
Linux Vulnerabilities : Dec 11 onwards

Discussion in 'Linux and Unix' started by eddie5659, Dec 15, 2001.

Thread Status:
Not open for further replies.
  1. eddie5659

    eddie5659 Moderator Malware Specialist Thread Starter

    Mar 19, 2001

    Wietse Venema reported he found a denial of service vulnerability in
    postfix. The SMTP session log that postfix keeps for debugging purposes
    could grow to an unreasonable size.



    OpenSSH is a freely available, open source implementation of the
    Secure Shell protocol. It provides secure encrypted communication
    between two untrusted hosts over an insecure network.

    The OpenSSH developers released[1] a new version of OpenSSH which
    fixes a local vulnerability[2] related to the "UseLogin" option. If
    this option is enabled, local users may be able to pass arbitrary
    environment variables to the "login" process. By setting LD_PRELOAD
    and using a malicious shared library, an attacker might execute
    arbitrary code as root.

    Please note that Conectiva Linux does not have the "UseLogin" option
    enabled by default. Therefore, it's not vulnerable to attacks unless
    the system administrator has turned it on.



    The OpenSSH team has reported a vulnerability in the OpenSSH server
    that allows remote attackers to obtain root privilege if the server
    has the UseLogin option enabled. This option is off by default on
    OpenLinux, so a default installation is not vulnerable.

    We nevertheless recommend that our customers upgrade to the fixed

    Exploits of this vulnerability have apparently been circulated for
    some time.

    Linux - Remote vulnerability in OpenSSH


    The default pam files for the passwd program did not include support
    for md5 passwords, thus any password changes or post-install added
    users would not have md5 passwords.



    The new OpenSSH 3.0.2 fixes a vulnerability in the UseLogin option.
    By default, Mandrake Linux does not enable UseLogin, but if the
    administrator enables it, local users are able to pass environment
    variables to the login process. This update also fixes a security
    hole in the KerberosV support that is present in versions 2.9.9 and



    Updated glibc packages are available to fix an overflowable buffer
    and for 7.x to fix a couple of non-security related bugs.

    Red Hat Linux 6.2 - alpha, i386, i686, sparc, sparcv9

    Red Hat Linux 7.0 - alpha, alphaev6, i386, i686

    Red Hat Linux 7.1 - alpha, alphaev6, i386, i686, ia64

    Red Hat Linux 7.2 - i386, i686


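
An added example, not part of the original post and not OpenSSH's own patch: the UseLogin bug above is a root-owned sshd handing a local user's environment, LD_PRELOAD included, to login(1). The general fix is to never pass the caller's environment to a privileged child and instead build a fresh one from an allow-list. The names here (ALLOWED, sanitize_env, env_has_prefix) and the sample environment are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Names a login session legitimately needs; everything else is dropped.
   (Hypothetical list for this example.) */
static const char *const ALLOWED[] = { "TERM", "LANG", "TZ", "DISPLAY", NULL };

/* 1 if "NAME=value" has a non-empty, allow-listed NAME; 0 otherwise. */
static int env_entry_ok(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;                           /* no '=' or empty name */
    size_t nlen = (size_t)(eq - entry);
    for (const char *const *p = ALLOWED; *p != NULL; p++)
        if (strlen(*p) == nlen && strncmp(*p, entry, nlen) == 0)
            return 1;
    return 0;                               /* LD_PRELOAD, LD_LIBRARY_PATH, PATH, ... */
}

void free_env(char **env)
{
    if (env == NULL) return;
    for (size_t i = 0; env[i] != NULL; i++)
        free(env[i]);
    free(env);
}

/* Copy only the allow-listed entries of 'in' into a new NULL-terminated
   array (order preserved). Returns NULL if allocation fails. */
char **sanitize_env(char *const *in)
{
    size_t n = 0;
    while (in[n] != NULL) n++;
    char **out = calloc(n + 1, sizeof *out);   /* calloc: already NULL-terminated */
    if (out == NULL) return NULL;
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (!env_entry_ok(in[i])) continue;
        out[k] = strdup(in[i]);
        if (out[k] == NULL) { free_env(out); return NULL; }
        k++;
    }
    return out;
}

size_t env_len(char *const *env)
{
    size_t n = 0;
    while (env[n] != NULL) n++;
    return n;
}

/* 1 if any entry starts with 'prefix' (e.g. "LD_"); used to verify the result. */
int env_has_prefix(char *const *env, const char *prefix)
{
    size_t plen = strlen(prefix);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], prefix, plen) == 0) return 1;
    return 0;
}

int main(void)
{
    /* Constructed environment a local user might hand to sshd (not from the advisory). */
    char *const attacker_env[] = {
        "TERM=xterm", "LD_PRELOAD=/tmp/evil.so", "LANG=C",
        "PATH=/tmp:/bin", "LD_LIBRARY_PATH=/tmp", NULL
    };
    char **clean = sanitize_env(attacker_env);
    if (clean == NULL) return 1;
    printf("kept %zu of %zu entries; LD_* present: %s\n",
           env_len(clean), env_len(attacker_env),
           env_has_prefix(clean, "LD_") ? "yes" : "no");
    for (size_t i = 0; clean[i] != NULL; i++)
        printf("  %s\n", clean[i]);
    free_env(clean);        /* execve("/bin/login", argv, clean) would take this array */
    return 0;
}
```

The dynamic loader only ignores LD_PRELOAD when a process changes privilege (setuid); here sshd is already root and login runs as root, so nothing in the loader stops the preload. The allow-list has to be enforced by the program that performs the exec.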

  2. eddie5659

    eddie5659 Moderator Malware Specialist Thread Starter

    Mar 19, 2001

    Might as well add this on here:

    There is a problem in the glob(3) function of the Glibc library which
    allows for exploitation of programs that pass user supplied input
    directly to it.


    A malicious local user can pass environment variables to the login
    process if the administrator enables the UseLogin option. This can
    be abused to bypass authentication and gain root access.
    Note that this option is not enabled by default on TSL.


    The 2.2.20 release of the Linux kernel fixes a number of bugs. In
    addition there are some driver updates and SMP fixes in this package.


    A remote format string vulnerability was found in the libgtop daemon by
    Laboratory intexxia. By sending a specially crafted format string to
    the server, a remote attacker could potentially execute arbitrary code
    on the remote system with the daemon's permissions. By default libgtop
    runs as the user nobody, but the flaw could be used to compromise local
    system security by allowing the attacker to exploit other local
    vulnerabilities. A buffer overflow was also found by Flavio Veloso
    which could allow the client to execute code on the server. Both
    vulnerabilities are patched in this update and will be fixed upstream
    in version 1.0.14. libgtop_daemon is not invoked by default anywhere
    in Mandrake Linux.


    Updated Mailman packages are now available for Red Hat PowerTools 7 and
    7.1. These updates fix cross-site scripting bugs which might allow another
    server to be used to gain a user's private information from a server
    running Mailman.


    Updated Mailman packages are now available for Red Hat Linux 7.2. These
    updates fix cross-site scripting bugs which might allow another server to
    be used to gain a user's private information from a server running Mailman.


    process if the administrator enables the UseLogin option. This can
    be abused to bypass authentication and gain root access.
    Note that this option is not enabled by default on TSL.

    Updated, part II:
    There was a file conflict in the packages in the first two advisories.
    Packages are now fixed, and the MD5 sum is updated.



  3. eddie5659

    eddie5659 Moderator Malware Specialist Thread Starter

    Mar 19, 2001
    and a few more:

    The file globbing (matching filenames against patterns such as "*.bak")
    routines in glibc exhibit an error that results in a heap corruption
    and that may allow a remote attacker to execute arbitrary commands from
    processes that take globbing strings from user input.
    Tom Parker, Global InterSec LLC, addressed SuSE Security and illustrated
    an attack scenario against the BSD-derived ftp daemon that is installed
    as /usr/sbin/in.ftpd in SuSE Linux distributions. The said in.ftpd should
    not be confused with the Washington University ftp daemon (wu-ftpd) that
    comes installed as /usr/sbin/wu.ftpd in SuSE Linux and uses its own
    globbing functions.

    Since the attack against in.ftpd is based on a heap corruption in glibc,
    the proper solution for the error is to exchange the responsible code in
    the glibc globbing functions. It should be expected that other network
    service daemons that accept user-supplied globbing strings such as rsyncd
    can be exploited with this glibc globbing error. There is no satisfactory
    workaround against the problem other than updating the glibc libraries
    with a fixed version. We provide update packages for this purpose.

    Users of the SuSE Linux 6.3 distribution should upgrade their systems
    to a newer product since security update support for SuSE Linux 6.3
    has been discontinued two years after the release.


    Updated namazu packages are available for Red Hat Linux 7.0J. These
    packages fix a cross-site scripting vulnerability.


    There is a format string vulnerability in stunnel which may allow an
    attacker to exploit a victim by impersonating a mail server.


    The package 'gpm' contains the 'gpm-root' program, which can be used to
    create mouse-activated menus on the console.
    Among other problems, the gpm-root program contains a format string
    vulnerability, which allows an attacker to gain root privileges.

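
An added example, not from the original post and not code from libgtop, stunnel or gpm: the libgtop_daemon issue in the previous post and the stunnel and gpm-root issues above are all the same bug class, attacker-controlled text used as the printf *format* rather than as an argument. The example shows the vulnerable and the fixed call side by side, plus a small check that flags input carrying conversion directives. Function names and sample strings are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable shape: the untrusted string IS the format. A "%x" in it dumps
   stack words into the log; a "%n" writes to memory. main() below only ever
   feeds it harmless input, so the program runs without undefined behaviour. */
int log_unsafe(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, untrusted);   /* gcc -Wformat-security flags this line */
}

/* Fixed shape: constant format, the untrusted text is only an argument. */
int log_safe(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "client said: %s", untrusted);
}

/* Count conversion directives (a '%' not immediately followed by '%').
   Useful as a detection or reject rule for log text that looks like a
   format-string probe; it is not a substitute for fixing the call. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal '%' */
        n++;
    }
    return n;
}

int main(void)
{
    char buf[128];
    /* Constructed inputs (not from the advisories). "%%" is harmless but
       shows the point: the unsafe call interprets it, the safe one does not. */
    const char *probe = "%x %x %x %n";
    const char *mild  = "done 100%%";

    printf("conversions in probe: %d\n", count_conversions(probe));   /* 4 */

    log_unsafe(buf, sizeof buf, mild);
    printf("unsafe: %s\n", buf);   /* "done 100%": the text was parsed as a format */

    log_safe(buf, sizeof buf, mild);
    printf("safe:   %s\n", buf);   /* "client said: done 100%%": printed verbatim */
    return 0;
}
```

The same rule applies to syslog(), fprintf() and any wrapper that forwards a format: if the text came from the network, it goes after a literal "%s", never in the format slot.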


  4. eddie5659

    eddie5659 Moderator Malware Specialist Thread Starter

    Mar 19, 2001
    Might as well post here. No point opening a new thread.

    Updated Mailman packages are now available for Red Hat Secure Web Server
    3.2 (U.S.). These updates fix cross-site scripting bugs which might allow
    another server to be used to gain a user's private information from a
    server running Mailman.


    mutt- is released as an update to the last stable version of
    mutt, mutt-1.2.5. The ONLY relevant change in this version is the
    fix mentioned above. No other bugs present in 1.2.5 have been
    fixed. You only want to upgrade to this version of mutt if you
    absolutely have to stick with the mutt-1.2 series.

    mutt-1.3.25 is the latest BETA version of mutt, and very close to
    what will eventually become mutt-1.4. Personally, I'd recommend
    that you download and use this version.


    Joost Pol found a buffer overflow in the address handling code of
    mutt (a popular mail user agent). Even though this is a one byte
    overflow this is exploitable.

    This has been fixed upstream in version and 1.3.25. The
    relevant patch has been added to version 1.2.5-5 of the Debian


    The GNU C Library (glibc) is the standard library used by almost any
    program in a common Linux system.

    There is a buffer overflow[1] discovered by Flávio Veloso in the
    glibc's glob() function. By triggering this vulnerability[2], an
    attacker could make a program which uses that function execute
    arbitrary code.


    LibGTop (from the Gnome project) is a library that fetches system
    related information such as CPU Load, Memory Usage and running
    processes. It includes a daemon (libgtop_daemon) which can be used to
    monitor processes remotely.

    There are two libgtop_daemon vulnerabilities addressed by this

    The first one[1] was found by the Laboratory intexxia and is related
    to a format string vulnerability in the libgtop_daemon logging
    mechanisms. The second[2] was found later[3] by Flavio Veloso when
    investigating the first and is a buffer overflow in the same part of
    the code.

    By exploiting any of the vulnerabilities an attacker would be able to
    execute arbitrary code with the privileges of the user libgtop_daemon
    is running as.

    Notice that libgtop_daemon is not invoked by default anywhere in
    Conectiva Linux, even if you're running Gnome as your desktop.


    The Exim maintainer, Philip Hazel, writes about this issue: "The
    problem exists only in the case of a run time configuration which
    directs or routes an address to a pipe transport without checking the
    local part of the address in any way. This does not apply, for
    example, to pipes run from alias or forward files, because the local
    part is checked to ensure that it is the name of an alias or of a
    local user. The bug's effect is that, instead of obeying the correct
    pipe command, a broken Exim runs the command encoded in the local part
    of the address."

    This problem has been fixed in Exim version 3.12-10.2 for the stable
    distribution Debian GNU/Linux 2.2 and 3.33-1.1 for the testing and
    unstable distribution. We recommend that you upgrade your exim


    The sparc binary for the mutt security fix described in DSA-096-1
    is now available.



  5. eddie5659

    eddie5659 Moderator Malware Specialist Thread Starter

    Mar 19, 2001
    some more for the sheer hell of it. Again, no point making a new thread.

    ProFTPD is a highly configurable FTP daemon written from scratch for
    Unix and Unix-like operating systems.

    This advisory addresses two security problems:

    1. ProFTPD was not forward resolving reverse-resolved hostnames. A
    remote attacker could exploit this vulnerability[1] to bypass ProFTPD
    access control lists or have false information (client hostname)
    logged. It was discovered by Matthew S. Hallacy.

    2. A DoS vulnerability[2] was found by Frank Denis. By sending a
    malicious command to the server, a remote attacker could force the
    process to consume all CPU and memory resources available to it.
    Multiple attack instances could effectively bring the server down.

    This update also fixes a Segmentation Fault problem, found[3] by
    Mattias, which was further analyzed and considered by the developers
    as not exploitable.


    There are some insecure permissions on configuration files and
    executables with the bind 9.x packages shipped with Mandrake Linux 8.0
    and 8.1. This update provides stricter permissions by making the
    /etc/rndc.conf and /etc/rndc.key files read/write by the named user and
    by making /sbin/rndc-confgen and /sbin/rndc read/write/executable only
    by root.


    The use of LD_PRELOAD can make a program with privileges given by LIDS
    execute an attacker's code. This means that a root intruder can get every
    capability or fs access you configured LIDS to grant. Moreover, if you
    granted CAP_SYS_RAWIO or CAP_SYS_MODULE to a program, an attacker could
    deactivate LIDS and thus access any file.

    In some configurations, this also leads to users being able to become root
    (there must be a program granted CAP_SETUID which is not setuid).


    Updated namazu packages are available for Red Hat Linux 7.0J. These
    packages fix cross-site scripting vulnerabilities. It also fixes a possible
    buffer overflow.


    The pine port, versions previous to pine-4.44, handles URLs in
    messages insecurely. PINE allows users to launch a web browser to
    visit a URL embedded in a message. Due to a programming error, PINE
    does not properly escape meta-characters in the URL before passing it
    to the command shell as an argument to the web browser.

    The pine port is not installed by default, nor is it "part of FreeBSD"
    as such: it is part of the FreeBSD ports collection, which contains
    over 6000 third-party applications in a ready-to-install format. The
    ports collection shipped with FreeBSD 4.4 contains this problem since
    it was discovered after the release.

    FreeBSD makes no claim about the security of these third-party
    applications, although an effort is underway to provide a security
    audit of the most security-critical ports.


    The webmail frontend IMP has a cross site scripting problem, allowing
    a remote attacker to send you an E-mail with a malformed URL that when
    clicked on will open your mail session to the attacker, allowing him
    to read and delete your E-mails.


    Slash, the code that runs Slashdot and many other web sites, has a
    vulnerability in recent versions that allows any logged-in user to
    log in as any other user.

    This allows users to take nearly full control of a Slash system (post
    and delete stories, posting stories, edit users, post as other users,
    etc., and do anything that a Slash user can do) by logging in to
    an administrator's Slash account.

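
An added example, not from the original post and not pine's code: the pine item above is the classic "untrusted string into a shell command line" bug. The example shows the vulnerable string build, a quoting routine that makes the URL a single shell word, and the better option of skipping the shell entirely by passing the URL as its own argv entry. All function names and the hostile URL are this example's own constructions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Shell metacharacters: if the URL contains any of these, pasting it into a
   command line hands the sender a shell. */
int has_shell_meta(const char *s)
{
    return strpbrk(s, ";&|`$()<>'\"\\ \t\n*?[]{}~#") != NULL;
}

/* The vulnerable shape: URL interpolated into a string later handed to
   system()/popen(). "http://x/;id" becomes "lynx http://x/;id", so the
   shell runs lynx and then id. Never executed here; shown for contrast. */
int build_shell_command(char *out, size_t outsz, const char *browser, const char *url)
{
    return snprintf(out, outsz, "%s %s", browser, url);
}

/* Append n bytes, always keeping room for the terminating NUL. */
static int put(char *out, size_t outsz, size_t *k, const char *src, size_t n)
{
    if (*k + n >= outsz) return -1;
    memcpy(out + *k, src, n);
    *k += n;
    return 0;
}

/* POSIX single-quoting: wrap in '...' and turn each embedded ' into '\''.
   Returns the length written, or -1 if 'out' is too small. */
int shell_quote(char *out, size_t outsz, const char *s)
{
    size_t k = 0;
    if (put(out, outsz, &k, "'", 1) < 0) return -1;
    for (; *s != '\0'; s++) {
        if (*s == '\'') {
            if (put(out, outsz, &k, "'\\''", 4) < 0) return -1;
        } else {
            if (put(out, outsz, &k, s, 1) < 0) return -1;
        }
    }
    if (put(out, outsz, &k, "'", 1) < 0) return -1;
    out[k] = '\0';
    return (int)k;
}

/* The real fix: no shell at all. The URL is one argv element whatever it
   contains. Returns the child's exit status, or -1 on fork/wait failure. */
int run_browser(const char *browser, const char *url)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)browser, (char *)url, NULL };
        execvp(browser, argv);
        _exit(127);                       /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256], quoted[256];
    const char *url = "http://example.com/;id";   /* constructed hostile URL */

    build_shell_command(cmd, sizeof cmd, "lynx", url);
    printf("meta chars: %s\nnaive command: %s\n",
           has_shell_meta(url) ? "yes" : "no", cmd);
    if (shell_quote(quoted, sizeof quoted, url) > 0)
        printf("quoted for a shell: lynx %s\n", quoted);

    /* 'echo' stands in for the browser: the whole URL is printed, id is not run. */
    int rc = run_browser("echo", url);
    printf("run_browser returned %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Quoting is the patch-sized fix; building argv and calling execvp is the design fix, because there is no shell left to interpret anything. The same reasoning applies to the Exim item in the previous post, where the local part of an address ended up being run as the pipe command.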


  6. eddie5659

    eddie5659 Moderator Malware Specialist Thread Starter

    Mar 19, 2001
    and again:


    Exploitation of the conditions discovered during the audit could lead
    to a denial of service or remote root compromise.


    EnGarde Secure Linux is a secure distribution of Linux that features
    improved access control, host and network intrusion detection, Web
    based secure remote management, complete e-commerce using AllCommerce,
    and integrated open source security tools.

    There is a signed integer handling vulnerability in rsync which can
    allow an attacker to potentially gain root access.



    The rsync program allows users and administrators to synchronize files and
    whole directory structures on different machines. It is common practice
    to allow remote users to mirror ftp servers via anonymous rsync access.
    There exist several signedness bugs within the rsync program which allow
    remote attackers to write 0-bytes to almost arbitrary stack locations,
    therefore being able to control the program flow and obtaining a shell
    remotely. These bugs have been fixed.



    Sebastian Krahmer from SuSE did an audit on the rsync source code and
    found several vulnerabilities regarding the use of signed integers.
    Some variables could receive a negative value, and this was a
    condition that was not expected by the program. A remote attacker
    could exploit this to execute commands on the rsync server.



    Sebastian Krahmer found several places in rsync (a popular tool to
    synchronise files between machines) where signed and unsigned numbers
    were mixed which resulted in insecure code. This could be abused by
    remote users to write 0-bytes in rsync's memory and trick rsync into
    executing arbitrary code.


    Slackware 8.0 ChangeLog

    patches/packages/rsync.tgz: Fixed a security hole by upgrading to
    rsync-2.4.8pre1. This is the relevant information from the rsync NEWS file


    New rsync packages available

    New rsync packages are available; these fix a remotely exploitable problem
    in the I/O functions.

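
An added example, not from the original post and not rsync's code: the signedness bug described in the advisories above, in miniature. A length arrives from the peer as a signed 32-bit value; a check of the form "len > MAX" lets a negative length through, after which the copy length becomes huge and a terminating "buf[len] = 0" lands below the buffer, which is the "write 0-bytes to almost arbitrary stack locations" in the SuSE text. The hardened reader rejects the value before any arithmetic. Buffer size, wire format and function names are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXLEN 64   /* hypothetical fixed receive buffer */

/* Decode a little-endian 32-bit field as the protocol's signed int. */
static int32_t read_int32(const unsigned char *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Vulnerable length check. 'len' is signed, so -1 is not > MAXLEN and
   passes. Returns 1 if the code would go on to copy, 0 if it rejects.
   The copy itself is deliberately not performed: with len == -1 it would
   be memcpy(dst, src, (size_t)-1) followed by dst[-1] = '\0'. */
int vulnerable_accepts(const unsigned char *hdr)
{
    int len = read_int32(hdr);
    if (len > MAXLEN)
        return 0;              /* the only check the buggy code had */
    return 1;
}

/* Hardened reader: bounds on both sides, and the length is compared
   against the bytes actually present before anything is touched.
   Returns bytes copied into dst, or -1 on a bad length. */
int read_blob(const unsigned char *msg, size_t msglen, char dst[MAXLEN + 1])
{
    if (msglen < 4) return -1;                  /* no header */
    int32_t len = read_int32(msg);
    if (len < 0 || len > MAXLEN) return -1;     /* rejects -1 and 256 alike */
    if ((size_t)len > msglen - 4) return -1;    /* truncated message */
    memcpy(dst, msg + 4, (size_t)len);
    dst[len] = '\0';                            /* index is now provably in range */
    return (int)len;
}

int main(void)
{
    /* Constructed wire messages (not captured traffic): length then payload. */
    const unsigned char good[]  = { 4, 0, 0, 0, 'd', 'a', 't', 'a' };
    const unsigned char neg[]   = { 0xff, 0xff, 0xff, 0xff };          /* -1 */
    const unsigned char big[]   = { 0x00, 0x01, 0x00, 0x00 };          /* 256 */
    char out[MAXLEN + 1];

    printf("vulnerable check accepts len=-1:  %d (bug)\n", vulnerable_accepts(neg));
    printf("vulnerable check accepts len=256: %d\n", vulnerable_accepts(big));
    printf("hardened read, len=-1:  %d\n", read_blob(neg, sizeof neg, out));
    printf("hardened read, len=256: %d\n", read_blob(big, sizeof big, out));
    int n = read_blob(good, sizeof good, out);
    printf("hardened read, len=4:   %d bytes -> \"%s\"\n", n, out);
    return 0;
}
```

Two habits close this class of bug: keep lengths and indices unsigned once they have been validated, and compare against the data actually received, not just against the buffer size.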

  7. Massive


    Feb 3, 2002
    Great :)
Short URL to this thread: https://techguy.org/61895