Date: 10 Jun 2004 16:42:21 -0000
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #187
SecurityFocus Linux Newsletter #187
------------------------------------
This Issue is Sponsored By: SPI Dynamics
ALERT: "How Hackers Launch Blind SQL Injection Attacks" - New White Paper
The newest web app vulnerability... Blind SQL Injection!
Even if your web application does not return error messages, it may still
be open to a Blind SQL Injection Attack. Blind SQL Injection can deliver
total control of your server to a hacker giving them the ability to read,
write and manipulate all data stored in your backend systems! Download
this *FREE* white paper from SPI Dynamics for a complete guide to
protection!
http://www.securityfocus.com/sponsor/SPIDynamics_linux-secnews_040607
------------------------------------------------------------------------
I. FRONT AND CENTER
1. Wireless Attacks and Penetration Testing (part 1 of 3)
2. Catching a Virus Writer
3. Multiple Security Roles With Unix/Linux
II. LINUX VULNERABILITY SUMMARY
1. Isoqlog Multiple Buffer Overflow Vulnerabilities
2. Spamguard Multiple Buffer Overflow Vulnerabilities
3. Gatos xatitv Missing Configuration File Privilege Escalation...
4. SquirrelMail Email Header HTML Injection Vulnerability
5. Firebird Remote Pre-Authentication Database Name Buffer Over...
6. PHP-Nuke Direct Script Access Security Bypass Vulnerability
7. MIT Kerberos 5 KRB5_AName_To_Localname Multiple Principal Na...
8. Gallery Authentication Bypass Vulnerability
9. Tripwire Email Reporting Format String Vulnerability
10. Unix and Unix-based select() System Call Overflow Vulnerabil...
11. Trend Micro Scanning Engine Report Generation HTML Injection...
12. Michael Krax log2mail Log File Writing Format String Vulnera...
13. Slackware Linux PHP Packages Insecure Linking Configuration ...
III. LINUX FOCUS LIST SUMMARY
1. mrtg/snmp/subinterfaces (Thread)
2. OpenVPN? (Thread)
3. Block martians with source address 127.0.0.1 (Thread)
4. Martians? (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. Immunity CANVAS
2. SecretAgent
3. Cyber-Ark Inter-Business Vault
4. EnCase Forensic Edition
5. KeyGhost SX
6. SafeKit
V. NEW TOOLS FOR LINUX PLATFORMS
1. Devil-Linux v1.2 Beta 1
2. GNU Anubis v3.9.94
3. DNSSEC Walker v3.4
4. Ettercap v0.7.0 pre2
5. Linux Intrusion Detection System (LIDS) v2.6.6
6. Astaro Security Linux (Stable 5.x) v5.007
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Wireless Attacks and Penetration Testing (part 1 of 3)
By Jonathan Hassell
This is the first of a three-part series on penetration testing for
wireless networks. This installment will detail common styles of attacks
against wireless networks, introduce WEP key-cracking, and then discuss
some recent developments in wireless security.
http://www.securityfocus.com/infocus/1783
2. Catching a Virus Writer
By Kelly Martin
With the consumer WiFi explosion, launching a virus into the wild has
never been easier and more anonymous than it is today.
http://www.securityfocus.com/columnists/246
3. Multiple Security Roles With Unix/Linux
By Daniel Hanson
There are some areas of security where Linux and Unix have some strong
wins, and simply fit in better than anything else.
http://www.securityfocus.com/columnists/247
II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Isoqlog Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 10433
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10433
Summary:
Isoqlog is prone to multiple buffer overflow vulnerabilities that span
various source files and functions. Some of the vulnerabilities are
remotely exploitable and may permit execution of arbitrary code in the
context of the process. Others are local in nature, but as the software
is not typically installed setuid/setgid, they should not present any
security risk.
2. Spamguard Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 10434
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10434
Summary:
Spamguard is prone to multiple buffer overflow vulnerabilities that
span various source files and functions. Some of the vulnerabilities are
remotely exploitable and may permit execution of arbitrary code in the
context of the process. Others are local in nature, but as the
software is not typically installed setuid/setgid, they should not present any
security risk.
3. Gatos xatitv Missing Configuration File Privilege Escalation...
BugTraq ID: 10437
Remote: No
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10437
Summary:
The gatos xatitv utility is prone to a local privilege escalation
vulnerability.
This issue may occur when the utility, which is installed setuid root,
fails to drop privileges due to a missing configuration file.
Unsanitized user-supplied environment variables may then be exploited to
escalate privileges.
It is noted that the software ships with a default configuration file,
so exploitation would require that the file was removed at some point.
4. SquirrelMail Email Header HTML Injection Vulnerability
BugTraq ID: 10439
Remote: Yes
Date Published: May 31 2004
Relevant URL: http://www.securityfocus.com/bid/10439
Summary:
SquirrelMail is reported to be prone to an email header HTML injection
vulnerability. This issue is due to a failure of the application to
properly sanitize user-supplied email header strings.
An attacker can exploit this issue to gain access to an unsuspecting
user's cookie-based authentication credentials; disclosure of personal
email is possible. Other attacks are also possible.
5. Firebird Remote Pre-Authentication Database Name Buffer Over...
BugTraq ID: 10446
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10446
Summary:
Firebird is reported prone to a remote buffer overrun vulnerability.
The issue presents itself due to a lack of sufficient boundary checks
performed when the database server is handling database names.
A remote attacker may exploit this vulnerability, without requiring
valid authentication credentials, to influence execution flow of the
affected Firebird database server. Ultimately this may lead to the execution
of attacker-supplied code in the context of the affected software.
6. PHP-Nuke Direct Script Access Security Bypass Vulnerability
BugTraq ID: 10447
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10447
Summary:
PHP-Nuke is affected by a direct script access security vulnerability.
This issue is due to a failure to properly validate the location and
name of the file being accessed.
This issue will allow an attacker to gain access to sensitive scripts
such as the 'admin.php' script. The attacker may be able to exploit
this unauthorized access to carry out attacks against the affected
application.
7. MIT Kerberos 5 KRB5_AName_To_Localname Multiple Principal Na...
BugTraq ID: 10448
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10448
Summary:
Kerberos 5 is prone to multiple boundary condition errors that exist in
the krb5_aname_to_localname() and helper functions and are due to
insufficient bounds checking performed on user-supplied data.
An additional boundary condition issue also exists in the
krb5_aname_to_localname() function. The condition is reported to present itself in
the explicit mapping functionality of krb5_aname_to_localname() as
an off-by-one.
These conditions may be theoretically exploitable to execute arbitrary
code remotely in the context of the affected service.
It is reported that explicit mapping or rules-based
mapping functionality of krb5_aname_to_localname() must be enabled for
these vulnerabilities to be present. Additionally it is necessary that
the principal name used by the attacker to exploit the issue be listed
in the explicit mapping list.
These vulnerabilities are reported to affect all releases of MIT
Kerberos 5, up to and including version krb5-1.3.3.
8. Gallery Authentication Bypass Vulnerability
BugTraq ID: 10451
Remote: Yes
Date Published: Jun 02 2004
Relevant URL: http://www.securityfocus.com/bid/10451
Summary:
It has been disclosed that an attacker can bypass Gallery's
authentication process, and log in as any user without a password.
An attacker can override configuration variables by passing them in
GET, POST or cookie arguments. Gallery simulates the 'register_globals'
PHP setting by extracting the values of the various $HTTP_ global
variables into the global namespace. Therefore, regardless of the
'register_globals' PHP setting, an attacker can override configuration variables.
An attacker can change configuration variables and cause Gallery to
skip the authentication steps.
Versions prior to 1.4.3-pl2 are reported to be vulnerable.
9. Tripwire Email Reporting Format String Vulnerability
BugTraq ID: 10454
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10454
Summary:
Tripwire is affected by an email reporting format string vulnerability.
This issue is due to a failure to properly implement a formatted string
function.
This vulnerability will allow for execution of arbitrary code on a
system running the affected software. This would occur in the security
context of the user invoking the vulnerable application; typically the
superuser.
**Update - It is reported that this issue only presents itself when the
MAILMETHOD is sendmail.
10. Unix and Unix-based select() System Call Overflow Vulnerabil...
BugTraq ID: 10455
Remote: Unknown
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10455
Summary:
The select() system call may be vulnerable to an overflow condition,
possibly allowing attackers to write data past the end of a fixed size
buffer.
select() uses arguments of type 'fd_set', which is of a fixed size in
many Unix variants. fd_set is used to keep track of open file
descriptors.
If a process raises its rlimit for open files past 1024, it is
theoretically possible to cause select to change individual bits past the end
of the fixed size fds_bits structure. In theory, an attacker may be able
to use this vulnerability to cause a denial of service condition, or
possibly execute arbitrary code.
It should be noted that rlimits can only be raised by root, and that
only processes with rlimits allowing more than 1024 file descriptors
would be affected.
This is a theoretical issue, and it has not been confirmed by any
vendor. This BID will be updated when further information is released.
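The select() summary above turns on a single arithmetic fact: FD_SET(fd, set) flips bit number fd inside a fixed-size fds_bits array, so once fd reaches FD_SETSIZE the write lands past the end of the fd_set. The example below, added here and not taken from the newsletter or from any vendor, shows a bounds-checked wrapper around FD_SET() and a check of the process's RLIMIT_NOFILE against FD_SETSIZE, which is the condition under which a program can hold descriptors that select() cannot safely track. All function names are the example's own.

```c
/* Added example (not from the newsletter or any vendor): guarding FD_SET()
 * against descriptors numbered >= FD_SETSIZE. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

/* Byte offset inside fds_bits that FD_SET(fd) would modify. For
 * fd >= FD_SETSIZE this offset is at or beyond sizeof(fd_set), i.e. the
 * bit flip would land outside the structure. */
size_t fdset_byte_offset(int fd) {
    return (size_t)fd / 8;
}

/* Returns 1 if fd can be tracked by an fd_set, 0 otherwise. */
int fd_fits_in_fdset(int fd) {
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Bounds-checked FD_SET: returns 1 on success, 0 if fd is out of range
 * (the caller should then fall back to poll() or refuse the descriptor). */
int safe_fd_set(int fd, fd_set *set) {
    if (!fd_fits_in_fdset(fd))
        return 0;
    FD_SET(fd, set);
    return 1;
}

/* Zeroes a local set, tries to add fd, and reports whether the bit is
 * now set. Out-of-range descriptors are rejected, so they never reach
 * FD_SET() and the result is 0 rather than a corrupted stack frame. */
int set_and_check(int fd) {
    fd_set set;
    FD_ZERO(&set);
    if (!safe_fd_set(fd, &set))
        return 0;
    return FD_ISSET(fd, &set) ? 1 : 0;
}

/* Returns 1 if the soft RLIMIT_NOFILE exceeds FD_SETSIZE (the process can
 * obtain descriptors select() cannot hold), 0 if not, -1 on error. */
int nofile_limit_exceeds_fdsetsize(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    return rl.rlim_cur > (rlim_t)FD_SETSIZE ? 1 : 0;
}

int main(void) {
    printf("FD_SETSIZE = %d, sizeof(fd_set) = %zu bytes\n",
           FD_SETSIZE, sizeof(fd_set));
    printf("fd 5 -> byte %zu, accepted=%d\n",
           fdset_byte_offset(5), set_and_check(5));
    printf("fd %d -> byte %zu, accepted=%d\n", FD_SETSIZE,
           fdset_byte_offset(FD_SETSIZE), set_and_check(FD_SETSIZE));
    printf("RLIMIT_NOFILE soft limit exceeds FD_SETSIZE: %d\n",
           nofile_limit_exceeds_fdsetsize());
    return 0;
}
```

The practical mitigation for a daemon that legitimately needs more than FD_SETSIZE descriptors is to avoid select() altogether in favour of poll(), which takes an array sized by the caller; the wrapper above is the minimum check for code that must keep using select().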
11. Trend Micro Scanning Engine Report Generation HTML Injection...
BugTraq ID: 10456
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10456
Summary:
Trend Micro's scanning engine is reportedly affected by an HTML
injection vulnerability in its report generation feature. This issue is due to
a failure to properly sanitize user-supplied data before including it in an
HTML report.
It has been speculated that the offending HTML alert reports run from
the local zone on the affected computer, although this has not been
verified.
This issue may be exploited by a remote attacker to execute arbitrary
HTML or script code on an affected computer; potentially resulting in
unauthorized access. Other attacks are also possible.
12. Michael Krax log2mail Log File Writing Format String Vulnera...
BugTraq ID: 10460
Remote: No
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10460
Summary:
Michael Krax log2mail is reported prone to a log file writing format
string vulnerability. This issue is due to a failure of the application
to properly implement a formatted string function.
This vulnerability will ultimately allow for execution of arbitrary
code on a system running the affected software. This would occur in the
security context of the user invoking the vulnerable application;
typically the 'log2mail' user with group 'adm'.
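Items 9 (Tripwire) and 12 (log2mail) describe the same defect class: a string that an attacker can influence (a file name in a report, a log line) is handed to a printf-style function as its format argument instead of as data. The example below is added here and is not code from the newsletter, Tripwire or log2mail; it shows the safe "%s" pattern and a small scanner that counts conversion directives in untrusted text, which is a useful unit-test or log-monitor check for fields that will later reach a formatting function. The function names and the sample line are the example's own.

```c
/* Added example (not from the newsletter, Tripwire or log2mail): the
 * pattern behind a format string vulnerability and its remedy.
 *
 * Unsafe:  fprintf(mail, report);         report is attacker-influenced
 * Safe:    fprintf(mail, "%s", report);   report is treated as data
 */
#include <stdio.h>
#include <string.h>

/* Writes an untrusted line into a fixed buffer through an explicit "%s"
 * format, so any '%' sequences in it are copied literally rather than
 * interpreted. Returns what snprintf returns (the length that would have
 * been written), so callers can detect truncation. */
int safe_format_line(char *out, size_t out_len, const char *untrusted) {
    return snprintf(out, out_len, "%s", untrusted);
}

/* Returns 1 if the untrusted text survives safe_format_line() byte for
 * byte (no directive was interpreted, no truncation), 0 otherwise. */
int line_preserved(const char *untrusted) {
    char buf[256];
    int n = safe_format_line(buf, sizeof buf, untrusted);
    return n >= 0 && (size_t)n < sizeof buf && strcmp(buf, untrusted) == 0;
}

/* Counts printf conversion directives in s, treating "%%" as a literal
 * percent sign and ignoring a lone trailing '%'. A non-zero count in a
 * field that is later used as a format string is a red flag. */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent sign */
            s++;
            continue;
        }
        if (s[1] == '\0')       /* lone '%' at end of string */
            break;
        n++;
    }
    return n;
}

int main(void) {
    /* Constructed sample: a report line carrying directives an attacker
     * could plant in a monitored file name. */
    const char *line = "file changed: /tmp/%s%x";
    char buf[128];
    safe_format_line(buf, sizeof buf, line);
    printf("copied verbatim : %s\n", buf);
    printf("directives found: %d\n", count_format_directives(line));
    printf("in \"100%% done\" : %d\n", count_format_directives("100%% done"));
    return 0;
}
```

Modern compilers flag the unsafe form with -Wformat-security; enabling that warning as an error in the build is the cheapest way to keep this class of bug out of a code base that writes mail or log output.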
13. Slackware Linux PHP Packages Insecure Linking Configuration ...
BugTraq ID: 10461
Remote: No
Date Published: Jun 02 2004
Relevant URL: http://www.securityfocus.com/bid/10461
Summary:
Slackware Linux PHP Packages are reportedly affected by an insecure
linking configuration vulnerability. This issue is due to a configuration
error that causes PHP to be linked against shared libraries in insecure
directories.
This issue can be leveraged by an attacker to execute arbitrary code in
the security context of the user running the affected PHP process;
typically the user 'nobody'.
III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. mrtg/snmp/subinterfaces (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/365318
2. OpenVPN? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/365209
3. Block martians with source address 127.0.0.1 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/365207
4. Martians? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/364805
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:
Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so choose.
Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to become
exploit developers.
2. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT,
Windows XP
Relevant URL:
http://www.infoseccorp.com/products/secretagent/contents.htm
Summary:
SecretAgent is a file encryption and digital signature utility,
supporting cross-platform interoperability over a wide range of platforms:
Windows, Linux, Mac OS X, and UNIX systems.
It's the perfect solution for your data security requirements,
regardless of the size of your organization.
Using the latest recognized standards in encryption and digital
signature technology, SecretAgent ensures the confidentiality, integrity, and
authenticity of your data.
3. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:
Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely share
business information among customers, business partners, and remote
branches. It provides a seamless, LAN-like experience over the Internet
that includes all the security, performance, accessibility, and ease of
administration required to allow organizations to share everyday
information worldwide.
4. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS,
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:
EnCase Forensic Edition Version 4 delivers the most advanced features
for computer forensics and investigations. With an intuitive GUI and
superior performance, EnCase Version 4 provides investigators with the
tools to conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award winning solution yields
completely non-invasive computer forensic investigations while allowing
examiners to easily manage large volumes of computer evidence and view all
relevant files, including "deleted" files, file slack and unallocated
space.
The integrated functionality of EnCase allows the examiner to perform
all functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.
5. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000,
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:
KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity within
an accounting or specialist system. It is completely undetectable by
software scanners and provides you with one of the most powerful stealth
surveillance applications offered anywhere.
Because KeyGhost uses STRONG 128-Bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data stored
within the device.
6. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:
Evidian's SafeKit technology makes it possible to render any
application available 24 hours per day. With no extra hardware: just use your
existing servers and install this software-only solution.
This provides ultimate scalability. As your needs grow, all you need to
do is add more standard servers into the cluster. With the load
balancing features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to
serve your users.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Devil-Linux v1.2 Beta 1
By: Heiko Zuerker <heiko@devil-linux.org>
Relevant URL: http://www.devil-linux.org/download.htm
Platforms: Linux
Summary:
Devil-Linux is a special Linux distribution which is used for
firewalls/routers. The goal of Devil-Linux is to have a small, customizable, and
secure Linux system. Configuration is saved on a floppy disk, and it
has several optional packages.
2. GNU Anubis v3.9.94
By: Wojciech Polak
Relevant URL: http://www.gnu.org/software/anubis/
Platforms: Linux, POSIX
Summary:
GNU Anubis is an outgoing mail processor. It sits between the MUA (Mail
User Agent) and the MTA (Mail Transport Agent), and can perform various
sorts of processing and conversion on the fly in accordance with the
sender's specified rules, based on a highly configurable regular
expressions system. It operates as a proxy server, and can edit outgoing mail
headers, encrypt or sign mail with GnuPG, build secure SMTP tunnels
using TLS/SSL encryption even if your mail user agent doesn't
support it, or tunnel a connection through a SOCKS proxy server.
3. DNSSEC Walker v3.4
By: Simon Josefsson
Relevant URL: http://josefsson.org/walker/
Platforms: Linux, UNIX
Summary:
DNSSEC Walker is a tool to recover DNS zonefiles using the DNS
protocol. The server does not have to support zonetransfer, but the zone must
contain DNSSEC "NXT" records.
4. Ettercap v0.7.0 pre2
By: ALoR <alor@users.sourceforge.net>
Relevant URL: http://ettercap.sourceforge.net/
Platforms: FreeBSD, Linux, MacOS, NetBSD, Windows 2000, Windows NT,
Windows XP
Summary:
Ettercap is a network sniffer/interceptor/logger for ethernet LANs. It
supports active and passive dissection of many protocols (even ciphered
ones, like SSH and HTTPS). Data injection in an established connection
and filtering on the fly is also possible, keeping the connection
synchronized. Many sniffing modes were implemented to give you a powerful
and complete sniffing suite. Plugins are supported. It has the ability to
check whether you are in a switched LAN or not, and to use OS
fingerprints (active or passive) to let you know the geometry of the LAN.
5. Linux Intrusion Detection System (LIDS) v2.6.6
By: Xie Hua Gang, xhg@gem.ncic.ac.cn
Relevant URL: http://www.lids.org/download.html
Platforms: Linux
Summary:
The Linux Intrusion Detection System is a patch which enhances the
kernel's security. When it is in effect, access to chosen files, all
system/network administration operations, any capability use, and raw device, mem,
and I/O access can be made impossible even for root. You can define
which program can access which file. It uses and extends the system
capabilities bounding set to control the whole system and adds some network
and filesystem security features to the kernel to enhance the security.
You can finely tune the security protections online, hide sensitive
processes, receive security alerts through the network, and more.
6. Astaro Security Linux (Stable 5.x) v5.007
By: astaro
Relevant URL: http://www.astaro.com/
Platforms: Linux, POSIX
Summary:
Astaro Security Linux is a firewall solution. It does stateful packet
inspection filtering, content filtering, user authentication, virus
scanning, VPN with IPSec and PPTP, and much more. With its Web-based
management tool, WebAdmin, and the ability to pull updates via the Internet,
it is pretty easy to manage. It is based on a special hardened Linux
2.4 distribution where most daemons are running in change-roots and are
protected by kernel capabilities.
VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
If your email address has changed, email listadmin@securityfocus.com and
ask to be manually removed.
VII. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored By: SPI Dynamics
ALERT: "How Hackers Launch Blind SQL Injection Attacks" - New White Paper
The newest web app vulnerability... Blind SQL Injection!
Even if your web application does not return error messages, it may still
be open to a Blind SQL Injection Attack. Blind SQL Injection can deliver
total control of your server to a hacker giving them the ability to read,
write and manipulate all data stored in your backend systems! Download
this *FREE* white paper from SPI Dynamics for a complete guide to
protection!
http://www.securityfocus.com/sponsor/SPIDynamics_linux-secnews_040607
------------------------------------------------------------------------