Date: Tue, 28 Jun 2005 16:06:30 -0600
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #241
SecurityFocus Linux Newsletter #241
----------------------------------------

This Issue is Sponsored By: Black Hat

Attend the Black Hat Briefings & Training USA, July 23-28, 2005 in Las 
Vegas. World renowned security experts reveal tomorrow's threats today. 
Free of vendor pitches, the Briefings are designed to be pragmatic 
regardless of your security environment. Featuring 29 hands-on training 
courses and 10 conference tracks, networking opportunities with over 2,000 
delegates from 30+ nations. 

http://www.securityfocus.com/sponsor/BlackHat_sf-news_050628

------------------------------------------------------------------
I.   FRONT AND CENTER
       1. Where's the threat?
       2. Software Firewalls: Made of Straw? Part 2 of 2
II.  LINUX VULNERABILITY SUMMARY
       1. Edgewall Software Trac Unauthorized File Upload/Download Vulnerability
       2. Todd Miller Sudo Local Race Condition Vulnerability
       3. Novell NetMail Patch Packaging Insecure File Permissions Vulnerability
       4. Yukihiro Matsumoto Ruby XMLRPC Server Unspecified Command Execution Vulnerability
       5. Tor Arbitrary Memory Information Disclosure Vulnerability
       6. RaXnet Cacti Multiple SQL Injection Vulnerabilities
       7. RaXnet Cacti Config_Settings.PHP Remote File Include Vulnerability
       8. RaXnet Cacti Top_Graph_Header.PHP Remote File Include Vulnerability
       9. Asterisk Manager Interface Command Processing Remote Buffer Overflow Vulnerability
       10. Linux Kernel Unauthorized SCSI Command Vulnerability
       11. Simple Machines Msg Parameter SQL Injection Vulnerability
       12. Linux Kernel 64 Bit AR-RSC Register Access Validation Vulnerability
       13. Linux Kernel Subthread Exec Local Denial Of Service Vulnerability
       14. PHP-Nuke Avatar HTML Injection Vulnerability
       15. IBM DB2 Universal Database Unspecified Authorization Bypass Vulnerability
       16. Clam Anti-Virus ClamAV Unspecified Quantum Decompressor Denial Of Service Vulnerability
III. LINUX FOCUS LIST SUMMARY
       1. Apache issue
V.   SPONSOR INFORMATION

I.   FRONT AND CENTER
---------------------
1. Where's the threat?
By Matthew Tanase
I'm sure everyone remembers the story of Goldilocks and the three bears
http://www.securityfocus.com/columnists/335

2. Software Firewalls: Made of Straw? Part 2 of 2
By Israel G. Lugo, Don Parker
In part two we look at how easily the firewall's operation can be 
circumvented by inserting a malicious Trojan into the network stack itself.
http://www.securityfocus.com/infocus/1840


II.  LINUX VULNERABILITY SUMMARY
------------------------------------
1. Edgewall Software Trac Unauthorized File Upload/Download Vulnerability
BugTraq ID: 13990
Remote: Yes
Date Published: 2005-06-20
Relevant URL: http://www.securityfocus.com/bid/13990
Summary:
Trac is affected by an unauthorized file upload/download vulnerability.

This issue can lead to information disclosure and unauthorized remote 
access as an attacker can place and execute malicious PHP scripts on an 
affected computer.

Trac 0.8.3 and prior versions are affected by this issue.

2. Todd Miller Sudo Local Race Condition Vulnerability
BugTraq ID: 13993
Remote: No
Date Published: 2005-06-20
Relevant URL: http://www.securityfocus.com/bid/13993
Summary:
Sudo is prone to a local race condition vulnerability. The issue only 
manifests under certain conditions, specifically, when the sudoers 
configuration file contains a pseudo-command 'ALL' that directly follows a 
user's sudoers entry.

When the aforementioned configuration exists, this issue may be 
leveraged by local attackers to execute arbitrary executables with escalated 
privileges. This may be accomplished by creating symbolic links to 
target files.



3. Novell NetMail Patch Packaging Insecure File Permissions Vulnerability
BugTraq ID: 14005
Remote: No
Date Published: 2005-06-21
Relevant URL: http://www.securityfocus.com/bid/14005
Summary:
Novell NetMail is susceptible to an insecure file permissions 
vulnerability. This issue is due to a flaw in the patch packaging system used to 
update NetMail. This vulnerability only presents itself on Linux 
installations of NetMail.

