A DoS Attack via Tux
11/13/2001
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a denial-of-service attack against Tux and the Linux kernel; buffer overflows in Solaris' xntpd, the DCE SPC library, Rational ClearCase, and Red Hat's lpd; and problems in IMP, Cisco Secure Intrusion Detection System, OS X 10.1, Novell GroupWise, 6tunnel, Ikonboard, Viralator, w3m, and Procmail.
- Linux Denial-of-Service Attack
- IMP Webmail
- Cisco Secure Intrusion Detection System
- OS X 10.1
- Novell GroupWise
- Solaris xntpd
- DCE SPC Library
- Rational ClearCase
- Red Hat lpd
Tux is a Web server built into the Linux kernel that is designed to serve static content very efficiently. Submitting large "Host:" headers to the Tux daemon will cause it to crash, and will eventually cause the kernel to panic, crashing the system. Tux is not enabled by default in most distributions. This problem was reported to affect Linux kernel 2.4.9-7 with Tux 2.1.0-2. It is not known what other kernel and Tux versions are vulnerable.
Affected users should watch their vendor or the kernel releases for an update that repairs this problem.
Procmail processes incoming email, filtering and sorting it. Several signal-handling race conditions have been reported that can be used by a local attacker to gain root permissions.
Users of Procmail should upgrade to a repaired version as soon as possible, and should consider disabling Procmail until it has been upgraded.
The IMP Webmail system is vulnerable to a cross-site scripting attack that can be used to manipulate users' email. All versions of IMP prior to 2.2.7 have been reported to be vulnerable.
The Horde Project recommends that users upgrade to IMP version 2.2.7 as soon as possible.
The Cisco Secure Intrusion Detection System (once known as Netranger) can be tricked into not reporting certain URLs by carefully encoding the URL. This problem also affects the Cisco Catalyst 6000 Intrusion Detection System Module.
Cisco has released a service pack to repair this vulnerability in the Cisco Secure Intrusion Detection System, and will be releasing a service pack for the Cisco Catalyst 6000 Intrusion Detection Module.
The desktop folder, under OS X 10.1 installations that have been localized for French, German, Italian, and Spanish, has world-writable permissions.
Users of OS X should check the permissions on their desktop folder and correct them if necessary.
The Web server component of Novell GroupWise has a bug that can be exploited by a remote attacker to view any file on the volume the Web server is installed on.
Users should contact Novell for an update to repair this bug.
nvi, a version of the vi editor that was first distributed as part of the Fourth Berkeley Software Distribution, has a format-string vulnerability.
It is recommended that users upgrade to a repaired version as soon as possible.
6tunnel is an IPv6 tunnel application that can be used by applications that do not support IPv6.
6tunnel has a bug that can be used to crash the tunnel and prevent additional connections.
It is recommended that users upgrade to version 0.09 or newer.
The time protocol daemon xntpd has a buffer overflow that can be exploited by a remote attacker to gain root privileges. This problem affects the version of xntpd shipped with Solaris 2.6, 7, and 8, for both Sparc and Intel platforms.
Sun recommends that users apply the patch appropriate for their operating system as soon as possible. Users should also consider using the ntpupdate utility to synchronize the system time without using a potentially remotely vulnerable daemon.
Ikonboard, a Web-based bulletin board system written using Perl, has vulnerabilities that can be remotely exploited by an attacker to gain administrator privileges on the board and execute arbitrary commands on the server with the permissions of the user running the Web server. It has been reported that this vulnerability affects Ikonboard versions ib219 and earlier.
Users of Ikonboard should watch for an update.
Viralator is a virus-scanning tool used with applications such as Squid and Apache. It has a problem that can allow a remote attacker to execute arbitrary commands on the Web server as the user executing the Web server.
No repair for this problem has been announced, and users should consider disabling Viralator until it has been repaired.
w3m, a text pager that can browse Web pages, has a vulnerability that can be exploited by an attacker who controls a remote Web server and returns malformed headers to the client.
It is recommended that users upgrade w3m to a repaired version.
The DCE SPC library distributed with Open Unix and UnixWare has a buffer overflow that can be exploited remotely through the dtspcd utility. The buffer overflow is reported to affect all versions of UnixWare 7 and Open Unix 8.0.0.
Caldera recommends that users upgrade their system as soon as possible.
Rational ClearCase, a software configuration management package, has a buffer overflow in the db_loader binary that can be used by a local attacker to gain root access. The buffer overflow affects ClearCase versions 3.2+, 4.0, 4.1, and 4.2 on Linux, Solaris Sparc, Solaris x86, AIX, HP, Digital, IRIX, and SCO platforms. An exploit script has been released to the public.
It is recommended that users remove the set user id bit from the db_loader command and contact Rational for an update.
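Two of the workarounds in this column are plain permission fixes: clearing the world-writable bit on the OS X 10.1 desktop folder, and removing the set-user-id bit from the ClearCase db_loader binary. The following shell snippet is an added example, not from the column or either vendor; it reports those two conditions for any path and applies the corresponding chmod. The paths are placeholders to be replaced with the real desktop folder or db_loader location.

```shell
#!/bin/sh
# Added example: audit a path for the two risky permission bits discussed
# in this column and fix them. Uses ls(1) output rather than stat(1) so the
# same code works on BSD-derived systems (OS X) and on Linux/Solaris.

# perm_flags PATH
#   Prints "world-writable" if others may write to PATH, "setuid" if the
#   set-user-id bit is set, both (space separated) if both apply, and an
#   empty line if neither. Returns 2 if PATH does not exist.
perm_flags() {
  mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10) || return 2
  [ -n "$mode" ] || return 2
  flags=""
  # ls mode string: position 9 is the "others write" slot
  case "$mode" in ????????w?) flags="world-writable" ;; esac
  # position 4 (owner execute slot) shows s/S when set-user-id is on
  case "$mode" in ???[sS]??????) flags="${flags:+$flags }setuid" ;; esac
  printf '%s\n' "$flags"
}

# fix_world_writable PATH: drop write permission for others
# (the correction for the localized OS X 10.1 desktop folder).
fix_world_writable() { chmod o-w "$1"; }

# fix_setuid PATH: clear the set-user-id bit
# (the interim ClearCase workaround for db_loader).
fix_setuid() { chmod u-s "$1"; }

# Command-line use: report each path given, e.g.
#   sh audit-perms.sh "$HOME/Desktop" /path/to/db_loader   (placeholder paths)
for p in "$@"; do
  printf '%s: %s\n' "$p" "$(perm_flags "$p")"
done
```

Run it with the paths to check; apply `fix_world_writable` or `fix_setuid` to any path it flags.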
The printer daemon lpd, shipped with Red Hat Linux 6.2, has a buffer overflow in the display code that may be exploitable by a remote attacker to execute arbitrary code with the permissions of the root user.
Red Hat released a package to fix this problem (lpr-0.50.1-1) that was broken, and has released a new package that both fixes the bug and works. Red Hat recommends that users upgrade to this new package as soon as possible.
Users who do not use the line printer system (or any other complex system installed on their machine) should consider removing or disabling it.