Date: Tue, 6 Apr 2004 13:52:20 -0600 (MDT)
From: "Kelly Martin" <kel@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #178
SecurityFocus Linux Newsletter #178
------------------------------------
This issue is sponsored by: SPIDynamics

ALERT: Top 14 Web Application Attack Techniques and Methods to Combat
Them - White Paper

Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation. Also includes step-by-step
vulnerability testing for your own Web Applications and guidelines for
establishing policy standards and secure coding practices.

http://www.securityfocus.com/sponsor/SPIDynamics_linux-secnews_040406
------------------------------------------------------------------------
I. FRONT AND CENTER
     1. Dogs of War: Part Two
     2. Host Integrity Monitoring: Best Practices for Deployment
     3. Human Nature vs. Security
II. LINUX VULNERABILITY SUMMARY
     1. OFTPD Port Argument Denial Of Service Vulnerability
     2. PHPBB Privmsg.PHP SQL Injection Vulnerability
     3. Multiple Local Linux Kernel Vulnerabilities
     4. Gnome Gnome-Session Local Privilege Escalation Vulnerability
     5. Systrace Local Policy Bypass Vulnerability
     6. cPanel Multiple Module Cross-Site Scripting Vulnerabilities
     7. Interchange Remote Information Disclosure Vulnerability
     8. Clam Anti-Virus ClamAV Arbitrary Command Execution Vulnerabi...
     9. MPlayer Remote HTTP Header Buffer Overflow Vulnerability
     10. PHPKit Multiple HTML Injection Vulnerabilities
     11. CDP Console CD Player PrintTOC Function Buffer Overflow Vuln...
     12. Roger Wilco Server UDP Datagram Handling Denial Of Service V...
     13. Roger Wilco Information Disclosure Vulnerability
     14. Roger Wilco Server Unauthorized Audio Stream Denial Of Servi...
     15. ADA IMGSVR Remote Directory Listing Vulnerability
     16. ADA IMGSVR Remote File Download Vulnerability
III. LINUX FOCUS LIST SUMMARY
     1. nis : how to avoid user1 becoming user2 using local ... (Thread)
     2. iptables firewall script for debian-woody, 2.4.24 (Thread)
     3. Rewrite Rules, SSL, and .htaccess (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. Immunity CANVAS
     2. SecretAgent
     3. Cyber-Ark Inter-Business Vault
     4. EnCase Forensic Edition
     5. KeyGhost SX
     6. SafeKit
V. NEW TOOLS FOR LINUX PLATFORMS
     1. GNUnet v0.6.1d
     2. Fast Logging Project for Snort v1.2.0
     3. Qryptix v0.2.1
     4. NuFW v0.7.0
     5. MIMEDefang v2.42
     6. CRM114 v2003-11-29-RC11
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Dogs of War: Securing Microsoft Groupware Environments with Unix
   (Part 2)
By Bob Rudis

This article discusses the implementation of layered mail security using
Unix as an MTA in front of Microsoft groupware products. Part two
describes the use of Qmail, Qmail-Scanner, Clam AntiVirus and
SpamAssassin.

http://www.securityfocus.com/infocus/1772

2. Host Integrity Monitoring: Best Practices for Deployment
By Brian Wotring

The purpose of this article is to highlight the important steps and
concepts involved in deploying a host integrity monitoring system. These
applications can be very helpful with detecting unauthorized change,
conducting damage assessment, and preventing future attacks.

http://www.securityfocus.com/infocus/1771

3. Human Nature vs. Security
By Daniel Hanson

Social engineering in the latest crop of viruses has people jumping
through hoops to open malicious attachments. How do we change the
pattern?

http://www.securityfocus.com/columnists/231

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. OFTPD Port Argument Denial Of Service Vulnerability
BugTraq ID: 9980
Remote: Yes
Date Published: Mar 26 2004
Relevant URL: http://www.securityfocus.com/bid/9980
Summary:
oftpd is prone to a denial of service vulnerability that may be exploited
by remote, unauthenticated attackers.  This issue is exposed when the
server receives an FTP PORT command with a value greater than 255 as an
argument.

2. PHPBB Privmsg.PHP SQL Injection Vulnerability
BugTraq ID: 9984
Remote: Yes
Date Published: Mar 26 2004
Relevant URL: http://www.securityfocus.com/bid/9984
Summary:
Reportedly the 'privmsg.php' phpBB script is prone to a remote SQL
injection vulnerability.  This issue is due to a failure of the
application to properly sanitize user-supplied URI parameters before
using them to construct SQL queries to be issued to the underlying
database.

