Date: 15 Mar 2005 23:21:34 -0000
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #227
SecurityFocus Linux Newsletter #227
------------------------------------
This Issue is Sponsored By: Black Hat
Make plans now to attend the Black Hat Briefings & Training Europe, March
29-April 1 in Amsterdam, the world's premier technical security event.
Featuring 30 speakers in four tracks, 10 training sessions, with 250
delegates from 20 nations attending. Learn about the technical security
market drivers in the European market. Visit www.blackhat.com for
information or to register.
http://www.securityfocus.com/sponsor/BlackHat_linux-secnews_050315
------------------------------------------------------------------------
Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!
http://www.securityfocus.com/sponsor/Symantec_sf-news_041130
------------------------------------------------------------------------
I. FRONT AND CENTER
1. Infection Vectors
2. A Method for Forensic Previews
II. LINUX VULNERABILITY SUMMARY
1. PaX VMA Mirroring Privilege Escalation Vulnerability
2. Abuse Multiple Local Privilege Escalation Vulnerabilities
3. PHPBB Session.PHP Autologin User_Level Privilege Escalation ...
4. RedHat Linux Less Remote Buffer Overflow Vulnerability
5. Xoops Custom Avatar Remote Arbitrary PHP File Upload Vulnera...
6. YaBB Remote UsersRecentPosts Cross-Site Scripting Vulnerabil...
7. Drupal Unspecified Cross-Site Scripting Vulnerability
8. PHP Arena PAFileDB Multiple Remote Cross Site Scripting Vuln...
9. Linux Kernel SYS_EPoll_Wait Local Integer Overflow Vulnerabi...
10. Perl Local Race Condition Privilege Escalation Vulnerability
11. Grip CDDB Response Multiple Matches Buffer Overflow Vulnerab...
12. PHPOutsourcing Zorum Multiple Remote Vulnerabilities
13. MySQL AB MySQL Multiple Remote Vulnerabilities
III. LINUX FOCUS LIST SUMMARY
1. A question about passwords and login/authentication (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. CoreGuard Core Security System
2. EnCase Forensic Edition
3. KeyGhost SX
4. SafeKit
5. Astaro Linux Firewall
6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
1. Travesty 1.0
2. OCS 0.1
3. KSB - Kernel Socks Bouncer 2.6.10
4. DigSig 1.3.2
5. Firestarter 1.0.0
6. Network Equipment Performance Monitor 2.2
I. FRONT AND CENTER
-------------------
1. Infection Vectors
By Kelly Martin
It's time to pick your favorite virus.
http://www.securityfocus.com/columnists/306
2. A Method for Forensic Previews
By Timothy E. Wright
This article explains the forensic preview process, whereby a
production
machine is left as undisturbed as possible while it is evaluated for
potential intrusion and compromise.
http://www.securityfocus.com/infocus/1825
II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. PaX VMA Mirroring Privilege Escalation Vulnerability
BugTraq ID: 12729
Remote: Yes
Date Published: Mar 05 2005
Relevant URL: http://www.securityfocus.com/bid/12729
Summary:
It is reported that PaX contains a privilege escalation vulnerability.
Local unprivileged users may exploit this vulnerability to execute
arbitrary code with the privileges of any targeted user. It is also
conjectured that remote attackers may be able to exploit this
vulnerability, but exploitability depends on the ability of an attacker to control
the executable file mappings of a targeted application.
This issue is only exploitable if SEGMEXEC or RANDEXEC are enabled in
the kernel configuration.
This vulnerability is reported to affect all versions of PaX since
September, 2003, when VMA mirroring was introduced.
2. Abuse Multiple Local Privilege Escalation Vulnerabilities
BugTraq ID: 12734
Remote: No
Date Published: Mar 07 2005
Relevant URL: http://www.securityfocus.com/bid/12734
Summary:
Abuse is reported prone to multiple vulnerabilities. The following
individual issues are reported:
Abuse is reported prone to multiple local buffer overflow
vulnerabilities.
