Solaris Buffer Overflows
05/06/2002
Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at buffer overflows in
admintool, cachefsd, the Kerberos4 FTP client, and dtprintinfo; problems in
mod_python, Nautilus, Red Hat Linux's DocBook stylesheet, IRIX nsd, and
Solaris' rwall; and talk about reducing the risk of security problems.
- Solaris admintool
- mod_python
- Nautilus
- Red Hat Linux DocBook Stylesheet
- Solaris cachefsd
- Kerberos4 FTP Client
- IRIX nsd
- Solaris rwall
- CDE dtprintinfo
- Preventing Security Problems
The X Window based Solaris administration utility admintool is
vulnerable to several buffer overflows that can be exploited to
execute arbitrary code with root permissions. Buffer overflows have
been found in the code that handles the -d command line parameter,
the PRODVERS configuration file variable, and the media installation
path.
It has been reported that Sun has released patches that repair the
PRODVERS buffer overflows. No patches have been announced
for the media installation path buffer overflow. Users should apply
the available patches and should consider removing the set user id bit
from admintool. In most situations, admintool is being executed by
root and will not need a set user id bit for normal use.
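All three admintool reports share one shape: a set-user-id root program copies a value the user controls (a command-line option, a variable read from a configuration file) into a fixed-size buffer without checking its length. The following is an added example, not code from admintool or from Sun; the function names, the 64-byte MAXPATH limit, the assumption that -d takes a path, and the KEY=VALUE configuration format are all illustrative. It shows the vulnerable copy beside a hardened version that refuses over-long input instead of truncating it.

```c
#include <stdio.h>
#include <string.h>

#define MAXPATH 64   /* deliberately small so the boundary is easy to see */

struct config {
    char dflag[MAXPATH];     /* value of the -d command line option */
    char prodvers[MAXPATH];  /* PRODVERS= line from a configuration file */
};

/* VULNERABLE: strcpy() copies until the NUL in arg, however far away that
 * is. An argument longer than MAXPATH-1 bytes runs past dflag into the
 * rest of the struct and, when the struct lives on the stack, into saved
 * registers and the return address. In a set-user-id root program the
 * attacker's bytes then run as root. Kept only for contrast; never call
 * it with untrusted input. */
void set_dflag_unsafe(struct config *c, const char *arg)
{
    strcpy(c->dflag, arg);
}

/* HARDENED: measure first, then refuse anything that does not fit with
 * its terminator. Refusing is better than silently truncating with
 * strncpy(): a truncated path is a different bug waiting to happen.
 * Returns 0 on success, -1 if rejected. */
int set_dflag(struct config *c, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= MAXPATH)
        return -1;
    memcpy(c->dflag, arg, n + 1);   /* includes the NUL */
    return 0;
}

/* Configuration lines are assumed to look like KEY=VALUE. The same rule
 * applies to PRODVERS: whoever controls the file controls the value's
 * length. Returns 1 if PRODVERS was stored, 0 if the line is some other
 * key, -1 if the value is too long. */
int set_prodvers(struct config *c, const char *line)
{
    static const char key[] = "PRODVERS=";
    size_t klen = sizeof key - 1;
    if (strncmp(line, key, klen) != 0)
        return 0;
    const char *val = line + klen;
    size_t n = strcspn(val, "\r\n");   /* value ends at end of line or NUL */
    if (n >= MAXPATH)
        return -1;
    memcpy(c->prodvers, val, n);
    c->prodvers[n] = '\0';
    return 1;
}

/* Constructed hostile and benign inputs; returns 1 when every check
 * behaves as intended. */
int demo(void)
{
    struct config c;
    char longarg[4 * MAXPATH];
    char longline[4 * MAXPATH];

    memset(longarg, 'A', sizeof longarg - 1);
    longarg[sizeof longarg - 1] = '\0';
    /* PRODVERS= followed by 128 'A's: twice what the buffer can hold */
    snprintf(longline, sizeof longline, "PRODVERS=%.*s\n", 2 * MAXPATH, longarg);

    int ok      = set_dflag(&c, "/cdrom/cdrom0");        /* 0: fits */
    int bad     = set_dflag(&c, longarg);                /* -1: rejected */
    int got     = set_prodvers(&c, "PRODVERS=2.1\n");    /* 1: stored */
    int other   = set_prodvers(&c, "NAME=Solaris\n");    /* 0: not ours */
    int toolong = set_prodvers(&c, longline);            /* -1: rejected */

    return ok == 0 && bad == -1 && got == 1 && other == 0 && toolong == -1
        && strcmp(c.dflag, "/cdrom/cdrom0") == 0
        && strcmp(c.prodvers, "2.1") == 0;
}

int main(void)
{
    printf("demo() = %d\n", demo());
    return 0;
}
```

The hardened functions return an error rather than clamp the input; the caller should then exit with a diagnostic, since a set-user-id program that keeps going with a mangled path is still a privileged program acting on a value the user chose. Removing the set-user-id bit, as recommended above, removes the privilege boundary entirely and is the stronger fix where the tool is only run by root anyway.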
mod_python versions 2.7.6 and earlier allow a remote client, through
the Publisher handler, to reach modules that a published module has
imported and so to call functions the author never intended to expose
over the Web. This may allow a remote attacker to execute arbitrary
code with the permissions of the user running the Web server.
Users should upgrade to mod_python version 2.7.8 as soon as possible.
It has been reported that updated packages are available for Red Hat
Linux.
The GNOME graphical shell Nautilus is vulnerable to a symbolic-link race condition attack that can be used by an attacker to overwrite another user's files. Nautilus version 1.0.4 has been reported to be vulnerable.
Users should upgrade to the latest CVS version of Nautilus or should watch their vendor for a patch. Patches have been released for Red Hat Linux and Slackware.
The DocBook stylesheet distributed with Red Hat Linux 6.2, 7.0, 7.1, and 7.2 has an insecure option enabled: element identifiers are used as output file names, so an untrusted document whose identifiers are full path names can write files outside of the current directory.
Red Hat has released an updated docbook-utils package that corrects this problem.
The Solaris cachefsd daemon is vulnerable to a buffer overflow (in the
handling of mounts supplied by a user) that can be used by a local
attacker to execute code as root. cachefsd is also vulnerable to a
remote denial-of-service attack. Both attacks are reported to affect
Solaris 2.6, 7, and 8, for both Sparc and x86 architectures.
Users should block remote access to cachefsd using a firewall, and
should consider disabling it until patches have been released. Note
that cachefsd is an RPC service on a dynamically assigned port, so a
firewall rule has to cover the portmapper (port 111) and the RPC port
range rather than a single fixed port; on these releases it is started
from inetd and can be disabled by commenting out its line in
/etc/inetd.conf, as described for rwall below.
The Kerberos4 FTP client is vulnerable, under some conditions, to a buffer overflow that can be exploited by a remote attacker to execute code as the user running the client. The attacker must control an FTP server that has been modified to send a long reply when the client requests passive mode. Version 4-1.1.1 of the Kerberos4 FTP client is reported to be vulnerable.
Users should watch for an update to the Kerberos4 FTP client.
The IRIX name service daemon nsd is vulnerable to a symbolic-link race condition attack when it writes its dump file.
SGI recommends that users upgrade to IRIX 6.5.11 or newer.
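The Nautilus and nsd entries above are the same bug class: a program writes to a path the attacker can predict, in a directory the attacker can also write to, and follows whatever symbolic link the attacker left there. The following is an added example, not code from Nautilus, nsd, GNOME or SGI. It places the vulnerable open beside the hardened one and adds a small harness that plays the attacker; the directory under /tmp, the file names, the function names and the dump contents are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700   /* O_NOFOLLOW, mkdtemp and symlink on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* VULNERABLE pattern: open a predictable path for writing. If someone who
 * can write to the directory has already placed a symlink there, the
 * writer follows it and truncates the link's target with the writer's own
 * privileges (root for nsd, the victim user's for Nautilus). */
int write_dump_unsafe(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(data, f);
    fclose(f);
    return 0;
}

/* HARDENED: O_EXCL makes creation fail if anything, file or symlink,
 * already exists at the path; O_NOFOLLOW refuses to traverse a symlink in
 * the final component; mode 0600 keeps the dump private. Failure is
 * reported, never retried with a weaker mode. Returns 0 on success. */
int write_dump_safe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    close(fd);
    return (n >= 0 && (size_t)n == len) ? 0 : -1;
}

/* Read the first line of a file into buf; returns 0 on success. */
static int read_first_line(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    int ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    return ok ? 0 : -1;
}

/* Harness with constructed paths: plant dump -> victim as the attacker
 * would, then run both writers. Returns 1 when the unsafe writer
 * clobbered victim and the safe writer refused, 0 if either behaved
 * differently, -1 if the temporary directory could not be set up. */
int race_demo(void)
{
    char dir[] = "/tmp/symlink-race-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;

    char victim[256], link[256], line[64] = {0};
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/dump", dir);

    /* The file the attacker wants overwritten. */
    if (write_dump_safe(victim, "secret\n") != 0)
        return -1;
    /* Attacker wins the race: the dump path already exists as a symlink. */
    if (symlink(victim, link) != 0)
        return -1;

    int unsafe_rc = write_dump_unsafe(link, "pwned\n");
    read_first_line(victim, line, sizeof line);
    int clobbered = (strcmp(line, "pwned\n") == 0);

    int safe_rc = write_dump_safe(link, "dump\n");   /* expect -1 (EEXIST) */

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return (unsafe_rc == 0 && clobbered && safe_rc == -1) ? 1 : 0;
}

int main(void)
{
    printf("race_demo() = %d\n", race_demo());
    return 0;
}
```

The harness creates its own private directory rather than writing directly into /tmp because current Linux kernels, with the protected_symlinks sysctl enabled, already refuse to follow symlinks in sticky world-writable directories when the link owner differs from the follower; a privileged program should still not rely on that and should use O_EXCL and O_NOFOLLOW (or a freshly created directory it owns) regardless of the kernel it happens to run on.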
The rwall daemon (walld) supplied with Solaris 2.6, 7, and 8 is
vulnerable, under some conditions, to a remotely-exploitable attack
that can be used to obtain root access. A script to automate part of
the attack has been released.
It is recommended that users disable rwall by commenting out the walld
line in /etc/inetd.conf, sending inetd a HUP signal so that it rereads
the file, and watching Sun for a patch for this problem. Systems that
do not receive wall messages from other machines may never need to
have this application turned back on.
dtprintinfo, used to open the CDE Print Manager window, is vulnerable
to a buffer overflow that can be used by a local attacker to gain root
access. This vulnerability is reported to affect: Solaris 2.4, 2.5,
2.5.1, 2.6, 7, and 8; AIX 4.3, 4.3.1, 4.3.2, and 4.3.3; HP-UX 10.10,
10.20, 10.24, 11.00, 11.04, and 11.11; and Tru64 5.1A, 5.1, 5.0A,
4.0G, and 4.0F.
Users should apply the available patches as soon as possible and
should consider removing the set user id bit from
dtprintinfo if it is not needed.
This week's vulnerabilities in walld are very good examples of a more
generic problem in modern operating systems. Many systems ship with a
large number of set user id or set group id applications, and other
applications that run as the root user, that are never used or noticed
until a security alert is written about them or crackers begin to
exploit them. It can even be difficult to figure out what some of
these applications are for. Most systems' default installation is
optimized for ease of use and to maximize available features, not with
security foremost in mind.
Very few systems need to have wall work across the network, but many
distributions have it enabled. Many systems sit with a printer daemon
listening on the network, but no printers attached or configured.
One way to protect a system from vulnerabilities is to remove or
disable applications that are not needed. If the system does not use
a printer, then disable the printing subsystem. If
dtprintinfo is not
being used, it does not need to be set user id root. It is important
to watch for security vulnerabilities, but it is even better to know
that the last five bugs in unused applications have not made your