Date: 25 May 2005 15:38:22 -0000
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #237
SecurityFocus Linux Newsletter #237
------------------------------------

Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!

http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

------------------------------------------------------------------------
I. FRONT AND CENTER
     1. Is Deleting Spyware A Crime?
     2. Chrooted Snort on Solaris
     3. Sit Back and React
II. LINUX VULNERABILITY SUMMARY
     1. PServ Symbolic Link Information Disclosure Vulnerability
     2. PostNuke Blocks Module Directory Traversal Vulnerability
     3. PServ Remote Source Code Disclosure Vulnerability
     4. Mozilla Suite And Firefox Multiple Script Manager Security B...
     5. Pserv Directory Traversal Vulnerability
     6. Mozilla Suite And Firefox DOM Property Overrides Code Execut...
     7. Pserv completedPath Remote Buffer Overflow Vulnerability
     8. Multiple Linux Kernel IOCTL Handlers Local Memory Corruption...
     9. bzip2 Remote Denial of Service Vulnerability
     10. MySQL mysql_install_db Insecure Temporary File Creation Vuln...
     11. Cheetah Local Privilege Escalation Vulnerability
     12. Linux Kernel 64 Bit EXT3 Filesystem Extended Attribute Denia...
     13. PPXP Local Privilege Escalation Vulnerability
     14. NetWin SurgeMail Multiple Unspecified Input Validation Vulne...
     15. GDB Multiple Vulnerabilities
     16. Gedit Filename Format String Vulnerability
     17. ImageMagick And GraphicsMagick XWD Decoder Denial Of Service...
III. LINUX FOCUS LIST SUMMARY
     1. Secure Kickstart Installation (Thread)
     2. Bind cache availability... (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. CoreGuard Core Security System
     2. EnCase Forensic Edition
     3. KeyGhost SX
     4. SafeKit
     5. Astaro Linux Firewall
     6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
     1. webcvtsa 0.0.8
     2. Umbrella v0.6
     3. Kernel Socks Bouncer 2.6.11
     4. NuFW 1.0.0
     5. ldapenum 0.02alpha
     6. File System Saint 1.02a

I. FRONT AND CENTER
-------------------
1. Is Deleting Spyware A Crime?
By Mark Rasch
The murky waters that sustain the spyware companies may have a few
unpleasant surprises just beneath the surface.
http://www.securityfocus.com/columnists/329

2. Chrooted Snort on Solaris
By Andre Lue-Fook-Sang
This article discusses installation and configuration of a chrooted Snort
IDS on most versions of Solaris.
http://www.securityfocus.com/infocus/1833

3. Sit Back and React
By Daniel Hanson
As the security industry moves more mainstream, it's becoming stagnant due
to a lack of vision. Who will lead the charge?
http://www.securityfocus.com/columnists/328

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. PServ Symbolic Link Information Disclosure Vulnerability
BugTraq ID: 13634
Remote: No
Date Published: May 16 2005
Relevant URL: http://www.securityfocus.com/bid/13634
Summary:
pServ is prone to an information disclosure vulnerability through 
symbolic link files.  This occurs because the application will follow 
symbolic links to files outside the Web root.

This issue was reported to affect pServ 3.2 and 3.3; other versions are 
likely vulnerable.

2. PostNuke Blocks Module Directory Traversal Vulnerability
BugTraq ID: 13636
Remote: Yes
Date Published: May 16 2005
Relevant URL: http://www.securityfocus.com/bid/13636
Summary:
PostNuke Blocks module is affected by a directory traversal 
vulnerability. 

The problem presents itself when an attacker passes a name for a target 
file, along with directory traversal sequences, to the affected 
application.

An attacker may leverage this issue to disclose arbitrary files on an 
affected computer.  It was also reported that an attacker can supply 
NULL bytes with a target file name.  This may aid in other attacks such as 
crashing the server.

3. PServ Remote Source Code Disclosure Vulnerability
BugTraq ID: 13638
Remote: Yes
Date Published: May 16 2005
Relevant URL: http://www.securityfocus.com/bid/13638
Summary:
pServ is affected by a remote source code disclosure vulnerability.

When handling a specially-crafted URI request, the application 
discloses the source code of scripts in the 'cgi-bin' directory.

Information gathered through this attack could be used to launch 
further attacks against a system.