It is reported that a local attacker may exploit these issues to
execute arbitrary code with superuser privileges.
Abuse is also reported prone to an insecure file creation
vulnerability. Reports indicate that this issue may be leveraged to overwrite
arbitrary files with superuser privileges.
3. PHPBB Session.PHP Autologin User_Level Privilege Escalation ...
BugTraq ID: 12736
Remote: Yes
Date Published: Mar 07 2005
Relevant URL: http://www.securityfocus.com/bid/12736
Summary:
phpBB is reported prone to a privilege escalation vulnerability. The
issue is reported to exist when an autologin fails.
A remote attacker may potentially exploit this vulnerability to gain
access to parts of the affected website that should only be visible to a
website administrator.
Information harvested through exploitation of this vulnerability may be
employed to aid in further attacks against the affected site.
This vulnerability is reported to affect phpBB versions up to
2.0.13.
4. RedHat Linux Less Remote Buffer Overflow Vulnerability
BugTraq ID: 12753
Remote: Yes
Date Published: Mar 08 2005
Relevant URL: http://www.securityfocus.com/bid/12753
Summary:
A remote, client-side buffer overflow vulnerability affects RedHat
Linux less. This issue is due to a failure of the application to securely
copy file data into finite process buffers.
An attacker may leverage this issue to execute arbitrary code with the
privileges of an unsuspecting user.
5. Xoops Custom Avatar Remote Arbitrary PHP File Upload Vulnera...
BugTraq ID: 12754
Remote: Yes
Date Published: Mar 08 2005
Relevant URL: http://www.securityfocus.com/bid/12754
Summary:
Xoops is reported prone to a remote arbitrary PHP file upload
vulnerability. The issue presents itself due to a lack of sanitization performed
on image files that are uploaded using custom avatar upload
functionality.
A subsequent request for an uploaded script will result in the
execution of the script code in the context of the hosting web server.
This vulnerability is reported to affect Xoops version 2.0.9.2 and
previous versions.
6. YaBB Remote UsersRecentPosts Cross-Site Scripting Vulnerabil...
BugTraq ID: 12756
Remote: Yes
Date Published: Mar 08 2005
Relevant URL: http://www.securityfocus.com/bid/12756
Summary:
A remote cross-site scripting vulnerability affects YaBB. This issue is
due to a failure of the application to properly sanitize user-supplied
input prior to including it in dynamically generated Web content.
An attacker may leverage this issue to have arbitrary script code
executed in the browser of an unsuspecting user. This may facilitate the
theft of cookie-based authentication credentials as well as other
attacks.
7. Drupal Unspecified Cross-Site Scripting Vulnerability
BugTraq ID: 12757
Remote: Yes
Date Published: Mar 08 2005
Relevant URL: http://www.securityfocus.com/bid/12757
Summary:
An unspecified remote cross-site scripting vulnerability affects
Drupal. This issue is due to a failure of the application to properly
sanitize user-supplied input prior to using it in dynamically generated Web
page content.
An attacker may leverage this issue to have arbitrary script code
executed in the browser of an unsuspecting user.
This vulnerability is reported to affect Drupal versions prior to
version 4.5.2.
8. PHP Arena PAFileDB Multiple Remote Cross Site Scripting Vuln...
BugTraq ID: 12758
Remote: Yes
Date Published: Mar 08 2005
Relevant URL: http://www.securityfocus.com/bid/12758
Summary:
Multiple remote cross-site scripting vulnerabilities affect PHP Arena
PaFileDB. These issues are due to a failure of the application to
properly sanitize user-supplied input prior to including it in dynamically
generated Web content.
An attacker may leverage these issues to have arbitrary script code
executed in the browser of an unsuspecting user. This may facilitate the
theft of cookie-based authentication credentials as well as other
attacks.
