Date: 18 May 2005 17:47:05 -0000
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #236
SecurityFocus Linux Newsletter #236
------------------------------------
I. FRONT AND CENTER
1. Web Browser Forensics, Part 2
2. Chrooted Snort on Solaris
II. LINUX VULNERABILITY SUMMARY
1. Mozilla Firefox Install Method Remote Arbitrary Code Executi...
2. PHPBB Unspecified BBCode.PHP Vulnerability
3. PHP Nuke Double Hex Encoded Input Validation Vulnerability
4. Ethereal DISTCC Dissection Stack Buffer Overflow Vulnerabili...
5. MyServer Cross-Site Scripting Vulnerability
6. MyServer Remote Directory Listing Vulnerability
7. Linux Kernel ELF Core Dump Local Buffer Overflow Vulnerabili...
8. Gaim Remote URI Handling Buffer Overflow Vulnerability
9. Gaim Remote MSN Empty SLP Message Denial Of Service Vulnerab...
10. Squid Proxy Unspecified DNS Spoofing Vulnerability
11. BakBone NetVault Unspecified Heap Overflow Vulnerability
12. Bugzilla Authentication Information Disclosure Vulnerability
13. Bugzilla Hidden Product Information Disclosure Vulnerability
14. Kerio MailServer Multiple Remote Denial of Service Vulnerabi...
15. BakBone NetVault Remote Heap Overflow Code Execution Vulnera...
16. Ultimate PHP Board ViewForum.PHP Cross-Site Scripting Vulner...
17. Ultimate PHP Board ViewForum.PHP SQL Injection Vulnerability
III. LINUX FOCUS LIST SUMMARY
NO NEW POSTS FOR THE WEEK 2005-05-10 to 2005-05-17.
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. CoreGuard Core Security System
2. EnCase Forensic Edition
3. KeyGhost SX
4. SafeKit
5. Astaro Linux Firewall
6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
1. webcvtsa 0.0.8
2. Umbrella v0.6
3. Kernel Socks Bouncer 2.6.11
4. NuFW 1.0.0
5. ldapenum 0.02alpha
6. File System Saint 1.02a
VII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Web Browser Forensics, Part 2
By Keith J. Jones and Rohyt Belani
Part 2 of this web browser forensics series looks at reconstructing
Mozilla Firefox's cache in order to catch an internal hacker using an
administrator's account.
http://www.securityfocus.com/infocus/1832
2. Chrooted Snort on Solaris
By Andre Lue-Fook-Sang
This article discusses installation and configuration of a chrooted
Snort IDS on most versions of Solaris.
http://www.securityfocus.com/infocus/1833
II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Mozilla Firefox Install Method Remote Arbitrary Code Executi...
BugTraq ID: 13544
Remote: Yes
Date Published: May 07 2005
Relevant URL: http://www.securityfocus.com/bid/13544
Summary:
Mozilla Firefox is prone to a security vulnerability that could result
in the execution of arbitrary code without requiring user interaction.
Initial analysis of the vulnerability reveals that the vulnerability
relies on a three-stage attack that may lead to an arbitrary script
gaining 'UniversalXPConnect' privileges.
It was observed that this issue might be exploited remotely to take
arbitrary actions on the vulnerable computer in the context of the user
that is running the affected browser.
This vulnerability is reported in all versions of Mozilla Firefox
browsers up to 1.0.3.
To be exploitable, a Web site listed in a victim user's configuration
to allow extension installation must be susceptible to a cross-site
scripting vulnerability. By default, 'update.mozilla.org', and
'addon.mozilla.org' are both listed as trusted Web sites for extension
installation.
*Update: The cross-site scripting vulnerability that the publicly
available exploit relied on in the mozilla.org domain has been fixed. This
issue is no longer exploitable through this public attack vector.
2. PHPBB Unspecified BBCode.PHP Vulnerability
BugTraq ID: 13545
Remote: Yes
Date Published: May 09 2005
Relevant URL: http://www.securityfocus.com/bid/13545
Summary:
The phpBB vendor reports that a critical unspecified vulnerability
exists in the BBCode handling routines of the 'bbcode.php' script.
Very little is known about this vulnerability except that the vendor
has reported that it is addressed in phpBB version 2.0.15.
This BID will be updated when further analysis of this issue is
complete.
