Linux Advisory Watch – August 20, 2004


Author: Ryan Maple

week, advisories were released for acroread, ftpd, gaim, glibc, gv,
kdelibs, kernel, mozilla, mysql, Nessus, Netscape, pam, qt3, Roundup,
rsync, ruby, semi, spamassassin, squirrelmail, and Tomcat. The
distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake,
NetBSD, Red Hat, Suse, and Trustix.

Reducing the Risk

Reducing the
risk of intrusion can be achieved by eliminating many of the known
common problems.

The vast majority of attacks on done by script kiddies who scan massive
IP blocks looking for a vulnerable computer, then run a program which
they don’t understand, to exploit the vulnerability they’ve just
discovered.  To block these script kiddies just fix the common
vulnerabilities that the programs they use rely on.

Buffer Overflow

A buffer overflow attack is when the attacker sends malformed packets
to a service that causes the memory buffer to overflow.  The
cracker hopes this will cause the program to crash and defaulting into
a root prompt.  Buffer overflows happen because of programming
errors where input was not checked to be valid.

To prevent buffer overflows, all code must be meticulously hand checked
multiple times by multiple people.  Since this is not often
possible, to limit the chances of being successfully cracked by a
buffer overflow attack, make sure you keep your systems up to date and
get rid of all excess services. Reducing the number of total services
your server is offering, the less amount of code that could have a
potential buffer overflow.  Also, there are kernel patches that
prevent some forms of buffer overflow.

Denial of Service

A Denial of Service, DoS, attack can come in many shapes and forms. The
Blue Screen of Death from Windows can be one if it is caused by someone
and not just poor programming.  Also, the infamous DDoS attacks
from earlier this year are an example where multiple ‘zombie’ computers
coordinate together to attack a host all at the same time. A DoS attack
is anything that maliciously prevents the computer from doing what was
intended.  This is usually accomplished by errors in code that
will cause the program to eat up all the system resources.

IP Session Hi-Jacking

IP Session Hi-Jacking, also known as a man in the middle attack, is a
sophisticated attack which can now be done using tools circulating in
the script kiddie community.  With an IP Session Hi-Jacking, an
user connects to a system using a service like telnet, then a cracker
intercepts the packets and tricks the system into thinking that the
cracker’s machine is actually the user’s machine.  The user will
think her connect got dropped, when in actuality, it is still going,
but it has been taken over by the cracker.

With this form of attack, there is no way to block it, but there are
checks that can be done to prevent it.  Telnet is the type of
service that crackers want to hi-jack; it has shell access, is
unencrypted, and doesn’t perform many checks to make sure the person
really is who they say they are.  SSH, on the other hand, would be
very hard to hi-jack; it has strong encryption, multiple checks of an
identity, and can have its shell access limited.  Most services
can’t really be hi-jacked, but the ones that can, like telnet, usually
have a secure replacement, like SSH, that can be used instead.

 Security Tip Written by Ryan Maple (
 Additional tips are available at the following URL:

Feature Extras:

Interview with Gary McGraw, Co-author of Exploiting Software: How to
Break Code
Gary McGraw is perhaps best known for his
work on securing software, having co-authored the classic Building
Secure Software (Addison-Wesley, 2002). More recently, he has
co-written with Greg Hoglund a companion volume, Exploiting Software,
which details software security from the vantage point of the other
side, the attacker. He has graciously agreed to share some of his
insights with all of us at

Expert Dave Wreski Discusses Open Source Security
Dave Wreski, CEO of
Guardian Digital, Inc. and respected author of various hardened
security and Linux publications, talks about how Guardian Digital is
changing the face of IT security today. Guardian Digital is perhaps
best known for their hardened Linux solution EnGarde Secure Linux,
touted as the premier secure, open-source platform for its
comprehensive array of general purpose services, such as web, FTP,
email, DNS, IDS, routing, VPN, firewalling, and much more.

[ Linux
Advisory Watch
] – [ Linux Security Week
] – [ PacketStorm
] – [ Linux
Security Documentation

Watch is a comprehensive newsletter that outlines the security
vulnerabilities that have been announced throughout the week. It
includes pointers to updated packages and descriptions of each

Distribution: Conectiva
  8/13/2004 squirrelmail
    Multiple vulnerabilities

This patch addresses four vulnerabilities in SquirrelMail, including
XSS and SQL injection attacks.

Distribution: Debian
  8/20/2004 ruby
    Insecure file permissions

This can lead an attacker who has also shell access to the webserver to
take over a session.

  8/20/2004 rsync
    Insufficient path sanitation

The rsync developers have discoverd a security related problem in rsync
which offers an attacker to access files outside of the defined

  8/20/2004 kdelibs
    Insecure temporary file vulnerability

This can be abused by a local attacker to create or truncate arbitrary
files or to prevent KDE applications from functioning correctly.

  8/20/2004 mysql
    Insecure temporary file vulnerability

Jeroen van Wolffelaar discovered an insecure temporary file
vulnerability in the mysqlhotcopy script when using the scp method
which is part of the mysql-server package.

