Linux ReiserFS Kernel Oops and Code Execution Vulnerability
BugTraq ID: 2180
Remote: No
Date Published: 2001-01-09
Relevant URL: http://www.securityfocus.com/bid/2180
Summary:

ReiserFS is a file system alternative to the Linux ext2 file system. It was originally written by Hans Reiser, and is freely available and publicly maintained.

A problem has been reported in the handling of long file names with ReiserFS version 3.5.28 on SuSE Linux distribution 7.0. It is possible to create a directory with a long file name (the initial example displayed a directory with 768 characters), then attempt to list the file system using the system binary ls or the built-in shell function echo, and cause a denial of service. Upon attempting to list or echo the contents of the file system, a kernel buffer overflow occurs, overwriting variables on the stack, possibly including the return address, and crashing the system. It may be possible for a malicious user to execute arbitrary code, deny service to legitimate users, and potentially break out of a chroot environment.

This vulnerability is as yet unverified.

glibc RESOLV_HOST_CONF File Read Access Vulnerability
BugTraq ID: 2181
Remote: No
Date Published: 2001-01-10
Relevant URL: http://www.securityfocus.com/bid/2181
Summary:

glibc is the C Library distributed with most implementations of the Linux Operating System. It is freely available through the Free Software Foundation, and publicly maintained.

A problem in glibc versions 2.1.9 and greater allows a local user access to restricted files. A typo in the glibc source results in insufficient validation and clearing of the environment variable RESOLV_HOST_CONF, a controlled environment variable that is normally cleared when suid/sgid programs are executed. Therefore, it is possible for a local user to set this environment variable to a sensitive system file and gain read privileges to the file.
This vulnerability makes it possible for a user with malicious intent to read the shadow file, and gain access to encrypted passwords. Successful exploitation of this vulnerability could lead to compromise of system accounts, elevated privileges, and potentially administrative access.

Apache /tmp File Race Vulnerability
BugTraq ID: 2182
Remote: No
Date Published: 2001-01-10
Relevant URL: http://www.securityfocus.com/bid/2182
Summary:

Apache web server is a popular http daemon, distributed with many variants of the UNIX Operating System and maintained by the Apache Project. Immunix is a hardened Linux distribution maintained by the Immunix team at the WireX Corporation.

A problem has been discovered in the Apache httpd distributed with the Immunix Linux distribution, a distribution based on the RedHat Linux distribution. The Apache programs htdigest and htpasswd are used to offer advanced features to users of the web server. However, these two helper programs insecurely create files in the /tmp directory, which could allow for /tmp file guessing.

This makes it possible for a user with malicious motives to mount a symbolic link attack against files writable by the UID of the Apache process.

arpwatch /tmp File Race Condition Vulnerability
BugTraq ID: 2183
Remote: No
Date Published: 2001-01-10
Relevant URL: http://www.securityfocus.com/bid/2183
Summary:

arpwatch is a program designed as part of the tcpdump package. It is distributed with numerous UNIX variants, and freely available. Immunix is a hardened Linux distribution maintained by the Immunix group at WireX Corporation.

A vulnerability exists in arpwatch that could allow a user to perform a symbolic link attack. When executed, the arpwatch program creates files in the /tmp directory under certain conditions. These files, however, are not created in a secure manner, and are not stat()'d when the program executes and attempts to create them.
It is possible to guess the handle of these files, and create them in advance as symbolic links to programs that are writable by the user executing arpwatch. The user executing arpwatch would then overwrite the linked files, or append content to them, thus corrupting the files.

This makes it possible for a user with malicious motives to overwrite or append to files owned by the user of arpwatch, the typical user of arpwatch being root.

squid /tmp File Race Condition Vulnerability
BugTraq ID: 2184
Remote: No
Date Published: 2001-01-10
Relevant URL: http://www.securityfocus.com/bid/2184
Summary:

squid is a freely available Web Proxy software package, written and maintained by the National Science Foundation. Problems with the software could lead to a race condition.

