a two-character password in the passwd file. In many cases accounts are locked with an "NP", "!!", or "LK" password entry. Using this flaw, an attacker can log into these locked accounts with any password and then leverage access to these accounts (examples include adm) into root access to the machine.
It is recommended that users upgrade to version 3.0.1 of SSH Secure Shell as soon as possible. If it is not possible to upgrade immediately, then password authentication should be disabled and alternative methods should be used until the software has been upgraded.
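The precondition for the SSH Secure Shell 3.0.0 flaw is an account whose password field is exactly two characters long, so an administrator can find the exposed accounts before the upgrade lands. The following audit script is an added example, not part of the original column; it runs over a passwd- or shadow-format file and the sample data embedded in it is constructed, not from any real system.

```shell
#!/bin/sh
# Added example (not from the column): report accounts whose password
# field is exactly two characters long, the condition the SSH Secure
# Shell 3.0.0 flaw requires. Works on passwd- or shadow-format files
# (field 2 is the password field in both).

# Print "user:field" for every account with a two-character password field.
find_two_char_pw() {
    # $1: path to a passwd- or shadow-format file
    awk -F: 'length($2) == 2 { print $1 ":" $2 }' "$1"
}

# Count such accounts; the exit status is 1 when any are found, so the
# function can gate a host check (e.g. run from cron before enabling sshd2).
count_two_char_pw() {
    # $1: path to a passwd- or shadow-format file
    awk -F: 'length($2) == 2 { n++ } END { print n + 0 }' "$1"
}

# Constructed sample passwd file; the hashes are placeholders, not real.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$1$abcdefgh$ijklmnopqrstuvwxyz012:0:0:root:/root:/bin/sh
adm:NP:3:4:adm:/var/adm:/sbin/nologin
lp:!!:4:7:lp:/var/spool/lpd:/sbin/nologin
nobody:LK:65534:65534:nobody:/:/sbin/nologin
alice:$1$zyxwvuts$rqponmlkjihgfedcba987:1000:1000::/home/alice:/bin/sh
bob:*:1001:1001::/home/bob:/bin/sh
EOF

# Stand-alone run: list the exposed accounts. Note that "*" (bob) is a
# one-character lock and is not affected; "NP", "!!" and "LK" are.
echo "Accounts with a two-character password field in $SAMPLE:"
find_two_char_pw "$SAMPLE"
```

On a live host, point the functions at /etc/shadow (or /etc/passwd on systems without shadow passwords) and treat any hit as an account that should be locked with a longer marker until sshd2 3.0.1 is installed.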
lmail, a mail-delivery agent that is installed as part of the smail 2.5 mail package, has a temporary-file race condition that can be exploited to overwrite arbitrary files on the system with the permissions of the root user.
It is recommended that users of lmail should install a repaired version, or replace it with
Alerts this week:
The X-Windows-based system manual page reader xman has a buffer overflow that can be exploited to execute arbitrary code. On systems where xman is installed set user id root, exploiting the buffer overflow could be used to gain root privileges. Exploit scripts have been publicly released for this vulnerability.
Users should remove the set user id or set group id bits from xman until a repaired version has been installed.
The Lotus Domino Server has a cross-site scripting vulnerability that has been reported to affect version 5.0.6 and may affect other versions.
Lotus has announced that they plan to fix this vulnerability for the Domino version 5.0.9 release.
There are multiple buffer overflows in the Merit 3.6b and Lucent 2.1-2 RADIUS servers that can be used to execute arbitrary code with the permissions of the user running the daemon (often root). RADIUS is a system for user authentication using a client-server model.
Users of the Merit RADIUS server should upgrade to version 3.6B1.
The Lucent RADIUS server is no longer being maintained by Lucent. It is now being maintained by Simon Horms of VA Linux Systems. It has been reported that patches for Lucent RADIUS will be made available at ftp://ftp.vergenet.net/pub/lucent_radius.
In addition to applying these patches, it is also recommended that RADIUS servers be installed so that they run as a normal user and not with root permissions.
IMP, a Web-based mail reader that works with IMAP- and POP3-based mail servers, has several vulnerabilities that could be used by an attacker to execute arbitrary scripts on other users' client machines and execute arbitrary code on the server.
The Horde team recommends that users of IMP 2.2.x upgrade as soon as possible to version 2.2.6.
There is a remotely exploitable buffer overflow in Solaris's ypbind. ypbind runs on all machines that are using NIS, regardless of whether they are client or server machines.
Sun has released patches for this problem and recommends that users install them as soon as possible.
The tripwire security tool is used to create a cryptographic snapshot of a system so that system integrity can be verified at a later time. tripwire has a temporary-file race condition, when scanning the file system and updating the database, that can be exploited by an attacker to overwrite files on the system with the permissions of the user running tripwire (normally root).
Users of tripwire should upgrade to a fixed version as soon as possible. It has been reported that a fixed version is available from http://sourceforge.net/projects/tripwire/. Once a fixed version has been installed, it is suggested that the TEMPDIRECTORY configuration option be set to a directory that can only be written to by the user executing tripwire.
The random-number generator in SSLeay/OpenSSL versions through 0.9.6a has a design error that may make its output predictable, which may lead to the compromise of the encrypted communications.
It is recommended that users upgrade to OpenSSL version 0.9.6b as soon as possible.
IBM has reported that there is a buffer overflow in the libi18n library supplied with AIX 4.3 and 5.1 that can be used by a local attacker to gain root privileges. The buffer overflow is exploited through the set user id root application aixterm, which is linked to the library.
Users should remove the set user id bit from aixterm until a patch has been produced by IBM.
tcpdump has a buffer overflow in the code that decodes AFS RPC packets that may be used to execute arbitrary commands as the root user. This is similar to a problem reported last month in tcpdump, where the buffer overflow was in the code that decoded AFS ACL packets.
Users should upgrade to the latest version of tcpdump and should only use tcpdump on networks that contain packets from trusted sources.
A flaw in the squid Web proxy can be exploited by an attacker to perform anonymous port scans. This is caused by squid not properly using ACLs in the configuration file when squid is set up in
Users should contact their vendor for updated