Date: 7 Dec 2004 21:50:13 -0000
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #213
SecurityFocus Linux Newsletter #213
------------------------------------
Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!
http://www.securityfocus.com/sponsor/Symantec_sf-news_041130
------------------------------------------------------------------------
I. FRONT AND CENTER
1. Detecting Complex Viruses
2. Lycos Goes Straight
3. Closed Source Hardware
II. LINUX VULNERABILITY SUMMARY
1. File ELF Header Unspecified Buffer Overflow Vulnerability
2. 21-6 Productions Orbz Remote Buffer Overflow Vulnerability
3. EnergyMech IRC Bot Unspecified Buffer Overflow Vulnerability
4. FreeImage Interleaved Bitmap Image Buffer Overflow Vulnerabi...
5. IPCop Web Administration Interface Proxy Log HTML Injection ...
6. OpenSSH-portable PAM Authentication Remote Information Discl...
7. SuSE Linux Enterprise Server NFS Unspecified Denial Of Servi...
8. SuSE Linux Kernel Unauthorized SCSI Command Vulnerability
9. Linux NFS RPC.STATD Remote Denial Of Service Vulnerability
10. ACPID Proxy Unspecified Local Denial Of Service Vulnerabilit...
11. FreeBSD Linux ProcFS Local Kernel Denial Of Service And Info...
12. S9Y Serendipity Remote Cross-Site Scripting Vulnerability
13. SCPOnly Remote Arbitrary Command Execution Vulnerability
14. RSSH Remote Arbitrary Command Execution Vulnerability
15. Cisco CNS Network Registrar DNS and DHCP Server Remote Denia...
16. Linux Kernel Unspecified Local TSS Vulnerability For AMD64 A...
17. PHProjekt Unspecified Authentication Bypass Vulnerability
18. Sandino Flores Moreno Gaim Festival Plug-in Remote Denial Of...
III. LINUX FOCUS LIST SUMMARY
1. LIDS 1.2.2 for Linux kernel 2.4.28 released (Thread)
2. which distribution to choose (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. CoreGuard Core Security System
2. EnCase Forensic Edition
3. KeyGhost SX
4. SafeKit
5. Astaro Linux Firewall
6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
1. PatchLink Update 6.01.78
2. AutoScan b0.92 R6
3. ksb26-2.6.9 Kernel Socks Bouncer for 2.6.x kernels 2.6.9
4. rootsh 0.2
5. Maillog View v1.03.3
6. BullDog Firewall 20040918
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Detecting Complex Viruses
By Peter Ferrie and Frederic Perriot
The purpose of this paper is to examine the difficulties of detecting
complex viruses, including polymorphic, metamorphic and entry-point
obscuring viruses. Whether or not an anti-virus (AV) technology can detect
these viruses can be a useful metric to consider when evaluating AV
products.
http://www.securityfocus.com/infocus/1813
2. Lycos Goes Straight
By Mark Rasch
After a week of well-deserved criticism, Lycos is abandoning its scheme to
launch denial-of-service attacks against spammy websites. Did the company
reform in time to avoid criminal prosecution?
http://www.securityfocus.com/columnists/282
3. Closed Source Hardware
By Jason Miller
Trust with hardware vendors for open source systems is becoming a one-way
street, where in exchange for support they offer a closed source binary
solution with no provision to audit security.
http://www.securityfocus.com/columnists/281
II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. File ELF Header Unspecified Buffer Overflow Vulnerability
BugTraq ID: 11771
Remote: Yes
Date Published: Nov 29 2004
Relevant URL: http://www.securityfocus.com/bid/11771
Summary:
The file command is affected by a buffer overflow vulnerability. This
issue is due to a failure of the application to properly validate
string lengths in the affected file prior to copying them into static
process buffers.
An attacker may leverage this issue to execute arbitrary code with the
privileges of a user that processes the malicious file with the
affected utility. This may be leveraged to escalate privileges or to gain
unauthorized access.