Distribution: Fedora
  8/20/2004 rsync
    Insufficient path sanitization

This update backports a security fix to a path-sanitizing flaw that
affects rsync when it is used in daemon mode without also using chroot.

Distribution: Gentoo
  8/13/2004 Roundup
    Filesystem access vulnerability

Roundup will make files owned by the user that it’s running as
accessable to a remote attacker.

  8/13/2004 gv
    Buffer overflow vulnerability

gv contains an exploitable buffer overflow that allows an attacker to
execute arbitrary code.

  8/13/2004 Nessus
    Race condition vulnerability

Nessus contains a vulnerability allowing a user to perform a privilege
escalation attack using “adduser”.

  8/13/2004 Gaim
    Buffer overflow vulnerability

Gaim contains a remotely exploitable buffer overflow vulnerability in
the MSN-protocol parsing code that may allow remote execution of
arbitrary code.

  8/13/2004 kdebase,kdelibs Multiple
    Buffer overflow vulnerability

KDE contains three security issues that can allow an attacker to
compromise system accounts, cause a Denial of Service, or spoof
websites via frame injection.

  8/20/2004 acroread
    Buffer overflow vulnerabilities

Acroread contains two errors in the handling of UUEncoded filenames
that may lead to execution of arbitrary code or programs.

  8/20/2004 Tomcat
    Insecure installation

Improper file ownership may allow a member of the tomcat group to
execute scripts as root.

  8/20/2004 glibc
    Information leak vulnerability

glibc contains an information leak vulnerability allowing the debugging
of SUID binaries.

  8/20/2004 rsync
    Insufficient path sanitation

This vulnerability could allow the listing of arbitrary files and allow
file overwriting outside module’s path on rsync server configurations
that allow uploading.

  8/20/2004 xine-lib Buffer overflow
    Insufficient path sanitation

An attacker may construct a carefully-crafted playlist file which will
cause xine-lib to execute arbitrary code with the permissions of the

  8/20/2004 courier-imap Format string
    Insufficient path sanitation

An attacker may be able to execute arbitrary code as the user running
courier-imapd (oftentimes root).

Distribution: Mandrake
  8/13/2004 gaim
    Buffer overflow vulnerabilities

Sebastian Krahmer discovered two remotely exploitable buffer overflow
vunerabilities in the gaim instant messenger.

  8/13/2004 mozilla
    Multiple vulnerabilities

A large number of Mozilla vulnerabilites is addressed by this update.

  8/20/2004 rsync
    Insufficient path sanitation

If rsync is running in daemon mode, and not in a chrooted environment,
it is possible for a remote attacker to trick rsyncd into creating an
absolute pathname while sanitizing it.

  8/20/2004 spamassassin
    Denial of service vulnerability

Security fix prevents a denial of service attack open to certain
malformed messages.

  8/20/2004 qt3
    Heap overflow vulnerability

his vulnerability could allow for the compromise of the account used to
view or browse malicious graphic files.

Distribution: NetBSD
  8/20/2004 ftpd
    Privilege escalation vulnerability

A set of flaws in the ftpd source code can be used together to achieve
root access within an ftp session.

Distribution: Red Hat
  8/19/2004 pam
    Privilege escalation vulnarability

If he pam_wheel module was used with the “trust” option enabled, but
without the “use_uid” option, any local user could use PAM to gain
access to a superuser account without supplying a password.

  8/19/2004 Itanium
    kernel Multiple vulnerabilities

Updated Itanium kernel packages that fix a number of security issues
are now available.

  8/19/2004 semi
    Insecure temporary file vulnerability

Temporary files were being created without taking adequate precautions,
and therefore a local user could potentially overwrite files with the
privileges of the user running emacs.

  8/20/2004 Netscape
    Multiple vulnerabilities

Netscape Navigator and Netscape Communicator have been removed from the
Red Hat Enterprise Linux 2.1 CD-ROM distribution as part of Update 5.
These packages were based on Netscape 4.8, which is known to be
vulnerable to recent critical security issues, such as CAN-2004-0597,
CAN-2004-0598, and CAN-2004-0599.

  8/20/2004 kernel
    Denial of service vulnerability

A bug in the SoundBlaster 16 code which did not properly handle certain
sample sizes has been fixed. This flaw could be used by local users to
crash a system.

Distribution: Suse
  8/20/2004 rsync
    Insufficient pathname sanitizing

If rsync is running in daemon-mode and without a chroot environment it
is possible for a remote attacker to trick rsyncd into creating an
absolute pathname while sanitizing it.

  8/20/2004 qt3
    Buffer overflow vulnerability

Chris Evans found a heap overflow in the BMP image format parser which
can probably be abused by remote attackers to execute arbitrary code.

Distribution: Trustix
  8/20/2004 rsync
    Path escape vulnerability

Please either enable chroot or upgrade to 2.6.1. People not running a
daemon, running a read-only daemon, or running a chrooted daemon are
totally unaffected.