QODS ec

Tuesday, June 29, 2004

SEC: SecurityFocus Linux Newsletter #190

SecurityFocus Linux Newsletter #190
------------------------------------

This Issue is Sponsored By: SecurityFocus

Want to keep up on the latest security vulnerabilities? Don't have time to
visit a myriad of mailing lists and websites to read the news? Just add the
new SecurityFocus RSS feeds to your freeware RSS reader, and see all the
latest posts for Bugtraq and the SF Vulnerability database in one
convenient place. Or, pull in the latest news, columnists and feature
articles in the SecurityFocus aggregated news feed, and stay on top of
what's happening in the community!

http://www.securityfocus.com/rss/index.shtml

------------------------------------------------------------------------
I. FRONT AND CENTER
1. Packet Crafting for Firewall & IDS Audits (Part 1 of 2)
II. LINUX VULNERABILITY SUMMARY
1. Sup Remote Syslog Format String Vulnerability
2. Super Local Format String Vulnerability
3. WWW-SQL Include Command Buffer Overflow Vulnerability
4. TildeSlash Monit Authentication Handling Buffer Overflow Vul...
5. ISC DHCPD Hostname Options Logging Buffer Overflow Vulnerabi...
6. ISC DHCPD VSPRINTF Buffer Overflow Vulnerability
7. Linux Kernel IEEE 1394 Integer Overflow Vulnerability
8. PHP-Nuke Multiple Vulnerabilities
9. Linux Kernel Broadcom 5820 Cryptonet Driver Integer Overflow...
10. giFT-FastTrack HTTP Header Parser Remote Denial Of Service V...
11. GNU GNATS Syslog() Format String Vulnerability
12. Sysstat Multiple Local Buffer Overflow Vulnerabilities
13. FreeS/WAN X.509 Patch Certificate Verification Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. Error installing Clamav? (Thread)
2. Counting p2p traffic. (Thread)
3. just running tcpdump makes promisc mode? (Thread)
4. Close ports 137 and 138 samba server? (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. SecretAgent
2. Cyber-Ark Inter-Business Vault
3. EnCase Forensic Edition
4. KeyGhost SX
5. SafeKit
6. Astaro Linux Firewall
V. NEW TOOLS FOR LINUX PLATFORMS
1. SnortNotify 1.02
2. Devil-Linux v1.2 Beta 1
3. GNU Anubis v3.9.94
4. DNSSEC Walker v3.4
5. Ettercap v0.7.0 pre2
6. Linux Intrusion Detection System (LIDS) v2.6.6
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Packet Crafting for Firewall & IDS Audits (Part 1 of 2)
By Don Parker

This article is the first of a two-part series that will discuss various
methods to test the integrity of your firewall and IDS using low-level
TCP/IP packet crafting tools and techniques.

http://www.securityfocus.com/infocus/1787

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Sup Remote Syslog Format String Vulnerability
BugTraq ID: 10571
Remote: Yes
Date Published: Jun 19 2004
Relevant URL: http://www.securityfocus.com/bid/10571
Summary:
sup is prone to a remotely exploitable format string vulnerability. This issue could be exploited to execute arbitrary code in the context of the supfilesrv process.

2. Super Local Format String Vulnerability
BugTraq ID: 10575
Remote: No
Date Published: Jun 19 2004
Relevant URL: http://www.securityfocus.com/bid/10575
Summary:
super is prone to a locally exploitable format string vulnerability. The problem occurs due to the incorrect usage of programming functions designed to take formatted arguments.

Because of this, attacker-supplied format specifiers will be interpreted literally by the vulnerable program. This vulnerability may provide a conduit for an attacker to influence arbitrary writes into process memory space. Ultimately this vulnerability may be exploited in order to have arbitrary code executed with superuser privileges.

**Update: This issue was originally believed to be a duplicate of BID 5367; however, further reports indicate that this is not the case. Therefore this BID is reinstated.

3. WWW-SQL Include Command Buffer Overflow Vulnerability
BugTraq ID: 10577
Remote: Yes
Date Published: Jun 21 2004
Relevant URL: http://www.securityfocus.com/bid/10577
Summary:
www-sql is reportedly vulnerable to a buffer overflow vulnerability in its include command implementation. This issue arises due to a failure of the affected application to properly handle user-supplied strings when copying them into finite stack-based buffers.

An attacker can leverage this issue to manipulate process memory; by supplying program code as well as a specially selected memory address, an attacker can gain control of the process's execution flow, allowing for arbitrary code execution.

4. TildeSlash Monit Authentication Handling Buffer Overflow Vul...
BugTraq ID: 10581
Remote: Yes
Date Published: Jun 21 2004
Relevant URL: http://www.securityfocus.com/bid/10581
Summary:
It is reported that TildeSlash Monit is vulnerable to a buffer overflow vulnerability during authentication handling. This issue arises due to a failure of the affected application to properly handle user-supplied strings when copying them into finite stack-based buffers.

Successful exploitation of this issue allows an attacker to execute arbitrary code as the superuser, facilitating unauthorized access and privilege escalation.

5. ISC DHCPD Hostname Options Logging Buffer Overflow Vulnerabi...
BugTraq ID: 10590
Remote: Yes
Date Published: Jun 22 2004
Relevant URL: http://www.securityfocus.com/bid/10590
Summary:
ISC DHCPD is prone to a remotely exploitable buffer overflow vulnerability. This issue exists in routines responsible for logging hostname options provided by DHCP clients. Successful exploitation could result in execution of arbitrary code in the context of the DHCPD server.

This issue is reported to affect ISC DHCPD versions 3.0.1rc12 and 3.0.1rc13. The vulnerable code exists in previous versions of ISC DHCPD 3, but is only believed to be exploitable in these two releases.

6. ISC DHCPD VSPRINTF Buffer Overflow Vulnerability
BugTraq ID: 10591
Remote: Yes
Date Published: Jun 22 2004
Relevant URL: http://www.securityfocus.com/bid/10591
Summary:
ISC DHCPD is reported likely vulnerable to remotely exploitable buffer overflow vulnerabilities on systems which lack a vsnprintf() library function.

On systems which lack the vsnprintf() library call, ISC DHCPD defines vsnprintf as:
#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)

This definition discards the size argument to the function, potentially allowing any occurrence of vsnprintf() to be exploitable, by overflowing whatever intended buffer is passed to the library call.

Other locations in DHCPD utilizing this function may be exploitable. Successfully exploiting this issue may lead to a denial of service condition, or remote code execution in the context of the DHCPD server.

This issue is reported to affect ISC DHCPD versions 3.0.1rc12 and 3.0.1rc13.
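
The effect of the fallback definition quoted in item 6, as an added example (not ISC DHCPD source): the same format call is made once through that macro and once through a real vsnprintf(), and the bytes changed beyond the caller's stated limit are counted. The function names, the 16-byte limit and the sample hostname are constructed for illustration; every write stays inside a 256-byte array so the program itself is memory-safe.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE   256   /* real storage, so this demo never leaves its own array */
#define CLAIMED_SIZE 16    /* limit the caller passes as "size" */
#define CANARY       0xA5  /* fill byte that never occurs in the ASCII sample */
#define SAMPLE_HOSTNAME "client-with-a-very-long-name.example.test" /* constructed */
/* The fallback quoted in the summary: "size" is accepted and then dropped. */
#define fallback_vsnprintf(buf, size, fmt, list) vsprintf(buf, fmt, list)

static void format_with_fallback(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    (void)size;                          /* the macro expansion never uses it */
    va_start(ap, fmt);
    fallback_vsnprintf(buf, size, fmt, ap);
    va_end(ap);
}

/* Bounded form: returns 0 if the text fit, -1 if it was truncated or failed. */
static int format_bounded(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);   /* C99: returns the untruncated length */
    va_end(ap);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/* Count bytes changed beyond the limit the caller asked for. */
static size_t bytes_past_limit(const char *arena)
{
    size_t i, changed = 0;
    for (i = CLAIMED_SIZE; i < ARENA_SIZE; i++)
        changed += ((unsigned char)arena[i] != CANARY);
    return changed;
}

static size_t demo_fallback(void)
{
    char arena[ARENA_SIZE];
    memset(arena, CANARY, sizeof arena);
    format_with_fallback(arena, CLAIMED_SIZE, "hostname: %s", SAMPLE_HOSTNAME);
    return bytes_past_limit(arena);
}

static size_t demo_bounded(int *status)
{
    char arena[ARENA_SIZE];
    memset(arena, CANARY, sizeof arena);
    *status = format_bounded(arena, CLAIMED_SIZE, "hostname: %s", SAMPLE_HOSTNAME);
    return bytes_past_limit(arena);
}

int main(void)
{
    int status;
    size_t past = demo_bounded(&status);
    printf("fallback: %zu bytes written past the %d-byte limit\n", demo_fallback(), CLAIMED_SIZE);
    printf("bounded:  %zu bytes past the limit, status %d\n", past, status);
    return 0;
}
```

A build that must run without vsnprintf() needs a replacement that enforces the limit itself; checking for truncation, as format_bounded() does, also lets the caller drop or shorten an oversized log field instead of logging it cut off.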

7. Linux Kernel IEEE 1394 Integer Overflow Vulnerability
BugTraq ID: 10593
Remote: No
Date Published: Jun 22 2004
Relevant URL: http://www.securityfocus.com/bid/10593
Summary:
The driver for IEEE 1394 in the Linux kernel is reported to contain an integer overflow vulnerability.

The driver contains a function called alloc_hpsb_packet(). This function takes an unsigned integer argument and uses it to allocate kernel memory. When allocating memory, the value is incremented, potentially overflowing the integer.

There are multiple code paths leading to the vulnerable alloc_hpsb_packet() function, with multiple possible methods of exploiting this vulnerability.

Successful exploitation could lead to system crash, or possible code execution.

8. PHP-Nuke Multiple Vulnerabilities
BugTraq ID: 10595
Remote: Yes
Date Published: Jun 23 2004
Relevant URL: http://www.securityfocus.com/bid/10595
Summary:
PHP-Nuke is prone to multiple vulnerabilities. The issues result from insufficient sanitization of user-supplied data and may allow an attacker to carry out cross-site scripting, HTML injection, and SQL injection attacks.

Although unconfirmed, all versions of PHP-Nuke are considered to be vulnerable at this point. This BID will be updated as more information becomes available.

9. Linux Kernel Broadcom 5820 Cryptonet Driver Integer Overflow...
BugTraq ID: 10599
Remote: No
Date Published: Jun 23 2004
Relevant URL: http://www.securityfocus.com/bid/10599
Summary:
It is reported that the bcm5820 Linux kernel driver contains an integer overflow vulnerability.

The driver contains a function ubsec_ioctl() which is used to set up operating parameters for the driver. This function takes user-supplied data and copies it into kernel-space. When copying this data, a user-supplied length value is used in a calculation. This calculation could cause an integer overflow when allocating buffer space.

This vulnerability could lead to a system crash, or possible code execution in the context of the kernel.

This driver is not present in the vanilla Linux kernel, nor is it standard in most distributions of Linux. Red Hat 8, with Linux kernel 2.4.20, is confirmed to include the vulnerable driver, but others are also potentially vulnerable.

10. giFT-FastTrack HTTP Header Parser Remote Denial Of Service V...
BugTraq ID: 10604
Remote: Yes
Date Published: Jun 24 2004
Relevant URL: http://www.securityfocus.com/bid/10604
Summary:
It is reported that the giFT-FastTrack module is prone to a denial of service vulnerability in its HTTP header parser.

A remote attacker who sends malformed HTTP requests to an affected giFT server can crash the server.

The vendor has released version 0.8.7, addressing this issue. All prior versions are reported affected by this vulnerability.

11. GNU GNATS Syslog() Format String Vulnerability
BugTraq ID: 10609
Remote: Yes
Date Published: Jun 25 2004
Relevant URL: http://www.securityfocus.com/bid/10609
Summary:
It is reported that GNU GNATS contains a format string vulnerability in its logging function.

GNATS has the ability to log to various files: stderr, syslog() or a file.

If an attacker devises a method of controlling the arguments to the logging function, they would be able to read or write arbitrary locations in memory. Code execution could be possible.

GNU GNATS version 4.0 is reported vulnerable. Other versions may also be affected.

12. Sysstat Multiple Local Buffer Overflow Vulnerabilities
BugTraq ID: 10610
Remote: No
Date Published: Jun 25 2004
Relevant URL: http://www.securityfocus.com/bid/10610
Summary:
Sysstat is reported prone to multiple local buffer overflow vulnerabilities. It is reported that these vulnerabilities are not exploitable to execute arbitrary code.

However, although unconfirmed, due to the nature of these vulnerabilities, the issue may be exploitable in order to execute arbitrary code on certain platforms or when certain compilers are used.

13. FreeS/WAN X.509 Patch Certificate Verification Vulnerability
BugTraq ID: 10611
Remote: Yes
Date Published: Jun 25 2004
Relevant URL: http://www.securityfocus.com/bid/10611
Summary:
FreeS/WAN X.509 patch is reported susceptible to a certificate verification vulnerability.

When the vulnerable implementation is negotiating an IPSec connection using PKCS#7 wrapped X.509 certificates, it can be fooled into authenticating fake certificates.

If an attacker crafts a Certificate Authority (CA) certificate and a user certificate with identical subjects, they can reportedly be improperly authenticated by FreeS/WAN.

Using this vulnerability, an attacker could potentially successfully authenticate to a FreeS/WAN VPN server. Further attacks on machines now accessible to the attacker are likely possible.

**Update: This vulnerability was previously thought to exist in the FreeS/WAN application; however, new information suggests that the issue is present in the X.509 patch for the application.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. Error installing Clamav? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/367372

2. Counting p2p traffic. (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/367366

3. just running tcpdump makes promisc mode? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/367305

4. Close ports 137 and 138 samba server? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/367161

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.infoseccorp.com/products/secretagent/contents.htm
Summary:

SecretAgent is a file encryption and digital signature utility, supporting cross-platform interoperability over a wide range of platforms: Windows, Linux, Mac OS X, and UNIX systems.

It's the perfect solution for your data security requirements, regardless of the size of your organization.

Using the latest recognized standards in encryption and digital signature technology, SecretAgent ensures the confidentiality, integrity, and authenticity of your data.

2. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business Vault is an information security solution that enables organizations to safely overcome traditional network boundaries in order to securely share business information among customers, business partners, and remote branches. It provides a seamless, LAN-like experience over the Internet that includes all the security, performance, accessibility, and ease of administration required to allow organizations to share everyday information worldwide.

3. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:

EnCase Forensic Edition Version 4 delivers the most advanced features for computer forensics and investigations. With an intuitive GUI and superior performance, EnCase Version 4 provides investigators with the tools to conduct large-scale and complex investigations with accuracy and efficiency. Guidance Software's award winning solution yields completely non-invasive computer forensic investigations while allowing examiners to easily manage large volumes of computer evidence and view all relevant files, including "deleted" files, file slack and unallocated space.

The integrated functionality of EnCase allows the examiner to perform all functions of the computer forensic investigation process. EnCase's EnScript, a powerful macro-programming language and API included within EnCase, allows investigators to build customized and reusable forensic scripts.

4. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:

KeyGhost SX discreetly captures and records all keystrokes typed, including chat conversations, email, word processor, or even activity within an accounting or specialist system. It is completely undetectable by software scanners and provides you with one of the most powerful stealth surveillance applications offered anywhere.

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded data in its own internal memory (not on the hard drive), it is impossible for a network intruder to gain access to any sensitive data stored within the device.

5. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:

Evidian's SafeKit technology makes it possible to render any application available 24 hours per day. With no extra hardware: just use your existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to do is add more standard servers into the cluster. With the load balancing features of SafeKit, you can distribute applications over multiple servers. If one system fails completely, the others will continue to serve your users.

6. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary:

Astaro Linux Firewall: All-in-one firewall, virus protection, content filtering and spam protection internet security software package for Linux.
Free download for home users.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. SnortNotify 1.02
By: Adam Ely
Relevant URL: http://www.780inc.com/snortnotify/
Platforms: Linux
Summary:

Running from cron at a specified interval, SnortNotify will search a snort database for new alerts. If new alerts match a preconfigured priority level, an email will be sent to the contact. The email will include the sensor name, the signature name, and the timestamp.

2. Devil-Linux v1.2 Beta 1
By: Heiko Zuerker
Relevant URL: http://www.devil-linux.org/download.htm
Platforms: Linux
Summary:

Devil-Linux is a special Linux distribution which is used for firewalls/routers. The goal of Devil-Linux is to have a small, customizable, and secure Linux system. Configuration is saved on a floppy disk, and it has several optional packages.

3. GNU Anubis v3.9.94
By: Wojciech Polak
Relevant URL: http://www.gnu.org/software/anubis/
Platforms: Linux, POSIX
Summary:

GNU Anubis is an outgoing mail processor. It goes between the MUA (Mail User Agent) and the MTA (Mail Transport Agent), and can perform various sorts of processing and conversion on-the-fly in accordance with the sender's specified rules, based on a highly configurable regular expressions system. It operates as a proxy server, and can edit outgoing mail headers, encrypt or sign mail with GnuPG, build secure SMTP tunnels using TLS/SSL encryption even if your mail user agent doesn't support it, or tunnel a connection through a SOCKS proxy server.

4. DNSSEC Walker v3.4
By: Simon Josefsson
Relevant URL: http://josefsson.org/walker/
Platforms: Linux, UNIX
Summary:

DNSSEC Walker is a tool to recover DNS zone files using the DNS protocol. The server does not have to support zone transfer, but the zone must contain DNSSEC "NXT" records.

5. Ettercap v0.7.0 pre2
By: ALoR
Relevant URL: http://ettercap.sourceforge.net/
Platforms: FreeBSD, Linux, MacOS, NetBSD, Windows 2000, Windows NT, Windows XP
Summary:

Ettercap is a network sniffer/interceptor/logger for ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like SSH and HTTPS). Data injection in an established connection and filtering on the fly is also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.

6. Linux Intrusion Detection System (LIDS) v2.6.6
By: Xie Hua Gang, xhg@gem.ncic.ac.cn
Relevant URL: http://www.lids.org/download.html
Platforms: Linux
Summary:

The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it is in effect, chosen file access, all system/network administration operations, any capability use, and raw device, mem, and I/O access can be made impossible even for root. You can define which program can access which file. It uses and extends the system capabilities bounding set to control the whole system and adds some network and filesystem security features to the kernel to enhance the security. You can finely tune the security protections online, hide sensitive processes, receive security alerts through the network, and more.

VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe send an e-mail message to linux-secnews-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed, email listadmin@securityfocus.com and ask to be manually removed.

VII. SPONSOR INFORMATION
-----------------------

This Issue is Sponsored By: SecurityFocus

Want to keep up on the latest security vulnerabilities? Don't have time to
visit a myriad of mailing lists and websites to read the news? Just add the
new SecurityFocus RSS feeds to your freeware RSS reader, and see all the
latest posts for Bugtraq and the SF Vulnerability database in one
convenient place. Or, pull in the latest news, columnists and feature
articles in the SecurityFocus aggregated news feed, and stay on top of
what's happening in the community!

http://www.securityfocus.com/rss/index.shtml

------------------------------------------------------------------------