2. 21-6 Productions Orbz Remote Buffer Overflow Vulnerability
BugTraq ID: 11774
Remote: Yes
Date Published: Nov 29 2004
Relevant URL: http://www.securityfocus.com/bid/11774
Summary:
A remote buffer overflow vulnerability has been reported in 21-6
Productions Orbz. This issue is due to a failure of the application to
properly validate the length of user-supplied strings prior to copying them
into finite process buffers.
An attacker may exploit this issue to execute arbitrary code with the
privileges of the user that activated the vulnerable application. This
may facilitate unauthorized access or privilege escalation.
3. EnergyMech IRC Bot Unspecified Buffer Overflow Vulnerability
BugTraq ID: 11777
Remote: Unknown
Date Published: Nov 30 2004
Relevant URL: http://www.securityfocus.com/bid/11777
Summary:
An unspecified buffer overflow vulnerability affects EnergyMech. This
issue is due to a failure of the application to properly validate the
length of user-supplied strings prior to copying them into finite process
buffers.
Although the impact of this issue is currently unknown, it is likely
that an attacker may exploit this issue to execute arbitrary code with
the privileges of the user that activated the vulnerable application.
This may facilitate unauthorized access or privilege escalation.
4. FreeImage Interleaved Bitmap Image Buffer Overflow Vulnerabi...
BugTraq ID: 11778
Remote: Yes
Date Published: Nov 26 2004
Relevant URL: http://www.securityfocus.com/bid/11778
Summary:
A buffer overflow vulnerability exists in FreeImage. This issue is due
to a boundary condition error that is presented when the library
handles malformed Interleaved Bitmap (ILBM) images.
This issue could potentially be exploited to execute arbitrary code in
the context of an application that uses the library.
5. IPCop Web Administration Interface Proxy Log HTML Injection ...
BugTraq ID: 11779
Remote: Yes
Date Published: Nov 30 2004
Relevant URL: http://www.securityfocus.com/bid/11779
Summary:
IPCop is reported susceptible to an HTML injection vulnerability in its
proxy log viewer. This issue is due to a failure of the application to
properly sanitize user-supplied input prior to including it in
dynamically generated web pages.
This vulnerability allows remote, attacker-supplied malicious HTML or
script code to be displayed to administrative users. This code would be
executed in the context of the affected Web application. It is
conjectured that it may be possible for attackers to cause administrative
actions to be executed on their behalf when an administrator views the Squid
logs. Theft of cookie-based authentication credentials and other
attacks are also likely.
Version 1.4.1 of IPCop is reportedly vulnerable. Other versions may
also be affected.
6. OpenSSH-portable PAM Authentication Remote Information Discl...
BugTraq ID: 11781
Remote: Yes
Date Published: Nov 30 2004
Relevant URL: http://www.securityfocus.com/bid/11781
Summary:
It is reported that OpenSSH contains an information disclosure
vulnerability. This issue exists in the portable version of OpenSSH. The
portable version is the version that is distributed for operating systems
other than its native OpenBSD platform.
This issue is related to BID 7467. It is reported that the previous fix
for BID 7476 was insufficient to completely fix the issue. It is not
confirmed at this time, but this current issue may involve differing code
paths in PAM, resulting in a new vulnerability.
This vulnerability allows remote users to test for the existence of
valid usernames. Knowledge of usernames may aid them in further attacks.
7. SuSE Linux Enterprise Server NFS Unspecified Denial Of Servi...
BugTraq ID: 11783
Remote: Yes
Date Published: Dec 01 2004
Relevant URL: http://www.securityfocus.com/bid/11783
Summary:
A remote denial of service and storage corruption vulnerability affects
SuSE Linux Enterprise Server. The underlying nature of this issue is
currently unknown; this BID will be updated as further details are
released.
An attacker may leverage this issue to cause the affected server to
crash, denying service to legitimate users. It has also been reported
that this issue may be exploited to corrupt data stored on disk.
8. SuSE Linux Kernel Unauthorized SCSI Command Vulnerability
BugTraq ID: 11784
Remote: No
Date Published: Dec 01 2004
Relevant URL: http://www.securityfocus.com/bid/11784
Summary:
SuSE Linux is reported susceptible to an unauthorized SCSI command
vulnerability.
Malicious users may be able to send commands to SCSI devices that
result in the overwriting of their firmware. This potentially results in the
failure of the targeted device to further operate. This may result in
the permanent, unrecoverable destruction of SCSI devices, requiring that
they be sent to the vendor for service or replacement.
SuSE Linux 9.1, and SuSE Linux Enterprise Server 9 are reported to be
vulnerable to this issue. Other versions, and other distributions of
Linux are also potentially affected.
9. Linux NFS RPC.STATD Remote Denial Of Service Vulnerability
BugTraq ID: 11785
Remote: Yes
Date Published: Dec 01 2004
Relevant URL: http://www.securityfocus.com/bid/11785
Summary:
It is reported that rpc.statd is vulnerable to a remote denial of
service vulnerability.
This vulnerability allows remote attackers to crash the affected
application. This may result in the failure to cleanup NFS network locks,
possibly resulting in denied access to files, as they may be considered
permanently locked.
Version 1.0.6 of nfs-utils is reported vulnerable to this issue. Other
versions may also be affected.
10. ACPID Proxy Unspecified Local Denial Of Service Vulnerabilit...
BugTraq ID: 11786
Remote: No
Date Published: Dec 01 2004
Relevant URL: http://www.securityfocus.com/bid/11786
Summary:
An unspecified local denial of service vulnerability affects
acpid_proxy. The underlying issue causing this vulnerability is currently
unknown; this BID will be updated as more details are released.
A local attacker may leverage this issue to cause the affected computer
to crash, denying service to legitimate users.
11. FreeBSD Linux ProcFS Local Kernel Denial Of Service And Info...
BugTraq ID: 11789
Remote: No
Date Published: Dec 02 2004
Relevant URL: http://www.securityfocus.com/bid/11789
Summary:
A local denial of service and information disclosure vulnerability
affects the procfs and linprocfs implementation on FreeBSD. This issue is
due to a design error that causes the mismanagement of memory
references.
An attacker may leverage this issue to cause a kernel panic on an
affected computer, denying service to legitimate users. It is also possible
to leverage this issue to disclose kernel memory, potentially
facilitating access to sensitive information in kernel buffers.
12. S9Y Serendipity Remote Cross-Site Scripting Vulnerability
BugTraq ID: 11790
Remote: Yes
Date Published: Dec 02 2004
Relevant URL: http://www.securityfocus.com/bid/11790
Summary:
A cross-site scripting vulnerability affects S9Y Serendipity. This
issue is due to a failure of the application to properly sanitize
user-supplied input prior to including it in dynamically generated Web content.
An attacker may leverage this issue to have arbitrary HTML and script
code rendered and executed in the browser of an unsuspecting user. This
may facilitate theft of cookie-based authentication credentials as well
as other attacks.
13. SCPOnly Remote Arbitrary Command Execution Vulnerability
BugTraq ID: 11791
Remote: Yes
Date Published: Dec 02 2004
Relevant URL: http://www.securityfocus.com/bid/11791
Summary:
scponly is reported prone to a remote arbitrary command execution
vulnerability. This issue may allow a remote attacker to execute commands
and scripts on a vulnerable computer and eventually allow an attacker to
gain elevated privileges on a vulnerable computer.
Versions prior to 4.0 are reported susceptible to this issue.
14. RSSH Remote Arbitrary Command Execution Vulnerability
BugTraq ID: 11792
Remote: Yes
Date Published: Dec 02 2004
Relevant URL: http://www.securityfocus.com/bid/11792
Summary:
rssh is reported prone to a remote arbitrary command execution
vulnerability. This issue may allow a remote attacker to execute commands and
scripts on a vulnerable computer and eventually allow an attacker to
gain elevated privileges on a vulnerable computer.
All versions of rssh are considered vulnerable at the moment.
15. Cisco CNS Network Registrar DNS and DHCP Server Remote Denia...
BugTraq ID: 11793
Remote: Yes
Date Published: Dec 02 2004
Relevant URL: http://www.securityfocus.com/bid/11793
Summary:
Cisco CNS Network Registrar is a DNS/DHCP server offered by Cisco. It
is available for Microsoft Windows, UNIX, and Linux platforms.
Cisco CNS Network Registrar is reported prone to multiple remote denial
of service vulnerabilities. These issues affect the Domain Name
Service and Dynamic Host Configuration Protocol server components of the CNS
Network Registrar. It is reported that an attacker may cause a crash
by sending a specially crafted packet sequence to an affected server.
These vulnerabilities only affect Cisco CNS Network Registrar for the
Microsoft Windows platform. The first issue affects CNS Network
Registrar versions 6.0 up to and including 6.1.1.3, and the second issue
affects all versions including 6.1.1.3.
16. Linux Kernel Unspecified Local TSS Vulnerability For AMD64 A...
BugTraq ID: 11794
Remote: No
Date Published: Dec 02 2004
Relevant URL: http://www.securityfocus.com/bid/11794
Summary:
The Linux kernel is reported prone to an unspecified local TSS-related
(Task State Segment) vulnerability. This vulnerability reportedly only
affects the AMD64 and EM64T CPU architectures.
This vulnerability reportedly allows local attackers to crash the
kernel, or possibly gain elevated privileges.
It is reported that Linux kernels prior to version 2.4.23 are
susceptible to this vulnerability.
17. PHProjekt Unspecified Authentication Bypass Vulnerability
BugTraq ID: 11797
Remote: Yes
Date Published: Dec 02 2004
Relevant URL: http://www.securityfocus.com/bid/11797
Summary:
PHProjekt is reported prone to an unspecified authentication bypass
vulnerability. Reports indicate that the vulnerability is present in the
'setup.php' source file and may be exploited by a remote attacker to
gain access to the 'setup.php' file without requiring authentication.
18. Sandino Flores Moreno Gaim Festival Plug-in Remote Denial Of...
BugTraq ID: 11805
Remote: Yes
Date Published: Dec 03 2004
Relevant URL: http://www.securityfocus.com/bid/11805
Summary:
The Gaim Festival Plug-in is reported prone to a remote denial of
service vulnerability. Reports indicate that the plug-in does not handle
certain characters correctly and will crash if these characters are parsed
from an incoming message.
A remote attacker may exploit this condition to deny service to
legitimate users. Further attacks may also be possible.
III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. LIDS 1.2.2 for Linux kernel 2.4.28 released (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/383376
2. which distribution to choose (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/383368
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary:
CoreGuard System profile
The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates all
the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.
CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets
* Protect data at rest from unauthorized viewing by external attackers
and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
administration
* Ensure host & application integrity
* Block malicious code, including zero-day exploits
2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS,
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:
EnCase Forensic Edition Version 4 delivers the most advanced features
for computer forensics and investigations. With an intuitive GUI and
superior performance, EnCase Version 4 provides investigators with the
tools to conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award winning solution yields
completely non-invasive computer forensic investigations while allowing
examiners to easily manage large volumes of computer evidence and view all
relevant files, including "deleted" files, file slack and unallocated
space.
The integrated functionality of EnCase allows the examiner to perform
all functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.
3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000,
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:
KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity within
an accounting or specialist system. It is completely undetectable by
software scanners and provides you with one of the most powerful stealth
surveillance applications offered anywhere.
Because KeyGhost uses STRONG 128-Bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data stored
within the device.
4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:
Evidian's SafeKit technology makes it possible to render any
application available 24 hours per day. With no extra hardware: just use your
existing servers and install this software-only solution.
This provides ultimate scalability. As your needs grow, all you need to
do is add more standard servers into the cluster. With the load
balancing features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to
serve your users.
5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary:
Astaro Linux Firewall: All-in-one firewall, virus protection, content
filtering and spam protection internet security software package for
Linux.
Free download for home users.
6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris,
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary:
Low cost, easy to use Two Factor Authentication One Time Password token
using the Cellular. Does not use SMS or communication, manages multiple
OTP accounts - new technology. For any business that wants safer
access to its Internet Services. More information at our site.
We also provide an eAuthentication service for businesses that will not
buy an Authentication product but would prefer to pay a monthly charge
for authentication services from our CAT Server.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. PatchLink Update 6.01.78
By: PatchLink Corporation
Relevant URL:
http://www.patchlink.com/products_services/plu_evaluationrequest.html
Platforms: AIX, DG-UX, Digital UNIX/Alpha, DOS, HP-UX, Java, Linux,
MacOS, Net, NetBSD, Netware, OpenVMS, PalmOS, POSIX, SecureBSD, SINIX,
Solaris, SunOS, True64 UN, True64 UNIX, Ultrix, UNICOS, UNIX, Unixware,
Windows 2000, Windows 95/98, Windows CE, Windows NT, Windows XP
Summary:
With PATCHLINK UPDATE, patch management is the secure, proactive, and
preventative process it should be. PATCHLINK UPDATE scans networks for
security holes and closes them with the click of a mouse, no matter the
operating system, the vendor applications, the mix, or the size of the
environment. From 5K nodes to 20+K nodes, PATCHLINK UPDATE works
quickly, accurately and safely to ensure desktops and servers are patched
correctly and completely the first time around.
2. AutoScan b0.92 R6
By: Lagarde Thierry
Relevant URL: http://autoscan.free.fr/
Platforms: Linux
Summary:
AutoScan is an application designed to explore and to manage your
network. Entire subnets can be scanned simultaneously without human
intervention. It features OS detection, automatic network discovery, a port
scanner, a Samba share browser, and the ability to save the network state.
3. ksb26-2.6.9 Kernel Socks Bouncer for 2.6.x kernels 2.6.9
By: Paolo Ardoino
Relevant URL: http://ardoino.altervista.org/kernel.php
Platforms: Linux
Summary:
KSB26 [Kernel Socks Bouncer] is a Linux Kernel 2.6.x patch that redirects
full tcp connections [SSH, telnet, ...] to follow through socks5. KSB26
uses a character device to pass socks5 and target ips to the Linux
Kernel. I have chosen to write in kernel space to enjoy myself [I know
that there are easier and safer ways to write this in userspace].
4. rootsh 0.2
By: Gerhard Lausser
Relevant URL: http://sourceforge.net/projects/rootsh/
Platforms: AIX, HP-UX, Linux, POSIX, SINIX, Solaris, UNIX
Summary:
Rootsh is a wrapper for shells which logs all echoed keystrokes and
terminal output to a file and/or to syslog. Its main purpose is the
auditing of users who need a shell with root privileges. They start rootsh
through the sudo mechanism. It's in heavy use here at a big Bavarian car
manufacturer (three letters, fast, cool,...) for project users whom you
can't deny root privileges.
5. Maillog View v1.03.3
By: Angelo 'Archie' Amoruso
Relevant URL: http://www.netorbit.it/modules.html
Platforms: Linux
Summary:
Maillog View is a Webmin module that allows you to easily view all your
/var/log/maillog.* files. It features autorefresh, message size
indication, ascending/descending view order, compressed file support, and a
full statistics page. Sendmail, Postfix, Exim, and Qmail (partially) are
supported. Courier MTA support is experimental.
6. BullDog Firewall 20040918
By: Robert APM Darin
Relevant URL: http://tanaya.net/BullDog
Platforms: Linux
Summary:
Bulldog is a powerful but lightweight firewall for heavy use systems.
With many features, this firewall can be used by anyone who wants to
protect his/her systems.
This system allows dynamic and static rule sets for maximum protection
and has several advanced features.
This firewall will work for the hobbyist or a military base. Generation
7 is a complete rewrite and redesign from scratch.
Be prepared to spend some time setting this up.
VII. SPONSOR INFORMATION
-----------------------
Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!
http://www.securityfocus.com/sponsor/Symantec_sf-news_041130
------------------------------------------------------------------------