Date: Mon, 2 Feb 2004 13:10:31 -0700 (MST)
From: "John Boletta" <jboletta@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #169
SecurityFocus Linux Newsletter #169
------------------------------------
This issue sponsored by: Tenable Network Security
Doing network vulnerability scanning? Did you have to ask for permission? Did you have to beg for forgiveness from the admins you caused panic and disruption to? Try NeVO, the world's only 100% passive vulnerability scanner, from Tenable Network Security!
http://www.securityfocus.com/sponsor/TenableSecurity_linux-secnews_040202
For your 30 day demo please contact: sales@tenablesecurity.com
------------------------------------------------------------------------
I. FRONT AND CENTER
1. The Soft Underbelly: Attacking the Client
2. Digital Signatures and European Laws
3. Worms Hit Home
4. We are pleased to announce a new search engine on SecurityFocus.
II. LINUX VULNERABILITY SUMMARY
1. Gaim Multiple Remote Boundary Condition Error Vulnerabilitie...
2. Antologic Antolinux Administrative Interface NDCR Parameter ...
3. Cherokee Error Page Cross Site Scripting Vulnerability
4. Xoops Viewtopic.php Cross-Site Scripting Vulnerability
5. TCPDump ISAKMP Decoding Routines Denial Of Service Vulnerabi...
6. Macromedia ColdFusion MX Security Sandbox Circumvention Vuln...
7. Third-party CVSup Binary Insecure ELF RPATH Library Replacem...
III. LINUX FOCUS LIST SUMMARY
1. UNIX Authentication (Thread)
2. Shadow files and the password "!!". (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. Immunity CANVAS
2. SecretAgent
3. Cyber-Ark Inter-Business Vault
4. EnCase Forensic Edition
5. KeyGhost SX
6. SafeKit
V. NEW TOOLS FOR LINUX PLATFORMS
1. Andutteye Surveillance (server) v1.16
2. PIKT - Problem Informant/Killer Tool v1.16.1
3. DNS Blacklist Packet Filter v0.1
4. MUTE File Sharing v0.2.2
5. Socks Server 5 v2.4r7
6. Scapy v0.9.
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. The Soft Underbelly: Attacking the Client
By Tom Vogt
This article discusses the lack of security inside many corporate networks once hackers have breached the border perimeter and firewall. Client-based attack vectors, malicious payloads and their potential impact to an organization are also discussed.
http://www.securityfocus.com/infocus/1758
2. Digital Signatures and European Laws
By Mirella Mazzeo
This article discusses the security requirements for electronic communications and commerce with European governments and many European-based businesses. It will also give an overview of the current trends for public key infrastructure in Europe, useful for any organization that does business with the EU.
http://www.securityfocus.com/infocus/1756
3. Worms Hit Home
By Kelly Martin
The fact that each of us can only control and manage the patches and virus definitions on machines within our own borders means little as we watch the promulgation of malcode on millions of home machines outside of our control.
http://www.securityfocus.com/columnists/216
4. We are pleased to announce a new search engine on SecurityFocus, offering faster and more intuitive results. Features include site wide or section specific searching by author, headline or entire document and sorting by date, headline or URL.
II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Gaim Multiple Remote Boundary Condition Error Vulnerabilitie...
BugTraq ID: 9489
Remote: Yes
Date Published: Jan 26 2004
Relevant URL: http://www.securityfocus.com/bid/9489
Summary:
Gaim is an instant messaging client that supports numerous protocols. It is available for the Unix and Linux platforms.
Several vulnerabilities in the handling of YMSG protocol, Oscar protocol, proxy handling, and Gaim utilities have been identified. Because of these issues, it may be possible for a remote attacker to gain unauthorized access to hosts using the vulnerable software.
Reports indicate the following 12 problems:
Due to two errors in the handling of octal decoding code used for e-mail notification, it is possible to create a condition suitable for heap-based overflow attacks.
An overflow in the parsing of Yahoo Web cookies in HTTP headers exists when handling a specially prepared cookie. Initial reports indicate a low possibility of exploitation due to circumstances in memory management of various platforms.
There is insufficient bounds checking of data returned from the Yahoo! Login page. Name and Value strings returned to the client from a system purporting to be the Yahoo! Login page could potentially result in the execution of arbitrary code on the client side.
The YMSG protocol handler is vulnerable to a buffer overflow when handling keynames of excessive sizes, usually greater than 64 bytes. Remote communications with maliciously crafted keynames can be forwarded through the Yahoo! server.
An integer overflow exists in the DirectIM handling by Gaim. A remote user sending a value to a vulnerable Gaim client with a payload length of UINT_MAX will result in an overflow in the calloc function.
Due to two errors in the handling of Quoted Printable decoding code used for e-mail notification, it is possible to create conditions suitable for heap-based overflow attacks.
The URI parsing utility contains an overflow in the handling of specially crafted URIs. An attacker could pass along a URI of excessive length to create an exploitable stack overflow.
The Get User Info utility performs inadequate bounds checking on data received from the YMSG and MSN protocol handlers. Because of this, it is possible for a remote attacker to exploit a stack overflow in the utility to execute arbitrary code.
A client-side overflow in the handling of HTTP proxy connections exists in Gaim. A remote proxy sending a string of data in excess of 8192 bytes could potentially create an exploitable stack overflow on the client system.
These issues are undergoing further analysis and will be separated into individual BIDs when analysis is complete.
*Update: Ultramagnetic, a concurrent fork of the Gaim instant messaging software, has also been reported to be affected by the issues listed under CAN-2004-0006, CAN-2004-0007 and CAN-2004-0008.
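The DirectIM and YMSG items above both come down to a peer-supplied length reaching an allocator or a fixed buffer unchecked. As an added example, not Gaim's code: the wrap-around arithmetic behind the UINT_MAX report, next to a hardened length check and a bounded key-name copy. The 1 MiB body limit, the 65-byte name buffer and the sample inputs are assumptions made for the demonstration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limits, not Gaim's own constants: a DirectIM body over 1 MiB is
 * never legitimate, and a YMSG key name never exceeds 64 bytes, the size
 * the report gives as the overflow threshold. */
#define MAX_DIRECTIM_LEN (1024u * 1024u)
#define MAX_KEYNAME_LEN  64u

/* The arithmetic behind the DirectIM bug: a peer-chosen 32-bit length plus
 * one byte for a terminator wraps to 0 when the length is UINT_MAX, so an
 * allocation sized from it is far smaller than the data copied into it. */
uint32_t terminator_sized_len(uint32_t declared_len)
{
    return (uint32_t)(declared_len + 1u);      /* UINT_MAX + 1 == 0 */
}

/* Hardened allocation: bound the declared length before any arithmetic
 * touches it. Returns NULL so the caller can drop the message. */
char *alloc_directim_body(uint32_t declared_len)
{
    if (declared_len > MAX_DIRECTIM_LEN)
        return NULL;                           /* oversized (or would wrap) */
    return calloc((size_t)declared_len + 1u, 1u); /* at most 1 MiB + 1 now */
}

/* Bounded copy of a YMSG key name into a fixed buffer. Over-long names are
 * rejected rather than truncated, so a peer gets neither an overflow nor a
 * silently altered name. Returns 0 on success, -1 on rejection. */
int copy_keyname(char *dst, size_t dstsz, const char *src, size_t srclen)
{
    if (dstsz < MAX_KEYNAME_LEN + 1u || srclen > MAX_KEYNAME_LEN)
        return -1;
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Wrapper for NUL-terminated input using a correctly sized stack buffer. */
int keyname_accepted(const char *src)
{
    char name[MAX_KEYNAME_LEN + 1];
    return copy_keyname(name, sizeof name, src, strlen(src));
}

/* Constructed sample inputs: a normal key name and an 80-byte one. */
static const char SAMPLE_KEYNAME[] = "YMSG_user_1";
static const char SAMPLE_LONG_KEYNAME[] =
    "AAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAA";

int main(void)
{
    char *body = alloc_directim_body(UINT_MAX);           /* rejected: NULL */
    int ok = keyname_accepted(SAMPLE_KEYNAME);            /* 0 */
    int rejected = keyname_accepted(SAMPLE_LONG_KEYNAME); /* -1 */
    return (body == NULL && ok == 0 && rejected == -1) ? 0 : 1;
}
```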
2. Antologic Antolinux Administrative Interface NDCR Parameter ...
BugTraq ID: 9495
Remote: Yes
Date Published: Jan 26 2004
Relevant URL: http://www.securityfocus.com/bid/9495
Summary:
Antologic Antolinux is a Linux-based server. The server is shipped with an administrative interface written in PHP.
A vulnerability has been reported to exist in the administration interface of the product that may allow a remote attacker to execute arbitrary commands on vulnerable systems. The issue reportedly exists in the 'NDCR' parameter of the software. Due to insufficient sanitization of user-supplied input, data supplied to this variable will be interpreted in the shell. An attacker can exploit this vulnerability by passing malicious shell metacharacters to the software in order to execute arbitrary commands with the privileges of the server hosting the vulnerable software. It has been demonstrated that an attacker may gain access to the password file by carrying out a 'cat' command. An attacker may need to spoof the HTTP REFERER to carry out successful exploitation.
Antologic Antolinux 1.0 has been reported to be prone to this issue, however, other versions may be affected as well.
3. Cherokee Error Page Cross Site Scripting Vulnerability
BugTraq ID: 9496
Remote: Yes
Date Published: Jan 26 2004
Relevant URL: http://www.securityfocus.com/bid/9496
Summary:
Cherokee is a web server distributed under the GNU public license. It is available for numerous platforms, including Microsoft Windows and Unix/Linux variants.
Cherokee has been reported to contain a cross-site scripting vulnerability. This issue is due to the server failing to check and filter user-supplied strings issued to the server in a web request, which are then included directly in error output.
An attacker can exploit this issue by crafting a URI link containing the malevolent HTML or script code, and enticing a user to follow it. If this link were followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web server and may allow for theft of cookie-based authentication credentials or other attacks.
4. Xoops Viewtopic.php Cross-Site Scripting Vulnerability
BugTraq ID: 9497
Remote: Yes
Date Published: Jan 26 2004
Relevant URL: http://www.securityfocus.com/bid/9497
Summary:
Xoops is open-source, freely available web portal software written in object-oriented PHP. It is back-ended by a MySQL database and will run on most Unix and Linux distributions.
A vulnerability has been reported to exist in Xoops that may allow a remote user to execute HTML or script code in a user's browser.
The issue is reported to exist due to improper sanitizing of user-supplied data. It has been reported that HTML and script code may be parsed via the 'topic_id' and 'forum' URI parameters of the 'newbb/viewtopic.php' script.
This vulnerability makes it possible for an attacker to construct a malicious link containing HTML or script code that may be rendered in a user's browser upon visiting that link. This attack would occur in the security context of the site.
Successful exploitation of this attack may allow an attacker to steal cookie-based authentication credentials. Other attacks are also possible.
Xoops versions 2.x have been reported to be prone to this issue.
5. TCPDump ISAKMP Decoding Routines Denial Of Service Vulnerabi...
BugTraq ID: 9507
Remote: Yes
Date Published: Jan 27 2004
Relevant URL: http://www.securityfocus.com/bid/9507
Summary:
tcpdump is a freely available, open source network monitoring tool. It is available for the Unix, Linux, and Microsoft Windows operating systems.
A vulnerability has been identified in the software that may allow a remote attacker to cause a denial of service condition in the software.
The issue occurs due to the way tcpdump decodes Internet Security Association and Key Management Protocol (ISAKMP) packets. A remote attacker may cause the software to enter an infinite loop by sending malformed ISAKMP packets, resulting in a crash or hang.
Although unconfirmed, due to the nature of this issue, an attacker may leverage the issue by exploiting an unbounded memory copy operation to overwrite the saved return address/base pointer, causing an affected procedure to return to an address of their choice. Successful exploitation of this issue may allow an attacker to execute arbitrary code with the privileges of the tcpdump process in order to gain unauthorized access.
tcpdump versions prior to 3.8.1 have been reported to be prone to this issue.
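As an added example, not tcpdump's decoder: an ISAKMP payload-chain walker that cannot be driven into an infinite loop, because every payload header's length must move the offset forward and stay inside the captured packet. The header layout is RFC 2408's; the two packets and the MAX_PAYLOADS cap are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>

#define ISAKMP_HDR_LEN          28   /* RFC 2408 fixed header */
#define ISAKMP_PLD_HDR_LEN       4   /* generic payload header */
#define ISAKMP_OFF_NEXT_PAYLOAD 16   /* next-payload byte of the fixed header */
#define MAX_PAYLOADS            64   /* assumed sanity cap on chain length */

/* Walks the ISAKMP payload chain and returns the payload count, or -1 if
 * the packet is malformed. Every iteration either advances `off` by at
 * least ISAKMP_PLD_HDR_LEN bytes or returns, so no input can loop forever:
 * a payload length under 4 (which would leave `off` unchanged) or one that
 * runs past the captured bytes is rejected on the spot. */
int isakmp_count_payloads(const uint8_t *pkt, size_t len)
{
    if (len < ISAKMP_HDR_LEN)
        return -1;
    uint8_t next = pkt[ISAKMP_OFF_NEXT_PAYLOAD];
    size_t off = ISAKMP_HDR_LEN;
    int count = 0;
    while (next != 0) {                             /* 0 == no more payloads */
        if (off + ISAKMP_PLD_HDR_LEN > len)         /* header past end */
            return -1;
        uint16_t plen = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
        if (plen < ISAKMP_PLD_HDR_LEN || plen > len - off)
            return -1;                              /* no progress, or past end */
        if (++count > MAX_PAYLOADS)
            return -1;                              /* absurdly long chain */
        next = pkt[off];                            /* this payload's next type */
        off += plen;                                /* strictly increases */
    }
    return count;
}

/* Constructed packets, not real captures. Fixed header: two 8-byte cookies,
 * next payload, version 0x10, exchange type, flags, message id, length. */
static const uint8_t GOOD_PKT[] = {
    0,0,0,0,0,0,0,0,  0,0,0,0,0,0,0,0,       /* initiator/responder cookies */
    1, 0x10, 2, 0,  0,0,0,0,  0,0,0,40,      /* next=1 (SA), total length 40 */
    10, 0, 0, 8,  0,0,0,1,                   /* SA payload: next=10 (Nonce), len 8 */
    0, 0, 0, 4                               /* Nonce payload: next=0 (last), len 4 */
};
/* Same layout, but the SA payload claims length 0: a decoder that simply
 * adds the length to its offset would re-read this header forever. */
static const uint8_t ZERO_LEN_PKT[] = {
    0,0,0,0,0,0,0,0,  0,0,0,0,0,0,0,0,
    1, 0x10, 2, 0,  0,0,0,0,  0,0,0,40,
    10, 0, 0, 0,  0,0,0,1,
    0, 0, 0, 4
};

int main(void)
{
    int good = isakmp_count_payloads(GOOD_PKT, sizeof GOOD_PKT);         /* 2 */
    int bad = isakmp_count_payloads(ZERO_LEN_PKT, sizeof ZERO_LEN_PKT);  /* -1 */
    return (good == 2 && bad == -1) ? 0 : 1;
}
```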
6. Macromedia ColdFusion MX Security Sandbox Circumvention Vuln...
BugTraq ID: 9521
Remote: No
Date Published: Jan 28 2004
Relevant URL: http://www.securityfocus.com/bid/9521
Summary:
ColdFusion MX is the application server for developing and hosting infrastructure distributed by Macromedia. It is available as a standalone product for Unix, Linux, and Microsoft Operating Systems.
ColdFusion MX has been reported prone to a security sandbox circumvention vulnerability. The issue is reported to exist because programmers have the ability to create instances of classes without using "CreateObject()" or "<cfobject>" tags. It has been reported that the security sandbox does not prevent this behavior.
This issue cannot be exploited remotely, but the vulnerability may present a danger in a shared hosted environment.
An attacker may exploit this issue to circumvent the security sandbox of ColdFusion MX.
This issue has been reported to affect ColdFusion MX 6.1.
7. Third-party CVSup Binary Insecure ELF RPATH Library Replacem...
BugTraq ID: 9523
Remote: No
Date Published: Jan 29 2004
Relevant URL: http://www.securityfocus.com/bid/9523
Summary:
CVSup is a network file distribution utility that is intended to be used with CVS repositories. It is available for various Unix/Linux derivatives.
It has been reported that some third-party vendor-supplied CVSup binaries may have an insecure ELF RPATH that includes world-writeable directories in the path. This variable is used to specify the run-time search path for ELF objects. A local attacker could exploit this issue by placing malicious libraries in these directories, which would be dynamically linked against at run-time when the cvsup, cvsupd or cvpasswd programs are executed. This would result in execution of arbitrary code with elevated privileges.
This issue was reported to affect CVSup RPMs that ship with SuSE Linux. Other distributions may also be affected. In the instance of SuSE, the /home/anthon and /usr/src/packages directories included in the search path may be world-writeable, depending on the value of the PERMISSIONS_SECURITY setting in the /etc/sysconfig/security configuration file. Statically linked versions of the software should not be affected by this issue.
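A local check for the condition described above, as an added example rather than anything from CVSup or SuSE: given the RPATH string that `readelf -d` prints for a binary, it reports entries a local user could populate, that is world-writable directories (sticky bit or not), empty entries and relative paths. The scratch-directory helper and the 4096-byte entry limit are assumptions made for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* True if the mode grants "other" write access. The sticky bit is no
 * defence: it stops deleting others' files, not creating a new one. */
int mode_is_world_writable(mode_t mode)
{
    return (mode & S_IWOTH) != 0;
}

/* 1 if a world-writable directory, 0 if not, -1 if missing or not a dir. */
int dir_world_writable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return mode_is_world_writable(st.st_mode);
}

/* Scans a colon-separated RPATH (what `readelf -d` shows as "Library rpath:
 * [...]") and returns how many entries are dangerous: world-writable
 * directories, plus empty or relative entries, which the loader resolves
 * against the current directory. Entries with a loader token such as
 * $ORIGIN are printed for manual review and not counted. -1 if over-long. */
int rpath_unsafe_entries(const char *rpath)
{
    int unsafe = 0;
    char entry[4096];
    const char *p = rpath, *end;
    do {
        end = strchr(p, ':');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (n >= sizeof entry)
            return -1;
        memcpy(entry, p, n);
        entry[n] = '\0';
        if (entry[0] == '$') {
            printf("review: loader token in \"%s\"\n", entry);
        } else if (n == 0 || entry[0] != '/') {
            printf("unsafe: empty or relative entry \"%s\"\n", entry);
            unsafe++;
        } else if (dir_world_writable(entry) == 1) {
            printf("unsafe: world-writable %s\n", entry);
            unsafe++;
        }
        if (end)
            p = end + 1;
    } while (end);
    return unsafe;
}

/* Makes a world-writable scratch directory for the demo; chmod after mkdir
 * so the umask cannot strip o+w. Returns 0 on success. */
int make_world_writable_dir(const char *path)
{
    if (mkdir(path, 0777) != 0 && errno != EEXIST)
        return -1;
    return chmod(path, 0777);
}
```

Feed `rpath_unsafe_entries` the bracketed value from `readelf -d` on the cvsup binary; any non-zero count means the binary should be relinked without that RPATH or replaced by a statically linked build.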
III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. UNIX Authentication (Thread)
Relevant URL: http://www.securityfocus.com/archive/91/352108
2. Shadow files and the password "!!". (Thread)
Relevant URL: http://www.securityfocus.com/archive/91/351826
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:
Immunity CANVAS is 100% pure Python, and every license includes full access to the entire CANVAS codebase. Python is one of the easiest languages to learn, so even novice programmers can be productive on the CANVAS API, should they so choose.
Immunity CANVAS is both a valuable demonstration tool for enterprise information security teams or system administrators, and an advanced development platform for exploit developers, or people learning to become exploit developers.
2. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.infoseccorp.com/products/secretagent/contents.htm
Summary:
SecretAgent is a file encryption and digital signature utility, supporting cross-platform interoperability over a wide range of platforms: Windows, Linux, Mac OS X, and UNIX systems.
It's the perfect solution for your data security requirements, regardless of the size of your organization.
Using the latest recognized standards in encryption and digital signature technology, SecretAgent ensures the confidentiality, integrity, and authenticity of your data.
3. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:
Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business Vault is an information security solution that enables organizations to safely overcome traditional network boundaries in order to securely share business information among customers, business partners, and remote branches. It provides a seamless, LAN-like experience over the Internet that includes all the security, performance, accessibility, and ease of administration required to allow organizations to share everyday information worldwide.
4. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:
EnCase Forensic Edition Version 4 delivers the most advanced features for computer forensics and investigations. With an intuitive GUI and superior performance, EnCase Version 4 provides investigators with the tools to conduct large-scale and complex investigations with accuracy and efficiency. Guidance Software's award winning solution yields completely non-invasive computer forensic investigations while allowing examiners to easily manage large volumes of computer evidence and view all relevant files, including "deleted" files, file slack and unallocated space.
The integrated functionality of EnCase allows the examiner to perform all functions of the computer forensic investigation process. EnCase's EnScript, a powerful macro-programming language and API included within EnCase, allows investigators to build customized and reusable forensic scripts.
5. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:
KeyGhost SX discreetly captures and records all keystrokes typed, including chat conversations, email, word processor, or even activity within an accounting or specialist system. It is completely undetectable by software scanners and provides you with one of the most powerful stealth surveillance applications offered anywhere.
Because KeyGhost uses STRONG 128-Bit encryption to store the recorded data in its own internal memory (not on the hard drive), it is impossible for a network intruder to gain access to any sensitive data stored within the device.
6. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:
Evidian's SafeKit technology makes it possible to render any application available 24 hours per day. With no extra hardware: just use your existing servers and install this software-only solution.
This provides ultimate scalability. As your needs grow, all you need to do is add more standard servers into the cluster. With the load balancing features of SafeKit, you can distribute applications over multiple servers. If one system fails completely, the others will continue to serve your users.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Andutteye Surveillance (server) v1.16
By: andutt
Relevant URL: http://www.utterberg.com
Platforms: Linux
Summary:
Andutteye is surveillance software for Linux and Unix systems. It's used to monitor your system, resolve local actions, and send alarms to a central point. You can manage your client configurations, view and handle the incoming alarms, and have FAQ entries on well known alarms.
2. PIKT - Problem Informant/Killer Tool v1.16.1
By: Robert Osterlund, robert.osterlund@gsb.uchicago.edu
Relevant URL: http://pikt.org
Platforms: AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS
Summary:
PIKT is a cross-platform, multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. It consists of an embedded scripting language with unique, labor-saving features, a script and system config file preprocessor, a scheduler, an installer, and other tools.
3. DNS Blacklist Packet Filter v0.1
By: Russell Miller
Relevant URL:
Platforms: FreeBSD, Linux, NetBSD, OpenBSD, POSIX
Summary:
DNS Blacklist Packet Filter is a BSD/Linux netfilter client that decides whether to accept or drop packets based on the results of a DNS blacklist query (such as MAPS, SORBS, or SPEWS, to name a few). One use is to filter all incoming SMTP SYN packets for spam filtering.
4. MUTE File Sharing v0.2.2
By: Jason Rohrer
Relevant URL: http://mute-net.sourceforge.net/
Platforms: Linux, MacOS, Os Independent, Windows 2000, Windows 95/98
Summary:
MUTE File Sharing is an anonymous, decentralized search-and-download file sharing system. Several people have described MUTE as the "third generation file sharing network" (From Napster to Gnutella to MUTE, with each generation getting less centralized and more anonymous). MUTE uses algorithms inspired by ant behavior to route all messages, including file transfers, through a mesh network of neighbor connections.
5. Socks Server 5 v2.4r7
By: Matteo Ricchetti
Relevant URL: http://digilander.iol.it/matteo.ricchetti/
Platforms: Linux
Summary:
Socks Server 5 is a socks server for the Linux platform which supports the Socks protocol versions 4 and 5.
6. Scapy v0.9.
By: Philippe Biondi
Relevant URL: http://www.cartel-securite.fr/pbiondi/scapy.html
Platforms: Linux, POSIX
Summary:
Scapy is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery tool, and packet sniffer. It provides classes to interactively create packets or sets of packets, manipulate them, send them over the wire, sniff other packets from the wire, match answers and replies, and more. Interaction is provided by the Python interpreter, so Python programming structures can be used (such as variables, loops, and functions). Report modules are possible and easy to make. It is intended to do about the same things as ttlscan, nmap, hping, queso, p0f, xprobe, arping, arp-sk/arpspoof, firewalk, irpas, tethereal, and tcpdump.
VII. SPONSOR INFORMATION
-----------------------
This issue sponsored by: Tenable Network Security
Doing network vulnerability scanning? Did you have to ask for permission? Did you have to beg for forgiveness from the admins you caused panic and disruption to? Try NeVO, the world's only 100% passive vulnerability scanner, from Tenable Network Security!
http://www.securityfocus.com/sponsor/TenableSecurity_linux-secnews_040202
For your 30 day demo please contact: sales@tenablesecurity.com
------------------------------------------------------------------------