Date: 18 May 2005 17:47:05 -0000
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #236
SecurityFocus Linux Newsletter #236
------------------------------------

Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!

http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

------------------------------------------------------------------------
I. FRONT AND CENTER
     1. Web Browser Forensics, Part 2
     2. Chrooted Snort on Solaris
II. LINUX VULNERABILITY SUMMARY
     1. Mozilla Firefox Install Method Remote Arbitrary Code Executi...
     2. PHPBB Unspecified BBCode.PHP Vulnerability
     3. PHP Nuke Double Hex Encoded Input Validation Vulnerability
     4. Ethereal DISTCC Dissection Stack Buffer Overflow Vulnerabili...
     5. MyServer Cross-Site Scripting Vulnerability
     6. MyServer Remote Directory Listing Vulnerability
     7. Linux Kernel ELF Core Dump Local Buffer Overflow Vulnerabili...
     8. Gaim Remote URI Handling Buffer Overflow Vulnerability
     9. Gaim Remote MSN Empty SLP Message Denial Of Service Vulnerab...
     10. Squid Proxy Unspecified DNS Spoofing Vulnerability
     11. BakBone NetVault Unspecified Heap Overflow Vulnerability
     12. Bugzilla Authentication Information Disclosure Vulnerability
     13. Bugzilla Hidden Product Information Disclosure Vulnerability
     14. Kerio MailServer Multiple Remote Denial of Service Vulnerabi...
     15. BakBone NetVault Remote Heap Overflow Code Execution Vulnera...
     16. Ultimate PHP Board ViewForum.PHP Cross-Site Scripting Vulner...
     17. Ultimate PHP Board ViewForum.PHP SQL Injection Vulnerability
III. LINUX FOCUS LIST SUMMARY
     NO NEW POSTS FOR THE WEEK 2005-05-10 to 2005-05-17.
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. CoreGuard Core Security System
     2. EnCase Forensic Edition
     3. KeyGhost SX
     4. SafeKit
     5. Astaro Linux Firewall
     6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
     1. webcvtsa 0.0.8
     2. Umbrella v0.6
     3. Kernel Socks Bouncer 2.6.11
     4. NuFW 1.0.0
     5. ldapenum 0.02alpha
     6. File System Saint 1.02a
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Web Browser Forensics, Part 2
By Keith J. Jones and Rohyt Belani
Part 2 of this web browser forensics series looks at reconstructing Mozilla
Firefox's cache in order to catch an internal hacker using an
administrator's account.
http://www.securityfocus.com/infocus/1832

2. Chrooted Snort on Solaris
By Andre Lue-Fook-Sang
This article discusses the installation and configuration of a chrooted Snort
IDS on most versions of Solaris.
http://www.securityfocus.com/infocus/1833

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Mozilla Firefox Install Method Remote Arbitrary Code Executi...
BugTraq ID: 13544
Remote: Yes
Date Published: May 07 2005
Relevant URL: http://www.securityfocus.com/bid/13544
Summary:
Mozilla Firefox is prone to a security vulnerability that could result 
in the execution of arbitrary code without requiring user interaction. 

Initial analysis of the vulnerability reveals that the vulnerability 
relies on a three-stage attack that may lead to an arbitrary script 
gaining 'UniversalXPConnect' privileges. 

It was observed that this issue might be exploited remotely to take 
arbitrary actions on the vulnerable computer in the context of the user 
that is running the affected browser.

This vulnerability is reported in all versions of Mozilla Firefox 
browsers up to 1.0.3.

To be exploitable, a Web site listed in a victim user's configuration 
to allow extension installation must be susceptible to a cross-site 
scripting vulnerability. By default, 'update.mozilla.org', and 
'addon.mozilla.org' are both listed as trusted Web sites for extension 
installation.

*Update: The cross-site scripting vulnerability that the publicly 
available exploit relied on in the mozilla.org domain has been fixed. This 
issue is no longer exploitable through this public attack vector.

2. PHPBB Unspecified BBCode.PHP Vulnerability
BugTraq ID: 13545
Remote: Yes
Date Published: May 09 2005
Relevant URL: http://www.securityfocus.com/bid/13545
Summary:
The phpbb vendor reports that a critical unspecified vulnerability 
exists in the BBCode handling routines of the 'bbcode.php' script.

Very little is known about this vulnerability except that the vendor 
has reported that it is addressed in phpBB version 2.0.15.

This BID will be updated when further analysis of this issue is 
complete.

3. PHP Nuke Double Hex Encoded Input Validation Vulnerability
BugTraq ID: 13557
Remote: Yes
Date Published: May 09 2005
Relevant URL: http://www.securityfocus.com/bid/13557
Summary:
PHP Nuke is prone to an input validation vulnerability. Reports 
indicate the script fails to correctly identify potentially dangerous 
characters when the characters are double hex-encoded (i.e. %25%41 == %41 == 
A).

A remote attacker may exploit this issue to bypass PHP Nuke protections 
and exploit issues that exist in the underlying PHP Nuke installation.
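The bypass class described above, as an added illustration that is not code from the PHP Nuke project: a filter that percent-decodes once and then checks for dangerous characters misses input that was encoded twice, because the check runs on the still-encoded intermediate form and the application (or a later decode) turns it into the dangerous form afterwards. The hardened version below decodes to a fixpoint (bounded) and treats any value that needed more than one decoding round as suspicious in its own right. The character blocklist and the sample inputs are constructed for this example; in the sample, the double-encoded form of "A" is written `%2541`, since the first decode turns `%25` into a literal percent sign, leaving `%41` for the second decode.

```python
from urllib.parse import unquote

# Constructed blocklist for the example; not PHP Nuke's actual filter list.
DANGEROUS = set('<>"\'')

# Upper bound on decoding rounds so a hostile value cannot keep the loop busy.
MAX_DECODE_ROUNDS = 3


def decode_fully(value: str, max_rounds: int = MAX_DECODE_ROUNDS):
    """Percent-decode until the value stops changing.

    Returns (decoded_value, rounds_that_changed_the_value). A value that is
    not percent-encoded at all comes back with 0 rounds; a normal encoded
    value with 1; a double-encoded value with 2, and so on up to max_rounds.
    """
    current = value
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current, rounds


def naive_filter_rejects(value: str) -> bool:
    """Mirrors the flawed pattern: decode once, then look for bad characters."""
    return any(c in DANGEROUS for c in unquote(value))


def hardened_filter_rejects(value: str) -> bool:
    """Decode to a fixpoint first; also reject anything that was multiply encoded."""
    decoded, rounds = decode_fully(value)
    if rounds > 1:
        # A legitimate client encodes a parameter once. Needing a second
        # decode means someone encoded the percent signs themselves.
        return True
    return any(c in DANGEROUS for c in decoded)


if __name__ == "__main__":
    # Constructed sample request values.
    samples = ["hello%20world", "%3Cscript%3E", "%253Cscript%253E", "%2541"]
    for s in samples:
        print(f"{s:18} naive={naive_filter_rejects(s)!s:5} "
              f"hardened={hardened_filter_rejects(s)!s:5} "
              f"decoded={decode_fully(s)}")
```

One caveat on the design: a parameter whose intended plain-text value legitimately contains a percent sign followed by two hex digits (for example the literal text "%20", sent as `%2520`) is also flagged by the rounds check, so an application that must accept such values should instead run its character check on the fully decoded form only and make sure no later layer decodes again.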

4. Ethereal DISTCC Dissection Stack Buffer Overflow Vulnerabili...
BugTraq ID: 13567
Remote: Yes
Date Published: May 10 2005
Relevant URL: http://www.securityfocus.com/bid/13567
Summary:
A remote buffer overflow vulnerability affects Ethereal. This issue is 
due to a failure of the application to securely copy network-derived 
data into sensitive process buffers.  The specific issue exists in the 
DISTCC protocol dissector.

An attacker may exploit this issue to execute arbitrary code with the 
privileges of the user that activated the vulnerable application. This 
may facilitate unauthorized access or privilege escalation.

This vulnerability affects Ethereal versions 0.8.13 through 0.10.10.

Note that this issue was originally disclosed in BID 13504.

5. MyServer Cross-Site Scripting Vulnerability
BugTraq ID: 13578
Remote: Yes
Date Published: May 10 2005
Relevant URL: http://www.securityfocus.com/bid/13578
Summary:
myServer is prone to a cross-site scripting vulnerability.  This issue 
is due to a failure in the application to properly sanitize 
user-supplied input.

An attacker may leverage this issue to have arbitrary script code 
executed in the browser of an unsuspecting user.  This may facilitate the 
theft of cookie-based authentication credentials as well as other 
attacks.

This issue reportedly affects myServer version 0.8 for Microsoft 
Windows; other versions may also be affected.

6. MyServer Remote Directory Listing Vulnerability
BugTraq ID: 13579
Remote: Yes
Date Published: May 10 2005
Relevant URL: http://www.securityfocus.com/bid/13579
Summary:
myServer is prone to a remote directory listing vulnerability.  This 
issue is due to a failure in the application to properly sanitize 
user-supplied input.

A remote attacker can disclose the contents of the directory above the 
configured Web document root. 

An attacker may leverage this issue to gain access to sensitive 
information by disclosing a directory listing; information disclosed in this 
way could lead to further attacks against the target system.

This issue reportedly affects myServer version 0.8 for Microsoft 
Windows; other versions may also be affected.

7. Linux Kernel ELF Core Dump Local Buffer Overflow Vulnerabili...
BugTraq ID: 13589
Remote: No
Date Published: May 11 2005
Relevant URL: http://www.securityfocus.com/bid/13589
Summary:
The Linux kernel is susceptible to a local buffer overflow 
vulnerability when attempting to create ELF core dumps. This issue is due to an 
integer overflow flaw that results in a kernel buffer overflow during a 
copy_from_user() call.

To exploit this vulnerability, a malicious user creates a malicious ELF 
executable designed to create a negative 'len' variable in 
elf_core_dump().

This vulnerability may be exploited by local users to execute arbitrary 
machine code in the context of the kernel, facilitating privilege 
escalation.

8. Gaim Remote URI Handling Buffer Overflow Vulnerability
BugTraq ID: 13590
Remote: Yes
Date Published: May 11 2005
Relevant URL: http://www.securityfocus.com/bid/13590
Summary:
Gaim is susceptible to a remote buffer overflow vulnerability when 
handling long URIs. This issue is due to a failure of the application to 
properly bounds check user-supplied input data prior to copying it to a 
fixed-size stack buffer.

Due to the multiple protocol support of Gaim, and the nature of the 
differing IM protocols, only some of the IM networks are reported 
vulnerable. This is due to message length limits imposed by the IM networks. 
Currently, the Jabber, and SILC IM network protocols are known to be 
vulnerable. Other protocols may also be affected.

This vulnerability allows remote attackers to execute arbitrary machine 
code in the context of the affected application.

Gaim versions prior to 1.3.0 are vulnerable to this issue.

9. Gaim Remote MSN Empty SLP Message Denial Of Service Vulnerab...
BugTraq ID: 13591
Remote: Yes
Date Published: May 11 2005
Relevant URL: http://www.securityfocus.com/bid/13591
Summary:
Gaim is susceptible to a remote denial of service vulnerability in its 
MSN protocol handling code.

This vulnerability allows remote attackers to crash affected clients, 
denying service to them.

Gaim versions prior to 1.3.0 are vulnerable to this issue.

10. Squid Proxy Unspecified DNS Spoofing Vulnerability
BugTraq ID: 13592
Remote: Yes
Date Published: May 11 2005
Relevant URL: http://www.securityfocus.com/bid/13592
Summary:
Squid Proxy is prone to an unspecified DNS spoofing vulnerability.  
This could allow malicious users to perform DNS spoofing attacks on Squid 
Proxy clients on unprotected networks.

This issue affects Squid Proxy versions 2.5 and earlier.

11. BakBone NetVault Unspecified Heap Overflow Vulnerability
BugTraq ID: 13594
Remote: Yes
Date Published: May 11 2005
Relevant URL: http://www.securityfocus.com/bid/13594
Summary:
BakBone NetVault is reportedly affected by an unspecified heap overflow 
vulnerability.

Specific details were not released about this issue.  This BID will be 
updated when more information is available.

All versions of NetVault are considered vulnerable at the moment.

12. Bugzilla Authentication Information Disclosure Vulnerability
BugTraq ID: 13605
Remote: Yes
Date Published: May 12 2005
Relevant URL: http://www.securityfocus.com/bid/13605
Summary:
Bugzilla is prone to a vulnerability that could allow username and 
password information to be disclosed in generated links.  Any user with 
access to the server's Web logs could potentially gain access to the 
user's authentication information.

13. Bugzilla Hidden Product Information Disclosure Vulnerability
BugTraq ID: 13606
Remote: Yes
Date Published: May 12 2005
Relevant URL: http://www.securityfocus.com/bid/13606
Summary:
Bugzilla is prone to an information disclosure vulnerability due to 
improper access validation.  This could allow a user to determine the 
existence of a product in the Bugzilla database even if it should not be 
visible to them.

14. Kerio MailServer Multiple Remote Denial of Service Vulnerabi...
BugTraq ID: 13616
Remote: Yes
Date Published: May 13 2005
Relevant URL: http://www.securityfocus.com/bid/13616
Summary:
Kerio MailServer is affected by multiple remote denial of service 
vulnerabilities.

Kerio MailServer running on Linux platforms is prone to a remote denial 
of service vulnerability when handling specially crafted e-mail 
messages.

Kerio MailServer is reportedly affected by another remote denial of 
service vulnerability when e-mails for IMAP or Outlook are downloaded.

Kerio MailServer 6.0.9 and prior versions are affected by these issues.

15. BakBone NetVault Remote Heap Overflow Code Execution Vulnera...
BugTraq ID: 13618
Remote: Yes
Date Published: May 13 2005
Relevant URL: http://www.securityfocus.com/bid/13618
Summary:
BakBone NetVault is prone to a remote heap overflow vulnerability.

Exploitation of this issue allows for memory corruption resulting from 
the application copying excessive network data into a finite sized 
buffer.

An attacker can gain unauthorized access to an affected computer.

All versions of NetVault are considered vulnerable at the moment.

16. Ultimate PHP Board ViewForum.PHP Cross-Site Scripting Vulner...
BugTraq ID: 13621
Remote: Yes
Date Published: May 13 2005
Relevant URL: http://www.securityfocus.com/bid/13621
Summary:
Ultimate PHP Board is prone to a cross-site scripting vulnerability.  
This issue is due to a failure in the application to properly sanitize 
user-supplied input.

An attacker may leverage this issue to have arbitrary script code 
executed in the browser of an unsuspecting user.  This may facilitate the 
theft of cookie-based authentication credentials as well as other 
attacks.

17. Ultimate PHP Board ViewForum.PHP SQL Injection Vulnerability
BugTraq ID: 13622
Remote: Yes
Date Published: May 13 2005
Relevant URL: http://www.securityfocus.com/bid/13622
Summary:
Ultimate PHP Board is prone to an SQL injection vulnerability.  This 
issue is due to a failure in the application to properly sanitize 
user-supplied input before using it in an SQL query.

Successful exploitation could result in a compromise of the 
application, disclosure or modification of data, or may permit an attacker to 
exploit vulnerabilities in the underlying database implementation.
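The failure mode behind this entry, as an added example that is not Ultimate PHP Board's code: a forum-viewing query built by string concatenation lets the request parameter rewrite the query, here to read a row the `hidden` flag should have excluded, while the corrected version validates the parameter's type and binds it as a query parameter so the database never parses it as SQL. The table, rows and request values are constructed for the example and use Python's built-in sqlite3 module.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for a forum table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE forums (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)"
    )
    conn.executemany(
        "INSERT INTO forums VALUES (?, ?, ?)",
        [(1, "General", 0), (2, "Announcements", 0), (3, "Moderators only", 1)],
    )
    return conn


def view_forum_vulnerable(conn: sqlite3.Connection, forum_id: str) -> list:
    """Unsanitized request value is spliced into the SQL text."""
    sql = (
        "SELECT name FROM forums WHERE id = " + forum_id
        + " AND hidden = 0 ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def view_forum_fixed(conn: sqlite3.Connection, forum_id: str) -> list:
    """Validate the type, then bind the value; SQL text stays constant."""
    try:
        fid = int(forum_id)
    except ValueError:
        # Reject rather than trying to 'clean' the string.
        raise ValueError("forum id must be an integer")
    sql = "SELECT name FROM forums WHERE id = ? AND hidden = 0 ORDER BY id"
    return [row[0] for row in conn.execute(sql, (fid,))]


if __name__ == "__main__":
    db = build_db()
    # Constructed request values: a normal id and a value that ends the
    # WHERE clause early with a SQL comment, dropping the hidden check.
    print(view_forum_vulnerable(db, "2"))
    print(view_forum_vulnerable(db, "1 OR 1=1 --"))
    print(view_forum_fixed(db, "3"))
    try:
        view_forum_fixed(db, "1 OR 1=1 --")
    except ValueError as e:
        print("rejected:", e)
```

Binding is what makes the fix hold; an integer check alone would not help a parameter that is legitimately a string, and escaping by hand tends to fail the next time the query is edited.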

III. LINUX FOCUS LIST SUMMARY
-----------------------------
NO NEW POSTS FOR THE WEEK 2005-05-10 to 2005-05-17.

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary: 

CoreGuard System profile

The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates all
the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.

CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets 
* Protect data at rest from unauthorized viewing by external attackers
and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
administration
* Ensure host & application integrity
* Block malicious code, including zero-day exploits

2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, 
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary: 

EnCase Forensic Edition Version 4 delivers the most advanced features 
for computer forensics and investigations. With an intuitive GUI and 
superior performance, EnCase Version 4 provides investigators with the 
tools to conduct large-scale and complex investigations with accuracy and 
efficiency. Guidance Software's award winning solution yields 
completely non-invasive computer forensic investigations while allowing 
examiners to easily manage large volumes of computer evidence and view all 
relevant files, including "deleted" files, file slack and unallocated 
space. 

The integrated functionality of EnCase allows the examiner to perform 
all functions of the computer forensic investigation process. EnCase's 
EnScript, a powerful macro-programming language and API included within 
EnCase, allows investigators to build customized and reusable forensic 
scripts.

3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, 
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary: 

KeyGhost SX discreetly captures and records all keystrokes typed, 
including chat conversations, email, word processor, or even activity within 
an accounting or specialist system. It is completely undetectable by 
software scanners and provides you with one of the most powerful stealth 
surveillance applications offered anywhere. 

Because KeyGhost uses strong 128-bit encryption to store the recorded 
data in its own internal memory (not on the hard drive), it is 
impossible for a network intruder to gain access to any sensitive data stored 
within the device.

4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary: 

Evidian's SafeKit technology makes it possible to render any 
application available 24 hours per day. With no extra hardware: just use your 
existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to 
do is add more standard servers into the cluster. With the load 
balancing features of SafeKit, you can distribute applications over multiple 
servers. If one system fails completely, the others will continue to 
serve your users.

5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary: 

Astaro Linux Firewall: All-in-one firewall, virus protection, content 
filtering and spam protection internet security software package for 
Linux. Free download for home users.

6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris, 
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary: 

Low cost, easy to use Two Factor Authentication One Time Password token 
using the cellular phone. Does not use SMS or any other communication, and manages multiple 
OTP accounts - new technology. For any business that wants safer 
access to its Internet Services. More information at our site.
 
We also provide an eAuthentication service for businesses that will not 
buy an Authentication product but would prefer to pay a monthly charge 
for authentication services from our CAT Server.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. webcvtsa 0.0.8
By: Paolo Ardoino
Relevant URL: http://cvtsa.sourceforge.net/
Platforms: Linux
Summary: 

WEBCVTSA is a tool that allows users to administer their computers 
[running GNU/Linux] using a form on a web page to post commands.

2. Umbrella v0.6
By: Umbrella
Relevant URL: http://umbrella.sourceforge.net/
Platforms: Linux
Summary: 

Umbrella is a security mechanism that implements a combination of 
Process-Based Access Control (PBAC) and authentication of binaries through 
Digital Signed Binaries (DSB). The scheme is designed for Linux-based 
consumer electronic devices ranging from mobile phones to settop boxes.

Umbrella is implemented on top of the Linux Security Modules (LSM) 
framework. The PBAC scheme is enforced by a set of restrictions on each 
process.

3. Kernel Socks Bouncer 2.6.11
By: Paolo Ardoino
Relevant URL: http://ksb.sourceforge.net/
Platforms: Linux
Summary: 

Kernel Socks Bouncer is a Linux Kernel 2.6.x patch that redirects TCP 
connections [SSH, telnet, browsers...] through a SOCKS5 proxy. KSB26 
uses a character device to pass the SOCKS5 proxy and target IPs to the Linux 
Kernel.

4. NuFW 1.0.0
By: INL
Relevant URL: http://www.nufw.org
Platforms: Linux
Summary: 

NuFW performs an authentication of every single connection passing 
through the IP filter, by transparently requesting the user's credentials 
before any filtering decision is taken. In practice, this brings the notion 
of user ID down to the IP layer.

5. ldapenum 0.02alpha
By: Roni Bachar & Sol Zehnwirth
Relevant URL: https://sourceforge.net/projects/ldapenum
Platforms: Linux, Perl (any system supporting perl), Windows 2000, 
Windows 95/98, Windows NT, Windows XP
Summary: 

ldapenum is a Perl script designed to enumerate system and password 
information from domain controllers using the LDAP service when IPC$ is 
locked. The script has been tested on Windows and Linux.

6. File System Saint 1.02a
By: Joshua Fritsch
Relevant URL: http://www.unixgeeks.org/saint
Platforms: Linux, UNIX
Summary: 

A fast, flexible, lightweight Perl-based host IDS.

VII. SPONSOR INFORMATION
-----------------------

Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!

http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

------------------------------------------------------------------------