-----BEGIN PGP SIGNED MESSAGE----- __________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN FreeBSD Port Exploits for mh/nmh, Lynx, and mtr March 28, 2000 17:00 GMT Number K-028 ______________________________________________________________________________ PROBLEM: Buffer overflow vulnerabilities have been identified in mh/nmh/exmh/exmh2 and Lynx ports. A local root exploit has been identified in mtr. PLATFORM: All systems that are running FreeBSD port collections that predate the correction dates given in the vendor bulletins: mh/nmh/exmh/exmh2 -- SA-00:07 (Revised 2000-03-19) Lynx -- SA-00:08 (Announced 2000-03-15) mtr -- SA-00:09 (Announced 2000-03-15) DAMAGE: mh/nmh/exmh/exmh2 -- An attacker can send a hostile MIME attachment which can execute arbitrary code if the recipient opens the attachment. Lynx -- There are numerous potential and several proven security vulnerabilities (publicized on the BugTraq mailing list) that are exploitable by a malicious server. mtr -- It is possible that a local user can obtain root privileges. SOLUTION: mh/nmh/exmh/exmh2 -- Remove all old versions and install the updated ports as indicated in the bulletin. Lynx -- Remove all old versions and use other text-mode WWW browsers. mtr -- Either remove all old versions, disable the setuid bit, or upgrade the ports collection and rebuild the mtr port. ______________________________________________________________________________ VULNERABILITY mn/nmh/exmh/exmh2 -- Risk is low. The attacker must send a ASSESSMENT: specially-crafted email attachment, and the recipient must open the attachment. Lynx -- Risk is medium. There are several publicized security vulnerabilities. mtr -- Risk is low. Only local users can take advantage of the exploit. ______________________________________________________________________________ [ Start FreeBSD-SA-00:07 (Revised 2000-03-19) ] - -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:07 Security Advisory FreeBSD, Inc. Topic: mh/nmh/exmh/exmh2 ports allow remote execution of binary code Category: ports Module: mh/nmh/exmh/exmh2 Announced: 2000-03-15 Revised: 2000-03-19 Affects: Ports collection before the correction date. Corrected: [See below for a more complete description] All versions fixed in 4.0-RELEASE. mh: 2000-03-04 nmh: 2000-02-29 exmh: 2000-03-05 exmh2: 2000-03-05 FreeBSD only: NO I. Background MH and its successor NMH are popular Mail User Agents. EXMH and EXMH2 are TCL/TK-based front-ends to the MH system. There are also Japanese-language versions of the MH and EXMH2 ports, but these are developed separately and are not vulnerable to the problem described here. II. Problem Description The mhshow command used for viewing MIME attachments contains a buffer overflow which can be exploited by a specially-crafted email attachment, which will allow the execution of arbitrary code as the local user when the attachment is opened. The *MH ports are not installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 3100 third-party applications in a ready-to-install format. The FreeBSD 4.0-RELEASE ports collection is not vulnerable to this problem. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact An attacker who can convince a user to open a hostile MIME attachment sent as part of an email message can execute arbitrary binary code running with the privileges of that user. If you have not chosen to install any of the mh/nmh/exmh/exmh2 ports/packages, then your system is not vulnerable. The Japanese-language version of MH is being actively developed and is believed to have fixed this particular problem over a year ago. Consequently the ja-mh and ja-exmh2 ports are not believed to be vulnerable to this problem. IV. Workaround 1) Remove the mhshow binary, located in /usr/local/bin/mhshow. This will prevent the viewing of MIME attachments from within *mh. 2) Remove the mh/nmh/exmh/exmh2 ports, if you you have installed them. V. Solution The English language version of the MH software is no longer actively developed, and no fix is currently available. It is unknown whether a fix to the problem will be forthcoming - consider upgrading to use NMH instead, which is the designated successor of the MH software. EXMH and EXMH2 can both be compiled to use NMH instead (this is now the default behaviour). It is not necessary to recompile EXMH/EXMH2 after reinstalling NMH. SOLUTION: Remove any old versions of the mail/mh or mail/nmh ports and perform one of the following: 1) Upgrade your entire ports collection and rebuild the mail/nmh port. 2) Reinstall a new package obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/nmh-1.0.3.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/mail/nmh-1.0.3.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/mail/nmh-1.0.3.tgz 3) download a new port skeleton for the nmh port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz VI. Revision history v1.0 2000-03-15 Initial release v1.1 2000-03-19 Update to note that the japanese-localized ports are not vulnerable - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBONXFXlUuHi5z0oilAQHQ/QP9FCTFiFlaeSv2ROM46PbDkF6MN39SLTuv DEW6a6wmMU5+YbSTlFLjvYrqYgpjOmM7NMOMhhceVVpoZVMMPonHuJxHWh7YvF2G T4bZcRM3kpRcjXAOQnIiUrgh77zoEmfBysAmHZbNucCmOB5y7UqHI3CM31+geiPR /bsvHCy4U0U= =Odcg - -----END PGP SIGNATURE----- [ End FreeBSD-SA-00:07 (Revised 2000-03-19) ] - --------------------------------------------------------------------- [ Start FreeBSD-SA-00:08 (Announced 2000-03-15) ] - -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:08 Security Advisory FreeBSD, Inc. Topic: Lynx ports contain numerous buffer overflows Category: ports Module: lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current Announced: 2000-03-15 Affects: Ports collection before the correction date. Corrected: See below. FreeBSD only: NO I. Background Lynx is a popular text-mode WWW browser, available in several versions including SSL support and Japanese language localization. II. Problem Description The lynx software is written in a very insecure style and contains numerous potential and several proven security vulnerabilities (publicized on the BugTraq mailing list) exploitable by a malicious server. The lynx ports are not installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 3100 third-party applications in a ready-to-install format. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact A malicious server which is visited by a user with the lynx browser can exploit the browser security holes in order to execute arbitrary code as the local user. If you have not chosen to install any of the lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports/packages, then your system is not vulnerable. IV. Workaround Remove the lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports, if you you have installed them. V. Solution Unfortunately, there is no simple fix to the security problems with the lynx code: it will require a full review by the lynx development team and recoding of the affected sections with a more security-conscious attitude. In the meantime, there are two other text-mode WWW browsers available in FreeBSD ports: www/w3m (also available in www/w3m-ssl for an SSL-enabled version, and japanese/w3m for Japanese-localization) and www/links. Note that the FreeBSD Security Officer does not make any recommendation about the security of these two browsers - in particular, they both appear to contain potential security risks, and a full audit has not been performed, but at present no proven security holes are known. User beware - please watch for future security advisories which will publicize any such vulnerabilities discovered in these ports. - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOM/JklUuHi5z0oilAQEbzQP+K5HbTRk40fmb+pKOcUDD/r4ofcrkWtXn Ya7PT/ALXvUnohm/jqKofNk9cXK1EspbgHb9N1OJZEzcYUAy378WpQgWh4uxKQa7 +541CwFPPIbWfJQJCOaUODN2qwnXdqXMj6noCKRMN0c3tBRG6R2zEfVaM1vMNS1+ +vcp5WAqDu4= =dtMU - -----END PGP SIGNATURE----- [ End FreeBSD-SA-00:08 (Announced 2000-03-15) ] - --------------------------------------------------------------------- [ Start FreeBSD-SA-00:09 (Announced 2000-03-15) ] - -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:09 Security Advisory FreeBSD, Inc. Topic: mtr port contains a local root exploit. Category: ports Module: mtr Announced: 2000-03-15 Affects: Ports collection before the correction date. Corrected: 2000-03-07 (included in FreeBSD 4.0-RELEASE) FreeBSD only: NO I. Background mtr ("Multi Traceroute") combines the functionality of the "traceroute" and "ping" programs into a single network diagnostic tool. II. Problem Description The mtr program (versions 0.41 and below) fails to correctly drop setuid root privileges during operation, allowing a local root compromise. The mtr port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3100 third-party applications in a ready-to-install format. The FreeBSD 4.0-RELEASE ports collection is not vulnerable to this problem. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact A local user can exploit the security hole to obtain root privileges. If you have not chosen to install the mtr port/package, then your system is not vulnerable. IV. Workaround 1) Remove the mtr port if you have installed it. 2) Disable the setuid bit - run the following command as root: chmod u-s /usr/local/sbin/mtr This will mean non-root users cannot make use of the program, since it requires root privileges to properly run. V. Solution 1) Upgrade your entire ports collection and rebuild the mtr port. 2) Reinstall a new package obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/mtr-0.42.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/net/mtr-0.42.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/net/mtr-0.42.tgz Note: it may be several days before the updated packages are available. 3) download a new port skeleton for the mtr port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOM/J3FUuHi5z0oilAQFdjQP+MCxSn1WYvRehaxky8xnOLP8sAOiLvxLf DG3emT6hgG7IFKTHNQ/KvHE5M9Y4/frk1tJGKVb/RKEbpbDDF3mmN0eq6S2B2Qda TB4YjbaLVAnFKVhFcbZjVfc4YTtutNgl7xd/4bvXennki77oQiO5T3VRNnIXkjD1 NUk4XQDyTQ4= =Rrxf - -----END PGP SIGNATURE----- [ End FreeBSD-SA-00:09 (Announced 2000-03-15) ] ______________________________________________________________________________ CIAC wishes to acknowledge the contributions of FreeBSD, Inc. for the information contained in this bulletin. ______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@llnl.gov For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), use one of the following methods to contact CIAC: 1. Call the CIAC voice number 925-422-8193 and leave a message, or 2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or 3. Send e-mail to 4498369@skytel.com, or 4. Call 800-201-9288 for the CIAC Project Leader. Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov -- they're the same machine) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov -- they're the same machine) Modem access: +1 (925) 423-4753 (28.8K baud) +1 (925) 423-3331 (28.8K baud) PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) K-018: HP-UX - Security Vulnerability with PMTU Strategy K-019: Microsoft - "Spoofed LPC Port Request" Vulnerability K-020: Majordomo open() call Vulnerability K-021: Malicious HTML Tags Vulnerability K-022: FreeBSD - Asmon/Ascpu Vulnerability K-023: FreeBSD - Delegate Proxy Server Vulnerability K-024: Microsoft Systems Management Server Vulnerability K-025: MySQL Password Authentication Vulnerability K-026: Microsoft SQL Server Admin Login Encryption Vulnerability K-027: Microsoft SQL Server and MSDE Malicious Query Vulnerability -----BEGIN PGP SIGNATURE----- Version: 4.0 Business Edition iQCVAwUBOOELnLnzJzdsy3QZAQEWRwQAkg8HVmXQfi8tOKipHUDVvkQ+OOJ3K6Dt kXBdYd9CdO68iq+lCZ4gHlRsibxNlpWCY7jd/WeOAKeHQ8xVL/pGmjbTLsuufWIC sYCsgZwqKPQ9XapKXvka/wwB6qt6JDxLztP9mkhNxtzAeYn9wtFQdHO7n6Fhgr1g FArxXCiF72Y= =A+SR -----END PGP SIGNATURE-----