QODS ec

Saturday, June 19, 2004

SEC: SecurityFocus Linux Newsletter #187

SecurityFocus Linux Newsletter #187
------------------------------------

This Issue is Sponsored By: SPI Dynamics

ALERT: "How Hackers Launch Blind SQL Injection Attacks" - New White Paper
The newest web app vulnerability... Blind SQL Injection!
Even if your web application does not return error messages, it may still
be open to a Blind SQL Injection Attack. Blind SQL Injection can deliver
total control of your server to a hacker giving them the ability to read,
write and manipulate all data stored in your backend systems! Download
this *FREE* white paper from SPI Dynamics for a complete guide to
protection!

http://www.securityfocus.com/sponsor/SPIDynamics_linux-secnews_040607

------------------------------------------------------------------------
I. FRONT AND CENTER
1. Wireless Attacks and Penetration Testing (part 1 of 3)
2. Catching a Virus Writer
3. Multiple Security Roles With Unix/Linux
II. LINUX VULNERABILITY SUMMARY
1. Isoqlog Multiple Buffer Overflow Vulnerabilities
2. Spamguard Multiple Buffer Overflow Vulnerabilities
3. Gatos xatitv Missing Configuration File Privilege Escalation...
4. SquirrelMail Email Header HTML Injection Vulnerability
5. Firebird Remote Pre-Authentication Database Name Buffer Over...
6. PHP-Nuke Direct Script Access Security Bypass Vulnerability
7. MIT Kerberos 5 KRB5_AName_To_Localname Multiple Principal Na...
8. Gallery Authentication Bypass Vulnerability
9. Tripwire Email Reporting Format String Vulnerability
10. Unix and Unix-based select() System Call Overflow Vulnerabil...
11. Trend Micro Scanning Engine Report Generation HTML Injection...
12. Michael Krax log2mail Log File Writing Format String Vulnera...
13. Slackware Linux PHP Packages Insecure Linking Configuration ...
III. LINUX FOCUS LIST SUMMARY
1. mrtg/snmp/subinterfaces (Thread)
2. OpenVPN? (Thread)
3. Block martians with source address 127.0.0.1 (Thread)
4. Martians? (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. Immunity CANVAS
2. SecretAgent
3. Cyber-Ark Inter-Business Vault
4. EnCase Forensic Edition
5. KeyGhost SX
6. SafeKit
V. NEW TOOLS FOR LINUX PLATFORMS
1. Devil-Linux v1.2 Beta 1
2. GNU Anubis v3.9.94
3. DNSSEC Walker v3.4
4. Ettercap v0.7.0 pre2
5. Linux Intrusion Detection System (LIDS) v2.6.6
6. Astaro Security Linux (Stable 5.x) v5.007
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Wireless Attacks and Penetration Testing (part 1 of 3)
By Jonathan Hassell

This is the first of a three part series on penetration testing for
wireless networks. This installment will detail common styles of attacks
against wireless networks, introduce WEP key-cracking, and then discuss
some recent developments in wireless security.

http://www.securityfocus.com/infocus/1783

2. Catching a Virus Writer
By Kelly Martin

With the consumer WiFi explosion, launching a virus into the wild has
never been easier and more anonymous than it is today.

http://www.securityfocus.com/columnists/246

3. Multiple Security Roles With Unix/Linux
By Daniel Hanson

There are some areas of security where Linux and Unix have some strong
wins, and simply fit in better than anything else.

http://www.securityfocus.com/columnists/247

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Isoqlog Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 10433
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10433
Summary:
Isoqlog is prone to multiple buffer overflow vulnerabilities that span various source files and functions. Some of the vulnerabilities are remotely exploitable and may permit execution of arbitrary code in the context of the process. Others are local in nature, but as the software is not typically installed setuid/setgid, should not present any security risk.

2. Spamguard Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 10434
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10434
Summary:
Spamguard is prone to multiple buffer overflow vulnerabilities that span various source files and functions. Some of the vulnerabilities are remotely exploitable and may permit execution of arbitrary code in the context of the process. Others are local in nature, but as the software is not typically installed setuid/setgid, should not present any security risk.

3. Gatos xatitv Missing Configuration File Privilege Escalation...
BugTraq ID: 10437
Remote: No
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10437
Summary:
The gatos xatitv utility is prone to a local privilege escalation vulnerability.

This issue may occur when the utility, which is installed setuid root, fails to drop privileges due to a missing configuration file. Unsanitized user-supplied environment variables may then be exploited to escalate privileges.

It is noted that the software ships with a default configuration file, so exploitation would require that the file was removed at some point.

4. SquirrelMail Email Header HTML Injection Vulnerability
BugTraq ID: 10439
Remote: Yes
Date Published: May 31 2004
Relevant URL: http://www.securityfocus.com/bid/10439
Summary:
SquirrelMail is reported to be prone to an email header HTML injection vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied email header strings.

An attacker can exploit this issue to gain access to an unsuspecting user's cookie-based authentication credentials; disclosure of personal email is possible. Other attacks are also possible.

5. Firebird Remote Pre-Authentication Database Name Buffer Over...
BugTraq ID: 10446
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10446
Summary:
Firebird is reported prone to a remote buffer overrun vulnerability. The issue presents itself due to a lack of sufficient boundary checks performed when the database server is handling database names.

A remote attacker may exploit this vulnerability, without requiring valid authentication credentials, to influence execution flow of the affected Firebird database server. Ultimately this may lead to the execution of attacker-supplied code in the context of the affected software.

6. PHP-Nuke Direct Script Access Security Bypass Vulnerability
BugTraq ID: 10447
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10447
Summary:
PHP-Nuke is affected by a direct script access security vulnerability. This issue is due to a failure to properly validate the location and name of the file being accessed.

This issue will allow an attacker to gain access to sensitive scripts such as the 'admin.php' script. The attacker may be able to exploit this unauthorized access to carry out attacks against the affected application.

7. MIT Kerberos 5 KRB5_AName_To_Localname Multiple Principal Na...
BugTraq ID: 10448
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10448
Summary:
Kerberos 5 is prone to multiple boundary condition errors that exist in the krb5_aname_to_localname() and helper functions and are due to insufficient bounds checking performed on user-supplied data.

An additional boundary condition issue also exists in the krb5_aname_to_localname() function. The condition is reported to present itself in the explicit mapping functionality of the krb5_aname_to_localname() as an off-by-one.

These conditions may be theoretically exploitable to execute arbitrary code remotely in the context of the affected service.

It is reported that the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname() must be enabled for these vulnerabilities to be present. Additionally, it is necessary that the principal name used by the attacker to exploit the issue be listed in the explicit mapping list.

These vulnerabilities are reported to affect all releases of MIT Kerberos 5, up to and including version krb5-1.3.3.

8. Gallery Authentication Bypass Vulnerability
BugTraq ID: 10451
Remote: Yes
Date Published: Jun 02 2004
Relevant URL: http://www.securityfocus.com/bid/10451
Summary:
It has been disclosed that an attacker can bypass Gallery's authentication process, and log in as any user without a password.

An attacker can override configuration variables by passing them in GET, POST or cookie arguments. Gallery simulates the 'register_globals' PHP setting by extracting the values of the various $HTTP_ global variables into the global namespace. Therefore, regardless of the 'register_globals' PHP setting, an attacker can override configuration variables.

An attacker can change configuration variables and cause Gallery to skip the authentication steps.

Versions prior to 1.4.3-pl2 are reported to be vulnerable.

9. Tripwire Email Reporting Format String Vulnerability
BugTraq ID: 10454
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10454
Summary:
Tripwire is affected by an email reporting format string vulnerability. This issue is due to a failure to properly implement a formatted string function.

This vulnerability will allow for execution of arbitrary code on a system running the affected software. This would occur in the security context of the user invoking the vulnerable application; typically the superuser.

**Update - It is reported that this issue only presents itself when the MAILMETHOD is sendmail.

10. Unix and Unix-based select() System Call Overflow Vulnerabil...
BugTraq ID: 10455
Remote: Unknown
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10455
Summary:
The select() system call may be vulnerable to an overflow condition, possibly allowing attackers to write data past the end of a fixed size buffer.

select() uses arguments of type 'fd_set', which is of a fixed size in many Unix variants. fd_set is used to keep track of open file descriptors.

If a process raises its rlimit for open files past 1024, it is theoretically possible to cause select to change individual bits past the end of the fixed size fds_bits structure. In theory, an attacker may be able to use this vulnerability to cause a denial of service condition, or possibly execute arbitrary code.

It should be noted that rlimits can only be raised by root, and that only processes with rlimits allowing more than 1024 file descriptors would be affected.

This is a theoretical issue, and it has not been confirmed by any vendor. This BID will be updated when further information is released.
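The FD_SET macro that fills an fd_set has no range check, so a descriptor at or above FD_SETSIZE (1024 on glibc) sets a bit beyond the end of fds_bits. The wrapper below is an added example (not code from the newsletter or any vendor) showing the check a defender wants before touching an fd_set; the function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>

/* Refuse descriptors that do not fit in a fixed-size fd_set instead of
 * letting FD_SET write past the fds_bits array. Returns 0 on success,
 * -1 (errno = EINVAL) when fd is out of range. */
int safe_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Build the read set for select(). Returns the highest descriptor added,
 * or -1 if any descriptor was rejected; a caller that sees -1 should fall
 * back to poll(), which has no fixed descriptor limit. */
int build_read_set(const int *fds, size_t n, fd_set *set)
{
    int maxfd = -1;
    FD_ZERO(set);
    for (size_t i = 0; i < n; i++) {
        if (safe_fd_set(fds[i], set) != 0) {
            return -1;
        }
        if (fds[i] > maxfd) {
            maxfd = fds[i];
        }
    }
    return maxfd;
}

int main(void)
{
    fd_set rfds;
    /* Constructed descriptor lists: the second one contains a value that
     * a process with a raised RLIMIT_NOFILE could legitimately receive
     * from open(), but which cannot be represented in an fd_set. */
    int ok[] = {0, 5, FD_SETSIZE - 1};
    int bad[] = {0, FD_SETSIZE};

    printf("ok: maxfd=%d\n", build_read_set(ok, 3, &rfds));
    printf("bad: maxfd=%d (%s)\n", build_read_set(bad, 2, &rfds),
           strerror(errno));
    return 0;
}
```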

11. Trend Micro Scanning Engine Report Generation HTML Injection...
BugTraq ID: 10456
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10456
Summary:
Trend Micro's scanning engine is reportedly affected by an HTML injection vulnerability in its report generation feature. This issue is due to a failure to properly sanitize user-supplied data before including it in an HTML report.

It has been speculated that the offending HTML alert reports run from the local zone on the affected computer, although this has not been verified.

This issue may be exploited by a remote attacker to execute arbitrary HTML or script code on an affected computer, potentially resulting in unauthorized access. Other attacks are also possible.

12. Michael Krax log2mail Log File Writing Format String Vulnera...
BugTraq ID: 10460
Remote: No
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10460
Summary:
Michael Krax log2mail is reported prone to a log file writing format string vulnerability. This issue is due to a failure of the application to properly implement a formatted string function.

This vulnerability will ultimately allow for execution of arbitrary code on a system running the affected software. This would occur in the security context of the user invoking the vulnerable application; typically the 'log2mail' user with group 'adm'.
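The Tripwire (item 9) and log2mail (item 12) issues are the same defect class: a string someone else controls (a reported filename, a line read from a log) is passed to a printf-family function as the format rather than as data. The block below is an added example, not code from either project; the helper names are hypothetical. It shows the hardened form and a compiler-checked logging wrapper that flags the unsafe form at build time.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* With GCC/Clang this attribute makes -Wformat -Wformat-security warn
 * when a non-literal string is passed as the format argument. */
#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, arg_idx) \
    __attribute__((format(printf, fmt_idx, arg_idx)))
#else
#define PRINTF_LIKE(fmt_idx, arg_idx)
#endif

int log_msg(char *out, size_t n, const char *fmt, ...) PRINTF_LIKE(3, 4);

/* Thin wrapper around vsnprintf so every log write goes through one
 * format-checked entry point. Returns the length snprintf would report. */
int log_msg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Format one report/log entry for mailing.
 *
 * Unsafe form (the bug class in both advisories):
 *     log_msg(out, n, line);
 * If 'line' contains '%' conversions, vsnprintf reads arguments that were
 * never passed, and "%n" writes to memory.
 *
 * Safe form: the format is a literal and 'line' is an argument, so its
 * contents are copied verbatim whatever '%' sequences it contains. */
int format_log_entry(char *out, size_t n, const char *host, const char *line)
{
    return log_msg(out, n, "%s: %s", host, line);
}

int main(void)
{
    char buf[128];
    /* Constructed sample line that happens to contain conversion specifiers. */
    format_log_entry(buf, sizeof buf, "mailhost", "disk 95% full %n %s");
    puts(buf);  /* printed verbatim: mailhost: disk 95% full %n %s */
    return 0;
}
```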

13. Slackware Linux PHP Packages Insecure Linking Configuration ...
BugTraq ID: 10461
Remote: No
Date Published: Jun 02 2004
Relevant URL: http://www.securityfocus.com/bid/10461
Summary:
Slackware Linux PHP Packages are reportedly affected by an insecure linking configuration vulnerability. This issue is due to a configuration error that causes PHP to be linked against shared libraries in insecure directories.

This issue can be leveraged by an attacker to execute arbitrary code in the security context of the user running the affected PHP process; typically the user 'nobody'.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. mrtg/snmp/subinterfaces (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/365318

2. OpenVPN? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/365209

3. Block martians with source address 127.0.0.1 (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/365207

4. Martians? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/364805

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:

Immunity CANVAS is 100% pure Python, and every license includes full access to the entire CANVAS codebase. Python is one of the easiest languages to learn, so even novice programmers can be productive on the CANVAS API, should they so choose.

Immunity CANVAS is both a valuable demonstration tool for enterprise information security teams or system administrators, and an advanced development platform for exploit developers, or people learning to become exploit developers.

2. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.infoseccorp.com/products/secretagent/contents.htm
Summary:

SecretAgent is a file encryption and digital signature utility, supporting cross-platform interoperability over a wide range of platforms: Windows, Linux, Mac OS X, and UNIX systems.

It's the perfect solution for your data security requirements, regardless of the size of your organization.

Using the latest recognized standards in encryption and digital signature technology, SecretAgent ensures the confidentiality, integrity, and authenticity of your data.

3. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business Vault is an information security solution that enables organizations to safely overcome traditional network boundaries in order to securely share business information among customers, business partners, and remote branches. It provides a seamless, LAN-like experience over the Internet that includes all the security, performance, accessibility, and ease of administration required to allow organizations to share everyday information worldwide.

4. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:

EnCase Forensic Edition Version 4 delivers the most advanced features for computer forensics and investigations. With an intuitive GUI and superior performance, EnCase Version 4 provides investigators with the tools to conduct large-scale and complex investigations with accuracy and efficiency. Guidance Software's award winning solution yields completely non-invasive computer forensic investigations while allowing examiners to easily manage large volumes of computer evidence and view all relevant files, including "deleted" files, file slack and unallocated space.

The integrated functionality of EnCase allows the examiner to perform all functions of the computer forensic investigation process. EnCase's EnScript, a powerful macro-programming language and API included within EnCase, allows investigators to build customized and reusable forensic scripts.

5. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:

KeyGhost SX discreetly captures and records all keystrokes typed, including chat conversations, email, word processor, or even activity within an accounting or specialist system. It is completely undetectable by software scanners and provides you with one of the most powerful stealth surveillance applications offered anywhere.

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded data in its own internal memory (not on the hard drive), it is impossible for a network intruder to gain access to any sensitive data stored within the device.

6. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:

Evidian's SafeKit technology makes it possible to render any application available 24 hours per day. With no extra hardware: just use your existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to do is add more standard servers into the cluster. With the load balancing features of SafeKit, you can distribute applications over multiple servers. If one system fails completely, the others will continue to serve your users.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Devil-Linux v1.2 Beta 1
By: Heiko Zuerker
Relevant URL: http://www.devil-linux.org/download.htm
Platforms: Linux
Summary:

Devil-Linux is a special Linux distribution which is used for firewalls/routers. The goal of Devil-Linux is to have a small, customizable, and secure Linux system. Configuration is saved on a floppy disk, and it has several optional packages.

2. GNU Anubis v3.9.94
By: Wojciech Polak
Relevant URL: http://www.gnu.org/software/anubis/
Platforms: Linux, POSIX
Summary:

GNU Anubis is an outgoing mail processor. It sits between the MUA (Mail User Agent) and the MTA (Mail Transport Agent), and can perform various sorts of processing and conversion on the fly in accordance with the sender's specified rules, based on a highly configurable regular expression system. It operates as a proxy server, and can edit outgoing mail headers, encrypt or sign mail with GnuPG, build secure SMTP tunnels using TLS/SSL encryption even if your mail user agent doesn't support it, or tunnel a connection through a SOCKS proxy server.

3. DNSSEC Walker v3.4
By: Simon Josefsson
Relevant URL: http://josefsson.org/walker/
Platforms: Linux, UNIX
Summary:

DNSSEC Walker is a tool to recover DNS zonefiles using the DNS protocol. The server does not have to support zonetransfer, but the zone must contain DNSSEC "NXT" records.

4. Ettercap v0.7.0 pre2
By: ALoR
Relevant URL: http://ettercap.sourceforge.net/
Platforms: FreeBSD, Linux, MacOS, NetBSD, Windows 2000, Windows NT, Windows XP
Summary:

Ettercap is a network sniffer/interceptor/logger for ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like SSH and HTTPS). Data injection in an established connection and filtering on the fly is also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.

5. Linux Intrusion Detection System (LIDS) v2.6.6
By: Xie Hua Gang, xhg@gem.ncic.ac.cn
Relevant URL: http://www.lids.org/download.html
Platforms: Linux
Summary:

The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it is in effect, chosen files access, all system/network administration operations, any capability use, raw device, mem, and I/O access can be made impossible even for root. You can define which program can access which file. It uses and extends the system capabilities bounding set to control the whole system and adds some network and filesystem security features to the kernel to enhance the security. You can finely tune the security protections online, hide sensitive processes, receive security alerts through the network, and more.

6. Astaro Security Linux (Stable 5.x) v5.007
By: astaro
Relevant URL: http://www.astaro.com/
Platforms: Linux, POSIX
Summary:

Astaro Security Linux is a firewall solution. It does stateful packet inspection filtering, content filtering, user authentication, virus scanning, VPN with IPSec and PPTP, and much more. With its Web-based management tool, WebAdmin, and the ability to pull updates via the Internet, it is pretty easy to manage. It is based on a special hardened Linux 2.4 distribution where most daemons run in chroot jails and are protected by kernel capabilities.

VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe, send an e-mail message to linux-secnews-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message which you will have to answer. Alternatively, you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed, email listadmin@securityfocus.com and ask to be manually removed.

VII. SPONSOR INFORMATION
-----------------------


------------------------------------------------------------
