Date: 17 Aug 2004 19:03:30 -0000
From:"Peter Laborge" <plaborge@securityfocus.com>
To:linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #197
SecurityFocus Linux Newsletter #197
------------------------------------

------------------------------------------------------------------------
I. FRONT AND CENTER
     1. Examining a Public Exploit, Part 1
     2. Detecting Worms and Abnormal Activities with NetFlow, Part 1
     3. Big Brother's Last Mile
     4. The Panacea of Information Security
II. LINUX VULNERABILITY SUMMARY
     1. PluggedOut Blog Blog_Exec.PHP Cross-Site Scripting Vulnerabi...
     2. Linux Kernel Unspecified chown Inode Time Vulnerability
     3. Linux Kernel Unspecified Signal Denial Of Service Vulnerabil...
     4. Xine-Lib Remote Buffer Overflow Vulnerability
     5. Linux Kernel Unspecified USB Vulnerability
     6. PluggedOut Blog Calendar Module Cross-Site Scripting Vulnera...
     7. GNU CFEngine AuthenticationDialogue Remote Heap Based Buffer...
     8. GNU CFEngine AuthenticationDialogue Remote Denial Of Service...
     9. KDE Konqueror Cross-Domain Frame Loading Vulnerability
     10. KDE Insecure Temporary Directory Symlink Vulnerability
     11. KDE DCOPServer Insecure Temporary File Creation Vulnerabilit...
     12. Mutt PGP/GnuPG Verified Email Signature Spoofing Vulnerabili...
     13. Adobe Acrobat Reader Shell Metacharacter Remote Arbitrary Co...
     14. RealNetwork RealPlayer Unspecified Remote Vulnerability
     15. Kerio Mailserver Embedded HTTP Server Multiple Unspecified V...
     16. Rsync Sanitize_path Function Module Path Escaping Vulnerabil...
     17. HanSoft 4tH Unspecified Vulnerability
     18. Sympa List Creation Authentication Bypass Vulnerability
III. LINUX FOCUS LIST SUMMARY
     1. can Hopster traffic be blocked? (Thread)
     2. LIDS 1.2.2rc2 for Linux kernel 2.4.27 released (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. Cyber-Ark Inter-Business Vault
     2. EnCase Forensic Edition
     3. KeyGhost SX
     4. SafeKit
     5. Astaro Linux Firewall
     6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
     1. Pads 1.1
     2. cenfw 0.3b
     3. Firewall Builder 2.0
     4. Lepton's Crack 20031130
     5. popa3d v0.6.4.1
     6. tinysofa enterprise server 2.0-rc1
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Examining a Public Exploit, Part 1
By Don Parker

The purpose of this article is to analyze a public exploit in a lab
environment, see the alerts generated by an intrusion detection system, and
then do some packet analysis of the malicious binary in order to better
understand it.

http://www.securityfocus.com/infocus/1795



2. Detecting Worms and Abnormal Activities with NetFlow, Part 1
By Yiming Gong

This paper discusses the use of NetFlow, a traffic profile monitoring
technology available on many routers, for use in the early detection of
worms, spammers, and other abnormal network activity in large enterprise
networks and service providers.

http://www.securityfocus.com/infocus/1796


3. Big Brother's Last Mile
By Mark Rasch

The FCC's new ruling on broadband wiretaps will force customers to pay for
the privilege of making the Internet less secure.

http://www.securityfocus.com/columnists/261


4. The Panacea of Information Security
By Jason Miller

Step away from all the vendor hype. The one device that will always be the
best tool for information security is a competent security professional.

http://www.securityfocus.com/columnists/260

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. PluggedOut Blog Blog_Exec.PHP Cross-Site Scripting Vulnerabi...
BugTraq ID: 10885
Remote: Yes
Date Published: Aug 07 2004
Relevant URL: http://www.securityfocus.com/bid/10885
Summary:
PluggedOut Blog is reported prone to a cross-site scripting vulnerability.

This could allow for execution of hostile HTML and script code in the 
web client of a user who visits a malicious link to the vulnerable site. 
This code execution would occur in the security context of the site 
hosting the vulnerable software. 