9. Linux Kernel SYS_EPoll_Wait Local Integer Overflow Vulnerabi...
BugTraq ID: 12763
Remote: No
Date Published: Mar 09 2005
Relevant URL: http://www.securityfocus.com/bid/12763
Summary:
A local integer overflow vulnerability affects the Linux kernel. This
issue is due to a failure of the affected kernel to properly handle
user-supplied size values.
An attacker may leverage this issue to overwrite low kernel memory.
This may potentially facilitate privilege escalation.
10. Perl Local Race Condition Privilege Escalation Vulnerability
BugTraq ID: 12767
Remote: No
Date Published: Mar 09 2005
Relevant URL: http://www.securityfocus.com/bid/12767
Summary:
Perl is reported prone to a local race condition vulnerability. The
vulnerability is present in the 'rmtree()' function provided by the
'File::Path.pm' module.
A successful attack may allow an attacker to gain elevated privileges
on a vulnerable computer.
11. Grip CDDB Response Multiple Matches Buffer Overflow Vulnerab...
BugTraq ID: 12770
Remote: Yes
Date Published: Mar 10 2005
Relevant URL: http://www.securityfocus.com/bid/12770
Summary:
A buffer overflow vulnerability exists in Grip. The vulnerability
occurs when the software processes a response to a CDDB query that has in
excess of 16 matches.
For an attacker to exploit this issue, they must be able to influence
the response to a CDDB query, either by controlling a malicious CDDB
server or through other means. Successful exploitation will result in
execution of arbitrary code.
This vulnerability is reported to affect versions 3.1.2 and 3.2.0. It
is not known if other versions are also affected.
12. PHPOutsourcing Zorum Multiple Remote Vulnerabilities
BugTraq ID: 12777
Remote: Yes
Date Published: Mar 10 2005
Relevant URL: http://www.securityfocus.com/bid/12777
Summary:
Zorum is a freely available, open source Web-based forum application
implemented in PHP. It is available for UNIX, Linux, and any other
platform that supports PHP script execution.
Multiple remote vulnerabilities affect Zorum. These issues are due to
a failure of the application to validate access rights and
user-supplied input.
The issues reported are an HTML injection vulnerability, multiple
cross-site scripting vulnerabilities, an SQL injection vulnerability, and an
authentication bypass issue.
An attacker may leverage these issues to execute script code in an
unsuspecting user's browser, to manipulate SQL queries and to bypass
authentication requirements.
13. MySQL AB MySQL Multiple Remote Vulnerabilities
BugTraq ID: 12781
Remote: Yes
Date Published: Mar 11 2005
Relevant URL: http://www.securityfocus.com/bid/12781
Summary:
MySQL is reported prone to multiple vulnerabilities that can be
exploited by a remote authenticated attacker. The following individual issues
are reported:
MySQL is reported prone to an insecure temporary file creation
vulnerability.
Reports indicate that an attacker that has 'CREATE TEMPORARY TABLE'
privileges on an affected installation may leverage this vulnerability to
corrupt files with the privileges of the MySQL process.
MySQL is reported prone to an input validation vulnerability that can
be exploited by remote users that have INSERT and DELETE privileges on
the 'mysql' administrative database.
Reports indicate that this issue may be leveraged to load and execute a
malicious library in the context of the MySQL process.
Finally, MySQL is reported prone to a remote arbitrary code execution
vulnerability. It is reported that the vulnerability may be triggered by
employing the 'CREATE FUNCTION' statement to manipulate functions in
order to control sensitive data structures.
This issue may be exploited to execute arbitrary code in the context of
the database process.
These issues are reported to exist in MySQL versions prior to MySQL
4.0.24 and 4.1.10a.
III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. A question about passwords and login/authentication (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/393105
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary:
CoreGuard System profile
The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates all
the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.
CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets
* Protect data at rest from unauthorized viewing by external attackers
and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
administration
* Ensure host & application integrity
* Block malicious code, including zero-day exploits
2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS,
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:
EnCase Forensic Edition Version 4 delivers the most advanced features
for computer forensics and investigations. With an intuitive GUI and
superior performance, EnCase Version 4 provides investigators with the
tools to conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award winning solution yields
completely non-invasive computer forensic investigations while allowing
examiners to easily manage large volumes of computer evidence and view all
relevant files, including "deleted" files, file slack and unallocated
space.
