Date: 23 Nov 2004 18:24:23 -0000
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #211
SecurityFocus Linux Newsletter #211
------------------------------------

This Issue is Sponsored By: Symantec

Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!

http://www.securityfocus.com/sponsor/Symantec_linux-secnews_041123

------------------------------------------------------------------------
I. FRONT AND CENTER
     1. Detecting Rootkits And Kernel-level Compromises In Linux
     2. Bill Gates Is Right?
     3. SSH and ssh-agent
II. LINUX VULNERABILITY SUMMARY
     1. Samba QFILEPATHINFO Unicode Filename Remote Buffer Overflow ...
     2. Fcron FCronTab/FCronSighUp Multiple Local Vulnerabilities
     3. MiniBB Remote SQL Injection Vulnerability
     4. LibXPM Multiple Unspecified Vulnerabilities
     5. Linux Kernel SMBFS Multiple Remote Vulnerabilities
     6. Cscope Insecure Temporary File Creation Vulnerabilities
     7. Gentoo GIMPS EBuild Insecure Default Permissions Vulnerabili...
     8. Gentoo SETI@home EBuild Insecure Default Permissions Vulnera...
     9. Gentoo ChessBrain EBuild Insecure Default Permissions Vulner...
     10. PHPBB Admin_cash.PHP Remote PHP File Include Vulnerability
     11. Invision Power Board Index.PHP Post Action SQL Injection Vul...
     12. Danware NetOp Remote Control Information Disclosure Vulnerab...
     13. Opera Web Browser Java Implementation Multiple Remote Vulner...
     14. Linux Kernel AF_UNIX Arbitrary Kernel Memory Modification Vu...
III. LINUX FOCUS LIST SUMMARY
     1. locking idle text consoles (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. CoreGuard Core Security System
     2. EnCase Forensic Edition
     3. KeyGhost SX
     4. SafeKit
     5. Astaro Linux Firewall
     6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
     1. AutoScan b0.92 R6
     2. ksb26-2.6.9 Kernel Socks Bouncer for 2.6.x kernels 2.6.9
     3. rootsh 0.2
     4. Maillog View  v1.03.3
     5. BullDog Firewall 20040918
     6. PIKT - Problem Informant/Killer Tool v1.17.0
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Detecting Rootkits And Kernel-level Compromises In Linux
By Mariusz Burdach

This article outlines useful ways of detecting hidden modifications to a
Linux kernel. Often known as rootkits, these stealthy types of malware are
installed in the kernel and require special techniques by incident handlers
and Linux system administrators to be detected.

http://www.securityfocus.com/infocus/1811


2. Bill Gates Is Right?
By Scott Granneman

Bill Gates is right about one thing: asking people to use a two-factor form
of authentication would go a long way toward alleviating a lot of the
password problems that plague computer security today.

http://www.securityfocus.com/columnists/277


3. SSH and ssh-agent
By Brian Hatch

This article discusses how to take SSH Identity/Pubkey trust relationships
to the next level, by using ssh-agent as a keymaster to manage a user's
authentication needs automatically.

http://www.securityfocus.com/infocus/1812

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Samba QFILEPATHINFO Unicode Filename Remote Buffer Overflow ...
BugTraq ID: 11678
Remote: Yes
Date Published: Nov 15 2004
Relevant URL: http://www.securityfocus.com/bid/11678
Summary:
Samba is reported prone to a remote buffer overflow vulnerability.  
This issue presents itself because the application does not perform proper 
boundary checks before copying user-supplied data into finite sized 
process buffers.  This issue can allow an attacker to execute arbitrary 
code on a vulnerable computer to gain unauthorized access.

This vulnerability is reported to affect Samba versions 3.0.0 to 3.0.7.

2. Fcron FCronTab/FCronSighUp Multiple Local Vulnerabilities
BugTraq ID: 11684
Remote: No
Date Published: Nov 15 2004
Relevant URL: http://www.securityfocus.com/bid/11684
Summary:
Fcron is reported prone to multiple local vulnerabilities. The 
following issues are reported:

A local information disclosure vulnerability is reported to affect 
fcronsighup. It is reported that the affected utility will attempt to parse 
configuration files that are passed to the utility as a command line 
argument.

A local attacker may exploit this condition to reveal the contents of 
arbitrary files that are owned by the superuser. This vulnerability is 
assigned the following MITRE CVE identifier: CAN-2004-1030.

An access control bypass vulnerability is also reported to affect 
fcronsighup. It is reported that the issue exists due to a design error.

A local attacker may exploit this vulnerability to make configuration 
changes to fcronsighup. This vulnerability is assigned the following 
MITRE CVE identifier: CAN-2004-1031.

fcronsighup is reported prone to an arbitrary file deletion 
vulnerability. By exploiting the aforementioned access control bypass 
vulnerability, a local attacker may influence the fcronsighup configuration and may 
cause the application to overwrite arbitrary attacker specified files. 
This vulnerability is assigned the following MITRE CVE identifier: 
CAN-2004-1032.

Finally it is reported that the fcrontab component of Fcron leaks file 
descriptors. This can result in sensitive information disclosure. 
Specifically, fcrontab leaks the file descriptors of the '/etc/fcron.allow' 
and '/etc/fcron.deny' files. This vulnerability is assigned the 
following MITRE CVE identifier: CAN-2004-1033.

3. MiniBB Remote SQL Injection Vulnerability
BugTraq ID: 11688
Remote: Yes
Date Published: Nov 16 2004
Relevant URL: http://www.securityfocus.com/bid/11688
Summary:
miniBB is reported vulnerable to remote SQL injection. This issue is 
due to a failure of the application to properly validate user-supplied 
input prior to including it in an SQL query. 

miniBB versions prior to 1.7f are reported prone to this issue.

4. LibXPM Multiple Unspecified Vulnerabilities
BugTraq ID: 11694
Remote: Yes
Date Published: Nov 17 2004
Relevant URL: http://www.securityfocus.com/bid/11694
Summary:
libXpm is reported prone to multiple vulnerabilities. These issues may 
be triggered when handling malformed XPM images. The following issues 
are reported:
Integer overflow vulnerabilities, out-of-bounds memory access 
vulnerabilities, a shell command execution vulnerability, a path traversal 
vulnerability, and endless loop vulnerabilities.

The details regarding each of these issues are not specified at the
time of writing. However, this BID will be updated as further details
regarding these vulnerabilities become available.

5. Linux Kernel SMBFS Multiple Remote Vulnerabilities
BugTraq ID: 11695
Remote: Yes
Date Published: Nov 17 2004
Relevant URL: http://www.securityfocus.com/bid/11695
Summary:
The Linux kernel is reported susceptible to multiple remote 
vulnerabilities in the SMBFS network file system.

These vulnerabilities may lead to the execution of attacker-supplied 
machine code, information disclosure of kernel memory, or kernel crashes, 
denying service to legitimate users.

Versions of the kernel in both the 2.4, and the 2.6 series are reported 
susceptible to various issues.

6. Cscope Insecure Temporary File Creation Vulnerabilities
BugTraq ID: 11697
Remote: No
Date Published: Nov 17 2004
Relevant URL: http://www.securityfocus.com/bid/11697
Summary:
Cscope is reportedly affected by insecure temporary file creation 
vulnerabilities. These issues are due to a design error that causes the 
application to fail to verify the existence of a file before writing to it.

It is reported that during execution the affected utility creates 
temporary files in the system's temporary directory, '/tmp', with 
predictable names. This allows attackers to create malicious symbolic links that 
will be written to by the vulnerable utility when an unsuspecting user 
executes it.

An attacker may leverage these issues to overwrite arbitrary files with 
the privileges of an unsuspecting user that activates the vulnerable 
application.

Versions up to and including version 15.5 are reported vulnerable.
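The temp-file race the Cscope entry describes, shown with an added C illustration that is not Cscope's own code: an open() on a predictable name follows a planted symlink and truncates its target, while an O_CREAT|O_EXCL open and mkstemp() do not. The private directory, the "precious" file and the "cscope.out" name are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed illustration, not Cscope's code: a fixed, guessable name
 * opened with O_CREAT but no O_EXCL. If a symlink was planted at that
 * path beforehand, open() follows it and O_TRUNC empties the link's
 * target with the caller's privileges. */
static int open_tmp_predictable(const char *dir, const char *name)
{
    char path[128];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened variant: with O_CREAT|O_EXCL, open() fails (EEXIST) if anything
 * already sits at the path, a symlink included, so nothing is truncated.
 * O_NOFOLLOW can be added as a further belt-and-braces check. */
static int open_tmp_exclusive(const char *dir, const char *name)
{
    char path[128];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred fix: an unpredictable name created atomically with O_EXCL.
 * Returns 1 if mkstemp() produced a fresh file, 0 otherwise. */
int create_unpredictable_tmp(void)
{
    char path[] = "/tmp/cscope.XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    close(fd);
    unlink(path);
    return strstr(path, "XXXXXX") == NULL;   /* template was filled in */
}

/* Stage the scenario from the advisory inside a private directory: plant
 * a symlink at the predictable name pointing at a "precious" file, then
 * let the opener run as the unsuspecting user would. Returns 1 if the
 * precious file was truncated, 0 if it survived, -1 on setup failure. */
int simulate(int (*opener)(const char *, const char *))
{
    char dir[] = "/tmp/tmpdemo.XXXXXX", precious[128], lnk[128];
    struct stat st;
    int fd, clobbered;
    if (!mkdtemp(dir)) return -1;
    snprintf(precious, sizeof precious, "%s/precious", dir);
    snprintf(lnk, sizeof lnk, "%s/cscope.out", dir);
    fd = open(precious, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "keep me", 7) != 7) return -1;
    close(fd);
    if (symlink(precious, lnk) != 0) return -1;
    fd = opener(dir, "cscope.out");           /* the victim's open() */
    if (fd >= 0) close(fd);
    clobbered = (stat(precious, &st) == 0 && st.st_size == 0);
    unlink(lnk); unlink(precious); rmdir(dir);
    return clobbered;
}
```

simulate(open_tmp_predictable) returns 1 (the target was truncated) and simulate(open_tmp_exclusive) returns 0; the demo directory is mode 0700 and owned by the caller, so the kernel's protected_symlinks restriction for sticky world-writable directories does not interfere.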

7. Gentoo GIMPS EBuild Insecure Default Permissions Vulnerabili...
BugTraq ID: 11698
Remote: No
Date Published: Nov 17 2004
Relevant URL: http://www.securityfocus.com/bid/11698
Summary:
The Gentoo GIMPS eBuild package is reported prone to a weak default 
permissions vulnerability.

A local attacker may exploit this vulnerability to escalate privileges.

8. Gentoo SETI@home EBuild Insecure Default Permissions Vulnera...
BugTraq ID: 11699
Remote: No
Date Published: Nov 17 2004
Relevant URL: http://www.securityfocus.com/bid/11699
Summary:
The Gentoo SETI@home eBuild package is reported prone to a weak default 
permissions vulnerability.

A local attacker may exploit this vulnerability to escalate privileges.

9. Gentoo ChessBrain EBuild Insecure Default Permissions Vulner...
BugTraq ID: 11700
Remote: No
Date Published: Nov 17 2004
Relevant URL: http://www.securityfocus.com/bid/11700
Summary:
The Gentoo ChessBrain eBuild package is reported prone to a weak 
default permissions vulnerability.

A local attacker may exploit this vulnerability to escalate privileges.

10. PHPBB Admin_cash.PHP Remote PHP File Include Vulnerability
BugTraq ID: 11701
Remote: Yes
Date Published: Nov 17 2004
Relevant URL: http://www.securityfocus.com/bid/11701
Summary:
A vulnerability is reported to exist in the phpBB Cash_Mod module that 
may allow an attacker to include malicious PHP files containing 
arbitrary code to be executed on a vulnerable system.

Remote attackers could potentially exploit this issue via a vulnerable 
variable to include a remote malicious PHP script, which will be 
executed in the context of the web server hosting the vulnerable software.

11. Invision Power Board Index.PHP Post Action SQL Injection Vul...
BugTraq ID: 11703
Remote: Yes
Date Published: Nov 18 2004
Relevant URL: http://www.securityfocus.com/bid/11703
Summary:
A remote SQL injection vulnerability affects Invision Power Board.
This issue is due to a failure of the application to properly validate
user-supplied input prior to using it in an SQL query.

An attacker may leverage this issue to manipulate SQL query strings and 
potentially carry out arbitrary database queries.  This may facilitate 
the disclosure or corruption of sensitive database information.

12. Danware NetOp Remote Control Information Disclosure Vulnerab...
BugTraq ID: 11710
Remote: Yes
Date Published: Nov 19 2004
Relevant URL: http://www.securityfocus.com/bid/11710
Summary:
It is reported that NetOp Remote Control is susceptible to an 
information disclosure vulnerability.

This vulnerability reportedly allows remote attackers to discern the 
name of the user that is logged in and the internal IP address and 
hostname of the targeted computer. This information may aid malicious users 
in further attacks.

Versions prior to 7.65 build 2004278 are reported vulnerable to this 
issue.

13. Opera Web Browser Java Implementation Multiple Remote Vulner...
BugTraq ID: 11712
Remote: Yes
Date Published: Nov 19 2004
Relevant URL: http://www.securityfocus.com/bid/11712
Summary:
Multiple remote vulnerabilities reportedly affect the Opera Web Browser 
Java implementation.  These issues are due to the insecure proprietary 
design of the Web browser's Java implementation.

These issues may allow an attacker to craft a Java applet that violates
Sun's Java secure programming guidelines.

These issues may be leveraged to carry out a variety of unspecified 
attacks including sensitive information disclosure and denial of service 
attacks.  Any successful exploitation would take place with the 
privileges of the user running the affected browser application.

Although only version 7.54 is reportedly vulnerable, it is likely that 
earlier versions are vulnerable to these issues as well.

14. Linux Kernel AF_UNIX Arbitrary Kernel Memory Modification Vu...
BugTraq ID: 11715
Remote: No
Date Published: Nov 19 2004
Relevant URL: http://www.securityfocus.com/bid/11715
Summary:
It is reported that a serialization error exists in the AF_UNIX address 
family that creates a race condition. This race condition reportedly 
allows local users to repeatedly increment arbitrary kernel memory 
locations.

This vulnerability allows local users to modify arbitrary kernel 
memory, facilitating privilege escalation, or possibly allowing code 
execution in the context of the kernel.

Versions prior to 2.4.28 are reportedly affected by this vulnerability.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. locking idle text consoles (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/381905

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary: 

CoreGuard System profile

The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates all
the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.

CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets
* Protect data at rest from unauthorized viewing by external attackers
and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
administration
* Ensure host & application integrity
* Block malicious code, including zero-day exploits

2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, 
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: 
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary: 

EnCase Forensic Edition Version 4 delivers the most advanced features 
for computer forensics and investigations. With an intuitive GUI and 
superior performance, EnCase Version 4 provides investigators with the 
tools to conduct large-scale and complex investigations with accuracy and 
efficiency. Guidance Software's award-winning solution yields
completely non-invasive computer forensic investigations while allowing 
examiners to easily manage large volumes of computer evidence and view all 
relevant files, including "deleted" files, file slack and unallocated 
space. 

The integrated functionality of EnCase allows the examiner to perform 
all functions of the computer forensic investigation process. EnCase's 
EnScript, a powerful macro-programming language and API included within 
EnCase, allows investigators to build customized and reusable forensic 
scripts.

3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, 
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary: 

KeyGhost SX discreetly captures and records all keystrokes typed, 
including chat conversations, email, word processor, or even activity within 
an accounting or specialist system. It is completely undetectable by 
software scanners and provides you with one of the most powerful stealth 
surveillance applications offered anywhere. 

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded 
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data stored 
within the device.

4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary: 

Evidian's SafeKit technology makes it possible to render any 
application available 24 hours per day. With no extra hardware: just use your 
existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to 
do is add more standard servers into the cluster. With the load 
balancing features of SafeKit, you can distribute applications over multiple 
servers. If one system fails completely, the others will continue to 
serve your users.

5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary: 

Astaro Linux Firewall: All-in-one firewall, virus protection, content 
filtering and spam protection internet security software package for 
Linux. 
Free download for home users.

6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris, 
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary: 

Low cost, easy to use Two Factor Authentication One Time Password token
using a cellular phone. Does not use SMS or communication, manages multiple
OTP accounts - new technology. For any business that wants safer
access to its Internet Services. More information at our site.

We also provide an eAuthentication service for businesses that will not
buy an Authentication product but would prefer to pay a monthly charge
for authentication services from our CAT Server.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. AutoScan b0.92 R6
By: Lagarde Thierry
Relevant URL: http://autoscan.free.fr/
Platforms: Linux
Summary: 

AutoScan is an application designed to explore and to manage your 
network. Entire subnets can be scanned simultaneously without human 
intervention. It features OS detection, automatic network discovery, a port 
scanner, a Samba share browser, and the ability to save the network state.

2. ksb26-2.6.9 Kernel Socks Bouncer for 2.6.x kernels 2.6.9
By: Paolo Ardoino
Relevant URL: http://ardoino.altervista.org/kernel.php
Platforms: Linux
Summary: 

KSB26 [Kernel Socks Bouncer] is a Linux Kernel 2.6.x patch that redirects
full TCP connections [SSH, telnet, ...] to follow through socks5. KSB26
uses a character device to pass socks5 and target IPs to the Linux
Kernel. I have chosen to write in kernel space to enjoy myself [I know
that there are easier and safer ways to write this in userspace].

3. rootsh 0.2
By: Gerhard Lausser
Relevant URL: http://sourceforge.net/projects/rootsh/
Platforms: AIX, HP-UX, Linux, POSIX, SINIX, Solaris, UNIX
Summary: 

Rootsh is a wrapper for shells which logs all echoed keystrokes and
terminal output to a file and/or to syslog. Its main purpose is the
auditing of users who need a shell with root privileges. They start rootsh
through the sudo mechanism. It's in heavy use here at a big Bavarian car
manufacturer (three letters, fast, cool,...) for project users whom you
can't deny root privileges.

4. Maillog View  v1.03.3
By: Angelo 'Archie' Amoruso
Relevant URL: http://www.netorbit.it/modules.html
Platforms: Linux
Summary: 

Maillog View is a Webmin module that allows you to easily view all your 
/var/log/maillog.* files. It features autorefresh, message size 
indication, ascending/descending view order, compressed file support, and a 
full statistics page. Sendmail, Postfix, Exim, and Qmail (partially) are 
supported. Courier MTA support is experimental.

5. BullDog Firewall 20040918
By: Robert APM Darin
Relevant URL: http://tanaya.net/BullDog
Platforms: Linux
Summary: 

Bulldog is a powerful but lightweight firewall for heavy use systems. 
With many features, this firewall can be used by anyone who wants to 
protect his/her systems.

This system allows dynamic and static rule sets for maximum protection
and has several advanced features.

This firewall will work for the hobbyist or a military base. Generation 
7 is a complete rewrite and redesign from scratch.

Be prepared to spend some time setting this up.

6. PIKT - Problem Informant/Killer Tool v1.17.0
By: Robert Osterlund, robert.osterlund@gsb.uchicago.edu
Relevant URL: http://pikt.org
Platforms: AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS
Summary: 

PIKT is a cross-categorical, multi-purpose toolkit to monitor and 
configure computer systems, organize system security, format documents, 
assist command-line work, and perform other common systems administration 
tasks.

PIKT's primary purpose is to report and fix problems, but its 
flexibility and extendibility evoke many other uses limited only by your 
imagination.

VII. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored By: Symantec