Exploitation could allow for theft of cookie-based authentication 
credentials. Other attacks are also possible.

2. Linux Kernel Unspecified chown Inode Time Vulnerability
BugTraq ID: 10887
Remote: No
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10887
Summary:
An unspecified vulnerability has been announced in the Linux Kernel 
implementation of the chown(2) system call.  This issue is related to how 
inode time data is updated by the system call.  The impact is not known 
at this time, though it is speculated that this could affect system 
integrity.

3. Linux Kernel Unspecified Signal Denial Of Service Vulnerabil...
BugTraq ID: 10888
Remote: No
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10888
Summary:
An unspecified denial of service vulnerability has been reported to 
exist in the Linux Kernel.  This issue could occur when signals are 
handled by the kernel.  Further details are not available at this time.

4. Xine-Lib Remote Buffer Overflow Vulnerability
BugTraq ID: 10890
Remote: Yes
Date Published: Aug 08 2004
Relevant URL: http://www.securityfocus.com/bid/10890
Summary:
It is reported that the xine media library is affected by a remote 
buffer overflow vulnerability.  This issue can allow a remote attacker to 
gain unauthorized access to a vulnerable computer.

xine-lib rc-5 and prior versions are reportedly affected by this issue.  
xine versions 0.99.2 and prior are also vulnerable.

5. Linux Kernel Unspecified USB Vulnerability
BugTraq ID: 10892
Remote: No
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10892
Summary:
The Linux Kernel implementation of USB is reported prone to an 
unspecified vulnerability. The impact is not known at this time, though it is 
speculated that this vulnerability could affect system stability.

6. PluggedOut Blog Calendar Module Cross-Site Scripting Vulnera...
BugTraq ID: 10894
Remote: Yes
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10894
Summary:
The Blog 'calendar' module does not sufficiently sanitize data supplied 
via URI parameters, making it prone to cross-site scripting attacks. 
This could allow for execution of hostile HTML and script code in the web 
client of a user who visits a malicious link to the vulnerable site.

7. GNU CFEngine AuthenticationDialogue Remote Heap Based Buffer...
BugTraq ID: 10899
Remote: Yes
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10899
Summary:
GNU cfengine cfservd is reported prone to a remote heap-based buffer
overrun vulnerability. The vulnerability presents itself in the cfengine
cfservd AuthenticationDialogue() function.

The issue exists due to a lack of sufficient boundary checks performed 
on challenge data that is received from a client. 

Because the size of the buffer, the size of data copied in a memcpy() 
operation, and the data copied are all controlled by the attacker, a 
remote attacker may likely exploit this condition to corrupt in-line heap 
based memory management data. 

cfservd employs an IP based access control method. This access control 
must be bypassed prior to exploitation. This may hinder exploitation 
attempts.

This vulnerability is reported to affect versions 2.0.0 to 2.1.7p1 of 
cfengine cfservd.

8. GNU CFEngine AuthenticationDialogue Remote Denial Of Service...
BugTraq ID: 10900
Remote: Yes
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10900
Summary:
GNU cfengine cfservd is reported prone to a remote denial of service 
vulnerability. The vulnerability presents itself in the cfengine cfservd 
AuthenticationDialogue() function that is responsible for processing 
SAUTH commands and also performing RSA based authentication. 

The vulnerability presents itself because return values for several
statements within the AuthenticationDialogue() function are not checked.

A memcpy() operation based on these unchecked return values will fail,
resulting in a daemon crash. A remote attacker may exploit this
vulnerability to crash the affected daemon, effectively denying service to
legitimate users.

cfservd employs an IP based access control method
(AllowConnectionsFrom). This access control must be bypassed prior to
exploitation. This may hinder exploitation attempts.

This vulnerability is reported to affect versions 2.0.0 to 2.1.7p1 of 
cfengine cfservd.

