Date: 22 Mar 2005 23:26:29 -0000
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #228
SecurityFocus Linux Newsletter #228
------------------------------------

This Issue is Sponsored By: SPI Dynamics

ALERT: Hackers New Trick: Mass Automation of Web App Worms
Web Application Worms utilize a known exploit, apply worm methodology and
then leverage the power of search engines to accelerate effectiveness.
These attacks mark the beginning of a new generation of worms targeted at
web applications. Are your web apps vulnerable? Easily test your
applications for over 5,100 web app vulnerabilities and attack
methodologies with our complimentary WebInspect 15-day product trial, which
delivers a comprehensive risk report!

http://www.securityfocus.com/sponsor/SPIDynamics_linux-secnews_050322

------------------------------------------------------------------------

Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!

http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

------------------------------------------------------------------------
I. FRONT AND CENTER
     1. Computer Ethics, From the Grandstands
     2. A Method for Forensic Previews
     3. Defeating Honeypots: System Issues, Part 1
     4. Linux Kernel Security, Again
II. LINUX VULNERABILITY SUMMARY
     1. PAFileDB Multiple SQL Injection And Cross-Site Scripting Vul...
     2. Wine Local Insecure File Creation Vulnerability
     3. OpenSLP Multiple Unspecified Buffer Overflow Vulnerabilities
     4. Multiple Vendor Antivirus Products Malformed ZIP Archive Sca...
     5. Spinworks Application Server Remote Denial Of Service Vulner...
     6. PABox Post Icon HTML Injection Vulnerability
     7. LuxMan Local Buffer Overflow Vulnerability
     8. Lime Wire Multiple Remote Unauthorized Access Vulnerabilitie...
     9. KAME Racoon Malformed ISAKMP Packet Headers Denial of Servic...
     10. RXVT-Unicode Escape Sequence Remote Buffer Overflow Vulnerab...
     11. ZPanel Multiple SQL Injection and File Include Vulnerabiliti...
     12. Linux Kernel PPP Driver Unspecified Remote Denial Of Service...
     13. Linux Kernel Netfilter Memory Leak Local Denial of Service V...
     14. DataRescue IDA Pro Dynamically Linked Library Remote Format ...
     15. KDE DCOPServer Local Denial of Service Vulnerability
     16. Novell Evolution Unspecified Denial of Service Vulnerability
     17. Lysator LSH Unspecified Denial Of Service Vulnerability
     18. McAfee Antivirus Library LHA Archive Handler Stack Based Buf...
     19. Linux Kernel Multiple Unspecified ISO9660 Filesystem Handlin...
III. LINUX FOCUS LIST SUMMARY
     1. A question about passwords and login/authentication (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. CoreGuard Core Security System
     2. EnCase Forensic Edition
     3. KeyGhost SX
     4. SafeKit
     5. Astaro Linux Firewall
     6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
     1. File System Saint 1.02a
     2. Umbrella v0.5
     3. Travesty 1.0
     4. OCS 0.1
     5. KSB - Kernel Socks Bouncer 2.6.10
     6. DigSig 1.3.2
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Computer Ethics, From the Grandstands
By Mark Rasch
The recent security breach that exposed an individual's application status
at top business schools raises moral and ethical questions about cyberspace.
http://www.securityfocus.com/columnists/309

2. A Method for Forensic Previews
By Timothy E. Wright
This article explains the forensic preview process, whereby a production
machine is left as undisturbed as possible while it is evaluated for
potential intrusion and compromise.
http://www.securityfocus.com/infocus/1825

3. Defeating Honeypots: System Issues, Part 1
By Thorsten Holz and Frederic Raynal
This two-part paper discusses how hackers discover, interact with, and
sometimes disable honeypots at the system level and application layer.
http://www.securityfocus.com/infocus/1826

4. Linux Kernel Security, Again
By Jason Miller
It's a sad day when an ancient fork bomb attack can still take down most of
the latest Linux distributions.
http://www.securityfocus.com/columnists/308

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. PAFileDB Multiple SQL Injection And Cross-Site Scripting Vul...
BugTraq ID: 12788
Remote: Yes
Date Published: Mar 12 2005
Relevant URL: http://www.securityfocus.com/bid/12788
Summary:
Multiple SQL injection and cross-site scripting vulnerabilities exist 
in paFileDB.  These issues are reported to exist in the 'viewall.php' 
and 'category.php' scripts.

Exploitation of these issues may allow for compromise of the software, 
session hijacking, or attacks against the underlying database.

2. Wine Local Insecure File Creation Vulnerability
BugTraq ID: 12791
Remote: No
Date Published: Mar 14 2005
Relevant URL: http://www.securityfocus.com/bid/12791
Summary:
A local insecure file creation vulnerability affects Wine.  The issue is a 
design error: the application writes temporary files under predictable 
names in world-writable directories without creating them securely.

A local attacker who plants a symbolic link bearing the name of the expected 
temporary file can cause Wine to write to an arbitrary file with the 
privileges of the unsuspecting user.  The attacker may also be able to read 
potentially sensitive information written to the temporary file.
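The symlink attack described above, as an added example written for this newsletter (it is not Wine's code): the predictable-name pattern that is vulnerable, beside the mkstemp()/O_EXCL pattern that closes it. The "victim" file, the link name and the scratch directory are all constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE pattern (illustrative, not Wine's code): predictable name in a
 * shared directory, O_CREAT without O_EXCL. If an attacker has already placed
 * a symlink at that name, open() follows it and the caller truncates and
 * writes whatever the link points at, with the caller's privileges. */
int open_tmp_unsafe(const char *dir, const char *tag)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s-%d", dir, tag, (int)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* HARDENED pattern: mkstemp() picks an unpredictable name and creates it
 * with O_CREAT|O_EXCL, mode 0600, in one step, which fails instead of
 * following a symlink. fstat() on the fd (not stat() on the path, which
 * would reopen the race) confirms we hold a regular file of our own.
 * Fills 'out' with the chosen path; returns the fd or -1. */
int open_tmp_safe(const char *dir, char *out, size_t outlen)
{
    struct stat st;
    int n = snprintf(out, outlen, "%s/wine-XXXXXX", dir);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    int fd = mkstemp(out);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != getuid() || st.st_nlink != 1) {
        close(fd);
        unlink(out);
        return -1;
    }
    return fd;
}

/* Private scratch directory for the demo (constructed): $TMPDIR, then /tmp,
 * then the current directory. Returns 0 on success. */
int make_scratch_dir(char *out, size_t outlen)
{
    const char *bases[3] = { getenv("TMPDIR"), "/tmp", "." };
    for (int i = 0; i < 3; i++) {
        if (!bases[i] || !*bases[i])
            continue;
        int n = snprintf(out, outlen, "%s/symlink-demo-XXXXXX", bases[i]);
        if (n > 0 && (size_t)n < outlen && mkdtemp(out))
            return 0;
    }
    return -1;
}

/* Stage the attack in 'dir': "victim-file" stands in for something the
 * attacker wants overwritten (think ~/.bashrc) and a symlink carrying the
 * predictable temp name points at it. Returns 1 if the unsafe opener wrote
 * through the link, 0 if not, -1 on setup failure. Cleans up after itself. */
int demo_unsafe_follows_symlink(const char *dir)
{
    char victim[4096], lnk[4096];
    struct stat st;
    snprintf(victim, sizeof victim, "%s/victim-file", dir);
    snprintf(lnk, sizeof lnk, "%s/wine-%d", dir, (int)getpid());
    int v = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (v < 0)
        return -1;
    close(v);
    if (symlink(victim, lnk) != 0)
        return -1;
    int fd = open_tmp_unsafe(dir, "wine");
    if (fd >= 0) {
        ssize_t w = write(fd, "owned\n", 6);   /* lands in victim-file */
        (void)w;
        close(fd);
    }
    int followed = (stat(victim, &st) == 0 && st.st_size == 6);
    unlink(lnk);
    unlink(victim);
    return followed;
}

/* Same symlink, opened with O_CREAT|O_EXCL: POSIX requires open() to fail
 * with EEXIST when the name is a symlink, wherever it points. Returns 1 if
 * the open was refused as expected. */
int demo_excl_refuses_symlink(const char *dir)
{
    char lnk[4096];
    snprintf(lnk, sizeof lnk, "%s/wine-%d", dir, (int)getpid());
    if (symlink("/nonexistent/target", lnk) != 0)
        return -1;
    int fd = open(lnk, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0)
        close(fd);
    unlink(lnk);
    return refused;
}

int main(void)
{
    char dir[4096], path[4096];
    if (make_scratch_dir(dir, sizeof dir) != 0)
        return 1;
    printf("unsafe open followed the symlink: %d\n", demo_unsafe_follows_symlink(dir));
    printf("O_EXCL open refused the symlink:  %d\n", demo_excl_refuses_symlink(dir));
    int fd = open_tmp_safe(dir, path, sizeof path);
    printf("mkstemp gave %s (fd %d)\n", path, fd);
    if (fd >= 0) {
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return 0;
}
```

Both demos return 1: the O_TRUNC open wrote six bytes into the victim through the link, and the O_EXCL open was refused with EEXIST. The post-create checks are done on the file descriptor rather than the path so that there is no second window between creating and inspecting the file.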

3. OpenSLP Multiple Unspecified Buffer Overflow Vulnerabilities
BugTraq ID: 12792
Remote: Yes
Date Published: Mar 14 2005
Relevant URL: http://www.securityfocus.com/bid/12792
Summary:
OpenSLP is prone to multiple unspecified buffer overflow 
vulnerabilities.  These vulnerabilities may be triggered by malformed SLP (Service 
Location Protocol) packets.

If successfully exploited, these issues could allow remote code 
execution in the context of the software.

4. Multiple Vendor Antivirus Products Malformed ZIP Archive Sca...
BugTraq ID: 12793
Remote: Yes
Date Published: Mar 14 2005
Relevant URL: http://www.securityfocus.com/bid/12793
Summary:
Multiple antivirus products from various vendors are reported prone to 
a vulnerability that may allow potentially malformed ZIP archives to 
bypass detection.

This issue arises when an affected application processes a ZIP archive 
containing potentially malicious files with specially crafted file 
names.

This issue could result in a malicious ZIP archive bypassing detection 
and being executed by a recipient.

This vulnerability reportedly affects Trend Micro InterScan VirusWall 
for Linux version 3.1.  AVG Anti-Virus is reported to be affected as 
well.

Sophos Sweep is being removed as a vulnerable package as the vendor has 
reported that the correct procedure for scanning archives is to use the 
'-all' switch instead of '-archive'.  The application is not affected 
if '-all' switch is used to scan a malicious archive.

This BID will be updated when more information becomes available.

5. Spinworks Application Server Remote Denial Of Service Vulner...
BugTraq ID: 12794
Remote: Yes
Date Published: Mar 14 2005
Relevant URL: http://www.securityfocus.com/bid/12794
Summary:
A remote denial of service vulnerability affects Spinworks Application 
Server.  This issue is due to a failure of the application to properly 
handle malformed requests.

An attacker may leverage this issue to trigger a denial of service 
condition in the affected software.

6. PABox Post Icon HTML Injection Vulnerability
BugTraq ID: 12796
Remote: Yes
Date Published: Mar 14 2005
Relevant URL: http://www.securityfocus.com/bid/12796
Summary:
paBox is reportedly affected by an HTML injection vulnerability.  This 
issue is due to a failure in the application to properly sanitize 
user-supplied input before using it in dynamically generated content.

The attacker-supplied HTML and script code would be able to access 
properties of the site, potentially allowing for theft of cookie-based 
authentication credentials.  An attacker could also exploit this issue to 
control how the site is rendered to the user; other attacks are also 
possible.

This issue is reported to affect paBox 2.0; earlier versions may also 
be vulnerable.

7. LuxMan Local Buffer Overflow Vulnerability
BugTraq ID: 12797
Remote: No
Date Published: Mar 14 2005
Relevant URL: http://www.securityfocus.com/bid/12797
Summary:
LuxMan is reported prone to a local buffer overflow vulnerability.

A successful attack can allow an attacker to gain elevated privileges 
on a vulnerable computer.

LuxMan 0.41-17 is reported prone to this vulnerability.  It is possible 
that other versions are affected as well.

8. Lime Wire Multiple Remote Unauthorized Access Vulnerabilitie...
BugTraq ID: 12802
Remote: Yes
Date Published: Mar 14 2005
Relevant URL: http://www.securityfocus.com/bid/12802
Summary:
Multiple remote unauthorized access vulnerabilities affect Lime Wire.  
These issues are due to the application failing to properly validate 
malicious file requests.

Two issues have been reported; both are due to a failure of the 
application to deny requests for files that lie outside of the 
application's shared directory.

An attacker may leverage these issues to gain access to potentially 
sensitive files with the permissions of the unsuspecting user that 
activated the affected application.
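The check the Lime Wire summary says is missing, as an added example (Lime Wire is a Java application; this is a C sketch of the same request-side logic, not the project's code): percent-decode the request, normalise it lexically, then require the result to be the share root or something strictly beneath it. The share root and request paths are constructed. Symlinks already inside the share are a separate problem that this check does not solve; the opened file would still need a realpath() comparison.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes from a request path. Rejects malformed escapes and a
 * decoded NUL (which would silently truncate the path at the file system
 * layer). Returns 1 on success, 0 on rejection. */
int url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        if (o + 1 >= outlen)
            return 0;
        if (*in == '%') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return 0;
            char hex[3] = { in[1], in[2], '\0' };
            int c = (int)strtol(hex, NULL, 16);
            if (c == 0)
                return 0;
            out[o++] = (char)c;
            in += 2;
        } else {
            out[o++] = *in;
        }
    }
    out[o] = '\0';
    return 1;
}

/* Lexically normalise an absolute path: collapse repeated '/', drop "." and
 * resolve ".." (never climbing above the root). Returns the result length
 * or -1 for a relative path or an overflow. */
int normalize_path(const char *in, char *out, size_t outlen)
{
    size_t len = 0;
    if (*in != '/' || outlen < 2)
        return -1;
    out[len++] = '/';
    while (*in) {
        while (*in == '/')
            in++;
        if (!*in)
            break;
        const char *seg = in;
        while (*in && *in != '/')
            in++;
        size_t seglen = (size_t)(in - seg);
        if (seglen == 1 && seg[0] == '.')
            continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            while (len > 1 && out[len - 1] != '/')
                len--;                 /* pop the last segment */
            if (len > 1)
                len--;                 /* and the '/' that preceded it */
            continue;
        }
        if (len + 1 + seglen + 1 > outlen)
            return -1;
        if (len > 1)
            out[len++] = '/';
        memcpy(out + len, seg, seglen);
        len += seglen;
    }
    out[len] = '\0';
    return (int)len;
}

/* Decide whether a request may be served from share_root. The trailing
 * '/' test is what stops "/Shared" from matching "/SharedSecrets".
 * Returns 1 to allow, 0 to deny. */
int request_within_share(const char *share_root, const char *requested)
{
    char decoded[1024], root[1024], req[1024];
    if (!url_decode(requested, decoded, sizeof decoded))
        return 0;
    if (normalize_path(share_root, root, sizeof root) < 0 ||
        normalize_path(decoded, req, sizeof req) < 0)
        return 0;
    size_t rl = strlen(root);
    if (rl == 1)                       /* refuse to share the file system root */
        return 0;
    if (strncmp(req, root, rl) != 0)
        return 0;
    return req[rl] == '\0' || req[rl] == '/';
}

int main(void)
{
    const char *root = "/home/alice/Shared";            /* constructed */
    const char *reqs[] = {
        "/home/alice/Shared/music/song.mp3",
        "/home/alice/Shared/../.ssh/id_rsa",
        "/home/alice/Shared/..%2F..%2Fetc/passwd",
        "/home/alice/SharedSecrets/x",
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-42s -> %s\n", reqs[i],
               request_within_share(root, reqs[i]) ? "allow" : "deny");
    return 0;
}
```

Decoding happens before normalisation so that "..%2F" cannot slip past the ".." handling; on a Windows build the same routine would also have to treat '\\' as a separator before normalising.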

9. KAME Racoon Malformed ISAKMP Packet Headers Denial of Servic...
BugTraq ID: 12804
Remote: Yes
Date Published: Mar 14 2005
Relevant URL: http://www.securityfocus.com/bid/12804
Summary:
racoon is reported prone to a vulnerability that may allow a remote 
attacker to cause a denial of service condition in the application.

This issue arises from a boundary condition error when the application 
handles malformed ISAKMP packets.

racoon versions prior to 20050307 are considered to be vulnerable to 
this issue.
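The OpenSLP entry (item 3) and the racoon entry above share a failure class: a length taken from the wire and acted on before it is compared with what actually arrived. As an added example of that check, here is a validator for the ISAKMP fixed header and generic payload chain of RFC 2408 (28-byte header with the length at offset 24, 4-byte payload headers with the length at offset 2, next-payload 0 ending the chain). It is not racoon's code and does not claim to reproduce racoon's bug; the sample packets are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN     28   /* RFC 2408 fixed header */
#define ISAKMP_PAYLOAD_HDR  4   /* generic payload header: next, reserved, length */

enum {
    ISAKMP_ERR_SHORT_HDR   = -1,  /* fewer than 28 bytes on the wire */
    ISAKMP_ERR_LEN_FIELD   = -2,  /* length field < 28 or > bytes received */
    ISAKMP_ERR_PAYLOAD_LEN = -3,  /* payload length < 4 or past end of message */
    ISAKMP_ERR_TRAILING    = -4,  /* chain ended before the declared length */
    ISAKMP_ERR_TOO_MANY    = -5   /* chain longer than we are willing to walk */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Validate every length field against 'received' before any payload is
 * interpreted. Returns the payload count, or a negative error code. */
int isakmp_validate(const uint8_t *pkt, size_t received)
{
    if (received < ISAKMP_HDR_LEN)
        return ISAKMP_ERR_SHORT_HDR;
    uint32_t claimed = be32(pkt + 24);
    if (claimed < ISAKMP_HDR_LEN || claimed > received)
        return ISAKMP_ERR_LEN_FIELD;   /* truncated, or a header that lies */

    uint8_t next = pkt[16];            /* "next payload" type in the header */
    size_t off = ISAKMP_HDR_LEN;
    int count = 0;
    while (next != 0) {                /* 0 = NONE terminates the chain */
        if (claimed - off < ISAKMP_PAYLOAD_HDR)
            return ISAKMP_ERR_PAYLOAD_LEN;
        uint16_t plen = be16(pkt + off + 2);
        if (plen < ISAKMP_PAYLOAD_HDR || plen > claimed - off)
            return ISAKMP_ERR_PAYLOAD_LEN;  /* a zero here would loop forever */
        next = pkt[off];
        off += plen;
        if (++count > 64)
            return ISAKMP_ERR_TOO_MANY;
    }
    return off == claimed ? count : ISAKMP_ERR_TRAILING;
}

/* Constructed sample: a 36-byte Main Mode message carrying one SA payload
 * (type 1) with a four-byte body. Cookies and message ID are arbitrary. */
static const uint8_t sample_good[36] = {
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,   /* initiator cookie */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,   /* responder cookie (none yet) */
    0x01, 0x10, 0x02, 0x00,                    /* next=SA, version 1.0, main mode, flags */
    0x00,0x00,0x00,0x00,                       /* message ID */
    0x00,0x00,0x00,0x24,                       /* length = 36 */
    0x00,0x00,0x00,0x08,                       /* SA payload: next NONE, reserved, length 8 */
    0x00,0x00,0x00,0x01                        /* payload body (DOI = IPsec) */
};

static int run_mutated(size_t off, uint8_t v0, uint8_t v1)
{
    uint8_t pkt[36];
    memcpy(pkt, sample_good, sizeof pkt);
    pkt[off] = v0;
    pkt[off + 1] = v1;
    return isakmp_validate(pkt, sizeof pkt);
}

int demo_good(void)             { return isakmp_validate(sample_good, sizeof sample_good); }
/* header says 36 bytes but only 30 arrived */
int demo_truncated(void)        { return isakmp_validate(sample_good, 30); }
/* length field smaller than the fixed header itself */
int demo_tiny_length_field(void){ return run_mutated(26, 0x00, 0x10); }
/* payload length zeroed: a naive walker never advances */
int demo_zero_payload_len(void) { return run_mutated(30, 0x00, 0x00); }
/* payload claims 65535 bytes: would read far past the 36 we hold */
int demo_oversize_payload(void) { return run_mutated(30, 0xFF, 0xFF); }
/* payload of 4 ends the chain at byte 32 although the header claims 36 */
int demo_trailing_bytes(void)   { return run_mutated(30, 0x00, 0x04); }

int main(void)
{
    printf("good %d, truncated %d, tiny length %d, zero payload %d, "
           "oversize payload %d, trailing %d\n",
           demo_good(), demo_truncated(), demo_tiny_length_field(),
           demo_zero_payload_len(), demo_oversize_payload(), demo_trailing_bytes());
    return 0;
}
```

Only the well-formed sample returns a non-negative count. A real parser adds per-type minimum sizes on top of this (an SA payload is more than four bytes), but the generic walk is where a daemon is most often killed: a length of zero or one past the end is the difference between a loop that terminates and one that does not.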

10. RXVT-Unicode Escape Sequence Remote Buffer Overflow Vulnerab...
BugTraq ID: 12807
Remote: Yes
Date Published: Mar 15 2005
Relevant URL: http://www.securityfocus.com/bid/12807
Summary:
A remote buffer overflow vulnerability affects rxvt-unicode.  The issue 
is due to a failure of the application to securely copy externally 
supplied input into sensitive process buffers.

An attacker may leverage this issue to execute arbitrary code with the 
privileges of the unsuspecting user that activated the affected 
application.

11. ZPanel Multiple SQL Injection and File Include Vulnerabiliti...
BugTraq ID: 12809
Remote: Yes
Date Published: Mar 15 2005
Relevant URL: http://www.securityfocus.com/bid/12809
Summary:
ZPanel is reportedly affected by multiple input validation 
vulnerabilities.

ZPanel is affected by multiple SQL injection vulnerabilities.  These 
issues are due to a failure in the application to properly sanitize 
user-supplied input before using it in SQL queries.

ZPanel is also affected by remote and local file inclusion 
vulnerabilities.  These issues are due to a failure in the application to 
properly sanitize user-supplied input.

The SQL injection vulnerabilities are reported to affect ZPanel 
versions 2 and 2.5beta; other versions may also be affected.

The remote file inclusion vulnerability is reported to only affect 
ZPanel version 2.  The local file inclusion vulnerability is reported to 
affect ZPanel version 2 and 2.5beta.

12. Linux Kernel PPP Driver Unspecified Remote Denial Of Service...
BugTraq ID: 12810
Remote: Yes
Date Published: Mar 15 2005
Relevant URL: http://www.securityfocus.com/bid/12810
Summary:
The Linux kernel PPP (Point-to-Point Protocol) driver is reported prone to 
an unspecified remote denial of service vulnerability.

A successful attack can cause a denial of service condition in the 
server and prevent access to legitimate users.

Linux Kernel 2.6.8 was reported vulnerable.  It is possible that 
subsequent versions are affected as well.

Due to a lack of details, further information is not available at the 
moment.  This BID will be updated when more information becomes 
available.

13. Linux Kernel Netfilter Memory Leak Local Denial of Service V...
BugTraq ID: 12816
Remote: Unknown
Date Published: Mar 15 2005
Relevant URL: http://www.securityfocus.com/bid/12816
Summary:
Linux Kernel is reported prone to a local denial of service 
vulnerability due to a memory leak in Netfilter code.  This issue can allow an 
attacker to crash a computer and deny service to legitimate users.

It is not known whether this issue allows for remote exploitation.

Linux Kernel 2.6.8 was reported vulnerable, however, it is possible 
that subsequent versions are affected as well.

14. DataRescue IDA Pro Dynamically Linked Library Remote Format ...
BugTraq ID: 12819
Remote: Yes
Date Published: Mar 16 2005
Relevant URL: http://www.securityfocus.com/bid/12819
Summary:
A remote, client-side format string vulnerability affects DataRescue 
IDA Pro. This issue is due to a failure of the application to securely 
implement a formatted printing function.

An attacker may leverage this issue to execute arbitrary code with the 
privileges of an unsuspecting user that executed the vulnerable 
application.

15. KDE DCOPServer Local Denial of Service Vulnerability
BugTraq ID: 12820
Remote: No
Date Published: Mar 16 2005
Relevant URL: http://www.securityfocus.com/bid/12820
Summary:
KDE's Desktop Communication Protocol (DCOP) daemon is affected by a 
local denial of service vulnerability.

It is reported that a user's DCOPServer can be locked up by causing the 
authentication process to stall.

All versions of KDE prior to 3.4 are affected by this issue.

This BID will be updated when more information is available.

16. Novell Evolution Unspecified Denial of Service Vulnerability
BugTraq ID: 12826
Remote: Yes
Date Published: Mar 17 2005
Relevant URL: http://www.securityfocus.com/bid/12826
Summary:
Evolution is vulnerable to a remotely exploitable denial of service 
condition related to processing of messages with malformed unicode 
specifications.  Messages with certain properties can cause a failure that 
will force the client to crash when the message is processed.  The denial 
of service may persist until the message is manually removed from the 
mail archive.  Usenet posts may be an ideal vector for a passive attack 
against unsuspecting readers.

17. Lysator LSH Unspecified Denial Of Service Vulnerability
BugTraq ID: 12829
Remote: Unknown
Date Published: Mar 17 2005
Relevant URL: http://www.securityfocus.com/bid/12829
Summary:
An unspecified denial of service vulnerability affects Lysator LSH.  
The underlying cause of this issue is currently unknown; this BID will be 
updated as more details become available.

An attacker may leverage this issue to cause the affected application 
to stop responding or crash, ultimately denying service to legitimate 
users.

18. McAfee Antivirus Library LHA Archive Handler Stack Based Buf...
BugTraq ID: 12832
Remote: Yes
Date Published: Mar 17 2005
Relevant URL: http://www.securityfocus.com/bid/12832
Summary:
McAfee Antivirus Library is reported prone to a buffer overflow 
vulnerability. The issue is reported to exist in the LHA archive parser. The 
affected library does not perform sufficient bounds checking on LHA type 
two header file name fields before copying the data into a finite 
process buffer.

Although unclear, it is reported that the LHA archive must be 
especially malformed and conform to an alternate non-archive file format in 
order to trigger the vulnerability.

A remote attacker may exploit this vulnerability to execute arbitrary 
code with SYSTEM privileges on a computer that is running the affected 
software.
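The McAfee entry above and the rxvt-unicode entry (item 10) describe the same class of flaw: attacker-sized data copied into a fixed buffer with no check against the buffer's size. As an added example, which is not McAfee's, rxvt-unicode's or any LHA tool's code, here is a level-2 extended-header filename parser in its unchecked and bounds-checked forms. The layout assumed is the documented LHA one (a 2-byte little-endian size covering the size, type and data fields, a 1-byte type where 0x01 is the filename, and a zero size ending the chain); the 255-byte name buffer and the sample names are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LHA_EXT_FILENAME 0x01
#define NAME_MAX_LEN     255    /* the fixed buffer a scanner copies into */

/* Lay out an extended-header chain holding one filename header followed by
 * the terminating zero size. Returns bytes written, 0 if it does not fit. */
size_t build_ext_chain(uint8_t *out, size_t outlen, const char *name)
{
    size_t nlen = strlen(name);
    size_t total = 2 + 1 + nlen + 2;
    if (nlen + 3 > 0xFFFF || total > outlen)
        return 0;
    uint16_t size = (uint16_t)(nlen + 3);
    out[0] = (uint8_t)(size & 0xFF);
    out[1] = (uint8_t)(size >> 8);
    out[2] = LHA_EXT_FILENAME;
    memcpy(out + 3, name, nlen);
    out[3 + nlen] = 0;              /* next size = 0: end of chain */
    out[4 + nlen] = 0;
    return total;
}

/* VULNERABLE (illustrative): trusts the size field and copies the name into
 * a 256-byte stack buffer. A size field of 300 writes past 'name' and over
 * the saved return address. Only ever called on benign input here. */
int lha_filename_unsafe(const uint8_t *ext, size_t len, char *name_out)
{
    char name[NAME_MAX_LEN + 1];
    size_t off = 0;
    while (off + 2 <= len) {
        uint16_t size = (uint16_t)(ext[off] | (ext[off + 1] << 8));
        if (size == 0)
            break;
        if (ext[off + 2] == LHA_EXT_FILENAME) {
            size_t dlen = size - 3;
            memcpy(name, ext + off + 3, dlen);   /* no check against sizeof name */
            name[dlen] = '\0';
            strcpy(name_out, name);
            return (int)dlen;
        }
        off += size;
    }
    return -1;
}

/* HARDENED: each size field is checked against the bytes actually held, and
 * the name length against the destination, before anything is copied.
 * Returns the name length, or -1 for malformed or oversized input. */
int lha_filename_safe(const uint8_t *ext, size_t len, char *name_out, size_t name_cap)
{
    size_t off = 0;
    while (len - off >= 2) {
        uint16_t size = (uint16_t)(ext[off] | (ext[off + 1] << 8));
        if (size == 0)
            return -1;              /* chain ended without a filename */
        if (size < 3 || size > len - off)
            return -1;              /* self-contradictory or truncated header */
        if (ext[off + 2] == LHA_EXT_FILENAME) {
            size_t dlen = size - 3;
            if (dlen >= name_cap)
                return -1;          /* the overflow case, refused */
            memcpy(name_out, ext + off + 3, dlen);
            name_out[dlen] = '\0';
            return (int)dlen;
        }
        off += size;
    }
    return -1;
}

/* Demo: a 399-byte name (constructed) that the hardened parser refuses. */
int demo_oversized_name(void)
{
    uint8_t buf[512];
    char name[NAME_MAX_LEN + 1], longname[400];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    size_t n = build_ext_chain(buf, sizeof buf, longname);
    return n ? lha_filename_safe(buf, n, name, sizeof name) : -2;
}

int main(void)
{
    uint8_t buf[64];
    char name[NAME_MAX_LEN + 1];
    size_t n = build_ext_chain(buf, sizeof buf, "readme.txt");
    printf("benign: safe=%d unsafe=%d name=%s\n",
           lha_filename_safe(buf, n, name, sizeof name),
           lha_filename_unsafe(buf, n, name), name);
    printf("oversized name: safe=%d (unsafe parser not run on it)\n",
           demo_oversized_name());
    return 0;
}
```

The same two-line discipline (bound the declared length by the bytes held, then by the destination) is what an escape-sequence parser needs when it accumulates an OSC or CSI argument string from the terminal's input stream.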

19. Linux Kernel Multiple Unspecified ISO9660 Filesystem Handlin...
BugTraq ID: 12837
Remote: No
Date Published: Mar 17 2005
Relevant URL: http://www.securityfocus.com/bid/12837
Summary:
It is reported that the Linux kernel is prone to multiple 
vulnerabilities that manifest because of what are described as 'range checking 
flaws' present in the ISO9660 handling routines.

These issues may be exploited to trigger kernel based memory 
corruption. Ultimately the issues may be exploited to execute arbitrary malicious 
code with ring zero privileges.

These vulnerabilities are reported to be present in the ISO9660 file 
system handler, including the Rock Ridge and Joliet extensions, for the 
Linux kernel up to and including version 2.6.11.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. A question about passwords and login/authentication (Thread)
Relevant URL: http://www.securityfocus.com/archive/91/393474

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary: 

CoreGuard System profile

The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates all
the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.

CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets 
* Protect data at rest from unauthorized viewing by external attackers
and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
administration
* Ensure host & application integrity
* Block malicious code, including zero-day exploits

2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, 
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: 
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary: 

EnCase Forensic Edition Version 4 delivers the most advanced features 
for computer forensics and investigations. With an intuitive GUI and 
superior performance, EnCase Version 4 provides investigators with the 
tools to conduct large-scale and complex investigations with accuracy and 
efficiency. Guidance Software's award winning solution yields 
completely non-invasive computer forensic investigations while allowing 
examiners to easily manage large volumes of computer evidence and view all 
relevant files, including "deleted" files, file slack and unallocated 
space. 

The integrated functionality of EnCase allows the examiner to perform 
all functions of the computer forensic investigation process. EnCase's 
EnScript, a powerful macro-programming language and API included within 
EnCase, allows investigators to build customized and reusable forensic 
scripts.

3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, 
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary: 

KeyGhost SX discreetly captures and records all keystrokes typed, 
including chat conversations, email, word processor, or even activity within 
an accounting or specialist system. It is completely undetectable by 
software scanners and provides you with one of the most powerful stealth 
surveillance applications offered anywhere. 

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded 
data in its own internal memory (not on the hard drive), it is 
impossible for a network intruder to gain access to any sensitive data stored 
within the device.

4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary: 

Evidian's SafeKit technology makes it possible to render any 
application available 24 hours per day. With no extra hardware: just use your 
existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to 
do is add more standard servers into the cluster. With the load 
balancing features of SafeKit, you can distribute applications over multiple 
servers. If one system fails completely, the others will continue to 
serve your users.

5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary: 

Astaro Linux Firewall: All-in-one firewall, virus protection, content 
filtering and spam protection internet security software package for 
Linux. 
Free download for home users.

6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris, 
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary: 

Low cost, easy to use two-factor authentication one-time password token 
using a cellular phone. Does not use SMS or other communication, manages 
multiple OTP accounts - new technology. For any business that wants safer 
access to its Internet services. More information at our site.
 
We also provide an eAuthentication service for businesses that will not 
buy an authentication product but would prefer to pay a monthly charge 
for authentication services from our CAT Server.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. File System Saint 1.02a
By: Joshua Fritsch
Relevant URL: http://www.unixgeeks.org/saint
Platforms: Linux, UNIX
Summary: 

A fast, flexible, lightweight perl-based host IDS.

2. Umbrella v0.5
By: Umbrella
Relevant URL: http://umbrella.sf.net/
Platforms: Linux
Summary: 

A combination of process-based access control (PBAC) and authentication 
of binaries (like DigSig); in addition, the binaries have the security 
policy included within the binary, so when one is executed the policy 
is applied to the corresponding process. Umbrella provides developers 
with a "restricted fork" which enables them to further restrict a 
sub-process from, e.g., accessing the network.

3. Travesty 1.0
By: Robert Wesley McGrew
Relevant URL: http://cse.msstate.edu/~rwm8/travesty/
Platforms: Linux
Summary: 

Travesty is an interactive program for managing the hardware addresses 
(MAC) of ethernet devices on your computer.  It supports manually 
changing the MAC, generating random addresses, and applying different vendor 
prefixes to the current address.  It also allows the user to import their 
own lists of hardware addresses and descriptions that can be navigated from 
within the Travesty interface.  Travesty is written in Python, and is very 
simple to add functionality to, or modify.

4. OCS 0.1
By: OverIP
Relevant URL: http://hacklab.altervista.org/download/OCS.c
Platforms: Linux
Summary: 

This is a very reliable and fast mass scanner for Cisco routers with 
default telnet/enable passwords.

5. KSB - Kernel Socks Bouncer 2.6.10
By: Paolo Ardoino
Relevant URL: http://ardoino.altervista.org/kernel.php
Platforms: Linux
Summary: 

KSB26 [Kernel Socks Bouncer] is a Linux Kernel 2.6.x patch that redirects 
full TCP connections [SSH, telnet, ...] to go through SOCKS5. KSB26 
uses a character device to pass SOCKS5 and target IPs to the Linux 
Kernel. I have chosen to write in kernel space to enjoy myself [I know 
that there are easier and safer ways to write this in userspace].

6. DigSig 1.3.2
By: 
Relevant URL: http://sourceforge.net/projects/disec/
Platforms: Linux
Summary: 

DigSig is a Linux kernel loadable module that checks the signature of a 
binary before running it.  It inserts digital signatures inside the ELF 
binary and verifies the signature before loading the binary.  Therefore, 
it improves the security of the system by preventing a wide range of 
malicious binaries, such as viruses, worms, Trojan programs and backdoors, 
from running on the system.

VII. SPONSOR INFORMATION
-----------------------
