GNOME trouble
by Noel Davis
08/27/2003
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in BitKeeper, the GNOME Display Manager, srcpd, ViRobot Linux Server, OpenSLP, eMule, lMule, xMule, netris, and autorespond.
BitKeeper
GNOME Display Manager
srcpd
ViRobot Linux Server
OpenSLP
eMule, lMule, and xMule
netris
autorespond
BitKeeper
It has been reported that the trigger functionality of the source-control system BitKeeper can be exploited using a carefully crafted patch. Details of this vulnerability have been withheld, pending a fix from BitMover. Exploits for this vulnerability are reported to exist but have not been released to the public. This problem is reported to affect all versions of BitKeeper through 3.0.2.
Users of BitKeeper should exercise care as to which patches they apply, and can disable the trigger functionality by adding the line export BK_NO_TRIGGERS=YES to their .profile (or whichever startup file their shell reads) so that the variable is set in every session that runs bk.
GNOME Display Manager
A local attacker can use the GNOME Display Manager (gdm) to read any file on the system. gdm's "examine session errors" feature opens the user's ~/.xsession-errors file with root permissions. Because that file lives in the user's home directory and is under the user's control, it can be replaced with a symbolic link pointing at any file on the system, such as /etc/shadow, and gdm will follow the link and read that file as root. This flaw is reported to affect versions 2.4.1.6 and earlier of the GNOME Display Manager that contain the "examine session errors" feature.
A bug in XDMCP (the X Display Manager Control Protocol) can, under some conditions, be exploited by an attacker in a denial-of-service attack that crashes the GNOME Display Manager daemon.
Users should watch their vendor for updated packages that repair these problems. Red Hat has released updated packages for Red Hat Linux 7.1, 7.2, 7.3, 8.0, and 9.
srcpd
srcpd is a daemon that implements SRCP (the Simple Railroad Command Protocol) and allows the control of a digital model railroad. It is vulnerable to several buffer overflows that can be used to crash the daemon, execute arbitrary code with the permissions of the user running the daemon, cause the trains to miss their scheduled departure times, and, under some rare conditions, cause trains to crash. A program that automates exploitation of these vulnerabilities has been released to the public.
It is recommended that users protect srcpd from access by unauthorized hosts and networks using firewalling tools, that it be executed by a user with no special permissions, and that users consider disabling srcpd until it has been updated with a repaired version.
ViRobot Linux Server
Version 2.0 of the anti-virus tool ViRobot Linux Server is reported to contain several buffer overflows that a remote attacker can exploit to execute code with root permissions. ViRobot Linux Server installs many set-user-id cgi-bin programs, some of which are vulnerable to buffer-overflow attacks. A script that automates a local attack and yields a root shell has been released. It is not known whether other versions of ViRobot Linux Server are vulnerable.
Users should watch their vendor for a repaired version of ViRobot Linux Server and for recommended workarounds. One possible workaround is to remove the set-user-id bits from all ViRobot Linux Server binaries; it is not known whether the anti-virus tool will still function correctly without them.
OpenSLP
OpenSLP is an implementation of the Service Location Protocol version 2, used by applications to discover networked services in an enterprise network. OpenSLP's init script creates a temporary file at a predictable name without checking whether something is already there, so a local attacker who plants a symbolic link at that name ahead of time can have the script overwrite an arbitrary file on the system with the permissions of the user running the init script (in most cases, root).
It is recommended that users upgrade to version 1.0.11, which contains a safe init script and is reported to contain additional repairs and features.
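The GNOME Display Manager and OpenSLP problems above are two faces of the same class of bug: a privileged process opens a path that a local user controls and follows a symbolic link the user planted there. The C program below is an added example written for this column, not code from gdm, OpenSLP or their init scripts. It shows the checks that defeat both cases: opening a user-owned file with O_NOFOLLOW and then verifying type and ownership with fstat() on the descriptor actually obtained (the gdm case), and creating a privileged process's temporary file either exclusively at a fixed name with O_CREAT|O_EXCL or at an unpredictable name with mkstemp() (the init-script case). The scratch directory, the file names, and the planted symlinks are constructed by the demo() function purely for illustration.

```c
/* Added example (not from gdm, OpenSLP or this column): defensive file
 * handling against symlink attacks by a local user. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* gdm case: a root process reads a file under the user's control.
 * O_NOFOLLOW makes open() fail with ELOOP if the last path component is a
 * symlink; the fstat() on the descriptor we actually hold (not a stat() on
 * the path beforehand, which would leave a race window) confirms it is a
 * regular file owned by the expected user. Returns the descriptor, or -1. */
int open_user_file(const char *path, uid_t owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* init-script case, fixed name: O_CREAT|O_EXCL refuses to open if anything
 * already exists at the path, a planted symlink included, instead of
 * following it and clobbering its target. Returns the descriptor, or -1. */
int create_private_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* init-script case, unpredictable name: mkstemp() picks a random suffix and
 * creates the file exclusively, so there is no name for an attacker to plant.
 * The chosen path is written to out. Returns the descriptor, or -1. */
int create_temp_file(const char *dir, char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/slpd.XXXXXX", dir) >= (int)outlen)
        return -1;
    return mkstemp(out);
}

/* Constructed scenario: a scratch directory holding the user's real log file,
 * a symlink planted in place of the log, and a symlink planted at the fixed
 * temp-file name. Returns 1 if every check behaves as intended, else 0. */
int demo(void)
{
    char dir[] = "/tmp/symlinkdemo.XXXXXX";
    char real[300], link[300], planted[300], tmpname[300] = "";
    const char msg[] = "Xlib: extension missing\n";
    int ok = 1, fd;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(real, sizeof real, "%s/xsession-errors", dir);
    snprintf(link, sizeof link, "%s/xsession-errors.planted", dir);
    snprintf(planted, sizeof planted, "%s/slpd.pid", dir);

    /* the user's genuine session-error log */
    fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0 || write(fd, msg, strlen(msg)) < 0)
        ok = 0;
    if (fd >= 0)
        close(fd);
    /* what a local attacker leaves behind (both links point at the log here;
     * in a real attack they would point at a root-only file) */
    if (symlink(real, link) != 0 || symlink(real, planted) != 0)
        ok = 0;

    /* gdm case: the real file opens, the planted link is refused */
    fd = open_user_file(real, getuid());
    if (fd < 0) ok = 0; else close(fd);
    if (open_user_file(link, getuid()) != -1) ok = 0;

    /* init-script case: the planted name is refused, a random name succeeds */
    if (create_private_file(planted) != -1) ok = 0;
    fd = create_temp_file(dir, tmpname, sizeof tmpname);
    if (fd < 0) ok = 0; else close(fd);

    if (tmpname[0]) unlink(tmpname);
    unlink(planted); unlink(link); unlink(real); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("%s\n", demo() ? "all checks passed" : "a check FAILED");
    return 0;
}
```

Compile with cc -o symlinkdemo symlinkdemo.c and run it; it prints "all checks passed". The point that is easy to get wrong is the order of operations: a stat() or access() on the path before open() proves nothing, because the user can swap the file for a link between the check and the open. Checking the descriptor you hold, or letting the kernel refuse the link with O_NOFOLLOW and O_EXCL, closes that window. In a shell init script the equivalent discipline is to create temporary files with mktemp rather than with a hand-built name under /tmp.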
eMule, lMule, and xMule
eMule, lMule, and xMule are open source file-sharing clients for the eDonkey2000 peer-to-peer network. eMule is a Windows client; lMule and xMule are Unix clients built on the wxWindows library. These clients are reported to have several vulnerabilities, including buffer overflows, format-string errors, and a flaw similar to a double free.
Users of eMule should upgrade to version 0.30a or newer. xMule 1.4.3 has been released and repairs several of the vulnerabilities. lMule does not appear to have released a new version that repairs any of them. Users should watch for repaired versions of lMule and xMule, and should consider not using either until they have been fully repaired.
netris
The networked game netris is vulnerable to a buffer overflow that a hostile netris server could abuse to execute code on a connecting netris client with the permissions of the user running the client.
Debian has released a repaired netris package. Users of other distributions should watch their vendors for updated packages.
autorespond
autorespond is an automated email responder distributed with qmail. When a user has configured qmail to deliver through autorespond, it may be exploitable, under some conditions, by a remote attacker to execute arbitrary code with the permissions of the user whose mail it handles. The conditions needed to exploit the flaw are such that it has been reported as not thought to be exploitable in practice.
It is recommended that users refrain from using autorespond until it has been repaired. If autorespond turns out to be exploitable, it would not be the first time that a vulnerability thought to be unexploitable proved otherwise.
Noel Davis is a Unix system administrator. He has been using Linux for more than six years and working as a system administrator for more than five years.