Date: 12 Oct 2004 19:33:33 -0000
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #205
SecurityFocus Linux Newsletter #205
------------------------------------

This issue sponsored by: Internet Security Systems

Internet Security Systems - Keeping You Ahead of the Threat
When business losses are measured in seconds, Internet threats must be
stopped before they impact your network. To learn how Internet Security
Systems keeps organizations ahead of the threat with preemptive intrusion
prevention, download the new whitepaper, Defining the Rules of Preemptive
Protection, and end your reliance on reactive security technology.

http://www.securityfocus.com/sponsor/ISS_linux-secnews_041012

------------------------------------------------------------------------
I. FRONT AND CENTER
     1. Defeating Honeypots: Network Issues, Part 2
     2. Fueling the Fire
II. LINUX VULNERABILITY SUMMARY
     1. Mozilla Firefox DATA URI File Deletion Vulnerability
     2. Debian GNU/Linux Telnetd Invalid Memory Handling Vulnerabili...
     3. Roaring Penguin PPPoE Arbitrary File Overwrite Vulnerability
     4. Macromedia ColdFusion MX Template Handling Privilege Escalat...
     5. DistCC Access Control Bypass Vulnerability
     6. IBM DB2 Multiple Critical Remote Vulnerabilities
     7. Jetty Directory Traversal Vulnerability
     8. Macromedia ColdFusion MX Remote File Content Disclosure Vuln...
     9. Invision Power Board Referer Cross-Site Scripting Vulnerabil...
     10. RealOne Player and RealPlayer Multiple Unspecified Remote Vu...
     11. MySQL MaxDB WebDBM Server Name Denial of Service Vulnerabili...
     12. Cyrus SASL Multiple Remote And Local Vulnerabilities
     13. Nathaniel Bray Yeemp File Transfer Public Key Verification B...
III. LINUX FOCUS LIST SUMMARY
     1. iptables & tcp wrappers (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. Cyber-Ark Inter-Business Vault
     2. EnCase Forensic Edition
     3. KeyGhost SX
     4. SafeKit
     5. Astaro Linux Firewall
     6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
     1. PIKT - Problem Informant/Killer Tool v1.17.0
     2. ID-Synch 3.1
     3. Nmap v3.70
     4. THC-Hydra v4.3
     5. Pads 1.1
     6. cenfw 0.3b
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Defeating Honeypots: Network Issues, Part 2
By Laurent Oudot and Thorsten Holz

The purpose of this paper is to explain how attackers behave when they
attempt to identify and defeat honeypots, and is useful information for
security professionals who need to deploy honeypots in a more stealthy
manner. Part 2 looks at Sebek-based honeypots, snort_inline, Fake AP, and
Bait and Switch honeypots.

http://www.securityfocus.com/infocus/1805


2. Fueling the Fire
By Scott Granneman

The latest Symantec Threat Report can provide us with information,
knowledge, and even a little bit of wisdom -- about what has truly become
an epidemic and an avenue for organized crime.

http://www.securityfocus.com/columnists/271

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Mozilla Firefox DATA URI File Deletion Vulnerability
BugTraq ID: 11311
Remote: Yes
Date Published: Oct 02 2004
Relevant URL: http://www.securityfocus.com/bid/11311
Summary:
It is reported that Mozilla Firefox is susceptible to a file deletion
vulnerability.

This vulnerability allows attackers who can lure unsuspecting users into
viewing malicious HTML or script code to cause the recursive deletion of
the victim user's configured download directory. They can achieve this by
crafting malicious web pages containing HTML or script code that uses the
'data:' URI scheme.

This vulnerability is reported to exist in Mozilla Firefox versions prior
to 0.10.1.

2. Debian GNU/Linux Telnetd Invalid Memory Handling Vulnerabili...
BugTraq ID: 11313
Remote: Yes
Date Published: Oct 03 2004
Relevant URL: http://www.securityfocus.com/bid/11313
Summary:
Telnetd as provided by Debian GNU/Linux is reported susceptible to an
invalid memory handling vulnerability. This issue is due to a failure of
the application to ensure that memory buffers are properly allocated
and deallocated.

It is conjectured that attackers may potentially leverage this
vulnerability to execute code in the context of the telnetd process. Debian
GNU/Linux runs the process as the unprivileged 'telnetd' user by default,
so a successful attack would not directly yield root privileges.

Versions of telnetd prior to 0.17-18woody1 for the stable branch, and 
0.17-26 for the unstable branch are reported to be affected by this 
vulnerability.

3. Roaring Penguin PPPoE Arbitrary File Overwrite Vulnerability
BugTraq ID: 11315
Remote: No
Date Published: Oct 04 2004
Relevant URL: http://www.securityfocus.com/bid/11315
Summary:
Roaring Penguin PPPoE is affected by a local arbitrary file overwrite
vulnerability. This issue is due to a failure of the affected program to
check whether a temporary file already exists before writing to it.

An attacker may exploit this vulnerability to overwrite any file on the
affected computer if the binary is installed setuid root. It should be
noted that this application is not installed with the setuid bit set by
default, which limits the impact to files the invoking user can already
write.
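
The bug class described above, as an added example that is not Roaring
Penguin's code: a writer that opens a predictable temporary path without
O_EXCL follows whatever already sits there, a pre-planted symbolic link
included, whereas an O_CREAT|O_EXCL open refuses. The sandbox directory,
the file names and the "victim" file are all constructed for the
demonstration; nothing here is taken from the affected program.

```python
"""Added example (not Roaring Penguin's code): writing to a predictable
temporary path without checking whether it already exists, beside the
O_EXCL open that refuses a pre-planted link.  Every path here is a
constructed name inside a throwaway sandbox directory."""
import os
import shutil
import tempfile

ORIGINAL = b"original contents\n"
PAYLOAD = b"attacker-controlled data\n"


def unsafe_write(tmp_path: str, data: bytes) -> None:
    # Vulnerable pattern: open(..., "wb") is O_CREAT|O_TRUNC without O_EXCL,
    # so if tmp_path already exists (a symlink, say) it is silently followed
    # and whatever it points at is truncated and overwritten.
    with open(tmp_path, "wb") as fh:
        fh.write(data)


def safe_write(tmp_path: str, data: bytes) -> None:
    # Hardened pattern: O_CREAT|O_EXCL makes open() fail with EEXIST when
    # anything, including a symlink, already sits at tmp_path, and the
    # 0600 mode keeps the new file private.
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def demo(use_safe: bool) -> dict:
    """Plant a symlink at the predictable temp name, run one writer and
    report whether the link target was clobbered."""
    sandbox = tempfile.mkdtemp(prefix="tmpfile-demo-")
    try:
        victim = os.path.join(sandbox, "victim.conf")       # stands in for a system file
        predictable = os.path.join(sandbox, "program.tmp")  # the guessable temp name
        with open(victim, "wb") as fh:
            fh.write(ORIGINAL)
        os.symlink(victim, predictable)                     # attacker gets there first

        writer = safe_write if use_safe else unsafe_write
        refused = False
        try:
            writer(predictable, PAYLOAD)
        except FileExistsError:
            refused = True
        with open(victim, "rb") as fh:
            clobbered = fh.read() != ORIGINAL
        return {"write_refused": refused, "victim_overwritten": clobbered}
    finally:
        shutil.rmtree(sandbox, ignore_errors=True)


if __name__ == "__main__":
    print("unsafe:", demo(False))   # victim overwritten
    print("safe:  ", demo(True))    # write refused, victim intact
```

In real code the idiomatic fix is tempfile.mkstemp (an unpredictable name
opened with O_EXCL) or a private per-user directory rather than a shared
one; the setuid caveat in the advisory matters because the open runs with
the program's effective privileges, so an unprivileged user's link would
be followed with root's.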

4. Macromedia ColdFusion MX Template Handling Privilege Escalat...
BugTraq ID: 11316
Remote: Yes
Date Published: Oct 04 2004
Relevant URL: http://www.securityfocus.com/bid/11316
Summary:
Reportedly Macromedia ColdFusion MX is affected by a privilege escalation
vulnerability when handling templates. This issue is due to an access
validation error that allows a user to perform actions with
administrator privileges.

An attacker may exploit this issue to gain administrative privileges on 
a computer running the vulnerable application.

5. DistCC Access Control Bypass Vulnerability
BugTraq ID: 11319
Remote: Yes
Date Published: Oct 04 2004
Relevant URL: http://www.securityfocus.com/bid/11319
Summary:
It is reported that the distcc access controls may malfunction under 
certain circumstances. This may result in access controls not being 
enforced.

A remote attacker may potentially exploit this vulnerability to gain 
access to the affected distcc service regardless of access control rules 
that are set in place.

This vulnerability is addressed in distcc 2.16.

6. IBM DB2 Multiple Critical Remote Vulnerabilities
BugTraq ID: 11327
Remote: Yes
Date Published: Oct 05 2004
Relevant URL: http://www.securityfocus.com/bid/11327
Summary:
The reported vulnerabilities include 20 remote vulnerabilities, most of 
which are buffer overflows.  All of these issues are apparently of 
'critical' severity.

Details about any of the vulnerabilities are not known at this time. 
This BID will be updated and split into individual BIDs as further 
information becomes available.

7. Jetty Directory Traversal Vulnerability
BugTraq ID: 11330
Remote: Yes
Date Published: Oct 05 2004
Relevant URL: http://www.securityfocus.com/bid/11330
Summary:
It is reported that Jetty is susceptible to a directory traversal 
vulnerability. This issue is due to a failure of the application to properly 
sanitize HTTP request URIs.

This vulnerability allows remote attackers to retrieve the contents of 
arbitrary, potentially sensitive files located on the serving computer 
with the credentials of the affected process.

It is unclear at this time exactly which versions of Jetty are affected 
by this vulnerability. This BID will be updated as further information 
is disclosed.

This vulnerability may be related to BID 4360.
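
The check a static-file handler needs against the bug class described
above, as an added example that is not Jetty's code and makes no claim
about where Jetty's own handling went wrong: the vulnerable variant looks
for ".." before percent-decoding, so "%2e%2e" slips past; the hardened one
decodes exactly once, normalizes, and then verifies the result still lies
under the document root. DOC_ROOT and the sample URIs are constructed.

```python
"""Added example (not Jetty's code): mapping an HTTP request path onto a
document root.  The vulnerable variant checks for ".." before percent-
decoding; the hardened one decodes first, normalizes, and then verifies
the result still lies under the root.  DOC_ROOT and the sample URIs are
constructed for the demonstration."""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/htdocs"   # hypothetical document root


def _request_path(request_uri: str) -> str:
    # Strip query string and fragment; only the path maps to the filesystem.
    return request_uri.split("?", 1)[0].split("#", 1)[0]


def resolve_vulnerable(request_uri: str, doc_root: str = DOC_ROOT):
    """Looks for '..' in the raw URI, then decodes it: '%2e%2e' gets past
    the check and is expanded afterwards."""
    path = _request_path(request_uri)
    if ".." in path:
        return None
    return posixpath.join(doc_root, unquote(path).lstrip("/"))


def resolve_hardened(request_uri: str, doc_root: str = DOC_ROOT):
    """Decode exactly once, normalize lexically, and confirm containment.
    Returns the absolute path to serve, or None to answer 403/404."""
    path = unquote(_request_path(request_uri))
    # NUL bytes and backslashes have no place in a URI path and are classic
    # ways to confuse a filesystem layer that treats them specially.
    if "\x00" in path or "\\" in path:
        return None
    # Normalize as a *relative* path so that a leading '..' survives
    # (posixpath.normpath would swallow it on an absolute path).
    rel = posixpath.normpath(path.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        return None
    root = posixpath.normpath(doc_root)
    full = posixpath.normpath(posixpath.join(root, rel))
    # Final containment check: the resolved path is the root itself or
    # something strictly below it.  Symlinks inside the root are a separate
    # policy decision and would need os.path.realpath on the live filesystem.
    if full != root and not full.startswith(root + "/"):
        return None
    return full


if __name__ == "__main__":
    for uri in ("/docs/index.html?v=1", "/%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/a/../b"):
        print(uri, "->", resolve_vulnerable(uri), "|", resolve_hardened(uri))
```

Decoding once matches what the server itself does once; a double-encoded
"%252e%252e" therefore ends up as a literal directory named "%2e%2e" under
the root and simply does not exist, which is the right outcome.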

8. Macromedia ColdFusion MX Remote File Content Disclosure Vuln...
BugTraq ID: 11331
Remote: Yes
Date Published: Oct 05 2004
Relevant URL: http://www.securityfocus.com/bid/11331
Summary:
Macromedia ColdFusion MX is affected by a remote file content
disclosure vulnerability. This vulnerability is caused by an access
validation issue that allows an attacker to bypass protections and reveal
the contents of files.

It should be noted that this issue does not reveal directory contents;
attackers must therefore have prior knowledge of the target files' paths.

An attacker may leverage this issue to read the contents of files
contained under the webroot directory that are readable by the ColdFusion
process on the affected computer, effectively bypassing access
restrictions set in the IIS management system.

9. Invision Power Board Referer Cross-Site Scripting Vulnerabil...
BugTraq ID: 11332
Remote: Yes
Date Published: Oct 05 2004
Relevant URL: http://www.securityfocus.com/bid/11332
Summary:
Reportedly Invision Power Board is affected by a remote cross-site 
scripting vulnerability.  This issue is due to a failure of the application 
to validate or sanitize user supplied input prior to including it in 
dynamic Web content.

An attacker may leverage this issue to execute arbitrary script code in 
the browser of an unsuspecting user in the context of the vulnerable 
application, facilitating the theft of cookie-based authentication 
credentials as well as other attacks.
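
The failure described above, as an added example that is not Invision
Power Board's code: a page that echoes the Referer header back as a
"back" link. The vulnerable renderer inserts the header verbatim; the
hardened one escapes it for the HTML context and only links to http(s)
URLs. The template, the parser-based oracle and the hostile header value
are all constructed for the demonstration.

```python
"""Added example (not Invision Power Board's code): a page that echoes the
Referer header back as a "back" link.  The vulnerable renderer inserts the
header verbatim; the hardened one escapes it for the HTML context and only
links to http(s) URLs.  The template and the sample header are constructed."""
from html import escape
from html.parser import HTMLParser


def render_back_link_vulnerable(referer: str) -> str:
    # Vulnerable: the attacker-controlled header lands in an attribute and in
    # text unescaped, so a quote closes the attribute and a tag follows.
    return '<a href="%s">Back to %s</a>' % (referer, referer)


def render_back_link_hardened(referer: str) -> str:
    # Hardened: quote=True escapes < > & " ' so the value cannot break out of
    # the attribute or start a tag; the scheme check keeps javascript: URLs
    # out of href, which escaping alone would not prevent.
    if not referer.lower().startswith(("http://", "https://")):
        return "Back"
    safe = escape(referer, quote=True)
    return '<a href="%s">Back to %s</a>' % (safe, safe)


class _MarkupCollector(HTMLParser):
    """Records every start tag and every on* event attribute seen."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.event_attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_attrs.extend(name for name, _ in attrs if name.startswith("on"))


def injected_markup(html: str) -> list:
    """Oracle for the demo: anything other than the intended <a> element,
    or any event-handler attribute, came from the header."""
    collector = _MarkupCollector()
    collector.feed(html)
    collector.close()
    return [t for t in collector.tags if t != "a"] + collector.event_attrs


# Constructed hostile Referer value for the demonstration.
HOSTILE_REFERER = 'http://example.invalid/"><script>alert(document.cookie)</script>'

if __name__ == "__main__":
    print(injected_markup(render_back_link_vulnerable(HOSTILE_REFERER)))  # ['script', 'script']
    print(injected_markup(render_back_link_hardened(HOSTILE_REFERER)))    # []
```

Escaping is context-specific: the same value placed inside a <script>
block or a URL query parameter would need JavaScript-string or
percent-encoding rather than HTML entities, so escape at the point of
output, for the context the value is going into, not once at input time.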

10. RealOne Player and RealPlayer Multiple Unspecified Remote Vu...
BugTraq ID: 11335
Remote: Yes
Date Published: Oct 06 2004
Relevant URL: http://www.securityfocus.com/bid/11335
Summary:
NGSSoftware has reported that multiple buffer overflow and
unauthorized file access vulnerabilities exist in RealOne and RealPlayer.
Details about these vulnerabilities have been withheld until a later date,
but it appears that some of the issues may overlap with existing BIDs 11307
and 11308. There also appear to be other vulnerabilities that are not
covered in those two BIDs.

RealNetworks has reportedly released fixes for all of the issues.

11. MySQL MaxDB WebDBM Server Name Denial of Service Vulnerabili...
BugTraq ID: 11346
Remote: Yes
Date Published: Oct 07 2004
Relevant URL: http://www.securityfocus.com/bid/11346
Summary:
A remotely exploitable denial of service vulnerability exists in MaxDB.  
The cause of this condition is an input validation error that is 
exposed when an internal function in the WebDBM handles a client-supplied 
'Server' name in an HTTP request that includes specific values.  

This will reportedly trigger an exception due to an assert directive 
failing, resulting in a denial of service condition in the web agent.

This issue was reportedly tested on Windows and Linux versions.  Other 
versions could also be affected.

12. Cyrus SASL Multiple Remote And Local Vulnerabilities
BugTraq ID: 11347
Remote: Yes
Date Published: Oct 07 2004
Relevant URL: http://www.securityfocus.com/bid/11347
Summary:
Cyrus SASL is affected by multiple critical vulnerabilities that may be
remotely exploitable. The first issue is due to a boundary condition
error; the second issue is due to a failure of the application to
properly handle environment variables.

Information currently available regarding these issues is insufficient
to provide a more detailed analysis. This BID will be updated and split
into separate BIDs when more information becomes available.

An attacker can leverage the boundary condition issue to execute
arbitrary code on the affected computer. The impact of the environment
variable issue is currently unknown.

13. Nathaniel Bray Yeemp File Transfer Public Key Verification B...
BugTraq ID: 11353
Remote: Yes
Date Published: Oct 08 2004
Relevant URL: http://www.securityfocus.com/bid/11353
Summary:
It is reported that Yeemp does not properly verify public keys when a
file is transferred. Yeemp clients are assigned public keys, which Yeemp
uses to authenticate users and encrypt messages. Reportedly, the
application does not verify keys on incoming files. Due to this, remote
attackers are able to spoof sender information and send potentially
malicious files to users.

Yeemp versions 0.9.9 and earlier are affected by this issue.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. iptables & tcp wrappers (Thread)
Relevant URL: http://www.securityfocus.com/archive/91/377742

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL: 
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary: 

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely share
business information among customers, business partners, and remote
branches. It provides a seamless, LAN-like experience over the Internet
that includes the security, performance, accessibility, and ease of
administration required to allow organizations to share everyday
information worldwide.

2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, 
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: 
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary: 

EnCase Forensic Edition Version 4 delivers the most advanced features 
for computer forensics and investigations. With an intuitive GUI and 
superior performance, EnCase Version 4 provides investigators with the 
tools to conduct large-scale and complex investigations with accuracy and 
efficiency. Guidance Software's award-winning solution yields 
completely non-invasive computer forensic investigations while allowing 
examiners to easily manage large volumes of computer evidence and view all 
relevant files, including "deleted" files, file slack and unallocated 
space. 

The integrated functionality of EnCase allows the examiner to perform 
all functions of the computer forensic investigation process. EnCase's 
EnScript, a powerful macro-programming language and API included within 
EnCase, allows investigators to build customized and reusable forensic 
scripts.

3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, 
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary: 

KeyGhost SX discreetly captures and records all keystrokes typed, 
including chat conversations, email, word processor, or even activity within 
an accounting or specialist system. It is completely undetectable by 
software scanners and provides you with one of the most powerful stealth 
surveillance applications offered anywhere. 

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded 
data in its own internal memory (not on the hard drive), it is 
impossible for a network intruder to gain access to any sensitive data stored 
within the device.

4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary: 

Evidian's SafeKit technology makes it possible to render any 
application available 24 hours per day. With no extra hardware: just use your 
existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to 
do is add more standard servers into the cluster. With the load 
balancing features of SafeKit, you can distribute applications over multiple 
servers. If one system fails completely, the others will continue to 
serve your users.

5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary: 

Astaro Linux Firewall: All-in-one firewall, virus protection, content 
filtering and spam protection internet security software package for 
Linux. 
Free download for home users.

6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris, 
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary: 

A low-cost, easy-to-use two-factor authentication one-time password token
that runs on a cellular phone. It does not use SMS or any network
communication, and manages multiple OTP accounts. For any business that
wants safer access to its Internet services. More information is
available at our site.

We also provide an eAuthentication service for businesses that would
rather not buy an authentication product but prefer to pay a monthly
charge for authentication services from our CAT Server.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. PIKT - Problem Informant/Killer Tool v1.17.0
By: Robert Osterlund, robert.osterlund@gsb.uchicago.edu
Relevant URL: http://pikt.org
Platforms: AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS
Summary: 

PIKT is a cross-categorical, multi-purpose toolkit to monitor and 
configure computer systems, organize system security, format documents, 
assist command-line work, and perform other common systems administration 
tasks.

PIKT's primary purpose is to report and fix problems, but its 
flexibility and extendibility evoke many other uses limited only by your 
imagination.

2. ID-Synch 3.1
By: M-Tech Information Technology, Inc.
Relevant URL: http://idsynch.com/
Platforms: AIX, AS/400, DG-UX, Digital UNIX/Alpha, HP-UX, IRIX, Linux, 
MacOS, MPE/iX, Netware, OpenBSD, OpenVMS, OS/2, OS/390, RACF, Solaris, 
SunOS, True64 UNIX, Ultrix, VM, VMS, VSE, Windows 2000, Windows NT
Summary: 

ID-Synch is enterprise user provisioning software. It reduces the cost 
of user administration, helps new and reassigned users get to work more 
quickly, and ensures prompt and reliable access termination. This is 
accomplished through automatic propagation of changes to user profiles 
from systems of record to managed systems, with self service workflow for 
security change requests, through consolidated and delegated user 
administration, and with federation.

3. Nmap v3.70
By: Fyodor
Relevant URL: http://www.insecure.org/nmap/
Platforms: AIX, BSDI, FreeBSD, HP-UX, IRIX, Linux, NetBSD, OpenBSD, 
Solaris, SunOS, UNIX
Summary: 

Nmap is a utility for port scanning large networks, although it works 
fine for single hosts. Sometimes you need speed, other times you may 
need stealth. In some cases, bypassing firewalls may be required. Not to 
mention the fact that you may want to scan different protocols (UDP, 
TCP, ICMP, etc.). Nmap supports Vanilla TCP connect() scanning, TCP SYN 
(half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp 
proxy (bounce attack) scanning, SYN/FIN scanning using IP frag

4. THC-Hydra v4.3
By: THC
Relevant URL: http://www.thc.org/releases/hydra-4.3-src.tar.gz
Platforms: AIX, FreeBSD, HP-UX, IRIX, Linux, NetBSD, OpenBSD, Solaris, 
UNIX
Summary: 

THC-Hydra, a parallelized login hacker, is available for Samba, FTP, POP3,
IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS,
Cisco and more. It includes SSL support and is part of Nessus. Visit the
project web site to download Win32, Palm and ARM binaries. Changes:
important bugfix!

5. Pads 1.1
By: Matt Shelton
Relevant URL: 
http://freshmeat.net/projects/pads/?branch_id=52504&release_id=169973
Platforms: Linux
Summary: 

Pads (Passive Asset Detection System) is a signature-based detection 
engine used to passively detect network assets. It is designed to 
complement IDS technology by providing context to IDS alerts.

6. cenfw 0.3b
By: Peter Robinson
Relevant URL: http://www.securegateway.org
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Summary: 

The Centron IPTables Firewall GUI is an object-oriented, database-driven
Windows interface to Linux iptables firewall rules.

VII. SPONSOR INFORMATION
------------------------

This issue sponsored by: Internet Security Systems

http://www.securityfocus.com/sponsor/ISS_linux-secnews_041012

------------------------------------------------------------------------