Specifications
SAFER – Vol. 3, Issue 6 12 © 2000 The Relay Group
Cobalt RaQ2/RaQ3 Web Server Appliance cgiwrap bypass Vulnerability
Released May 23, 2000
Affects Cobalt RaQ 3.0, 2.0
Reference http://www.securityfocus.com/bid/1238
Problem
- There is a security problem with FrontPage extensions on the Cobalt RaQ2 and RaQ3 web
hosting appliances. It allows any user on the system to change, delete, or overwrite a FrontPage
site.
- When a site is uploaded with FrontPage to a RaQ2/3, all of the files are owned by user "httpd"
instead of a site-specific user. The Apache web server is also running as user "httpd". Cobalt uses
cgiwrap to have CGIs run as the user that owns the CGI instead of "httpd", but it is trivial to bypass
cgiwrap and run scripts as user "httpd".
SAFER
- Cobalt Networks has released patches for the RaQ 3i and RaQ 2 which fix this issue.
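The root cause above is content owned by the account the web server runs as: once a script executes as "httpd", every httpd-owned file is fair game. The audit below is an added example, not Cobalt's code or part of the advisory, for listing the files under a site that the web-server account could rewrite (files it owns, plus anything world-writable). The default account name "httpd" follows the advisory; the directory tree it scans is constructed on the fly, and because the constructed files are owned by whoever runs the script, the first run passes the current account as the web-server user so that the owner test fires on every file, while the second run uses a non-existent account to show only the world-writable check applying.

```sh
#!/bin/sh
# Added example, not Cobalt's code. Lists the files under a site's document
# root that the web-server account could rewrite: files it owns, plus files
# that are world-writable. On a RaQ2/RaQ3 the web server runs as "httpd"
# (the default below), so every FrontPage file owned by httpd is exposed to
# any script that runs as httpd through the cgiwrap bypass.
# Usage: webuser_writable DOCROOT [WEBUSER]
webuser_writable() {
    docroot=$1
    webuser=${2:-httpd}
    if id -u "$webuser" >/dev/null 2>&1; then
        # -perm -0002: the other-write bit is set (POSIX find syntax)
        find "$docroot" -type f \( -user "$webuser" -o -perm -0002 \) -print | sort
    else
        # The account does not exist on this host, so only the
        # world-writable test can apply.
        find "$docroot" -type f -perm -0002 -print | sort
    fi
}

# Number of exposed files, handy as a one-line health check.
count_webuser_writable() {
    webuser_writable "$1" "$2" | wc -l | tr -d ' '
}

# Constructed demo tree (not real RaQ content; _vti_pvt is merely a
# FrontPage-style directory name).
SITE=${TMPDIR:-/tmp}/raq-site-audit.$$
mkdir -p "$SITE/_vti_pvt" "$SITE/cgi-bin" "$SITE/uploads"
echo '<html>' > "$SITE/index.html";                   chmod 0644 "$SITE/index.html"
echo 'vti_encoding' > "$SITE/_vti_pvt/service.cnf";   chmod 0644 "$SITE/_vti_pvt/service.cnf"
echo '#!/usr/bin/perl' > "$SITE/cgi-bin/guest.cgi";   chmod 0755 "$SITE/cgi-bin/guest.cgi"
echo 'notes' > "$SITE/uploads/notes.txt";             chmod 0666 "$SITE/uploads/notes.txt"

# Run 1: the current account stands in for httpd, so every file is reported.
ME=$(id -un)
echo "files $ME (standing in for httpd) could rewrite:"
webuser_writable "$SITE" "$ME"
# Run 2: an account that does not exist, so only the world-writable file shows.
echo "files a non-existent web account could rewrite (world-writable only):"
webuser_writable "$SITE" "no-such-user-zz"
```

On a real appliance the call is simply `webuser_writable /home/sites/SITE/web` (path is an assumption); an empty result for the httpd account is what you want to see after the vendor patch has been applied and site content is owned by a per-site user.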
GNOME gdm XDMCP Buffer Overflow Vulnerability
Released May 22, 2000
Affects gdm 2.0.x BETA, 1.0.x
Reference http://www.securityfocus.com/bid/1233
Problem
- A buffer overrun exists in the XDMCP handling code used in 'gdm', an xdm replacement, shipped
as part of the GNOME desktop. By sending a properly crafted XDMCP message, it is possible for
a remote attacker to execute arbitrary commands as root on the susceptible machine. The
problem lies in the handling of the display information sent as part of an XDMCP
'FORWARD_QUERY' request.
- By default, gdm is not configured to listen via XDMCP. The versions of gdm shipped with RedHat
6.0-6.2, Helix GNOME and gdm built from source are not vulnerable unless they were configured
to accept XDMCP requests. On some systems this is configured in /etc/X11/gdm/gdm.conf, although
the path varies between distributions. If the "Enable" variable is set to 0, you are not susceptible.
SAFER
- Setting the 'Enable' variable to 0 in the gdm configuration file (often /etc/X11/gdm/gdm.conf)
stops gdm from listening for XDMCP and so removes the remote exposure. The overflow itself remains
in the code, so upgrade gdm when a fixed version is available.
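Because the exposure hinges on one configuration key, a check that reads the file is worth having. The script below is an added example, not part of gdm or of the advisory. It assumes the switch is the "Enable" key inside the [xdmcp] section of a gdm.conf-style file (Enable keys in other sections are ignored), treats 0, false and no as disabled, and reports an absent key as disabled to match the advisory's statement that XDMCP is off by default; confirm that last point against the defaults built into your gdm if the key is missing. The sample configuration files are constructed here, not copied from a real system.

```sh
#!/bin/sh
# Added example, not part of gdm. Reports whether a gdm.conf-style file
# enables XDMCP. Assumption: the switch is the "Enable" key inside the
# [xdmcp] section; "Enable" keys in other sections are ignored. 0, false
# and no count as disabled. A missing key is reported as disabled, matching
# the advisory's statement that gdm does not listen for XDMCP by default
# (confirm against your build's compiled-in defaults if the key is absent).
# Usage: gdm_xdmcp_status FILE   -> prints "enabled" or "disabled"
gdm_xdmcp_status() {
    awk -F= '
        # Section header: remember its name, lower-cased and stripped of
        # brackets and whitespace.
        /^[ \t]*\[/ {
            sect = substr($0, index($0, "[") + 1)
            if (index(sect, "]")) sect = substr(sect, 1, index(sect, "]") - 1)
            gsub(/[ \t]/, "", sect)
            sect = tolower(sect)
            next
        }
        # Only key/value lines inside [xdmcp] matter.
        sect == "xdmcp" {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (key == "enable") {
                val = tolower($2); gsub(/[ \t]/, "", val)
                enabled = !(val == "0" || val == "false" || val == "no")
            }
        }
        END { print (enabled ? "enabled" : "disabled") }
    ' "$1"
}

# Constructed sample configs (not taken from a real system). The Enable keys
# outside [xdmcp] are there only to show that they are ignored.
SAMPLES=${TMPDIR:-/tmp}/gdm-xdmcp-check.$$
mkdir -p "$SAMPLES"
cat > "$SAMPLES/off.conf" <<'EOF'
[daemon]
Enable=1
[xdmcp]
Enable=0
Port=177
EOF
cat > "$SAMPLES/on.conf" <<'EOF'
[xdmcp]
Enable = true
Port=177
[greeter]
Enable=0
EOF
cat > "$SAMPLES/nokey.conf" <<'EOF'
[XDMCP]
Port=177
EOF

for f in "$SAMPLES"/*.conf; do
    printf '%s: XDMCP %s\n' "$f" "$(gdm_xdmcp_status "$f")"
done
# On a real system: gdm_xdmcp_status /etc/X11/gdm/gdm.conf
```

An "enabled" result on a host that does not need to serve remote X logins means the advisory's mitigation has not been applied; setting the key to 0 and restarting gdm (or telling it to reread its configuration) is the fix the advisory gives.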
Multiple Linux Vendor fdmount Buffer Overflow Vulnerability
Released May 22, 2000
Affects S.u.S.E. Linux, Slackware Linux, Turbo Linux, Mandrake Linux
Reference http://www.securityfocus.com/bid/1239
Problem
- A buffer overflow exists in the 0.8 version of the fdmount program, distributed with a number of
popular versions of Linux. By supplying a large, well crafted buffer containing machine executable
code in place of the mount point, it is possible for users in the 'floppy' group to execute arbitrary
commands as root.
- This vulnerability exists in S.u.S.E. 4.0 and later, as well as Mandrake Linux 7.0. TurboLinux
6.0 and earlier ships fdmount setuid root, but users are not automatically added to the 'floppy'
group. This list is by no means complete; other Linux distributions may be affected. To check
whether you are affected, look for the setuid bit on the fdmount binary. If it is set, and the binary
is executable either by everyone or by group 'floppy', you are affected and should take action
immediately.
SAFER
- MandrakeSoft has provided a source patch for this problem, and both MandrakeSoft and SuSE are
expected to release fixed RPMs shortly. Until then, removing the setuid bit from the fdmount binary,
or removing untrusted users from the 'floppy' group, closes the hole (at the cost of those users no
longer being able to mount floppies with it).
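The check the advisory describes (setuid bit set, and executable by everyone or by group 'floppy') is mechanical enough to script. The function below is an added example, not from any vendor advisory: it gives a one-word verdict per file and writes the reason to stderr. It tests mode bits only; the advisory's concern is a root-owned binary, so confirm the owner separately. The demo files standing in for fdmount are constructed on the spot, and the /usr/bin/fdmount path at the end is an assumption (use `which fdmount` on your system).

```sh
#!/bin/sh
# Added example, not taken from any vendor advisory. Applies the advisory's
# test to a file: "affected" when the setuid bit is set and the file is
# executable by everyone or by the trusted group (floppy unless overridden),
# "safe" otherwise, "missing" if the path does not exist. The reason goes to
# stderr so the verdict on stdout stays a single word. Mode bits only: check
# that the binary is root-owned yourself.
# Usage: fdmount_risk PATH [GROUP]
fdmount_risk() {
    bin=$1
    grp=${2:-floppy}
    [ -e "$bin" ] || { echo missing; return 0; }
    # "find FILE -prune -perm -MODE" tests just that file; -perm -MODE is true
    # when every bit in MODE is set (POSIX find).
    if [ -z "$(find "$bin" -prune -perm -4000 -print)" ]; then
        echo "no setuid bit" >&2; echo safe; return 0
    fi
    if [ -n "$(find "$bin" -prune -perm -0001 -print)" ]; then
        echo "setuid and executable by everyone" >&2; echo affected; return 0
    fi
    # -group yields nothing (and an error) when the group does not exist on
    # this host, in which case nobody can be a member of it.
    if [ -n "$(find "$bin" -prune -group "$grp" -perm -0010 -print 2>/dev/null)" ]; then
        echo "setuid and executable by group $grp" >&2; echo affected; return 0
    fi
    echo "setuid, but not executable by everyone or by group $grp" >&2; echo safe
}

# Constructed demo files standing in for fdmount (empty files, not binaries):
# 4711 = setuid + world-executable, 4750 = setuid + group-executable only,
# 0755 = no setuid bit (what "chmod u-s" leaves behind).
DEMO=${TMPDIR:-/tmp}/fdmount-check.$$
mkdir -p "$DEMO"
for mode in 4711 4750 0755; do
    : > "$DEMO/fdmount-$mode"
    chmod "$mode" "$DEMO/fdmount-$mode"
    printf '%s (mode %s): %s\n' "$DEMO/fdmount-$mode" "$mode" \
        "$(fdmount_risk "$DEMO/fdmount-$mode")"
done

# On a real system (path is an assumption; use `which fdmount`):
printf '%s: %s\n' "${FDMOUNT:-/usr/bin/fdmount}" "$(fdmount_risk "${FDMOUNT:-/usr/bin/fdmount}")"
```

An "affected" verdict on the real binary is cleared by the advisory's interim fix, `chmod u-s` on it (rerun the check afterwards and expect "safe"), or by trimming the 'floppy' group to trusted accounts, until the vendor RPMs arrive.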