FreeBSD Port Exploits for mh/nmh, Lynx, and mtr
CIAC INFORMATION BULLETIN
K-028: FreeBSD Port Exploits for mh/nmh, Lynx, and mtr
March 28, 2000 18:00 GMT
PROBLEM: Buffer overflow vulnerabilities have been identified in
mh/nmh/exmh/exmh2 and Lynx ports. A local root exploit has been
identified in mtr.
PLATFORM: All systems that are running FreeBSD port collections that
predate the correction dates given in the vendor bulletins:
mh/nmh/exmh/exmh2 -- SA-00:07 (Revised 2000-03-19)
Lynx -- SA-00:08 (Announced 2000-03-15)
mtr -- SA-00:09 (Announced 2000-03-15)
DAMAGE: mh/nmh/exmh/exmh2 -- An attacker can send a hostile MIME
attachment which can execute arbitrary code if the recipient
opens the attachment.
Lynx -- There are numerous potential and several proven
security vulnerabilities (publicized on the BugTraq mailing
list) that are exploitable by a malicious server.
mtr -- It is possible that a local user can obtain root
privileges.
SOLUTION: mh/nmh/exmh/exmh2 -- Remove all old versions and install the
updated ports as indicated in the bulletin.
Lynx -- Remove all old versions and use other text-mode WWW
browsers.
mtr -- Either remove all old versions, disable the setuid bit,
or upgrade the ports collection and rebuild the mtr port.
VULNERABILITY mh/nmh/exmh/exmh2 -- Risk is low. The attacker must send a
ASSESSMENT: specially-crafted email attachment, and the recipient must open
the attachment.
Lynx -- Risk is medium. There are several publicized security
vulnerabilities.
mtr -- Risk is low. Only local users can take advantage of the
exploit.
[ Start FreeBSD-SA-00:07 (Revised 2000-03-19) ]
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-00:07 Security Advisory
FreeBSD, Inc.
Topic: mh/nmh/exmh/exmh2 ports allow remote execution of binary code
Category: ports
Module: mh/nmh/exmh/exmh2
Announced: 2000-03-15
Revised: 2000-03-19
Affects: Ports collection before the correction date.
Corrected: [See below for a more complete description]
All versions fixed in 4.0-RELEASE.
mh: 2000-03-04
nmh: 2000-02-29
exmh: 2000-03-05
exmh2: 2000-03-05
FreeBSD only: NO
I. Background
MH and its successor NMH are popular Mail User Agents. EXMH and EXMH2 are
TCL/TK-based front-ends to the MH system. There are also Japanese-language
versions of the MH and EXMH2 ports, but these are developed separately and are
not vulnerable to the problem described here.
II. Problem Description
The mhshow command used for viewing MIME attachments contains a buffer
overflow which can be exploited by a specially-crafted email attachment,
which will allow the execution of arbitrary code as the local user when the
attachment is opened.
The *MH ports are not installed by default, nor are they "part of
FreeBSD" as such: they are part of the FreeBSD ports collection, which
contains over 3100 third-party applications in a ready-to-install
format. The FreeBSD 4.0-RELEASE ports collection is not vulnerable to
this problem.
FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.
III. Impact
An attacker who can convince a user to open a hostile MIME attachment sent
as part of an email message can execute arbitrary binary code running with
the privileges of that user.
If you have not chosen to install any of the mh/nmh/exmh/exmh2
ports/packages, then your system is not vulnerable.
The Japanese-language version of MH is being actively developed and is
believed to have fixed this particular problem over a year ago. Consequently
the ja-mh and ja-exmh2 ports are not believed to be vulnerable to this problem.
IV. Workaround
1) Remove the mhshow binary, located in /usr/local/bin/mhshow. This will
prevent the viewing of MIME attachments from within *mh.
2) Remove the mh/nmh/exmh/exmh2 ports, if you have installed them.
V. Solution
The English language version of the MH software is no longer actively
developed, and no fix is currently available. It is unknown whether a fix
to the problem will be forthcoming - consider upgrading to use NMH instead,
which is the designated successor of the MH software. EXMH and EXMH2 can
both be compiled to use NMH instead (this is now the default behaviour). It
is not necessary to recompile EXMH/EXMH2 after reinstalling NMH.
SOLUTION: Remove any old versions of the mail/mh or mail/nmh ports and
perform one of the following:
1) Upgrade your entire ports collection and rebuild the mail/nmh port.
2) Reinstall a new package obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/nmh-1.0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/mail/nmh-1.0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/mail/nmh-1.0.3.tgz
3) download a new port skeleton for the nmh port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz
VI. Revision history
v1.0 2000-03-15 Initial release
v1.1 2000-03-19 Update to note that the Japanese-localized ports are not
vulnerable
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBONXFXlUuHi5z0oilAQHQ/QP9FCTFiFlaeSv2ROM46PbDkF6MN39SLTuv
DEW6a6wmMU5+YbSTlFLjvYrqYgpjOmM7NMOMhhceVVpoZVMMPonHuJxHWh7YvF2G
T4bZcRM3kpRcjXAOQnIiUrgh77zoEmfBysAmHZbNucCmOB5y7UqHI3CM31+geiPR
/bsvHCy4U0U=
=Odcg
-----END PGP SIGNATURE-----
[ End FreeBSD-SA-00:07 (Revised 2000-03-19) ]
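SA-00:07 says only that mhshow overflows a buffer when handling a specially-crafted attachment; the actual mhshow code and the exact field involved are not on this page. The following is an added illustration, not mhshow's code or the nmh fix, of the general defect class: a MIME header parameter (here the `name=` parameter of a Content-Type line, an assumption for the demo) copied into a fixed-size buffer without a length check, beside a bounded version that rejects oversized input. The two headers are constructed inline.

```c
/* Added example, not from mhshow/nmh. Shows the vulnerability class named in
 * FreeBSD-SA-00:07 (attacker-controlled MIME parameter into a fixed buffer)
 * beside a bounded parser. Header strings below are constructed for the demo. */
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 64     /* assumed fixed buffer size for the demo */

/* Locate the value that follows "<param>=" in a header line.
 * Returns a pointer to the first byte of the value, or NULL if absent. */
static const char *find_param(const char *hdr, const char *param)
{
    const char *p = strstr(hdr, param);
    if (p == NULL) return NULL;
    p += strlen(param);
    if (*p != '=') return NULL;
    return p + 1;
}

/* Length of the value: a quoted value runs to the closing quote, an
 * unquoted one to the next ';' or end of line. Sets *start to the first byte. */
static size_t value_span(const char *v, const char **start)
{
    if (*v == '"') {
        *start = v + 1;
        return strcspn(*start, "\"");
    }
    *start = v;
    return strcspn(v, ";\r\n");
}

/* VULNERABLE pattern (kept deliberately to show the defect; never use):
 * the value length is never compared with the destination size, so a value
 * longer than NAME_BUF_LEN overruns `out` on the stack. */
int copy_param_unbounded(const char *hdr, const char *param, char out[NAME_BUF_LEN])
{
    const char *v = find_param(hdr, param), *s;
    if (v == NULL) return -1;
    size_t n = value_span(v, &s);
    memcpy(out, s, n);          /* no bound check: n may exceed NAME_BUF_LEN */
    out[n] = '\0';
    return (int)n;
}

/* Hardened version: refuse values that do not fit (returns -2) rather than
 * silently truncating, so a hostile header can neither overflow nor produce
 * a surprising shortened name. Returns the copied length, -1 if absent. */
int copy_param_bounded(const char *hdr, const char *param, char *out, size_t outsz)
{
    const char *v = find_param(hdr, param), *s;
    if (v == NULL) return -1;
    size_t n = value_span(v, &s);
    if (n >= outsz) return -2;  /* leave room for the terminating NUL */
    memcpy(out, s, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed benign header. */
static const char benign_hdr[] =
    "Content-Type: application/octet-stream; name=\"report.txt\"";

/* Constructed hostile header: name= followed by 300 'A's, far beyond
 * NAME_BUF_LEN. Returns 0 on success, -1 if buf is too small. */
int build_hostile_header(char *buf, size_t sz)
{
    const char prefix[] = "Content-Type: application/octet-stream; name=";
    size_t pad = 300;
    if (sz < sizeof prefix + pad) return -1;
    memcpy(buf, prefix, sizeof prefix - 1);
    memset(buf + sizeof prefix - 1, 'A', pad);
    buf[sizeof prefix - 1 + pad] = '\0';
    return 0;
}

/* 1 if the bounded parser extracts "report.txt" from the benign header. */
int check_benign(void)
{
    char out[NAME_BUF_LEN];
    int n = copy_param_bounded(benign_hdr, "name", out, sizeof out);
    return n == 10 && strcmp(out, "report.txt") == 0;
}

/* Status of the bounded parser on the hostile header: -2 means rejected. */
int check_hostile(void)
{
    char hostile[512], out[NAME_BUF_LEN];
    if (build_hostile_header(hostile, sizeof hostile) != 0) return -99;
    return copy_param_bounded(hostile, "name", out, sizeof out);
}

int main(void)
{
    printf("benign header parsed correctly: %d\n", check_benign());
    printf("hostile header status (-2 = rejected): %d\n", check_hostile());
    return 0;
}
```

Only the bounded parser is exercised on the hostile header; running `copy_param_unbounded` on it is exactly the crash (or worse) the advisory describes. The reject-rather-than-truncate choice matters for a mail client: a truncated filename can change which handler or path the attachment ends up with.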
---------------------------------------------------------------------
[ Start FreeBSD-SA-00:08 (Announced 2000-03-15) ]
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-00:08 Security Advisory
FreeBSD, Inc.
Topic: Lynx ports contain numerous buffer overflows
Category: ports
Module: lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current
Announced: 2000-03-15
Affects: Ports collection before the correction date.
Corrected: See below.
FreeBSD only: NO
I. Background
Lynx is a popular text-mode WWW browser, available in several versions
including SSL support and Japanese language localization.
II. Problem Description
The lynx software is written in a very insecure style and contains numerous
potential and several proven security vulnerabilities (publicized on the
BugTraq mailing list) exploitable by a malicious server.
The lynx ports are not installed by default, nor are they "part of FreeBSD"
as such: they are part of the FreeBSD ports collection, which contains over
3100 third-party applications in a ready-to-install format.
FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.
III. Impact
A malicious server which is visited by a user with the lynx browser can
exploit the browser security holes in order to execute arbitrary code as
the local user.
If you have not chosen to install any of the
lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports/packages, then
your system is not vulnerable.
IV. Workaround
Remove the lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports, if you
have installed them.
V. Solution
Unfortunately, there is no simple fix to the security problems with the
lynx code: it will require a full review by the lynx development team and
recoding of the affected sections with a more security-conscious attitude.
In the meantime, there are two other text-mode WWW browsers available in
FreeBSD ports: www/w3m (also available in www/w3m-ssl for an SSL-enabled
version, and japanese/w3m for Japanese-localization) and www/links.
Note that the FreeBSD Security Officer does not make any recommendation
about the security of these two browsers - in particular, they both appear
to contain potential security risks, and a full audit has not been
performed, but at present no proven security holes are known. User beware -
please watch for future security advisories which will publicize any such
vulnerabilities discovered in these ports.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBOM/JklUuHi5z0oilAQEbzQP+K5HbTRk40fmb+pKOcUDD/r4ofcrkWtXn
Ya7PT/ALXvUnohm/jqKofNk9cXK1EspbgHb9N1OJZEzcYUAy378WpQgWh4uxKQa7
+541CwFPPIbWfJQJCOaUODN2qwnXdqXMj6noCKRMN0c3tBRG6R2zEfVaM1vMNS1+
+vcp5WAqDu4=
=dtMU
-----END PGP SIGNATURE-----
[ End FreeBSD-SA-00:08 (Announced 2000-03-15) ]
---------------------------------------------------------------------
[ Start FreeBSD-SA-00:09 (Announced 2000-03-15) ]
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-00:09 Security Advisory
FreeBSD, Inc.
Topic: mtr port contains a local root exploit.
Category: ports
Module: mtr
Announced: 2000-03-15
Affects: Ports collection before the correction date.
Corrected: 2000-03-07 (included in FreeBSD 4.0-RELEASE)
FreeBSD only: NO
I. Background
mtr ("Multi Traceroute") combines the functionality of the "traceroute" and
"ping" programs into a single network diagnostic tool.
II. Problem Description
The mtr program (versions 0.41 and below) fails to correctly drop setuid
root privileges during operation, allowing a local root compromise.
The mtr port is not installed by default, nor is it "part of FreeBSD" as
such: it is part of the FreeBSD ports collection, which contains over 3100
third-party applications in a ready-to-install format. The FreeBSD
4.0-RELEASE ports collection is not vulnerable to this problem.
FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit of
the most security-critical ports.
III. Impact
A local user can exploit the security hole to obtain root privileges.
If you have not chosen to install the mtr port/package, then your system is
not vulnerable.
IV. Workaround
1) Remove the mtr port if you have installed it.
2) Disable the setuid bit - run the following command as root:
chmod u-s /usr/local/sbin/mtr
This will mean non-root users cannot make use of the program, since it
requires root privileges to properly run.
V. Solution
1) Upgrade your entire ports collection and rebuild the mtr port.
2) Reinstall a new package obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/mtr-0.42.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/net/mtr-0.42.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/net/mtr-0.42.tgz
Note: it may be several days before the updated packages are available.
3) download a new port skeleton for the mtr port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBOM/J3FUuHi5z0oilAQFdjQP+MCxSn1WYvRehaxky8xnOLP8sAOiLvxLf
DG3emT6hgG7IFKTHNQ/KvHE5M9Y4/frk1tJGKVb/RKEbpbDDF3mmN0eq6S2B2Qda
TB4YjbaLVAnFKVhFcbZjVfc4YTtutNgl7xd/4bvXennki77oQiO5T3VRNnIXkjD1
NUk4XQDyTQ4=
=Rrxf
-----END PGP SIGNATURE-----
[ End FreeBSD-SA-00:09 (Announced 2000-03-15) ]
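SA-00:09 describes the bug class only as "fails to correctly drop setuid root privileges during operation"; mtr's source and the change made in 0.42 are not reproduced on this page. The following is an added example, not mtr's code, of the pattern a setuid-root diagnostic tool should follow: do the one operation that needs root (opening a raw ICMP socket, assumed here as the privileged step), then drop to the invoking user permanently with setgid/setuid so the saved uid is no longer 0, and verify that root cannot be regained. The common mistake in this class is dropping only the effective uid (seteuid), which leaves the saved uid at 0 and lets any later code, or an exploited bug, call seteuid(0) and get root back.

```c
/* Added example, not mtr's code. Privilege handling for a setuid-root network
 * tool: acquire the privileged resource first, then drop root permanently and
 * verify the drop. Runs unprivileged too (the raw socket simply fails to open). */
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <grp.h>
#include <unistd.h>
#include <stdio.h>

/* The only step that needs root. Returns the fd, or -1 when unprivileged. */
int open_raw_icmp_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Permanently drop to the real uid/gid. Order matters: supplementary groups
 * and gid first (they need root), uid last, because after setuid() the
 * process can no longer change its groups. setuid() called with euid 0 sets
 * real, effective and saved uid together, which is what makes the drop
 * irreversible. Returns 0 on success, -1 on any failure (never continue
 * privileged after a failed drop). */
int drop_privileges_permanently(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Verify the drop: 1 if real == effective for uid and gid and, for a non-root
 * invoker, an attempt to regain root fails; 0 otherwise. A process that was
 * "dropped" with seteuid() alone fails this check because seteuid(0) succeeds. */
int privileges_dropped(void)
{
    if (getuid() != geteuid() || getgid() != getegid()) return 0;
    if (getuid() != 0 && seteuid(0) == 0) return 0;  /* saved uid was still root */
    return 1;
}

int main(void)
{
    int fd = open_raw_icmp_socket();
    printf("raw socket: %s\n", fd >= 0 ? "opened" : "unavailable (not root)");
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "privilege drop failed; refusing to continue\n");
        return 1;
    }
    printf("dropped: %s (uid=%ld euid=%ld)\n",
           privileges_dropped() ? "yes" : "NO", (long)getuid(), (long)geteuid());
    /* ... probing with `fd` happens here, entirely unprivileged ... */
    if (fd >= 0) close(fd);
    return 0;
}
```

Run it once as an ordinary user and once via a setuid-root copy (or `sudo`) to see the difference in the first line; the "dropped" line must read "yes" in both cases. The advisory's workaround, `chmod u-s /usr/local/sbin/mtr`, removes the need for this pattern entirely at the cost of making the tool root-only.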
CIAC wishes to acknowledge the contributions of FreeBSD, Inc. for the
information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
World Wide Web: http://www.ciac.org/
http://ciac.llnl.gov
(same machine -- either one will work)
Anonymous FTP: ftp.ciac.org
ciac.llnl.gov
(same machine -- either one will work)
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
UCRL-MI-119788