This vulnerability allows local attackers to modify or replace NetMail 
binaries. This will result in the compromise of the NetMail account.

Computers running versions 3.52A, 3.52B, or 3.52C on Linux are affected 
by this issue.

4. Yukihiro Matsumoto Ruby XMLRPC Server Unspecified Command Execution Vulnerability
BugTraq ID: 14016
Remote: Yes
Date Published: 2005-06-21
Relevant URL: http://www.securityfocus.com/bid/14016
Summary:
Ruby is affected by an unspecified command execution vulnerability. 
Reportedly, this issue affects the XMLRPC server.

It may be possible for an attacker to gain unauthorized access to an 
affected computer by exploiting this issue.

Ruby 1.8.2 is known to be affected by this issue; however, other 
versions may be affected as well.


5. Tor Arbitrary Memory Information Disclosure Vulnerability
BugTraq ID: 14024
Remote: Yes
Date Published: 2005-06-21
Relevant URL: http://www.securityfocus.com/bid/14024
Summary:
Tor is prone to an arbitrary memory information disclosure 
vulnerability.

A remote attacker could exploit this vulnerability to gain sensitive 
information, possibly private keys.

This issue is reported to affect Tor versions prior to 0.1.0.10.

6. RaXnet Cacti Multiple SQL Injection Vulnerabilities
BugTraq ID: 14027
Remote: Yes
Date Published: 2005-06-22
Relevant URL: http://www.securityfocus.com/bid/14027
Summary:
Cacti is prone to multiple SQL injection vulnerabilities.

These issues could permit remote attackers to pass malicious input to 
database queries, resulting in modification of query logic or other 
attacks.

Successful exploitation could result in a compromise of the 
application, disclosure or modification of data, or may permit an attacker to 
exploit vulnerabilities in the underlying database implementation. An 
attacker can obtain the administrative password by exploiting these issues.

Cacti versions prior to 0.8.6e are affected by these vulnerabilities.


7. RaXnet Cacti Config_Settings.PHP Remote File Include Vulnerability
BugTraq ID: 14028
Remote: Yes
Date Published: 2005-06-22
Relevant URL: http://www.securityfocus.com/bid/14028
Summary:
RaXnet Cacti is prone to a remote file include vulnerability. 

The problem presents itself specifically when an attacker passes the 
location of a remote attacker-specified script through the 
'config_settings.php' script.

An attacker may leverage this issue to execute arbitrary server-side 
script code on an affected computer with the privileges of the Web server 
process. This may facilitate unauthorized access. 


8. RaXnet Cacti Top_Graph_Header.PHP Remote File Include Vulnerability
BugTraq ID: 14030
Remote: Yes
Date Published: 2005-06-22
Relevant URL: http://www.securityfocus.com/bid/14030
Summary:
RaXnet Cacti is prone to a remote file include vulnerability. 

The problem presents itself specifically when an attacker passes the 
location of a remote attacker-specified script through the 
'top_graph_header.php' script.

An attacker may leverage this issue to execute arbitrary server-side 
script code on an affected computer with the privileges of the Web server 
process. This may facilitate unauthorized access. 


9. Asterisk Manager Interface Command Processing Remote Buffer Overflow Vulnerability
BugTraq ID: 14031
Remote: Yes
Date Published: 2005-06-22
Relevant URL: http://www.securityfocus.com/bid/14031
Summary:
Asterisk manager interface is prone to a remote buffer overflow 
vulnerability. The issue manifests due to a lack of sufficient boundary checks 
performed by command line interface processing routines. Reports 
indicate that the issue may only be exploited if the manager interface is 
accessible and an attacker is able to write commands to the interface.

Under certain circumstances a remote attacker may exploit this issue to 
execute arbitrary code in the context of the affected software.

10. Linux Kernel Unauthorized SCSI Command Vulnerability
BugTraq ID: 14040
Remote: No
Date Published: 2005-06-23
Relevant URL: http://www.securityfocus.com/bid/14040
Summary:
The Linux kernel is reported to be susceptible to an unauthorized SCSI 
command vulnerability. 

Commands sent to a SCSI device may render the device's state 
inconsistent or change the drive parameters so that other users find the drive to 
be unusable.

It is possible that this issue is related to BID 11784 (SuSE Linux 
Kernel Unauthorized SCSI Command Vulnerability). This is not confirmed at 
the moment; however, this BID will be updated or the two BIDs will be 
combined into one when further analysis is completed.