The integrated functionality of EnCase allows the examiner to perform
all functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.
3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000,
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:
KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity within
an accounting or specialist system. It is completely undetectable by
software scanners and provides you with one of the most powerful stealth
surveillance applications offered anywhere.
Because KeyGhost uses STRONG 128-Bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data stored
within the device.
4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:
Evidian's SafeKit technology makes it possible to render any
application available 24 hours per day. With no extra hardware: just use your
existing servers and install this software-only solution.
This provides ultimate scalability. As your needs grow, all you need to
do is add more standard servers into the cluster. With the load
balancing features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to
serve your users.
5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary:
Astaro Linux Firewall: All-in-one firewall, virus protection, content
filtering and spam protection internet security software package for
Linux.
Free download for home users.
6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris,
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary:
Low cost, easy to use Two Factor Authentication One Time Password token
using the Cellular. Does not use SMS or communication, manages multiple
OTP accounts - new technology. For any business that wants safer
access to its Internet Services. More information at our site.
We also provide eAuthentication service for businesses that will not
buy an Authentication product but would prefer to pay a monthly charge
for authentication services from our CAT Server.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Travesty 1.0
By: Robert Wesley McGrew
Relevant URL: http://cse.msstate.edu/~rwm8/travesty/
Platforms: Linux
Summary:
Travesty is an interactive program for managing the hardware addresses
(MAC) of ethernet devices on your computer. It supports manually
changing the MAC, generating random addresses, and applying different vendor
prefixes to the current address.
It also allows the user to import their own lists of hardware
addresses and descriptions that can be navigated from within the Travesty
interface. Travesty is written in Python, and is very simple to add
functionality to, or modify.
2. OCS 0.1
By: OverIP
Relevant URL: http://hacklab.altervista.org/download/OCS.c
Platforms: Linux
Summary:
This is a very reliable and fast mass scanner for Cisco routers with
default telnet/enable passwords.
3. KSB - Kernel Socks Bouncer 2.6.10
By: Paolo Ardoino
Relevant URL: http://ardoino.altervista.org/kernel.php
Platforms: Linux
Summary:
KSB26 [Kernel Socks Bouncer] is a Linux Kernel 2.6.x patch that redirects
full tcp connections [SSH, telnet, ...] to follow through socks5. KSB26
uses a character device to pass socks5 and target ips to the Linux
Kernel. I have chosen to write in kernel space to enjoy myself [I know
that there are easier and safer ways to write this in userspace].
4. DigSig 1.3.2
By:
Relevant URL: http://sourceforge.net/projects/disec/
Platforms: Linux
Summary:
DigSig Linux kernel load module checks the signature of a binary before
running it. It inserts digital signatures inside the ELF binary and
verifies this signature before loading the binary. Therefore, it improves
the security of the system by avoiding a wide range of malicious
binaries like viruses, worms, Trojan programs and backdoors from running on
the system.
5. Firestarter 1.0.0
By: Tomas Junnonen
Relevant URL: http://www.fs-security.com/
Platforms: Linux
Summary:
Firestarter is a graphical firewall tool for Linux. The program aims to
combine ease of use with powerful features, serving both desktop users and
administrators.
6. Network Equipment Performance Monitor 2.2
By: Nova Software, Inc.
Relevant URL: http://www.nepm.net/
Platforms: AIX, FreeBSD, HP-UX, Linux, Solaris, Tru64 UNIX, UNIX,
Windows 2000, Windows NT, Windows XP
Summary:
NEPM is a very general, highly configurable, two part software system
that monitors any type of logged data from IP networked equipment and
reports it via E-mail and web pages. Current conditions and history from
systems based on Windows NT/2000 and UNIX can be tracked and reported.
Most major server, switch and router systems can be monitored, without
running agents on the target systems.