TUCoPS :: BSD :: ciack028.htm

FreeBSD Port Exploits for mh/nmh, Lynx, and mtr
FreeBSD Port Exploits for mh/nmh, Lynx, and mtr Privacy and Legal Notice

CIAC INFORMATION BULLETIN

K-028: FreeBSD Port Exploits for mh/nmh, Lynx, and mtr

March 28, 2000 18:00 GMT
PROBLEM:       Buffer overflow vulnerabilities have been identified in
               mh/nmh/exmh/exmh2 and Lynx ports. A local root exploit has been
               identified in mtr.
PLATFORM:      All systems that are running FreeBSD port collections that
               predate the correction dates given in the vendor bulletins:
                    mh/nmh/exmh/exmh2 -- SA-00:07 (Revised 2000-03-19)
                    Lynx -- SA-00:08 (Announced 2000-03-15)
                    mtr -- SA-00:09 (Announced 2000-03-15)
DAMAGE:        mh/nmh/exmh/exmh2 -- An attacker can send a hostile MIME
               attachment which can execute arbitrary code if the recipient
               opens the attachment.
               Lynx -- There are numerous potential and several proven
               security vulnerabilities (publicized on the BugTraq mailing
               list) that are exploitable by a malicious server.
               mtr -- It is possible that a local user can obtain root
               privileges.
SOLUTION:      mh/nmh/exmh/exmh2 -- Remove all old versions and install the
               updated ports as indicated in the bulletin.
               Lynx -- Remove all old versions and use other text-mode WWW
               browsers.
               mtr -- Either remove all old versions, disable the setuid bit,
               or upgrade the ports collection and rebuild the mtr port.

