Date: 23 Nov 2004 18:24:23 -0000
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #211
SecurityFocus Linux Newsletter #211
------------------------------------
This Issue is Sponsored By: Symantec
Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!
http://www.securityfocus.com/sponsor/Symantec_linux-secnews_041123
------------------------------------------------------------------------
I. FRONT AND CENTER
1. Detecting Rootkits And Kernel-level Compromises In Linux
2. Bill Gates Is Right?
3. SSH and ssh-agent
II. LINUX VULNERABILITY SUMMARY
1. Samba QFILEPATHINFO Unicode Filename Remote Buffer Overflow ...
2. Fcron FCronTab/FCronSighUp Multiple Local Vulnerabilities
3. MiniBB Remote SQL Injection Vulnerability
4. LibXPM Multiple Unspecified Vulnerabilities
5. Linux Kernel SMBFS Multiple Remote Vulnerabilities
6. Cscope Insecure Temporary File Creation Vulnerabilities
7. Gentoo GIMPS EBuild Insecure Default Permissions Vulnerabili...
8. Gentoo SETI@home EBuild Insecure Default Permissions Vulnera...
9. Gentoo ChessBrain EBuild Insecure Default Permissions Vulner...
10. PHPBB Admin_cash.PHP Remote PHP File Include Vulnerability
11. Invision Power Board Index.PHP Post Action SQL Injection Vul...
12. Danware NetOp Remote Control Information Disclosure Vulnerab...
13. Opera Web Browser Java Implementation Multiple Remote Vulner...
14. Linux Kernel AF_UNIX Arbitrary Kernel Memory Modification Vu...
III. LINUX FOCUS LIST SUMMARY
1. locking idle text consoles (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. CoreGuard Core Security System
2. EnCase Forensic Edition
3. KeyGhost SX
4. SafeKit
5. Astaro Linux Firewall
6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
1. AutoScan b0.92 R6
2. ksb26-2.6.9 Kernel Socks Bouncer for 2.6.x kernels 2.6.9
3. rootsh 0.2
4. Maillog View v1.03.3
5. BullDog Firewall 20040918
6. PIKT - Problem Informant/Killer Tool v1.17.0
VII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Detecting Rootkits And Kernel-level Compromises In Linux
By Mariusz Burdach
This article outlines useful ways of detecting hidden modifications to a
Linux kernel. Often known as rootkits, these stealthy types of malware are
installed in the kernel and require special techniques by incident
handlers and Linux system administrators to be detected.
http://www.securityfocus.com/infocus/1811
2. Bill Gates Is Right?
By Scott Granneman
Bill Gates is right about one thing: asking people to use a two-factor
form of authentication would go a long way toward alleviating a lot of the
password problems that plague computer security today.
http://www.securityfocus.com/columnists/277
3. SSH and ssh-agent
By Brian Hatch
This article discusses how to take SSH Identity/Pubkey trust relationships
to the next level, by using ssh-agent as a keymaster to manage a user's
authentication needs automatically.
http://www.securityfocus.com/infocus/1812
II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Samba QFILEPATHINFO Unicode Filename Remote Buffer Overflow ...
BugTraq ID: 11678
Remote: Yes
Date Published: Nov 15 2004
Relevant URL: http://www.securityfocus.com/bid/11678
Summary:
Samba is reported prone to a remote buffer overflow vulnerability.
This issue presents itself because the application does not perform proper
boundary checks before copying user-supplied data into finite sized
process buffers. This issue can allow an attacker to execute arbitrary
code on a vulnerable computer to gain unauthorized access.
This vulnerability is reported to affect Samba versions 3.0.0 to 3.0.7.
2. Fcron FCronTab/FCronSighUp Multiple Local Vulnerabilities
BugTraq ID: 11684
Remote: No
Date Published: Nov 15 2004
Relevant URL: http://www.securityfocus.com/bid/11684
Summary:
Fcron is reported prone to multiple local vulnerabilities. The
following issues are reported:
A local information disclosure vulnerability is reported to affect
fcronsighup. It is reported that the affected utility will attempt to parse
configuration files that are passed to the utility as a command line
argument.
A local attacker may exploit this condition to reveal the contents of
arbitrary files that are owned by the superuser. This vulnerability is
assigned the following MITRE CVE identifier: CAN-2004-1030.
An access control bypass vulnerability is also reported to affect
fcronsighup. It is reported that the issue exists due to a design error.
A local attacker may exploit this vulnerability to make configuration
changes to fcronsighup. This vulnerability is assigned the following
MITRE CVE identifier: CAN-2004-1031.
fcronsighup is reported prone to an arbitrary file deletion
vulnerability. By exploiting the aforementioned access control bypass
vulnerability, a local attacker may influence the fcronsighup configuration and may
cause the application to overwrite arbitrary attacker specified files.
This vulnerability is assigned the following MITRE CVE identifier:
CAN-2004-1032.
Finally, it is reported that the fcrontab component of Fcron leaks file
descriptors, which can result in sensitive information disclosure.
Specifically, fcrontab leaks the file descriptors of the '/etc/fcron.allow'
and '/etc/fcron.deny' files. This vulnerability is assigned the
following MITRE CVE identifier: CAN-2004-1033.
3. MiniBB Remote SQL Injection Vulnerability
BugTraq ID: 11688
Remote: Yes
Date Published: Nov 16 2004
Relevant URL: http://www.securityfocus.com/bid/11688
Summary:
miniBB is reported vulnerable to remote SQL injection. This issue is
due to a failure of the application to properly validate user-supplied
input prior to including it in an SQL query.
miniBB versions prior to 1.7f are reported prone to this issue.
4. LibXPM Multiple Unspecified Vulnerabilities
BugTraq ID: 11694
Remote: Yes
Date Published: Nov 17 2004
Relevant URL: http://www.securityfocus.com/bid/11694
Summary:
libXpm is reported prone to multiple vulnerabilities. These issues may
be triggered when handling malformed XPM images. The following issues
are reported:
Integer overflow vulnerabilities, out-of-bounds memory access
vulnerabilities, a shell command execution vulnerability, a path traversal
vulnerability, and endless loop vulnerabilities.
The details of each of these issues are not specified at the time of
writing. This BID will be updated as further details regarding these
vulnerabilities become available.
5. Linux Kernel SMBFS Multiple Remote Vulnerabilities
BugTraq ID: 11695
Remote: Yes
Date Published: Nov 17 2004
Relevant URL: http://www.securityfocus.com/bid/11695
Summary:
The Linux kernel is reported susceptible to multiple remote
vulnerabilities in the SMBFS network file system.
These vulnerabilities may lead to the execution of attacker-supplied
machine code, information disclosure of kernel memory, or kernel crashes,
denying service to legitimate users.
Kernel versions in both the 2.4 and 2.6 series are reported susceptible
to various of these issues.
6. Cscope Insecure Temporary File Creation Vulnerabilities
BugTraq ID: 11697
Remote: No
Date Published: Nov 17 2004
Relevant URL: http://www.securityfocus.com/bid/11697
Summary:
Cscope is reportedly affected by insecure temporary file creation
vulnerabilities. These issues are due to a design error that causes the
application to fail to verify the existence of a file before writing to it.
It is reported that during execution the affected utility creates
temporary files in the system's temporary directory, '/tmp', with
predictable names. This allows attackers to create malicious symbolic links that
will be written to by the vulnerable utility when an unsuspecting user
executes it.
An attacker may leverage these issues to overwrite arbitrary files with
the privileges of an unsuspecting user that activates the vulnerable
application.
Versions up to and including version 15.5 are reported vulnerable.
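The predictable-name problem described above, as an added example that is not Cscope's own code: a pre-planted symlink is simulated inside a private mkdtemp() directory (all paths and the 'cscope.out' name are constructed for the demo) to show why a fixed name opened without O_EXCL is unsafe, and why mkstemp() or O_CREAT|O_EXCL|O_NOFOLLOW is the fix.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Precondition from the BID, rebuilt inside a private mkdtemp() directory
 * (constructed paths): a link with a guessable name points at a victim file. */
static int plant_symlink(char *dir, char *link, char *target, size_t n)
{
    strcpy(dir, "/tmp/tmpfile-demo-XXXXXX");
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, n, "%s/victim-file", dir);
    snprintf(link, n, "%s/cscope.out", dir);          /* predictable name */
    return symlink(target, link);                       /* dangling on purpose */
}

/* Vulnerable pattern: fixed name, no O_EXCL. open() follows the planted link,
 * so the "temporary" data is written into the victim file instead. */
static ssize_t write_predictable(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd); return n;
}

/* Fix 1: O_EXCL|O_NOFOLLOW refuses any pre-existing path, links included. */
static int excl_open_refused(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0) { close(fd); return 0; }
    return errno == EEXIST || errno == ELOOP;
}

/* Fix 2: mkstemp() picks an unpredictable name and creates it atomically with
 * O_CREAT|O_EXCL; fstat() the descriptor you got, never the name, to confirm. */
static int mkstemp_is_safe(const char *dir)
{
    char tmpl[256]; struct stat st;
    snprintf(tmpl, sizeof tmpl, "%s/cscope.XXXXXX", dir);
    int fd = mkstemp(tmpl);
    if (fd < 0) return 0;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600;
    close(fd); unlink(tmpl);
    return ok;
}

/* Whole scenario: 1 only if the vulnerable write reached the victim file and both fixes refused the link. */
static int run_scenario(void)
{
    char dir[64], link[256], target[256], buf[32] = {0};
    if (plant_symlink(dir, link, target, sizeof link) != 0) return -1;
    write_predictable(link, "clobbered");               /* the victim's write */
    int fd = open(target, O_RDONLY);                    /* did it land here? */
    int followed = fd >= 0 && read(fd, buf, sizeof buf - 1) == 9 && !strcmp(buf, "clobbered");
    if (fd >= 0) close(fd);
    int refused = excl_open_refused(link), safe = mkstemp_is_safe(dir);
    unlink(link); unlink(target); rmdir(dir);
    return followed && refused && safe;
}
```

run_scenario() returns 1 on a stock Linux box, confirming that the O_TRUNC write followed the link while both hardened forms did not.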
7. Gentoo GIMPS EBuild Insecure Default Permissions Vulnerabili...
BugTraq ID: 11698
Remote: No
Date Published: Nov 17 2004
Relevant URL: http://www.securityfocus.com/bid/11698
Summary:
The Gentoo GIMPS eBuild package is reported prone to a weak default
permissions vulnerability.
A local attacker may exploit this vulnerability to escalate privileges.
8. Gentoo SETI@home EBuild Insecure Default Permissions Vulnera...
BugTraq ID: 11699
Remote: No
Date Published: Nov 17 2004
Relevant URL: http://www.securityfocus.com/bid/11699
Summary:
The Gentoo SETI@home eBuild package is reported prone to a weak default
permissions vulnerability.
A local attacker may exploit this vulnerability to escalate privileges.
9. Gentoo ChessBrain EBuild Insecure Default Permissions Vulner...
BugTraq ID: 11700
Remote: No
Date Published: Nov 17 2004
Relevant URL: http://www.securityfocus.com/bid/11700
Summary:
The Gentoo ChessBrain eBuild package is reported prone to a weak
default permissions vulnerability.
A local attacker may exploit this vulnerability to escalate privileges.
10. PHPBB Admin_cash.PHP Remote PHP File Include Vulnerability
BugTraq ID: 11701
Remote: Yes
Date Published: Nov 17 2004
Relevant URL: http://www.securityfocus.com/bid/11701
Summary:
A vulnerability is reported to exist in the phpBB Cash_Mod module that
may allow an attacker to include malicious PHP files containing
arbitrary code to be executed on a vulnerable system.
Remote attackers could potentially exploit this issue via a vulnerable
variable to include a remote malicious PHP script, which will be
executed in the context of the web server hosting the vulnerable software.
11. Invision Power Board Index.PHP Post Action SQL Injection Vul...
BugTraq ID: 11703
Remote: Yes
Date Published: Nov 18 2004
Relevant URL: http://www.securityfocus.com/bid/11703
Summary:
A remote SQL injection vulnerability affects Invision Power Board.
This issue is due to a failure of the application to properly validate
user-supplied input prior to using it in an SQL query.
An attacker may leverage this issue to manipulate SQL query strings and
potentially carry out arbitrary database queries. This may facilitate
the disclosure or corruption of sensitive database information.
12. Danware NetOp Remote Control Information Disclosure Vulnerab...
BugTraq ID: 11710
Remote: Yes
Date Published: Nov 19 2004
Relevant URL: http://www.securityfocus.com/bid/11710
Summary:
It is reported that NetOp Remote Control is susceptible to an
information disclosure vulnerability.
This vulnerability reportedly allows remote attackers to discern the
name of the user that is logged in and the internal IP address and
hostname of the targeted computer. This information may aid malicious users
in further attacks.
Versions prior to 7.65 build 2004278 are reported vulnerable to this
issue.
13. Opera Web Browser Java Implementation Multiple Remote Vulner...
BugTraq ID: 11712
Remote: Yes
Date Published: Nov 19 2004
Relevant URL: http://www.securityfocus.com/bid/11712
Summary:
Multiple remote vulnerabilities reportedly affect the Opera Web Browser
Java implementation. These issues are due to the insecure proprietary
design of the Web browser's Java implementation.
These issues may allow an attacker to craft a Java applet that violates
Sun's Java secure programming guidelines.
These issues may be leveraged to carry out a variety of unspecified
attacks including sensitive information disclosure and denial of service
attacks. Any successful exploitation would take place with the
privileges of the user running the affected browser application.
Although only version 7.54 is reportedly vulnerable, it is likely that
earlier versions are vulnerable to these issues as well.
14. Linux Kernel AF_UNIX Arbitrary Kernel Memory Modification Vu...
BugTraq ID: 11715
Remote: No
Date Published: Nov 19 2004
Relevant URL: http://www.securityfocus.com/bid/11715
Summary:
It is reported that a serialization error exists in the AF_UNIX address
family that creates a race condition. This race condition reportedly
allows local users to repeatedly increment arbitrary kernel memory
locations.
This vulnerability allows local users to modify arbitrary kernel
memory, facilitating privilege escalation, or possibly allowing code
execution in the context of the kernel.
Versions prior to 2.4.28 are reportedly affected by this vulnerability.
III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. locking idle text consoles (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/381905
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary:
CoreGuard System profile
The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates all
the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.
CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets
* Protect data at rest from unauthorized viewing by external attackers
and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
administration
* Ensure host & application integrity
* Block malicious code, including zero-day exploits
2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS,
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:
EnCase Forensic Edition Version 4 delivers the most advanced features
for computer forensics and investigations. With an intuitive GUI and
superior performance, EnCase Version 4 provides investigators with the
tools to conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award winning solution yields
completely non-invasive computer forensic investigations while allowing
examiners to easily manage large volumes of computer evidence and view all
relevant files, including "deleted" files, file slack and unallocated
space.
The integrated functionality of EnCase allows the examiner to perform
all functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.
3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000,
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:
KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity within
an accounting or specialist system. It is completely undetectable by
software scanners and provides you with one of the most powerful stealth
surveillance applications offered anywhere.
Because KeyGhost uses STRONG 128-Bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data stored
within the device.
4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:
Evidian's SafeKit technology makes it possible to render any
application available 24 hours per day. With no extra hardware: just use your
existing servers and install this software-only solution.
This provides ultimate scalability. As your needs grow, all you need to
do is add more standard servers into the cluster. With the load
balancing features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to
serve your users.
5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary:
Astaro Linux Firewall: All-in-one firewall, virus protection, content
filtering and spam protection internet security software package for
Linux.
Free download for home users.
6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris,
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary:
Low cost, easy to use two-factor authentication one-time password token
using a cellular phone. Does not use SMS or other communication, and
manages multiple OTP accounts - new technology. For any business that
wants safer access to its Internet services. More information at our site.
We also provide an eAuthentication service for businesses that will not
buy an authentication product but would prefer to pay a monthly charge
for authentication services from our CAT Server.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. AutoScan b0.92 R6
By: Lagarde Thierry
Relevant URL: http://autoscan.free.fr/
Platforms: Linux
Summary:
AutoScan is an application designed to explore and to manage your
network. Entire subnets can be scanned simultaneously without human
intervention. It features OS detection, automatic network discovery, a port
scanner, a Samba share browser, and the ability to save the network state.
2. ksb26-2.6.9 Kernel Socks Bouncer for 2.6.x kernels 2.6.9
By: Paolo Ardoino
Relevant URL: http://ardoino.altervista.org/kernel.php
Platforms: Linux
Summary:
KSB26 [Kernel Socks Bouncer] is a Linux Kernel 2.6.x patch that redirects
full TCP connections [SSH, telnet, ...] through socks5. KSB26 uses a
character device to pass socks5 and target IPs to the Linux kernel. I have
chosen to write it in kernel space to enjoy myself [I know that there are
easier and safer ways to write this in userspace].
3. rootsh 0.2
By: Gerhard Lausser
Relevant URL: http://sourceforge.net/projects/rootsh/
Platforms: AIX, HP-UX, Linux, POSIX, SINIX, Solaris, UNIX
Summary:
Rootsh is a wrapper for shells which logs all echoed keystrokes and
terminal output to a file and/or to syslog. Its main purpose is the
auditing of users who need a shell with root privileges. They start rootsh
through the sudo mechanism. It's in heavy use here at a big Bavarian car
manufacturer (three letters, fast, cool,...) for project users whom you
can't deny root privileges.
4. Maillog View v1.03.3
By: Angelo 'Archie' Amoruso
Relevant URL: http://www.netorbit.it/modules.html
Platforms: Linux
Summary:
Maillog View is a Webmin module that allows you to easily view all your
/var/log/maillog.* files. It features autorefresh, message size
indication, ascending/descending view order, compressed file support, and a
full statistics page. Sendmail, Postfix, Exim, and Qmail (partially) are
supported. Courier MTA support is experimental.
5. BullDog Firewall 20040918
By: Robert APM Darin
Relevant URL: http://tanaya.net/BullDog
Platforms: Linux
Summary:
Bulldog is a powerful but lightweight firewall for heavy use systems.
With many features, this firewall can be used by anyone who wants to
protect his/her systems.
This system allows dynamic and static rule sets for maximum protection
and has several advanced features.
This firewall will work for the hobbyist or a military base. Generation
7 is a complete rewrite and redesign from scratch.
Be prepared to spend some time setting this up.
6. PIKT - Problem Informant/Killer Tool v1.17.0
By: Robert Osterlund, robert.osterlund@gsb.uchicago.edu
Relevant URL: http://pikt.org
Platforms: AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS
Summary:
PIKT is a cross-categorical, multi-purpose toolkit to monitor and
configure computer systems, organize system security, format documents,
assist command-line work, and perform other common systems administration
tasks.
PIKT's primary purpose is to report and fix problems, but its
flexibility and extendibility evoke many other uses limited only by your
imagination.
VII. SPONSOR INFORMATION
-----------------------