11. Simple Machines Msg Parameter SQL Injection Vulnerability
BugTraq ID: 14043
Remote: Yes
Date Published: 2005-06-23
Relevant URL: http://www.securityfocus.com/bid/14043
Summary:
Simple Machines is prone to an SQL injection vulnerability. This issue 
is due to a failure in the application to properly sanitize 
user-supplied input before using it in an SQL query.

Successful exploitation could result in a compromise of the 
application, disclosure or modification of data, or may permit an attacker to 
exploit vulnerabilities in the underlying database implementation.

This issue is reported to affect Simple Machines version 1.0.4; earlier 
versions may also be vulnerable.



12. Linux Kernel 64 Bit AR-RSC Register Access Validation Vulnerability
BugTraq ID: 14051
Remote: No
Date Published: 2005-06-24
Relevant URL: http://www.securityfocus.com/bid/14051
Summary:
The Linux Kernel for 64 Bit architectures is prone to an access 
validation vulnerability. The issue manifests due to a failure to restrict 
access to the 'ar.rsc' register (register stack engine control register) 
by the 'restore_sigcontext' function.

The immediate consequence of exploitation would likely be a denial of 
service; other attacks are also possible.



13. Linux Kernel Subthread Exec Local Denial Of Service Vulnerability
BugTraq ID: 14054
Remote: No
Date Published: 2005-06-24
Relevant URL: http://www.securityfocus.com/bid/14054
Summary:
The Linux kernel is prone to a local denial of service vulnerability. 
The issue manifests when a call to exec is made for a subthread that has 
a timer pending. 

A local attacker may exploit this issue to crash the kernel, effectively 
denying service to legitimate users.


14. PHP-Nuke Avatar HTML Injection Vulnerability
BugTraq ID: 14056
Remote: Yes
Date Published: 2005-06-24
Relevant URL: http://www.securityfocus.com/bid/14056
Summary:
PHP-Nuke is prone to an HTML injection vulnerability. This issue is 
due to a failure in the application to properly sanitize user-supplied 
input before using it in dynamically generated content.

Attacker-supplied HTML and script code would be executed in the context 
of the affected Web site, potentially allowing for theft of 
cookie-based authentication credentials. An attacker could also exploit this issue 
to control how the site is rendered to the user; other attacks are also 
possible.

This issue is reported to affect all versions of PHP-Nuke up to version 
7.7; this has not been confirmed.



15. IBM DB2 Universal Database Unspecified Authorization Bypass Vulnerability
BugTraq ID: 14057
Remote: Yes
Date Published: 2005-06-24
Relevant URL: http://www.securityfocus.com/bid/14057
Summary:
IBM DB2 Universal Database is susceptible to an authorization bypass 
vulnerability. This issue is due to a failure of the application to 
properly enforce authorization restrictions for database users.

Users with SELECT privileges in a database may bypass authorization 
checks to execute INSERT, UPDATE, or DELETE statements. Further details 
are not available at this time. This BID will be updated as more 
information is disclosed.

This vulnerability allows attackers to modify or destroy data without 
having proper authorization to do so.

16. Clam Anti-Virus ClamAV Unspecified Quantum Decompressor Denial Of Service Vulnerability
BugTraq ID: 14058
Remote: Yes
Date Published: 2005-06-24
Relevant URL: http://www.securityfocus.com/bid/14058
Summary:
ClamAV is prone to a denial of service vulnerability. The issue 
manifests in the Quantum decompressor; the exact cause of this issue is not 
known.

It is conjectured that a remote attacker may exploit this condition 
using a malicious file to crash a target ClamAV server.

III. LINUX FOCUS LIST SUMMARY
---------------------------------
1. Apache issue
http://www.securityfocus.com/archive/91/403019

V.   SPONSOR INFORMATION
------------------------
This Issue is Sponsored By: Black Hat

Attend the Black Hat Briefings & Training USA, July 23-28, 2005 in Las 
Vegas. World renowned security experts reveal tomorrow's threats today. 
Free of vendor pitches, the Briefings are designed to be pragmatic 
regardless of your security environment. Featuring 29 hands-on training 
courses and 10 conference tracks, networking opportunities with over 2,000 
delegates from 30+ nations. 

http://www.securityfocus.com/sponsor/BlackHat_sf-news_050628