9. KDE Konqueror Cross-Domain Frame Loading Vulnerability
BugTraq ID: 10921
Remote: Yes
Date Published: Aug 11 2004
Relevant URL: http://www.securityfocus.com/bid/10921
Summary:
Konqueror is reported prone to a cross-domain frame loading vulnerability.
It is reported that if the name of a frame rendered in a target site is
known, then an attacker may potentially render arbitrary HTML in the
frame of the target site.

An attacker may exploit this vulnerability to spoof an interface of a 
trusted web site.

All versions of KDE up to KDE 3.2.3 are vulnerable to this issue.

10. KDE Insecure Temporary Directory Symlink Vulnerability
BugTraq ID: 10922
Remote: No
Date Published: Aug 11 2004
Relevant URL: http://www.securityfocus.com/bid/10922
Summary:
KDE is reported to contain a temporary directory symlink vulnerability. 
This vulnerability is due to improper validation of the ownership of 
temporary directories.

Local attackers can cause KDE applications to fail, denying service to 
users, or to overwrite arbitrary files with the privileges of the 
target user. Privilege escalation may be possible.

Source patches have been made available by KDE to resolve this issue.

11. KDE DCOPServer Insecure Temporary File Creation Vulnerabilit...
BugTraq ID: 10924
Remote: No
Date Published: Aug 11 2004
Relevant URL: http://www.securityfocus.com/bid/10924
Summary:
KDE's DCOPServer is reported to contain an insecure temporary file
creation vulnerability. This is due to the use of the mktemp() function.

Since temporary files are used by the DCOP daemon for authentication 
purposes, a local attacker may possibly exploit this vulnerability to 
compromise the account of a targeted user running KDE.

A local attacker may also possibly exploit this vulnerability to 
execute symbolic link file overwrite attacks. This may allow an attacker to 
overwrite arbitrary files with the privileges of the targeted user. 
Privilege escalation may also be possible using this method of attack.

KDE versions from 3.2.0 to 3.2.3 are reported susceptible to this 
vulnerability.

12. Mutt PGP/GnuPG Verified Email Signature Spoofing Vulnerabili...
BugTraq ID: 10929
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10929
Summary:
It is reported that Mutt contains a vulnerability that allows attackers 
to send email that spoofs the look of a successfully verified PGP/GnuPG 
email message.

An attacker may potentially simulate the look of the PGP/GnuPG output 
that Mutt usually includes when processing signed email messages. If a 
user employs Mutt with a specific configuration, the attacker may make 
email messages look almost identical to a properly signed and verified 
email.

This may allow an attacker to create a message that falsifies a 
correctly verified PGP/GnuPG signature. This could allow an attacker to spoof 
email from trusted sources. This will likely greatly increase the 
effectiveness of social engineering attacks.

In the index mode, messages with signatures have the 's' flag. Verified 
signatures change to 'S'. Ensuring that messages have the proper 
attributes will aid in the mitigation of this vulnerability.

Versions 1.3.28 and 1.5.6 are reported affected by this vulnerability. 
Other versions are also likely affected.

13. Adobe Acrobat Reader Shell Metacharacter Remote Arbitrary Co...
BugTraq ID: 10931
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10931
Summary:
A remote code execution vulnerability is identified in Adobe Acrobat
Reader.  This issue may allow an attacker to gain unauthorized access to a
vulnerable computer.

Acrobat Reader is affected by a shell metacharacter command execution 
vulnerability.  This issue exists due to insufficient sanitization of 
user-supplied data by Acrobat Reader for Unix and Linux platforms.  
Successful exploitation can allow an attacker to use a specially crafted 
file name to execute arbitrary commands and applications through the 
shell.

Adobe Acrobat Reader version 5.0 for Unix and Linux platforms is 
reported vulnerable to this issue.  Acrobat Reader for Microsoft Windows 
platforms is not affected by this issue.

14. RealNetwork RealPlayer Unspecified Remote Vulnerability
BugTraq ID: 10934
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10934
Summary:
It is reported that RealNetwork RealPlayer contains an unspecified 
vulnerability that allows for execution of arbitrary code in the context of 
the user running the player.

No further information is available at this time. This BID will be 
updated as further information is disclosed.