3. PHP Nuke Double Hex Encoded Input Validation Vulnerability
BugTraq ID: 13557
Remote: Yes
Date Published: May 09 2005
Relevant URL: http://www.securityfocus.com/bid/13557
Summary:
PHP Nuke is prone to an input validation vulnerability. Reports
indicate the script fails to correctly identify potentially dangerous
characters when the characters are double hex-encoded (i.e. %25%41 == %41 ==
A).
A remote attacker may exploit this issue to bypass PHP Nuke protections
and exploit issues that exist in the underlying PHP Nuke installation.
4. Ethereal DISTCC Dissection Stack Buffer Overflow Vulnerabili...
BugTraq ID: 13567
Remote: Yes
Date Published: May 10 2005
Relevant URL: http://www.securityfocus.com/bid/13567
Summary:
A remote buffer overflow vulnerability affects Ethereal. This issue is
due to a failure of the application to securely copy network-derived
data into sensitive process buffers. The specific issue exists in the
DISTCC protocol dissector.
An attacker may exploit this issue to execute arbitrary code with the
privileges of the user that activated the vulnerable application. This
may facilitate unauthorized access or privilege escalation.
This vulnerability affects Ethereal versions 0.8.13 through to 0.10.10.
Note that this issue was originally disclosed in BID 13504.
5. MyServer Cross-Site Scripting Vulnerability
BugTraq ID: 13578
Remote: Yes
Date Published: May 10 2005
Relevant URL: http://www.securityfocus.com/bid/13578
Summary:
myServer is prone to a cross-site scripting vulnerability. This issue
is due to a failure in the application to properly sanitize
user-supplied input.
An attacker may leverage this issue to have arbitrary script code
executed in the browser of an unsuspecting user. This may facilitate the
theft of cookie-based authentication credentials as well as other
attacks.
This issue reportedly affects myServer version 0.8 for Microsoft
Windows; other versions may also be affected.
6. MyServer Remote Directory Listing Vulnerability
BugTraq ID: 13579
Remote: Yes
Date Published: May 10 2005
Relevant URL: http://www.securityfocus.com/bid/13579
Summary:
myServer is prone to a remote directory listing vulnerability. This
issue is due to a failure in the application to properly sanitize
user-supplied input.
A remote attacker can disclose the contents of the directory above the
configured Web document root.
An attacker may leverage this issue to gain access to sensitive
information by disclosing a directory listing; information disclosed in this
way could lead to further attacks against the target system.
This issue reportedly affects myServer version 0.8 for Microsoft
Windows; other versions may also be affected.
7. Linux Kernel ELF Core Dump Local Buffer Overflow Vulnerabili...
BugTraq ID: 13589
Remote: No
Date Published: May 11 2005
Relevant URL: http://www.securityfocus.com/bid/13589
Summary:
The Linux kernel is susceptible to a local buffer overflow
vulnerability when attempting to create ELF core dumps. This issue is due to an
integer overflow flaw that results in a kernel buffer overflow during a
copy_from_user() call.
To exploit this vulnerability, a malicious user creates a malicious ELF
executable designed to create a negative 'len' variable in
elf_core_dump().
This vulnerability may be exploited by local users to execute arbitrary
machine code in the context of the kernel, facilitating privilege
escalation.
8. Gaim Remote URI Handling Buffer Overflow Vulnerability
BugTraq ID: 13590
Remote: Yes
Date Published: May 11 2005
Relevant URL: http://www.securityfocus.com/bid/13590
Summary:
Gaim is susceptible to a remote buffer overflow vulnerability when
handling long URIs. This issue is due to a failure of the application to
properly bounds check user-supplied input data prior to copying it to a
fixed-size stack buffer.
Due to the multiple protocol support of Gaim, and the nature of the
differing IM protocols, only some of the IM networks are reported
vulnerable. This is due to message length limits imposed by the IM networks.
Currently, the Jabber and SILC IM network protocols are known to be
vulnerable. Other protocols may also be affected.
This vulnerability allows remote attackers to execute arbitrary machine
code in the context of the affected application.
Gaim versions prior to 1.3.0 are vulnerable to this issue.
9. Gaim Remote MSN Empty SLP Message Denial Of Service Vulnerab...
BugTraq ID: 13591
Remote: Yes
Date Published: May 11 2005
Relevant URL: http://www.securityfocus.com/bid/13591
Summary:
Gaim is susceptible to a remote denial of service vulnerability in its
MSN protocol handling code.