4. Mozilla Suite And Firefox Multiple Script Manager Security B...
BugTraq ID: 13641
Remote: Yes
Date Published: May 16 2005
Relevant URL: http://www.securityfocus.com/bid/13641
Summary:
Multiple issues exist in Mozilla Suite and Firefox. These issues allow 
attackers to bypass security checks in the script security manager.

Security checks in the script security manager are designed to prevent 
script injection vulnerabilities.

An attacker sending certain undisclosed JavaScript in 'view-source:' 
and 'jar:' pseudo-protocol URIs may bypass these security checks.

An undisclosed, nested URI, as well as a variant of BID 13216 are 
reportedly also able to bypass security checks.

These vulnerabilities allow remote attackers to execute script code 
with elevated privileges, leading to the installation and execution of 
malicious applications on an affected computer. Cross-site scripting and 
other attacks are also likely possible.

The vendor has not provided enough information to determine how many 
specific instances of the issue were addressed, and has not clarified 
whether or not they have addressed a single general vulnerability or 
multiple specific vulnerabilities. This BID may be split into its separate 
issues as further information is disclosed.

Further details are scheduled to be released in the future. This BID 
will be updated at that time.

5. Pserv Directory Traversal Vulnerability
BugTraq ID: 13642
Remote: Yes
Date Published: May 16 2005
Relevant URL: http://www.securityfocus.com/bid/13642
Summary:
pServ is prone to a directory traversal vulnerability.  This occurs 
because the application does not implement a proper method for filtering 
directory traversal sequences from URIs.  Since this can be done from 
the cgi-bin directory, it is possible to execute commands to which the 
Web server has permission.

This issue was reported to affect pServ version 3.2; earlier versions 
are likely vulnerable.

6. Mozilla Suite And Firefox DOM Property Overrides Code Execut...
BugTraq ID: 13645
Remote: Yes
Date Published: May 16 2005
Relevant URL: http://www.securityfocus.com/bid/13645
Summary:
Mozilla Suite and Mozilla Firefox are affected by a code execution 
vulnerability.  This issue is due to a failure in the application to 
properly verify Document Object Model (DOM) property values.

An attacker may leverage this issue to execute arbitrary code with the 
privileges of the user that activated the vulnerable Web browser, 
ultimately facilitating a compromise of the affected computer.

This issue is reportedly a variant of BID 13233. Further details are 
scheduled to be released in the future, and this BID will be updated 
accordingly.

7. Pserv completedPath Remote Buffer Overflow Vulnerability
BugTraq ID: 13648
Remote: Yes
Date Published: May 16 2005
Relevant URL: http://www.securityfocus.com/bid/13648
Summary:
pServ is prone to a remotely exploitable buffer overflow vulnerability.  
The issue occurs because proper boundary checks are not performed, 
allowing an internal buffer to be overrun.  This vulnerability could 
potentially be exploited to execute arbitrary code in the context of the 
Web server.

This issue was fixed in pServ 3.3; earlier versions are likely 
vulnerable.

8. Multiple Linux Kernel IOCTL Handlers Local Memory Corruption...
BugTraq ID: 13651
Remote: No
Date Published: May 17 2005
Relevant URL: http://www.securityfocus.com/bid/13651
Summary:
The Linux kernel raw device and pktcdvd block device ioctl handlers are 
reported prone to local kernel-based memory corruption vulnerabilities. 
The issues manifest due to a lack of sanity checks performed on 
argument values that are passed to the 'raw_ioctl()' and 'pkt_ioctl()' 
functions.

A local attacker that has read access to a sufficient block device 
may leverage this memory corruption to execute arbitrary 
attacker-supplied code in the context of the system kernel (ring-0).

9. bzip2 Remote Denial of Service Vulnerability
BugTraq ID: 13657
Remote: Yes
Date Published: May 17 2005
Relevant URL: http://www.securityfocus.com/bid/13657
Summary:
bzip2 is prone to a remote denial of service vulnerability.  This issue 
arises when the application processes malformed archives. 

A successful attack can result in resource exhaustion and trigger a 
denial of service condition.

bzip2 version 1.0.2 is reportedly affected by this issue.  Other 
versions are likely vulnerable as well.

10. MySQL mysql_install_db Insecure Temporary File Creation Vuln...
BugTraq ID: 13660
Remote: No
Date Published: May 17 2005
Relevant URL: http://www.securityfocus.com/bid/13660
Summary:
MySQL is reportedly affected by a vulnerability that can allow local 
attackers to gain unauthorized access to the database or gain elevated 
privileges.  This issue results from a design error due to the creation 
of temporary files in an insecure manner.