15. Kerio Mailserver Embedded HTTP Server Multiple Unspecified V...
BugTraq ID: 10936
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10936
Summary:
Kerio MailServer version 6.0.1 has been released.  This release
addresses various unspecified security vulnerabilities in the embedded HTTP
server implemented with the Kerio MailServer application.  The cause and
impact of these issues are currently unknown.

All versions of Kerio MailServer prior to 6.0.1 are considered 
vulnerable.

16. Rsync Sanitize_path Function Module Path Escaping Vulnerabil...
BugTraq ID: 10938
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10938
Summary:
If an rsync server is installed as a daemon with a read/write enabled 
module without using the 'chroot' option, it is possible that a remote 
attacker could read/write files outside of the configured module path. 
Rsync does not properly sanitize the paths when not running with chroot.  
The problem exists in the 'sanitize_path' function.

This could potentially be exploited to execute arbitrary code by
corrupting or placing arbitrary files on the system. Destruction of data
could also result, possibly causing a denial of service condition. Other
attacks could also occur, depending on the attacker's motives.

17. HanSoft 4tH Unspecified Vulnerability
BugTraq ID: 10939
Remote: Unknown
Date Published: Aug 13 2004
Relevant URL: http://www.securityfocus.com/bid/10939
Summary:
An unspecified vulnerability is reported in the HanSoft 4tH compiler.

This vulnerability is reported to be fixed in version 3.4e-pre4.

No further information was reported. This BID will be updated as new 
information is disclosed.

18. Sympa List Creation Authentication Bypass Vulnerability
BugTraq ID: 10941
Remote: Yes
Date Published: Aug 13 2004
Relevant URL: http://www.securityfocus.com/bid/10941
Summary:
Sympa is reported to be prone to an authentication bypass vulnerability 
when creating new mailing lists.

This vulnerability presents itself upon creating a new mailing list. 
The list master approval process could reportedly be skipped by an 
attacker.

An attacker may exploit this issue to create unauthorized mailing 
lists. This may possibly be used to forward UCE messages, or possibly other 
attacks.

Versions prior to 4.1.2 are reportedly affected by this vulnerability.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. can Hopster traffic be blocked? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/371590

2. LIDS 1.2.2rc2 for Linux kernel 2.4.27 released (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/371540

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL: 
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary: 

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely share
business information among customers, business partners, and remote
branches. It provides a seamless, LAN-like experience over the Internet
that includes all the security, performance, accessibility, and ease of
administration required to allow organizations to share everyday
information worldwide.

2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, 
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: 
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary: 

EnCase Forensic Edition Version 4 delivers the most advanced features 
for computer forensics and investigations. With an intuitive GUI and 
superior performance, EnCase Version 4 provides investigators with the 
tools to conduct large-scale and complex investigations with accuracy and 
efficiency. Guidance Software's award winning solution yields 
completely non-invasive computer forensic investigations while allowing 
examiners to easily manage large volumes of computer evidence and view all 
relevant files, including "deleted" files, file slack and unallocated 
space. 

The integrated functionality of EnCase allows the examiner to perform 
all functions of the computer forensic investigation process. EnCase's 
EnScript, a powerful macro-programming language and API included within 
EnCase, allows investigators to build customized and reusable forensic 
scripts.

3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, 
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary: 

KeyGhost SX discreetly captures and records all keystrokes typed, 
including chat conversations, email, word processor, or even activity within 
an accounting or specialist system. It is completely undetectable by 
software scanners and provides you with one of the most powerful stealth 
surveillance applications offered anywhere. 

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data stored
within the device.

4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary: 

Evidian's SafeKit technology makes it possible to render any 
application available 24 hours per day. With no extra hardware: just use your 
existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to 
do is add more standard servers into the cluster. With the load 
balancing features of SafeKit, you can distribute applications over multiple 
servers. If one system fails completely, the others will continue to 
serve your users.

5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary: 

Astaro Linux Firewall: All-in-one firewall, virus protection, content 
filtering and spam protection internet security software package for 
Linux. 
Free download for home users.