VULNERABILITY mn/nmh/exmh/exmh2 -- Risk is low. The attacker must send a ASSESSMENT: specially-crafted email attachment, and the recipient must open the attachment. Lynx -- Risk is medium. There are several publicized security vulnerabilities. mtr -- Risk is low. Only local users can take advantage of the exploit.
[ Start FreeBSD-SA-00:07 (Revised 2000-03-19) ] -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:07 Security Advisory FreeBSD, Inc. Topic: mh/nmh/exmh/exmh2 ports allow remote execution of binary code Category: ports Module: mh/nmh/exmh/exmh2 Announced: 2000-03-15 Revised: 2000-03-19 Affects: Ports collection before the correction date. Corrected: [See below for a more complete description] All versions fixed in 4.0-RELEASE. mh: 2000-03-04 nmh: 2000-02-29 exmh: 2000-03-05 exmh2: 2000-03-05 FreeBSD only: NO I. Background MH and its successor NMH are popular Mail User Agents. EXMH and EXMH2 are TCL/TK-based front-ends to the MH system. There are also Japanese-language versions of the MH and EXMH2 ports, but these are developed separately and are not vulnerable to the problem described here. II. Problem Description The mhshow command used for viewing MIME attachments contains a buffer overflow which can be exploited by a specially-crafted email attachment, which will allow the execution of arbitrary code as the local user when the attachment is opened. The *MH ports are not installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 3100 third-party applications in a ready-to-install format. The FreeBSD 4.0-RELEASE ports collection is not vulnerable to this problem. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact An attacker who can convince a user to open a hostile MIME attachment sent as part of an email message can execute arbitrary binary code running with the privileges of that user. If you have not chosen to install any of the mh/nmh/exmh/exmh2 ports/packages, then your system is not vulnerable. The Japanese-language version of MH is being actively developed and is believed to have fixed this particular problem over a year ago. Consequently the ja-mh and ja-exmh2 ports are not believed to be vulnerable to this problem. IV. Workaround 1) Remove the mhshow binary, located in /usr/local/bin/mhshow. This will prevent the viewing of MIME attachments from within *mh. 2) Remove the mh/nmh/exmh/exmh2 ports, if you you have installed them. V. Solution The English language version of the MH software is no longer actively developed, and no fix is currently available. It is unknown whether a fix to the problem will be forthcoming - consider upgrading to use NMH instead, which is the designated successor of the MH software. EXMH and EXMH2 can both be compiled to use NMH instead (this is now the default behaviour). It is not necessary to recompile EXMH/EXMH2 after reinstalling NMH. SOLUTION: Remove any old versions of the mail/mh or mail/nmh ports and perform one of the following: 1) Upgrade your entire ports collection and rebuild the mail/nmh port. 2) Reinstall a new package obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/nmh-1.0.3.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/mail/nmh-1.0.3.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/mail/nmh-1.0.3.tgz 3) download a new port skeleton for the nmh port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz VI. Revision history v1.0 2000-03-15 Initial release v1.1 2000-03-19 Update to note that the japanese-localized ports are not vulnerable -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBONXFXlUuHi5z0oilAQHQ/QP9FCTFiFlaeSv2ROM46PbDkF6MN39SLTuv DEW6a6wmMU5+YbSTlFLjvYrqYgpjOmM7NMOMhhceVVpoZVMMPonHuJxHWh7YvF2G T4bZcRM3kpRcjXAOQnIiUrgh77zoEmfBysAmHZbNucCmOB5y7UqHI3CM31+geiPR /bsvHCy4U0U= =Odcg -----END PGP SIGNATURE----- [ End FreeBSD-SA-00:07 (Revised 2000-03-19) ] --------------------------------------------------------------------- [ Start FreeBSD-SA-00:08 (Announced 2000-03-15) ] -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:08 Security Advisory FreeBSD, Inc. Topic: Lynx ports contain numerous buffer overflows Category: ports Module: lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current Announced: 2000-03-15 Affects: Ports collection before the correction date. Corrected: See below. FreeBSD only: NO I. Background Lynx is a popular text-mode WWW browser, available in several versions including SSL support and Japanese language localization. II. Problem Description The lynx software is written in a very insecure style and contains numerous potential and several proven security vulnerabilities (publicized on the BugTraq mailing list) exploitable by a malicious server. The lynx ports are not installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 3100 third-party applications in a ready-to-install format. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact A malicious server which is visited by a user with the lynx browser can exploit the browser security holes in order to execute arbitrary code as the local user. If you have not chosen to install any of the lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports/packages, then your system is not vulnerable. IV. Workaround Remove the lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports, if you you have installed them. V. Solution Unfortunately, there is no simple fix to the security problems with the lynx code: it will require a full review by the lynx development team and recoding of the affected sections with a more security-conscious attitude. In the meantime, there are two other text-mode WWW browsers available in FreeBSD ports: www/w3m (also available in www/w3m-ssl for an SSL-enabled version, and japanese/w3m for Japanese-localization) and www/links. Note that the FreeBSD Security Officer does not make any recommendation about the security of these two browsers - in particular, they both appear to contain potential security risks, and a full audit has not been performed, but at present no proven security holes are known. User beware - please watch for future security advisories which will publicize any such vulnerabilities discovered in these ports. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOM/JklUuHi5z0oilAQEbzQP+K5HbTRk40fmb+pKOcUDD/r4ofcrkWtXn Ya7PT/ALXvUnohm/jqKofNk9cXK1EspbgHb9N1OJZEzcYUAy378WpQgWh4uxKQa7 +541CwFPPIbWfJQJCOaUODN2qwnXdqXMj6noCKRMN0c3tBRG6R2zEfVaM1vMNS1+ +vcp5WAqDu4= =dtMU -----END PGP SIGNATURE----- [ End FreeBSD-SA-00:08 (Announced 2000-03-15) ] --------------------------------------------------------------------- [ Start FreeBSD-SA-00:09 (Announced 2000-03-15) ] -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:09 Security Advisory FreeBSD, Inc. Topic: mtr port contains a local root exploit. Category: ports Module: mtr Announced: 2000-03-15 Affects: Ports collection before the correction date. Corrected: 2000-03-07 (included in FreeBSD 4.0-RELEASE) FreeBSD only: NO I. Background mtr ("Multi Traceroute") combines the functionality of the "traceroute" and "ping" programs into a single network diagnostic tool. II. Problem Description The mtr program (versions 0.41 and below) fails to correctly drop setuid root privileges during operation, allowing a local root compromise. The mtr port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3100 third-party applications in a ready-to-install format. The FreeBSD 4.0-RELEASE ports collection is not vulnerable to this problem. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact A local user can exploit the security hole to obtain root privileges. If you have not chosen to install the mtr port/package, then your system is not vulnerable. IV. Workaround 1) Remove the mtr port if you have installed it. 2) Disable the setuid bit - run the following command as root: chmod u-s /usr/local/sbin/mtr This will mean non-root users cannot make use of the program, since it requires root privileges to properly run. V. Solution 1) Upgrade your entire ports collection and rebuild the mtr port. 2) Reinstall a new package obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/mtr-0.42.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/net/mtr-0.42.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/net/mtr-0.42.tgz Note: it may be several days before the updated packages are available. 3) download a new port skeleton for the mtr port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOM/J3FUuHi5z0oilAQFdjQP+MCxSn1WYvRehaxky8xnOLP8sAOiLvxLf DG3emT6hgG7IFKTHNQ/KvHE5M9Y4/frk1tJGKVb/RKEbpbDDF3mmN0eq6S2B2Qda TB4YjbaLVAnFKVhFcbZjVfc4YTtutNgl7xd/4bvXennki77oQiO5T3VRNnIXkjD1 NUk4XQDyTQ4= =Rrxf -----END PGP SIGNATURE----- [ End FreeBSD-SA-00:09 (Announced 2000-03-15) ]

CIAC wishes to acknowledge the contributions of FreeBSD, Inc. for the information contained in this bulletin.

CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH