Date: 11 Jan 2005 21:22:28 -0000
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #218
SecurityFocus Linux Newsletter #218
------------------------------------
This Issue is Sponsored By: SPI Dynamics
ALERT: ARE YOU VULNERABLE TO A 'SQL INJECTION' ATTACK? FREE Product Trial
Firewalls, IDS and Access Controls don't stop these attacks because hackers
using the web application layer are NOT seen as intruders. Test your web
application for over 4,100 vulnerabilities and attack methodologies with
our FREE WebInspect 15 day download trial!
http://www.securityfocus.com/sponsor/SPIDynamics_linux-secnews_050111
------------------------------------------------------------------------
Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!
http://www.securityfocus.com/sponsor/Symantec_sf-news_041130
------------------------------------------------------------------------
I. FRONT AND CENTER
1. Microsoft Anti-Spyware?
2. The Perils of Deep Packet Inspection
3. SSH Port Forwarding
II. LINUX VULNERABILITY SUMMARY
1. Bugzilla Internal Error Cross-Site Scripting Vulnerability
2. Linux Kernel SYSENTER Thread Information Pointer Local Infor...
3. Linux Kernel Local File Descriptor Passing Security Module B...
4. IBM DB2 XML Function Unauthorized File Creation and Disclosu...
5. LibTIFF TIFFDUMP Heap Corruption Integer Overflow Vulnerabil...
6. Noah Grey Greymatter Password Disclosure Vulnerability
7. Noah Grey Greymatter GM-CPLog.CGI HTML Injection Vulnerabili...
8. Exim Illegal IPv6 Address Buffer Overflow Vulnerability
9. Exim SPA Authentication Remote Buffer Overflow Vulnerability
10. Noah Grey Greymatter GM-Comments.CGI HTML Injection Vulnerab...
11. Linux kernel Uselib() Local Privilege Escalation Vulnerabili...
12. SugarCRM/SugarSales Remote File Include Vulnerability
13. Linux Kernel Multiple Local MOXA Serial Driver Buffer Overfl...
14. Linux Kernel Random Poolsize SysCTL Handler Integer Overflow...
15. Linux Kernel Local RLIMIT_MEMLOCK Bypass Denial Of Service V...
16. Linux Kernel SCSI IOCTL Integer Overflow Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. NMAP : Different interpretation of "filtered" ports ... (Thread)
2. ipv6, again (Thread)
3. CAN-2004-1137 (Thread)
4. firewall 1.4 (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. CoreGuard Core Security System
2. EnCase Forensic Edition
3. KeyGhost SX
4. SafeKit
5. Astaro Linux Firewall
6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
1. pasmal 1.5
2. PatchLink Update 6.01.78
3. AutoScan b0.92 R6
4. ksb26-2.6.9 Kernel Socks Bouncer for 2.6.x kernels 2.6.9
5. rootsh 0.2
6. Maillog View v1.03.3
VII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Microsoft Anti-Spyware?
By Kelly Martin
Microsoft has jumped into the anti-spyware market, but is this a new
approach to thwarting bugs, or are they gearing up to profit from a dubious
industry they helped create?
http://www.securityfocus.com/columnists/289
2. The Perils of Deep Packet Inspection
By Dr. Thomas Porter
This paper looks at the evolution of firewall technology towards Deep
Packet Inspection, and then discusses some of the security issues with this
evolving technology.
http://www.securityfocus.com/infocus/1817
3. SSH Port Forwarding
By Brian Hatch
In this article we look at SSH Port Forwarding in detail, as it is a very
useful but often misunderstood technology. SSH Port Forwarding can be used
for secure communications in a myriad of different ways.
http://www.securityfocus.com/infocus/1816
II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Bugzilla Internal Error Cross-Site Scripting Vulnerability
BugTraq ID: 12154
Remote: Yes
Date Published: Jan 04 2005
Relevant URL: http://www.securityfocus.com/bid/12154
Summary:
Bugzilla is prone to a cross-site scripting vulnerability. The issue
is exposed when the software renders internal errors that include
user-supplied input.
This issue may be exploited by enticing a user into following a link
that will cause hostile HTML and script code to be rendered in an
internal error page. Exploitation may allow for theft of cookie-based
authentication credentials or other attacks.
2. Linux Kernel SYSENTER Thread Information Pointer Local Infor...
BugTraq ID: 12167
Remote: No
Date Published: Jan 05 2005
Relevant URL: http://www.securityfocus.com/bid/12167
Summary:
The Linux kernel is reported susceptible to a local information
disclosure vulnerability.
This vulnerability may allow local attackers to gain access to
potentially sensitive information that may aid them in further attacks.
There is insufficient information at this time to elaborate further.
This BID will be updated as more information is disclosed.
This vulnerability is reported to exist in the Linux kernel in the 2.6
series, in versions prior to 2.6.10.
3. Linux Kernel Local File Descriptor Passing Security Module B...
BugTraq ID: 12168
Remote: No
Date Published: Jan 05 2005
Relevant URL: http://www.securityfocus.com/bid/12168
Summary:
It is reported that in certain cases, the Linux kernel fails to call the
defined security module (LSM) hooks in its SCM (socket control message)
code, which implements file descriptor passing over UNIX domain sockets.
This vulnerability may allow local attackers to bypass the expected
security measures when passing file descriptors. The exact results of this
vulnerability depend on the implementation of applications that utilize
file descriptor passing. It is conjectured that this may result in open
file descriptors being passed to processes that would not normally be
able to access them. This may lead to attackers gaining access to read
or modify files that would normally be denied to them.
This vulnerability is reported to exist in the Linux kernel in the 2.6
series, in versions prior to 2.6.10.
4. IBM DB2 XML Function Unauthorized File Creation and Disclosu...
BugTraq ID: 12170
Remote: Yes
Date Published: Jan 05 2005
Relevant URL: http://www.securityfocus.com/bid/12170
Summary:
IBM DB2 is reported prone to a vulnerability allowing attackers to
create and disclose arbitrary files on an affected computer. This issue
may allow an attacker to corrupt data, disclose sensitive information and
ultimately execute arbitrary code on a vulnerable computer.
It is reported that this issue can be exploited by employing XML
functions supplied with DB2 that allow users to create, overwrite, and
disclose arbitrary files with the permissions of the DB2 server.
The attacker must have a database connection to exploit this issue. A
successful attack can result in a complete compromise of the computer
or the database.
This issue appears to correspond to one of the unspecified
vulnerabilities announced in BID 11327.
5. LibTIFF TIFFDUMP Heap Corruption Integer Overflow Vulnerabil...
BugTraq ID: 12173
Remote: Yes
Date Published: Jan 05 2005
Relevant URL: http://www.securityfocus.com/bid/12173
Summary:
It has been reported that 'tiffdump' is affected by a heap corruption
vulnerability due to an integer overflow error that can be triggered
when malicious or malformed image files are processed. Theoretically, an
attacker can exploit this vulnerability to execute arbitrary code in
the context of the affected application when TIFF image data is
processed. Because image data is frequently external in origin, this
vulnerability is considered remotely exploitable.
6. Noah Grey Greymatter Password Disclosure Vulnerability
BugTraq ID: 12182
Remote: Yes
Date Published: Jan 06 2005
Relevant URL: http://www.securityfocus.com/bid/12182
Summary:
Noah Grey greymatter 3.1 is reportedly affected by a password
disclosure vulnerability. This issue is due to the application creating a
temporary file, which includes the username and plaintext password of a user
when greymatter rebuilds a 'main entry pages' section.
7. Noah Grey Greymatter GM-CPLog.CGI HTML Injection Vulnerabili...
BugTraq ID: 12184
Remote: Yes
Date Published: Jan 06 2005
Relevant URL: http://www.securityfocus.com/bid/12184
Summary:
Noah Grey Greymatter is reportedly affected by an HTML injection
vulnerability. This issue is due to the application failing to properly
sanitize user-supplied input during login.
The attacker-supplied HTML and script code would be able to access
properties of the site, potentially allowing for theft of cookie-based
authentication credentials. An attacker could also exploit this issue to
control how the site is rendered to the user.
8. Exim Illegal IPv6 Address Buffer Overflow Vulnerability
BugTraq ID: 12185
Remote: Unknown
Date Published: Jan 06 2005
Relevant URL: http://www.securityfocus.com/bid/12185
Summary:
Exim is reported susceptible to a buffer overflow vulnerability when
attempting to parse illegal IPv6 addresses. This issue is due to a
failure of the application to properly bounds check user-supplied input prior
to copying it to a fixed-size memory buffer.
The original reporter suggested that this vulnerability may be
exploited to gain elevated privileges via calling Exim with unspecified command
line arguments. Gaining elevated privileges would only be possible
where the Exim binary is installed with setuid privileges.
It is conjectured that code paths other than those pertaining to
command line processing may result in remotely exploitable buffer overflow
vulnerabilities, but this is not confirmed at the present time.
9. Exim SPA Authentication Remote Buffer Overflow Vulnerability
BugTraq ID: 12188
Remote: Yes
Date Published: Jan 06 2005
Relevant URL: http://www.securityfocus.com/bid/12188
Summary:
Exim is reported susceptible to a buffer overflow vulnerability when
attempting to authenticate remote users via SPA. This issue is due to a
failure of the application to properly bounds check user-supplied input
prior to copying it to a fixed-size memory buffer.
This vulnerability reportedly allows remote attackers to execute
arbitrary code in the context of the affected server application. This issue
is only exploitable if SPA authentication is configured to be used. SPA
authentication is not enabled by default.
10. Noah Grey Greymatter GM-Comments.CGI HTML Injection Vulnerab...
BugTraq ID: 12189
Remote: Yes
Date Published: Jan 06 2005
Relevant URL: http://www.securityfocus.com/bid/12189
Summary:
Greymatter is reportedly affected by an HTML injection vulnerability.
This issue is due to the application failing to properly sanitize
user-supplied input to 'gm-comments.cgi'.
The attacker-supplied HTML and script code would be able to access
properties of the site, potentially allowing for theft of cookie-based
authentication credentials. An attacker could also exploit this issue to
control how the site is rendered to the user; other attacks are also
possible.
11. Linux kernel Uselib() Local Privilege Escalation Vulnerabili...
BugTraq ID: 12190
Remote: No
Date Published: Jan 07 2005
Relevant URL: http://www.securityfocus.com/bid/12190
Summary:
The Linux kernel is reported prone to a local privilege escalation
vulnerability. This issue arises in the 'uselib()' system call handling of
the Linux binary format loaders as a result of a race condition. Successful
exploitation of this vulnerability can allow a local attacker to gain elevated
privileges on a vulnerable computer.
The ELF and a.out loaders are reportedly affected by this
vulnerability.
12. SugarCRM/SugarSales Remote File Include Vulnerability
BugTraq ID: 12191
Remote: Yes
Date Published: Jan 07 2005
Relevant URL: http://www.securityfocus.com/bid/12191
Summary:
SugarCRM and SugarSales are reported prone to a vulnerability that may
allow attackers to influence the include path for external files.
This vulnerability allows arbitrary script code to be executed in the
context of the web server hosting the affected software. In the case of
including local files, this may expose sensitive information. In the
case of including remote files, it is possible to include a malicious PHP
script from a remote source.
13. Linux Kernel Multiple Local MOXA Serial Driver Buffer Overfl...
BugTraq ID: 12195
Remote: No
Date Published: Jan 07 2005
Relevant URL: http://www.securityfocus.com/bid/12195
Summary:
The MOXA serial port driver in the Linux kernel is reported susceptible
to multiple buffer overflow vulnerabilities. These issues are due to a
failure of the driver to perform proper bounds checks prior to copying
user-supplied data to fixed-size memory buffers.
These vulnerabilities exist in the 'drivers/char/moxa.c' file.
The vulnerable functions perform a 'copy_from_user()' function call to
copy user-supplied, user-space data to a fixed-size, static kernel
memory buffer (moxaBuff) of 10240 bytes in length while utilizing the
user-supplied length argument as passed from 'MoxaDriverIoctl()'. This
reportedly results in improperly bounded operations, potentially resulting
in locally exploitable buffer overflows.
Linux kernels in the 2.2, 2.4 and 2.6 series are all reportedly
susceptible to these vulnerabilities.
14. Linux Kernel Random Poolsize SysCTL Handler Integer Overflow...
BugTraq ID: 12196
Remote: No
Date Published: Jan 07 2005
Relevant URL: http://www.securityfocus.com/bid/12196
Summary:
The Linux Kernel is reported prone to a local integer overflow
vulnerability. The issue occurs in the 'poolsize_strategy' function of the
'random.c' kernel driver.
The vulnerability exists due to a lack of sufficient sanitization
performed on integer values before these values are employed as the size
argument of a user-land to kernel memory copy operation.
This vulnerability may be leveraged to corrupt kernel memory and
ultimately execute arbitrary code with ring-0 privileges. Alternatively, the
issue may be exploited to trigger a kernel panic.
It is reported that the attacker must run with UID 0 to exploit this
issue, although the full set of superuser capabilities is reportedly not
required. This limits exploitability.
15. Linux Kernel Local RLIMIT_MEMLOCK Bypass Denial Of Service V...
BugTraq ID: 12197
Remote: No
Date Published: Jan 07 2005
Relevant URL: http://www.securityfocus.com/bid/12197
Summary:
The Linux kernel contains the capability to lock allocated memory. This
capability is used by certain applications to ensure that memory is not
swapped out of main memory and onto disk.
The Linux kernel is reported susceptible to a local denial of service
vulnerability when handling locked memory pages. This issue is due to a
failure of the kernel to properly enforce defined limits to the
'mlockall()' system call.
This vulnerability is reported to exist in versions 2.6.9 and 2.6.10 of
the Linux kernel.
16. Linux Kernel SCSI IOCTL Integer Overflow Vulnerability
BugTraq ID: 12198
Remote: No
Date Published: Jan 07 2005
Relevant URL: http://www.securityfocus.com/bid/12198
Summary:
The Linux Kernel is reported prone to a local integer overflow
vulnerability. The issue occurs in the 'sg_scsi_ioctl' function of the
'scsi_ioctl.c' kernel driver.
The vulnerability exists due to a lack of sufficient sanitization
performed on user-controlled integer values before these values are employed
as the size argument of a user-land to kernel memory copy operation.
This vulnerability may be leveraged to corrupt kernel memory and
ultimately execute arbitrary code with ring-0 privileges. Alternatively, the
issue may be exploited to trigger a kernel panic or to disclose
contents of kernel memory.
It is reported that a user must have access to the respective SCSI
devices in order to exploit this issue. This may hinder exploitability.
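Items 13, 14 and 16 describe one pattern: a length that the caller controls reaches a user-to-kernel copy without being checked against the destination buffer, either because there is no check at all (the 10240-byte 'moxaBuff') or because a signed comparison lets a negative value through, which then becomes an enormous size_t. Item 5 is the sibling case, a count times element size that wraps before an allocation. The following is an added, userspace-only illustration of those checks and their hardened forms; it is not code from the kernel, from libtiff or from the advisories. 'copy_from_user()' is replaced by a plain memcpy stand-in so the example runs anywhere, and the function names are this example's own.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the static kernel buffer named in the MOXA advisory (item 13). */
#define MOXA_BUF_SIZE 10240
static char moxaBuff[MOXA_BUF_SIZE];

/* Stand-in for copy_from_user(): a plain memcpy so the example runs in
 * userspace. In the kernel a bogus length would fault or silently overrun. */
static int fake_copy_from_user(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/* The weak check: a signed comparison only, as in the integer-overflow
 * pattern of items 14 and 16. A negative length passes this test. */
bool length_ok_signed(int len)
{
    return len <= MOXA_BUF_SIZE;
}

/* What the copy routine would actually be asked to move for that length:
 * the negative int converts to a size_t far larger than the buffer. */
size_t bytes_requested(int len)
{
    return (size_t)len;
}

/* Hardened check: reject negative values first, then compare against the
 * destination size in the unsigned domain. */
bool length_ok_hardened(long len)
{
    return len >= 0 && (unsigned long)len <= MOXA_BUF_SIZE;
}

/* Ioctl-style write path with the hardened check in front of the copy.
 * Returns the number of bytes copied, or a negative errno value. */
int moxa_write_hardened(const char *user_src, long user_len)
{
    if (!length_ok_hardened(user_len))
        return -EINVAL;
    if (fake_copy_from_user(moxaBuff, user_src, (size_t)user_len))
        return -EFAULT;
    return (int)user_len;
}

/* Overflow-safe count * element_size, the check an allocation such as the
 * one in item 5 needs before malloc(). Returns false if the product wraps. */
bool checked_mul(size_t count, size_t elem, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return false;
    *out = count * elem;
    return true;
}

int main(void)
{
    size_t total;

    printf("signed check accepts -1:    %d\n", length_ok_signed(-1));
    printf("bytes the copy would move:  %zu\n", bytes_requested(-1));
    printf("hardened check accepts -1:  %d\n", length_ok_hardened(-1));
    printf("write of 3 bytes:           %d\n", moxa_write_hardened("abc", 3));
    printf("write with length -1:       %d (-EINVAL is %d)\n",
           moxa_write_hardened("abc", -1), -EINVAL);
    printf("SIZE_MAX/2 * 4:             %s\n",
           checked_mul(SIZE_MAX / 2, 4, &total) ? "ok" : "overflow");
    return 0;
}
```

The two rules the block encodes are the ones a reviewer applies to any ioctl or sysctl handler and to any file parser: validate the length in the unsigned domain against the real destination size before the copy, and never compute an allocation size by multiplying untrusted counts without an overflow check. The same discipline covers the userland fixed-buffer copies in items 8 and 9.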
III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. NMAP : Different interpretation of "filtered" ports ... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/386668
2. ipv6, again (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/386225
3. CAN-2004-1137 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/386222
4. firewall 1.4 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/386064
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary:
CoreGuard System profile
The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates all
the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.
CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets
* Protect data at rest from unauthorized viewing by external attackers
and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
administration
* Ensure host & application integrity
* Block malicious code, including zero-day exploits
2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS,
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:
EnCase Forensic Edition Version 4 delivers the most advanced features
for computer forensics and investigations. With an intuitive GUI and
superior performance, EnCase Version 4 provides investigators with the
tools to conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award-winning solution yields
completely non-invasive computer forensic investigations while allowing
examiners to easily manage large volumes of computer evidence and view all
relevant files, including "deleted" files, file slack and unallocated
space.
The integrated functionality of EnCase allows the examiner to perform
all functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.
3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000,
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:
KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity within
an accounting or specialist system. It is completely undetectable by
software scanners and provides you with one of the most powerful stealth
surveillance applications offered anywhere.
Because KeyGhost uses STRONG 128-Bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data stored
within the device.
4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:
Evidian's SafeKit technology makes it possible to render any
application available 24 hours per day. With no extra hardware: just use your
existing servers and install this software-only solution.
This provides ultimate scalability. As your needs grow, all you need to
do is add more standard servers into the cluster. With the load
balancing features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to
serve your users.
5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary:
Astaro Linux Firewall: All-in-one firewall, virus protection, content
filtering and spam protection internet security software package for
Linux.
Free download for home users.
6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris,
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary:
Low cost, easy to use Two Factor Authentication One Time Password token
using the cellular phone. Does not use SMS or communication, manages multiple
OTP accounts - new technology. For any business that wants safer
access to its Internet Services. More information at our site.
We also provide an eAuthentication service for businesses that will not
buy an Authentication product but would prefer to pay a monthly charge
for authentication services from our CAT Server.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. pasmal 1.5
By: James Meehan
Relevant URL: http://www.elitelabs.org/
Platforms: Linux
Summary:
pasmal 1.5 is a port knocking authentication system using simple or
encrypted tcp/udp/icmp packets. pasmal can be used with
iptables/ipchains (firewall purposes) or any other program (remote shell, reboot,
etc). It is packaged with a php web admin, a command line client
pasmal.client, and start/stop rc.d scripts. pasmal 1.5 also features an
intrusion/attempt detection system due to its sniffer capabilities, running
with syslogd and custom log files.
2. PatchLink Update 6.01.78
By: PatchLink Corporation
Relevant URL:
http://www.patchlink.com/products_services/plu_evaluationrequest.html
Platforms: AIX, DG-UX, Digital UNIX/Alpha, DOS, HP-UX, Java, Linux,
MacOS, Net, NetBSD, Netware, OpenVMS, PalmOS, POSIX, SecureBSD, SINIX,
Solaris, SunOS, True64 UN, True64 UNIX, Ultrix, UNICOS, UNIX, Unixware,
Windows 2000, Windows 95/98, Windows CE, Windows NT, Windows XP
Summary:
With PATCHLINK UPDATE, patch management is the secure, proactive, and
preventative process it should be. PATCHLINK UPDATE scans networks for
security holes and closes them with the click of a mouse, no matter the
operating system, the vendor applications, the mix, or the size of the
environment. From 5K nodes to 20+K nodes, PATCHLINK UPDATE works
quickly, accurately and safely to ensure desktops and servers are patched
correctly and completely the first time around.
3. AutoScan b0.92 R6
By: Lagarde Thierry
Relevant URL: http://autoscan.free.fr/
Platforms: Linux
Summary:
AutoScan is an application designed to explore and to manage your
network. Entire subnets can be scanned simultaneously without human
intervention. It features OS detection, automatic network discovery, a port
scanner, a Samba share browser, and the ability to save the network state.
4. ksb26-2.6.9 Kernel Socks Bouncer for 2.6.x kernels 2.6.9
By: Paolo Ardoino
Relevant URL: http://ardoino.altervista.org/kernel.php
Platforms: Linux
Summary:
KSB26 [Kernel Socks Bouncer] is a Linux Kernel 2.6.x patch that redirects
full tcp connections [SSH, telnet, ...] to follow through socks5. KSB26
uses a character device to pass socks5 and target ips to the Linux
Kernel. I have chosen to write in kernel space to enjoy myself [I know
that there are easier and safer ways to write this in userspace].
5. rootsh 0.2
By: Gerhard Lausser
Relevant URL: http://sourceforge.net/projects/rootsh/
Platforms: AIX, HP-UX, Linux, POSIX, SINIX, Solaris, UNIX
Summary:
Rootsh is a wrapper for shells which logs all echoed keystrokes and
terminal output to a file and/or to syslog. Its main purpose is the
auditing of users who need a shell with root privileges. They start rootsh
through the sudo mechanism. It's in heavy use here at a big bavarian car
manufacturer (three letters, fast, cool,...) for project users whom you
can't deny root privileges.
6. Maillog View v1.03.3
By: Angelo 'Archie' Amoruso
Relevant URL: http://www.netorbit.it/modules.html
Platforms: Linux
Summary:
Maillog View is a Webmin module that allows you to easily view all your
/var/log/maillog.* files. It features autorefresh, message size
indication, ascending/descending view order, compressed file support, and a
full statistics page. Sendmail, Postfix, Exim, and Qmail (partially) are
supported. Courier MTA support is experimental.
VII. SPONSOR INFORMATION
-----------------------