This vulnerability allows remote attackers to crash affected clients,
denying service to them.
Gaim versions prior to 1.3.0 are vulnerable to this issue.
10. Squid Proxy Unspecified DNS Spoofing Vulnerability
BugTraq ID: 13592
Remote: Yes
Date Published: May 11 2005
Relevant URL: http://www.securityfocus.com/bid/13592
Summary:
Squid Proxy is prone to an unspecified DNS spoofing vulnerability.
This could allow malicious users to perform DNS spoofing attacks on Squid
Proxy clients on unprotected networks.
This issue affects Squid Proxy versions 2.5 and earlier.
11. BakBone NetVault Unspecified Heap Overflow Vulnerability
BugTraq ID: 13594
Remote: Yes
Date Published: May 11 2005
Relevant URL: http://www.securityfocus.com/bid/13594
Summary:
BakBone NetVault is reportedly affected by an unspecified heap overflow
vulnerability.
Specific details were not released about this issue. This BID will be
updated when more information is available.
All versions of NetVault are considered vulnerable at the moment.
12. Bugzilla Authentication Information Disclosure Vulnerability
BugTraq ID: 13605
Remote: Yes
Date Published: May 12 2005
Relevant URL: http://www.securityfocus.com/bid/13605
Summary:
Bugzilla is prone to a vulnerability that could allow username and
password information to be disclosed in generated links. Any user with
access to the server's Web logs could potentially gain access to the
user's authentication information.
13. Bugzilla Hidden Product Information Disclosure Vulnerability
BugTraq ID: 13606
Remote: Yes
Date Published: May 12 2005
Relevant URL: http://www.securityfocus.com/bid/13606
Summary:
Bugzilla is prone to an information disclosure vulnerability due to
improper access validation. This could allow a user to determine the
existence of a product in the Bugzilla database even if it should not be
visible to them.
14. Kerio MailServer Multiple Remote Denial of Service Vulnerabi...
BugTraq ID: 13616
Remote: Yes
Date Published: May 13 2005
Relevant URL: http://www.securityfocus.com/bid/13616
Summary:
Kerio MailServer is affected by multiple remote denial of service
vulnerabilities.
Kerio MailServer running on Linux platforms is prone to a remote denial
of service vulnerability when handling specially crafted e-mail
messages.
Kerio MailServer is reportedly affected by another remote denial of
service vulnerability when emails for IMAP or Outlook are downloaded.
Kerio MailServer 6.0.9 and prior versions are affected by these issues.
15. BakBone NetVault Remote Heap Overflow Code Execution Vulnera...
BugTraq ID: 13618
Remote: Yes
Date Published: May 13 2005
Relevant URL: http://www.securityfocus.com/bid/13618
Summary:
BakBone NetVault is prone to a remote heap overflow vulnerability.
Exploitation of this issue allows for memory corruption resulting from
the application copying excessive network data into a finite sized
buffer.
An attacker can gain unauthorized access to an affected computer.
All versions of NetVault are considered vulnerable at the moment.
16. Ultimate PHP Board ViewForum.PHP Cross-Site Scripting Vulner...
BugTraq ID: 13621
Remote: Yes
Date Published: May 13 2005
Relevant URL: http://www.securityfocus.com/bid/13621
Summary:
Ultimate PHP Board is prone to a cross-site scripting vulnerability.
This issue is due to a failure in the application to properly sanitize
user-supplied input.
An attacker may leverage this issue to have arbitrary script code
executed in the browser of an unsuspecting user. This may facilitate the
theft of cookie-based authentication credentials as well as other
attacks.
17. Ultimate PHP Board ViewForum.PHP SQL Injection Vulnerability
BugTraq ID: 13622
Remote: Yes
Date Published: May 13 2005
Relevant URL: http://www.securityfocus.com/bid/13622
Summary:
Ultimate PHP Board is prone to an SQL injection vulnerability. This
issue is due to a failure in the application to properly sanitize
user-supplied input before using it in an SQL query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an attacker to
exploit vulnerabilities in the underlying database implementation.
III. LINUX FOCUS LIST SUMMARY
-----------------------------
NO NEW POSTS FOR THE WEEK 2005-05-10 to 2005-05-17.
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary:
CoreGuard System profile
The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates all
the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.
CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets
* Protect data at rest from unauthorized viewing by external attackers
and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
administration
* Ensure host & application integrity
* Block malicious code, including zero-day exploits
2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS,
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:
EnCase Forensic Edition Version 4 delivers the most advanced features
for computer forensics and investigations. With an intuitive GUI and
superior performance, EnCase Version 4 provides investigators with the
tools to conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award winning solution yields
completely non-invasive computer forensic investigations while allowing
examiners to easily manage large volumes of computer evidence and view all
relevant files, including "deleted" files, file slack and unallocated
space.
The integrated functionality of EnCase allows the examiner to perform
all functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.
3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000,
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:
KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity within
an accounting or specialist system. It is completely undetectable by
software scanners and provides you with one of the most powerful stealth
surveillance applications offered anywhere.
Because KeyGhost uses STRONG 128-Bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data stored
within the device.
4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:
Evidian's SafeKit technology makes it possible to render any
application available 24 hours per day. With no extra hardware: just use your
existing servers and install this software-only solution.
This provides ultimate scalability. As your needs grow, all you need to
do is add more standard servers into the cluster. With the load
balancing features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to
serve your users.
5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary:
Astaro Linux Firewall: All-in-one firewall, virus protection, content
filtering and spam protection internet security software package for
Linux.
Free download for home users.
6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris,
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary:
Low cost, easy to use Two Factor Authentication One Time Password token
using the Cellular. Does not use SMS or communication, manages multiple
OTP accounts - new technology. For any business that wants safer
access to its Internet Services. More information at our site.
We also provide eAuthentication service for businesses that will not
buy an Authentication product but would prefer to pay a monthly charge
for authentication services from our CAT Server.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. webcvtsa 0.0.8
By: Paolo Ardoino
Relevant URL: http://cvtsa.sourceforge.net/
Platforms: Linux
Summary:
WEBCVTSA is a tool that allows users to administrate their computers
[running GNU/Linux] using a form on a web page to post commands.
2. Umbrella v0.6
By: Umbrella
Relevant URL: http://umbrella.sourceforge.net/
Platforms: Linux
Summary:
Umbrella is a security mechanism that implements a combination of
Process-Based Access Control (PBAC) and authentication of binaries through
Digital Signed Binaries (DSB). The scheme is designed for Linux-based
consumer electronic devices ranging from mobile phones to settop boxes.
Umbrella is implemented on top of the Linux Security Modules (LSM)
framework. The PBAC scheme is enforced by a set of restrictions on each
process.
3. Kernel Socks Bouncer 2.6.11
By: Paolo Ardoino
Relevant URL: http://ksb.sourceforge.net/
Platforms: Linux
Summary:
Kernel Socks Bouncer is a Linux Kernel 2.6.x patch that redirects TCP
connections [SSH, telnet, browsers...] to follow through socks5. KSB26
uses a character device to pass socks5 and target IPs to the Linux
Kernel.
4. NuFW 1.0.0
By: INL
Relevant URL: http://www.nufw.org
Platforms: Linux
Summary:
NuFW performs an authentication of every single connection passing
through the IP filter, by transparently requesting user's credentials
before any filtering decision is taken. Practically, this brings the notion
of user ID down to the IP layers.
5. ldapenum 0.02alpha
By: Roni Bachar & Sol Zehnwirth
Relevant URL: https://sourceforge.net/projects/ldapenum
Platforms: Linux, Perl (any system supporting perl), Windows 2000,
Windows 95/98, Windows NT, Windows XP
Summary:
ldapenum is a Perl script designed to enumerate system and password
information from domain controllers using the LDAP service when IPC$ is
locked. The script has been tested on Windows and Linux.
6. File System Saint 1.02a
By: Joshua Fritsch
Relevant URL: http://www.unixgeeks.org/saint
Platforms: Linux, UNIX
Summary:
A fast, flexible, lightweight perl-based host IDS.
VII. SPONSOR INFORMATION
-----------------------
Need to know what's happening on YOUR network? Symantec DeepSight
Analyzer is a free service that gives you the ability to track and manage
attacks. Analyzer automatically correlates attacks from various Firewall
and network based Intrusion Detection Systems, giving you a comprehensive
view of your computer or general network. Sign up today!
http://www.securityfocus.com/sponsor/Symantec_sf-news_041130
------------------------------------------------------------------------