6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris, 
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary: 

Low cost, easy to use Two Factor Authentication One Time Password token
using a cellular phone. Does not use SMS or communication, manages multiple
OTP accounts - new technology. For any business that wants safer
access to its Internet Services. More information at our site.

We also provide an eAuthentication service for businesses that will not
buy an Authentication product but would prefer to pay a monthly charge
for authentication services from our CAT Server.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Pads 1.1
By: Matt Shelton
Relevant URL: 
http://freshmeat.net/projects/pads/?branch_id=52504&release_id=169973
Platforms: Linux
Summary: 

Pads (Passive Asset Detection System) is a signature-based detection 
engine used to passively detect network assets. It is designed to 
complement IDS technology by providing context to IDS alerts.

2. cenfw 0.3b
By: Peter Robinson
Relevant URL: http://www.securegateway.org
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Summary: 

The Centron IPTables Firewall GUI is an object-oriented, database-driven
Windows interface to Linux iptables firewall rules.

3. Firewall Builder 2.0
By: Vadim Kurland
Relevant URL: http://www.fwbuilder.org/
Platforms: FreeBSD, Linux, MacOS, Solaris, Windows 2000, Windows XP
Summary: 

Firewall Builder consists of a GUI and set of policy compilers for 
various firewall platforms. It helps users maintain a database of objects 
and allows policy editing using simple drag-and-drop operations. The GUI 
and policy compilers are completely independent, and support for a new 
firewall platform can be added to the GUI without any changes to the 
program (only a new policy compiler is needed). This provides for a 
consistent abstract model and the same GUI for different firewall platforms. 
It currently supports iptables, ipfilter, and OpenBSD pf.

4. Lepton's Crack 20031130
By: Lepton and Nekromancer
Relevant URL: http://www.nestonline.com/lcrack/lcrack-20031130-beta.zip
Platforms: Linux, MacOS, Os Independent, UNIX, Windows 2000, Windows 
NT, Windows XP
Summary: 

Lepton's Crack is a generic password cracker. It is easily customizable
with a simple plugin system and allows system administrators to review
the quality of the passwords being used on their systems. It can
perform a dictionary-based (wordlist) attack as well as a brute force
(incremental) password scan. It supports standard MD4 hash, standard MD5 hash,
NT MD4/Unicode, Lotus Domino HTTP password (R4), and SHA-1 hash
formats. LM (LAN Manager) plus appending and prepending

5. popa3d v0.6.4.1
By: Solar Designer, solar@openwall.com
Relevant URL: http://www.openwall.com/popa3d/
Platforms: Linux, Solaris
Summary: 

popa3d is a POP3 daemon which attempts to be extremely secure, 
reliable, RFC compliant, and fast (in that order).

6. tinysofa enterprise server 2.0-rc1
By: Omar Kilani
Relevant URL: http://www.tinysofa.org
Platforms: Linux, POSIX
Summary: 

tinysofa enterprise server is a secure, server-targeted, enterprise-grade
operating system. It is based on Trustix Secure Linux and includes a
complete distribution port to Python 2.3 and RPM 4.2, an overhauled PAM
authentication system providing system-wide authentication
configuration, the latest upstream packages, the replacement of ncftp with
lftp, the addition of gdb and screen, feature additions to the swup updater
that provide multiple configuration file support, user login FTP support,
enable/disable support, variable expansion support (allows multiple
architectures), and many enhancements.

VII. SPONSOR INFORMATION
------------------------

This Issue is Sponsored By: SecurityFocus

Want to keep up on the latest security vulnerabilities? Don't have time to
visit a myriad of mailing lists and websites to read the news? Just add the
new SecurityFocus RSS feeds to your freeware RSS reader, and see all the
latest posts for Bugtraq and the SF Vulnerability database in one
convenient place. Or, pull in the latest news, columnists and feature
articles in the SecurityFocus aggregated news feed, and stay on top of
what's happening in the community!

http://www.securityfocus.com/rss/index.shtml

------------------------------------------------------------------------