This may allow a remote attacker to manipulate query logic, potentially
leading to access to sensitive information such as the administrator
password hash or corruption of database data. SQL injection attacks may
also potentially be used to exploit latent vulnerabilities in the
underlying database implementation.

3. Multiple Local Linux Kernel Vulnerabilities
BugTraq ID: 9985
Remote: No
Date Published: Mar 26 2004
Relevant URL: http://www.securityfocus.com/bid/9985
Summary:
Multiple local vulnerabilities were reported in the Linux Kernel.  These
issues could permit information disclosure via the ext3 filesystem, a
system crash through buggy SoundBlaster code, a system crash via a bug
in Kernel DRI support and a denial of service via mremap.

These issues appear to affect the 2.4 Kernel.  Few details are known at
this time.

4. Gnome Gnome-Session Local Privilege Escalation Vulnerability
BugTraq ID: 9988
Remote: No
Date Published: Mar 26 2004
Relevant URL: http://www.securityfocus.com/bid/9988
Summary:
It has been reported that gnome-session is prone to a local privilege
escalation vulnerability.  This issue is due to a problem with
initialization of the LD_LIBRARY_PATH environment variable upon session
start-up.

This issue may be leveraged locally to gain escalated privileges on the
affected system.

5. Systrace Local Policy Bypass Vulnerability
BugTraq ID: 9998
Remote: No
Date Published: Mar 29 2004
Relevant URL: http://www.securityfocus.com/bid/9998
Summary:
Systrace has been reported prone to a vulnerability that may permit an
application to completely bypass a Systrace policy. The issue presents
itself because Systrace does not perform sufficient sanity checks while
handling a process that is being traced with ptrace.

This issue is reported to have been silently patched in Systrace version
1.4; previous versions are believed to be prone to this vulnerability.

6. cPanel Multiple Module Cross-Site Scripting Vulnerabilities
BugTraq ID: 10002
Remote: Yes
Date Published: Mar 30 2004
Relevant URL: http://www.securityfocus.com/bid/10002
Summary:
Multiple cross-site scripting vulnerabilities have been identified in
cPanel that may allow an attacker to execute arbitrary HTML or script
code in a user's browser.  These issues exist due to a failure of the
application to properly validate user-supplied URI input.

The issues are reported to affect the 'account', 'db', 'login', 'email',
'dir', 'dns' and 'ip' parameters of 'ignorelist.html', 'showlog.html',
'repairdb.html', 'doaddftp.html', 'editmsg.html', 'testfile.html',
'erredit.html', 'dnslook.html', 'del.html' and 'index.html' scripts.

The issues have been reported to affect version 9.1.0-R85 of the
software; it is quite likely, however, that these issues affect previous
versions of the software as well.

7. Interchange Remote Information Disclosure Vulnerability
BugTraq ID: 10005
Remote: Yes
Date Published: Mar 30 2004
Relevant URL: http://www.securityfocus.com/bid/10005
Summary:
It has been reported that Interchange may be prone to a remote
information disclosure vulnerability allowing attackers to disclose
contents of arbitrary variables via URI requests.

This issue may allow an attacker to gain access to sensitive information
that may be used to launch further attacks against a system.

8. Clam Anti-Virus ClamAV Arbitrary Command Execution Vulnerabi...
BugTraq ID: 10007
Remote: No
Date Published: Mar 30 2004
Relevant URL: http://www.securityfocus.com/bid/10007
Summary:
It has been reported that ClamAV may be prone to an arbitrary command
execution vulnerability that may allow a local attacker to execute
arbitrary commands in the context of the root user.  The issue presents
itself when the 'VirusEvent' directive in the 'clamav.conf'
configuration file has been enabled and the 'Dazuko' module is used with
the antivirus software.

Although unconfirmed, all versions of the application are assumed to be
vulnerable at the moment.  This information will be updated as more
details become available.

9. MPlayer Remote HTTP Header Buffer Overflow Vulnerability
BugTraq ID: 10008
Remote: Yes
Date Published: Mar 30 2004
Relevant URL: http://www.securityfocus.com/bid/10008
Summary:
It has been reported that MPlayer is prone to a remote HTTP header
buffer overflow vulnerability.  This issue is due to a failure of the
application to properly verify buffer bounds on the 'Location' HTTP
header during parsing.

Successful exploitation would immediately produce a denial of service
condition in the affected process.  This issue may also be leveraged to
execute code on the affected system within the security context of the
user running the vulnerable process.

10. PHPKit Multiple HTML Injection Vulnerabilities
BugTraq ID: 10013
Remote: Yes
Date Published: Mar 30 2004
Relevant URL: http://www.securityfocus.com/bid/10013
Summary:
It has been reported that PHPKIT is prone to multiple HTML injection
vulnerabilities.  These issues are due to a failure of the application
to properly sanitize user-supplied input.

