Date: Tue, 13 Apr 2004 14:51:34 -0600 (MDT)
From: "John Boletta" <jboletta@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #179

SecurityFocus Linux Newsletter #179
------------------------------------
This Issue is Sponsored by: Check Point

Worm attacks got your Microsoft applications down?  Download our
Technology Brief today and learn how Check Point can protect your
Microsoft environment from any threat.

CLICK HERE now to learn more:
http://www.securityfocus.com/sponsor/CheckPoint_linux-secnews_040412
------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Forensic Analysis of a Live Linux System, Part Two
     2. Witty Extinction
II. LINUX VULNERABILITY SUMMARY
     1. HAHTsite Scenario Server Project File Name Buffer Overrun Vu...
     2. Heimdal Kerberos Cross-Realm Trust Impersonation Vulnerabili...
     3. eMule Remote Buffer Overflow Vulnerability
     4. FTE Multiple Local Unspecified Buffer Overflow Vulnerabiliti...
     5. Context Texutil Insecure Temporary Log File Vulnerability
     6. ADA IMGSVR GET Request Buffer Overflow Vulnerability
     7. SuSE YaST Online Update Insecure Temporary File Creation Vul...
     8. ADA IMGSVR Directory Traversal Vulnerability
     9. Multiple Monit Administration Interface Remote Vulnerabiliti...
     10. Gentoo Portage Sandbox Insecure Temporary Lockfile Creation ...
     11. Racoon IKE Daemon Unauthorized X.509 Certificate Connection ...
III. LINUX FOCUS LIST SUMMARY
     1. Re[2]: chroot & mount --bind = security ? (Thread)
     2. Re: chroot & mount --bind = security ? (Thread)
     3. chroot & mount --bind = security ? (Thread)
     4. iptables firewall script for debian-woody, 2.4.24 (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. Immunity CANVAS
     2. SecretAgent
     3. Cyber-Ark  Inter-Business Vault
     4. EnCase Forensic Edition
     5. KeyGhost SX
     6. SafeKit
V. NEW TOOLS FOR LINUX PLATFORMS
     1. Astaro Security Linux (Stable 5.x) v5.000
     2. NSA Security-enhanced Linux v2004040714
     3. Telconi Terminal for Cisco IOS v0.6a
     4. fwsnort v0.6.3
     5. PGP Java API v2.0
     6. Dazuko v2.0.1
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION


I. FRONT AND CENTER
-------------------
1. Forensic Analysis of a Live Linux System, Part Two
By Mariusz Burdach

This article is the second of a two-part series that provides
step-by-step instructions for forensics of a live Linux system that
has been recently compromised.

http://www.securityfocus.com/infocus/1773

2. Witty Extinction
By Kelly Martin

The Witty worm set a dangerous precedent on the Internet because it
introduced a number of evil new "firsts" in the ever-changing world of
modern worms and viruses.

http://www.securityfocus.com/columnists/232


II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. HAHTsite Scenario Server Project File Name Buffer Overrun Vu...
BugTraq ID: 10033
Remote: Yes
Date Published: Apr 02 2004
Relevant URL: http://www.securityfocus.com/bid/10033
Summary:
HAHTsite Scenario Server is reported to be prone to a remotely
exploitable buffer overrun vulnerability.

The issue may be triggered by submitting an HTTP GET request to the
vulnerable server component that specifies overly long project file
name parameters. hsrun.exe is the name of the vulnerable component on
Microsoft Windows platforms.  This could be exploited to execute
arbitrary code in the context of the server.

This issue is reported to affect HAHTsite Scenario Server 5.1 on
Windows, Solaris and Linux platforms.  The name of the vulnerable
component will likely be different depending on the hosting platform.

2. Heimdal Kerberos Cross-Realm Trust Impersonation Vulnerabili...
BugTraq ID: 10035
Remote: No
Date Published: Apr 02 2004
Relevant URL: http://www.securityfocus.com/bid/10035
Summary:
It has been reported that Heimdal is prone to a cross-realm trust
impersonation vulnerability. This issue is due to a failure of the
implementation to properly validate cross-realm requests.

An attacker may leverage this issue to mask their identity, potentially
conducting attacks or other nefarious activity while feigning to be
someone else.

3. eMule Remote Buffer Overflow Vulnerability
BugTraq ID: 10039
Remote: Yes
Date Published: Apr 03 2004
Relevant URL: http://www.securityfocus.com/bid/10039
Summary:
eMule is prone to a remote buffer overflow vulnerability.  This issue
is due to a failure of the application to properly validate buffer
boundaries during memory copy operations.

Successful exploitation would immediately produce a denial of service
condition in the affected process. This issue may also be leveraged to
execute code on the affected system within the security context of the
user running the vulnerable process.

4. FTE Multiple Local Unspecified Buffer Overflow Vulnerabiliti...
BugTraq ID: 10041
Remote: No
Date Published: Apr 04 2004
Relevant URL: http://www.securityfocus.com/bid/10041
Summary:
It has been reported that vfte is prone to multiple unspecified buffer
overflow vulnerabilities.  These issues are due to a failure of the
application to verify buffer boundaries while processing user supplied
input.

Successful exploitation would immediately produce a denial of service
condition in the affected process. This issue may also be leveraged to
execute code on the affected system with root privileges, as this
application is setuid root.

5. Context Texutil Insecure Temporary Log File Vulnerability
BugTraq ID: 10042
Remote: No
Date Published: Apr 05 2004
Relevant URL: http://www.securityfocus.com/bid/10042
Summary:
The ConTeXt TeXUtil program creates log files in an insecure manner
when invoked with the '--silent' command line option.  This could allow
a malicious local user to launch a symbolic link attack when such a
file is created.  This could cause attacker-specified files that are
writeable by the user invoking the utility to be corrupted.

6. ADA IMGSVR GET Request Buffer Overflow Vulnerability
BugTraq ID: 10046
Remote: Yes
Date Published: Apr 05 2004
Relevant URL: http://www.securityfocus.com/bid/10046
Summary:
A vulnerability has been reported in ImgSvr that may allow a remote
attacker to corrupt local process memory, potentially leading to
arbitrary code execution.  This issue is due to a failure of the
application to properly validate the size of user supplied HTTP
requests.

Successful exploitation would immediately produce a denial of service
condition in the affected process. This issue may also be leveraged to
execute code on the affected system within the security context of the
user running the vulnerable process.

7. SuSE YaST Online Update Insecure Temporary File Creation Vul...
BugTraq ID: 10047
Remote: No
Date Published: Apr 05 2004
Relevant URL: http://www.securityfocus.com/bid/10047
Summary:
SuSE YaST Online Update reportedly creates temporary files in an
insecure manner.

The source of the problem is that the online_update program will create
temporary files using predictable filenames in a world writeable
location (/usr/tmp).

Since these file names are static, it may be trivial for an attacker to
create a symbolic link in its place.  A malicious local user could take
advantage of this issue by mounting a symbolic link attack to corrupt
other system files, most likely resulting in destruction of data.

The vendor has reported that the problem is present in SUSE Linux 8.2
and 9.0.

8. ADA IMGSVR Directory Traversal Vulnerability
BugTraq ID: 10048
Remote: Yes
Date Published: Apr 05 2004
Relevant URL: http://www.securityfocus.com/bid/10048
Summary:
Reportedly ImgSvr is prone to an issue that may allow an attacker to
view files that reside outside of the server root directory.  This
issue is due to a failure of the application to properly sanitize
user-supplied URI data.

Successful exploitation of this vulnerability may allow a remote
attacker to gain access to sensitive information that may be used to
launch further attacks against a vulnerable system.

9. Multiple Monit Administration Interface Remote Vulnerabiliti...
BugTraq ID: 10051
Remote: Yes
Date Published: Apr 05 2004
Relevant URL: http://www.securityfocus.com/bid/10051
Summary:
The remote administration interface of Monit has been reported to be
prone to multiple vulnerabilities.

The first issue reported may be exploited by a remote attacker to
trigger a denial of service. The issue presents itself when no password
is submitted as a part of a basic authentication request.

The second vulnerability, a stack-based buffer overflow vulnerability,
has been reported to exist during basic authentication procedures. The
issue presents itself due to a lack of sufficient bounds checking
performed on user-supplied usernames.

A third issue, an off-by-one vulnerability, has also been reported to
affect Monit. The issue presents itself when a large POST submission is
handled. Depending on memory layout and compiler optimizations, this
issue may potentially be exploited on some platforms to allow an
attacker to influence the least significant byte of the stack frame
base pointer.

10. Gentoo Portage Sandbox Insecure Temporary Lockfile Creation ...
BugTraq ID: 10060
Remote: No
Date Published: Apr 06 2004
Relevant URL: http://www.securityfocus.com/bid/10060
Summary:
Gentoo portage has been reported prone to an insecure temporary file
creation vulnerability. The vulnerability exists because portage
creates a lockfile with a predictable name in a world writeable
location.

An attacker may create many symbolic hard links in the "/tmp" folder,
named with incrementing filenames in an attempt to predict the PID of
the vulnerable process. These links will point to a file that the
attacker wishes to corrupt. When portage is executed the file that is
linked will be overwritten with a blank file with the privileges of the
user who is invoking the portage application.
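The three insecure temporary file entries in this issue (ConTeXt TeXUtil, YaST Online Update and the portage lockfile above) share one failure mode: a predictable name in a world-writable directory, opened with a call that happily follows a pre-planted symlink. The following added example, which is not code from any of those projects, reproduces that failure inside a private scratch directory and shows the two standard fixes: refusing to create over an existing path or symlink (O_EXCL plus O_NOFOLLOW), and using an unpredictable name via mkstemp(). The victim file, the "lock.12345" name and the scratch directory are all constructed for the demo.

```python
import os
import tempfile


def naive_lockfile(path):
    """The vulnerable pattern from the advisories: a fixed, predictable
    name opened for writing. open() follows a symlink planted at that
    path and truncates whatever the link points to."""
    with open(path, "w"):
        pass


def safe_lockfile(path):
    """Hardened variant: O_EXCL makes creation fail if anything already
    exists at the path (a symlink counts), and O_NOFOLLOW refuses to
    follow a symlink as the final path component. Returns the fd."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.open(path, flags, 0o600)


def unpredictable_tmpfile(directory):
    """mkstemp() creates the file atomically with O_EXCL and a random
    suffix, so the name cannot be derived from the PID in advance."""
    fd, path = tempfile.mkstemp(prefix="lock.", dir=directory)
    os.close(fd)
    return path


def demo(workdir=None):
    """Plant a symlink at the predictable lockfile name (in a private
    scratch directory constructed for this demo) and compare the naive
    and hardened openers against it."""
    workdir = workdir or tempfile.mkdtemp(prefix="lockdemo-")
    victim = os.path.join(workdir, "victim.conf")  # file that would be clobbered
    lock = os.path.join(workdir, "lock.12345")     # PID-style predictable name
    with open(victim, "w") as f:
        f.write("important=1\n")
    os.symlink(victim, lock)                       # the pre-planted link

    naive_lockfile(lock)
    naive_clobbered = os.path.getsize(victim) == 0  # victim truncated to empty

    with open(victim, "w") as f:                   # restore for the second run
        f.write("important=1\n")
    try:
        os.close(safe_lockfile(lock))
        safe_refused = False
    except OSError:                                # EEXIST/ELOOP: creation refused
        safe_refused = True
    with open(victim) as f:
        victim_intact = f.read() == "important=1\n"

    a, b = unpredictable_tmpfile(workdir), unpredictable_tmpfile(workdir)
    return {"naive_clobbered": naive_clobbered, "safe_refused": safe_refused,
            "victim_intact": victim_intact, "random_names_differ": a != b}


if __name__ == "__main__":
    print(demo())
```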

11. Racoon IKE Daemon Unauthorized X.509 Certificate Connection ...
BugTraq ID: 10072
Remote: Yes
Date Published: Apr 07 2004
Relevant URL: http://www.securityfocus.com/bid/10072
Summary:
The racoon IKE daemon is prone to a security vulnerability that may
allow unauthorized access.  This issue may allow holders of valid X.509
certificates to make unauthorized connections to the VPN without being
required to be in possession of the corresponding private key.
Man-in-the-middle attacks are also possible.

This issue affects the racoon daemon included in IPsec-Tools for Linux
2.6 Kernel and the version included in KAME's IPsec utilities.


III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. Re[2]: chroot & mount --bind = security ? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/360112

2. Re: chroot & mount --bind = security ? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/360111

3. chroot & mount --bind = security ? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/360070

4. iptables firewall script for debian-woody, 2.4.24 (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/359573


IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:

Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so choose.

Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to
become exploit developers.

2. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT,
Windows XP
Relevant URL: http://www.infoseccorp.com/products/secretagent/contents.htm
Summary:

SecretAgent is a file encryption and digital signature utility,
supporting cross-platform interoperability over a wide range of
platforms: Windows, Linux, Mac OS X, and UNIX systems.

It's the perfect solution for your data security requirements,
regardless of the size of your organization.

Using the latest recognized standards in encryption and digital
signature technology, SecretAgent ensures the confidentiality,
integrity, and authenticity of your data.

3. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely
share business information among customers, business partners, and
remote branches. It provides a seamless, LAN-like experience over the
Internet that includes all the security, performance, accessibility,
and ease of administration required to allow organizations to share
everyday information worldwide.

4. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, Solaris,
UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:

EnCase Forensic Edition Version 4 delivers the most advanced features
for computer forensics and investigations. With an intuitive GUI and
superior performance, EnCase Version 4 provides investigators with the
tools to conduct large-scale and complex investigations with accuracy
and efficiency. Guidance Software's award winning solution yields
completely non-invasive computer forensic investigations while allowing
examiners to easily manage large volumes of computer evidence and view
all relevant files, including "deleted" files, file slack and
unallocated space.

The integrated functionality of EnCase allows the examiner to perform
all functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.

5. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000,
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:

KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity
within an accounting or specialist system. It is completely
undetectable by software scanners and provides you with one of the most
powerful stealth surveillance applications offered anywhere.

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data
stored within the device.

6. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:

Evidian's SafeKit technology makes it possible to render any
application available 24 hours per day. With no extra hardware: just
use your existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to
do is add more standard servers into the cluster. With the load
balancing features of SafeKit, you can distribute applications over
multiple servers. If one system fails completely, the others will
continue to serve your users.


V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Astaro Security Linux (Stable 5.x) v5.000
By: astaro
Relevant URL: http://www.astaro.com/
Platforms: Linux, POSIX
Summary:

Astaro Security Linux is a firewall solution. It does stateful packet
inspection filtering, content filtering, user authentication, virus
scanning, VPN with IPSec and PPTP, and much more. With its Web-based
management tool, WebAdmin, and the ability to pull updates via the
Internet, it is pretty easy to manage. It is based on a special
hardened Linux 2.4 distribution where most daemons are running in
change-roots and are protected by kernel capabilities.

2. NSA Security-enhanced Linux v2004040714
By: National Security Agency
Relevant URL: http://www.nsa.gov/selinux/
Platforms: Linux
Summary:

NSA Security-enhanced Linux is a set of patches to the Linux kernel and
some utilities to incorporate a strong, flexible mandatory access
control architecture into the major subsystems of the kernel. It
provides a mechanism to enforce the separation of information based on
confidentiality and integrity requirements, which allows threats of
tampering and bypassing of application security mechanisms to be
addressed and enables the confinement of damage that can be caused by
malicious or flawed applications. It includes a set of sample security
policy configuration files designed to meet common, general-purpose
security goals.

3. Telconi Terminal for Cisco IOS v0.6a
By: Stywiz
Relevant URL: http://www.telconi.com/
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows NT, Windows XP
Summary:

Telconi Terminal is a unique network management application with
interactive full-screen configuration editing, browsing, help facility
support, debugging, and more. It focuses on common Cisco IOS
functionality present with any hardware or software configuration, and
complements the command line interface with a rich set of features. It
is intended for users with knowledge of Cisco IOS, and is designed to
work with any IOS-based device, such as routers and switches.

4. fwsnort v0.6.3
By: Michael Rash
Relevant URL: http://www.cipherdyne.com/fwsnort/
Platforms: Linux
Summary:

fwsnort translates snort rules into an equivalent iptables ruleset. By
making use of the iptables string match module, fwsnort can detect
application layer signatures which exist in many snort rules. fwsnort
adds a --hex-string option to iptables, which allows snort rules that
contain hex characters to be input directly into iptables rulesets
without modification. In addition, fwsnort makes use of the
IPTables::Parse Perl module in order to (optionally) restrict the snort
rule translation to only those rules that specify traffic that could
potentially be allowed through an existing iptables policy.
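To make the translation described above concrete, here is an added, deliberately small translator (not fwsnort's own code, which is Perl) that maps a snort rule header and its content: options onto an iptables rule using the string match module, emitting --hex-string for snort's |0d 0a| pipe-delimited byte notation and --string otherwise. The sample rules, the SID values, the LOG target with a "SIDnnn " prefix, and the choice of the INPUT chain and the bm algorithm are assumptions made for this example.

```python
import re

# Constructed sample rules in snort syntax (not taken from any real ruleset).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC shell attempt"; '
    'content:"/bin/sh"; sid:900001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CRLF probe"; '
    'content:"|0d 0a|USER"; sid:900002;)',
    'alert udp any any -> $HOME_NET 53 (msg:"DNS rule without content"; sid:900003;)',
]

# Rule header: action proto src sport -> dst dport (options)
HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>tcp|udp)\s+\S+\s+\S+\s+->\s+\S+\s+"
    r"(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(rule):
    """Split a snort rule into proto, destination port, content strings
    and the remaining key:value options. Assumes no ';' inside a
    content value (a simplification the real tool does not make)."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: %r" % rule)
    opts, contents = {}, []
    for opt in filter(None, (o.strip() for o in m.group("opts").split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            contents.append(val)
        else:
            opts[key] = val
    return {"proto": m.group("proto"), "dport": m.group("dport"),
            "contents": contents, "sid": opts.get("sid"), "msg": opts.get("msg", "")}


def to_iptables(rule, chain="INPUT"):
    """Return the iptables command for one snort rule, or None when the
    rule carries no content option (nothing for the string match to see)."""
    r = parse_rule(rule)
    if not r["contents"]:
        return None
    cmd = ["iptables", "-A", chain, "-p", r["proto"]]
    if r["dport"] != "any":
        cmd += ["--dport", r["dport"]]          # snort "80:90" ranges map directly
    for c in r["contents"]:
        # |0d 0a| pipe notation is raw bytes: pass it through via --hex-string
        opt = "--hex-string" if "|" in c else "--string"
        cmd += ["-m", "string", "--algo", "bm", opt, '"%s"' % c]
    cmd += ["-j", "LOG", "--log-prefix", '"SID%s "' % r["sid"]]
    return " ".join(cmd)


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(to_iptables(rule))
```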

5. PGP Java API v2.0
By: CrypTom
Relevant URL: http://www.cryptography.ch/projects/pgpjava
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:

The PGP Java API provides access to a PGP implementation which is based
on PGP 2.3a. The PGP implementation will be compiled as a shared
object, which will be accessible to Java via the Java Native Interface
(JNI). The PGPi class provides the methods you can use to interact with
PGP. All the encrypted / signed files you generate with this API are
compatible with PGP 2.6.3i and vice versa. You can use the same
keyrings, too.

6. Dazuko v2.0.1
By: John Ogness
Relevant URL: http://www.dazuko.org/
Platforms: FreeBSD, Linux
Summary:

This project provides a kernel module which provides 3rd-party
applications with an interface for file access control. It was
originally developed for on-access virus scanning. Other uses include a
file-access monitor/logger or external security implementations. It
operates by intercepting file-access calls and passing the file
information to a 3rd-party application. The 3rd-party application then
has the opportunity to tell the kernel module to allow or deny the
file-access. The 3rd-party application also receives information about
the file, such as type of access, process ID, user ID, etc.

VII. SPONSOR INFORMATION
-----------------------