Date: Mon, 26 Jan 2004 14:31:11 -0700 (MST)
From: "John Boletta" <jboletta@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #168


SecurityFocus Linux Newsletter #168
------------------------------------
This Issue Sponsored by: Qualys

Test the Security of Your Network! Scan Your Perimeter for
the SANS Top 20 Vulnerabilities - FREE.

http://www.securityfocus.com/sponsor/Qualys_linux-secnews_040126

Qualys FreeScan enables the enterprise to immediately identify the
prevalent and critical security vulnerabilities most likely to be
exploited on the network perimeter. With the largest vulnerability
testing database in the industry, QualysGuard enables you to assess,
prioritize, and remediate the vulnerabilities in heterogeneous networks
of any size. Our Web service provides you with the ability to run
immediate assessments without installation of hardware or software.

Click on the link below to scan your network perimeter.
http://www.securityfocus.com/sponsor/Qualys_linux-secnews_040126
------------------------------------------------------------------------
I. FRONT AND CENTER
     1. A Visit from the FBI
     2. The Giant Wooden Horse Did It!
II. LINUX VULNERABILITY SUMMARY
     1. QMail-SMTPD Long SMTP Session Integer Overflow Denial of Ser...
     2. SuSE 3Ddiag Insecure Temporary File Handling Symbolic Link V...
     3. Invision Power Board Index.php Cross-Site Scripting Vulnerab...
     4. YABB SE SSI.PHP ID_MEMBER SQL Injection Vulnerability
     5. GoAhead WebServer Directory Management Policy Bypass Vulnera...
     6. GoAhead WebServer Post Content-Length Remote Resource Consum...
     7. SuSE Multiple Scripts Insecure Temporary File Handling Symbo...
     8. WebTrends Reporting Center Management Interface Path Disclos...
     9. Honeyd Remote Virtual Host Detection Vulnerability
     10. Acme thttpd CGI Test Script Cross-Site Scripting Vulnerabili...
III. LINUX FOCUS LIST SUMMARY
     NO NEW POSTS FOR THE WEEK 2004-01-19 to 2004-01-26.
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. Immunity CANVAS
     2. SecretAgent
     3. Cyber-Ark Inter-Business Vault
     4. EnCase Forensic Edition
     5. KeyGhost SX
     6. SafeKit
V. NEW TOOLS FOR LINUX PLATFORMS
     1. Brcontrol v0.02
     2. weedlog v1.0.1
     3. PeerProtect v0.5
     4. Fast OnlineUpdate for SuSE v0.11.0
     5. Qryptix v0.1b
     6. MUTE File Sharing v0.2.1
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION


I. FRONT AND CENTER
-------------------
1. A Visit from the FBI
By Scott Granneman

I had a little visit from the FBI recently,
in response to one of my SecurityFocus columns.

http://www.securityfocus.com/columnists/215

2. The Giant Wooden Horse Did It!
By Mark Rasch

Introducing a new legal defense to computer crime charges -- one that's
all the more frightening because it could be true.

http://www.securityfocus.com/columnists/208


II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. QMail-SMTPD Long SMTP Session Integer Overflow Denial of Ser...
BugTraq ID: 9432
Remote: Yes
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9432
Summary:
qmail is a popular Mail Transfer Agent (MTA).

A vulnerability has been reported to exist in qmail-smtpd that may allow
a remote attacker to cause a denial of service condition in the
software. It has been reported that an attacker may be able to crash the
current qmail-smtpd session via a long SMTP request. The problem is
reported to exist due to an integer-handling bug. It has been reported
that the excessive SMTP session data causes a signed integer to wrap;
this negative value is then employed as an array subscript. A subsequent
attempt to access the out-of-bounds address based on the wrapped integer
will trigger a segmentation violation. This may be leveraged by a remote
attacker to consume resources and thereby deny service to legitimate
users.

A remote attacker may potentially exploit this vulnerability to crash or
hang a qmail SMTP session.

qmail 1.03 running on a Linux platform has been reported to be prone to
this issue; however, other versions may be affected as well.
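The wrap described above happens when a growing signed position is never checked against its arithmetic limit before being used as a subscript. As an added example (constructed here, not qmail's code), the accumulator below shows the two checks that close this class of bug: an unsigned counter compared against the remaining room before any write, and a per-session byte cap (MAX_SESSION_BYTES, a hypothetical value); would_wrap_int is the test a signed counter would have needed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SESSION_BYTES (1u << 20)   /* hypothetical per-session cap */

/* The check a signed counter would have needed: does adding n bytes to
 * position pos exceed INT_MAX?  Written as a subtraction so that the
 * test itself cannot overflow.  Returns 1 if pos + n would wrap negative. */
int would_wrap_int(int pos, size_t n)
{
    if (pos < 0) return 1;                 /* already wrapped: reject */
    return n > (size_t)(INT_MAX - pos);
}

/* Session accumulator using an unsigned counter plus explicit limits. */
struct smtp_accum {
    char  *buf;
    size_t cap;     /* bytes allocated for buf */
    size_t pos;     /* bytes currently buffered (always <= cap) */
    size_t total;   /* bytes accepted during the whole session */
};

/* Append n bytes.  Returns 0 on success, -1 if the data must be rejected
 * (the caller answers with a permanent error and drops the session).
 * On rejection nothing is written and pos is unchanged, so buf[pos]
 * can never index outside the allocation. */
int accum_feed(struct smtp_accum *a, const char *data, size_t n)
{
    if (n > SIZE_MAX - a->total) return -1;            /* arithmetic wrap */
    if (a->total + n > MAX_SESSION_BYTES) return -1;   /* policy cap */
    if (n > a->cap - a->pos) return -1;                /* no buffer room */
    memcpy(a->buf + a->pos, data, n);
    a->pos += n;
    a->total += n;
    return 0;
}
```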

2. SuSE 3Ddiag Insecure Temporary File Handling Symbolic Link V...
BugTraq ID: 9434
Remote: No
Date Published: Jan 15 2004
Relevant URL: http://www.securityfocus.com/bid/9434
Summary:
3Ddiag is a 3D diagnosis tool designed to evaluate the 3D hardware,
software libraries and hardware driver configuration on SuSE Linux 7.3
and greater.

A vulnerability has been found in the handling of temporary files by the
3Ddiag tool in the SuSE Linux distribution.  This issue may allow local
destruction of data on affected systems, potentially leading to a loss
of sensitive data or denial of service.

This issue is due to the 3Ddiag tool failing to properly handle the
creation and state of temporary files in the /usr/bin/switch2nv,
/usr/bin/switch2nvidia and /usr/bin/3Ddiag.ignoredb applications.

The switch2nv and switch2nvidia scripts, which are used by the 3Ddiag
utility, create a file in the /tmp directory named XF86Config. An
attacker would be able to remove the temporary file and replace it with
a malicious symbolic link pointing to a target file.  When either
application is activated it will write to the link with root privileges
and without verifying the file's validity, causing the target file to be
overwritten.

The 3Ddiag.ignoredb application creates a temporary file in the /tmp/
directory named 3Ddiag.ignoredb.  An attacker can create a symbolic link
with a name corresponding to the temporary file.  When the 3Ddiag
application is activated, the target file will be overwritten with root
privileges, thus causing loss of sensitive data or denial of service
against the vulnerable system.

This issue is likely only to affect personal desktop machines and poorly
configured servers, as this tool is implemented to update software
libraries and hardware configurations and is not intended for use by
remote users.  Furthermore, this tool is only available for SuSE Linux
7.3 and greater.

3. Invision Power Board Index.php Cross-Site Scripting Vulnerab...
BugTraq ID: 9447
Remote: Yes
Date Published: Jan 19 2004
Relevant URL: http://www.securityfocus.com/bid/9447
Summary:
Invision Power Board is web forum software. It is implemented in PHP and
is available for Unix and Linux variants and Microsoft Windows operating
systems.

A vulnerability has been reported to exist in Invision Power Board that
may allow a remote user to launch cross-site scripting attacks.

The issue is reported to exist due to improper sanitizing of
user-supplied data. It has been reported that HTML and script code may
be passed via the 'act' URI parameter of the 'Index.php' script. This
vulnerability makes it possible for an attacker to construct a malicious
link containing HTML or script code that may be rendered in a user's
browser upon visiting that link. This attack would occur in the security
context of the site.

Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Other attacks are also
possible.

All versions of Invision Power Board have been reported to be vulnerable
to this issue.

4. YABB SE SSI.PHP ID_MEMBER SQL Injection Vulnerability
BugTraq ID: 9449
Remote: Yes
Date Published: Jan 19 2004
Relevant URL: http://www.securityfocus.com/bid/9449
Summary:
YaBB SE is a freely available, open source port of Yet Another Bulletin
Board (YaBB). It is available for Unix, Linux, and Microsoft Operating
Systems.

A problem with YaBB SE could make it possible for a remote user to
launch SQL injection attacks.

It has been reported that a problem exists in the SSI.php script
distributed as part of YaBB SE. Due to insufficient sanitizing of the
user-supplied ID_MEMBER URI parameter, it is possible for a remote user
to inject arbitrary SQL queries into the database used by YaBB SE. This
could permit remote attackers to pass malicious input to database
queries, resulting in modification of query logic or other attacks.

Successful exploitation could result in compromise of the YaBB SE
installation, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.

5. GoAhead WebServer Directory Management Policy Bypass Vulnera...
BugTraq ID: 9450
Remote: Yes
Date Published: Jan 19 2004
Relevant URL: http://www.securityfocus.com/bid/9450
Summary:
GoAhead WebServer is an embedded web server implementation that is
available for a number of operating systems, including Microsoft Windows
and Unix/Linux derivatives.

GoAhead WebServer allows users to configure a policy for how requests
for resources in certain directories are handled, such as defining
default actions for resources in cgi-bin or other directories.  This is
handled internally via the websUrlHandlerRequest() server function.
GoAhead WebServer is prone to a vulnerability that may permit remote
attackers to bypass directory management policy.

It is reported that certain syntax may be used in HTTP GET requests to
bypass the policy for how certain requests should be handled; for
example, a script that should be interpreted may be downloaded by the
attacker instead.  The following example requests are reported to
reproduce this behavior:

GET cgi-bin/cgitest.c HTTP/1.0
GET \cgi-bin/cgitest.c HTTP/1.0
GET %5ccgi-bin/cgitest.c HTTP/1.0

By omitting the initial forward-slash (/) or substituting a back-slash
(\) for the initial forward-slash, it is possible to bypass directory
management policy.  A URL-encoded back-slash (%5c) at the beginning of
the request may also bypass the policy.  Other variations also exist.

This could allow for unauthorized access to resources hosted on the
server, likely resulting in disclosure of sensitive information such as
script source code.  The exact consequences will depend on what sort of
directory management policy is in place and also the nature of
information included in scripts or other sensitive resources hosted on
the server.
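All three request forms above spell the leading slash differently, so a policy check that matches the raw request string misses every one. As an added example (not GoAhead's websUrlHandlerRequest() code), canonical_path and policy_is_cgi are hypothetical helpers that percent-decode, fold backslashes to slashes, restore the leading slash and resolve dot segments before the directory policy is consulted, so that all three requests compare equal to /cgi-bin/cgitest.c.

```c
#include <stddef.h>
#include <string.h>

/* Decode one %XX escape at s; returns the byte value or -1 if malformed. */
static int hexpair(const char *s)
{
    int v = 0;
    for (int i = 0; i < 2; i++) {
        char c = s[i];
        v <<= 4;
        if (c >= '0' && c <= '9')      v |= c - '0';
        else if (c >= 'a' && c <= 'f') v |= c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') v |= c - 'A' + 10;
        else return -1;
    }
    return v;
}

/* Canonicalise a raw request path into out (outsz bytes): percent-decode
 * (rejecting bad escapes and NUL), treat '\' exactly like '/', rebuild
 * from the root so a missing leading '/' is restored, drop empty and "."
 * segments, resolve ".." without climbing above "/".  Returns 0 or -1. */
int canonical_path(const char *raw, char *out, size_t outsz)
{
    char dec[1024];
    size_t n = 0;
    for (const char *p = raw; *p; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            c = hexpair(p + 1);
            if (c <= 0) return -1;            /* bad escape or encoded NUL */
            p += 2;
        }
        if (c == '\\') c = '/';
        if (n + 1 >= sizeof dec) return -1;
        dec[n++] = (char)c;
    }
    dec[n] = '\0';

    if (outsz < 2) return -1;
    size_t o = 0;
    out[o++] = '/';                            /* every canonical path is absolute */
    for (const char *p = dec; *p; ) {
        while (*p == '/') p++;                 /* skip empty segments */
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 0) break;
        if (len == 1 && seg[0] == '.') continue;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            while (o > 1 && out[o - 1] != '/') o--;   /* pop last segment */
            if (o > 1) o--;                           /* and its slash */
            continue;
        }
        if (o + len + 2 > outsz) return -1;
        if (out[o - 1] != '/') out[o++] = '/';
        memcpy(out + o, seg, len);
        o += len;
    }
    out[o] = '\0';
    return 0;
}

/* Directory policy applied only to the canonical form: 1 if the request
 * falls under /cgi-bin/ (execute, never serve as a file), 0 otherwise,
 * -1 if the request could not be canonicalised (reject it outright). */
int policy_is_cgi(const char *raw)
{
    char canon[1024];
    if (canonical_path(raw, canon, sizeof canon) != 0) return -1;
    return strncmp(canon, "/cgi-bin/", 9) == 0;
}
```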

6. GoAhead WebServer Post Content-Length Remote Resource Consum...
BugTraq ID: 9452
Remote: Yes
Date Published: Jan 19 2004
Relevant URL: http://www.securityfocus.com/bid/9452
Summary:
GoAhead WebServer is an embedded web server implementation that is
available for a number of operating systems, including Microsoft Windows
and Unix/Linux derivatives.

A vulnerability in the handling of unusual HTTP requests and
content-length sizes may cause a vulnerable GoAhead WebServer to become
unstable.  Because of this, a remote attacker may be able to consume
excessive resources on the underlying host, resulting in a denial of
service condition.

The problem is in the handling of remote POST requests.  By specifying a
content-length of a specific size in a POST request, sending data of a
lesser size, and then breaking the connection, it is possible to send
the service into an infinite loop.  The program does not sufficiently
handle the condition of a broken connection, and can consume excessive
system resources, potentially taking down the system with the service.
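The failure mode above is a body-read loop that does not stop when the peer disconnects. As an added example (constructed, not GoAhead code), read_post_body treats read() returning 0 as end of input and gives up once fewer bytes than Content-Length have arrived, and also rejects a Content-Length above a hypothetical cap MAX_BODY; simulate_post replays the truncated POST over a pipe so the behaviour can be checked offline.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_BODY (1024 * 1024)     /* hypothetical per-request body cap */

/* Read exactly clen body bytes from the connection fd.  Returns a
 * NUL-terminated buffer the caller frees, or NULL if the client promised
 * more than it sent (read() == 0 is EOF: the loop must return, never
 * retry), on a read error, or if clen exceeds the cap.  *got reports the
 * bytes actually received. */
char *read_post_body(int fd, size_t clen, size_t *got)
{
    *got = 0;
    if (clen > MAX_BODY) return NULL;
    char *buf = malloc(clen + 1);
    if (!buf) return NULL;
    while (*got < clen) {
        ssize_t r = read(fd, buf + *got, clen - *got);
        if (r == 0) break;                       /* peer closed early */
        if (r < 0) {
            if (errno == EINTR) continue;        /* interrupted: retry */
            break;                               /* real error: give up */
        }
        *got += (size_t)r;
    }
    if (*got < clen) { free(buf); return NULL; } /* truncated body */
    buf[clen] = '\0';
    return buf;
}

/* Constructed client: declares Content-Length `claimed`, writes `sent`
 * bytes over a pipe and closes it.  Returns 1 if the body read
 * completed, 0 if the server side detected the truncated body and
 * returned, -1 on setup failure. */
int simulate_post(size_t claimed, size_t sent)
{
    int p[2];
    if (pipe(p) != 0) return -1;
    char *payload = malloc(sent + 1);
    if (!payload) return -1;
    memset(payload, 'A', sent);
    ssize_t w = write(p[1], payload, sent);     /* sent must fit the pipe buffer */
    free(payload);
    close(p[1]);                                 /* client breaks the connection */
    if (w != (ssize_t)sent) { close(p[0]); return -1; }
    size_t got = 0;
    char *body = read_post_body(p[0], claimed, &got);
    close(p[0]);
    int completed = body != NULL;
    free(body);
    return completed;
}
```

On a real socket this still needs a receive timeout (poll() or SO_RCVTIMEO) for a client that stalls without closing, since read() then blocks rather than returning 0.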

7. SuSE Multiple Scripts Insecure Temporary File Handling Symbo...
BugTraq ID: 9457
Remote: No
Date Published: Jan 20 2004
Relevant URL: http://www.securityfocus.com/bid/9457
Summary:
fvwmbug is a helper shell script that allows a user to compose and email
bug reports that concern FVWM. wm-oldmenu2new is used to convert an
old-style WindowMaker menu file to the new PropertyList style.
x11perfcomp is a script that merges and formats the output of x11perf.
xf86debug is a script used to debug the X server; it must be invoked by
the root user. winpopup-send.sh is a script that is shipped as part of
the kopete package. lvmcreate_initrd is used to create a new compressed
initial ramdisk.

Multiple scripts that are shipped with SuSE 9.0 have been reported prone
to insecure temporary file creation and symbolic link vulnerabilities.
The following scripts have been reported vulnerable:
/usr/X11R6/bin/fvwm-bug
/usr/X11R6/bin/wm-oldmenu2new
/usr/X11R6/bin/x11perfcomp
/usr/X11R6/bin/xf86debug
/opt/kde3/bin/winpopup-send.sh
/sbin/lvmcreate_initrd

The issues are present because the vulnerable scripts create temporary
files in an insecure manner. Specifically, when a script is invoked a
predictable temporary file is created. To exploit this issue, a local
attacker may create many symbolic links in the "tmp" directory with
incremental values representing the variable part of the vulnerable
temporary filename. Each of these links will point to an arbitrary file
that the attacker wishes to target. When the vulnerable script is
invoked, operations intended for the temporary file will be carried out
on the file that the malicious symbolic link points to.

An attacker may exploit these issues to corrupt arbitrary files. This
corruption may potentially result in the elevation of privileges, or in
a system-wide denial of service.

Each issue described in this BID will be given an individual BID once
further analysis is complete.
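Both the 3Ddiag scripts (BID 9434) and the scripts listed above create files at fixed names under /tmp, which is what lets a pre-placed symbolic link redirect the write. As an added example (not SuSE's scripts, which are shell), this C program contrasts a predictable open with one that uses O_EXCL and O_NOFOLLOW, and demo_symlink_defence replays the situation in a private scratch directory with constructed file names (victim.conf and XF86Config are illustrative).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisories describe: a fixed, predictable name in /tmp
 * opened for writing.  open() follows whatever symlink already sits at
 * that name, so the link target is truncated with the caller's privileges. */
int open_tmp_predictable(const char *fixed_path)
{
    return open(fixed_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened variant for a name that must stay fixed: O_EXCL refuses any
 * pre-existing entry (including a dangling symlink) and O_NOFOLLOW refuses
 * to traverse a link.  Returns the fd, or -1 with errno set (EEXIST/ELOOP).
 * Where the name need not be fixed, mkstemp() is the better choice. */
int open_tmp_exclusive(const char *fixed_path)
{
    return open(fixed_path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Demo in a private scratch directory: a "victim" config file and, at the
 * predictable temp name XF86Config, a symlink pointing at it (constructed
 * setup).  Sets *unsafe_truncated to 1 if the predictable open emptied
 * the victim.  Returns 1 if the exclusive open refused the link and left
 * the victim intact, 0 if not, -1 on setup failure. */
int demo_symlink_defence(int *unsafe_truncated)
{
    char dir[] = "/tmp/symdemo.XXXXXX";
    char victim[128], link[128];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(link, sizeof link, "%s/XF86Config", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("Section \"Device\"\nEndSection\n", f);
    fclose(f);
    if (symlink(victim, link) != 0) return -1;

    int fd = open_tmp_exclusive(link);          /* expected: -1, EEXIST */
    if (fd >= 0) close(fd);
    int refused = (fd < 0) && stat(victim, &st) == 0 && st.st_size > 0;

    fd = open_tmp_predictable(link);            /* follows the link */
    if (fd >= 0) close(fd);
    *unsafe_truncated = stat(victim, &st) == 0 && st.st_size == 0;

    unlink(link); unlink(victim); rmdir(dir);   /* clean up the scratch dir */
    return refused;
}
```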

8. WebTrends Reporting Center Management Interface Path Disclos...
BugTraq ID: 9460
Remote: Yes
Date Published: Jan 20 2004
Relevant URL: http://www.securityfocus.com/bid/9460
Summary:
WebTrends Reporting Center is used to organize and present usage
information for multiple server web environments. Reporting Center is
available for Microsoft Windows, Linux and Solaris.

The WebTrends Reporting Center management interface discloses
installation path information when a non-existent resource is requested.
The management interface is accessible via HTTP on TCP port 1099.  This
issue exists in the 'viewreport.pl' script included with the interface
and may be triggered by specifying a non-existent ID for the 'profileid'
parameter.  The absolute physical path of the software installation will
be disclosed in the error response to such a request.  This information
may permit an attacker to enumerate the layout of the underlying file
system of the host.

This issue was reported for version 6.1a of the software running on
Microsoft Windows.  Other platforms and versions may also be affected.

9. Honeyd Remote Virtual Host Detection Vulnerability
BugTraq ID: 9464
Remote: Yes
Date Published: Jan 18 2004
Relevant URL: http://www.securityfocus.com/bid/9464
Summary:
Honeyd is honeypot software that simulates virtual hosts on IP addresses
that are not in use.  It is available for various Unix/Linux
derivatives.

Honeyd is prone to a vulnerability that may permit remote users to
detect the presence of the server.  This is due to a flaw in how Honeyd
responds to certain TCP SYN packets, effectively allowing a remote user
to determine if a scanned address is a virtual Honeyd host.  Upon
receipt of such a packet, the daemon will respond with a packet that has
the SYN and RST flags set.  The consequence is that a remote attacker
could enumerate the existence of simulated Honeyd hosts and then either
target specific attacks against these hosts or avoid them altogether.

10. Acme thttpd CGI Test Script Cross-Site Scripting Vulnerabili...
BugTraq ID: 9474
Remote: Yes
Date Published: Jan 22 2004
Relevant URL: http://www.securityfocus.com/bid/9474
Summary:
thttpd is an HTTP server implementation that is maintained by Acme.  It
is intended to run on Unix/Linux variants.

thttpd is prone to a cross-site scripting vulnerability in the CGI test
script.  This could permit a remote attacker to create a malicious link
to the web server that includes hostile HTML and script code.  If this
link were followed, the hostile code may be rendered in the web browser
of the victim user.  This would occur in the security context of the web
server and may allow for theft of cookie-based authentication
credentials or other attacks.

It should be noted that FREESCO includes an embedded version of thttpd
and is also prone to this vulnerability due to its inclusion of the
vulnerable component.


III. LINUX FOCUS LIST SUMMARY
-----------------------------
NO NEW POSTS FOR THE WEEK 2004-01-19 to 2004-01-26.


IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:

Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so choose.

Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to
become exploit developers.

2. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT,
Windows XP
Relevant URL: http://www.infoseccorp.com/products/secretagent/contents.htm
Summary:

SecretAgent is a file encryption and digital signature utility,
supporting cross-platform interoperability over a wide range of
platforms: Windows, Linux, Mac OS X, and UNIX systems.

It's the perfect solution for your data security requirements,
regardless of the size of your organization.

Using the latest recognized standards in encryption and digital
signature technology, SecretAgent ensures the confidentiality,
integrity, and authenticity of your data.

3. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely
share business information among customers, business partners, and
remote branches. It provides a seamless, LAN-like experience over the
Internet that includes all the security, performance, accessibility, and
ease of administration required to allow organizations to share everyday
information worldwide. To learn more about these core attributes of the
Inter-Business Vault, see the Relevant URL above.

4. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, Solaris,
UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:

EnCase Forensic Edition Version 4 delivers the most advanced features
for computer forensics and investigations. With an intuitive GUI and
superior performance, EnCase Version 4 provides investigators with the
tools to conduct large-scale and complex investigations with accuracy
and efficiency. Guidance Software's award-winning solution yields
completely non-invasive computer forensic investigations while allowing
examiners to easily manage large volumes of computer evidence and view
all relevant files, including "deleted" files, file slack and
unallocated space.

The integrated functionality of EnCase allows the examiner to perform
all functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.

5. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, Windows
95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:

KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity
within an accounting or specialist system. It is completely undetectable
by software scanners and provides you with one of the most powerful
stealth surveillance applications offered anywhere.

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data
stored within the device.

6. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:

Evidian's SafeKit technology makes it possible to render any application
available 24 hours per day. With no extra hardware: just use your
existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to
do is add more standard servers into the cluster. With the load
balancing features of SafeKit, you can distribute applications over
multiple servers. If one system fails completely, the others will
continue to serve your users.


V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Brcontrol v0.02
By: tascon
Relevant URL: http://sourceforge.net/projects/brcontrol/
Platforms: Linux
Summary:

Brcontrol is a set of patches to allow some interaction between an IDS
and a firewall. Currently, snort is supported as an IDS, and the
netfilter facility of Linux is supported as a firewall. Brcontrol can
help in the creation of aggressive honeypots or other advanced firewall
and IDS configurations. It can also work as a bridge.

2. weedlog v1.0.1
By: Phil Jones, weed@firepool.com
Relevant URL: http://www.firepool.com/weedlog/
Platforms: Linux
Summary:

weedlog is a packet logger designed to help in debugging network
connections on non-router systems. It currently supports the ICMP, IGMP,
TCP, and UDP protocols. weedlog supports sending output to stdout, a
file, or to syslog.

3. PeerProtect v0.5
By: Poulet Fabrice
Relevant URL: http://www.atout.be/
Platforms: Linux, POSIX
Summary:

PeerProtect is an addon for Jay's firewall that generates a file which
contains all IP addresses from the RIAA and MPAA, etc. and will protect
peer-to-peer programs from them.

4. Fast OnlineUpdate for SuSE v0.11.0
By: Markus Gaugusch
Relevant URL: http://fou4s.gaugusch.at/
Platforms: Linux, POSIX
Summary:

Fast OnlineUpdate for SuSE (fou4s) is a bash script that provides the
functionality of YOU (YaST OnlineUpdate), but can also work in the
background and check for updates every night. It supports resumed
downloads and proxies by using wget. GPG signatures are also checked.

5. Qryptix v0.1b
By: Sivasankar Chander
Relevant URL: http://www.sourceforge.net/projects/qryptix
Platforms: Linux
Summary:

Qryptix consists of a PAM object and utilities for session- and
key-management for encrypted home directories using the International
Kernel (CryptoAPI) patches for Linux. It simplifies login/logout,
mounting/unmounting, and key generation and changing.

6. MUTE File Sharing v0.2.1
By: Jason Rohrer
Relevant URL: http://mute-net.sourceforge.net/
Platforms: Linux, MacOS, OS Independent, Windows 2000, Windows 95/98
Summary:

MUTE File Sharing is an anonymous, decentralized search-and-download
file sharing system. Several people have described MUTE as the "third
generation file sharing network" (from Napster to Gnutella to MUTE, with
each generation getting less centralized and more anonymous). MUTE uses
algorithms inspired by ant behavior to route all messages, including
file transfers, through a mesh network of neighbor connections.

VII. SPONSOR INFORMATION
-----------------------
This Issue Sponsored by: Qualys