An attacker may exploit the aforementioned vulnerabilities to execute
arbitrary script code in the browser of an unsuspecting user. It may be
possible to steal cookie-based authentication credentials, as well as
other sensitive information. Other attacks may also be possible.

11. CDP Console CD Player PrintTOC Function Buffer Overflow Vuln...
BugTraq ID: 10021
Remote: Yes
Date Published: Mar 31 2004
Relevant URL: http://www.securityfocus.com/bid/10021
Summary:
It has been reported that cdp may be prone to a buffer overflow
vulnerability that may allow an attacker to cause a denial of service
condition in the software.  The issue exists due to insufficient
boundary checks performed by the printTOC() function.  The buffer
overflow condition may occur when a song with a track name exceeding 200
bytes is accessed via the application.

If an attacker is able to overwrite sensitive memory locations, it may
be possible to execute arbitrary instructions in the context of the user
running cdp.

All versions of cdp are assumed to be vulnerable to this issue.

12. Roger Wilco Server UDP Datagram Handling Denial Of Service V...
BugTraq ID: 10022
Remote: Yes
Date Published: Mar 31 2004
Relevant URL: http://www.securityfocus.com/bid/10022
Summary:
Roger Wilco Server has been reported prone to a remote denial of service
vulnerability. The issue is reported to exist due to a flaw when
handling malicious UDP payloads that are destined for the vulnerable
server.

A remote attacker may exploit this condition to deny service to
legitimate users.

13. Roger Wilco Information Disclosure Vulnerability
BugTraq ID: 10024
Remote: Yes
Date Published: Mar 31 2004
Relevant URL: http://www.securityfocus.com/bid/10024
Summary:
Roger Wilco Server has been reported prone to an information disclosure
vulnerability. The issue presents itself in procedures used to negotiate
client connections. Specifically, when a client attempts to join a
channel on the affected server, the entire list of user IDs and their
corresponding IP addresses is relayed to the client.

14. Roger Wilco Server Unauthorized Audio Stream Denial Of Servi...
BugTraq ID: 10025
Remote: Yes
Date Published: Mar 31 2004
Relevant URL: http://www.securityfocus.com/bid/10025
Summary:
A vulnerability has been reported in the Roger Wilco Server: it is
reported that a user does not need to connect to the server over the TCP
port to have UDP based audio streams handled. Rather, the attacker
requires knowledge of the user IDs connected to a target channel.
Because the user IDs for a channel exist in a range of 0-127, the
attacker may transmit an audio stream to an affected server that will be
heard by all connected users; however, the server administrator will
have no control over disconnecting or muting this audio stream.

15. ADA IMGSVR Remote Directory Listing Vulnerability
BugTraq ID: 10026
Remote: Yes
Date Published: Apr 01 2004
Relevant URL: http://www.securityfocus.com/bid/10026
Summary:
A vulnerability has been reported in the ImgSvr server software that
may allow a remote user to disclose root directory listings.  This
issue has also been reported to allow listing of directories that
reside outside the server root.

An attacker may leverage this issue to gain access to sensitive
information by disclosing directory listings; information disclosed in
this way could lead to further attacks against the target system.

16. ADA IMGSVR Remote File Download Vulnerability
BugTraq ID: 10027
Remote: Yes
Date Published: Apr 01 2004
Relevant URL: http://www.securityfocus.com/bid/10027
Summary:
A vulnerability has been reported in the ImgSvr server software that
may allow a remote user to retrieve arbitrary files from the web server
root directory and any subdirectories therein.

An attacker may leverage this issue to gain access to arbitrary scripts
contained within the server root directory.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. nis : how to avoid user1 becoming user2 using local ... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/359418

2. iptables firewall script for debian-woody, 2.4.24 (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/359401

3. Rewrite Rules, SSL, and .htaccess (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/359396

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:

Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so choose.

Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to
become exploit developers.

2. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT,
Windows XP
Relevant URL: http://www.infoseccorp.com/products/secretagent/contents.htm
Summary:

SecretAgent is a file encryption and digital signature utility,
supporting cross-platform interoperability over a wide range of
platforms: Windows, Linux, Mac OS X, and UNIX systems.

It's the perfect solution for your data security requirements,
regardless of the size of your organization.

Using the latest recognized standards in encryption and digital
signature technology, SecretAgent ensures the confidentiality,
integrity, and authenticity of your data.

3. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely
share business information among customers, business partners, and
remote branches. It provides a seamless, LAN-like experience over the
Internet that includes all the security, performance, accessibility, and
ease of administration required to allow organizations to share everyday
information worldwide.

4. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, Solaris,
UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:

EnCase Forensic Edition Version 4 delivers the most advanced features
for computer forensics and investigations. With an intuitive GUI and
superior performance, EnCase Version 4 provides investigators with the
tools to conduct large-scale and complex investigations with accuracy
and efficiency. Guidance Software's award-winning solution yields
completely non-invasive computer forensic investigations while allowing
examiners to easily manage large volumes of computer evidence and view
all relevant files, including "deleted" files, file slack and
unallocated space.

The integrated functionality of EnCase allows the examiner to perform
all functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.

5. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, Windows
95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:

KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity
within an accounting or specialist system. It is completely undetectable
by software scanners and provides you with one of the most powerful
stealth surveillance applications offered anywhere.

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data
stored within the device.

6. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:

Evidian's SafeKit technology makes it possible to render any application
available 24 hours per day. With no extra hardware: just use your
existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to
do is add more standard servers into the cluster. With the load
balancing features of SafeKit, you can distribute applications over
multiple servers. If one system fails completely, the others will
continue to serve your users.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. GNUnet v0.6.1d
By: Christian Grothoff
Relevant URL: http://www.ovmj.org/GNUnet/
Platforms: FreeBSD, Linux, NetBSD, OpenBSD, POSIX
Summary:

GNUnet is a peer-to-peer framework with a focus on providing security.
All link-to-link messages in the network are confidential and
authenticated. The framework provides a transport abstraction layer and
can currently encapsulate the peer-to-peer traffic in UDP, TCP, or SMTP
messages. GNUnet supports accounting to provide contributing nodes with
better service. The primary service built on top of the core GNUnet
framework is anonymous file sharing.

2. Fast Logging Project for Snort v1.2.0
By: DG  <Dirk@geschke.online.de>
Relevant URL: http://www.geschke-online.de/FLoP
Platforms: Linux, Solaris, SunOS
Summary:

FLoP is designed to gather alerts with a payload from distributed Snort
sensors at a central server, and to store them in a database (PostgreSQL
and MySQL are supported). On the sensor, the output is written via a
Unix domain socket to a process called sockserv. This process is
threaded; one thread receives and buffers the alert packets, and the
other thread forwards them to a central server. With this approach, the
output is decoupled from Snort, which can proceed in sniffing instead of
waiting for the output plugins. At the central server, a process called
servsock gathers all alerts from the remote sensors and feeds them via a
Unix domain socket to the database. All alerts are buffered to avoid
blocking due to a hanging database access (or a slow network on the
sensor side). A short description of alerts with high priority together
with the database ID can be sent via email to a list of recipients.

3. Qryptix v0.2.1
By: Sivasankar Chander
Relevant URL: http://www.sourceforge.net/projects/qryptix
Platforms: Linux
Summary:

Qryptix consists of a PAM object and utilities for session- and
key-management for encrypted home directories using the International
Kernel (CryptoAPI) patches for Linux. It simplifies login/logout,
mounting/unmounting, and key generation and changing.

4. NuFW v0.7.0
By: regit
Relevant URL: http://www.nufw.org
Platforms: Linux, POSIX
Summary:

NuFW is a set of daemons providing filtering of packets at the user
level. On the client side, users have to run a client that sends
authentication packets to the gateway. On the server side, the gateway
associates user IDs with packets, thus making it possible to filter
packets on a per-user basis. Furthermore, the server architecture is
designed to use external authentication sources such as an LDAP server.

5. MIMEDefang v2.42
By: David F. Skoll
Relevant URL: http://www.mimedefang.org/
Platforms: Linux, Perl (any system supporting perl), UNIX
Summary:

MIMEDefang is a flexible MIME e-mail scanner designed to protect Windows
clients from viruses. It can alter or delete various parts of a MIME
message according to a very flexible configuration file. It can also
bounce messages with unacceptable attachments. MIMEDefang works with
Sendmail 8.11's new "Milter" API, which gives it much more flexibility
than procmail-based approaches.

6. CRM114 v2003-11-29-RC11
By: Crah the Merciless
Relevant URL: http://crm114.sourceforge.net/
Platforms: Linux, POSIX
Summary:

CRM114 is a Controllable Regex Mutilator and Smart Filter, designed for
easy creation of filters for things like incoming mail, system logs, or
monitoring processes. Filtering rules can be either hard-coded (such as
regexes), soft-coded (calculated at runtime or read from an external
file or process), or learned dynamically by phrase matching (by SBPH
hashing). This makes it possible to create very accurate filters with
very little actual work.

VII. SPONSOR INFORMATION
-----------------------