The problem occurs in the operation of the software and its creation of /tmp files. The squid package can be configured to send out emails to the administrator when updates occur. However, when the email is created, files in the /tmp directory are created insecurely and the pre-existence of files is not checked. The creation of the files in the /tmp directory normally occurs either when using a development version of squid, or when the system clock is reporting an incorrect time.

Therefore, it is possible for a user with malicious motives to guess the handle of a future /tmp file, and create a symbolic link to a file writable by the UID of the squid process, thus overwriting a file owned by the squid user, or appending to and corrupting the file.

linuxconf /tmp File Race Condition Vulnerability
BugTraq ID: 2186
Remote: No
Date Published: 2001-01-10
Relevant URL: http://www.securityfocus.com/bid/2186
Summary:

linuxconf is a powerful configuration tool available for various distributions of the Linux Operating System. A problem exists which could potentially allow a race condition and symbolic link attack.

The problem occurs in the creation of /tmp files by linuxconf.
The vpop3d program, which is part of the linuxconf package, creates /tmp files in an insecure manner under some circumstances. This could result in guessing of the filename of a future /tmp file, and the creation of a symbolic link to a file writable by the user executing linuxconf, which is normally root.

A user with malicious motives could use this vulnerability to potentially overwrite or append to system files.

mgetty /tmp File Race Condition Vulnerability
BugTraq ID: 2187
Remote: No
Date Published: 2001-01-10
Relevant URL: http://www.securityfocus.com/bid/2187
Summary:

mgetty is a freely available, publicly maintained software package designed to handle dialin and fax services on the Linux Operating System. A problem exists which could allow a symbolic link attack.

The problem occurs in the handling of files created in the /tmp directory. During execution of the program, files are created in the /tmp directory. However, these files are created in an insecure manner, which makes it possible to guess the filename of a future /tmp file.

This makes it possible for a user with malicious motives to create a number of symbolic links in the /tmp directory, and potentially append to or overwrite system files that are write-accessible to the UID executing mgetty, normally root.

[ not vulnerable if your lock dir isn't world-writable ]

gpm /tmp File Race Condition Vulnerability
BugTraq ID: 2188
Remote: No
Date Published: 2001-01-10
Relevant URL: http://www.securityfocus.com/bid/2188
Summary:

gpm is a software package designed to provide console mouse support, and is distributed with most versions of the Linux Operating System. A problem in the package could allow a race condition.

The problem is in the creation and handling of /tmp files by the gpm package. gpm will under some circumstances create files in the /tmp directory.
The files created in the /tmp directory are created insecurely, as they use a predictable filename and the program does not check for the existence of previously existing files.

It is therefore possible for a user with malicious motives to create symbolic links to files that the UID of the gpm process (normally running as root) has write access to, and either overwrite, or append to and corrupt, the linked files.

wu-ftpd /tmp File Race Condition Vulnerability
BugTraq ID: 2189
Remote: No
Date Published: 2001-01-10
Relevant URL: http://www.securityfocus.com/bid/2189
Summary:

wu-ftpd is an open source, freely available ftp daemon software package included with many distributions of the Linux Operating System. A problem in the software could allow a race condition.

The problem occurs in the creation and handling of files in the /tmp directory. The program privatepw within the software package creates files within the /tmp directory insecurely, first by using a predictable naming scheme for the files, and additionally by not checking for the existence of the file. It is possible to create a range of symbolic links using variants of the name of the wu-ftpd /tmp filename.

This problem could allow a user to overwrite, or append to and corrupt, a file that the UID of the wu-ftpd process has write access to. The wu-ftpd process normally runs as root.

inn /tmp File Race Condition Vulnerability
BugTraq ID: 2190
Remote: No
Date Published: 2001-01-10
Relevant URL: http://www.securityfocus.com/bid/2190
Summary:

inn is a freely available, open source Usenet software package maintained and available through the ISC, and packaged with various distributions of the Linux Operating System. A vulnerability exists which could allow a race condition to occur.

