Date: 10 Aug 2004 21:44:24 -0000
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #196
SecurityFocus Linux Newsletter #196
------------------------------------
This issue sponsored by: SPI Dynamics
ALERT: How Hackers Use LDAP Injection to Steal Your Data and Bypass Authentication
It's as simple as placing additional LDAP query commands into a Web form
input box giving hackers complete access to all your backend systems!
Firewalls and IDS will not stop such attacks because LDAP Injections are
seen as valid data.
Download this *FREE* white paper from SPI Dynamics for a complete guide to
protection!
http://www.securityfocus.com/sponsor/SPIDynamics_linux-secnews_040810
------------------------------------------------------------------------
I. FRONT AND CENTER
1. Data Driven Attacks Using HTTP Tunneling
II. LINUX VULNERABILITY SUMMARY
1. Mozilla and Netscape SOAPParameter Integer Overflow Vulnerab...
2. Sun Java Runtime Environment Remote XSLT Privilege Escalatio...
3. Horde IMP HTML+TIME HTML Injection Vulnerability
4. PuTTY Modpow Integer Handling Memory Corruption Vulnerabilit...
5. Linux Kernel File 64-Bit Offset Pointer Handling Kernel Memo...
6. LibPNG Graphics Library Multiple Remote Vulnerabilities
7. PHP-Nuke Delete God Admin Access Control Bypass Vulnerabilit...
8. Acme thttpd Directory Traversal Vulnerability
9. Gnome VFS 'extfs' Scripts Undisclosed Vulnerability
10. Gaim Multiple Unspecified MSN Protocol Buffer Overflow Vulne...
11. LILO gfxboot Plaintext Password Display Vulnerability
12. YaST2 Utility Library File Verification Shell Code Injection...
13. Neon WebDAV Client Library Unspecified Vulnerability
14. LibPNG Graphics Library Unspecified Remote Buffer Overflow V...
15. Opera Remote Location Object Cross-Domain Scripting Vulnerab...
16. Mozilla Browser Input Type HTML Tag Unauthorized Access Vuln...
17. Mozilla Browser/Thunderbird SendUIDL POP3 Message Handling R...
18. Mozilla Browser Non-FQDN SSL Certificate Spoofing Vulnerabil...
19. Mozilla SSL Redirect Spoofing Vulnerability
20. phpBB Login.PHP Cross-Site Scripting Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. can Hopster traffic be blocked? (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. Cyber-Ark Inter-Business Vault
2. EnCase Forensic Edition
3. KeyGhost SX
4. SafeKit
5. Astaro Linux Firewall
6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
1. Firewall Builder 2.0
2. Lepton's Crack 20031130
3. popa3d v0.6.4.1
4. tinysofa enterprise server 2.0-rc1
5. cenfw 0.2 beta
6. TinyCA v0.6.4
VII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Data Driven Attacks Using HTTP Tunneling
By Ido Dubrawsky
In this article we will look at a means to bypass the access control
restrictions of a company's router or firewall. This information is
intended to provide help for those who are legitimately testing the
security of a network (whether they are in-house expertise or outside
consultants).
http://www.securityfocus.com/infocus/1793
II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Mozilla and Netscape SOAPParameter Integer Overflow Vulnerab...
BugTraq ID: 10843
Remote: Yes
Date Published: Aug 02 2004
Relevant URL: http://www.securityfocus.com/bid/10843
Summary:
It is reported that Mozilla and Netscape contain an integer overflow
vulnerability in the SOAPParameter object constructor. This overflow may
result in the corruption of critical heap memory structures, leading to
possible remote code execution.
An attacker can exploit this issue by crafting a malicious web page and
having unsuspecting users view the page in a vulnerable version of
Mozilla or Netscape.
Netscape 7.0, 7.1, and versions of Mozilla prior to 1.7.1 are known to
be vulnerable to this issue. Users of affected versions of Netscape are
urged to switch to Mozilla 1.7.1 or later, as new versions of Netscape
are not likely to appear.
2. Sun Java Runtime Environment Remote XSLT Privilege Escalatio...
BugTraq ID: 10844
Remote: Yes
Date Published: Aug 03 2004
Relevant URL: http://www.securityfocus.com/bid/10844
Summary:
It has been reported that the Sun Java Runtime Environment is affected
by an access validation vulnerability within the XSLT processor.
An attacker might exploit this issue to allow an untrusted applet or
application to read data from a trusted applet or application that is
running within the same virtual machine. It has also been reported that
this issue may facilitate privilege escalation.
3. Horde IMP HTML+TIME HTML Injection Vulnerability
BugTraq ID: 10845
Remote: Yes
Date Published: Aug 03 2004
Relevant URL: http://www.securityfocus.com/bid/10845
Summary:
Reportedly Horde IMP is affected by an HTML injection vulnerability due
to insufficient sanitization of HTML+TIME script.
An attacker can exploit this issue to gain access to an unsuspecting
user's cookie based authentication credentials; disclosure of personal
email is possible. Other attacks are also possible.
4. PuTTY Modpow Integer Handling Memory Corruption Vulnerabilit...
BugTraq ID: 10850
Remote: Yes
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10850
Summary:
Reportedly PuTTY is affected by a remote, pre-authentication code
execution vulnerability.
An attacker might leverage this issue to execute arbitrary code on an
affected system. As this issue is exploitable before any authorization
and before the host key is verified, any remote attacker can exploit
this to gain unauthorized access to a vulnerable computer with the
privileges of the user that started the affected application.
5. Linux Kernel File 64-Bit Offset Pointer Handling Kernel Memo...
BugTraq ID: 10852
Remote: No
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10852
Summary:
A vulnerability in the Linux kernel in the 64-bit file offset handling
code may allow malicious users to read kernel memory. This issue is
due to a design error that causes the affected code to fail to properly
validate file pointers.
An attacker may leverage this issue to read arbitrary Linux kernel
memory. This could allow an attacker to read sensitive data such as cached
passwords. This issue will certainly aid in further attacks against
the affected computer.
It has been reported that the Linux 2.6.X kernel, although still
vulnerable, might not be exploitable. This BID will be updated when more
information becomes available.
6. LibPNG Graphics Library Multiple Remote Vulnerabilities
BugTraq ID: 10857
Remote: Yes
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10857
Summary:
The libpng graphics library is reported prone to multiple
vulnerabilities. The following issues are reported:
It is reported that a stack-based buffer overrun vulnerability exists
in the libpng library (CAN-2004-0597).
A remote attacker may exploit this condition, by supplying a malicious
image to an unsuspecting user. When this image is viewed, the
vulnerability may be triggered resulting in code execution occurring in the
context of the user that viewed the malicious image.
A denial of service vulnerability is also reported to affect libpng
(CAN-2004-0598).
A remote attacker may exploit this condition, by supplying a malicious
image to an unsuspecting user. When the malicious image is viewed, a
NULL pointer dereference will occur resulting in a crash of the
application that is linked to the vulnerable library.
Additionally several integer overrun vulnerabilities are reported to
exist in png_handle_sPLT(), png_read_png() and other functions of libpng
(CAN-2004-0599).
A remote attacker may exploit the integer-overrun conditions, by
supplying a malicious image to an unsuspecting user. When the malicious image
is viewed, an integer value may wrap, or be interpreted incorrectly
resulting in a crash of the application that is linked to the vulnerable
library, or may potentially result in arbitrary code execution.
This BID will be split into independent BIDs when further analysis of
these vulnerabilities is complete.
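To make the integer-overrun failure mode described above concrete, here is an added C example (an editor's illustration, not libpng source): it contrasts a table-size computation that silently wraps with one that detects the wrap and also checks the declared table against the chunk body actually received. The chunk layout, the function names and the sample bytes are all constructed for this illustration and do not correspond to libpng's real sPLT handling.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of the CAN-2004-0599 class of bug, not libpng code.
 * Constructed chunk layout (hypothetical, simpler than a real sPLT chunk):
 *   bytes 0-3: entry count, big-endian
 *   byte  4:   bytes per entry
 *   bytes 5-:  the entry payload */

/* The unsafe pattern: a table size computed in 32-bit arithmetic. When the
 * product exceeds 2^32 it wraps, so a parser would allocate a tiny buffer and
 * then copy or index far past its end. */
uint32_t naive_table_bytes(uint32_t entries, uint32_t entry_size) {
    return entries * entry_size;            /* silently wraps modulo 2^32 */
}

/* The safe pattern: detect the wrap before allocating, and also require that
 * the declared table fits inside the chunk body actually received.
 * Returns the byte count, or -1 if the chunk must be rejected. */
int64_t checked_table_bytes(uint32_t entries, uint32_t entry_size,
                            size_t body_len) {
    if (entry_size == 0)
        return -1;                          /* nonsensical entry size */
    if (entries > UINT32_MAX / entry_size)
        return -1;                          /* product would wrap */
    uint64_t need = (uint64_t)entries * entry_size;
    if (need > body_len)
        return -1;                          /* table larger than the chunk */
    return (int64_t)need;
}

/* Parse one constructed chunk with the checked arithmetic.
 * Returns the number of entries copied, or -1 if the chunk was rejected. */
long parse_table_chunk(const uint8_t *chunk, size_t len) {
    if (len < 5)
        return -1;
    uint32_t entries = ((uint32_t)chunk[0] << 24) | ((uint32_t)chunk[1] << 16)
                     | ((uint32_t)chunk[2] << 8)  |  (uint32_t)chunk[3];
    uint32_t entry_size = chunk[4];
    int64_t need = checked_table_bytes(entries, entry_size, len - 5);
    if (need < 0)
        return -1;
    uint8_t *table = malloc(need > 0 ? (size_t)need : 1);
    if (table == NULL)
        return -1;
    memcpy(table, chunk + 5, (size_t)need);  /* bounded by the check above */
    free(table);
    return (long)entries;
}

/* Constructed samples. The first declares 0x40000000 entries of 4 bytes:
 * 2^30 * 4 = 2^32 wraps to 0 in 32-bit arithmetic, yet only 8 payload bytes
 * follow. The second declares 2 entries of 4 bytes and is well formed. */
const uint8_t kWrappingChunk[] = { 0x40, 0x00, 0x00, 0x00, 0x04,
                                   1, 2, 3, 4, 5, 6, 7, 8 };
const uint8_t kGoodChunk[]     = { 0x00, 0x00, 0x00, 0x02, 0x04,
                                   1, 2, 3, 4, 5, 6, 7, 8 };

int main(void) {
    printf("naive size for wrapping chunk: %u bytes\n",
           naive_table_bytes(0x40000000u, 4u));
    printf("checked parse of wrapping chunk: %ld\n",
           parse_table_chunk(kWrappingChunk, sizeof kWrappingChunk));
    printf("checked parse of good chunk: %ld\n",
           parse_table_chunk(kGoodChunk, sizeof kGoodChunk));
    return 0;
}
```

The second check (declared size against the bytes actually present) matters as much as the overflow test: a count that does not wrap can still exceed the chunk, and a parser that trusts it reads past the input buffer, which is the crash case the advisory describes.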
7. PHP-Nuke Delete God Admin Access Control Bypass Vulnerabilit...
BugTraq ID: 10861
Remote: Yes
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10861
Summary:
PHP-Nuke is reported prone to an access control bypass vulnerability.
Reports indicate that a PHP-Nuke superuser may bypass access controls
and privilege restrictions, to delete the PHP-Nuke "God Admin" account.
This may be accomplished by making a specially crafted request for the
"admin.php" script.
8. Acme thttpd Directory Traversal Vulnerability
BugTraq ID: 10862
Remote: Yes
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10862
Summary:
It is reported that thttpd is susceptible to a directory traversal
vulnerability. This issue presents itself due to insufficient sanitization
of user-supplied data. This issue only exists in the Windows port of
the application, because it does not properly account for the file system
access semantics of the Windows platform.
This issue may allow an attacker to retrieve arbitrary, potentially
sensitive files, from the affected host computer, as the user that the
thttpd process is running as.
Version 2.07 beta 0.4 of thttpd, running on a Microsoft Windows
platform is reported vulnerable to this issue.
9. Gnome VFS 'extfs' Scripts Undisclosed Vulnerability
BugTraq ID: 10864
Remote: Yes
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10864
Summary:
Gnome VFS's 'extfs' scripts are reported prone to an undisclosed
vulnerability.
It is reported that a user that views specially crafted, attacker
supplied URIs utilizing the 'extfs' VFS module may be able to execute
arbitrary commands in the context of the user.
This BID will be updated as further information is disclosed.
10. Gaim Multiple Unspecified MSN Protocol Buffer Overflow Vulne...
BugTraq ID: 10865
Remote: Yes
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10865
Summary:
It is reported that there are multiple unspecified buffer overflow
vulnerabilities in the MSN protocol module in Gaim.
Due to a lack of details, further information is not available at the
moment. This BID will be updated as more information becomes available.
11. LILO gfxboot Plaintext Password Display Vulnerability
BugTraq ID: 10866
Remote: No
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10866
Summary:
Reportedly gfxboot is affected by a plain text password display
vulnerability. This issue is due to a design error that fails to protect user
passwords.
The problem reportedly results in the plain text LILO boot password being
displayed as it is typed.
An attacker might leverage this issue to read the plain text LILO boot
password.
12. YaST2 Utility Library File Verification Shell Code Injection...
BugTraq ID: 10867
Remote: Yes
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10867
Summary:
YaST2 utility library 'liby2util' is affected by a file verification
shell code injection vulnerability. This issue is due to a design error
that fails to properly validate files.
An attacker could leverage this issue to inject malicious shell code
into a file name being transferred using the vulnerable utility. This
might facilitate privilege escalation and unauthorized access.
13. Neon WebDAV Client Library Unspecified Vulnerability
BugTraq ID: 10869
Remote: Yes
Date Published: Aug 04 2004
Relevant URL: http://www.securityfocus.com/bid/10869
Summary:
It is reported that Neon contains an unspecified vulnerability. The
cause of this vulnerability is currently unknown.
Due to the nature of the library, it is likely that this is a remotely
exploitable issue.
The effects and impact of this issue are currently unknown.
This BID will be updated immediately when more information becomes
available.
14. LibPNG Graphics Library Unspecified Remote Buffer Overflow V...
BugTraq ID: 10872
Remote: Yes
Date Published: Aug 05 2004
Relevant URL: http://www.securityfocus.com/bid/10872
Summary:
Reportedly LibPNG contains a buffer offset calculation error that may
facilitate a buffer overflow vulnerability. This issue is due to a
logical design error.
This vulnerability may allow an attacker to crash applications
utilizing the library, or potentially allow code execution.
Please note that vulnerabilities previously outlined in this BID have
been described in the LibPNG Graphics Library Multiple Remote
Vulnerabilities outlined in BID 10857.
15. Opera Remote Location Object Cross-Domain Scripting Vulnerab...
BugTraq ID: 10873
Remote: Yes
Date Published: Aug 05 2004
Relevant URL: http://www.securityfocus.com/bid/10873
Summary:
Opera is affected by a remote location object cross-domain scripting
vulnerability. This issue is due to a failure to properly validate
methods that a user can access.
An attacker might leverage this issue to steal cookie based
authentication credentials and conduct phishing attacks, among other attacks.
Furthermore, provided there is an HTML script invoking 'location' methods
local to a victim's computer (such as c:/winnt/help/ciadmin.htm in most
Microsoft Windows implementations) an attacker can exploit this issue
to gain read access to directory contents, files and email read using
Opera's email utilities.
Although this issue is reported to affect versions 1.52 and 1.53 of the
affected software, it is likely that earlier versions are also
affected.
16. Mozilla Browser Input Type HTML Tag Unauthorized Access Vuln...
BugTraq ID: 10874
Remote: Yes
Date Published: Aug 05 2004
Relevant URL: http://www.securityfocus.com/bid/10874
Summary:
Mozilla browser is reportedly affected by an input type HTML tag
unauthorized access vulnerability. This issue is due to an access validation
error that allows access to arbitrary files on an unsuspecting user's
system.
This issue will allow an attacker to obtain arbitrary files residing on
the computer of an unsuspecting user that activates a malicious script.
17. Mozilla Browser/Thunderbird SendUIDL POP3 Message Handling R...
BugTraq ID: 10875
Remote: Yes
Date Published: Aug 05 2004
Relevant URL: http://www.securityfocus.com/bid/10875
Summary:
Mozilla and Mozilla Thunderbird are reported prone to a remote heap
overflow vulnerability. The issue is reported to exist due to a lack of
sufficient boundary checks performed on POP3 data handled by SendUidl().
An attacker controlled POP3 mail server may exploit this condition by
sending a specifically crafted email message to the affected mail
client. This will result in the corruption of heap-based memory.
18. Mozilla Browser Non-FQDN SSL Certificate Spoofing Vulnerabil...
BugTraq ID: 10876
Remote: Yes
Date Published: Aug 05 2004
Relevant URL: http://www.securityfocus.com/bid/10876
Summary:
Mozilla browser is reportedly vulnerable to an SSL certificate spoofing
vulnerability in the 'cert_TestHostName()' function. This issue is due
to a design error that fails to properly validate certified host names.
This issue would allow an attacker to spoof a trusted certificate from
a third party site, facilitating phishing style attacks by luring an
unsuspecting user to enter information on what is apparently a trusted
site.
19. Mozilla SSL Redirect Spoofing Vulnerability
BugTraq ID: 10880
Remote: Yes
Date Published: Aug 05 2004
Relevant URL: http://www.securityfocus.com/bid/10880
Summary:
It is reported that Mozilla, and products derived from Mozilla are
susceptible to an SSL redirect spoofing vulnerability.
By exploiting this vulnerability, an attacker can ensure that the
victim's browser displays the SSL lock icon, and will display the SSL
certificate information of a legitimate site when the lock is clicked on.
This vulnerability may aid in Phishing style attacks.
Mozilla prior to 1.7, Mozilla Firebird 0.7, Mozilla Firefox prior to
0.9, and Mozilla Thunderbird prior to 0.7 are all reported vulnerable.
20. phpBB Login.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 10883
Remote: Yes
Date Published: Aug 06 2004
Relevant URL: http://www.securityfocus.com/bid/10883
Summary:
phpBB is affected by a cross-site scripting vulnerability in the
'login.php' script. This issue is due to a failure of the application to
properly sanitize user-supplied URI input.
This can be exploited by constructing links that pass malicious strings
through the affected URI parameter. If an unsuspecting user visits such
a link, the malicious, externally created content supplied in the link
will be rendered (or executed, in the case of script code) as part of
the 'login.php' document and within the context of the vulnerable
website (including the phpBB forum).
Attackers may exploit this vulnerability to obtain the authentication
credentials of other forum users. If the domain hosts other
applications, their credentials and/or other sensitive information (session IDs,
etc) may be exposed.
III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. can Hopster traffic be blocked? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/371150
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:
Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely share
business information among customers, business partners, and remote
branches. It provides a seamless, LAN-like experience over the Internet
that includes all the security, performance, accessibility, and ease of
administration required to allow organizations to share everyday
information worldwide.
2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS,
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:
EnCase Forensic Edition Version 4 delivers the most advanced features
for computer forensics and investigations. With an intuitive GUI and
superior performance, EnCase Version 4 provides investigators with the
tools to conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award winning solution yields
completely non-invasive computer forensic investigations while allowing
examiners to easily manage large volumes of computer evidence and view all
relevant files, including "deleted" files, file slack and unallocated
space.
The integrated functionality of EnCase allows the examiner to perform
all functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.
3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000,
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:
KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity within
an accounting or specialist system. It is completely undetectable by
software scanners and provides you with one of the most powerful stealth
surveillance applications offered anywhere.
Because KeyGhost uses STRONG 128-Bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data stored
within the device.
4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:
Evidian's SafeKit technology makes it possible to render any
application available 24 hours per day. With no extra hardware: just use your
existing servers and install this software-only solution.
This provides ultimate scalability. As your needs grow, all you need to
do is add more standard servers into the cluster. With the load
balancing features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to
serve your users.
5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary:
Astaro Linux Firewall: All-in-one firewall, virus protection, content
filtering and spam protection internet security software package for
Linux.
Free download for home users.
6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris,
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary:
Low cost, easy to use Two Factor Authentication One Time Password token
using a cellular phone. Does not use SMS or communication, manages multiple
OTP accounts - new technology. For any business that wants safer
access to its Internet Services. More information at our site.
We also provide an eAuthentication service for businesses that will not
buy an Authentication product but would prefer to pay a monthly charge
for authentication services from our CAT Server.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Firewall Builder 2.0
By: Vadim Kurland
Relevant URL: http://www.fwbuilder.org/
Platforms: FreeBSD, Linux, MacOS, Solaris, Windows 2000, Windows XP
Summary:
Firewall Builder consists of a GUI and set of policy compilers for
various firewall platforms. It helps users maintain a database of objects
and allows policy editing using simple drag-and-drop operations. The GUI
and policy compilers are completely independent, and support for a new
firewall platform can be added to the GUI without any changes to the
program (only a new policy compiler is needed). This provides for a
consistent abstract model and the same GUI for different firewall platforms.
It currently supports iptables, ipfilter, and OpenBSD pf.
2. Lepton's Crack 20031130
By: Lepton and Nekromancer
Relevant URL: http://www.nestonline.com/lcrack/lcrack-20031130-beta.zip
Platforms: Linux, MacOS, Os Independent, UNIX, Windows 2000, Windows
NT, Windows XP
Summary:
Lepton's Crack is a generic password cracker. It is easily customizable
with a simple plugin system and allows system administrators to review
the quality of the passwords being used on their systems. It can
perform a dictionary-based (wordlist) attack as well as a brute force
(incremental) password scan. It supports standard MD4 hash, standard MD5 hash,
NT MD4/Unicode, Lotus Domino HTTP password (R4), and SHA-1 hash
formats. LM (LAN Manager) plus appending and prepending
3. popa3d v0.6.4.1
By: Solar Designer, solar@openwall.com
Relevant URL: http://www.openwall.com/popa3d/
Platforms: Linux, Solaris
Summary:
popa3d is a POP3 daemon which attempts to be extremely secure,
reliable, RFC compliant, and fast (in that order).
4. tinysofa enterprise server 2.0-rc1
By: Omar Kilani
Relevant URL: http://www.tinysofa.org
Platforms: Linux, POSIX
Summary:
tinysofa enterprise server is a secure, server-targeted, enterprise-grade
operating system. It is based on Trustix Secure Linux and includes a
complete distribution port to Python 2.3 and RPM 4.2, an overhauled PAM
authentication system providing system-wide authentication
configuration, the latest upstream packages, the replacement of ncftp with lftp, the
addition of gdb and screen, feature additions to the swup updater that
provide multiple configuration file support, user login FTP support,
enable/disable support, variable expansion support (allows multiple
architectures), and many enhancements.
5. cenfw 0.2 beta
By: Peter Robinson
Relevant URL: http://www.securegateway.org
Platforms: Linux, Windows 2000, Windows 95/98, Windows CE, Windows NT,
Windows XP
Summary:
The Centron IPTables Firewall Gui is an object oriented, database
driven, Windows interface to Linux iptables firewall rules.
6. TinyCA v0.6.4
By: Stephan Martin
Relevant URL: http://tinyca.sm-zone.net/
Platforms: Linux, OpenNMS, POSIX
Summary:
TinyCA is a simple GUI written in Perl/Tk to manage a small
certification authority. It is based on OpenSSL and Perl modules from the OpenCA
project. TinyCA lets you manage x509 certificates. It is possible to
export data in PEM or DER format for use with servers, as PKCS#12 for use
with clients, or as S/MIME certificates for use with email programs. It
is also possible to import your own PKCS#10 requests and generate
certificates from them.
VII. SPONSOR INFORMATION
-----------------------
This issue sponsored by: SPI Dynamics
ALERT: How Hackers Use LDAP Injection to Steal Your Data and Bypass Authentication
It's as simple as placing additional LDAP query commands into a Web form
input box giving hackers complete access to all your backend systems!
Firewalls and IDS will not stop such attacks because LDAP Injections are
seen as valid data.
Download this *FREE* white paper from SPI Dynamics for a complete guide to
protection!
http://www.securityfocus.com/sponsor/SPIDynamics_linux-secnews_040810
------------------------------------------------------------------------