The vulnerability affects the 'mysql_install_db' script.

Due to the nature of the script it may be possible to create database 
accounts or gain elevated privileges.

MySQL versions prior to 4.0.12 and MySQL 5.x releases 5.0.4 and prior 
versions are reported to be affected.

11. Cheetah Local Privilege Escalation Vulnerability
BugTraq ID: 13662
Remote: No
Date Published: May 17 2005
Relevant URL: http://www.securityfocus.com/bid/13662
Summary:
Cheetah is prone to a local privilege escalation vulnerability.

The issue arises because the application imports modules from the 
'/tmp' directory before searching for the path from the 'PYTHONPATH' 
variable.

This can result in arbitrary code execution granting elevated 
privileges to an attacker.

Cheetah versions prior to 0.9.17-rc1 are affected by this issue.

12. Linux Kernel 64 Bit EXT3 Filesystem Extended Attribute Denia...
BugTraq ID: 13680
Remote: No
Date Published: May 19 2005
Relevant URL: http://www.securityfocus.com/bid/13680
Summary:
The Linux Kernel is prone to a local denial of service vulnerability. 
Reports indicate the issue manifests on 64-bit platforms and is because 
of a flaw present in offset handling for the extended attribute file 
system code.

A local attacker may trigger this issue to crash the system kernel.

13. PPXP Local Privilege Escalation Vulnerability
BugTraq ID: 13681
Remote: No
Date Published: May 19 2005
Relevant URL: http://www.securityfocus.com/bid/13681
Summary:
ppxp is prone to a local privilege escalation vulnerability.  An 
attacker may abuse the issue to open a shell with superuser privileges.

14. NetWin SurgeMail Multiple Unspecified Input Validation Vulne...
BugTraq ID: 13689
Remote: Yes
Date Published: May 19 2005
Relevant URL: http://www.securityfocus.com/bid/13689
Summary:
Multiple unspecified vulnerabilities affect SurgeMail. Reportedly, 
these issues are due to a failure of the application to properly sanitize 
user-supplied input prior to employing it in critical locations 
including dynamic content.  A successful attack may allow attackers to execute 
arbitrary HTML and script code in a user's browser.

SurgeMail 3.0c2 is reported to be affected by these issues.  Other 
versions may be vulnerable as well.

Due to a lack of details, further information cannot be provided at the 
moment.  This BID will be updated when more details are available.

15. GDB Multiple Vulnerabilities
BugTraq ID: 13697
Remote: Yes
Date Published: May 20 2005
Relevant URL: http://www.securityfocus.com/bid/13697
Summary:
GDB is reportedly affected by multiple vulnerabilities.  These issues 
can allow an attacker to execute arbitrary code and commands on an 
affected computer.  A successful attack may result in the attacker gaining 
elevated privileges or unauthorized access.

The following specific issues were identified:

The application is affected by a remote heap overflow vulnerability 
when loading malformed object files.

Another vulnerability affecting the application may allow local 
attackers to gain elevated privileges.

GDB 6.3 is reportedly affected by these issues.  Other versions are 
likely vulnerable as well.

16. Gedit Filename Format String Vulnerability
BugTraq ID: 13699
Remote: Yes
Date Published: May 30 2005
Relevant URL: http://www.securityfocus.com/bid/13699
Summary:
gEdit is prone to a format string vulnerability.  Exploitation may 
occur when the program is invoked with a filename that includes malicious 
format specifiers.  This issue could be exploited to corrupt arbitrary 
regions of memory with attacker-supplied data, potentially resulting in 
execution of arbitrary code in the context of the user running the 
program.

17. ImageMagick And GraphicsMagick XWD Decoder Denial Of Service...
BugTraq ID: 13705
Remote: Yes
Date Published: May 21 2005
Relevant URL: http://www.securityfocus.com/bid/13705
Summary:
A remote, client-side denial of service vulnerability affects 
ImageMagick and GraphicsMagick.  This issue is due to a failure of the 
application to handle malformed XWD image files.

A remote attacker may leverage this issue to cause the affected 
application to enter into an infinite loop condition, consuming CPU resources 
on the affected computer, denying service to legitimate users.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. Secure Kickstart Installation (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/398817

2. Bind cache availability... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/398739

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary: 

CoreGuard System profile

The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates all
the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.

CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets
* Protect data at rest from unauthorized viewing by external attackers
and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
administration
* Ensure host & application integrity
* Block malicious code, including zero-day exploits

2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, 
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: 
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary: 

EnCase Forensic Edition Version 4 delivers the most advanced features 
for computer forensics and investigations. With an intuitive GUI and 
superior performance, EnCase Version 4 provides investigators with the 
tools to conduct large-scale and complex investigations with accuracy and 
efficiency. Guidance Software's award winning solution yields 
completely non-invasive computer forensic investigations while allowing 
examiners to easily manage large volumes of computer evidence and view all 
relevant files, including "deleted" files, file slack and unallocated 
space. 

The integrated functionality of EnCase allows the examiner to perform 
all functions of the computer forensic investigation process. EnCase's 
EnScript, a powerful macro-programming language and API included within 
EnCase, allows investigators to build customized and reusable forensic 
scripts.

3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, 
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary: 

KeyGhost SX discreetly captures and records all keystrokes typed, 
including chat conversations, email, word processor, or even activity within 
an accounting or specialist system. It is completely undetectable by 
software scanners and provides you with one of the most powerful stealth 
surveillance applications offered anywhere. 

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded 
data in its own internal memory (not on the hard drive), it is 
impossible for a network intruder to gain access to any sensitive data stored 
within the device.

4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary: 

Evidian's SafeKit technology makes it possible to render any 
application available 24 hours per day. With no extra hardware: just use your 
existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to 
do is add more standard servers into the cluster. With the load 
balancing features of SafeKit, you can distribute applications over multiple 
servers. If one system fails completely, the others will continue to 
serve your users.

5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary: 

Astaro Linux Firewall: All-in-one firewall, virus protection, content 
filtering and spam protection internet security software package for 
Linux. Free download for home users.

6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris, 
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary: 

Low cost, easy to use Two Factor Authentication One Time Password token 
using the Cellular. Does not use SMS or communication, manages multiple 
OTP accounts - new technology. For any business that wants safer 
access to its Internet Services. More information at our site.

We also provide eAuthentication service for businesses that will not 
buy an Authentication product but would prefer to pay a monthly charge 
for authentication services from our CAT Server.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. webcvtsa 0.0.8
By: Paolo Ardoino
Relevant URL: http://cvtsa.sourceforge.net/
Platforms: Linux
Summary: 

WEBCVTSA is a tool that allows users to administrate their computers 
[running GNU/Linux] using a form on a web page to post commands.

2. Umbrella v0.6
By: Umbrella
Relevant URL: http://umbrella.sourceforge.net/
Platforms: Linux
Summary: 

Umbrella is a security mechanism that implements a combination of 
Process-Based Access Control (PBAC) and authentication of binaries through 
Digital Signed Binaries (DSB). The scheme is designed for Linux-based 
consumer electronic devices ranging from mobile phones to settop boxes.

Umbrella is implemented on top of the Linux Security Modules (LSM) 
framework. The PBAC scheme is enforced by a set of restrictions on each 
process.

3. Kernel Socks Bouncer 2.6.11
By: Paolo Ardoino
Relevant URL: http://ksb.sourceforge.net/
Platforms: Linux
Summary: 

Kernel Socks Bouncer is a Linux Kernel 2.6.x patch that redirects tcp 
connections [SSH, telnet, browsers...] to follow through socks5. KSB26 
uses a character device to pass socks5 and target ips to the Linux 
Kernel.

4. NuFW 1.0.0
By: INL
Relevant URL: http://www.nufw.org
Platforms: Linux
Summary: 

NuFW performs an authentication of every single connection passing 
through the IP filter, by transparently requesting the user's credentials 
before any filtering decision is taken. Practically, this brings the notion 
of user ID down to the IP layers.

5. ldapenum 0.02alpha
By: Roni Bachar & Sol Zehnwirth
Relevant URL: https://sourceforge.net/projects/ldapenum
Platforms: Linux, Perl (any system supporting perl), Windows 2000, 
Windows 95/98, Windows NT, Windows XP
Summary: 

ldapenum is a Perl script designed to enumerate system and password 
information from domain controllers using the LDAP service when IPC$ is 
locked. The script has been tested on Windows and Linux.

6. File System Saint 1.02a
By: Joshua Fritsch
Relevant URL: http://www.unixgeeks.org/saint
Platforms: Linux, UNIX
Summary: 

A fast, flexible, lightweight perl-based host IDS.