The problem occurs in the creation and handling of /tmp files by the inn program. Under some circumstances, inn will create files in the /tmp directory that use a predictable filename.
In addition, inn may not check for the existence of these files. It is possible to create a range of symbolic links using predicted filenames in the /tmp directory, which could result in a symbolic link attack.

This makes it possible for a user with malicious intent to symbolically link a file that is write-accessible by the UID of the inn process, and potentially overwrite, or append to and corrupt, the linked file.

sdiff /tmp File Race Condition Vulnerability
BugTraq ID: 2191
Remote: No
Date Published: 2001-01-10
Relevant URL: http://www.securityfocus.com/bid/2191
Summary:

diffutils is a cornerstone package of all Linux distributions. It is a freely available, open source, publicly maintained software package available through the GNU. A problem in the sdiff program included with diffutils could create a race condition.

This vulnerability is in the creation and handling of files in the /tmp directory. Under certain circumstances, sdiff will create files in the /tmp directory, which is done insecurely, first by not checking for the existence of the file, and additionally by using a predictable filename. It is possible to create a range of symbolic links to a file that is write-accessible to the user executing the sdiff program, thus resulting in a symbolic link attack if the sdiff program attempts to create one of the predicted filenames.

The result is the possibility of a user with malicious motives overwriting, or appending to and corrupting, a file that is write-accessible by the UID of the sdiff process.

getty_ps /tmp File Race Condition Vulnerability
BugTraq ID: 2194
Remote: No
Date Published: 2001-01-10
Relevant URL: http://www.securityfocus.com/bid/2194
Summary:

getty_ps is an open source, freely available, publicly maintained software package shipped with many distributions of Linux. It is designed to handle logins to the console and terminal. A problem in the getty_ps software package could make it vulnerable to a symbolic link attack.
The problem occurs in the creation and handling of files in the /tmp directory by the getty_ps program. Under certain circumstances, getty_ps will create files in the /tmp filesystem in an insecure manner. The program uses a naming scheme that could make it possible to guess the filename of future files in the /tmp directory, and does not check for the existence of the file before attempting to create it. It is possible to create a range of symbolic links with forecasted filenames, and link them to files that are write-accessible by the UID of the getty_ps process, which is normally run as root.

A malicious user could use this vulnerability to overwrite, or append to and corrupt, system files.

rdist /tmp File Race Condition Vulnerability
BugTraq ID: 2195
Remote: No
Date Published: 2001-01-10
Relevant URL: http://www.securityfocus.com/bid/2195
Summary:

rdist is a freely available, open source software package distributed with numerous variants of the Linux Operating System. It is designed to maintain identical copies of files on numerous different machines, preserving as many different attributes of the file as possible. A problem in the program exists that could allow for a symbolic link attack.

Under some circumstances, rdist will create files in the /tmp directory. However, the files created in the /tmp file system are created insecurely, as the name of future files created by rdist can be predicted, and the program does not check for the existence of files before attempting to create them. It is possible to create a range of symbolic links in the /tmp file system using forecasted names of files that could be created by the rdist process, symbolically linked to files that are write-accessible to the UID of the rdist process.

This makes it possible for a user with malicious intent to overwrite, or append to and corrupt, files owned by another user, and potentially system files.

shadow-utils /etc/default Temp File Race Condition Vulnerability
BugTraq ID: 2196
Remote: No
Date Published: 2001-01-10
Relevant URL: http://www.securityfocus.com/bid/2196
Summary:

shadow-utils is a freely available, open source software package available with most distributions of the Linux Operating System. shadow-utils provides a higher level of security to systems by providing stronger cryptography and secure account management tools. A problem in the package could create the opportunity for a symbolic link attack.

During execution of the passwd program, temporary files are created in the /etc/default directory. The files created in this directory use predictable filenames. In the event of the /etc/default directory being world writable, it is possible to create a range of symbolic links to files owned by another user that could overwrite or append to files that are write-accessible by the UID of the passwd process.

This could make it possible for a user with malicious motives to overwrite, or append to and corrupt, files writable by the UID of the passwd process.
